Important Things in Active Directory


7/29/2019 Important Things in Active Directory

How do I manually defragment Active Directory?

Windows 2000 servers running Directory Services (DSs) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (ntds.dit) and doesn't reduce the file's size.

To create a new, smaller ntds.dit file and to enable offline defragmentation, perform the following steps.

1. Back up Active Directory (AD) (see the FAQ How do I back up Active Directory and the System State?).

2. Reboot the server, select the OS option, and press F8 for advanced options.

3. Select the Directory Services Restore Mode option, and press Enter. Press Enter again to start the OS.

4. Win2K will start in safe mode, with no DS running.

5. Use the local SAM's administrator account and password to log on.

6. You'll see a dialog box that says you're in safe mode. Click OK.

7. From the Start menu, select Run and type cmd.exe.

8. In the command window, you'll see the following text. (Enter the commands shown.)

C:\> ntdsutil
ntdsutil: files
file maintenance: info
....
file maintenance: compact to c:\temp

9. You'll see the defragmentation process. If the process was successful, enter

quit
quit

10. to return to the command prompt.

11. Then, replace the old ntds.dit file with the new, compressed version. (Enter the command shown.)

C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

12. Restart the computer, and boot as normal.

How does intrasite replication work in Windows 2000?

Windows 2000's Knowledge Consistency Checker (KCC) automatically manages replication within a site. The KCC uses a bidirectional ring topology that uses remote procedure call (RPC) over TCP/IP without compression. Domain controllers (DCs) within a site are typically on a fast network (per the definition of a site), and the extra processing necessary for compression and decompression is undesirable.

http://www.windows2000faq.com/articles/index.cfm?articleid=13383

The KCC runs every 15 minutes, adjusting the topology as necessary. As you create new DCs, the KCC automatically places them in the ring. To view the DC links, you can use the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. Expand the site, the Servers container, and the server. Under the NTDS Settings branch are the created connection objects.

Because the KCC runs on all DCs, the rings are in order of the DCs' globally unique IDs (GUIDs) to ensure convergence on one topology. An exception to the ring rule is that no more than three hops can exist between two DCs within the ring. To protect the three-hop rule, the KCC adds extra links for seven or more DCs, as the Figure shows.

These rings are for the same naming context (i.e., domain) in one site. If you have multiple domains in a site, rings exist for each domain in the site.

Another type of ring that exists replicates schema and configuration information between DCs, as the Figure shows. Because all the domains share this information (i.e., the information is forestwide), each site has only one ring. Thus, if you have two domains in a site, you have three rings: one ring for each domain and one ring for the schema and configuration information. If you have only one domain in a site, one ring functions as two.

Manual configuration of intrasite replication is unnecessary, and Microsoft doesn't recommend such configuration. The only task you might need to perform is adding extra connection objects to reduce the hop count between DCs.

When you make a change to the naming context (i.e., domain) data, the DC's local copy of Active Directory (AD) records the change, then the DC waits 5 minutes (by default) before notifying its replication partners of the change. You can continue to make changes during this time period. The delay exists so that all changes transmit at once. If no changes occur during a particular time period (which you can configure in the intrasite connection object schedule), a replication sequence initiates to ensure no changes were missed.

The SAM or the Local Security Authority (LSA) can trigger urgent replication during the following events: replication of a newly locked-out account (e.g., if you fire someone), change of an LSA secret (i.e., a trust account), and state changes to the Relative Identifier (RID) Manager. These events trigger immediate replication. Because urgent replication requires notification, this type of replication occurs only within a site (i.e., intrasite).

However, you can modify site links to enable notification.

An exception to multimaster normal replication is user passwords. As in other attribute changes, you can change a user password at any DC. However, the DC pushes the change to the PDC Flexible Single-Master Operation (FSMO) role holder on a best-attempt basis. Other DCs receive the password through normal replication. The reason for the extra password work is that if password validation fails, the validating DC will pass the request to the PDC FSMO in case the password has changed and the DC hasn't yet received the new password via standard replication.

How do I automatically upgrade a server to a domain controller during installation?

You can automatically run DCPROMO during an unattended installation. Enter the command

dcpromo /answer:%path_to_answer_file%

In my example, the DCInstall section and parameters are added directly to the unattended answer file. The Microsoft Windows 2000 Resource Kit details the DCInstall section's parameters in the file Unattend.doc. I've listed the main entries in the following table.

AdministratorPassword   The new password for the domain Administrator account
AutoConfigDNS           Specifies whether the wizard should configure DNS
ChildName               Name of the child part of the domain
CreateOrJoin            Specifies whether the domain will join an existing forest or create a new one
DatabasePath            Location for the Active Directory database
DNSOnNetwork            Used when a new forest of domains is installed and no DNS client is configured on the computer
DomainNetBiosName       NetBIOS name for the domain
IsLastDCInDomain        Only valid when demoting an existing domain controller to a member server
LogPath                 Path for the Directory Service (DS) logs
NewDomainDNSName        Name of the new tree or when a new forest is created
ParentDomainDNSName     Specifies the name of the parent domain
Password                Password for the username used to promote the server
RebootOnSuccess         Specifies whether an automatic reboot should be performed
ReplicaDomainDNSName    Name of the domain to be replicated from
ReplicaOrMember         Specifies whether a Windows NT 4.0 or 3.51 BDC being upgraded should become a replica domain controller or be demoted to a regular member server
ReplicaOrNewDomain      Specifies whether the machine is a new domain controller in a new domain or a replica of an existing domain
SiteName                Name of the site (Default-First-Site by default)
SysVolPath              Path of SYSVOL
TreeOrChild             Specifies whether the entry is a new tree or a child of an existing domain
UserDomain              Domain for the user being used in promotion
UserName                Name of the user performing the upgrade

Because the DCPROMO process occurs after setup, the created answer file is called $winnt$.inf and copies to the \system32 folder. The parameters are in this file, so you need to add the following text to the GUIRunOnce section of the unattended Setup answer file.

[GUIRunOnce]
"DCpromo /answer:%systemroot%\system32\$winnt$.inf"

After the DCPROMO process completes, DCPROMO removes password information from the $winnt$.inf file. To make this process easier, because the RunOnce command doesn't execute until someone logs on to the computer, you can add the following text to the unattended answer file.

[GUIUnattended]
Autologon = yes ; automatically logs on the administrator account
AutoLogoncount = n ; number of times to perform auto-admin logon

Don't use items such as %systemroot% or %windir%, because the unattended installation process doesn't understand them.

You can just create a DCInstall section directly in your unattend.txt file to avoid having multiple unattended setup files. Enter text such as the following.

[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree

My example script would create a new forest with the domain savtech.com at the top and the new domain controller in the site London. The SYSVOL, logs, and Active Directory (AD) files would be in the default locations. The new domain Administrator account password would be cartman.

If you want to use DCPROMO outside an unattended installation, enter

dcpromo /answer:

You'll see a dialog box that says DCPROMO is running in unattended mode. Then, the machine will reboot.
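A checker for the answer-file sections described above, added here as example code (not from the original article): it parses the [GUIUnattended], [GUIRunOnce] and [DCInstall] fragments from this page, reports which [DCInstall] secrets are still present in clear text (the kind of check worth running against $winnt$.inf after DCPROMO has finished and is supposed to have stripped them), and, as an assumption about where the %systemroot% caveat applies, flags [DCInstall] path parameters that rely on environment variables. The answer-file text is constructed.

```python
"""Audit an unattended Setup answer file for the DCPROMO sections this page
describes. Example code added to the page, not from the original article;
SAMPLE_ANSWER_FILE is constructed from the page's fragments. Which keys count
as secrets or paths is an assumption taken from the page's parameter table."""
import configparser
from typing import Dict, List

SECRET_KEYS = ("AdministratorPassword", "Password")
PATH_KEYS = ("DatabasePath", "LogPath", "SysVolPath")

# Constructed sample, assembled from the fragments shown on this page.
SAMPLE_ANSWER_FILE = r"""
[GUIUnattended]
Autologon = yes ; automatically logs on the administrator account
AutoLogoncount = 1 ; number of times to perform auto-admin logon

[GUIRunOnce]
"DCpromo /answer:%systemroot%\system32\$winnt$.inf"

[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree
DatabasePath = %systemroot%\ntds
"""

def load_answer_file(text: str) -> configparser.ConfigParser:
    """Parse INI-style answer-file text. Interpolation is off so '%' in values
    is literal, keys keep their case, ';' starts a comment, and the quoted
    [GUIRunOnce] command line (which has no '=') is accepted as a value-less key."""
    cp = configparser.ConfigParser(
        interpolation=None, allow_no_value=True,
        delimiters=("=",), inline_comment_prefixes=(";",),
    )
    cp.optionxform = str  # type: ignore
    cp.read_string(text)
    return cp

def dcinstall_settings(text: str) -> Dict[str, str]:
    """[DCInstall] parameters with surrounding quotes removed."""
    cp = load_answer_file(text)
    if not cp.has_section("DCInstall"):
        return {}
    return {k: (v or "").strip().strip('"') for k, v in cp.items("DCInstall")}

def leftover_secrets(text: str) -> List[str]:
    """[DCInstall] secret keys that still carry a non-empty value."""
    settings = dcinstall_settings(text)
    return [k for k in SECRET_KEYS if settings.get(k)]

def unexpanded_paths(text: str) -> List[str]:
    """[DCInstall] path keys whose value relies on an environment variable."""
    return [k for k in PATH_KEYS if "%" in dcinstall_settings(text).get(k, "")]

def runonce_commands(text: str) -> List[str]:
    """Command lines listed under [GUIRunOnce], with their quotes removed."""
    cp = load_answer_file(text)
    if not cp.has_section("GUIRunOnce"):
        return []
    return [k.strip('"') for k in cp.options("GUIRunOnce")]
```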

How can I move the Active Directory log files?

Along with the ntds.dit file, the Active Directory (AD) keeps several log files that you might want to move to a faster disk. To do so, perform the following steps:

1. Restart the domain controller (DC).

2. Press F8 at the Startup menu when the system displays the list of OSs.

3. Select Directory Services Restore Mode.

4. Select the appropriate installation, if more than one exists, and then log on as an administrator at the logon prompt.

5. Start a command prompt (Start, Run, cmd.exe).

6. Start the NTDS utility, ntdsutil.exe.

7. At the ntdsutil prompt, type "files" as shown below:

ntdsutil: files

8. At the file maintenance prompt, type the following:

file maintenance: move logs to [new location for file]

9. To view the log files, at the file maintenance prompt, type "info":

file maintenance: info

10. Type "quit" (without the quotation marks) twice to return to a C prompt.

11. Restart the computer in Normal mode.

How do I change how often the Knowledge Consistency Checker runs?

The Knowledge Consistency Checker (KCC), which manages connection objects for inter- and intrasite replication, runs every 15 minutes by default. To change this time period, start regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry.

From the Edit menu, select New, DWORD Value. Enter

Repl topology update period (secs)

and press Enter. Double-click the new value, and enter the number of seconds for how often you want the KCC to run. Click OK, then close the Registry editor. Restart the machine for the change to take effect.

How do I tune Active Directory replication?

You can use one of several settings under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry to modify elements of Active Directory (AD) replication. When you make a change to AD, a timer starts. This timer specifies how long the domain controller will wait before notifying its first replication partner about replication between domain controllers. The default time is 5 minutes. To change this time period, edit the Replicator notify pause after modify (secs) value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry, as the screen shows.

After the domain controller notifies its first replication partner, the domain controller waits before it notifies each subsequent replication partner. This delay prevents simultaneous replies from the replication partners. The default time is 30 seconds. To change this time period, edit the Replicator notify pause between DSAs (secs) value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry, as the screen shows.

You can modify other values to enhance a multiple-CPU system's performance. For example, set the replication thread priority high value to 1 to run replication at high priority. If you don't set this value, or you set it to 0, replication will run at low priority. Set the replication thread priority low value to 1 to run replication at low priority. If you set this value to -1, the value is ignored.

How do I audit Active Directory?

You can configure Active Directory (AD) auditing to produce successful and failed entries in the Directory Service (DS) event log.

1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. (Select Programs, Administrative Tools, Active Directory Users and Computers from the Start menu.)

2. From the View menu, select Advanced Features.

3. Expand the domain, right-click the Domain Controllers container, and select Properties from the context menu.

4. Select the Group Policy tab.

5. Select Default Domain Controllers Policy, and click Edit.

6. Expand the Computer Configuration branch, the Windows Settings branch, the Security Settings branch, and the Local Policies branch.

7. Select Audit Policy.

8. The rightmost window will show auditing levels. Double-click Audit Directory Service Access.

9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as the Screen shows. Click OK.

10. Close the Group Policy window.

11. In the main Domain Controllers Properties dialog box, click OK.

12. Close the Active Directory Users and Computers MMC snap-in.

You can use Event Viewer to view the logs in the Security log. Because domain controllers poll for policy changes every 5 minutes, the policy change might take as long as 5 minutes to take effect. Other domain controllers in the enterprise receive the changes after the 5-minute interval, plus replication time.

Which naming conventions does Active Directory use for objects?

Active Directory (AD) uses several naming conventions for objects. These naming conventions include the distinguished name (DN), relative distinguished name (RDN), Lightweight Directory Access Protocol (LDAP) URL name, LDAP canonical name, user principal name, and SAM account name.

The most popular method for naming AD objects is to use the DN. Every AD object has a DN that uniquely identifies the object in the Directory Service (DS). For example, the DN

/O=Internet/DC=COM/DC=SavillTech/CN=Users/CN=John Savill

identifies an object as follows:

/O=Internet - Organization=Internet
/DC=COM - Domain Component=COM
/DC=SavillTech - Domain Component=SavillTech (the full Domain Component is SavillTech.com)
/CN=Users - Common Name=Users
/CN=John Savill - Common Name=John Savill

A DN might also include an organizational unit (OU). For more information about DNs, see RFC 1779, A String Representation of Distinguished Names.

The RDN is also known as the friendly name. The RDN for the above example is CN=John Savill. The RDN for the Users container is CN=Users.

LDAP URL names begin with LDAP://, then include an LDAP server and a modified DN that identifies the object (e.g., LDAP://titanic.savilltech.com/ou=Sales,cn=JSavill,dc=SavillTech,dc=com).

An LDAP canonical name is the LDAP name without certain information (i.e., ou=, cn=, dc=). An example LDAP canonical name is savilltech.com/Sales/Jsavill. Many administrative tools use these names.

The user principal name contains the username and DNS domain name, linked with the symbol @ (e.g., [email protected]).

The SAM account name (e.g., savillj) is in the Windows NT 4.0 format. Because of this name's single-layer convention, each name must be unique within an organization.

Objects are actually stored as globally unique IDs. A GUID is a 128-bit number that generates at object creation and is stored in the object attribute objectGUID. GUIDs don't change.
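A parser for the name forms described above, added here as example code (not part of the original article): it handles the root-first slash-form DN shown on the page, comma-separated LDAP DNs with the RFC 1779 backslash escapes that keep a comma inside a value from being read as an RDN boundary, LDAP URLs, the RDN and the LDAP canonical name. The escaped value and the LDAP URL used in the test are constructed.

```python
"""Parse the Active Directory name forms described above: the LDAP DN (leaf
RDN first), the root-first slash form of the page's example, the RDN, the
LDAP URL and the LDAP canonical name. Example code added to this page."""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "John Savill")

def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` while honouring RFC 1779 backslash escapes, so a value
    such as 'Savill\\, John' stays one component instead of two."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts

def parse_dn(dn: str) -> List[RDN]:
    """Return the RDNs leaf-first. Accepts 'CN=x,CN=Users,DC=a,DC=com' or the
    root-first slash form '/O=Internet/DC=COM/DC=a/CN=Users/CN=x'."""
    if dn.startswith("/"):
        comps = [c for c in _split_unescaped(dn[1:], "/") if c]
        comps.reverse()  # slash form lists the root first; normalise to leaf-first
    else:
        comps = _split_unescaped(dn, ",")
    rdns: List[RDN] = []
    for comp in comps:
        attr, _, value = comp.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {comp!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def rdn(dn: str) -> str:
    """The 'friendly name': the leaf RDN, e.g. 'CN=John Savill'."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def canonical_name(dn: str) -> str:
    """LDAP canonical name: DNS domain from the DC components, then the other
    components root-first, e.g. 'SavillTech.com/Users/John Savill'."""
    rdns = parse_dn(dn)
    domain = ".".join(v for a, v in rdns if a == "DC")
    # O=Internet in the slash form is above the DNS root and not part of the path.
    path = [v for a, v in reversed(rdns) if a not in ("DC", "O")]
    return "/".join([domain] + path)

def parse_ldap_url(url: str) -> Tuple[str, str]:
    """Split 'LDAP://server/dn' into (server, dn) for use with parse_dn()."""
    scheme, _, rest = url.partition("://")
    if scheme.upper() != "LDAP":
        raise ValueError(f"not an LDAP URL: {url!r}")
    server, _, dn = rest.partition("/")
    return server, dn
```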

How do I modify the Active Directory's garbage-collection period?

The Active Directory (AD) garbage-collection process performs two vital functions. First, it cleans up deleted objects. When you delete an object in AD, the system doesn't immediately delete the object because when replication occurs, a replication partner would recreate the object. Instead, the system uses a tombstone with a finite lifetime to mark the object as deleted. The tombstone replicates to all domain controllers (DCs), and after it expires, the garbage-collection agent deletes the object.

The garbage-collection process also performs online AD defragmentation.

By default this process runs every 12 hours on each DC. However, you can change this frequency by modifying the attribute garbageCollPeriod under the path CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=, DC=, DC=COM. The best way to modify the attribute is to use the Windows 2000 Support Tools' ldp.exe utility.

How does ntdsutil know it's in Directory Restore mode?

When you start the domain controller (DC) in Directory Restore mode, the DC sets the environment variable safeboot_option to "dsrepair." If you want to check something in ntdsutil that is allowed only in Directory Restore mode, you can "trick" the program by typing the following statement at a command prompt:

set SAFEBOOT_OPTION=DSREPAIR

Don't use this approach on a live or important machine because it could result in system damage if you try to perform system modifications when the system isn't in Directory Restore mode.

How do I create trusts from the command line in Windows 2000?

The Microsoft Windows 2000 Resource Kit's Trustdom tool lets you define trust relationships between Windows 2000 domains and one-way relationships with Windows NT 4.0 domains. You can create two types of one-way trusts: an outbound trust on the local or specified domain, and an inbound trust on the specified target domain.

Trustdom's syntax is

C:\> trustdom [[domain[:dc],]target_domain[:dc]] [Options]

The default switch is -out. To see a list of other switches, use the /? switch.

Why is the size of the ntds.dit file different on different domain controllers?

The ntds.dit file contains Active Directory (AD) information, and because all domain controllers (DCs) replicate AD, you might expect the file to be the same size on all DCs. However, you might find differently sized files because the database file is created individually on each DC, and the data, not the database file, replicates. Thus, several factors can lead to files with different sizes:

Over time, the database can become fragmented. Although objects are deleted while the database is online, you can't compact the database online (compacting requires a manual offline defragmentation).

If a DC is a Global Catalog (GC), it contains information about objects of other domains in the forest, thus making it larger than non-GC servers.

The displayed size of the ntds.dit file is the size of the file when you started the DC; if many objects are added and you restart one DC, that DC's ntds.dit file size will appear larger.

How can I set the RPC port that intrasite replication uses?


For security, Windows 2000 sets the remote procedure call (RPC) replication port dynamically. However, you might want to manually set the port (e.g., to monitor data).

1. Start regedit.

2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry entry.

3. From the Edit menu, select New, DWORD Value.

4. Enter

TCP/IP Port

and press Enter.

5. Double-click the new entry, and enter the port you want to use. (Make sure the port isn't already in use.) Click OK.

6. Close the registry editor.

7. Reboot the machine.

After monitoring finishes, you need to remove the registry entry you created. Removing this entry reinstates the security that dynamic RPC port allocation provides.
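An audit of the NTDS\Parameters values named in the KCC, replication-tuning and RPC-port sections above, run over the text that `reg query` prints for that key; added here as example code, not from the original article. The captured output is constructed, and the defaults it compares against (KCC every 900 seconds, first notification after 300 seconds, 30 seconds between partners, no static TCP/IP Port) are the ones the page states.

```python
"""Audit the NTDS\\Parameters registry values this page tunes (KCC interval,
replication notification delays, thread priority, static RPC port) from the
text output of `reg query`. Example code added to this page, not from the
original article; SAMPLE_REG_QUERY is constructed. A finding means the value
differs from the default the page gives, or the static port is still pinned."""
import re
from typing import Dict, List, Tuple

NTDS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

# Page-stated defaults; these values exist in the registry only once changed.
DEFAULTS = {
    "Repl topology update period (secs)": 900,
    "Replicator notify pause after modify (secs)": 300,
    "Replicator notify pause between DSAs (secs)": 30,
}

# Constructed: what `reg query "<NTDS_KEY>"` prints on a DC whose KCC interval
# was doubled, replication set to high priority and a fixed RPC port pinned.
SAMPLE_REG_QUERY = NTDS_KEY + r"""
    DSA Database file    REG_SZ    C:\WINNT\NTDS\ntds.dit
    Repl topology update period (secs)    REG_DWORD    0x708
    Replicator notify pause after modify (secs)    REG_DWORD    0x12c
    replication thread priority high    REG_DWORD    0x1
    TCP/IP Port    REG_DWORD    0xc000
"""

_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

def parse_reg_query(text: str) -> Dict[str, Tuple[str, object]]:
    """Map value name -> (type, data). Names may contain single spaces, so the
    fields are split on runs of whitespace; REG_DWORD hex data becomes int."""
    values: Dict[str, Tuple[str, object]] = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if not m:
            continue  # the key-path line or a blank line
        data: object = m["data"].strip()
        if m["type"] == "REG_DWORD":
            data = int(str(data), 16)
        values[m["name"]] = (m["type"], data)
    return values

def audit_ntds_parameters(values: Dict[str, Tuple[str, object]]) -> List[str]:
    """Findings for the replication settings discussed on this page."""
    findings: List[str] = []
    for name, default in DEFAULTS.items():
        if name in values and values[name][1] != default:
            findings.append(f"{name} = {values[name][1]} (default {default})")
    if values.get("replication thread priority high", ("", 0))[1] == 1:
        findings.append("replication runs at high thread priority")
    if "TCP/IP Port" in values:
        port = values["TCP/IP Port"][1]
        findings.append(f"static RPC replication port {port} pinned; remove when monitoring ends")
    return findings

if __name__ == "__main__":
    for finding in audit_ntds_parameters(parse_reg_query(SAMPLE_REG_QUERY)):
        print("-", finding)
```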