Active Directory Product Operations Guide

Log on to the domain controller by using the account that has domain administrator or backup operator credentials.

Start the Windows Backup Wizard.

By default, the Always Start in Wizard Mode check box is checked. You can leave this option selected, and click Next.

Select the Back up files and settings option, and then click Next.

Select the Let me choose what to back up option, and then click Next.

In the Items to Back Up window, expand My Computer by clicking the plus sign.

From the expanded list below My Computer, check the SystemState option, and then click Next.

Select a location to store the backup.

Enter a name for this backup, and click Next.

On the last page of the wizard, select Advanced.

Do not change the default options for Type of Backup. Normal should be selected, and the check box should remain cleared for Backup migrated remote storage data. Click Next.

Check the Verify data after backup option, and then click Next.

In the Backup Options dialog box, select a backup option, and then click Next.

Allow only the owner and administrator access to the backup data and to any backups appended to this medium; click Next.

In the When to back up box, select the appropriate option for your needs, and click Next.

If you are satisfied with all of the options selected, click Finish to perform the back up operation according to your selected schedule.

Note: The system state can also be backed up using backup from a command line with appropriate parameters. For more information, refer to the command-line reference accessible by typing ntbackup -? from a command prompt.

Log on to the domain controller by using an account that has domain administrator, local administrator, or backup operator credentials.

Start the Windows Backup Wizard by choosing one of the following options:

Click the Backup Wizard button, and then click Next.

Select Back up selected files, drives, or network data.

In Items to Back Up, click SystemState to select it. Then select the drive letter containing the system files, and click the system disk. Click Next.

In the Where to Store the Backup box, select the backup media type by choosing one of the following options:

In the Backup Media or File Name box, choose one of the following options:

After you click Next, the Completing the Backup Wizard screen appears. This screen summarizes the options selected for this backup job. Verify that Prompt to replace data is listed in the How category. If it is not, click the Advanced button, click Next until you reach the Media Options screen, and then select Replace the data on the media with this backup.

Complete the remaining wizard screens, and click Finish to begin the backup operation. When a Replace Data dialog box appears, click Yes to overwrite the existing backup on this tape or file path with this backup. A progress indicator shows the status of the backup operation.

Restart the domain controller.

When the screen for selecting an operating system appears, press F8.

From the Windows Advanced Options menu, select Directory Services Restore Mode.

When prompted, log on as the local administrator.

Open the command prompt.

Find the outbound partners for this domain controller by typing: repadmin /showrepl /repsto <local domain controller name> and press ENTER.

This repadmin command will output a list that contains information about all of the outbound neighbors. For each neighbor, verify that the last synchronization attempt was successful and has a time stamp that indicates it has replicated since restore.

If replication has not been successful, you can force replication between this domain controller and its outbound partners rather than waiting for the next replication cycle. From a command prompt, run repadmin /syncall /ed /A /P /q.

Check for replication errors in the output of the command in the previous step. If there are no errors, then replication has been successful. Any replication errors that exist must be rectified in order for replication to be completed.

In Directory Services Restore Mode, start the Windows Server 2003 backup utility. Go to Start > Programs > Accessories > System Tools > Backup.

Click the Restore Wizard button, and then click Next.

Select the appropriate backup location and ensure that at least the System disk and SystemState containers are selected.

Click the Advanced button.

In Restore Files to list, select Original Location, and then click Next.

In the Advanced Restore Options window, check the boxes for:

Click Finish.

When the restore is complete, click Close, and then click Yes to restart the computer.

From a command prompt or the Run text box, type repadmin /options +DISABLE_INBOUND_REPL and then press ENTER.

Verify that the option is set. You should get this message: repadmin running command /options against server localhost.

From a command prompt or the Run text box, type repadmin /options . -DISABLE_INBOUND_REPL and then press ENTER.

Verify that the option is set. You should get this message: repadmin running command /options against server localhost.

From a command prompt or the Run text box, type ntdsutil to start the tool.

At the ntdsutil: prompt, type authoritative restore and press ENTER.

For assistance with the Ntdsutil command line-tool, type help at any time.

Type List NC CRs and press ENTER.

NTDSUTIL will output a list of the application partitions that are available after the restore, and the associated cross references. Note the cross-reference distinguished name and application-partition distinguished name that corresponds to the application partition you wish to restore.

Type restore subtree <App Partition DN>, where App Partition DN is the distinguished name of the application partition noted above.

Ntdsutil will provide a confirmation dialog. Click Yes to proceed.

The output message will indicate the status of the operation. There should be no failures.

Type restore object <Cross Ref DN> (where Cross Ref DN is the distinguished name of the application partition cross reference noted above) and press ENTER.

Ntdsutil will provide a confirmation dialog. Click Yes to proceed.

The output message will indicate the status of the operation. There should be no failures.

Quit the Ntdsutil tool.

From a command prompt or the Run text box, type ntdsutil to start the tool.

At the ntdsutil: prompt, type authoritative restore and press ENTER.

For assistance with the Ntdsutil command line-tool, type help at any time.

To restore an object, type restore object <object DN> (where object DN is the distinguished name of the object that is to be marked authoritative).

If you were to restore a deleted user named John Smith in a corp.contoso.com domain, the command would be similar to: restore object CN=John Smith,CN=Users,DC=corp,DC=contoso,DC=com. Always enclose the distinguished name in quotes when there is a space or other special characters within the distinguished name.

Press ENTER. Ntdsutil will start the attempt to mark the object as authoritative. The output message will indicate the status of the operation. The most common cause of failure is an incorrectly specified distinguished name, or a backup for which the DN does not exist (which would occur if you tried to restore a deleted user that was created after the backup).

Quit the Ntdsutil tool.

After the restore operation completes, restart the computer in Start Windows Normally mode. Active Directory and Certificate Services automatically detect that they have been recovered from a backup. They perform an integrity check and re-index the database.

After you are able to log on to the system, browse Active Directory. Verify that all of the User objects and Group objects that were present in the directory prior to backup are restored. Similarly, verify that files that were members of a File Replication service (FRS) replica set and certificates that were issued by the Certificate Services are present.

Click the Restore tab.

Select SystemState. (You need not restore the system disk to an alternate location.)

In the Restore Files to drop-down list, ensure that Alternate Location is selected, and designate an alternate location.

When the restore process is finished, close the backup utility.

At the command line, type ntdsutil and press ENTER.

At the ntdsutil: prompt, type metadata cleanup and press ENTER.

At the metadata cleanup: prompt, type connections and press ENTER.

At the server connections: prompt, type connect to server servername, where servername is the domain controller (any functional domain controller in the same domain) from which you plan to clean up the metadata of the failed domain controller. Press ENTER.

Type quit and press ENTER to return to the metadata cleanup: prompt.

Type select operation target and press ENTER.

Type list domains and press ENTER.

This lists all domains in the forest with a number associated with each.

Type select domain number, where number is the number corresponding to the domain in which the failed server was located. Press ENTER.

Type list sites and press ENTER.

Type select site number, where number refers to the number of the site in which the domain controller was a member. Press ENTER.

Type list servers in site and press ENTER. This will list all servers in that site with a corresponding number.

Type select server number, where number refers to the domain controller to be removed, and press ENTER.

Type quit and press ENTER.

The Metadata cleanup menu is displayed.

Type remove selected server and press ENTER.

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, Active Directory might have already removed the domain controller.

Type quit and press ENTER until you return to the command prompt.

In Active Directory Sites and Services, expand the appropriate site.

Delete the Server object associated with the failed domain controller.

In Active Directory Users and Computers, expand the domain controller's container.

Delete the Computer object associated with the failed domain controller.

In the Run text box, type dcpromo and click OK.

The Active Directory Installation Wizard appears. At the Welcome screen, click Next.

For Domain Controller Type, select Additional domain controller for an existing domain. Click Next.

For Network Credentials, enter the user name, password, and domain for the user account that has permission to add this new domain controller to the domain. Click Next.

Enter the name of the domain that you want the new domain controller to host. Click Next.

For Database and Log Locations, enter the paths for the locations of the directory database (Ntds.dit) and the log files. For better performance, store the database and log files on separate physical disk drives. Click Next.

For Shared System Volume, enter the path where you want to locate the system volume (SYSVOL). Click Next.

Under Directory Services Restore Mode Administrator Password, enter the password that you want to use when you need to start Directory Services Restore Mode. Click Next.

The Summary screen displays a list of the items you chose. Verify that the information is correct, and then click Next to proceed with the installation.

The wizard proceeds to install Active Directory. When it finishes, the wizard displays a summary screen listing the domain and site in which the new domain controller is a member. Verify that this information is correct. Click Finish to close the wizard.

Click Restart to restart the domain controller.

Let the domain controller restart. If any message indicates that one or more services has failed to start, restart the domain controller one more time. If the initial replication cycles have not had enough time to complete during the first restart on a new domain controller, some services may be unable to start successfully. If the message appears during additional restarts, examine the event logs in Event Viewer to determine the cause of the problem.

In the Run text box, type dcpromo /adv and click Next.

Select Additional domain controller for exiting domain.

Select From these restored backup files and point to the same location where you had restored the system state data.

Since the domain controller you are promoting was a global catalog server, the Active Directory Installation Wizard will ask you whether you want this server to also be a global catalog.

Give appropriate credentials for the operation.

Enter the domain in which you want to place the new domain controller in. It has to be the same domain of the domain controller whose system state data you are using.

Continue with the remaining steps of dcpromo.

Insert the Windows Server 2003 CD-ROM into the computers CD-ROM drive or DVD-ROM drive. Press and hold down the SHIFT key as you insert the CD to prevent it from starting automatically.

Start Windows Explorer, and then open the Support\Tools folder on the Windows Server 2003 CD-ROM.

In the details pane, double-click the Deploy.cab file to open it.

On the Edit menu, click Select All.

On the Edit menu, click Copy.

Create a new folder on your local hard disk. To do this:

Right-click the new folder that you created, and then click Paste.

Double-click the new folder to open it, and then double-click the Setupmgr.exe file. The Setup Manager wizard starts. Follow the instructions in the wizard to create an answer file.

Ensure that the computer is using a static IP address. Right-click My Network Places and click Properties.

In the Network and Dial-up Connections dialog box, right-click the connection that represents the connection this computer uses to attach to your network. The default label is Local Area Connection, but this can be changed, so it might not be labeled the same on your computer. Click Properties.

In the Local Area Connection Properties dialog box, click once on Internet Protocol (TCP/IP) to highlight it (be sure that you do not clear the check box in front of it), and then click Properties.

In the Internet Protocol (TCP/IP) Properties dialog box, ensure that Use the following IP address: is selected and that a valid IP address, subnet mask, and default gateway appear. Click OK to close the dialog box. Click OK again to return to your desktop.

In Control Panel, click Add/Remove Programs. Click Add/Remove Windows Components.

Scroll down to Networking Services. Highlight it and click Details.

In the Networking Services dialog box, select the check box in front of Domain Name System (DNS). Click OK.

Click Next. Provide the location of the installation files, if necessary. After the installation is complete, click Finish to end the wizard, and then click Close to exit Add/Remove Programs.

In the Run text box, type adsiedit.msc and press ENTER.

Double-click DomainNC [machinename] (where machinename is the name of this domain controller). Verify that the Domain NC expands to display the domain component (DC=) folder.

Click the domain component to display the containers and OUs in the details pane. Double-click the Domain Controllers OU to display the containers that represent the domain controllers.

Double-click the container that represents this domain controller (CN=computername) to display more containers.

Double-click the CN=NTFRS Subscriptions container.

Right-click the CN=Domain System Volume container, and click Properties.

In the Select which properties to view list, select Mandatory.

In the Select a property to view list, select fRSRootPath. The current value appears in the Value(s) box.

Record the current value in the table above. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in the table.

Click Cancel to close the dialog box.

In the Run text box, type adsiedit.msc and press ENTER.

Double-click DomainNC [machinename] (where machinename is the name of this domain controller). Verify that the Domain NC expands to display the domain component (DC=) folder.

Click the domain component to display the containers and OUs in the details pane. Double-click the Domain Controllers OU to display the containers that represent the domain controllers.

Double-click the container that represents this domain controller (CN=computername) to reveal more containers.

Double-click the CN=NTFRS Subscriptions container.

Right-click the CN=Domain System Volume container, and click Properties.

In the Select which properties to view list, select Mandatory.

In the Select a property to view list, select fRSStagingPath. The current value appears in the Value(s) box.

Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

In the Run text box, type regedit and press ENTER.

In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

Sysvol appears in the details pane. The current value is listed in the Data column.

Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

At a command prompt, change the directory to %systemroot%\SYSVOL\Sysvol.

Note: This assumes that the system volume is still in the default location. If it has been relocated, substitute the appropriate paths into these instructions.

At the command prompt, type dir. Verify that the fully qualified domain name (FQDN) is listed as type <JUNCTION>.

At the command prompt, type linkd fqdn (where fqdn is the domain name listed in the Dir output). This displays the value stored in the junction point. Press ENTER.

Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

At a command prompt, change the directory to <%systemroot%>\SYSVOL\Staging Areas.

Note: This assumes that the staging area is still in the default location. If it has been relocated, substitute the appropriate paths into these instructions.

At the command prompt, type dir. Verify that the fully qualified domain name is listed as type <JUNCTION>.

At the command prompt, type linkd fqdn (where fqdn is the domain name listed in the Dir output). This displays the value stored in the junction point. Press ENTER.

Record the current value in Table 1. Based on the folder structure discussed earlier and the new location, record the new path value for this parameter in Table 1.

Log on locally or open a Terminal Services connection to the server for which you want to check the IP address.

On the desktop, right-click My Network Places, and then click Properties.

In the Network and Dial-up Connections dialog box, right-click Local Area Connection, and then click Properties.

Double-click Internet Protocol (TCP/IP).

Use the values in IP address and Subnet mask to calculate the subnet address.

In Active Directory Sites and Services, expand the Sites container, and then click the Subnets container.

In the Name column in the details pane, find the Subnet object that matches the subnet address.

In the Site column, note the site to which the IP subnet address is associated.

To ensure that the operations masters can be located, at a command prompt, type:

dcdiag /s: domaincontroller /test:knowsofroleholders /verbose
where domaincontroller is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters. Press ENTER.

To test to ensure the operations masters are functioning properly and are available on the network, at a command prompt, type:

dcdiag /s: domaincontroller /test:fsmocheck
where domaincontroller is the name of a domain controller in the domain in which you want to add the new domain controller. The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of your screen, a message confirms that the test succeeded. Press ENTER.