
How do I manually defragment Active Directory?

Windows 2000 servers running Directory Services (DSs) perform a directory online defragmentation every 12 hours by default as part of the garbage-collection process. This defragmentation only moves data around the database file (ntds.dit) and doesn't reduce the file's size. To create a new, smaller ntds.dit file by performing an offline defragmentation, follow these steps.

1. Back up Active Directory (AD) (see the FAQ How do I back up Active Directory and the System State?).
2. Reboot the server, select the OS option, and press F8 for advanced options.
3. Select the Directory Services Restore Mode option, and press Enter. Press Enter again to start the OS.
4. Win2K will start in safe mode, with no DS running.
5. Log on with the local SAM's Administrator account and password.
6. You'll see a dialog box that says you're in safe mode. Click OK.
7. From the Start menu, select Run and type cmd.exe.
8. In the command window, you'll see the following text. (Enter the commands in bold.)
   C:\> ntdsutil
   ntdsutil: files
   file maintenance: info
   ....
   file maintenance: compact to c:\temp

9. You'll see the defragmentation process. If the process was successful, enter

   quit

   to return to the command prompt.
10. Replace the old ntds.dit file with the new, compressed version. (Enter the commands in bold.)

   C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

11. Restart the computer, and boot as normal.

How does intrasite replication work in Windows 2000?


Windows 2000's Knowledge Consistency Checker (KCC) automatically manages replication within a site. The KCC uses a bidirectional ring topology that uses remote procedure call (RPC) over TCP/IP without compression. Domain controllers (DCs) within a site are typically on a fast network (per the definition of a site), and the extra processing necessary for compression and decompression is undesirable.

The KCC runs every 15 minutes, adjusting the topology as necessary. As you create new DCs, the KCC automatically places them in the ring. To view the DC links, you can use the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. Expand the site, the Servers container, and the server. Under the NTDS Settings branch are the created connection objects. Because the KCC runs on all DCs, the rings are in order of the DCs' globally unique IDs (GUIDs) to ensure convergence on one topology. An exception to the ring rule is that no more than three hops can exist between two DCs within the ring. To protect the three-hop rule, the KCC adds extra links for seven or more DCs, as the Figure shows.

These rings are for the same naming context (i.e., domain) in one site. If you have multiple domains in a site, a ring exists for each domain in the site. Another type of ring replicates schema and configuration information between DCs, as the Figure shows. Because all the domains share this information (i.e., the information is forestwide), each site has only one such ring. Thus, if you have two domains in a site, you have three rings: one ring for each domain and one ring for the schema and configuration information. If you have only one domain in a site, one ring functions as two.

Manual configuration of intrasite replication is unnecessary, and Microsoft doesn't recommend such configuration. The only task you might need to perform is adding extra connection objects to reduce the hop count between DCs.

When you make a change to the naming context (i.e., domain) data, the DC's local copy of Active Directory (AD) records the change, then the DC waits 5 minutes (by default) before notifying its replication partners of the change. You can continue to make changes during this time period. The delay exists so that all changes transmit at once. If no changes occur during a particular time period (which you can configure in the intrasite connection object schedule), a replication sequence initiates to ensure no changes were missed.

The SAM or the Local Security Authority (LSA) can trigger urgent replication during the following events: replication of a newly locked-out account (e.g., if you fire someone), change of an LSA secret (i.e., a trust account), and state changes to the Relative Identifier (RID) Manager. These events trigger immediate replication. Because urgent replication requires notification, this type of replication occurs only within a site (i.e., intrasite). However, you can modify site links to enable notification.

An exception to multimaster normal replication is user passwords. As with other attribute changes, you can change a user password at any DC. However, the DC pushes the change to the PDC Flexible Single-Master Operation (FSMO) role holder on a best-attempt basis. Other DCs receive the password through normal replication. The reason for the extra password work is that if password validation fails, the validating DC will pass the request to the PDC FSMO in case the password has changed and the DC hasn't yet received the new password via standard replication.
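To make the ring rules above concrete, here is an added example (my own code, not from the FAQ or from Microsoft) that orders DCs by GUID, builds the bidirectional ring, measures hop counts, and adds connection objects until no two DCs are more than three hops apart. The greedy choice of which extra link to add and the sample GUIDs are this example's assumptions; the FAQ does not describe how the KCC picks its extra links.

```python
from collections import deque
import uuid

MAX_HOPS = 3  # the FAQ's rule: no more than three hops between two DCs in a ring

def ring_count(domains_in_site):
    """Rings per site: one per domain naming context plus one for schema and
    configuration; with a single domain one ring serves both."""
    return 1 if domains_in_site == 1 else domains_in_site + 1

def ring_order(dc_guids):
    """Every DC runs the KCC, so the ring is ordered by DC GUID to converge on one topology."""
    return sorted(dc_guids, key=lambda g: uuid.UUID(g).bytes)

def hop_counts(order, conns):
    """Breadth-first shortest hop count between every pair of DCs over the connection objects."""
    adj = {dc: set() for dc in order}
    for a, b in conns:
        adj[a].add(b)
        adj[b].add(a)
    dist = {}
    for src in order:
        seen, queue = {src: 0}, deque([src])
        while queue:
            cur = queue.popleft()
            for nb in adj[cur]:
                if nb not in seen:
                    seen[nb] = seen[cur] + 1
                    queue.append(nb)
        dist[src] = seen
    return dist

def kcc_topology(dc_guids):
    """Build the bidirectional ring, then add extra connection objects until no
    pair of DCs is more than MAX_HOPS apart.  Linking the worst pair each round
    is this example's simplification (assumption), not the KCC's own selection logic."""
    order = ring_order(dc_guids)
    n = len(order)
    conns = {(order[i], order[(i + 1) % n]) for i in range(n)} if n > 1 else set()
    extra = []
    while n > 1:
        dist = hop_counts(order, conns)
        worst = max((dist[order[i]][order[j]], i, j)
                    for i in range(n) for j in range(i + 1, n))
        if worst[0] <= MAX_HOPS:
            break
        link = (order[worst[1]], order[worst[2]])
        conns.add(link)
        extra.append(link)
    return order, conns, extra

def max_hops(dc_guids):
    """Largest hop count left after the KCC-style topology has been built."""
    order, conns, _ = kcc_topology(dc_guids)
    dist = hop_counts(order, conns)
    return max((dist[a][b] for a in order for b in order), default=0)

# Constructed sample: eight DC GUIDs (not real objectGUID values) in one site.
SAMPLE_DCS = [str(uuid.UUID(int=i * 0x9E3779B97F4A7C15)) for i in range(1, 9)]
```

With six DCs the plain ring already satisfies the rule; with eight, the ring alone puts opposite DCs four hops apart and two extra connection objects bring it back within three.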

How do I automatically upgrade a server to a domain controller during installation?


You can automatically run DCPROMO during an unattended installation. Enter the command
dcpromo /answer:%path_to_answer_file%

In my example, the DCInstall section and parameters are added directly to the unattended answer file. The Microsoft Windows 2000 Resource Kit details the DCInstall section's parameters in the file Unattend.doc. I've listed the main entries in the following table.

Parameter - Description
AdministratorPassword - The new password for the domain Administrator account
AutoConfigDNS - Specifies whether the wizard should configure DNS
ChildName - Name of the child part of the domain
CreateOrJoin - Specifies whether the domain will join an existing forest or create a new one
DatabasePath - Location for the Active Directory database
DNSOnNetwork - Used when a new forest of domains is installed and no DNS client is configured on the computer
DomainNetBiosName - NetBIOS name for the domain
IsLastDCInDomain - Only valid when demoting an existing domain controller to a member server
LogPath - Path for the Directory Service (DS) logs
NewDomainDNSName - Name of the new tree or when a new forest is created
ParentDomainDNSName - Specifies the name of the parent domain
Password - Password for the username used to promote the server
RebootOnSuccess - Specifies whether an automatic reboot should be performed
ReplicaDomainDNSName - Name of the domain to be replicated from
ReplicaOrMember - Specifies whether a Windows NT 4.0 or 3.51 BDC being upgraded should become a replica domain controller or be demoted to a regular member server
ReplicaOrNewDomain - Specifies whether the machine is a new domain controller in a new domain or a replica of an existing domain
SiteName - Name of the site (Default-First-Site by default)
SysVolPath - Path of SYSVOL
TreeOrChild - Specifies whether the entry is a new tree or a child of an existing domain
UserDomain - Domain for the user being used in promotion
UserName - Name of the user performing the upgrade

Because the DCPROMO process occurs after setup, the created answer file is called $winnt$.inf and copies to the \system32 folder. The parameters are in this file, so you need to add the following text to the GUIRunOnce section of the unattended Setup answer file.
[GUIRunOnce]
"DCpromo /answer:%systemroot%\system32\$winnt$.inf"

After the DCPROMO process completes, DCPROMO removes password information from the $winnt$.inf file. Because the RunOnce command doesn't execute until someone logs on to the computer, you can add the following text to the unattended answer file to make this process easier.
[GUIUnattended]
Autologon = yes ; automatically logs on the administrator account
AutoLogoncount = n ; number of times to perform auto-admin logon

Don't use items such as %systemroot% or %windir%, because the unattended installation process doesn't understand them. You can just create a DCInstall section directly in your unattend.txt file to avoid having multiple unattended setup files. Enter text such as the following.
[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree

My example script would create a new forest with the domain savtech.com at the top and the new domain controller in the site London. The SYSVOL, logs, and Active Directory (AD) files would be in the default locations. The new domain Administrator account password would be cartman. If you want to use DCPROMO outside an unattended installation, enter
dcpromo /answer:<DCInstall answer filename>

You'll see a dialog box that says DCPROMO is running in unattended mode. Then, the machine will reboot.
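As an added example (my own code, not from the FAQ or the Resource Kit), the following renders a [DCInstall] section from the parameters in the table above, enforcing the two caveats the FAQ gives: values containing %...% tokens are rejected because unattended Setup does not expand them, and a second helper reports password keys still present in a $winnt$.inf left on disk after a promotion, since DCPROMO is supposed to remove them. The sample parameter values are constructed from the FAQ's own example.

```python
import re

# DCInstall parameters listed in the FAQ's table (Unattend.doc, Windows 2000 Resource Kit).
DCINSTALL_KEYS = {
    "AdministratorPassword", "AutoConfigDNS", "ChildName", "CreateOrJoin",
    "DatabasePath", "DNSOnNetwork", "DomainNetBiosName", "IsLastDCInDomain",
    "LogPath", "NewDomainDNSName", "ParentDomainDNSName", "Password",
    "RebootOnSuccess", "ReplicaDomainDNSName", "ReplicaOrMember",
    "ReplicaOrNewDomain", "SiteName", "SysVolPath", "TreeOrChild",
    "UserDomain", "UserName",
}
SECRET_KEYS = {"AdministratorPassword", "Password"}
ENV_TOKEN = re.compile(r"%[^%]+%")   # %systemroot%, %windir% and similar

def render_dcinstall(params):
    """Render a [DCInstall] section for unattend.txt.

    Rejects keys the FAQ's table does not list and any value containing a
    %...% token, because unattended Setup does not expand environment variables."""
    lines = ["[DCInstall]"]
    for key, value in params.items():
        if key not in DCINSTALL_KEYS:
            raise ValueError(f"unknown DCInstall parameter: {key}")
        if ENV_TOKEN.search(str(value)):
            raise ValueError(f"{key}: unattended Setup does not expand {value!r}")
        lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"

def leftover_secrets(inf_text):
    """Return the password keys that still carry a value in the [DCInstall]
    section of a $winnt$.inf found on disk.  DCPROMO removes password
    information after it completes, so a hit means the promotion did not run
    or the file needs cleaning up by hand."""
    found = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop INI comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if (section == "dcinstall" and sep
                and key.strip() in SECRET_KEYS and value.strip()):
            found.append(key.strip())
    return found

# Constructed sample matching the FAQ's example (names and password are illustrative).
SAMPLE_PARAMS = {
    "AdministratorPassword": "cartman", "CreateOrJoin": "Create",
    "DomainNetBiosName": "savtech", "NewDomainDNSName": "savtech.com",
    "RebootOnSuccess": "Yes", "ReplicaOrNewDomain": "Domain",
    "SiteName": '"London"', "TreeOrChild": "Tree",
}
```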

How can I move the Active Directory log files?


Along with the ntds.dit file, Active Directory (AD) keeps several log files that you might want to move to a faster disk. To do so, perform the following steps:

1. Restart the domain controller (DC).
2. Press F8 at the Startup menu when the system displays the list of OSs.
3. Select Directory Services Restore Mode.
4. Select the appropriate installation, if more than one exists, and then log on as an administrator at the logon prompt.
5. Start a command prompt (Start, Run, cmd.exe).
6. Start the NTDS utility, ntdsutil.exe.
7. At the ntdsutil prompt, type "files" as shown below:

   ntdsutil: files

8. At the file maintenance prompt, type the following:

   file maintenance: move logs to [new location for file]

9. To view the log files, at the file maintenance prompt, type "info":

   file maintenance: info

10. Type "quit" (without the quotation marks) twice to return to a C prompt.
11. Restart the computer in Normal mode.

How do I change how often the Knowledge Consistency Checker runs?


The Knowledge Consistency Checker (KCC), which manages connection objects for inter- and intrasite replication, runs every 15 minutes by default. To change this time period, start regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry. From the Edit menu, select New, DWORD Value. Enter
Repl topology update period (secs)

and press Enter. Double-click the new value, and enter the number of seconds for how often you want the KCC to run. Click OK, then close the Registry editor. Restart the machine for the change to take effect.

How do I tune Active Directory replication?


You can use one of several settings under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters Registry entry to modify elements of Active Directory (AD) replication.

When you make a change to AD, a timer starts. This timer specifies how long the domain controller will wait before notifying its first replication partner of the change. The default time is 5 minutes. To change this time period, edit the Replicator notify pause after modify (secs) value under that Registry entry, as the screen shows.

After the domain controller notifies its first replication partner, it waits before notifying each subsequent replication partner. This delay prevents simultaneous replies from the replication partners. The default time is 30 seconds. To change this time period, edit the Replicator notify pause between DSAs (secs) value under the same Registry entry, as the screen shows.

You can modify other values to enhance a multiple-CPU system's performance. For example, set the replication thread priority high value to 1 to run replication at high priority. If you don't set this value, or you set it to 0, replication will run at low priority. Set the replication thread priority low value to 1 to run replication at low priority. If you set this value to -1, the value is ignored.

How do I audit Active Directory?


You can configure Active Directory (AD) auditing to produce successful and failed entries in the Directory Service (DS) event log.

1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. (Select Programs, Administrative Tools, Active Directory Users and Computers from the Start menu.)
2. From the View menu, select Advanced Features.
3. Expand the domain, right-click the Domain Controllers container, and select Properties from the context menu.
4. Select the Group Policy tab.
5. Select Default Domain Controllers Policy, and click Edit.
6. Expand the Computer Configuration branch, the Windows Settings branch, the Security Settings branch, and the Local Policies branch.
7. Select Audit Policy.
8. The rightmost window will show auditing levels. Double-click Audit Directory Service Access.
9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as the Screen shows. Click OK.
10. Close the Group Policy window.
11. In the main Domain Controllers Properties dialog box, click OK.
12. Close the Active Directory Users and Computers MMC snap-in.

You can use Event Viewer to view the entries in the Security log. Because domain controllers poll for policy changes every 5 minutes, the policy change might take as long as 5 minutes to take effect. Other domain controllers in the enterprise receive the changes after the 5-minute interval, plus replication time.

Which naming conventions does Active Directory use for objects?


Active Directory (AD) uses several naming conventions for objects. These naming conventions include the distinguished name (DN), relative distinguished name (RDN), Lightweight Directory Access Protocol (LDAP) URL name, LDAP canonical name, user principal name, and SAM account name. The most popular method for naming AD objects is to use the DN. Every AD object has a DN that uniquely identifies the object in the Directory Service (DS). For example, the DN /O=Internet/DC=COM/DC=SavillTech/CN=Users/CN=John Savill identifies an object as follows:

/O=Internet - Organization=Internet
/DC=COM - Domain Component=COM
/DC=SavillTech - Domain Component=SavillTech (the full Domain Component is SavillTech.com)
/CN=Users - Common Name=Users
/CN=John Savill - Common Name=John Savill

A DN might also include an organizational unit (OU). For more information about DNs, see RFC 1779 A String Representation of Distinguished Names. The RDN is also known as the friendly name. The RDN for the above example is CN=John Savill. The RDN for the Users container is CN=Users.

LDAP URL names begin with LDAP://, then include an LDAP server and a modified DN that identifies the object (e.g., LDAP://titanic.savilltech.com/ou=Sales,cn=JSavill,dc=SavillTech,dc=com). An LDAP canonical name is the LDAP name without certain information (i.e., ou=, cn=, dc=). An example LDAP canonical name is savilltech.com/Sales/Jsavill. Many administrative tools use these names. The user principal name contains the username and DNS domain name, linked with the symbol @ (e.g., jsavill@savilltech.com). The SAM account name (e.g., savillj) is in the Windows NT 4.0 format. Because of this name's single-layer convention, each name must be unique within an organization. Objects are actually stored as globally unique IDs (GUIDs). A GUID is a 128-bit number that is generated at object creation and stored in the object attribute objectGUID. GUIDs don't change.
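The conversions between these naming forms, as an added example (my own code, not from the FAQ): it parses both the root-first slash DN and the leaf-first comma DN, and derives the RDN, the LDAP canonical name, the server and DN from an LDAP URL name, and the UPN. The sample DN and URL are adapted from the FAQ's examples (the URL's DN is written leaf-first, cn before ou); treating components above the first DC, such as O=Internet, as outside the canonical name is an assumption of this example.

```python
import re

def parse_dn(dn):
    """Return the DN's components root-first as (type, value) pairs.

    Accepts both notations the FAQ uses: the slash form that starts at the
    root (/O=Internet/DC=COM/...) and the comma-separated LDAP string form
    (cn=JSavill,ou=Sales,dc=SavillTech,dc=com), which lists the leaf first.
    """
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]        # already root-first
    else:
        parts = re.split(r"(?<!\\),", dn)[::-1]        # leaf-first, so reverse
    comps = []
    for part in parts:
        typ, _, val = part.partition("=")
        comps.append((typ.strip().upper(), val.strip().replace("\\,", ",")))
    return comps

def rdn(dn):
    """The relative distinguished name (friendly name): the leaf component."""
    typ, val = parse_dn(dn)[-1]
    return f"{typ}={val}"

def canonical_name(dn):
    """LDAP canonical name: the DNS domain built from the DC components, then
    the remaining container and leaf values joined by '/', with the ou=/cn=/dc=
    tags dropped.  Assumption: components above the first DC (the O=Internet
    root in the FAQ's example) are left out, matching its savilltech.com/... form."""
    comps = parse_dn(dn)
    first_dc = next(i for i, (t, _) in enumerate(comps) if t == "DC")
    dcs = [v for t, v in comps[first_dc:] if t == "DC"]
    rest = [v for t, v in comps[first_dc:] if t != "DC"]
    return "/".join([".".join(reversed(dcs)).lower()] + rest)

def parse_ldap_url(url):
    """Split an LDAP URL name (LDAP://server/dn) into the server and the DN."""
    m = re.fullmatch(r"(?i)ldap://([^/]+)/(.+)", url)
    if not m:
        raise ValueError(f"not an LDAP URL name: {url}")
    return m.group(1), m.group(2)

def upn(username, dns_domain):
    """User principal name: username and DNS domain name joined with '@'."""
    return f"{username}@{dns_domain}"

# Constructed sample inputs adapted from the FAQ's own examples.
SAMPLE_DN = "/O=Internet/DC=COM/DC=SavillTech/CN=Users/CN=John Savill"
SAMPLE_URL = "LDAP://titanic.savilltech.com/cn=JSavill,ou=Sales,dc=SavillTech,dc=com"
```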

How do I modify the Active Directory's garbage-collection period?


The Active Directory (AD) garbage-collection process performs two vital functions. First, it cleans up deleted objects. When you delete an object in AD, the system doesn't immediately delete the object, because when replication occurs, a replication partner would recreate the object. Instead, the system uses a tombstone with a finite lifetime to mark the object as deleted. The tombstone replicates to all domain controllers (DCs), and after it expires, the garbage-collection agent deletes the object. The garbage-collection process also performs online AD defragmentation. By default, this process runs every 12 hours on each DC. However, you can change this frequency by modifying the attribute garbageCollPeriod under the path CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=, DC=, DC=COM. The best way to modify the attribute is to use the Windows 2000 Support Tools' ldp.exe utility.

How does ntdsutil know it's in Directory Restore mode?


When you start the domain controller (DC) in Directory Restore mode, the DC sets the environment variable safeboot_option to "dsrepair." If you want to check something in ntdsutil that is allowed only in Directory Restore mode, you can "trick" the program by typing the following statement at a command prompt:

set SAFEBOOT_OPTION=DSREPAIR

Don't use this approach on a live or important machine because it could result in system damage if you try to perform system modifications when the system isn't in Directory Restore mode.

How do I create trusts from the command line in Windows 2000?


The Microsoft Windows 2000 Resource Kit's Trustdom tool lets you define trust relationships between Windows 2000 domains and one-way relationships with Windows NT 4.0 domains. You can create two types of one-way trusts: an outbound trust on the local or specified domain, and an inbound trust on the specified target domain. Trustdom's syntax is
C:\> trustdom [[domain[:dc],]target_domain[:dc]] [Options]

The default switch is -out. To see a list of other switches, use the /? switch.

Why is the size of the ntds.dit file different on different domain controllers?


The ntds.dit file contains Active Directory (AD) information, and because all domain controllers (DCs) replicate AD, you might expect the file to be the same size on all DCs. However, you might find differently sized files because the database file is created individually on each DC, and the data--not the database file--replicates. Thus, several factors can lead to files with different sizes:

- Over time, the database can become fragmented. Although objects are deleted while the database is online, you can't compact the database online (compacting requires a manual offline defragmentation).
- If a DC is a Global Catalog (GC), it contains information about objects of other domains in the forest, making its file larger than those of non-GC servers.
- The displayed size of the ntds.dit file is the size of the file when you started the DC; if many objects are added and you restart one DC, that DC's ntds.dit file size will appear larger.

How can I set the RPC port that intrasite replication uses?

For security, Windows 2000 sets the remote procedure call (RPC) replication port dynamically. However, you might want to set the port manually (e.g., to monitor data).

1. Start regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry entry.
3. From the Edit menu, select New, DWORD Value.
4. Enter

   TCP/IP Port

   and press Enter.
5. Double-click the new entry, and enter the port you want to use. (Make sure the port isn't already in use.) Click OK.
6. Close the registry editor.
7. Reboot the machine.

After monitoring finishes, you need to remove the registry entry you created. Removing this entry reinstates the security that dynamic RPC port allocation provides.
