
Expert Workshop E143 Chapter 4

Troubleshooting Domain

Extended Automation System 800xA

© ABB Consult IT
Revision C
Troubleshooting Domain

• Active Directory
• Domain
• Domain Name System
Active Directory

• Administrates resources on a network such as applications, computers, files, groups, users and peripherals (e.g. printers).
• Implements the LDAP protocol (Lightweight Directory Access Protocol).
The Domain Serves Three Functions

• Administrative boundary for objects
• Manage security for shared resources
• Serve as a unit for replication of objects
Active Directory Structure

• Objects are organized in units within a domain, so-called Organizational Units (OU).
• A domain administrator administrates all objects in the domain.
• A user may handle one or several OUs.

(Diagram: Operators, Application Engineers, Administrators)
Active Directory Domain Tree

• Domains can be organized hierarchically. The children inherit the name of the parent.

Example: papercomp.local with the child domains pulp.papercomp.local and machine.papercomp.local
Active Directory Domain Forest

• Multiple domain trees are called a forest. Unusual in 800xA systems.
• Trust relationships allow users in one domain to be authenticated by a domain controller in another domain.

Example: papercomp.local and steelcomp.local connected by a trust
800xA Domain

• Usually a local domain, e.g. IIT.local
• Always use a Fully Qualified Domain Name (FQDN).

(Diagram: IIT.local containing Operators, Application Engineers, Administrators)
Active Directory Global Catalog

• The global catalog holds information about all objects (diagram: papercomp.local and steelcomp.local connected by a trust).
• The global catalog is replicated to those domain controllers designated as Global Catalog servers.
Domain Controller Replication

• Replication between the domain controllers secures consistent information.
Operation Masters

Each Operation Master role runs on only one single domain controller, to ensure consistency and avoid conflicts in data entries.

Forest wide roles:
• Schema master
• Domain naming master

Domain wide roles:
• PDC emulator
• RID master
• Infrastructure master
Schema Master

The Schema master is responsible for object classes and their properties. If the Schema Master is not available you cannot modify the schema or install an application that modifies the schema.
Domain Naming Master

The Domain Naming Master controls the addition or removal of domains in the forest (diagram: a new domain being added).
PDC Emulator

The PDC emulator acts as a Microsoft Windows NT primary domain controller (among other tasks). The PDC emulator performs the following roles:
• Acts as the PDC for any existing BDCs (Windows NT).
• Manages password changes from computers running Windows NT, Windows 95, 98, ME.
• Minimizes replication latency for password changes.
• Synchronizes the time on all domain controllers.
• Prevents the possibility of overwriting Group Policy objects.
Relative ID (RID) Master

The RID master domain controller allocates blocks of RIDs to each domain controller in the domain. You can examine the RID pool with the command dcdiag.

Object SID = Domain SID + RID
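As an added example (not from the ABB slides), the arithmetic behind "Object SID = Domain SID + RID" in Python: splitting an account SID into its domain part and RID, rebuilding it, and converting to and from the binary form stored in the objectSid attribute. The sample SID values are constructed; the well-known RID names are Microsoft's.

```python
# Added example, not from the ABB slides: "Object SID = Domain SID + RID" in code.
# Sample SID values below are constructed; the well-known RID names are Microsoft's.
import struct

# RIDs below 1000 are reserved for well-known accounts and groups; RIDs that the
# RID master hands out from the RID pool start at 1000.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
}

def parse_sid(sid):
    """Split 'S-1-<authority>-<sub1>-...-<subN>' into (revision, authority, [subauthorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {sid!r}")
    try:
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError as exc:
        raise ValueError(f"non-numeric component in {sid!r}") from exc
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of range in {sid!r}")
    return 1, authority, subs

def split_domain_sid(object_sid):
    """Object SID = Domain SID + RID: the RID is the last sub-authority and the domain SID
    is everything before it. Only domain SIDs of the form S-1-5-21-<d1>-<d2>-<d3> are accepted."""
    _, authority, subs = parse_sid(object_sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"{object_sid!r} is not a domain account or group SID")
    domain_sid = "S-1-5-" + "-".join(str(s) for s in subs[:-1])
    return domain_sid, subs[-1]

def make_object_sid(domain_sid, rid):
    """Append a RID to a domain SID (on a real DC the RID comes from its RID pool)."""
    _, authority, subs = parse_sid(domain_sid)
    if authority != 5 or len(subs) != 4 or subs[0] != 21:
        raise ValueError(f"{domain_sid!r} is not a domain SID")
    if not 0 <= rid <= 0xFFFFFFFF:
        raise ValueError("RID out of range")
    return f"{domain_sid}-{rid}"

def sid_to_binary(sid):
    """Binary SID as stored in objectSid: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then each sub-authority as a little-endian uint32."""
    revision, authority, subs = parse_sid(sid)
    header = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)

def sid_from_binary(blob):
    """Inverse of sid_to_binary, with a length check so a truncated blob is rejected."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def describe_sid(object_sid, expected_domain_sid):
    """What a troubleshooter wants to know about a SID seen in a log or an ACL: its domain,
    its RID, whether the RID is well known or came from the RID pool, and whether the SID
    belongs to the expected domain (a foreign domain SID points at a trust or stale data)."""
    domain_sid, rid = split_domain_sid(object_sid)
    return {
        "domain_sid": domain_sid,
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "from_rid_pool": rid >= 1000,
        "in_expected_domain": domain_sid == expected_domain_sid,
    }

if __name__ == "__main__":
    domain = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID
    for rid in (500, 512, 1105):
        print(describe_sid(make_object_sid(domain, rid), domain))
```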
Infrastructure Master

The Infrastructure master is a domain controller that updates object references in its domain that point to objects in another domain (diagram: a global group nested in a domain local group, and the referenced object being moved).

Do not make a domain controller that hosts the global catalog an infrastructure master in large domains (not valid for an 800xA domain).
When to Seize Operation Master Roles?

Seize a role when you cannot transfer it! (Diagram: a non-functioning Operation Master next to a functioning Operation Master.)
Domain Name Space

Zones

The name server checks its local zone database file to see whether it has authority over the requested name. If it does not, and the domain is not local, the root server will be asked.

(Diagram: name servers, webserver1 and a client.)
Example: 800xA Forward Lookup Zone

(Screenshot: a Fully Qualified Domain Name, the local domain and the SRV records.)

The primary Client Server network addresses appear only in the Forward Lookup zone.
Example: 800xA Reverse Lookup Zone

There must be one Reverse Lookup zone for path 0 and one Reverse Lookup zone for path 1.
Verify Domain Configuration Checks

Only the Client/Server network area should be available. If there are more areas: check the DNS configuration, especially the zones and the RNRP filtering in the Configuration Wizard.
Verify Domain Configuration Checks

Zone properties: the zone must be Active Directory Integrated. After you are done with adding clients to the DNS, keep dynamic updates set to "Secure only".
Verify Domain Configuration Checks

DNS Server properties: defines the addresses the domain controller listens to on itself.
Verify File Replication

Force a file replication. An "Ok!" message must be returned. Check also the File Replication event log: there must be no error events concerning File Replication.
Verify File Replication With ReplMon

The server icon shows if there are replication problems, and the status of the replications.
Transfer of Operation Master Roles

The domain object in Active Directory Users and Computers has the dialogue for transferring the Operation Master roles:
• RID master
• PDC emulator
• Infrastructure
Transfer of Operation Master Roles

The Schema object has the dialogue for transferring the Schema Master role. The user must belong to the Schema Admins group.

The Active Directory object has the dialogue for transferring the Operations Master role.
Check DNS Configuration with nslookup

Allow zone transfer to your own domain controller for nslookup.

nslookup
> ls -d domain        shows all records
> ls -t SRV domain    shows SRV records

The result can be piped to a file.
Windows Support Tools

Install the support tools from the media CD; they give additional tools for debugging.
Check DNS Configuration with nslookup

1. nslookup with FQDN
2. nslookup with name
3. nslookup with path 0 IP address
4. nslookup with path 1 IP address

All of these call-up alternatives must give a correct answer on all machines.
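As an added example (not from the ABB slides), the four-way check of this slide, which exercise 4.1 step 6 repeats, written as a Python function: the FQDN, the short name, the path 0 address and the path 1 address of a node must each give a correct answer. It runs against a small constructed zone (domain iit.local, path 0 addresses 172.16.4.x, path 1 addresses 172.17.4.x, host names dc1/aps1/aps2 are all made up) so it can be executed offline; on a real node the two lookup functions would be replaced by ones that call nslookup.

```python
# Added example, not from the ABB slides: the four nslookup checks run against a
# constructed zone. Domain, host names and addresses below are invented for the example.
from collections import namedtuple

Finding = namedtuple("Finding", "check ok detail")

DOMAIN = "iit.local"
FORWARD_ZONE = {                        # FQDN -> A records (path 0 and path 1 addresses)
    "dc1.iit.local":  {"172.16.4.1", "172.17.4.1"},
    "aps1.iit.local": {"172.16.4.11", "172.17.4.11"},
    "aps2.iit.local": {"172.16.4.12"},  # path 1 address missing on purpose
}
REVERSE_ZONES = {                       # one reverse lookup zone per path, as the slides require
    "4.16.172.in-addr.arpa": {"172.16.4.1": "dc1.iit.local.",
                              "172.16.4.11": "aps1.iit.local.",
                              "172.16.4.12": "aps2.iit.local."},
    "4.17.172.in-addr.arpa": {"172.17.4.1": "dc1.iit.local.",
                              "172.17.4.11": "aps1.iit.local."},  # aps2 PTR missing on purpose
}

def forward_lookup(name, domain=DOMAIN, zone=FORWARD_ZONE):
    """Resolve a name. A short name gets the domain suffix appended first, as the client's
    suffix search list would do. Returns the set of addresses, or None if there is no record."""
    name = name.rstrip(".").lower()
    if "." not in name:
        name = f"{name}.{domain}"
    return zone.get(name)

def reverse_lookup(ip, zones=REVERSE_ZONES):
    """PTR lookup across all reverse zones (keyed by address here for brevity).
    Returns the FQDN without trailing dot, or None if no PTR record exists."""
    for records in zones.values():
        if ip in records:
            return records[ip].rstrip(".").lower()
    return None

def check_node(short_name, path0_ip, path1_ip, domain=DOMAIN,
               forward=forward_lookup, reverse=reverse_lookup):
    """Run the four checks from the slide for one node and return one Finding per check."""
    fqdn = f"{short_name}.{domain}".lower()
    expected = {path0_ip, path1_ip}
    findings = []
    # 1. nslookup with FQDN: must return both path addresses and nothing else
    got = forward(fqdn)
    findings.append(Finding("fqdn", got == expected,
                            f"{fqdn} -> {sorted(got) if got else None}"))
    # 2. nslookup with the short name: must give the same answer (suffix handling works)
    got_short = forward(short_name)
    findings.append(Finding("name", got_short == expected,
                            f"{short_name} -> {sorted(got_short) if got_short else None}"))
    # 3./4. nslookup with the path 0 and path 1 address: each needs a PTR record pointing
    # back at the FQDN, which is why one reverse zone per path must exist.
    for check, ip in (("path0", path0_ip), ("path1", path1_ip)):
        ptr = reverse(ip)
        findings.append(Finding(check, ptr == fqdn, f"{ip} -> {ptr}"))
    return findings

def failed_checks(findings):
    """Names of the checks that did not give a correct answer."""
    return [f.check for f in findings if not f.ok]

if __name__ == "__main__":
    for node in (("dc1", "172.16.4.1", "172.17.4.1"), ("aps2", "172.16.4.12", "172.17.4.12")):
        for f in check_node(*node):
            print(f"{node[0]:5} {f.check:5} {'OK  ' if f.ok else 'FAIL'} {f.detail}")
```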
Check Active Directory with dcdiag

The test should pass on all instances; you will get a message if the w32time service is disabled.
Command-line Tools

net share: SYSVOL and NETLOGON must exist as shares.

Directory database files:
• Edb.*     transaction logs and checkpoint files
• Ntds.dit  directory database
• Res.*     reserved log files
Backup of System State: Scheduled Backup (1)

This description is based on Microsoft Windows Server 2003. It can be applicable on a stand-alone DC or when the image of the Domain Controller has passed the tombstone limit.

• Log on to the domain controller by using an account that has Domain Admin, local Administrator, or Backup Operator credentials.
• Start the Windows NT Backup Wizard by choosing one of the following options:
  • Open a command prompt, type ntbackup and press ENTER.
  • Click Start, point to Programs, then point to Accessories, then point to System Tools, and then click Backup.
Backup of System State: Scheduled Backup (2)

• Select the Schedule Jobs tab card.
• Click the Add Job button, and then click Next.
• Select Only back up the system state data.
• In the Backup Type screen, select the location and file name of the backup.
• In the How to Backup screen, select Verify data after Backup.
• In the Backup Options screen, select Replace the existing Backup.
• In the When to Back up screen, select Later, give the Job a proper name and select the Set Schedule button.
• Define the Job schedule (weekly backup) and press OK.
• Type in the account and password the Job should run with.
• Press Next.
• Type in the account and password the Job should run with.
• Select Finish.
• Check in the Event Viewer Application Log that the Backup has completed successfully.
Create a Copy of the System State Backup

• The System State backup will overwrite the existing backup. Therefore we will create a copy of the backup file.
• Create a .bat file which copies the System State backup to a new file, e.g.:
  copy d:\backup\SystemStateDC1.bkf d:\backup\SystemStateDC1_previous.bkf
• Select All Programs > Accessories > System Tools > Scheduled Tasks.
• Select Add Scheduled Task, click Next.
• Click Browse and browse for the .bat file.
• Schedule the backup copy, e.g. 2 days after creating the system state.
• Type in the account and password the job should run with.
• Click Finish.
Restore of the Domain Controller (1)

• This description is based on Microsoft Windows Server 2003.
• Re-boot the Domain Controller.
• Press F8 during re-boot.
• In the Advanced Startup Menu select the option Directory Services Restore Mode.
• Start the Windows NT Backup Wizard by choosing one of the following options:
  • Open a command prompt, type ntbackup and press ENTER.
  • Click Start, point to Programs, then point to Accessories, then point to System Tools, and then click Backup.
Restore of the Domain Controller (2)

• Select Restore Wizard and Next.
• Browse for the Backup file.
• In the column Items to restore open the structure, select System State and click Next.
• Click the Advanced button.
• Select Restore files to Original Location, click Next.
• Accept the Warning with OK.
• Select Replace existing Files, click Next.
• Restore Security Settings, Restore junction points… and Preserve existing volume mount points have to be checked. If you are restoring the only Domain Controller in the domain, additionally check the item When restoring replicated data sets…, then click Next.
• Click Finish.
• After the restore click Close and reboot the PC.
Maintenance Expert Workshop

Exercise 4.1 Analyze Domain Controller

4.1.1 Description
The exercise gives you the ability to verify the domain configuration. The exercise shows how to analyze the domain controllers.

4.1.2 Objectives
Upon completion of this exercise you will be able to:
• Use Microsoft tools for checking the domain controller configuration.
• Make use of the Microsoft Management Console as an aid for domain controller analysis.
• Use commands for analysis.

4.1.3 Reference documentation
Microsoft TechNet articles.

E143-04 Exercise 4.1 - RevB.doc

4.1.4 Exercise Steps

1. Find out which one of the domain controllers carries the Flexible Single Master Operation (FSMO) roles.

2. Execute the command sequence as follows:

   C:\> ntdsutil
   ntdsutil: roles
   fsmo maintenance: conn
   server connections: conn to serv <servername>
   server connections: quit
   fsmo maintenance: select operation target
   select operation target: list roles for conn serv

   You will now get a list like the following:

   Server <the working server> knows about 5 roles
   Schema - CN=NTDS Settings,CN=<server with FSMO roles>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
   Domain - CN=NTDS Settings,CN=<server with FSMO roles>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
   PDC - CN=NTDS Settings,CN=<server with FSMO roles>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
   RID - CN=NTDS Settings,CN=<server with FSMO roles>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
   Infrastructure - CN=NTDS Settings,CN=<server with FSMO roles>,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net

3. Which domain controller holds the FSMO roles?


4. Instead you could use the command netdom query fsmo to find out the holder of the FSMO roles. Try this command. What must be installed to have this command working?

5. Start a File Replication Monitor with the command replmon. Add the servers. Force a File Replication manually. Check the result both in the event log and in the File Replication Monitor.

6. Verify the DNS with the nslookup command by calling up the command with the Fully Qualified Domain Name (FQDN), the name and the IP address for path 0 and path 1.
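As an added example, not part of the exercise: a parser for the "list roles for connected server" output of step 2, which turns the five "Role - DN" lines into a role-to-holder table so that step 3 can be answered mechanically and a split of roles across several domain controllers is noticed. The sample listing is constructed (servers DC01 and DC02 are placeholders in the demo.net naming context shown in the exercise).

```python
# Added example, not part of the ABB exercise: parse ntdsutil's FSMO role listing.
# The listing below is constructed; DC01/DC02 are placeholder server names.
import re

EXPECTED_ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")

SAMPLE_LISTING = """\
Server DC02.demo.net knows about 5 roles
Schema - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
Domain - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
PDC - CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
RID - CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
Infrastructure - CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=demo,DC=net
"""

def split_dn(dn):
    """Split an LDAP DN into (type, value) pairs. A comma escaped with a backslash stays
    inside the value (RFC 4514 style); other escape sequences are not handled here."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    return [tuple(p.split("=", 1)) for p in parts if p]

def holder_from_dn(dn):
    """An NTDS Settings DN names the DC in the CN directly below the settings object and the
    site in the CN directly below CN=Sites. Returns (server, site)."""
    rdns = split_dn(dn)
    if rdns[0] != ("CN", "NTDS Settings"):
        raise ValueError(f"not an NTDS Settings DN: {dn}")
    server, site = rdns[1][1], None
    for idx, rdn in enumerate(rdns):
        if rdn == ("CN", "Sites") and idx > 0:
            site = rdns[idx - 1][1]
    return server, site

def parse_fsmo_listing(text):
    """Return {role: (server, site)} for every 'Role - DN' line of the ntdsutil output."""
    roles = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s+-\s+(CN=.*)$", line.strip())
        if m:
            roles[m.group(1)] = holder_from_dn(m.group(2))
    return roles

def fsmo_report(text):
    """Which DC(s) hold roles, which expected roles are missing, whether the
    'knows about N roles' count matches the lines listed, and whether roles are split."""
    roles = parse_fsmo_listing(text)
    holders = sorted({server for server, _ in roles.values()})
    m = re.search(r"knows about (\d+) roles", text)
    return {
        "holders": holders,
        "missing": [r for r in EXPECTED_ROLES if r not in roles],
        "declared": int(m.group(1)) if m else None,
        "listed": len(roles),
        "split": len(holders) > 1,
    }

if __name__ == "__main__":
    for role, (server, site) in parse_fsmo_listing(SAMPLE_LISTING).items():
        print(f"{role:15} {server:8} site={site}")
    print(fsmo_report(SAMPLE_LISTING))
```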


Exercise 4.2 Recover Domain Controller

4.2.1 Description
The exercise covers a situation where the first domain controller doesn't work any more. The exercise shows how to analyze the remaining domain controller and make it the primary domain controller. The exercise also deals with a restore of an 800xA node when it is installed in the same PC box as the domain controller.
The use case is a crash of the first domain controller which holds the FSMO roles. The image backup is older than the tombstone limit. This means the user needs to clean up the old domain configuration after the server is restored but before it is connected to the network.

4.2.2 Objectives
Upon completion of this exercise you will be able to:
• Use Microsoft tools for checking the domain controller configuration.
• Find the corresponding Microsoft TechNet articles concerning FSMO roles.
• Make the currently running domain controller the primary domain controller.
• Restore a domain controller from a backup which is older than the tombstone limit.
• Transfer roles.

4.2.3 Reference documentation
Microsoft TechNet articles.

E143-04 Exercise 4.2 - RevC.doc

4.2.4 Exercise Steps

1. Simulate a crash of the primary domain controller by shutting it down and removing it from the switch.
2. Execute the command dcdiag in a DOS window on the remaining domain controller.
3. What type of error messages do you get? Do they make sense?

4. The situation you have now is a crashed first domain controller. The only backup you have is an early image. You now need to make the remaining domain controller the first domain controller. The following steps are involved:
• Seize the roles.
• Make the remaining domain controller a Global Catalogue server.
• Clean up all the history from the crashed domain controller in the remaining domain controller.

5. Seize the FSMO roles according to the Microsoft TechNet article: Using Ntdsutil.exe to transfer or seize FSMO roles to a domain.

Here follows a short description of the procedure. Seizing the roles is the last way out, when you are sure that the crashed domain controller never comes back.

• In a command window enter the command ntdsutil.
• Type roles, and press ENTER.
• Type connections, and press ENTER.

• Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
• At the server connections prompt, type q, and then press ENTER.
• The roles you can seize are:
  Schema Master
  Domain Naming Master
  PDC
  RID Master
  Infrastructure
• Type seize Schema Master to seize the Schema role. Seize the rest by typing:
  seize Domain Naming Master
  seize PDC
  seize RID master
  seize Infrastructure Master
• Type q 2 times to quit the ntdsutil utility.
6. Create a new global catalogue according to the article: How to create or move a Global Catalog in Windows 2000.
7. Restart the netlogon service with the commands:
  net stop netlogon
  net start netlogon

After 5 minutes you will get an event message in the Directory Service Log that the domain controller is now a Global Catalogue server. You can verify this.
8. Remove the old primary domain server from the Active Directory according to the article: How to remove data in Active Directory after an unsuccessful domain controller demotion (216498). Below you find a short description of how the metadata cleanup works.
• In a command window enter the command ntdsutil.
• Type metadata cleanup, and press ENTER.
• Type connections, and press ENTER.
• Type connect to server servername, and then press ENTER, where servername is the name of the current domain controller.
• Type q, and then press ENTER. The metadata cleanup menu appears.
• Type select operation target and press ENTER.
• Type list domains and press ENTER.
• Type select domain number and press ENTER, where number is the current domain.
• Type list sites and press ENTER.
• Type select site number and press ENTER, where number is the site where you have the domain controller to be removed.
• Type list servers in site and press ENTER. A list of servers appears.

3/5
E143-04 Exercise 4.2 - RevC.doc

• Type select server number and press ENTER, where number is the number associated with the server you want to remove.
• Type q and press ENTER. The metadata cleanup menu appears.
• Type remove selected server and press ENTER.
• Type quit x number of times until you have exited ntdsutil.
• Remove the cname in the _msdcs.root object in the forward lookup zone.
• Remove the "removed" domain controller in Active Directory Sites and Services.
• Check that you have done everything according to the article How to remove data in Active Directory after an unsuccessful domain controller demotion (216498).
9. Check the status again with the commands dcdiag and netdiag.
10. Make a restore of the server by restoring the only image. The instructor will tell you which image you should restore. Don't connect any network cables yet. After the server is restored you must log on with the domain account.
11. You also need to delete the system on the node you have restored. You do this as follows:
• Stop the server.
• Delete the system.
12. Remove the domain configuration by using the command dcpromo /forceremoval. This will bring the server automatically into a workgroup. Check this. In order to log on you must use the local administrator account.
13. Connect the restored server to the network.
14. Add the restored server to the domain. Check that the time is the same as on the other computers.
15. Check if DNS is installed. Open Add/Remove Programs. Select Add/Remove Windows Components. Select Network Services and press Details. Install DNS if it is not installed.
16. Promote the domain controller. Give the command dcpromo in a DOS window. The domain controller will be a second domain controller.
17. Check the Forward and Reverse lookup zones.
18. Check that the license service runs with the service account.
19. Check the license connection.
20. Run the system software user settings again.
21. Connect the node again to the system from the Configuration Wizard.
22. Check the OPC configuration.
23. Check the domain configuration on the newly restored domain controller.
24. Transfer the FSMO roles back to the newly restored domain controller.


For more information about the restore procedure see the attached information on the
following pages:

Using NSlookup.exe

This article was previously published under Q200525
Article ID: 200525
Last Review: November 30, 2004
Revision: 2.0

SUMMARY
Nslookup.exe is a command-line administrative tool for testing and troubleshooting DNS servers. This tool is installed along with the TCP/IP protocol through Control Panel. This article includes several tips for using Nslookup.exe.

MORE INFORMATION
To use Nslookup.exe, please note the following:

• The TCP/IP protocol must be installed on the computer running Nslookup.exe
• At least one DNS server must be specified when you run the IPCONFIG /ALL command from a command prompt.
• Nslookup will always devolve the name from the current context. If you fail to fully qualify a name query
(that is, use trailing dot), the query will be appended to the current context. For example, the current DNS
settings are att.com and a query is performed on www.microsoft.com; the first query will go out as
www.microsoft.com.att.com because of the query being unqualified. This behavior may be inconsistent with
other vendor's versions of Nslookup, and this article is presented to clarify the behavior of Microsoft
Windows NT Nslookup.exe
• If you have implemented the use of the search list in the Domain Suffix Search Order defined on the DNS
tab of the Microsoft TCP/IP Properties page, devolution will not occur. The query will be appended to
the domain suffixes specified in the list. To avoid using the search list, always use a Fully Qualified Domain
Name (that is, add the trailing dot to the name).

Nslookup.exe can be run in two modes: interactive and noninteractive. Noninteractive mode is useful when only a
single piece of data needs to be returned. The syntax for noninteractive mode is:

nslookup [-option] [hostname] [server]

To start Nslookup.exe in interactive mode, simply type "nslookup" at the command prompt:

C:\> nslookup
Default Server: nameserver1.domain.com
Address: 10.0.0.1
>

Typing "help" or "?" at the command prompt will generate a list of available commands. Anything typed at the
command prompt that is not recognized as a valid command is assumed to be a host name and an attempt is
made to resolve it using the default server. To interrupt interactive commands, press CTRL+C. To exit interactive
mode and return to the command prompt, type exit at the command prompt.

The following is the help output and contains the complete list of options:

Commands: (identifiers are shown in uppercase, [] means optional)
NAME - print info about the host/domain NAME using default server
NAME1 NAME2 - as above, but use NAME2 as server
help or ? - print info on common commands
set OPTION - set an option
    all - print options, current server and host
    [no]debug - print debugging information
    [no]d2 - print exhaustive debugging information
    [no]defname - append domain name to each query
    [no]recurse - ask for recursive answer to query
    [no]search - use domain search list
    [no]vc - always use a virtual circuit
    domain=NAME - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1, N2, and so on
    root=NAME - set root server to NAME
    retry=X - set number of retries to X
    timeout=X - set initial time-out interval to X seconds
    type=X - set query type (for example, A, ANY, CNAME, MX, NS, PTR, SOA, SRV)
    querytype=X - same as type
    class=X - set query class (for example, IN (Internet), ANY)
    [no]msxfr - use MS fast zone transfer
    ixfrver=X - current version to use in IXFR transfer request
server NAME - set default server to NAME, using current default server
lserver NAME - set default server to NAME, using initial server
finger [USER] - finger the optional NAME at the current default host
root - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a - list canonical names and aliases
    -d - list all records
    -t TYPE - list records of the given type (for example, A, CNAME, MX, NS, PTR, and so on)
view FILE - sort an 'ls' output file and view it with pg
exit - exit the program

A number of different options can be set in Nslookup.exe by running the set command at the command prompt. A
complete listing of these options is obtained by typing set all. See above, under the set command for a printout
of the available options.

Looking up Different Data Types

To look up different data types within the domain name space, use the set type or set q[uerytype] command at the command prompt. For example, to query for the mail exchanger data, type the following:

C:\> nslookup
Default Server: ns1.domain.com
Address: 10.0.0.1

> set q=mx
> mailhost
Server: ns1.domain.com
Address: 10.0.0.1

mailhost.domain.com MX preference = 0, mail exchanger = mailhost.domain.com
mailhost.domain.com internet address = 10.0.0.5
>

The first time a query is made for a remote name, the answer is authoritative, but subsequent queries are
nonauthoritative. The first time a remote host is queried, the local DNS server contacts the DNS server that is
authoritative for that domain. The local DNS server will then cache that information, so that subsequent queries
are answered nonauthoritatively out of the local server's cache.

Querying Directly from Another Name Server

To query another name server directly, use the server or lserver commands to switch to that name server. The lserver command uses the local server to get the address of the server to switch to, while the server command uses the current default server to get the address.

Example:

C:\> nslookup
Default Server: nameserver1.domain.com
Address: 10.0.0.1

> server 10.0.0.2
Default Server: nameserver2.domain.com
Address: 10.0.0.2
>

Using Nslookup.exe to Transfer Entire Zone

Nslookup can be used to transfer an entire zone by using the ls command. This is useful to see all the hosts within a remote domain. The syntax for the ls command is:

ls [-a | -d | -t type] domain [> filename]

Using ls with no arguments will return a list of all address and name server data. The -a switch will return alias and canonical names, -d will return all data, and -t will filter by type.

Example:

>ls domain.com
[nameserver1.domain.com]
nameserver1.domain.com. NS server = ns1.domain.com
nameserver2.domain.com NS server = ns2.domain.com
nameserver1 A 10.0.0.1
nameserver2 A 10.0.0.2

>

Zone transfers can be blocked at the DNS server so that only authorized addresses or networks can perform this
function. The following error will be returned if zone security has been set:

*** Can't list domain example.com.: Query refused

For additional information, see the following article or articles in the Microsoft Knowledge Base:

193837 (http://support.microsoft.com/kb/193837/EN-US/) Windows NT 4.0 DNS Server Default Zone Security Settings

Troubleshooting Nslookup.exe
Default Server Timed Out
When starting the Nslookup.exe utility, the following errors may occur:

*** Can't find server name for address w.x.y.z: Timed out

NOTE: w.x.y.z is the first DNS server listed in the DNS Service Search Order list.

*** Can't find server name for address 127.0.0.1: Timed out

The first error indicates that the DNS server cannot be reached or the service is not running on that computer. To
correct this problem, either start the DNS service on that server or check for possible connectivity problems.

The second error indicates that no servers have been defined in the DNS Service Search Order list. To correct this
problem, add the IP address of a valid DNS server to this list.

For additional information, see the following article or articles in the Microsoft Knowledge Base:

172060 (http://support.microsoft.com/kb/172060/EN-US/) NSLOOKUP: Can't Find Server Name for Address 127.0.0.1

Can't Find Server Name when Starting Nslookup.exe

When starting the Nslookup.exe utility, the following error may occur:

*** Can't find server name for address w.x.y.z: Non-existent domain

This error occurs when there is no PTR record for the name server's IP address. When Nslookup.exe starts, it does a reverse lookup to get the name of the default server. If no PTR data exists, this error message is returned. To correct this, make sure that a reverse lookup zone exists and contains PTR records for the name servers.

For additional information, see the following article or articles in the Microsoft Knowledge Base:

172953 (http://support.microsoft.com/kb/172953/EN-US/) How to Install and Configure Microsoft DNS Server

Nslookup on Child Domain Fails

When querying or doing a zone transfer on a child domain, Nslookup may return the following errors:

*** ns.domain.com can't find child.domain.com.: Non-existent domain

*** Can't list domain child.domain.com.: Non-existent domain

In DNS Manager, a new domain can be added under the primary zone, thus creating a child domain. Creating a
child domain this way does not create a separate db file for the domain, thus querying that domain or running a
zone transfer on it will produce the above errors. Running a zone transfer on the parent domain will list data for
both the parent and child domains. To work around this problem, create a new primary zone on the DNS server
for the child domain.

APPLIES TO
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows NT Server 4.0 Standard Edition

Keywords: kbinfo KB200525

©2006 Microsoft Corporation. All rights reserved.

How to remove data in Active Directory after an unsuccessful domain controller demotion

This article was previously published under Q216498
Article ID: 216498
Last Review: January 9, 2006
Revision: 8.0

SUMMARY
This article describes how to remove data in Active Directory after an unsuccessful domain controller demotion.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly
modify the attributes of Active Directory objects, you can cause serious problems. These problems may require
you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server,
Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that
occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your
own risk.

The Active Directory Installation Wizard (Dcpromo.exe) is used for promoting a server to a domain controller and
for demoting a domain controller to a member server (or to a stand-alone server in a workgroup if the domain
controller is the last in the domain). As part of the demotion process, the wizard removes the configuration data
for the domain controller from Active Directory. This data takes the form of an NTDS Settings object that exists as
a child of the server object in Active Directory Sites and Services.

The information is in the following location in Active Directory:

CN=NTDS Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=<domain>...

The attributes of the NTDS Settings object include data representing how the domain controller is identified in
respect to its replication partners, the naming contexts that are maintained on the machine, whether the domain
controller is a global catalog server, and the default query policy. The NTDS Settings object is also a container
that may have child objects that represent the domain controller's direct replication partners. This data is required
for the domain controller to operate in the environment, but is retired upon demotion.

In the event that the NTDS Settings object is not removed correctly (for example, if the NTDS Settings object is
not correctly removed from a demotion attempt), the administrator can use the Ntdsutil.exe utility to manually
remove the NTDS Settings object. The following steps list the procedure for removing the NTDS Settings object in
Active Directory for a particular domain controller. At each Ntdsutil menu, the administrator can type help for
more information about the available options.

Windows Server 2003 Service Pack 1 (SP1) – Enhanced version of Ntdsutil.exe


The version of Ntdsutil.exe that is included with Service Pack 1 for Windows Server 2003 has been enhanced to
make the metadata cleanup process complete. Ntdsutil.exe that is included with SP1 does the following when
metadata cleanup is run:

• Removes the NTDS Settings (NTDSA) object.
• Removes the inbound AD connection objects that existing destination DCs use to replicate from the source DC
being deleted.
• Removes the computer account.
• Removes the FRS member object.
• Removes the FRS subscriber objects.
• Tries to seize the flexible single master operations (FSMO) roles held by the DC that is being removed.

Caution The administrator must also make sure that replication has occurred since the demotion before manually
removing the NTDS Settings object for any server. Using the Ntdsutil utility incorrectly may result in partial or
complete loss of Active Directory functionality.

Procedure 1: Windows Server 2003 SP1 only

1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can
perform the removal, but additional configuration parameters must be specified before the removal can
occur.

http://support.microsoft.com/default.aspx/kb/216498 2006-03-27

4. Type connections and press ENTER. This menu is used to connect to the specific server where the
changes occur. If the currently logged on user does not have administrative permissions, different
credentials can be supplied by specifying the credentials to use before making the connection. To do this,
type set creds DomainName UserName Password, and then press ENTER. For a null password, type
null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the
connection is successfully established. If an error occurs, verify that the domain controller being used in
the connection is available and the credentials you supplied have administrative permissions on the
server.

Note If you try to connect to the same server that you want to delete, then when you try to delete the server
in step 15, you may receive the following error message:

Error 2094. The DSA Object cannot be deleted 0x2094

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
7. Type select operation target and press ENTER.
8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated
number.
9. Type select domain number and press ENTER, where number is the number associated with the
domain the server you are removing is a member of. The domain you select is used to determine
whether the server being removed is the last domain controller of that domain.
10. Type list sites and press ENTER. A list of sites, each with an associated number, appears.
11. Type select site number and press ENTER, where number is the number associated with the site the
server you are removing is a member of. You should receive a confirmation listing the site and domain
you chose.
12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number,
is displayed.
13. Type select server number, where number is the number associated with the server you want to
remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host
name, and the location of the server's computer account you want to remove.
14. Type quit and press ENTER. The Metadata Cleanup menu appears.
15. Type remove selected server and press ENTER. You should receive confirmation that the removal
completed successfully. If you receive the following error message, the NTDS Settings object may
already be removed from Active Directory as the result of another administrator removing the NTDS
Settings object or replication of the successful removal of the object after running the DCPROMO utility.

Error 8419 (0x20E3)


The DSA object could not be found

Note You may also see this error when you try to bind to the domain controller that will be removed.
Ntdsutil has to bind to a domain controller other than the one that will be removed with metadata
cleanup.
16. Type quit at each menu to quit the Ntdsutil utility. You should receive confirmation that the connection
disconnected successfully.
17. Remove the cname record for the DC's DSA GUID in the _msdcs.<forest root domain> zone in DNS. Assuming that the DC will be
reinstalled and re-promoted, a new NTDS Settings object is created with a new GUID and a matching
cname record in DNS. You do not want the DCs that exist to use the old cname record.

As best practice, you should also delete the host name and other DNS records. If the lease time that remains
on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline server is exceeded, then
another client can obtain the IP address of the problem DC and receive traffic meant for it.
18. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the
Host record. To delete the A record, right-click the A record, and then click Delete. Also, delete the
cname record in the _msdcs container. To do this, expand the _msdcs container, right-click cname, and
then click Delete.

Important If this is a DNS server, remove the reference to this DC under the Name Servers tab. To do
this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this
server from the Name Servers tab.

Note If you have reverse lookup zones, also remove the server from these zones.
19. If the deleted computer is the last domain controller in a child domain, and the child domain was also
deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc, and then click OK
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Right-click the Trust Domain object, and then click Delete.

20. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
a. Start Active Directory Sites and Services.
b. Expand Sites.
c. Expand the server's site. The default site is Default-First-Site-Name.
d. Expand Servers.
e. Right-click the domain controller, and then click Delete.

Procedure 2: Windows 2000 (all versions) and Windows Server 2003 RTM

1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can
perform the removal, but additional configuration parameters must be specified before the removal can
occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the
changes occur. If the currently logged on user does not have administrative permissions, different
credentials can be supplied by specifying the credentials to use before you make the connection. To do
this, type set creds DomainName UserName Password, and then press ENTER. For a null password,
type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the
connection is successfully established. If an error occurs, verify that the domain controller being used in
the connection is available and the credentials you supplied have administrative permissions on the
server.

Note If you try to connect to the same server that you want to delete, then when you try to delete the server
in step 15, you may receive the following error message:

Error 2094. The DSA Object cannot be deleted 0x2094

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
7. Type select operation target and press ENTER.
8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated
number.
9. Type select domain number and press ENTER, where number is the number associated with the
domain the server you are removing is a member of. The domain you select is used to determine
whether the server being removed is the last domain controller of that domain.
10. Type list sites and press ENTER. A list of sites, each with an associated number, is displayed.
11. Type select site number and press ENTER, where number is the number associated with the site the
server you are removing is a member of. You should receive a confirmation listing the site and domain
you chose.
12. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number,
is displayed.
13. Type select server number, where number is the number associated with the server you want to
remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host
name, and the location of the server's computer account you want to remove.
14. Type quit and press ENTER. The Metadata Cleanup menu appears.
15. Type remove selected server and press ENTER. You should receive confirmation that the removal
completed successfully. If you receive the following error message:

Error 8419 (0x20E3)


The DSA object could not be found

the NTDS Settings object may already be removed from Active Directory as the result of another
administrator removing the NTDS Settings object, or replication of the successful removal of the object
after you run the Dcpromo utility.

Note You may also see this error when you try to bind to the domain controller that will be removed.
Ntdsutil has to bind to a domain controller other than the one that will be removed with metadata
cleanup.
16. Type quit at each menu to quit the Ntdsutil utility. You should receive confirmation that the connection
disconnected successfully.
17. Remove the cname record for the DC's DSA GUID in the _msdcs.<forest root domain> zone in DNS. Assuming that the DC will be
reinstalled and re-promoted, a new NTDS Settings object is created by using a new GUID and a matching
cname record in DNS. You do not want the DCs that exist to use the old cname record.

As best practice you should delete the hostname and other DNS records. If the lease time that remains
on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded then
another client can obtain the IP address of the problem DC.

Now that the NTDS Settings object has been deleted, you can delete the computer account, the FRS member
object, the cname (or Alias) record in the _msdcs container, the A (or Host) record in DNS, the trustDomain
object for a deleted child domain, and the domain controller.

The Adsiedit utility is included with the Windows Support Tools feature in both Windows 2000 Server and Windows
Server 2003. To install the Windows Support Tools, follow these steps:

• Windows 2000 Server: On the Windows 2000 Server CD, open the Support\Tools folder, double-click
Setup.exe, and then follow the instructions that appear on the screen.
• Windows Server 2003: On the Windows Server 2003 CD, open the Support\Tools folder, double-click
Suptools.msi, click Install, and then follow the steps in the Windows Support Tools Setup Wizard to
complete the installation.

1. Use ADSIEdit to delete the computer account. To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
b. Expand the Domain NC container.
c. Expand DC=Your Domain Name, DC=COM, PRI, LOCAL, NET.
d. Expand OU=Domain Controllers.
e. Right-click CN=domain controller name, and then click Delete.
If you receive the "DSA object cannot be deleted" error message when you try to delete the object,
change the UserAccountControl value. To change the UserAccountControl value, right-click the domain
controller in ADSIEdit, and then click Properties. Under Select a property to view, click
UserAccountControl. Click Clear, change the value to 4096, and then click Set. The value 4096
(UF_WORKSTATION_TRUST_ACCOUNT) turns the domain controller account into an ordinary computer
account, which the directory then lets you delete.

Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the
computer account.
2. Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Expand CN=File Replication Service.
f. Expand CN=Domain System Volume (SYSVOL share).
g. Right-click the domain controller you are removing, and then click Delete.

3. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the
Host record. To delete the A record, right-click the A record, and then click Delete. Also delete the cname
(also known as the Alias) record in the _msdcs container. To do so, expand the _msdcs container, right-
click the cname, and then click Delete.

Important If this was a DNS server, remove the reference to this DC under the Name Servers tab. To
do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this
server from the Name Servers tab.

Note If you have reverse lookup zones, also remove the server from these zones.
4. If the deleted computer was the last domain controller in a child domain and the child domain was also
deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK
b. Expand the Domain NC container.
c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Right-click the Trust Domain object, and then click Delete.

5. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
a. Start Active Directory Sites and Services.
b. Expand Sites.
c. Expand the server's site. The default site is Default-First-Site-Name.
d. Expand Servers.
e. Right-click the domain controller, and then click Delete.

Advanced optional syntax with the SP1 version of Ntdsutil.exe


Windows Server 2003 SP1 introduced a new syntax that can be used. By using the new syntax, it is no longer
required to bind to the DS and select your operation target. To use the new syntax, you must know or obtain the
DN of the NTDS settings object of the server that is being demoted. To use the new syntax for Metadata cleanup,
follow these steps:

1. Run ntdsutil.
2. Switch to the metadata cleanup prompt.
3. Run the following command

remove selected server <DN of the server object in the config container>

An example of this command is as follows (one line):

remove selected server cn=servername,cn=servers,cn=sitename,cn=sites,cn=configuration,dc=<forest_root_domain>

4. Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming that DC will be
reinstalled and re-promoted, a new NTDS Settings object is created by using a new GUID and a matching
cname record in DNS. You do not want the DCs that exist to use the old cname record.

As best practice, you should delete the host name and other DNS records. If the lease time that remains
on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is exceeded, another
client can obtain the IP address of the problem DC.
5. If the deleted computer was the last domain controller in a child domain, and the child domain was also
deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
a. Click Start, click Run, type adsiedit.msc, and then click OK.
b. Expand the Domain NC container.
c. Expand DC=Your Domain Name, DC=COM, PRI, LOCAL, NET.
d. Expand CN=System.
e. Right-click the Trust Domain object, and then click Delete.

6. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
a. Start Active Directory Sites and Services.
b. Expand Sites.
c. Expand the server's site. The default site is Default-First-Site-Name.
d. Expand Servers.
e. Right-click the domain controller, and then click Delete.

MORE INFORMATION
For additional information about how to forcefully demote a Windows Server 2003 or Windows 2000 domain
controller, click the following article number to view the article in the Microsoft Knowledge Base:

332199 (http://support.microsoft.com/kb/332199/) Domain controllers do not demote gracefully when you use
the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000
Server

Determine the DN of the server


There are several ways to obtain the DN of the server object that is to be removed. The following example uses
Ldp.exe. To obtain the DN by using Ldp.exe, follow these steps:

1. Run LDP.
2. Bind to rootDSE.
3. Select View\tree. The base DN should be cn=configuration,dc=rootdomain,dc=<suffix>.
4. Expand Sites.
5. Expand the site where the server object resides.
6. Expand Servers.
7. Expand the server that you are removing.
8. Look for a line on the right hand side that starts with Dn:.
9. Copy the whole line, excluding the leading Dn: label.

Example excerpt of the first part of the LDP output:

Expanding base 'CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com

What you would copy (without the Dn: label) is:

CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com

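The whole SP1 procedure (find the server object's DN, run the one-line remove selected server, then clean up the A, cname and name-server records from steps 17 and 18) as one added PowerShell script. This is not code from the KB article or from Microsoft. Assumed names: DC1 is the stale domain controller, DC2 is a surviving domain controller that also hosts DNS, the zone is corp.com with a separate forest-wide _msdcs.corp.com zone (the Windows Server 2003 layout), and DC1's old address was 10.0.0.11. The script also handles the Error 8419 case in which the NTDS Settings object is already gone, and refuses to bind to the DC being removed (the Error 2094 case).

```powershell
# Added example, not code from the KB article. Assumptions: stale DC 'DC1',
# surviving DC 'DC2' that is also the DNS server for 'corp.com' and for the
# forest-wide '_msdcs.corp.com' zone, DC1's old address 10.0.0.11, and an
# Enterprise Admin running this with Windows Server 2003 SP1 (or later) tools.
param(
    [string]$StaleDc = 'DC1',
    [string]$LiveDc  = 'DC2',
    [string]$Zone    = 'corp.com',
    [string]$StaleIp = '10.0.0.11'
)

# ntdsutil cannot delete the DSA it is bound to (Error 2094 in the article).
if ($LiveDc -ieq $StaleDc) { throw 'Bind to a DC other than the one being removed' }

# Step 1: find the server object's DN in the Configuration NC by searching,
# instead of walking the tree by hand in Ldp.exe.
$rootDse  = [ADSI]"LDAP://$LiveDc/RootDSE"
$configNc = $rootDse.Properties['configurationNamingContext'][0]
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$LiveDc/CN=Sites,$configNc", "(&(objectClass=server)(cn=$StaleDc))")
$hit = $searcher.FindOne()
if (-not $hit) { throw "No server object named $StaleDc under CN=Sites,$configNc" }
$serverDn = $hit.Properties['distinguishedname'][0]
"Server object: $serverDn"

# Step 2: record the DSA GUID before the object goes; it is the name of the
# cname record in _msdcs that steps 17 and 18 tell you to delete afterwards.
$ntdsPath = "LDAP://$LiveDc/CN=NTDS Settings,$serverDn"
$dsaGuid  = $null
if ([System.DirectoryServices.DirectoryEntry]::Exists($ntdsPath)) {
    $bytes   = ([ADSI]$ntdsPath).Properties['objectGUID'][0]
    $dsaGuid = (New-Object -TypeName Guid -ArgumentList (,[byte[]]$bytes)).ToString()

    # Step 3: the SP1 single-command syntax, run non-interactively. ntdsutil
    # treats each argument as one menu command; expect a Yes/No confirmation box.
    & ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit

    if ([System.DirectoryServices.DirectoryEntry]::Exists($ntdsPath)) {
        throw 'NTDS Settings object is still present; check the ntdsutil output'
    }
} else {
    # The Error 8419 case: another administrator already removed the object, or a
    # later successful demotion replicated in. Only DNS is left to clean up.
    'NTDS Settings object already gone; skipping ntdsutil'
}

# Step 4: DNS records. dnscmd needs the record data for an exact delete and /f
# suppresses the confirmation prompt. If your forest keeps _msdcs as a
# subdomain inside the root zone (Windows 2000 layout), use the node name
# "$dsaGuid._msdcs" in zone $Zone instead of the separate _msdcs zone.
& dnscmd $LiveDc /RecordDelete $Zone $StaleDc A $StaleIp /f
if ($dsaGuid) { & dnscmd $LiveDc /RecordDelete "_msdcs.$Zone" $dsaGuid CNAME /f }
# If DC1 was listed on the zone's Name Servers tab, remove that NS record too.
& dnscmd $LiveDc /RecordDelete $Zone '@' NS "$($StaleDc).$($Zone)." /f
```

The Exists check before and after ntdsutil is the verification the article asks for in step 15: a second Exists that still returns true means the removal did not happen, whichever message ntdsutil printed. Reverse lookup zones, if present, need the matching PTR record deleted with the same /RecordDelete syntax.
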
APPLIES TO
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

Keywords: kbenv kbhowtomaster KB216498

©2006 Microsoft Corporation. All rights reserved.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller Page 1 of 4

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
This article was previously published under Q255504
Article ID : 255504
Last Review : January 6, 2006
Revision : 7.0

SUMMARY
This article describes how to use the Ntdsutil.exe utility to transfer or to seize Flexible Single Master Operations (FSMO) roles.

MORE INFORMATION
Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a
single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to
perform these unique operations are called operations masters or FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations
that they perform:

• Schema master - The Schema master role is forest-wide and there is one for each forest. This role is
required to extend the schema of an Active Directory forest or to run the adprep /forestprep command.
• Domain naming master - The Domain naming master role is forest-wide and there is one for each forest.
This role is required to add or remove domains or application partitions to or from a forest.
• RID master - The RID master role is domain-wide and there is one for each domain. This role is required to
allocate RID pools so that new or existing domain controllers can create user accounts, computer
accounts or security groups.
• PDC emulator - The PDC emulator role is domain-wide and there is one for each domain. This role is
required for the domain controller that sends database updates to Windows NT backup domain controllers.
The domain controller that owns this role is also targeted by certain administration tools and by updates to
user account and computer account passwords.
• Infrastructure master - The Infrastructure master role is domain-wide and there is one for each domain.
This role is required for domain controllers to run the adprep /domainprep command successfully and to
update SID attributes and distinguished name attributes for objects that are referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in
the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-
wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following
methods:

• An administrator reassigns the role by using a GUI administrative tool.


• An administrator reassigns the role by using the ntdsutil /roles command.
• An administrator gracefully demotes a role-holding domain controller by using the Active Directory
Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the
forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles
in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

• The current role holder is operational and can be accessed on the network by the new FSMO owner.
• You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to
a specific domain controller in your Active Directory forest.
• The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and
you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform
operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but
less true for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

• The current role holder is experiencing an operational error that prevents an FSMO-dependent operation
from completing successfully and that role cannot be transferred.
• A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval
command.
• The operating system on the computer that originally owned a specific role no longer exists or has been
reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that
are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is
one that is in the appropriate domain and that last inbound-replicated, or recently inbound-replicated, a writable copy
of the “FSMO partition” from the existing role holder. For example, the Schema master role-holder has a
distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this means that the role
resides in and is replicated as part of the CN=schema partition. If the domain controller that holds the Schema
master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller
in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same
Active Directory site replicate changes shortly after they are made: the notification delay is 5 minutes on Windows
2000 and 15 seconds on Windows Server 2003 (at the Windows Server 2003 forest functional level).

The partition for each FSMO role is in the following list:

FSMO role Partition

Schema CN=Schema,CN=configuration,DC=<forest root domain>

Domain Naming Master CN=configuration,DC=<forest root domain>

PDC DC=<domain>

RID DC=<domain>

Infrastructure DC=<domain>

A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing
domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the
operating system on such domain controllers or forcibly demote such domain controllers on a private network and
then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata
cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest
is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role
seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals
that have overlapping RID pools, and other problems.

Transfer FSMO roles


To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain
controller that is located in the forest where FSMO roles are being transferred. We recommend that you
log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a
member of the Enterprise Administrators group to transfer Schema master or Domain naming master
roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID
master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.

Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and
then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the
domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can
transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the
start of this article. For example, to transfer the RID master role, type transfer rid master. The one
exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt.
Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles


To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain
controller that is located in the forest where FSMO roles are being seized. We recommend that you log on
to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of
the Enterprise Administrators group to seize the Schema master or Domain naming master roles, or a member of
the Domain Administrators group of the domain where the PDC emulator, RID master and the
Infrastructure master roles are being seized.


2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the
domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ?
at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this
article. For example, to seize the RID master role, type seize rid master. The one exception is for the
PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt.
Type q, and then press ENTER to quit the Ntdsutil utility.

Notes
• Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a
domain controller that owns a FSMO role is taken out of service before its roles are transferred, you
must seize all of its roles to an appropriate and healthy domain controller. We recommend that you only
seize roles when the other domain controller is not returning to the domain. If it is possible, fix the
broken domain controller that is assigned the FSMO roles. Decide which roles go to which remaining
domain controllers; in a single-domain forest it is acceptable for all five roles to sit on one domain
controller. For more information about FSMO role placement, click the following article number to
view the article in the Microsoft Knowledge Base:

223346 (http://support.microsoft.com/kb/223346/) FSMO placement and optimization on Windows 2000 domain controllers

• If the domain controller that formerly held any FSMO role is not present in the domain and if it has
had its roles seized by using the steps in this article, remove it from the Active Directory by following
the procedure that is outlined in the following Microsoft Knowledge Base article:

216498 (http://support.microsoft.com/kb/216498/) How to remove data in active directory after an unsuccessful domain controller demotion

• Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003
build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that
are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of
the Ntdsutil utility automates this task and removes additional elements of domain controller
metadata.
• Some customers prefer not to restore system state backups of FSMO role-holders in case the role has
been reassigned since the backup was made.
• Do not put the Infrastructure master role on the same domain controller as the global catalog server.
If the Infrastructure master runs on a global catalog server it stops updating object information
because it does not contain any references to objects that it does not hold. This is because a global
catalog server holds a partial replica of every object in the forest.

To test whether a domain controller is also a global catalog server:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites
and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name
if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
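The global catalog check above and the FSMO notes before it can also be scripted against an LDIF export instead of clicking through Active Directory Sites and Services. The following Python is an added example and is not part of the Microsoft article: it reads constructed LDIF in the shape of an ldifde export (the server names DC1 to DC3, the DNs and the example.local forest are placeholders), treats bit 0x1 of each NTDS Settings object's options attribute as the global catalog flag, maps the fSMORoleOwner attribute of the five role-holding containers to server names, and reports any role whose holder is not among the live domain controllers (a candidate for seizure rather than transfer) as well as an Infrastructure master that sits on a global catalog server.

```python
"""Audit FSMO role ownership and global catalog placement from an LDIF export.

Added example: the directory data below is constructed, not exported from
any real forest.
"""
from typing import Callable, Dict, List, Set, Tuple

CONFIG = "CN=Configuration,DC=example,DC=local"   # placeholder forest
NTDSDSA_OPT_IS_GC = 0x1   # bit 0 of nTDSDSA.options marks a global catalog


def ntds_dn(server: str) -> str:
    """DN of a server's NTDS Settings object (single default site assumed)."""
    return f"CN=NTDS Settings,CN={server},CN=Servers,CN=Default-First-Site-Name,CN=Sites,{CONFIG}"


# Constructed sample in the shape of an `ldifde` export: three NTDS Settings
# objects plus the five containers whose fSMORoleOwner attribute names the
# current role holder. DC3 is assumed to be out of service for the walkthrough.
SAMPLE_LDIF = "".join(
    f"dn: {ntds_dn(s)}\nobjectClass: nTDSDSA\noptions: {o}\n\n"
    for s, o in (("DC1", 1), ("DC2", 0), ("DC3", 1))
) + "".join(
    f"dn: {container}\nfSMORoleOwner: {ntds_dn(owner)}\n\n"
    for container, owner in (
        (f"CN=Schema,{CONFIG}", "DC1"),                            # schema master
        (f"CN=Partitions,{CONFIG}", "DC1"),                        # domain naming master
        ("DC=example,DC=local", "DC3"),                            # PDC emulator
        ("CN=RID Manager$,CN=System,DC=example,DC=local", "DC3"),  # RID master
        ("CN=Infrastructure,DC=example,DC=local", "DC1"),          # infrastructure master
    )
)

# Which container's fSMORoleOwner identifies which role.
ROLE_CONTAINERS: List[Tuple[str, Callable[[str], bool]]] = [
    ("Schema master", lambda dn: dn.startswith("CN=Schema,CN=Configuration,")),
    ("Domain naming master", lambda dn: dn.startswith("CN=Partitions,CN=Configuration,")),
    ("PDC emulator", lambda dn: dn.startswith("DC=")),
    ("RID master", lambda dn: dn.startswith("CN=RID Manager$,CN=System,")),
    ("Infrastructure master", lambda dn: dn.startswith("CN=Infrastructure,DC=")),
]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, one
    `attribute: value` per line. No line folding or base64 (`::`) support."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def server_of(ntds_settings_dn: str) -> str:
    """'CN=NTDS Settings,CN=DC1,...' -> 'DC1' (the second RDN)."""
    return ntds_settings_dn.split(",")[1].split("=", 1)[1]


def audit_fsmo(ldif_text: str, live_dcs: Set[str]
               ) -> Tuple[Dict[str, str], Set[str], List[Tuple[str, str]]]:
    """Return (role -> owner, global catalog servers, findings).

    Findings are (role, code) pairs: 'owner_not_live' when the holder is not
    reachable (transfer is impossible, so the role has to be seized to a
    healthy DC), 'on_global_catalog' for the Infrastructure master placement
    the article warns about, 'missing' when the export has no owner at all.
    """
    gcs: Set[str] = set()
    owners: Dict[str, str] = {}
    for e in parse_ldif(ldif_text):
        dn = e["dn"][0]
        if "nTDSDSA" in e.get("objectClass", []):
            if int(e.get("options", ["0"])[0]) & NTDSDSA_OPT_IS_GC:
                gcs.add(server_of(dn))
        elif "fSMORoleOwner" in e:
            for role, matches in ROLE_CONTAINERS:
                if matches(dn):
                    owners[role] = server_of(e["fSMORoleOwner"][0])
    findings: List[Tuple[str, str]] = []
    for role, _ in ROLE_CONTAINERS:
        owner = owners.get(role)
        if owner is None:
            findings.append((role, "missing"))
        elif owner not in live_dcs:
            findings.append((role, "owner_not_live"))
    if owners.get("Infrastructure master") in gcs:
        findings.append(("Infrastructure master", "on_global_catalog"))
    return owners, gcs, findings


if __name__ == "__main__":
    owners, gcs, findings = audit_fsmo(SAMPLE_LDIF, live_dcs={"DC1", "DC2"})
    print("role owners:", owners)
    print("global catalogs:", sorted(gcs))
    for role, code in findings:
        print(f"{role}: {code}")
```

With DC3 marked as not live, the audit reports the PDC emulator and RID master as roles that can only be seized, and flags the Infrastructure master on DC1 because DC1 is a global catalog; the checker applies the article's placement rule as written.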

For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft
Knowledge Base:

197132 (http://support.microsoft.com/kb/197132/) Windows 2000 Active Directory FSMO roles


223787 (http://support.microsoft.com/kb/223787/) Flexible Single Master Operation transfer and seizure process

APPLIES TO
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server

Keywords: kbhowto KB255504

©2006 Microsoft Corporation. All rights reserved.

260371 - Troubleshooting Common Active Directory Setup Issues in Windows 2000 Page 1 of 5

Microsoft Knowledge Base Article - 260371

Troubleshooting Common Active Directory Setup Issues in Windows 2000

This article was previously published under Q260371

SUMMARY
Some common issues that you may encounter with Active Directory installation and configuration can cause a partial or
complete loss of functionality in Active Directory. These issues may include, but not be limited to:

• Domain Name System (DNS) configuration errors
• Network configuration problems
• Difficulties when you upgrade from Microsoft Windows NT

This article describes how to troubleshoot Active Directory issues by identifying common configuration issues. For more
information about any of the issues described in this article, consult the Help system in Windows 2000, and the
Deployment Planning Guide , which is located on the following Microsoft Web site:

• http://www.microsoft.com/windows2000/library/resources/reskit/dpg/default.asp

Chapter 9 of the Deployment Planning Guide describes the design of the Active Directory structure, which is essential to
a successful Windows 2000 Active Directory deployment. Chapter 9 of the Deployment Planning Guide is available on the
Internet at the following Microsoft Web site:

• http://www.microsoft.com/windows2000/library/resources/reskit/dpg/chapt-9.asp

MORE INFORMATION
Consider the following items when you are investigating Active Directory Setup issues.

Domain Name System (DNS)

You must configure DNS correctly to ensure that Active Directory will function properly. For a more in-depth treatment of
DNS configuration for Active Directory, see the following Microsoft Knowledge Base article:

237675 Setting Up the Domain Name System for Active Directory

Review the following configuration items to ensure that DNS is healthy and that the Active Directory DNS entries will be
registered correctly:

• DNS IP configuration
• Active Directory DNS registration
• Dynamic zone updates
• DNS forwarders

DNS IP Configuration

An Active Directory server that is hosting DNS must have its TCP/IP settings configured properly. TCP/IP on an Active
Directory DNS server must be configured to point to itself to allow the server to register with its own DNS server. To view
the current IP configuration, open a command window and type ipconfig /all to display the details. You can modify the
DNS configuration by following these steps:

1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab. Configure the DNS information as follows:
a. Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP
address if it is the first server or if no dedicated DNS server will be configured.
b. If the resolution of unqualified names setting is set to Append these DNS suffixes (in order), the
Active Directory DNS domain name should be listed first (at the top of the list).
c. Verify that the DNS Suffix for this connection setting is the same as the Active Directory domain
name.
d. Verify that the Register this connection's addresses in DNS check box is selected.
5. At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and then type
ipconfig /registerdns to register the DNS resource records.

Start the DNS Management console. There should be a host record (an "A" record in Advanced view) for the computer
name. There should also be a Start of Authority (SOA in Advanced view) record pointing to the domain controller (DC) as
well as a Name Server record (NS in Advanced view).

Active Directory DNS Registration

The Active Directory DNS records must be registering in DNS. The DNS zone can be either a standard primary or an
Active Directory-integrated zone. An Active Directory-integrated zone is different from a standard primary zone in several
ways. An Active Directory-integrated zone provides the following benefits:

• The Windows 2000 DNS service stores zone data in Active Directory. This causes DNS replication to create
multiple masters, and it allows any DNS server to accept updates for a directory service-integrated zone. Using
Active Directory integration also reduces the need to maintain a separate DNS zone transfer replication topology.
• Secure dynamic updates are integrated with Windows security. This allows an administrator to precisely control
which computers can update which names, and it prevents unauthorized computers from obtaining existing names
from DNS.

Use the following steps to ensure that DNS is registering the Active Directory DNS records:

1. Start the DNS Management console.
2. Expand the zone information under the server name.
3. Expand Forward Lookup Zones, right-click the name of the Active Directory domain's DNS zone, click
Properties, and then verify that Allow Dynamic Updates is set to Yes.
4. Four folders with the following names are present when DNS is correctly registering the Active Directory DNS
records. These folders are labeled:

_msdcs
_sites
_tcp
_udp

If these folders do not exist, DNS is not registering the Active Directory DNS records. These records are critical to
Active Directory functionality and must appear within the DNS zone. You should repair the Active Directory DNS
record registration.

To repair the Active Directory DNS record registration:

• Check for the existence of a Root Zone entry. View the Forward Lookup zones in the DNS Management console.
There should be an entry for the domain. Other zone entries may exist. There should not be a dot (".") zone. If
the dot (".") zone exists, delete the dot (".") zone. The dot (".") zone identifies the DNS server as a root server.
Typically, an Active Directory domain that needs external (Internet) access should not be configured as a root
DNS server.

The server probably needs to reregister its IP configuration (by using Ipconfig) after you delete the dot ("."). The
Netlogon service may also need to be restarted. Further details about this step are listed later in this article.
• Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate
the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support tools. At a command
prompt, type netdiag /fix.

To install the Windows 2000 Support tools:

1. Insert the Windows 2000 CD-ROM.
2. Browse to Support\Tools.
3. Run Setup.exe in this folder.
4. Select a typical installation. The default installation path is Systemdrive:\Program Files\Support Tools.
After you run the Netdiag utility, refresh the view in the DNS Management console. The Active Directory DNS
records should then be listed.

NOTE: The server may need to reregister its IP configuration (by using Ipconfig) after you run Netdiag. The
Netlogon service may also need to be restarted.

If the Active Directory DNS records do not appear, you may need to manually re-create the DNS zone.

• Manually re-create the DNS zone:
1. Start the DNS Management console.
2. Right-click the name of the zone, and then click Delete.
3. Click OK to acknowledge any warnings. The Forward Lookup zones no longer list the deleted zone.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. The New Zone Wizard starts. Click Next to continue.
6. Click the appropriate zone type (either Active Directory-integrated or Standard primary), and then
click Next.
7. Type the name of the zone exactly as it appears in Network Identification, and then click Next.
8. Click the appropriate zone file, or a new zone file. Click Next, and then click Finish to finish the New Zone
Wizard. The newly created zone appears in the DNS Management console.
9. Right-click the newly created zone, click Properties, and then change Allow Dynamic Updates to Yes.
10. At a command prompt, type net stop netlogon, and then press ENTER. The Netlogon service is stopped.
11. Type net start netlogon, and then press ENTER. The Netlogon service is restarted.
12. Refresh the view in the DNS Management console. The Active Directory DNS records should be listed under
the zone.

If the Active Directory DNS records still do not exist, there may be a disjointed DNS namespace. If you suspect that there
is a disjointed DNS namespace, see the "Disjointed DNS Namespace" section in this article.

Dynamic Zone Updates

Microsoft recommends that the DNS Lookup zone accept dynamic updates. You can configure this by right-clicking the
name of the zone, and then clicking Properties. On the General tab, the Allow Updates setting should be set to Yes,
or for an Active Directory-integrated zone, either Yes or Only secure updates. If dynamic updates are not allowed, all
host registration must be completed manually.

DNS Forwarders

To ensure network functionality outside of the Active Directory domain (such as browser requests for Internet
addresses), configure the DNS server to forward DNS requests to the appropriate Internet service provider (ISP) or
corporate DNS servers. To configure forwarders on the DNS server:

1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. Click the Forwarders tab.
4. Click to select the Enable Forwarders check box.

NOTE: If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone
(usually identified by a zone named only with a period, or dot (".")). You must delete this zone to enable the DNS
server to forward DNS requests. In a configuration in which the DNS server does not rely on an ISP DNS server
or a corporate DNS server, you can use a root zone entry.
5. Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from this DNS server.
The list reads from the top down in order; if there is a preferred DNS server, place it at the top of the list.
6. Click OK to accept the changes.

For more troubleshooting information about DNS configuration for Active Directory, see the following Microsoft
Knowledge Base articles:

249868 Replacing Root Hints with the Cache.dns File

237675 Setting Up the Domain Name System for Active Directory

241505 SRV Records Missing After Implementing Active Directory and DNS

241515 How to Verify the Creation of SRV Records for a Domain Controller

Network Configuration

You must configure specific network components properly to ensure proper operation of Active Directory on the network,
and to ensure that computers will be able to join the domain.

File and Printer Sharing Must Be Enabled


If the File and Printer Sharing component is disabled on the Windows 2000-based domain controller, error messages
occur when attempts are made to join the domain. For more information, see the following Microsoft Knowledge Base
article:

254680 DNS Namespace Planning

Note that there are situations in which it is preferable to disable File and Printer Sharing on a Windows 2000-based
computer. For example, when a Windows 2000-based computer is accessible over the Internet. In this case, you should
disable File and Printer Sharing only on the network adapter that is accessible on the Internet.

NetBIOS over TCP/IP Must Be Enabled for Other Clients

If clients that are not running Windows 2000 (for example, clients that are running Microsoft Windows 95, Microsoft
Windows 98, or Microsoft Windows NT) will participate in the Active Directory domain, they should be able to perform
NetBIOS name resolution. NetBIOS name resolution does not work if NetBIOS over TCP/IP is disabled.

258500 Error Message When Attempting to Join a Windows 2000 Domain

Upgrade Installation Considerations

Earlier (Legacy) DNS Server

DNS servers that run Windows NT 4.0 cannot dynamically register the Active Directory DNS records. The best solution in
this case is to install DNS on the Active Directory domain controller to ensure that Active Directory DNS records will be
registered for the domain.

Disjointed DNS Namespace

You must configure the correct DNS suffix information before you begin a Windows 2000 upgrade installation. You
cannot change the server name and DNS domain information after Active Directory is installed.

To configure the DNS suffix information in Windows NT before you upgrade the computer to a Windows 2000-based
Active Directory domain controller:

1. Right-click Network Neighborhood, and then click Properties.
2. Click the Protocols tab, click TCP/IP Protocol, and then click Properties.
3. Click the DNS tab.
4. In the Domain box, type the complete Active Directory domain name.
5. Click Apply, and then click OK.
6. Click OK to quit the Network tool.
7. Restart the computer.
8. To verify the settings, open a command window, and then type ipconfig /all. The Host Name line shows the
fully qualified domain name.

If you must change the DNS domain information after you install Active Directory, you must run the Dcpromo utility on
the computer to remove it from the domain and make it a stand-alone server.

To determine if a disjointed namespace exists on an existing Windows 2000-based domain controller:

1. Right-click My Computer, and then click Properties.
2. Click the Network Identification tab.
3. Compare the DNS suffix section of the full computer name to that of the domain name listing. The full computer
name reads as follows: hostname.dns_suffix. These two entries should contain identical suffix information.

If these two entries do not contain identical suffix information, a disjointed DNS namespace exists. This condition
prevents proper registration of any Active Directory DNS records.
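Both the DNS IP configuration checks earlier in this article (the DNS server list pointing at the computer itself, the connection-specific suffix equal to the domain name) and the disjointed-namespace comparison just described can be run against the text of ipconfig /all rather than read off by eye. The Python below is an added example, not part of the Microsoft article; the ipconfig output, host name, suffixes and addresses are constructed placeholders, and the parser assumes a single network adapter.

```python
"""Check a domain controller's DNS client settings from `ipconfig /all` text.

Added example with constructed data; nothing here is taken from a real host.
"""
from typing import Dict, List, Tuple

# Constructed `ipconfig /all` output for a single-adapter Windows 2000 DC.
# Host name, suffixes and addresses are placeholders, chosen so that two of
# the article's failure modes show up: the DNS client points at other
# servers, and the primary DNS suffix differs from the Active Directory domain.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dc1
        Primary DNS Suffix  . . . . . . . : corp.example.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : example.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.local
        Description . . . . . . . . . . . : Placeholder Ethernet Adapter
        Physical Address. . . . . . . . . : 00-00-00-00-00-01
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.10.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.99
                                            192.168.10.98
"""


def parse_ipconfig(text: str) -> Dict[str, List[str]]:
    """Flatten ipconfig output into {field name: [values]}.

    Dotted leaders are stripped from field names, indented continuation
    lines (extra DNS servers) are appended to the preceding field, and
    adapter headings such as 'Ethernet adapter ...:' are skipped. Fields
    with an empty value are ignored. One adapter is assumed.
    """
    fields: Dict[str, List[str]] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            last_key = None
            continue
        if " : " in line:
            raw_key, _, value = line.partition(" : ")
            key = " ".join(raw_key.replace(".", " ").split())
            fields.setdefault(key, []).append(value.strip())
            last_key = key
        elif line.endswith(":"):
            last_key = None                 # adapter heading
        elif last_key is not None:
            fields[last_key].append(line)   # continuation value
    return fields


def check_dc_dns_client(ipconfig_text: str, ad_domain: str,
                        hosts_dns: bool = True) -> Tuple[str, List[str]]:
    """Return (FQDN, findings) for the settings the article says to verify."""
    f = parse_ipconfig(ipconfig_text)

    def first(key: str) -> str:
        return f.get(key, [""])[0]

    host = first("Host Name")
    primary = first("Primary DNS Suffix")
    conn_suffix = first("Connection-specific DNS Suffix")
    own_ips = set(f.get("IP Address", []))
    findings: List[str] = []
    # A DC that hosts DNS must list its own address so it registers with itself.
    if hosts_dns and own_ips.isdisjoint(f.get("DNS Servers", [])):
        findings.append("dns_servers_do_not_include_self")
    # Step 4c: the connection's DNS suffix must equal the AD domain name.
    if conn_suffix.lower() != ad_domain.lower():
        findings.append("connection_suffix_mismatch")
    # Disjointed namespace: the primary suffix must equal the AD domain name.
    if primary.lower() != ad_domain.lower():
        findings.append("disjointed_namespace")
    fqdn = f"{host}.{primary}" if primary else host
    return fqdn, findings


if __name__ == "__main__":
    fqdn, findings = check_dc_dns_client(SAMPLE_IPCONFIG, "example.local")
    print(fqdn, findings or "OK")
```

On the constructed output the function returns the FQDN dc1.corp.example.local with two findings, the self-pointing DNS server and the disjointed namespace; correcting those two values in the text makes the findings list empty.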

NOTE: The only supported method to recover from a disjointed namespace is to use Dcpromo to remove the computer
from the domain and make it a stand-alone server. You can then correct the DNS namespace information and run
Dcpromo again to promote the computer back to a domain controller.

WARNING: Exercise caution if you determine that this process is necessary on an existing Windows 2000-based
domain. The process of running Dcpromo to remove the computer from a domain, and then re-creating an Active
Directory domain results in a total loss of all the computer account information and user account information for the
domain. You must manually re-create all user account information and computer account information after using this
process.


For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

258832 Cannot Join Windows 2000 Client to a Windows NT Domain

The information in this article applies to:

• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server
• Microsoft Small Business Server 2000

Last Reviewed: 9/22/2003 (3.0)


Keywords: kbActiveDirectoryRepl kbenv kbinfo kbtshoot KB260371

© 2004 Microsoft Corporation. All rights reserved.

How to create or move a Global Catalog in Windows 2000 Page 1 of 2

How to create or move a Global Catalog in Windows 2000


This article was previously published under Q313994
Article ID: 313994
Last Review: February 9, 2006
Revision: 3.2

SUMMARY
This article explains how to create a new global catalog server. This may be necessary if you need additional
global catalog servers (e.g. to support an Exchange 2000 roll out) or if you want to move the global catalog server
role to a different domain controller.

There may be occasions when it is necessary to create a new global catalog to replace an existing one, or to add a
new global catalog. Microsoft recommends the following method:

1. Create a new global catalog on a second domain controller.
2. Wait for the account and the schema information to replicate to the new global catalog. For single
domains, this is relatively straightforward. For multiple domain networks, full replication will take
additional time, depending on the complexity of the network. The new global catalog will be created by
normal Active Directory (AD) replication and depending on the structure of your AD forest, this replication
could take considerable time.
3. Remove the global catalog from the original domain controller (optional).

By default, Windows 2000 will only place a Global catalog on the first Domain Controller in each AD forest.

To create additional global catalog servers, or to move a global catalog from one domain controller to another,
you need to perform these actions manually.

How to Create a New Global Catalog on the Destination Global Catalog Server
To create a new global catalog:

1. On the domain controller where you want the new global catalog, start the Active Directory Sites and
Services snap-in. To start the snap-in, click Start, point to Programs, point to Administrative Tools,
and then click Active Directory Sites and Services.
2. In the console tree, double-click Sites, and then double-click sitename.
3. Double-click Servers, click your domain controller, right-click NTDS Settings, and then click Properties.
4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to
this server.
5. Restart the domain controller.

Note Allow sufficient time for the account and the schema information to replicate to the new global catalog
server before you remove the global catalog from the original domain controller.

Event 1119 may be logged in the Directory Services log in Event Viewer with a description that states that the
computer is now advertising itself as a global catalog server.

In a Windows 2000 domain with only one domain controller, you typically assign the roles of the global catalog
and of the operations master (also known as flexible single-master operations or FSMO) to the same domain
controller; however, in domains with multiple domain controllers, particularly in forests with multiple domains, it is
important to consider the placement of these roles before you assign them. For more information, click the
following article number to view the article in the Microsoft Knowledge Base:

223346 (http://support.microsoft.com/kb/223346/) FSMO Placement and Optimization on Windows 2000 Domains

How to Remove the Global Catalog from the Original Global Catalog Server
To remove the global catalog from the original domain controller:

1. On the domain controller from which you want to remove the global catalog, start the Active Directory
Sites and Services snap-in. To start the snap-in, click Start, point to Programs, point to Administrative
Tools, and then click Active Directory Sites and Services.
2. In the console tree, double-click Sites, and then double-click sitename.
3. Double-click Servers, click your domain controller, right-click NTDS Settings, and then click Properties.
4. On the General tab, click to clear the Global catalog check box to remove the role of global catalog from
this server.
5. Restart the domain controller.


Note Allow sufficient time for the account and the schema information to replicate to the new global catalog
server before you remove the global catalog from the original domain controller.

If you create additional global catalog servers, this may provide quicker responses to user inquiries; however, if
you enable additional domain controllers as global catalog servers, this may increase replication traffic on the
network. For more information about directory replication in Windows 2000, click the following article number to
view the article in the Microsoft Knowledge Base:

199174 (http://support.microsoft.com/kb/199174/) Directory replication basics for Windows 2000

REFERENCES
For more information about the global catalog, click the following article numbers to view the articles in the
Microsoft Knowledge Base:

257203 (http://support.microsoft.com/kb/257203/) Common default attributes set for Active Directory and
Global Catalog

232517 (http://support.microsoft.com/kb/232517/) Global Catalog attributes and replication properties

229662 (http://support.microsoft.com/kb/229662/) How to control what data is stored in the Global Catalog

248717 (http://support.microsoft.com/kb/248717/) How to modify attributes that replicate to the Global Catalog

199174 (http://support.microsoft.com/kb/199174/) Directory replication basics for Windows 2000

229896 (http://support.microsoft.com/kb/229896/) Using Repadmin.exe to troubleshoot Active Directory replication

APPLIES TO
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Professional Edition
• Microsoft Small Business Server 2000 Standard Edition
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Web Edition
• Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
• Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems

Keywords: kbenv kbhowtomaster kbnetwork KB313994

©2006 Microsoft Corporation. All rights reserved.

216993 - Backup of the Active Directory Has 60-Day Useful Life Page 1 of 2


Microsoft Knowledge Base Article - 216993

Backup of the Active Directory Has 60-Day Useful Life


This article was previously published under Q216993


SUMMARY
Windows Backup, the backup tool included in the Administrative Tools
folder on Windows 2000 servers, can back up and restore the Active
Directory on Windows 2000 domain controllers. These backups can be
performed while the domain controller is online. You can restore these
backups only when the domain controller is booted into Directory Services
Restore mode using the F8 key when the server is starting.

If a non-authoritative restore is performed using Backup, the domain
controller will contain the settings and entries that existed in the Domain,
Schema, Configuration, and optionally the Global Catalog Naming
Contexts when the backup was performed. Partial synchronization
(replication) from other replicas within the enterprise then update all
naming contexts hosted on the domain controller, overwriting the
restored data.

For additional information about authoritative and non-authoritative
restores, please see the following article in the Microsoft Knowledge Base:

216243 Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts

Windows 2000 prohibits the restoring of old backup images into a
replicated enterprise. Specifically, the useful life of a backup is identical to
the "tombstone lifetime" setting for the enterprise. The default value for
the tombstone lifetime entry is 60 days. This value can be set on the
Directory Service (NTDS) config object.

MORE INFORMATION
If your only backup of the Active Directory is older than the tombstone
lifetime setting, reinstall the server after confirming there is at least one
surviving domain controller in the domain from which new replicas can be
synchronized. You can lose all but one server in the domain and still
recover with no loss of data, assuming that the remaining survivor holds
current information.

If every server in the domain is destroyed, restore one server from an
arbitrarily outdated backup, and replicate all other servers from the
restored one.

file://E:\Microsoft%20software%20and%20tools\Q216993%20-%20Backup%20of% ... 2004-01-22



The tombstone lifetime attribute is located on the enterprise-wide DS
config object. The path for this attribute is:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=COMPANY,DC=COM

Use the Active Directory editing tool of your choice so that the
"tombstoneLifetime" attribute is set to be older than the backup used to
restore the Active Directory. Supported tools include Adsiedit.msc,
Ldp.exe, and ADSI Scripts.

NOTE: This information assumes that the backup is not older than the
default "tombstoneLifetime" setting. Otherwise, the objects have already
been deleted from the database. In this case, an authoritative restore
may be the better alternative if there are multiple domain controllers.

The "tombstoneLifetime" attribute represents the number of days a
backup of the Active Directory can be used in addition to the frequency
with which garbage collection routines (removing items previously marked
for deletion) are run. For more information about garbage collection,
please see the following article in the Microsoft Knowledge Base:

198793 The Active Directory Database Garbage Collection Process
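The 60-day rule and the recovery choices described above (restore while the backup is younger than the tombstone lifetime, otherwise reinstall and replicate from a surviving domain controller, and restore an outdated backup only when no domain controller is left) can be written down as one decision function. The Python below is an added example, not part of the Microsoft article; the dates are constructed, and the tombstoneLifetime value is passed in as an integer read from the Directory Service object by whichever tool you use, with None standing for an attribute that has never been set.

```python
"""Decide whether an Active Directory system-state backup is still usable.

Added example; dates and the surviving-DC count are constructed inputs.
"""
from datetime import date, timedelta
from typing import Optional, Tuple

DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60   # Windows 2000 default named in the article


def effective_tombstone_lifetime(attr_value: Optional[int]) -> int:
    """tombstoneLifetime as read from the Directory Service object; an unset
    attribute (None) means the default is in force."""
    return DEFAULT_TOMBSTONE_LIFETIME_DAYS if attr_value is None else attr_value


def backup_useful_until(backup_date: date, attr_value: Optional[int]) -> date:
    """Last day on which a backup taken on backup_date can still be restored
    into a replicated forest: the tombstone lifetime counted from the backup."""
    return backup_date + timedelta(days=effective_tombstone_lifetime(attr_value))


def plan_recovery(backup_date: date, today: date, attr_value: Optional[int],
                  surviving_dcs: int) -> Tuple[str, int]:
    """Return (action, days of useful life left; negative once expired).

    Follows the article: restore the backup while it is within the tombstone
    lifetime; otherwise reinstall and replicate from a surviving DC when one
    exists; if every DC is gone, restore the outdated backup anyway and build
    the remaining DCs as fresh replicas of it.
    """
    days_left = (backup_useful_until(backup_date, attr_value) - today).days
    if days_left >= 0:
        return "non_authoritative_restore", days_left
    if surviving_dcs > 0:
        return "reinstall_and_replicate_from_survivor", days_left
    return "restore_outdated_backup_then_replicate_others", days_left


if __name__ == "__main__":
    taken = date(2004, 1, 1)   # constructed backup date
    for today, survivors in ((date(2004, 2, 15), 2), (date(2004, 3, 10), 1), (date(2004, 3, 10), 0)):
        print(today, survivors, plan_recovery(taken, today, None, survivors))
```

Changing the attribute value moves the deadline: with tombstoneLifetime raised to 90 the 2004-03-10 case is still inside the useful life, which is why the function takes the attribute as an input rather than assuming 60.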

The information in this article applies to:

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Last Reviewed: 9/22/2003 (3.0)
Keywords: kbinfo KB216993

© 2003 Microsoft Corporation. All rights reserved.

