You will also want to remove any trusts that have been established for the domain (see Recipe 2.22 for more details). For more information on how to demote a domain controller, see Recipe 3.3.
2.4.3 Discussion
The "brute force" method for removing a forest as described in the Discussion for Recipe 2.2 is not a good method for removing a domain. Doing so will leave all of the domain controller and server objects, along with the domain object and associated domain naming context, hanging around in the forest. If you used that approach, you would eventually see a bunch of replication and file replication service (FRS) errors in the event log from failed replication events.
2.4.4 See Also
Recipe 2.19 for viewing the trusts for a domain, Recipe 2.22 for removing a trust, Recipe 3.3 for demoting a domain controller, MS KB 238369 (HOW TO: Promote and Demote Domain Controllers in Windows 2000), and MS KB 255229 (Dcpromo Demotion of Last Domain Controller in Child Domain Does Not Succeed).
Recipe 2.5 Removing an Orphaned Domain
2.5.1 Problem
You want to completely remove a domain that was orphaned because "This server is the last domain controller in the domain" was not selected when demoting the last domain controller, the domain was forcibly removed, or the last domain controller in the domain was decommissioned improperly.
2.5.2 Solution
2.5.2.1 Using a command-line interface
The following ntdsutil commands (in bold) would forcibly remove the emea.rallencorp.com domain from the rallencorp.com forest. Replace <DomainControllerName> with the hostname of the Domain Naming Flexible Single Master Operation (FSMO) for the forest:
> ntdsutil "meta clean" "s o t" conn "con to server <DomainControllerName>" q q
metadata cleanup: "s o t" "list domains"
Found 4 domain(s)
0 - DC=rallencorp,DC=com
1 - DC=amer,DC=rallencorp,DC=com
2 - DC=emea,DC=rallencorp,DC=com
3 - DC=apac,DC=rallencorp,DC=com
select operation target: sel domain 2
No current site
Domain - DC=emea,DC=rallencorp,DC=com
No current server
No current Naming Context
select operation target: q
metadata cleanup: remove sel domain
You will receive a message indicating whether the removal was successful.
2.5.3 Discussion
Removing an orphaned domain consists of removing the domain object for the domain (e.g., dc=emea,dc=rallencorp,dc=com), all of its child objects, and the associated crossRef object in the Partitions container. You need to target the Domain Naming FSMO when using the ntdsutil command because that server is responsible for creation and removal of domains.
In the solution, shortcut parameters were used to reduce the amount of typing necessary. If each parameter were typed out fully, the commands would look as follows:
> ntdsutil "metadata cleanup" "select operation target" connections "connect to server <DomainControllerName>" quit quit
metadata cleanup: "select operation target" "list domains"
Found 4 domain(s)
0 - DC=rallencorp,DC=com
1 - DC=amer,DC=rallencorp,DC=com
2 - DC=emea,DC=rallencorp,DC=com
3 - DC=apac,DC=rallencorp,DC=com
select operation target: select domain 2
No current site
Domain - DC=emea,DC=rallencorp,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain
2.5.4 See Also
Recipe 3.6 for removing an unsuccessfully demoted domain controller, MS KB 230306 (HOW TO: Remove Orphaned Domains from Active Directory), MS KB 251307 (HOW TO: Remove Orphaned Domains from Active Directory Without Demoting the Domain Controllers), and MS KB 255229 (Dcpromo Demotion of Last Domain Controller in Child Domain Does Not Succeed).
Recipe 2.6 Finding the Domains in a Forest
2.6.1 Problem
You want a list of the domains in a forest.
2.6.2 Solution
2.6.2.1 Using a graphical user interface
Open the Active Directory Domains and Trusts snap-in. The list of the domains in the default forest can be browsed in the left pane.
2.6.2.2 Using a command-line interface
> ntdsutil "d m" "sel op tar" c "co t s <DomainControllerName>" q "l d" q q q
2.6.2.3 Using VBScript
' This code gets the list of the domains contained in the
' forest that the user running the script is logged into.
set objRootDSE = GetObject("LDAP://RootDSE")
' Search the global catalog, starting at the forest root domain NC.
strADsPath = "<GC://" & objRootDSE.Get("rootDomainNamingContext") & ">;"
strFilter = "(objectcategory=domainDNS);"
strAttrs = "name;"
strScope = "SubTree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
' ADO command string format: <base>;filter;attributes;scope
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend
2.6.3 Discussion
2.6.3.1 Using a graphical user interface
If you want to view the domains for an alternate forest than the one you are logged into, right-click on "Active Directory Domains and Trusts" in the left pane, and select "Connect to Domain Controller." Enter the forest name you want to browse in the Domain field. In the left pane, expand the forest root domain to see any subdomains.
2.6.3.2 Using a command-line interface
In the ntdsutil example, shortcut parameters were used to reduce the amount of typing needed. If each parameter were typed out fully, the command line would look like:
> ntdsutil "domain management" "select operation target" connections "connect to server <DomainControllerName>" quit "List domains" quit quit quit
In the VBScript solution, an ADO query is used to search for domainDNS objects stored in the global catalog, using the root (forest) Domain NC as the search base. This query will find all domains in the forest.
To find the list of domains for an alternate forest, include the name of the forest as part of the ADsPath used in the first line of code. The following would target the othercorp.com forest:
set objRootDSE = GetObject("LDAP://othercorp.com/" & "RootDSE")
2.6.4 See Also
Recipe 3.8 for finding the domain controllers for a domain.
Recipe 2.7 Finding the NetBIOS Name of a Domain
2.7.1 Problem
You want to find the NetBIOS name of a domain. Although Microsoft has moved to using DNS for primary name resolution, the NetBIOS name of a domain is still important, especially with down-level clients that are still based on NetBIOS instead of DNS for naming.
2.7.2 Solution
2.7.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. Right-click the domain you want to view in the left pane and select Properties.
The NetBIOS name will be shown in the "Domain name (pre-Windows 2000)" field.
2.7.2.2 Using a command-line interface
> dsquery * cn=partitions,cn=configuration,<ForestRootDN> -filter "(&(objectcategory=crossref)(dnsroot=<DomainDNSName>)(netbiosname=*))" -attr netbiosname
2.7.2.3 Using VBScript
' This code prints the NetBIOS name for the specified domain.
' - SCRIPT CONFIGURATION -
strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
' Search base: the Partitions container in the Configuration NC.
strADsPath = "<LDAP://" & strDomain & "/cn=Partitions," & _
             objRootDSE.Get("configurationNamingContext") & ">;"
strFilter = "(&(objectcategory=Crossref)" & _
            "(dnsRoot=" & strDomain & ")(netBIOSName=*));"
strAttrs = "netbiosname;"
' crossRef objects sit directly under cn=Partitions, so a one-level search suffices.
strScope = "OneLevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
WScript.Echo "NetBIOS name for " & strDomain & " is " & objRS.Fields(0).Value
2.7.3 Discussion
Each domain has a crossRef object that is used by Active Directory to generate referrals. Referrals are necessary when a client performs a query and the directory server handling the request does not have the matching object(s) in its domain. The NetBIOS name of a domain is stored in the domain's crossRef object in the Partitions container in the Configuration NC. Each crossRef object has a dnsRoot attribute, which is the fully qualified DNS name of the domain. The netBIOSName attribute contains the NetBIOS name for the domain.
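The query above takes the domain name from the caller and splices it straight into the filter; the following Python is an added example (not from the book) that builds the Recipe 2.7 crossRef filter with the value escaped per RFC 4515 and evaluates the dnsRoot assertion against constructed sample crossRef objects. The evaluator is a simplification of server-side matching and the sample data is made up.

```python
import re

# Added example, not from the book: the Recipe 2.7 crossRef query with the
# caller-supplied domain name escaped, plus a small assertion evaluator.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape the characters that carry meaning inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def crossref_filter(domain_dns_name: str) -> str:
    """The Recipe 2.7 filter; the book's VBScript concatenates strDomain raw."""
    return ("(&(objectCategory=crossRef)"
            f"(dnsRoot={escape_filter_value(domain_dns_name)})"
            "(netBIOSName=*))")

def ado_query(config_nc: str, domain_dns_name: str) -> str:
    """ADsDSOObject command string in the book's <base>;filter;attrs;scope form."""
    return (f"<LDAP://cn=Partitions,{config_nc}>;"
            f"{crossref_filter(domain_dns_name)};netBIOSName;OneLevel")

def assertion_matches(assertion: str, attr_value: str) -> bool:
    """Match one (attr=assertion) the way a directory server does: an unescaped
    '*' is a wildcard, '\\xx' is a literal byte, comparison ignores case.
    Simplified: equality/substring rules only, no extensible matching."""
    pattern, i = "", 0
    while i < len(assertion):
        if assertion[i] == "\\" and i + 2 < len(assertion):
            pattern += re.escape(chr(int(assertion[i + 1:i + 3], 16)))
            i += 3
        elif assertion[i] == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(assertion[i])
            i += 1
    return re.fullmatch(pattern, attr_value, re.IGNORECASE) is not None

# Constructed sample objects from cn=Partitions (application partitions have a
# dnsRoot but no netBIOSName, which is why the filter requires one).
SAMPLE_CROSSREFS = [
    {"dnsRoot": "rallencorp.com", "netBIOSName": "RALLENCORP"},
    {"dnsRoot": "amer.rallencorp.com", "netBIOSName": "AMER"},
    {"dnsRoot": "emea.rallencorp.com", "netBIOSName": "EMEA"},
    {"dnsRoot": "DomainDnsZones.rallencorp.com"},
]

def netbios_names(domain_dns_name: str, crossrefs=SAMPLE_CROSSREFS, escape=True):
    """NetBIOS names the filter would return for the given input; escape=False
    reproduces raw concatenation so the effect of escaping is visible."""
    value = escape_filter_value(domain_dns_name) if escape else domain_dns_name
    return [c["netBIOSName"] for c in crossrefs
            if "netBIOSName" in c and assertion_matches(value, c["dnsRoot"])]
```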
Recipe 2.8 Renaming a Domain
2.8.1 Problem
You want to rename a domain due to organizational changes or legal restrictions because of an acquisition. Renaming a domain is a very involved process and should be done only when absolutely necessary. Changing the name of a domain can have an impact on everything from DNS, replication, and GPOs to DFS and Certificate Services. A domain rename also requires that all domain controllers and member computers in the domain are rebooted!
2.8.2 Solution
Under Windows 2000, there is no supported process to rename a domain. There is one workaround for mixed-mode domains in which you revert the domain and any of its child domains back to Windows NT domains. This can be done by demoting all Windows 2000 domain controllers and leaving the Windows NT domain controllers in place. You could then reintroduce Windows 2000 domain controllers and use the new domain name when setting up Active Directory. The process is not very clean and probably won't be suitable for most situations, but you can find out more about it in MS KB 292541.
A domain rename procedure is supported if a forest is running all Windows Server 2003 domain controllers and is at the Windows Server 2003 forest functional level. Microsoft provides a rename tool (rendom.exe) and a detailed white paper describing the process at the following location:
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx
2.8.3 Discussion
The domain rename procedure supports the following operations:
• Rename a domain to a new name without repositioning it in the domain tree
• Reposition a domain within a domain tree
• Create a new domain tree with a renamed domain
One thing you cannot do with the domain rename procedure is reposition the forest root domain. You can rename the forest root domain, but you cannot change its status as the forest root domain. Another important limitation to note is that you cannot rename any domain in a forest that has had Exchange 2000 installed. A future service pack release of Exchange Server 2003 will reportedly handle domain renames. See the web site mentioned in the solution for more information on other limitations.
2.8.4 See Also
MS KB 292541 (How to: Rename the DNS name of a Windows 2000 Domain).
Recipe 2.9 Changing the Mode of a Domain
2.9.1 Problem
You want to change the mode of a Windows 2000 Active Directory domain from mixed to native. You typically want to do this as soon as possible after installing a Windows 2000 domain to take advantage of features that aren't available with mixed-mode domains.
2.9.2 Solution
2.9.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. Browse to the domain you want to change in the left pane.
3. Right-click on the domain and select Properties. The current mode will be listed in the Domain Operation Mode box.
4. To change the mode, click the Change Mode button at the bottom.
2.9.2.2 Using a command-line interface
To retrieve the current mode, use the following command:
> dsquery * <DomainDN> -scope base -attr ntMixedDomain
Or you can use the enumprop command found in the Windows 2000 Resource Kit:
> enumprop /ATTR:ntMixedDomain "LDAP://<DomainDN>"
To change the mode to native, create an LDIF file called change_domain_mode.ldf with the following contents:
dn: <DomainDN>
changetype: modify
replace: ntMixedDomain
ntMixedDomain: 0
-
Then run the ldifde command to import the change:
> ldifde -i -f change_domain_mode.ldf
2.9.2.3 Using VBScript
' This code changes the mode of the specified domain to native.
' - SCRIPT CONFIGURATION -
strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' - END CONFIGURATION -
set objDomain = GetObject("LDAP://" & strDomain)
' nTMixedDomain: 1 = mixed mode, 0 = native mode (the change is one-way)
if objDomain.Get("nTMixedDomain") > 0 Then
    Wscript.Echo "Changing mode to native"
    objDomain.Put "nTMixedDomain", 0
    objDomain.SetInfo
else
    Wscript.Echo "Already a native mode domain"
end if
2.9.3 Discussion
The mode of a domain restricts the operating systems the domain controllers in the domain can run. In a mixed-mode domain, you can have Windows 2000 and Windows NT domain controllers. In a native-mode domain, you can have only Windows 2000 (and Windows Server 2003) domain controllers. There are several important feature differences between mixed and native mode. Mixed mode imposes the following limitations:
• The domain cannot contain Universal security groups
• Groups in the domain cannot have their scope or type changed
• The domain cannot have nested groups (aside from global groups in domain local groups)
• Account modifications sent to Windows NT BDCs, including password changes, must go through the PDC Emulator for the domain
• The domain cannot use SID History
• The domain cannot fully utilize trust transitivity
The domain mode can be changed only from mixed to native mode. You cannot change it back from native to mixed. When a Windows 2000 domain is first created, it starts off in mixed mode even if all the domain controllers are running Windows 2000. The domain mode is stored in the ntMixedDomain attribute on the domain object (e.g., dc=amer,dc=rallencorp,dc=com). A value of 0 signifies a native-mode domain and 1 indicates a mixed-mode domain.
2.9.4 See Also
Recipe 2.13 for raising the functional level of a domain, Recipe 2.14 for raising the functional level of a forest, and MS KB 186153 (Modes Supported by Windows 2000 Domain Controllers).
Recipe 2.10 Using ADPrep to Prepare a Domain or Forest for Windows Server 2003
2.10.1 Problem
You want to upgrade your existing Windows 2000 Active Directory domain controllers to Windows Server 2003. Before doing this, you must run the ADPrep tool, which extends the schema and adds several objects in Active Directory that are necessary for new features and enhancements.
2.10.2 Solution
First, run the following command on the Schema FSMO with the credentials of an account that is in both the Enterprise Admins and Schema Admins groups:
> adprep /forestprep
After the updates from /forestprep have replicated throughout the forest (see Recipe 2.11), run the following command on the Infrastructure FSMO in each domain with the credentials of an account in the Domain Admins group:
> adprep /domainprep
If the updates from /forestprep have not replicated to at least the Infrastructure FSMO servers in each domain, an error will be returned when running /domainprep. To debug any problems you encounter, see the ADPrep log files located at %SystemRoot%\System32\Debug\Adprep\Logs.
adprep can be found in the \i386 directory on the Windows Server 2003 CD. The tool relies on several files in that directory, so you cannot simply copy that file out to a server and run it. You must either run it from the CD or from a location where the entire directory has been copied.
2.10.3 Discussion
The adprep command prepares a Windows 2000 forest and domains for Windows Server 2003. Both /forestprep and /domainprep must be run before you can upgrade any domain controllers to Windows Server 2003 or install new Windows Server 2003 domain controllers.
The adprep command serves a similar function to the Exchange 2000 setup /forestprep and /domainprep commands, which prepare an Active Directory forest and domains for Exchange 2000. The adprep /forestprep command extends the schema and modifies some default security descriptors, which is why it must run on the Schema FSMO and under the credentials of someone in both the Schema Admins and Enterprise Admins groups. In addition, the adprep /forestprep and /domainprep commands add new objects throughout the forest, many of which are necessary for new features supported in Windows Server 2003 Active Directory.
If you've installed Exchange 2000 or Services For Unix 2.0 in your forest prior to running adprep, there are schema conflicts with the adprep schema extensions that you'll need to fix first. MS KB 325379 and 314649 have a detailed list of compatibility issues and resolutions.
2.10.4 See Also
Recipe 2.11 for determining if ADPrep has completed, Chapter 14 of Active Directory, Second Edition for upgrading to Windows Server 2003, MS KB 331161 (List of Fixes to Use on Windows 2000 Domain Controllers Before You Run the Adprep/Forestprep Command), MS KB 314649 (Windows Server 2003 ADPREP Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers), and MS KB 325379 (Upgrade Windows 2000 Domain Controllers to Windows Server 2003).
Recipe 2.11 Determining if ADPrep Has Completed
2.11.1 Problem
You want to determine if the ADPrep process, described in Recipe 2.10, has successfully prepared a Windows 2000 domain or forest for Windows Server 2003. After ADPrep has completed, you will then be ready to start promoting Windows Server 2003 domain controllers.
2.11.2 Solution
To determine if adprep /domainprep completed, check for the existence of the following object where <DomainDN> is the distinguished name of the domain:
cn=Windows2003Update,cn=DomainUpdates,cn=System,<DomainDN>
To determine if adprep /forestprep completed, check for the existence of the following object where <ForestRootDN> is the distinguished name of the forest root domain:
cn=Windows2003Update,cn=ForestUpdates,cn=Configuration,<ForestRootDN>
2.11.3 Discussion
For /domainprep, a container with the distinguished name of cn=DomainUpdates,cn=System,<DomainDN> is created that has child object containers cn=Operations and cn=Windows2003Update. After adprep completes a task, such as extending the schema, it creates an object under the cn=Operations container to signify its completion. Each object has a GUID for its name, which represents some internal operation for adprep. For /domainprep, 52 of these objects are created. After all of the operations have completed successfully, the cn=Windows2003Update object is created to indicate /domainprep has completed. Figure 2-2 shows an example of the container structure created by /domainprep.
Figure 2-2. DomainPrep containers
For /forestprep, a container with the distinguished name of cn=ForestUpdates,cn=Configuration,<ForestRootDN> is created with child object containers cn=Operations and cn=Windows2003Update. The same principles apply as for /domainprep except that there are 36 operation objects stored within the cn=Operations container. After /forestprep completes, the cn=Windows2003Update object will be created that marks the successful completion of /forestprep. Figure 2-3 shows an example of the container structure created by /forestprep.
Figure 2-3. ForestPrep containers
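The marker objects and operation counts described in this Discussion lend themselves to an automated check. The following Python is an added example (not from the book): given a list of object DNs, it reports for each phase whether the cn=Windows2003Update marker exists, how many operation objects sit under cn=Operations, and whether the two agree. The DN list is constructed here; in practice it would come from an LDAP search of the two containers, and the GUID-in-braces naming of the sample operation objects is an assumption.

```python
import uuid

# Added example, not from the book: check adprep completion from object DNs,
# using the marker objects and operation counts given in Recipe 2.11.
EXPECTED_OPERATIONS = {"domainprep": 52, "forestprep": 36}

def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively and may carry spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def adprep_status(object_dns, domain_dn: str, forest_root_dn: str) -> dict:
    """Per phase: marker present, operation objects found, expected count, and
    whether they agree. A marker with too few operation objects means the
    objects have not all replicated yet or the marker was created by hand."""
    dns = {normalize_dn(d) for d in object_dns}
    bases = {"domainprep": f"cn=DomainUpdates,cn=System,{domain_dn}",
             "forestprep": f"cn=ForestUpdates,cn=Configuration,{forest_root_dn}"}
    status = {}
    for phase, base in bases.items():
        ops_n = normalize_dn(f"cn=Operations,{base}")
        marker = normalize_dn(f"cn=Windows2003Update,{base}") in dns
        # Direct children of cn=Operations only: exactly one more RDN than the container.
        ops = sum(1 for d in dns
                  if d.endswith("," + ops_n) and d.count(",") == ops_n.count(",") + 1)
        expected = EXPECTED_OPERATIONS[phase]
        status[phase] = {"completed": marker, "operations": ops, "expected": expected,
                         "consistent": (ops == expected) if marker else (ops <= expected)}
    return status

def sample_dns(domain_dn: str, forest_root_dn: str, forest_ops: int = 20):
    """Constructed directory contents: /domainprep fully done in this domain,
    /forestprep still replicating (forest_ops of 36 operation objects, no marker)."""
    dom = f"cn=DomainUpdates,cn=System,{domain_dn}"
    fst = f"cn=ForestUpdates,cn=Configuration,{forest_root_dn}"
    dns = [f"cn={{{uuid.UUID(int=n)}}},cn=Operations,{dom}" for n in range(52)]
    dns.append(f"cn=Windows2003Update,{dom}")
    dns += [f"CN={{{uuid.UUID(int=n)}}},CN=Operations,{fst}" for n in range(forest_ops)]
    return dns

if __name__ == "__main__":
    report = adprep_status(sample_dns("dc=amer,dc=rallencorp,dc=com", "dc=rallencorp,dc=com"),
                           "dc=amer,dc=rallencorp,dc=com", "dc=rallencorp,dc=com")
    for phase, info in report.items():
        print(phase, info)
```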