What is an IP address?

What is a subnet mask?

What is ARP?
What is ARP Cache Poisoning?
What is the ANDing process?
What is a default gateway? What happens if I don't have one?
Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
What is a subnet?
What is APIPA?
What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them)
What is RFC 1918?
What is CIDR?
You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?
You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can
you create? What subnet mask will you use?
You need to view at network traffic. What will you use? Name a few tools
How do I know the path that a packet takes to the destination?
What does the ping 192.168.0.1 -l 1000 -n 100 command do?
What is DHCP? What are the benefits and drawbacks of using it?
Describe the steps taken by the client and DHCP server in order to obtain an IP address.
What is the DHCPNACK and when do I get one? Name 2 scenarios.
What ports are used by DHCP and the DHCP clients?
Describe the process of installing a DHCP server in an AD infrastructure.
What is DHCPINFORM?
Describe the integration between DHCP and DNS.
What options in DHCP do you regularly use for an MS network?
What are User Classes and Vendor Classes in DHCP?
How do I configure a client machine to use a specific User Class?
What is the BOOTP protocol used for, where might you find it in Windows network infrastructure?
DNS zones describe the differences between the 4 types.
DNS record types describe the most important ones.
Describe the process of working with an external domain name
Describe the importance of DNS to AD.
Describe a few methods of finding an MX record for a remote domain on the Internet.
What does "Disable Recursion" in DNS mean?
What could cause the Forwarders and Root Hints to be grayed out?
What is a "Single Label domain name" and what sort of issues can it cause?
What is the "in-addr.arpa" zone used for?
What are the requirements from DNS to support AD?
How do you manually create SRV records in DNS?
Name 3 benefits of using AD-integrated zones.
What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few
possible causes.
What are the benefits and scenarios of using Stub zones?
What are the benefits and scenarios of using Conditional Forwarding?
What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios
for each use?
How do I work with the Host name cache on a client computer?
How do I clear the DNS cache on the DNS server?

What is the 224.0.1.24 address used for?

What is WINS and when do we use it?
Can you have a Microsoft-based network without any WINS server on it? What are the "considerations" regarding
not using WINS?
Describe the differences between WINS push and pull replications.
What is the difference between tombstoning a WINS record and simply deleting it?
Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
Describe the role of the routing table on a host and on a router.
What are routing protocols? Why do we need them? Name a few.
What are router interfaces? What types can they be?
In Windows 2003 routing, what are the interface filters?
What is NAT?
What is the real difference between NAT and PAT?
How do you configure NAT on Windows 2003?
How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
What is VPN? What types of VPN does Windows 2000 and beyond work with natively?
What is IAS? In what scenarios do we use it?
What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?
What is the "RAS and IAS" group in AD?
What are Conditions and Profile in RRAS Policies?
What types or authentication can a Windows 2003 based RRAS work with?
How does SSL work?
How does IPSec work?
How do I deploy IPSec for a large number of computers?
What types of authentication can IPSec use?
What is PFS (Perfect Forward Secrecy) in IPSec?
How do I monitor IPSec?
Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see?
What can you do with NETSH?
How do I look at the open ports on my machine?

What is Active Directory?

What is LDAP?
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Where is the AD database held? What other folders are related to AD?
What is the SYSVOL folder?
Name the AD NCs and replication issues for each NC
What are application partitions? When do I use them
How do you create a new application partition
How do you view replication properties for AD partitions and DCs?
What is the Global Catalog?
How do you view all the GCs in the forest?
Why not make all DCs in a large forest as GCs?
Trying to look at the Schema, how can I do that?
What are the Support Tools? Why do I need them?
What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
What are sites? What are they used for?
What's the difference between a site link's schedule and interval?
What is the KCC?
What is the ISTG? Who has that role by default?

What are the requirements for installing AD on a new server?

What can you do to promote a server to DC if you're in a remote location with slow WAN link?
How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD
database?
What tool would I use to try to grab security related packets from the wire?
Name some OU design considerations.
What is tombstone lifetime attribute?
What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
How would you find all users that have not logged on since last month?
What are the DS* commands?
What's the difference between LDIFDE and CSVDE? Usage considerations?
What are the FSMO roles? Who has them by default? What happens when each one fails?
What FSMO placement considerations do you know of?
I want to look at the RID allocation table for a DC. What do I do?
What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
How do you configure a "stand-by operation master" for any of the roles?
How do you backup AD?
How do you restore AD?
How do you change the DS Restore admin password?
Why can't you restore a DC that was backed up 4 months ago?
What are GPOs?
What is the order in which GPOs are applied?
Name a few benefits of using GPMC.
What are the GPC and the GPT? Where can I find them?
What are GPO links? What special things can I do to them?
What can I do to prevent inheritance from above?
How can I override blocking of inheritance?
How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else
there gets the GPO. What will you look for?
Name a few differences in Vista GPOs
Name some GPO settings in the computer and user parts.
What are administrative templates?
What's the difference between software publishing and assigning?
Can I deploy non-MSI software with GPO?
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the
computers in one department. How would you do that?
Tell me a bit about the capabilities of Exchange Server.
What are the different Exchange 2003 versions?
What's the main differences between Exchange 5.5 and Exchange 2000/2003?
What are the major network infrastructure for installing Exchange 2003?
What is the latest Exchange 2003 Service Pack? Name a few changes in functionality in that SP.
What are the disk considerations when installing Exchange (RAID types, locations and so on).
You got a new HP DL380 (2U) server, dual Xeon, 4GB of RAM, 7 SAS disks, 64-bit. What do you do next to install
Exchange 2003? (you have AD in place)
Why not install Exchange on the same machine as a DC?
Are there any other installation considerations?
How would you prepare the AD Schema in advance before installing Exchange?

What type or permissions do you need in order to install the first Exchange server in a forest? In a domain?
How would you verify that the schema was in fact updated?
What type of memory optimization changes could you do for Exchange 2003?
How would you check your Exchange configuration settings to see if they're right?
What are the Exchange management tools? How and where can you install them?
What types of permissions are configurable for Exchange?
How can you grant access for an administrator to access all mailboxes on a specific server?
What is the Send As permission?
What other management tools are used to manage and control Exchange 2003? Name the tools you'd use.
What are Exchange Recipient types? Name 5.
You created a mailbox for a user, yet the mailbox does not appear in ESM. Why?
You wanted to change mailbox access permissions for a mailbox, yet you see the SELF permission alone on the
permissions list. Why?
What are Query Based Distribution groups?
What type of groups would you use when configuring distribution groups in a multiple domain forest?
Name a few configuration options for Exchange recipients.
What's the difference between Exchange 2003 Std. and Ent. editions when related to storage options and size?
Name a few configuration options related to mailbox stores.
What are System Public Folders? Where would you find them?
How would you plan and configure Public Folder redundancy?
How can you immediately stop PF replication?
How can you prevent PF referral across slow WAN links?
What types of PF management tools might you use?
What are the differences between administrative permissions and client permissions in PF?
How can you configure PF replication from the command prompt in Exchange 2003?
What are the message hygiene options you can use natively in Exchange 2003?
What are the configuration options in IMF?
What are virtual servers? When would you use more than one?
Name some of the SMTP Virtual Server configuration options.
What is a Mail Relay? Name a few known mail relay software or hardware options.
What is a Smart Host? Where would you configure it?
What are Routing Groups? When would you use them?
What are the types of Connectors you can use in Exchange?
What is the cost option in Exchange connectors?
What is the Link State Table? How would you view it?
How would you configure mail transfer security between 2 routing groups?
What is the Routing Group Master? Who holds that role?
Explain the configuration steps required to allow Exchange 2003 to send and receive email from the Internet
(consider a one-site multiple server scenario).
What is DS2MB?
What is Forms Based Authentication?
How would you configure OWA's settings on an Exchange server?
What is DSACCESS?
What are Recipient Policies?
How would you work with multiple recipient policies?
What is the "issue" with trying to remove email addresses added by recipient policies? How would you fix that?
What is the RUS?
When would you need to manually create additional RUS?
What are Address Lists?

How would you modify the filter properties of one of the default address lists?
How can you create multiple GALs and allow the users to only see the one related to them?
What is a Front End server? In what scenarios would you use one?
What type of authentication is used on the front end servers?
When would you use NLB?
How would you achieve incoming mail redundancy?
What are the 4 types of Exchange backups?
What is the Dial-Tone server scenario?
When would you use offline backup?
How do you re-install Exchange on a server that has crashed but with AD intact?
What is the dumpster?
What are the e00xxxxx.log files?
What is the e00.chk file?
What is circular logging? When would you use it?
What's the difference between online and offline defrag?
How would you know if it is time to perform an offline defrag of your Exchange stores?
How would you plan for, and perform the offline defrag?
What is the eseutil command?
What is the isinteg command?
How would you monitor Exchange's services and performance? Name 2 or 3 options.
Name all the client connection options in Exchange 2003.
What is Direct Push? What are the requirements to run it?
How would you remote wipe a PPC?
What are the issues with connecting Outlook from a remote computer to your mailbox?
How would you solve those issues? Name 2 or 3 methods
What is RPC over HTTP? What are the requirements to run it?
What is Cached Mode in OL2003/2007?
What are the benefits and "issues" when using cached mode? How would you tackle those issues?
What is S/MIME? What are the usage scenarios for S/MIME?
What are the IPSec usage scenarios for Exchange 2003?
How do you enable SSL on OWA?
What are the considerations for obtaining a digital certificate for SSL on Exchange?
Name a few 3rd-party CAs.
What do you need to consider when using a client-type AV software on an Exchange server?
What are the different clustering options in Exchange 2003? Which one would you choose and why.

What are the AD installation requirements and

recommendations?
The process of installing an Active Directory domain is quite simple, but if you don't know your
basics you might stumble across a few pitfalls.
What do we need in order to successfully install Active Directory on a Windows 2000 or
Windows Server 2003 server?
Here is a quick list of what you must have:

An NTFS partition with enough free space

An Administrator's username and password

The correct operating system version

A NIC

Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)

A network connection (to a hub or to another computer via a crossover cable)

An operational DNS server (which can be installed on the DC itself)

A Domain name that you want to use

The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

Brains (recommended, not required...)

An NTFS Partition
To successfully install AD you must have at least one NTFS formatted partition, preferably the
partition Windows is installed on (This is NOT true when you have performance issues on your
mind. You will then install the AD db on another different fast physical disk, but that's another
topic). To convert a partition (C:) to NTFS type the following command in the command
prompt window:
convert c:/fs:ntfs
The NTFS partition is required for the SYSVOL folder.

Free space on your disk

You need at least 250mb of free space on the partition you plan to install AD on. Of course
you'll need more than that if you plan to create more users, groups and various AD objects.

Local Administrator's username and password

Only a local Administrator (or equivalent) can install the first domain and thus create the new
forest.
If you plan to create another Domain Controller for an existing domain - then you must have
Domain Admin right in the domain you're planning to join.
If you want to create a child domain under an existing domain, or another tree in an existing
forest - you must have Enterprise Admin rights.

Windows 2000 Server (or Advanced Server or Data Center

Server), or Windows Server 2003 (or Enterprise Server or
Data Center)
Duh... you cannot install AD on a Professional computer.

IP Configuration
You need a dedicated IP address to install Active Directory. If you do not use a dedicated IP
address, DNS registrations may not work and Active Directory functionality may be lost. If the
computer is a multi-homed computer, the network adapter that is not connected to the
Internet can host the dedicated IP address.
The Active Directory domain controller should point to its own IP address in the DNS server list
to prevent possible DNS connectivity issues.
To configure your IP configuration, use the following steps:
1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.

3. Click Internet Protocol (TCP/IP), and then click Properties.Make sure you have a static
and dedicated IP address. If you don't need Internet connectivity through this specific
NIC you can use a Private IP range such as 192.168.0.0 with a Subnet Mask of
255.255.255.0.
4. Click Advanced, and then click the DNS tab. The DNS information should be configured
as follows:
5. Configure the DNS server addresses to point to the DNS server. This should be the
computer's own IP address if it is the first server or if you are not going to configure a
dedicated DNS server.

6. If the Append these DNS suffixes (in order) option is selected for the resolution of
unqualified names, the Active Directory DNS domain name should be listed first, at the
top of the list.
7. Verify that the information in the DNS Suffix for this connection box is the same as the
Active Directory domain name.
Make sure that the Register this connection's addresses in DNS check box is selected.

Active Network Connection Required During Installation

The installation of Active Directory requires an active network connection. When you attempt
to use Dcpromo.exe to promote a Windows 2000 Server-based computer to a domain
controller, you may receive the following error message:
Active Directory Installation Failed

The operation failed with the following error

The network location cannot be reached. For further information about network
troubleshooting, see Windows Help.
This problem can occur if the network cable is not plugged into a hub or other network device.
Sample of a disconnected or un-plugged network cable)
To resolve this problem, plug the network cable into a hub or other network device. If network
connectivity is not available and this is the first domain controller in a new forest, you can
finish Dcpromo.exe by installing Microsoft Loopback Adapter.
The Microsoft Loopback adapter is a tool for testing in a virtual network environment where
access to a network is not feasible. Also, the Loopback adapter is essential if there are conflicts
with a network adapter or a network adapter driver. Network clients, protocols, and so on, can
be bound to the Loopback adapter, and the network adapter driver or network adapter can be
installed at a later time while retaining the network configuration information. The Loopback
adapter can also be installed during the unattended installation process. To manually install:
1. Click Start, point to Settings, click Control Panel, and then double-click Add/Remove
Hardware.
2. Click Add/Troubleshoot a device, and then click Next.
3. Click Add a new device, and then click Next.
4. Click No, I want to select the hardware from a list, and then click Next.
5. Click Network adapters, and then click Next.
6. In the Manufacturers box, click Microsoft.
7. In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
8. Click Finish.
After the adapter is installed successfully, you can configure its options manually, as with any
other adapter. Note that if the TCP/IP properties are configured to use DHCP (the default), the
adapter will eventually use an autonet APIPA address (169.254.x.x/16) because it is not
actually connected to any physical media.

"Always On" Internet Connection (recommended)

An "always on" connection (for example, a cable modem or digital subscriber line [DSL] line) is
recommended (but not required) to enable clients to obtain Internet access. If you do not use
an "always on" connection, you must configure a demand-dial interface using Network Address
Translation (NAT) for clients to access the Internet.

This is really not a requirement for AD, but if you later want to install and configure Exchange
2000 or other Internet-aware applications or services you'll need an Internet connection.

DNS Configuration
A DNS server that supports Active Directory DNS entries (SRV records) must be present for
Active Directory to function properly. You need to keep in mind the following DNS configuration
issues when you install Active Directory on a home network: Root Zone entries and DNS
Forwarders.

Root zone entries

External DNS queries to the Internet do not work if a root zone entry exists on the DNS server.
To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the
DNS Manager forward lookup zones. To check for the existence of the root zone entry, open
the forward lookup zones in the DNS Management console. You should see the entry for the
domain. If the "dot" zone exists, delete it. For additional information about the root zone entry

DNS forwarders (recommended)

If you plan to have full Internet connectivity then DNS forwarders are necessary to ensure that
all DNS entries are correctly sent to your Internet service provider's DNS server and that
computers on your network will be able to resole Internet addresses correctly. You can only
configure DNS forwarders if no root zone entry is present.
To configure forwarders on the DNS server:
1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.

3. On the Forwarders tab, click to select the Enable Forwarders check box.
4. Type the appropriate IP addresses for the DNS servers that may be accepting
forwarded requests from this DNS server. The list reads top-down in order, so place a
preferred DNS server at the top of the list.
5. It is recommended that you have all the Root Hints (Top Level DNS server) listed in the
Root Hints tab

6. If not, copy the Cache.dns file from the %systemroot%\system32\dns\samples folder

to the %systemroot%\system32\dns\ folder and restart the DNS service.

7. Click OK to accept the changes.

Client Connections
When you have a scenario in which clients on the LAN connect directly to the Internet and not
through a NAT device, the clients should connect to the Active Directory domain controller
using an internal network on a second network adapter. This prevents any issues that may

arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve
this configuration with a second network adapter on the server connected to a hub. You can
use NAT or ICS to isolate the clients on the local network. The clients should point to the
domain's DNS server to ensure proper DNS connectivity. The DNS server's forwarder will then
allow the clients to access DNS addresses on the Internet.

Do not use ICS (recommended)

Use NAT instead. ICS (Internet Connection Sharing) will break down all the DHCP and DNS
functionality on your LAN. Try to avoid ICS at all costs. If you must, make the Domain
Controller itself the ICS server, and let all clients obtain their IP configuration automatically.
This of course is not a good security decision, because you will expose your Domain Controller
to potential Internet threats. Again, and I cannot stress this more, avoid ICS on your corporate
LAN and use NAT instead.

NetBIOS Over TCP/IP

A common security consideration with an active connection to the Internet is the restriction of
NetBIOS connections on the network adapter that is directly connected to the Internet. If
clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on
the external network adapter, and prevent any attempts of unauthorized NetBIOS access by
outside sources.
To disable NetBIOS on the NIC that is connected to the Internet, use the following steps:
1. Right-click My Network Places, and then click Properties.
2. Right-click the icon of the NIC that is connected to the Internet, and then click
Properties.

3. Un-check the File and Print Sharing for Microsoft Networks check box.
4. Click TCP/IP and then Properties.
5. Click Advanced and go to the WINS tab.
6. Select the Disable NetBIOS Over TCP/IP radio box.

7. Click Ok all the way out.

Do not use Single-Label domain names

As a general rule, Microsoft recommends that you register DNS domain names for internal and
external namespaces with Internet authorities. This includes the DNS names of Active Directory
domains, unless such names are sub-domains of names that are registered by your organization
name, for example, "corp.example.com" is a sub-domain of "example.com". When you register
DNS names with Internet authorities, it prevents possible name collisions should registration for
the same DNS domain be requested by another organization, or if your organization merges,
acquires or is acquired by another organization that uses the same DNS names.

How can I migrate users and groups from my NT 4.0

domain to a Windows 2000 Domain?
The Active Directory Migration Tool provides an easy, secure, and fast way to migrate to
Windows 2000 Active Directory service. As a system administrator, you can use this tool to
diagnose any possible problems before starting migration operations to Windows 2000 Server
Active Directory. You can then use the task-based wizard to migrate users, groups, and
computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes.
The tool's reporting feature allows you to assess the impact of the migration, both before and
after move operations.
In many cases, if there is a problem, you can use the rollback features to automatically restore
previous structures. The tool also provides support for parallel domains, so you can maintain
your existing Windows NT 4.0 domains while you deploy Windows 2000.
Note: To successfully run the AD Migration Tool the source domain must be running Windows
NT 4.0 Service Pack 4 or later, and the target domain will be a Windows 2000-based domain in
Native mode.
The Active Directory Migration Tool version 3 (ADMT v3) simplifies the process of restructuring
your operating environment to meet the needs of your organization. You can use ADMT v3 to
migrate users, groups, and computers from Microsoft Windows NT 4.0 domains to Active
Directory directory service domains; between Active Directory domains in different forests
(interforest migration); and between Active Directory domains in the same forest (intraforest
migration). ADMT v3 also performs security translation from Windows NT 4.0 domains to
Active Directory domains and between Active Directory domains in different forests.

How to use Active Directory Migration Tool v2.0 to

migrate from Windows 2000 to Windows Server 2003?
This article describes how to set up the Active Directory Migration Tool (ADMT) to migrate from
a Windows 2000-based domain to a Windows Server 2003-based domain.
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that you can solve
problems that result from using Registry Editor incorrectly. Use Registry Editor at your own
risk.

You can use ADMT to migrate users, groups, and computers from one domain to another, and
analyze the migration affect before and after the actual migration process.
Note: This article assumes that the source domain is a Windows 2000-based domain, and that
the target domain is a Windows Server 2003-based domain in Windows 2000 Native mode or
later.

How to Set Up ADMT for a Windows 2000 to Windows Server

2003 Migration
You can install the Active Directory Migration Tool version 2 (ADMTv2) on any computer that is
running Windows 2000 or later, including:

Microsoft Windows 2000 Professional

Microsoft Windows 2000 Server

Microsoft Windows XP Professional

Microsoft Windows Server 2003

The computer on which you install ADMTv2 must be a member of either the source or the
target domain.

Intraforest Migration
Intraforest migration does not require any special domain configuration. The account you use
to run ADMT must have enough permissions to perform the actions that are requested by
ADMT. For example, the account must have the right to delete accounts in the source domain,
and to create accounts in the target domain.
Intraforest migration is a move operation instead of a copy operation. These migrations are
said to be destructive because after the move, the migrated objects no longer exist in the
source domain. Because the object is moved instead of copied, some actions that are optional
in interforest migrations occur automatically. Specifically, the sIDHistory and password are
automatically migrated during all intraforest migrations.

Interforest Migration
ADMT requires the following permissions to run properly:

Administrator rights in the source domain.

Administrator rights on each computer that you migrate.

Administrator rights on each computer on which you translate security.

Before you migrate a Windows 2000-based domain to a Windows Server 2003-based domain,
you must make some domain and security configurations. Computer migration and security
translation do not require any special domain configuration. However, each computer you want
to migrate must have the administrative shares, C$ and ADMIN$.
The account you use to run ADMT must have enough permissions to complete the required
tasks. The account must have permission to create computer accounts in the target domain
and organizational unit, and must be a member of the local Administrators group on each
computer to be migrated.

User and Group Migration

You must configure the source domain to trust the target domain. Optionally, the target may
be configured to trust the source domain. While this may ease configuration, it is not required
to finish the ADMT migration.

Requirements for Optional Migration Tasks

You can complete the following tasks automatically by running the User Migration Wizard in
Test mode and selecting the migrate sIDHistory option. The user account you use to run ADMT
must be an Administrator in both the source and the target domains for the automatic
configuration to succeed.

1. Create a new local group in the source domain that is named %sourcedomain%$$$.
There must be no members in this group.
2. Turn on auditing for the success and failure of Audit account management on both
domains in the Default Domain Controllers policy.

3. Configure the source domain to allow RPC access to the SAM by configuring the
following registry entry on the PDC Emulator in the source domain with a DWORD value
of 1:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\TcpipClientSupport
You must restart the PDC Emulator after you make this change.
Note: For Windows 2000 domains, the account you use to run ADMTv2 must have domain
administrator permissions in both the source and target domains. For Windows Server 2003
target domains, the 'Migrate sIDHistory' may be delegated. For more information, see
Windows Server 2003 Help & Support.
You can turn on interforest password migration by installing a DLL that runs in the context of
LSA. By running in this protected context, passwords are shielded from being viewed in
cleartext, even by the operating system. The installation of the DLL is protected by a secret
key that is created by ADMTv2, and must be installed by an administrator.
To install the password migration DLL:
1. Log on as an administrator or equivalent to the computer on which ADMTv2 is installed.

2. At a command prompt, run the ADMT KEY sourcedomainpath [* | password] command

to create the password export key file (.pes). In this example, sourcedomain is the
NetBIOS name of the source domain and path is the file path where the key will be
created. The path must be local, but can point to removable media such as a floppy
disk drive, ZIP drive, or writable CD media. If you type the optional password at the
end of the command, ADMT protects the .pes file with the password. If you type the
asterisk (*), ADMT prompts for a password, and the system will not echo it as it is
typed.
3. Move the .pes file you created in step 2 to the designated Password Export Server in
the source domain. This can be any domain controller, but make sure it has a fast,
reliable link to the computer that is running ADMT.
4. Install the Password Migration DLL on the Password Export Server by running the
Pwmig.exe tool. Pwmig.exe is located in the I386\ADMT folder on the Windows Server
2003 installation media, or the folder to which you downloaded ADMTv2 from the
Internet.
5. When you are prompted to do so, specify the path to the .pes file that you created in
step 2. This must be a local file path.
6. After the installation completes, you must restart the server.
7. If you are ready to migrate passwords, modify the following registry key to have a
DWORD value of 1. For maximum security, do not complete this step until you are
ready to migrate.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\LSA\AllowPasswordExport
The Active Directory Migration Tool v2 is included in the I386\Admt folder on the Windows
Server 2003 CD.

How do I defragment the Active Directory to make it

smaller in size?
The size of NTDS.DIT will often be different sizes across the domain controllers in a domain.
Remember that Active Directory is a multi-master independent model where updates are
occurring in each of the domain controllers with the changes being replicated over time to the
other domain controllers.

The changed data is replicated between domain controllers, not the database, so there is no
guarantee that the files are going to be the same size across all domain controllers.
Windows 2000 and Windows Server 2003 servers running Directory Services (DS) perform a
directory online defragmentation every 12 hours by default as part of the garbage-collection
process. This defragmentation only moves data around the database file (NTDS.DIT) and
doesnt reduce the files size - the database file cannot be compacted while Active Directory is
mounted.

Active Directory routinely performs online database defragmentation, but this is limited to the
disposal of tombstoned objects. The database file cannot be compacted while Active Directory
is mounted (or online).
An NTDS.DIT file that has been defragmented offline (compacted), can be much smaller than
the NTDS.DIT file on its peers.
However, defragmenting the NTDS.DIT file isnt something you should really need to do.
Normally, the database self-tunes and automatically tombstoning the records then sweeping
them away when the tombstone lifetime has passed to make that space available for additional
records.
Defragging the NTDS.DIT file probably wont help your AD queries go any faster in the long
run.
So why defrag it in the first place?
One reason you might want to defrag your NTDS.DIT file is to save space, for example if you
deleted a large number of records at one time.
To create a new, smaller NTDS.DIT file and to enable offline defragmentation, perform the
following steps:
1. Back up Active Directory (AD).
2. Reboot the server, select the OS option, and press F8 for advanced options.

3. Select the Directory Services Restore Mode option, and press Enter. Press
4. Enter again to start the OS.
5. W2K will start in safe mode, with no DS running.
6. Use the local SAMs administrator account and password to log on.
7. Youll see a dialog box that says youre in safe mode. Click OK.
8. From the Start menu, select Run and type cmd.exe

9. In the command window, youll see the following text. (Enter the commands in bold.)
C:\> ntdsutil
ntdsutil: files
file maintenance:info
....
file maintenance:compact to c:\temp
10. Youll see the defragmentation process. If the process was successful, enter quit to
return to the command prompt.
11. Then, replace the old NTDS.DIT file with the new, compressed version. (Enter the
commands in bold.)

C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

12. Restart the computer, and boot as normal.

How does Ntdsutil.exe know it's in Directory Restore

mode?
NTDSUTIL is a tool used for many Active Directory database maintenance tasks, such as defragmenting the DB,
moving the DB and/or log files to a different place, cleaning the DB and more.
NTDSUTIL will allow you to perform many of it's functions while the DC is up and running. However some of the
maintenance tasks (such as performing an offline defragmentation of the DB and moving the files to a different
location, along with the Authoritive restore commands) require that you start the DC in Directory Restore mode, found
when you access the boot menu by pressing F8 before the server starts it's startup sequence.
When you start the domain controller in Directory Restore mode, the DC sets the environment
variable safeboot_option to "dsrepair."
If, for some reason, you want to access the "protected" features of NTDSUTIL while it is NOT in the Directory Restore
mode, you will receive an error similar to this:
C:\WINDOWS>ntdsutil
ntdsutil: files
*** Error: Operation only allow ed w hen booted in DS
"set SAFEBOOT_OPTION=DSREPAIR" to overrid
ntdsutil:

If you want to check something in NTDSUTIL that is allowed only in Directory Restore mode,
you can "trick" the program by typing the following statement at a command prompt:
set SAFEBOOT_OPTION=DSREPAIR

Lamer Note: Type the above command into a different CMD window, NOT the one that NTDSUTIL is running in.
Don't use this approach on a live or important machine because it could result in system
damage if you try to perform system modifications when the system isn't in Directory Restore
mode.

How do I modify the number of Active Directory

objects to search?

By default, the Windows 2000 Active Directory searches 10,000 objects at a time. This policy
affects all browse displays associated with AD, the Microsoft Management Console (MMC) Active
Directory Users and Computers snap-in, and the dialog boxes you use to set permissions for user or
group objects in AD. As your organization grows, you might need to change the number of objects
to search.
To set the number for a group policy object:
1. Start the MMC Active Directory Users and Computers snap-in.
2. Right-click the container, and select Properties.
3. Select the Group Policy tab.
4. Select the Group Policy Object, and select Edit.
5. Select the User Configuration branch, and expand Administrative Templates > Desktop
> Active Directory.
6. Double-click Maximum size of Active Directory searches.
7. Select Enabled, and set the number (e.g., 20000).
8. Click Apply.
9. Click OK.
10. Close the Group Policy Editor.
To edit the registry to set the number for a user:
1. Start regedit.
2. Go to the
HKEY_CURRENT_USER\Softw are\Policies\Microsoft

registry entry.
3. From the Edit menu, select New > Key.
4. Enter
Window s

5. Select the new Windows key, and from the Edit menu, select New, Key.
6. Enter
Directory UI

7. Go to the Directory UI key, and from the Edit menu, select New, DWORD Value.
8. Enter
QueryLimit

and press Enter.

9. Double-click the new value, and set the decimal value (i.e. 20000).
10. Click OK.
11. Close the registry editor.
For both methods, the change will take effect when the user logs on the next time.

For a planned Active Directory, how can I predict how

much memory will my new Domain Controllers require,
and how many of them I need?
The Active Directory service Sizer tool lets you estimate the hardware required for deploying
Active Directory in an organization based on the organization's profile, domain information and
site topology.
Based on user inputs and internal formulas, this tool estimates the number of:

Domain controllers per domain per site.

Global Catalog servers per domain per site.

CPUs per machine and type of CPU.

Disks needed for Active Directory data storage.

In addition, the Sizer tool provides approximate estimates for the following:

Amount of memory required.

Network bandwidth utilization.

Domain database size.

Global Catalog database size.

Inter-site replication bandwidth required.

The list of information to be gathered per domain to accurately size the domain controllers
includes:

Total number of users in the domain. Total number of concurrent users.

Total number of attributes per user. Active Directory automatically assigns each user a
number of attributes. Additional attributes based on the business uses of the Active
Directory service should be included in the estimate.

Average number of groups a user belongs to. The number of groups a user belongs to
can affect the time to process a logon request. The logon request evaluates user access
by looking at the access granted to each group the user belongs to.

Average logon rate per second during peak hours (interactive, batch and network).
Interactive logon type is intended for users who will be interactively using the machine,
such as a user being logged on using Terminal Services, a remote shell, or similar
process. Batch logon type is intended for batch servers, where processes may be
executing on behalf of a user without their direct intervention; or for higher
performance servers that process many clear-text authentication attempts at a time,
such as mail or Web servers. Network logon type is intended for high performance
servers to authenticate clear text passwords. This type is used to access other network
resources, such as remote servers or printers.

Password expiration rate (in days).

Number of Windows 2000-based computers in the domain.

Number of other computers in this domain.

Number of other objects published in this domain. Other objects are any objects other
than users and computers that will be included in Active Directory. For example, user
groups, organizational units, contacts, printers or shares would be consider "other
objects".

Desired average CPU utilization limit for each Domain Controller.

Preferred CPU type for domain controllers,

Number of processors required of the CPU type specified above.

Administration. This section allows an administrator to specify the administratorgenerated workload for object addition, deletion, or modification to Active Directory.

The planned average number of objects added, deleted, or modified on a daily, weekly,
or yearly interval should be entered.

Microsoft Exchange 2000. Microsoft Exchange 2000 Server uses Active Directory for
directory services, transport and name resolution. If planning to install Exchange 2000,
enter the average number of messages per user/per day and the average number of
recipients for each message.

DNS related issues. This section allows an administrator to specify whether Active
Directory-integrated DNS zones will be used, the number of dial-in connections (per
day) that will be made by computers joined to the domain, the duration of DHCP
leases, and the behavior of the DNS Server aging and scavenging feature.

Other Active Directory-enabled application issues. This section covers other Active
Directory-enabled applications that are not specifically known by the tool. Changes
introduced by Active Directory Connector (ADC) or other directory synchronization
programs (such as Microsoft Directory Synchronization Services) should be estimated in
operations per second for searching, adding, deleting, and modifying objects.

Note: These estimates were planned on old Dell POWEREDGE 6300 servers. With today's
hardware available you'd expect Microsoft to produce more up-to-date templates for this
useful tool - but they haven't.

What DNS entries (SRV Records) does Windows

2000/2003 add when you create a domain?
In order for Active Directory to function properly, DNS servers must provide support for
Service Location (SRV) resource records described in RFC 2052, A DNS RR for specifying the
location of services (DNS SRV). SRV resource records map the name of a service to the name
of a server offering that service. Active Directory clients and domain controllers use SRV
records to determine the IP addresses of domain controllers. Although not a technical
requirement of Active Directory, it is highly recommended that DNS servers provide support
for DNS dynamic updates described in RFC 2136, Observations on the use of Components of
the Class A Address Space within the Internet.
The Windows 2000 DNS service provides support for both SRV records and dynamic updates.
If a non-Windows 2000 DNS server is being used, verify that it at least supports the SRV
resource record. If not, it must be upgraded to a version that does support the use of the SRV
resource record. For example, Windows NT Server 4.0 DNS servers must be upgraded to
Service Pack 4 or later to support SRV resource records. A DNS server that supports SRV
records but does not support dynamic update must be updated with the contents of the
Netlogon.dns file created by the Active Directory Installation wizard while promoting a
Windows 2000 Server to a domain controller. The Netlogon.dns file is described in the following
section.
So now you understand that Windows 2000 domains rely heavily on DNS entries. If you enable
dynamic update on the relevant DNS zones, W2K creates these entries automatically:

_ldap._tcp.<DNSDomainName>

Enables a client to locate a W2K domain controller in the domain named by

<DNSDomainName>. A client searching for a domain controller in the domain dpetri.net would
query the DNS server for _ldap._tcp.dpetri.net.

_ldap._tcp.<SiteName>._sites.<DNSDomainName>

Enables a client to find a W2K domain controller in the domain and site specified (e.g.,
_ldap._tcp.lab._sites.dpetri.net for a domain controller in the Lab site of dpetri.net).

_ldap._tcp.pdc._ms-dcs.<DNSDomainName>

Enables a client to find the PDC flexible single master object (FSMO) role holder of a mixedmode domain. Only the PDC of the domain registers this record.

_ldap._tcp.gc._msdcs.<DNSTreeName>

Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC
servers for the tree will register this name. If a server ceases to be a GC server, the server will
deregister the record.

_ldap._tcp. ._sites.gc._msdcs.<DNSTreeName>

Enables a client to find a GC server in the specified site (e.g.,

_ldap._tcp.lab._sites.gc._msdcs.dpetri.net).

_ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>

Enables a client to find a domain controller in a domain based on the domain controllers
globally unique ID. A GUID is a 128-bit (8 byte) number that generates automatically for
referencing Active Directory objects.

<DNSDomainName>

Enables a client to find a domain controller through a normal Host record.

After running DCPROMO, A text file containing the appropriate DNS resource records for the
domain controller is created. The file called Netlogon.dns is created in the %systemroot
%\System32\config folder and contains all the records needed to register the resource records
of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon service and to
support Active Directory for non-Windows 2000 DNS servers.
If you are using a DNS server that supports the SRV resource record but does not support
dynamic updates (such as a UNIX-based DNS server or a Windows NT Server 4.0 DNS server),
you can import the records in Netlogon.dns into the appropriate primary zone file to manually
configure the primary zone on that server to support Active Directory.

Active Directory Training Labs

A review of Train Signals Windows 2000/2003 Active Directory Video Lab Training Product Details. See more details at
Train Signal's website.
Comprehensive Instructional Video. Perfect for the novice who needs a crash course in installing and setting up Active
Directory in Windows 2000 Server/Advanced Server and/or Windows 2003 Server or for the more experienced
administrator who wants to expand their knowledge. Both operating systems are covered on each CD.

The CD comes with AVI movies that can be played through the Camtasia player supplied on the CD
or Windows Media player but first the Camtasia codec must be installed. I prefer Windows Media
player due to the video time played display. Makes it easier to restart at a point after stopping or
bookmarking an area of interest.
This instructional CD comes with several videos. The first to look at is Concepts. This covers the terms used in
Windows 2003 Server, what they mean and how they apply to the O/S. Each concept is explained fully with some cross
covering of the explained terms during the introduction to the new one. I found this very useful as the repetition of the
explanations assisted with the absorption of the new information or old (forgotten) material revisited. These concept
explanations provide a good grounding for what is to come.
The next video in the list covers the new features in Active Directory in Windows 2003. Once again these features are
explained in an easy to understand fashion with examples given. Important features are noted and talked about in
greater detail or even cross covered with an interlocking feature. I especially liked the Drag & Drop feature in AD
along with the ability to now disable the built-in Administrator account.
Although listed as Lab 1 on the CD, I am going to refer to it as Video 1 to avoid confusion with the various individual
Train Signal Labs.
Video 1 starts with a run through of the steps that will take place during the installation of AD and DNS. It is gone into
in sufficient depth but it is done in such a way that they make it easy for the complete novice to understand. What
surprised me was that during installation of AD, a DNS error occurred. Instead of stopping the video, fixing the error
and re-recording that segment, Scott (the instructor) found out what caused the problem and then proceeded to show
what was wrong and how to fix it, leaving that valuable information in the video. This added to the video by inserting a
diagnostic segment into the video. Absolutely brilliant and a case of Train Signal providing more bang for your buck.
Nothing seems too small to be included. Even the simple operation of converting a FAT32 partition to the necessary
NTFS one that is required for the AD database is included.
Video 2 is an interesting, informative and in depth look into AD Organizational Units (OU) and Group Policy Objects
(GPO). (Windows 2000 had around 500 policies, 2003 has around 1000.) Correct design of OUs makes applying GPOs
extremely efficient. This video gives, once again, easy to understand and follow instructions and examples. This
particular video made me realize just how damn good this Train Signal training course is. I have installed Windows
2003 Server several dozen times, read bible sized books about it but never caught on to the multitude of Right Click
options that are available in AD. The information in this video is very detailed and this video alone is worth purchasing
the product.
Video 3 looked more deeply into Active Directory features that allow you to manage policy, software, desktop
restrictions, security settings and more from one centralized interface. Sounds a lot, well it is a lot! I made over a page
of notes on this video alone when preparing this review. Not only is the video chock full of goodies but it also goes over
related information from videos 1 and 2. For me this helped drive home the message on some of the fundamentals that
just have to be known. Details are not just glassed over with the hope they will be remembered. The repartition may get
annoying when you replay the videos several times, but hey, you dont forget it. GPO Editor is given a good workout
and you come away with a good understanding of it and how to apply a GPO. I loved the part of making sure a GPO is

not applied to the Admins. After some practice in my lab I cant wait to apply the new knowledge and apply it on a live
network. The Losers arent going to know what hit them.
Video 4 is about AD from the AD users perspective and publishing resources so they can be searched for in AD. Again
nothing is too small to be included. You are shown how to create a SHARE, publish it in AD so you can search for that
share in AD. The difference between object permission and the actual share permission is explained and how to apply
keywords to a share to make searching for it easier. It means users dont have to remember the share name anymore,
just the keyword or keywords. Sweet!!! The Saved Query tutorial included in the video showed that this is also a pretty
useful tool to have.
These instructional videos are professionally made. I was impressed that each video was made in one hit until I noticed
the time on the Taskbar in the various videos. Some of the segments were hours apart but have been made to appear
seamless. You just dont notice that the instructor has finished, gone home, slept and come back and finished it the next
day. I also found myself asking a question at one stage because it felt like I was sitting in the same room as Scott. It is
just like having a personal tutor. I was also pleased to discover that Scott and I have the same make of malfunctioning
keyboard. Mine also has trouble spelling many of the same words.
I found this CD to be extremely useful. I wish I had found Train Signal before I forked out $850 on 2003 books. It also
convinced me I need more Train Signal Labs. I would also like to point out that I am in no way affiliated with Train
Signal nor was I paid to write this review. This is just an excellent product that demystifies a complex operating system.

How can I add additional attributes to the users

objects in Active Directory?
Windows 2000 and Windows Server 2003 Active Directory allows you to edit the Schema and
add additional attributes to it. These attributes can be easily connected to existing Object
Classes such as users, groups, computers and so on.

Adding items to the Schema, also called "extending the Schema", or even modifying existing objects can be a tricky
business, and if done without proper knowledge, can be very destructive to your existing Active Directory
infrastructure. This is because the Schema is a forest-wide setting, and any additions or changes to the Schema will be
immediately replicated to each and every Domain Controller in each and every domain in your AD Forest. You cannot
make any changes to the Schema and yet keep it within your domain's boundaries. Furthermore, changing existing
attributes (such as configuring an attribute to replicate itself to the Global Catalog) will cause a forest-wide replication
of all the attributes and objects, even if your change was just made on one attribute. Note that this behavior was
changed in Windows Server 2003, but even so, you might unintentionally cause a major network load and a lot of
overhead by simply clicking one one small checkbox on one small attribute.
Many articles talk about adding items and extending the Schema. However on this article I wish to show you a simple
method of adding attributes to the Schema, and by using these examples you can modify them and use them for your
own purposes.

Requirements
Warning! First, let me stress the fact that the Schema is not a child's play. If you don't know what you're doing - stop
now. Go read a good book about AD, consult a knowledgeable friend, go play with traffic. Don't blame me if you mess
up your corporate network because you've made careless changes to the schema. Read my lips: I will not be held
responsible for any of your actions, and for any of the results that follow these actions.

Now, read ahead.

In order to extend the Schema you'll need to be a member of the Enterprise Admins and Schema Admins groups. These
groups are part of the AD Forest Root Domain, and if you're not already a member of these groups, then it probably
means that you have no business in messing with the Schema in the first place.
Next, in most cases, you'd be better off by doing this on the Domain Controller that is holding the Schema Master
FSMO role (read more about Understanding FSMO Roles in Active Directory).
Register the Active Directory Schema snap-in in order to later use it from an MMC window
1.

Open the Run command and type:

regsvr32 schmmgmt.dll

You should get a confirmation message.

2.
3.

Next, open Run and type mmc.exe. Press Enter.

In the new MMC window, click File > Add/Remove Snap-in.

4.

Click Add, then, in the Add Standalone Snap-in window, select the Active Directory Schema snap-in from the
list. Next click Add again.

5.

Click Ok.

Windows 2000 only - Enable write operations to the Schema

If you're running Windows 2000-based AD, you'll probably need to allow the Schema to be written. To do so follow
these guidelines (only required for W2K-based DC):
1.

2.

In the MC window from the previous procedure, under the Console Root, double-click on the Active Directory
Schema snap-in and let it load (you'll know when it has loaded when you will see 2 nodes under the root Classes and Attributes)
Right-click Active Directory Schema (your domain controller name) and

Adding 3 new attributes to the Schema

One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.
In order to use this snap-in you must first register it with the following command:

regsvr32 schmmgmt.dll

Connecting the new attributes to the User Object Class

One method of creating new attributes in the Schema is by using the Active Directory Schema snap-in from an MMC.
In order to use this snap-in you must first register it with the following command:
regsvr32 schmmgmt.dll

How can I add an "unlock user account" option to the

Active Directory Users and Computers context menu?
One of the daily tasks of a network administrator is to monitor user accounts, logo activities,
password changes and account options, such as disabling and enabling user accounts.
When an administrator wants to disable a user account he or she has quite a few options. One method is do disable or
enable the account via a specific script, a DSMOD USER command (in Windows Server 2003) or through the built-in
Active Directory Users and Computers snap-in (also known as DSA.MSC). One more task regularly
performed by administrators might be to unlock user accounts after they have forgotten their
passwords and were locked out by the system. Enabling user accounts is different from
unlocking these accounts, because the action needed to disable the account is performed by
the administrator, whereas the action needed to lockout the account is done by the users
themselves, and unless caused by a security penetration or hack attempt, usually indicates
that the user has attempted to logon to the system with a bad password, more times than
specified in the Account Lockout Threshold parameter in the GPO of the system.
To disable a user account you can just right-click on the required account and simply select Disable Account.

If the account was already disabled, then an option to enable it appears when you right-click that user account in
DSA.MSC.
However, if that administrator wanted to just unlock the user account, not enable it, then he or she would need to select
the user account in DSA.MSC, right-click it and choose Properties, then go to the Account tab, and un-check the
Account is Locked Out option. This process is considerably longer than the one required when enabling a disabled
account.To make the life of the administrator easier (thus leaving him or her more time to play online games) we can
add a small addition to the Active Directory onfiguration partition, and then have the ability to unlock a user account by
simply right-clicking on that account (as you would do

How can I add additional user account information

option to the Active Directory Users and Computers
context menu?
As seen in the Add Unlock User Option to Active Directory Users and Computers article, many
of the daily tasks of a network administrator is to monitor user accounts, logo activities,
password changes and account options, such as disabling and enabling user accounts, and also
looking for logon information for the user account.

One method of viewing additional information about user accounts is by using the Acctinfo.dll addin for Active Directory Users and Computers
Another method is by adding some right-click (context menu) options to the user account objects. By right-clicking a
user object you will be able to view some more information about any user account you want, information that includes
the last logon time, the user's logon script, the last time the user has changed his or her password and so on.

How can I add a new Administrative Template to an existing (or new)

GPO?
In a previous article - Understanding Administrative Templates in GPO - I've described the purpose of the
Administrative Templates section in the Windows 2000/XP/2003 GPO. Administrative Templates are a large repository
of registry-based changes that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003.
The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to create the
Administrative Templates portion of the user interface for the GPO Editor.
Although Administrative Templates have virtually hundreds of options within them, there may be times when an
administrator will need to add more options to a new or existing GPO.

One method for an administrator to add such extensions to the GPO is by adding new settings to the Administrative
Templates sections. This can be done by adding .ADM files to the existing Administrative Templates section in GPO.

Adding .ADM files to the Administrative Templates in a GPO

In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the next
steps:

1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Stat
menu, or by typing gpmc.msc in the Run command.
Note: GPMC is not a built-in part of Windows 2000/XP/2003, and needs to be separately installed. You can download
GPMC from the following link (Download GPMC), yet remember it can only be used effectively on Windows Server
2003-based Active Directory.
If you do not have GPMC or cannot install it then you'll need to edit the GPO via the regular means, i.e. from Active
Directory Users and Computers management tool (dsa.msc).

2. Right-click an existing GPO (or create an new GPO, then right-click on it) and select Edit.

3. Expand either the Computer settings or Users settings sections of the GPO. Go to the appropriate
Administrative Templates section and right-click it. Select Add/Remove Templates.

4. In the Add/Remove Templates window click Add.

5.

Browse to the location of the required .ADM file and click Open.

6. In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close.

Now re-open the Administrative Templates section and browse to the new settings location.

Disabling GPO settings filtering

Many custom Administrative Templates require you to remove the requirement to show policy settings that can be fully
managed in the GPO editor. To do so follow the next steps:
1.

After completing the above procedure, browse to the newly added Administrative Template section.

Note that the section is indeed listed, however in the right-pane is empty.

2. Right-click an empty spot in the right pane and select View > Filtering.

3. In the Filtering window click to un-mark the "Only show policy settings that can be fully managed" option.
Then click Ok.

4.

Notice how the available options are now displayed in the right pane.

You can now configure these options as you please.

Replicating the added .ADM files across the domain

When adding new .ADM files to any GPO you actually place new features in the Administrative Templates section for
that GPO. These settings should be accessible from any DC, and should apply to any computer that is affected by that
GPO.
However, if the .ADM files were added, for example, when sitting on DC1, how do you make sure they are also
replicated to DC2, DC3 and so on?

Well, luckily for us, in most cases there are no additional configuration steps involved. When adding the new .ADM file
it is automatically uploaded to the following location on the DC that was used to edit the GPO (usually - the PDC
Emulator, read more in the Understanding FSMO Roles in Active Directory article):
%SystemRoot%\SYSVOL\sysvol\domain name\Policies\{GPO GUID}\Adm
as seen clearly in the following screenshot:

Because all of the SYSVOL folder is shared and automatically replicated all over the domain, the uploaded .ADM file
will automatically replicated to all the GPO instances on all DCs in the domain.
However this might cause a problem when using too many templates and too many GPOs, especially on slow WAN
links.
In Windows Server 2003, the size of the Administrative Templates has grown when compared to the same .ADM files
in Windows 2000. As a result, the entire set of Administrative Templates has grown to almost 1.75MB. When you
multiply this size by each Policy that SYSVOL contains, you can see that much space is devoted to these templates.
For example, for a large corporation with 1200 GPOs in place, the entire SYSVOL folder (where the GPOs are located
on each DC) can take up more than 1GB of hard disk space. Replicating such a folder over the WAN (especially when
promoting a new DC) can be very problematic. Here is where the following article - Install DC from Media in
Windows Server 2003 - comes in very handy.

Removing .ADM files from an existing GPO

Whenever you do not need the added feature anymore you can simply reverse the process and instead of adding new
.ADM files - removing them.
Before removing an Administrative Template, make sure you modify its policy settings and wait for Group Policy to
refresh on all the computers that were supposed to be effected by the GPO. This is because removing an Administrative
Template that was previously installed does not change or remove any Registry settings that the GPO deployed when
Group Policy was last processed.

How can I administer Windows 2000/2003-based

computers using Windows XP Professional-based
clients?
This article describes how to use the Windows Server 2003 Administration Tools package on
Windows XP Professional or how to use the Windows Server 2003 family to remotely
administer Microsoft Windows 2000 Server family-based and Windows Server 2003 familybased computers. The following topics are discussed in this article:

How to remotely administer computers that are running Windows 2000 Server family
products or Windows Server 2003 family products from Windows Server 2003 and

Windows XP-based clients that are using the Release to Manufacturing (RTM) version of
the Adminpak.msi file from the Windows Server 2003 media.
How to download the RTM version of the Windows Server 2003 Administration Tools
Pack from the Microsoft Web site.

Known issues that may occur when you use Administration tools from the Windows
Server 2003 Adminpak.msi file to manage Windows 2000-based and Windows Server
2003-based computers.

Compatibility issues that occur when Windows 2000 Professional-based computers that
have Windows 2000 Administration tools installed are upgraded to Windows XP.

Compatibility issues that occur when Windows 2000 domain controllers are upgraded to
Windows Server 2003 domain controllers

Other procedures to remotely administer Windows-based servers.

Note: You might also want to read Download Windows 2003 Adminpak, Administer Exchange
2003 from Windows XP SP1, Administer Exchange 2000 from Windows XP SP1 and Extract
Specific Tools from Adminpak.msi.

Windows Server 2003 Administration Tools Pack (Adminpak.msi)

To make the remote management of your servers easier, Microsoft has included the Windows
Server 2003 Administration Tools Pack on the Microsoft Windows Server 2003 family product
CDs. Using this CD, you can install the Windows Server 2003 Administration Tools Pack onto
computers that are running the following operating systems:

The Windows Server 2003 family

Windows XP Professional with Service Pack 1 (SP1) or later

Windows XP Professional with QFE patch Q329357

With the RTM version of the Windows Server 2003 Administration Tools Pack, you can manage
the following operating systems:

The Windows Server 2003 family

The Windows 2000 Server family

The Adminpak.msi (Adminpak) file is a self-extracting file that contains commonly used
administrative tools. The Adminpak.msi file is located in the \I386 folder on the Windows
Server 2003 CD-ROM or as a separate Web download package.
If you want to remotely administer Windows 2000 Server or Windows Server 2003 family
member-based computers and domain controllers from Windows XP Professional or Windows
Server 2003 family-based clients, note the following issues:

You must completely remove previous beta versions of the Windows Server 2003
Administration Tools package before you install the final release version.
Note In some limited cases, servers must be administered from clients that are running
the same operating system version. For example, some remote administration
operations against Windows 2000-based servers can be accomplished only from
Windows 2000-based clients. Similarly, some operations against Windows Server 2003based computers can be accomplished only from Windows XP-based or Windows Server
2003 clients. This article documents these limitations or restrictions for each tool that is
included in the Administration Tools package.

The administration tools from the Windows 2000 Adminpak.msi file that are installed on
Windows 2000-based computers that are later upgraded to Windows XP Professional do
not start or operate correctly. The Winnt32.exe upgrade process warns you to remove
the Windows 2000 version of Adminpak.msi. Either remove the Windows 2000
Adminpak.msi file before the upgrade or reinstall the Windows Server 2003
Administration Tools Pack after the upgrade. You can use the Winnt32.exe
/checkupgradeonly flag to determine if the Windows 2000 Adminpak is installed before
you upgrade any computer.

You cannot install the Windows 2000 Adminpak.msi file on Windows XP-based clients or
on Windows Server 2003 family-based computers. These tools no longer work on these
platforms and are not supported. Please use the Windows Server 2003 version of the
Administration Tools pack.

The Windows Server 2003 RTM version of Adminpak.msi can only be installed on
computers that are running the Windows Server 2003 family, Windows XP Professional
with SP1 or later, and Windows XP Professional build 2600 with QFE Q329357.

If you are using Windows XP Professional with QFE Q329357 and the Windows
Server2003 Administration Tools pack, you cannot administer Cluster servers. However,
if you are using Windows XP Professional with SP1 and the Windows Server 2003
Administration Tools Pack, you can manage Cluster servers.
Windows XP Professional does not include the Windows Server 2003 Adminpak.msi file
because these tools are part of the Windows Server 2003 product and are shipped
when that product is released

The majority of the Windows Server 2003 Administration tools work the same as the
Windows 2000 counterparts. In some cases, the Windows Server 2003 Administration
tools offer enhanced functionality over their Windows 2000 counterparts. In rare cases,
Windows Server 2003 tools are incompatible and unsupported for managing Windows
2000 Server-based computers. Similarly, in rare cases, Windows 2000 tools are
incompatible with Windows Server 2003-based family computers.

Enhanced functionality in Windows Server 2003 Administration tools may not be turned
on or supported when you administer Windows 2000-based computers. For example,
the new drag-and-drop feature of the Windows Server 2003 Users and Computers
snap-in is fully functional against Windows 2000-based domain controllers.

Administration tools features that depend on functionality in Windows Server 2003,

such as the "Saved query for last logon time" functionality, are not supported against
Windows 2000 Server-based computers because earlier version servers do not have the

required attributes. In most cases, these advanced features are not visible or are not
turned on when Administration tools are used against Windows 2000-based computers.
Windows 2000 and the Windows Server 2003 Administration Tools Package
The Windows Server 2003 Administration Tools package cannot be installed or run on Windows
2000-based computers. If you try to install the Windows Server 2003 Administration Tools
package on a Windows 2000-based computer, you receive the following error message:
Windows Server2003 Administration Tools Pack can only be installed on Windows XP
Professional with QFE Q329357 applied, or on Windows XP Professional SP1 or later, or on
computers running Windows Server 2003 operating systems.
Service pack level mismatch. Please obtain the Administration Tools Pack that matches the
service pack level of your operating system.
Similarly, the command-line utilities from the Windows Server 2003 Administration Tools
package are designed to run on Windows XP and the Windows Server 2003 family only.
Command-line utilities in the Windows Server 2003 Administration Tools package do not run if
there is a DLL mismatch or an entry point error (if you copy the utilities to a Windows 2000based computer). If you try to install Windows 2000 Administration Tools package on a
Windows Server 2003-based computer, you receive the following error message:

Anonymous LDAP operations in Windows 2003 AD?

Background

By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows
domain controllers. This means that when trying to perform unauthenticated search in Active Directory, you c
for attributes of the RootDSE object only any other query will result in domain controller requesting authent
to LDAP and refusing to your query.

Actually this is new behavior compared to Windows 2000 domain controllers which allowed anonymous opera
the query results were based only on the permissions of the objects.

"So what is it good for?" you might ask yourself. Well, one of the reasons is minimizing the impact of potentia
service (DoS) attacks against AD. Consider a malicious application performing an anonymous LDAP query aga
domain controller. Theoretically, by crafting a very complicated LDAP filter with a "Sub" scope, an attacker co
overload the LDAP server which would result in significant degradation in domain controller performance and
denial of service.

Why you might want to enable anonymous binds? Usually this is desired when you need to provide an easy a
subset of information stored in AD to 3rd party applications that are not capable of authenticating to AD or th
information is intended to be in public domain from the beginning and you are storing it in AD. The scenarios
infinite, but before enabling anonymous operations make sure that you truly understand the implications of th
the change (though reversible) does increase the security risks to your environment.

Let's have a look at what are we allowed to see when we are trying to perform an anonymous lookup against

domain controller.

The query below is performed from a Linux machine just to eliminate the query tools attempts on Windows to
GSSAPI authentication in the background.

Just to decipher the syntax above:

-h
descartes.antid0t.net

perform the query against host

descartes.antid0t.net

-b ''

Use RootDSE as the search base

-x

Use simple bind

-LLL

Print responses in LDIF format without comments

and version

-s base

Do base search (as opposed to subtree or

onelevel)

'objectClass=*'

LDAP filter which basically means: return anything

you find

Not much, right? Just enough to be able to negotiate the correct authentication dialect, learn about LDAP pro
versions supported, enumerate the partitions and acquire some more details about the LDAP semantics suppo
the server.

Notice that I had to use "base" scope query. Trying to perform "Subtree" or "OneLevel" query would yield the
requiring authenticated bind:

Enabling anonymous LDAP operations

1. Launch ADSI Edit (part of support tools) and navigate to:
CN=Directory Service,CN=Window s NT,CN=Services

Where <forestRoot> is the root domain of your forest (in my case this is DC=antid0t,DC=net)

2. Right click the "CN=Directory Services" container, choose "Properties" from the context menu and scro
the dsHeuristics attribute

3. If the attribute is not set (has no value), fill in "0000002" in the value field.

The last (seventh) character is the one that controls the way you can bind to LDAP service. "0" or no s
character means that anonymous LDAP operations are disabled. Setting the seventh character to "2" p
anonymous operations (you are still subject to Access Control Lists of the objects in AD)

Warning: if the attribute already contains a value, make sure you are changing only the seventh character fro
this is the only character that needs to be changed in order to enable anonymous binds. So for example if t
value is "0010000", you will need to change it to "0010002".

If the current value is less than 7 characters, you will need to put zeros in the places not used: "001" will bec
"0010002"

4. Make yourself a cup of coffee and wait till the change is replicated to all you DCs in the forest. The new

be picked up without any need for server reboots or service restarts. Meanwhile you can get a bit mor
about the process from MS KB article 326690.

Let's test it:

As you can see, now we are allowed a little more: we are allowed to perform "Sub" queries against all the AD
Though this step allows unauthenticated operations against AD, only a very small subset of attributes are bei
exposed. The step can be compared to opening the lobby door of an apartment building you can travel arou
the doors to the apartments are closed.

Granting anonymous read access

This step involves granting NT AUTHORITY\ANONYMOUS LOGON (well know security principal) access to ob
want to be able to be located by the means of anonymous lookups. This can be compared to opening some d
apartments inside the building.
Let's give it a try and expose some details about one of my computers to the public:

1. Open Active Directory Users and Computers.

2. Make sure "View Advanced Features" is checked.
3. Navigate to the object you want to expose it's information and double click it.
4. Go to Security tab and click Add button.
5. Type in " ANONYMOUS LOGON" and acknowledge the dialog.

6. In the ACL you will notice that now " ANONYMOUS LOGON" has access to some property sets of the co

object (you can actually grant more granular access permissions to the object, but this is beyond the s
this article).

Let's test it:

Hey! This didn't work! Well, apparently there is a good reason for that: you need to grant at least "List Conte
permission to the "ANONYMOUS LOGON" on the OU the object, you are querying for, resides in.
How do you do that?

1. In Active Directory Users and Computers, right-click the OU the object is located in and choose Proper
2. Click the Security tab and click advanced.

3. Click the Add button and in the dialog that opens type in "ANONYMOUS LOGON".
4. Acknowledge the dialog. This will open a new dialog window.

5. In the "Apply to" drop-down box choose "This object only" and tick the "List Contents" checkbox as sh
picture:

Now let's try it again:

Hurray! Now it works.

Happy binding!

Basic Active Directory Services Interface (ADSI) Scripting

ADSI is a set of COM objects that are used to programmatically manipulate a namespace. A namespace could be
anything from the Active Directory to an application such as MS Exchange Server.
Since ADSI is based on COM, it may be scripted using any language with COM bindings (any language that supports
accessing the COM subsystem). This means that you may access ADSI with C\C++, Visual Basic, Java, Perl or many other
languages. You could even embed ADSI scripts into an MS Office macro using VBA as part of a workflow process. The
possibilities are almost limitless.

ADSI Concepts
It is necessary to understand some terminology before delving into ADSI programming.
Component Object Model (COM) A technology that allows the creation of binary compatible software components. This
simply means that a COM component is a chunk of software that may be accessed anywhere a COM system is available.
This is regardless of location, language or even operating system. It helps to think of this in a similar fashion to the Java
system. Java may run wherever a Java Virtual Machine (JVM) is available. COM is accessible wherever a COM subsystem is
available. But do not confuse the purposes of COM and Java. They are two very different technologies with different
purposes.
Interface A set of functions that are packaged and grouped together according to purpose. COM components provide a
number of Interfaces that are available for use in applications. For example later in this article I will demonstrate using the
IADsContainer interface (the leading I designates this as an interface) to access an LDAP directory.

Provider A provider is the software that services requests to some external resource. The resource may be the Active
Directory, an LDAP director or an application such as Internet Information Services.
Binding Binding is the process of connecting a provider to a physical instance of a resource. Simply put, if I want to
manipulate objects in my AD domain called Johnson, I would first bind to the Johnson domain. Then I could create, modify,
update, search for or delete objects in the Johnson AD at will.

Using ADSI
In order to manipulate anything in a namespace with ADSI, you must first bind to it. After binding, you may perform any
operations on objects in the namespace you wish.
A typical ADSI application follows this format. Note that this is not real code and is for illustration purposes only:
1.
2.
3.

4.

declare variables: var1, var2, etc

bind to a resource: var1 = bind to AD(Johnson)
manipulate the resource
a. var1->createuser
b. var1->delete another user
c. var1->enumerate all users in the Johnson domain
End

Notice how the process of binding returns an object that is stored in a variable. The object returned is actually an interface
variable. This interface variable is used as the tool to do the actual manipulation of the bound resource. Thats about all there
is to it. If you can understand this simple example, you are well on your way to using ADSI.

ADSI Examples
LDAP Example
This is an example of connecting to a Sun One Directory Server and enumerating the users in a branch of the directory:
1.
2.
3.
4.
5.
6.
7.

option explicit
dim Container ' as IADsContainer
dim Entry 'as IADs
dim Where 'as String
dim Filter 'as Variant
Where = "/ou=People"
set Container = GetObject ("LDAP://192.168.1.105:59822/DC=NET/DC=COMCAST/DC=IL/DC=HSD1" &
Where)
8. for each entry in Container
9. wscript.echo entry.name
10. wscript.echo entry.get("mail")
11. next
Line 1 turns on explicit variable declaration. This makes it easier to catch typos in variable names.
Lines 2-5 declare variables for use within the script. This script is written using VBScript (vbs) and therefore does not use
typed variables. Every variable is a variant (can hold a value of any type). However, I show the variable type as a comment
for documentation purposes. It is also useful when moving a script between vbs and its big brother Visual Basic.

Line 6 sets the Where variable to the location in the directory where enumeration will begin.
Line 7 is where the interesting stuff begins. Here is where the provider is bound to my test directory. Notice that the ldap port
use is 59822 instead of 389. Also the contents of the Where variable is concatenated to the connection string to form the full
LDAP URL. The GetObject function returns object of type IADsContainer, which is a collection of directory entries.
Lines 8 and 11 form a loop around two console output statements that print the desired directory information.
Line 9 is an example of a property of the interface variable. Each directory entry interface object has a name property that
corresponds to the name of the entry in the ldap directory.
Line 10 is an example of a property on the directory entry itself, not the interface variable. These types of properties must be
accessed via the get method on the interface variable. This example gets the mail property which is typically an rfc822 email
address.
Executing this script against my test LDAP server produces the following output:
C:\scripts>SunOneDirServerUserDump
uid=KJohnson
[email protected]
uid=RJohnson
[email protected]
uid=tadmin
C:\scripts\SunOneDirServerUserDump.vbs(12, 2) Ac

Notice the error message on the last lines. This is because the mail field is undefined for the tadmin user.
Active Directory Example 1
This example shows how to enumerate objects in the Active Directory. This script takes up to two arguments. The first
argument is a starting location in the directory to use for enumeration. The second is a filter to limit the returned results to a
particular object type. To run this script, simply type the name of the script into a command prompt. adexa1.vbs
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.

adexa1.vbs
option explicit 'Always use explicit variable declaration!!!
dim RootDSE 'as IAD
dim Container 'as IADsContainer
dim Entry 'as IADs
dim Location 'as String
dim Filter 'as string
if(WScript.Arguments.Count > 0) then
Location = WScript.Arguments(0)
end if
if(WScript.Arguments.Count > 1) then
Filter = WScript.Arguments(1)
end if
set RootDSE = GetObject("LDAP://RootDSE")
set Container = GetObject("LDAP://"& Location & "," & RootDSE.get("DefaultNamingContext"))
if(Filter <> "") then
Container.Filter = Array(Filter)

18.
19.
20.
21.
22.

end if
For Each Entry in Container
wscript.echo Entry.Name
Next
Wscript.Quit

Line 1 is a comment. It contains the name of the script.

Line 2 turns on explicit variable declaration.
Lines 3-7 declare variables for use within the script.
Lines 8 - 10 check to see if at least one command line argument was specified. If so, its value will be used as the starting
directory location for enumeration.
Lines 11-13 check to see if at least two command line arguments were specified. If so, the second argument will be used as
the value of the container filter. This filter will determine which object classes in the container will be available for
manipulation.
Line 14 gets the RootDSE of the directory. This is a standard LDAP v3 object that contains information about the directory.
Line 15 is where binding occurs. However, this time the LDAP connection string is constructed by concatenating the
container with the Default Naming Context (the name of the domain) obtained via the RootDSE object.
Lines 16-18 set the filter if one was supplied on the command line.
Lines 19-21 print each entry in the container.
Line 22 explicitly ends the script.
Running this script on one of my test Windows 2003 Server machines produces the following output:
C:\scripts>adexa1.vbs cn=users user
CN=Administrator
CN=Guest
CN=IUSR_SERVER1
CN=IWAM_SERVER1
CN=krbtgt
CN=SUPPORT_388945a0

Windows NT Example
Yes thats right, Windows NT. I know you still remember it. This is just to show you that it did work in Windows NT. Not
that any NT 4 boxes still exist to actually test this out
1.
2.
3.
4.
5.

Dim Container as IOleDsContainer

Dim NewUser as IOleDsUser
Set Container = GetObject("@WinNT!JOHNSON")
Set NewUser = Container.Create("User", "JSomebody")
NewUser.AccountRestrictions.SetPassword("password")

6.

NewUser.SetInfo

Closing Remarks
There is one more thing worth mentioning for budding ADSI scripters, the EzAD Scriptomatic. This is a little tool available
from Microsoft that allows you to select operations from a couple of drop down text lists and then generate a corresponding
script. This is pretty cool if you are just learning ADSI scripting and want to see how to do a few common ADSI scripting
tasks. This tool is available from the Microsoft Technet script center.

ADSI scripting is very powerful, and this article shows a small sampling of what can be accomplished with ADSI scripting.
Use the links below to find out more about ADSI technology.

How can I change the Recovery Console or Directory

Restore Safe Mode Administrator password on a
Domain Controller?
When you promote a Windows 2000 or Windows Server 2003 Server-based computer to a
domain controller, you are prompted to type a Directory Service Restore Mode Administrator
password. This password is also used by Recovery Console, and is separate from the
Administrator password that is stored in Active Directory after a completed promotion.

Featured Product
Windows Key by LostPassword.com - Use this easy tool to reset any
Windows local or domain controller password in a minute. Money-back
guarantee. Download FREE version now!
The Administrator password that you use when you start Recovery Console or when you press
F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts
Manager (SAM) on the local computer. The SAM is located in the %SystemRoot
%\System32\Config folder. The SAM-based account and password are computer specific and
they are not replicated to other domain controllers in the domain.
For ease of administration of domain controllers or for additional security measures, you can
change the Administrator password for the local SAM. To change the local Administrator
password that you use when you start Recovery Console or when you start Directory Service
Restore Mode, use one of the following methods:

Method #1

If Windows 2000 Service Pack 2 or later is installed on your computer, you can use the
Setpwd.exe utility to change the SAM-based Administrator password. To do this:
1. At a command prompt, change to the %SystemRoot%\System32 folder.
2. To change the local SAM-based Administrator password, type
setpw d

and then press ENTER.

1. To change the SAM-based Administrator password on a remote domain controller, type
setpw d /s: servername

and then press ENTER, where servername is the name of the remote domain controller.
1. When you are prompted to type the password for the Directory Service Restore Mode
Administrator account, type the new password that you want to use.
Note: If you make a mistake, repeat these steps to run setpwd again.

Method #2
On Windows 2000, if you do know the Directory Service Restore Mode Administrator password you can
easily change it to something else by using the following method:
1. Shut down the domain controller on which you want to change the password.
2. Restart the computer. When the selection menu screen is displayed during the restart
process, press F8 to view advanced startup options.
3. Select the Directory Service Restore Mode option.
4. After you successfully log on, use one of the following methods to change the local
Administrator password:
At a command prompt, type the following command:

net user administrator *

or
Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password.
5. Shut down and restart the computer.
You can now use the Administrator account to log on to Recovery Console or Directory Services
Restore Mode using the new password.

Method #3
On Windows 2000, if you do not know the Directory Service Restore Mode Administrator password you
can easily change it to something else by using the following method:
1. At a command prompt, type the following command:
net user administrator 123456

This will change the local administrator's password to 123456.

You can now use the Administrator account to log on to Recovery Console or Directory Services
Restore Mode using the new password.

Method #4
On Windows Server 2003, the setpwd or NET USER trick won't work. Here, if you want to change the Directory
Service Restore Mode Administrator password you'll need to use the following method:
1.

Click, Start, click Run, type

ntdsutil

and then click OK.

2.

At the Ntdsutil command prompt, type

set dsrm passw ord

3.

At the DSRM command prompt, type one of the following lines:

To reset the password on the server on which you are working, type
reset passw ord on server null

The null variable assumes that the DSRM password is being reset on the local computer. Type the new password when
you are prompted. Note that no characters appear while you type the password.
or
To reset the password for another server, type
reset passw ord on server <servername>

where <servername> is the DNS name for the server on which you are resetting the DSRM password. Type the new
password when you are prompted. Note that no characters appear while you type the password.
4.
5.

At the DSRM command prompt, type q.

At the Ntdsutil command prompt, type q to exit.

You can now use the Administrator account to log on to Recovery Console or Directory Services
Restore Mode using the new password.

Changing the Tombstone Lifetime Attribute in Active Directory

The tombstone lifetime must be substantially longer than the expected replication latency between the domain
controllers. The interval between cycles of deleting tombstones must be at least as long as the maximum replication
propagation delay across the forest. Because the expiration of a tombstone lifetime is based on the time when an object was
deleted logically, rather than on the time when a particular server received that tombstone through replication, an object's
tombstone is collected as garbage on all servers at approximately the same time. If the tombstone has not yet replicated to a
particular domain controller, that DC never records the deletion. This is the reason why you cannot restore a domain
controller from a backup that is older than the tombstone lifetime.

By default, the Active Directory tombstone lifetime is sixty days. This value can be changed if necessary. To change this
value, the tombstoneLifetime attribute of the CN=Directory Service object in the configuration partition must be modified.
This object is located here:
cn=Directory Service,cn=Window s NT,cn=Services,cn=Configuration,dc

Note: Longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected
DC beyond the time when the object is permanently deleted from online DCs. The tombstone lifetime is not changed
automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually
after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of
180 days.
You can check your tombstone lifetime attribute by using the following command:
dsquery * " cn=Directory Service,cn=Window s NT,cn=Services,cn=Conf

There are several ways of modifying this attributes value, the easiest is using ADSIEdit.

Method #1: Using ADSIEdit

The following explains how to modify this attributes value using ADSI Edit.
Note: ADSIEdit is part of the Windows 2003 Support Tools. To get ADSIEdit you need to install the support tools on your
computer/DC. Read my "What are the Windows Server 2003 Support Tools? Where can I get them from?" article for more
info on how to obtain the Windows Server 2003 Support Tools (insert link to existing article).
In addition, in order to perform the following steps you'll need to be a member of the Enterprise Admins group.
To view or change attribute values by using ADSIEdit:
1.

On the Start menu, point to Run and then type ADSIEdit.msc and press Enter.

cn=Directory Service,cn=Window s NT,cn=Services,cn=Configuration,dc

2. Navigate to:

Where "ForestRootDN" is the Distinguished Name of your Active Directory Forest Root domain. For example, if
your domain's name is kuku.co.il, then the DN for it would be:
DC=kuku,DC=co,DC=il

3.

Right-click and choose properties.

4. In the resultant properties dialog, scroll down to tombstoneLifetime, select this attribute and choose Edit.

5.

Configure the Tombstone Lifetime Period, then press Ok.

6.

Click OK and then close ADSIEdit.

When you view properties on cn=Directory Service,cn=Windows NT, cn=Services,cn=Configuration,dc=, if no value is set it
means that the default value is in effect. Any value that you type in the Edit Attribute box replaces the default value when you
click Set .
The default value for these two attributes applies if the attribute is not set (the initial state of the system).

Method #2: Using an LDIF file

Open Notepad and create a text file with the following content:

dn: cn=Directory Service,cn=Window s NT,cn=Services,cn=Configuration

changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-

Note: Don't forget the "-" on the last line, at the end.
Where is the Distinguished Name of your Active Directory Forest Root domain. For example, if your domain's name is
kuku.co.il, then the DN for it would be:
DC=kuku,DC=co,DC=il

Save this file as tombstoneLifetime.ldf (or similar).

Open the Command Prompt and type:
Ldifde I f {Path to tombstoneLifetime.ldf}

Method #3: Using a VBS script

You can read more about this option on the Change tombstone lifetime (VBScript) page, which presents code found in
Chapter 17 of the Active Directory Cookbook. See the following Links:

TechTasks Code Center

Active Directory Cookbook

How can I configure a Windows 2000/2003 Server as a

Global Catalog?
The Global Catalog (GC) contains an entry for every object in an enterprise forest but only a
few properties for each object. An entire forest shares a GC, with multiple servers holding
copies. You can perform an enterprise wide forest search only on the properties in the GC,
whereas you can search for any property in a users domain tree. Only Directory Services (DS)
or Domain Controller (DC) can hold a copy of the GC.
Configuring an excessive number of GCs in a domain wastes network bandwidth during
replication. One GC server per domain in each physical location is sufficient. Windows NT sets
servers as GCs as necessary, so you dont need to configure additional GCs unless you notice
slow query response times.

Because full searches involve querying the whole domain tree rather than the GC, grouping the
enterprise into one tree will improve your searches. Thus, you can search for items not in the
GC.
By default, the first DC in the First Domain in the First Tree in the AD Forest (the root domain)
will be configured as the GC.
You can configure another DC to become the GC, or even add it as another GC while keeping
the first default one.
Reasons for such an action might be the need to place a GC in each AD Site.
To configure a Windows 2000/2003 Domain Controller as a GC server, perform the following
steps:
1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services
Manager. (From the Start menu, select Programs, Administrative Tools, Active Directory
Sites and Services Manager).
2. Select the Sites branch.
3. Select the site that owns the server, and expand the Servers branch.
4. Select the server you want to configure.
5. Right-click NTDS Settings, and select Properties.

6. Select or clear the Global Catalog Server checkbox, which the Screen shows.

7. Click Apply, OK.

You must allow for the GC to replicate itself throughout the forest. This process might take anywhere between 10-15
minutes to even several days, all depending on your AD infrastructure.

How do I change the intrasite replication interval in

Windows 2000 for domain information?

Active Directory intrasite replication for naming context data doesnt occur until 5 minutes
after a change.
When you make a change to the naming context (i.e., domain) data, the DCs local copy of
Active Directory (AD) records the change, then the DC waits 5 minutes (by default) before
notifying its replication partners of the change. You can continue to make changes during this
time period. The delay exists so that all changes transmit at once. If no changes occur during
a particular time period (which you can configure in the intrasite connection object schedule),
a replication sequence initiates to ensure no changes were missed.

This delay lets all changes transmit at once. You can change this 5-minute delay by using the
registry editor:
Warning!
This document contains instructions for editing the registry. If you make any error while editing the
registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall
Windows. Edit the registry at your own risk. Always back up the registry before making any
changes. If you do not feel comfortable editing the registry, do not attempt these instructions.
Instead, seek the help of a trained computer specialist.
1. Start Regedit.exe.
2. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSe
\Services\NTDS\Parameters

3. Double-click Replicator notify pause after modify (secs).

Note: The default value data for the "Replicator notify pause after modify (secs)" DWORD
value is 0x12c, which in hexadecimal format is 300 decimal (5 minutes).
4. Enter the number of seconds you want for the delay, and click OK.
5. Close the registry editor.
6. Reboot the machine.
Notice the parameter Replicator notify pause between DSAs (secs). This parameter determines
the number of seconds between notification of directory service agents (DSAs). This parameter
prevents simultaneous replies by replication partners.
Note: The default value data for the "Replicator notify pause between DSAs (secs)" DWORD
value is 0x1e, which in hexadecimal format is 30 decimal (30 seconds).

How do I change the intrasite replication interval in

Windows 2000 for domain information?
Active Directory intrasite replication for naming context data doesnt occur until 5 minutes
after a change.
When you make a change to the naming context (i.e., domain) data, the DCs local copy of
Active Directory (AD) records the change, then the DC waits 5 minutes (by default) before
notifying its replication partners of the change. You can continue to make changes during this
time period. The delay exists so that all changes transmit at once. If no changes occur during
a particular time period (which you can configure in the intrasite connection object schedule),
a replication sequence initiates to ensure no changes were missed.

This delay lets all changes transmit at once. You can change this 5-minute delay by using the
registry editor:
Warning!
This document contains instructions for editing the registry. If you make any error while editing the
registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall
Windows. Edit the registry at your own risk. Always back up the registry before making any
changes. If you do not feel comfortable editing the registry, do not attempt these instructions.
Instead, seek the help of a trained computer specialist.
1. Start Regedit.exe.
2. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSe
\Services\NTDS\Parameters

3. Double-click Replicator notify pause after modify (secs).

Note: The default value data for the "Replicator notify pause after modify (secs)" DWORD
value is 0x12c, which in hexadecimal format is 300 decimal (5 minutes).
4. Enter the number of seconds you want for the delay, and click OK.
5. Close the registry editor.
6. Reboot the machine.
Notice the parameter Replicator notify pause between DSAs (secs). This parameter determines
the number of seconds between notification of directory service agents (DSAs). This parameter
prevents simultaneous replies by replication partners.

Note: The default value data for the "Replicator notify pause between DSAs (secs)" DWORD
value is 0x1e, which in hexadecimal format is 30 decimal (30 seconds).

How can I easily perform management operations in

AD from a customized Taskpad?
As your AD infrastructure grows, and the number of objects within it constantly changes, you might find that managing
the growing number of users, groups and computers is becoming more than a headache. Fortunately for us, one of
Active Directory's best features is the ability to delegate administrative control over specific objects to lower-level
administrators.
You can read more about the administrative tasks delegation in an article that will be published shortly.
In this article I'll show how to create a custom tool (called Taskpad) from the Active Directory Users and Computers
snap-in, and how to use this custom tool to ease some of your daily user management tasks.
Let's assume that your organization has an AD domain with several thousands of users. This domain consists of several
distinctive divisions or departments. You have already created the right OU (Organization Unit) structure, and have
already placed the right users accounts, groups and computers in their respective OUs.
We will also assume that one user named David will be responsible for managing all the user objects within the Sales
OU. Other users might be responsible for other management tasks (such as adding computer objects, controlling Group
Policy Objects or managing group membership, but for now let us concentrate on David).
This is how your AD domain structure looks like:

Note: This is only an example, you should use your own OU structure, based upon management and GPO functionality
considerations.

To create a custom MMC Taskpad for AD Users management

1.
2.

Click Start > Run, type MMC and click Enter.

In the new MMC window, click File > Add/Remove Snap-in.

3.

In the Add/Remove Snap-in window click on Add.

4.

In the Add Standalone Snap-in window, click on Active Directory Users and Computers and then click on the
Add button.

5.

Back in the MMC window, click to expand the AD domain, and browse t the required OU (in this case Corp >
Sales). Right-click on the OU and select New Taskpad view.

6.

In the Welcome screen click Next.

7.

In the New Taskpad wizard page customize the view you want to retain. You can select a various sizes for the
display, and other options related to the button captions and so on. When done, click Next.

8.

In the Taskpad Target window leave the default setting and click Next.

9.

In the Name and Description window type any name and description you want to appear in the Taskpad view.
Click Next.

10. In the Completing wizard page make sure that the Start New Task Wizard checkbox is selected and click Next.

11. In the Command Type window leave the Menu Command selection and click Next.

12. In the Shortcut Menu Command window notice how each right-click action associated with a user object is
available for selection in the right-hand side window. Note that you do NOT need to select a specific user
account on the left-hand side window, but in order for the right-click option to be available, you do need to
select any one of the available user accounts. I usually build one or two fake user accounts just for this
purpose, and when I'm done with the Taskpad creation, I delete those accounts.
In this step I've chosen the Properties task, but you can choose your own tasks.

Note that although all right-click tasks are available for you to choose from, creating a task in this stage will not give
the user that's supposed o use this Taskpad any additional permissions on the objects. I.e. if I choose New > Group from
the available tasks and the user that's going to use this tool does NOT have the permission to create a new group in the
Sales OU, he or she will NOT see the task button, although I've specifically added it to the task buttons.
When done click Next.
12. In the Name and Description window type or modify the needed info and click Next.

13. In the Task Icon window browse to find the most appropriate icon (or add your own) and click Next.

14. In the Completing the task wizard page select the Run this wizard again checkbox and click Finish.

15. You will now have the option to re-run the wizard. Follow steps 10-12 and select the next task to add to the
Taskpad.
This time I chose Delete.

Follow steps 13 to 14 and re-run the wizard.

Here are some of the options available:
New User:

Reset Password:

Disable Account:

16. In order to add the Enable Account option we will first need to manually disable one of the available user
accounts, then the Enable Account option will be available to choose:

Enable Account:

17. For other options, such as Find and Refresh, we will first need to configure the Command Source as Tree Item
Task. Then the Find and Refresh options will become available.
Find:

Refresh:

18. You can also follow the same steps as before, but this time choose Shell Command in the Command Type
window.

19. Here you can add any command or batch file you want. For example, here is a command that will cause a Ping
window to appear, pinging your DC:

20. You can also add a Command Prompt window:

21. And a command that will cause your DC to replicate with other DCs (this can be easily accomplished by using
the REPADMIN command in a batch file).

22. When finished adding all the required tasks and buttons, click Finish and look at what we've done:

Notice how the original tree display is still visible. We will fix this right away.
23. Click on the View menu, then select Customize.

24. In the Customize View window clear all checkboxes. Click Ok. Notice how all menus and the tree display
have vanished.

25. Now, we need to customize the tool's icon and settings before we save it. On the File menu click Options.

26. In the Options menu give the Taskpad a good descriptive name and change the icon if you want. Also, in the
Console Mode list, select User Mode - Limited Access, Single Window. Next, select the Do Not Save Changes
checkbox, and clear the Allow the User to Customize Views checkbox. Click Ok.

27. Next, save the Taskpad to anywhere you want. You can also send the Taskpad (which in fact is an .MSC file)
by mail to the user responsible for the management of the OU. However remember that this user must also
have the AD Users & Computers snap-in installed on his or her computer. See Extract Specific Tools from
Adminpak.msi for more info.

Now let us test the Taskpad:

1.

Click on the saved Taskpad and run it.

2.

You will notice how the list of users is found on the right, and the list of available tasks is on the left. See how
the available tasks and buttons change as you click on various objects. For example, when you click on a
disabled user account, the Enable button will appear:

When you click on Find, a Find dialog box appears:

and when you click on User, a new user dialog box appears:

In conclusion, the Taskpad views are powerful add-ons to the administrator's arsenal, and can be used in various
scenarios. Remember that the Taskpad view is not just limited to the AD Users & Computers snap-in, but can be used in
virtually and available snap-in. Also, as a security measure, do NOT rely on the Taskpad's available buttons to prevent a
user from doing harm. Use good permission strategy to protect your resources, and only use the Taskpad as a method of
easing your administrative

Creating a trust relationship between two Small

Business Server 2000/2003 domains
Legal note

"The server is a single-domain solution, which is not intended to be integrated with other Windows domains. You are not
permitted to establish explicit trusts to other Microsoft Windows NT nor to Active Directory domains. Also, Small Business
Server 2000 does not enable you to create child domains."
Note that the SBS EULA mentions the following:
"1.e Reservation of Rights: Microsoft reserves all rights not expressly granted to you in this EULA".

How can I determine who are the current FSMO Roles

holders in my domain/forest?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active
Directory.
The five FSMO roles are:

Schema master - Forest-wide and one per forest.

Domain naming master - Forest-wide and one per forest.

RID master - Domain-specific and one for each domain.

PDC - PDC Emulator is domain-specific and one for each domain.

Infrastructure master - Domain-specific and one for each domain.

In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the
same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an
administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC. The
transferring method is described in the Transferring FSMO Roles article, while seizing the roles from a non-operational
DC to a different DC is described in the Seizing FSMO Roles article.

Can I disable the circular logging method in Active

Directory?
Actually you do NOT need to do anything...
Windows 2000/2003 Active Directory uses circular logging for maintaining transactions in the
database (Ntds.dit). The log files are maintained until the data they contain is committed to
the database. It uses these log files to recover transactions if the database is shut down in an
inconsistent state (for example, as a result of a power failure or a blue-screen error message).
In Windows 2000 and Windows Server 2003, there is currently no way to disable or turn
off circular logging.

With Microsoft Exchange, Microsoft currently recommends that administrators turn this feature off,
or never turn it on in the first place (unless the server is used as a Front end server). In Windows
2000/2003, this is not the case.
There is no documented or supported way to disable this feature in Windows 2000/2003.
Because of the redundancy built into Active Directory with multiple domain controllers within a
given organization and domain, Windows 2000/2003 has been optimized to use circular
logging. Administrators should be able to successfully recover a domain controller with a solid
backup strategy and at least one replica domain controller per domain in the organization.
When Windows 2000/2003 performs a database write operation, it records the transaction in a
log file and shortly thereafter writes the transaction to memory. When the system has time or
at system shutdown, the transactions are written to the database file.
Windows 2000/2003 records the transaction in the current log file (Edb.log), which is 10
megabytes (MB) in size. When it fills the current file, it creates a new log file (for example,
Edb00001.log). The log files continue to be incremented, but circular logging purges the oldest
file when the transactions within the log have been committed to the database. There are also
two reserve log file named Res1.log and Res2.log. These files are used as placeholders in the
event that the system runs out of disk space. Each file is also 10 MB in size.
Windows 2000/2003 also maintains a checkpoint file (Edb.chk) that records which transactions
within the log have been committed to the database. If the computer stops responding
(hangs), Extensible Storage Engine (ESE) can detect an improper shutdown by checking the
last log recorded. If the last record is not a "shutdown" record, it replays the logs from the
checkpoint. This event occurs at the first reboot after the system is shut down improperly. If
the checkpoint file is missing for any reason, every transaction within the log file is replayed.

How can I disable the password requirement for a user

in a Windows Server 2003 Active Directory domain?
Windows Server 2003 provides security policies that ensure that all users select strong passwords. Creating a password
policy involves setting the following options in the Default Domain Group Policy object. These policies, with the
exception of those settings related to password lifetime, are enforced on all users in a domain.
The default password filter (Passfilt.dll) included with Windows Server 2003 requires that a password:

Is not based on the users account name.

Contains at least six characters.

Contains characters from three of the following four categories:

Uppercase alphabet characters (AZ)

Lowercase alphabet characters (az)

Arabic numerals (09)

Nonalphanumeric characters (for example, !$#,%)

As stated above, this policy is enabled by default.

In some occasions, such as testing, lab-building, classes and so on, you might want to disable this built-in requirement.
Security Warning: Bare in mind that this setting can only be enabled/disabled at the domain level, and NOT on an OU
level. Disabling the password requirement for an entire domain will lower your security configuration, and should only
be done when absolutely necessary.
In order to disable this requirement you need to edit the Default Domain Policy for your domain.
1.
2.

Go to Administrative tools folder.

Double-click on the Default Domain Security Policy icon.

Note: If for any reason you don't see that icon you can still edit the Default Domain Group Policy from the AD Users
and Computers snap-in, or from a GPMC window (if you have GPMC installed - Download GPMC).
3.
4.

Navigate to Security Settings > Account Policies > Password Policy.

Right-click on the Minimum Password Length option in the right pane and select Properties.

5.
6.

Keep the V on the Define Setting selected! Do not remove the V from that check-box. Removing the V will
cause the GPO to revert to the default setting, which is what we are trying to remove in the first place.
Enter 0 (zero) for the number of minimum characters required in a password.

7.

Now double-click on the Passwords Must Meet Complexity Requirements option in the right pane.

8.

Again, do not remove the V from that check-box. Instead, select Disabled.

9.

Click OK all the way out and close the GPO window.

In order to refresh the policy type the following command in a CMD window and click ENTER:
gpupdate /force

Establishing a Proper Global Catalog Placement Strategy

Deciding how many Global Catalog Servers to have on your network, and where to place those servers can be tricky. If there
are too few Global Catalog Servers, you could cause severe performance problems or possibly a single point of failure. At the
same time though, having too many Global Catalog Servers can also cause performance problems. So whats an
administrator to do? In this article, I will share with you some techniques for determining how many global catalog servers
you really need.

Why Are Global Catalog Servers So Important?

In case you arent familiar with Global Catalog Servers, they are simply domain controllers that have been designated to
perform the Global Catalog server role. When you create an Active Directory forest, the first domain controller in the forest
is automatically assigned the Global Catalog server roll, because every forest requires at least one Global Catalog server.
The Global Catalog server performs a variety of tasks, both for Windows and for Exchange. Since my primary focus in this
article is Exchange Server, I dont really want to get into the Global Catalog servers Windows related function. I will tell
you though, that if a Global Catalog server is not available, then nobody will be able to log into the domain except for the
Administrator.
As you can see, the Global Catalog server performs some critical functions at the Active Directory level, but its role in
relation to Exchange Server is just as critical. In order for clients to be able to send and receive mail, both the Outlook client
and the Exchange Server must be able to query a global catalog server. Without access to a Global Catalog server, Outlook
clients will not be able to open the Global Address List or resolve the e-mail addresses of message recipients within the
forest.

Global Catalog Server Placement

Now that I have given you an idea of why Global Catalog servers are so important, lets talk about placement. Given the fact
that any domain controller thats running Windows 2000 or Windows Server 2003 can be designated to act as a Global
Catalog server, it might be tempting to just designate every domain controller to act as a Global Catalog server. In most cases
this is a bad idea though. Global Catalog servers produce quite a bit of traffic related to the replication process.
Over the years, Microsoft has released several different guidelines for Global Catalog placement, many of which are
contradictory. One set of guidelines states that you should place a Global Catalog Server into any site that contains a server
thats running an application that makes use of port 3268 (the Global Catalog lookup port). Exchange Server is such an
application, so if you were to follow this rule, then you would want to place a Global Catalog server into any site that
contains an Exchange Server.
Another Microsoft document that I read suggested placing a Global Catalog server into each site, regardless of what the site
is used for. I tend to think that this is the best approach, given the critical nature of Global Catalog servers, and the fact that
clients make use of the global catalog during the logon process. Microsoft does state however, that a site doesnt need a
Global Catalog server if the site does not contain any servers running Global Catalog dependant applications (such as
Exchange), contains fewer than 100 users, and is directly connected to a site that does contain a Global Catalog Server.

Keep in mind that this is a generic guideline though. The recommendations change depending on the size and topology of
your network. For example, in large organizations with lots of Exchange mailboxes, it is possible for a Global Catalog server
to become overwhelmed. To keep that from happening, Microsoft recommends having one Global Catalog Server for every
four mailbox servers. Therefore, if a site contained eight mailbox servers, then you would want to place at least two global
catalog servers in that site.
Of course not every network is large enough to have multiple sites. If you have a single site, single domain network, then it is
safe to go ahead and designate all of your domain controllers to act as Global Catalog servers. In this type of environment, all
of the domain controllers contain full copies of the Active Directory anyway, so the additional resource consumption caused
by having multiple Global Catalog servers will be minimal.

Event logs archiving with GPO

In some environments the company policy requires that security logs of Domain Controllers are configured to retain
information X days into the past. Requiring such a setting means 2 things:

You can not configure the Event Log to override events as needed (if the log reaches it's maximal size)
The log file can grow to a rather large size (the default is 512KB, but if you retain logs you have probably
changed that)

One of the things that can help you in this situation is automating the process of opening a new
security log file when the maximum size limit is reached.
Below you will find an Administrative Template (.ADM file) that does exactly that: the moment the file size limit is
reached, the server archives the security log and opens a fresh one.
I'll quote:
Using this entry causes the Event Log service to automatically clear a full event log and to back-up the log file. On
computers with the "CrashOnAuditFail" policy turned on, the computer continues to log events (instead of hanging
because of an audit failure) if the current log file can be backed up automatically. By default, event logs are stored in
the %SystemRoot%\System32\Config folder. If you enable this setting, a full log file is automatically backed up in the
%SystemRoot%\System32\Config folder, the log file is cleared, and event logging resumes.
If you are still wondering what I am talking about, lets have a look at the following example:
1.
2.

The company's policy requirement is to retain security events for 60 days.

The environment is rather big and the logs quickly grow.

3.

You configure the maximum security log size to rather large number (maximum is 4GB), but still this is not
enough to accommodate 60 days of events (and if you are not aware, if you hit the max size limit and your
server is not configured to override the events as needed, the server will enter the "Crash" mode - it will stop
providing services).

4.

Working with very large logs is very painful - the Event Viewer will just crawl.

So what do you do? You configure the maximum log size to rather reasonable number (lets say 128MB) and use the
Administrative Template attached below to configure the server to open a new log when it hits the 128MB limit. The
even log will be saved in %SystemRoot%\System32\Config folder with timestamp suffix and a new log will be opened.
You can later collect those files to a central location or configure a job to prune files older than 60 days.

Add the new Administrative Template to a new or to an existing GPO, then look for the settings under Computer
Configuration > Administrative Templates > System > Event Viewer. The new settings are quite self explanatory.

Follow the steps outlined in the Adding New Administrative Templates to a GPO article on general instructions on how
to add or remove an .ADM file from the Administrative Templates section in GPO.
Note: As with many custom Administrative Templates, you will need to remove the requirement to show policy settings
that can be fully managed in the GPO editor.
Needless to say, as with any GPO setting, this option will only work on Windows 2000 operating systems and higher, and
requires you to have an Active Directory in place.

Why do Windows 2000-based clients connect only to

the Domain Controller that was upgraded first in a
Mixed-Mode Domain?
After you upgrade the first of multiple Windows NT Server 4.0-based domain controllers to
Windows 2000 or to Windows Server 2003, all of the domain's Windows 2000 Professional and
Windows XP-based clients connect to that domain controller for authentication purposes.
These clients do not connect to any other domain controller; therefore, the upgraded domain
controller may become overloaded. You may also experience loss of fault tolerance capability.
Read 284937 for more info.
To resolve this problem, obtain the latest service pack for Windows 2000.
Before you apply the latest service pack to a computer that you want to upgrade from
Windows NT Server 4.0 to Windows 2000 Service Pack 1 (SP1), follow these steps on the
Windows NT Server 4.0 primary domain controller (PDC):
On the computer that is running the Windows NT Server 4.0 PDC, start Registry Editor
(Regedt32.exe).

1. Locate and click the following key in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\

2. Click Add Value on the Edit menu, and then add the following registry value:
Value name: NT4Emulator

Data type: REG_DWORD

Radix: Hex
Value data: 0x1
3. Quit Registry Editor.
4. Apply the latest service pack for Windows NT 4.0.
Note: If you run Dcpromo.exe before you add the registry key, all Windows 2000 Professional
and member servers must rejoin the domain. You can use the Netdom utility to rejoin member
servers.
You can also use this procedure to upgrade a computer that is running Windows NT 4.0 as a
backup domain controller (BDC). You do not need to make any changes to the computers that
are running Windows 2000 Professional or to member servers in the domain.
This procedure is a temporary solution. When you have sufficient Windows 2000 domain
controllers, you can remove the NT4emulator registry value on all the Windows 2000 domain
controllers.
To perform remote administration on Windows 2000 domain controllers that have the
NT4emulator registry value after you install the Windows 2000 Administration Tools package,
follow these steps:
1. On the computer that is running Windows 2000 Professional or a member server, start
Registry Editor (Regedt32.exe).
2. Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\

1. Click Add Value on the Edit menu, and then add the following registry value:
Value name: NeutralizeNT4Emulator
Data type: REG_DWORD
Radix: Hex
Value data: 0x1
2. Quit Registry Editor.
Use Dcpromo.exe to upgrade, and then apply the latest service pack.

How can I manually delete a server object from the

Active Directory database in case of a bad DCPROMO
procedure?
MS KB 216498 has more info:
The DCPROMO (Dcpromo.exe) utility is used for promoting a server to a domain controller and
demoting a domain controller to a member server (or to a standalone server in a workgroup if
the domain controller is the last in the domain). As part of the demotion process, the
DCPROMO utility removes the configuration data for the domain controller from the Active
Directory. This data takes the form of an "NTDS Settings" object, which exists as a child to the
server object in the Active Directory Sites and Services Manager.
The information is in the following location in the Active Directory:
CN=NTDS Settings,CN=<servername>,
CN=Servers,CN=<sitename>,CN=Sites,
CN=Configuration,DC=<domain>...
The attributes of the NTDS Settings object include data representing how the domain
controller is identified in respect to its replication partners, the naming contexts that are
maintained on the machine, whether or not the domain controller is a Global Catalog server,
and the default query policy. The NTDS Settings object is also a container that may have child
objects that represent the domain controller's direct replication partners. This data is required
for the domain controller to operate within the environment, but is retired upon demotion.In
the event that the NTDS Settings object is not removed properly (for example, the NTDS
Settings object is not properly removed from a demotion attempt), the administrator can use
the Ntdsutil.exe utility to manually remove the NTDS Settings object. The following steps list
the procedure for removing the NTDS Settings object in the Active Directory for a given
domain controller. At each NTDSUTIL menu, the administrator can type help for more
information about the available options.

Caution: The administrator should also check that replication has occurred since the demotion
before manually removing the NTDS Settings object for any server. Using the NTDSUTIL utility
improperly can result in partial or complete loss of Active Directory functionality.

Procedure
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
At the command prompt, type
ntdsutil
and then press ENTER.
2. Type

metadata cleanup
and then press ENTER. Based on the options given, the administrator can perform the
removal, but additional configuration parameters need to be specified before the removal can
occur.
3. Type
connections
and press ENTER. This menu is used to connect to the specific server on which the changes
occur. If the currently logged on user does not have administrative permissions, alternate
credentials can be supplied by specifying the credentials to use before making the connection.
To do so, type
set creds domain nameusernamepassword
and press ENTER. For a null password, type null for the password parameter.
4. Type
connect to server servername
and then press ENTER. You should receive confirmation that the connection is successfully
established. If an error occurs, verify that the domain controller being used in the connection
is available and the credentials you supplied have administrative permissions on the server.
Note: If you try to connect to the same server that you want to delete, when you try to delete
the server that step 15 refers to, you may receive the following error message:
Error 2094. The DSA Object cannot be deleted0x2094
Note: Windows Server 2003 Service Pack 1 eliminates the need for steps 3 and 4.
5. Type
quit
and then press ENTER. The Metadata Cleanup menu appears.
6. Type
select operation target
and press ENTER.
7. Type
list domains

and press ENTER. A list of domains in the forest is displayed, each with an associated number.
8. Type
select domain number
and press ENTER, where number is the number associated with the domain to which the
server you are removing is a member. The domain you select is used to determine if the server
being removed is the last domain controller of that domain.
9. Type
list sites
and press ENTER. A list of sites, each with an associated number, is displayed.
10. Type
select site number
and press ENTER, where number is the number associated with the site to which the server
you are removing is a member. You should receive a confirmation listing the site and domain
you chose.
11. Type
list servers in site
and press ENTER. A list of servers in the site, each with an associated number, is displayed.
12. Type
select server number
where number is the number associated with the server you want to remove. You receive a
confirmation listing the selected server, its Domain Name Server (DNS) host name, and the
location of the server's computer account you want to remove.
13. Type
quit
and press ENTER. The Metadata Cleanup menu appears.
14. Type
remove selected server
and press ENTER. You should receive confirmation that the removal completed successfully. If
you receive the following error message:

Error 8419 (0x20E3)

The DSA object could not be found
the NTDS Settings object may already be removed from the Active Directory as the result of
another administrator removing the NTDS Settings object, or replication of the successful
removal of the object after running the DCPROMO utility.
Note: You may also see this error when you attempt to bind to the domain controller that is
going to be removed. Ntdsutil needs to bind to a domain controller other than the one that is
going to be removed with metadata cleanup.
15. Type
quit
at each menu to quit the NTDSUTIL utility. You should receive confirmation that the connection
disconnected successfully.
16. Remove the cname record in the _msdcs.root domain of forest zone in DNS. Assuming
that DC is going to be reinstalled and re-promoted, a new NTDS settings object is
created with a new globally unique identifier (GUID) and a matching cname record in
DNS. You do not want the DC's that exist to use the old cname record.
As best practice you should delete the hostname and other DNS records. If the lease time that
remains on Dynamic Host Configuration Protocol (DHCP) address assigned to offline server is
exceeded then another client can obtain the IP address of the problem DC.
Now that the NTDS setting object has been deleted we can now delete the following objects:
1. Use ADSIEdit to delete the computer account in the OU=Domain
Controllers,DC=domain...
Note: The FRS subscriber object is deleted when the computer object is deleted, since it is a
child of the computer account.
2. Use ADSIEdit to delete the FRS member object in CN=Domain System Volume (SYSVOL
share),CN=file replication service,CN=system....
3. In the DNS console, use the DNS MMC to delete the cname (also known as the Alias)
record in the _msdcs container.
4. In the DNS console, use the DNS MMC to delete the A (also known as the Host) record
in DNS.
If the deleted computer was the last domain controller in a child domain and the child domain was
also deleted, use ADSIEdit to delete the trustDomain object for the child in CN=System,
DC=domain, DC=domain, Domain NC.

Forcibly Removing Active Directory from a DC

Dcpromo is the Windows 2000 and Windows Server 2003 GUI interface for promoting a server to the role of being a
Domain Controller, and if is already a DC, then dcpromo will be the tool to use to demote it back to being a member server.
Dcpromo has a specific set of checks it performs before allowing the process to continue. These requirements change based
on whether the server is being promoted or demoted. In this article we will deal with demoting issues.
Dcpromo might fail when trying to demote a Domain Controller in some cases. These scenarios include, for example:
There are no domain controllers currently available in the parent domain when you try to demote the last domain
controller in a child domain.

Dcpromo cannot complete because there is a name resolution, authentication, replication engine, or AD object
dependency that you cannot resolve.

A DC has not replicated incoming Active Directory changes in Tombstone Lifetime (Default Tombstone Lifetime is
60 days for Windows 2000 and Windows Server 2003 DCs, and 180 days for Windows Server 2003 SP1 and R2
DCs) number of days for one or more naming contexts.

If you run Dcpromo on an existing DC to demote it and it fails because of one of the above scenarios the best thing you
should do is to try to resolve the problem and then restart Dcpromo. However, if Dcpromo still fails you can still demote the
DC by running Dcpromo with the /forceremoval switch, which tells the process to ignore errors. Note that the /forceremoval
demotion causes the loss of any locally held changes and should be considered a last resort that you should use and only
when absolutely necessary.
With /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to
contact or replicate any locally held changes to another DC in the forest.
Note: The /forceremoval switch is only supported on Windows 2000 Servers that either have SP2 with Q332199 hotfix
installed on them, or with SP4, and on Windows Server 2003 servers.
Windows Server 2003 SP1 enhances the /forceremoval process. When it is run it checks to determine whether the DC hosts
an operations master role (FSMO role read my Understanding FSMO Roles in Active Directory article), is a Domain
Name System (DNS) server, or is a global catalog server. For each of these roles, the administrator receives a popup warning
that advises the administrator to take appropriate action.
RID Master warning:

PDC Emulator warning:

Infrastructure Master warning:

Naming Master warning:

Schema Master warning:

DNS Server warning:

Global Catalog Server warning:

When you force the demotion of a DC, you return the operating system to a state that is the same as the successful demotion
of the last domain controller in a domain (service start values, installed services, use of a registry based SAM for the account
database, computer is a member of a workgroup).
Note: In Windows 2000, the System event log identifies forcibly demoted DCs and instances of the /forceremoval operation
by event ID 29234. In Windows Server 2003 the System event log identifies forcibly demoted DCs by event ID 29239.
1.

Click Start, click Run, and then type the following command:
dcpromo /forceremoval

Click Ok.
2.

At the Welcome to the Active Directory Installation Wizard page, click Next.

3.

At the Force the Removal of Active Directory page, click Next.

4.

In Administrator Password, type the password and confirmed password that you want to assign to the Administrator
account of the local SAM database, and then click Next.

5.

In Summary, click Next.

6.

Watch as the process runs. Do not disturb it. Go drink some coffee. It should take no longer than a few minutes.

7.

When Dcpromo finishes it will prompt you to click Finish.

8.

Restart the server.

After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the
surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command. For more
information please read my Delete Failed DCs from Active Directory article (insert link).

Links
Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in
Windows Server 2003 and in Windows 2000 Server - 332199

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller - 255504

Permissions Are Affected After You Demote a Domain Controller - 320230

How to Backup Windows Server 2003 Active Directory

Backing up Active Directory is essential to maintain the proper health of the Active Directory database. You can backup
Active Directory by using the NTBACKUP tool that comes built-in with Windows Server 2003, or use any 3rd-party tool
that supports this feature. Backing up the Active Directory is done on one or more of your Active Directory domain
Controllers (or DCs), and is performed by backing up the System State on those servers. The System State contains the local
Registry, COM+ Class Registration Database, the System Boot Files, certificates from Certificate Server (if its installed),
Cluster database (if its installed), NTDS.DIT, and the SYSVOL folder.

To ensure your ability to actually use this backup, you must be aware of the tombstone lifetime. By default, the tombstone is
60 days (for Windows 2000/2003 DCs), or 180 days (for Active Directory based upon Windows Server 2003 SP1 DCs).
Note: Longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected
DC beyond the time when the object is permanently deleted from online DCs. The tombstone lifetime is not changed
automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually
after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of
180 days. Read my "Changing the Tombstone Lifetime Attribute in Active Directory" article for more info on that.
Any backup older than 60/180 days is not a good backup and cannot be used to restore any DC. You do not need to backup
all your DCs' System States, usually backing up the first DC in the Forest + the first DCs in each domain is enough for most
scenarios.

Purpose of Performing Regular Backups

You need a current, verified, and reliable backup to:

Restore Active Directory data that becomes lost. By using an authoritative restore process, you can restore
individual objects or sets of objects (containers or directory partitions) from their deleted state. Read my
"Recovering Deleted Items in Active Directory" article for more info on that.
Recover a DC that cannot start up or operate normally because of software failure or hardware failure.
Install Active Directory from backup media (using the dcpromo /adv command). Read my "Install DC from Media
in Windows Server 2003" article for more info on that.
Perform a forest recovery if forest-wide failure occurs.

All these are reasons to have good working and reliable backups.
Note: One of the Active Directory features that was introduced in Windows Server 2003 with Service Pack 1 was the
Directory Service Backup Reminders. With this reminder, a new event message, event ID 2089, provides the backup status of
each directory partition that a domain controller stores. This includes application directory partitions and Active Directory
Application Mode (ADAM) partitions. If halfway through the tombstone lifetime a partition has not been backed up, this
event is logged in the Directory Service event log and continues daily until the partition is backed up.
Note: You can only back up the System State data on a local computer. You cannot back up the System State data on a remote
computer.

Method #1: Using NTBACKUP

1.

Open NTBACKUP by either going to Run, then NTBACKUP and pressing Enter or by going to Start ->
Accessories -> System Tools.

2.

If you are prompted by the Backup or Restore Wizard, I suggest you un-check the "Always Start in Wizard Mode"
checkbox, and click on the Advanced Mode link.

3.

Inside NTBACKUP's main window, click on the Backup tab.

4.

Click to select the System State checkbox. Note you cannot manually select components of the System State
backup. It's all or nothing.

5.

Enter a backup path for the BKF file. If you're using a tape device, make sure NTBACKUP is aware and properly
configured to use it.

6.

Press Start Backup.

7.

The Backup Job Information pops out, allowing you to configure a scheduled backup job and other settings. For the
System State backup, do not change any of the other settings except the schedule, if so desired. When done, press

Start Backup.

8.

After a few moments of configuration tasks, NTBACKUP will begin the backup job.

9.

When the backup is complete, review the output and close NTBACKUP.

Next, you need to properly label and secure the backup file/tape and if possible, store a copy of it on a remote and
secure location.

Method #2: Using the Command Prompt

You can use the command line version of NTBACKUP in order to perform backups from the Command Prompt.
For example, to create a backup job named "System State Backup Job" that backs up the System State data to the file
D:\system_state_backup.bkf, type:
ntbackup backup systemstate /J "System State Backup Job" /F "D:\system

How do I install Active Directory on my Windows 2000

Server?
First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the
requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a
computer that's not connected to a LAN).
Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW
TREE, in a NEW FOREST. Meaning - don't do it for any other scenario, such as a new replica DC in an existing
domain (How to Install a Replica DC in an Existing AD Domain on Windows 2000).

Here is a quick list of what you must have:

An NTFS partition with enough free space

An Administrator's username and password

The correct operating system version

A NIC

Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)

A network connection (to a hub or to another computer via a crossover cable)

An operational DNS server (which can be installed on the DC itself)

A Domain name that you want to use

The Windows 2000 CD media (or at least the i386 folder)

Brains (recommended, not required...)

This article assumes that all of the above requirements are fulfilled.

Step 1: Configure the computer's suffix

(Not mandatory, can be done via the Dcpromo process).
1.
2.

Right click My Computer and choose Properties.

Click the Network Identification tab, then Properties.

3.

Set the computer's NetBIOS name. On a W2K server this cannot be changed after the computer has been
promoted to Domain Controller.
Click More.

4.

5. In the Primary DNS suffix of this computer box enter the would-be domain name. We will use dpetri.net for
this example, you should use your own domain name. Make sure you got it right. No spelling mistakes, no
"oh, I thought I did it right..." because on W2K this cannot be changed after the computer has been promoted
to Domain Controller and if you got it wrong the Dcpromo process might fail.

6.
7.

Click Ok.
You'll get a warning window.

8.
9.

Click Ok.
Check your settings. See if they're correct.

10. Click Ok.

11. You'll get a warning window.

13. Click Ok to restart.

Step 2: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use it's own IP address as the address of the DNS server, so it
will point to itself when registering SRV records and when querying the DNS database.
Configure TCP/IP
1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.

4. Click Internet Protocol (TCP/IP), and then click Properties.

5. Assign this server a static IP address, subnet mask, and gateway address. Enter the
server's IP address in the Preferred DNS server box.

6. Click Advanced.
7. Click the DNS Tab.
8. Select "Append primary and connection specific DNS suffixes"
9. Check "Append parent suffixes of the primary DNS suffix"
10. Check "Register this connection's addresses in DNS". If this Windows 2000-based DNS
server is on an intranet, it should only point to its own IP address for DNS; do not enter
IP addresses for other DNS servers here. If this server needs to resolve names on the
Internet, it should have a forwarder configured.

11. Click OK to close the Advanced TCP/IP Settings properties.

12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connections properties.

Step 3: Install and configure the DNS Service

Now you need to install Microsoft DNS Service:

Install and Configure Windows 2000 DNS Server

Install and Configure Windows 2000 DNS Server to Prepare for AD

Step 4: Running DCPROMO

After completing all the previous steps (remember you didn't have to do them) and after double checking your
requirements you should now run Dcpromo.exe from the Run command.
1.

Click Start, point to Run and type "dcpromo".

2.

The wizard windows will appear. Click Next.

3.

Choose Domain Controller for a new domain and click Next.

4.

Choose Create a new domain tree and click Next.

5.

Choose Create a new forest of domain trees and click Next.

6. Enter the full DNS name of the new domain, for example - dpetri.net - this must be the same as the DNS zone
you've created in step 3, and the same as the computer name suffix you've created in step 1. Click Next.

This step might take some time because the computer is searching for the DNS server and checking to see if any
naming conflicts exist.

7. Accept the the down-level NetBIOS domain name, in this case it's DPETRI. Click Next

8. Accept the Database and Log file location dialog box (unless you want to change them of course). The
location of the files is by default %systemroot%\NTDS, and you should not change it unless you have
performance issues in mind. Click Next.

9. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files
is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in
mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll
create, and will be replicated to all other Domain Controllers. Click Next.

10. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the
following warning:

This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the
name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.
11. You do have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS
service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings
for the DNS server IP address. Click Next.

Accept the default choice or, if you want, quit Dcpromo and check steps 1-3.
12. Accept the Pre-Windows 2000 compatible permissions.

13. Enter the Restore Mode administrator's password. You can leave it blank (in Windows Server 2003 you must
enter a password) but whatever you do - remember it! Without it you'll have a hard time restoring the AD if
you ever need to do so. Click Next.

14. Review your settings and if you like what you see - Click Next.

15. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click Cancel!!!
You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the
wizard finish and then run it again to undo the AD.

16. If all went well you'll see the final confirmation window. Click Finish.

17. You must reboot in order for the AD to function properly. Click Restart now.

Step 5: Checking the AD installation

You should now check to see if the AD installation went well.
1.

First, see that the Administrative Tools folder has all the AD management tools installed.

2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and
Containers are there.

3.

Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in
it your server is listed.

4.

Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just
created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist.

= Good
If they don't (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it
took you to log on. The "Preparing Network Connections" windows will sit on the screen for many moments, and even
when you do log on many AD operations will give you errors when trying to perform them).

= Bad
This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you.
Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure
the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the
DNS server (see steps 1 through 3).
To try and fix the problems first see if the zone is configured to accept dynamic updates.
1. In DNS Manager, expand the DNS Server object.
2. Expand the Forward Lookup Zones folder.
3. Right-click the zone you created, and then click Properties.
4. On the General tab, click to select the Allow Dynamic Update check box, and then click
OK to accept the change.

5.

Do the same for the Reverse Lookup Zone.

You should now restart the NETLOGON service to force the SRV registration.
From the command prompt type "net stop netlogon", and after it finishes, type "net start netlogon".

Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV
record folders.
If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be exactly
the same as the AD Domain name. Also check the computer's suffix (see step 1). You won't be able to change the
computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off by removing the AD
now, before you have any users, groups and other objects in place, and then after repairing the mistake - re-running
DCPROMO.
5.

Check the NTDS folder for the presence of the required files.

6.

Check the SYSVOL folder for the presence of the required subfolders.

7.

Check to see if you have the SYSVOL and NETLOGON shares, and their location.

If all of the above is ok, I think it's safe to say that your AD is properly installed.

How do I install Active Directory on my Windows 2000

Server?
First make sure you read and understand Active Directory Installation Requirements. If you don't comply with all the
requirements of that article you will not be able to set up your AD (for example: you don't have a NIC or you're using a
computer that's not connected to a LAN).
Note: This article is only good for understanding how to install the FIRST DC in a NEW AD Domain, in a NEW
TREE, in a NEW FOREST. Meaning - don't do it for any other scenario, such as a new replica DC in an existing
domain (How to Install a Replica DC in an Existing AD Domain on Windows 2000).

Here is a quick list of what you must have:

An NTFS partition with enough free space

An Administrator's username and password

The correct operating system version

A NIC

Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway)

A network connection (to a hub or to another computer via a crossover cable)

An operational DNS server (which can be installed on the DC itself)

A Domain name that you want to use

The Windows 2000 CD media (or at least the i386 folder)

Brains (recommended, not required...)

This article assumes that all of the above requirements are fulfilled.

Step 1: Configure the computer's suffix

(Not mandatory, can be done via the Dcpromo process).
1.
2.

Right click My Computer and choose Properties.

Click the Network Identification tab, then Properties.

3.
4.

Set the computer's NetBIOS name. On a W2K server this cannot be changed after the computer has been
promoted to Domain Controller.
Click More.

5. In the Primary DNS suffix of this computer box enter the would-be domain name. We will use dpetri.net for
this example, you should use your own domain name. Make sure you got it right. No spelling mistakes, no
"oh, I thought I did it right..." because on W2K this cannot be changed after the computer has been promoted
to Domain Controller and if you got it wrong the Dcpromo process might fail.

6.
7.

Click Ok.
You'll get a warning window.

8.
9.

Click Ok.
Check your settings. See if they're correct.

10. Click Ok.

11. You'll get a warning window.

13. Click Ok to restart.

Step 2: Configuring the computer's TCP/IP settings

You must configure the would-be Domain Controller to use it's own IP address as the address of the DNS server, so it
will point to itself when registering SRV records and when querying the DNS database.
Configure TCP/IP
1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.

4. Click Internet Protocol (TCP/IP), and then click Properties.

5. Assign this server a static IP address, subnet mask, and gateway address. Enter the
server's IP address in the Preferred DNS server box.

6. Click Advanced.
7. Click the DNS Tab.
8. Select "Append primary and connection specific DNS suffixes"
9. Check "Append parent suffixes of the primary DNS suffix"
10. Check "Register this connection's addresses in DNS". If this Windows 2000-based DNS
server is on an intranet, it should only point to its own IP address for DNS; do not enter

IP addresses for other DNS servers here. If this server needs to resolve names on the
Internet, it should have a forwarder configured.

11. Click OK to close the Advanced TCP/IP Settings properties.

12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connections properties.

Step 3: Install and configure the DNS Service

Now you need to install Microsoft DNS Service:

Install and Configure Windows 2000 DNS Server

Install and Configure Windows 2000 DNS Server to Prepare for AD

Step 4: Running DCPROMO

After completing all the previous steps (remember you didn't have to do them) and after double checking your
requirements you should now run Dcpromo.exe from the Run command.
1.

Click Start, point to Run and type "dcpromo".

2.

The wizard windows will appear. Click Next.

3.

Choose Domain Controller for a new domain and click Next.

4.

Choose Create a new domain tree and click Next.

5.

Choose Create a new forest of domain trees and click Next.

6. Enter the full DNS name of the new domain, for example - dpetri.net - this must be the same as the DNS zone
you've created in step 3, and the same as the computer name suffix you've created in step 1. Click Next.

This step might take some time because the computer is searching for the DNS server and checking to see if any
naming conflicts exist.

7. Accept the the down-level NetBIOS domain name, in this case it's DPETRI. Click Next

8. Accept the Database and Log file location dialog box (unless you want to change them of course). The
location of the files is by default %systemroot%\NTDS, and you should not change it unless you have
performance issues in mind. Click Next.

9. Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files
is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in
mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you'll
create, and will be replicated to all other Domain Controllers. Click Next.

10. If your DNS server, zone and/or computer name suffix were not configured correctly you will get the
following warning:

This means the Dcpromo wizard could not contact the DNS server, or it did contact it but could not find a zone with the
name of the future domain. You should check your settings. Go back to steps 1, 2 and 3. Click Ok.
11. You do have an option to let Dcpromo do the configuration for you. If you want, Dcpromo can install the DNS
service, create the appropriate zone, configure it to accept dynamic updates, and configure the TCP/IP settings
for the DNS server IP address. Click Next.

Accept the default choice or, if you want, quit Dcpromo and check steps 1-3.
12. Accept the Pre-Windows 2000 compatible permissions.

13. Enter the Restore Mode administrator's password. You can leave it blank (in Windows Server 2003 you must
enter a password) but whatever you do - remember it! Without it you'll have a hard time restoring the AD if
you ever need to do so. Click Next.

14. Review your settings and if you like what you see - Click Next.

15. See the wizard going through the various stages of installing AD. Whatever you do - NEVER click Cancel!!!
You'll wreck your computer if you do. If you see you made a mistake and want to undo it, you'd better let the
wizard finish and then run it again to undo the AD.

16. If all went well you'll see the final confirmation window. Click Finish.

17. You must reboot in order for the AD to function properly. Click Restart now.

Step 5: Checking the AD installation

You should now check to see if the AD installation went well.
1.

First, see that the Administrative Tools folder has all the AD management tools installed.

2. Run Active Directory Users and Computers (or type "dsa.msc" from the Run command). See that all OUs and
Containers are there.

3.

Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in
it your server is listed.

4.

Open the DNS console. See that you have a zone with the same name as your AD domain (the one you've just
created, remember? Duh...). See that within it you have the 4 SRV record folders. They must exist.

= Good
If they don't (like in the following screenshot), your AD functions will be broken (a good sign of that is the long time it
took you to log on. The "Preparing Network Connections" windows will sit on the screen for many moments, and even
when you do log on many AD operations will give you errors when trying to perform them).

= Bad
This might happen if you did not manually configure your DNS server and let the DCPROMO process do it for you.
Another reason for the lack of SRV records (and of all other records for that matter) is the fact that you DID configure
the DNS server manually, but you made a mistake, either with the computer suffix name or with the IP address of the
DNS server (see steps 1 through 3).
To try and fix the problems first see if the zone is configured to accept dynamic updates.
1. In DNS Manager, expand the DNS Server object.
2. Expand the Forward Lookup Zones folder.
3. Right-click the zone you created, and then click Properties.
4. On the General tab, click to select the Allow Dynamic Update check box, and then click
OK to accept the change.

5.

Do the same for the Reverse Lookup Zone.

You should now restart the NETLOGON service to force the SRV registration.

From the command prompt type "net stop netlogon", and after it finishes, type "net start netlogon".

Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you'll now see the 4 SRV
record folders.
If the 4 SRV records are still not present double check the spelling of the zone in the DNS server. It should be exactly
the same as the AD Domain name. Also check the computer's suffix (see step 1). You won't be able to change the
computer's suffix after the AD is installed, but if you have a spelling mistake you'd be better off by removing the AD
now, before you have any users, groups and other objects in place, and then after repairing the mistake - re-running
DCPROMO.
5.

Check the NTDS folder for the presence of the required files.

6.

Check the SYSVOL folder for the presence of the required subfolders.

7. Check to see if you have the SYSVOL and NETLOGON shares, and their location.

If all of the above is ok, I think it's safe to say that your AD is properly installed.

What are the FSMO Roles in Active Directory?

Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at
any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the
data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having
a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last
(that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be

acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins"
approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.

For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates
from occurring.

Windows 2000/2003 Single-Master Model

To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a
single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role
given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in
which the PDC is responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is
complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you
must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the
only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in
external directories. There can be only one domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the reference by the
GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure
FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object
reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server
(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it
does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial
replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a
warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the
global catalog, all the domain controllers have the current data, and it is not important which domain controller holds
the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the
object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is
unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is

allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC
issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by
retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one
time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time
(Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based
computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time
service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common
time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes
authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO
role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded
to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC
Emulator's SYSVOL share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or
earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain
controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still
performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the
forest.

What are the domain and forest function levels in a

Windows Server 2003-basedActive Directory?
Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to activate new
Active Directory features after all the domain controllers in the domain or forest are running the Windows Server 2003
operating system.

When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, new Active
Directory features are activated by the Windows Server 2003 operating system over its Windows 2000 counterparts.

Additional Active Directory features are available when all domain controllers in a domain or forest are running
Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must be running Windows Server 2003. After
this requirement is met, the administrator can raise the domain functional level to Windows Server 2003 (read Raise
Domain Function Level in Windows Server 2003 Domains for more info).
To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and
the current forest functional level must be at Windows 2000 native or Windows Server 2003 domain level. After this
requirement is met, the administrator can raise the domain functional level (read Raise Forest Function Level in
Windows Server 2003 Active Directory for more info).
Note: Network clients can authenticate or access resources in the domain or forest without being affected by the
Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers
interact with each other.

Important
Raising the domain and forest functional levels to Windows Server 2003 is a nonreversible
task and prohibits the addition of Windows NT 4.0based or Windows 2000based domain
controllers to the environment. Any existing Windows NT 4.0 or Windows 2000based
domain controllers in the environment will no longer function. Before raising functional levels
to take advantage of advanced Windows Server 2003 features, ensure that you will never need
to install domain controllers running Windows NT 4.0 or Windows 2000 in your environment.
When the first Windows Server 2003based domain controller is deployed in a domain or forest, a set of default Active
Directory features becomes available. The following table summarizes the Active Directory features that are available
by default on any domain controller running Windows Server 2003:
Feature

Functionality

Multiple selection of user objects

Allows you to modify common attributes of multiple user objects at

one time.

Drag and drop functionality

Allows you to move Active Directory objects from container to

container by dragging one or more objects to a location in the domain
hierarchy. You can also add objects to group membership lists by
dragging one or more objects (including other group objects) to the
target group.

Efficient search capabilities

Search functionality is object-oriented and provides an efficient

search that minimizes network traffic associated with browsing
objects.

Saved queries

Allows you to save commonly used search parameters for reuse in

Active Directory Users and Computers

Active Directory command-line tools

Allows you to run new directory service commands for

administration scenarios.

InetOrgPerson class

The inetOrgPerson class has been added to the base schema as a

security principal and can be used in the same manner as the user
class.

Application directory partitions

Allows you to configure the replication scope for application-specific

data among domain controllers. For example, you can control the
replication scope of Domain Name System (DNS) zone data stored in
Active Directory so that only specific domain controllers in the forest
participate in DNS zone replication.

Ability to add additional domain controllers

by using backup media

Reduces the time it takes to add an additional domain controller in an

existing domain by using backup media.

Universal group membership caching

Prevents the need to locate a global catalog across a wide area

network (WAN) when logging on by storing universal group
membership information on an authenticating domain controller.

Secure Lightweight Directory Access

Protocol (LDAP) traffic

Active Directory administrative tools sign and encrypt all LDAP

traffic by default. Signing LDAP traffic guarantees that the packaged
data comes from a known source and that it has not been tampered
with.

Partial synchronization of the global catalog

Provides improved replication of the global catalog when schema

changes add attributes to the global catalog partial attribute set. Only
the new attributes are replicated, not the entire global catalog.

Active Directory quotas

Quotas can be specified in Active Directory to control the number of

objects a user, group, or computer can own in a given directory
partition. Members of the Domain Administrators and Enterprise
Administrators groups are exempt from quotas.

When the first Windows Server 2003based domain controller is deployed in a domain or forest, the domain or forest
operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage
of the default Active Directory features while running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example,
the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest
functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server
2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level
supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can
operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are
running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional
level as well.

Domain Functional Level

Domain functionality activates features that affect the whole domain and that domain only. The four domain functional
levels, their corresponding features, and supported domain controllers are as follows:

Windows 2000 mixed (Default)

Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003
Activated features: local and global groups, global catalog support

Windows 2000 native

Supported domain controllers: Windows 2000, Windows Server 2003

Activated features: group nesting, universal groups, SidHistory, converting groups between security groups
and distribution groups, you can raise domain levels by increasing the forest level settings

Windows Server 2003 interim

Supported domain controllers: Windows NT 4.0, Windows Server 2003

Supported features: There are no domain-wide features activated at this level. All domains in a forest are
automatically raised to this level when the forest level increases to interim. This mode is only used when you
upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

Windows Server 2003

Supported domain controllers: Windows Server 2003

Supported features: domain controller rename, logon timestamp attribute updated and replicated. User
password support on the InetOrgPerson objectClass. Constrained delegation, you can redirect the Users and
Computers containers.

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based
computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain
functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system.
You can raise the domain functional level to either Windows 2000 native or Windows Server 2003.
After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be
introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain
controllers that are running Windows 2000 Server cannot be added to that domain.
The following describes the domain functional level and the domain-wide features that are activated for that level. Note
that with each successive level increase, the feature set of the previous level is included.

Forest Functional Level

Forest functionality activates features across all the domains in your forest. Three forest functional levels, the
corresponding features, and their supported domain controllers are listed below.

Windows 2000 (default)

Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
New features: Partial list includes universal group caching, application partitions, install from media, quotas,
rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet
Database Engine, Improved topology generation event logging. No global catalog full sync when attributes are
added to the PAS Windows Server 2003 domain controller assumes the Intersite Topology Generator (ISTG)
role.

Windows Server 2003 interim

Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a Windows
NT 4.0 Domain" section of this article.
Activated features: Windows 2000 features plus Efficient Group Member Replication using Linked Value
Replication, Improved Replication Topology Generation. ISTG Aliveness no longer replicated. Attributes
added to the global catalog. ms-DS-Trust-Forest-Trust-Info. Trust-Direction, Trust-Attributes, Trust-Type,
Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message
Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit

Windows Server 2003

Supported domain controllers: Windows Server 2003

Activated features: all features in Interim Level, Defunct schema objects, Cross Forest Trust, Domain Rename,
Dynamic auxiliary classes, InetOrgPerson objectClass change, Application Groups, 15-second intrasite
replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000

After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be
introduced into the forest. For example, if you raise forest functional levels to Windows Server 2003, domain
controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest.

Working with Group Policy

This article deals with the mechanism of deploying and verifying GPO deployment. It will not deal in the GPO itself
and the settings inside it (these settings and configurations will be discussed in different articles).
Group Policy is a one of the most useful tools found in the Windows 2000/2003 Active Directory infrastructure. Group
Policy can help you do the following:
1.
2.

Configure user's desktops

Configure local security on computers

3.

Install applications

4.

Run start-up/shut-down or logon/logoff scripts

5.

Configure Internet Explorer settings

6.

Redirect special folders

In fact, you can configure any aspect of the computer behavior with it. Although it is a cool toy; working with it without
proper attention can cause unexpected behavior.

Terms
Here are some basic terms you need to be familiar with before drilling down into Group Policy:
Local policy - Refers to the policy that configures the local computer or server, and is not inherited from the domain.
You can set local policy by running gpedit.msc from the Run command, or you can add "Group Policy Object Editor"
snap-in to MMC. Local Policies also exist in the Active Directory environment, but have many fewer configuration
options that the full-fledged Group Policy in AD.
GPO - Group Policy Object - Refers to the policy that is configured at the Active Directory level and is inherited by
the domain member computers. You can configure a GPO Group Policy Object - at the site level, domain level or OU
level.
GPC Group Policy Container - The GPC is the store of the GPOs; The GPC is where the GPO stores all the ADrelated configuration. Any GPO that is created is not effective until it is linked to an OU, Domain or a Site. The GPOs
are replicated among the Domain Controllers of the Domain through replication of the Active Directory.
GPT - Group Policy Templates - The GPT is where the GPO stores the actual settings. The GPT is located within the
Netlogon share on the DCs.
Netlogon share - A share located only on Domain Controllers and contains GPOs, scripts and .POL files for policy of
Windows NT/98. The Netlogon share replicates among all DCs in the Domain, and is accessible for read only for the
Everyone group, and Full Control for the Domain Admins group. The Netlogon's real location is:
C:\WINDOWS\SYSVOL\sysvol\domain.com\SCRIPTS
When a domain member computer boots up, it finds the DC and looks for the Netlogon share in it.
To see what DC the computer used when it booted, you can go to the Run command and type %logonserver
%\Netlogon. The content of the Netlogon share should be the same on all DCs in the domain.

GPO behavior
Group Policy is processed in the following order:
Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
and so on.
GPOs inherited from the Active Directory are always stronger than local policy. When you configure a Site policy it is
being overridden by Domain policy, and Domain policy is being overridden by OU policy. If there is an OU under the
previous OU, its GPO is stronger the previous one.
The rule is simple, as more you get closer to the object that is being configured, the GPO is stronger.
What does it mean "stronger"? If you configure a GPO and linke it to "Organization" OU, and in it you configure
Printer installation allowed and then at the "Dallas" OU you configured other GPO but do not allow printer
installation, then the Dallas GPO is more powerful and the computers in it will not allow installation of printers.

The example above is true when you have different GPOs that have similar configuration, configured with opposite
settings. When you apply couple of GPOs at different levels and every GPO has its own settings, all settings from all
GPOs are merged and inherited by the computers or users.

Group Policy sections

Each GPO is built from 2 sections:

Computer configuration contains the settings that configure the computer prior to the user logon combo-box.
User configuration contains the settings that configure the user after the logon. You cannot choose to apply
the setting on a single user, all users, including administrator, are affected by the settings.

Within these two section you can find more sub-folders:

Software settings and Windows settings both of computer and user are settings that configure local DLL
files on the machine.
Administrative templates are settings that configure the local registry of the machine. You can add more
options to administrative templates by right clicking it and choose .ADM files. Many programs that are
installed on the computer add their .ADM files to %systemroot%\inf folder so you can add them to the
Administrative Templates.

You can download .ADM files for the Microsoft operating systems

Tools used to configure GPO

You can configure GPOs with these set of tools from Microsoft (other 3rd-party tools exist but we will discuss these in
a different article):

1. Group Policy Object Editor snap-in in MMC - or - use gpedit.msc from the Run command.
2. Active Directory Users and Computers snap in - or dsa.msc to invoke the Group Policy tab on every OU or
on the Domain.

3. Active Directory Sites and Services - or dssite.msc to invoke the Group Policy tab on a site.
4. Group Policy Management Console - or gpmc.msc - this utility is NOT included in Windows 2003 server and
needs to be separately installed. You can download it from HERE
Note that if you'd like to use the GPMC tool on Windows XP, you need to install it on computers running Windows XP
SP2. Installing it on computers without SP2 will generate errors due to unsupported and newer .ADM files.

GPMC utility - Creating a GPO

When you create a GPO it is stored in the GPO container. After creation you should link the GPO to an OU that you
choose.

Linking a GPO
To link a GPO simply right click an OU and choose Link an existing GPO or you can create and link a GPO in the same
time. You can also drag and drop a GPO from the Group Policy Objects folder to the appropriate Site, Domain or OU.
When you right-click a link you can:

Edit a GPO - This will open the GPO window so you can configure settings.
Link/Unlink a GPO - This setting allows you to temporarily disable a link if you need to add settings to it or if you
will activate it later.

Enabling/disabling computer or user settings

GPO has computer and user settings but if you create a GPO that contains only computer settings, you might want to
disable the user settings in that GPO, this will reduce the amount of settings replicated and can also be used for testing.
To disable one of the configurations simply choose the GPO link and go to Details tab:

How do I know what are the settings in a GPO?

Prior to the use of GPMC, an administrator who wanted to find out which one of the hundreds of settings of a GPO
were actually configured - had to open each GPO and manually comb through each and every node of the GPO
sections. Now, with GPMC, you can simply see what the configurations of any GPO are if you point on that GPO and
go to the Settings tab. There you can use the drop-down menus to see computer or user settings.

Block/Enforce inheritance
You can block policy inheritance to an OU if you dont want the settings from upper GPOs to configure your OU.

To block GPO inheritance, simply right click your OU and choose "Block Inheritance". Blocking inheritance will block
all upper GPOs.
In case you need one of the upper GPOs to configure all downstream OUs and overcome Block inheritance, use the
Enforce option of a link. Enforcing a GPO is a powerful option and rarely should be used.
You can see in this example that when you look at Computers OU, three different GPOs are inherited to it.

In this example you can see that choosing "Block inheritance" will reject all upper GPOs.

Now, if we configure the "Default domain policy" with the Enforce option, it will overcome the inheritance blocking.

Link order
When linking more than one GPO to an OU, there could be a problem when two or more GPOs have the same settings
but with opposite configuration, like, GPO1 have Allow printer installation among other settings but GPO2 is
configured to prevent printer installation among other settings. Because the two GPOs are at the same level, there is a
link order which can be changed.
The GPO with the lowest link order is processed last, and therefore has the highest precedence.

Security Filtering
Filtering let you choose the user, group or computer that the GPO will apply onto. If you configured "Computers" OU
with a GPO but you only want to configure Win XP stations with that GPO and exclude Win 2000 stations, you can
easily create a group of Win XP computers and apply the GPO only to that group.
This option save you from creating complicated OU tree with each type of computer in it.
A user or a group that you configure in the filtering field have by default the "Read" and "Apply" permission. By
default when you create a GPO link, you can see that "Authenticated users" are listed.

In the above example, Office 2K3 will be installed on all computers that are part of the two listed groups.
If we still were using Authenticated users, the installation of the Office suite could have followed the user to any
computer that he logs onto, like servers or other machines. Using filtering narrows the installation options.
If you want to configure these permissions with higher resolution, you can go to Delegation tab and see the
permissions. Going to the Advanced Tab will let you configure the ACL permission with the highest resolution.

How the GPO is updated on the computers

GPO inherited from AD is refreshed on the computers by several ways:
1.
2.

Logon to computer (If the settings are of "user settings" in GPO)

Restart of the computer (If the settings are of "computer settings" in GPO)

3.

Every 60 to 90 minutes, the computers query their DC for updates.

4.

Manually by using gpupdate command. You can add the /force switch to force all settings and not only the
delta.

Note: Windows 2000 doesn't support the Gpupdate command so you need run a different command instead:
Secedit /refreshpolicy machine_policy

for computer settings.

Secedit /refreshpolicy user_policy

for user settings.

In both commands you can use the /enforce that is similar to the /force in gpupdate.
If any configuration change requires a logoff or a restart message will appear:

You can force logoff or reboot using gpupdate switches.

How to check that the GPO was deployed

To be sure that GPO was deployed correctly, you can use several ways. The term for the results is called RSoP
Resultant Sets of Policies.

1. Use gpresult command in the command prompt.

The default result is for the logged on user on that machine. You can also choose to check what is the results for other
users on to that machine. If you use /v or /z switches you will get very detailed information.
You can see what GPOs were applied and what GPOs were filtered out and the reason for not being deployed.

Microsoft (R) Window s (R) XP Operating System Group Policy

Copyright (C) Microsoft Corp. 1981-2001
Created On 04/24/2005
RSOP results for XPPRO\Administrator on XPPRO: Logging Mod
------------------------------------------------------------------------OS Type:
Microsoft Window s XP Professio
OS Configuration:
Member Workstation
OS Version:
5.1.2600
Domain Name:
NWTRADERS
Domain Type:
Window sNT 4
Site Name:
N/A
Roaming Profile:
Local Profile:
C:\Documents and Sett
Connected over a slow link? No
COMPUTER SETTINGS
------------------------Last time Group Policy w as applied: 04/24/2005
Group Policy w as applied from:
london.nw traders.msft
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------------Default Domain Policy
Raanana WSUS Updates
Local Group Policy
The follow ing GPOs w ere not applied because they w ere filter
---------------------------------------------------------------------------Raanana XP SP2 Behavior
Filtering: Not Applied (Empty)
The computer is a part of the follow ing security groups:
-------------------------------------------------------------BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
USER SETTINGS
-------------Last time Group Policy w as applied: 04/24/2005
Group Policy w as applied from:
N/A
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-------------------------------Local Group Policy
The user is a part of the follow ing security groups:
---------------------------------------------------Everyone, BUILTIN\Administrators, Remote Desktop Users, BUIL
NT AUTHORITY\INTERACTIVE, NT AUTHORITY\Authenticated U

2. Resultant Set of Policy snap-in in MMC.

The snap-in has two modes:
Logging mode which tells you what are the real settings that were deployed on the machine
Planning mode which tells you what will be the results if you choose some options.
This option is not so compatible because you need to browse in the RSoP data to find the settings.

1. Group Policy Results in GPMC.

This is the most comfortable option that let you check the RSoP data on every computer or user from a central location.
This option also displays the summary of the RSoP and Detailed RSoP data in HTML format.

In the example above example you can see the summary of applied or non applied GPOs both of computer and user
settings.
When looking at the Settings tab we can see what settings did applied on the computer and see which is the "Winning
GPO" that actually configured the computer with the particular setting.

How do I install and configure a new Windows 2000

DNS server within an existing DNS environment where
Active Directory is not enabled?
To create a new Windows 2000 DNS Server, you must install Windows 2000 Server or
Advanced Server on a server that is attached to your network. Because DNS is not installed by
default during installation of Windows 2000 Server or Advanced Server, you have to install
DNS on the server. You can install the Windows 2000 DNS service either during the installation
of Windows 2000 Server or Advanced Server, or after the initial installation.
If your existing environment already has a DNS domain and an existing DNS infrastructure,
and Active Directory is enabled, you can delegate a sub-domain of your existing DNS domain
to the Windows 2000 domain. The Windows 2000 DNS server must already be installed to
complete the following step.

With an existing DNS domain, you can delegate a sub-domain from the existing DNS server to
the Windows 2000 DNS server. For example, if your domain name is mycompany.com, you can
create a sub-domain with the name windows2000.mycompany.com. The Windows 2000 DNS
server has authority over that sub-domain.
To create the sub-domain, configure the DNS server to use one of the organization's main DNS
servers as a forwarder. A forwarder provides recursive lookups for any queries that the DNS
server receives that it cannot answer based on its local zones. After you set up the forwarder,
the Windows 2000 DNS server is responsible for resolving any queries for computers or
resources that are contained within its own local domain. Any queries beyond this range,
however, are forwarded directly to the organization's main DNS servers for resolution.
To Add the Organization's Main DNS Servers to the List of Forwarders on the Windows 2000
Server:
1. Click Start, point to Programs, point to Administrative Tools, and then click DNS to start
the DNS Management Console.
2. Right click the DNS Server object for your server in the left pane of the console, and
click Properties.

3. Click the Forwarders tab.

4. Check the Enable forwarders check-box.

5. In the IP address box enter the IP address of the DNS servers you want to forward
queries to - typically the DNS server of your ISP. You can also move them up or down.
The one that is highest in the list gets the first try, and if it does not respond within a
given time limit - the query will be forwarded to the next server in the list.

6. Click OK.

How can I configure DNS forwarding for Internet

connection?
If you want you DNS server to be integrated into a larger DNS environment such as the Internet,
you will need to configure forwarding on your server.

To configure DNS forwarding:

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS to start
the DNS Management Console.
2. Right click the DNS Server object for your server in the left pane of the console, and
click Properties.

3. Click the Forwarders tab.

4. Check the Enable forwarders check-box.

5. In the IP address box enter the IP address of the DNS servers you want to forward

queries to - typically the DNS server of your ISP. You can also move them up or down.
The one that is highest in the list gets the first try, and if it does not respond within a
given time limit - the query will be forwarded to the next server in the list.

6. Click OK.

How can I change the Recovery Console

Administrator password on a Domain Controller?
When you promote a Windows 2000 Server-based computer to a domain controller, you are
prompted to type a Directory Service Restore Mode Administrator password. This password is
also used by Recovery Console, and is separate from the Administrator password that is stored
in Active Directory after a completed promotion.

Featured Product
Windows Key by LostPassword.com - Use this easy tool to reset any
Windows local or domain controller password in a minute. Money-back
guarantee. Download FREE version now!
The Administrator password that you use when you start Recovery Console or when you press
F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts
Manager (SAM) on the local computer. The SAM is located in the %SystemRoot

%\System32\Config folder. The SAM-based account and password are computer specific and
they are not replicated to other domain controllers in the domain.
For ease of administration of domain controllers or for additional security measures, you can
change the Administrator password for the local SAM. To change the local Administrator
password that you use when you start Recovery Console or when you start Directory Service
Restore Mode, use one of the following methods:

Method #1
If Windows 2000 Service Pack 2 or later is installed on your computer, you can use the
Setpwd.exe utility to change the SAM-based Administrator password. To do this:
At a command prompt, change to the %SystemRoot%\System32 folder.
To change the local SAM-based Administrator password, type
setpwd
and then press ENTER.
To change the SAM-based Administrator password on a remote domain controller, type
setpwd /s: servername
and then press ENTER, where servername is the name of the remote domain controller.
When you are prompted to type the password for the Directory Service Restore Mode
Administrator account, type the new password that you want to use.
Note: If you make a mistake, repeat these steps to run setpwd again.

Method #2
Shut down the domain controller on which you want to change the password.
Restart the computer. When the selection menu screen is displayed during the restart process,
press F8 to view advanced startup options.
Select the Directory Service Restore Mode option.
After you successfully log on, use one of the following methods to change the local
Administrator password:
At a command prompt, type the following command:
net user administrator *
Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password.

Shut down and restart the computer.

You can now use the Administrator account to log on to Recovery Console or Directory Services
Restore Mode using the new password.

Can I configure the Windows XP/2000/2003 Recovery

Console to auto-logon whenever I run it?
Yes, but be warned! By doing this, any user can gain access to your computer by using the
Recovery Console and without being prompted for an administrative password.
To set an automatic administrator logon for the Recovery Console, complete the following
steps while you are logged on with administrative privileges:
1. Double-click Administrative Tools in Control Panel, and then double-click Local Security
Policy.
2. Expand Security Settings , expand Local Policies, and then click Security Options .
Locate the "Recovery Console: Allow automatic administrative logon" policy. Doubleclick this policy, and then set it to "Enable".
3. Close the snap-in. The policy is effective immediately. Be sure to go back into the Local
Security Policy snap-in to make sure that the effective setting for the policy is
"Enabled".
The next time you boot to the Recovery Console, you won't be prompted for a password.

How can I delete the Recovery Console?

To delete the Recovery Console follow these steps:
1. Open My Computer.
2. Double-click the hard drive on which you installed the Recovery Console.
3. On the Tools menu, click Folder Options.
4. Click the View tab.
5. Click Show hidden files and folders, clear the Hide protected operating system files
check box, and then click OK.
6. At the root directory, delete the \Cmdcons folder.
7. At the root directory, delete the file Cmldr.
8. At the root directory, right-click the Boot.ini file and then click Properties.
9. Clear the Read-only check box, and then click OK.

10. Open Boot.ini in Notepad, and remove the entry for the Recovery Console. It will look
similar to this:
C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
11. Save the file and close it.

Can I use RIS to deploy the Recovery Console to my

client machines?
You can use a Remote Installation Server (RIS) to boot the client to Windows 2000 text-mode
Setup, and then select the Recovery Console option.
WARNING : This process is to be used only when recovery of the system is needed. This
process resets the computer's machine account in the Active Directory and requires that the
system be rejoined to the domain. Do not perform this action on domain controllers.
To add this option to the RIS server, create a template (.sif) file that contains the following
information.
You can use a text editor such as Notepad (or use setupmgr.exe from the Windows 2000
Resource Kit) to create the following file:

Note that the "Repartition = No" line must exist or RIS will attempt to reformat the hard disk.
The [UserData] section must also exist or Setup will not succeed.
When the Welcome To Setup screen appears, either press F10 or R to repair, and then press C
for the Recovery

How can I install the Windows XP/2000 Recovery

Console? How can I start the computer and use the
Recovery Console from the Setup CD-ROM?
The Windows Recovery console is designed to help you recover when your Windows-Based
computer does not start properly or does not start at all. If Safe mode and other startup
options do not work, you can consider using the Recovery Console. This method is
recommended only if you are an advanced user who can use basic commands to identify and
locate problem drivers and files. In addition, you must be an administrator to use the Recovery
Console.

Installing the Recovery Console

You can install the Recovery Console on your computer to make it available in case you are
unable to restart Windows. You can then select the Recovery Console option from the list of
available operating systems on startup. It is wise to install the Recovery Console on important
servers, and on the workstations of IT personnel. This article describes how you can install the
Recovery Console to your Windows XP computer. To install the Recovery Console, you must
have administrative rights on the computer.
Although you can run the Recovery console by booting directly from the Windows XP CD, it's
much more convenient to set it up as a startup option on your boot menu. To run directly by
booting from the CD see the "Using the Recovery Console" section later in this article.
To install the Recovery Console, perform the following steps:
1. Insert the Windows XP CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type
d:\i386\winnt32.exe /cmdcons
where d is the drive letter for the CD-ROM drive.
4. A Windows Setup Dialog Box appears, which describes the Recovery Console option.
5. The system prompts you to confirm installation. Click Yes to start the installation
procedure.
6. Restart the computer. The next time you start your computer, you will see a "Microsoft
Windows Recovery Console" entry on the boot menu.

Note: Alternatively, you can use a UNC to install the Recovery Console from a network share
point.

Running Recovery Console without installing it

If you cannot start your computer, you can run the Recovery Console from the Microsoft
Windows XP/2000 startup disks or the Windows XP/2000 CD-ROM.
To run the Recovery Console from the Windows XP startup disks or the Windows XP CD-ROM,
use the following steps:
1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP
CD-ROM into the CD-ROM drive, and then restart the computer.
2. Click to select any options that are required to start the computer from the CD-ROM
drive if you are prompted to do so.
3. When you're prompted to press F6 for mass storage devices - press F10 instead. This
will automatically start the Recovery Console.
4. Alternatively, when the "Welcome to Setup" screen appears, press R to start the
Recovery Console.
5. If you have a dual-boot or multiple-boot computer, choose the installation that you
need to access from the Recovery Console.
6. When you are prompted to do so, type the Administrator password. If the administrator
password is blank, just press ENTER.
7. At the command prompt, type the appropriate commands to diagnose and repair your
Windows XP installation.
For a list of commands that are available in Recovery Console, type recovery console
commands or help at the command prompt, and then press ENTER.
For information about a specific command, type help commandname at the command prompt,
and then press ENTER.
To exit the Recovery Console and restart the computer, type exit at the command prompt, and
then press ENTER.

In the Windows XP/2003 Recovery Console I cannot

access any drives or folders other than the system
folder. Can I change this setting?
Yes. When you use the Windows Recovery Console, you can use only the following folders:

The root folder

The %SystemRoot% folder and the subfolders of the Windows installation that you are
currently logged on to.

The Cmdcons folder.

Removable media drives such as CD-ROM or DVD-ROM drives.

Note: If you try to obtain access to other folders, you receive an "Access Denied" error
message. Also, while you are using the Windows Recovery Console, you cannot copy a file
from the local hard disk to a floppy disk. You can copy a file from a floppy disk or from a CDROM to a hard disk, and from one hard disk to another hard disk.
If you pre-install the Recovery Console on a computer, you should use Group Policy to enhance
the environment settings, adding power to the available file operations. To do so:
1. Click Start , click Run, type
gpedit.msc
2. Click Local Computer, click Finish , and then click Close to return to the Add/Remove
Snap-in dialog box.
3. Click OK to return to the Console window.
4. Expand the Local Computer Policy object to Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options.
5. Select the Security Options object in the Console pane to display the security policies in
the Details pane.
6. In the Details pane, double-click the Recovery Console: Allow Floppy Copy And Access
To All Drives And Folders policy.
7. Click Enabled, and then click OK.
8. Quit the MMC.
After you have enabled this Group Policy, when you enter the Recovery Console you can
change the environment settings with the set command, by using the set variable = TRUE or
FALSE syntax.
Note: Be sure to use a space on each side of the equal sign. If you do not, the set command
generates a "syntax error" error message and does not work.
The following variables define the default environment. The variables, when set to TRUE,
enlarge the scope of the environment setting and have the following meanings:
AllowWildCards = TRUE - Enable wildcard support for some commands (such as the del
command).
AllowAllPaths = TRUE - Allows access to all files and folders on the computer.

AllowRemovableMedia = TRUE - Allow files to be copied to removable media, such as a

floppy disk.
NoCopyPrompt = TRUE - Do not prompt when overwriting an existing file.
To see the current settings for the environment, type set without parameters at a command
prompt.

Why can't I install the Recovery Console on a system

that has software RAID1 (Mirroring) on it?
When your system partition (containing the Ntldr, Ntdetect.com, and Boot.ini files) is part of a
Windows basic or dynamic disk software mirror, you cannot pre-install the Recovery Console. If
you try to pre-install the Recovery Console with the winnt32 /cmdcons command, you receive
the following error message:
No valid system partitions were found, Setup is unable to continue.
The winnt32 /cmdcons command performs the same system checks as a "clean" installation. A
clean installation of Windows is not allowed on a mirrored system partition.
If you want the Recovery Console pre-installed on a mirrored system partition to help facilitate
a repair, you must break the mirror, install the Recovery Console, then re-establish the mirror.
If you are using legacy basic disk mirroring, you should not break the mirror unless you plan
to upgrade the disk from basic to dynamic. Legacy disk mirrors cannot be re-created in
Windows; only dynamic disk mirrors can be created.
Pre-installing the Recovery Console on a computer running Microsoft Windows NT 4.0 is
allowed, but you must break the mirror, install the Recovery Console, re-establish the mirror,
and then upgrade to Windows 2000 or Windows XP. This process retains your legacy basic disk
mirroring.

What is the Recovery Console? How can I use it? What

will it help me do?
If safe mode and other startup options do not work, you can consider using the Recovery
Console. This method is recommended only if you are an advanced user who can use basic
commands to identify and locate problem drivers and files. In addition, you must be an
administrator to use the Recovery Console.
Using the Recovery Console, you can enable and disable services, format drives, read and
write data on a local drive (including drives formatted to use NTFS), and perform many other
administrative tasks. The Recovery Console is particularly useful if you need to repair your
system by copying a file from a floppy disk or CD-ROM to your hard drive, or if you need to
reconfigure a service that is preventing your computer from starting properly.

After you start the Recovery Console you will have to choose which installation you want to log
on to (if you have a dual-boot or multiple-boot system) and you will have to log on with your
administrator password.
The console provides commands you can use to do simple operations such as changing to a
different directory or viewing a directory, and more powerful operations such as fixing the boot
sector. You can access Help for the commands in the Recovery Console by typing help at the
Recovery Console command prompt.
The following commands can be used with the Recovery Console:
Attrib - Changes the attributes of a file or directory.
Batch - Executes the commands specified in the text file.
Bootcfg - Boot file (boot.ini) configuration and recovery.
ChDir (Cd) - Displays the name of the current directory or changes the current directory.
Chkdsk - Checks a disk and displays a status report.
Cls - Clears the screen.
Copy - Copies a single file to another location.
Delete (Del) - Deletes one or more files.
Dir - Displays a list of files and subdirectories in a directory.
Disable - Disables a system service or a device driver.
Diskpart - Manages partitions on your hard drives.
Enable - Starts or enables a system service or a device driver.
Exit - Exits the Recovery Console and restarts your computer.
Expand - Extracts a file from a compressed file.
Fixboot - Writes a new partition boot sector onto the specified partition.
Fixmbr - Repairs the master boot record of the specified disk.
Format - Formats a disk.
Help - Displays a list of the commands you can use in the Recovery Console.
Listsvc - Lists the services and drivers available on the computer.

Logon - Logs on to a Windows installation.

Map - Displays the drive letter mappings.
Mkdir (Md) - Creates a directory.
More - Displays a text file.
Net Use - Connects a network share to a drive letter.
Rename (Ren) - Renames a single file.
Rmdir (Rd) - Deletes a directory.
Set - Displays and sets environment variables.
Systemroot - Sets the current directory to the systemroot directory of the system you are
currently logged on to.

Type - Displays a text file.