Active Directory Notes

This section provides some additional information about Active Directory; since this is a complicated topic, you'll definitely want to read this section.

Active Directory Users and Computers

If you try to connect to a domain controller using this console and receive an error message that the domain can't be contacted or doesn't exist, check to make sure the Windows Time Service is running on the domain controller.

If the console connects to a domain but performs slowly or hangs, you may have a DNS problem. Check to make sure your DNS server contains the proper SRV records for the domain. Another possibility is that your DNS server may have records pointing to nonexistent or unavailable domain controllers (check to make sure all your domain controllers are running too).
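The two checks just described, as an added PowerShell example that is not from the book: it verifies the Windows Time Service, resolves the DC locator SRV record for a domain, and probes LDAP on each target so a stale record pointing at a missing domain controller stands out. It assumes Windows PowerShell 3 or later with the DnsClient module, and the domain name mtit.local is the book's example.

```powershell
# Added example (not from the book). Run on the domain controller you are
# trying to reach, since the time-service check is local.
function Test-DcLocator {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{ TimeServiceRunning = $false; SrvRecords = @(); Unreachable = @() }

    # 1. Windows Time Service: a stopped W32Time on the DC is the first cause the
    #    text names for "domain cannot be contacted / does not exist".
    $svc = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    $result.TimeServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. The SRV record every domain member uses to locate a domain controller.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }

    foreach ($rec in $srv) {
        $result.SrvRecords += $rec.NameTarget
        # 3. A record that points at a DC which is gone or down makes the console
        #    hang until it times out, so probe LDAP (TCP 389) on each target.
        $ok = Test-NetConnection -ComputerName $rec.NameTarget -Port 389 `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) { $result.Unreachable += $rec.NameTarget }
    }
    [pscustomobject]$result
}

# No SRV records at all means the DNS zone is missing the _msdcs entries;
# names listed under Unreachable are the stale or offline DCs to clean up.
Test-DcLocator -Domain 'mtit.local'
```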

Normally, when you start Active Directory Users and Computers, it automatically connects to an available domain controller in the domain to which you are currently logged on. If desired, you can start this console from the command line to connect to a different domain or a specific domain controller. Suppose you are currently logged on to the mtit.local domain as Administrator. To open the console and connect to a domain named usa.mtit.local:

  dsa.msc /domain=usa.mtit.local  

To open the console and connect to a domain controller named dc5 in the domain canada.mtit.local:

  dsa.msc /server=dc5.canada.mtit.local  

WS2003 includes a revamped object picker that allows you to select multiple objects in the details pane of an MMC console, like Active Directory Users and Computers, in order to modify the properties of multiple objects simultaneously.

Client Computers

If you want Windows 98, Windows Me, or NT 4.0 post-SP3 computers to participate in an Active Directory-based network, you need to download and install the Active Directory Client Extensions for these operating systems from Microsoft's web site. This feature allows these machines to take advantage of advanced features like SMB signing that are available only when these extensions are installed. Computers running Windows 95 or NT 4.0 with SP3 or earlier can't log on to WS2003 domains unless SMB signing is disabled on WS2003 domain controllers by doing the following:

Default Domain Controller Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Microsoft network server: Digitally sign communications (always) → Disabled

Compacting Active Directory

Active Directory automatically performs periodic garbage collection to optimize its performance, but this online defragmentation process doesn't compact the datastore to reclaim disk space. If you frequently make changes to Active Directory, you may want to supplement this with occasional offline defragmentation. To do this, press F8 during startup to open the Windows Advanced Options Menu and select the option to start your domain controller in Directory Services Restore Mode. Then log on using the local Administrator account for the machine and use the ntdsutil utility to perform the offline defragmentation. Note that the password for the local Administrator account is set during dcpromo.

New in WS2003 is the ability to manually initiate an online defragmentation of Active Directory. To do this, first install the WS2003 Support Tools from \SUPPORT\TOOLS on the product CD. Run the Ldp tool, bind to your domain as an administrator, select Browse → Modify, and enter the following information:

  Dn:         (leave this blank)
  Attribute:  DoOnlineDefrag
  Value:      180

Leave Add selected, click Enter → Run, and an online defragmentation process is initiated and runs once for 180 seconds.

Enable Diagnostic Logging

If you're experiencing problems with certain aspects of Active Directory, such as directory replication, you can enable various levels of diagnostic logging to help troubleshoot its operation. Open Registry Editor and select the following key:

  HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Then open the appropriate value (in this case 5 Replication Events) and change the level of diagnostic logging from 0 (none) to 1 (minimum), 3 (medium), or 5 (maximum), as appropriate. Diagnostic events are recorded in the directory service log in Event Viewer. Be sure you don't enable too high a level of diagnostic logging for too many aspects of Active Directory or your log will fill rapidly and performance of your domain controller may degrade.
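The registry change above done from PowerShell, as an added example that is not from the book: one function lists the current level of every diagnostic category under the key, and the other sets a category while refusing to put a second category at level 5, which addresses the log-flooding caveat. It assumes Windows PowerShell run as an administrator on the domain controller; the only category name used is the book's 5 Replication Events.

```powershell
# Added example (not from the book). Level scale as the text gives it:
# 0 none, 1 minimum, 3 medium, 5 maximum.
$NtdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-NtdsDiagnosticLevel {
    # Every value under the key is one logging category. Get-ItemProperty also
    # attaches PSPath/PSParentPath/... metadata, which is skipped here.
    $item = Get-ItemProperty -Path $NtdsDiag
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Category = $_.Name; Level = [int]$_.Value } }
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string]$Category,                 # e.g. '5 Replication Events'
        [Parameter(Mandatory)][ValidateSet(0, 1, 3, 5)][int]$Level
    )
    # Guard for the caveat in the text: verbose logging on many categories fills
    # the Directory Service log quickly and slows the DC, so allow only one
    # category at maximum at a time.
    $othersAtMax = Get-NtdsDiagnosticLevel |
                   Where-Object { $_.Level -ge 5 -and $_.Category -ne $Category }
    if ($Level -eq 5 -and $othersAtMax) {
        throw "Already at level 5: $($othersAtMax.Category -join ', '). Lower those first."
    }
    Set-ItemProperty -Path $NtdsDiag -Name $Category -Value $Level -Type DWord
}

# Raise replication diagnostics to minimum, then show the whole table so the
# change can be reverted to 0 once troubleshooting is done.
Set-NtdsDiagnosticLevel -Category '5 Replication Events' -Level 1
Get-NtdsDiagnosticLevel | Sort-Object Category | Format-Table -AutoSize
```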

Failure During Active Directory Installation

Active Directory installation can fail if your server doesn't have network connectivity, so make sure your server's network card is securely attached to a switch or hub using a cable. If installation still fails, try uninstalling the following network components:

  • Client for Microsoft Networks

  • File and Printer Sharing for Microsoft Networks

  • TCP/IP Protocol

Reinstall these components and try installing Active Directory again.

LDAP Queries

Note that Active Directory on WS2003 doesn't allow anonymous LDAP operations to be performed against it, with the exception of binds and rootDSE searches. Instead, you must be an authenticated user to successfully issue an LDAP request against Active Directory. You can override this behavior; see Knowledge Base article 326690 on support.microsoft.com.

Publishing Resources

If your network includes slow WAN links, publish only resources that change relatively infrequently to prevent unnecessary replication traffic from consuming valuable network bandwidth. If you move a published resource to a different server on the network, update the information about the resource in Active Directory to reflect this. In this way, users can still connect to the resource without needing to know its new location. This is really the main benefit of publishing resources in Active Directory: it frees users from the need to memorize which server the resource is located on in the network.

See Also

adprep, Backup, csvde, Delegation, DNS, Domain, Domain Controller, dsadd, dsget, dsmod, dsmove, dsquery, dsrm, Groups, Forest, Group Policy, ldifde, OU, Printing, Site, Trusts, Users



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch