This appendix summarizes some registry settings and Active Directory objects that can be useful for administrators when managing and tuning Active Directory. Be careful, since direct editing of the registry and Active Directory objects is an advanced technique!
Keep in mind that some registry values may be absent on domain controllers, especially on those that are running on Windows .NET (in such cases, the default values are used). Therefore, you need to first create a value and then give it a specified setting. To edit attributes of directory objects, use the ADSI Edit snap-in.
To disable caching of positively answered lookup queries on the DNS client, set the REG_DWORD MaxCacheEntryTtlLimit value to zero (default is 86,400 seconds, or a day) under the registry key HKLM\System\CurrentControlSet\Services\DnsCache\Parameters\.
To disable caching of negatively answered lookup queries, set the REG_DWORD NegativeCacheTime Value to zero under the key HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters (the default value is 300 seconds).
When a domain controller is ready to operate as a Global Catalog server, the Global Catalog Promotion Complete registry value under the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key must be equal to 1 (you cannot change it, nor do you need to); at the same time, the isGlobalCatalogReady attribute of the RootDSE object is set to 1.
When a server has been successfully promoted to a domain controller, the HKLM\SYSTEM\CurrentControlSet\Services registry key must contain the NTDS subkey. When the DC has performed a full synchronization of all directory partitions, the isSynchronized attribute of the RootDSE object is set to TRUE.
To troubleshoot Active Directory problems, you raise the diagnostic levels (up to 5) for necessary event types and then view them in the Directory Service log. All level values are stored under the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics key. For example, to track all changes in Active Directory on a specific DC, set the 8 Directory Access value to 4.
All created dynamic objects live for one day. When a dynamic object is updated, its existence is determined by a minimal lifetime. Both control values are stored in the msDS-Other-Settings attribute of the CN=Directory Service,CN=Windows NT, CN=Services,CN=Configuration,DC=ForestDnsName directory object:
DynamicObjectDefaultTTL=86400 sec (1 day)
DynamicObjectMinTTL=900 sec (15 minutes)
You can prevent a domain controller from answering the LDAP queries from specific IP address(es). To do so, edit the lDAPIPDenyList attribute of the CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services, CN=Configuration,DC=ForestDnsName directory object. Follow two examples: the string of ASCII codes "31 39 32 2E 31 36 38 2E 31 2E 31 2E 31 32 33 20 32 35 35 2E 32 35 35 2E 32 35 35 2E 32 35 35" defines a single node "192.168.1.123 255.255.255.255"; and the string "31 39 32 2E 31 36 38 2E 31 2E 30 20 32 35 35 2E 32 35 35 2E 32 35 35 2E 30" defines a subnet "192.168.1.0 255.255.255.0".
By default, the Default Query Policy is used (albeit not set!) on every domain controller. It is stored in the CN=Default Query Policy, CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ForestDnsName object. The lDAPAdminLimits attribute contains all LDAP administrative limits.
To assign a query policy to a site, create a query policy object and specify its distinguished name in the queryPolicyObject attribute of the NTDS Site Settings object (of the nTDSSiteSettings object class). Every site has a similar object; see childs of the CN=Sites,CN=Configuration,DC=ForestDnsName object.
To see which DCs store the replicas of an application partition, find the corresponding crossRef object in the CN=Partitions,CN=Configuration,DC=ForestDnsName container. The multi-valued attribute msDS-NC-Replica-Locations (syntax DN) contains distinguished names (DN) of all nTDSDSA objects that represent the domain controllers (Active Directory servers) that hold replicas of that partition; here is an example of such a name: CN=NTDS Settings,CN=NETDC1,CN=Servers, CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom.
You can also search the Sites container of the Configuration partition for nTDSDSA objects whose hasMasterNCs attribute contains the DN of the application partition. For example, for the ForestDnsZones.net.dom application partition, you can use the following search filter:
When the Active Directory database is restored from backup media, it is not in a valid format. The Backup utility automatically adds the RestoreInProgress value to the HKLM\SYSTEM\CurrentControlSet\Services\NTDS key when restore is successful. Active Directory reads this value after the system reboot, and performs a consistency check and re-index of the database files. Then, the RestoreInProgress value is automatically deleted. You must not add, delete, or change this value; however, you can check it to be sure that the restore has been successfully completed and that Active Directory is in operational condition.
To disable browsing of Active Directory containers and OUs as well as specific directory objects in the My Network Places folder or in the Active Directory Users and Groups snap-in (in normal node), you can modify the showInAdvancedViewOnly attribute of the corresponding object and set it to TRUE (default setting for usual objects, such as users, groups, as so on, is <Not Set>, i.e., FALSE).
When a directory object is deleted, it is moved to the Deleted Objects container and is marked as a tombstone. By default, the tombstone lifetime is 60 days (minimum setting is 2 days). When a tombstone is deleted during a period that exceeds the lifetime value, a special garbage collection process will completely remove the directory object. This process runs at regular intervals (by default, 12 hours; minimum setting is 1 hour); it also defragments the Active Directory database. Two attributes, tombstoneLifetime and garbageCollPeriod, of the cn=Directory Service,cn=Windows NT, cn=Services,cn=Configuration,dc=ForestDnsName object control both parameters.
When a DC has been offline for a period that exceeds the tombstone lifetime, the tombstones stored on it cannot be completely removed and replicated to/from other DCs (since the other DCs do not store such deleted objects at this point). The following sample command will help you to remove tombstones and repair replication:
C:\>repadmin /removelingeringobjects netdc4.net.dom df69f38c-c924-492d- a7e6-3bOb1bc7dcc5 DC=net,DC=dom RemoveLingeringObjects sucessfull on netdc4.net.dom.
The target DC is specified by its DNS name, and a "reference" DC is represented by its GUID name (use the repadmin /showreps command to view DC object GUIDs).