Domain Controller Tasks


Upgrade Domain Controllers

Upgrading W2K domain controllers to WS2003 is trivial since no modification of the namespace is required. Make sure all your W2K domain controllers have the latest service pack installed, use adprep to prepare the forest by extending the schema, and then run Setup on each domain controller to upgrade to WS2003.

If you are upgrading an NT domain, you need to upgrade the PDC first:

Synchronize all BDCs with PDC → take one BDC offline in case something goes wrong → insert WS2003 product CD into PDC → select Upgrade

Test your new mixed-mode domain, then upgrade the remaining BDCs, test, and once you're sure everything works, you can upgrade or decommission the BDC you set aside for an emergency.

Configure a Domain Controller

There's very little to configure on a domain controller:

Active Directory Users and Computers → select domain → select OU → right-click on a domain controller → Properties

The "Trust computer for delegation" setting on the General tab enables services on the local machine running under the LocalSystem account to request services from other servers on behalf of clients. Since this can be a security concern, enable it only if you know it will be needed (for example, to allow the Message Queuing Service to run on the machine). None of the other settings on the properties sheet are really important, though a few (such as displaying the latest service pack installed on the machine) are informative.

Manage a Domain Controller

Active Directory Users and Computers → choose domain → choose OU → right-click on a domain controller → Manage

This opens the Computer Management console with the focus on the selected domain controller.

Verify FSMO Roles

Various consoles are used to determine whether a particular domain controller in a particular domain has an FSMO role assigned to it. Specifically, to verify Infrastructure master, PDC emulator, or RID master roles:

Active Directory Users and Computers → right-click on root node → Connect to a domain → right-click on root node → Connect to a domain controller → right-click on root node → All Tasks → Operations Masters

If an Infrastructure, PDC, or RID tab is visible, the selected domain controller in the selected domain has that FSMO role.

To verify the domain-naming master role:

Active Directory Domains and Trusts → right-click on root node → Operations Master

To verify the schema master role:

Active Directory Schema → right-click on root node → Operations Master

Transfer FSMO Roles

To transfer an FSMO role to a different domain controller, follow the procedure described in the previous section, Verify FSMO Roles, and then:

Change → select a different domain controller in the domain.

You can also transfer FSMO roles from the command line using the ntdsutil utility.

Seize FSMO Roles

If your domain controller goes down before you can transfer its FSMO roles to another domain controller, you'll have to seize these roles to assign them to another domain controller. This must be done from the command line using the ntdsutil utility.
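The following PowerShell session is an added example, not from the book, showing the ntdsutil command-line equivalents of the Transfer and Seize procedures above. It assumes two domain controllers named DC1 (the current role holder) and DC2 (the one that should take over); replace these with your own names.

```powershell
# Added example (not from the book): verify, transfer and seize FSMO roles
# from the command line with ntdsutil. Assumed names: DC1 is the current
# (possibly failed) role holder, DC2 is the domain controller taking over.
# ntdsutil accepts its interactive menu commands as quoted arguments, so each
# call below is the same sequence you would type at the ntdsutil: prompt.
# Both transfer and seize still pop up a Yes/No confirmation dialog.

# 1. Record who holds the five roles before changing anything
#    (netdom ships in the WS2003 Support Tools; dcdiag is an alternative).
netdom query fsmo
dcdiag /test:KnowsOfRoleHolders /v

# 2. Transfer (the current holder is still online): ntdsutil contacts the
#    current holder and moves the role cleanly to DC2.
ntdsutil "roles" "connections" "connect to server DC2" "quit" `
         "transfer pdc" "quit" "quit"

# 3. Seize (the current holder is down for good): ntdsutil first attempts a
#    normal transfer and, when the holder cannot be reached, forces DC2 to
#    claim the role. Role names accepted by transfer/seize:
#      pdc | rid master | infrastructure master |
#      domain naming master | schema master
ntdsutil "roles" "connections" "connect to server DC2" "quit" `
         "seize rid master" "quit" "quit"

# 4. Verify the new holders. After seizing the RID, schema or domain naming
#    master, never bring the old holder (DC1) back online; remove it instead
#    with ntdsutil "metadata cleanup" so two servers can't both claim the role.
netdom query fsmo
```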

Promote/Demote a Domain Controller

To promote a member server to the role of domain controller, you can:

Manage Your Server → Add or Remove Role → Domain Controller

Alternatively, you can use DCPromo; for example, to create a child domain:

Start → Run → dcpromo → Domain controller for a new domain → Create a new child domain in an existing tree → specify Enterprise Admin credentials and DNS name of forest root domain → specify parent domain → specify name for child domain → specify permissions → specify password for Directory Services Restore Mode → reboot

Promoting and demoting computers to the role of domain controller has certain drastic effects:

  • If you promote a standalone server, any local user accounts on the machine will be lost. If you demote a domain controller, any domain user accounts in Active Directory will be lost if this is the last domain controller in the domain.

  • Any cryptographic keys stored on the computer will be lost after promotion or demotion and should be exported if necessary.

  • Any EFS-encrypted files will be inaccessible after promotion or demotion and should therefore be unencrypted before the action is taken.

To demote a domain controller, either remove the role using Manage Your Server or run DCPromo again. If there are still other domain controllers in the domain, the domain controller you are demoting becomes a member server in the domain. If you are demoting the last domain controller in the domain, the domain controller becomes a standalone server. Note that you can't remove the last domain controller from a domain if your domain is a parent for other domains. To remove the last domain controller in the domain:

Start → Run → dcpromo → specify the server as the last domain controller in the domain → specify an Enterprise Admins account for the forest → specify a password for a new local Administrator account → reboot

If you try to use DCPromo to demote a domain controller and the procedure fails for some reason, use dcpromo /forcedremoval to force the computer to return to the member server state.

Install from Media

If you need to deploy domain controllers at remote sites where qualified administrators aren't present, you can use the new Install From Media feature of WS2003. This new feature lets you prestage new domain controllers for an existing domain by installing them from the backup media created by backing up an existing domain controller. The procedure uses the Backup utility under System Tools in Accessories:

Back up the system state of an existing domain controller in the domain → start Backup on the remote server → Restore Files and Settings → System State → Advanced → Alternate Location → specify a folder → Replace Existing Files → Finish → Start → Run → dcpromo /adv → Additional domain controller for existing domain → select restored backup files → specify administrator credentials → specify domain

WS2003 does a better job of demoting domain controllers than W2K and removes folders and files that were previously left behind.

Assign a Global Catalog Server

To assign the role of global catalog server to a domain controller:

Active Directory Sites and Services → Site container → Servers container → right-click on domain controller → Properties → General → select Global Catalog

To remove the role of global catalog server from a domain controller:

Active Directory Sites and Services → Site container → Servers container → right-click on domain controller → Properties → General → deselect Global Catalog

Add an Attribute to the Global Catalog

This procedure is useful to speed up search queries across domains for an attribute that is not included by default in the global catalog. For example, you might want to add the Phone Number attribute for user objects to the Global Catalog so users can search for other users' phone numbers easily in a multidomain forest:

Active Directory Schema → expand Attributes container → right-click on attribute → Properties → Replicate this attribute to the Global Catalog



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch
