Windows 2000 Active Directory Diagnostics, Troubleshooting

Windows 2000 Active Directory Diagnostics, Troubleshooting and Recovery
3 Leaf Solutions LLC

What we will cover:
- Verifying Active Directory functionality
- Diagnosing and troubleshooting replication
- Locating Active Directory database files
- Backing up and recovering system state data
- Seizing FSMO roles

Prerequisite Knowledge
- Experience supporting Microsoft Networks
- Experience administering Windows 2000 Servers
- Experience administering Active Directory Domains
Level 200

Agenda
- Verify Active Directory Functionality
- Troubleshoot Replication
- Active Directory Database Maintenance
- Backup and Recovery
- Seizing FSMO Roles

Verify Active Directory Functionality
- Turn Up Active Directory Logging
  - A good first step when troubleshooting Active Directory
  - Allows for more verbose event logging
  - Can generate a lot of logged data
  - Requires editing the Registry
  - May need to increase the size of event logs
- Check Event Viewer
  - Active Directory events are in the Directory Service event log

Verify Active Directory Functionality
- DNS
  - Critical for Active Directory name resolution
  - Windows 2000 domain controllers must register in DNS
  - Allows Windows 2000 servers and clients to locate domain controllers
- NSLOOKUP
  - Command-line tool
  - Displays information from DNS servers
  - Can determine if Windows 2000 domain controllers are registered in DNS correctly

Verify Active Directory Functionality
- Windows 2000 Support Tools utilities
  - DCDIAG and NETDOM command-line utilities
- DCDIAG
  - Analyze state of domain controllers in forest
  - Run several tests and report problems
- NETDOM
  - Manages and verifies Windows 2000 domains and trust relationships
  - Verifies domain controllers have correct credentials, can replicate with partners, etc.

Demonstration 1: Verify Active Directory Functionality
- Turn up logging
- DNS and NSLOOKUP
- DCDIAG and NETDOM
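
The checks listed for this demonstration, written out as a command script. This is an added example, not part of the original slides; the domain and server names are placeholders, and reg.exe is assumed to be available from the Windows 2000 Support Tools.

```batch
@echo off
rem Added example. DOMAIN and DC are placeholder names for illustration.
set DOMAIN=example.com
set DC=dc1.example.com
set DIAG=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

rem 1. Raise Directory Service logging for two categories.
rem    Levels run from 0 (default) to 5 (most verbose); 3 is already noisy,
rem    so enlarge the Directory Service event log first if it is small.
reg add "%DIAG%" /v "1 Knowledge Consistency Checker" /t REG_DWORD /d 3 /f
reg add "%DIAG%" /v "5 Replication Events" /t REG_DWORD /d 3 /f

rem 2. Confirm the domain controllers registered their locator SRV records.
rem    Every DC of the domain should appear as a "svr hostname" in the answers.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
nslookup -type=SRV _kerberos._tcp.dc._msdcs.%DOMAIN%

rem 3. Run the DCDIAG test suite against one DC, verbose, logged to a file.
dcdiag /s:%DC% /v /f:dcdiag-%DC%.log

rem 4. List the domain's DCs and its FSMO role holders with NETDOM.
netdom query /domain:%DOMAIN% dc
netdom query /domain:%DOMAIN% fsmo

rem 5. Reproduce the problem and read the Directory Service event log,
rem    then press a key to put logging back to the default level.
pause
reg add "%DIAG%" /v "1 Knowledge Consistency Checker" /t REG_DWORD /d 0 /f
reg add "%DIAG%" /v "5 Replication Events" /t REG_DWORD /d 0 /f
```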

Troubleshoot Replication: Directory and File Replication
- Directory Service Replication
  - Replicates computer and user accounts, and other directory objects
  - Provides enterprise-wide authentication
- File Replication
  - Uses File Replication Service
  - Replicates logon scripts and policies

Troubleshoot Replication: Replication Between Domain Controllers
[Diagram: two domain controllers. Directory Replication carries directory objects (users, computers, etc.); the File Replication Service carries SYSVOL (logon scripts, policies, etc.).]

Troubleshoot Replication: Active Directory Replication Monitor
- Windows 2000 Support Tools utility
- Also called REPLMON
- View low-level status of Active Directory replication
- View replication topology in graphical format
- Force replication between domain controllers
  - Even across site boundaries

Troubleshoot Replication: REPADMIN Command-line Tool
- Windows 2000 Support Tools utility
- Diagnose replication problems between domain controllers
- Show replication partners
- Force replication between domain controllers
- Discover from where domain objects are replicated

Troubleshoot Replication: File Replication Service
- FRS replicates the SYSVOL
  - Contains NETLOGON share
  - Stores logon scripts and system policies
  - Contains Group Policies in separate folders
- Stores replication information in a JET database
- Replaces Replication Manager found on Windows NT 4.0 servers

Troubleshoot Replication: NTFRSUTL Command-line Tool
- Examines state of File Replication Service on local or remote computers
- Verifies that a server is a member and subscriber of the SYSVOL replica set
  - The replica set is the set of files and folders specified to replicate
- View daily replication schedule
- Troubleshoot FRS configuration problems

Demonstration 2: Diagnosing and Troubleshooting Replication
- REPLMON tool
- REPADMIN tool
- Troubleshoot FRS with NTFRSUTL
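
The command-line part of this demonstration as a script, covering the REPADMIN and NTFRSUTL tasks named on the preceding slides. This is an added example, not part of the original slides; the server names, the domain naming context and the object name are placeholders.

```batch
@echo off
rem Added example. DC names, the naming context and the object are placeholders.
set DC1=dc1.example.com
set DC2=dc2.example.com
set NC=DC=example,DC=com

rem Show DC1's inbound replication partners for each naming context,
rem with the time and result of the last replication attempt.
repadmin /showreps %DC1%

rem Show replication metadata for one object as DC1 holds it: for every
rem attribute, the originating domain controller, time and version number.
repadmin /showmeta "CN=Administrator,CN=Users,%NC%" %DC1%

rem Force DC1 to synchronize the domain naming context with all of its
rem partners; /e extends the synchronization across site boundaries.
repadmin /syncall %DC1% "%NC%" /e

rem FRS: dump the service's view of the directory on DC2 (member and
rem subscriber objects, schedule) and then its active replica sets.
rem DC2 should be listed as member and subscriber of the SYSVOL replica set.
ntfrsutl ds %DC2%
ntfrsutl sets %DC2%
```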

Active Directory Database Maintenance: NTDSUTIL Command-line Utility
- Locate Active Directory database files
- Perform database maintenance
- Manage FSMO roles
- Clean domain controller accounts
  - Left when domain controllers are improperly removed
- May need to boot into Directory Services Restore Mode

Active Directory Database Maintenance NTDSUTIL is an interactive tool

Demonstration 3: Active Directory Database Maintenance
- View Active Directory Database and Log files
- Database Maintenance

Backup and Recovery: What is the system state?
- Active Directory
- Boot files
- COM class registration database
  - Installed COM applications
- Registry
- SYSVOL
  - Group policies and logon scripts
- Cluster service database information

Backup and Recovery: Backing up system state data
- Use Windows 2000 Backup utility
  - Easy to use and schedule backups
  - Can back up system state while the server is online and functioning
  - Can back up to a file or a network location
  - May generate large backup files

Backup and Recovery: Restoring system state data
- Use Windows 2000 Backup utility
  - Can restore to original or alternate location
  - Can specify whether to overwrite existing files
- Non-authoritative restores
- Authoritative restores
  - Recover deleted directory objects
  - Restore objects changed since backup
  - Use NTDSUTIL

Backup and Recovery: Authoritative restore
[Diagram: System State is restored from backup media to a domain controller; NTDSUTIL is used to mark the restored Active Directory objects (user, OU, etc.) as authoritative; the authoritative data is then replicated to the other domain controllers.]

Demonstration 4: Backup and Recovery
- Backup system state
- Delete an OU and force replication
- Perform an authoritative restore
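
The NTDSUTIL step of the authoritative restore, with the follow-up check, as a two-phase script. This is an added example, not part of the original slides; the script name authrestore.cmd, the OU and the server name are placeholders.

```batch
@echo off
rem Added example. Usage: authrestore.cmd mark | authrestore.cmd verify
rem SUBTREE and DC are placeholders for the deleted OU and the restored DC.
set SUBTREE=OU=Sales,DC=example,DC=com
set DC=dc1.example.com

if /i "%1"=="mark" goto mark
if /i "%1"=="verify" goto verify
echo Usage: %0 mark ^| verify
goto end

:mark
rem Run in Directory Services Restore Mode, after Windows 2000 Backup has
rem restored System State and BEFORE the server is restarted normally.
rem "restore subtree" marks only the named subtree as authoritative;
rem "restore database" would mark the whole directory, overwriting every
rem change made on other domain controllers since the backup.
ntdsutil "authoritative restore" "restore subtree %SUBTREE%" quit quit
goto end

:verify
rem Run after the normal restart. The marked objects carry raised version
rem numbers, so this DC's copy wins when partners replicate from it.
repadmin /showmeta "%SUBTREE%" %DC%
repadmin /showreps %DC%

:end
```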

Seize FSMO Roles: What are FSMO roles?
- Forest and domain-level operations controlled by a single domain controller
- Roles requiring single masters
  - Schema Master
  - Domain Naming Master
  - Primary Domain Controller (PDC) Emulator
  - Relative ID (RID) Master
  - Infrastructure Master

Seize FSMO Roles: Seizing FSMO roles
- Necessary operation when a role-holding domain controller is improperly removed
  - Not always possible due to hardware failure, etc.
- Use NTDSUTIL
  - Allows you to transfer roles when the role-holding server is still online
  - Allows you to seize any or all FSMO roles if the role-holding server is unavailable

Seize FSMO Roles: Seizing the PDC role
[Diagram, three stages:
 1. A Windows NT 4.0 domain controller synchronizes with the Windows 2000 domain controller that holds the PDC FSMO role.
 2. The PDC FSMO role holder fails (X); the Windows NT 4.0 domain controller is no longer in sync.
 3. Another Windows 2000 domain controller seizes the PDC role (use NTDSUTIL to seize the PDC role); the Windows NT 4.0 domain controller now synchronizes with the new PDC role holder.]

Demonstration 5: Seizing FSMO Roles
- Seize FSMO roles using NTDSUTIL
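
The role seizure from this demonstration as a script, with a check of the role holders before and after. This is an added example, not part of the original slides; the domain and the name of the surviving domain controller are placeholders.

```batch
@echo off
rem Added example. DOMAIN and NEWHOLDER are placeholder names.
set DOMAIN=example.com
set NEWHOLDER=dc2.example.com

rem 1. Record the current role holders before changing anything.
netdom query /domain:%DOMAIN% fsmo

rem 2. If the old holder is still online, transfer the role instead:
rem    ntdsutil roles connections "connect to server %NEWHOLDER%" quit "transfer PDC" quit quit

rem 3. The old holder is unavailable: seize the PDC role onto NEWHOLDER.
rem    NTDSUTIL asks for confirmation before it moves the role.
ntdsutil roles connections "connect to server %NEWHOLDER%" quit "seize PDC" quit quit

rem    The other roles use the same form with one of:
rem      "seize RID master"   "seize schema master"
rem      "seize domain naming master"   "seize infrastructure master"
rem    Do not return the old holder to the network afterwards while it
rem    still believes it owns a seized role.

rem 4. Confirm the new holder and that it is known to the domain controller.
netdom query /domain:%DOMAIN% fsmo
dcdiag /s:%NEWHOLDER% /test:KnowsOfRoleHolders
```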

Session Summary
- Turn up Active Directory Logging to troubleshoot Active Directory problems
- Perform Active Directory Database Maintenance with NTDSUTIL
- Back up System State on Domain Controllers to back up Active Directory
- Authoritative Restores can recover deleted directory objects
- Seize FSMO roles with NTDSUTIL.EXE

For More Information
- Main TechNet Web site at www.microsoft.com/technet
- This session’s resource page www.microsoft.com/technet//tnt1-76

MS Press: Inside information for IT Professionals
- To find the latest IT Professional related titles visit www.microsoft.com/mspress/it/

3rd Party Publications: Supplementary publications for IT Pro’s
- These books can be found and purchased at all good book stores and on-line retailers

Training: Training Resources for IT Professionals
- Implementing and Administering Microsoft Windows 2000 Directory Services
  - Course Number: 2154
  - Availability: Current
  - Detailed Syllabus: www.microsoft.com/traincert
- To locate a training provider, please access www.microsoft.com/traincert
- Microsoft Certified Technical Education Centers are Microsoft’s premier partners for training services

Become a Microsoft Certified Systems Administrator (MCSA)
- What is the MCSA certification?
  - For professionals who implement, manage, and troubleshoot existing network and system environments based on Microsoft Windows 2000 platforms
- How do I become an MCSA on Microsoft Windows 2000?
  - Pass 3 core exams
  - Pass 1 elective exam or 2 CompTIA certifications
- Where do I get more information?
  - For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcsa

Become A Microsoft Certified Systems Engineer (MCSE)
- What is the MCSE certification?
  - Premier certification for professionals who analyze the business requirements and design and implement the infrastructure for business solutions based on the Microsoft server software.
- How do I become an MCSE on Microsoft Windows 2000?
  - Pass 4 core exams
  - Pass 1 design exam
  - Pass 2 elective exams from a comprehensive list
- Where do I get more information?
  - For more information about certification requirements, exams, and training options, visit www.microsoft.com/mcse

What is TechNet? Put the right answers at your fingertips
TechNet is the comprehensive collection of resources to help IT implementers plan, deploy and manage Microsoft products successfully
- TechNet Subscription
  - Monthly updates delivered on DVD or CD
  - The definitive resource to help you evaluate, deploy and maintain Microsoft products
- TechNet Web Site
  - Accessible at www.microsoft.com/technet
  - Online resources and community
  - Subscriber-only Online Services
- TechNet Flash
  - Bi-weekly e-newsletter
  - Security updates, new resources, and special offers
- TechNet Events and Web Casts
  - Briefings on the latest Microsoft products and technologies
  - Hands-on, “how to” information
- TechNet Communities
  - User Groups
  - Managed Newsgroups

The TechNet Subscription
TechNet is a monthly subscription service that provides the tools, software, and resources that an IT professional needs to efficiently plan, deploy, manage, and support Microsoft products. A TechNet Subscription is proven to save you or your company time and money. If you’re an IT professional working in technical support, network or systems administration, or technology architecture, TechNet was created for you.
“You have everything you need to solve problems in one place” – Wayne Brown, VP Information Technology, Heald College

Where Can I Get TechNet?
- Visit TechNet Online at www.microsoft.com/technet
- Register for the TechNet Flash www.microsoft.com/technet/usingtn/register/flash.asp
- Join the TechNet Online forum at www.microsoft.com/technet/itcommunity
- Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe
- Attend More TechNet Events or view on-line www.microsoft.com/technet/tcevents/itevents
