When you open the tool, you see a blank screen divided into two panels: Monitored Server and Log. Follow these steps to perform replication monitoring:

1. Select Add Monitored Server from the Edit menu.
2. Enter the name of the server to be monitored (if known), or search a specific domain for a server to monitor. Once this is done, the Monitored Server panel displays the Active Directory information, and the Log panel shows the information stored in the log file.
3. To save the log information, use the Save Monitored List As and Open Log options on the File menu.
4. The Active Directory Replication Monitor can also be used to synchronize a directory partition. The DCs listed under a directory partition are the source servers, and direct replication partners are shown with an icon that indicates network-connected servers. You can also identify a server by right-clicking it and selecting Properties; the Properties box shows whether the source server is a Direct Replication Partner, a Transitive Replication Partner, or a Bridgehead Connection.
5. Right-click the direct replication partner and select Synchronize Replica. replmon.exe initiates replication and reports the success or failure of the request.
6. Beyond these functions, Replication Monitor has further options under the Action and View menus. Under Action, the Domain submenu offers Search Domain Controllers for Replication Errors, which queries every DC in the domain for failed replication attempts; the Server submenu covers replication-related work on the selected server and helps you check the replication topology.
7. Other submenus, such as Site, Naming Context, and Replication Partners, are enabled when the corresponding object is selected for a server.

The Active Directory Replication Monitor is simple and easy to use.
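Synchronize Replica has a command-line equivalent in repadmin.exe, which ships with the same Support Tools as replmon.exe and is easier to script and to run over a WAN link. The following is an added example, not part of the original chapter: it shows a destination DC's inbound replication state, forces it to pull one naming context from a chosen source partner, and checks the result. The server names and naming context are placeholders to replace with your own.

```powershell
# Added example: the command-line equivalent of Replication Monitor's
# "Synchronize Replica", using repadmin.exe from the Support Tools.
# Server names and the naming context below are placeholders.

param(
    [string]$DestinationDC = "DC2.yourfirm.biz",   # DC that will pull the changes
    [string]$SourceDC      = "DC1.yourfirm.biz",   # replication partner to pull from
    [string]$NamingContext = "DC=yourfirm,DC=biz"  # directory partition to synchronize
)

# repadmin.exe is installed by the Support Tools, not by the operating system.
if (-not (Get-Command repadmin.exe -ErrorAction SilentlyContinue)) {
    throw "repadmin.exe not found; install the Windows Server 2003 Support Tools."
}

# 1. Show the destination DC's inbound partners and the result of their last
#    replication attempt. This is the same view Replication Monitor gives you.
Write-Host "Inbound replication state of $DestinationDC before sync:"
& repadmin.exe /showrepl $DestinationDC

# 2. Ask the destination to replicate the naming context from the chosen source.
#    Syntax: repadmin /replicate <destination DC> <source DC> <naming context>
Write-Host "Forcing $DestinationDC to replicate $NamingContext from $SourceDC ..."
$output = & repadmin.exe /replicate $DestinationDC $SourceDC $NamingContext 2>&1
$output | ForEach-Object { Write-Host "  $_" }

# repadmin returns a non-zero exit code when the request is refused
# (RPC server unavailable, access denied, partner not found, and so on),
# the same failures Replication Monitor reports after Synchronize Replica.
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Replication request failed with exit code $LASTEXITCODE."
    Write-Warning "Check that $SourceDC resolves in DNS, that RPC reaches it, and"
    Write-Warning "that your account is allowed to trigger replication (Domain Admins by default)."
    exit $LASTEXITCODE
}

# 3. Confirm the result: the entry for $SourceDC should now report a
#    successful last attempt with a fresh timestamp.
Write-Host "Inbound replication state of $DestinationDC after sync:"
& repadmin.exe /showrepl $DestinationDC
```

Run it from an administrative prompt on any machine with the Support Tools installed; it does not need to run on either DC. If /showrepl itself fails before the sync, the problem is name resolution or RPC connectivity rather than replication, which is the same distinction Replication Monitor's error report draws.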
It provides a great deal of information and is useful for fixing Active Directory replication problems.

Using Event Viewer

Active Directory writes its events to the Directory Service log, which you read with the Event Viewer. How much it writes is controlled by the diagnostics logging levels stored in the Registry. To configure Active Directory event logging, follow these steps:

1. Select Start | Run. In the Open box, type regedit, and click OK.
2. Locate and click the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
3. Each entry in the right pane of the Registry Editor window represents a type of event that Active Directory can log. All entries are set to the default value of 0 (None).

To configure event logging for the appropriate component, follow these steps:

1. In the right pane of the Registry Editor, double-click the entry that represents the type of event to be logged; for example, Security Events.
2. Type the logging level that is needed in the Value data box, and click OK.
3. Repeat step 2 for each component you want logged. Then, on the Registry menu, click Exit to quit the Registry Editor.

Some of the events that can be written to the event log include:
■ KCC
■ MAPI events
■ Security events
■ Replication events
■ Directory access
■ Internal configuration
■ Internal processing
■ Inter-site messaging
■ Service control setup

Each entry is assigned a value of 0 through 5, which determines the level of detail of the events that are logged. Levels above 0 generate a large volume of events, so raise them only while troubleshooting and return them to 0 afterward.
■ 0 (None): Only critical events and error events are logged at this level. This is the default setting for all entries.
■ 1 (Minimal): Very high-level events are recorded in the event log at this setting. Events can include one message for each major task that is performed by the service. Use this level when you do not yet know where to start an investigation.
■ 2 (Basic)
■ 3 (Extensive): This level records more detailed information than the lower levels, such as the steps that are performed to complete a task.
■ 4 (Verbose)
■ 5 (Internal): This level logs all events, including debug strings and configuration changes. A complete log of the service is recorded.

Using Support Tools

As mentioned earlier, the Support Tools must be installed separately from the Windows Server 2003 operating system. In addition to the Replication Monitor, there are other support tools that will be useful to you in managing sites, subnets, and your overall network. Table 14.1 lists some of the support tools that are used most frequently.

Table 14.1 Categorizing Support Tools

Tool                                                   Description
Repadmin.exe: Replication Diagnostics Tool             A command-line interface for Active Directory replication. This tool provides a powerful interface into the inner workings of Active Directory replication and is useful in troubleshooting Active Directory replication problems.
Active Directory Replication Monitor (Replmon.exe)     Displays the replication topology, status, and performance of Active Directory DCs.
ADSI Edit                                              MMC snap-in that acts as a low-level editor for Active Directory.
Browstat.exe: Browser Status                           A network browser diagnostic tool.
Dsacls.exe                                             Facilitates management of ACLs for directory services.
Dsastat.exe: Active Directory Diagnostic Tool          Compares and detects differences between naming contexts on DCs.

Chapter 15 Working with Domain Controllers

In this chapter:
■ Planning and Deploying Domain Controllers
■ Backing Up Domain Controllers
■ Managing Operations Masters

Introduction

In the preceding chapters, we discussed forests, domains, sites, and subnets. The common link? Domain Controllers (DCs), the backbone of any Windows Server 2003 network.
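Returning to the NTDS diagnostics logging levels described above under Using Event Viewer: the same change can be made, checked, and reverted from a script, which matters because a level left above 0 keeps filling the Directory Service log long after the troubleshooting is over. The following is an added example, not part of the original chapter. It assumes the value names as they appear under the Diagnostics key on Windows Server 2003 (for example "5 Replication Events"); verify the exact names on your own server before running it.

```powershell
# Added example: set, list and restore NTDS diagnostics logging levels without
# opening regedit. Run on the domain controller as an administrator.
# Value names such as '5 Replication Events' are assumed to match the key on
# Windows Server 2003; check them with regedit if a name is rejected.

$DiagKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory=$true)][string]$Component,  # e.g. '5 Replication Events'
        [Parameter(Mandatory=$true)][int]$Level          # 0 (None) .. 5 (Internal)
    )
    if ($Level -lt 0 -or $Level -gt 5) {
        throw "Level must be between 0 (None) and 5 (Internal); got $Level."
    }
    # Reject unknown names instead of silently creating a value NTDS ignores.
    try {
        $previous = (Get-ItemProperty -Path $DiagKey -Name $Component -ErrorAction Stop).$Component
    } catch {
        throw "'$Component' is not a value under $DiagKey; check the spelling."
    }
    Set-ItemProperty -Path $DiagKey -Name $Component -Value $Level -Type DWord
    Write-Host ("{0}: {1} -> {2}" -f $Component, $previous, $Level)
    return $previous   # returned so the caller can restore it later
}

function Show-NtdsDiagnosticLevels {
    # List every component whose level is above the default of 0, i.e. anything
    # currently writing extra events to the Directory Service log.
    $props = Get-ItemProperty -Path $DiagKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+ ' -and $_.Value -gt 0 } |
        ForEach-Object { "{0} = {1}" -f $_.Name, $_.Value }
}

# Troubleshoot a replication problem: raise Replication Events to 3 (Extensive),
# reproduce the problem, read the new events, then put the level back.
$old = Set-NtdsDiagnosticLevel -Component '5 Replication Events' -Level 3
Show-NtdsDiagnosticLevels

# ... reproduce the failing replication here, then read what NTDS logged:
Get-EventLog -LogName 'Directory Service' -Newest 20 |
    Where-Object { $_.Source -eq 'NTDS Replication' } |
    Format-Table TimeGenerated, EventID, Message -AutoSize

# Leave the DC the way you found it.
Set-NtdsDiagnosticLevel -Component '5 Replication Events' -Level $old | Out-Null
```

Show-NtdsDiagnosticLevels is also a quick audit: on a healthy DC it should print nothing, and any non-zero entry it reports is either a forgotten troubleshooting session or a change somebody else made.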
Server roles were discussed in Chapter 3, and managing domain controllers was covered at length in Chapter 12. In this chapter, we take a closer look at DCs. Implementing and managing DCs is an important part of the network administrator's job, because DCs play such a vital role in the operation of the network. The focus of this chapter is the Active Directory DC and how to plan and deploy DCs on your network. You'll learn about server roles, where DCs fit in, and how to create and upgrade DCs. We discuss placement of DCs within sites, and how to back up your DCs.

Planning and Deploying Domain Controllers

Remember that a DC does not equal a domain. A domain is a logical entity containing potentially millions of objects, while a DC, in the context of this chapter, is simply a computer running Windows Server 2003 that holds a copy of the Active Directory database (an NT Server or Windows 2000 Server computer can also be a DC). This server takes on a management role in granting or denying access to resources throughout the entire domain, not just those resources located on the physical machine itself. To provide acceptable performance, it is imperative that all users have adequate access to a DC close to their physical location.

Understanding Server Roles

You might recall that before Windows 2000, in order to install a server operating system, you had to decide the server's role during installation. Switching between the roles of primary domain controller (PDC), backup domain controller (BDC), and member or standalone server was difficult and required a new installation with each change. Starting with Windows 2000 and continuing with Windows Server 2003, all servers begin as standalone or member servers, and you promote a server to a DC as needed. In addition, you can now demote a DC back to a member server.
As already mentioned, a server that contains a copy of the Active Directory database is a DC. A DC has domain responsibilities, and those can interfere with other tasks. Because Active Directory is the most important part of the domain, your DC will delay your print job or file access until it is finished with its DC duties. Your users, however, don't care about the domain and its needs; their own needs are more important to them. Therefore, you should separate file and print access, e-mail and Internet access, and other application-based duties from the DC. Plan your servers according to the needs of the users in your area of stewardship, and balance that with the needs of your domain.

Function of Domain Controllers

We have alluded to the responsibilities of DCs; now we will list those responsibilities or functions:
■ Track all user and computer accounts
■ Authenticate access to resources
■ Verify passwords
■ Establish secure connections
■ Replicate all changes to all other DCs

A DC receives changes to its copy of the Active Directory database. By default, all DCs within a site replicate changes to each other within minutes: a Windows Server 2003 DC at the Windows Server 2003 forest functional level notifies its intrasite partners about 15 seconds after a change, and a Windows 2000 DC (or a forest still at the Windows 2000 functional level) waits 5 minutes. Between sites, replication is governed by the site link schedule and interval, which is the main reason to create separate sites. If the site link is configured to replicate immediately over a fast WAN connection, the change propagates almost as quickly as it does within a site. If the link is scheduled by time or activity, the change has to wait in Denver until the schedule says it is time to talk to Philadelphia and exchange data, which could mean 12 to 24 hours before Jett can use his Manager-level access. Kim knows that Jett can't wait this long, so she changes her DC connection to go directly to a DC in Philadelphia, over the WAN. Now the change is accomplished within minutes. Of course, Kim's own work is slowed by that WAN connection, but Jett is much happier!
Although the previous list of DC responsibilities is by no means exhaustive, it represents most of the functions you should be concerned about first. Additionally, your DC integrates with other services for ease of administration and security. The following is a short list of some of these services:
■ DNS
■ DHCP
■ Kerberos security
■ Remote access
■ Virtual private networking

Important to note here is that Active Directory, which is on the DCs, provides these services to give you centralization and control of resources. Making them work efficiently is accomplished by understanding the various services and knowing when to use them and, more importantly, when not to use them. It is easy to turn on the services and let them run, but each service consumes hardware resources, which are limited. Enabling unused services also creates a security risk, because an unused (and often unmonitored) service could be exploited by an attacker.

Determining the Number of Domain Controllers

Since you just learned about sites in Chapter 14, "Working with Active Directory Sites," you know that each site requires at least one DC. Your site topology is very important because of the speed factors (actually the lack of speed) involved in the WAN connections between these sites. You must keep firm control of the replication crossing the WAN. Without sites, you break the age-old rule originally established by Novell: Don't span the WAN. The information that follows applies to DCs in each site. Table 15.1 lists the factors you must consider in determining the number of DCs to install.

Table 15.1 Domain Controller Functions Affecting Performance

DC Functions                      Description of Effect
PDC Emulator                      This FSMO is assigned to the first DC installed and is designed to respond to Windows NT 4 BDCs. Additionally, it receives all new password and lockout changes immediately for the entire domain.
Active Directory replication      The process of synchronizing the Active Directory database between DCs.
Workstation logon                 Computer accounts authenticating to the domain.
Global Catalog (GC) operations    Required in a multidomain Active Directory forest to facilitate logons.
File and print services           A DC can store files and be a print server too.
Network services                  A DC can host other important network services such as DNS, DHCP, and WINS.
User logon                        User authentication on startup and resource access.
LDAP searches                     If you use LDAP applications or services, be aware of this need.
Other FSMOs

Depending on the number of users, computers, and application needs in your domain, you most likely need more than one DC. At the very least, you should have two DCs for fault tolerance in case one goes down. As your network size increases, so will the number of DCs. This facilitates both load balancing and redundancy of the Active Directory. Nondomain functions, such as file and print services, will have to go to dedicated member servers.

Then, how many DCs do you need? Microsoft has outlined a way to determine this and even created a Job Aid to help you. The first issue is how much your server can physically handle. Microsoft's minimum guidelines for processors and memory, based on the number of users in the domain and the number of DCs handling the load, are given in Table 15.2.
Table 15.2 Minimum DC, GC, RAM, and CPU per Site

Number of Domain Users in Site    Number of DCs             Global Catalog                                                RAM      CPU
1 to 499                          1                         DC is a GC server                                             512MB    Uniprocessor PIII 500+
500 to 999                        1                         DC is a GC server                                             1GB      Dual PIII 500+
1,000 to 10,000                   2                         Both DCs are GC servers                                       2GB      Quad PIII Xeon+
10,000+                           1 for every 5,000 users   Half of all DCs are GC servers, with a minimum of two GCs     2GB      Quad PIII Xeon+

When the term "minimum" is used, remember that it means just that: the bare minimum! Your servers should have much more than the minimum if you want more than minimal performance. According to the experts, if you have to choose between CPU and RAM, get more RAM. It's always easier to get more RAM up front. Although we always say that we can add more RAM later, we often don't, or when we want to, it is not available for that particular server because it has become obsolete.

Using the Active Directory Installation Wizard

You know what a DC is, what hardware to buy, how many to buy, and where to put them, and now we will show you how to create one. Microsoft's Active Directory Installation Wizard (ADIW) is used to create DCs, domains, trees, and forests, so you need to understand how to start it and which options to choose.

To start the ADIW, click Start | Run. Type dcpromo and press Enter. The initial Welcome window contains a link to Windows' Help files. Use the Help files if you have to; they are very good. Click Next. Operating system compatibility is described in the next window. Click Next.

The next window shows the Additional domain controller for an existing domain option, used to create all other DCs within that same domain. Use this to set up DCs for each site. Selecting this option takes you to a window that requires administrator-level credentials in order to create the DC.
The server you are promoting must be able to find another DC via DNS, so make sure you are connected to the network and that your TCP/IP settings point at a DNS server that can locate the DC.

Choosing Domain controller for a new domain will make this server a DC, and it will be the first DC in a new domain. Use this for each new domain. Following most experts' recommendations, you will only do this once, because a single-domain network is the best way to go. Of course, reality dictates that you might have to create additional domains, and this is where you do it. Three choices are presented for creating a new domain:
■ Domain in a new forest: This choice is for the very first DC in your first tree in your first forest.
■ Child domain in an existing domain tree: This choice is used when you already have a domain tree (for example, yourfirm.biz) and you need a second domain that is a child of that domain (for example, MyPlace.YourFirm.biz).
■ Domain tree in an existing forest: With this option you are sharing the forest and allowing some communication, but you have different tree names. For example, you could have a forest like YourFirm.biz and then add another domain tree that uses a different DNS name, like MyFirm.biz.

The options Child domain in an existing domain tree and Domain tree in an existing forest require an existing entity to which you are adding. The next window requests administrator credentials at the tree and forest levels. Again, the TCP/IP settings must already be in place in order to find the corresponding DCs, authenticate your credentials, and allow you to add on to the tree or forest. Refer to Chapter 12 for specific step-by-step instructions for creating and naming new domains.

Creating Additional Domain Controllers

To add more DCs to your new domain, yourfirm.biz, you must install Windows Server 2003 on another machine. Remember that the initial server installation is either a standalone or member server, which can then be promoted to a DC.
Dcpromo, otherwise known as the ADIW, accomplishes this feat. You just created your first DC, so the steps are still fresh in your mind, right? Since the domain and DNS servers already exist, when you see the window shown in Figure 15.1, select the second option, Additional domain controller for an existing domain. Next, enter the credentials for your parent domain administrator, and the ADIW creates the new DC with replication, dynamic updates, and DNS SRV records all in place. Use the following procedure to promote a Windows Server 2003 member server to an additional domain controller.

There are a few prerequisites you will need to meet before you begin:
■ One DC
■ One standalone or member server
■ Both of these servers connected on the same network
■ Both of these servers set up with TCP/IP pointing to the same DNS server

Once these have been met, follow these steps:

1. On your member or standalone server, make sure you are logged on with administrator permissions and that the prerequisites are met.
2. Begin the promotion process by clicking Start | Run and typing dcpromo. Click OK.
3. The ADIW is launched. Click Next.
4. Click Next on the next dialog, labeled Operating System Compatibility.
5. Select Additional domain controller for an existing domain, and click Next (see Figure 15.1, Domain Controller Type).
6. Type in the Administrator account and password. Type in the domain name if it is not already there.
7. This dialog requires the FQDN that matches the A record in your DNS server. By default, it shows whatever was in the last dialog. Make sure it is correct and click Next (see Figure 15.2, Full DNS Name of Existing Domain).
8. The next two dialogs should seem familiar. You must specify the location of the Active Directory database and log. Keep the defaults of \WINDOWS\NTDS. Click Next.
9. Specify the location of your system volume (SYSVOL) folder, which must be on an NTFS partition. The default is fine as long as you formatted your disk with NTFS. Click Next (see Figure 15.3, Shared System Volume Location).
10. This dialog requests a password for the Directory Services Restore Mode administrator, which is a separate account from the domain Administrator. The temptation is to reuse the domain Administrator password so that nobody has to remember a rarely used password in the middle of a crash recovery. Keep in mind, however, that this password grants offline logon to this DC and access to its copy of the Active Directory database, so the safer practice is to choose a distinct password and record it in a sealed location with your recovery documentation. Click Next.
11. Think about what dcpromo is about to do and what must be in place for it to work. After you click Next, it tests the settings outlined in the prerequisites. The ADIW must find a DNS server, ask for the location of a DC in the existing domain, locate and authenticate
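The checks in step 11 are the ones that fail most often, and they can be run before launching the wizard. The same promotion can also be driven without the GUI: dcpromo reads a [DCInstall] answer file when started with /answer:<file>. The following is an added example, not part of the original chapter; it assumes the Windows Server 2003 dcpromo answer-file keys, and the domain name, site name, and paths are placeholders for your own values. Because the answer file must contain both the domain administrator password and the Directory Services Restore Mode password in clear text, the script prompts for them, refuses to let them be the same (the caveat from step 10), restricts the file's ACL, and deletes the file as soon as dcpromo has run.

```powershell
# Added example: pre-flight checks and an unattended answer file for promoting a
# member server to an additional DC in an existing domain. Not part of the
# original chapter. Domain, site and paths are placeholders; the [DCInstall]
# keys are the Windows Server 2003 dcpromo answer-file keys.

$DomainDns  = "yourfirm.biz"               # existing domain, as registered in DNS
$SiteName   = "Default-First-Site-Name"    # site the new DC belongs to
$DbPath     = "C:\WINDOWS\NTDS"            # Active Directory database (step 8)
$LogPath    = "C:\WINDOWS\NTDS"            # database log files (step 8)
$SysvolPath = "C:\WINDOWS\SYSVOL"          # must be on NTFS (step 9)

function Test-DcPromoPrerequisites {
    param([string]$Domain, [string]$Sysvol)
    $ok = $true

    # dcpromo finds a DC to replicate from through this SRV record, so the DNS
    # server in this machine's TCP/IP settings must be able to answer for it.
    $srv = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
    if (-not ($srv -match "svr hostname")) {
        Write-Warning "No SRV record for _ldap._tcp.dc._msdcs.$Domain; fix the DNS settings first."
        $ok = $false
    }

    # SYSVOL has to live on an NTFS volume.
    $drive = New-Object System.IO.DriveInfo((Split-Path -Qualifier $Sysvol) + "\")
    if ($drive.DriveFormat -ne "NTFS") {
        Write-Warning "$Sysvol is on a $($drive.DriveFormat) volume; SYSVOL requires NTFS."
        $ok = $false
    }
    return $ok
}

if (-not (Test-DcPromoPrerequisites -Domain $DomainDns -Sysvol $SysvolPath)) {
    throw "Prerequisites not met; dcpromo would fail at the DNS/credential step."
}

# Prompt for both passwords instead of hard-coding them. The Directory Services
# Restore Mode (DSRM) password unlocks this DC's offline database, so it must
# differ from the domain administrator's password.
$adminCred = Get-Credential            # enter as DOMAIN\user, e.g. YOURFIRM\Administrator
$nc        = $adminCred.GetNetworkCredential()
$userDomain = if ($nc.Domain) { $nc.Domain } else { $DomainDns }
$dsrmPwd   = Read-Host -AsSecureString "Directory Services Restore Mode password"
$dsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrmPwd))
if ($dsrmPlain -eq $nc.Password) {
    throw "Use a DSRM password that differs from the domain administrator password."
}

# The answer file holds both passwords in clear text: create it empty, cut off
# inherited permissions so only Administrators can read it, then fill it in.
$answerFile = Join-Path $env:SystemRoot "Temp\dcpromo-replica.txt"
New-Item -Path $answerFile -ItemType File -Force | Out-Null
$acl = Get-Acl $answerFile
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "Administrators", "FullControl", "Allow")))
Set-Acl -Path $answerFile -AclObject $acl

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainDns
SiteName=$SiteName
UserName=$($nc.UserName)
UserDomain=$userDomain
Password=$($nc.Password)
DatabasePath=$DbPath
LogPath=$LogPath
SYSVOLPath=$SysvolPath
SafeModeAdminPassword=$dsrmPlain
RebootOnSuccess=No
"@
Set-Content -Path $answerFile -Value $answer

try {
    # dcpromo reads the file and performs the wizard's steps without prompting.
    & dcpromo.exe /answer:$answerFile
} finally {
    # RebootOnSuccess=No so this cleanup runs before the restart; reboot the
    # server yourself once dcpromo reports success.
    Remove-Item $answerFile -Force -ErrorAction SilentlyContinue
}
```

Keeping RebootOnSuccess=No is the deliberate trade-off here: an automatic reboot would leave the answer file, passwords included, on disk until the next logon. Pre-flight failures are reported before any credential is requested, so a DNS or NTFS mistake costs nothing but a warning.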