Active Directory Cookbook for Windows Server 2003 - Part 3 (docx)

You will also want to remove any trusts that have been established for the domain (see Recipe 2.22 for more details). For more information on how to demote a domain controller, see Recipe 3.3.

2.4.3 Discussion

The "brute force" method for removing a forest, described in the Discussion for Recipe 2.2, is not a good method for removing a domain. It leaves all of the domain controller and server objects, along with the domain object and its naming context, hanging around in the forest. If you used that approach, you would eventually see a stream of replication and File Replication Service (FRS) errors in the event log from failed replication events.

2.4.4 See Also

Recipe 2.19 for viewing the trusts for a domain, Recipe 2.22 for removing a trust, Recipe 3.3 for demoting a domain controller, MS KB 238369 (HOW TO: Promote and Demote Domain Controllers in Windows 2000), and MS KB 255229 (Dcpromo Demotion of Last Domain Controller in Child Domain Does Not Succeed)

Recipe 2.5 Removing an Orphaned Domain

2.5.1 Problem

You want to completely remove a domain that was orphaned because "This server is the last domain controller in the domain" was not selected when demoting the last domain controller, the domain was forcibly removed, or the last domain controller in the domain was decommissioned improperly.

2.5.2 Solution

2.5.2.1 Using a command-line interface

The following ntdsutil session (the commands you type follow each ntdsutil prompt) would forcibly remove the emea.rallencorp.com domain from the rallencorp.com forest.
Replace <DomainControllerName> with the hostname of the Domain Naming Flexible Single Master Operation (FSMO) role holder for the forest:

> ntdsutil "meta clean" "s o t" conn "con to server <DomainControllerName>" q q
metadata cleanup: "s o t" "list domains"
Found 4 domain(s)
0 - DC=rallencorp,DC=com
1 - DC=amer,DC=rallencorp,DC=com
2 - DC=emea,DC=rallencorp,DC=com
3 - DC=apac,DC=rallencorp,DC=com
select operation target: sel domain 2
No current site
Domain - DC=emea,DC=rallencorp,DC=com
No current server
No current Naming Context
select operation target: q
metadata cleanup: remove sel domain

You will receive a message indicating whether the removal was successful.

2.5.3 Discussion

Removing an orphaned domain consists of removing the domain object for the domain (e.g., dc=emea,dc=rallencorp,dc=com), all of its child objects, and the associated crossRef object in the Partitions container. You need to target the Domain Naming FSMO when using the ntdsutil command because that server is responsible for the creation and removal of domains. The domain removal does not clean up the server objects that the orphaned domain's domain controllers left behind in the Sites container, nor any trusts that the remaining domains still hold with the removed domain; handle those with Recipe 3.6 and Recipe 2.22 respectively.

In the solution, shortcut parameters were used to reduce the amount of typing necessary.
If each parameter were typed out fully, the commands would look as follows:

> ntdsutil "metadata cleanup" "select operation target" connections "connect to server <DomainControllerName>" quit quit
metadata cleanup: "select operation target" "list domains"
Found 4 domain(s)
0 - DC=rallencorp,DC=com
1 - DC=amer,DC=rallencorp,DC=com
2 - DC=emea,DC=rallencorp,DC=com
3 - DC=apac,DC=rallencorp,DC=com
select operation target: select domain 2
No current site
Domain - DC=emea,DC=rallencorp,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain

2.5.4 See Also

Recipe 3.6 for removing an unsuccessfully demoted domain controller, MS KB 230306 (HOW TO: Remove Orphaned Domains from Active Directory), MS KB 251307 (HOW TO: Remove Orphaned Domains from Active Directory Without Demoting the Domain Controllers), and MS KB 255229 (Dcpromo Demotion of Last Domain Controller in Child Domain Does Not Succeed)

Recipe 2.6 Finding the Domains in a Forest

2.6.1 Problem

You want a list of the domains in a forest.

2.6.2 Solution

2.6.2.1 Using a graphical user interface

Open the Active Directory Domains and Trusts snap-in. The list of the domains in the default forest can be browsed in the left pane.

2.6.2.2 Using a command-line interface

> ntdsutil "d m" "sel op tar" c "co t s <DomainControllerName>" q "l d" q q q

2.6.2.3 Using VBScript

' This code gets the list of the domains contained in the
' forest that the user running the script is logged into.
set objRootDSE = GetObject("LDAP://RootDSE")
' Search the global catalog, starting at the forest root domain, for domainDNS objects
strADsPath = "<GC://" & objRootDSE.Get("rootDomainNamingContext") & ">;"
strFilter = "(objectcategory=domainDNS);"
strAttrs = "name;"
strScope = "SubTree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

2.6.3 Discussion

2.6.3.1 Using a graphical user interface

If you want to view the domains for a forest other than the one you are logged into, right-click on "Active Directory Domains and Trusts" in the left pane and select "Connect to Domain Controller." Enter the forest name you want to browse in the Domain field. In the left pane, expand the forest root domain to see any subdomains.

2.6.3.2 Using a command-line interface

In the ntdsutil example, shortcut parameters were used to reduce the amount of typing needed. If each parameter were typed out fully, the command line would look like:

> ntdsutil "domain management" "select operation target" connections "connect to server <DomainControllerName>" quit "List domains" quit quit quit

2.6.3.3 Using VBScript

In the VBScript solution, an ADO query is used to search for domainDNS objects stored in the global catalog, using the root (forest) Domain NC as the search base. In a forest with a single domain tree this finds every domain, because they all sit beneath the forest root; domains in a second tree are not beneath that search base, and for those the crossRef objects in the Partitions container (see Recipe 2.7) are the complete list. To find the list of domains for a different forest, include the name of that forest as part of the ADsPath used in the first line of code. The following would target the othercorp.com forest:

set objRootDSE = GetObject("LDAP://othercorp.com/" & "RootDSE")

2.6.4 See Also

Recipe 3.8 for finding the domain controllers for a domain

Recipe 2.7 Finding the NetBIOS Name of a Domain

2.7.1 Problem

You want to find the NetBIOS name of a domain.
Although Microsoft has moved to using DNS for primary name resolution, the NetBIOS name of a domain is still important, especially with down-level clients that still rely on NetBIOS rather than DNS for naming.

2.7.2 Solution

2.7.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. Right-click the domain you want to view in the left pane and select Properties. The NetBIOS name will be shown in the "Domain name (pre-Windows 2000)" field.

2.7.2.2 Using a command-line interface

> dsquery * cn=partitions,cn=configuration,<ForestRootDN> -filter "(&(objectcategory=crossref)(dnsroot=<DomainDNSName>)(netbiosname=*))" -attr netbiosname

2.7.2.3 Using VBScript

' This code prints the NetBIOS name for the specified domain
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' END CONFIGURATION
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
' The crossRef objects live in the Partitions container of the Configuration NC
strADsPath = "<LDAP://" & strDomain & "/cn=Partitions," & _
             objRootDSE.Get("configurationNamingContext") & ">;"
strFilter = "(&(objectcategory=Crossref)" & _
            "(dnsRoot=" & strDomain & ")(netBIOSName=*));"
strAttrs = "netbiosname;"
strScope = "Onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
WScript.Echo "NetBIOS name for " & strDomain & " is " & objRS.Fields(0).Value

2.7.3 Discussion

Each domain has a crossRef object that is used by Active Directory to generate referrals. Referrals are necessary when a client performs a query and the directory server handling the request does not have the matching object(s) in its domain. The NetBIOS name of a domain is stored in the domain's crossRef object in the Partitions container in the Configuration NC. Each crossRef object has a dnsRoot attribute, which is the fully qualified DNS name of the domain.
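The crossRef lookup in this recipe generalises to every domain in the forest, which also answers Recipe 2.6 for forests with more than one domain tree, and the same query is the natural way to confirm that a domain removed with Recipe 2.5 is really gone. The following PowerShell script is an added example written for this page, not code from the book; it assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the Configuration NC, and it uses emea.rallencorp.com, the domain removed in Recipe 2.5, as the name to check for.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DomainCrossRef {
    # One record per domain in the forest, read from the crossRef objects in
    # CN=Partitions. The Configuration NC is replicated forest-wide, so this
    # works against any domain controller and covers every domain tree.
    param([string]$Server)
    $dse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $query = @{
        SearchBase  = "CN=Partitions,$($dse.configurationNamingContext)"
        SearchScope = 'OneLevel'
        # netBIOSName=* restricts the result to domain partitions; application
        # partitions have crossRef objects too but carry no NetBIOS name.
        LDAPFilter  = '(&(objectCategory=crossRef)(netBIOSName=*))'
        Properties  = 'dnsRoot', 'netBIOSName', 'nCName'
    }
    if ($Server) { $query.Server = $Server }
    Get-ADObject @query | ForEach-Object {
        [pscustomobject]@{
            DnsRoot     = [string]$_.dnsRoot
            NetBIOSName = [string]$_.netBIOSName
            NCName      = [string]$_.nCName
        }
    }
}

function Test-RemovedDomainResidue {
    # After "metadata cleanup: remove selected domain", report anything that
    # still references the removed domain. An empty result means no residue.
    param([Parameter(Mandatory)][string]$RemovedDnsName)
    $cfg       = (Get-ADRootDSE).configurationNamingContext
    $removedDN = 'DC=' + (($RemovedDnsName -split '\.') -join ',DC=')
    $findings  = @()

    # 1. The crossRef itself should be gone from the Partitions container.
    $cr = Get-ADObject -SearchBase "CN=Partitions,$cfg" -SearchScope OneLevel `
          -LDAPFilter "(&(objectCategory=crossRef)(dnsRoot=$RemovedDnsName))"
    foreach ($c in $cr) { $findings += "crossRef still present: $($c.DistinguishedName)" }

    # 2. Trusts in the remaining domains that still name it (Recipe 2.22 removes them).
    foreach ($domain in (Get-ADForest).Domains) {
        $trusts = Get-ADObject -Server $domain `
                  -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$RemovedDnsName))"
        foreach ($t in $trusts) { $findings += "trust in $domain still references it: $($t.DistinguishedName)" }
    }

    # 3. Server objects of its former domain controllers in the Sites container.
    #    Their serverReference points into the removed naming context, and the
    #    domain removal does not delete them (that is Recipe 3.6).
    $servers = Get-ADObject -SearchBase "CN=Sites,$cfg" -SearchScope Subtree `
               -LDAPFilter '(objectClass=server)' -Properties serverReference
    foreach ($s in $servers) {
        if ([string]$s.serverReference -like "*,$removedDN") {
            $findings += "server object left behind: $($s.DistinguishedName)"
        }
    }
    return $findings
}

Get-DomainCrossRef | Format-Table DnsRoot, NetBIOSName, NCName -AutoSize
Test-RemovedDomainResidue -RemovedDnsName 'emea.rallencorp.com'   # the domain removed in Recipe 2.5
```

Run it on a management host with RSAT or on a domain controller. Because the Partitions and Sites containers are in the Configuration NC, the first function and the crossRef and server checks give the same answer on any domain controller once replication has converged; the trust check has to contact a domain controller in each remaining domain, which is why it passes the domain name as -Server.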
The netBIOSName attribute contains the NetBIOS name for the domain.

Recipe 2.8 Renaming a Domain

2.8.1 Problem

You want to rename a domain due to organizational changes or legal restrictions because of an acquisition. Renaming a domain is a very involved process and should be done only when absolutely necessary. Changing the name of a domain can have an impact on everything from DNS, replication, and GPOs to DFS and Certificate Services. A domain rename also requires that all domain controllers and member computers in the domain are rebooted!

2.8.2 Solution

Under Windows 2000, there is no supported process to rename a domain. There is one workaround for mixed-mode domains, in which you revert the domain and any of its child domains back to Windows NT domains. This can be done by demoting all Windows 2000 domain controllers and leaving the Windows NT domain controllers in place. You could then reintroduce Windows 2000 domain controllers and use the new domain name when setting up Active Directory. The process is not very clean and probably won't be suitable for most situations, but you can find out more about it in MS KB 292541.

A domain rename procedure is supported if a forest is running all Windows Server 2003 domain controllers and is at the Windows Server 2003 forest functional level. Microsoft provides a rename tool (rendom.exe) and a detailed white paper describing the process at the following location:

http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx

2.8.3 Discussion

The domain rename process can accommodate very complex changes to your domain model. You can perform the following types of renames:

• Rename a domain to a new name without repositioning it in the domain tree.
• Reposition a domain within a domain tree.
• Create a new domain tree with a renamed domain.

One thing you cannot do with the domain rename procedure is reposition the forest root domain.
You can rename the forest root domain, but you cannot change its status as the forest root domain. Another important limitation to note is that you cannot rename any domain in a forest that has had Exchange 2000 installed. A future service pack release of Exchange Server 2003 will reportedly handle domain renames. See the web site mentioned in the solution for more information on other limitations.

2.8.4 See Also

MS KB 292541 (How to: Rename the DNS name of a Windows 2000 Domain)

Recipe 2.9 Changing the Mode of a Domain

2.9.1 Problem

You want to change the mode of a Windows 2000 Active Directory domain from mixed to native. You typically want to do this as soon as possible after installing a Windows 2000 domain to take advantage of features that aren't available with mixed-mode domains.

2.9.2 Solution

2.9.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. Browse to the domain you want to change in the left pane.
3. Right-click on the domain and select Properties. The current mode will be listed in the Domain Operation Mode box.
4. To change the mode, click the Change Mode button at the bottom.

2.9.2.2 Using a command-line interface

To retrieve the current mode, use the following command:

> dsquery * <DomainDN> -scope base -attr ntMixedDomain

Or you can use the enumprop command found in the Windows 2000 Resource Kit:

> enumprop /ATTR:ntMixedDomain "LDAP://<DomainDN>"

To change the mode to native, create an LDIF file called change_domain_mode.ldf with the following contents:

dn: <DomainDN>
changetype: modify
replace: ntMixedDomain
ntMixedDomain: 0
-

Then run the ldifde command to import the change:

> ldifde -i -f change_domain_mode.ldf

2.9.2.3 Using VBScript

' This code changes the mode of the specified domain to native
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' END CONFIGURATION
set objDomain = GetObject("LDAP://" & strDomain)
' ntMixedDomain is 1 for mixed mode and 0 for native mode; the change is one-way
if objDomain.Get("nTMixedDomain") > 0 Then
    Wscript.Echo "Changing mode to native . . . "
    objDomain.Put "nTMixedDomain", 0
    objDomain.SetInfo
else
    Wscript.Echo "Already a native mode domain"
end if

2.9.3 Discussion

The mode of a domain restricts the operating systems the domain controllers in the domain can run. In a mixed-mode domain, you can have Windows 2000 and Windows NT domain controllers. In a native-mode domain, you can have only Windows 2000 (and Windows Server 2003) domain controllers. There are several important feature differences between mixed and native mode. Mixed mode imposes the following limitations:

• The domain cannot contain universal security groups.
• Groups in the domain cannot have their scope or type changed.
• The domain cannot have nested groups (aside from global groups in domain local groups).
• Account modifications sent to Windows NT BDCs, including password changes, must go through the PDC Emulator for the domain.
• The domain cannot use SID History.
• The domain cannot fully utilize trust transitivity.

The domain mode can be changed only from mixed to native mode; you cannot change it back from native to mixed. Before you switch, make sure no Windows NT backup domain controllers remain in the domain, because they stop receiving updates once the domain is in native mode. When a Windows 2000 domain is first created, it starts off in mixed mode even if all the domain controllers are running Windows 2000. The domain mode is stored in the ntMixedDomain attribute on the domain object (e.g., dc=amer,dc=rallencorp,dc=com). A value of 0 signifies a native-mode domain and 1 indicates a mixed-mode domain. Windows Server 2003 Active Directory has a similar concept called functional levels. For more information on Windows Server 2003 functional levels, see Recipe 2.13 and Recipe 2.14.
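Because the switch to native mode cannot be undone and cuts off any Windows NT backup domain controllers, it is worth checking for them before writing ntMixedDomain. The following PowerShell script is an added example written for this page, not the book's code; it assumes the ActiveDirectory module is available and the domain is reachable. The BDC detection rests on an assumption about how down-level domain controllers appear in the directory: every domain controller account, NT or not, carries the SERVER_TRUST_ACCOUNT flag (0x2000) in userAccountControl, but only Active Directory domain controllers also have an NTDS Settings object, so trust accounts without one are taken to be NT BDCs.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DomainMode {
    # Reads ntMixedDomain from the domain head: 1 = mixed, 0 = native.
    param([Parameter(Mandatory)][string]$DomainDnsName)
    $dn  = (Get-ADDomain -Server $DomainDnsName).DistinguishedName
    $obj = Get-ADObject -Identity $dn -Server $DomainDnsName -Properties ntMixedDomain
    if ([int]$obj.ntMixedDomain -eq 0) { 'native' } else { 'mixed' }
}

function Get-DownLevelDomainController {
    # Accounts flagged SERVER_TRUST_ACCOUNT (0x2000) that have no NTDS Settings
    # object (assumption, see lead-in): in a mixed-mode domain these are the
    # Windows NT BDCs that native mode would cut off. Returns their names.
    param([Parameter(Mandatory)][string]$DomainDnsName)
    $adDcs = @(Get-ADDomainController -Filter * -Server $DomainDnsName |
               ForEach-Object { $_.ComputerObjectDN })
    Get-ADComputer -Server $DomainDnsName `
        -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' |
        Where-Object { $adDcs -notcontains $_.DistinguishedName } |
        Select-Object -ExpandProperty Name
}

function Set-NativeMode {
    # Performs the same write as the LDIF file in the solution, but refuses to
    # run while NT BDC accounts exist and honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DomainDnsName)
    if ((Get-DomainMode $DomainDnsName) -eq 'native') {
        return "$DomainDnsName is already a native-mode domain"
    }
    $bdcs = @(Get-DownLevelDomainController $DomainDnsName)
    if ($bdcs.Count -gt 0) {
        throw "Refusing to switch $DomainDnsName to native mode; NT BDC accounts still exist ($($bdcs -join ', '))"
    }
    $dn = (Get-ADDomain -Server $DomainDnsName).DistinguishedName
    # There is no way back to mixed mode once this is written.
    if ($PSCmdlet.ShouldProcess($DomainDnsName, 'set ntMixedDomain=0 (irreversible)')) {
        Set-ADObject -Identity $dn -Server $DomainDnsName -Replace @{ ntMixedDomain = 0 }
        return "$DomainDnsName switched to native mode"
    }
}

Set-NativeMode -DomainDnsName 'amer.rallencorp.com' -WhatIf   # dry run; drop -WhatIf to change
```

Run it first with -WhatIf and look at what Get-DownLevelDomainController reports; an account that shows up there but is known to be a decommissioned BDC should be deleted rather than ignored, since a stale server trust account is also a stale machine credential. On Windows Server 2003 and later the same attribute is managed as a functional level (Recipe 2.13), and the ActiveDirectory module's Set-ADDomainMode cmdlet is the supported way to raise it.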
2.9.4 See Also

Recipe 2.13 for raising the functional level of a domain, Recipe 2.14 for raising the functional level of a forest, and MS KB 186153 (Modes Supported by Windows 2000 Domain Controllers)

Recipe 2.10 Using ADPrep to Prepare a Domain or Forest for Windows Server 2003

2.10.1 Problem

You want to upgrade your existing Windows 2000 Active Directory domain controllers to Windows Server 2003. Before doing this, you must run the ADPrep tool, which extends the schema and adds several objects in Active Directory that are necessary for new features and enhancements.

2.10.2 Solution

First, run the following command on the Schema FSMO with the credentials of an account that is in both the Enterprise Admins and Schema Admins groups:

> adprep /forestprep

After the updates from /forestprep have replicated throughout the forest (see Recipe 2.11), run the following command on the Infrastructure FSMO in each domain with the credentials of an account in the Domain Admins group:

> adprep /domainprep

If the updates from /forestprep have not replicated to at least the Infrastructure FSMO server in each domain, an error will be returned when running /domainprep. To debug any problems you encounter, see the ADPrep log files located at %SystemRoot%\System32\Debug\Adprep\Logs.

adprep can be found in the \i386 directory on the Windows Server 2003 CD. The tool relies on several files in that directory, so you cannot simply copy adprep.exe out to a server and run it. You must either run it from the CD or from a location where the entire directory has been copied.

2.10.3 Discussion

The adprep command prepares a Windows 2000 forest and domains for Windows Server 2003. Both /forestprep and /domainprep must be run before you can upgrade any domain controllers to Windows Server 2003 or install new Windows Server 2003 domain controllers.
The adprep command serves a similar function to the Exchange 2000 setup /forestprep and /domainprep commands, which prepare an Active Directory forest and domains for Exchange 2000. The adprep /forestprep command extends the schema and modifies some default security descriptors, which is why it must run on the Schema FSMO and under the credentials of someone in both the Schema Admins and Enterprise Admins groups. Because of the reach of those two groups, add the account to them only for the duration of the run and remove it afterwards. In addition, the adprep /forestprep and /domainprep commands add new objects throughout the forest, many of which are necessary for new features supported in Windows Server 2003 Active Directory.

If you've installed Exchange 2000 or Services For Unix 2.0 in your forest prior to running adprep, there are schema conflicts with the adprep schema extensions that you'll need to fix first. MS KB 325379 and MS KB 314649 have a detailed list of compatibility issues and resolutions.

2.10.4 See Also

Recipe 2.11 for determining if ADPrep has completed, Chapter 14 of Active Directory, Second Edition for upgrading to Windows Server 2003, MS KB 331161 (List of Fixes to Use on Windows 2000 Domain Controllers Before You Run the Adprep/Forestprep Command), MS KB 314649 (Windows Server 2003 ADPREP Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers), and MS KB 325379 (Upgrade Windows 2000 Domain Controllers to Windows Server 2003)

Recipe 2.11 Determining if ADPrep Has Completed

2.11.1 Problem

You want to determine if the ADPrep process, described in Recipe 2.10, has successfully prepared a Windows 2000 domain or forest for Windows Server 2003. After ADPrep has completed, you will then be ready to start promoting Windows Server 2003 domain controllers.
2.11.2 Solution

To determine if adprep /domainprep completed, check for the existence of the following object, where <DomainDN> is the distinguished name of the domain:

cn=Windows2003Update,cn=DomainUpdates,cn=System,<DomainDN>

To determine if adprep /forestprep completed, check for the existence of the following object, where <ForestRootDN> is the distinguished name of the forest root domain:

cn=Windows2003Update,cn=ForestUpdates,cn=Configuration,<ForestRootDN>

2.11.3 Discussion

As described in Recipe 2.10, the adprep utility is used to prepare a Windows 2000 forest for the upgrade to Windows Server 2003. One of the nice features of adprep is that it stores its progress in Active Directory. For /domainprep, a container with a distinguished name of cn=DomainUpdates,cn=System,<DomainDN> is created that has child containers cn=Operations and cn=Windows2003Update. After adprep completes a task, such as extending the schema, it creates an object under the cn=Operations container to signify its completion. Each object has a GUID for its name, which represents some internal operation for adprep. For /domainprep, 52 of these objects are created. After all of the operations have completed successfully, the cn=Windows2003Update object is created to indicate that /domainprep has completed. Figure 2-2 shows an example of the container structure created by /domainprep.

Figure 2-2. DomainPrep containers

For /forestprep, a container with the distinguished name of cn=ForestUpdates,cn=Configuration,<ForestRootDN> is created with child containers cn=Operations and cn=Windows2003Update. The same principles apply as for /domainprep, except that there are 36 operation objects stored within the cn=Operations container. After /forestprep completes, the cn=Windows2003Update object is created to mark the successful completion of /forestprep. Figure 2-3 shows an example of the container structure created by /forestprep.

Figure 2-3. ForestPrep containers

These marker objects replicate like any other object, so the answer depends on which domain controller you ask: check on the domain controller where adprep was run, or on each domain controller you intend to upgrade, to confirm the updates have actually reached it.
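The two marker objects above can be checked from PowerShell for the forest and for every domain at once, together with a count of the operation objects, to see how far adprep got. The following script is an added example written for this page, not the book's code; it assumes the ActiveDirectory module and uses the operation counts this recipe gives for the Windows Server 2003 adprep. Later adprep releases add operations, so the Windows2003Update marker, not the count, is the thing to rely on.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Find-ObjectByDN {
    # Looks an object up by distinguishedName with a search rather than
    # Get-ADObject -Identity, so a missing object yields nothing instead of
    # an exception. The search base must exist (a naming context head does).
    param([Parameter(Mandatory)][string]$DN,
          [Parameter(Mandatory)][string]$SearchBase,
          [string]$Server)
    $p = @{ SearchBase = $SearchBase; SearchScope = 'Subtree'
            LDAPFilter = "(distinguishedName=$DN)" }
    if ($Server) { $p.Server = $Server }
    Get-ADObject @p
}

function Get-AdprepStatus {
    # One result for the forest (ForestUpdates in the Configuration NC) and one
    # per domain (DomainUpdates in that domain's NC), each with the completion
    # marker and the number of operation objects under CN=Operations.
    param([string]$Server)
    $dse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $cfg = $dse.configurationNamingContext
    $targets = @([pscustomobject]@{ Scope = 'forest'; NC = $cfg; Server = $Server
                                    Base = "CN=ForestUpdates,$cfg"; Expected = 36 })
    foreach ($domain in (Get-ADForest).Domains) {
        # DomainUpdates lives in the domain NC, so ask a DC of that domain.
        $dn = (Get-ADDomain -Server $domain).DistinguishedName
        $targets += [pscustomobject]@{ Scope = "domain $domain"; NC = $dn; Server = $domain
                                       Base = "CN=DomainUpdates,CN=System,$dn"; Expected = 52 }
    }
    foreach ($t in $targets) {
        $marker = Find-ObjectByDN -DN "CN=Windows2003Update,$($t.Base)" -SearchBase $t.NC -Server $t.Server
        $ops    = Find-ObjectByDN -DN "CN=Operations,$($t.Base)"        -SearchBase $t.NC -Server $t.Server
        $count  = 0
        if ($ops) {
            $p = @{ SearchBase = $ops.DistinguishedName; SearchScope = 'OneLevel'; Filter = '*' }
            if ($t.Server) { $p.Server = $t.Server }
            $count = @(Get-ADObject @p).Count
        }
        [pscustomobject]@{
            Scope      = $t.Scope
            Completed  = [bool]$marker
            Operations = "$count of $($t.Expected)"
        }
    }
}

Get-AdprepStatus | Format-Table -AutoSize
```

A row with Completed = False but a non-zero operation count means adprep started and stopped part way; the Adprep log directory named in Recipe 2.10 says which operation failed. Pass -Server to query a specific domain controller, for example the one you are about to upgrade, since the marker only helps once it has replicated there.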

Posted: 05/07/2014, 08:20
