Windows 2000 Active
Directory Diagnostics,
Troubleshooting and
Recovery
3 Leaf Solutions LLC
What we will cover:





Verifying Active Directory
functionality
Diagnosing and troubleshooting
replication
Locating Active Directory database
files
Backing up and recovering system
state data
Seizing FSMO roles
Prerequisite Knowledge



Experience supporting Microsoft
Networks
Experience administering Windows 2000
Servers
Experience administering Active Directory
Domains
Level 200
Agenda





Verify Active Directory Functionality
Troubleshoot Replication
Active Directory Database Maintenance
Backup and Recovery
Seizing FSMO Roles
Verify Active Directory Functionality
Turn Up Active Directory Logging

A good first step when troubleshooting
Active Directory



Allows for more verbose event logging
Can generate a lot of logged data


Requires editing the Registry
May need to increase the size of event logs
Check Event Viewer

Active Directory events are in Directory
Service event log
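The registry edit behind this step, as an added example that is not part of the original slides. It assumes reg.exe is available on the domain controller (on Windows 2000 it is installed with the Support Tools); the two categories chosen are the ones most useful for replication problems.

```batch
@echo off
rem Added example: raise NTDS diagnostic logging while troubleshooting
rem replication, then put it back. Run on the domain controller as an
rem administrator.
setlocal
set DIAG=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

rem Show the current levels first so they can be restored afterwards.
reg query "%DIAG%"

rem Each value under the key is one logging category, set from
rem 0 (default, critical events only) to 5 (most verbose).
rem Levels above 3 generate a large volume of events.
reg add "%DIAG%" /v "5 Replication Events" /t REG_DWORD /d 3 /f
reg add "%DIAG%" /v "1 Knowledge Consistency Checker" /t REG_DWORD /d 3 /f

echo Reproduce the problem, then review the Directory Service log
echo in Event Viewer before continuing.
pause

rem Return both categories to the default once the data is collected,
rem otherwise the Directory Service log keeps filling.
reg add "%DIAG%" /v "5 Replication Events" /t REG_DWORD /d 0 /f
reg add "%DIAG%" /v "1 Knowledge Consistency Checker" /t REG_DWORD /d 0 /f
endlocal
```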
Verify Active Directory Functionality
DNS
Critical for Active Directory name
resolution
Windows 2000 domain controllers must
register in DNS


Allows Windows 2000 servers and clients to
locate domain controllers
NSLOOKUP Command-line tool


Displays information from DNS servers
Can determine if Windows 2000 domain
controllers are registered in DNS correctly
Verify Active Directory Functionality
Windows 2000 Support Tools utilities


DCDIAG and NETDOM command-line
utilities
DCDIAG



Analyze state of domain controllers in forest
Run several tests and report problems
NETDOM


Manages and verifies Windows 2000 domains
and trust relationships
Verifies domain controllers have correct
credentials, can replicate with partners, etc.
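A first-pass health check that strings the DNS, DCDIAG and NETDOM steps together, as an added example that is not part of the original slides. The domain and server names are placeholders.

```batch
@echo off
rem Added example: first-pass health check of one domain controller.
rem DOMAIN and DC are placeholders (assumptions); substitute your own.
setlocal
set DOMAIN=example.com
set DC=dc1.example.com

rem 1. DNS: every domain controller registers an LDAP SRV record under
rem    _msdcs. A DC missing from this answer cannot be located by clients.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
rem    The PDC emulator registers its own record.
nslookup -type=SRV _ldap._tcp.pdc._msdcs.%DOMAIN%
rem    The SRV target must also resolve to the DC's current address.
nslookup %DC%

rem 2. DCDIAG: run the default test set against the DC and keep the log.
dcdiag /s:%DC% /v /f:dcdiag_%DC%.log
rem    Failed tests are reported on lines containing "failed test".
findstr /i /c:"failed test" dcdiag_%DC%.log
if errorlevel 1 echo No failed DCDIAG tests recorded for %DC%.

rem 3. NETDOM: list the domain controllers and the FSMO role holders so
rem    they can be compared with what DNS returned in step 1.
netdom query /domain:%DOMAIN% dc
netdom query /domain:%DOMAIN% fsmo
endlocal
```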
Demonstration 1
Verify Active Directory
Functionality
Turn up logging
DNS and NSLOOKUP
DCDIAG and NETDOM
Agenda





Verify Active Directory Functionality
Troubleshoot Replication
Active Directory Database Maintenance
Backup and Recovery
Seize FSMO Roles
Troubleshoot Replication
Directory and File Replication

Directory Service Replication



Replicates computer and user accounts, and
other directory objects
Provides enterprise-wide authentication
File Replication


Uses File Replication Service
Replicates logon scripts and policies
Troubleshoot Replication
Replication Between Domain Controllers
[Diagram: two domain controllers connected by two replication paths]
Directory Replication: directory objects (users, computers, etc.)
File Replication Service: SYSVOL (logon scripts, policies, etc.)
Troubleshoot Replication
Active Directory Replication Monitor

Windows 2000 Support Tools utility




Also called REPLMON
View low-level status of Active Directory
replication
View replication topology in graphical
format
Force replication between domain
controllers

Even across site boundaries
Troubleshoot Replication
REPADMIN Command-line Tool





Windows 2000 Support Tools utility
Diagnose replication problems between
domain controllers
Show replication partners
Force replication between domain
controllers
Discover from where domain objects are
replicated
Troubleshoot Replication
File Replication Service

FRS replicates the SYSVOL

Contains NETLOGON share




Stores logon scripts and system policies
Contains Group Policies in separate folders
Stores replication information in a JET
database
Replaces Replication Manager found on
Windows NT 4.0 servers
Troubleshoot Replication
NTFRSUTL Command-line Tool


Examines state of File Replication Service
on local or remote computers
Verifies that a server is a member and
subscriber of the SYSVOL replica set



The replica set is the set of files and folders
specified to replicate
View daily replication schedule
Troubleshoot FRS configuration problems
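A replication triage pass using REPADMIN and NTFRSUTL, as an added example that is not part of the original slides. The server name and distinguished names are placeholders.

```batch
@echo off
rem Added example: replication triage for one domain controller.
rem DC, DOMAIN_DN and OBJECT_DN are placeholders (assumptions).
setlocal
set DC=dc1.example.com
set DOMAIN_DN=DC=example,DC=com
set OBJECT_DN=CN=Test User,CN=Users,%DOMAIN_DN%

rem 1. Show inbound replication partners for each naming context, with
rem    the time and result of the last attempt. Repeated failures from
rem    one partner point at that link.
repadmin /showreps %DC%

rem 2. Show per-attribute metadata for one object: the originating DC,
rem    the time of the change and the version number of each attribute.
rem    This answers "where did this change come from?".
repadmin /showmeta "%OBJECT_DN%" %DC%

rem 3. Force the DC to synchronize the domain naming context with all
rem    of its partners. /e crosses site boundaries, /d identifies
rem    servers by distinguished name in the output.
repadmin /syncall %DC% "%DOMAIN_DN%" /e /d

rem 4. FRS: dump the service's view of its Active Directory
rem    configuration (member and subscriber objects, schedule), then
rem    the replica sets it is actually running.
ntfrsutl ds %DC%
ntfrsutl sets %DC%

rem 5. SYSVOL and NETLOGON must both appear as shares for the DC to
rem    serve logon scripts and policies.
net view \\%DC%
endlocal
```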
Demonstration 2
Diagnosing and
Troubleshooting Replication
REPLMON tool
REPADMIN tool
Troubleshoot FRS with NTDSUTL
Agenda





Verify Active Directory Functionality
Troubleshoot Replication
Active Directory Database Maintenance
Backup and Recovery
Seize FSMO Roles
Active Directory Database Maintenance
NTDSUTIL Command-line Utility




Locate Active Directory database files
Perform database maintenance
Manage FSMO roles
Clean domain controller accounts


Left when domain controllers are improperly
removed
May need to boot into Directory Services
Restore Mode
Active Directory Database Maintenance
NTDSUTIL is an interactive tool
Demonstration 3
Active Directory Database
Maintenance
View Active Directory Database
and Log files
Database Maintenance
Agenda





Verify Active Directory Functionality
Troubleshoot Replication
Active Directory Database Maintenance
Backup and Recovery
Seize FSMO Roles
Backup and Recovery
What is the system state?



Active Directory
Boot files
COM+ class registration database



Registry
SYSVOL


Installed COM+ applications
Group policies and logon scripts
Cluster service database information
Backup and Recovery
Backing up system state data

Use Windows 2000 Backup utility




Easy to use and schedule backups
Can back up system state while the server is
on-line and functioning
Can backup to a file or a network location
May generate large backup files
Backup and Recovery
Restoring system state data

Use Windows 2000 Backup utility




Can restore to original or alternate location
Can specify whether to overwrite existing
files
Non-authoritative restores
Authoritative restores



Recover deleted directory objects
Restore objects changed since backup
Use NTDSUTIL
Backup and Recovery
Authoritative restore
[Diagram: authoritative restore]
Restore System State from backup media to the domain controller
Use NTDSUTIL to mark restored Active Directory objects (user, OU, etc.) as authoritative
Authoritative data is replicated to other domain controllers
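The authoritative restore sequence for a single deleted OU, as an added example that is not part of the original slides. The OU, domain and server names are placeholders, and the script is split into a "mark" step run in Directory Services Restore Mode and a "verify" step run after the normal restart.

```batch
@echo off
rem Added example: authoritative restore of one deleted OU.
rem OU_DN, DOMAIN_DN and DC are placeholders (assumptions).
rem
rem Sequence on the domain controller being restored:
rem   a. Restart, press F8, choose Directory Services Restore Mode.
rem   b. Restore System State with Windows 2000 Backup. Do NOT restart.
rem   c. Run this script with "mark", then restart normally.
rem   d. After the restart, run this script with "verify".
setlocal
set DOMAIN_DN=DC=example,DC=com
set OU_DN=OU=Sales,%DOMAIN_DN%
set DC=dc1.example.com

if /i "%1"=="mark" goto mark
if /i "%1"=="verify" goto verify
echo Usage: %0 mark ^| verify
goto end

:mark
rem Marks only this subtree as authoritative. NTDSUTIL raises the
rem version numbers of the restored objects so that they win over the
rem deletion held by the other domain controllers. Without this step
rem the restore is non-authoritative and replication removes the OU again.
ntdsutil "authoritative restore" "restore subtree %OU_DN%" quit quit
goto end

:verify
rem The raised version numbers are visible in the object's metadata.
repadmin /showmeta "%OU_DN%" %DC%
rem The restored objects replicate out on the next cycle; this forces it.
repadmin /syncall %DC% "%DOMAIN_DN%" /e /d
goto end

:end
endlocal
```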
Demonstration 4
Backup and Recovery
Backup system state
Delete an OU and force
replication
Perform an authoritative restore
Agenda





Verify Active Directory Functionality
Troubleshoot Replication
Active Directory Database Files
Backup and Recovery
Seize FSMO Roles
Seize FSMO Roles
What are FSMO roles?


Forest and domain-level operations
controlled by a single domain controller
Roles requiring single masters





Schema Master
Domain Naming Master
Primary Domain Controller (PDC) Emulator
Relative ID (RID) Master
Infrastructure Master
Seize FSMO Roles
Seizing FSMO roles

Necessary operation when a role-holding
domain controller is improperly removed


Not always possible due to hardware failure,
etc.
Use NTDSUTIL


Allows you to transfer roles when role-holding server is still online
Allows you to seize any or all FSMO roles if
role-holding server is unavailable
Seize FSMO Roles
Seizing the PDC role
[Diagram: seizing the PDC role]
Before: a Windows 2000 Domain Controller is the PDC FSMO Role Holder; the Windows NT 4.0 Domain Controller synchronizes with the PDC role holder
Failure (X): the PDC FSMO Role Holder is lost; the Windows NT 4.0 Domain Controller is no longer in sync
Use NTDSUTIL to seize the PDC role: another Windows 2000 DC seizes the PDC role
After: the Windows NT 4.0 Domain Controller now synchronizes with the new PDC role holder
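Transferring or seizing the PDC role with NTDSUTIL, as an added example that is not part of the original slides. The domain and server names are placeholders; the same pattern applies to the other roles, which NTDSUTIL names "schema master", "domain naming master", "RID master" and "infrastructure master".

```batch
@echo off
rem Added example: move the PDC emulator role to a surviving DC.
rem DOMAIN and NEWDC are placeholders (assumptions).
setlocal
set DOMAIN=example.com
set NEWDC=dc2.example.com

rem Record who holds each role before changing anything.
netdom query /domain:%DOMAIN% fsmo

if /i "%1"=="transfer" goto transfer
if /i "%1"=="seize" goto seize
echo Usage: %0 transfer ^| seize
goto end

:transfer
rem The current role holder is still online: ask it to hand the role
rem over. This is the safe path and should always be tried first.
ntdsutil roles connections "connect to server %NEWDC%" quit "transfer PDC" quit quit
goto check

:seize
rem The current role holder is unavailable and will not return:
rem NEWDC takes the role without the old holder's cooperation.
rem NTDSUTIL asks for confirmation before it proceeds.
ntdsutil roles connections "connect to server %NEWDC%" quit "seize PDC" quit quit
goto check

:check
rem Confirm the role now points at NEWDC.
netdom query /domain:%DOMAIN% fsmo

:end
endlocal
```

After a seizure of the schema master, domain naming master or RID master role, the former role holder should not be returned to the network without being rebuilt, since two domain controllers would then believe they own the same role.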
Demonstration 5
Seizing FSMO Roles
Seize FSMO roles using
NTDSUTIL
Session Summary





Turn up Active Directory Logging to
troubleshoot Active Directory problems
Perform Active Directory Database
Maintenance with NTDSUTIL
Backup System State on Domain
Controllers to backup Active Directory
Authoritative Restores can recover
deleted directory objects
Seize FSMO roles with NTDSUTIL.EXE
For More Information…

Main TechNet Web site at
www.microsoft.com/technet

This session’s resource page
www.microsoft.com/technet//tnt1-76
MS Press
Inside information for IT Professionals
To find the latest IT Professional related titles visit
www.microsoft.com/mspress/it/
3rd Party Publications
Supplementary publications for IT Pro’s
These books can be found and purchased at all good book
stores and on-line retailers
Training
Training Resources for IT Professionals
Implementing and Administering Microsoft Windows 2000 Directory Services
Course Number: 2154
Availability: Current
Detailed Syllabus: www.microsoft.com/traincert
To locate a training provider, please access www.microsoft.com/traincert
Microsoft Certified Technical Education Centers
are Microsoft’s premier partners for training services
Become a Microsoft Certified
Systems Administrator (MCSA)

What is the MCSA certification?


How do I become an MCSA on Microsoft
Windows 2000?



For professionals who implement, manage, and
troubleshoot existing network and system
environments based on Microsoft Windows 2000
platforms
Pass 3 core exams
Pass 1 elective exam or 2 CompTIA certifications
Where do I get more information?

For more information about certification
requirements, exams, and training options,
visit www.microsoft.com/mcsa
Become A Microsoft Certified
Systems Engineer (MCSE)

What is the MCSE certification?


How do I become an MCSE on Microsoft Windows
2000?




Premier certification for professionals who analyze the
business requirements and design and implement the
infrastructure for business solutions based on the Microsoft
server software.
Pass 4 core exams
Pass 1 design exam
Pass 2 elective exams from a comprehensive list
Where do I get more information?

For more information about certification requirements,
exams, and training options,
visit www.microsoft.com/mcse
What is TechNet?

Put the right answers at your fingertips

TechNet is the comprehensive collection of resources to help IT
implementers plan, deploy and manage Microsoft products
successfully
TechNet
Subscription
TechNet Web Site
TechNet Flash
TechNet Events
and Web Casts
TechNet
Communities
Monthly updates delivered on DVD or CD
The definitive resource to help you evaluate, deploy and
maintain Microsoft products
Accessible at www.microsoft.com/technet
Online resources and community
Subscriber-only Online Services
Bi-weekly e-newsletter
Security updates, new resources, and special offers
Briefings on the latest Microsoft products and technologies
Hands-on, “how to” information
User Groups
Managed Newsgroups
The TechNet Subscription
TechNet is a monthly subscription
service that provides the tools,
software, and resources that an IT
professional needs to efficiently
plan, deploy, manage, and support
Microsoft products.
A TechNet Subscription is proven to
save you or your company time and
money.
If you’re an IT professional working
in technical support, network or
systems administration, or
technology architecture, TechNet
was created for you.
“You have everything you need to solve problems in one place”
– Wayne Brown, VP Information Technology, Heald College
Where Can I Get TechNet?

Visit TechNet Online at
www.microsoft.com/technet

Register for the TechNet Flash
www.microsoft.com/technet/usingtn/register/flash.asp

Join the TechNet Online forum at
www.microsoft.com/technet/itcommunity

Become a TechNet Subscriber at
www.microsoft.com/technet/buynow/subscribe

Attend More TechNet Events or view on-line
www.microsoft.com/technet/tcevents/itevents