Learning Windows Server 2003

5.7. Active Directory Troubleshooting and Maintenance

Things will inevitably break in your networkthis is a given. Also, you'll need to perform a few fairly common tasks on a somewhat regular basis to keep your Active Directory installation running at maximum performance and efficiency. In this section, I'll take a look at troubleshooting and maintenance, and show you how to both keep your network in tip-top shape, and how to figure out what's wrong when things go wrong.

5.7.1. Troubleshooting AD with DNSLint

Recall DNSLint from Chapter 4? Well, since AD is based on DNS, there are some specific scenarios in which DNSLint can be a lifesaver in terms of identifying and solving a quirky problem with your AD infrastructure. In fact, DNS problems are the most common issue keeping AD from working correctly.

DNSLint can help you figure out when the following issues are occurring:

• A network adapter whose TCP/IP configuration doesn't refer to an authoritative DNS server for the zone that works with the AD domain.

• A DNS zone file wihout a CNAME record with the globally unique identifier (GUID) of each domain controller along with the A records that act as glue records. (Check out Chapter 4 for a refresher on what those terms mean.)

• Lame delegations to child zones where the NS records specified for the delegation either do not have corresponding glue records or point to servers that are offline or not responding.

• The DNS zone corresponding to an AD domain does not contain the necessary SRV records, including the _ldap service on TCP port 389, the _kerberos service on TCP and UDP port 88. GC servers need a SRV record for the _gc service on TCP port 3268.

• The PDC Emulator FSMO role master does not have a required SRV record for the _ldap service.

Even better, you can use DNSLint with Dcdiag, another program that can be found in the Support Tools on the Windows Server 2003 CD, to perform many tests and checks prior to promoting a machine to a DC role. You can also probe a current DC just to make sure it's configured correctly. Specifically, the /dcpromo switch for Dcdiag tests to verify that you have the correct DNS settings for promoting a machine to a DC, and it will list the problems and solutions if there are any.

To check the machine JH-W2K3-DC2 to ensure that it's ready to be promoted to a DC in the corp.hasselltech.local domain, use the following command:

dcdiag /s:jh-w2k3-dc2 /dcpromo /dnsdomain:corp.hasselltech.local /replicadc

5.7.2. Offline Defragmenting of NTDS Database

Like a hard disk, the database containing all the objects and information within Active Directory can become fragmented at times on domain controllers because different parts of the directory are being written too often, and other parts are being rearranged to be read less often. Although you might think that defragging your hard drive will defragment the NTDS.DIT file on your domain controller's hard disk automatically, this just isn't the case.

Active Directory handles online defragmenting itself, and it does an adequate job. To really clean out the database, however, and defrag it for the maximum possible gain in efficiency, you need to take the domain controller offline so that the defragmenting process can have exclusive use of the database file. This requires four steps: first, reboot the domain controller in question and get it into directory services restore mode; second, perform the actual defragmentation; third, copy the defragmented database back into the production directory; and fourth, reboot the machine. (Replication to other domain controllers in Active Directory won't be affected, as Active Directory is smart enough to work around the downed domain controller. It will receive changes when it is brought back online.)

Let's step through these steps now:

1. Reboot your domain controller.

2. As the domain controller begins to boot, press F8 to make the Startup menu appear.

3. Select Directory Services Restore Mode.

4. When the system prompts you to log in, use the domain administrator account, but use the restore mode password you created when you first promoted this domain controller to a domain controller role.

5. Open a command prompt.

6. Enter ntdsutil at the command prompt to start the offline NTDSUtil tool.

7. Enter file to enter the file maintenance context.

8. Type compact to <location>, where <location> signifies the path to the place where you want the defragmented copy of the directory stored. When defragmented, Active Directory makes a copy of the database so that if something goes wrong, you haven't messed up the production copy of the directory.

9. Look for the line "Operation completed successfully in x seconds." If you see this, type quit to exit NTDSUtil.

10. At the regular command prompt, copy the file NTDS.DIT from the location you selected in step 8 to \Windows\NTDS. Feel free to overwrite the current file at that locationit is the fragmented version.

11. Delete any files with the extension .LOG in that same directory.

12. Restart your domain controller normally, and boot Windows Server 2003 as normal.

Your database is now defragmented.

5.7.3. Cleaning Directory Metadata

As your Active Directory implementation ages, you'll probably be left with some junk: old computer accounts that refer to PCs you dumped a long time ago, domain controllers you removed from service without first decommissioning them within Active Directory, and other detritus. Every so often, it's a good idea to clean out this old data so that bugs that are hard to track (and therefore are hard to troubleshoot) don't pop up, and so that future major Active Directory actions, such as renaming or removing a domain, aren't held up because of a junked-up directory.

Let's say we have a child domain, called cluster.hasselltech.local, which we want removed. To do this, we again will use the NTDSUtil tool and its metadata cleanup feature. To begin, go to a domain controller and log in as an enterprise administrator. Then follow these steps:

1. Open a command prompt.

2. Type ntdsutil to open the program.

3. Type metadata cleanup to enter that part of the program.

4. Type connections to receive the Server Connections prompt.

5. Enter connect to server localhost to initiate a connection with the current domain controller.

6. Type quit to exit that module.

7. Now type select operation target and press Enter.

8. Type list domains to get a list of domains.

9. NTDSUtil will bring up a list of domains in your system. In our example, cluster.hasselltech.local comes up as domain 2. So, to set the domain in our sights to destroy, type select domain 2 and press Enter.

10. Next, you'll need to determine the site in which cluster.hasselltech.local resides. Type list sites to bring up a list like you saw in steps 8 and 9.

11. In our case, cluster.hasselltech.local resides in site CHARLOTTE, which comes up as site 3 in our list. So, type select site 3 and press Enter.

12. Now you need to get rid of the domain controllers in that domain. Find out what those machines are by typing list servers for domain in site and pressing Enter.

13. There are two domain controllers, numbered 0 and 1. You need to get rid of both, so type select server 0 and press Enter.

14. Type quit, and then type remove selected server. Confirm your choice.

15. Type select server 1 and press Enter.

16. Type remove selected server, and again confirm your choice.

17. Finally, type remove selected domain and press Enter.

18. Type quit to exit NTDSUtil.