Generic Tricks & Tweaks
Exchange Schema Version
dsquery * CN=ms-Exch-Schema-Version-Adc,cn=schema,cn=configuration,dc=yourdomain,dc=local -scope base -attr rangeUpper
This object records the Active Directory Connector (ADC) schema version. The version of the Exchange server schema itself is the rangeUpper of CN=ms-Exch-Schema-Version-Pt in the same container, queried the same way. Replace dc=yourdomain,dc=local with the forest root domain; the schema partition is forest-wide, so the value is the same on every domain controller.
Windows 2003 (and R2) Servers
Some improvements were made to Active Directory, and the single-master roles can be spread over several domain controllers to allow more load-balancing and to optimize performance over slow WAN links. These roles are called FSMO (flexible single master operations) roles; they already existed in Windows 2000 and are:
- schema master (one per forest)
- domain naming master (one per forest)
- RID (relative id) master (one per domain, i.e. per sub-tree in the terminology below)
- PDC emulation master (one per domain) - also the authoritative time server of the domain
- infrastructure master (one per domain)
- global catalog server (not exactly a role, since any number of DCs can hold it, but also an important function in AD)
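As an added example (not code from the original page), the following PowerShell script lists which domain controller holds each of the roles above, which DCs are global catalogs, and whether each role holder still answers on LDAP, which is the first thing to establish before deciding between a transfer and a seize. It assumes the ActiveDirectory module (RSAT or Windows Server 2008 R2 and later); on a Windows 2003 DC "netdom query fsmo" gives the role list instead.

```powershell
# Added example (not from the original page): list which DC holds each FSMO
# role, which DCs are global catalogs, and whether each holder answers on LDAP.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later);
# on a Windows 2003 DC use "netdom query fsmo" for the role list instead.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles  = [ordered]@{
    'Schema master'        = $forest.SchemaMaster         # one per forest
    'Domain naming master' = $forest.DomainNamingMaster   # one per forest
}
foreach ($domName in $forest.Domains) {                   # three more per domain
    $dom = Get-ADDomain -Identity $domName
    $roles["RID master ($domName)"]            = $dom.RIDMaster
    $roles["PDC emulator ($domName)"]          = $dom.PDCEmulator
    $roles["Infrastructure master ($domName)"] = $dom.InfrastructureMaster
}

foreach ($entry in $roles.GetEnumerator()) {
    # A holder that is offline is the case that needs a seize rather than a transfer.
    $up = Test-NetConnection -ComputerName $entry.Value -Port 389 `
              -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-45} {1,-35} LDAP up: {2}' -f $entry.Key, $entry.Value, $up
}

# Global catalog is a function, not a role: any number of DCs may hold it.
$gcs = $forest.GlobalCatalogs
"Global catalogs: $($gcs -join ', ')"

# Known trap: in a multi-domain forest the infrastructure master must not be a
# GC unless every DC in that domain is a GC, otherwise cross-domain references
# (phantoms) are never updated.
foreach ($domName in $forest.Domains) {
    $dom   = Get-ADDomain -Identity $domName
    $dcs   = Get-ADDomainController -Filter * -Server $domName
    $allGc = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($forest.Domains.Count -gt 1 -and $gcs -contains $dom.InfrastructureMaster -and -not $allGc) {
        Write-Warning "$($dom.InfrastructureMaster) is infrastructure master of $domName and a GC, but not all DCs there are GCs"
    }
}
```

The infrastructure-master check at the end is the one misplacement that silently breaks a multi-domain forest: the role holder compares its own copy of cross-domain references against the GC, and if it is a GC itself it never sees a difference.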
The Active Directory database is again stored in a file called NTDS.DIT. It contains the same two main tables as before (the data table and the link table) plus a new security-descriptor table, which stores each distinct security descriptor only once instead of repeating it on every object that carries it (single-instance storage).
Roles may be changed during normal operation from the command line with "ntdsutil" (then "roles" at its prompt; ntdsutil also accepts the same commands as quoted arguments, e.g. ntdsutil "roles" ...).
If there are (at least) two DC servers in a domain, authentication and directory service continue on the remaining server(s) when one fails, but the FSMO roles the failed server held are not taken over automatically: they stay assigned to the dead server until an administrator transfers or seizes them, so every role holder remains a single point of failure. If the failed server cannot be repaired at all, or cannot be repaired without a complete reinstallation, its directory metadata (the server and NTDS Settings objects) must be removed manually with "ntdsutil", "metadata cleanup", and its computer account deleted; otherwise the surviving DCs keep trying to replicate with it.
Note that "transfer" is the proper way and only works while the current role holder is online; "seize" is a drastic step for a holder that is gone for good. After seizing the schema master, domain naming master or RID master, the old holder must never be brought back online with its old directory state (reinstall it instead), or the forest ends up with two servers claiming the same role.
C:\...> **ntdsutil** [ENTER]
ntdsutil: **roles** [ENTER]
fsmo maintenance: **connections** [ENTER]
server connections: **connect to server <servername>** [ENTER]
server connections: **quit** [ENTER]
fsmo maintenance: **<transfer|seize> <schema master|domain naming master|infrastructure master|rid master|pdc>** [ENTER]
fsmo maintenance: **quit** [ENTER]
ntdsutil: **quit** [ENTER]
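The same procedure, as an added example that is not part of the original page: a transfer, a seize for a holder that is dead, and the metadata cleanup that must follow a seize, done with the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later). The names DC02 (surviving DC that receives the roles) and DC01 (failed DC) are hypothetical.

```powershell
# Added example (not from the original page): transfer, or seize if the holder
# is dead, the FSMO roles with the ActiveDirectory module, then remove the dead
# DC's metadata. Assumed (hypothetical) names: DC02 is the surviving DC that
# receives the roles, DC01 is the failed DC.
Import-Module ActiveDirectory

$target = 'DC02'
$failed = 'DC01'

# 1. Transfer: the normal path. The current holder must be online; it
#    acknowledges the hand-over, so no stale copy of the role remains.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster `
    -Confirm:$false

# 2. Seize: only when the holder is gone for good. -Force tries a transfer
#    first and seizes if that fails, so it is safe to use in both cases.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole RIDMaster, PDCEmulator, InfrastructureMaster `
    -Force -Confirm:$false

# The same seize in ntdsutil's argument form, for hosts without the module
# (each quoted argument is one line of the interactive session above):
# ntdsutil "roles" "connections" "connect to server DC02" "quit" "seize rid master" "quit" "quit"

# 3. Metadata cleanup for the dead DC: remove its server object (which holds
#    the NTDS Settings object), then the computer account if it is still there.
#    Without this the other DCs keep trying to replicate with DC01.
$cfgNc    = (Get-ADRootDSE).configurationNamingContext
$serverDn = (Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$failed'" `
                -SearchBase $cfgNc).DistinguishedName
if ($serverDn) {
    & ntdsutil "metadata cleanup" "remove selected server $serverDn" "quit" "quit"
}
$dcOu = (Get-ADDomain).DomainControllersContainer
$comp = Get-ADComputer -Filter "name -eq '$failed'" -SearchBase $dcOu
if ($comp) {
    # DC accounts are protected from accidental deletion by default (2008+).
    Set-ADObject -Identity $comp -ProtectedFromAccidentalDeletion:$false
    Remove-ADObject -Identity $comp -Recursive -Confirm:$false
}

# 4. Verify: every role should now name DC02 and DC01 must not appear anywhere.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster
Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog
```

Step 2 deliberately leaves out the schema and domain naming masters: seize those two only after confirming the old holder is really unrecoverable, because a seized forest-wide role is the case where the old server returning does the most damage.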
In some cases, you can also change the role masters graphically:
#. for schema master - register "regsvr32 schmmgmt.dll" (needed only the first time)
#. start an empty management console (mmc) - add the snap-in "Active Directory Schema"
#. connect to the desired new domain controller, if it is not the local host
#. right-click on "Active Directory Schema", then "Operations Master" - make the change.
For the domain-wide roles (RID, PDC, infrastructure) the same "Operations Masters" dialog is in "Active Directory Users and Computers", and for the domain naming master in "Active Directory Domains and Trusts".
It has also been reported that the following command may help with "global catalog not found" error messages after the global catalog service has been enabled on the current server. The DC locator only returns a DC that advertises as GC, which requires the new GC to have finished its initial replication of the partial partitions and to have registered its _gc SRV records in DNS.
how to enable GC: MS KB 313994
then command line: NLTEST /dsgetdc:example.com /gc (from MS KB 253096)
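As an added example (not from the original page), this PowerShell script works through the causes of "global catalog not found" in the order the DC locator would hit them: whether the locator finds any GC at all (the nltest check above), whether each DC that is flagged as a GC is actually ready and listening on 3268, and whether the _gc SRV records exist. The domain name example.com follows the nltest line; the DC name DC02 in the last step is hypothetical.

```powershell
# Added example (not from the original page): diagnose "global catalog not found".
# Assumed domain: example.com (as in the nltest line above); DC02 is hypothetical.
Import-Module ActiveDirectory
$domain = 'example.com'

# 1. DC locator view, the equivalent of NLTEST /dsgetdc:example.com /gc.
$gc = Get-ADDomainController -DomainName $domain -Discover -Service GlobalCatalog `
          -ErrorAction SilentlyContinue
if ($gc) { "Locator returned GC: $($gc.HostName)" }
else     { Write-Warning "DC locator finds no GC for $domain" }

# 2. Per-DC view: a DC can be flagged as GC in AD but not yet *ready*
#    (isGlobalCatalogReady in RootDSE becomes TRUE only after the partial
#    replicas of the other domains have replicated in).
foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    $rootDse = [ADSI]"LDAP://$($dc.HostName)/RootDSE"
    $ready   = ([string]$rootDse.isGlobalCatalogReady) -eq 'TRUE'
    $port    = Test-NetConnection -ComputerName $dc.HostName -Port 3268 `
                   -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-30} IsGlobalCatalog={1} Ready={2} Port3268={3}' -f `
        $dc.HostName, $dc.IsGlobalCatalog, $ready, $port
}

# 3. DNS view: missing _gc SRV records are the usual reason the locator fails
#    even though a DC is a ready GC. Netlogon re-registers them on restart.
Resolve-DnsName -Name "_gc._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight

# 4. Enabling the GC on a DC without the GUI of KB 313994: set bit 1
#    (NTDSDSA_OPT_IS_GC) in the "options" attribute of its NTDS Settings object.
#    OR the bit in rather than overwriting, so other option bits survive.
$ntdsDn = (Get-ADDomainController -Identity 'DC02').NTDSSettingsObjectDN
$ntds   = Get-ADObject -Identity $ntdsDn -Properties options
Set-ADObject -Identity $ntdsDn -Replace @{ options = ([int]$ntds.options -bor 1) }
```

After step 4 the DC still reports Ready=FALSE in step 2 until replication of the partial partitions completes, which on a slow WAN link can take a while; running the nltest or locator check before that point will keep reporting no GC.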
Windows 2000 Servers
Windows 2000 Server was the first Windows system to implement its domain structure through Active Directory, Microsoft's version of a directory service that Novell's NetWare network operating system (NDS) had already offered for years. The main features are:
- Hierarchical structure with the ability to have sub-trees stored on branch servers, and delegate administration of sub-trees to sub-admins
- Use of well-known documented protocols such as DNS and LDAP
The whole of Active Directory with all of its trees is called the forest (slightly incorrect in graph-theory terms, where a forest is a disjoint union of trees, whereas the trees of an AD forest share one schema and configuration partition and are linked by transitive trusts).
The Active Directory database is stored in a file called NTDS.DIT and contains two main tables.
Windows NT Servers
Windows NT implemented its domain structure through NTDS (NT Directory Services), the predecessor of Active Directory. There is exactly one PDC and zero or more BDC in one Windows domain:
- PDC (primary domain controller) - holds the only writable copy of the domain's account database (SAM)
- BDC (backup domain controllers) - hold read-only replicas synchronized from the PDC and can authenticate users
If the PDC fails, any BDC that has properly synchronized before can be promoted to PDC in Server Manager ("Computer" menu, "Promote to Primary Domain Controller"). dcpromo is the Windows 2000 and later tool for creating and demoting domain controllers and does not exist on Windows NT.