Active Directory Cookbook for Windows Server 2003, Part 3



You will also want to remove any trusts that have been established for the domain (see Recipe
2.22 for more details). For more information on how to demote a domain controller, see Recipe
3.3.
2.4.3 Discussion
The "brute force" method for removing a forest as described in the Discussion for Recipe 2.2 is
not a good method for removing a domain. Doing so leaves all of the domain controller and
server objects, along with the domain object and its associated domain naming context, behind
in the forest. If you used that approach, you would eventually see replication and File
Replication Service (FRS) errors in the event log from failed replication attempts.
2.4.4 See Also
Recipe 2.19 for viewing the trusts for a domain, Recipe 2.22 for removing a trust, Recipe 3.3 for
demoting a domain controller, MS KB 238369 (HOW TO: Promote and Demote Domain
Controllers in Windows 2000), and MS KB 255229 (Dcpromo Demotion of Last Domain
Controller in Child Domain Does Not Succeed)
Recipe 2.5 Removing an Orphaned Domain
2.5.1 Problem
You want to completely remove a domain that was orphaned because "This server is the last
domain controller in the domain" was not selected when demoting the last domain controller, the
domain was forcibly removed, or the last domain controller in the domain was decommissioned
improperly.
2.5.2 Solution
2.5.2.1 Using a command-line interface
The following ntdsutil commands would forcibly remove the emea.rallencorp.com
domain from the rallencorp.com forest. Replace <DomainControllerName> with the hostname
of the Domain Naming Flexible Single Master Operation (FSMO) role holder for the forest:
> ntdsutil "meta clean" "s o t" conn "con to server <DomainControllerName>" q q
metadata cleanup: "s o t" "list domains"
Found 4 domain(s)


0 - DC=rallencorp,DC=com
1 - DC=amer,DC=rallencorp,DC=com
2 - DC=emea,DC=rallencorp,DC=com
3 - DC=apac,DC=rallencorp,DC=com
select operation target: sel domain 2
No current site
Domain - DC=emea,DC=rallencorp,DC=com
No current server

No current Naming Context
select operation target: q
metadata cleanup: remove sel domain
You will receive a message indicating whether the removal was successful.
2.5.3 Discussion
Removing an orphaned domain consists of removing the domain object for the domain (e.g.,
dc=emea,dc=rallencorp,dc=com), all of its child objects, and the associated crossRef object in
the Partitions container. You need to target the Domain Naming FSMO when using the
ntdsutil command because that server is responsible for creation and removal of domains.
In the solution, shortcut parameters were used to reduce the amount of typing necessary. If each
parameter were typed out fully, the commands would look as follows:
> ntdsutil "metadata cleanup" "select operation target" connections "connect to server <DomainControllerName>" quit quit
metadata cleanup: "select operation target" "list domains"
Found 4 domain(s)
0 - DC=rallencorp,DC=com
1 - DC=amer,DC=rallencorp,DC=com
2 - DC=emea,DC=rallencorp,DC=com
3 - DC=apac,DC=rallencorp,DC=com
select operation target: select domain 2
No current site
Domain - DC=emea,DC=rallencorp,DC=com
No current server
No current Naming Context
select operation target: quit
metadata cleanup: remove selected domain
2.5.4 See Also
Recipe 3.6 for removing an unsuccessfully demoted domain controller, MS KB 230306 (HOW
TO: Remove Orphaned Domains from Active Directory), MS KB 251307 (HOW TO: Remove
Orphaned Domains from Active Directory Without Demoting the Domain Controllers), and MS
KB 255229 (Dcpromo Demotion of Last Domain Controller in Child Domain Does Not Succeed)
Recipe 2.6 Finding the Domains in a Forest
2.6.1 Problem
You want a list of the domains in a forest.

2.6.2 Solution
2.6.2.1 Using a graphical user interface
Open the Active Directory Domains and Trusts snap-in. The list of the domains in the default
forest can be browsed in the left pane.
2.6.2.2 Using a command-line interface
> ntdsutil "d m" "sel op tar" c "co t s <DomainControllerName>" q "l d" q q q
2.6.2.3 Using VBScript
' This code gets the list of the domains contained in the
' forest that the user running the script is logged into.

set objRootDSE = GetObject("LDAP://RootDSE")

strADsPath = "<GC://" & objRootDSE.Get("rootDomainNamingContext") & ">;"
strFilter = "(objectcategory=domainDNS);"
strAttrs = "name;"
strScope = "SubTree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend
2.6.3 Discussion
2.6.3.1 Using a graphical user interface
If you want to view the domains for an alternate forest than the one you are logged into, right-
click on "Active Directory Domains and Trusts" in the left pane, and select "Connect to Domain
Controller." Enter the forest name you want to browse in the Domain field. In the left pane,
expand the forest root domain to see any subdomains.
2.6.3.2 Using a command-line interface
In the ntdsutil example, shortcut parameters were used to reduce the amount of typing needed.
If each parameter were typed out fully, the command line would look like:
> ntdsutil "domain management" "select operation target" connections "connect to server <DomainControllerName>" quit "List domains" quit quit quit
2.6.3.3 Using VBScript


In the VBScript solution, an ADO query is used to search for domainDNS objects stored in the
global catalog, using the root (forest) Domain NC as the search base. This query will find all
domains in the forest.
To find the list of domains for an alternate forest, include the name of the forest as part of the
ADsPath used in the first line of code. The following would target the othercorp.com forest:
set objRootDSE = GetObject("LDAP://othercorp.com/" & "RootDSE")
2.6.4 See Also
Recipe 3.8 for finding the domain controllers for a domain
Recipe 2.7 Finding the NetBIOS Name of a Domain
2.7.1 Problem
You want to find the NetBIOS name of a domain. Although Microsoft has moved to DNS for
primary name resolution, the NetBIOS name of a domain is still important, especially for
down-level clients that rely on NetBIOS rather than DNS for naming.
2.7.2 Solution
2.7.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. Right-click the domain you want to view in the left pane and select Properties.
The NetBIOS name will be shown in the "Domain name (pre-Windows 2000)" field.
2.7.2.2 Using a command-line interface
> dsquery * cn=partitions,cn=configuration,<ForestRootDN> -filter[RETURN]
"(&(objectcategory=crossref)(dnsroot=<DomainDNSName>)(netbiosname=*))" -
attr[RETURN]
netbiosname
2.7.2.3 Using VBScript
' This code prints the NetBIOS name for the specified domain
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")

strADsPath = "<LDAP://" & strDomain & "/cn=Partitions," & _
objRootDSE.Get("configurationNamingContext") & ">;"
strFilter = "(&(objectcategory=Crossref)" & _
"(dnsRoot=" & strDomain & ")(netBIOSName=*));"
strAttrs = "netbiosname;"
strScope = "Onelevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
WScript.Echo "NetBIOS name for " & strDomain & " is " & objRS.Fields(0).Value
2.7.3 Discussion
Each domain has a crossRef object that is used by Active Directory to generate referrals.
Referrals are necessary when a client performs a query and the directory server handling the
request does not have the matching object(s) in its domain. The NetBIOS name of a domain is
stored in the domain's crossRef object in the Partitions container in the Configuration NC.
Each crossRef object has a dnsRoot attribute, which is the fully qualified DNS name of the
domain, and the netBIOSName attribute contains the NetBIOS name for the domain. Only the
crossRef objects for domains have a netBIOSName; the crossRef objects for the Configuration
and Schema NCs, which carry the forest root's DNS name as their dnsRoot, and those for
application partitions do not, which is why the solution's filter includes (netbiosname=*)
alongside the dnsRoot match.
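The crossRef lookup that Recipes 2.6 and 2.7 perform over LDAP, done offline against an ldifde export of the Partitions container. This is an added example, not code from the cookbook; it assumes the export was produced with the ldifde command shown in the comment, and SAMPLE_LDIF is constructed data for the rallencorp.com forest used in this chapter, not a real export.

```python
# Added example (not from the cookbook): list a forest's domains and their
# NetBIOS names from an ldifde export of the Partitions container, i.e. the
# same crossRef data Recipes 2.6 and 2.7 query over LDAP. Assumed export:
#   ldifde -f partitions.ldf -d "cn=Partitions,cn=Configuration,<ForestRootDN>"
#          -r "(objectcategory=crossref)" -l nCName,dnsRoot,nETBIOSName,systemFlags
# SAMPLE_LDIF is constructed test data, not a real export.
import base64

SAMPLE_LDIF = """\
dn: CN=RALLENCORP,CN=Partitions,CN=Configuration,DC=rallencorp,DC=com
nCName: DC=rallencorp,DC=com
dnsRoot: rallencorp.com
nETBIOSName: RALLENCORP
systemFlags: 3

dn: CN=EMEA,CN=Partitions,CN=Configuration,DC=rallencorp,DC=com
nCName: DC=emea,DC=rallencorp,DC=com
dnsRoot: emea.rallencorp.com
nETBIOSName: EMEA
systemFlags: 3

dn: CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=rallencorp,DC=com
nCName: CN=Configuration,DC=rallencorp,DC=com
dnsRoot: rallencorp.com
systemFlags: 1

dn: CN=ForestDnsZones,CN=Partitions,CN=Configuration,DC=rallencorp,DC=com
nCName: DC=ForestDnsZones,DC=rallencorp,DC=com
dnsRoot: ForestDnsZones.rallencorp.com
systemFlags: 5
"""

FLAG_CR_NTDS_DOMAIN = 0x2   # systemFlags bit that only domain crossRefs carry


def parse_ldif(text):
    """Minimal LDIF reader for ldifde output: list of records mapping the
    lowercased attribute name to its values; handles folded lines and base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # continuation of the previous line
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():                # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def crossrefs_for_dnsroot(records, dns_name):
    """DNs of every crossRef whose dnsRoot matches. For the forest root this is
    more than one object (the domain's and the Configuration NC's), which is
    why Recipe 2.7's filter also requires (netbiosname=*)."""
    return [r["dn"][0] for r in records
            if r.get("dnsroot", [""])[0].lower() == dns_name.lower()]


def forest_domains(records):
    """Map each domain's DNS name to its NetBIOS name and naming context.
    Only domain crossRefs carry nETBIOSName (LDAP attribute names are
    case-insensitive, so the cookbook's 'netbiosname' is the same attribute)."""
    domains = {}
    for rec in records:
        if "netbiosname" not in rec:
            continue          # Configuration, Schema and application partitions
        flags = int(rec.get("systemflags", ["0"])[0])
        domains[rec["dnsroot"][0].lower()] = {
            "netbios": rec["netbiosname"][0],
            "nc": rec["ncname"][0],
            # a NetBIOS name without the domain flag would be an inconsistency
            "domain_flag": bool(flags & FLAG_CR_NTDS_DOMAIN),
        }
    return domains


def netbios_name(records, dns_name):
    """Recipe 2.7 lookup: NetBIOS name for a DNS domain name, or None when the
    name is not a domain in this forest (e.g. an application partition)."""
    entry = forest_domains(records).get(dns_name.lower())
    return entry["netbios"] if entry else None


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for dns, info in sorted(forest_domains(recs).items()):
        print(f"{dns:24} {info['netbios']:12} {info['nc']}")
```

Because the export is taken from the Configuration NC, any domain controller in the forest can supply it; the dsquery and ADO queries in the solutions give the same answer live.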
Recipe 2.8 Renaming a Domain
2.8.1 Problem
You want to rename a domain due to organizational changes or legal restrictions because of an
acquisition. Renaming a domain is a very involved process and should be done only when
absolutely necessary. Changing the name of a domain can have an impact on everything from
DNS, replication, and GPOs to DFS and Certificate Services. A domain rename also requires
that all domain controllers and member computers in the domain are rebooted!

2.8.2 Solution
Under Windows 2000, there is no supported process to rename a domain. There is one
workaround for mixed-mode domains in which you revert the domain and any of its child
domains back to Windows NT domains. This can be done by demoting all Windows 2000
domain controllers and leaving the Windows NT domain controllers in place. You could then
reintroduce Windows 2000 domain controllers and use the new domain name when setting up
Active Directory. The process is not very clean and probably won't be suitable for most
situations, but you can find out more about it in MS KB 292541.
A domain rename procedure is supported if a forest is running all Windows Server 2003 domain
controllers and is at the Windows Server 2003 forest functional level. Microsoft provides a
rename tool (rendom.exe) and a detailed white paper describing the process on its web site.
2.8.3 Discussion
The domain rename process can accommodate very complex changes to your domain model.
You can perform the following types of renames:

• Rename a domain to a new name without repositioning it in the domain tree.
• Reposition a domain within a domain tree.
• Create a new domain tree with a renamed domain.
One thing you cannot do with the domain rename procedure is reposition the forest root domain.
You can rename the forest root domain, but you cannot change its status as the forest root
domain. Another important limitation to note is that you cannot rename any domain in a forest
that has had Exchange 2000 installed. A future service pack release of Exchange Server 2003
will reportedly handle domain renames. See the web site mentioned in the solution for more
information on other limitations.
2.8.4 See Also
MS KB 292541 (How to: Rename the DNS name of a Windows 2000 Domain)
Recipe 2.9 Changing the Mode of a Domain

2.9.1 Problem
You want to change the mode of a Windows 2000 Active Directory domain from mixed to native.
You typically want to do this as soon as possible after installing a Windows 2000 domain to take
advantage of features that aren't available with mixed-mode domains.
2.9.2 Solution
2.9.2.1 Using a graphical user interface
1. Open the Active Directory Domains and Trusts snap-in.
2. Browse to the domain you want to change in the left pane.
3. Right-click on the domain and select Properties. The current mode will be listed in the
Domain Operation Mode box.
4. To change the mode, click the Change Mode button at the bottom.
2.9.2.2 Using a command-line interface
To retrieve the current mode, use the following command:
> dsquery * <DomainDN> -scope base -attr ntMixedDomain
Or you can use the enumprop command found in the Windows 2000 Resource Kit.
> enumprop /ATTR:ntMixedDomain "LDAP://<DomainDN>"
To change the mode to native, create an LDIF file called change_domain_mode.ldf with the
following contents:

dn: <DomainDN>
changetype: modify
replace: ntMixedDomain
ntMixedDomain: 0
-
Then run the ldifde command to import the change.
> ldifde -i -f change_domain_mode.ldf
2.9.2.3 Using VBScript
' This code changes the mode of the specified domain to native
' SCRIPT CONFIGURATION

strDomain = "<DomainDNSName>" ' e.g. amer.rallencorp.com
' END CONFIGURATION

set objDomain = GetObject("LDAP://" & strDomain)
if objDomain.Get("nTMixedDomain") > 0 Then
    Wscript.Echo "Changing mode to native . . . "
    objDomain.Put "nTMixedDomain", 0
    objDomain.SetInfo
else
    Wscript.Echo "Already a native mode domain"
end if
2.9.3 Discussion
The mode of a domain restricts the operating systems the domain controllers in the domain can
run. In a mixed-mode domain, you can have Windows 2000 and Windows NT domain
controllers. In a native-mode domain, you can have only Windows 2000 (and Windows Server
2003) domain controllers. There are several important feature differences between mixed and
native mode. Mixed mode imposes the following limitations:
• The domain cannot contain Universal security groups.
• Groups in the domain cannot have their scope or type changed.
• The domain cannot have nested groups (aside from global groups in domain local groups).
• Account modifications sent to Windows NT BDCs, including password changes, must go
through the PDC Emulator for the domain.
• The domain cannot use SID History.
• The domain cannot fully utilize trust transitivity.
The domain mode can be changed only from mixed to native mode. You cannot change it back
from native to mixed. When a Windows 2000 domain is first created, it starts off in mixed mode
even if all the domain controllers are running Windows 2000. The domain mode is stored in the
ntMixedDomain attribute on the domain object (e.g., dc=amer,dc=rallencorp,dc=com). A value
of 0 signifies a native-mode domain and 1 indicates a mixed-mode domain.
Windows Server 2003 Active Directory has a similar concept called functional levels. For more
information on Windows Server 2003 functional levels, see Recipe 2.13 and Recipe 2.14.

2.9.4 See Also
Recipe 2.13 for raising the functional level of a domain, Recipe 2.14 for raising the functional
level of a forest, and MS KB 186153 (Modes Supported by Windows 2000 Domain Controllers)
Recipe 2.10 Using ADPrep to Prepare a Domain or
Forest for Windows Server 2003
2.10.1 Problem
You want to upgrade your existing Windows 2000 Active Directory domain controllers to
Windows Server 2003. Before doing this, you must run the ADPrep tool, which extends the
schema and adds several objects in Active Directory that are necessary for new features and
enhancements.
2.10.2 Solution
First, run the following command on the Schema FSMO with the credentials of an account that is
in both the Enterprise Admins and Schema Admins groups:
> adprep /forestprep
After the updates from /forestprep have replicated throughout the forest (see Recipe 2.11), run
the following command on the Infrastructure FSMO in each domain with the credentials of an
account in the Domain Admins group:
> adprep /domainprep
If the updates from /forestprep have not replicated to at least the Infrastructure FSMO server
in each domain, an error will be returned when running /domainprep. To debug any problems
you encounter, see the ADPrep log files located at %SystemRoot%\System32\Debug\Adprep\Logs.

adprep can be found in the \i386 directory on the Windows Server 2003 CD. The tool relies on
several files in that directory, so you cannot simply copy that file out to a server and run it.
You must either run it from the CD or from a location where the entire directory has been copied.

2.10.3 Discussion
The adprep command prepares a Windows 2000 forest and domains for Windows Server 2003.
Both /forestprep and /domainprep must be run before you can upgrade any domain
controllers to Windows Server 2003 or install new Windows Server 2003 domain controllers.

The adprep command serves a similar function to the Exchange 2000 setup /forestprep and
/domainprep commands, which prepare an Active Directory forest and domains for Exchange
2000. The adprep /forestprep command extends the schema and modifies some default
security descriptors, which is why it must run on the Schema FSMO and under the credentials of
someone in both the Schema Admins and Enterprise Admins groups. In addition, the adprep
/forestprep and /domainprep commands add new objects throughout the forest, many of
which are necessary for new features supported in Windows Server 2003 Active Directory.
If you've installed Exchange 2000 or Services For Unix 2.0 in your forest prior to running
adprep, there are schema conflicts with the adprep schema extensions that you'll need to fix
first. MS KB 325379 and 314649 have a detailed list of compatibility issues and resolutions.
2.10.4 See Also
Recipe 2.11 for determining if ADPrep has completed, Chapter 14 of Active Directory, Second
Edition for upgrading to Windows Server 2003, MS KB 331161 (List of Fixes to Use on
Windows 2000 Domain Controllers Before You Run the Adprep/Forestprep Command), MS KB
314649 (Windows Server 2003 ADPREP Command Causes Mangled Attributes in Windows
2000 Forests That Contain Exchange 2000 Servers), and MS KB 325379 (Upgrade Windows
2000 Domain Controllers to Windows Server 2003)
Recipe 2.11 Determining if ADPrep Has Completed
2.11.1 Problem
You want to determine if the ADPrep process, described in Recipe 2.10, has successfully
prepared a Windows 2000 domain or forest for Windows Server 2003. After ADPrep has
completed, you will then be ready to start promoting Windows Server 2003 domain controllers.
2.11.2 Solution
To determine if adprep /domainprep completed, check for the existence of the following object
where <DomainDN> is the distinguished name of the domain:
cn=Windows2003Update,cn=DomainUpdates,cn=System,<DomainDN>
To determine if adprep /forestprep completed, check for the existence of the following object
where <ForestRootDN> is the distinguished name of the forest root domain:
cn=Windows2003Update,cn=ForestUpdates,cn=Configuration,<ForestRootDN>
2.11.3 Discussion
As described in Recipe 2.10, the adprep utility is used to prepare a Windows 2000 forest for the
upgrade to Windows Server 2003. One of the nice features of adprep is that it stores its progress in
Active Directory. For /domainprep, a container with a distinguished name of
cn=DomainUpdates,cn=System,<DomainDN> is created that has child containers
cn=Operations and cn=Windows2003Update. After adprep completes a task, it creates an object
under the cn=Operations container to signify its completion. Each object has a GUID for its
name, which represents some internal operation for adprep. For /domainprep, 52 of these
objects are created. After all of the operations have completed successfully, the
cn=Windows2003Update object is created to indicate /domainprep has completed. Figure 2-2
shows an example of the container structure created by /domainprep.
Figure 2-2. DomainPrep containers

For /forestprep, a container with the distinguished name of
cn=ForestUpdates,cn=Configuration,<ForestRootDN> is created with child containers
cn=Operations and cn=Windows2003Update. The same principles apply as for /domainprep
except that there are 36 operation objects stored within the cn=Operations container. After
/forestprep completes, the cn=Windows2003Update object will be created that marks the
successful completion of /forestprep. Figure 2-3 shows an example of the container structure
created by /forestprep.
Figure 2-3. ForestPrep containers
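The existence check from the solution, evaluated offline against the DN list that dsquery prints. This is an added example, not code from the cookbook; it assumes the two dsquery commands in the comment, and the sample output is constructed, with generated GUIDs standing in for the real adprep operation GUIDs.

```python
# Added example (not from the cookbook): decide from 'dsquery *' output whether
# adprep /domainprep or /forestprep finished, using the Windows2003Update
# marker Recipe 2.11 describes plus a count of the operation objects.
# Assumed commands (dsquery * prints one double-quoted DN per line):
#   dsquery * "cn=DomainUpdates,cn=System,<DomainDN>" -scope subtree -limit 0
#   dsquery * "cn=ForestUpdates,cn=Configuration,<ForestRootDN>" -scope subtree -limit 0
# The sample output below is constructed; its GUIDs are generated, not adprep's.
import re
import uuid

# operation-object counts the cookbook gives for Windows Server 2003 adprep
EXPECTED_OPERATIONS = {"domainprep": 52, "forestprep": 36}
_OPERATION_RE = re.compile(r"^CN=\{[0-9A-Fa-f-]{36}\},CN=Operations,", re.IGNORECASE)


def parse_dsquery_dns(output):
    """DNs from 'dsquery *' output, one quoted DN per line."""
    return [line.strip().strip('"') for line in output.splitlines() if line.strip()]


def adprep_status(dns, base_dn, phase):
    """Summarise adprep progress below base_dn (cn=DomainUpdates,... or
    cn=ForestUpdates,...). 'complete' is true only when the Windows2003Update
    marker exists; 'operations' shows how far an interrupted run got."""
    base = base_dn.lower()
    marker = f"cn=windows2003update,{base}"
    ops = [dn for dn in dns
           if _OPERATION_RE.match(dn) and dn.lower().endswith(f",cn=operations,{base}")]
    return {
        "complete": any(dn.lower() == marker for dn in dns),
        "operations": len(ops),
        "expected": EXPECTED_OPERATIONS[phase],
    }


def build_sample_output(base_dn, operations, finished):
    """Constructed dsquery output for a run that created `operations` operation
    objects and, if finished, the Windows2003Update marker."""
    lines = [f'"{base_dn}"', f'"CN=Operations,{base_dn}"']
    for i in range(operations):
        lines.append(f'"CN={{{uuid.UUID(int=i + 1)}}},CN=Operations,{base_dn}"')
    if finished:
        lines.append(f'"CN=Windows2003Update,{base_dn}"')
    return "\n".join(lines) + "\n"


DOMAIN_BASE = "CN=DomainUpdates,CN=System,DC=amer,DC=rallencorp,DC=com"
FOREST_BASE = "CN=ForestUpdates,CN=Configuration,DC=rallencorp,DC=com"

if __name__ == "__main__":
    full = parse_dsquery_dns(build_sample_output(DOMAIN_BASE, 52, True))
    print("domainprep:", adprep_status(full, DOMAIN_BASE, "domainprep"))
    partial = parse_dsquery_dns(build_sample_output(FOREST_BASE, 20, False))
    print("forestprep:", adprep_status(partial, FOREST_BASE, "forestprep"))
```

Run the dsquery with -s <DomainControllerName> against each domain controller you intend to upgrade or promote: the marker only proves the objects exist on the server that answered, which is the replication condition Recipe 2.10 places on /domainprep. The operation counts are the ones this chapter gives for the Windows Server 2003 adprep; a newer adprep can create more, so treat the count as progress information rather than a pass/fail test.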
