Insert a Windows Server 2003 CD into the Windows 2000 domain controller or map a drive to the files contained on the CD. Run the following command from the \i386 directory:

	> winnt32 /checkupgradeonly

Using a command-line interface

To produce a compatibility report from the command line, first you need to create a text file containing the following information:

[Unattended]

Win9xUpgrade = Yes

[Win9xUpg]ReportOnly = Yes

SaveReportTo = "\\server1\upgradereports\"

Save this file as unattend.txt, and then run the following from the command-line:

	> winnt32 /checkupgradeonly /unattend:c:\unattend.txt

With a pretty simple script, you can enumerate all the domains, OUs, and containers in a forest. And you don’t need any type of privileged rights to do it. Here is the script:

' This code prints out the forest tree hierarchy

' BEGIN SECTION 1
 set objRootDSE = GetObject("LDAP://RootDSE")
 strBase    =  "
               objRootDSE.Get("ConfigurationNamingContext") & ">;"
 strFilter  = "(&(objectcategory=crossRef)(systemFlags=3));"
 strAttrs   = "name,trustParent,nCName,dnsRoot,distinguishedName;"
 strScope   = "onelevel"
 set objConn = CreateObject("ADODB.Connection")
 objConn.Provider = "ADsDSOObject"
 objConn.Open "Active Directory Provider"
 set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
 objRS.MoveFirst
 ' END SECTION 1

' BEGIN SECTION 2
 set dicSubDomainTrue = CreateObject("Scripting.Dictionary")
 set dicDomainHierarchy = CreateObject("Scripting.Dictionary")
 set dicDomainRoot = CreateObject("Scripting.Dictionary")
 ' END SECTION 2

' BEGIN SECTION 3
 while not objRS.EOF
    dicDomainRoot.Add objRS.Fields("name").Value, objRS.Fields("nCName").Value
    if objRS.Fields("trustParent").Value <> "" then
       dicSubDomainTrue.Add objRS.Fields("name").Value, 0
       set objDomainParent = GetObject("LDAP://" & _
                             objRS.Fields("trustParent").Value)
       dicDomainHierarchy.Add objRS.Fields("name").Value, _
                              objDomainParent.Get("name")
    else
       dicSubDomainTrue.Add objRS.Fields("name").Value, 1
    end if
    objRS.MoveNext
 wend
 ' END SECTION 3

' BEGIN SECTION 4
 for each strDomain in dicSubDomainTrue
   if dicSubDomainTrue(strDomain) = 1 then
       DisplayDomains strDomain, "", dicDomainHierarchy, dicDomainRoot
   end if
 next

Function DisplayDomains ( strDomain, strSpaces, dicDomainHierachy, dicDomainRoot)
    WScript.Echo strSpaces & strDomain
    DisplayObjects "LDAP://" & dicDomainRoot(strDomain), "  " & strSpaces
    for each strD in dicDomainHierarchy
       if dicDomainHierarchy(strD) = strDomain then
          DisplayDomains strD, "  " & strSpaces, dicDomainHierarchy, _
                         dicDomainRoot
       end if
    next
 End Function

' DisplayObjects takes the ADsPath of the object to display
 ' child objects for and the number of spaces (indention) to
 ' use when printing the first parameter
 Function DisplayObjects( strADsPath, strSpace)
    set objObject = GetObject(strADsPath)
    Wscript.Echo strSpace & objObject.Name
    objObject.Filter = Array("container","organizationalUnit")
    for each objChildObject in objObject
       DisplayObjects objChildObject.ADsPath, strSpace & " "
    next
 End Function

' END SECTION 4

Let’s walk through it.

In SECTION 1, I set up an ADO query to find all domains in a forest. This is a little trickier than you might imagine. Domains are represented in the Configuration naming context as crossRef objects; but since LDAP referrals can also be created as crossRef objects, I have to look for a specific type of crossRef object, ones that have a systemFlags attribute equal to 3. This signifies Active Directory domains.

In SECTION 2, I set up three dictionary objects that I’ll use throughout the script. Here is a brief overview of each dictionary object:

dicSubDomainTrue

This is used to identify whether domains contain subdomains. The keys will be domain names and values will be 0 if the domain has no subdomains or 1 if it does. This dictionary will be used later to enumerate the domain hierarchy.

dicDomainHierarchy

This is used to store the parent domain of a subdomain. The keys will be the domain names and the values will be each domain’s parent domain name.

dicDomainRoot

This is used to store the default naming context for each domain. The keys will be the domain names and the values will be the DN of each domain’s root.

In SECTION 3, I enumerate over each of the values returned by the ADO query started in SECTION 1. I first set the domain root in the dicDomainRoot dictionary. Next, I evaluate if the trustParent attribute contains a value. If it does, then I know the domain I’m currently on has a parent domain. If TRustParent does not contain a value, I know that it is the root domain of the forest or domain tree. If it does have a parent, I set an entry for the domain in dicSubDomainTrue to 0 to signify that I haven’t found a subdomain for this domain yet. I then set an entry in dicDomainHierarchy to contain the domain and parent domain as key value pairs.

At this point, I’ve set up all the data structures I need to start printing out the structure of a forest. In SECTION 4, I start iterating over each domain in the forest. I’ll enter only the domains that are roots of their forests. Then I call the DisplayDomains function. DisplayDomains prints the name of the current domain and calls DisplayObjects to print each container and organizationalUnit object in the domain. This effectively prints the structure of that domain. After it is done with that, it starts to loop over the keys in dicDomainHierarchy to find all child domains that have the current domain set as their parent. If it finds a subdomain of the current domain, it calls DisplayDomains (recursively) on that domain and the process repeats.

These settings are stored under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. By default, all settings are set to 0, which disables diagnostic logging, but you can increase any one of them by setting it to a number from 1 through 5. As a general rule, a value of 1 is used for minimum logging, 3 for medium logging, and 5 for maximum logging. It is a good practice to ease your way up to 5 because some diagnostics logging settings can generate a huge number of events in the event log, which may make it difficult to read, along with increasing resource utilization on the domain controller.

Here is the complete list of diagnostics logging settings for Windows Server 2003. Note that settings 20-24 are not available on Windows 2000-based domain controllers.

1 Knowledge Consistency Checker
 2 Security Events
 3 ExDS Interface Events
 4 MAPI Interface Events
 5 Replication Events
 6 Garbage Collection
 7 Internal Configuration
 8 Directory Access
 9 Internal Processing
 10 Performance Counters
 11 Initialization/Termination
 12 Service Control
 13 Name Resolution
 14 Backup
 15 Field Engineering
 16 LDAP Interface Events
 17 Setup
 18 Global Catalog
 19 Inter-site Messaging
 20 Group Caching
 21 Linked-Value Replication
 22 DS RPC Client
 23 DS RPC Server
 24 DS Schema

Using a graphical user interface

1. Run regedit.exe from the command line or Start Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE System CurrentControlSet Services NTDS Diagnostics.
3. In the right pane, double-click on the diagnostics logging entry you want to increase, and enter a number (0-5) based on how much you want logged.
4. Click OK.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "

" /t REG_DWORD /d <0-5>

Using VBScript

' This code sets the specified diagnostics logging level
' ------ SCRIPT CONFIGURATION ------
strDC   = "<DomainControllerName>"  ' e.g., dc01
strLogSetting = "<LoggingSetting>"  ' e.g., 1 Knowledge Consistency Checker
intFlag = <FlagValue>               ' Flag value in decimal, e.g., 5
' ------ END CONFIGURATION ---------
const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, strLogSetting, intFlag
WScript.Echo "Diagnostics logging for " & strLogSetting _
             & " set to " & intFlag

Using a graphical user interface
For the Windows 2000 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.
2. Click the Trusts tab.
3. Click the domain that is associated with the trust you want to verify.
4. Click the Edit button.
5. Click the Verify button.
6. If the validation function fails, you’ll be given an option to reset the trust.

For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in:

1. In the left pane, right-click on the trusting domain and select Properties.
2. Click the Trusts tab.
3. Click the domain that is associated with the trust you want to verify.
4. Click the Properties button.
5. Click the Validate button.
6. If the validation function fails, you’ll be given an option to reset the trust.

Using a command-line interface

The following command verifies a trust:

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]

The following command resets a trust:

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]

' The following code lists all of the trusts for the
' specified domain using the Trustmon WMI Provider.
' The Trustmon WMI Provider is supported only on Windows Server 2003.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g., amer.rallencorp.com
' ------ END CONFIGURATION ---------
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

' This code shows how to search specifically for trusts
' that have failed, which can be accomplished using a WQL query that
' contains the query: TrustIsOk = False
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>"  ' e.g., amer.rallencorp.com
' ------ END CONFIGURATION ---------

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("select * " _
                               & " from Microsoft_DomainTrustStatus " _
                               & " where TrustIsOk = False ")
if objTrusts.Count = 0 then
   Wscript.Echo "There are no trust failures"
else
   WScript.Echo "Trust Failures:"
   for each objTrust in objTrusts
      Wscript.Echo " " & objTrust.TrustedDomain & " : " & _
                         objTrust.TrustStatusString
      Wscript.Echo ""
   next
end if

' This code resets the specified trust.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for.
strTrustName = "<TrustToCheck>"

' Set to the DNS name of the source or trusting domain.
strDomain    = "<TrustingDomain>"
' ------ END CONFIGURATION ---------

' Enable SC_RESET during trust enumerations
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
              "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3  ' Enumerate with SC_RESET
objTrustProv.Put_

' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                        & " from Microsoft_DomainTrustStatus " _
                        & " where TrustedDomain = '" & strTrustName & "'" )
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to view and select Properties.
3. Click on the Trusts tab.

Using a command-line interface

> netdom query trust /Domain:

Using VBScript

' This code prints the trusts for the specified domain.

' ------ SCRIPT CONFIGURATION ------

strDomain = ""   ' e.g., rallencorp.com

 ' ------ END CONFIGURATION ---------

' Trust Direction Constants taken from NTSecAPI.h
 set objTrustDirectionHash = CreateObject("Scripting.Dictionary")
 objTrustDirectionHash.Add "DIRECTION_DISABLED", 0
 objTrustDirectionHash.Add "DIRECTION_INBOUND",  1
 objTrustDirectionHash.Add "DIRECTION_OUTBOUND", 2
 objTrustDirectionHash.Add "DIRECTION_BIDIRECTIONAL", 3

' Trust Type Constants - taken from NTSecAPI.h
 set objTrustTypeHash = CreateObject("Scripting.Dictionary")
 objTrustTypeHash.Add "TYPE_DOWNLEVEL", 1
 objTrustTypeHash.Add "TYPE_UPLEVEL", 2
 objTrustTypeHash.Add "TYPE_MIT", 3
 objTrustTypeHash.Add "TYPE_DCE", 4

' Trust Attribute Constants - taken from NTSecAPI.h
 set objTrustAttrHash = CreateObject("Scripting.Dictionary")
 objTrustAttrHash.Add "ATTRIBUTES_NON_TRANSITIVE", 1
 objTrustAttrHash.Add "ATTRIBUTES_UPLEVEL_ONLY", 2
 objTrustAttrHash.Add "ATTRIBUTES_QUARANTINED_DOMAIN", 4
 objTrustAttrHash.Add "ATTRIBUTES_FOREST_TRANSITIVE", 8
 objTrustAttrHash.Add "ATTRIBUTES_CROSS_ORGANIZATION", 16
 objTrustAttrHash.Add "ATTRIBUTES_WITHIN_FOREST", 32
 objTrustAttrHash.Add "ATTRIBUTES_TREAT_AS_EXTERNAL", 64

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
 set objTrusts  = GetObject("LDAP://cn=System," & _
                             objRootDSE.Get("defaultNamingContext") )
 objTrusts.Filter = Array("trustedDomain")
 Wscript.Echo "Trusts for " & strDomain & ":"

for each objTrust in objTrusts
    for each strFlag In objTrustDirectionHash.Keys
       if objTrustDirectionHash(strFlag) = objTrust.Get("trustDirection") then
          strTrustInfo = strTrustInfo & strFlag & " "
       end If
    next

   for each strFlag In objTrustTypeHash.Keys
       if objTrustTypeHash(strFlag) = objTrust.Get("trustType") then
          strTrustInfo = strTrustInfo & strFlag & " "
       end If
    next

   for each strFlag In objTrustAttrHash.Keys
       if objTrustAttrHash(strFlag) = objTrust.Get("trustAttributes") then
          strTrustInfo = strTrustInfo & strFlag & " "
       end If
    next

   WScript.Echo " " & objTrust.Get("trustPartner") & " : " & strTrustInfo
    strTrustInfo = ""
 next

In Windows Server 2003, Active Directory introduced a new trust type called a forest trust. A forest trust allows you to create a single transitive trust between two forest root domains and have it apply to all subdomains. In Windows 2000 forests, you have to set up individual trusts between all the domains in one forest with all the domains in another.

Trusts are stored in Active Directory as two objects; a TRustedDomain object in the System container and a user object in the Users container. Both of these objects need to be removed when deleting a trust. The GUI and CLI solutions take care of that in one step, but in the VBScript example both objects needed to be explicitly deleted. It is also worth noting that each solution deleted only one side of the trust. If the trust was to a remote AD forest or NT 4.0 domain, you also need to delete the trust in that domain.

Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to add a trust for and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Complete the rest of the wizard steps. They will vary depending on the type of trust you create.

Using a command-line interface

> netdom trust  /Domain: /ADD

          [/UserD:\ADUser> /PasswordD:*]

          [/UserO:\TargetUser> /PasswordO:*]

          [/TwoWay]

For example, to create a trust from the NT4 domain RALLENCORP_NT4 to the AD domain RALLENCORP, use the following command:

> netdom trust RALLENCORP_NT4 /Domain:RALLENCORP /ADD
          /UserD:RALLENCORP\administrator /PasswordD:*
          /UserO:RALLENCORP_NT4\administrator /PasswordO:*

You can make the trust bidirectional, i.e., two-way, by adding a /TwoWay option to the example.

The following command deletes a trust:

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]

Using VBScript

None of the scripting interfaces support the capability to create a trust, but you can delete them as shown here:

' This code deletes a trust in the specified domain.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm trust you want to delete.
strTrustName = "<TrustName>"
' Set to the DNS name of the source or trusting domain
strDomain    = "<DomainDNSName>"
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objTrust = GetObject("LDAP://cn=System," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrust.Delete "trustedDomain", "cn=" & strTrustName
set objTrustUser = GetObject("LDAP://cn=Users," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrustUser.Delete "trustedDomain", "cn=" & strTrustName & "$"
WScript.Echo "Successfully deleted trust for " & strTrustName

Some FSMO roles are more time critical than others. For example, the PDC Emulator role is used extensively, but the Schema Master is needed only when extending the schema. If a FSMO role owner becomes unavailable before you can transfer it, you’ll need to seize the role.

Seizing a FSMO role should not be done lightly. The general recommendation is to seize a FSMO role only when you cannot possibly bring the previous role holder back online. One reason that seizing a role is problematic is that you could possibly lose data. For example, let’s say that you extended the schema and immediately after it was extended, the Schema FSMO went down. If you could not bring that server back online, those extensions may have not replicated before the server went down. You would need to determine if the schema extensions replicated and, if not, re-extend the schema. A similar problem can result from losing the RID FSMO, where duplicate RID pools may be allocated.

Using a graphical user interface

1. Use the same directions as described for viewing a specific FSMO, except target (i.e., right-click and select Connect to Domain Controller) the domain controller you want to transfer the FSMO to before selecting Operations Master.
2. Click the Change button.
3. Click OK twice.
4. You should then see a message stating whether the transfer was successful.

Using a command-line interface
The following transfers the PDC Emulator role to

> ntdsutil roles conn "co t s " q "TRansfer PDC" q q

The following seizes the PDC Emulator role to run on :

> ntdsutil roles conn "co t s " q "seize PDC" q q

Using VBScript

' This code transfers the PDC Emulator role to the specified owner.

' ------ SCRIPT CONFIGURATION ------

strNewOwner = ""  ' e.g., dc2.rallencorp.com

 ' ------ END CONFIGURATION ---------

 Set objRootDSE = GetObject("LDAP://" & strNewOwner & "/RootDSE")

 objRootDSE.Put "becomePDC", 1

 objRootDSE.SetInfo

Seizing a FSMO role is typically not something you need to do programmatically, but you can do it. All you need to do is set the fSMORoleOwner attribute for the object that represents the FSMO role with the distinguished name of ntdSDSA object of the new role owner.

There are five designated FSMO roles that correspond to these sensitive functions. A FSMO role can apply either to an entire forest or to a specific domain. Each role is stored in the fSMORoleOwner attribute on various objects in Active Directory depending on the role.

Using a graphical user interface

For the Schema Master:

1. Open the Active Directory Schema snap-in.
2. Right-click on Active Directory Schema in the left pane and select Operations Master.

For the Domain Naming Master:

1. Open the Active Directory Domains and Trusts snap-in.
2. Right-click on Active Directory Domains and Trusts in the left pane and select Operations Master.

For the PDC Emulator, RID Master, and Infrastructure Master:

1. Open the Active Directory Users and Computers snap-in.
2. Make sure you’ve targeted the correct domain.
3. Right-click on Active Directory Users and Computers in the left pane and select Operations Master.
4. There are individual tabs for the PDC, RID, and Infrastructure roles.

Using a command-line interface

In the following command, you can leave out the /Domain option to query the domain in which you are currently logged on:

> netdom query fsmo /Domain:

You can also use the dsquery server command to list the FSMO role owners as shown here where can be schema, name, infr, pdc, or rid:

> dsquery server -hasfsmo 

Using VBScript

' This code prints the FSMO role owners for the specified domain.

' ------ SCRIPT CONFIGURATION ------

strDomain = ""  ' e.g., emea.rallencorp.com

 ' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE") strDomainDN  = objRootDSE.Get("defaultNamingContext") strSchemaDN = objRootDSE.Get("schemaNamingContext") strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator set objPDCFsmo = GetObject("LDAP://" & strDomainDN) Wscript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & strDomainDN) Wscript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN) Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN) Wscript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN) Wscript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner

After enabling the global catalog, it can take some time before the domain controller can start serving as a global catalog server. The length of time is based on the amount of data that needs to replicate and the type of connectivity between the domain controller’s replication partners. Once a server has completed initial replication of the global catalog, the isGlobalCatalogReady attribute in the RootDSE will be marked TRUE. Another way to determine if a domain controller has been at least flagged to become a global catalog is by checking if the options attribute on the ntdSDSA object for the server has been set to 1. Note that this does not necessarily mean the server is accepting requests as a global catalog. After replication is complete, you should see Event 1119 in the Directory Services log stating the server is advertising itself as a global catalog. At that point, you should also be able to perform LDAP queries against port 3268 on that server.

If you have Exchange installed in the forest, you’ll also need to reboot the server before it will be used as a global catalog by Exchange servers and clients.

Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Browse to the nTDSDSA object (NtdS Settings) underneath the server object for the domain controller whose global catalog you want to enable or disable.
3. Right-click on NTDS Settings and select Properties.
4. Under the General tab, check (to enable) or uncheck (to disable) the box beside Global Catalog.
5. Click OK.

Using a command-line interface

In the following command, should be the server object DN, not the DN of the ntdSDSA object:

> dsmod server "" -isgc yes|no

For example, the following command enables the global catalog on dc1 in the Raleigh site:

> dsmod server "cn=DC1,cn=servers,cn=Raleigh,cn=sites,cn=configuration,dc=rallencorp,dc=com"
 -isgc yes

Using VBScript

' This code enables or disables the GC for the specified DC
 ' ------ SCRIPT CONFIGURATION ------
 strDC = ""   ' e.g., dc01.rallencorp.com
 strGCEnable = 1                    ' 1 = enable, 0 = disable
 ' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
 objNTDS = GetObject("LDAP://" & strDC & "/" &  _
                     objRootDSE.Get("dSServiceName"))
 objNTDS.Put "options", strGCEnable
 objNTDS.SetInfo

The Microsoft DsGetDcName Directory Services API method implements the DC Locator process, but unfortunately cannot be used directly from a scripting language, such as VBScript. The IADsTools interface provides a wrapper around DsGetDcName, which is what I used. The nltest /dsgetdc command is also a wrapper around the DsGetDcName method, and is a handy tool when troubleshooting client issues related to finding an optimal domain controller.

Using a command-line interface

The following command finds the closest domain controller in the specified domain (). By default, it will return the DC closest to the computer nltest is being run from, but you can optionally use the /server option to target a remote computer. You can also optionally specify the /site option to find a domain controller that belongs to a particular site.

> nltest /dsgetdc: [/site:] [/server:]

Using VBScript

' This code finds the closest domain controller in the domain
 ' that the computer running the script is in.
 ' ------ SCRIPT CONFIGURATION ------
 strDomain = ""  ' e.g., emea.rallencorp.com
 ' ------ END CONFIGURATION ---------

set objIadsTools = CreateObject("IADsTools.DCFunctions")
 objIadsTools.DsGetDcName( Cstr(strDomain) )
 Wscript.Echo "DC: " & objIadsTools.DCName
 Wscript.Echo "DC Site: " & objIadsTools.DCSiteName
 Wscript.Echo "Client Site: " & objIadsTools.ClientSiteName