Join and Authentication Issues
To install and remove Active Directory, the Active Directory Installation Wizard (Dcpromo) is used. It is important that certain requirements are met to prevent an unsuccessful installation and removal of Active Directory in an enterprise. These requirements include planning for sufficient storage capacity, time synchronization, domain controller availability, DNS configuration, and administrator access permissions. Also, there are specific troubleshooting techniques that you can follow if you do encounter errors when installing and removing Active Directory. Some of the common problems you might encounter are the following:
The recommended ways to diagnose and resolve these problems:
Note
Whenever you encounter errors running the Active Directory Installation Wizard (Dcpromo.exe), examine the Dcpromoxx.log files. These files (Dcpromo.log and Dcpromoui.log) are located in the
To avoid any problems with installing or removing Active Directory, it is important to confirm that you have sufficient disk space on the network drives that are going to be configured to host the directory information tree (DIT) and log files.
The Active Directory Installation Wizard requires 200 megabytes (MB) of disk space for the Active Directory database and 50 MB for the ESENT transaction log files. File size requirements for the Active Directory database and log files are calculated by the Dssize tool. This is dependent on the number and type of objects in the domain database or databases held by the forest if the computer is serving as a Global Catalog server.
By default, the Kerberos v5 authentication protocol requires the clocks of domain controllers and stand-alone servers to be synchronized to within five minutes of each other. Use the net time command to synchronize the time of the server that is being promoted with the domain controller from which you are holding the directory partition.
Note
By default, time synchronization is done automatically.
The Domain Naming Master server must be available when a Windows 2000 Server attempts to join an existing tree by creating a new domain.
Note
For an additional domain controller installation, the domain naming operations master is not needed.
To determine operations master availability, use the Active Directory Users and Computers console and the Active Directory Domains and Trusts console. You can also use the Ntdsutil tool to determine operations master availability and server location.
For more information about operations master roles, see "Managing Flexible Single-Master Operations" in this book.
To test the DNS configuration paths in the Active Directory Installation Wizard, type ipconfig /release at the command prompt, and then start the Active Directory Installation Wizard. This causes the wizard to run as if DNS is not properly configured. You cannot use the wizard to continue until it detects a valid DNS setup. To simulate completion of the configuration, run ipconfig /renew in another process, and then return to the Active Directory Installation Wizard.
To install an additional domain controller, an administrator who is a member of the Built-in [administrators] group (for example, Enterprise Admins and Domain Admins) on your domain controller must have the "enable computer and user accounts to be trusted for delegation" privilege. This is necessary so that during the installation of Active Directory, the computer account can be trusted for delegation.
Note
By default, the delegation privilege is provided to the Built-in [administrators] group.
The Active Directory Installation Wizard attempts to enable the computer account to be trusted for delegation when an additional domain controller is installed. However, there might be situations where the "enable computer and user accounts to be trusted for delegation" privilege is not provided by default to the Built-in [administrators] group. In that case, either the security configuration engine must correct this privilege problem before the Active Directory Installation Wizard can run successfully, or you need to give the privilege to a computer account manually.
To give the "enable computer and user accounts to be trusted for delegation" privilege to a computer account
During the installation of Active Directory, there are requirements that must be met by the servers that hold certain operations master roles.
The Domain Naming Master operations master role must be available by RPC when installing a new domain in an existing forest.
Failure to access the Domain Naming Master operations master role holder during the installation of Active Directory for a new domain generates an error such as this:
To perform the requested operation, the Directory Service needs to contact the
Domain Naming Master (server reskit.com). The attempt to contact it failed.
"The RPC server is unavailable"
The text message is a Win32 error message indicating why the network operation to reskit.com failed.
If you receive the preceding error message, it is recommended that you verify the following:
Note
Flush the DNS cache to verify that the DNS entries are correct. The command to use is ipconfig /flushdns.
As part of the removal of Active Directory from a domain controller, the Active Directory Installation Wizard removes the configuration data for the domain controller from Active Directory. This data takes the form of the NTDS Settings object, which exists as a child of the server object (cn=NTDS Settings,cn=<serverName>,cn=Servers,cn=<siteName>,cn=Sites,cn=Configuration,dc=forestRootDomain). You can view these objects in the Sites container in the Active Directory Sites and Services console.
The attributes of the NTDS Settings object include data that represent how the domain controller is identified to its replication partners, the directory partitions that are maintained on the computer, and whether or not the domain controller is a Global Catalog server. The NTDS Settings object is also a container that can have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate within the environment, but the NTDS Settings object is removed upon the removal of Active Directory.
If the NTDS Settings object is not properly removed during the process of removing Active Directory, the administrator can use the Ntdsutil tool to manually remove the NTDS Settings object. The following sections outline the procedure for removing the NTDS Settings object from Active Directory for a specific domain controller using the Ntdsutil tool. For more information about the available options, the administrator can type help on each Ntdsutil menu.
Caution
Before manually removing the NTDS Settings object for any server, it is recommended that the administrator also check that replication has occurred because of the removal of Active Directory. Improper use of the Ntdsutil tool can result in partial or complete loss of Active Directory functionality.
For more information about the Ntdsutil tool, see Windows 2000 Support Tools on the Windows 2000 Server operating system CD.
Removing the Domain Controller Object
After you remove Active Directory from a domain controller, the object that represents the server in the Active Directory Sites and Services console remains.
This condition occurs because the server object is a container object that can hold child objects that represent configuration data for other services installed on your computer. For this reason, the wizard does not automatically remove the server object.
Warning
If the server object contains any child objects named NTDS Settings, these objects represent the server as a domain controller and must be removed automatically when Active Directory is removed. If these objects are not removed automatically, or if removal of Active Directory cannot be performed (for example, on a computer that has malfunctioning hardware), these objects must be removed by using the Ntdsutil tool before you can delete the server object.
To remove the domain controller object
Note
This process might not complete successfully for either of the following reasons:
If you receive a message that states the server is a container that contains other objects, before you continue verify that the appropriate services have been stopped.
If you receive a message that states the NTDS Settings object cannot be deleted, you might be attempting to delete an active domain controller. However, this message would only occur if the NTDS Settings object is the computer which you are trying to delete, otherwise the delete operation will succeed.
An administrator can safely delete the server object in the Active Directory Sites and Services console after all services have been removed and no child objects exist.
For more information about the Ntdsutil tool, see Windows 2000 Support Tools on the Windows 2000 Server operating system CD.
When the Active Directory Installation Wizard performs the domain controller promotion process, it automatically creates its own log file: the Dcpromoui.log file. Specifically, it verifies and checks the following:
All important API calls are logged with the parameters and the error code returned. For example:
dcpromoui t:0x260 00325 Calling NetValidateName
dcpromoui t:0x260 00326 lpServer : (null)
dcpromoui t:0x260 00327 lpName : server.reskit.com
dcpromoui t:0x260 00328 lpAccount : (null)
dcpromoui t:0x260 00329 lpPassword : (null)
dcpromoui t:0x260 00330 NameType : NetSetupNonExistentDomain
dcpromoui t:0x260 00331 Error 0x0 (!0 => error)
The error codes are typically Win32 error codes. For more information about the cause of each error according to API, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Please note that not all error codes indicate a malfunction. In some cases, the error is the expected result, as in the following example:
dcpromoui t:0x260 00311 Calling DsGetDcName
dcpromoui t:0x260 00312 ComputerName : (null)
dcpromoui t:0x260 00313 DomainName : server.reskit.com
dcpromoui t:0x260 00314 DomainGuid : (null)
dcpromoui t:0x260 00315 SiteGuid : (null)
dcpromoui t:0x260 00316 Flags : 0x1
dcpromoui t:0x260 00317 Error 0x54B (!0 => error)
dcpromoui t:0x260 00318 Trying again w/ rediscovery
dcpromoui t:0x260 00319 Error 0x54B (!0 => error)
This example shows that the error 0x54b is returned from two calls to DsGetDcName. 0x54b is ERROR_NO_SUCH_DOMAIN. This is a good result, because you are validating that the domain does not already exist in this context.
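The triage rule described above can be automated. The following is an added example, not code from the Resource Kit: it groups Dcpromoui.log lines into API calls per thread and reports non-zero codes, treating 0x54B from DsGetDcName as expected only when the looked-up name is the domain being created. The sample lines are constructed in the layout shown above, and the new_domain argument and the small code table are assumptions of the example.

```python
import re

# Small lookup of well-known Win32 codes (not an exhaustive table).
WIN32 = {0x0: "ERROR_SUCCESS", 0x5: "ERROR_ACCESS_DENIED",
         0x54B: "ERROR_NO_SUCH_DOMAIN", 0x6BA: "RPC_S_SERVER_UNAVAILABLE"}

LINE = re.compile(r"^dcpromoui\s+t:(0x[0-9A-Fa-f]+)\s+(\d+)\s+(.*)$")
ERROR = re.compile(r"^Error\s+(0x[0-9A-Fa-f]+)")
PARAM = re.compile(r"^(\w+)\s*:\s*(.*)$")

# Constructed sample: the last call looks up the parent domain and fails.
SAMPLE = """\
dcpromoui t:0x260 00311 Calling DsGetDcName
dcpromoui t:0x260 00312 ComputerName : (null)
dcpromoui t:0x260 00313 DomainName : server.reskit.com
dcpromoui t:0x260 00316 Flags : 0x1
dcpromoui t:0x260 00317 Error 0x54B (!0 => error)
dcpromoui t:0x260 00318 Trying again w/ rediscovery
dcpromoui t:0x260 00319 Error 0x54B (!0 => error)
dcpromoui t:0x260 00325 Calling NetValidateName
dcpromoui t:0x260 00327 lpName : server.reskit.com
dcpromoui t:0x260 00330 NameType : NetSetupNonExistentDomain
dcpromoui t:0x260 00331 Error 0x0 (!0 => error)
dcpromoui t:0x260 00340 Calling DsGetDcName
dcpromoui t:0x260 00341 DomainName : reskit.com
dcpromoui t:0x260 00342 Error 0x54B (!0 => error)
"""


def parse_calls(text):
    """Group log lines into one record per 'Calling <API>' block."""
    calls, open_call = [], {}          # open_call: thread id -> current call
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, seq, body = m.group(1), int(m.group(2)), m.group(3).strip()
        if body.startswith("Calling "):
            open_call[thread] = {"api": body[len("Calling "):], "seq": seq,
                                 "params": {}, "errors": []}
            calls.append(open_call[thread])
            continue
        call = open_call.get(thread)
        if call is None:               # line seen before any call on this thread
            continue
        err, param = ERROR.match(body), PARAM.match(body)
        if err:
            call["errors"].append(int(err.group(1), 16))
        elif param:
            call["params"][param.group(1)] = param.group(2)
    return calls


def triage(calls, new_domain):
    """Return (seq, api, target, code name) for codes that need attention."""
    findings = []
    for call in calls:
        target = call["params"].get("DomainName", "")
        for code in call["errors"]:
            if code == 0:
                continue
            # Expected result: the name being created must not exist yet.
            expected = (call["api"] == "DsGetDcName" and code == 0x54B
                        and target.lower() == new_domain.lower())
            if not expected:
                findings.append((call["seq"], call["api"], target,
                                 WIN32.get(code, hex(code))))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_calls(SAMPLE), "server.reskit.com"):
        print(finding)
```
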
Most error conditions occur during the role change, because this is where high-dependency operations occur, such as DNS name resolution or Kerberos v5 authenticated network connections. The Active Directory Installation Wizard displays these errors. Errors returned from the API are divided as follows:
For example:
The Directory Service failed to create the object CN=Test,CN=Partitions,CN=Configuration,DC=server1,DC=reskit,DC=com. Please check the event log for possible system errors.
The operation failed because:
"The directory cannot validate the proposed directory partition name because it does not hold a replica of the directory partition above the proposed directory partition."
In this example, the promotion operation was attempting to create a cross reference object in the directory partition for the new domain, but that operation failed because Active Directory cannot validate the specific domain name. The problem was that installation of the grandchild domain occurred before the child domain was replicated to the Global Catalog server. The corrective action is to force a replication to the Global Catalog server to allow the name validation to occur.
Usually, the problem is a network-related issue. The first part of the error code, that is, the operation that was happening at the time, helps you to isolate the problem. For example, you might see the message "can't open LDAP connection." The second part of the error code and the second text might help you understand why the error occurred, for example, "unable to authenticate."
For more information about cross reference objects, see "Name Resolution in Active Directory" in this book.
While Dcpromoui.log logs all the events from a graphical interface perspective, Dcpromo.log captures the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services.
For more information about the Active Directory Installation and Removal process and why the following events are logged, see "Active Directory Data Storage" in this book.
A typical line in Dcpromo.log is formatted as follows:
<time-stamp> <INFO field>: <description of operation>: <status code in hexadecimal>
For example:
08/11 14:08:29 Request for promotion returning 0
The description of the promotion operation is usually self-explanatory. The status code is a NET_API_STATUS or Win32 error code. A 0x0 indicates success; any other code indicates an error.
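The status rule above can be applied to a whole Dcpromo.log mechanically. The following is an added example, not code from the Resource Kit: it parses records in the format just described, tolerates two records run together on one physical line, and lists every operation whose trailing "returned" or "returning" status is not zero. The sample log is constructed, and its two failing lines are invented for illustration.

```python
import re

STAMP = re.compile(r"\d{2}/\d{2} \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(r"^(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?:\[(\w+)\] )?(.*)$")
# Status token at the end of the description, e.g. "returned 0".
STATUS = re.compile(r"\b(?:returned|returning)\s+((?:0x)?[0-9A-Fa-f]+)\s*$")

# Constructed sample; the two non-zero status lines are invented.
SAMPLE = """\
08/11 14:08:29 Request for promotion returning 0
08/16 16:23:03 [INFO] Configuring service w32time08/16 16:23:04 [INFO] Configuring service w32time to 16 returned 0
08/16 16:23:06 [INFO] Configuring service kdc08/16 16:23:07 [INFO] Configuring service kdc to 16 returned 5
08/16 16:23:08 [INFO] DsRolepInstallDs returned 0x6ba
08/16 16:24:58 [INFO] DsRolepSetOperationDone returned 0
"""


def parse_records(text):
    """Return one dict per log record, splitting lines that hold two records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        starts = [m.start() for m in STAMP.finditer(line)]
        if not starts or starts[0] != 0:
            continue                      # continuation or unrelated text
        for a, b in zip(starts, starts[1:] + [len(line)]):
            m = RECORD.match(line[a:b].strip())
            if not m:
                continue
            status = STATUS.search(m.group(3))
            records.append({"time": m.group(1), "field": m.group(2),
                            "text": m.group(3),
                            "status": status.group(1) if status else None})
    return records


def failures(records):
    """Records whose status is present and non-zero.

    The zero test holds whether the token is written in decimal or in
    hexadecimal, so no assumption about the base is needed for it.
    """
    return [(r["time"], r["text"]) for r in records
            if r["status"] is not None and int(r["status"], 16) != 0]


if __name__ == "__main__":
    for when, what in failures(parse_records(SAMPLE)):
        print(when, what)
```
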
During the gathering information phase, Dcpromo.log captures events that identify the DNS domain name, NetBIOS domain name, site name, and the location of the system volume.
08/16 16:21:07 [INFO] Promotion request for domain controller of new domain
08/16 16:21:07 [INFO] DnsDomainName user.reskit.com
08/16 16:21:07 [INFO] FlatDomainName USER0
08/16 16:21:07 [INFO] SiteName (NULL)
08/16 16:21:07 [INFO] SystemVolumeRootPath C:\WINNT\SYSVOL
08/16 16:21:07 [INFO] DsDatabasePath C:\WINNT\NTDS, DsLogPath C:\WINNT\NTDS
08/16 16:21:07 [INFO] ParentDnsDomainName reskit.com
08/16 16:21:07 [INFO] ParentServer (NULL)
08/16 16:21:07 [INFO] Account reskit\administrator
08/16 16:21:07 [INFO] Options 2244
Verify the Ntds.dit file path and verify if SYSVOL is on a fixed drive and resides on an NTFS v5 volume.
08/16 16:21:07 [INFO] Validate supplied paths
08/16 16:21:07 [INFO] Validating path C:\WINNT\NTDS.
08/16 16:21:07 [INFO] Path is a directory
08/16 16:21:07 [INFO] Path is on a fixed disk drive.
08/16 16:21:07 [INFO] Validating path C:\WINNT\NTDS.
08/16 16:21:07 [INFO] Path is a directory
08/16 16:21:07 [INFO] Path is on a fixed disk drive.
08/16 16:21:07 [INFO] Validating path C:\WINNT\SYSVOL.
08/16 16:21:07 [INFO] Path is on a fixed disk drive.
08/16 16:21:07 [INFO] Path is on an NTFS volume
Ensure the name passed in is unique.
08/16 16:21:07 [INFO] Child domain creation -- check the new domain name is child of parent domain name.
08/16 16:21:07 [INFO] Domain Creation -- check that the flat name is unique.
Determine the site to place the domain controller and which domain controller to replicate from
08/16 16:21:22 [INFO] Start the worker task
08/16 16:21:23 [INFO] Request for promotion returning 0
08/16 16:21:23 [INFO] No source DC or no site name specified. Searching for dc in domain reskit.com: ( DS_REQUIRED | WRITABLE )
08/16 16:21:23 [INFO] Searching for a domain controller for the domain reskit.com
08/16 16:21:23 [INFO] Located domain controller reskit.com for domain (null)
08/16 16:21:23 [INFO] No user specified source DC
08/16 16:21:23 [INFO] No user specified site
08/16 16:21:23 [INFO] Using site Default-First-Site-Name for server reskit.com
Force a time synch so Kerberos v5 will authenticate successfully.
08/16 16:21:23 [INFO] Forcing a time synch with \\MARAK.reskit.com
08/16 16:21:17 [INFO] Reading domain policy from the domain controller \\MARAK.reskit.com
08/16 16:21:17 [INFO] Stopping service NETLOGON
08/16 16:21:17 [INFO] Stopping service NETLOGON
08/16 16:21:17 [INFO] Configuring service NETLOGON to 1 returned 0
Prepare the SYSVOL.
08/16 16:21:17 [INFO] Creating the System Volume C:\WINNT\SYSVOL
08/16 16:21:17 [INFO] Deleting current sysvol path C:\WINNT\SYSVOL
08/16 16:21:22 [INFO] Preparing for system volume replication using root C:\WINNT\SYSVOL
Ensure that the computer can be a member of the existing forest. If there is an existing forest, contact the Domain Naming Master operations master role owner to verify that the domain does not already exist in the forest.
08/16 16:21:22 [INFO] Copying initial Directory Service database file C:\WINNT\system32\ntds.dit to C:\WINNT\NTDS\ntds.dit
08/16 16:21:28 [INFO] Installing the Directory Service
08/16 16:21:28 [INFO] Calling NtdsInstall for user.reskit.com
08/16 16:21:28 [INFO] Starting the Directory Service installation
08/16 16:21:28 [INFO] Validating user supplied options
08/16 16:21:28 [INFO] Determining local site to enter
08/16 16:21:28 [INFO] Examining existing Enterprise Directory Service
08/16 16:21:30 [INFO] Configuring the local server to host the Directory Service
Replicate the forest data
08/16 16:22:05 [INFO] Replicating the Directory Service schema container
08/16 16:22:09 [INFO] Replicating CN=Schema,CN=Configuration,DC=reskit,DC=com: received 100 out of 1002 objects.
08/16 16:22:11 [INFO] Replicating CN=Schema,CN=Configuration,DC=reskit,DC=com: received 199 out of 1002 objects.
08/16 16:22:13 [INFO] Replicating CN=Schema,CN=Configuration,DC=reskit,DC=com: received 298 out of 1002 objects.
CN=Schema,CN=Configuration,DC=reskit,DC=com: received 1002 out of 1002 objects.
08/16 16:22:31 [INFO] Replicating the Directory Service configuration container
08/16 16:22:33 [INFO] Replicating CN=Configuration,DC=reskit,DC=com: received 99 out of 1236 objects.
08/16 16:22:35 [INFO] Replicating CN=Configuration,DC=reskit,DC=com: received 145 out of 1236 objects.
08/16 16:22:53 [INFO] Replicating CN=Configuration,DC=reskit,DC=com: received 1186 out of 1236 objects.
Create the new domain.
08/16 16:22:54 [INFO] Creating Partition: DC=user,DC=reskit,DC=com; 12 objects remaining.
08/16 16:22:54 [INFO] Creating Partition: DC=user,DC=reskit,DC=com; 11 objects remaining.
08/16 16:22:54 [INFO] Creating Partition: DC=user,DC=reskit,DC=com; 10 objects remaining.
08/16 16:22:55 [INFO] Creating Partition: DC=user,DC=reskit,DC=com; 0 objects remaining.
Move the current users and groups from the registry to Active Directory.
08/16 16:22:57 [INFO] Creating new domain security principals
08/16 16:23:00 [INFO] The Directory Service install is completing
08/16 16:23:02 [INFO] NtdsInstall for user.reskit.com returned 0
08/16 16:23:02 [INFO] DsRolepInstallDs returned 0
Set the local LSA policy to host the domain.
08/16 16:23:02 [INFO] Setting AccountDomainInfo to:
08/16 16:23:02 [INFO] Domain: USER0
08/16 16:23:02 [INFO] Sid: S-1-5-21-776561741-789336058-842925246
Configure the domain and domain controller services to autostart when the computer is restarted.
08/16 16:23:03 [INFO] Configuring service w32time
08/16 16:23:04 [INFO] Configuring service w32time to 16 returned 0
08/16 16:23:04 [INFO] Configuring service NETLOGON
08/16 16:23:05 [INFO] Configuring service NETLOGON to 16 returned 0
08/16 16:23:05 [INFO] DsRolepSetRegStringValue on SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\Auth2 to RASSFM returned 0
08/16 16:23:05 [INFO] Configuring service RPCLOCATOR
08/16 16:23:06 [INFO] Configuring service RPCLOCATOR to 16 returned 0
08/16 16:23:06 [INFO] Configuring service IsmServ
08/16 16:23:06 [INFO] Configuring service IsmServ to 16 returned 0
08/16 16:23:06 [INFO] Configuring service kdc
08/16 16:23:07 [INFO] Configuring service kdc to 16 returned 0
08/16 16:23:07 [INFO] Configuring service TrkSvr
08/16 16:23:08 [INFO] Configuring service TrkSvr to 16 returned 0
08/16 16:23:08 [INFO] Configuring service NETLOGON
08/16 16:23:08 [INFO] Configuring service NETLOGON to 144 returned 0
Create a trust relationship to the parent domain.
08/16 16:23:08 [INFO] Setting the LSA policy information
08/16 16:23:08 [INFO] Setting the LSA policy information from policy \\MARAK.reskit.com
08/16 16:23:08 [INFO] Creating a parent trust relationship on domain reskit.com
08/16 16:23:08 [INFO] Creating trusted domain object on parent
08/16 16:23:08 [INFO] DnsDomain: user.reskit.com
08/16 16:23:08 [INFO] Flat name: USER0
08/16 16:23:08 [INFO] Direction: 3
08/16 16:23:08 [INFO] Type: 2
08/16 16:23:08 [INFO] Attributes: 0x0
08/16 16:23:09 [INFO] Creating a trust relationship with domain user.reskit.com
08/16 16:23:09 [INFO] Creating trusted domain object on child
08/16 16:23:09 [INFO] DnsDomain: reskit.com
08/16 16:23:09 [INFO] Flat name: RESKIT
08/16 16:23:09 [INFO] Direction: 3
08/16 16:23:09 [INFO] Type: 2
08/16 16:23:09 [INFO] Attributes: 0x400000
08/16 16:23:14 [INFO] Setting the computer's Dns computer name root to user.reskit.com
Set the registry and file ACLs to become a domain controller.
08/16 16:23:23 [INFO] Setting security on the domain controller and Directory Service files and registry keys
08/16 16:23:27 [INFO] Securing users\.default
08/16 16:23:27 [INFO] Securing users\.default\software\microsoft\netdde
08/16 16:23:27 [INFO] Securing users\.default\software\microsoft\protected storage system provider
08/16 16:23:27 [INFO] Securing machine\software
08/16 16:23:28 [INFO] Securing machine\software\classes
08/16 16:23:49 [INFO] Securing machine\software\microsoft\command processor
08/16 16:23:49 [INFO] Securing machine\software\microsoft\cryptography
08/16 16:23:49 [INFO] Securing machine\software\microsoft\driver signing
08/16 16:23:49 [INFO] Securing machine\software\microsoft\enterprisecertificates
08/16 16:23:49 [INFO] Securing machine\software\microsoft\netdde
08/16 16:23:49 [INFO] Securing machine\software\microsoft\non-driver signing
08/16 16:23:49 [INFO] Securing machine\software\microsoft\ntds
08/16 16:23:49 [INFO] Securing machine\software\microsoft\ole
08/16 16:23:49 [INFO] Securing machine\software\microsoft\protected storage system provider
08/16 16:23:49 [INFO] Securing machine\software\microsoft\rpc
08/16 16:23:49 [INFO] Securing machine\software\microsoft\systemcertificates
08/16 16:23:50 [INFO] Securing machine\software\microsoft\windows\currentversion\explorer
08/16 16:23:50 [INFO] Securing machine\software\microsoft\windows\currentversion\group policy
08/16 16:23:50 [INFO] Securing machine\software\microsoft\windows\currentversion\installer
08/16 16:23:50 [INFO] Securing machine\software\microsoft\windows\currentversion\policies
08/16 16:23:50 [INFO] Securing machine\software\microsoft\windows\currentversion\run
08/16 16:23:50 [INFO] Securing machine\software\microsoft\windows\currentversion\runonce
08/16 16:23:50 [INFO] Securing machine\software\microsoft\windows\currentversion\runonceex
08/16 16:23:50 [INFO] Securing machine\software\microsoft\windows\currentversion\uninstall
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\accessibility
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\aedebug
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\asrcommands
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\classes
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\drivers32
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\efs
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\font drivers
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\fontmapper
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\image file execution options
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\inifilemapping
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\perflib
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\perflib\009
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\profilelist
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\secedit
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\svchost
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\time zones
08/16 16:23:50 [INFO] Securing machine\software\microsoft\Windows NT\currentversion\windows
08/16 16:23:50 [INFO] Securing machine\software\policies
08/16 16:23:50 [INFO] Securing machine\system
08/16 16:24:31 [INFO] Securing c:\winnt\ntds
08/16 16:24:31 [INFO] Securing c:\winnt\profiles
08/16 16:24:31 [INFO] Securing c:\winnt\repair
08/16 16:24:31 [INFO] Securing c:\winnt\security
08/16 16:24:31 [INFO] Securing c:\winnt\system32
08/16 16:24:40 [INFO] Securing c:\winnt\system32\autoexec.nt
08/16 16:24:40 [INFO] Securing c:\winnt\system32\cmos.ram
08/16 16:24:40 [INFO] Securing c:\winnt\system32\config
08/16 16:24:41 [INFO] Securing c:\winnt\system32\config.nt
08/16 16:24:41 [INFO] Securing c:\winnt\system32\dhcp
08/16 16:24:41 [INFO] Securing c:\winnt\system32\dllcache
08/16 16:24:51 [INFO] Securing c:\winnt\system32\grouppolicy
08/16 16:24:51 [INFO] Securing c:\winnt\system32\hpmon.dll
08/16 16:24:51 [INFO] Securing c:\winnt\system32\hpmon.hlp
08/16 16:24:51 [INFO] Securing c:\winnt\system32\ias
08/16 16:24:51 [INFO] Securing c:\winnt\system32\midimap.cfg
08/16 16:24:51 [INFO] Securing c:\winnt\system32\ntmsdata
08/16 16:24:51 [INFO] Securing c:\winnt\system32\spool
08/16 16:24:51 [INFO] Securing c:\winnt\sysvol
08/16 16:24:51 [INFO] Securing c:\winnt\sysvol\domain\policies
08/16 16:24:52 [INFO] Securing c:\winnt\tasks
08/16 16:24:52 [INFO] Securing c:\winnt\temp
08/16 16:24:52 [INFO] Securing LanManServer
08/16 16:24:57 [INFO] SetProductType to 2 [LanmanNT] returned 0
08/16 16:24:57 [INFO] The attempted domain controller operation has completed
Returns a success or failure when finished running the Active Directory Installation Wizard.
08/16 16:24:58 [INFO] DsRolepSetOperationDone returned 0
For more information about the Active Directory installation and removal process, see "Active Directory Data Storage" in this book. For more information about cross-reference objects, see "Name Resolution in Active Directory" in this book.