DonatShell
Server IP : 180.180.241.3  /  Your IP : 216.73.216.252
Web Server : Microsoft-IIS/7.5
System : Windows NT NETWORK-NHRC 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
User : IUSR ( 0)
PHP Version : 5.3.28
Disable Function : NONE
MySQL : ON  |  cURL : ON  |  WGET : OFF  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /Windows/Help/Windows/en-US/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :

[ HOME SHELL ]     

Current File : /Windows/Help/Windows/en-US/ad_ds.h1s
MZ@PEL!@0@.rsrc@@.its @@0	HX||4VS_VERSION_INFOStringFileInfo040904b0b!FileVersion1.00.00                         l"FileDescriptionCompiled Microsoft Help 2.0 TitleBFileStamp71115C1201CA041F4JCompilerVersion2.5.71210.08579VCompileDate2009-07-14T01:07:22      >TopicCount103000000000000ALegalCopyright 2005 Microsoft Corporation. All rights reserved.CCCCCCCCCCCCCDVarFileInfo$Translation	tig\qÇúITOLITLS(X쌡^
V`   x aCAOLPHHC ITSF #q	-Y쌡^
VY쌡^
VIFCMAOLLaIFCM AOLL&//$FXFtiAttribute//$FXFtiAttribute/BTREEX/$FXFtiAttribute/DATA/$FXFtiAttribute/PROPERTYpN/$FXFtiMain//$FXFtiMain/BTREE'/$FXFtiMain/DATA?K/$FXFtiMain/PROPERTY
N/$Index/$ATTRNAME^/$Index/$PROPBAGl/$Index/$STRINGSV/$Index/$SYSTEMh
/$Index/$TOC//$Index/$TOC/$AD_DS/$Index/$TOPICATTR> /$Index/$TOPICS/$Index/$URLSTRdh/$Index/$URLTBLL8/$Index/$VTAIDXb /$Index/AssetId//$Index/AssetId/$BL0/$Index/AssetId/$LEAF_COUNTS/$Index/AssetId/$LEAVES	/$OBJINST
/ad_ds.h1c
/AD_DS.H1Fb
/AD_DS.H1Tg0
/AD_DS.H1Vd/AD_DS_AssetId.H1Kk/AD_DS_BestBet.H1Kk/AD_DS_LinkTerm.H1Kml/AD_DS_SubjectTerm.H1KYo/assets/0/assets/04516079-76bb-4def-8856-c5534c411238.xml6:0/assets/09ca3b92-5e7a-4154-9d18-5be2c54b9bb7.xmlp0/assets/183d02af-b5d5-4a94-bf75-213d7100aec7.xml
C0/assets/2005bba5-0ecc-4b67-8596-18bd75d57d02.xmlPU0/assets/29f83de8-d4d6-4db6-90bc-1741ece46aec.xml%R0/assets/339e0997-e4a6-4deb-b00e-d46ffdc4ed78.xmlw0/assets/35762977-9b9e-4ef5-99be-73f6838cc158.xml0/assets/3739d3bb-38d5-48da-b9bf-d80401baf053.xml}0/assets/4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c.xmlt0/assets/4332bca8-b13f-45bc-a8a4-d22ef6f0e0b8.xmlR0/assets/4cf83c2c-ecc7-4db7-b397-a2181e789b09.xml^R0/assets/51189958-f622-49f7-b944-823d4bd1bb68.xml0A0/assets/528cfe92-0dd3-45bf-996c-b0ecfd1f8f37.xmlqC0/assets/52ec32f6-5eda-4d6a-8e38-809fee243b71.xmlD0/assets/54462cf1-d293-436c-b396-27925e13ede2.xmlHj0/assets/576d75af-26b6-4df8-903a-7579a81500d4.xml2R0/assets/59840570-41e6-4eaf-ac40-0505e7765a7a.xml\0/assets/5ce13491-3a1c-4935-af59-70e27dae6144.xml`
0/assets/60016765-34aa-49b3-8fea-1308ecfc0e43.xmlm]0/assets/62919f2e-6873-431b-b3da-36d27e544da9.xmlJ%0/assets/66a228ff-5c99-4ac9-928d-ba460461d3be.xmlo0/assets/66b093ee-b131-4a8d-b5bb-09c0d1f50a08.xml{J0/assets/695c2fad-f7d1-4075-8402-127581ecb172.xmlEx0/assets/6b4fd0a5-62b0-4cb9-a01b-5dc21d9d8236.xml=d0/assets/6dd108a2-b5a2-4b98-a67c-f654cf7d1741.xml!r0/assets/6e082c82-6315-42be-b5a1-6f4647bfa5e8.xml0/assets/702963cf-6d46-4cf8-bc5a-1877db288a84.xmly0/assets/7fc91f3b-c926-4dd7-a9f5-8d140d261a14.xml;0/assets/859ed5a8-79b6-42e9-8e70-967f8d4fd4fb.xmlJ 0/assets/887e6f79-c332-4cb8-a0fe-8b5bfa2786e1.xmlj\0/assets/9539d62e-ac0c-4f30-bba7-5f5782a0cb85.xmlF0/assets/9922023d-94c4-4e9b-a04e-446b5464bca5.xmlZD0/assets/9f4e0147-687f-46f3-9558-22b542e2c455.xml0/assets/a2261e08-4875-4204-bb1e-69db914262a0.xml8x0/assets/a61e3e1e-17df-45da-8aa7-8c479e835259.xml0H0/assets/a9a06564-b6e2-4287-8e4b-05a4a07a6bb8.xmlxp0/assets/ae51cdda-4957-43b6-8d0f-1f8c1c108af0.xmlh 0/assets/c0a2bc79-a198-4fcf-a515-38484850366c.xml)0/assets/ce4f829a-7b01-4b43-84a4-a896bd9bff2a.xml1>0/assets/d2d11b40-f929-4abd-849e-314222a283d0.xmlo0/assets/d354d108-0112-4e35-8530-d90417f3d185.xml-0/assets/e2dd91d6-441f-4175-9d1d-d152d148d73c.xmlf0/assets/e324865f-1cbe-42ec-bf18-a220c0e26fe6.xml{?0/assets/e374bef1-c875-4792-b0f7-381549f53744.xml:V0/assets/e470dd1b-507b-436e-a17b-3ddcb5bb5044.xml0/assets/e6e3cd78-023f-4377-952e-9cda33be0420.xmlh80/assets/f21782b3-e3b6-4c60-a51b-9e136d6ac7e4.xml ^0/assets/f7cd8568-60c6-490f-952b-7981f6b76ce0.xml~/relatedAssets/7/relatedAssets/10853d03-fe57-4f44-b77f-aa7dddd20a39.gif,i7/relatedAssets/3dd4f848-9c62-4403-bfe7-52364867ea8c.giftB7/relatedAssets/624dd3fb-47aa-402e-87f8-773e8e9b828f.gif9s7/relatedAssets/9252a22b-ed7e-41e6-94c8-8615694db76b.gifJ7/relatedAssets/a94424e0-d4de-41f8-8893-7e8e9f465bbd.gif0	7/relatedAssets/d2d99fd8-5456-486d-95be-a01d6af7ae69.gif4::DataSpace/NameList<(::DataSpace/Storage/MSCompressed/ContentHd,::DataSpace/Storage/MSCompressed/ControlDataT )::DataSpace/Storage/MSCompressed/SpanInfoL/::DataSpace/Storage/MSCompressed/Transform/List<_::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/i::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/ResetTable,p3::Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/

	wdP=-AQqaUncompressedMSCompressedFX쌡^
VnLZXCHHGIF89a

333!,


"meo[tX}F;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Optimize Network Utilization Across Geographic Locations by Adding an Active Directory Site</maml:title><maml:introduction>
<maml:para>Sites are boundaries for intrasite replication. They provide a way to define which domain controller is used for authentication and directory searches by a collection of client computers on a common IP subnet. Sites are created for IP subnets that contain a large number of users or a small number of users who need to avoid authentication and directory searches across a wide area network (WAN) link. Sites also provide a way for site-aware clients to target authentication requests, directory searches, and other operations against a domain controller in the same site or in a nearby site.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Creating an Active Directory site</maml:title><maml:introduction>
<maml:para>The following table lists the references that you can use when you need to create an Active Directory site. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>On a domain controller, click <maml:ui>Start</maml:ui>, click <maml:ui>Administrative Tools</maml:ui>, click <maml:ui>Active Directory Sites and Services</maml:ui>, and then press <maml:ui>F1</maml:ui>. Review the Help topic titled <maml:ui>Checklist: Configure an Additional Site</maml:ui>.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Active Directory Sites and Services Help</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>On a domain controller, click <maml:ui>Start</maml:ui>, click <maml:ui>Administrative Tools</maml:ui>, click <maml:ui>Active Directory Sites and Services</maml:ui>, and then press <maml:ui>F1</maml:ui>. Review the Help topic titled <maml:ui>Adding a Site to the Forest</maml:ui>.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Active Directory Sites and Services Help</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review the information on the Web and complete the steps for creating an Active Directory site.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Adding a New Site (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93237</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93237"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Ensure That DNS Clients Can Locate Domain Controllers by Configuring DNS Support for AD DS</maml:title><maml:introduction>
<maml:para>The Active Directory Domain Services (AD DS) server role needs Domain Name System (DNS) services to locate computers, domain controllers, member servers, and network services by name. The DNS Server role provides DNS name resolution services for TCP/IP-based networks by mapping names to IP addresses, which makes it possible for computers to locate network resources in an AD DS environment.</maml:para>

<maml:para>AD DS registers resource records in DNS zones so that DNS clients can locate domain controllers. You must configure DNS clients with the address of a DNS server that can refer to the required zone data. The DNS server must either host the required zones itself or be able to use forwarding or delegations to reach another DNS server that hosts the required zones.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Configure DNS support for AD DS</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to configure DNS support for AD DS. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review information about the DNS server role in Windows Server 2008.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>DNS Server (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93215</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93215"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure DNS client settings.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Configuring TCP/IP and DNS Client Settings</maml:linkText><maml:uri href="mshelp://windows/?id=183d02af-b5d5-4a94-bf75-213d7100aec7"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Create any necessary DNS delegation records.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Creating or Updating a DNS Delegation</maml:linkText><maml:uri href="mshelp://windows/?id=9922023d-94c4-4e9b-a04e-446b5464bca5"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure forwarders.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Configure a DNS Server to Use Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=e324865f-1cbe-42ec-bf18-a220c0e26fe6"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If your organization uses root hints for recursive name resolution, configure root hints on your DNS servers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Update Root Hints on the DNS Server</maml:linkText><maml:uri href="mshelp://windows/?id=d354d108-0112-4e35-8530-d90417f3d185"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring TCP/IP and DNS Client Settings</maml:title><maml:introduction>
<maml:para>Active Directory Domain Services (AD DS) relies on properly configured TCP/IP and Domain Name System (DNS) client settings to function. You have to configure these settings on the IP version 4 (IPv4) and IP version 6 (IPv6) properties for all the physical network adapters for the server that will become the domain controller. The Active Directory Domain Services Installation Wizard detects whether any TCP/IP or DNS client settings are not properly configured. The wizard does not proceed with the installation until the settings are correct. </maml:para>

<maml:para>For TCP/IP, this means that each of the physical network adapters for the domain controller must be assigned a valid IP address. You should always use a static IP address for each network adapter so that clients can continue to locate the domain controller if the Dynamic Host Configuration Protocol (DHCP) server or the DHCP service is not available or if the domain controller is assigned a different IP address by the DHCP server in the future. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Configuring TCP/IP and DNS Client Settings</maml:title><maml:introduction>
<maml:para>Membership in the local <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure TCP/IP and DNS client settings</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Initial Configuration Tasks</maml:ui> page that appears when you first start the server, under <maml:ui>Provide Computer Information</maml:ui>, click <maml:ui>Configure networking</maml:ui>. </maml:para>

<maml:para>Or </maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Control Panel</maml:ui>, and then click <maml:ui>View network status and tasks</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Change adapter settings</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Local Area Connection</maml:ui>, and then click <maml:ui>Properties</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para> If the <maml:ui>User Account Control</maml:ui> dialog box appears, confirm that the action it displays is what you want, and then click <maml:ui>Yes</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the <maml:ui>Local Area Connection Properties</maml:ui> dialog box, click <maml:ui>Internet Protocol Version 4 (TCP/IPv4)</maml:ui> or <maml:ui>Internet Protocol Version 6 (TCP/IPv6)</maml:ui> as necessary, and then click <maml:ui>Properties</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Use the following IP address</maml:ui>, and then type the static IP address for the server.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Use the following DNS server addresses</maml:ui>, and then type the IP address for the preferred DNS server and, if one is available, the alternate DNS server. </maml:para>

<maml:para>If you plan to install the DNS server role on the server, specify the IP address of this server as the preferred DNS server.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Share Resources with Other Forests by Creating Trust Relationships</maml:title><maml:introduction>
<maml:para>When a trust exists between two Active Directory forests, the authentication mechanisms for each forest trust the authentications that come from the other forest. Trusts help to control access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). Trusts between forests can be external trusts or forest trusts. External trusts can exist with Windows 2000 Server or Windows Server 2003 domains, regardless of their functional level, and they use NTLM authentication. Forest trusts can exist with forests that operate at the Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 forest functional level. These trusts use Kerberos authentication.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Creating a trust</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to create a trust for sharing resources with other forests. The trust can be either one-way or two-way, and it can be either incoming or outgoing. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review information, including any known issues, about creating domain and forest trusts.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Creating Domain and Forest Trusts (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93232</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93232"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>As necessary, complete the steps for creating an external trust.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Creating External Trusts (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93233</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93233"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>As necessary, complete the steps for creating a forest trust.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Creating Forest Trusts (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93235</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93235"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Help Prepare for Disaster Recovery by Performing Routine Backups of the Active Directory Database</maml:title><maml:introduction>
<maml:para>Incorporate domain controller backups into your routine operations schedule to protect against user error, software error, or hardware error. Windows Server Backup is an optional Windows Server 2008 feature that you install by using Server Manager. Use Windows Server Backup to back up all volumes on a domain controller (also known as a full server backup) or a specified set of critical volumes that contain system state data. Critical volumes include volumes that host the Active Directory database (Ntds.dit) and log files, SYSVOL, the registry, and select operating system files. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>For install from media (IFM) installations, use Ntdsutil.exe, rather than Windows Server Backup, to create the installation media. Ntdsutil.exe includes an <maml:computerOutputInline>ifm</maml:computerOutputInline> subcommand that creates installation media for the installation of additional domain controllers. The <maml:computerOutputInline>ifm</maml:computerOutputInline> subcommand creates installation media that includes only the files that are required to install AD DS, and you can use it to create secure installation media for RODC installation. For more information about using the <maml:computerOutputInline>ntdsutil ifm</maml:computerOutputInline> subcommand, see Installing AD DS from Media (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93228</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93228"></maml:uri></maml:navigationLink>).</maml:para>
</maml:alertSet>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Performing domain controller backups</maml:title><maml:introduction>
<maml:para>The following table lists references that you can use to perform backups of domain controllers that run Windows Server 2008.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If necessary, install Windows Server Backup.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Installing Windows Server Backup (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93229</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93229"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>As needed, perform a backup of system state data or the critical volumes that are required to recover a domain controller.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Performing an Unscheduled Backup of a Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93224</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93224"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>As needed, perform a backup of all volumes that are hosted on a domain controller.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup) (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93230</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93230"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Automate domain controller backups by scheduling Windows Server Backup to perform daily backup jobs.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Scheduling Regular Full Server Backups of a Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93231</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93231"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Selecting an Installation Partner for Active Directory Domain Services</maml:title><maml:introduction>
<maml:para>On the <maml:ui>Source Domain Controller</maml:ui> page of the Active Directory Domain Services Installation Wizard, you can select which domain controller will be used as a source for data that must be replicated during installation, or you can have the wizard select which domain controller will be used as the source for this data. This wizard page appears only if you select the <maml:ui>Use advanced mode installation</maml:ui> check box on the <maml:ui>Welcome to the Active Directory Domain Services Installation Wizard</maml:ui> page and you are adding an additional domain to a forest or adding an additional domain controller to an existing domain. </maml:para>

<maml:para>Even if you choose to install from media (IFM), some network communication must occur between the new domain controller and an existing domain controller, which is sometimes known as an installation partner or a "helper domain controller." </maml:para>

<maml:para>The Active Directory Domain Services Installation Wizard lists all the domain controllers that are eligible to be used as an installation partner. If you are creating an additional domain, any domain controller can be the installation partner. However, the following restrictions apply to the domain controllers that can be used as an installation partner in other situations:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>A read-only domain controller (RODC) can never be an installation partner. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are installing an RODC, only a writable domain controller that runs Windows Server 2008 or Windows Server 2008 R2 can be an installation partner. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are installing an additional domain controller for an existing domain, only a domain controller for that domain can be an installation partner.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>If you specify a domain controller to be used as an installation partner, specify a domain controller that has a low number of inbound and outbound connections and ensure that it is not a significant originator or forwarder of changes with File Replication Service (FRS) replication partners.</maml:para>

<maml:para>If you choose not to use IFM, a new NTDS Settings object and a new computer account is created or modified on the installation partner. The installation partner also has the first opportunity to replicate the contents of the SYSVOL shared folder to the new domain controller. </maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Choosing an Active Directory Domain Services Deployment Configuration</maml:title><maml:introduction>
<maml:para>When you install Active Directory Domain Services (AD DS), you choose one of the following possible deployment configurations:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Adding a new domain controller to a domain</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Adding a new child domain to a forest, or, as an option, adding a new domain tree</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The option to install a new domain tree appears only if you select the <maml:ui>Use advanced mode installation</maml:ui> check box on the <maml:ui>Welcome to the Active Directory Domain Services Installation Wizard</maml:ui> page of the Active Directory Domain Services Installation Wizard.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>Creating a new forest</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following sections describe each of these deployment configurations in detail.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Adding a new domain controller to a domain</maml:title><maml:introduction>
<maml:para>If you already have one domain controller in a domain, you can add additional domain controllers to the domain to improve the availability and reliability of network services. Adding additional domain controllers can help provide fault tolerance, balance the load of existing domain controllers, and provide additional infrastructure support to sites.</maml:para>

<maml:para>More than one domain controller in a domain makes it possible for the domain to continue to function if a domain controller fails or must be disconnected. Multiple domain controllers can also improve performance by making it easier for clients to connect to a domain controller when they log on to the network. </maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Preparing an existing domain</maml:title><maml:introduction>
<maml:para>Before you add a domain controller running Windows Server 2008 R2 to an existing Active Directory domain, you have to prepare the forest and the domain by running Adprep.exe. Be sure to run the version of Adprep that is included with your Windows Server 2008 R2 installation media. This version of Adprep adds schema objects and attributes that are required by domain controllers that run Windows Server 2008 R2, and it modifies permissions on new and existing objects. </maml:para>

<maml:para>Run the following <maml:computerOutputInline>adprep</maml:computerOutputInline> parameters as necessary for your environment:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Run <maml:computerOutputInline>adprep /forestprep</maml:computerOutputInline> once on the domain controller in the forest that holds the schema operations master role (the schema master) before you add a domain controller that runs Windows Server 2008 R2. To run this command, you must be a member of the Enterprise Admins group, the Schema Admins group, and the Domain Admins group of the domain that includes the schema master. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In addition, run <maml:computerOutputInline>adprep /domainprep /gpprep</maml:computerOutputInline> once on the domain controller that holds the infrastructure operations master role (the infrastructure master) in each domain in which you plan to add a domain controller that runs Windows Server 2008 R2. To run this command, you must be a member of the Domain Admins group. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you plan to deploy a read-only domain controller (RODC) in any domain in the forest, you also must run <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline> once in the forest. You can run this command on any computer in the forest. To run this command, you must be a member of the Enterprise Admins group. For more information, see Prepare a Forest for a Read-Only Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93244</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93244"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Installing from media</maml:title><maml:introduction>
<maml:para>When you install a new domain controller in an existing domain, you can choose to install from media (IFM), in which the domain database is copied from the media rather than over the network. This option is available in the Active Directory Domain Services Installation Wizard only if you select the <maml:ui>Use advanced mode installation</maml:ui> check box on the <maml:ui>Welcome</maml:ui> page. The recommended tool for creating the installation media is the <maml:computerOutputInline>ntdsutil ifm</maml:computerOutputInline> subcommand. For more information about using IFM, see <maml:navigationLink><maml:linkText>Installing from Media</maml:linkText><maml:uri href="mshelp://windows/?id=66b093ee-b131-4a8d-b5bb-09c0d1f50a08"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Adding a new domain to a forest</maml:title><maml:introduction>
<maml:para>By default, the new forest that you create will contain one domain, which is known as the forest root domain. This single domain can accommodate thousands of users even if only a small amount of network bandwidth is available for Active Directory replication. Therefore, a single domain is typically sufficient for most small organizations and medium-sized organizations. Adding more domains to the forest greatly increases the administration requirements for the forest. </maml:para>

<maml:para>Larger organizations, however, may decide to add child domains to the forest so that domain data is replicated only where it is needed. A child domain shares a contiguous namespace with its parent domain. For example, sales.contoso.com is a child domain of contoso.com. A child domain automatically has a two-way, transitive trust with its parent domain. </maml:para>

<maml:para>A new domain that does not share a contiguous namespace with its parent domain is known as a new domain tree. For more information about creating a new domain tree, see <maml:navigationLink><maml:linkText>Creating a new domain tree</maml:linkText><maml:uri href="mshelp://windows/?id=35762977-9b9e-4ef5-99be-73f6838cc158#BKMK_Tree"></maml:uri></maml:navigationLink> later in this topic. </maml:para>

<maml:para>When you add domains to the forest, you are partitioning AD DS, which allows data to be replicated only where it is needed. In this way, a single Active Directory forest can scale globally to accommodate hundreds of thousands—or even millions—of users on a network that has limited bandwidth.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Requirements for creating a new domain</maml:title><maml:introduction>
<maml:para>When you create a new child domain, you must be a member of the Domain Admins group in the parent domain or the Enterprise Admins group to proceed. When you create a new domain tree, you must be a member of the Enterprise Admins group. </maml:para>

<maml:para>The Active Directory Domain Services Installation Wizard allows Active Directory domain names up to 64 characters or up to 155 bytes. Although the limit of 64 characters is usually reached before the limit of 155 bytes, the opposite could be true if the name contains Unicode characters that consume three bytes. These limits do not apply to computer names.</maml:para>

<maml:para>During installation, a Domain Name System (DNS) zone delegation is created by Dcpromo.exe. If DNS zone delegation creation fails or you choose not to create it (which is not recommended), you must create a zone delegation manually. For more information about creating a zone delegation, see <maml:navigationLink><maml:linkText>Creating or Updating a DNS Delegation</maml:linkText><maml:uri href="mshelp://windows/?id=9922023d-94c4-4e9b-a04e-446b5464bca5"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Before you can add a domain to a forest, a DNS delegation must be created for the DNS zone that matches the name of the Active Directory domain that you are adding. The Active Directory Domain Services Installation Wizard verifies that the DNS delegation exists. If it does not exist, the wizard provides an option to create the DNS delegation automatically during the creation of the new domain.</maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_Tree">
<maml:title>Creating a new domain tree</maml:title><maml:introduction>
<maml:para>You should create a new domain tree only when you need to create a domain whose DNS namespace is not related to the other domains in the forest. This means that the name of the tree root domain (and any child domain below it) does not have to contain the full name of the parent domain. </maml:para>

<maml:para>For example, treyresearch.net can be a domain tree in the contoso.com forest. New domain trees are most commonly created as part of a business acquisition or a merger of multiple organizations. A forest can contain one or more domain trees.</maml:para>

<maml:para>Before you create a new domain tree, consider creating another forest when you want a different DNS namespace. Multiple forests provide administrative autonomy, isolation of the schema and configuration directory partitions, separate security boundaries, and the flexibility to use an independent namespace design for each forest.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Creating a new forest</maml:title><maml:introduction>
<maml:para>To create a new forest, you must be a member of the local Administrators group on the server where you are installing AD DS. </maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>DNS and NetBIOS names</maml:title><maml:introduction>
<maml:para>Before you create a new forest, be sure that you have completely planned your DNS infrastructure. To create a new forest, you must know the full DNS name for it. You can install the DNS Server service before you install AD DS or, preferably, you can choose to have the Active Directory Domain Services Installation Wizard install the DNS Server service for you. </maml:para>

<maml:para>If you have the wizard install the DNS Server service, the wizard uses the DNS name that you provide to automatically generate a NetBIOS name for the first domain in the forest. The wizard verifies that the DNS name and the NetBIOS name are unique on the network before it continues. You must select the <maml:ui>Use advanced mode installation</maml:ui> check box on the <maml:ui>Welcome to the Active Directory Domain Services Installation Wizard</maml:ui> page to specify a different NetBIOS name than the name that is generated automatically by the wizard. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The <maml:ui>Domain NetBIOS Name</maml:ui> wizard page also appears if the automatically generated NetBIOS name conflicts with an existing name. </maml:para>
</maml:alertSet>

<maml:para>By default, the DNS Server service is installed on the first domain controller in a forest. If you already have a DNS infrastructure set up to support name resolution for the new forest, you can clear the <maml:ui>DNS server</maml:ui> check box on the <maml:ui>Additional Options</maml:ui> wizard page. However, if you do not have a supporting DNS infrastructure already in place, accept the default setting to have the wizard install the DNS Server service on the first domain controller in the forest. </maml:para>

<maml:para>When you click <maml:ui>Next</maml:ui> to continue, the Active Directory Domain Services Installation Wizard examines your existing DNS infrastructure. If you cleared the <maml:ui>DNS server</maml:ui> check box, the wizard performs diagnostic tests to verify that the supporting DNS infrastructure is in place. If the diagnostic tests fail, you again have the option to install the DNS Server service by using the wizard.</maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Functional levels</maml:title><maml:introduction>
<maml:para>For a new forest, the default forest functional level is Windows 2000 and the domain functional level is Windows 2000 native. These are the lowest possible functional levels, and they allow domain controllers to run Windows Server 2003, Windows® 2000 Server, Windows Server 2008, or Windows Server 2008 R2. </maml:para>

<maml:para>If you do not plan to add domain controllers that run these earlier versions of Windows Server, select higher functional levels to enable advanced features. If you select Windows Server 2008 R2 as the forest functional level, all domains that are subsequently added to the forest will be created at the Windows Server 2008 R2 domain functional level. Therefore, the <maml:ui>Set Domain Functional Level</maml:ui> page does not appear in the Active Directory Domain Services Installation Wizard. If you select a different forest functional level, you can set the domain functional level independently for each domain in the forest. For more information about functional levels, see <maml:navigationLink><maml:linkText>Setting the Domain or Forest Functional Level</maml:linkText><maml:uri href="mshelp://windows/?id=887e6f79-c332-4cb8-a0fe-8b5bfa2786e1"></maml:uri></maml:navigationLink>. </maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Operations master roles</maml:title><maml:introduction>
<maml:para>The first domain controller for this domain hosts all the operations master roles (also known as flexible single master operations or FSMO) for the forest. </maml:para>

<maml:para>Additional domain controllers in the domain are recommended to improve the availability and fault tolerance of AD DS. After you create additional domain controllers, you may want to transfer some of the operations master roles that are hosted on the first domain controller to these other domain controllers. If you plan to create a multidomain forest and any domain controller in your forest root domain will not be a global catalog server, then you should transfer at least the infrastructure master role in the forest root domain to another domain controller in the domain that is not a global catalog server. </maml:para>

<maml:para>For more information about managing operations master roles, see <maml:navigationLink><maml:linkText>Ensure Successful Active Directory Operations by Managing Operations Master Roles</maml:linkText><maml:uri href="mshelp://windows/?id=62919f2e-6873-431b-b3da-36d27e544da9"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Change the Zone Type</maml:title><maml:introduction>
<maml:para>You can use this procedure to change make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS). For more information, see <maml:navigationLink><maml:linkText>Understanding zone types</maml:linkText><maml:uri href="mshelp://windows/?id=94d8e229-ef7b-4b4f-884f-5fec92bbc911"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Membership in the <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Changing the zone type</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using the Windows interface</maml:linkText><maml:uri href="mshelp://windows/?id=3739d3bb-38d5-48da-b9bf-d80401baf053#BKMK_winui"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using a command line</maml:linkText><maml:uri href="mshelp://windows/?id=3739d3bb-38d5-48da-b9bf-d80401baf053#BKMK_cmd"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section address="BKMK_winui"><maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To change the zone type using the Windows interface</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open DNS Manager.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click the applicable zone, and then select <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, note the current zone type, and then click <maml:ui>Change</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Change Zone Type</maml:ui>, select a zone type other than the current zone type, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open DNS Manager, click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>DNS</maml:ui>. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can select either <maml:ui>Primary zone</maml:ui>, <maml:ui>Secondary zone</maml:ui> or <maml:ui>Stub zone</maml:ui>. When you select the secondary or stub zone types, you must specify the IP address of another Domain Name System (DNS) server to be used as the source for obtaining updated information for the zone.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the DNS server computer is operating as a domain controller, the option to store the zone in AD DS is available. This option is not otherwise available. When this zone type is selected for use, zone data is stored and replicated as part of the AD DS database.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You cannot change the zone type (primary, secondary, or stub) and the method for storing the zone at the same time. You must perform the two operations separately.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>Changing a zone from a secondary to primary type can affect other zone activities, including management of dynamic updates and zone transfers and the use of DNS notify lists to notify other servers about changes in the zone.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Changing a zone from stub to primary or the reverse is not recommended. This contradicts the purpose of stub zones. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Changing the DNS zone type or storage can be time consuming for large zones.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>

<maml:section address="BKMK_cmd"><maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To change the zone type using a command line</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open a command prompt.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Type the following command, and then press ENTER: </maml:para>

<dev:code>dnscmd &lt;ServerName&gt; /ZoneResetType &lt;ZoneName Property&gt; [&lt;MasterIPaddress...&gt;] [/file &lt;FileName&gt;] {/OverWrite_Mem|/OverWrite_Ds|/DirectoryPartition &lt;FQDN&gt;}</dev:code>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Parameter</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>dnscmd </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the name of the command-line tool for managing DNS servers.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>&lt;ServerName&gt; </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>&lt;ZoneName&gt; </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required. Specifies the fully qualified domain name (FQDN) of zone.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>&lt;Property&gt; </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required. One of the following zone types:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:computerOutputInline>/Primary </maml:computerOutputInline></maml:para>

<maml:para>Standard primary zone. The <maml:computerOutputInline>/file</maml:computerOutputInline> <maml:replaceable>FileName</maml:replaceable> option is required.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:computerOutputInline>/DsPrimary </maml:computerOutputInline></maml:para>

<maml:para>AD DS-integrated primary zone. If the zone is not already a primary zone, you must convert it to a primary zone (using <maml:computerOutputInline>/Primary</maml:computerOutputInline>) before you use this parameter to integrate the zone with AD DS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:computerOutputInline>/Secondary </maml:computerOutputInline></maml:para>

<maml:para>Secondary zone. You must specify at least one <maml:replaceable>MasterIPaddress.</maml:replaceable></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:computerOutputInline>/Stub </maml:computerOutputInline></maml:para>

<maml:para>Stub zone. You must specify at least one <maml:replaceable>MasterIPaddress.</maml:replaceable> If the zone is an AD DS-integrated primary zone, you must use <maml:computerOutputInline>/DsStub</maml:computerOutputInline> to convert it to an AD DS-integrated stub zone before you use this parameter.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:computerOutputInline>/DsStub </maml:computerOutputInline></maml:para>

<maml:para>AD DS -integrated stub zone. You must specify at least one <maml:replaceable>MasterIPaddress.</maml:replaceable> If the zone is not already a stub zone, you must convert it to a stub zone (using <maml:computerOutputInline>/Stub</maml:computerOutputInline>) before you use this parameter to integrate the zone with AD DS.</maml:para>
</maml:listItem>
</maml:list>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>/file &lt;FileName&gt;</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required for <maml:computerOutputInline>/Primary</maml:computerOutputInline>. Specifies the name of a file for the new zone. This parameter is not valid for the <maml:computerOutputInline>/DsPrimary</maml:computerOutputInline> zone type.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>&lt;MasterIPaddress...&gt; </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required for <maml:computerOutputInline>/Secondary</maml:computerOutputInline>, <maml:computerOutputInline>/Stub</maml:computerOutputInline> and <maml:computerOutputInline>/DsStub</maml:computerOutputInline>. Specifies one or more IP addresses for the master servers of the secondary zone or stub zone, from which zone data is copied.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>/OverWrite_Mem | /OverWrite_Ds | /DirectoryPartition &lt;FQDN&gt;</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:computerOutputInline>/OverWrite_Mem</maml:computerOutputInline> overwrites existing DNS data using the data in AD DS. <maml:computerOutputInline>/OverWrite_Ds</maml:computerOutputInline> overwrites Active Directory data with data in DNS. <maml:computerOutputInline>/DirectoryPartition</maml:computerOutputInline> stores the new zone in the application directory partition that is specified by <maml:replaceable>FQDN</maml:replaceable>, such as DomainDnsZones.corp.widgets.tailspintoys.com.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:</maml:para>

<dev:code>dnscmd /ZoneResetType /help </dev:code>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open an elevated Command Prompt window, click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, right-click <maml:ui>Command Prompt</maml:ui>, and then click <maml:ui>Run as administrator</maml:ui>. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can select either primary zones, secondary zones, or stub zones. When you select the secondary or stub zone type, specify the IP address of another DNS server to be used as the source for obtaining updated information for the zone.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the DNS server computer is operating as a domain controller, you can use the <maml:computerOutputInline>/DsPrimary</maml:computerOutputInline> or <maml:computerOutputInline>/DsStub</maml:computerOutputInline> parameters. These options are not otherwise available. When either zone type is selected for use, zone data is stored and replicated as part of the AD DS database.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Before you use these options, you must first convert the zone to the appropriate type, if necessary. That is, the zone must already be a primary zone before you can use <maml:computerOutputInline>/DsPrimary</maml:computerOutputInline> to integrate the zone with AD DS. Similarly, the zone must already be a stub zone before you can use <maml:computerOutputInline>/DsStub</maml:computerOutputInline> to integrate the zone with AD DS.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>Changing a zone from a secondary zone to a primary zone can affect other zone activities, including management of dynamic updates and zone transfers, and the use of DNS notify lists to notify other servers about changes in the zone. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Changing a zone from a stub zone to a primary zone or the reverse is not recommended. This contradicts the purpose of stub zones. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Providing a Directory Services Restore Mode Administrator Password</maml:title><maml:introduction>
<maml:para>The Directory Services Restore Mode (DSRM) password is required for logon to a domain controller when Active Directory Domain Services (AD DS) is not running, either because AD DS is stopped or because the domain controller has been started in DSRM.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The DSRM password is not the same as the password for the domain Administrator account.</maml:para>
</maml:alertSet>

<maml:para>If you are creating the first domain controller in the forest, the password policy that is in effect on the local server is enforced by the Active Directory Domain Services Installation Wizard. </maml:para>

<maml:para>For all other domain controller installations, the Active Directory Domain Services Installation Wizard enforces the password policy that is in effect on the domain controller that is used as the installation partner. This means that the DSRM password that you specify must meet the minimum password length, history, and complexity requirements for the domain that contains the installation partner. By default, a strong password that contains a combination of uppercase and lowercase letters, numbers, and symbols must be provided. </maml:para>

<maml:para>Be sure to safeguard the DSRM password. Divulging the DSRM password to unauthorized personnel after the installation presents a security risk. A malicious user can use the password to start the domain controller in DSRM and subsequently cause problems in the forest. For example, a malicious user might start the domain controller in DSRM and then force the removal of AD DS from the server.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Enable Advanced Features by Raising the Domain or Forest Functional Level</maml:title><maml:introduction>
<maml:para>After you remove domain controllers that are running older versions of Windows Server or you upgrade them to Windows Server 2008 R2, you can raise the domain or forest functional level. Raising functional levels enables advanced features in the domain or forest, such as improved replication of group membership changes and the ability to create forest trusts. Raising the functional level limits which versions of Windows Server can host the domain controller role. Client and application compatibility are not affected by changes to functional levels.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Raising functional levels</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to raise your domain or forest functional level.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review the list of features that are enabled at various domain and forest functional levels.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Setting the Domain or Forest Functional Level</maml:linkText><maml:uri href="mshelp://windows/?id=887e6f79-c332-4cb8-a0fe-8b5bfa2786e1"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review planning information about raising domain and forest functional levels.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enabling Windows Server 2008 Advanced Features for AD DS (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93175</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93175"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Complete the steps for raising the domain or forest functional level.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Raising the Functional Levels (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93174</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93174"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Delegating Read-Only Domain Controller Installation and Administration</maml:title><maml:introduction>
<maml:para>When you create an account for the installation of a read-only domain controller (RODC), you can specify which user or group will be responsible for subsequently attaching the server to the RODC account. If you do not specify a user or group, only a member of the Domain Admins group or the Enterprise Admins group can attach the server to the account. If you do specify a user or group who can attach the server to the account, that user or group will also be responsible for administering the RODC after the installation is complete. You can specify only one user or group for this purpose. </maml:para>

<maml:para>If you want a delegated RODC administrator to be able to have passwords cached on the RODC, you must add the user account for that administrator to the list of security principals who are allowed to cache their passwords on the RODC (also known as the Allowed List), along with the computer account that the delegated administrator will use. Failure to add the corresponding computer account to the Allowed List will prevent the RODC from authenticating the delegated administrator when the connection to a writable domain controller is not available. For more information about the Allowed List and setting the Password Replication Policy (PRP), see <maml:navigationLink><maml:linkText>Specifying Password Replication Policy</maml:linkText><maml:uri href="mshelp://windows/?id=e6e3cd78-023f-4377-952e-9cda33be0420"></maml:uri></maml:navigationLink>. </maml:para>

<maml:para>The user or group that you specify on this page in the Active Directory Domain Services Installation Wizard will have local administrative permissions on the RODC. As a practical matter, this means that the user or group has full control of the server, including the ability to log on locally, install additional software, install device drivers, and so on. The delegated user or group will also be able to remove Active Directory Domain Services (AD DS) from the RODC. </maml:para>

<maml:para>Therefore, delegate RODC installation and administration only to the users and groups that are required to have such access rights and permissions so that they can do their jobs. In addition, assign permissions to security groups rather than to individual users to simplify the process for changing those permissions when necessary. </maml:para>

<maml:para>You may want to create a security group specifically for the purpose of administering the RODC that you plan to deploy, and then specify that group name on this wizard page. That group will then appear in the <maml:ui>Name</maml:ui> field on the <maml:ui>Managed By</maml:ui> tab of the RODC properties sheet in the Active Directory Users and Computers snap-in, where you can change it anytime after the installation. </maml:para>

<maml:para>To search the directory for a specific user or group, click <maml:ui>Set</maml:ui>, and then type the name of the user or group. We recommend that you delegate RODC installation and administration to a group. </maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Unattended Installation Return Codes</maml:title><maml:introduction>
<maml:para>When the unattended installation of Active Directory Domain Services (AD DS) completes, Dcpromo returns one of the following codes to indicate the status of the operation. Unused numbers are reserved for future use.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>1-10 = success return codes</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>11-100 = failure return codes</maml:para>
</maml:listItem>
</maml:list>
<maml:para>For more information, see AD DS Installation and Removal Step-by-Step Guide (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=139657</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=139657"></maml:uri></maml:navigationLink>).</maml:para></maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Success return codes</maml:title><maml:introduction>
<maml:para>The codes in the following table indicate successful completion of an AD DS installation or removal operation.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Value</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Case</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitSuccess</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The operation succeeded.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitSuccessNeedReboot</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The operation succeeded, and the server must be restarted manually.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>3</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitSuccessWithNonCriticalFailure</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The operation succeeded, but there has been a failure, such as a failure with Domain Name System (DNS) installation or delegation configuration. Check Dcpromoui log files, and investigate further. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>4</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitSuccessWithNonCriticalFailureNeedReboot</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The operation succeeded, but there has been a failure, such as a failure with DNS installation or delegation configuration, and the server must be restarted manually. Check Dcpromoui log files, and investigate further.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section><maml:section>
<maml:title>Failure return codes</maml:title><maml:introduction>
<maml:para>The codes in the following table indicate failed completion of an AD DS installation or removal operation.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Value</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Case</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>11</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitAlreadyRunning</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Dcpromo is already running.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>12</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitMustBeAdministrator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The user must be a local administrator on the computer.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>13</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitCertSvcInstalled</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Active Directory Certificate Services (AD CS) is installed.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>14</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInSafeBootMode</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The server is running in Safe Mode.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>15</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitRoleChangePending</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A role change is in progress or requires that the server be restarted.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>16</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitIncorrectPlatform</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The server is running on the wrong platform.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>17</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitNeedNTFS5Drive</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No drives are formatted for NTFS 5.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>18</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInsufficientWinDirSpace</maml:para>
</maml:entry>
<maml:entry>
<maml:para>%windir% does not have enough space.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>19</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitNameChangeNeedsReboot</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A name change is pending, and the computer must be restarted.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>20</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadComputerName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The computer name uses syntax that is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>21</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitHoldsFSMOs</maml:para>
</maml:entry>
<maml:entry>
<maml:para>This domain controller holds an operations master (also known as flexible single master operations or FSMO) role, is a global catalog server, or is a DNS server.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>22</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitNeedToInstallTcpIp</maml:para>
</maml:entry>
<maml:entry>
<maml:para>TCP/IP must be installed or is not functioning.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>23</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitNeedToConfigDnsFirst</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The DNS client must be configured first.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>24</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadCredentials</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The supplied credentials are not valid or are missing required elements.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>25</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDcNotFound</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A domain controller for the specified domain could not be located.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>26</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitUnableReadDomainList</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The list of domains could not be read from the forest.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>27</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitMustSpecifyDomain</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A domain name is missing (parent, child, tree, or forest).</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>28</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadDomainName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The domain name is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>29</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitParentDomainNotExists</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The parent domain does not exist.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>30</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDomainNotInForest</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified domain is not found in the forest.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>31</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitChildDomainExists</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The child domain already exists.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>32</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadNetbiosDomainName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The NetBIOS name is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>33</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadIFMPath</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The path to the install from media (IFM) files is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>34</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadIFMDatabase</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The IFM database is bad.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>35</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitNoSyskeyForIFM</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A system key is required for the IFM database.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>37</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadDBPath</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The database path or database log path is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>38</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInsuffSpaceForDB</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The volume does not have enough space for the database or the database log.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>39</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadSysVolPath</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The SYSVOL path is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>40</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadSiteName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The site name is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>41</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitMustSpecifySafeModePwd</maml:para>
</maml:entry>
<maml:entry>
<maml:para>You must specify a password for Safe Mode.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>42</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadSafeModePwd</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The Safe Mode password does not meet password complexity criteria.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>43</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadAdminPwd</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The administrator password does not meet criteria.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>44</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadForestName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified forest name is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>45</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitForestExists</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A forest with the specified name already exists.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>46</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadTreeName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified name for the tree is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>47</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitTreeExists</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A tree with the specified name already exists.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>48</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitTreeNotFitInForest</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The tree name does not fit into the forest structure.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>49</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDomainNotExists</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified domain does not exist.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>50</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitLastDcMismatch</maml:para>
</maml:entry>
<maml:entry>
<maml:para>This is not the last domain controller although it was indicated to be the last domain controller, or this is the last domain controller although it was not indicated to be the last domain controller.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>51</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitUnconfirmedAppPartitions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Application partitions that have not been approved for removal exist on this domain controller.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>52</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitRequiredParameterMissing</maml:para>
</maml:entry>
<maml:entry>
<maml:para>An answer file or command-line unattended installation parameters were not provided.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>53</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitPromoDemotFailedNeedReboot</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation or removal failed and the server must be restarted.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>54</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitPromoDemotFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation or removal failed.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>55</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitPromoDemoteFailedBecauseUserCancelled</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation or removal failed because it was canceled by the user.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>56</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitPromoDemotFailedBecauseUserCancelledNeedReboot</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation or removal failed because it was canceled by the user. The computer must be restarted to return to the previous state.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>57</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDomainReadOnlyReplicaGroupNotSpecified</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The operator failed to specify one of the required read-only domain controller (RODC) groups (Allowed/Denied).</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>58</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDomainReadOnlyReplicaSiteNotSpecified</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The operator failed to specify the site name for an RODC.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>59</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitLastDnsServer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The domain controller is the last DNS server for one of its Active Directory–integrated zones.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>61</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInstallDNSNotAllowed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>You cannot install AD DS with DNS in an existing domain that does not already host DNS.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>62</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitAnswerFileMissingSectionName</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The answer file does not have a [DCInstall] section.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>63</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInsufficientForestFunctionalLevelForRodc</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The forest functional level is less than Windows Server 2003. The forest functional level must be Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 to add an RODC to the forest.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>64</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitPromoFailedBecauseComponentBinaryDetectionFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because the installation of the AD DS binaries on the server could not be determined.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>65</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitPromoFailedBecauseComponentBinaryInstallationFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because the AD DS binaries could not be installed.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>66</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitPromoFailedBecauseOSDetectionFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because the operating system installation option (a full installation or a Server Core installation) could not be determined.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>68</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInvalidReplicationPartner</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The replication partner is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>69</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitRequiredPortInUse</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The required port is already in use by some other application.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>70</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitForestRootDcMustBeGc</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The first forest root domain controller must be a global catalog server.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>71</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDnsAlreadyInstalled</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The DNS Server service is already installed.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>72</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitIsAppServer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because the server is a Remote Desktop Services application server.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>73</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInvalidForestFunctionalLevel</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified forest functional level is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>74</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInvalidDomainFunctionalLevel</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified domain functional level is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>75</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDefaultPasswordReplicationPolicyCannotBeDetermined</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The default password replication policy cannot be determined.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>76</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInvalidPasswordReplicationPolicy</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specified Allowed and Denied security groups for the password replication policy are not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>77</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitInvalidArgument</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified argument is not valid.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>78</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitForestCheckFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because the Active Directory forest could not be examined.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>79</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitRodcNDNCNotPrepped</maml:para>
</maml:entry>
<maml:entry>
<maml:para>An RODC cannot be installed because <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline> has not been performed.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>80</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDomainNotPrepped</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because <maml:computerOutputInline>adprep</maml:computerOutputInline> <maml:computerOutputInline>/domainprep</maml:computerOutputInline> has not been performed.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>81</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitForestNotPrepped</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because <maml:computerOutputInline>adprep</maml:computerOutputInline> <maml:computerOutputInline>/forestprep</maml:computerOutputInline> has not been performed.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>82</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitForestSchemaMismatch</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because there is a forest schema mismatch.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>83</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitUnsupportedSku</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The installation failed because the operating system edition does not support AD DS.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>84</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDcAccountDetectionFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Unable to detect a domain controller account.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>85</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDcAccountSelectionFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Unable to select a domain controller account to which this server can be attached.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>86</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitStage2Required</maml:para>
</maml:entry>
<maml:entry>
<maml:para>You must attach the server to an existing account.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>87</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDcAccountConflictingType</maml:para>
</maml:entry>
<maml:entry>
<maml:para>An RODC or writable domain controller account in the domain exists, but it does not match the type of domain controller that you want to install. Installation cannot continue.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>88</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitServerAdminInvalid</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified RODC server administrator is not valid. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>89</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitRidMasterOffline</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The relative ID (RID) master for the specified domain is offline.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>90</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDNMasterOffline</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The domain naming master is offline.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>91</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitWow64ProcessDetectionFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Failed to detect if the process is Wow64.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>92</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitWow64ProcessNotSupported</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The Wow64 process is not supported.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>93</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitDcServiceNotRunningForRegularDemotion</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The removal of AD DS failed because the AD DS service is not running.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>94</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitBadLocalAdminPwd</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The local administrator password does not meet complexity requirements. It could be that the password is either blank or not required.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>95</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitCannotDemoteLastLHDC</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Cannot demote the last domain controller that runs Windows Server 2008 or Windows Server 2008 R2 in a domain where an operational RODC exists. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>96</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitComponentBinaryUninstallFailed</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The AD DS binaries failed to uninstall.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>97</maml:para>
</maml:entry>
<maml:entry>
<maml:para>ExitFFLNotSupported</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The specified forest functional level is not supported.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Removing Active Directory Domain Services</maml:title><maml:introduction>
<maml:para>When you run Dcpromo.exe on a domain controller, the Active Directory Domain Services Installation Wizard detects that Active Directory Domain Services (AD DS) is already installed on the server. The wizard then starts and prompts you for information that it needs to uninstall AD DS on the server.</maml:para>

<maml:para>You can start the Active Directory Domain Services Installation Wizard on a domain controller in the following ways:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>On the domain controller, click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, type <maml:ui>dcpromo</maml:ui>, and then click <maml:ui>OK</maml:ui>. As an alternative, you can type <maml:computerOutputInline>dcpromo</maml:computerOutputInline> at a command prompt, and then press ENTER.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Server Manager</maml:ui>, and then, under <maml:ui>Roles Summary</maml:ui>, click<maml:ui> Remove Roles</maml:ui>. Server Manager is also available on the <maml:ui>Administrative Tools</maml:ui> menu or through an icon in the notification area.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>When it removes AD DS, the Active Directory Domain Services Installation Wizard informs you if the domain controller is a global catalog server so that you can ensure that other global catalog servers are still available to handle user logon requests as necessary.</maml:para>

<maml:para>When you delete the last domain controller in a domain, you delete the domain. Ensure that the domain user accounts and computer accounts are no longer required. You must delete any unoccupied or disabled RODC accounts that remain in the domain before you can remove the last domain controller. In addition, export all cryptographic keys that are stored on the server before you use the wizard to delete the domain. </maml:para>

<maml:para>Review the list of application directory partitions that the domain controller holds the last replica for. Have the wizard remove the Domain Name System (DNS) application directory partitions that it created during the AD DS installation. To remove any other application directory partitions, use a utility that the application provides. For more information, see <maml:navigationLink><maml:linkText>Removing Application Directory Partitions</maml:linkText><maml:uri href="mshelp://windows/?id=a2261e08-4875-4204-bb1e-69db914262a0"></maml:uri></maml:navigationLink>. </maml:para>

<maml:para>If you are deleting a child domain that uses Active Directory–integrated DNS, the wizard lists the DNS application directory partition for that domain. This partition distinguished name appears in the list as DC=DomainDNSZones,DC=<maml:replaceable>domain_name</maml:replaceable>. </maml:para>

<maml:para>If you are deleting the forest root domain, the wizard lists the DNS application directory partition for the forest in addition to the DNS application directory partition for that domain. The partition distinguished name for the forest-wide DNS zone appears in the list as DC=ForestDNSZones,DC=<maml:replaceable>domain_name</maml:replaceable>. </maml:para>

<maml:para>You can also use remove the AD DS binaries that are associated with the AD DS server role. You must remove the AD DS server role before you remove the AD DS binaries. The process for removing the AD DS binaries is as follows:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Remove the AD DS server role. This step does not remove the AD DS binaries that are associated with the AD DS server role.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Restart the server.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Remove the AD DS server role binaries. This step may require another restart of the server.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The recommended methods for removing the AD DS binaries are:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Use the Remove Roles Wizard in <maml:ui>Server Manager</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Use Dcpromo.exe. At a command prompt, type the following command, and then press ENTER:</maml:para>

<maml:para><maml:computerOutputInline>dcpromo /UninstallBinaries</maml:computerOutputInline></maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following topics provide more information about specific wizard pages that you may encounter when you remove AD DS:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Providing Network Credentials to Install or Remove Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=54462cf1-d293-436c-b396-27925e13ede2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Removing Application Directory Partitions</maml:linkText><maml:uri href="mshelp://windows/?id=a2261e08-4875-4204-bb1e-69db914262a0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Performing Metadata Cleanup</maml:linkText><maml:uri href="mshelp://windows/?id=702963cf-6d46-4cf8-bc5a-1877db288a84"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual>GIF89a3f3333f333ff3fffff3f3f̙3f3333f3333333333f3333333f3f33ff3f3f3f3333f3333333f3̙333333f333ff3ffffff3f33f3ff3f3f3ffff3fffffffffff3fffffff3fff̙ffff3fffff3f̙3333f33̙3ff3ffff̙f3f̙3f̙̙3f̙3f3333f333ff3fffff̙̙3̙f̙̙̙3f̙3f3f3333f333ff3fffff3f3f̙3f!,	H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@
JѣH*]ʴӧPJJիXjʵׯ`ÊK٤ҪM{۷?ZKwZxU	߿l
Lb߿.̸q޵&L˘g˙CƺgΣSvϫcZmg]vMI<ܸ'9!JnnzǓn[{|}߀s`eDF_g
*FIم1a6Ƞvn(d%z(\ ba$vhba^٨"3ic;F%`Fyr)&YZ	))Q{X^sWDI~zii%GGBõ	Aj6&y@_湘el})P^p.%y؜tgIni饁*iIhV騕fjAmqNzQmv_46ꪰZzJkiF{lڪ[îJ#!N+2-*.Zo螶ԒWd>y	6'¸ʰ5|I<[m|f`Eȯ,2Fo.kQC+S$q+<TR6'
QJZ_=Sn@mQG#tm}B9uKS=tS#uQ^_cs[Ԩr94swն@o'XMx+u7_5zD.G8Mej>sQ8ǍP[~9LbLDB@޸ۦ/:;A}",!+u
1vB*_:i:#~\;DCT9VzD7R5OÃR*/!ߋN8ρ l	R,̓aE(@p`!n3P[a^>l^S
oCЄ@{4 ^cC$v*I\"It=$F$Rr'^<"m'^aԋ*}]`CҢ-R).|#8٤~ wh>q!3CB~<"@:4l'ɣ5އorM*m|b+	Q&>z*Zb!]"RA6L&+OI6~Ɨ'kĐq*anS^|iɞprwL|rQd2$+ʬԣT~z0
h.CC}fM!UqD1ARz"UF?,٭?Mt.^gB7QdTD*Uxi %FKSVT!3$(w|PHNʩ;=(myiGN*zɇ}jA4f(ZhQxhkW_9t=Jռ{Q L
F/Q]cّ9,f3īr(OQ;ڧPծ:'*V󙴶M[NVo3sqfZz>\責E%)ɸ:ݶVݞTgr2tꕷJH]n)%ҷu+Dԧ~
yK30I-R׵+ՃN
Xsq4+YG))BX{QVZ;^J&*V*o7^X@~LMB9GuV!#}f;x-+/o5xf^a|24فaWF[Û4?3*&׌BG6WdVXFȽYeO~ZLMTl]7SymSrƕ+5nAmޅ.*P
>(VOQ}S!s:&[>4W8I9}mύthV'<>QU!Ma>`'zOojz,+簞Ǖ{<ĉ7÷{)-I'Rz4bGjW _‹/{IoflOVd<fka	Ҟf+/e,tqzL{Ց?G9ATn<K&Cdlݍ;n¾.~e{V}_;̛=v%=yR,+u=k+rw3ڒ#xā٬{{b	+Wh|oLC;?ח<׵HƖEOwڲV|]Cw'DUYӘdGaUtVo,ycJ'~̧jz#qCf97tWie9w9.tG|t@Ky7~79=z`=ctT~/swp|"a'i3B8.5,M6hhz#Y@'B6_y;XV	.@y-]ry|}N;Phygv%HtQe7qo:8GWw|၆+؄x<F5`*aBl>aƂk/Ȉb.]>NoxHwjpD8&W$Htw5/9kU(GI#XvH xXƊȌk28GטA_9Zĉwu3gCqx&;҈[CuXYvHhOWOc(5|b9Gx,Ζ%!F&dHrgCm{che
وF&q5pCnń+VƎ2),3()6ucTwf=.9>PCi35Y_yKiR:Q>UObn]x9)hgsDFgTGpFyyaLB6DTniFSymH<	:ak9WzNYsٙAhT$sxwyF:Yr92$&NSSb֛iBtAlكy\̖2U3{.]oo8XI0SvXP!瑼iw_q6O]QIYVyg}TI񟬧`Y(fBc4zؠߙrөm6Y~vmbi{%ɩ(s(Elӡ&h7:oCV>*S@W2LF}beKʤrK(<*jUHL\LIezȅy甦71ѦhET8bgvWxj4zZGai~9|3eW'c4HZb^aJ{ZeFufF':0LBNMɅ` :ngxMVU
V|j,AYjӭIdJBYيRfIl=D\	&WzOGZ\گhۤ{W?w8cc1{Bc9S懱x8kGG&z嚫,I੩94K6{JV14<Z-9FK%ѝQ;I@4EDN^>N6DXZyi72R
I9'u{Yʯzqۥ#	^]vKk䭒At︅긂KdÖ(Loy|HRK=	)`:ExVȺ#>CO*rv˻Cj2:L+9Gqaez5̻7{Sg*5ag۽GHpuZrxJ9I[dvz'C9z˼{`K媰Jnu#z~XF2ISk:eӖy;t虅&=3[[$:saΔ;48CF8x;W!AI=ZIe+HWcz~y+7.jgF]*+6p8?${Ȕ%L"ظ16Q;vk%wy8h,kL%iog4j38%uLjlp6qȲ -D+vǣW<
N-4j5~QL3M7rJ|GWD9Ÿl`Z2FuڬW{լs1Z{+̓VdYGǀ)tP&luSHj7Dпe E	(<R=M]{#<+h䈆'ɲкAw}Ԛv}qmLrTD?ͭ+E@
*|<Λeя|*ݷڱ-X5]-Wat\ALg--RCH;dt=mD(K7z4;ͯ旈R:M;PFM
մKVmT7˵ՄZ=özڱJMΕ#<
]!Jvů^hM-&
ݪ{sJO1q4[;@ע={LMNCwTqv;2:{SR&";/"o
Qy
<n|3j;8}=nN>%-ν1]se~i I<7m>~hs/1Z&MT!:=~.D3CcHKiI^v-F.8U>}'
J\0g<a)UXNhTgdt~9n_TݔeՀ^AdmYskɧ[菵h֗{sN=EԻL[|AX*Sn0G꨾؊ڙ)`]5N-g(~{ʾn;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Understanding Forwarders</maml:title><maml:introduction>
<maml:para>A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. </maml:para>

<maml:para>You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. For more information about forwarders and conditional forwarders, see <maml:navigationLink><maml:linkText>Using Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=e2dd91d6-441f-4175-9d1d-d152d148d73c"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The following figure illustrates how external name queries are directed with forwarders.</maml:para>

<maml:para><maml:embedObject><maml:caption>External name queries and forwarders</maml:caption><maml:objectUri href="mshelp://windows/?id=d2d99fd8-5456-486d-95be-a01d6af7ae69" mimeType="image/gif"><maml:summary>Example of a common forwarder configuration</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:para>When you designate a DNS server as a forwarder, you make that forwarder responsible for handling external traffic, which limits DNS server exposure to the Internet. A forwarder builds up a large cache of external DNS information because all the external DNS queries in the network are resolved through it. In a small amount of time, a forwarder resolves a large number of external DNS queries using this cached data. This decreases the Internet traffic over the network and the response time for DNS clients. </maml:para>

<maml:para>A DNS server that is configured to use a forwarder behaves differently than a DNS server that is not configured to use a forwarder. A DNS server that is configured to use a forwarder behaves as follows:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>When the DNS server receives a query, it attempts to resolve this query by using the zones that it hosts and by using its cache.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the query cannot be resolved using local data, the DNS server forwards the query to the DNS server that is designated as a forwarder.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If forwarders are unavailable, the DNS server attempts to use its root hints to resolve the query..</maml:para>
</maml:listItem>
</maml:list>

<maml:para>When a DNS server forwards a query to a forwarder, it sends a recursive query to the forwarder. This is different than the iterative query that a DNS server sends to another DNS server during standard name resolution (name resolution that does not involve a forwarder).</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Conditional forwarders</maml:title><maml:introduction>
<maml:para>A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Internet name resolution</maml:title><maml:introduction>
<maml:para>DNS servers can use conditional forwarders to resolve queries between the DNS domain names of companies that share information. For example, two companies, Wingtip Toys and Tailspin Toys, want to improve how the DNS clients of Wingtip Toys resolve the names of the DNS clients of Tailspin Toys. The administrators from Tailspin Toys inform the administrators of Wingtip Toys about the set of DNS servers in the Tailspin Toys network where Wingtip Toys can send queries for the domain dolls.tailspintoys.com. The DNS servers in the Wingtip Toys network are configured to forward all queries for names ending with dolls.tailspintoys.com to the designated DNS servers in the network for Tailspin Toys. Consequently, the DNS servers in the Wingtip Toys network do not have to query their internal root servers—or the Internet root servers—to resolve queries for names ending with dolls.tailspintoys.com.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Providing Network Credentials to Install or Remove Active Directory Domain Services</maml:title><maml:introduction>
<maml:para>When you install Active Directory Domain Services (AD DS), you must provide credentials that correspond to a domain user account that has sufficient privileges for the deployment configuration that you choose for the domain controller, such as a new forest, a new domain, or an additional domain controller for an existing domain. The Active Directory Domain Services Installation Wizard also examines the credentials that you provide to determine the forest where the domain controller will be installed. </maml:para>

<maml:para>If the credentials for the user account with which you are currently logged on (or the alternate credentials that you provide) indicate the target forest for the domain controller that you are installing, the wizard automatically specifies that forest name on the <maml:ui>Network Credentials </maml:ui>page. By specifying the forest name on this page, the wizard can enumerate all the domains for that forest on the <maml:ui>Select a Domain</maml:ui> page later in the wizard. </maml:para>

<maml:para>The wizard cannot always detect the target forest based on the credentials that you provide. For example, if you provide credentials by using a smart card or by using a user principal name (UPN), the wizard might not be able to detect the target forest. In this case, you must specify the name of the target forest on the <maml:ui>Network Credentials</maml:ui> page. The name of the target forest is the name of the forest root domain for that forest. </maml:para>

<maml:para>In cases in which the wizard successfully detects the target forest name based on the credentials that you provide, you can overwrite the name that the wizard provides to specify the name of another target forest in which you have sufficient privileges to install AD DS.</maml:para>

<maml:para>On networks that run IP version 6 (IPv6) only, you must specify the fully qualified domain name (FQDN) for the user account credentials instead of the single-label domain name. For example, you must specify corp.contoso.com\user_name or user_name@corp.contoso.com, instead of contoso\user_name. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Network credential requirements</maml:title><maml:introduction>
<maml:para>The network credentials that the Active Directory Domain Services Installation Wizard requires are different for different deployment configurations. For example, to install a new Active Directory forest, you only have to be a member of the local Administrators group on the server that will become the first domain controller in the forest. To add a new domain to an existing forest or remove a domain, however, you must be a member of the Enterprise Admins group or the Domain Admins group in the parent domain of the domain that you want to add or remove. The Active Directory Domain Services Installation Wizard verifies that the credentials you supply are sufficient to implement the deployment configuration that you specify in the wizard.</maml:para>

<maml:para>The following table lists the network credentials that are required for each deployment configuration.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you are preparing an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2, you must run Adprep.exe, which is available on the Windows Server 2008 R2 installation media in the support\adprep folder. Running Adprep may require additional credentials that are not listed in the following table. </maml:para>
</maml:alertSet>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Deployment configuration</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required credentials</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Add a new forest</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Local Administrators group on the server where you are installing AD DS</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Add an additional child domain</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Admins </maml:para>

<maml:para>Depending on security settings, Domain Admins might also be allowed to add a domain.</maml:para>

<maml:para>To create a Domain Name System (DNS) delegation, you also need Domain Admins credentials in the parent domain.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Add a new domain tree</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Admins </maml:para>

<maml:para>Depending on security settings, Domain Admins might also be allowed to add a domain tree.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Add an additional domain controller to a domain</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Admins or Domain Admins </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Add a read-only domain controller (RODC) in a normal installation</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Admins or Domain Admins</maml:para>

<maml:para>Enterprise Admins credentials are required to run <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Add an RODC in a staged installation</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Admins or Domain Admins to create the RODC account</maml:para>

<maml:para>Domain Admins or delegated permissions to attach a server to the RODC account</maml:para>

<maml:para>Enterprise Admins credentials are required to run <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Remove an additional domain controller from a domain</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Admins or Domain Admins </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Remove an RODC</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Delegated RODC administrator, Enterprise Admins, or Domain Admins</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Remove a domain</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Admins </maml:para>

<maml:para>Depending on security settings, Domain Admins might also be allowed to remove a domain, but they might not be able to remove the DNS delegations that were created in the parent DNS domain.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Remove a forest</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Admins </maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Installing Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=576d75af-26b6-4df8-903a-7579a81500d4"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Installing Active Directory Domain Services</maml:title><maml:introduction>
<maml:para>There are three ways in which you can add the Active Directory domain controller server role to a server:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>You can add the role interactively by using the Active Directory Domain Services Installation Wizard. The rest of this topic explains how to start the wizard, and it provides links to additional topics that explain the options that are available on each wizard page.</maml:para></maml:listItem>
<maml:listItem><maml:para>You can perform an unattended installation by running the <maml:computerOutputInline>dcpromo /unattend</maml:computerOutputInline> command with the appropriate parameters at the command line. For more information, see Installing an Additional Domain Controller by Using the Command Line (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=128100</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=128100"></maml:uri></maml:navigationLink>). </maml:para></maml:listItem>
<maml:listItem><maml:para>You can automate the installation by using an answer file. For more information, see Installing an Additional Domain Controller by Using an Answer File (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=128101</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=128101"></maml:uri></maml:navigationLink>).</maml:para></maml:listItem>
</maml:list>

<maml:para>You can add the Active Directory domain controller server role interactively by starting the Active Directory Domain Services Installation Wizard in the following ways:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>You can use the Add Roles Wizard. You can access the Add Roles Wizard in the following ways:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Click <maml:ui>Add Roles</maml:ui> in <maml:ui>Initial Configuration Tasks</maml:ui>, the application that appears when you first install the operating system.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Add Roles</maml:ui> in Server Manager, which is always available on the <maml:ui>Administrative Tools</maml:ui> menu and through an icon in the notification area.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The Add Roles Wizard installs the files that are required to install and configure Active Directory Domain Services (AD DS) on a server, but the Add Roles Wizard does not start the actual AD DS installation. When you complete the Add Roles Wizard, click the link to start the Active Directory Domain Services Installation Wizard and install AD DS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, and then type <maml:userInput>dcpromo</maml:userInput>. As an alternative, you can type <maml:userInput>dcpromo</maml:userInput> at a command prompt, as in previous versions of the Windows Server operating system. </maml:para>


</maml:listItem>

<maml:listItem>
<maml:para>A member of the Domain Admins group can precreate a read-only domain controller (RODC) account by using the Active Directory Users and Computers snap-in. (Either right-click the <maml:ui>Domain Controllers</maml:ui> container or click the <maml:ui>Domain Controllers</maml:ui> container and click <maml:ui>Action</maml:ui>, and then click <maml:ui>Pre-create Read-only Domain Controller account</maml:ui>.) A delegated RODC administrator can perform the next stage of the RODC installation by running the Active Directory Domain Services Installation Wizard on a server to attach that server to the RODC account. For more information about using this method to install an RODC, see <maml:navigationLink><maml:linkText>Performing a Staged Installation of a Read-Only Domain Controller</maml:linkText><maml:uri href="mshelp://windows/?id=e470dd1b-507b-436e-a17b-3ddcb5bb5044"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following topics provide more information about specific wizard pages that you might encounter when you install AD DS:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using Advanced Mode Installation</maml:linkText><maml:uri href="mshelp://windows/?id=66a228ff-5c99-4ac9-928d-ba460461d3be"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Choosing a Computer Name for the Domain Controller</maml:linkText><maml:uri href="mshelp://windows/?id=9539d62e-ac0c-4f30-bba7-5f5782a0cb85"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring TCP/IP and DNS Client Settings</maml:linkText><maml:uri href="mshelp://windows/?id=183d02af-b5d5-4a94-bf75-213d7100aec7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Choosing an Active Directory Domain Services Deployment Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=35762977-9b9e-4ef5-99be-73f6838cc158"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Providing Network Credentials to Install or Remove Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=54462cf1-d293-436c-b396-27925e13ede2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring Additional Domain Controller Options</maml:linkText><maml:uri href="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Creating or Updating a DNS Delegation</maml:linkText><maml:uri href="mshelp://windows/?id=9922023d-94c4-4e9b-a04e-446b5464bca5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Setting the Domain or Forest Functional Level</maml:linkText><maml:uri href="mshelp://windows/?id=887e6f79-c332-4cb8-a0fe-8b5bfa2786e1"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Placing Active Directory Domain Services Files</maml:linkText><maml:uri href="mshelp://windows/?id=ce4f829a-7b01-4b43-84a4-a896bd9bff2a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Installing from Media</maml:linkText><maml:uri href="mshelp://windows/?id=66b093ee-b131-4a8d-b5bb-09c0d1f50a08"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Selecting an Installation Partner for Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=339e0997-e4a6-4deb-b00e-d46ffdc4ed78"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Providing a Directory Services Restore Mode Administrator Password</maml:linkText><maml:uri href="mshelp://windows/?id=4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using an Answer File</maml:linkText><maml:uri href="mshelp://windows/?id=9f4e0147-687f-46f3-9558-22b542e2c455"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manually Configuring a DNS Server for Active Directory Domain Services Integration</maml:linkText><maml:uri href="mshelp://windows/?id=e374bef1-c875-4792-b0f7-381549f53744"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Reduce Directory Size and Ensure Its Integrity and Performance by Performing Offline Defragmentation</maml:title><maml:introduction>
<maml:para>Although the Active Directory database is automatically defragmented while it is running (also known as online defragmentation), you can also stop Active Directory Domain Services (AD DS) to perform offline defragmentation to further reduce the size of the database. Offline defragmentation provides additional checks that can help ensure database integrity and performance.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Performing offline defragmentation</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to perform offline defragmentation of the Active Directory database.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference or procedure to use</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review guidelines about performing offline defragmentation. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Returning Unused Disk Space from the Active Directory Database to the Windows File System (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93219</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93219"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Change the garbage collection logging level to determine how much free space is available. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Change the Garbage Collection Logging Level to 1 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93222</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93222"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Back up system state.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Performing an Unscheduled Backup of a Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93224</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93224"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Stop AD DS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Services</maml:ui>. Right-click <maml:ui>Active Directory Domain Services</maml:ui>, and then click <maml:ui>Stop</maml:ui>. When you are prompted to stop dependent services, click <maml:ui>Yes</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Perform the offline defragmentation procedure.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Compact the Directory Database File (Offline Defragmentation) (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93225</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93225"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Restart AD DS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Services</maml:ui>. Right-click <maml:ui>Active Directory Domain Services</maml:ui>, and then click <maml:ui>Start</maml:ui>.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Improve Resource Access Efficiency by Using Security Groups</maml:title><maml:introduction>
<maml:para>As a best practice, assign resource access to security groups—instead of to individual users—to simplify administration and troubleshooting. Resources can include the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Files </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Folders and shared folders </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Registry settings </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Active Directory Domain Services (AD DS)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Applications </maml:para>
</maml:listItem>
</maml:list>

<maml:para>For efficiency, create global groups for users based on criteria such as job function or department. Create domain local groups, and then place global groups into domain local groups. Assign permissions to the domain local groups as required for your environment. This practice simplifies troubleshooting. It also simplifies management of changes when they occur, for example, when users change job functions.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Using security groups</maml:title><maml:introduction>
<maml:para>The following table provides a reference for more information about using security groups. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review best practice information about assigning permissions on Active Directory objects. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Best Practices for Assigning Permissions on Active Directory Objects (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93217</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93217"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Selecting a Read-Only Domain Controller Account</maml:title><maml:introduction>
<maml:para>To attach the server to the read-only domain controller (RODC) account, you must rename the server that will become the RODC with the name of the RODC account that was created for it by the domain administrator. The Active Directory Domain Services Installation Wizard matches the name of the server to the name of the RODC account that was created for the server. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The server that you plan to attach the account to must not be joined to the domain when you start the Active Directory Domain Services Installation Wizard.</maml:para>
</maml:alertSet>

<maml:para>On the <maml:ui>Select Domain Controller Account</maml:ui> page, the wizard lists all the potential matching accounts for each domain in the forest that you specified on the <maml:ui>Network Credentials</maml:ui> page earlier in the wizard. You cannot select accounts from other forests. </maml:para>

<maml:para>The Active Directory Domain Services Installation Wizard provides a message that confirms that it was able to find one, and only one, RODC account with the same name. If it finds more than one account name that could be a match, you can select an account from the possible accounts that the wizard lists. You can select only one account. </maml:para>

<maml:para>If the wizard does not find an RODC account for the name that you specify, the wizard provides a message that states that the name you provide must match the name of the RODC account that was created previously. In this case, you can either:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Rename the computer to a name that matches an RODC account that has been created. </maml:para>

<maml:para>Or</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Have a domain administrator create a new RODC account, and specify an RODC account name that matches the name that you plan to provide for the server that will become the RODC in the branch office location. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>The wizard does not proceed until you select exactly one matching account. After you select a matching RODC account, the wizard performs additional verification tests. </maml:para>

<maml:para>The wizard first verifies that you have permission to attach the server to the selected account. The member of the Domain Admins group grants this permission to a delegated user or group when he or she creates the RODC account. Only the following users can join the computer to the selected RODC account:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The delegated user</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A member of the delegated group</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A member of the Domain Admins group </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A member of the Enterprise Admins group</maml:para>
</maml:listItem>
</maml:list>

<maml:para>After the wizard verifies the user credentials, the wizard determines whether the RODC account is enabled (that is, whether the account is already in use). If the RODC account is not enabled, the wizard proceeds with the RODC installation. If the RODC account is enabled, the wizard attempts to contact the computer that already has this account enabled. </maml:para>

<maml:para>If the wizard successfully contacts a computer that already has this account enabled, you have provided the name of a domain controller that is already functioning on the network. In this case, the wizard provides a message that indicates that the installation cannot continue. Instead, you must rename the computer to match the name of an RODC account that is not already in use. </maml:para>

<maml:para>If the Active Directory Domain Services Installation Wizard cannot contact a computer that has this account enabled, it provides a message that warns that if you continue to install AD DS and the other server with the same name does exist, the other server will no longer function properly. In this case, you can perform additional network diagnostic tests to determine if the computer that has the enabled account is currently functioning on the network. You can perform these additional network diagnostic tests, such as using the <maml:computerOutputInline>ping</maml:computerOutputInline> command, independently from the wizard. After you resolve the issue, you can continue with the wizard to complete the installation.</maml:para>

<maml:para>When you create the RODC account, the wizard automatically generates a NetBIOS name based on the Domain Name System (DNS) name that you provide. To use a different NetBIOS name, use the ADSI Edit snap-in to modify the NetBIOS name after you create the RODC account.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Ensure Successful Active Directory Operations by Managing Operations Master Roles</maml:title><maml:introduction>
<maml:para>Operations master roles (also known as flexible single master operations or FSMO) are configured by default when Active Directory Domain Services (AD DS) is installed. Typically, these roles do not require ongoing management. However, for a change such as a replacement of a domain controller, you may have to transfer the operations master roles to another domain controller. As a last resort in case you cannot transfer an operations master role, you can seize the role to another domain controller.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Managing an operations master role</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to transfer or seize an operations master role.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Transfer an operations master role.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Transferring an Operations Master Role (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93239</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93239"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Seize an operations master role.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Seizing an Operations Master Role (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93240</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93240"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Using Advanced Mode Installation</maml:title><maml:introduction>
<maml:para>Some wizard pages in the Active Directory Domain Services Installation Wizard appear only if you select the <maml:ui>Use advanced mode installation</maml:ui> check box on the <maml:ui>Welcome to the Active Directory Domain Services Installation Wizard</maml:ui> page of the wizard. </maml:para>

<maml:para>Advanced mode installation provides experienced users with more control over the installation process, without confusing newer users with configuration options that may not be familiar. For users who do not select the <maml:ui>Use advanced mode installation</maml:ui> check box, the wizard uses default options that apply to most configurations.</maml:para>

<maml:para>The <maml:ui>Use advanced mode installation</maml:ui> option on the <maml:ui>Welcome</maml:ui> page of the wizard is an alternative to running <maml:computerOutputInline>dcpromo</maml:computerOutputInline> at a command prompt with the <maml:computerOutputInline>/adv</maml:computerOutputInline> switch (<maml:computerOutputInline>dcpromo /adv</maml:computerOutputInline>). </maml:para>

<maml:para>The following table lists the additional wizard pages that appear for each deployment configuration when you select the <maml:ui>Use advanced mode installation</maml:ui> check box. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Deployment configuration</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Advanced mode installation wizard pages</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>New forest</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:ui>Domain NetBIOS name</maml:ui></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>New domain in an existing forest</maml:para>
</maml:entry>
<maml:entry>
<maml:para>On the <maml:ui>Choose a Deployment Configuration</maml:ui> page, the option to create a new domain tree appears only in advanced mode installation. </maml:para>

<maml:para><maml:ui>Domain NetBIOS name</maml:ui></maml:para>

<maml:para><maml:ui>Source Domain Controller</maml:ui></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Additional domain controller in an existing domain</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:ui>Install from Media</maml:ui></maml:para>

<maml:para><maml:ui>Source Domain Controller</maml:ui></maml:para>

<maml:para><maml:ui>Specify Password Replication Policy</maml:ui> (for RODC installation only)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Create an account for a read-only domain controller (RODC) installation </maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:ui>Specify Password Replication Policy</maml:ui></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Attach a server to an account for an RODC installation</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:ui>Install from Media</maml:ui></maml:para>

<maml:para><maml:ui>Source Domain Controller</maml:ui></maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Installing from Media</maml:title><maml:introduction>
<maml:para>When you install an additional domain controller, you can install from media (IFM) instead of replicating all directory data over the network. The installation media can be stored on a local drive, removable media such as a DVD, or on a network shared folder.</maml:para>

<maml:para>Performing an IFM operation to create an additional domain controller greatly reduces the network bandwidth that is used when you install Active Directory Domain Services (AD DS). However, network connectivity is still necessary so that all new objects and recent changes to existing objects are replicated to the new domain controller.</maml:para>

<maml:para>If you select the option to copy domain information over the network, all AD DS data will be copied over your network connection. If you need to replicate information for a large domain, to postpone noncritical replication you can click <maml:ui>Finish Replication Later</maml:ui> on the progress page that appears after you finish the wizard. If you decide to postpone noncritical replication, the Active Directory Domain Services Installation Wizard will continue to complete Domain Name System (DNS) installation and configuration. The wizard will also install the Group Policy Management Console. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Creating AD DS installation media</maml:title><maml:introduction>
<maml:para>The recommended method for creating AD DS installation media is to use the Ntdsutil.exe tool that is built into Windows Server 2008 R2 and available when the AD DS server role is installed. The <maml:computerOutputInline>ntdsutil</maml:computerOutputInline> tool includes an <maml:computerOutputInline>ifm</maml:computerOutputInline> subcommand that creates only the files that are necessary to install AD DS. </maml:para>

<maml:para>As an alternative to using Ntdsutil.exe, you can restore a system state backup and use it as installation media, but a system state backup of a domain controller typically includes more data than is required to perform an IFM operation. </maml:para>

<maml:para>We also recommend the <maml:computerOutputInline>ntdsutil ifm</maml:computerOutputInline> subcommand because you can use it to remove secrets, such as passwords, from the AD DS database so that you can install a read-only domain controller (RODC). When you remove these secrets, the RODC installation media is more secure if it must be transported to a branch office for an RODC installation. </maml:para>

<maml:para>You must use RODC installation media to install an RODC. You can create RODC installation media on either an RODC or a writeable domain controller. You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller. In the <maml:computerOutputInline>ntdsutil ifm</maml:computerOutputInline> subcommand, the writeable domain controller installation media is denoted as "full" media. For more information about using the <maml:computerOutputInline>ntdsutil ifm</maml:computerOutputInline> subcommand, see Installing AD DS from Media (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93104</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93104"></maml:uri></maml:navigationLink>). </maml:para>

<maml:para>If you use a backup of another domain controller as AD DS installation media, use the most recent backup available. Older backups require more network bandwidth for replication. The backup that you use cannot be older than the tombstone lifetime of the domain, which is set to a default value of 180 days (60 days in a forest that is created on a server running Windows Server 2003 or earlier).</maml:para>

<maml:para>When you choose the option to copy domain information from restored backup files, you first must create a system state backup of a domain controller from the domain in which this member server will become an additional domain controller. Then, you must restore the backup locally on the server on which you are installing AD DS.</maml:para>

<maml:para>If you want to use the application partitions that are available on the installation media, you can specify the <maml:computerOutputInline>/ApplicationPartitionsToReplicate</maml:computerOutputInline> parameter when you start <maml:computerOutputInline>dcpromo</maml:computerOutputInline> during an unattended installation. Specify <maml:computerOutputInline>*</maml:computerOutputInline> to include all available application partitions. For example, to use all available applications for the additional domain controller, you can type the following command at a command prompt, and then press ENTER:</maml:para>

<maml:para><maml:computerOutputInline>dcpromo /unattend /ReplicaOrNewDomain:Replica /ApplicationPartitionsToReplicate:*</maml:computerOutputInline></maml:para>

<maml:para>If you want the new domain controller to be a global catalog server, you can either use installation media that is created from a global catalog server or replicate the global catalog data to the new domain controller over the network.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Improve Active Directory Redundancy by Adding Another Domain Controller</maml:title><maml:introduction>
<maml:para>You can add domain controllers to a domain to improve load balancing in a site and fault tolerance in a domain. Additional domain controllers improve the performance of authentication requests and global catalog server lookups. They also help Active Directory Domain Services (AD DS) overcome hardware, software, or administrator errors. When you add a domain controller, information is replicated over the network.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Deploying another domain controller</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to add another domain controller to a domain.</maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The following table refers to running Adprep.exe to prepare your environment for a domain controller that runs Windows Server 2008 R2. Adprep.exe is located in the support\adprep folder of the Windows Server 2008 R2 installation disc. In addition, Windows Server 2008 R2 includes a 32-bit version (Adprep32.exe) and a 64-bit version (Adprep.exe). The 64-bit version runs by default. If you are running Adprep on a 32-bit computer, run the 32-bit version.  </maml:para></maml:alertSet>
<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If this is the first domain controller in your forest that runs Windows Server 2008 R2, prepare the forest schema by running <maml:computerOutputInline>adprep forestprep</maml:computerOutputInline>.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93242</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93242"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If this is the first domain controller in your domain that runs Windows Server 2008 R2, prepare the domain by running <maml:computerOutputInline>adprep /domainprep /gpprep</maml:computerOutputInline>.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93243</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93243"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If you plan to install a read-only domain controller (RODC), raise the forest functional level to Windows Server 2003.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Raising the Functional Levels (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93174</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93174"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If you are installing the first RODC in your forest, prepare your forest by running <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline>.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Prepare a Forest for a Read-Only Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93244</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93244"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Determine the user account and password that you will use to install the domain controller. The account must be a member of the Domain Admins group in the domain where you are installing the domain controller, or it must be delegated sufficient privileges. </maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Providing Network Credentials to Install or Remove Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=54462cf1-d293-436c-b396-27925e13ede2"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Determine the fully qualified Domain Name System (DNS) name of the domain where you plan to install the domain controller. Your AD DS design team may provide this information. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Collect Regional Domain Design Information (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93249</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93249"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Decide where you plan to store the database, log files, and SYSVOL. For improved performance and efficient backup and recovery operations, store these components on separate volumes. </maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Placing Active Directory Domain Services Files</maml:linkText><maml:uri href="mshelp://windows/?id=ce4f829a-7b01-4b43-84a4-a896bd9bff2a"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If you plan to install from media (IFM), use the <maml:computerOutputInline>ntdsutil ifm</maml:computerOutputInline> subcommand to create the installation media.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Installing AD DS from Media (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93264</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93264"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Determine a strong password that you will assign for the Directory Services Restore Mode (DSRM) account.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Providing a Directory Services Restore Mode Administrator Password</maml:linkText><maml:uri href="mshelp://windows/?id=4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Determine which additional domain controller options you want to install. For example, determine if you want the domain controller to be a DNS server, global catalog server, or an RODC.</maml:para>
</maml:entry>
<maml:entry>
<maml:para><maml:navigationLink><maml:linkText>Configuring Additional Domain Controller Options</maml:linkText><maml:uri href="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0"></maml:uri></maml:navigationLink></maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Use Dcdiag.exe to verify connectivity with operations masters. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Verify the availability of the operations masters (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93271</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93271"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Install AD DS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Installing an Additional Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93254</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93254"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Overview of the Active Directory Domain Services Installation Wizard</maml:title><maml:introduction>
<maml:para>You can use the Active Directory Domain Services Installation Wizard to install and configure Active Directory Domain Services (AD DS) on a server. When you install AD DS on a server, that server becomes a domain controller. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>When you click a link to open a Help topic for the wizard, the Help topic remains on top of the wizard page. You can resize and reposition the Help topic to continue working in the wizard.</maml:para>
</maml:alertSet>

<maml:para>The Active Directory Domain Services Installation Wizard provides a user interface (UI) for gathering information about your computing environment. It also checks prerequisites for installing AD DS, such as available disk space and the version of the operating system, to ensure that the server is capable of becoming a domain controller. If all the prerequisites are met, the wizard uses the information that it gathers to configure AD DS. </maml:para>

<maml:para>You can also use the wizard to remove AD DS from a domain controller. In this case, the wizard detects that AD DS is already installed on the server and it prompts you for information that is needed to uninstall AD DS. </maml:para>

</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Active Directory Domain Services</maml:title><maml:introduction>
<maml:para>Active Directory® Domain Services (AD DS) stores information about users, computers, and other resources on a network. AD DS helps administrators manage this information securely. It also facilitates resource sharing and collaboration among users. AD DS is required for directory-enabled applications, such as Microsoft® Exchange Server, and for other Windows Server® technologies, such as Group Policy.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>AD DS requires a Domain Name System (DNS) server to be installed on the network. If you do not have a DNS server available for name resolution in the domain, you will be prompted to install the DNS server role on this server.</maml:para>
</maml:alertSet>

<maml:para>The following topics provide information about using the Active Directory Domain Services Installation Wizard and about implementing common configurations of AD DS: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Overview of the Active Directory Domain Services Installation Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=6b4fd0a5-62b0-4cb9-a01b-5dc21d9d8236"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Installing Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=576d75af-26b6-4df8-903a-7579a81500d4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Performing a Staged Installation of a Read-Only Domain Controller</maml:linkText><maml:uri href="mshelp://windows/?id=e470dd1b-507b-436e-a17b-3ddcb5bb5044"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Removing Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=528cfe92-0dd3-45bf-996c-b0ecfd1f8f37"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Unattended Installation Return Codes</maml:linkText><maml:uri href="mshelp://windows/?id=51189958-f622-49f7-b944-823d4bd1bb68"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Common Configurations for Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=ae51cdda-4957-43b6-8d0f-1f8c1c108af0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>

<maml:para>Before you install AD DS, be sure that you have planned how AD DS will be deployed on your network, including DNS server support for AD DS. For more information about planning your AD DS deployment, see Planning and Architecture: AD DS (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93715</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93715"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Simplify Active Directory Administration by Delegating Management of Users, Computers, and Other Network Resources</maml:title><maml:introduction>
<maml:para>You can use the Delegation of Control Wizard to delegate administrative control of a particular domain or organizational unit (OU) to groups or individuals who are responsible for only that domain or OU. By delegating administration, you can make it possible for groups or individuals in your organization to perform tasks such as:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User, computer, and security group management.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Password resets.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Group Policy management.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Replication topology and schedule setting.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You can also help secure your network from accidental or malicious damage by limiting the capabilities of the groups or individuals to whom you delegate control.</maml:para>

<maml:para>To use the Delegation of Control Wizard, open the Active Directory Users and Computers snap-in, right-click the OU that you want to delegate control of, and then click <maml:ui>Delegate Control</maml:ui>. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Delegating management of users, computers, and other network resources</maml:title><maml:introduction>
<maml:para>The following table lists references for more information about delegating Active Directory administration. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review best practice information for delegating Active Directory administration.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Best Practices for Delegating Active Directory Administration (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93213</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93213"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review a list of Active Directory administrative tasks for service administration and data administration, along with the permissions required to perform each task.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Best Practices for Delegating Active Directory Administration: Appendices (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93214</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93214"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Performing Metadata Cleanup</maml:title><maml:introduction>
<maml:para>The Active Directory Domain Services Installation Wizard automatically removes associated metadata from the forest when it successfully removes Active Directory Domain Services (AD DS) from a domain controller. However, certain conditions, such as lack of network connectivity, may prevent the wizard from successfully removing AD DS. If you force the removal of AD DS because the wizard cannot run successfully on the domain controller, you must delete the domain controller object. If you perform the deletion on a domain controller that runs Windows Server 2008 or Windows Server 2008 R2, the metadata that is associated with the deleted domain controller is cleaned up automatically. This eliminates the need to perform metadata cleanup, as is required for domain controllers that run Windows 2000 Server or Windows Server 2003.</maml:para>
<maml:para>To delete the domain controller object, open the Active Directory Users and Computers snap-in or the Active Directory Sites and Services snap-in, navigate to the domain controller object that you want to delete, right-click it, and then click <maml:ui>Delete</maml:ui>. </maml:para><maml:para>For more information, see AD DS Installation and Removal Step-by-Step Guide (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=139657</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=139657"></maml:uri></maml:navigationLink>).</maml:para></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Updating Root Hints</maml:title><maml:introduction>
<maml:para>You can use root hints to prepare servers that are authoritative for nonroot zones so that they can discover authoritative servers that manage domains at a higher level or in other subtrees of the DNS domain namespace. These root hints are essential for servers that are authoritative at lower levels of the namespace when locating and finding other servers under these conditions.</maml:para>

<maml:para>For example, suppose that a DNS server (Server A) has a zone called sub.corp.contoso.com. In the process of answering a query for a higher-level domain, such as the corp.contoso.com domain, Server A needs some assistance to locate an authoritative server (such as Server B) for this domain.</maml:para>

<maml:para>For Server A to find Server B—or any other servers that are authoritative for the contoso.com domain, Server A must be able to query the root servers for the DNS namespace. The root servers can then refer Server A to the authoritative servers for the com domain. The servers for the com domain can, in turn, offer referral to Server B or other servers that are authoritative for the contoso.com domain. The root hints that Server A uses must have helpful hints to the root servers for this process to locate Server B (or another authoritative server) as intended.</maml:para>

<maml:para>To configure and use root hints correctly, first answer the following questions about your DNS server:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Are you using DNS on the Internet or on a private network?</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Is the DNS server used as a root server?</maml:para>
</maml:listItem>
</maml:list>

<maml:para>By default, the DNS Server service implements root hints by using a file, Cache.dns, that is stored in the %systemroot%\System32\Dns folder on the server computer. This file normally contains the name server (NS) and host (A) resource records for the Internet root servers. If, however, you are using the DNS Server service on a private network, you can edit or replace this file with similar records that point to your own internal root DNS servers.</maml:para>

<maml:para>Root hints are also treated differently when a DNS server is configured to be used by other DNS servers in an internal namespace as a forwarder for any DNS queries of names that are managed externally (on the Internet, for example). Even though the DNS server that is used as a forwarder can be located internally on the same network as servers that are using it as a forwarder, it needs hints for the Internet root servers to work properly and resolve external names.</maml:para>

<maml:para>If a DNS server is configured to access other DNS servers, such as through a list of DNS servers that is configured in its client TCP/IP properties for an installed network connection, the DNS Server service is capable of gathering its own root hints during new server configuration. You can use the Configure a DNS Server Wizard to accomplish this.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Consolidate Servers by Retiring a Domain Controller and Removing AD DS from the Server</maml:title><maml:introduction>
<maml:para>To remove Active Directory Domain Services (AD DS) from a domain controller, run the Active Directory Domain Services Installation Wizard (Dcpromo.exe). The wizard automatically detects that the server is already a domain controller and guides you through the steps to remove AD DS. If the wizard cannot successfully remove AD DS for some reason, you may have to force the removal of the domain controller.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Removing AD DS from a server</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to remove AD DS from a server. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If you plan to retain other domain controllers in the domain, follow the steps for removing a domain controller from the domain. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Removing a Domain Controller from a Domain (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93207</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93207"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If you plan to retire the last domain controller in a domain, follow the steps for removing the last domain controller in the domain.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Removing the Last Domain Controller in a Domain (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93208</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93208"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If you plan to retire the last domain controller from the only domain in the forest, follow the steps for removing the last domain controller in the forest.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Removing the Last Domain Controller in a Forest (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93209</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93209"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If the domain controller that you want to retire has no connectivity to other domain controllers, you may have to force the removal of AD DS from the server. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Forcing the Removal of a Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93210</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93210"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Setting the Domain or Forest Functional Level</maml:title><maml:introduction>
<maml:para>Functional levels determine the features of Active Directory Domain Services (AD DS) that are enabled in a domain or forest. They also restrict which Windows Server operating systems can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems can run on workstations and member servers that are joined to the domain or forest. </maml:para>

<maml:para>When you create a new domain or a new forest, set the domain and forest functional levels to the highest values that you know your environment can support. This way, you can take advantage of as many AD DS features as possible. For example, if you are sure that no domain controllers that run Windows Server 2008 (or any earlier operating system) will ever be added to the domain or forest, select the Windows Server 2008 R2 functional level. On the other hand, if it is possible that you will retain or add domain controllers that run Windows Server 2008 or earlier, select the Windows Server 2008 functional level during installation. You can raise the functional level after the installation, when you are sure that no such domain controllers will be added or are still in use. </maml:para>

<maml:para>When you install a new forest, you are prompted to set the forest functional level and then the domain functional level. You cannot set the domain functional level to a value that is lower than the forest functional level. For example, if you set the forest functional level to Windows Server 2008 R2, you can set the domain functional level only to Windows Server 2008 R2. The Windows 2000, Windows Server 2003, and Windows Server 2008 domain functional level values will not be available on the <maml:ui>Set domain functional level</maml:ui> wizard page. In addition, all domains that you subsequently add to that forest will have the Windows Server 2008 R2 domain functional level by default. </maml:para>
<maml:para>After you set the domain functional level to a certain value, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.</maml:para>
<maml:para>After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and if Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.</maml:para>
<maml:para>The following sections explain the sets of features that are enabled at the different domain and forest functional levels. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Features that are enabled at domain functional levels</maml:title><maml:introduction>
<maml:para>The following table lists the enabled features and supported domain controller operating systems for each domain functional level.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Domain functional level</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enabled features</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Supported domain controller operating systems</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Windows 2000 native</maml:para>
</maml:entry>
<maml:entry>
<maml:para>All default Active Directory features, plus the following features:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Universal groups for both distribution groups and security groups</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Group nesting</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Group conversion, which makes conversion possible between security groups and distribution groups</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Security identifier (SID) history</maml:para>
</maml:listItem>
</maml:list>
</maml:entry>
<maml:entry>
<maml:para>Windows 2000</maml:para>

<maml:para>Windows Server 2003</maml:para>

<maml:para>Windows Server 2008</maml:para>

<maml:para>Windows Server 2008 R2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Windows Server 2003</maml:para>
</maml:entry>
<maml:entry>
<maml:para>All default Active Directory features, all features from the Windows 2000 native domain functional level, plus the following features:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The domain management tool, Netdom.exe, is available to prepare for domain controller rename.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Logon time stamp update. The <maml:phrase>lastLogonTimestamp</maml:phrase> attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain. Note that this attribute might not be updated if a read-only domain controller (RODC) authenticates the account.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The <maml:phrase>userPassword</maml:phrase> attribute can be set as the effective password on inetOrgPerson objects and user objects.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Users and Computers containers can be redirected. By default, two well-known containers are provided for housing computer and user/group accounts: cn=Computers,&lt;domain root&gt; and cn=Users,&lt;domain root&gt;. With this feature, you can define a new well-known location for these accounts.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Authorization Manager can store its authorization policies in AD DS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Constrained delegation, which makes it possible for applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. You can configure delegation to be allowed only to specific destination services.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Support for selective authentication, which makes it possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest. </maml:para>
</maml:listItem>
</maml:list>
</maml:entry>
<maml:entry>
<maml:para>Windows Server 2003</maml:para>

<maml:para>Windows Server 2008</maml:para>

<maml:para>Windows Server 2008 R2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Windows Server 2008</maml:para>


</maml:entry>
<maml:entry>
<maml:para>All default Active Directory features, all features from the Windows 2000 native and the Windows Server 2003 domain functional levels, plus the following features:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents. You may need to perform additional steps to use DFS Replication for SYSVOL. For more information, see File Services (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93167</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93167"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.</maml:para>
</maml:listItem>
</maml:list>
</maml:entry>
<maml:entry>
<maml:para>Windows Server 2008</maml:para>
<maml:para>Windows Server 2008 R2</maml:para>
</maml:entry></maml:row>
<maml:row>
<maml:entry><maml:para>Windows Server 2008 R2</maml:para></maml:entry>
<maml:entry><maml:para>All default Active Directory features, all features from the Windows 2000 native, Windows Server 2003, and Windows Server 2008 functional levels, plus the following feature:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Authentication Mechanism Assurance, which packages information about the type of logon method (smartcard or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.</maml:para></maml:listItem>
</maml:list>
</maml:entry>
<maml:entry><maml:para>Windows Server 2008 R2</maml:para></maml:entry>
</maml:row>
</maml:table>
</maml:introduction></maml:section><maml:section>
<maml:title>Features that are enabled at forest functional levels</maml:title><maml:introduction>
<maml:para>The following table lists the enabled features and supported domain controller operating systems for each forest functional level.</maml:para>
<maml:table>
<maml:row>
<maml:entry><maml:para>Forest functional level</maml:para></maml:entry>
<maml:entry><maml:para>Enabled features</maml:para></maml:entry>
<maml:entry><maml:para>Supported domain controller operating systems</maml:para></maml:entry>
</maml:row><maml:row>
<maml:entry><maml:para>Windows 2000</maml:para></maml:entry>
<maml:entry><maml:para>All default Active Directory features</maml:para></maml:entry>
<maml:entry><maml:para>Windows 2000</maml:para>
<maml:para>Windows Server 2003</maml:para>
<maml:para>Windows Server 2008</maml:para>
<maml:para>Windows Server 2008 R2</maml:para>
</maml:entry>
</maml:row><maml:row>
<maml:entry><maml:para>Windows Server 2003</maml:para></maml:entry>
<maml:entry><maml:para>All default Active Directory features, plus the following features:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Forest trust</maml:para></maml:listItem>
<maml:listItem><maml:para>Domain rename</maml:para></maml:listItem>
<maml:listItem><maml:para>Linked-value replication (changes in group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication, and it eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.</maml:para></maml:listItem>
<maml:listItem><maml:para>The ability to deploy an RODC</maml:para></maml:listItem>
<maml:listItem><maml:para>Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level.</maml:para></maml:listItem>
<maml:listItem><maml:para>The ability to create instances of the dynamic auxiliary class called <maml:phrase>dynamicObject</maml:phrase> in a domain directory partition</maml:para></maml:listItem>
<maml:listItem><maml:para>The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse</maml:para></maml:listItem>
<maml:listItem><maml:para>The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization</maml:para></maml:listItem>
<maml:listItem><maml:para>Deactivation and redefinition of attributes and classes in the schema</maml:para></maml:listItem>
</maml:list>
</maml:entry>
<maml:entry><maml:para>Windows Server 2003</maml:para>
<maml:para>Windows Server 2008</maml:para>
<maml:para>Windows Server 2008 R2</maml:para>
</maml:entry>
</maml:row><maml:row>
<maml:entry><maml:para>Windows Server 2008</maml:para></maml:entry>
<maml:entry><maml:para>All the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default. </maml:para>

<maml:para>If you plan to include only domain controllers that run Windows Server 2008 or Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. </maml:para>
</maml:entry>
<maml:entry><maml:para>Windows Server 2008</maml:para>
<maml:para>Windows Server 2008 R2</maml:para></maml:entry>
</maml:row>
<maml:row>
<maml:entry><maml:para>Windows Server 2008 R2</maml:para></maml:entry>
<maml:entry><maml:para>All of the features that are available at the Windows Server 2003 forest functional level, plus the following feature:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.</maml:para></maml:listItem>

</maml:list>
<maml:para>All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.</maml:para>
<maml:para>If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.</maml:para>
</maml:entry>

<maml:entry><maml:para>Windows Server 2008 R2</maml:para></maml:entry>
</maml:row>
</maml:table>


</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Choosing a Computer Name for the Domain Controller</maml:title><maml:introduction>
<maml:para>If the name of the server where you plan to install Active Directory Domain Services (AD DS) does not conform to Domain Name System (DNS) specifications, the Active Directory Domain Services Installation Wizard displays a warning. The warning states that you must rename the server or, if you retain the nonconforming name, that you must use a Microsoft DNS server so that clients can locate the server. However, the warning does not prevent you from installing AD DS successfully on this server to make it a domain controller. You can continue to install AD DS on this server and then correct its DNS configuration after the installation is complete.</maml:para>

<maml:para>For this domain controller to be discovered by other domain members and domain controllers, the DC Locator DNS records must be added to DNS. It is strongly recommended that your DNS infrastructure allow dynamic updates of DC Locator DNS records. However, your DNS administrator may add these records manually after the installation is complete and the domain controller is restarted. These records are listed in the following location:</maml:para>

<maml:para>%systemroot%\system32\config\netlogon.dns</maml:para>

<maml:para>You will receive the warning for a nonconforming DNS name if the name of the server contains one or more of the following invalid characters:</maml:para>

<maml:para>{ | } ~ [ \ ] ^ ' : ; &lt; = &gt; ? @ ! " # $ ^ ` ( ) + / , * or a space </maml:para>

<maml:para>Valid characters for a computer name include all uppercase letters (A through Z), lowercase letters (a through z), numbers (0 through 9), and hyphens (-).</maml:para>

<maml:para>To resolve this problem, exit the wizard, rename the computer, and then restart the wizard.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Renaming your computer</maml:title><maml:introduction>
<maml:para>You can use the following procedure to rename your computer. </maml:para>

<maml:para>Membership in the local <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To rename your computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, right-click <maml:ui>Computer</maml:ui>, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Computer name, domain, and workgroup settings</maml:ui>, click <maml:ui>Change settings</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Computer name</maml:ui> tab, click <maml:ui>Change</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Computer name</maml:ui>, type the new name for the computer, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When you are prompted, restart your computer. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>A computer joining a domain must use the name that was created for it by the network administrator, unless you have a user name and password with rights to create computer accounts.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you supply a valid user name and password for a domain, the domain membership will be updated automatically with the new computer name.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Computer names that are 15 characters or less are recommended. If your computer has TCP/IP installed, the computer name can be up to 63 characters long. However, it should contain only the numbers 0 through 9, the letters A through Z and a through z, and hyphens. You may use other characters, but doing so may prevent other users from finding your computer on the network. If your network is using a Microsoft DNS server, you can use any characters except periods. If other networking protocols are installed without TCP/IP, the name is limited to 15 characters. </maml:para>

<maml:para>Before you use additional characters, consider the following issues:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Some non-Microsoft resolver software supports only the characters that are listed in Request for Comments (RFC) 1123. If you have any non-Microsoft resolver software, that software is probably not able to look up computers with names that have nonstandard characters. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A DNS server that does not support UTF-8 encoding might accept a zone transfer of a zone containing UTF-8 names, but it cannot write back those names to a zone file or reload those names from a zone file. Therefore, you must not transfer a zone that contains UTF-8 characters to a DNS server that does not support them.</maml:para>
</maml:listItem>
</maml:list>
</maml:listItem>

<maml:listItem>
<maml:para>If you specify a computer name that is longer than 15 characters and you want longer names to be recognized by the Active Directory domain, the domain administrator must enable registration of DNS names that are 16 bytes or longer.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If your computer is a member of a workgroup, no networking is installed (or TCP/IP is not installed), the computer name cannot be more than 15 characters, and the characters must all be uppercase.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Creating or Updating a DNS Delegation</maml:title><maml:introduction>
<maml:para>When you add another Active Directory domain to a forest, delegation records that point to the authoritative DNS servers for the new zone should be created in the parent Domain Name System (DNS) zone. Delegation records transfer name resolution authority and provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone. If you are using Active Directory–integrated DNS, these DNS servers might also be the domain controllers for that domain.</maml:para>

<maml:para>You can create these DNS delegation records before you start the Active Directory Domain Services Installation Wizard, or you can have the wizard create them automatically. The wizard verifies that the appropriate records exist in the parent DNS zone after you click <maml:ui>Next</maml:ui> on the <maml:ui>Additional Domain Controller Options</maml:ui> page. If the wizard cannot verify that the records exist in the parent domain, the wizard provides you with the option to create the records automatically and continue with the new domain installation. </maml:para>

<maml:para>For example, to add a new child domain named na.contoso.com to the contoso.com forest, a delegation for the DNS subdomain (na.contoso.com) must be created in the parent DNS zone (contoso.com). </maml:para>

<maml:para>If an authoritative DNS server for the newly delegated na.contoso.com subdomain is named ns1.na.contoso.com, to make this server known to others outside of the new delegated zone two resource records must be present in the contoso.com zone to complete delegation to the new zone. These resource records include the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>A name server (NS) resource record to effect the delegation. This resource record advertises that the server named ns1.na.example.microsoft.com is an authoritative server for the delegated subdomain.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A host (A or AAAA) resource record—also known as a glue record—must be present to resolve the name of the server that is specified in the name server (NS) resource record to its IP address. The process of resolving the host name in this resource record to the delegated DNS server in the name server (NS) resource record is sometimes referred to as "glue chasing."</maml:para>
</maml:listItem>
</maml:list>

<maml:para>To create a zone delegation, open <maml:ui>DNS Manager</maml:ui>, right-click the parent domain, and then click <maml:ui>New Delegation</maml:ui>. Follow the steps in the New Delegation Wizard to create the delegation. </maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Using an Answer File</maml:title><maml:introduction>
<maml:para>On the <maml:ui>Summary</maml:ui> page of the Active Directory Domain Services Installation Wizard, you can click <maml:ui>Export settings</maml:ui> to save the settings that you specified in the wizard to an answer file. You can then use the answer file to automate subsequent installations of Active Directory Domain Services (AD DS).</maml:para>

<maml:para>The answer file is a plain text file with a [DCInstall] header. The answer file provides answers to the questions that are asked by the Active Directory Domain Services Installation Wizard. Using the answer file eliminates the need for an administrator to interact with the wizard. The Active Directory Domain Services Installation Wizard adds text to the answer file that explains how to use it, such as how to invoke it with the <maml:computerOutputInline>dcpromo</maml:computerOutputInline> command and which settings must be updated to use it. </maml:para>

<maml:para>During an unattended operation, a return code indicates whether or not the operation was successful. For information about return codes, see <maml:navigationLink><maml:linkText>Unattended Installation Return Codes</maml:linkText><maml:uri href="mshelp://windows/?id=51189958-f622-49f7-b944-823d4bd1bb68"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>To use an answer file to install AD DS, type the following command at a command prompt, and then press ENTER:</maml:para>

<maml:para><maml:computerOutputInline>dcpromo /answer[:</maml:computerOutputInline><maml:replaceable>filename</maml:replaceable><maml:computerOutputInline>]</maml:computerOutputInline></maml:para>

<maml:para>Where <maml:replaceable>filename</maml:replaceable> is the name of your answer file. </maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Removing Application Directory Partitions</maml:title><maml:introduction>
<maml:para>An application directory partition is a directory partition that is replicated only to specific domain controllers. Application directory partitions are usually created by the applications that use them to store and replicate data. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition.</maml:para>

<maml:para>For example, Domain Name System (DNS) application directory partitions are created by default on domain controllers that run Windows Server 2008 R2 if they are also hosting Active Directory–integrated DNS zones. The following DNS application directory partitions are created on these domain controllers:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>DomainDNSZones</maml:phrase>: This application directory partition includes DNS data that is replicated to all domain controllers in the domain.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>ForestDNSZones</maml:phrase>: This application directory partition includes DNS data that is replicated to all domain controllers in the forest.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The Active Directory Domain Services Installation Wizard can remove these DNS application directory partitions when it removes Active Directory Domain Services (AD DS) from the last domain controller that hosts the partitions. </maml:para>

<maml:para>If you are removing the last domain controller in the domain, the wizard lists the distinguished name for the DomainDNSZones application directory partition. If you are removing the last domain controller in the forest, the wizard lists the distinguished name for the ForestDNSZones application directory partition. You can click <maml:phrase>Next</maml:phrase> to have the wizard remove these DNS application directory partitions. </maml:para>

<maml:para>Before you delete the last replica of any other application directory partition, identify the applications that use the application directory partition, determine if it is safe to delete the last replica, identify the partition deletion tool that the application provides, and then remove the application directory partition by using the tool that is provided or by using the Ntdsutil command-line tool if no tool is provided. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Identify the applications that use the application directory partition</maml:title><maml:introduction>
<maml:para>To determine what application directory partitions are hosted on a computer, refer to the list on the <maml:ui>Application Directory Partitions</maml:ui> page in the Active Directory Domain Services Installation Wizard. If the list does not provide enough information to identify the applications that use a particular application directory partition, you may be able to identify them in one of the following ways:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Consult a member of the Enterprise Admins group.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Consult network change-control records that your organization maintains.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Use Ldp.exe or the ADSI Edit snap-in to view the data that is contained in the partition. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Determine if it is safe to delete the last replica</maml:title><maml:introduction>
<maml:para>Removing the last replica of an application directory partition causes the permanent loss of any data that is contained in the partition. If you have identified the applications that are using the application directory partition, consult the documentation that is provided with those applications to determine if there is any reason to keep the data. If the applications that use the application directory partition are out of service, it is probably safe to remove the partition.</maml:para>

<maml:para>If it is not safe to delete the last replica, or if you cannot determine whether or not it is safe and you must demote the domain controller that holds the last replica of a particular application directory partition, follow these steps: </maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>Add a replica of the partition on another domain controller.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Wait for the contents of the application directory partition to replicate to the domain controller that holds the new replica.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Remove the replica of the partition on the domain controller to be demoted by using the partition management subcommand of Ntdsutil.exe. For more information, see the Ntdsutil partition management topic in Command Reference (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=94210</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=94210"></maml:uri></maml:navigationLink>). </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Identify the partition deletion tool that is provided by the application</maml:title><maml:introduction>
<maml:para>Most applications that create application directory partitions provide a tool to remove the partitions. When possible, always delete an application directory partition by using the tool that the application provides. For example, to delete a Telephony API (TAPI) partition, use the Tapicfg.exe command-line tool. Refer to an application's documentation for information about removing application directory partitions that the application creates and uses.</maml:para>

<maml:para>If you cannot identify the application that created the application directory partition or if your application does not provide a tool to delete application directory partitions that it created, you can use the Ntdsutil command-line tool. Use the partition management subcommand of <maml:computerOutputInline>ntdsutil</maml:computerOutputInline> to remove the application directory partition. </maml:para>

<maml:alertSet class="caution"><maml:title>Caution </maml:title>
<maml:para>If possible, use the application's tool for managing its application directory partitions. The application may keep other data in addition to Active Directory–managed data for the application directory partitions. If you use Ntdsutil to manage the application directory partition, the two sets of data might cause a conflict.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Improve Security and Reduce Network Traffic for a Branch Office by Deploying an RODC</maml:title><maml:introduction>
<maml:para>A read-only domain controller (RODC) hosts read-only partitions of the Active Directory database. RODCs provide a way for you to deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as an extranet or for specific application support. Because RODC administration can be delegated to a domain user or a security group, an RODC is well suited for a site that does not have a user who is a member of the Domain Admins group.</maml:para>

<maml:para>Before you can install an RODC, the forest functional level must be Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. You can install an RODC on a full installation or a Server Core installation ofWindows Server 2008 R2. You can also perform a staged RODC installation, in which the installation is completed in two stages. For more information about performing a staged RODC installation, see <maml:navigationLink><maml:linkText>Performing a Staged Installation of a Read-Only Domain Controller</maml:linkText><maml:uri href="mshelp://windows/?id=e470dd1b-507b-436e-a17b-3ddcb5bb5044"></maml:uri></maml:navigationLink>. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Deploying an RODC</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to deploy an RODC.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Raise the forest functional level to Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Raising the Functional Levels (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93174</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93174"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Run <maml:computerOutputInline>adprep /forestprep</maml:computerOutputInline>.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93242</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93242"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Run <maml:computerOutputInline>adprep /domainprep /gpprep</maml:computerOutputInline>.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93243</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93243"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Run <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline>.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Prepare a Forest for a Read-Only Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93244</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93244"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Install at least one writable domain controller that runs Windows Server 2008 or Windows Server 2008 R2. For fault tolerance, you can deploy multiple writable domain controllers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Steps for Installing AD DS (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93245</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93245"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Install an RODC, either by performing a normal installation or by performing a staged installation.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Performing a Staged RODC Installation (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93246</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93246"></maml:uri></maml:navigationLink>)</maml:para>

<maml:para>Installing an Additional Domain Controller (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93254</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93254"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction>

</maml:section></maml:sections></maml:content><maml:relatedLinks type="seeAlso"><maml:title>See Also</maml:title><maml:navigationLink><maml:linkText>Performing a Staged Installation of a Read-Only Domain Controller</maml:linkText><maml:uri href="mshelp://windows/?id=e470dd1b-507b-436e-a17b-3ddcb5bb5044"></maml:uri></maml:navigationLink></maml:relatedLinks></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Simplify Management of User and Computer Accounts by Using Group Policy to Apply Common Configurations</maml:title><maml:introduction>
<maml:para>Group Policy simplifies administration and reduces information technology (IT) costs by automating the management of user accounts and computer accounts. By using the Group Policy Management Console (GPMC), an administrator can implement security settings efficiently; enforce IT policies; and distribute software consistently across sites, domains, or organizational units (OUs) that the administrator selects.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Using Group Policy</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to use Group Policy on a server running Windows Server 2008. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If necessary, install the Group Policy Management Console by using the Add Features Wizard in Server Manager. If you are prompted to do so, restart the server after you install the Group Policy Management Console.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Server Manager</maml:ui>, and then click <maml:ui>Add Features</maml:ui>. Select the <maml:ui>Group Policy Management Console</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review information about using Group Policy, including references for creating and editing custom ADMX files. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Group Policy (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93212</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93212"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Common Configurations for Active Directory Domain Services</maml:title><maml:introduction>
<maml:para>This section includes topics about common configurations for Active Directory Domain Services (AD DS). You can access all of these topics on the <maml:ui>Active Directory Domain Services</maml:ui> server role page in Server Manager. Under <maml:ui>Resources and Support</maml:ui>, you can view a description for each configuration in this list, and you can click links for more information from online resources. </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Improve Active Directory Redundancy by Adding Another Domain Controller</maml:linkText><maml:uri href="mshelp://windows/?id=695c2fad-f7d1-4075-8402-127581ecb172"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Optimize Resource Access or Network Utilization by Deploying an Additional Domain</maml:linkText><maml:uri href="mshelp://windows/?id=f7cd8568-60c6-490f-952b-7981f6b76ce0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Improve Security and Reduce Network Traffic for a Branch Office by Deploying an RODC</maml:linkText><maml:uri href="mshelp://windows/?id=a61e3e1e-17df-45da-8aa7-8c479e835259"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Ensure Successful Active Directory Operations by Managing Operations Master Roles</maml:linkText><maml:uri href="mshelp://windows/?id=62919f2e-6873-431b-b3da-36d27e544da9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Optimize Network Utilization Across Geographic Locations by Adding an Active Directory Site</maml:linkText><maml:uri href="mshelp://windows/?id=04516079-76bb-4def-8856-c5534c411238"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Share Resources with Other Forests by Creating Trust Relationships</maml:linkText><maml:uri href="mshelp://windows/?id=2005bba5-0ecc-4b67-8596-18bd75d57d02"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Help Prepare for Disaster Recovery by Performing Routine Backups of the Active Directory Database</maml:linkText><maml:uri href="mshelp://windows/?id=29f83de8-d4d6-4db6-90bc-1741ece46aec"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Reduce Directory Size and Ensure Its Integrity and Performance by Performing Offline Defragmentation</maml:linkText><maml:uri href="mshelp://windows/?id=59840570-41e6-4eaf-ac40-0505e7765a7a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Improve Resource Access Efficiency by Using Security Groups</maml:linkText><maml:uri href="mshelp://windows/?id=5ce13491-3a1c-4935-af59-70e27dae6144"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Ensure That DNS Clients Can Locate Domain Controllers by Configuring DNS Support for AD DS</maml:linkText><maml:uri href="mshelp://windows/?id=09ca3b92-5e7a-4154-9d18-5be2c54b9bb7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Simplify Active Directory Administration by Delegating Management of Users, Computers, and Other Network Resources</maml:linkText><maml:uri href="mshelp://windows/?id=6e082c82-6315-42be-b5a1-6f4647bfa5e8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Simplify Management of User and Computer Accounts by Using Group Policy to Apply Common Configurations</maml:linkText><maml:uri href="mshelp://windows/?id=a9a06564-b6e2-4287-8e4b-05a4a07a6bb8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Consolidate Servers by Retiring a Domain Controller and Removing AD DS from the Server</maml:linkText><maml:uri href="mshelp://windows/?id=859ed5a8-79b6-42e9-8e70-967f8d4fd4fb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Ensure That Clients Can Access Resources by Configuring Time Synchronization Throughout the Forest</maml:linkText><maml:uri href="mshelp://windows/?id=f21782b3-e3b6-4c60-a51b-9e136d6ac7e4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Enable Advanced Features by Raising the Domain or Forest Functional Level</maml:linkText><maml:uri href="mshelp://windows/?id=4332bca8-b13f-45bc-a8a4-d22ef6f0e0b8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Ensure Replication of Group Policy Objects and Network Scripts in SYSVOL by Using FRS and DFS Replication</maml:linkText><maml:uri href="mshelp://windows/?id=c0a2bc79-a198-4fcf-a515-38484850366c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Ensure Replication of Group Policy Objects and Network Scripts in SYSVOL by Using FRS and DFS Replication</maml:title><maml:introduction>
<maml:para> Windows Server 2008 R2 contains both the File Replication Service (FRS) and new Distributed File System (DFS) Replication to replicate SYSVOL. FRS enables interoperability with domain controllers that run Windows 2000 Server or Windows Server 2003. After these domain controllers are removed from the domain or upgraded to Windows Server 2008 or Windows Server 2008 R2, you can raise the domain functional level to use DFS Replication of SYSVOL. DFS Replication is a new state-based, multimaster replication engine that supports scheduling and bandwidth throttling. It uses a new compression algorithm to replicate only the changes when files are updated.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Using FRS and DFS Replication</maml:title><maml:introduction>
<maml:para>The following table lists references to help you use FRS and DFS Replication on a server running Windows Server 2008 R2. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>FRS is used to replicate SYSVOL by default unless the domain functional level is Windows Server 2008.To use DFS Replication to replicate SYSVOL, raise the domain functional level to Windows Server 2008 or Windows Server 2008 R2.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Raising the Functional Levels (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93174</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93174"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review information about using DFS Replication.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>File Services (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93167</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93167"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If necessary, migrate from FRS to DFS Replication. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>File Services (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93167</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93167"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Placing Active Directory Domain Services Files</maml:title><maml:introduction>
<maml:para>When you install Active Directory Domain Services (AD DS), you specify where the Active Directory database, log files, and the SYSVOL shared folder will be placed on the server. The database stores information about the users, computers, and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the %windir% directory.</maml:para>

<maml:para>Consider the following factors when you decide where to place AD DS files:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Backup and recovery</maml:linkText><maml:uri href="mshelp://windows/?id=ce4f829a-7b01-4b43-84a4-a896bd9bff2a#BKMK_Backup"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Performance</maml:linkText><maml:uri href="mshelp://windows/?id=ce4f829a-7b01-4b43-84a4-a896bd9bff2a#BKMK_Perf"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections><maml:section address="BKMK_Backup">
<maml:title>Backup and recovery considerations for placing AD DS files</maml:title><maml:introduction>
<maml:para>For a simple installation in which the server has only one hard disk, you can simply accept the default installation settings that are supplied by the Active Directory Domain Services Installation Wizard. However, you must create at least two volumes on that one hard disk. One volume is required for critical-volume data and another volume is required for backup. </maml:para>

<maml:para>When you use Windows Server Backup or the Wbadmin.exe command-line tool to back up a domain controller, you must back up at least the system state data so that you can use the backup to recover the server. The volume that you use to store the backups cannot be the same volume that hosts system state data. This requirement can affect where you decide to place AD DS files. The system components that make up system state data depend on the server roles that are installed on the computer. The system state data includes at least the following data, plus additional data, depending on the server roles that are installed:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Registry</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>COM+ Class Registration database</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Boot files</maml:para>
</maml:listItem>
<maml:listItem><maml:para>Active Directory Certificate Services (AD CS) database</maml:para></maml:listItem>
<maml:listItem>
<maml:para>Volume that hosts the Active Directory database (Ntds.dit)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Volume that hosts the Active Directory database log files</maml:para>
</maml:listItem>
<maml:listItem><maml:para>SYSVOL directory</maml:para></maml:listItem>
<maml:listItem><maml:para>Cluster service information</maml:para></maml:listItem>
<maml:listItem><maml:para>Microsoft Internet Information Services (IIS) metadirectory</maml:para></maml:listItem>
<maml:listItem><maml:para>System files that are under Windows Resource Protection</maml:para></maml:listItem>
</maml:list>

<maml:para>For example, if you are installing AD DS on a server that has one hard disk, you might create the following logical volumes to accommodate backups:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Drive C, which hosts all the critical volume data</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Drive D, which is used as a target for Windows Server Backup or Wbadmin.exe</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For more information about backing up and recovering a domain controller, see the Step-by-Step Guide for Active Directory Domain Services Backup and Recovery (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93077</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93077"></maml:uri></maml:navigationLink>). </maml:para>
</maml:introduction></maml:section><maml:section address="BKMK_Perf">
<maml:title>Performance considerations for placing AD DS files</maml:title><maml:introduction>
<maml:para>For more complex installations, you may configure your hard disk storage to optimize the performance of AD DS. Because the database and log files utilize disk storage space in different ways, you can improve AD DS performance by devoting separate hard disk spindles for each. </maml:para>

<maml:para>For example, suppose that a server has four available hard disk drives that are labeled as follows:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Drive C, which includes the operating system files</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Drive D, which is not used</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Drive E, which is not used</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Drive F, which is used for backup</maml:para>
</maml:listItem>
</maml:list>

<maml:para>On this server, you can improve AD DS performance the most by installing the database and log files on separate drives that are devoted to those resources, such as drives D and E. This can help improve the performance of searches against the database because one disk spindle can be devoted solely to that activity. If a large number of changes are ever made at one time, this configuration also reduces the chance of bottlenecks developing on the disk that hosts the log files. You can place SYSVOL on drive C with the operating system files.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring Additional Domain Controller Options</maml:title><maml:introduction>
<maml:para>You can choose additional installation options for a domain controller during Active Directory Domain Services (AD DS) installation. For example, you can install the DNS Server service or make the server a global catalog server or a read-only domain controller (RODC). The following sections explain these additional installation options in more detail. These sections also explain how the options interact with each other.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>DNS server option</maml:title><maml:introduction>
<maml:para>Installing the DNS Server service on a domain controller makes that domain controller a Domain Name System (DNS) server. The default setting for the <maml:ui>DNS server</maml:ui> option depends on the following factors:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The deployment configuration that you choose, for example, adding a new domain or adding an additional domain controller for an existing domain</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Your current DNS environment</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The following table lists the default settings for installing a DNS server for the various AD DS deployment configurations.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Deployment configuration</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Default setting for DNS server installation</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>New forest</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The DNS server is installed by default.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>New domain</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The DNS server is installed by default if the wizard detects a DNS infrastructure in the parent domain.</maml:para>

<maml:para>The DNS server is not installed by default if the wizard does not detect a DNS infrastructure. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>New domain tree</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The DNS server is installed by default if the wizard detects a DNS infrastructure in the forest root domain.</maml:para>

<maml:para>The DNS server is not installed by default if the wizard does not detect a DNS infrastructure.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Additional domain controller</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The DNS server is installed by default if the wizard detects a DNS infrastructure in the domain.</maml:para>

<maml:para>The DNS server option is not available if the wizard does not detect a DNS infrastructure in the domain. </maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If the DNS server is already installed before you start the Active Directory Domain Services Installation Wizard but the Active Directory domain does not have a DNS infrastructure, the DNS server continues to resolve names for any file-based zones that it hosts but it will not host any Active Directory–integrated DNS zones for the domain in which it is a domain controller. </maml:para>
</maml:alertSet>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>DNS client settings</maml:title><maml:introduction>
<maml:para>When you install an additional domain controller in an existing domain, the Active Directory Domain Services Installation Wizard verifies that the DNS client settings are correctly configured on the server. If the DNS client settings are not correctly configured with the IP address of a preferred DNS server, the wizard returns an error and you must correct the problem before you can continue. </maml:para>

<maml:para>You can then choose to manually configure the DNS client settings correctly. If you are creating a new forest that does not have an existing DNS infrastructure, you can also choose to have the wizard automatically install the DNS Server service and configure the DNS client settings with the IP address of the local DNS server.</maml:para>

<maml:para>If you choose to have the wizard configure DNS client settings when it installs the DNS Server service (an option that is available only when you are creating a new forest), the <maml:ui>DNS server</maml:ui> check box on the <maml:ui>Additional Domain Controller Options</maml:ui> page is selected and it cannot be cleared. You must install the DNS Server service at this point or click <maml:ui>Back</maml:ui> through the wizard until you are again provided the option to manually configure the DNS client settings. </maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section address="BKMK_GC">
<maml:title>Global catalog option</maml:title><maml:introduction>
<maml:para>Because the first domain controller in a forest must be a global catalog server, the <maml:ui>Global catalog</maml:ui> check box is selected and it cannot be cleared when you create a forest. The check box is also selected by default when you install an additional domain controller in an existing domain. However, you can clear this check box if you do not want the additional domain controller to be a global catalog server.</maml:para>

<maml:para>When you create a new child domain or domain tree, the <maml:ui>Global catalog</maml:ui> check box is not selected by default because the first domain controller in the new domain hosts all domain-wide operations master roles (also known as flexible single master operations or FSMO roles), including the infrastructure operations master role. In a multidomain forest, you may encounter problems if you host the infrastructure master role on a global catalog server, unless all of the domain controllers in the domain are global catalog servers. </maml:para>

<maml:para>Therefore, if you decide to install the global catalog on the first domain controller in a new child domain or domain tree, either transfer the infrastructure master role after you install additional domain controllers in the domain or ensure that all the additional domain controllers that you install in the domain are also global catalog servers.</maml:para>

<maml:para>As you install additional writable domain controllers, the Active Directory Domain Services Installation Wizard validates that the infrastructure master is hosted on a suitable domain controller and it provides you with options to remedy any problems that can arise with the installation options that you choose. For more information, see <maml:navigationLink><maml:linkText>Validation checks for the options that you select</maml:linkText><maml:uri href="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0#BKMK_Validate"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>RODC option</maml:title><maml:introduction>
<maml:para>In a staged installation of an RODC, the <maml:ui>Read-only domain controller</maml:ui> check box is selected and it cannot be cleared when you create the RODC account. The <maml:ui>Additional Domain Controller Options</maml:ui> page does not appear when you attach the server to the RODC account. </maml:para>

<maml:para>If you are installing an additional domain controller in a domain but you are not performing a staged installation, the <maml:ui>Read-only domain controller</maml:ui> check box is cleared by default. You can select it unless conditions in your environment prevent RODC installation. If conditions in your environment do prevent RODC installation, the RODC check box is cleared and it cannot be selected. The following conditions prevent RODC installation:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>You are installing the first domain controller in a new forest.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You are installing the first domain controller in a new domain.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The forest functional level is not Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>There are no writable domain controllers running Windows Server 2008 or Windows Server 2008 R2 in the domain in which you want to install the RODC.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>How additional installation options interact</maml:title><maml:introduction>
<maml:para>If you select the <maml:ui>Read-only domain controller</maml:ui> check box, the wizard automatically selects the <maml:ui>DNS server</maml:ui> check box unless this option cannot be selected, for example, when no current DNS infrastructure exists for that domain. If you clear the <maml:ui>DNS server</maml:ui> check box after the wizard selects it, the wizard warns you that clients in the branch office might not be able to locate the RODC if you do not also install the DNS server. </maml:para>

<maml:para>The <maml:ui>Global catalog </maml:ui>check box might also be selected by default, depending on the other installation options that you select. By default, if you select the <maml:ui>Read-only domain controller </maml:ui>check box, the wizard automatically selects the <maml:ui>Global catalog </maml:ui>check box. For more information about other installation options in which the <maml:ui>Global catalog </maml:ui>check box is selected by default, see <maml:navigationLink><maml:linkText>Global catalog option</maml:linkText><maml:uri href="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0#BKMK_GC"></maml:uri></maml:navigationLink> earlier in this topic. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Additional information about the options that you select</maml:title><maml:introduction>
<maml:para>The Active Directory Domain Services Installation Wizard updates the <maml:ui>Additional information</maml:ui> text box with information about your environment, based on the default selections and the options that you select on the <maml:ui>Additional Domain Controller Options</maml:ui> page. As you change your selections, the wizard dynamically updates the messages that appear in this text box. </maml:para>

<maml:para>For example, if you select the <maml:ui>Global catalog </maml:ui>check box, the wizard updates the <maml:ui>Additional information</maml:ui> text box to indicate how many other global catalog servers are deployed in the domain and site. This information can help you confirm that you are installing AD DS with the options that you planned. </maml:para>

<maml:para>The wizard also updates the <maml:ui>Additional information</maml:ui> text box to indicate if any existing conditions in your environment currently prevent any of the options from being available. For example, if no writable domain controller in your domain is running Windows Server 2008 or Windows Server 2008 R2, the wizard clears the <maml:ui>Read-only domain controller</maml:ui> check box, makes this option unavailable, and writes a message in the <maml:ui>Additional information</maml:ui> text box that states that there must be a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the domain to install an RODC. </maml:para>
</maml:introduction></maml:section><maml:section address="BKMK_Validate">
<maml:title>Validation checks for the options that you select</maml:title><maml:introduction>
<maml:para>After you select your options on the <maml:ui>Additional Domain Controller Options</maml:ui> page and then click <maml:ui>Next</maml:ui>, the wizard performs the following validation checks before it continues:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Infrastructure master check</maml:linkText><maml:uri href="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0#BKMK_IMCheck"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Adprep /rodcprep check</maml:linkText><maml:uri href="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0#BKMK_AdprepCheck"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Validation of static IP address</maml:linkText><maml:uri href="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0#BKMK_StaticCheck"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section address="BKMK_IMCheck">
<maml:title>Infrastructure master check</maml:title><maml:introduction>
<maml:para>If you select the option to install an additional domain controller in a domain, the Active Directory Domain Services Installation Wizard selects the <maml:ui>Global catalog</maml:ui> check box by default. If you are installing a writable domain controller (the <maml:ui>Read-only domain controller</maml:ui> check box is cleared) and you also clear the <maml:ui>Global catalog</maml:ui> check box, the wizard checks whether the infrastructure master role is currently hosted on a global catalog server in the domain. If it is, the wizard prompts you to transfer the role to the domain controller that you are installing. You can either click <maml:ui>Yes</maml:ui> to transfer the infrastructure master role to this domain controller or click <maml:ui>No</maml:ui> to correct the configuration later. </maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_AdprepCheck">
<maml:title>Adprep /rodcprep check</maml:title><maml:introduction>
<maml:para>If you are installing an RODC, the wizard verifies that the <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline> command completed successfully and that the changes that result from the command are replicated throughout the forest. If the <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline> command does not complete successfully or the changes are not yet replicated, you receive an error message that states that the command must be run before you can continue with the installation. If you receive this message, run <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline> again on any computer in the forest or wait until the changes are replicated throughout the forest. </maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_StaticCheck">
<maml:title>Validation of static IP address</maml:title><maml:introduction>
<maml:para>If you select the <maml:ui>DNS server</maml:ui> check box, the Active Directory Domain Services Installation Wizard verifies that all of the physical network adapters for the server have a static address, including a static IP version 4 (IPv4) address and a static IP version 6 (IPv6) address if they are both available. Although you can complete the AD DS installation without using a static IP address, this is not recommended because clients can have trouble contacting the domain controller if its IP address changes. For more information about setting a static IP address, see <maml:navigationLink><maml:linkText>Configuring TCP/IP and DNS Client Settings</maml:linkText><maml:uri href="mshelp://windows/?id=183d02af-b5d5-4a94-bf75-213d7100aec7"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Update Root Hints on the DNS Server</maml:title><maml:introduction>
<maml:para>You can use root hints to prepare servers that are authoritative for nonroot zones so that they can discover authoritative servers that manage domains at a higher level or in other subtrees of the DNS domain namespace. These root hints are essential for servers that are authoritative at lower levels of the namespace when they locate and find other servers under these conditions.</maml:para>

<maml:para>Membership in the <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To update root hints on the DNS server</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open DNS Manager.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the applicable DNS server.</maml:para>

<maml:para><maml:phrase>Where?</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>DNS/<maml:replaceable>applicable DNS server</maml:replaceable></maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Root Hints</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Modify server root hints as follows:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To add a root server to the list, click <maml:ui>Add</maml:ui>, and then specify the name and IP address of the server to be added to the list.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To modify a root server in the list, click <maml:ui>Edit</maml:ui>, and then specify the name and IP address of the server to be modified in the list.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To remove a root server from the list, select it in the list, and then click <maml:ui>Remove</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To copy root hints from a DNS server, click <maml:ui>Copy from server</maml:ui>, and then specify the IP address of the DNS server from which you want to copy a list of root servers to use in resolving queries. These root hints will not overwrite any existing root hints.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open DNS Manager, click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>DNS</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Updating Root Hints</maml:linkText><maml:uri href="mshelp://windows/?id=7fc91f3b-c926-4dd7-a9f5-8d140d261a14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual>GIF89a//&&||R__?VV9f_rrLiiFBB,99&		YLL3&&YYBMM9rffL??/33&_̙|iLL9	rrVե||L9o?/_L9?/&<	3&o_/			  //00//00))??OO&s&&33__``??ooppOOLLVVYYeeff``3&&̙ssO??ز߿pppooo```___PPPOOO@@@???000///   ,H*\ȰÇ#JHŋ3jȱc7CIɓ(S\ɲ?iI͛8sSE2h1hNϣH*]ʴiǟA7H@CQXjʵk60J? ]˶ۜm$]b˷߿&0!Xǐ
&l08ϠC\YװclPf^dv9`ͻУs]B
c3xXļsËI]4g|)S`gݽE	EP
U"Thfv ($h($-@AiBAU
J -#nDiH&L6PF)wI-8@5fBiv
#YӐTlpiSGd)#6P]@IfkJ硈&袌:'ve.pa:hB6*ꨤjBcy e! nuM+Mՙe80!t~Tfmr+&T{]k覫ñ8A]tP]VEUK赕afLd>2;!Qgw@q+vRG"+d(ls5/
,q:JQ]YM{Tpv3K3׳su[0_]eG<vݠr}vuؘ6ɽ^=8)Y]*eqÜy>z~w硳$©k΂-iz~ڀyMk)z`Wiu}o.={:sv:¾h޺ET!5G=n$%psy7:IO㣞淵j"ãGd)n(@EvA
Pk\Xt=]qoo1E?Lx+
P>>Idao7GG1nl9ٷ(9Pl\2
p;Xr\)\ZL£:U.Đ̤&79?O)8H25`8V4R#A蔋@S0(R&bG?eS~m0;d4(L&S+Y&RNaĜ z+gԙZVsa{J@AdWxSgMG;tljcDCA47v*Ju')I4+s8uD
]EŤQ>lK[j;3
aJSG:Q=z-wQғŋ,VjSUOk՘nt=V*T7lKt-*ŔP
UuDhPVՍ浯9}^غg[0%X]i
V.5N:ɁհpgGXv4"
HĬ.[;-?	ݫd#Vqꐷ-*neA~УTj[:וiUr}Z7P
+u.N{x3	ƽ_|yuJ|_pF{aJup`ߨY !	8#.&5UD0|D;^
kM0MALXB7%p-.Vd?|Uј!~%իOV/THqer:P{ka2O5sM|eTDrdKw#lnsˆ^a=Cmdk[[`&ElJg2Ғ-4b:tGͶO:"&9SzfC<wV]jXk뜥%\$y׼~H}BQd7dvh<c4NNXpg{url/#VϽ0ۢo|xkrݲwxEVepmMy+*
W!7~Hg<q6#-ó%Wg>q4Ϲa~s\@?.j<@WyƏ+]Lo̟KTկ~{\׭
o|.v^}nwft;4A\!-NƩJ I^ㅏ<f]`;rƇSGo)9UDHseUL3$pwKRG
=$,ղN-&u}A?A*Re8QBOD:SU}km?+'nF_+WTCAzm1zQI#uT{k7/~A|؁]0{} g!
+(A-82^10~=Pw`'mp'ZVǴE98eb1U(/1l !{[8	t)a)ʗ{J WzJP0qrHW9ćc2 #cw/RB(7g9чNa'&}"+`{00wt@RS"X|Sqaa8zp0AQ0H^sy(ht10#)b<xXr8`ajb2g5},X5 i"9$Y0{'-hN-p}&xQfGcAU֐xEY׶##H+@P0Xp7O%.Yh -#n)tᏖ~r2fub]u!%df^!]d=1U0(X#HdE2J#ahl<%&)䘓@5-.yșʹN]*_PƘ
a9MF;c)eYb䙜] ICqA-$%-YIp?Y~bIHx#<t9ӠjFGfeM6eѡP ZT *ͩq7QQ&P8%*Id0-(; 7})f"ϩb%ʝzyHKqb`tEq)INǣǒ%F8t?Yq6pec&ڥJj&V*JѢe*og
TVPZzZ:p,B`r  i&! e O{ y9fe!ʥ:zHq1L	x?U&KꚪM`r`8~)ʤ)n8eBp_2zOPrHXA%74ѯZ;Y௽1F+p)CX? 0{0 klp#V}j-a/PC)k-K1˧2	8!	0~G;J<jY?Pɵ 5BѶ.@3댇cL~}7;,HkK%*`q봸Zhdaj{[{V˰!A	q>a)/K*MPA,r P!хuQ9͑L1O;,[$aQP8&qcA'˚&kM%qQ|r
pAK)0I
P&8(Y-qVsM
6(4o.s\YR`a}BwOƒqVwp<Zw N?Hl[qNjdž|ȊlmȎjȒ,]<ɖ5s^Sj)oz\
ʗZbL1yFWHb	WzʨcNJʙ^<ݹ=6֥#˙&\̮Llb\a	!]b˴ܝLLhb|I\ESϑJ	Q&!	^ʶլi
a#ѐۉf]
\~x.21=65
zta8&BxDYZG헕9EfIͲU|O-ωqհm\Jh%b;juldةS]w cvng$=~fϽ|]8-זZך&ٞ!ڢ]Aڦڪڮьٲ]%۶ۈۼٴmܮ=ĭ}ܦ-ܞЭ=ݖ]؝wG]6}-=]T~|x==g
u}`i[Bx
xI!.Ha~n%!N#')>Ӹqv:*@~9C<nrS0^6T#K=wͷ{c7}A kE+n.xM02tuqw7nXpM> )貱O~B(~V{)lV)%grNNVUP+#%;jQľ*WǞj0;kHLr;-SG^/̎,t!}eTQN&{LIfo.-XYA3=cƃ0x{]=zܑ|Ox\&q`+02n?
ɓ"4_tI׊C1׬WK?F/H/X!mXO_-{K̩E,ZGlil
)};GIF89a//&&||R__?VV9f_rrLiiFBB,99&		YLL3RR<&&YYBrffL??/33&_̙|siLL9	rrVϟ&22|))s&&33i##??LLLLffYYo@@rrssŋƌM993&&̙ssfMMҦزٳ߿pppooo```___PPPOOO@@@???000///   ,FT`TFbXH× կ\LHX" #j6  ŋ10ه$Jɓ({yٗ#
92͛8sbs0@H@S$IH*	 @ڂ-JҫXl
`SVJYkL|U[Š{ݻ҆`!k(]̸b%m!3-LMZ48KXϰc]KFn`;m]הM9ڶk#U|g.؅!ONz9O]:uֳ_j(M(ObGEmNN L#wfgy!B
+0D"ML8`"(∕(8EIEi3qHSdKL\!(E‘H&ydEOւIh=B#[W`<Hؐd9)PI%m,VZ9Äl)H]`|)Qf&*$PAZ(6|)g
{ MЈ١)*.hcDof)|j:D^Ot_TȃRjx񚈯|E$x#,[~
Զk`˝h@[Ѻg"&
>HljbL_.)@T@,r]B1wG 2dLL<F-(4e5FG EFRw=u
0NC1^10%jǝ a,8]L@'M*e:#JQ"k9b*էkz+BEVю N:n?<ț*~||o|*G:Gp'r=*?}~S2~)?_?#?J10!<:p
|	Z
zwvl;
Q-|3})Qp=
!1E<D2:|"m()ʰVt!-rф^LEЅ183Z`8Z#Iq0WGHpB =`:{"F
U$6CT!$6NBqI(3I`,gIZ̥.w^2~0FvrL	ٗKf:Ќ4IjZ̦63	!a8!l%YL(s<Iz$sͫEhHvI!ħBІ:'ZBl!T.
HGJҒT<EcI!v(}V#&ͩNwxԧi6Qʈڦ~~2@. UhTZuyhU9Au[*>TUaa2hZ?B^ֆN_;npO!cg]v
L[+LxWATҎ+f
h>-fYm=[JlCP,[$:E,}EL&
a.dbx
om{Wonr5/m+UoOo{_w%,Q9_p%i498
| V*&p锭ޕjo_w-ngIU^s$>oM\UgQc6=0!dp)SOxhNp&[|Ou
qyKx#汗Koכl3{Z SVȃ8HUȆTt4$<aFt)[qeXsSfkxa1Y'Vcς3!%+@	.n4(MYFGҝ5iC^Ꮉ9;M:tqim+߮:܎vMr h].fkmiljo-rnAg]+!o͊<a2~G:ϸƵ
k`ϳĦ OW>Ԏ<'Kk'捧^ym3	O{/st?liLe6gM˙w\G/9wn.OWoOv|`8NK-Wnܾz=_osKN=^<
q7{7Bz9E\ˮZCg5۾{>]=uy^5?蟩u_>1js_s?n/|;o7iO}=ɟ}?7tgU|~|uw6Gpc}r'~woW~|sX|~W(ȀLwh6{lxmG~wfx{SWc>x~X5XHJ'dtKVxׄpG1QXbHUZ
Qg#8%c؆nue(
Ɛ7Sxlxg`R j-SwfHz,hz.83hRhO
Ճ}gbWDȇ"%<?c7F؁S(8~$2fH{@f\W;V~lly[>؋}Bb.,cg'8sXjw|X@,
8{9&،$cgyHXhnXzpz<#=)==_U}z(87hM嘌(}Hgђ"==2iS	}'ɑ9[HMy~!YD'O3"<c<Íh8Y툎C	ZḎXm9R9T36ks~(it9y)VXU<x|f ؙyQy9T}ISi)C	t
=Y=y9	MIOy9ԈXٍs?ɕ8Yؙ	92q繞yɞ90))k+ٟ7R98"
|eZ<'BĠʡ 
:-&U35%z.jw),6Z1:5z<FӢ=:4ǝE#Dʣ4KjMJAVj?JIz\ڡY]U*f9Ozl
Vdm{`*vowy3P⤎ȧj0`j:$ŨuqJ1Z* 6grJ*XZ4KګNNqBϧJ*Ț'T&J:B

PTq+4}1pP"3tAJ "]'@(
O5Zj
PF슰dRNү
	L?7rrj 5ֱ.u5"_R{!0݀+"Q0FW3w*"R 

0RO"JG˴qdlJ
 H
Y(6a
])"b;+fI;Bvo2b°>!LRo!`@4/\P:i[(@6o1%O
^PW	I@,op#(b#Tq0 WZ`uѼl*h y:i:Kl%S;".Yj~[<2x#єG!4{T{F1av!V(27`02<4<aAP瓛köS>;?×5LN,a3 hEh(Hm' (T <+M" PFd%0UEJPNvxz|)1З<99ĸ=|ĪG\04ǎȐN&ӥ/(o"!tka+Kk
ci£x{<ȁC(W"#TLV,}aO1rbVKL
B<>,lE̛ٓs8i5G+R O̠L#̌ʂ̰Ӡ	ˍK?ϯ\дL&.@δb3$
XQ!U"c PZ"L00ltp p!0}KQ5"<p#ͺ&%+p#`۫J`#`Kn,#`Ԏ)"
Hx9<P+$`0Sj
X#1]ٔm̲+ M|wܰҷbq
=Ԑv	F K;q
{qچ
=E]ۍ5
Pൾ0}3Ҫ}H!	PҔuѽ

pJ[xݚloT.EKl+й,YDknVɄg@M	Vư]`VhVˍߌL<	τ. +ξ ]P
 k+P6(hE^fd?pHжl=l	Dl<웍gn&0>0(+u(
х>"=@N`a4LjNHMYl@Q'NIX\$n>^&+\`];@GNpnsHϫN;n<
\뗠R+^Rd]n
ͭ޿|# nCg+LH3@7`kQLA3EkM8ə	p[:J\.O9Ѝ	4/Z<᪞?_&ϱ0+Moj.䃬kʙNOJRy~f%2|gjÚcZ!Oޞ\9X~?y?_z+B߃99
׬˦@:\ݣ/@ð\$[iꜯQ;GIF89a//&&||R__?VV9f_rrLiiF99&		YLL3&&YYBrffL??/33&_̙|siLL9	rrVi__O漼&33??LLffƌ3&&̙زٳ߿xxxpppooo```___PPPOOO@@@???000///,,,$$$   ,7CVL:^G8Ц[>PĴ[^BG0`#JFA48ď CL1&ؑÑ0cʜy]ȱK@
EebXrӧP%v,Z
,4ׯ`q
uc*^n]5۷p3ŢYj^nmLÈ+^̸ǐ#KLc.|H9j]byr}9ӨS^ͺװc˞M9P:hmNȓ+̉9U^ν&N{^p0mO7+9q,_;6߁_ALqEzAN(}yxKQ4a=^HA=Z*J`8⏃W"kV$'"+Ey4aQHE;ܸWp
9`vexc>S{i¶d+MްCPJ9Yph֙UdF&jYT<"zha%]GVhjF)3q
2'uclq)韛jekZw)](,6,]^!9 m{gb{[")(l:ݲ!Ynvhh3-Rټn{qr{/؂Ұuٍ<Œ\?ձ>/z=/m26R3lc[68;z*ԛ{<7;1V+-,0jٸ2[Se[Vl'}JE_83^gN@.\ӌH樧˙A_蔋FC@my+^;w-6/dOOK['Q81Fw
, ۣiϲ+l>އBכp<0~F"rDŽ>Ū{S;0t[rQ/@P1`	UB؁S4AhAⰆ3D`(¿C^e"CjЃNN(<?4n8&Z1]=|:H5/X-G*0.0UT^|Y^l$'0>&7yK+AD(1JE>L*eIN,hKdKՒM.]RDSfiK2H";_mo|%qJB3'2ph3GH:SP"ϙ;H32iOsOjDXSu
z@ sATwCDω771rⓟ(vt!["UJGuNq\LD+:5$]QMtT79To;=6f1ma P%V/ծj>=`by}g
jZ*^Qjc\ƙgUyB^5AW^r[KԖ.Yܠmu8yui;zѻNֱ~aaӨuA?:4J$l/KV7a4UMF>m%_s$:7qUn$.}ua7nw˶w%z#e&"덯^Ro}eNNp+
oًa\Px vSWtįWI30Y/3w̼[@VUQ X.K*y nr}e
KٽTr|,k\0gwd47I6mIB:Xtߦh<
AZ9418*,ьpˏ)0Mo^s`N1H %`='YMbؐ9rݓ]ns]
c%Ύ=
(yROrE­wMr[4=%~ii7y-!Nx">с@ۡ	0x88>
+>N*w$88΄-P:>T;B9xP'b2q(Îl9@!r/QBnr,6P]2;n5 #B@@`J^^x	Hڮ5Օol#24eOi(@қ=p`#|ߨ]bm<<mN*A#,%^ʅ2JPc@NtX]`pHCxwJRC9_?yWֿ,AJ7g0uGP!2|ס #Pz`(7 i$X&x(*,.P~Ae#4xTK4T4HT@3(R'9BHEE4Ђ*Nh(w
*'&#t@@[o၂MLl؆npr)3h~5zTw~7|(cOBO5x4?20( |ЀQp' ehDi(N{x$N胢=~ȈԆ(W±T}@?^
X?xO=؇Q?H
O8*ޤQWO# ph5L<w(6	Oy!	H0s.tQXAp{A`yy%L1 Px_ap
\A:4awQ@Y8~#gFiI9MvVAv|LLYuV.yt1 p 0fqv'DXqR9<0{r)&2r^pmܦrh!/VmDJ`*uu雬8Q!`Li o!Y0+> 
ynCwC1qLs7oJH9
y4Wti!xXr^@֨'YmIp*
2
	:ZʡB'X#J:p-&y?+[GТ2GPP%PG@J9&^h\b]:faazj`idxkzfo"m:eȃ4SXLh~jeJ$Kb~zfꊍdzZNƍd:Z:fui!j:ڬ*
6:]hjںt4J݈~J~WVGޘBaZGŊxxz:R!eةz
{S&ʱbVڈ90/43[87<
;۳@
?
H(;	^PFHK
A״0
F;T["A`(Y
U!ڷj Ng`xfhK	
ĶXqok`q	snXv{ѷn	*@vviye=1^8xGlҹ۵:Fa	.`;(0Hw
KI˛kp_(9Z^ K`tHrB'q1]{xH;[kگ5iÿ^=0|'30oN2r9\cʥLxn-w#L_
8*C-|k^#چ7^$yɽC9ЊM0_P#RU5G[Vr!ac\9ik8QR%>1;s̳9}z\}ܳ*Gz=l<:{q0MBl[@yBeɝ:?0$ʮDXʰ˲<˴\˘(3hڑk4	yL	[؋|ˤէ
RE"ԼlNVlw~٬`˲Պl>"{|A3x͵Ȩa(Ú
늑DU*{J;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Using Forwarders</maml:title><maml:introduction>
<maml:para>To use forwarders to manage the Domain Name System (DNS) traffic between your network and the Internet, configure your network's firewall to allow only one DNS server to communicate with the Internet. When you configure the other DNS servers in your network to forward queries that they cannot resolve locally to that DNS server, it acts as your forwarder. For more information about forwarders, see <maml:navigationLink><maml:linkText>Understanding Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=52ec32f6-5eda-4d6a-8e38-809fee243b71"></maml:uri></maml:navigationLink>. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Forwarding sequence</maml:title><maml:introduction>
<maml:para>The order of the IP addresses that are listed as forwarders on a DNS server determines the sequence in which the IP addresses are used. After the DNS server forwards the query to the forwarder with the first IP address, it waits a short period of time for an answer from that forwarder (according to the DNS server's forwarding time-out setting) before resuming the forwarding operation with the next IP address. It continues this process until it receives an affirmative answer from a forwarder.</maml:para>

<maml:para>For example, in the following illustration the DNS servers with the first and second forwarder IP addresses do not respond to the DNS server. The DNS server with the third forwarder IP address responds, and the query is forwarded to that DNS server.</maml:para>

<maml:para><maml:embedObject><maml:caption>Forwarding sequence</maml:caption><maml:objectUri href="mshelp://windows/?id=a94424e0-d4de-41f8-8893-7e8e9f465bbd" mimeType="image/gif"><maml:summary>Outsourced VPN remote access</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:para>Unlike conventional resolution, where a roundtrip time (RTT) is associated with each server, the IP addresses in the forwarders list are not ordered according to roundtrip time. You must reorder them manually to change the preference.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Conditional forwarders</maml:title><maml:introduction>
<maml:para>Conditional forwarders are DNS servers that forward queries according to domain names. Rather than having a DNS server forward all queries it cannot resolve locally to a forwarder, you can configure DNS servers to forward queries to different forwarders according to the specific domain names that are contained in the queries. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process. </maml:para>

<maml:para>The conditional forwarder setting for a DNS server consists of the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The domain names for which the DNS server will forward queries</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>One or more DNS server IP addresses for each domain name that is specified</maml:para>
</maml:listItem>
</maml:list>

<maml:para>When a DNS client or server performs a query operation against a DNS server, the DNS server checks to determine if the query can be resolved with its own zone data or the data stored in its cache. If the DNS server is configured to forward for the domain name that is designated in the query, the query is forwarded to the IP address of a forwarder that is associated with that domain name. For example, in the following illustration, each of the queries for the domain names is forwarded to a DNS server that is associated with the domain name.</maml:para>

<maml:para><maml:embedObject><maml:caption>Conditional forwarder</maml:caption><maml:objectUri href="mshelp://windows/?id=624dd3fb-47aa-402e-87f8-773e8e9b828f" mimeType="image/gif"><maml:summary>Dial-up and VPN remote access</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:para>If the DNS server has no forwarder listed for the name that is designated in the query, it attempts to resolve the query using standard recursion. For more information, see <maml:navigationLink><maml:linkText>Configure a DNS Server to Use Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=e324865f-1cbe-42ec-bf18-a220c0e26fe6"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>You can use conditional forwarders to improve name resolution between internal (private) DNS namespaces that are not part of the DNS namespace of the Internet. Such DNS namespaces may be a result of a company merger. When you configure the DNS servers in one internal namespace to forward all queries to the authoritative DNS servers in a second internal namespace, conditional forwarders enable name resolution between the two namespaces without performing recursion on the DNS namespace of the Internet. This enhancement to name resolution also avoids your DNS servers performing recursion to your internal root for different namespaces within your network. </maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>A DNS server cannot forward queries for the domain names in the zones that it hosts. For example, the authoritative DNS server for the zone widgets.tailspintoys.com cannot forward queries according to the domain name widgets.tailspintoys.com. The DNS server that is authoritative for widgets.tailspintoys.com can forward queries for DNS names that end with hr.widgets.tailspintoys.com, if hr.widgets.tailspintoys.com is delegated to another DNS server.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section>
<maml:title>Conditional forwarder domain name length</maml:title><maml:introduction>
<maml:para>When a DNS server that is configured with a conditional forwarder receives a query for a domain name, it compares that domain name with its list of domain name conditions and uses the longest domain name condition that corresponds to the domain name in the query. For example, in the next illustration, the DNS server performs the following conditional forwarding logic to determine how a query for a domain name will be forwarded:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>The DNS server receives a query for toys.widgets.tailspintoys.com.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>It compares that domain name with both tailspintoys.com and widgets.tailspintoys.com.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The DNS server determines that widgets.tailspintoys.com is the domain name that more closely matches the domain name query.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The DNS server forwards the query to the DNS server with the IP address 172.31.255.255, which is associated with widgets.tailspintoys.com.</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:embedObject><maml:caption>Conditional forwarding based on domain name length</maml:caption><maml:objectUri href="mshelp://windows/?id=10853d03-fe57-4f44-b77f-aa7dddd20a39" mimeType="image/gif"><maml:summary>Ethernet switch access</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure a DNS Server to Use Forwarders</maml:title><maml:introduction>
<maml:para>A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network. You can also configure your server to forward queries according to specific domain names using conditional forwarders. </maml:para>

<maml:para>A DNS server on a network is designated as a forwarder when the other DNS servers in the network are configured to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, which can improve the efficiency of name resolution for the computers in your network. For more information about forwarders and conditional forwarders, see <maml:navigationLink><maml:linkText>Understanding Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=52ec32f6-5eda-4d6a-8e38-809fee243b71"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Membership in the <maml:phrase>Administrators</maml:phrase> group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=83477</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=83477"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Configuring a DNS server to use forwarders</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using the Windows interface</maml:linkText><maml:uri href="mshelp://windows/?id=e324865f-1cbe-42ec-bf18-a220c0e26fe6#BKMK_winui"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using a command line</maml:linkText><maml:uri href="mshelp://windows/?id=e324865f-1cbe-42ec-bf18-a220c0e26fe6#BKMK_cmd"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section address="BKMK_winui"><maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To configure a DNS server to use forwarders using the Windows interface</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open DNS Manager.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the applicable DNS server.</maml:para>

<maml:para><maml:phrase>Where?</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>DNS/<maml:replaceable>Applicable DNS server</maml:replaceable></maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Forwarders</maml:ui> tab, under <maml:ui>DNS domain</maml:ui>, click a domain name.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Selected domain's forwarder IP address list</maml:ui>, type the IP address of a forwarder, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open DNS Manager, click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>DNS</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To create a new domain name, click <maml:ui>New</maml:ui>, and then, under <maml:ui>DNS domain</maml:ui>, type the domain name. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>When you specify a conditional forwarder, select a DNS domain name before you enter an IP address.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>By default, the DNS server waits five seconds for a response from one forwarder IP address before it tries another forwarder IP address. In <maml:ui>Number of seconds before forward queries time out</maml:ui>, you can change the number of seconds that the DNS server waits. When the server has exhausted all forwarders, it attempts standard recursion.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you want the DNS server to only use forwarders and not attempt any further recursion if the forwarders fail, select the <maml:ui>Do not use recursion for this domain</maml:ui> check box.</maml:para>

<maml:para>You can disable recursion for the DNS server so that it will not perform recursion on any query. If you disable recursion on the DNS server, you will not be able to use forwarders on the same server. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Do not enter a forwarder's IP address more than once in a DNS server's forwarders list because it is a more reliable or geographically closer server. If you prefer one of the forwarders, put that forwarder first in the series of forwarder IP addresses.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You cannot use a domain name in a conditional forwarder if the DNS server hosts a primary zone, secondary zone, or stub zone for that domain name. For example, if a DNS server is authoritative for the domain name <maml:replaceable>corp.contoso.com</maml:replaceable> (that is, it hosts the primary zone for that domain name), you cannot configure that DNS server with a conditional forwarder for <maml:replaceable>corp.contoso.com</maml:replaceable>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can prevent common problems that are associated with forwarders by configuring your DNS servers to avoid overusing your forwarders.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>

<maml:section address="BKMK_cmd"><maml:title></maml:title><maml:introduction>
<maml:procedure><maml:title>To configure a DNS server to use forwarders using a command line</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction></maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open a command prompt.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Type the following command, and then press ENTER:</maml:para>

<dev:code>dnscmd &lt;ServerName&gt; /ResetForwarders &lt;MasterIPaddress ...&gt; [/TimeOut &lt;Time&gt;] [/Slave]
</dev:code>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Parameter</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>dnscmd</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the name of the command-line tool for managing DNS servers.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>&lt;ServerName&gt;</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.). </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>/ResetForwarders</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required. Configures a forwarder. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>&lt;MasterIPaddress...&gt;</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Required. Specifies a space-separated list of one or more IP addresses of the DNS servers where queries are forwarded. You may specify a list of space-separated IP addresses.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>/TimeOut</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the timeout setting. The timeout setting is the number of seconds before unsuccessful forward queries time out.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>&lt;Time&gt;</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the value for the <maml:computerOutputInline>/TimeOut</maml:computerOutputInline> parameter. The value is in seconds. The default timeout is five seconds.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>/Slave</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Determines whether or not the DNS server uses recursion when it queries for the domain name that is specified by <maml:replaceable>ZoneName</maml:replaceable>.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:</maml:para>

<dev:code>dnscmd /ResetForwarders /help </dev:code>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>To open an elevated Command Prompt window, click <maml:ui>Start</maml:ui>, point to <maml:ui>All Programs</maml:ui>, click <maml:ui>Accessories</maml:ui>, right-click <maml:ui>Command Prompt</maml:ui>, and then click <maml:ui>Run as administrator</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To set the conditional forwarder for a zone, use the following command:</maml:para>

<dev:code>dnscmd &lt;ServerName&gt; /ZoneAdd &lt;ZoneName&gt; /Forwarder &lt;MasterIPaddress ...&gt; [/TimeOut &lt;Time&gt;] [/Slave]</dev:code>

<maml:para>The <maml:phrase>/ZoneAdd</maml:phrase> command adds the zone specified by the <maml:replaceable>ZoneName </maml:replaceable>parameter. The parameter <maml:replaceable>IPAddress</maml:replaceable> is the IP address where the DNS server will forward unsolvable DNS queries. The <maml:phrase>/Slave</maml:phrase> parameter sets the DNS server as a subordinate server. The <maml:phrase>/NoSlave</maml:phrase> parameter (default setting) sets the DNS server as a nonsubordinate server, which means that it will perform recursion. The <maml:phrase>/Timeout</maml:phrase> and <maml:replaceable>Time</maml:replaceable> parameters are described in the previous table.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To view a zone that is added only as a conditional forwarder, use the following command:</maml:para>

<dev:code>dnscmd &lt;ServerName&gt; /ZoneInfo &lt;ZoneName&gt;</dev:code>
</maml:listItem>

<maml:listItem>
<maml:para>To reset the forwarder IP addresses for a conditional forwarder domain name, use the following command: </maml:para>

<dev:code>dnscmd &lt;ServerName&gt; /ZoneResetMasters &lt;ZoneName&gt; [/Local] [&lt;ServerIPs&gt;]</dev:code>

<maml:para>The <maml:computerOutputInline>/Local</maml:computerOutputInline> parameter sets the local master list for Active Directory–integrated forwarders. The <maml:replaceable>ServerIPs</maml:replaceable> parameter is the list of one or more IP addresses of master servers for the zone. Master servers may include DNS servers that host primary or secondary copies of the zone, but they should not include DNS server IP addresses in such a way that two DNS servers that host copies of a zone use each other as master servers. Such a configuration makes the forwarding path cyclical.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You cannot use a domain name in a conditional forwarder if the DNS server hosts a primary zone, secondary zone, or stub zone for that domain name. For example, if a DNS server is authoritative for the domain name <maml:replaceable>corp.contoso.com</maml:replaceable> (that is, it hosts the primary zone for that domain name), you cannot configure that DNS server with a conditional forwarder for <maml:replaceable>corp.contoso.com</maml:replaceable>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can prevent common problems that are associated with forwarders by configuring your DNS servers to avoid overusing your forwarders.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=e2dd91d6-441f-4175-9d1d-d152d148d73c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manually Configuring a DNS Server for Active Directory Domain Services Integration</maml:title><maml:introduction>
<maml:para>If you are installing Domain Name System (DNS) on a domain controller and you cancel the Active Directory Domain Services Installation Wizard before the DNS server installation is completed, the DNS server role might be installed but not configured to support AD DS. Allowing the wizard to complete the DNS installation and configuration is strongly recommended. However, if you do cancel the wizard, complete the following steps as necessary to ensure that the DNS server is configured correctly for AD DS integration:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Configure DNS client settings. For more information, see <maml:navigationLink><maml:linkText>Configuring TCP/IP and DNS Client Settings</maml:linkText><maml:uri href="mshelp://windows/?id=183d02af-b5d5-4a94-bf75-213d7100aec7"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Create all necessary DNS delegation records. For more information, see <maml:navigationLink><maml:linkText>Creating or Updating a DNS Delegation</maml:linkText><maml:uri href="mshelp://windows/?id=9922023d-94c4-4e9b-a04e-446b5464bca5"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure forwarders. For more information, see <maml:navigationLink><maml:linkText>Understanding Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=52ec32f6-5eda-4d6a-8e38-809fee243b71"></maml:uri></maml:navigationLink>, <maml:navigationLink><maml:linkText>Using Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=e2dd91d6-441f-4175-9d1d-d152d148d73c"></maml:uri></maml:navigationLink>, and <maml:navigationLink><maml:linkText>Configure a DNS Server to Use Forwarders</maml:linkText><maml:uri href="mshelp://windows/?id=e324865f-1cbe-42ec-bf18-a220c0e26fe6"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure root hints if necessary. For more information, see <maml:navigationLink><maml:linkText>Updating Root Hints</maml:linkText><maml:uri href="mshelp://windows/?id=7fc91f3b-c926-4dd7-a9f5-8d140d261a14"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Update Root Hints on the DNS Server</maml:linkText><maml:uri href="mshelp://windows/?id=d354d108-0112-4e35-8530-d90417f3d185"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Convert any necessary file-backed zones to Active Directory–integrated zones. For more information, see <maml:navigationLink><maml:linkText>Change the Zone Type</maml:linkText><maml:uri href="mshelp://windows/?id=3739d3bb-38d5-48da-b9bf-d80401baf053"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Performing a Staged Installation of a Read-Only Domain Controller</maml:title><maml:introduction>
<maml:para>You can perform a staged installation of a read-only domain controller (RODC), in which different individuals complete the installation in two stages. You can use the Active Directory Domain Services Installation Wizard to complete each stage of the installation.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using Advanced Mode Installation</maml:linkText><maml:uri href="mshelp://windows/?id=66a228ff-5c99-4ac9-928d-ba460461d3be"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring Additional Domain Controller Options</maml:linkText><maml:uri href="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Delegating Read-Only Domain Controller Installation and Administration</maml:linkText><maml:uri href="mshelp://windows/?id=4cf83c2c-ecc7-4db7-b397-a2181e789b09"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Specifying Password Replication Policy</maml:linkText><maml:uri href="mshelp://windows/?id=e6e3cd78-023f-4377-952e-9cda33be0420"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Selecting a Read-Only Domain Controller Account</maml:linkText><maml:uri href="mshelp://windows/?id=60016765-34aa-49b3-8fea-1308ecfc0e43"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Description of a staged RODC installation</maml:title><maml:introduction>
<maml:para>The first stage of the installation creates an account for the RODC in Active Directory Domain Services (AD DS). The second stage of the installation attaches the actual server that will be the RODC to the account that was previously created for it.</maml:para>

<maml:para>During the first stage, the Active Directory Domain Services Installation Wizard records all data about the RODC that will be stored in the distributed Active Directory database, such as the RODC's domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group. </maml:para>

<maml:para>The user who creates the RODC account can also specify at that time which users or groups can complete the next stage of the installation. The next stage of the installation can be performed in the branch office by any user or member of a group who has been delegated the right to complete the installation when the account was created. This stage does not require any membership in built-in groups such as the Domain Admins group. If the user who creates the RODC account does not specify any delegate to complete the installation (and administer the RODC), only a member of the Domain Admins group or the Enterprise Admins group can complete the installation. </maml:para>

<maml:para>During the second stage of the installation, the wizard installs AD DS on the server that will become the RODC. This stage typically occurs in the branch office where the RODC is deployed. During this stage, all AD DS data that resides locally, such as the database, log files, and so on, is created on the RODC itself. The installation source files can be replicated to the RODC from another domain controller over the network, or you can use the install from media (IFM) feature. When you use IFM, use Ntdsutil.exe to create the installation media that is specifically created for an RODC installation. For more information about using IFM, see <maml:navigationLink><maml:linkText>Installing from Media</maml:linkText><maml:uri href="mshelp://windows/?id=66b093ee-b131-4a8d-b5bb-09c0d1f50a08"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>The server that will become the RODC must not be joined to the domain before you try to attach it to the RODC account. As part of the installation, the Active Directory Domain Services Installation Wizard automatically detects whether the name of the server matches the names of any RODC accounts that have been created in advance for the domain. When the wizard finds a matching account name, it prompts the user to use that account to complete the RODC installation.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Scenario for performing a staged installation</maml:title><maml:introduction>
<maml:para>When an organization uses staged installation, it can deploy a domain controller to a branch office location more efficiently than it could with previous versions of Windows Server. For example, a member of the Domain Admins group in a central location can create an RODC account in AD DS. This stage of the installation completes all the deployment tasks that require Domain Admin credentials, such as creating the computer account for the domain controller, specifying the site for it, and creating an associated NTDS Settings object for the server. </maml:para>

<maml:para>When a member of the Domain Admins group creates the RODC account, he or she can delegate to another user or security group the right to complete the RODC installation at the branch office location. The task of attaching the server to the existing RODC account does not have to be performed by a member of the Domain Admins group. Any delegated administrator (or delegated group member) that the member of the Domain Admins group specifies during the first stage of the installation can perform this task. </maml:para>

<maml:para>The organization can order and ship the server directly to the branch office location where the RODC installation can be completed. In the past, domain controllers for branch offices often had to be ordered and shipped to a central location or staging site to be built before they were in turn shipped to the branch office location where they were to be deployed. As an alternative, installation media was created in a central location and then shipped to the branch office location to complete the domain controller installation. Staged installation of an RODC streamlines the domain controller deployment process by eliminating these intermediary installation steps. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>How to perform staged installations</maml:title><maml:introduction>
<maml:para>Before you can install an RODC, you must prepare your forest by running <maml:computerOutputInline>adprep /rodcprep</maml:computerOutputInline>. For more information about preparing your forest by running <maml:computerOutputInline>adprep</maml:computerOutputInline>, see <maml:navigationLink><maml:linkText>Choosing an Active Directory Domain Services Deployment Configuration</maml:linkText><maml:uri href="mshelp://windows/?id=35762977-9b9e-4ef5-99be-73f6838cc158"></maml:uri></maml:navigationLink>. </maml:para>

<maml:para>You can then create the RODC account by using the Active Directory Users and Computers snap-in. In the console tree, either right-click the <maml:ui>Domain Controllers</maml:ui> container or click the <maml:ui>Domain Controllers</maml:ui> container and click <maml:ui>Action</maml:ui>, and then click <maml:ui>Pre-create Read-only Domain Controller account</maml:ui>. </maml:para>

<maml:para>You can also create an RODC account by running <maml:computerOutputInline>dcpromo</maml:computerOutputInline> at the command line, but the command must also specify the name of the domain where you are installing the RODC. At the command line, type the following command, and then press ENTER:</maml:para>

<maml:para><maml:computerOutputInline>dcpromo /CreateDCAccount /ReplicaDomainDNSName:</maml:computerOutputInline><maml:replaceable>DomainName</maml:replaceable></maml:para>

<maml:para>Where <maml:replaceable>DomainName</maml:replaceable> is the name of the domain where you plan to install an RODC.</maml:para>

<maml:para>After you create the RODC account, it appears in the <maml:ui>Domain Controllers</maml:ui> container as an unoccupied domain controller account until a delegated user attaches the server to it. </maml:para>

<maml:para>After the delegated administrator assigns a static IP address and configures the DNS client settings for the server, he or she can run the Active Directory Domain Services Installation Wizard to attach the server in the branch office to the existing RODC account. To attach the server to the existing account, open a command prompt on the server that will become the domain controller, type the following command, and then press ENTER:</maml:para>

<maml:para><maml:computerOutputInline>dcpromo /UseExistingAccount:Attach</maml:computerOutputInline></maml:para>

<maml:para>The delegated administrator is notified that the AD DS binaries are being installed. Then, the Active Directory Domain Services Installation Wizard automatically starts the second stage of the installation. The delegated administrator can add the <maml:computerOutputInline>/adv</maml:computerOutputInline> parameter to the <maml:computerOutputInline>dcpromo</maml:computerOutputInline> command or select the <maml:ui>Use advanced mode installation</maml:ui> check box on the <maml:ui>Welcome to the Active Directory Domain Services Installation Wizard</maml:ui> page in the wizard to specify the following additional installation options:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Whether to replicate data over the network or from media </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Which domain controller to use as an installation partner</maml:para>
</maml:listItem>
</maml:list>

<maml:para>On the <maml:ui>Network Credentials</maml:ui> page of the wizard, the delegated administrator must enter the name of any domain in the forest where the RODC is being installed, along with alternate credentials to use for the installation. Alternate credentials are required to attach the server to an existing domain controller account because it must be performed by a domain user. However, the delegated administrator originally logged on to the server with a local administrator account because that server was not yet joined to the domain. Therefore, the delegated administrator must now specify the domain user account (or an account that is a member of the delegated administration group) that was delegated the right to install and administer the RODC when the member of the Domain Admins group created the account for the RODC. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Removing AD DS from an RODC</maml:title><maml:introduction>
<maml:para>A delegated administrator can remove AD DS from the RODC by running Dcpromo.exe. The Active Directory Domain Services Installation Wizard requests information, including the password for the new local Administrator account, that is required to remove AD DS and make the computer a stand-alone server. You must restart the server to complete the removal of AD DS. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Detecting computer name and account conflicts</maml:title><maml:introduction>
<maml:para>After the delegated administrator selects the name of the RODC account to attach the server to, the Active Directory Domain Services Installation Wizard verifies that the account is not currently used by an active domain controller. If the verification succeeds, the wizard automatically attempts to attach the server to that account and complete the installation. </maml:para>

<maml:para>If the wizard does not find a computer account with a matching name, it provides the delegated administrator with the chance to rename the server to another name that does match an existing computer account or to take other steps to remedy the name conflict. </maml:para>

<maml:para>If the wizard finds a matching domain controller account name but the account is enabled, the wizard attempts to contact that domain controller to verify that the domain controller is online. The wizard then proceeds as follows:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the wizard can verify that another domain controller with the same name is already online, it blocks completion of the AD DS installation. In this case, the server on which the RODC installation is being performed must be renamed with the name of an RODC account that is not already in use. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the wizard cannot verify that another domain controller with the same name is already online, it warns the delegated administrator that continuing with the installation will cause the domain controller that has the same account name to not function properly—if it is in fact online—despite the fact that it could not be contacted by the wizard.</maml:para>

<maml:para>This condition can occur if an attempt to attach the server to the existing account was made previously but that attempt was canceled before the installation completed. In this case, the status of the RODC account might be changed from disabled to enabled before the installation is completed. If this happens, the delegated administrator can click <maml:ui>OK</maml:ui> to continue after the warning. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Selecting a Read-Only Domain Controller Account</maml:linkText><maml:uri href="mshelp://windows/?id=60016765-34aa-49b3-8fea-1308ecfc0e43"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual>GIF89aup,u     ( ($($($ (((,($0(0( 0, 0,$4, 80 80$44484,840@4 <4,888@8(@8,@80@<4H<$@@@P@(HD<HHHYH(PLDaL,PPPYULiU,iU0YYYqY0a]Ua]Yaaaya0ya4eeeiea}e0}e4iiimmmm4qmmqqqq8yuuyyyy<}}}}@@DDHHLƝPΥP֮U޲Y]aae(K#*TH#JHŋ3jȱǏ CIE2'0hKMrt0Ƥ͛8sɳϟh(x"ѣHP ӧPJXFAׯ`ÊX@ֳG1|˶۷p9^1n&qwuHҷÈ?i,-#KxH<8CcL(S^ݴ˃O^vCָsi&ɉ#AȓwPs|<Еk1?繫_y3O~ŏ&}W |t`y	'.ȟgxIh`^!$F䙇!|w|'hcd5X,x x㑅"~߅<:a'}F"^Y~`eWcigepGщn^TnYqy'&EihZhHޤ7*I%S>9!3VbV%J
*Tأj($j+AJ+R#2첵.!^+
dڬF2[C*ꢻBJ.RRߏj8L:Uw	7lopO6qyNqƩ}h["왑UjjibٛiȺ+&%~<"렎%l:;+4V":8ʉj]k6\G5ϲh6ЗNZ}7mrVj877;ATa^s9e.HnzΥꬿUz/dnTz{ys|/ϼ?v+M}&_}oOqC~
O>ozD?g_s_?exNM叀xabPz2/F!M;E,ԝÄe+!!Vjw#:
+kA<#-hYbԩVu4P.z`H2hL3݌ [Pci@?ݙAV(Q,tᏀ IBL"MG*#y,D`Gf?a%/Gle0SO,Y\٦81'e&BKŵQZ^%PrK^rRvsaDbj
K,eA\TfyNukXx"gn"2hkrعydG4JMl;?2d`9,x9wV]EZԉO2)Pz(r`'nL"=	&NRnTJdvt=>Py
pANRgG'mZӞ4&,SA=SR	WÛ=:JB\8/*QXa`!T]uSk%z}S-j(HVxAf\vZңi$:‰ jSg76xZ˦k-b>ܪI홀{<zOf"&*ϸcnOe<nɹ.3Pջoh;[V׼݅ v^]i|_:ߙi~_Wk'^piZ0l]	»0Q
_Ѕ:sp^viwBUxk42pm63O,>P87#poW,XX.	2eUMB` ˢD@͞X0(8p@g`

\\  pDo;d
/Z)_!AVV2gw.$~5<s\QGP1c_Ҭ5m#ژ+g՛>쭃*;/fv{YP%:Z}3oSfsnz=m-rxR'Ýjf47Oy$cyfEUr07LFDty4F2F$XyJfY5:4=TL+~<*47Ͽ=Om^ןW%S%~r,
V%Ջv}hޢJ%h؋^ES=2_`WeL_ZeS
|Foax)Xzp}{whLp}x+u&>t"=lPSÄMWj
>wߟp/<~?pn?/xO9GG&X1IBCe111D04CB$/dVPB)(.+(fR})4h(6B8o4ԃ>x&@CB8Ee~E(DG-gyKDMHrrq(Q4zWbFg^7kdXfxhjl؆hx4nx<XXZ<P~kp{t8f:yZh(go#^GHuU;腁ԉHga:" (y{F16Rq;@ȋ]73Xb1xT#t1e&cX
gz"Q6-8!hTxu8t7nC``4lNlwwo`^wv>cVYߘ3tdqARR=~T sb"()Y1es'EP%F)p׊kVY3':qYN5V;Y^XpW3.N J)>x44Y5|}RÔeP"\o%7VTQ.COgI!bY>E-և+[UEsUaᅘ㥘ŘB_d4F@ChW}iDW3	֙vi)E)雋	)Ii	)ɜIɹyؙکÚ5}߹=ƛ|Ս#"s?!h_.?-u@QBc$i<J?H@*>(C&g3*֡ZE05GR0gFGrDAg<f@f؛۳$h=)=]SGE>80}f h𣘁H]:'9.=X>]@1
U@SQ:'ܶh$a(gr3yDw҄4TdH.tTqg|J|wpH}pOMUƨ$ouw.(|Fg
gPϪo7Qpǎh"ZSo:D蚮qڏl'>Q't18ᮙks6~eb2ǮQésئq:vP{θԆzpjPYC6zK@RPx8/Vx1J/|	Cv
Af%F˳-鯥g5岬珊UjwN3N۰y:tJ96xno{q':z&
zyײjuږB۵	Ner%{>Kr@8q۳:ͺo-q6X+Ns}w+TDKo{C˲?C";)[Q#˴ȪƊOk#O`8{+wjI7!)T}kx{aI7I5
k:þZ~Sv1tǒ1|PU<1˖KT̨^gm;*Q\˵hW+{WYcsYKo*k9I^"{;d[AInHHIM	'9EWM*;Yv[lwڿK%bo
xP!80f_GP΁R*WkmZ7рֺ+;mzm  6țմ3gU\wq+t|W]рGfEOYESW{ptXi+hۗ'T	ɻ);]L!e#eƲ>լ_QT |_fzκaT\
ϒU6Fh6Р6xД}*Щqpzpf 6ҫpўPLoܨ̯V7ð;]9=D\E<mmz5bY-C6v2dP0{Y{T*pIL<%{j
&tءzIxFdЌ˛
L=?B\*ؐ
0EƁX1MO-_5~02R)+maz
LQKE|ֈUd<w{=jvm|,,;wۿy7ɽ}7o/]*-Ldv:M\Oؒ;<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Specifying Password Replication Policy</maml:title><maml:introduction>
<maml:para>The <maml:ui>Specify the Password Replication Policy</maml:ui> wizard page in the Active Directory Domain Services Installation Wizard appears when you create a read-only domain controller (RODC) account—but only if you select the <maml:ui>Use advanced mode installation</maml:ui> check box on the <maml:ui>Welcome to the Active Directory Domain Services Installation Wizard</maml:ui> page in the wizard. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>How the Password Replication Policy works</maml:title><maml:introduction>
<maml:para>The Password Replication Policy (PRP) determines how an RODC performs credential caching. Credential caching is the storage of user or computer credentials. </maml:para>
<maml:para>When users or computers in a site that is serviced by an RODC attempt to authenticate to the domain, by default the RODC cannot validate their credentials. The RODC then forwards the authentication request to a writable domain controller. However, there might be a set of security principals that may need to be able to authenticate in a site that is serviced by an RODC, even in cases where they have no connectivity to writable domain controllers.</maml:para>

<maml:para>For example, you might have a set of users and computers in a branch office that you want to be authenticated, even if there is no connectivity between the branch office and the sites that contain writable domain controllers. To resolve this issue, you can configure the PRP for that RODC to allow the passwords for those users to be cached on the RODC. If the account passwords are cached on the RODC, the RODC can authenticate those accounts when connectivity to writable domain controllers is not available.</maml:para>

<maml:para>The PRP acts as an access control list (ACL). It determines whether an RODC is permitted to cache credentials for an account. After the RODC receives a user or computer logon request, it attempts to replicate the credentials for that account from a writable domain controller that runs Windows Server 2008 or Windows Server 2008 R2. The writable domain controller refers to the PRP to determine if the credentials for the account should be cached. If the PRP allows the account to be cached, the writable domain controller replicates the credentials for that account to the RODC and the RODC caches them. During subsequent logons for that account, the RODC can authenticate the account by referring to the credentials that it has cached. The RODC does not have to contact the writable domain controller. </maml:para>


</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>The PRP in operation</maml:title><maml:introduction>

<maml:para>The PRP is defined by two multivalued Active Directory attributes that contain security principals (users, computers, and groups). Each RODC computer account has these two attributes: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>msDS-Reveal-OnDemandGroup</maml:phrase>, also known as the Allowed List</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>msDS-NeverRevealGroup</maml:phrase>, also known as the Denied List</maml:para>
</maml:listItem>
</maml:list>
<maml:para>To help manage the PRP, two other attributes that are related to the PRP are maintained for each RODC:</maml:para>
<maml:list class="unordered"><maml:listItem>
<maml:para><maml:phrase>msDS-RevealedList</maml:phrase>, also known as the Revealed List</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>msDS-AuthenticatedToAccountList</maml:phrase>, also known as the Authenticated to List</maml:para>
</maml:listItem></maml:list>
<maml:para>The <maml:phrase>msDS-Reveal-OnDemandGroup</maml:phrase> attribute specifies what security principals can have passwords cached on an RODC. By default, this attribute has one value, which is the <maml:phrase>Allowed RODC Password Replication Group</maml:phrase>. Because this domain local group has no members by default, no account passwords can be cached on any RODC by default. </maml:para>

<maml:para>This section explains how the Allowed List, Denied List, Revealed List, and Authenticated to List attributes are used.</maml:para>

<maml:para>When an RODC makes a request to replicate a user's password, the writable Windows Server 2008 domain controller that the RODC contacts allows or denies the request. To allow it or deny the request, the writable domain controller examines the values of the Allowed List and the Denied List for the RODC that presents the request.</maml:para>

<maml:para>If the account whose password is being requested by the RODC is in the Allowed List (rather than the Denied List) for that RODC, the request is allowed.</maml:para>

<maml:para>The following illustration shows how this operation proceeds.</maml:para>

<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=9252a22b-ed7e-41e6-94c8-8615694db76b" mimeType="image/gif"><maml:summary>Process for applying a Password Replication Policy</maml:summary></maml:objectUri></maml:embedObject></maml:para>

<maml:para>The Denied List takes precedence over the Allowed List. </maml:para>

<maml:para>For example, suppose an organization has a security group for administrators named Admins. The organization has one site named S1 and a security group named Emp_S1 that contains employees in the site. The organization has another site named S2 and a security group named Emp_S2 that contains employees in the site. </maml:para>

<maml:para>Site S2 has only an RODC. Bob is an administrator who works at the site S2. Therefore, he belongs to both groups Emp_S2 and Admins. When the RODC in site S2 is installed, the security groups that are listed in the following table are added to the PRP.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Security group</maml:para>
</maml:entry>
<maml:entry>
<maml:para>PRP setting</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Admins</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Denied</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Emp_S2</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allowed</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>According to the specified policy, the credentials that can be cached on the RODC in site S2 are only the credentials for members of the Emp_S2 group that do not belong to Admins. Members of the Emp_S1 and Admins groups will never have their credentials cached on the RODC. Members of the Emp_S2 group may have their credentials cached on the RODC. Bob's credentials will never be cached on the RODC. </maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section>
<maml:title>Default PRP settings</maml:title><maml:introduction>
<maml:para>Each RODC has a PRP that defines which accounts are allowed to have their passwords replicated to the RODC and which accounts are explicitly denied from having their passwords replicated to the RODC. The default policy specifies the groups and settings in the following table.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Group name</maml:para>
</maml:entry>
<maml:entry>
<maml:para>PRP setting</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Administrators</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Deny</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Server operators</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Deny</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Backup operators</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Deny</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Account operators</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Deny</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Denied RODC Password Replication Group</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Deny</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Allowed RODC Password Replication Group</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allow</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>The Denied RODC Password Replication Group has the following domain account members by default:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Cert Publishers</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Domain Admins</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enterprise Admins</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enterprise Domain Controllers</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enterprise Read-Only Domain Controllers</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Group Policy Creator Owners</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>krbtgt</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Schema Admins</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The Allowed RODC Password Replication Group has no members by default. </maml:para>

<maml:para>The default PRP improves the security of an RODC installation by ensuring that no account passwords are stored by default and that security-sensitive accounts (such as members of the Domain Admins group) are explicitly denied from ever having their passwords stored on the RODC. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Modifying the default PRP</maml:title><maml:introduction>
<maml:para>You can modify the default PRP when you create an account for the RODC or after the RODC account is created. To modify the default PRP after the RODC account is created, right-click the RODC account in the <maml:ui>Domain Controllers</maml:ui> organizational unit (OU) in the Active Directory Users and Computers snap-in, click <maml:ui>Properties</maml:ui>, and then click the <maml:ui>Password Replication Policy</maml:ui> tab. (To open the Active Directory Users and Computers snap-in, click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Active Directory Users and Computers</maml:ui>.)</maml:para>

<maml:para>To add accounts to the default PRP when you create the RODC account, click <maml:ui>Add</maml:ui> on the <maml:ui>Specify Password Replication Policy</maml:ui> wizard page, and then specify whether to allow or deny passwords for the account to be stored on the RODC. Then, use the <maml:ui>Select Users, Computers, or Groups</maml:ui> dialog box to select the accounts to add. </maml:para>

<maml:para>You must include the appropriate user, computer, and service accounts in the PRP to allow the RODC to satisfy authentication and service ticket requests locally. If you do not include the computer accounts that the branch users will use to log on to the network in the Allowed List, the RODC will not be able to satisfy requests for service tickets locally and it will rely on access to a writable domain controller to satisfy those requests. If the wide area network (WAN) is offline, this might cause a service outage.</maml:para>

<maml:para>The Deny setting takes precedence over the Allow setting. If both settings are specified for a given user—either directly, or indirectly because the user is a member of a security group that is specified (or nested within a specified security group)—the user's password cannot be stored on the RODC. It is important to note, however, that a user whose password cannot be stored on the RODC can still use the RODC for logon if the WAN connection to a writable domain controller is available. The password for the user is not replicated to the RODC, but the logon can be authenticated by the writable domain controller over the WAN.</maml:para>

<maml:para>The following table describes the advantages and disadvantages of three examples of configurations for a PRP.</maml:para>
<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Example</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Pros</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Cons</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>No accounts are cached (default).</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Most secure—users are authenticated by a writable domain controller, and they get their Group Policy from the RODC for fast policy processing.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No offline access for anyone—a WAN is required for logon.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Most accounts are cached.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Ease of password management—this option is intended for organizations that care most about the manageability improvements of RODC, not security.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>More passwords are potentially exposed to an RODC.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Few accounts are cached.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enables offline access for those users who need it, but provides more security than caching most accounts. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>This method requires more detailed administration. You may have to map users and computers to each branch that has an RODC. You may also use tools, such as <maml:computerOutputInline>repadmin /prp</maml:computerOutputInline>, to move accounts that have authenticated to an RODC to a group that is in the Allowed List, or you may have to use Identity Lifecycle Manager (ILM) to automate that process.</maml:para>
</maml:entry></maml:row>
</maml:table>


<maml:para>The following sections explain each example in more detail.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>No accounts are cached</maml:title><maml:introduction>
<maml:para>This example provides the most secure option. No passwords are replicated to the RODC, except for the RODC computer account and its special krbtgt account. However, user and computer authentication relies on WAN availability. This example has the advantage of requiring little or no additional administrative configuration from the default settings. </maml:para>

<maml:para>You might choose to add your own security-sensitive user groups to the Denied List. Although no accounts are cached by default, adding your own security-sensitive user groups to the Denied List can protect those groups against accidental inclusion in the Allowed List, along with subsequent caching of their passwords on the RODC. </maml:para>

<maml:para>Note that the delegated RODC administrator account is not added automatically to the Allowed List. As a best practice, add the delegated RODC administrator account to the Allowed List to ensure that a delegated administrator can always log on to the RODC, regardless of whether the WAN connection to a writable domain controller is available. </maml:para>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Most accounts are cached</maml:title><maml:introduction>
<maml:para>This example is the simplest administrative mode, and it removes the dependency on WAN availability for user and computer authentication. In this example, you populate the Allowed List for all RODCs with groups that represent a significant portion of the user and computer population. The Denied List does not allow security-sensitive user groups, such as Domain Admins, from having passwords cached. Most other users, however, can have their passwords cached on demand. You might choose to add your own security-sensitive user groups to the Denied List.</maml:para>

<maml:para>This configuration is most appropriate in environments where the physical security of the RODC will not be at risk. For example, you might configure the PRP this way for an RODC that you have deployed in a secure location primarily to take advantage of its reduced replication and administration requirements.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>You must also add the users' computer accounts to the Allowed list so that those users can log on at the branch office when the WAN is offline. </maml:para>
</maml:alertSet>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Few accounts are cached</maml:title><maml:introduction>
<maml:para>This example restricts the accounts that can be cached. Typically, you define this distinctly for each RODC—each RODC has a different set of user and computer accounts that it is permitted to cache. This example is usually for a set of users who work at a particular physical location.</maml:para>

<maml:para>The advantage of this example is that a set of users will be able to log on to the network and be authenticated by the RODC in the branch office if the WAN is offline. At the same time, the scope of exposure for passwords is limited by the reduced number of users whose passwords can be cached. </maml:para>

<maml:para>There is administrative overhead associated with populating the Allowed List and the Denied List in this example. There is no default automated method for reading accounts from the known list of security principals who have authenticated against a given RODC, and there is no default method for populating the Allowed List with those accounts. You can use the <maml:computerOutputInline>repadmin /prp move</maml:computerOutputInline> command to move these accounts to a group that is in the Allowed List, or you can use scripts or applications such as ILM to build a process. </maml:para>

<maml:para>Although you can add user or computer accounts directly to the Allowed List, you should instead create a security group for each RODC, add it to the Allowed List and then add user and computer accounts to the security group. This way, you can use standard group management tools such as the Active Directory Users and Computers snap-in or the <maml:computerOutputInline>Dsadd</maml:computerOutputInline> or <maml:computerOutputInline>Dsmod</maml:computerOutputInline> command-line tools to manage which accounts can be cached on the RODC. </maml:para>

<maml:para>The <maml:computerOutputInline>repadmin /prp move</maml:computerOutputInline> command requires that you specify a security group. If the security group that you specify does not exist, it creates the group and adds it to the Allowed list. </maml:para>

<maml:para>As with the previous example, you must also add appropriate computer accounts to the Allowed List. </maml:para>
</maml:introduction></maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Ensure That Clients Can Access Resources by Configuring Time Synchronization Throughout the Forest</maml:title><maml:introduction>
<maml:para>The Windows Time service (also known as W32time) synchronizes the date and time for computers running on a Windows Server 2008 R2 network. The Windows Time service is essential to the successful operation of Kerberos authentication and, therefore, to Active Directory–based authentication. Any Kerberos-aware application, including most security services, relies on time synchronization between the computers that are participating in the authentication request. Active Directory domain controllers must also have synchronized clocks to help ensure accurate data replication.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Configuring time synchronization</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to configure time synchronization for computers in your organization.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>When you deploy the first domain in your forest, configure the primary domain controller (PDC) emulator operations master in that domain to synchronize from a valid Network Time Protocol (NTP) source. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure the Windows Time Service (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93177</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93177"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Some Windows-based client computers do not automatically synchronize their time with the Active Directory domain. You can configure these computers to request time from a particular source, such as a domain controller in the domain. If you do not specify a source that is synchronized with the domain, each computer’s internal hardware clock governs its time.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configuring Windows-Based Clients to Synchronize Time (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93178</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93178"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If the local Windows Time service settings are not configured correctly, you may prefer to simply restore the Windows Time service to its default settings rather than spending time troubleshooting the problem.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Restoring the Windows Time Service to Default Settings (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93179</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93179"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Optimize Resource Access or Network Utilization by Deploying an Additional Domain</maml:title><maml:introduction>
<maml:para>By default, an Active Directory forest includes one domain. If necessary, you can deploy an additional domain to isolate the replication of domain data, such as computer accounts, user accounts, and group accounts. Domain data is replicated only to the domain controllers for that domain. You may create additional domains for business requirements, such as a planned acquisition of a business unit.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Deploying an additional domain</maml:title><maml:introduction>
<maml:para>The following table lists the steps that you can take to deploy an additional domain. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Step</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Reference</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Review domain design information and determine what (if any) additional domains you need.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Determining the Number of Domains Required (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93247</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93247"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:embedObject><maml:objectUri href="mshelp://windows/?id=3dd4f848-9c62-4403-bfe7-52364867ea8c" mimeType="image/gif"><maml:summary>Check box</maml:summary></maml:objectUri></maml:embedObject></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Complete the steps for deploying a regional domain.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Deploying Active Directory Regional Domains (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=93248</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=93248"></maml:uri></maml:navigationLink>)</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><?xml version="1.0" encoding="utf-8"?>
<HelpCollection Id="AD_DS" DTDVersion="1.0" FileVersion="" LangId="1033" Copyright="© 2005 Microsoft Corporation. All rights reserved." Title="Active Directory Domain Services (AD DS)" xmlns="http://schemas.microsoft.com/help/collection/2004/11">
	<CompilerOptions CompileResult="H1S" CreateFullTextIndex="Yes" BreakerId="Microsoft.NLG.en.WordBreaker">
		<IncludeFile File="AD_DS.H1F" />
	</CompilerOptions>
	<TOCDef File="AD_DS.H1T" Id="AD_DS_TOC" />
	<VTopicDef File="AD_DS.H1V" />
	<KeywordIndexDef File="AD_DS_AssetId.H1K" />
	<KeywordIndexDef File="AD_DS_BestBet.H1K" />
	<KeywordIndexDef File="AD_DS_LinkTerm.H1K" />
	<KeywordIndexDef File="AD_DS_SubjectTerm.H1K" />
	<ItemMoniker Name="!DefaultTOC" ProgId="HxDs.HxHierarchy" InitData="AnyString" />
	<ItemMoniker Name="!DefaultFullTextSearch" ProgId="HxDs.HxFullTextSearch" InitData="AnyString" />
	<ItemMoniker Name="!DefaultAssetIdIndex" ProgId="HxDs.HxIndex" InitData="AssetId" />
	<ItemMoniker Name="!DefaultBestBetIndex" ProgId="HxDs.HxIndex" InitData="BestBet" />
	<ItemMoniker Name="!DefaultAssociativeIndex" ProgId="HxDs.HxIndex" InitData="LinkTerm" />
	<ItemMoniker Name="!DefaultKeywordIndex" ProgId="HxDs.HxIndex" InitData="SubjectTerm" />
</HelpCollection><?xml version="1.0" encoding="utf-8"?>
<HelpFileList xmlns="http://schemas.microsoft.com/help/filelist/2004/11">
	<File Url="relatedAssets\3dd4f848-9c62-4403-bfe7-52364867ea8c.gif" />
	<File Url="assets\04516079-76bb-4def-8856-c5534c411238.xml" />
	<File Url="assets\09ca3b92-5e7a-4154-9d18-5be2c54b9bb7.xml" />
	<File Url="assets\183d02af-b5d5-4a94-bf75-213d7100aec7.xml" />
	<File Url="assets\2005bba5-0ecc-4b67-8596-18bd75d57d02.xml" />
	<File Url="assets\29f83de8-d4d6-4db6-90bc-1741ece46aec.xml" />
	<File Url="assets\339e0997-e4a6-4deb-b00e-d46ffdc4ed78.xml" />
	<File Url="assets\35762977-9b9e-4ef5-99be-73f6838cc158.xml" />
	<File Url="assets\3739d3bb-38d5-48da-b9bf-d80401baf053.xml" />
	<File Url="assets\4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c.xml" />
	<File Url="assets\4332bca8-b13f-45bc-a8a4-d22ef6f0e0b8.xml" />
	<File Url="assets\4cf83c2c-ecc7-4db7-b397-a2181e789b09.xml" />
	<File Url="assets\51189958-f622-49f7-b944-823d4bd1bb68.xml" />
	<File Url="assets\528cfe92-0dd3-45bf-996c-b0ecfd1f8f37.xml" />
	<File Url="relatedAssets\d2d99fd8-5456-486d-95be-a01d6af7ae69.gif" />
	<File Url="assets\52ec32f6-5eda-4d6a-8e38-809fee243b71.xml" />
	<File Url="assets\54462cf1-d293-436c-b396-27925e13ede2.xml" />
	<File Url="assets\576d75af-26b6-4df8-903a-7579a81500d4.xml" />
	<File Url="assets\59840570-41e6-4eaf-ac40-0505e7765a7a.xml" />
	<File Url="assets\5ce13491-3a1c-4935-af59-70e27dae6144.xml" />
	<File Url="assets\60016765-34aa-49b3-8fea-1308ecfc0e43.xml" />
	<File Url="assets\62919f2e-6873-431b-b3da-36d27e544da9.xml" />
	<File Url="assets\66a228ff-5c99-4ac9-928d-ba460461d3be.xml" />
	<File Url="assets\66b093ee-b131-4a8d-b5bb-09c0d1f50a08.xml" />
	<File Url="assets\695c2fad-f7d1-4075-8402-127581ecb172.xml" />
	<File Url="assets\6b4fd0a5-62b0-4cb9-a01b-5dc21d9d8236.xml" />
	<File Url="assets\6dd108a2-b5a2-4b98-a67c-f654cf7d1741.xml" />
	<File Url="assets\6e082c82-6315-42be-b5a1-6f4647bfa5e8.xml" />
	<File Url="assets\702963cf-6d46-4cf8-bc5a-1877db288a84.xml" />
	<File Url="assets\7fc91f3b-c926-4dd7-a9f5-8d140d261a14.xml" />
	<File Url="assets\859ed5a8-79b6-42e9-8e70-967f8d4fd4fb.xml" />
	<File Url="assets\887e6f79-c332-4cb8-a0fe-8b5bfa2786e1.xml" />
	<File Url="assets\9539d62e-ac0c-4f30-bba7-5f5782a0cb85.xml" />
	<File Url="assets\9922023d-94c4-4e9b-a04e-446b5464bca5.xml" />
	<File Url="assets\9f4e0147-687f-46f3-9558-22b542e2c455.xml" />
	<File Url="assets\a2261e08-4875-4204-bb1e-69db914262a0.xml" />
	<File Url="assets\a61e3e1e-17df-45da-8aa7-8c479e835259.xml" />
	<File Url="assets\a9a06564-b6e2-4287-8e4b-05a4a07a6bb8.xml" />
	<File Url="assets\ae51cdda-4957-43b6-8d0f-1f8c1c108af0.xml" />
	<File Url="assets\c0a2bc79-a198-4fcf-a515-38484850366c.xml" />
	<File Url="assets\ce4f829a-7b01-4b43-84a4-a896bd9bff2a.xml" />
	<File Url="assets\d2d11b40-f929-4abd-849e-314222a283d0.xml" />
	<File Url="assets\d354d108-0112-4e35-8530-d90417f3d185.xml" />
	<File Url="relatedAssets\a94424e0-d4de-41f8-8893-7e8e9f465bbd.gif" />
	<File Url="relatedAssets\624dd3fb-47aa-402e-87f8-773e8e9b828f.gif" />
	<File Url="relatedAssets\10853d03-fe57-4f44-b77f-aa7dddd20a39.gif" />
	<File Url="assets\e2dd91d6-441f-4175-9d1d-d152d148d73c.xml" />
	<File Url="assets\e324865f-1cbe-42ec-bf18-a220c0e26fe6.xml" />
	<File Url="assets\e374bef1-c875-4792-b0f7-381549f53744.xml" />
	<File Url="assets\e470dd1b-507b-436e-a17b-3ddcb5bb5044.xml" />
	<File Url="relatedAssets\9252a22b-ed7e-41e6-94c8-8615694db76b.gif" />
	<File Url="assets\e6e3cd78-023f-4377-952e-9cda33be0420.xml" />
	<File Url="assets\f21782b3-e3b6-4c60-a51b-9e136d6ac7e4.xml" />
	<File Url="assets\f7cd8568-60c6-490f-952b-7981f6b76ce0.xml" />
</HelpFileList><?xml version="1.0" encoding="utf-8"?>
<VTopicSet DTDVersion="1.0" xmlns="http://schemas.microsoft.com/help/vtopic/2004/11">
	<Vtopic Url="relatedAssets\3dd4f848-9c62-4403-bfe7-52364867ea8c.gif">
		<Keyword Index="AssetId" Term="3dd4f848-9c62-4403-bfe7-52364867ea8c" />
	</Vtopic>
	<Vtopic Url="assets\04516079-76bb-4def-8856-c5534c411238.xml" RLTitle="Optimize Network Utilization Across Geographic Locations by Adding an Active Directory Site">
		<Attr Name="assetid" Value="04516079-76bb-4def-8856-c5534c411238" />
		<Keyword Index="AssetId" Term="04516079-76bb-4def-8856-c5534c411238" />
		<Keyword Index="AssetId" Term="04516079-76bb-4def-8856-c5534c4112381033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="04516079-76bb-4def-8856-c5534c411238" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\09ca3b92-5e7a-4154-9d18-5be2c54b9bb7.xml" RLTitle="Ensure That DNS Clients Can Locate Domain Controllers by Configuring DNS Support for AD DS">
		<Attr Name="assetid" Value="09ca3b92-5e7a-4154-9d18-5be2c54b9bb7" />
		<Keyword Index="AssetId" Term="09ca3b92-5e7a-4154-9d18-5be2c54b9bb7" />
		<Keyword Index="AssetId" Term="09ca3b92-5e7a-4154-9d18-5be2c54b9bb71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="09ca3b92-5e7a-4154-9d18-5be2c54b9bb7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\183d02af-b5d5-4a94-bf75-213d7100aec7.xml" RLTitle="Configuring TCP/IP and DNS Client Settings">
		<Attr Name="assetid" Value="183d02af-b5d5-4a94-bf75-213d7100aec7" />
		<Keyword Index="AssetId" Term="183d02af-b5d5-4a94-bf75-213d7100aec7" />
		<Keyword Index="AssetId" Term="183d02af-b5d5-4a94-bf75-213d7100aec71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="183d02af-b5d5-4a94-bf75-213d7100aec7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\2005bba5-0ecc-4b67-8596-18bd75d57d02.xml" RLTitle="Share Resources with Other Forests by Creating Trust Relationships">
		<Attr Name="assetid" Value="2005bba5-0ecc-4b67-8596-18bd75d57d02" />
		<Keyword Index="AssetId" Term="2005bba5-0ecc-4b67-8596-18bd75d57d02" />
		<Keyword Index="AssetId" Term="2005bba5-0ecc-4b67-8596-18bd75d57d021033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="2005bba5-0ecc-4b67-8596-18bd75d57d02" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\29f83de8-d4d6-4db6-90bc-1741ece46aec.xml" RLTitle="Help Prepare for Disaster Recovery by Performing Routine Backups of the Active Directory Database">
		<Attr Name="assetid" Value="29f83de8-d4d6-4db6-90bc-1741ece46aec" />
		<Keyword Index="AssetId" Term="29f83de8-d4d6-4db6-90bc-1741ece46aec" />
		<Keyword Index="AssetId" Term="29f83de8-d4d6-4db6-90bc-1741ece46aec1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="29f83de8-d4d6-4db6-90bc-1741ece46aec" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\339e0997-e4a6-4deb-b00e-d46ffdc4ed78.xml" RLTitle="Selecting an Installation Partner for Active Directory Domain Services">
		<Attr Name="assetid" Value="339e0997-e4a6-4deb-b00e-d46ffdc4ed78" />
		<Keyword Index="AssetId" Term="339e0997-e4a6-4deb-b00e-d46ffdc4ed78" />
		<Keyword Index="AssetId" Term="339e0997-e4a6-4deb-b00e-d46ffdc4ed781033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="339e0997-e4a6-4deb-b00e-d46ffdc4ed78" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\35762977-9b9e-4ef5-99be-73f6838cc158.xml" RLTitle="Choosing an Active Directory Domain Services Deployment Configuration">
		<Attr Name="assetid" Value="35762977-9b9e-4ef5-99be-73f6838cc158" />
		<Keyword Index="AssetId" Term="35762977-9b9e-4ef5-99be-73f6838cc158" />
		<Keyword Index="AssetId" Term="35762977-9b9e-4ef5-99be-73f6838cc1581033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="35762977-9b9e-4ef5-99be-73f6838cc158" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3739d3bb-38d5-48da-b9bf-d80401baf053.xml" RLTitle="Change the Zone Type">
		<Attr Name="assetid" Value="3739d3bb-38d5-48da-b9bf-d80401baf053" />
		<Keyword Index="AssetId" Term="3739d3bb-38d5-48da-b9bf-d80401baf053" />
		<Keyword Index="AssetId" Term="3739d3bb-38d5-48da-b9bf-d80401baf0531033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="Operations_Operating" />
		<Attr Name="subject_productTechnology" Value="Networking_DNS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3739d3bb-38d5-48da-b9bf-d80401baf053" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c.xml" RLTitle="Providing a Directory Services Restore Mode Administrator Password">
		<Attr Name="assetid" Value="4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c" />
		<Keyword Index="AssetId" Term="4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c" />
		<Keyword Index="AssetId" Term="4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4332bca8-b13f-45bc-a8a4-d22ef6f0e0b8.xml" RLTitle="Enable Advanced Features by Raising the Domain or Forest Functional Level">
		<Attr Name="assetid" Value="4332bca8-b13f-45bc-a8a4-d22ef6f0e0b8" />
		<Keyword Index="AssetId" Term="4332bca8-b13f-45bc-a8a4-d22ef6f0e0b8" />
		<Keyword Index="AssetId" Term="4332bca8-b13f-45bc-a8a4-d22ef6f0e0b81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4332bca8-b13f-45bc-a8a4-d22ef6f0e0b8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4cf83c2c-ecc7-4db7-b397-a2181e789b09.xml" RLTitle="Delegating Read-Only Domain Controller Installation and Administration">
		<Attr Name="assetid" Value="4cf83c2c-ecc7-4db7-b397-a2181e789b09" />
		<Keyword Index="AssetId" Term="4cf83c2c-ecc7-4db7-b397-a2181e789b09" />
		<Keyword Index="AssetId" Term="4cf83c2c-ecc7-4db7-b397-a2181e789b091033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4cf83c2c-ecc7-4db7-b397-a2181e789b09" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\51189958-f622-49f7-b944-823d4bd1bb68.xml" RLTitle="Unattended Installation Return Codes">
		<Attr Name="assetid" Value="51189958-f622-49f7-b944-823d4bd1bb68" />
		<Keyword Index="AssetId" Term="51189958-f622-49f7-b944-823d4bd1bb68" />
		<Keyword Index="AssetId" Term="51189958-f622-49f7-b944-823d4bd1bb681033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="51189958-f622-49f7-b944-823d4bd1bb68" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\528cfe92-0dd3-45bf-996c-b0ecfd1f8f37.xml" RLTitle="Removing Active Directory Domain Services">
		<Attr Name="assetid" Value="528cfe92-0dd3-45bf-996c-b0ecfd1f8f37" />
		<Keyword Index="AssetId" Term="528cfe92-0dd3-45bf-996c-b0ecfd1f8f37" />
		<Keyword Index="AssetId" Term="528cfe92-0dd3-45bf-996c-b0ecfd1f8f371033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="528cfe92-0dd3-45bf-996c-b0ecfd1f8f37" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\d2d99fd8-5456-486d-95be-a01d6af7ae69.gif">
		<Keyword Index="AssetId" Term="d2d99fd8-5456-486d-95be-a01d6af7ae69" />
	</Vtopic>
	<Vtopic Url="assets\52ec32f6-5eda-4d6a-8e38-809fee243b71.xml" RLTitle="Understanding Forwarders">
		<Attr Name="assetid" Value="52ec32f6-5eda-4d6a-8e38-809fee243b71" />
		<Keyword Index="AssetId" Term="52ec32f6-5eda-4d6a-8e38-809fee243b71" />
		<Keyword Index="AssetId" Term="52ec32f6-5eda-4d6a-8e38-809fee243b711033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="Operations_Operating" />
		<Attr Name="subject_productTechnology" Value="Networking_DNS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="52ec32f6-5eda-4d6a-8e38-809fee243b71" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\54462cf1-d293-436c-b396-27925e13ede2.xml" RLTitle="Providing Network Credentials to Install or Remove Active Directory Domain Services">
		<Attr Name="assetid" Value="54462cf1-d293-436c-b396-27925e13ede2" />
		<Keyword Index="AssetId" Term="54462cf1-d293-436c-b396-27925e13ede2" />
		<Keyword Index="AssetId" Term="54462cf1-d293-436c-b396-27925e13ede21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="54462cf1-d293-436c-b396-27925e13ede2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\576d75af-26b6-4df8-903a-7579a81500d4.xml" RLTitle="Installing Active Directory Domain Services">
		<Attr Name="assetid" Value="576d75af-26b6-4df8-903a-7579a81500d4" />
		<Keyword Index="AssetId" Term="576d75af-26b6-4df8-903a-7579a81500d4" />
		<Keyword Index="AssetId" Term="576d75af-26b6-4df8-903a-7579a81500d41033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="576d75af-26b6-4df8-903a-7579a81500d4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\59840570-41e6-4eaf-ac40-0505e7765a7a.xml" RLTitle="Reduce Directory Size and Ensure Its Integrity and Performance by Performing Offline Defragmentation">
		<Attr Name="assetid" Value="59840570-41e6-4eaf-ac40-0505e7765a7a" />
		<Keyword Index="AssetId" Term="59840570-41e6-4eaf-ac40-0505e7765a7a" />
		<Keyword Index="AssetId" Term="59840570-41e6-4eaf-ac40-0505e7765a7a1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="59840570-41e6-4eaf-ac40-0505e7765a7a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5ce13491-3a1c-4935-af59-70e27dae6144.xml" RLTitle="Improve Resource Access Efficiency by Using Security Groups">
		<Attr Name="assetid" Value="5ce13491-3a1c-4935-af59-70e27dae6144" />
		<Keyword Index="AssetId" Term="5ce13491-3a1c-4935-af59-70e27dae6144" />
		<Keyword Index="AssetId" Term="5ce13491-3a1c-4935-af59-70e27dae61441033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5ce13491-3a1c-4935-af59-70e27dae6144" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\60016765-34aa-49b3-8fea-1308ecfc0e43.xml" RLTitle="Selecting a Read-Only Domain Controller Account">
		<Attr Name="assetid" Value="60016765-34aa-49b3-8fea-1308ecfc0e43" />
		<Keyword Index="AssetId" Term="60016765-34aa-49b3-8fea-1308ecfc0e43" />
		<Keyword Index="AssetId" Term="60016765-34aa-49b3-8fea-1308ecfc0e431033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="60016765-34aa-49b3-8fea-1308ecfc0e43" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\62919f2e-6873-431b-b3da-36d27e544da9.xml" RLTitle="Ensure Successful Active Directory Operations by Managing Operations Master Roles">
		<Attr Name="assetid" Value="62919f2e-6873-431b-b3da-36d27e544da9" />
		<Keyword Index="AssetId" Term="62919f2e-6873-431b-b3da-36d27e544da9" />
		<Keyword Index="AssetId" Term="62919f2e-6873-431b-b3da-36d27e544da91033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="62919f2e-6873-431b-b3da-36d27e544da9" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\66a228ff-5c99-4ac9-928d-ba460461d3be.xml" RLTitle="Using Advanced Mode Installation">
		<Attr Name="assetid" Value="66a228ff-5c99-4ac9-928d-ba460461d3be" />
		<Keyword Index="AssetId" Term="66a228ff-5c99-4ac9-928d-ba460461d3be" />
		<Keyword Index="AssetId" Term="66a228ff-5c99-4ac9-928d-ba460461d3be1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="66a228ff-5c99-4ac9-928d-ba460461d3be" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\66b093ee-b131-4a8d-b5bb-09c0d1f50a08.xml" RLTitle="Installing from Media">
		<Attr Name="assetid" Value="66b093ee-b131-4a8d-b5bb-09c0d1f50a08" />
		<Keyword Index="AssetId" Term="66b093ee-b131-4a8d-b5bb-09c0d1f50a08" />
		<Keyword Index="AssetId" Term="66b093ee-b131-4a8d-b5bb-09c0d1f50a081033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="66b093ee-b131-4a8d-b5bb-09c0d1f50a08" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\695c2fad-f7d1-4075-8402-127581ecb172.xml" RLTitle="Improve Active Directory Redundancy by Adding Another Domain Controller">
		<Attr Name="assetid" Value="695c2fad-f7d1-4075-8402-127581ecb172" />
		<Keyword Index="AssetId" Term="695c2fad-f7d1-4075-8402-127581ecb172" />
		<Keyword Index="AssetId" Term="695c2fad-f7d1-4075-8402-127581ecb1721033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="695c2fad-f7d1-4075-8402-127581ecb172" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6b4fd0a5-62b0-4cb9-a01b-5dc21d9d8236.xml" RLTitle="Overview of the Active Directory Domain Services Installation Wizard">
		<Attr Name="assetid" Value="6b4fd0a5-62b0-4cb9-a01b-5dc21d9d8236" />
		<Keyword Index="AssetId" Term="6b4fd0a5-62b0-4cb9-a01b-5dc21d9d8236" />
		<Keyword Index="AssetId" Term="6b4fd0a5-62b0-4cb9-a01b-5dc21d9d82361033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6b4fd0a5-62b0-4cb9-a01b-5dc21d9d8236" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6dd108a2-b5a2-4b98-a67c-f654cf7d1741.xml" RLTitle="Active Directory Domain Services">
		<Attr Name="assetid" Value="6dd108a2-b5a2-4b98-a67c-f654cf7d1741" />
		<Keyword Index="AssetId" Term="6dd108a2-b5a2-4b98-a67c-f654cf7d1741" />
		<Keyword Index="AssetId" Term="6dd108a2-b5a2-4b98-a67c-f654cf7d17411033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6dd108a2-b5a2-4b98-a67c-f654cf7d1741" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6e082c82-6315-42be-b5a1-6f4647bfa5e8.xml" RLTitle="Simplify Active Directory Administration by Delegating Management of Users, Computers, and Other Network Resources">
		<Attr Name="assetid" Value="6e082c82-6315-42be-b5a1-6f4647bfa5e8" />
		<Keyword Index="AssetId" Term="6e082c82-6315-42be-b5a1-6f4647bfa5e8" />
		<Keyword Index="AssetId" Term="6e082c82-6315-42be-b5a1-6f4647bfa5e81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6e082c82-6315-42be-b5a1-6f4647bfa5e8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\702963cf-6d46-4cf8-bc5a-1877db288a84.xml" RLTitle="Performing Metadata Cleanup">
		<Attr Name="assetid" Value="702963cf-6d46-4cf8-bc5a-1877db288a84" />
		<Keyword Index="AssetId" Term="702963cf-6d46-4cf8-bc5a-1877db288a84" />
		<Keyword Index="AssetId" Term="702963cf-6d46-4cf8-bc5a-1877db288a841033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="702963cf-6d46-4cf8-bc5a-1877db288a84" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7fc91f3b-c926-4dd7-a9f5-8d140d261a14.xml" RLTitle="Updating Root Hints">
		<Attr Name="assetid" Value="7fc91f3b-c926-4dd7-a9f5-8d140d261a14" />
		<Keyword Index="AssetId" Term="7fc91f3b-c926-4dd7-a9f5-8d140d261a14" />
		<Keyword Index="AssetId" Term="7fc91f3b-c926-4dd7-a9f5-8d140d261a141033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7fc91f3b-c926-4dd7-a9f5-8d140d261a14" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\859ed5a8-79b6-42e9-8e70-967f8d4fd4fb.xml" RLTitle="Consolidate Servers by Retiring a Domain Controller and Removing AD DS from the Server">
		<Attr Name="assetid" Value="859ed5a8-79b6-42e9-8e70-967f8d4fd4fb" />
		<Keyword Index="AssetId" Term="859ed5a8-79b6-42e9-8e70-967f8d4fd4fb" />
		<Keyword Index="AssetId" Term="859ed5a8-79b6-42e9-8e70-967f8d4fd4fb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="859ed5a8-79b6-42e9-8e70-967f8d4fd4fb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\887e6f79-c332-4cb8-a0fe-8b5bfa2786e1.xml" RLTitle="Setting the Domain or Forest Functional Level">
		<Attr Name="assetid" Value="887e6f79-c332-4cb8-a0fe-8b5bfa2786e1" />
		<Keyword Index="AssetId" Term="887e6f79-c332-4cb8-a0fe-8b5bfa2786e1" />
		<Keyword Index="AssetId" Term="887e6f79-c332-4cb8-a0fe-8b5bfa2786e11033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="887e6f79-c332-4cb8-a0fe-8b5bfa2786e1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9539d62e-ac0c-4f30-bba7-5f5782a0cb85.xml" RLTitle="Choosing a Computer Name for the Domain Controller">
		<Attr Name="assetid" Value="9539d62e-ac0c-4f30-bba7-5f5782a0cb85" />
		<Keyword Index="AssetId" Term="9539d62e-ac0c-4f30-bba7-5f5782a0cb85" />
		<Keyword Index="AssetId" Term="9539d62e-ac0c-4f30-bba7-5f5782a0cb851033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9539d62e-ac0c-4f30-bba7-5f5782a0cb85" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9922023d-94c4-4e9b-a04e-446b5464bca5.xml" RLTitle="Creating or Updating a DNS Delegation">
		<Attr Name="assetid" Value="9922023d-94c4-4e9b-a04e-446b5464bca5" />
		<Keyword Index="AssetId" Term="9922023d-94c4-4e9b-a04e-446b5464bca5" />
		<Keyword Index="AssetId" Term="9922023d-94c4-4e9b-a04e-446b5464bca51033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9922023d-94c4-4e9b-a04e-446b5464bca5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9f4e0147-687f-46f3-9558-22b542e2c455.xml" RLTitle="Using an Answer File">
		<Attr Name="assetid" Value="9f4e0147-687f-46f3-9558-22b542e2c455" />
		<Keyword Index="AssetId" Term="9f4e0147-687f-46f3-9558-22b542e2c455" />
		<Keyword Index="AssetId" Term="9f4e0147-687f-46f3-9558-22b542e2c4551033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9f4e0147-687f-46f3-9558-22b542e2c455" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a2261e08-4875-4204-bb1e-69db914262a0.xml" RLTitle="Removing Application Directory Partitions">
		<Attr Name="assetid" Value="a2261e08-4875-4204-bb1e-69db914262a0" />
		<Keyword Index="AssetId" Term="a2261e08-4875-4204-bb1e-69db914262a0" />
		<Keyword Index="AssetId" Term="a2261e08-4875-4204-bb1e-69db914262a01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a2261e08-4875-4204-bb1e-69db914262a0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a61e3e1e-17df-45da-8aa7-8c479e835259.xml" RLTitle="Improve Security and Reduce Network Traffic for a Branch Office by Deploying an RODC">
		<Attr Name="assetid" Value="a61e3e1e-17df-45da-8aa7-8c479e835259" />
		<Keyword Index="AssetId" Term="a61e3e1e-17df-45da-8aa7-8c479e835259" />
		<Keyword Index="AssetId" Term="a61e3e1e-17df-45da-8aa7-8c479e8352591033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a61e3e1e-17df-45da-8aa7-8c479e835259" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a9a06564-b6e2-4287-8e4b-05a4a07a6bb8.xml" RLTitle="Simplify Management of User and Computer Accounts by Using Group Policy to Apply Common Configurations">
		<Attr Name="assetid" Value="a9a06564-b6e2-4287-8e4b-05a4a07a6bb8" />
		<Keyword Index="AssetId" Term="a9a06564-b6e2-4287-8e4b-05a4a07a6bb8" />
		<Keyword Index="AssetId" Term="a9a06564-b6e2-4287-8e4b-05a4a07a6bb81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a9a06564-b6e2-4287-8e4b-05a4a07a6bb8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ae51cdda-4957-43b6-8d0f-1f8c1c108af0.xml" RLTitle="Common Configurations for Active Directory Domain Services">
		<Attr Name="assetid" Value="ae51cdda-4957-43b6-8d0f-1f8c1c108af0" />
		<Keyword Index="AssetId" Term="ae51cdda-4957-43b6-8d0f-1f8c1c108af0" />
		<Keyword Index="AssetId" Term="ae51cdda-4957-43b6-8d0f-1f8c1c108af01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ae51cdda-4957-43b6-8d0f-1f8c1c108af0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c0a2bc79-a198-4fcf-a515-38484850366c.xml" RLTitle="Ensure Replication of Group Policy Objects and Network Scripts in SYSVOL by Using FRS and DFS Replication">
		<Attr Name="assetid" Value="c0a2bc79-a198-4fcf-a515-38484850366c" />
		<Keyword Index="AssetId" Term="c0a2bc79-a198-4fcf-a515-38484850366c" />
		<Keyword Index="AssetId" Term="c0a2bc79-a198-4fcf-a515-38484850366c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c0a2bc79-a198-4fcf-a515-38484850366c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ce4f829a-7b01-4b43-84a4-a896bd9bff2a.xml" RLTitle="Placing Active Directory Domain Services Files">
		<Attr Name="assetid" Value="ce4f829a-7b01-4b43-84a4-a896bd9bff2a" />
		<Keyword Index="AssetId" Term="ce4f829a-7b01-4b43-84a4-a896bd9bff2a" />
		<Keyword Index="AssetId" Term="ce4f829a-7b01-4b43-84a4-a896bd9bff2a1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ce4f829a-7b01-4b43-84a4-a896bd9bff2a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d2d11b40-f929-4abd-849e-314222a283d0.xml" RLTitle="Configuring Additional Domain Controller Options">
		<Attr Name="assetid" Value="d2d11b40-f929-4abd-849e-314222a283d0" />
		<Keyword Index="AssetId" Term="d2d11b40-f929-4abd-849e-314222a283d0" />
		<Keyword Index="AssetId" Term="d2d11b40-f929-4abd-849e-314222a283d01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d2d11b40-f929-4abd-849e-314222a283d0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d354d108-0112-4e35-8530-d90417f3d185.xml" RLTitle="Update Root Hints on the DNS Server">
		<Attr Name="assetid" Value="d354d108-0112-4e35-8530-d90417f3d185" />
		<Keyword Index="AssetId" Term="d354d108-0112-4e35-8530-d90417f3d185" />
		<Keyword Index="AssetId" Term="d354d108-0112-4e35-8530-d90417f3d1851033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d354d108-0112-4e35-8530-d90417f3d185" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\a94424e0-d4de-41f8-8893-7e8e9f465bbd.gif">
		<Keyword Index="AssetId" Term="a94424e0-d4de-41f8-8893-7e8e9f465bbd" />
	</Vtopic>
	<Vtopic Url="relatedAssets\624dd3fb-47aa-402e-87f8-773e8e9b828f.gif">
		<Keyword Index="AssetId" Term="624dd3fb-47aa-402e-87f8-773e8e9b828f" />
	</Vtopic>
	<Vtopic Url="relatedAssets\10853d03-fe57-4f44-b77f-aa7dddd20a39.gif">
		<Keyword Index="AssetId" Term="10853d03-fe57-4f44-b77f-aa7dddd20a39" />
	</Vtopic>
	<Vtopic Url="assets\e2dd91d6-441f-4175-9d1d-d152d148d73c.xml" RLTitle="Using Forwarders">
		<Attr Name="assetid" Value="e2dd91d6-441f-4175-9d1d-d152d148d73c" />
		<Keyword Index="AssetId" Term="e2dd91d6-441f-4175-9d1d-d152d148d73c" />
		<Keyword Index="AssetId" Term="e2dd91d6-441f-4175-9d1d-d152d148d73c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="Operations_Operating" />
		<Attr Name="subject_productTechnology" Value="Networking_DNS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e2dd91d6-441f-4175-9d1d-d152d148d73c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e324865f-1cbe-42ec-bf18-a220c0e26fe6.xml" RLTitle="Configure a DNS Server to Use Forwarders">
		<Attr Name="assetid" Value="e324865f-1cbe-42ec-bf18-a220c0e26fe6" />
		<Keyword Index="AssetId" Term="e324865f-1cbe-42ec-bf18-a220c0e26fe6" />
		<Keyword Index="AssetId" Term="e324865f-1cbe-42ec-bf18-a220c0e26fe61033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="Windows Longhorn Server" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="contentArea" Value="Operations_Operating" />
		<Attr Name="subject_productTechnology" Value="Networking_DNS" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e324865f-1cbe-42ec-bf18-a220c0e26fe6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e374bef1-c875-4792-b0f7-381549f53744.xml" RLTitle="Manually Configuring a DNS Server for Active Directory Domain Services Integration">
		<Attr Name="assetid" Value="e374bef1-c875-4792-b0f7-381549f53744" />
		<Keyword Index="AssetId" Term="e374bef1-c875-4792-b0f7-381549f53744" />
		<Keyword Index="AssetId" Term="e374bef1-c875-4792-b0f7-381549f537441033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e374bef1-c875-4792-b0f7-381549f53744" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e470dd1b-507b-436e-a17b-3ddcb5bb5044.xml" RLTitle="Performing a Staged Installation of a Read-Only Domain Controller">
		<Attr Name="assetid" Value="e470dd1b-507b-436e-a17b-3ddcb5bb5044" />
		<Keyword Index="AssetId" Term="e470dd1b-507b-436e-a17b-3ddcb5bb5044" />
		<Keyword Index="AssetId" Term="e470dd1b-507b-436e-a17b-3ddcb5bb50441033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e470dd1b-507b-436e-a17b-3ddcb5bb5044" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="relatedAssets\9252a22b-ed7e-41e6-94c8-8615694db76b.gif">
		<Keyword Index="AssetId" Term="9252a22b-ed7e-41e6-94c8-8615694db76b" />
	</Vtopic>
	<Vtopic Url="assets\e6e3cd78-023f-4377-952e-9cda33be0420.xml" RLTitle="Specifying Password Replication Policy">
		<Attr Name="assetid" Value="e6e3cd78-023f-4377-952e-9cda33be0420" />
		<Keyword Index="AssetId" Term="e6e3cd78-023f-4377-952e-9cda33be0420" />
		<Keyword Index="AssetId" Term="e6e3cd78-023f-4377-952e-9cda33be04201033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e6e3cd78-023f-4377-952e-9cda33be0420" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f21782b3-e3b6-4c60-a51b-9e136d6ac7e4.xml" RLTitle="Ensure That Clients Can Access Resources by Configuring Time Synchronization Throughout the Forest">
		<Attr Name="assetid" Value="f21782b3-e3b6-4c60-a51b-9e136d6ac7e4" />
		<Keyword Index="AssetId" Term="f21782b3-e3b6-4c60-a51b-9e136d6ac7e4" />
		<Keyword Index="AssetId" Term="f21782b3-e3b6-4c60-a51b-9e136d6ac7e41033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f21782b3-e3b6-4c60-a51b-9e136d6ac7e4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f7cd8568-60c6-490f-952b-7981f6b76ce0.xml" RLTitle="Optimize Resource Access or Network Utilization by Deploying an Additional Domain">
		<Attr Name="assetid" Value="f7cd8568-60c6-490f-952b-7981f6b76ce0" />
		<Keyword Index="AssetId" Term="f7cd8568-60c6-490f-952b-7981f6b76ce0" />
		<Keyword Index="AssetId" Term="f7cd8568-60c6-490f-952b-7981f6b76ce01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1763" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f7cd8568-60c6-490f-952b-7981f6b76ce0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
</VTopicSet><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpTOC>
<HelpTOC xmlns="http://schemas.microsoft.com/help/toc/2004/11" DTDVersion="1.0" Id="AD_DS_TOC" FileVersion="" LangId="1033" ParentNodeIcon="Book" PluginStyle="Hierarchical">
	<HelpTOCNode Url="mshelp://windows/?tocid=05d233e4-f78e-4240-9c68-746d658b91d1" Title="">
		<HelpTOCNode Url="mshelp://windows/?id=6dd108a2-b5a2-4b98-a67c-f654cf7d1741" Title="Active Directory Domain Services">
			<HelpTOCNode Url="mshelp://windows/?id=6b4fd0a5-62b0-4cb9-a01b-5dc21d9d8236" Title="Overview of the Active Directory Domain Services Installation Wizard" />
			<HelpTOCNode Url="mshelp://windows/?id=576d75af-26b6-4df8-903a-7579a81500d4" Title="Installing Active Directory Domain Services">
				<HelpTOCNode Url="mshelp://windows/?id=66a228ff-5c99-4ac9-928d-ba460461d3be" Title="Using Advanced Mode Installation" />
				<HelpTOCNode Url="mshelp://windows/?id=9539d62e-ac0c-4f30-bba7-5f5782a0cb85" Title="Choosing a Computer Name for the Domain Controller" />
				<HelpTOCNode Url="mshelp://windows/?id=183d02af-b5d5-4a94-bf75-213d7100aec7" Title="Configuring TCP/IP and DNS Client Settings" />
				<HelpTOCNode Url="mshelp://windows/?id=35762977-9b9e-4ef5-99be-73f6838cc158" Title="Choosing an Active Directory Domain Services Deployment Configuration" />
				<HelpTOCNode Url="mshelp://windows/?id=54462cf1-d293-436c-b396-27925e13ede2" Title="Providing Network Credentials to Install or Remove Active Directory Domain Services" />
				<HelpTOCNode Url="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0" Title="Configuring Additional Domain Controller Options" />
				<HelpTOCNode Url="mshelp://windows/?id=9922023d-94c4-4e9b-a04e-446b5464bca5" Title="Creating or Updating a DNS Delegation" />
				<HelpTOCNode Url="mshelp://windows/?id=887e6f79-c332-4cb8-a0fe-8b5bfa2786e1" Title="Setting the Domain or Forest Functional Level" />
				<HelpTOCNode Url="mshelp://windows/?id=ce4f829a-7b01-4b43-84a4-a896bd9bff2a" Title="Placing Active Directory Domain Services Files" />
				<HelpTOCNode Url="mshelp://windows/?id=66b093ee-b131-4a8d-b5bb-09c0d1f50a08" Title="Installing from Media" />
				<HelpTOCNode Url="mshelp://windows/?id=339e0997-e4a6-4deb-b00e-d46ffdc4ed78" Title="Selecting an Installation Partner for Active Directory Domain Services" />
				<HelpTOCNode Url="mshelp://windows/?id=4132ba61-18b0-4c82-bb9d-5f3c8fa9e09c" Title="Providing a Directory Services Restore Mode Administrator Password" />
				<HelpTOCNode Url="mshelp://windows/?id=9f4e0147-687f-46f3-9558-22b542e2c455" Title="Using an Answer File" />
				<HelpTOCNode Url="mshelp://windows/?id=e374bef1-c875-4792-b0f7-381549f53744" Title="Manually Configuring a DNS Server for Active Directory Domain Services Integration">
					<HelpTOCNode Url="mshelp://windows/?id=52ec32f6-5eda-4d6a-8e38-809fee243b71" Title="Understanding Forwarders" />
					<HelpTOCNode Url="mshelp://windows/?id=e2dd91d6-441f-4175-9d1d-d152d148d73c" Title="Using Forwarders" />
					<HelpTOCNode Url="mshelp://windows/?id=e324865f-1cbe-42ec-bf18-a220c0e26fe6" Title="Configure a DNS Server to Use Forwarders" />
					<HelpTOCNode Url="mshelp://windows/?id=7fc91f3b-c926-4dd7-a9f5-8d140d261a14" Title="Updating Root Hints" />
					<HelpTOCNode Url="mshelp://windows/?id=d354d108-0112-4e35-8530-d90417f3d185" Title="Update Root Hints on the DNS Server" />
					<HelpTOCNode Url="mshelp://windows/?id=3739d3bb-38d5-48da-b9bf-d80401baf053" Title="Change the Zone Type" />
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=e470dd1b-507b-436e-a17b-3ddcb5bb5044" Title="Performing a Staged Installation of a Read-Only Domain Controller">
				<HelpTOCNode Url="mshelp://windows/?id=66a228ff-5c99-4ac9-928d-ba460461d3be" Title="Using Advanced Mode Installation" />
				<HelpTOCNode Url="mshelp://windows/?id=d2d11b40-f929-4abd-849e-314222a283d0" Title="Configuring Additional Domain Controller Options" />
				<HelpTOCNode Url="mshelp://windows/?id=4cf83c2c-ecc7-4db7-b397-a2181e789b09" Title="Delegating Read-Only Domain Controller Installation and Administration" />
				<HelpTOCNode Url="mshelp://windows/?id=e6e3cd78-023f-4377-952e-9cda33be0420" Title="Specifying Password Replication Policy" />
				<HelpTOCNode Url="mshelp://windows/?id=60016765-34aa-49b3-8fea-1308ecfc0e43" Title="Selecting a Read-Only Domain Controller Account" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=528cfe92-0dd3-45bf-996c-b0ecfd1f8f37" Title="Removing Active Directory Domain Services">
				<HelpTOCNode Url="mshelp://windows/?id=54462cf1-d293-436c-b396-27925e13ede2" Title="Providing Network Credentials to Install or Remove Active Directory Domain Services" />
				<HelpTOCNode Url="mshelp://windows/?id=a2261e08-4875-4204-bb1e-69db914262a0" Title="Removing Application Directory Partitions" />
				<HelpTOCNode Url="mshelp://windows/?id=702963cf-6d46-4cf8-bc5a-1877db288a84" Title="Performing Metadata Cleanup" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=51189958-f622-49f7-b944-823d4bd1bb68" Title="Unattended Installation Return Codes" />
			<HelpTOCNode Url="mshelp://windows/?id=ae51cdda-4957-43b6-8d0f-1f8c1c108af0" Title="Common Configurations for Active Directory Domain Services">
				<HelpTOCNode Url="mshelp://windows/?id=695c2fad-f7d1-4075-8402-127581ecb172" Title="Improve Active Directory Redundancy by Adding Another Domain Controller" />
				<HelpTOCNode Url="mshelp://windows/?id=f7cd8568-60c6-490f-952b-7981f6b76ce0" Title="Optimize Resource Access or Network Utilization by Deploying an Additional Domain" />
				<HelpTOCNode Url="mshelp://windows/?id=a61e3e1e-17df-45da-8aa7-8c479e835259" Title="Improve Security and Reduce Network Traffic for a Branch Office by Deploying an RODC" />
				<HelpTOCNode Url="mshelp://windows/?id=62919f2e-6873-431b-b3da-36d27e544da9" Title="Ensure Successful Active Directory Operations by Managing Operations Master Roles" />
				<HelpTOCNode Url="mshelp://windows/?id=04516079-76bb-4def-8856-c5534c411238" Title="Optimize Network Utilization Across Geographic Locations by Adding an Active Directory Site" />
				<HelpTOCNode Url="mshelp://windows/?id=2005bba5-0ecc-4b67-8596-18bd75d57d02" Title="Share Resources with Other Forests by Creating Trust Relationships" />
				<HelpTOCNode Url="mshelp://windows/?id=29f83de8-d4d6-4db6-90bc-1741ece46aec" Title="Help Prepare for Disaster Recovery by Performing Routine Backups of the Active Directory Database" />
				<HelpTOCNode Url="mshelp://windows/?id=59840570-41e6-4eaf-ac40-0505e7765a7a" Title="Reduce Directory Size and Ensure Its Integrity and Performance by Performing Offline Defragmentation" />
				<HelpTOCNode Url="mshelp://windows/?id=5ce13491-3a1c-4935-af59-70e27dae6144" Title="Improve Resource Access Efficiency by Using Security Groups" />
				<HelpTOCNode Url="mshelp://windows/?id=09ca3b92-5e7a-4154-9d18-5be2c54b9bb7" Title="Ensure That DNS Clients Can Locate Domain Controllers by Configuring DNS Support for AD DS" />
				<HelpTOCNode Url="mshelp://windows/?id=6e082c82-6315-42be-b5a1-6f4647bfa5e8" Title="Simplify Active Directory Administration by Delegating Management of Users, Computers, and Other Network Resources" />
				<HelpTOCNode Url="mshelp://windows/?id=a9a06564-b6e2-4287-8e4b-05a4a07a6bb8" Title="Simplify Management of User and Computer Accounts by Using Group Policy to Apply Common Configurations" />
				<HelpTOCNode Url="mshelp://windows/?id=859ed5a8-79b6-42e9-8e70-967f8d4fd4fb" Title="Consolidate Servers by Retiring a Domain Controller and Removing AD DS from the Server" />
				<HelpTOCNode Url="mshelp://windows/?id=f21782b3-e3b6-4c60-a51b-9e136d6ac7e4" Title="Ensure That Clients Can Access Resources by Configuring Time Synchronization Throughout the Forest" />
				<HelpTOCNode Url="mshelp://windows/?id=4332bca8-b13f-45bc-a8a4-d22ef6f0e0b8" Title="Enable Advanced Features by Raising the Domain or Forest Functional Level" />
				<HelpTOCNode Url="mshelp://windows/?id=c0a2bc79-a198-4fcf-a515-38484850366c" Title="Ensure Replication of Group Policy Objects and Network Scripts in SYSVOL by Using FRS and DFS Replication" />
			</HelpTOCNode>
		</HelpTOCNode>
	</HelpTOCNode>
</HelpTOC><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="AssetId" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="BestBet" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="LinkTerm" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="SubjectTerm" /> Q`$:ڮ%TXJQaD	Dz<=aBkG!wu!3@@y{ř-RȶxH3ސy#%-!mvmc:צ@X2[B#V[Mf9A<nXtŒ*;*"쇟g^{ܑB HPAtXuBd>M#""P4M72%u+-6p7+ŽcI]*𽓭޽7>y-w#toO޷n{EüݛL1&={S{?oKǼϨ]P/c#a}gB!|.
{gyOwiSwr~_|#y
!WB-P4{+ݽ'
FQ~WzW!"~2SN?#k>Pg]>_E)QH]—fwc{۷8ӗ77Mc+{F{vzޢxgwﰵt޻I77{+{Q
*)[_t9_bГQ\D$"QJP('˓(IDG!:C9D:"33"2S)s71%{EB$f?jo'$^/~w(r=f]Xݿd|-L`r{NL쯉s[o!/ߛ7H۟p@/1xcGP?t&ַ$Vqx'֕RnbMo w/܉f\?@Ы;qeo8[j>ų/x!o}/qnoU␷qaW_y"KAx>B'Hz@н~ʼnT4r"
S_䚠ޗ{F2ro}#ÙT~Ov-n%|F0)&yQ*(~=]/G	< \@v.PЈX	fMg{idW+=aAIRld'Q>Q@% <AT[@9K\[O)zcʇ_XM	z=Ld2gLgp M!esOBqHK>DbBu3T@'`|n<|+W]:?,P:Ѓz[ˁ}0뵆.(ƣ
AXt!G"lC:\CX6!x6!A:CPiTCps
Xp-VA7cǜA-N{AkYC2}Ao]kw.йi@
Co_<>K.	
~[
Ce=7

.MG&EE%P%EET&E
 g+EmqV%\Q gA%(R0nKJAEs4E
֊r+W&xQ ^REz"fE
+Z(UQtPsU_Q"7iE
,X+8(WaQtxEE"L,9X,(ptYcQ (sOoLL:(2[ȩwOK2W2zc4zgլ?ν=g/LKȶN0izr_uݎ;0k*l8
9l6۠n=p
Y7ED⌇{Z(QE.Z_ދ2{UDt8[BV2
Qu?(YB!
P!QC@I
(-@j
M5DPB
(yP B
k((m@i
5PC!@]
y5P!aC@
46PB!
*l(ȳBІ
J([B!
Rm(hB چ
PC!@o
.HB
(nB
o(B
e7PC!@}4
o(B 
(hp ‡B

2p(ġB 
R(hq ƇB@q(ǡB х8PC!@I94P!C@Yt9PC!@i9P!C@y9PC!@:4P!C@t:PC!@.v@(^C!@:P!C@;P هB@;DPBj
(v@z_(!B
PC!@	ԞP@	PB ֍BN*00000000000000000000000000000000000000000000000000000000ɍJH bFD3@F d"h@ 4F D4F Dy#"Pj@$DT#"pG "p ҪFD@X"j@D@"DD@D&@*DX`Hh#"Zq ¶FD@D<@@D$@p9#5 $G"RrG 5 &G"rrG "(r *G"rG ",r .G"rG "0s 2G"2sG "4s R6G"rsG "8s G9#9#9#:#6G "Bl@$):#:9#B6G "It KG"tG "Mt<.T @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @F$?'x1+Se
o(w7}q
i=U*~*:}['yD~!>!EbD{
J"E`!'؃^@/a[ذ~'耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀耀???????????????????F#fe^8;,}x,l?```XXXXXXXX<X=bXXXXXXX/
`\ us4:Y<D dTe`dftg,t`J0
4~Fuz
5Xc[ksـ@<
j6z9Հ@nt|z<[Ϭ28X,1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C,(ɉ(((((((((((((((((((((((((((((((((((((((((((((((((((((+(g1C1C,!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!b!{2$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$J,JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJJ,1@C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1?x{r~9{a,$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$$JJ$J,J 1@C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1~@1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1c1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1cD1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1C1Cϼ1C1C2՘&3$ZϢ9X)bWU2t9i11=1˺Q6|ܱI|pΩ_9ELsOn\mK&6=i
2u꥟~zM'D-sWS?7s}/7"j?qJ/Nu%)B)Ƽc]?7Ì8)>a:C,qTg]K鲯G݊u_w$8o_
7a#)\G7,M3~1n~ XC,7aby(
@tYuCr{+
 `xEk?ߺ^^:\@7*Ϩ~sޢZl}}瞵j~jo5SR:fsU_xkH=[ޤeO}nv^kbMѡ	{Q
{ilwl^9>`vL:uDKDb+N:%-ȬE1SyEfWG.Lƺ^e"Ővi2yiq"]jѱ],L?&jvkDqS+x~)}bA"mw@ z7эh+2Pm=b2NZ>hΦ齱 ֭2[tc~ O+	U"}'4U7MVe]JZΖ{žh˹=	w@ϣH)!UAtf q6@=T5I)Ds	d=S_}>W6A_OuZ8/5tѷ0sH
՗q4ѼM +uf\&-yk^Uu Y\2@R
/pܮ$k[Z[-ZloJ{3
=za6)+jVjjJ
>Y!waAM sEvÌ9m\wcZp8]MQS&{ARc9?UPa&9eZC	|ۥzF+(|.܅Rٸk\ӓU
DAc?Fw=<yW~?%|{$	Hfa
E:T+zƸo2=]+TnAU+Afߊ'GQ
녥:_erq
RCR\gPrqhbWjA#+mZ}:rrY "vJ~Z/qO(A=A_X{%>r+{HqHKhADsZ{
T_˟u|'JD++I*\v>3%!Q0OyU+,?_hHWzVlӻ9VNLZpn۳c﨣UjZ}>}1
mJīf\eINp^M*Nxl*Px,gv>wJ	E6&#SViPQ1ֺԬҗ?"¯'~Qh浘kXm'%qs([b
:2K.δŞ6dct/4'3}ʫї>mPR2$pb=p]`MGf߄ˌi}Ce?d.A˗N\g_$)nb"3H׾]O-{W;
3!agg9v_k<PRX6DWvfn]Sf6[,+ևdYl+V
kfg_\瓲QX-Dtޚy]bFtGX./:gddmP)-
Wp/%S^^!9̥#E3ڶ!m:+\{UafMZkgaMp-.1nҙs7vdYAKj-?kr"u9hVD[^θދ/YAo`z^wzE	kVizfխ\тq1ɾ_x]|k~\^Snaw"x'Ԓ*b)Tx-r%yUSH͗=V:SR[eiIBcm{zĠ\'nr\VIJ+:k#\!S%#<G,CWϕZOd/~-yr֚;%N]Ibg˱w!jYeF`,6~brZ@zͲ+l:R>q5.Hēni.H~ oN&ԫ
OK=Os#{v6LW{_XgQ̙y=}缹tWn,rD[$Fb>F?臘B6]%~XNdm2sl8=v`	QN%Cwhrɦ֓i(sʈL#V)ǹ9c355[ry;ӏ#aky~UOu{
X7"Ħ9g+JtUg#[:~OY!EF2}lP cFZ=&Ӌ/PR<L%ajw$IR=GZ4"QU13ͺ-L&GrNF^'R2QM}d)kMvĮNq5-\wg#a?㼙s1s-R֖39EC#z,6]9<jfkyqcjT &E'\oi<hzLLbl8YZ7aY}v3s/ ltcLK{rKA/yy,c](On.O{|B8.^H$=M8"Lvѿkov+WpvOt_7Xt
;lo팡*h=]|G%UaLNUĿ?NƪNu|ԳصMG7ɾ1ǰ[|cg2Ln/.ѕC%{Ar3d9y5;[H=zUN}܆8QnDQdoWdמEeZ5
9b^OkZFrZ8;E|{l%3LK5Vr!ψ]҇dН4|t؊E^25'y[_(K>Tecd~^u_K<0Q+ԝtZ"Ϳ[v|j8:_wKqTB"
mٔ#mķnfKx!8U-Ge-zyrJ\qG^חF8$jj)V6
>U%Xʮ6b*G)9,k)^jI^	iOŧK2M-[%C2!pI,";zv=JUmb(M9O3D?C*#]nzؼhKϒ,kfg)7"&DQWlϽ@q):z5NGiJ9$
{_ȯ;ON?gZ+?P=Pș:|{9k
Xk?i*8s15l`htp9
Ͱg3Ð!}$1./Ŗ08g*ziVoLѭe\%FGyr0WuԬqzDomց]^pR/2+[łn	*a7h`	Ne᪒ŋ 6IFV}ۥ=mq6I+✊{KQdfzetwbO8|)#f`"am|&O#˱Tf>i$
ggb,b%w:$˜o'A^|Z_Dl:[W{L05/qcw[J=XUV}JM'lUU##_T]Ǟg;o?^-i^_eYL\=D[RZ*0{=Dl8d4rj+#\k<<恫*ʩ~S#_9hzB}]ޥtfm%%۔6yX9DcKm
D{w*ίnBW}ݵPf@d\a5Ռ9ʌTj,L027M}=~b~D3]6[Q7j~ꊶk7K&Uކe熓+jZuGvUgAabC%mW?%S*>+oLze}\[!fY+԰ř'8G6 mvƶ]^x;T0?߅gV-z$lKν5St7ԹZN^Qܷcbewd]4x

^u.Bdɽ$v+ȱW#t4}FnadKJ'{MMC%딫Xi|ܒJSztGYɢa
O4s?o2+˾0R/Tz{nGۺٮxj0GhS~B(ͲKIXxY^TGh^LX*~]r|Q٭RBx.oa|79jH2M<yFc䩝	fkX^֯6HwsJGgвggLdPVzY+ɋezK9|vT|q$uZ(:S܍Jח
q{>UGqRM:P<U2PYH&1=\8IH/رT"B特זS&ުZ9|%2pԪ\#U9Ҽ3jEiwUS9#|
Ѩ~LCwc?nAE
Nwl?gіpb(1+.F9L͌Ӿ}*ydYvgd0-8IkQFO,`ƞfTgK3l}7h"ƺZdGEsLY?'0"brWvF7&U,)fONYi44qZ#tvHsRZ5+q5! ܉%˯(h$6ZtEHD	o[w
gc	?2I#i;o#K4
Gc2˦<]|$woD=K\{c{R?C?]g2|[<k_aχ%I<'6
aذ6l
Æal6
aذ6l
ÆaOR<,n9]rC^yqdjZ)]g5tj6.իw)&d_f՚[>q(r*ўя-sm`fפZ<<C
˕c]ض~#̬ٳ{$R%:YKިC,)cژ.ݔy$&ZvD8QOsr67e%:vCTcy+J9:pQwrk"δ]mao]JU_g>\el>ߞ!\vzƂo
/DbQꐐn#sm*P}M^1̟!tp7g*'	$s6}{f!XƱQ	+ZzmI*XY&}g׵|=Fgd8N~f2ÉY
WeJoǖx$>+Vu3<ύViZ^[Am%EжA{*S/-4UޛW&jYjĤcZ]i<on11׏hɼ>|V}aI-נ8ʸ<
S^f
o+~Ew7oJc-rSaB|9U
ח\nh%܃%:cջdN(GK4zƆGsdт',i
abDqkfc")$vGmwTqyWc`q4$XC,8T1%uӝř!DC<f^/3M*k淊uAτ?~(V2IzVjL)j\83ۭL#qHXF;z=?ȻʥȋXyVwLUVZmu+Lq8G(J*b^&7npGws"a򠯹17s0}$=Upy"yz[!eR;jFq(3sg{0y\jQmsXkث̦a]cW<WkȘs}??MU%
\e춗]{Iʷi$c=OK`.zփd,֏M,3Dok,wj
XV6	Ėlv7"xr5i]`qj&b=TRG[`#T=-bGoI䏋Eq)KsꞨkH,C
QciԺ={Bɓ-8ջ?>\ӵG\c:4Ѵ{DA.h=ļK~#Zm'i^W!>?BlBۋ[sֈv]6漢k3*?O;(!Ps{"]ksXdR,r>(q݆NH.~Ig1=[g]]X|l*
U|G_e.m}P7󜼊zԱM@cYUC˹W?`Sr*Yٲͬ߱wsgN[tCǧ[46Iw3
I3Ub$V\QͩJڭEY=.rNdq|]ߩ&D1qfen(!emb4EK%}-z"lD.:
람:ďo҉J2ΉsjfvT7P:#
m1fִmVVY虗	Q(e+~vV-'Y^K.J>7*N3=lcgvǪ|-fsswdP5]f4Vaaަc)F#\APÜ0^l>F_(Q!xi@_|b*Nvjܫ麪nSoՉq-rQS`їrS;%A'錸,5݊w<zi|3dS=-sΒ,rzZ#̬t7&˜3a
q~?[=S^'.Zcև3~eǫRkfSjhO(nަtshZ9Ǘ
2b))igcf0(.qk槛t
iF<D.
6WuY)뗹Ii{nJvo_v[Z߇f*q4׌AsG,\٫7=]+#ze-=DiTU*UWsL)3aQ;df.Z@oNkaUgcSR[l%4ȝkDUk_L	u3>DZnQYu#[IG5Y.Z֔1LӤ6Çg֪Ѹ&j< ]eY^gחWU<^<z}RkvmY#pIZcl,\ydgKG[MSuH5joW筕SOF(8	G1f2߲¸uPXł;SqVZ@:~uFt,D쒊ݘa0 PH#huEWwjE`fkw,Qk-7]j4Y:~cuY%4Pv!+uY¢e.lQ9=Օo-6\-PS4W'(KgQS?d!O,rb
*G.D3+뚦k%m[Fܧ6	`;ؼvgY4Y,!PS*=bY7`"UctZ::A^Tecv= 0(aeШcn|,/z{_{,w&ub޾ejj=SA*"~&	7
co:Mdo%
B;M_dQoekz|C;OgpPzq[;"r_2/t+DK]|%FStoFIM/׿nxQ#(ߧ<F{k3".uLSͰ9)W͜F9n:g=7we@IݫۓӳsI
%6|uea		3Y-s_}¸JGڗmIj'$'MLho<3[zǓCm=a!+{ޣӽeNa U.zsê- ǰ+o6b)];2s6ϱ!x7cS:Θݥ+KFgd\yJCjuw^nnʐΊ=$MM;ơQ-77xef	}#ijѸ(W53;528#^1/M0ɶP2Zյ@L^;Yr*-|,JWe7)V#Lx
yEYf(tT%FQn1F_"Ί׿U=*LiZgS*gΊ(晿;GrmdD,l=sQ4w#Mq~nhP~yV/a^ISMׯ6DmdƋUL~#+tx8U΋Irt[O1S^΢
.-HJ졳yn3	o~Z_5{GԚ4bī98/)o	7HSRa^մ׏_?HNh]}QMߝ}3=c^
JdKϞʂ~tc_G'L	_w%b7l!>fOQK8|BA3x[!=?\dU&҈X:bcF3{BBZGAVͅ4IE>ʓkgeMy5R
?l]$.%\Ȕ^|aƎ
EӴ8"|q)^5iUzM^b-&kk
65[}{xSք	l=kG[F:=Hs֩U[S7vc.n<.BklDk\ob>xWYYi7EWJm
w;|MG?+I2a^Mq_"o&+AqiJ[*#oSRB1%阳nugxDr;/~+Ws0Whw^6L{R*7WuhyhxOZfL%gU!Lp{w\Ѩg"I[2<6_>Ƹp]Bfܯ%Cu]yh)y$\ڞ%s
Qʵ)U3GI08ڢotW"lrv'
jZ/s}m'O-޼y|g
ߺd9klJ&nsJɹT+QDy3ZjVDRJ`xO;g^و-:T3NW?,ˑ4H5-e5N9n#:i01l3
$O8za1~!؟d-a.zf({9<UT:6XHZ|e}Q/zS|uel4ף>4ØXKGIyf]D<zƜm
SdP~cYp[nD(Rj	Yɽ	KTرUڃCD0i׶`KeƤ?J^mъ3
%"Nܡ蠔W{uhG1PFq&6֠xmMt.tɬ]N1B>1Y-օ9`٘zZtޜN\[%*b4:'V`Ka_q1ܪ[zcα|&^g${IkOmM5羝X4vi;2rnk
-}*
Uc!y=UA#j)0/
x{1ʇXȳ)]4/Q.EM]"9p$Luȑ0'dFy#ht<K^yoHq}.e6MԷ=3*@ʔiAaIt܅`'pg/pC퟇}dDRzbbZ:W>Ƭ2<"y"^z"kqر*l<% kss3%F`
&fQMוr7WWVly<(*q`4R3&n+f/.ϸp5;]xK\"Gw#.~EdX<t^δEgL
[gH%HzJܝ#wBd
jtPG뫀sHZIx$;>?-:7.'ɬ䪹!b24*֕D)JJZ'

-t:`LL٥\JM#-jrkf$flFpݍx-HEK@FYtGxwr~)cH<N%{=wzŎ1D@('~Ǩ=	GKdȅ0rWjRM "cBfM9nIb+.?4
wLT&/4Z9?^t..mK
3
L!_by'q5f6mP!SUoBwĔL<.f(~'t`|wvmAeZxLBD7;
!L0-2GR=]od_oS95l:߷]4¶>r@U4"I.]njȄH	`{MgUj
b"9n'sR{"~:~ԯݪ*{;䨎À!jl1tq)h<}KIF9|fO”aL/kߵgAyX[)!Itŕv!X=KIH|*$ee>;-G㴅|3? ^]oagX\R9"KxoD)}do)}hBZ]#$9j0{Yl*!ԮL1FrO5m}ّ!	wueh^5u>˻H&/'[5dg0fU
tsoS*	U2EE_v3?WBY7GķۑfPKgW/H3ZK2#k<GcV|Z8`̌ ^<W)ev/޷pJ-7*4z̥Uc	a.ɦp{TdJ(SYt쇛sK?Eqj>0Ge{y£GE1 ?#,/mIT;.wc⸓-C*zE_PTm7jNiz0ojz-$ꉝ#LTqKKV9w'u9<yzXI,章wۚqԖRS?0d&gWhw˲K⡷4"H8nr-9^ab=qTl?o3z]b)%`9mˁ꺊˳s,&OV퍺g
y>x)NFfLH]d{4]HBE:pͯ>֜0z2e4AߨXl?QS2>~ݻ4a}OS`9Vy%Gz$1>
A룐Xk=ʴW2uDǡ}>ʤ
41~2zW2)=iq6[4Td\e?v=sfy/{ҽ8VQoG68ol~|Q(X0K5b9czJ>OY9?͞5;;5X+w}wǕY-&-{\H3ΎO_>6'SmiS8yn
Lj*yV139<䌐#f
7ޢd%2t]g:1w&B\Ç*Q>nbZ"CV
#[E8/{>K׭!ssF/m\_j+ԖhVQo!ܡr";).^yf"l3$x=3;clJ	g6J%E~tCUӵ:Qq39$Gf#sm(6k~=7<#E`#OHᆔ8}]0<nQMDν㑓`qfd,Wx9[|'ZOQj]k3BJcR苮$9\_v61ɵUlB$qbos6˕DnTOL{p_s#߻N)M5e~"&9f SJ|!c"VUlc^cũD\		Z~5iUQiu8xt~Cc._fE4ckߧU
phf&PuUʛF89~_tțR<.m;;'dEGkJm5͵ESsmjneW;[_w%ᴖmΡ ~($`Qiy'JpB;Zz]m%ʥ$cc8a|"Ͼ=ky8Q;hΣzJqC-D3~884ղo{\9sk6ȗҾ2	Oٕ|JE?C)L˔.Ǘ^>ߝ]/>G~=q%#z/z&~jVf]K5q}%ffu߷ϕӪYTF_UeYWxp.j*nhյܜA*H,֡	$_3|
ڇKv"d\cRHK9Ž189<$~TC|B~[w^:; [W)wRM	V'6t~tׇޥa}]lS2Hۼws\RMK3>fcu0ov/	pӢkZ
xL/%Z嶖w?F6SfNu͚ ҿ$≋rQ~Hi:4̝4|>x
;.@P.ˍ^U3a>7AW*I|XTp r?\&^jUψW`WiaZQ/#$=[>s3hen׊bK]{J5wMUmkd;)bVGEmq$ƈOEU;,#&/w^Go'OEB$zOʮ$ª <)OKZmzV[Vl3rtMI
x.hON:i͚}?<|gHiz)||{@m5}`V%	(j0T(?<
~Jf߇
͆]+~dsF?xw0+J#'?&E3#rM]+?;o
jAWvt~5'@Q8*y~v;OZ֌h{MIC<(;iBRQ&up}Ky٭Q?0TϦtctuS:"=SiꍥI1z1m:MKp}40n;#VRҩgCGˑo& ^Ϫ*vfUt􅩾99;%P9F\ZHZgdkӍ*]d1t.N3ѳ=ʴ9
6&kͣdNؕuf++fQH\^=<8V9|f\o*Rl7oi4{JsYNB=T6]XW=%<$,GPvԼ߰7`/	S﹬Ӿ$ٳn	3<;GldJG'X;֑dïH$kKCqCȅwJ5KUo|qInZbKNnY&x{qx*7)Ypi2l^zpqbinyO38&u!	[{ez%])f7
v¸aSZzP둪~}icҼr\7eJD'٭gc[5=&VZVu¥9R
N^$븤-6|Ec5Bn`(C}wnx0"#]w}+<kL[D?~e/|3/lcrsd$}#ڧXc݇>{J<N%3}j'CЛ]lO}	fahɏ빚L&:wKiBO
JvQ%9jBSt&rip;M_uf,g؉,{*wྑj?5창,sYg.;N3yrUE\[H]?L]c:WjfR)ܻ9`y:8_CytIV{3xfx-d>d$G}O6TxPcx<f>
̳{6PGQvʋt7ej`RsSmVaÏV~MZNU4+C^Z"B7jeK*:*_SgTt};M&&#w⼟R*E4#3_3 &	%KNeHcdMS[Dba`tMӒ\0\fL4;n92~△Z+&LOV5mᝫLڏт?t9^:o]$[AJqĵIgx._RQ5`jzcg.zLb̚px.IVEE)Ke>tx̀}4bZFz4+>x[ۧ6CLn"p$x#b#n{M7{ϔAOOԨAL_
ݻ	ڨwl~]%L|iQF>JbLh!nTkŸfggG8'ܑgkՠQBi7vB([lVkrmYVWx6="v_|=9–jy_j-[0@:^wPC|;ε`(͠ˣTׯ|]
UXwGXaG3ǟQ#K8}*3vVrqþ}BP6y,Iz/Hk.scqrԣG0N+0_Hjf.Õy3`;ڻ>y}+k'Pyjd}ct{TtN4,5m;2!s~rX۷,cԄ*Ky^}/w.L2j:nȺҚ$E4"{.خ?U
$ϧoG'3	‰hw~cԹzyl]z|do	
b}mM#Yjݶ,5ɪt'}^Mx[yԕ_x1BT]ξ팻r/m˫۔GˎbտǑ,|(?;U|m}鳖'aJɳ:G746nk_abQot=<gi
ut%˨q:گ&BbڼwZO?Wwa
g_DJOOswlX8Bwf()?^<aF76֋gȷSHjg?pw8?%Y,Q+PFṢ!_zWȣw|^1~ۻ4&Mp"d^_曭jjUyi
U\m^shaaZ'x芾ݾ0I`lߨob@hu!xm/xΏƻY@MA=qYyRǕ5!W3:>oź]a%@7xӭʾ{5G>7;T5U('I9=a~o'q2kn
B|'sc۫^Yo)l^KDӨBuc|7@BwD6t)F}|W=8Qug"ssiu1~"U
=uzћtf޻aTt
C׆q2|:p7Qg>\g-?C!{-E>IċfqO0.+Оw=`^/#G>َm qVp33":D`=x̕'"q.ݢ".qZxL+LW>RW3v~ǐP
8/~xs''pm3Puד;n&6h\/yNxQɉɜaaD\	_@zGz-i%lfLnޑ2}	p%}qo''μ~$py<+;=/ј=$gΧDY4E}])>
q{4}5^8
N5ġqѳ>ô
//.e͔)}E
G2O e!Ifzwm!*Ku>Kڌ{?0/	'l^05@
/D
R<_ޢn!\b5Q.?PfXxU+V׀^GgsO	'r2}C%uUK=Ї
T"}f͛Ƕ<x>ͩVrphI4e^Qթ#	,v?mºue3XE˟9(ϞxDE_Li-YɶU9ݷEDoG=.L',]Ͱ9|z-Z=`HxķǢg[z#Lm"'vX;G-,ܬSۦw+ac8N}Tk2~-ekD5YFFqJ
Ic/"9<1vOr㻲{5m$EDToaIiT1yf[zT"6^f}cǚQ RύT8GVfsy:Ϗ5iQ,eGO;'w:rܔfDZ^67j1PZW&i^	ZR)cwnBq(R^U֡N,n݅r=P(Dù
y%5ֆA/W&kw&y/xR;[dncždP^j?QNCPعtȆcOP'۩T{L"Qr52Fqtkhk*r+&Ȅ+9OuV,=(./Ӎf!Ný>曞.1ҋ$ˆu
buuKUrƊҤmFr'/N|ԞJ
!pSkڨK|kQSŽH5ߏM  oA0W630aT/swzt
jZ/zEvӝhH%{2z\ߒNRԓx65kM)̘v]0VcFYE`]Q[r=Xlg.yE<"WX㦝EٽTE!:Jd9oŬh2S-k_`_?w~eqh}grD<!]}v Om.:"g~\ؾ@帔W¯V~'jHGvV;*ILD{;RV6˹jŰ]LkX,"2QԉUMut]pEl
q;4˰aJYqԉڊTJd/6OYQ\E­ղm"vWke]TbEmO֚Qh}zKBL
S}Ǻ0ϼI5ڳ^ֲ_.^(
ҟ6cu"_~vH[H<gK͘Ce{ThwVBT# g	*ф^ǡQ-5|Bf,]*5~qa6}6,Ÿ*RwyfO#09:Ubv^5%~{Ѷ@C͒YBDIMCt͢Ѳr4/30[1kc*qltSZ7ʅz6em8
*^xf4Cn]W!!z&^nrs<V8i8iσsp69t5QPkw!tȏZ[wR-..(XovOQJ|NT.Uɬ;ʛ.0=Z]&v%:yYqhz(eXyzd[rQa#Z_t\͚+=3ro7XV~>^aloh\;	g\4j|qtˁ\e-rQ]B݃7+y:Z.!Ik(!6S˚g'j`6N5IBLٵnC!0Va\MʴcudkOCKܞpu<Z;gjElmDb	lbiBBZ%êK얻&])Ig5IeNMy.º	<CL>>	ٯq<fHav&G6[={F!Jj|tcʧ\JI<O-sN%D95a~qE#܁}cuKXϮ{sN(3Zb
T% u	~ğTu<"[VD=}dհ"|>FGde~|ҒỲ	$Vrd;_6r<06ky^7~T1Miڸu݄!{>Qaf6ilNVs`Qji[k]ajRm5_³ee.8J^d[AV[pF}{">jcλ\;0R+ٛh)޳vm̫mYЋ0J͂ݻeZmwf)qMq{dW䧒ɟ䴙ܗBLy9/	⢾0W}"TF}7s0F*]u^|c\MӑR\3?~TB-kf)(^>3cZ[ӅXzt,nbT֌X>#[#GHk[mMiލ,]ȘytjTU>ԠS1G1fZPxe^ʉ™1=Ӹ?y]KcXu;OVY+"cV7ثJq^"Uȫkg~>tjx哕#6o'y	Xb/N,AJO"ico5_Xateq}dӠ?:QyO^,Fȳq[WB¬\{Rdzw.Mt괪
E@vvό;j*yq„FմH*vmFUzuRcr5yz|I0C;TFڧ❟:Xl^B717v4ёRJuZ/.H[ۮJk.d,CI5GwB|0
-~_k-K[~B/.<\~
EO"Wvi񩭴5Gl13ǖn8CͽͨCN+ґiN+d|).d}UO>9~~c|1?W0l>fN&'&jű)W~k0;>xZeܝȮ""_˪lXSsy/dW33ZN%E^RezzavQ][Nط*2o4M<#5	
)^ziYأ(3ͱt}u{
]es[f:1z.Xm|^FK5:1*{Yx̕f_3.ovn0-u:Dhqݸ)xa7qEE\K&Φ]c>7]u_A=
7Í6ծrRS7DڅѢz8WKFrKdVOnS!꿆sYZ{gř~?L؞jSU"dql?zf|^g~{Z]5x)*=;Q|Uݢy֧l{3q<w=K_5򀂾s/}w1<wc'=CE<i{zrȗO?'wl{1KBhA|oǗц=K}zj֙y.[zfׂ.j?VEK*2WImMd1$rRSKF}<jrjfbA#E"hh+%'*DRep/}hmӫ=Ru9BH<^/	~_p=3g|a>G>oRdeԳzR]fԓ6n}׾C"JoܾjV#b_uR#[^d[HM'ilsKͳn44^
^6ݵIMuU2Qբ-+n\.Íhxa`Tk7obd`F٧뼚.\=OK8K^֖uY&s:f|݇Ͷ3ZU&߲/Cz=5"i	#N>ɞIS洤%ޘ;*%^RtٟksfNgsqƤ޷<+Ox9^K,mշ$-\Og
|UWu1_XΓbELcoW9a0 :fXϪs 7l,ڻ'q`ZRԩx~s!NӗQIjZլ6${ݯӕ$@r<5aͲ]'߈4m~!9k55rP(k"G^VZf^LѡQe4w1\6])R˛õ1:_/>~.
ApϲBeR_E0	I7Ԍ3޾#<tZ闇n%jflnj°r>}ϠML)D{M?I}"r}#7›5b"qڔZ&ng̗o*9e+'v_	T=	&!Lo.֯oѹOyWpʝ闼8q4|QymǵF2)[0P~>U?N\B8i@O{TƧɠʄGz-ZZꮎ?_Һa#sTͧƓh?ӚBne/Ĉy844ehZ	jU0Yk4-+H;]%E%n;<Jm/юЮ&K%:Xfj$ 0[#-}RTNR2͔޶gONa~7P/aPIq~BbR>#iy'PgNk8UkKjo'O7$a܉C)&}{LV7Dj^Jl֩nNuJu1s%Ƥ^ugfڽ"Dƒ*βlDeˊ5mT\/_,S]g(Rplʕ<%E>HRS5Nh#{V#[3vU.llݓQ
#_7fsRtCh֞(.еOw5L(.;
\HaP<;Q)fnw|c_gg_
ƽkXkASε`lyl4`]m5a~<Sk$Pk<BnG~ȳ4^:˹*:3bSڭ"DrX\uK}]-ƌF8xR9{}BNu|e\Q4!#-3>؅sA޿hcF>]>v	Od	#+4Ī,UVY.JgBdzz%ZdzF]1TqQQut,'?Ь|co:p.c6UPWFy7]f7NmV
7ş65@;xR;6jƌ[EL{8יlyσ|J'>AFnU#T3|Dҫ{(	瞓GXmVþj9*3»2ض$rd)N
VHb'Yy(k;A-b҆`zM6LNWΗ0V~/ݚkB[rfu¿BDQy[*hDvήU
n1]T,ʋ<<w?Ҳ GJ/(?Uc޳z!~݀hi<BV#kF=ZvMQ\Kga"ZVkc^I;#ul-]$ߞ#E/Sn;
ǒ.QD~3޿RrePyBۈG"Xxfܔզ4-))g&˪Ďic*Z}Ϣ:v[YDѧ|Yģ%rE.il8K\4eUz+ÚǵחSԙ59k}gn)h鶸5#I~}|޽`LKGT9\@Ռԟ6ES7迻`_?_EU5\c}X+(RyǗĻsDqô#t+D`u%=t0k2ELSeB33SRJvo/X[yr
̍Mυ7_].k_|.d??{1lǘ1?7;(؞܊N}jsHy'^9K+ekfuv.OSҟ3CqL~G󧺌Vߘn26gخ1J|9R7NmQ:YH-U|%,MG:9٧awl5ȍ;e7th35t6Һ;!GI+|UտhD)b5$S37UQ
{OGvp]v)BLz~o?5HY~5|Yϻ_Ng;sT9>!edf>}>oa\{kƻ;s`<Euؘj}PӻUUj~8UaF{8L5ԏNk2gw]r;njq^yf_%3#F\wɫ)?{Sp]JI19nKN]i?iutm0FXc?YWQgSHv@3@d{r,83D_aѵ("njuTNS%1GfSCl):LfAnNkL4o+\ڶ~H.Mmٛ!rb:ҸԗT =b[llWL(^eHj4!Nޥmn䯂GL̨5wzY]` bէWY,kOEu.It\׀ԝN_Յ<>'ҕ	z[f|)[	i+cVix߳fngzc&<
cr5s[+3CO
vM᎟KE+kU9xD;N3eH֣[aJ|#DzW{DJEhHо87̑v-[?*!~gլZ`^<Q3fO}rZ]0IŬ//a`D>Hmʨ>SNGn:w:Y/-ߙN_Gs3#=܉0ݐ:Xo8jv#^W1zڧ5aۮnMnLެszxq7Wnj*LpQ8%Ϲ&id7io|~b`̭;65V"6=,S5G}qhs@>%nNu*4Mi=HG5z6wiAM
rg6vbj#io≔D(_vu&Kf)WL3eDꇅpǶzYRjX&qM߭g[Q}K[̫CxїV_
+ɣ6)IG<n8,oCYBsfwRc^إzy/>s
_4~ |bHeg_O%Z=dѣ&dSIlǮ\x쭦SkKt󹭆,-X
=]rZo*_V8[De&3\F|f#׎vLG)KF2uGT`9zQ4Q+$ԅ?E`qqxq˗y91V~+C1*զPm6-CN-҅aHV6BoOXNN&%	Si>B0AŰE$@x9dU9J/[35-וD_#7-
e77mqrW<6<5&[3u*HcB2VyPHū[S5<BV)8c;Hփ@}[;RY<6Нj5ŅBRsQynfR2j FZ
߈#ЎGVM,YwE^7E?xz.x,~}W2uJq1wix{g72mmCFv팶9Y\*g3?EAJ1yOuEHR2<EiWI,%12vΩn<ϠDŽg[}挡$筑B^ׂxź㲶)lEcnCX!L?NmCQXb

#nLwd'MKV>p:pta׿\TG=xC:ս"1[oAϫuu0׾[f]syIN%זkFuLjK
شrV\]Fn-Ȏ
aTV5,K/[*<lyߝ3hjUrΠ|bgKqaR5=|ܙ[FSL&s]]tTͣ4u>㜉(hbGl:RmŶeR$i[Eܬe\5,hn?nUҚ7hzΑXqrco)d\<{?x!Yw?%ܓDgݶmx
dY`sbKSwYಅͬtekwuz>hE*]u:toH3bŦ-wSvcٸз07Ώcm$tM1זVb
-ҎS>t*Iڣ_f~XNOzvMC㊉؞tҍ.Ӿma"sGa	5ۘ;?=TVs
 {Z>!CqƞQKKiNh]Қ5E`:+TqzA䘊wݵ̤fYjEmWӶrbũ!૰:ݶ/٘
k1efۓҫ$K>Ϭ-o3EG[v|HԺ
zܪQW$36_\u+ӧ-#uvHv~X#+εܺA%lI
47qsݼ)4I8EntjciM
6Y5d5US_xG噵B[G"Ni3$oM[SlEkJ^%o"M--lU֭WvEV3ډł%Ij+*Lܻ(Goƙ)Xs6nf^XL79)Ym=~>O阱J?:lS6aHanz34(vk6g˴Ya63m%)qIOV\3qal&YL榔9#gh!d}#]ju:2UjH_\KUGNQ<gHqf$o
F2J?G}PJlpЎOb}j	ZU݌@	
jD8^F#7aUۄO͎1_"Yd'ʶ4ݼX7Y@M/Zܜ|m3e:T>vGRwiWsT`'C?snH84iYP~y_ASQRzg:)]<Rn<k6we֤M}2lbiKjf3mrme;l!RuL%ISx%vWY˙9SRφa]Zn(֖'>M O7շ2z"	:uReo	5(:*fMp95c&jֵ_Qq`VgåRQV>r5)IOWIDn6g8ҝƫ1nRIRL6enjfgrLLp2=ڎ~̻vXaTTWZ,H~Dxzbحr{.o^?/)
n
,dI^WZ?MbtG_aǹ򕎶tԱeW#KbU_SŎncU/R
+ ArꙅmXիa_{ht[JO_xXD5/(,*ss5ӳj{kΔJچv,zX$^{6ͷO"
r]Ѯ֍b
0ݖWZͷh/%A#Z	
w`1z\,+oZF	{.LvZ<|+cفBkW+Xgç[N7Y=eK#!)%G&PG' 
 @PH:Cj!b|
rPb:Q8X`˴15AD19J._(<7$zGݖն8z]ߣ	"U---.8{eG55Ye~MUP|1!YA5kZzjVZV/oEvC
uǨa`*dsnk?7zUז-fv1F]6[@Ƣ#Ҭ/	<ґcڐ.ObM+߹V:VW.̑ݮgpTNbB>])'>?5C<_z~y37ZC?tz,:٫H~go%]
QAfP/3Q{Ss0\g?e^5Drekj6􁞯lEwo^MVM6^9dtpB"Qf&-Mk1D'W~Z"ILWL"[͜jy]*nEdɵ,'\YLWmJov\ڕ)6
)jKLn#nӸ8dMcع/MO绋ۥ׶siNuoyK&)}
wpe:}ou}}hWW"?'Q'c	;yIBT =W#?*w2}U͓Rŀ}cHEb_]/km۵JB~k٧{mMn'CyU%YuYwDTi\I|]\Zm]<Τ?O"uwґsD&h<_
erisi[;6m$t$}fNsHa捹ԭ]u6kqWI7WW f"-bC֍fsk@-#/Whg'˺f`$A2[P0Et#6Z%"]Q¢+_NLcկ*қS+(/ke؉-2A_%3n	35|NʿZgk	[{^H9IG2oȭ]+V|jd>D`kLjj|1<~"TyE+~*Y97T;hY6(.يZY?Xh\iek(sc^Wbc3*1/?d*V}ʥ4]>Yüo!QWbbvcߣX99A$1dl?cw5ՙƙ7ͫDv)Ǖ*BߝfbXkl,"|칚f|34pݱ.i8R6i%dX#H1
Xf[PˎSjYEsğ/,uЛ]%WsNwsHG2l\v9JD$!{-$	7b~L˛=O
r޴d36訒bɘ>tdbXc_lmkbx@'$23XVfʕfriwfgx&NS<q^uiFɭhߗ{CbJuig~]R6=nrȁXv*ist&=̍o|WvQyf3j֌۸k|iD>Уf7QHUd@M.R-.>dҲ5c+5"~e_GS>.]m0/WJ"#3=u.kcx
<?x2;eKҦE'=	>៮բlVݱ=+F_m<|q$M?/}VIWmFIqe&7޹lڪ2wSLR2wˬEP> 3Lȕi6Ⱦ=Lol7L>R[_90?ռM,)$BnTԒW?]
oSSxm>^4dZ"żH?-Oj֥MZ*5
dZL5|j9t(jŹ9>ÆNi*FTKaЈަON\U6\:ݤRHV!eŅRBi0O'S)ȴ׺keT2m.}J6l_#/4b%M&Р#0}>."Xh-~/b-~oL=|'~~S¸C^8.\DӱҏQO	Z%Y3L;cl[6ʆ	Gr2uxYHW?h>;kyS,/o6zMEe[[m4ݤ^ɗjtJ꽧Xo\Y)}Nc2t;'cIYZ>gkֳ0s##ӲɥM~]aKT@;ϥ]DK^ts:D$P/ӑx⢹|Z)'}Eq@2J^;]nf2ɢٝK,q)ݙhZkƭ$֯:=8~OSӭ=_L:x6F.$ݖ
څ#TS6WA[Ē4!ՓKT&߅mЈ/k`qwOy!0ʤ+f[NGN|~_&'|Í_N>}W|"Al0sjbJHl/v^,y̋">d1YUS|^rm=.)d9#W*?[
xBQSz?sY_Z*j,,>AcOi6
Wj:uW+a#ȃEYwMbh
RH俌X;BGx3	?.?5K0Z3ȒI!=yjÚ/~ėj	H!BsK*QlUG<J-f-=^PݔuYʘ*]8bOmMCd˹*;ZZ•:;ӌ͕#sWt5xTȾs𻼡wsK-JfWD\-g%x+ߙ#w{+JʬatC7#3=3׆m9}$[ST|(%er:T8X嶑gckY窹C4<uWl꛻x{C5e᭏pPhU<x	kxS5ؐt0s-ub.yvA VA]?ՎLZ#"{D2pyG`o{Esb8E*ȕ˛ֶG;ydGj+<wO?_Y"32i-:n<	Zv8'L}&:1نtsޭ	OH[1\6\\[^>r=fh[s/
q+uIi[֨H;$$WGj xz\>?QlOʑK&NϢïaq9ٯFo6'K;T?o+=H]#__xFe+#Pt_*(,<6rZl:XDxkFVo#W%'aٽ<8=<ZabhWյRժtccwf.no\:$Glc+Z+?qiKH>iW
2r'788g#g'?Z2em7Gt~)cb^XS~bL岓s#;Vňt*TmdZ,KYǢ:3q)M^J=㌎([vy&M)Ϝu[uņ";
>n>rekaڞ!B0g;&?SB_=Qhhc9|gWڡ|NcԥG\-VHhTveWI\0՚ob7/'#b;5Hvmn@Q>	!HbQt4NuTNQvz{;'zu^>Tv:BF}dڹ~ʱ`=8=U
'x^m`3{isMJ9)mb1vWS
Z'篇~[x8~‚ȵSPQrg՟l$ak<@> 3oo3-e%א!Zee7G(>*|O_޶Y~g}=(L7,Tm"-FA_L(&ORdo˕>5jn)5^=jO;1)ߘ2UX/M!ifLTGL6.Bu^44+v&QVu
*YXwڣT:gye!)v?KORNzsBڅsa)dF薊aI}usDL!x`O&"ZίBd5WujwWTy1YJne+_jCH
H/nPi?TƋߏ>/C*MJtUt4^^JyiXСu녮SI?B{I~1	oF-3?g|6ݗeJis=FͺXX.n}a"ýΤ:Ms(G'xb۽^
RNa1`I!XBWtK
W]
JHQ;$v;_1lDyxFIuIJGrxa٧(Tx$XRrvRquiEN-RoY%qߖBD3DDݪQr$` 8pB_!3lC jp`1:w8uPB[#{VO@ Jq^\so9SLO#V3`4kw6T3|&(t[5W
H2sTK[͑&ݽ>I.v3sUӰ]DL
Б6v{yo3z2aYkOm+١rW/DZ6wt:)٨XO7qk
ȩZg7n|NA0!-AA>;|eʝ6uO`#z^DKɧ})`֏BS|7'/uqɞ_(ViG@~:Mvz9~F{&]iL?t(IE*&%ks|w+}d
){;^{R އ1ak}E|+[Tr[_$i2βy[
c;LӬEܖEG{ Zrە"՝0_(}1XIqCcA+TOrW/NLs¦}}.<r<	i9j.$EYgJLwF9cfW9^=%D>`?\)پʭi AReogjcU#{_B`)뇯oƄ	XOɺzgPФ⩧05♰I~}GAWVOps;)=.E9[%v; 1j&G
Η!~\I/Dna[#vl]3FF07ܟ`G_7;sB \+q뉫:My~u~7V]AUq{íFP.F硒e,8VUPWY+e1Ԉ:ˎs52
Xw~H$иgv껶S#٬ؑ駭 [7[
kCS~[^=wƥ8¹z5om̾0/͍;=Zkz]7izװзo~4-=}~@j"sZrfs|_mk`QBgp3#[gg9JRΐ5Byq) sx[<\^M,=Tk
˕734[uhv!2\wl~Grmg*^;NYݦ~ە$O2%Gu=#
Oh8gg޻7/o~vDrR-bh†״3=e~{'D@`F=ap;hˎސ/
-p
:ߣu3w?')f2ɦYpwpRu>n>v0{5R﯉ƹ_SXicLfge11qϽgGfZ3=zzeLo5pcpk Q\szi?MTظ[H{D
)rL]۪:z?T1F巠ۨ(F!^*LiI{{o"=SE_
ac-[/joq?:bSUq'X(eGPb#
wW!
P§/Z[r?Vu8~	mjd'4Um[ANXkO`{-![?T,@ub~r06W="(s$8xq:6ɞxr}gTpF
rsv6{_.@ʮsE4۳;6[5|{FGR%xFύejNYeXKsuE7%qEc,1$G8՜a	-g͉EΈUiT@’WS\pR\kr:zU#/vK|Y:T P.+X9p,vqu$I $nts98p8B7q76Ń4Q8%PNF=P;n.  @u nduu'+4P7oGNqt?։p<F"l)M_>CGP|-!j'FZ+
*7ڍ`kS
Y֎wܳn~
VL"83X4 䌨
-.}Ӗ u])m's#tVن9N#.k=Mq6B74)!i9*	adPzMhO~>`ݣE1CWJoo6c|wlw	WT2\C-&XBOC:e?vW@>Of.L4Mo%ޝ
w7[+L3fv.ںZmZ1#bՖٵ67ﻵa/Q`{ndz0d}{H'cwtAE斯SPjݕXx<{Ά>qls>BIWe6hYVz_" N5tZyӠx]&!e`ꋮNX?lZ׵_Z?7ƅjֺ-9D7Z
kebn:ŻFVU#S8O
C:]<VGD549_O)sp_>-C5Iq7?ЯSu~oq1D}n'b҈m`f^5	چSs^a.jJ>r%懻q[yD|Rݫ2WjxX3J[-gSm?]Kw[Dߣ)ywhMj
C+3xwsUDg٭!sso}-W&
:^	diAS(t|xXc{n"@jcMg,\جCoK"&ij@v`
c=؂0?u֒=,GZa۫sg٭3Q
xrT?C<Pc#xmj܃R|ҍ\Vbƶ/`rSM<<+6Bkvq^0Q,idyO"dbP+/_ͧ*;.]R32Vm%{yXg%B-∩BwH۞&f҈Yz靟FΌ
Qi
zh~/Xuտ<>{hw"T3Y#C*RRty롒{8Vx>gwO63z׵F^ؼ;4Bhax,~Esw\lyrlz/m:m
#ʵ2`w'Ġ{"&Ƚ=ʾPޮ_;@q(Sf]z:6
ʾ02X
٭`
6g
r[
u'h̓0t/i}Cgf@saf61}sͯ`|{z̳3Du "]A4Gx[9Ʊ6y訉R{°٢5ՖVq77r 61Hi^*jbuඏV|$įP&?B3{E6u2']~܆JjX6S!i~BwVeh˧6JxW

Hl>x;Z>>/ozɘ3qp+ПA
G']MfX=J:A}Ɋw6|3Fu}^R4X/"L,bJG!>Jqy:/,ZyZ\q~վVϷr51CryG>8kz1Yݦ$L0|,ߪ_2=INψ[g{iq`[8}l0OPs6?O
ǴNe7%ßα-k?a0#io/M%]הpg-pK@;Ct
i`gF!Y%k̹^Y;BTabse[e(D<E<V(SȏFNHs\&2Eͣ{"=;KrPVZK1*hg>|7 ޾cWҖBZ#iD}!
X^gqk;ПTLrDؑޠGĦb&1x'W?u
W'pB<ڳ`vбuwfإ͘&tqvj\vEN'xU\ͣэA;lts9B17{[cNVJEYH? 	R9[|w^f?soM9
+x@pV{O?WCOl8ӕս%^%J5i~(L;7$~E'VW\?7S3.'ɫ5Wԇ:Eb==@Gr\uWEF>
+v-SrUx(Na![t26pVtPX܌QCVRV)ib˭wE!FH
/,C$(Z)ChVͺB,k2HíYx`UGmVmm($?gXaYf
{oD$[R\	x#j%d$+i#]1N
l&,&YUDɎ9"nsɍԓ)I@	F;l>|ڇOXW5IDRN!A*V56{[nmA_5&N4m{f]1R97 Q%'ozG_D{Z4;:}[>!˞Ӕ/Dalt5,8[>
	"&~IOk:wΖ9	nYr^A-$^]G]p.-Ӭ$WI6wGͺnfe}+jb9y	sknK]Iu@$c_/.:Q3	Q<-.~}7ʹjeg]{/i"&gV冾Gc`}8a1<ǝ*l̍]>T}EOo~Et1ʝ27C.{(15L[~	UX6Yy|,(W\?Il<5i
bWiz2*dyIpFuG`Nm1\:1زrwKJ=>/H=%'lxmUm#e[IK(zI
/gOO.8~
ռ8IVfmֽfb_.r$v%:2+W`]G~W엏1a`z卒#w}sc}F:#/3SIj|q/lOH[T(rc}=AQKfRl$(ȦwfmOtT
%[5qᢱɦP-N{~1'쨍մ(K8̳7|E&矂&z߈F9
.і#و
ՂK;\toS)cV9|ʏ	DŽ]ʉ@#ƣL>ǵRrmSL&ʅ%_a|'1i7%ֆ[qi]E6[&?+xt΍[j5TX
%Rt:M{裕jT:鄚#^&gsDYlBc߁a^:A:ž=Vq[w)-6r-._^Klr'k|\&34Ģ]e^7N|tjWއwth-Z6:U^_©/;Fz*iͮC|Z:=d.2DӇ5TCgBLtٯ{̋5SwPURs©w=cV?/L-9+7?;}
bMΌ&eZXc{ئz><2[eP?Lϧs\Փ! {ɻcL9%Wcd
A5.;tslM˄?pO;?;JUqfF#g}]o=R䪽qě'3W
6gXOfRXJGDb
5v8̙j7ڲ4|<]wP1ʥpZ*;^[ՃF]YqUۇ?˵r%`X«'Z$9uqlbq3Y}+5L~3eM5fvmi|
E BO`=
Qo^_2ҮG|ѵiCCfݬOп^G󇌰şx#Gʞk '@u7?cܐ
g%WL-
?Ty^S'BœnjhRgKFr!LOrX=hwRߧA/I|݊ޥꌦT܅n֟p2xT+j~uqBAp@@7r_??ez!!!xAckFͭMZMhM;
P8!8<` 
sP ?́GFoBQ?_6t~O{&j߰;/lY=|5+(˚g_Çsݵ[w㊰:+w'.ǝ?+f73	O5d0uIm4lV#)eeBͳ.9Aִ<eڄ>N	TaG^ó[ o {eJ&F'@
|?1r}_aΌb|cě:tna/M/[6%{4gnRѲ(,&TcXZ'0Os#V[7R,)U2w-݋@.l#t]˩ԧW"/_&y|ĝUCc>wns3;
Gޗ7e}_Q۫J}i*qd$wшՆ(n"ۍ.wѮh*֚L_4S1Mlg!ލ-6MNr[4OHa7W9YZ3d魦{Z+Kqy)%t;f
Ng@B]=*Ar@cӹMH@<ڑ\g&RObM]ެ^I氒#SaZ24z%ZhP^Q~j˙՜	4-cʹ0ՈmqSݩ4Xa5@Z!*GH7o0;ji⤏-1mk@vS]oکRāp	Diq6Z&.n9ӺN	֖m"朦v`ErxoO7fjC;-R6eO!WNwG hE|k،̥E֟=f̿	CKlY29^<%/',q1~Kt"?6;|B|m!߰<0chHc!d,x6U2S=n@K)v|ycS3԰wrJf+솹5o.>z"S*ܮzPޞf_7#H#,A1!+OMOb?GxcL6mW#ڃRί
@b~ӻ~'/ [cûI8g1)H5W݅a ʣO[T_j`H_sd62ZDclHVhS].~'f$E^G;ŵj{JKe0&荅*mk+4/UMެ02;<

\*
(G#/)eAyӗ]:-
?a7+VF9NMg>dCH6't[*=A=JΓFWJ5?`ESTvgCl9iO=Kr{hhW	^Lt3P%:LN5;Ξ-FY8
q5`2LW-<Ff/tq4EtnUEA'G.<e͂pX{sįVx]AF$
/QwNR(\_71"f~f`tgOݙz?1r􋾎o^Ѝ]]-^E3ݏphzNi=~p7C&d9y'^\;Ohڶ^/ӯ/m:^!&4/چȤH-9$qO*2ۜp~<[ lޮ.v gХ8OՆsK"}ni>WN	f??5#Z!eE%>g+'c8Bi^r%7ٰ?=,Ab+?R8S0M
~ًy$~򤕹,7;d((my=ҟvPԮG)3BEO@rZۦC=
?$ 
Q]_Շ~*Wpm7Dt(}DG^P!ph0vg[Q.0
m>nu܄Q&hmY{$?MWE4WνN06)硣EŮDqw0ꥦ}M@ϯ뒔?^p>s;/wyqOag+=1`?-oK/^M̢'hVa_<O>ofK.s]V?y;lCd8r>V@n0ᐨhN>':>RCReW9{EڴRV/n"zX^N`M6ohG<\f`xW&fV.#FߜUm3{Ư`p]^<mԏi+z'dW
	ʏk?$;R~Eqvj=ׁ_Dž$!emon5V5|j\(+nUym^xg;{J?;tfm3vr5L|*O4sB2Ջ}sZ|Oh\.kʇit64.MW;Rk7P"@w_[iߦ5B9ˏ83o+p ^G^شgn?Aֱ5`̜/1q?/嘷W$|~[o5]	h4vn庪$3@s-@Hg\Ǘ{Ѝ
A?o8['rs\U-ET
Zx-bߴ>ߣw,;{Wѧ(Xc57˝NXcbu09=Nad93o6EWڴeëz|=q[z֬'?_tGpx_3^w0^Tf˙q
&oD&Tlo/qR[Ozz&TVsj:iǺiWޥNѩљL{fGWv':ƫR% /:NvR]G;L&$!oD̐njXİT/,Veg2'A/^-GlȗҀ?Ax$ҊI[˰d635h9[a:rsv~Q>ϑh-:f˪((^Xeŕc8ʲNHX~$yaMVUҩcY0b1SŠIؓSišyYɴ%9qz_bt:2 ğ/5vx}ˌ%*
o6лCYΞ;<VS:B2jɜC:eM0FL54<BߙR]ʷ[V
AvL-vs=`4
aƁPN;};~F6\!?
)'.e[X>Zu,8d5^dCtrs.J(t>q2O08%ceK7WH.j?|HYTm'=i">̮Rz+!|<{p?I/>o}΃BЁ
rgxdb?\V:F׶:2]?V}[n
܍/?EyQjf2%2Pl5/؀t|N5mtwgL~~SPKYꪘQ	 >R|8<QOMw6q#0/&_d}pO_ t_|F:DTjp$UU9r;
nfőejrap%}	4:̔Rރ#!)SHXa[)4]xRa]$>WdL`GrBLo-;wՏ|,
	[3B[]>ޘ?
G<̝3v1h7Q4KzUV7,ڵvqV7UĂċ0oc=[oxy̟*zl<nT߅?rj@)wv21y1s3;$H}clde͍
<IO`\FWXՔ6HhF{̚v>xjNN~c3"k[N]ZO'¥yѥ?gMmTۯOk[OˎJzI㪑P(/{ψţmmiGG۶CI
pe߱l'،bY:02ӎJZ#}B+-a^+ TDnejgR:97ڧ*M\\z`lAGrpSFOu}iv3OYk\{hL{'^Ν584s;]h/35cVbvH";f:[*s1ܫGOմl6LڽzG%ahu,
\xa~QnYSkw/-ɢg{[ز(/DN˵A)p/GJ_(dz4'	Υg̩€i{Ky'ƈ:O4*iު+/=uc93V?莔aLSTBPX%{=s(M ,a tj#y4eP@lH^_TRX,1й‚]\
HV}_zsYѸ@tD=vjO){Z35ڡT/x%<ﳎ_Oㄷ`pR@uSoUY)4_,mMSKdB&M5UnIZ#OBpKS~ ,
А,.TZ$A՝f
D,p{27I#Ԑ5Q&9HJ۪ss;$apV_AK-2[!0ҠlwDÉ&e%Tfo"%9fl,PPPAly\k*&2;ic{~ԁ>֋x@"|{9
!oըxj^K:R7&:`RmW;L&
	CRvQo \Ȃ%׹SmknIq5+mI,a	#oWfRI/^OV@%6
zQw[lJf"îJ[cZ롆pX>c^h	]>
V5*(wmi	:g(fS:$ofhHNS!` YnMM|;8PH,T҄і:P^Tcb"x;FVQcV!1x <a[RF+Utp v҇IeAao^bMts;CYQ7/]It15?x4LZO~Z3ۚq|_B>3?FeJaei^c^B/g^(
yKѳ߈atVQ]=%t;nNt9zSJƌsCF|鋀lv/pCA\xcmf0`:	l-P$'?$1X͘t6ߎy8vk.SY]L
4$h7:c7Hělӣh:6'ErN1hjݼ&XSOV.JgCP"@q}N]9i@A1:DhDv k<tl5}AgT:"-y!wO{RRU&pg|AgoO8`6`YM>,{~{PG`1nYd!yRQw[Ubmg``	'}@a4-Cg&v@owTȤ.w]|.w]|.w]|`mDex]_YI'wo$?y><9.D%L+3`˅&b?@H);zC̈#3-E._Mj`:ymxaa2\ЊW{=Yf6}8
޵V5rnm!by)DO=81	MVF3^iy5aJRER,(#s?XF1%|tT}[`J/r5n@M .aj
UW9DNDډJ|}$aKbC!DV7~*{Dk:jb)f&Dpk=T:e̖F	k?8ɰ=^>6!FG;Z</E=mr,;QqQ\IF\x<Q	gg'lcJt;&0"	"^$F I֠5]moZGSR:K52leo)+SжoLUu˖DM)DyۇEgli_CTԬj
X=bh#RiߟsC}qh2%S)Cyg	2"j3Wdt2SS8VLuj
f *,j@dT	Aw(`#BM=3cIПF?

Ջ-4z\˺t+IX#+i=ZNVJod6-L`U^}p<ɹB'/'0 g 0m
UPS,2&eCe7RJǧKB!RFخm_ӆDx=ȓ:B#²VV3 ,QB`.Vu}yɓ*gmcUB4+S9C\cDKੜ/:}
W^ ۣ&9Ny
8756Ajizƙlq4	ɽi(77?jƺK=g.vQ/کE黴cL,SuVT$clZbԱaݫ5n므ʊoH3ً9Иfْ
ȼ;;3tlcBEQ#揮Pf(s`9אdZNUM{uK`uPUk%OsQt
89z75(JZQ]cof٭#G*YlߒXn!\E&ftw6X
Xwk7"Tف'D2AG'&O5FjٻY	-
{Uh}z:?%Gr|z\%$332[9_bSwH+yI]#<gذ#ߗIqD?lt4%ǺdnR"3'MW(sӕF}5XzeFr=a%E>U0ҥMM9׬P5p,};0!qM4I)--֩ac?)Hi2ؠ)Aʬ)R0d胩9>;s
FiGVIIB4ZcG9AJXRW82<tcT!4Jԟ
)Js|)m%}-|lֺ։6t%ݒrD db qqܹBcU)ɕl#G3]dj;I9I?l	5:xOn"^O(1R^"탰7{Vh8贝Xgԏ̋}dm.K	-mZ(<
fbw?YF`XR#stlc8P
xRYxcwaƝ;3 $7ުmrg9t1OШ'
ia󓌯u
V5n9̟eܴHJbG9C}$׵`hI&<):<8|*}﹖ʃ)HWC]3nm|Z[&b3FD9UDHWM->մTm{*yg10FXcIty.&'RK_>ԀPcCdƆ͗&/*><W]axeqmݴfDzF	ik;Sjư52`dMU`Jkp1]M(/%:"`c
 -?lդނVOePaHF[Ekw`M  *88i>)j,ˊZPZ$Talm
wvwR)l[zCOqt'Ũcf2_Xzu[?)Cnk!^."(2f%EC|Y('	S)3%
 i

8|2OSD`2JcE>1L8SbFWJc-2(<JPEDŗweX۔ۛ$zwCZbVQLM[St+//;pOheAJ[%B&QppGG%q͵hE DWGNsC0bGOfDYrb:[9OY<| @VIa@3eYVY#˚v @48$$F19J!e@2^)NձG!ZuV@z#ճ{(Kjtvj&	&-@r~gH1r8 h2,]HHnrիS0QY7mO@$>º
 t9QU9"T
`k:%~7:u4NStA3OSS7p}`:O3<iz%V87<xu*Aޞs
kzIW9R+?6C,!u.:/<aV}=HG;TUr8g-7L[%30FjڀIˢ-ҺlUgiW+'MO)ҫbР#6φhLM,;b{X擼%&yW|!B z)L
(9F&ٸ+/TANȈToJ$Nة7R9v@o-(s_Ve'cɯߨj扑k:mV3a7[6mÐsh(N}~8Ht>E.t
-:+,$vp{
%zB/K/uJ
K-l˘nb<j*Qѷ~,ܭkBQ@B3sAϴ	͞"Ŕ=
=8c)P1SS^NxOQax^.osZjC9CiE#Xcx%kYGViyx؄%FQ`_d61qjH,(U%B[7#./x{ӁlHlW9rl
b7A_ܲ>͛aUe%8M*Z|BCJHX/јX̙	|鑷Ѡ)kW1^
'y;`նq2yWыA("UM&
@J̶C41چǦa:8gv
]jciԥ,鱔QS_]cw&cQ.Mtrc!5a4ϩ)|=9bk2xk_VpqIK:hIqzXLKoV=>ڬבյ(jFV)$L.]JȆPb0]Ӟ^VȻX̌K4PhZBݾc
i!t8Og9	08
L쩆rhbhdyRYDe2dFW"KKnmޗ0o(]<I{$cz~{Vq
(IK[`aiA%iNfyDuVo|FuO-qGI8]@e8{1<(8&|E
WnYۡb3D2Lb$_Bс*!mLW$NT,@#·4HU|vUfcښv$N&]ȱt2ZTJ*22lI
:6lH
#7,6UN;hu/h &KB*KU
/!:
:pK2
sگ};0lpy>jpb@+6FH0r^CsRӮ
ŤA7Zirwn;KM{R"S:iD,_ng2+@+GPgлRy7d1W&P5}
;m""M=r|vJ$MXu1,.2t5#\rhdɰw~"Y[LU_IWףR"FZ.v}*yΞu
hU&tmpքdT
/-""s0lB"
C'M栰'c!$/+Ћ
˂$ܘWPXʞ!t>vόn{E5,XnԳ
ꪖ_ur*!,UydY;I}hnXffZۙ8JlUqeqݷ\NuW0OSuFV:l	t(_-QYhHX7X蝼
6t'Af'HHZ<Ѭ9ے=uBGH(KVsPyjB'R~=w^8XԒ^EgvFt-M;信\"Aҿ%#Ӂ!Z(ڡ_$ʱ3pBAB3%=XpdݙS{t[,%i䜂(]`YRԣ3}z-}aM<X3H.WU⯞̺-NL0{|z*JǷ-ǧ4GPKK
I$FFu[h+
i-L1ZIb!!ש+x^󒬹6ީ$Z8W-PVCkꏉEp
1_4XC6Joj5ޫVsa`۱=i\ELe5Q"i0yf.`+==F.4  V#EH	zj?g8P`@oupϴr1QXS*jLh*ebat٦ffmڢnlDGاa
*$5;v	D=hzռB_.4ve)+Ga(Qn@}Pl@ʷU0n%;;C	@HTU/d^([Ej@t'Y
8Q ]K‚%
JDpR(8i*7|mL>]N"}0vnDhT^Gva*w	bY`n1m
$j,Ua!w<@upbF_Y]5G+',iȧ
Qr!XJ
{eCS*X4 2b3d>65,5UArOVbF8HۃLmYln* H74@k?{`3[:ms՗䦣9PW],3+'/v}\P[]ȸ+h5)-:9%E&z Y
1ʊ5JglxR*'€ .,0gP))ۤSIޔrsmD	hujA$ک<@	B&"&LY9%UG/ϲ)b[cX
:"CZ$c*Gʃd`nuH'Epb2\<cBw
ac$YUoTr'8(ipE#sSHH"+] <q-5Ir64vF*u~
DIK驀]&sЄw$FJx<.al[ Z-C<_C%W"	[)</}cʍ<1ۑiI<{͜2
HO}DdHSJrV.C=cYj:pb]͔)i!"t"u̸UI#]m`fK N̚IR;Y`^i
0<	2@GALvt.]XxV:LJ},M	iT%)W	
Ѻ\6)cI |\ڣFBbp*±{
;K#mACzC"fM_v
X,"UR25z3ٴ"G" lZQҟSsɋIdMU]{.?JtMݻ@RBL%r(3Hi~JyLwͦ̓b(Gv$-CR2 )b'{
F!SJ6i\I؅_WXg}l^#L|0H_m*Q1D<i8R|
ԭ=<KC55P?DD,hs/H_Kj*v|z<V񐉡zg< A$,KY@/"sK
TX՘ra3+UQCLP0$! YvPpn%x-TkF |K=%4MQI{|L̑
iZw⨆r_PWlPTe #_+@JQJ^1CXDi=50mثM65@U$y[h,ϢKYh6;&H$j;!cѧ˓7>s'EC7 ld59Qᇆ>O?r6sF(%4@RN4K#u7w'6ࡃM̊C%
67jlyÂNe31	` UHN|x<@$7Q??Ы0:x,Ɨ
&p,H S-'tDÕ偳R*J|[-f IJHÒU!gh3aR3Qj+%@~3m-
F=Nʼ⏎Ū(abhlWq!BHI~BYogZ,<ߴa@VU&O8Y\r͆SojF3'AnQU0: 608DQolϡ7pUp0O@-0j/Q.}6R`U٪J? nHZ
$ *2b	g6|,98`C,
ACТ]!5Ra"C*
A;_*
	J-VL$|zSZ&p%	_u`+0н9×Q|"@*YB2-8Cr05z|R(pFLbTaE4**Іk(Cuݱ1g I:60&{Cȓb R) w8a0h
_3/oAF-(lQ!%b^GB-yrwAM$,RA*M#!zA4O(\>5rlrtMyhpi	|UB w>ݹN8h؂{MlKT+ޥIj;Iz	/qסh$'D AH,X @;_AWVy %iZԢ3þ&Hp!M>R&_,,tgTCB;^kHoİRU՛P
a'6 {8;=HD)-B]<hSwfcUy6pj$Tp:tfv%)#6L+W7%:@0\ۢj`N%cg
)7cS`E 	&m$r'
6-,g㣉7/&7)im4M),A҄a$JcPMNh~V2ك
צq]
CΙMu/M\#cD@צ`ZZ%ŷ9V9HEOppBim	8Ksjkw5
吵/Ac_fUCS
gs0_ӯƮ
@`8WppBZS1N]\$’Labs0V
vNnU#BM;-qւcdD0l5Ml-v!7	F1BZ$xw"sE)$Ln֍&={&f:8GMM9
-MA5*.ntޘhOtB-=pB*f>bH*4u%&8hS௪j~撍7`?L]Ittᔇ:Fw2,j.]Ynl]AVSh041	!`.OCb2Śؖ>3Ҧoԕt^•]@lUq2X'Eդ3r*gϦƄ1T,=Sd@,=1VMTSλK37<4àUx8A)U0Uէђ)|CTdA8|`LpekAߎq]J<;7mPˍrwf)$na(x v9";:CD'Y1|o"KypѡHcZX!Cv$ZAu
o!X^0r-&M-4DZ1v3m
.ᓐN}w
02Iok/&y+& jgp5`nPS%"S䳼+
'ԬWy&ʦKJ$A]%{O}a?Y9@h2|R;3>%*|R#ֱRkCke!ξB%:Nنޣro^biy2lh	gH ۝h+kxX)gUWgpBv=7FW
CI͵JE"l&׼z"06)Y\*.tBmu4}ݮmʀ)5o7!5tBDE"D46+*'</h8z8 Hg S17'Wu߫:f@p/Um
Xz'hcQI3L5ݕ/z_X.HhPO#/o4E/D_+oo5Wn.uڟ9]WH{N u}߾~}'3.2pd@rhqBo4{۟wogFK?Ωǿߘ5NGSDZCvK͊OEʯ#\F8l~!Ҟ7:'qr\[bn?5Ј(Bꦹ%_}k?㫴!l/:m(˕Qv-Nr?3OFwΫvBv﷩w$wrʨN}̝u4^s9Bp>Oܗx<ҹDpu;::I>qиseø:ޙW>I?̀jw
jƟ{~9U+~Py3mc`77/y{TEtץ]S=f_r<4'v qWCGB#xC
VDO6{O)[$I?V֫-Qwv=ws:krk%p1纆a~3sܤhlʨ
v&JՓ3r./)Qda:}H;[
o}<:ՙM{Ux*mRpTSYN1g09+f3fy?k!@;#2CGa}7xfyuf1uMw~?\!dL2R>ҘLS
* 
Th>WvQ7/Wv%\UL.6ں?~uDŽ̿klL+eL(B.@SG3-Ȇm:C!dYМ!2D7PZQ9۞-h(f*~tA\51=$d'(T2ꡄesGA3$ug($.PY"QKcEĩo4s٘j:BцFLu15ΌHOQ
z}EӕZYM!{L[ȢfVXUnJG{|#Y{ZdM1wRw-c@цȨUoCWTg3P̢TC~PtKle1ӟgݩCz;9P,y[I);	{:SUW^޶фi~yߕymq{s}ԼsW>ťc[	FQ(>ge*)F

L oYU-[+WGs*r|Grjc2u!KtNl;dUha~C3_VBX׏& kAϽWi>E4A4GWIN8)gYuD!@]%-ǝaݑFu|E>C{va<-T%}kWGreeJcCWo$&RUnNݛzpqS\Q|6*9X2cwh v~Dzh!ny\}Q;@'gAy}aPT歺g4/U!;i`P>qTݘAUGʃGRnVS>ѢUC5u!ˏMUB>ljcdPX>OQt^pƩ؎hίYYSdEDUP+굹0"f(zJR':GZBT]1Ρ6_;M=L"+^ȰX]Lr"Q=.cj+-jVxGGNTW5&kɟ$(BXwALNծ\QfsP]/myV'R?܌@%q;	#akXِGS䏔`ϩa!iSS9%_1矦\#5=#THrZ+.$3AӼ>W(:zMuV/r!uq5s*lj/3)BSUU9BO`>q+b'ǶlB~*9;[a5MEΨMjU9:ŅwZ*OMe}s3Xt=4!èJk@IXrk[_Ӓ"UXn@`^1uљf|Z
	M!SRN[1Fp}ThyS8n,~S#!Q9`<t
H_Q˦z"DA~[B-H#ֆuRYT
5'CptZ~^UYPVDK^8R֎._Wc>{7vŌ[=׫:oUJv%
vcApP_Qڑ6yʚ=].k3&fF,M%j܈|ç	vjhٌ<9&ȞPcv=^?i	
vjyA)'{r?	#lUO!d/~:yO }bظ@[/J/1oT^	8rU/qqN546M晟&xE_d7:y~n?WƼےm^}.xӘ>5|=fsA|~YƋdF?^?o[|dٽI}_}^gt'Y]fiCҾpґe 	7l;fiIxC?m7g9kE_Tً)\fT%HļSH™t3G3Om͇̾!L;_5t=I>t4L0v o
{FkT@ IG6ga}Dm0>t1^=F^oaf2l9VG烳^wU*m	 /#]{7
atwWaqpHpv.NH:/ջ.e	:\/[8 z¼
zŊ(cS?eJn4aˌJHl0xhabwYr\Wpn`ө8LmA8Ώc,]qx ީ] %l^e.x<&[wG.`\Wb?]y=#]9qxt_I"2nh[J2~a^v8vʨ-Kr^H]5P\tU8d;2Zx<qPٝ>@hw8ӷRaul^^iw9W;0Ŏnʹan<`Ku/-{.g]څޥĒ6׬OaQwiΒˠz[_y]ȣ\b£Js.yr
Ts/軐#Wh9tU?!;CmxJہ f+CC\c^Z[Syn_a
f~!
!BC@7>spg`w@!G$			B.Nͻݞ.C}C]YK\@2a;0x&qcRd]G-]v'!B*-T&eArDCr4`?**P2Q84Q29DL1F
LW
1GO(NU7.][2)m
q".Y\qKHj(6I_G*ˎXf,f%Ze,Ptr-e$D2鄑kY3)H%~\KqY[&U,A8$+Ta/\?k+
O{2J/gv$2}-o KYoIlkoYƷH$:/
}Lbc^}u;buDUX̮I]`]"yWp$F/,HUeѺK^u#Aǵu_kE::{\\UKo#s2u(H-62w2P+2.	b}Lbȼ;@$ƃ&11RII 2/-#ek~DbER&1_?pPfvq{B~Kƈu###9J%w`HH$d^c$VFW%Y"K DH:9^浥$|NuuUd2hHȼ-	`sk0S&11R/52a iQ~s蠖Ykԅ28
e#UHXxݔ	xՁ%:
zUX):mc#ec$fH^zlHyT2H6r4K񭼢Q#3#Oe>myN'4'!
)ؽ
|tn]
1D g*9Ooo
j!"Iy;9[o$]vޘxd/zۂ";YYl)GnKz^JYW!e;۪|Pwsy6&qE9W>y,Ǧ98:Tl0(F6VhV,WBc~&XO]SqJ7Yp/h9J^qf.)e_mK3ot|nOdQE6{lFeLN4͍Ӛp?(JO_ZhdcTC{_j>\KYYL !	?6>-Jϸ>ck+_GOceU\f]5tcOOFtp7nݧ3RjYSu_#?XީQBIg閟z8ỤW>?ѣInxc6 RFV|bacUkI I,d6NVU3\ve֥لfI٩&%ޙ&YQB7sJfl5
!`S!hkmTIV6f6{UrP.>ىjV~o2>O~w)Td|zV8D	u|S3K&Sn)
IBOVVV%
Ir{ۤm%e]%{BUsW,N۷	-(>ШcgU\1RBu>jL)zJHW
^XR\}ե1!eH+^\,5%ka#g`Mas2DzK= SMN
l
6;N&+(BX<YISżɦD[;zuHi9[-Uy]SDR7K,Hz#@76tHfBj!DRm‰ub{! Co^laʹ*öK	͇)jj]d݈}c>D%]e8Y~{|B}Ak6dDR[Hb:lJ(/EqVқ}B]k-$d@JfzZ,+?E<E/u("X@h_gE_j" /}{EtPsFv`|+
ob"8FpNq/72kCA?ǁ#Z5`SQ4*gD
*ψ2ψr9oDoGOl%sIM
O'oxxg7+ƗdLxr<&u}+M?YvFv[3"VoP)ht|ʿa[beg8Iz9}Oڥ_~S}өzzS{1nwM@'M~Z67?
'&(
=ߨke56VޠyS8#Oۖ;Ko[o\~73xo\A~F7ֳ6'M3uzlp'&r+|xMo\kHxoo,h8㛔o[?	JY֠tzL0>mo(i[%RK)ߥd+\]dzE_<#\?IZ%o׋eaU#	ѾLP]j%{z	]%$S:4P<?i+ӧ:A>-4[eRkx~"i+|W
[|RΟݢg$DzWV5%)gf-.~jz{7`N6초ɧKfȴ:t%wTZqvQ¨Bz[}$+J::+5Io=CAX{'tK`L"9ckN14i
X$I/a3:WWcOAh%%GA]N;h)03R4bZY47;BbVځoXfGPqM:wqz;ZAevGaq*;OtRwZeV`:iGVǨ;{0f4
wfXfw[XmVǠ;F0fw1X
lu`FC:8!wZh9
e+nGv#Q5
if}SaqAf;7p<cKp>"lX-!@ pl89p7hwa儺8:^A#EN2ag}F݉@MJ<(Nyy Qls|o
X>Yj˂KaE9:`7qy'n#U4Xd=GWs5ЩlADyqul圹,
~+rHDS֍S-Q۫ѶJh:kT3Ď͜lܺG@Mt>zO6I!9
\`ir[,A,B%A.=s[fK4a
$0r`N/ӀxL38L4f|?}n@aԝlv
?0_
N2u>Pm[>An1;AHaKX?[nfeiFvƜ4aē:@czX<>-6ወ	
*
hǶ̓) p
j^7blΆ,[ϕTcL56>sܶNO_KMw۟vC!1gsI-EA/~klX<$[ÊBɏ4^3Դi@fɰA"
yY
!M,FMiX0MZ/ >
Ӡ
z<~eo9`$`TluE2MX+;˶s~(aAylm _|s:
`<<>M_ u%"oiU/DB1oHe:ZlyEKKq;݅(++2;4"!`҂u7R&yvY\>klŒX:B@ДVJJpfpPmֹ3Ł@Т@]F23w9~hiQSLd6H&idL=	=L"BSfH+bB +وe̐3cF1<yM	LCpϘ2F7;:^wV#3֙~ݿuJؼ dz%x&%T3=dG}iegn2ww&=}3;G,sϨTfGqg,E͋$(t߬+SMsv}7+G9#UyE~)Ղ(O(wگCO]M+0ϑej}#3&3՟&Ռ刾c+h&թ~759"/*nwC]
Q|\ߤePVLX54\uUJ>;9J7ɎR]<xig$?W^?)]8T	r0,7NRf*z,y'xջXj+υlXXU\+5Rq6HNoSyE8U4oc\U.PECXJvg1OnhGi'LZ}aTMK]U[|lrؾO{6cr0W>OVaq]I<s<L,t
	0A=/CqwyCv`ΡAZt+ib:aWVa&H‚=WU':Lj%|7~&6ϲ<q|e|OX`#_hɬ:=8恽`a>J
[[[1agrz8,ݗ0x(J]j*rat>oQqKg5tvq<+r;1ll'LWtX6;A%r^pЈ躖YׁEǨ<
W`9"19q6:q~>L6b`IX9r%ZfVcߍNòΏ}=kN ?0|Wk=Mxn"Kwɖet*agĮgET;U7BPQRRQGRRD	6?*ۉ	PiAI	Q@kIQV\X"pH6@0~Uݳ2X/'xZORzYHcB.'%bWY		_ڍ)SߤPIW6i~A5=FoYdhK2ΣD#aLL=t'ޓ`RY!&ځ
%.4eը:.c{[HT~Ӡɟ1
,MV5ڌ[™m6Q1
E۫F$p5ǣ
g5^0C9]~FĶ4av,i
ڙ/0xD[+Zp@}śUoBlO3X_/rC.M.]3:8eObYM
'ΡŸ׌?;\:O.[)'#Y]>vz3Ki֖2J_wwNZ, |
)}xyŻnzB~kx _cDD>{~Mdra},~h1
lTSGXbل<*??*#_g:jOS.^xk{Sww^y>k*OWP)|@nBz7t* OlۣXבոzY2(w͒0<m[V^-g?}amo^9jΦnNQgXxHlvO۝orJh/!nzS"o<#bCzF8XĊ?EHw7E*R}e~VCf*Q9NqrOk0^0l<-bEf7LXqG"2IޯEwqb:L.<FJTzpv	(n%*(c|V

Anon7 - 2022
AnonSec Team