What is Active Directory?

Originally created in the year 1996, Active Directory, also referred to as AD, was first used with Windows 2000 Server as a directory service for Windows domain networks. Active Directory is a special purpose database which serves as a central location for authenticating and authorizing all the users and computers within a network. Active Directory uses the Lightweight Directory Access Protocol (LDAP), an application protocol used for accessing and maintaining directory information services distributed over an IP network.

The basic internal structure of the Active Directory consists of a hierarchical arrangement of Objects, which can be categorized broadly into resources and security principals. Some examples of Active Directory objects are users, computers, groups, sites, services, printers, etc. Every Object is considered a single entity with a specific set of attributes. The attributes of Objects, along with the kinds of objects that can be stored in the AD, are defined by a Schema. The intrinsic framework of Active Directory is divided into a number of levels on the basis of the visibility of objects. An AD network can be organized in four types of container structure, namely Forests, Domains, Organizational Units and Sites.

- Forests: A forest is a collection of AD objects, their attributes and the set of attribute syntaxes.
- Domain: A domain is a collection of computer objects in the AD which share a common set of policies, a name and a database of their members.
- Organizational Units: OUs are containers in which domains are grouped. They are used to create a hierarchy for the domain that resembles the structure of the Active Directory's company in organizational terms.
- Sites: Sites are independent of the domain and OU structure and are considered physical groups defined by one or more IP subnets. They are used to distinguish between locations connected by low- and high-speed connections.
Primarily, AD has three levels or logical divisions, viz. Forest, Tree and Domain. A Domain is at the lowest level of an entire network and is identified by its DNS (Domain Name System) name. A Tree is a collection of one or more domains in a network, while a Forest is a collection of Trees sharing a common global catalog, directory configuration, directory schema and logical structure. The Forest is at the highest level of the logical structure and corresponds to the security boundary within which the AD objects are accessible. Within a domain, all the objects are grouped in Organizational Units (OUs) so that administrative tasks can be simplified. With OUs, a domain can be divided in a hierarchical manner to resemble the managerial or departmental structure of an organization. Organizational units are also considered containers which can hold other OUs of the domain. Group Policies in the form of Group Policy Objects (GPOs) are generally applied to OUs, and administrative powers are also delegated at the OU level.

Sites are physical groupings rather than logical structures and are used to control the network traffic caused by Active Directory replication. Sites are also used to refer clients to the nearest Domain Controller (DC) of the domain. All the information contained in the Active Directory is physically held in one or more domain controllers. Each DC has a copy of the Active Directory, and when changes take place on any server, the information gets replicated to all the DCs holding a copy of the Active Directory. This process is termed Active Directory Replication. Replication in the Active Directory is triggered each time an Object is created, deleted, moved or modified.
Active Directory Schema
All the objects and their attributes within an Active Directory are defined in a schema, which is an Active Directory component. Since Active Directory stores information from various applications and services, all that information is standardized with the help of a schema. The AD schema defines how the data is stored and how the directory service will retrieve, update or replicate the data while ensuring data integrity. In Active Directory, Objects are the main storage units and are defined under the AD schema. The directory queries the schema for the appropriate object definition each time some information is to be handled. The AD creates the objects and stores data in them as per the definition available in the schema, since the schema controls the type of information that can be stored in the objects. Only data types which exist in the schema definitions can be stored in the objects. In order to store a new data type, a new object definition must first be created in the schema. The object definitions in the AD schema contain all the object attributes along with the definitions of the attribute relationships. For example, a User object will contain an attribute for the user's logon name. This attribute will in turn contain other attributes, like the syntax of the logon name. All the object attributes, and the attributes within them, are defined in the schema of the Active Directory.

Building Active Directory Schema

During the creation of the forest at the time of Active Directory installation, the default schema is also created. The default schema gets replicated to each new domain thereafter created within the forest, and each Domain Controller gets access to a copy of the default schema. This is necessary for creating objects within the domain, as the DC must have the object definitions required to create objects and to store or retrieve information in the Active Directory. The replication topology of Active Directory ensures that every domain controller will be able to write changes to the AD database and replicate those changes to the other DCs in the same forest as well.

Active Directory Schema architecture

The schema is the Active Directory component that defines all the AD objects and their attributes so as to store data. The physical structure of the Active Directory schema comprises the object definitions. The schema is stored in the schema partition of the directory and defines the following:

- Objects used to store data in the directory
- The rules which govern the structure of the objects
- The directory structure and its content

The above definitions consist of objects, attributes and classes, the details of which are mentioned below.

Schema components

1. Objects
2. Attributes
3. Classes
4. Schema objects
5. Schema objects
Active Directory Domain
In a network, a domain is a collection of computers and resources which have a common namespace and share a common security database. The namespaces of domains are stored in the DNS, which is primarily a hierarchical structure of services and object names. For a domain in an Active Directory that shares the common AD database, the Active Directory and DNS namespaces have to be the same. Administrative controls and security policies are implemented on a domain basis and are valid for individual domains only. Within a domain, administrators can create and manage different resources and objects. An Active Directory domain contains various AD objects like users, groups, computers, OUs, etc. Therefore, it can be said that a domain is the core logical structure of the Active Directory, while the physical structures are the domain controllers and sites. When more than one domain is grouped together, a domain tree is formed. Every domain within a domain tree shares a contiguous DNS namespace and naming structure. In a domain tree, the root domain is referred to as the Parent domain, while the multiple domains added to it are referred to as the Child Domains. A group of multiple domain trees is termed a forest. Within a forest, the domains are linked by two-way transitive trusts and share a common global catalog and schema. The root domain in a forest contains specific roles and groups like the Domain Naming Master Role, Schema Master Role, Enterprise Admins group and Schema Admins group.

Domain Functional Levels

The domain functional levels control and restrict all the functions performed in a domain. If the domain functional level is upgraded to the Windows Server 2003 functional level, a few advanced Active Directory features become available:
- Windows 2000 Mixed supports domain controllers running Windows NT 4.0, Windows 2000 and Windows Server 2003.
- Windows 2000 Native supports domain controllers running Windows 2000 and Windows Server 2003.
- Windows Server 2003 Interim supports domain controllers running Windows NT 4.0 and Windows Server 2003.
- Windows Server 2003 supports domain controllers running Windows Server 2003.

Domain Design Factor

While designing an Active Directory domain, the following factors should be kept in mind:

1. Business requirements: Depending on the business requirements of the organization, the logical structure of the Active Directory must be designed.
2. WAN link costs: The cost of implementing WAN links varies in different countries.
3. Geographical factors: In order to control replication across the different regions within the enterprise, it is best to create and implement a geographic domain design so that the domain controllers replicate changes only within their local domain.
4. Domain Name strategy: Domain names should be unique. Each domain is assigned a NetBIOS name and a DNS name.

Active Directory Server

Windows Active Directory is used to manage application settings, security policies, corporate identities, business information and system credentials in an organization. The Active Directory server performs all these tasks with the help of certain technologies, which are explained below.

Active Directory Domain Services (AD DS)

The Active Directory Domain Service is the central location of the directory where information about security configuration settings, resources and services like users, computers, groups, printers, applications, etc., authentication requests and every AD object within the domain or forest is stored. From this centralized location, AD administrators can control, access and manage the entire directory along with its objects.

Active Directory Lightweight Directory Services (AD LDS)

The Active Directory Lightweight Directory Service, also known as Active Directory Application Mode (ADAM), is used to store directory-compliant applications in the database, providing a location for security accounts, application configuration and directory data. The AD LDS consists of two components. The AD LDS service is deployed only to the servers which support the directory applications.

Active Directory Rights Management Services (AD RMS)

The intellectual property of an organization should be secured from potential infringement, and the Active Directory Rights Management Service is used in this respect. The AD RMS component of Windows Server 2008 R2 is used to encrypt and secure sensitive documents and web services. This Active Directory server service ensures that only objects which have the right to access a resource in the domain network can do so. Configured rights, such as the right to open, modify, print, forward or take any other action, are defined in the rights-managed information of the AD RMS.

Active Directory Federation Services (AD FS)

The Active Directory Federation Services is a highly extensible, secure and internet-scalable service providing an identity access solution. With this service, organizations are able to authenticate users from their partner organizations and grant the external users access rights to the domain resources of the organization. The AD FS technology is also used to integrate the domain resources and un-trusted resources within an organization.

Active Directory Certificate Services (AD CS)

The Active Directory Certificate Services is used to enhance the security of certificates that prove the identity of users and computers within an organization. AD CS enhances the security of certificates by binding the identity of an object, device or service to its respective private key. By storing the private key along with the certificate within the AD, it becomes easier to retrieve the appropriate data when an application request is placed. This service for the Active Directory server is also used for data encryption during transmission across unsecured networks.

Active Directory Users

The Active Directory data store contains information about network resources which can be accessed from within a domain. These network resources consist of users, groups, computers, printers, services, etc., that are termed Active Directory Objects. Of these AD objects, we will discuss User objects in the following section. A user object (user account) in the directory enables end users to log on to the Windows Server. This object is made up of attributes such as user logon name, first name, last name, display name and contact number, to name a few. In order to create a new user object in the Active Directory, the following steps must be followed:

1. Click Start, Administrative Tools, and the Active Directory Users And Computers console.
2. In the console tree, select the OU wherein the new user object will be created.
3. From the Action menu, click New, then click User.
4. In the New Object - User dialog box, enter information for the fields listed below: First name, Initials, Last name, Full name (automatically populated), User logon name, User logon name (pre-Windows 2000).
5. Click Next.
6. Enter a password in the Password field and verify the password in the Confirm password field. The user has to specify a new password at next logon.
7. Click Next.
8. Verify the settings entered on the Summary screen.
9. Click Finish. A new user object with the specified settings will be created.

Active Directory user objects are also referred to as Security Principals, since that emphasizes the security implemented by the OS for these objects. Every security principal is assigned a SID, a unique security ID, during its creation. With this SID, user objects are able to log on to a network and access the domain resources. A user requires an Active Directory user account to log on to a computer or domain. With the help of the user account, a user gets authenticated and is authorized to use the domain resources; thus it can be said that the user account establishes an identity for the user. Other than that, user objects are also used as service accounts for applications, where a service is granted access rights to specific network resources.

Active Directory Attributes

The Windows Active Directory schema contains a large number of attributes which administrators can choose from to define different AD objects. The actual values assigned to attributes are stored in the Active Directory, which is enabled by default during the installation of the first domain controller. Once an attribute is assigned to an object, the attribute Schema thus created gets replicated to the Global Catalog (GC). Apart from the default attributes, additional attributes can also be added to the AD by extending the Active Directory schema structure. The Active Directory Schema snap-in present in the MMC is the place from where administrators can select specific attributes any number of times. The "Index this attribute in the Active Directory" property of the domain controller helps administrators to enable the default attributes. Therefore, in order to modify any default attribute which gets replicated to the Active Directory GC, one must modify the schema. Since schema modification is a complex procedure, Active Directory attributes are rarely modified. For this, the administrator must be made a member of the group "Schema Admins" and a registry key must be set on the Schema Master. In the following section, we will see some of the commonly used Active Directory attributes, their syntaxes, meanings and which objects contain them in the default AD Schema snap-in.

userAccountControl (user)
This attribute contains a set of bit flags defining certain properties of user objects. It takes the form of a 32-bit integer and is a combination of the following bit values:

Value   Description
1       The logon script will be executed.
2       The user account is disabled.
8       A home directory is required.
16      The account is locked out.
32      The account does not require a password.
64      The account is not allowed to change its password.
512     The account is a typical user account.
65536   The account password never expires.

objectClass (all objects)
This attribute represents the inheritance hierarchy of object classes. It takes the form of a multivalued string.

objectGUID (all objects)
This attribute defines a GUID, which is a unique identifier of an object within the AD. It takes the form of a raw binary string, with each set of two characters representing one byte of the binary data. The ADSearch Convert function is used to convert this binary data (octet string) into a more meaningful set of data.

objectSid (all security principals)
This attribute contains the security identifier of an AD object, used to represent the object in various places on the network (Active Directory, File System ACLs, etc.). It takes the form of a raw binary string, with each set of two characters representing one byte of binary data. The ADSearch Convert function is used to convert this binary value into a useful textual value.

sAMAccountName (user, computer, group)
This attribute describes the downlevel name of the object, which is seen by downlevel administrative tools and other pre-Windows 200x tools. It takes the form of a single valued string.

member (group)
This attribute defines the objects which are members of a group. It takes the form of a multivalued string, where each of the string elements defines the distinguished name of a member. If the member is a Foreign Security Principal, the distinguished name will be in the form "CN=sid", where sid is the SID of the member.

accountExpires (user)
This attribute defines the date on which a user account will expire. It takes the form of a long (64 bit) integer. The ADSearch Convert function is used to convert this value into a textual date.

logonHours (user)
This attribute defines the times at which a user is allowed to log on. It takes the form of an octet string. The ADSearch Convert function is used to convert the raw binary data retrieved from the attribute into a readable form.

dc (domainDNS)
This attribute defines the uplevel name of a domain, or the leaf part of the distinguished name of the domain.
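As an added example (not from the original page), the following Python module decodes the raw forms described above: the objectSid and objectGUID binary strings, the accountExpires 64-bit integer, the userAccountControl bit flags and the logonHours octet string. It uses only the standard library, so it stands in for the ADSearch Convert function the text mentions rather than calling it; the byte layouts are the standard Windows ones, and all sample values are constructed, not taken from any real directory.

```python
"""Decode the raw Active Directory attribute forms listed above (added example).

objectSid is a binary SID (revision, sub-authority count, 48-bit big-endian
authority, 32-bit little-endian sub-authorities); objectGUID is a 16-byte GUID
in little-endian field order; accountExpires is a Windows FILETIME (100 ns
intervals since 1601-01-01 UTC); logonHours is a 21-byte bitmask, one bit per
hour of the week.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# userAccountControl bit values from the table above (name -> bit).
UAC_FLAGS = {
    "SCRIPT": 1,                    # the logon script will be executed
    "ACCOUNTDISABLE": 2,            # the user account is disabled
    "HOMEDIR_REQUIRED": 8,          # a home directory is required
    "LOCKOUT": 16,                  # the account is locked out
    "PASSWD_NOTREQD": 32,           # the account does not require a password
    "PASSWD_CANT_CHANGE": 64,       # the account may not change its password
    "NORMAL_ACCOUNT": 512,          # a typical user account
    "DONT_EXPIRE_PASSWORD": 65536,  # the password never expires
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # both values mean "no expiry"
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def decode_uac(value):
    """Return the names of the bits set in a userAccountControl integer."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def decode_sid(raw):
    """Convert a binary objectSid into the familiar S-1-5-21-... text form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)   # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def decode_guid(raw):
    """Convert a 16-byte objectGUID into its textual GUID form."""
    return str(uuid.UUID(bytes_le=bytes(raw)))


def decode_accountexpires(value):
    """Convert an accountExpires FILETIME into a UTC datetime (None = never)."""
    if value in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def decode_logonhours(raw):
    """Return {day: [allowed hours]} from the 21-byte logonHours bitmask.

    Bit 0 of byte 0 is Sunday 00:00-01:00 UTC; bits run through the week in
    order, eight hours per byte, least significant bit first.
    """
    allowed = {}
    for index in range(168):
        if raw[index // 8] & (1 << (index % 8)):
            allowed.setdefault(DAYS[index // 24], []).append(index % 24)
    return allowed


def review_account(sam, uac, sid_raw):
    """Defender-oriented findings derived from the decoded attributes."""
    flags = decode_uac(uac)
    sid = decode_sid(sid_raw)
    findings = []
    if "PASSWD_NOTREQD" in flags:
        findings.append("%s: no password required" % sam)
    if "DONT_EXPIRE_PASSWORD" in flags:
        findings.append("%s: password never expires" % sam)
    if sid.endswith("-500") and "ACCOUNTDISABLE" not in flags:
        findings.append("%s: built-in Administrator (RID 500) is enabled" % sam)
    return findings


# Constructed sample values (not taken from any real directory).
SAMPLE_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1234, 5678, 9012, 500)
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
SAMPLE_EXPIRES = 128752416000000000   # FILETIME for 2009-01-01 00:00 UTC

# Constructed logonHours: Monday 09:00-17:00 UTC only.
SAMPLE_HOURS = bytearray(21)
for hour in range(9, 17):
    bit_index = 24 * DAYS.index("Monday") + hour
    SAMPLE_HOURS[bit_index // 8] |= 1 << (bit_index % 8)

if __name__ == "__main__":
    print(decode_sid(SAMPLE_SID))
    print(decode_guid(SAMPLE_GUID))
    print(decode_accountexpires(SAMPLE_EXPIRES))
    print(decode_uac(66050))
    print(decode_logonhours(SAMPLE_HOURS))
    print(review_account("administrator", 66048, SAMPLE_SID))
```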
Active Directory Users and Computers

In an Active Directory network, users and computers are important Object types which are the logical representation of the actual end users and systems configured in a domain within an organization. The Active Directory service offers individual accounts to users and computers for administrative ease and for secure authentication and authorization. AD user authentication is done to confirm the identity of all the Active Directory users who log on to a domain. Authentication allows users to access resources like data, applications, system libraries, devices, shares, etc., located anywhere in the network. AD user authorization is provided to secure the resources of a network from unauthorized access. The user accounts are authenticated to grant access rights to users depending on the access control permissions attached to the objects. To manage user and computer accounts, the Active Directory Users and Computers snap-in console is used. Some of the common terminologies used with user and computer accounts are given below:

- User rights: User rights can be both logon rights and privileges assigned to users and groups.
- Access Control Permissions: Permissions such as Read, Write, No Access, etc. are assigned to all the objects as well as to the object properties.
- Access Control List (ACL): Every Active Directory object is associated with the following two ACLs:
  - Discretionary Access Control List (DACL): Contains a list of all the user accounts, groups and computers which are allowed or denied access to the object.
  - System Access Control List (SACL): Defines the events which are audited for a user or a group.
- Access Control Entry (ACE): Every DACL or SACL contains a list of ACEs, which hold the permissions that are granted or denied to the users, groups and computers listed in the DACL or SACL. Each ACE consists of a SID along with the corresponding permission, like Write access.
- SIDs: In a Windows Server system, a SID is a unique security code that identifies a specific user, group or computer.
- Access tokens: An access token is created each time a user logs in and represents the user account. It contains three elements, viz. the Individual SID, the Group SIDs and the User Rights. An access token is not updated until the next user logon.
  - Individual SID: Represents the logged on user.
  - Group SID: Represents the logged on user's group memberships.
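As an added example (not from the original page), the following Python code models how the terms above fit together in an access check: an access token carrying the user's SID and group SIDs is evaluated against an object's DACL, ACE by ACE, and the SACL decides which attempts produce audit records. The evaluation order (walk ACEs in order, a deny on a still-needed right ends the check, access is allowed only once every requested right is granted, a NULL DACL grants everything and an empty DACL nothing) is the standard Windows behaviour; the access-mask bits, SIDs and ACLs are constructed for the example.

```python
"""Access check with a token, DACL and SACL (added example, constructed data)."""
from dataclasses import dataclass, field

# Access-mask bits used in this example (a subset, not the full Windows mask).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
RIGHT_NAMES = {READ: "Read", WRITE: "Write", DELETE: "Delete"}


@dataclass
class ACE:
    sid: str
    mask: int
    kind: str                  # "allow" or "deny" in a DACL; "audit" in a SACL
    on_success: bool = False   # audit ACEs only: log successful access
    on_failure: bool = False   # audit ACEs only: log denied access


@dataclass
class AccessToken:
    user_sid: str              # the Individual SID
    group_sids: set            # the Group SIDs
    user_rights: set = field(default_factory=set)   # not consulted by the DACL walk

    def sids(self):
        return {self.user_sid} | self.group_sids


def is_canonical(dacl):
    """Windows expects explicit deny ACEs to precede explicit allow ACEs."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


def access_check(token, dacl, desired):
    """Return True when the token is granted every bit in `desired`."""
    if dacl is None:            # a NULL DACL protects nothing: everyone gets everything
        return True
    remaining = desired
    for ace in dacl:            # an empty DACL grants nothing
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False        # a deny on any still-needed right ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def audit_events(token, sacl, desired, allowed):
    """Audit records the SACL would produce for this access attempt."""
    events = []
    for ace in sacl or []:
        if ace.kind != "audit" or ace.sid not in token.sids() or not ace.mask & desired:
            continue
        if (allowed and ace.on_success) or (not allowed and ace.on_failure):
            rights = [n for b, n in RIGHT_NAMES.items() if b & ace.mask & desired]
            outcome = "SUCCESS" if allowed else "FAILURE"
            events.append("%s %s for %s" % (outcome, "+".join(rights), token.user_sid))
    return events


def check(token, dacl, sacl, desired):
    """Decision plus audit output, the two halves of an object access check."""
    allowed = access_check(token, dacl, desired)
    return allowed, audit_events(token, sacl, desired, allowed)


# Constructed sample: domain S-1-5-21-1234-5678-9012, user RID 1105, Domain Users RID 513.
DOMAIN = "S-1-5-21-1234-5678-9012"
ALICE = AccessToken(DOMAIN + "-1105", {DOMAIN + "-513"})
DACL = [
    ACE(DOMAIN + "-513", WRITE | DELETE, "deny"),   # deny listed first (canonical order)
    ACE(DOMAIN + "-1105", READ | WRITE, "allow"),   # an allow on the user's own SID
]
SACL = [ACE(DOMAIN + "-513", WRITE | DELETE, "audit", on_failure=True)]

if __name__ == "__main__":
    print(is_canonical(DACL))
    print(check(ALICE, DACL, SACL, READ))    # allowed, nothing audited
    print(check(ALICE, DACL, SACL, WRITE))   # denied by the group deny, failure audited
```

The Write request is refused even though an allow ACE for the user's own SID grants Write, because the deny ACE for Domain Users is evaluated first; a non-canonical DACL with the allow listed first would grant it, which is why is_canonical is worth running over any DACL you write by hand.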
copying. The Group Policies are applied to users during their logon time and to computers during their boot time. This selective functionality denial service is used on Microsoft Windows and is used by companies to encrypt information stored in the form of documents. Active Directory Rights Management Services Active Directory Rights Management Services (AD RMS). The ACE list consists of a SID along with the corresponding permission like Write access. domains and sites which contain user and computer accounts. licensing. editing. by locking their usage rights. the database server and the RMS client. Since AD RMS includes a Windows Server 2008 R2 based server running the AD RMS server role handling all the certificates. This service is further used to prevent the decryption of protected content by specific groups or users or to prevent certain operations on the encrypted documents like printing. web pages and corporate e-mails. Objects which have a valid SID can log on to the network and access available domain resources. The group policy configuration settings are associated with Organizational units. e-mail gateways. deleting. its deployment has the following benefits : y y y Encryption of sensitive information : Organizations are able to create customized usage policy templates which can be applied to the information so as to safeguard them. Active Directory computer accounts are provided with authentication and authorization in order to audit the access of computers in the network. an organization¶s security strategy can be augmented. product specifications. Active Directory Users and Computers together are termed as Security Principles since the operating system often implements certain security for these entities. firewalls. When a Group Policy is applied to a container. Persistent protection : For better information protection. it either affects all the constituent objects or a specified set of objects. etc.DACL or SACL. 
managing applications and desktop appearance. This can be done by protecting the information store by imposing usage policies and protect the sensitive information like customer data. assigning scripts and moving folders from local computers to network systems. Similar to the user accounts. etc. . financial reports. which was previously termed as Windows rights management services is a type of information rights management used to encrypt and limit access to corporate documents. archival systems and automated workflows. Flexible technology : AD RMS allows independent software vendors (ISVs) and developers to enable applications and services like the content management systems to further protect the server based solutions such as record management. forwarding. Every User and Computer account is assigned some Group Policy in the form of Group Policy Objects (GPO). With the help of Active Directory rights management services and client. Group Policies help in configuring the security options. Security Principles are primarily directory objects which are automatically assigned SIDs (Security IDs) upon creation. AD RMS augments the existing perimeter based security solutions including ACLs.
Types of content which can be protected using AD RMS include e-mail messages. click Connect. To use LDP utility. Once the connection with the Active Directory is established. Once you are connected and authenticated to the Active Directory. This is the information which you will require to use the ldp. Note: If the directory server name is not specified. IT analysts. Following are the steps required to connect to the Active Directory.Given below are some of the key features of Active Directory rights management services : y y y y y y Identity federation support Microsoft federation gateway support Inclusion of AD RMS as a server role Administration through MMC (Microsoft Management Console) Integration with Active Directory Federation (AD FS) Self enrollment of AD RMS servers Therefore we see that Active Directory rights management services is a format and application ± agnostic technology that is used to provide services to create information protection solutions. intranet web sites and documents. the correct LDAP query must be used. 2. This client utility can be used to browse and query an LDAP based directory service such as the Active Directory. professionals responsible for supporting existing RMS infrastructure and IT security architects who deploy information protection technology. you can browse for information depending on the permissions assigned to your account. a message containing ³RootDSE´ information is send. . The Windows support tool Ldp. In order to bind to the directory.exe utility as an Active Directory browser. all its information is arranged in a hierarchical tree structure. This service is mostly beneficial to IT planers. 1. For attributes and parts of the AD tree for which access is denied. to browse through the structure. on the Connections menu. The Lightweight Directory Access Protocol utility allows administrators to search specific information through a given search criteria. information will not be displayed. Therefore. 
Active Directory Browser Active Directory management is possible with the help of Windows Support Tools utility provided by Microsoft. the LDP will connect you to your logon server (LOGONSERVER) or to the last server that was accessed. In the dialog box. click Bind to authenticate yourself to the AD. type the directory server name and click OK. Since the Active Directory is LDAP compliant.exe is used by administrators as an Active Directory browser to perform LDAP searches against the directory. On the Connections menu. the first step should be to connect and bind to the Active Directory for authentication.
right-click Command Prompt and click Run as Administrator. subnets and servers become easy. Following are the steps to open it. Results are displayed either in String format or Binary format depending on the configuration of Value Parsing option (In the Options dialog box. computers. therefore.To browse through the directory. contacts. If the predefined search criteria in this command are insufficient. click Tree and enter the base Distinguished Name (DN). This built-in tool is available if Active Directory domain Services (AD DS) server role is installed. Enable the Auto Base DN Query option and click OK to connect to the defaultNamingContext of the tree root. With Active Directory query. Dsquery contact: Finds contacts in the directory that matches the search criteria being specified. it is first important to view its tree structure. dsquery * . groups. specific search criteria can be executed through queries to quickly search information. locating users. OUs. With the help of this tool. the Dsquery tool is used an Active Directory query utility. In String format. Double click on any object on the directory tree to view its attributes and attribute information on the right pane of the LDP utility. Following are the different syntaxes used with the dsquery commands to search Active Directory information: y y y Dsquery computer: Finds computers in the directory by matching the search criteria specified. 2. It is possible to save the results in plain text format and export the search results. object attributes are displayed as follows: Ldp: Binary blob The LDP utility overwrites the older results with new information. sites. Following are the steps: 1. The Active Directory tree structure will be displayed in the left pane of the LDP utility. Click Start. Dsquery group: Finds groups in the directory by matching the search criteria being specified. Of the many command-line tools available for Active Directory management with different versions of Windows server. 
increase the buffer size to retain more data. Active Directory Query To search specific information in the Active Directory structure is a tedious task for administrators without the help of structured queries. which on expanding displays all the objects and containers. click General and change the Value Parsing option to String). use the general version of the query command. On the View menu. The dsquery command is run from an elevated command prompt.
it is possible to navigate through it and explore it with the help of the AD Explorer. dsquery * Dsquery partition: Finds partition objects in Active Directory that matches the specified search criteria. even though ADSI Edit lacks the snapshot functionality. all the object attributes can be viewed using AD Explorer. attributes and security permissions. If the predefined search criteria in this command are insufficient. Quota specification is used to determine the maximum number of directory objects that a specified security principal can own in a particular directory partition. If the predefined search criteria in this command are insufficient. Furthermore. Once a saved snapshot is loaded. dsquery * Dsquery site: Finds sites in Active Directory matching the specified search criteria. use the more general version of the query command. use the more general version of the query command. Another advantage that AD explorer offers is fast navigating speed between objects that offered by the ADUC snap-in. dsquery * Dsquery *: According to the criteria specified in an LDAP query. it is possible to book mark the AD objects which is often handy while viewing same objects repeatedly. With just a single click. searches for any Active Directory object.y y y y y y y Dsquery ou: Finds organizational units (OUs) in the Active Directory data store that match search criteria being specified. use the more general version of the query command. dsquery * Dsquery quota: Finds quota specifications in the directory data store matching the specified search criteria. use the more general version of the query command. If the predefined search criteria in this command are insufficient. Active Directory Viewer In order to easily navigate through the entire Active Directory database. Apart from being used as an Active Directory viewer. AD Explorer is an advanced Active Directory viewer and editor with which administrators can traverse through the AD internal structure. 
the values of object attributes can be copied to the clipboard and emailed . dsquery * Dsquery user: Finds user accounts in the Active Directory as per the search criteria. use the more general version of the query command. If the predefined search criteria in this command are insufficient. The comparison functionality of this viewer helps administrators to compare two snapshots of AD database in terms of changes made in the objects. view the AD schema and execute searches. dsquery * Dsquery server: Finds domain controller servers according to the specified search criteria. If the predefined search criteria in this command are insufficient. in AD Explorer. Microsoft has come with Active Directory Explorer (AD Explorer). AD Explorer is also capable of saving the snapshots of the AD database for viewing or comparing them offline. permissions and attributes of AD objects without opening separate dialog boxes and edit them as well. If the predefined search criteria in this command are insufficient. Moreover. This particular utility is quite similar to another Active Directory viewer ADSI Edit which supports Windows Server 2003 and 2008 R2. view the properties. use the more general version of the query command. view object properties and attributes.
Active Directory Utilities

Active Directory's directory services maintenance utility (ntdsutil.exe) is a command line tool that provides management facilities for AD. Maintenance of the Active Directory database, management and control of single master operations, removal of metadata left by domain controllers, creation of application directory partitions, resetting the DSRM password, transferring FSMO roles to a domain controller and many other tasks can be carried out using this utility. Ntdsutil.exe is used to perform an authoritative restore in tandem with the system utilities of Windows Server 2003. For some functions, especially metadata cleanup, ntdsutil.exe must be used along with NetDom or the Active Directory snap-ins. This menu-driven tool is designed for interactive use; however, it can also be run with scripted commands. The Active Directory utilities are available with Windows Server 2008 and Windows Server 2008 R2, provided the AD DS or AD LDS server role is installed. Ntdsutil.exe is also available upon installing the Active Directory Domain Services Tools, which are part of RSAT (Remote Server Administration Tools).

Some of the most common tasks which can be performed using ntdsutil.exe are summarized below:

- Authoritative restore: In an authoritative restore, specific data marked as current is prevented from being overwritten during the replication process. During an authoritative restore, all changes made to the restored object after the backup was created are lost.
- Configurable Settings: Manages configurable settings.
- Domain Management: Used to create naming contexts and to add replicas of the DNS application directory partitions.
- Files: This functionality is available only after booting the server into Directory Services Restore Mode. It checks the integrity of NTDS.DIT and moves the database and its associated files.
- Reset DSRM password: The Directory Services Restore Mode password can be reset using this utility.
- Roles (FSMO maintenance): Used to map each single operations master to the corresponding domain controller.
- Security Account Management: SAM management, including checking for duplicate SIDs.
Steps to run the command line utility ntdsutil.exe:

- Click Start, right-click Command Prompt and choose Run as administrator.
- In the elevated command prompt, run ntdsutil.exe.

In case only the AD LDS server role is installed and not the AD DS server role, the Active Directory utilities dsdbutil.exe and dsmgmt.exe can be used instead of ntdsutil.exe to perform the same tasks.
Active Directory Reporter

Reports generated for the various activities conducted on Windows Active Directory help administrators keep a record for reference. Active Directory reporter tools are applications which help in generating general, configuration and audit Active Directory reports. Active Directory reports arm administrators with important information about the AD infrastructure and AD components, including objects, groups, domains, sites, etc. These reports help in processing data about user accounts, groups, OUs, etc.

The Active Directory management pack for Microsoft Operations Manager (MOM) offers a predefined set of reports which are specifically designed to monitor the performance as well as the availability of all Active Directory services. The management pack for MOM generates comprehensive reports, including those on service availability, service level availability issues, Active Directory trending, service health, and reports providing estimates for capacity planning. The Active Directory reporter utility of the management pack offers different types of reports, some of which are explained in the next section. However, the AD replication monitoring report is disabled in the management pack by default. To enable this report, administrators are required to enable the data collection rule using the configuration information provided in the Active Directory Latency Performance Data Collection Sources rule group descriptions.

Some of the reports which provide data about AD configuration information are:

- AD Domain Controllers: gives a list of all domain controllers, their IP addresses and sites within a selected domain.
- AD Replication Links: gives a summary of the current replication site link configuration for Active Directory.
- AD Replication Objects: summarizes the AD replication topology and offers a list of connection objects.
- AD Role Holders: provides a list of all computers which hold one or more operations master roles or act as global catalog servers.
Reports which provide information about Active Directory disk space:

- AD DC Disk Space: summarizes the disk space usage and free space for the Active Directory database and log volumes, per domain controller. This report helps administrators predict the volume sizes from the current growth rate.

Reports which provide information on the Active Directory replication process:

- AD Replication Bandwidth: provides a summary of both compressed and uncompressed replication bandwidth over a selected period. This report is used in capacity planning.
- AD Replication Latency: provides the minimum, average and maximum replication latency per naming context. This report is used to verify service level agreements (SLAs) within a domain or forest.

Reports through which administrators obtain information about Active Directory operations:

- AD Domain Changes: provides data about significant changes made in the domain, such as the addition or removal of domain controllers and the movement of the PDC emulator operations master.
- AD Machine Account Authentication Failures: summarizes data about workstations which are unable to authenticate, which in turn prevents Group Policy updates and software distribution to those computers.
- AD SAM Account Errors: reports on events which indicate that SAM has detected an error, and gives corrective guidance.
Active Directory Backup

The Active Directory service works as a database where information about an entire network is stored. Upon replication, all the latest changes or modifications get synchronized to every domain controller. Therefore, it is essential to back up the Active Directory database to avoid any kind of disastrous situation. Active Directory is usually backed up as part of the system state, a collection of system components that depend upon each other. It is mandatory that administrators back up, and also restore, these system components together: the system registry, the boot files, the COM+ class registration database, SYSVOL, the AD database, the checkpoint file (Edb.chk), the transaction logs and the reserved transaction logs. It is essential to select the domain controllers which must be backed up as well as the backup content, per domain controller. Furthermore, any backup that is older than the tombstone lifetime (TSL) value set in AD is not considered a good backup; the default is 60 days in forests created before Windows Server 2003 SP1 and 180 days in forests created with Windows Server 2003 SP1 or later, and the effective value is the tombstoneLifetime attribute of the Directory Service object in the configuration partition, so it should be read rather than assumed. Moreover, the Active Directory backup should be performed intelligently and must be recreated at regular intervals.
Restoring the Active Directory

In case of database corruption in Active Directory or any other hardware or software failure, administrators are required to restore the data from the available AD backup. Restoration is also required when an AD object gets deleted or modified by mistake. The Active Directory database can be restored in different ways, of which Active Directory's own replication process is one. The Backup Utility can also be used to restore the replicated content from the backup copy without the need to reconfigure the domain controller. In order to successfully restore data from a backup, administrators must select the appropriate restoration method.
Selection of the appropriate restoration method

There are three types of restoration procedure which administrators can choose from to recover the backup data of a corrupt Active Directory. The Active Directory restore methods are:

Primary restore: This method is used when all the domain controllers of a domain are lost and there is a need to rebuild the domain from scratch. The primary restore method works by rebuilding the first domain controller in the domain. The domain administrator can perform a primary restore on the domain; it can also be performed on the local computer by members of a group to which this responsibility has been delegated.

Non-authoritative (normal) restore: The normal restore method reinstates the AD data to the state before the backup was created. The data is then brought up to date through the replication process. A normal restore can be performed on a domain controller only by the domain admin.

Authoritative restore: In an authoritative restore, some specific data is marked as current and is prevented from being overwritten during the replication process. Later, in tandem with the normal restore method, the current authoritative data is replicated through the domain. Ntdsutil.exe, a command line utility, is used to perform an authoritative restore along with the system utilities of Windows Server 2003. During an authoritative restore, all the changes made to the restored object after the backup was created are lost, password changes and group membership changes included, so the scope of what is marked authoritative should be kept as narrow as possible.
Active Directory Cleanup

Over time, user and computer accounts become obsolete or redundant, which raises the need to eliminate them. Duplicate user and computer objects usually result when multiple directories are migrated to a new domain or Active Directory is upgraded on a new server. The Active Directory Cleanup Wizard is a utility developed to eliminate such redundant or duplicate accounts by merging them. The wizard searches for redundant objects or accounts and merges them: all the accounts, their attributes and properties are merged into a single user account so as to remove duplication from the AD database. This in turn helps improve the performance of Exchange servers. In order to run the wizard, command line tools can be used. The functionalities of the Active Directory Cleanup Wizard can be summarized as follows:

- It identifies all the duplicate objects to be merged by searching the Windows NT accounts
- It allows the merge operations to be reviewed and modified after the selection of accounts
- It exports and imports lists of accounts so that administrators can save the details of the merge operation as a .csv file for review
The Active Directory Cleanup Wizard, however, cannot be used to clean up server metadata; for this another utility, ntdsutil.exe, is used. Ntdsutil.exe is a command line tool that can be run to execute the metadata cleanup process, and it is installed by default on each domain controller. The metadata cleanup procedure is appropriate only for those domain controllers which were not demoted using the dcpromo utility. In the process of metadata cleanup, every piece of Active Directory data used to identify the domain controller during the replication process is removed. Furthermore, ntdsutil.exe also removes the File Replication Service (FRS) connections. In Windows Server 2008 based Active Directory, the process also transfers (seizes) the FSMO roles (operations master roles) held by the removed domain controller. Following are the steps to execute a metadata cleanup procedure.

To clean up server metadata:

1. On a domain controller that is running Windows Server 2003 with Service Pack 1 (SP1), open a command prompt.
2. Type the following command, and then press Enter: ntdsutil
3. At the ntdsutil: prompt, type: metadata cleanup
4. At the metadata cleanup: prompt, type: remove selected server ServerName, or: remove selected server ServerName1 on ServerName2
5. To verify that the server was removed, type: list servers in site (this command lives under the select operation target: submenu and needs the site selected first).
6. Ensure that the domain controller you wanted to remove is not displayed in the command output.
7. At the metadata cleanup: and ntdsutil: prompts, type: quit
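The interactive session above run as one scripted command, which is the form the text refers to when it says ntdsutil can be driven by scripting commands, together with the checks that belong around it. This is an added example and not part of the original article; the dead domain controller (DC2), its site and the domain contoso.com are assumptions.

```powershell
# Added example, not part of the original article. Run elevated as a Domain Admin on a
# surviving domain controller. DC2, the site and the domain are assumptions.
$Domain = 'contoso.com'
$Site   = 'Default-First-Site-Name'
$DeadDc = 'DC2'
# "remove selected server" accepts the DN of the server object; with it the
# "select operation target" dialogue of the interactive session is not needed.
$ServerDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,DC=contoso,DC=com"

# Never clean up the metadata of a DC that still holds an operations master role: the role
# would vanish with it. NetDom is the utility the text names for this; seize the roles first.
$fsmo = netdom query fsmo
if ($fsmo -match "\b$DeadDc\.") {
    throw "$DeadDc still holds an operations master role. Seize it (ntdsutil roles) first:`n$fsmo"
}

# Each quoted argument is one line typed at the ntdsutil menus; the two quits leave the
# metadata cleanup: and ntdsutil: prompts. ntdsutil still shows its removal confirmation
# dialog box, so run this from an interactive desktop session.
ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" quit quit

# Verify what the "list servers in site" step checks, and two things it does not:
# the computer object in the Domain Controllers OU and the DC locator records in DNS.
dsquery server -site $Site -o rdn
dsquery computer "OU=Domain Controllers,DC=contoso,DC=com" -o rdn
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" | Select-String -Pattern $DeadDc
```

If the last two commands still show the removed controller, delete the computer object and the stale SRV records by hand; clients that resolve them will otherwise keep trying to authenticate against a machine that no longer exists.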
Active Directory Auditing

Within the context of Active Directory, auditing involves keeping track of user account status, folder accesses and file permissions. Other than that, Active Directory auditing also comprises keeping track of account activity, group memberships and user privileges. Windows Server 2008 offers domain services auditing features for Active Directory to track changes made to objects and object attributes. This AD DS feature of Windows Server 2008 produces audit logs containing details about the changes made to object attributes, the old and new attribute values, and who made the changes. In Windows Server 2008 based Active Directory, the Audit Directory Service Access policy is split into four subcategories:

1. Directory Service Access
2. Directory Service Changes
3. Directory Service Replication
4. Detailed Directory Service Replication

Of these four, the Directory Service Changes subcategory provides the ability to audit changes to AD objects. Changes such as creating, moving, modifying and un-deleting user objects can be audited with the AD DS auditing feature. Some of the capabilities of the audit policy provided in AD DS are:

- After modification of an object attribute, AD DS logs the old and new attribute values. If the attribute has multiple values, only the value which changes due to the modification is logged.
- Upon creation of a new object, all the attribute values populated during creation are logged.
- When an object is moved, the old and new location within the domain is logged. If the object is moved to a different domain, a create event is generated on the target domain's DC.
- Upon un-deletion of an object, the location the object is moved to is logged. If object attributes are also changed during the un-deletion, their new values are logged as well.
Steps to Configure Auditing for Specific Active Directory Objects

Once the audit policy setting is configured, it is possible to configure the audit policy for specific objects like users, groups, OUs and computers. This is done by specifying both the users whose access is to be audited and the type of access to be audited. Following are the steps used to configure Active Directory auditing of specific AD objects:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Make sure that Advanced Features is selected on the View menu (the command has a check mark next to it).
3. Right-click the Active Directory object that you want to audit, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add.
6. Complete one of the following:
   o Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, and then click OK.
   o In the list of names, double-click either the user or the group whose access you want to audit.
7. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
8. Click OK, and then click OK.
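The eight GUI steps above done in script, followed by a reader for the Directory Service Changes events they produce, so the "old and new value" described earlier can be seen in practice. This is an added example and not part of the original article; the OU name and the audited principal (Everyone) are assumptions.

```powershell
# Added example, not part of the original article. Run elevated on a Windows Server 2008 R2
# domain controller (or one with the RSAT ActiveDirectory module). OU and principal are
# assumptions.
Import-Module ActiveDirectory

# The SACL on an object produces nothing unless the subcategory itself is enabled.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# Put the SACL on the OU: success and failure of writes, permission changes and child
# creation or deletion by anyone, inherited by every object below the OU.
$ou   = 'AD:\OU=Tier0,DC=contoso,DC=com'
$acl  = Get-Acl -Path $ou
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'),   # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete',
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $ou -AclObject $acl

# Read back what the subcategory logs. 5136 = attribute modified, 5137 = object created,
# 5138 = object undeleted, 5139 = object moved, 5141 = object deleted. The "old and new
# value" of a modification arrives as two 5136 events: OperationType %%14675 carries the
# value removed, %%14674 the value added.
function Get-DsChange {
    param([int]$Last = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141 } -MaxEvents $Last |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $dn = $d.ObjectDN
            if (-not $dn) { $dn = $d.NewObjectDN }          # 5139 (move) reports old and new DN
            $change = $null
            if ($d.OperationType -eq '%%14674') { $change = 'added' }
            elseif ($d.OperationType -eq '%%14675') { $change = 'removed' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object    = $dn
                Attribute = $d.AttributeLDAPDisplayName
                Change    = $change
                Value     = $d.AttributeValue
            }
        }
}

# Group membership edits under the audited OU are the first thing a reviewer wants to see.
Get-DsChange | Where-Object { $_.Attribute -eq 'member' } | Format-Table -AutoSize
```

Auditing Everyone for writes on a busy OU is noisy; the point is that the SACL is scoped to an OU, so the subcategory can stay on forest-wide while only the containers that hold privileged objects produce events.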
Windows 2003 Active Directory

Active Directory 2003 comes with some advanced features, primarily in the management tools provided in adminpak.msi. Some of the new features and advancements are discussed below:

- Windows 2003 Active Directory comes with the ability to create and store queries in Active Directory Users and Computers. Administrators can now create queries to display users, computers, or any other object based on any attribute. Microsoft has also included some predefined query criteria in the new AD version.
- With bandwidth saving in mind, the 'Install Replica from Media' feature allows administrators to install a copy of the Active Directory database from a network copy, a CD or any other media. This in turn eliminates the dependency on the replication process taking place across the network.
- Active Directory Application Mode (ADAM) can be run in the context of a nominated account and configured separately from the AD replication schedules. Furthermore, multiple instances of ADAM can run on the same system to test different schema setups easily.
- Linked Value Replication allows single values of multi-value attributes to be replicated between servers.
- Also included is Cached Credentials, which allows users at remote locations (which have a domain controller running) to log on without a connection to a Global Catalog server.

Windows 2003 Active Directory consists of three logical partitions, namely Domain, Configuration and Schema. These logical units are stored in the ntds.dit file present on the domain controller. To manage these three different AD components, three tools, namely Active Directory Users and Computers, Active Directory Sites and Services, and ADSI Edit, are used respectively.

Installation of Active Directory goes together with the correct setup of a DNS server running on the network. Active Directory relies so heavily on DNS that it is the first place to look when fixing problems with AD replication or AD operation.
Once Windows Server 2003 is installed on a stand-alone server, run the Active Directory Installation Wizard in order to create a new AD domain or forest. The following procedure explains how the computer running Windows Server 2003 is converted into the first domain controller of the forest (domain):

1. Insert the Windows Server 2003 CD-ROM into the system's drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click Next.
4. Click Domain controller for a new domain, and then click Next.
5. Click Domain in a new forest, and then click Next.
6. Specify the full DNS name for the new domain or that of the existing DNS infrastructure, and then click Next.
7. Accept the default domain NetBIOS name, and then click Next.
8. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
9. Set the SYSVOL folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
10. Click Install and configure the DNS server on this computer, and then click Next.
11. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.
12. Set the password for the Directory Services Restore Mode (DSRM) Administrator, using a strong password, and then click Next.
13. Review and confirm the options that you selected, and then click Next.
14. The installation of Active Directory proceeds. When you are prompted, restart the computer.
15. After the computer restarts, confirm that the Domain Name System (DNS) service location records for the new domain controller have been created.
Windows 2008 Active Directory

Windows Server 2008 is fast replacing the ageing Windows Server 2003 and Windows Server 2003 R2 domain controllers. Upgrading from earlier versions of the Windows Server DC to Windows Server 2008 without disturbing Active Directory is, however, a challenge. The shift requires selecting the best possible method of migration and carrying out the other important steps involved in the process. Let us first look at the options available for migration from Windows 2003/2003 R2 Active Directory to Windows 2008 Active Directory.

In-place upgrading: Both Windows Server 2003 and 2003 R2 can be upgraded in place to Windows Server 2008. For in-place upgrading, administrators are required to run adprep.exe before initiating the upgrade process on the domain controllers. Adprep.exe is executed to prepare the Active Directory environment before introducing a Windows Server 2008 domain controller; the account running it must be a member of Schema Admins, Enterprise Admins and Domain Admins of the forest root domain. This Microsoft utility is run with the following commands in Windows 2008 Active Directory:

ADPREP /FORESTPREP (for the Schema Master)
1. Executed on the domain controller holding the Schema Master FSMO role
2. Updates the AD forest
3. Does not change the "Partial Attribute Set"

ADPREP /DOMAINPREP (for the Infrastructure Master)
1. Executed on the Infrastructure Master FSMO
2. Updates the AD domain

ADPREP /DOMAINPREP /GPPREP (for the Infrastructure Master)
1. Executed on the Infrastructure Master FSMO
2. Updates the AD domain and SYSVOL

ADPREP /RODCPREP (for read-only domain controllers, optional)
1. Executed on the Domain Naming Master FSMO
2. Updates permissions on the application partitions so that an RODC can participate in their replication
3. Only executed when upgrading from Windows Server 2003 AD
Restructuring: In this method, administrators are required to restructure the entire Active Directory. For this, all the resources have to be moved from one domain to another. The Active Directory Migration Tool (ADMT) is the best utility for restructuring the Windows 2008 Active Directory environment.

Transitioning: With transitioning, it is possible to add Windows 2008 domain controllers to the existing Active Directory environment. In this migration process, the first step must be to move the FSMO (Flexible Single Master Operations) roles to the new domain controllers. Next, the previous domain controller must be demoted to remove it from the domain, which is now served by Windows Server 2008. The transition procedure allows administrators to retain the existing Active Directory layout, objects, schema, contents and group policies.

Of all three methods, transitioning to Windows Active Directory 2008 is best, since restructuring means creating the entire directory from scratch, and with in-place upgrading administrators are stuck with limited upgrade paths.
Active Directory Download

The flexible, directory-enabled application platform offered by Microsoft ADAM (Active Directory Application Mode) can be downloaded from Microsoft's site. However, before download, the Active Directory installation requirements must be met. Without complying with the essential requirements, it is not possible to set up a new AD domain or domain controller. Following are the prerequisites before Active Directory download and install:

- An NTFS partition with enough free space
- Administrator's credentials
- The correct version of the OS
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (can be installed on the DC itself)
- A domain name to be used
- The Windows Server 2003 CD media (i386 folder)
Installing Active Directory Domain Services (AD-DS)

For Active Directory running on Windows Server 2008, the installation of the Active Directory Domain Services (AD-DS) role on the server must precede the installation of Active Directory. The AD DS role enables the Windows server to act as a domain controller and must be installed prior to running dcpromo. Following are the steps to install AD-DS through the Server Manager/Initial Configuration Tasks method (roles can be added from Server Manager or initiated from the Initial Configuration Tasks wizard):

1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder. Wait till it finishes loading, then click on Roles followed by the Add Roles link.
2. In the Before You Begin window, read the provided information and then click Next.
3. In the Select Server Roles window, click to select Active Directory Domain Services, and then click Next.
4. In the Confirm Installation Selections window, click Next after reviewing your selections.
5. Once the process is complete, click Close.
6. Going back to Server Manager, click on the Active Directory Domain Services link, then click on the DCPROMO link. Alternatively, to run DCPROMO, enter the command in the Run box.
Installing Active Directory

1. The Active Directory Domain Services Installation Wizard will appear. Click Next.
2. In the Operating System Compatibility window, read the provided information and click Next.
3. In the Choose a Deployment Configuration window, click "Create a new domain in a new forest" and click Next.
4. Enter an appropriate name for the new domain and click Next. The wizard will perform checks to see that the domain name is not already in use on the local network.
5. Pick the right forest functional level and domain functional level, and click Next. Windows 2000 mode is the default and allows the addition of Windows 2000, Windows Server 2003 and Windows Server 2008 DCs to the forest you are creating; it also leaves the Windows Server 2008 features (DFS-R replication of SYSVOL, fine-grained password policies) switched off, so choose the highest level that all your domain controllers will support.
6. The AD DS Installation Wizard performs checks to confirm proper configuration of DNS on the local network. If no DNS server is configured, the wizard will prompt you to automatically install DNS on this server. Click Next again. Note: The first DC must also be a Global Catalog and cannot be a Read Only Domain Controller.
7. The next step is to set the paths for the AD database, log files and SYSVOL folder, followed by entering the password for Directory Services Restore Mode. Click Next.
8. In the Summary window, click Next. The wizard starts creating the Active Directory domain. After the process is complete, click Finish and reboot your system. The server now acts as a Domain Controller.
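The Windows Server 2008 AD DS installation above, and the equivalent Windows Server 2003 dcpromo walkthrough earlier, done unattended, which is what you script for a repeatable lab build or a rebuild after a primary restore. This is an added example and not part of the original article; the domain name corp.example.com, the NetBIOS name, the paths and the functional levels are assumptions.

```powershell
# Added example, not part of the original article. Run elevated on a freshly installed
# Windows Server 2008 R2 member server. Names, paths and levels are assumptions.
Import-Module ServerManager            # 2008 R2; on 2008 RTM use: servermanagercmd -install AD-Domain-Services
Add-WindowsFeature AD-Domain-Services

# Ask for the DSRM password instead of embedding it. It is the one credential that still
# works when the directory is offline, so it deserves Domain Admin level handling.
$secure = Read-Host -AsSecureString 'DSRM Administrator password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Functional levels: 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008.
# Level 3 turns on DFS-R SYSVOL replication and fine-grained password policies; the wizard's
# Windows 2000 default keeps them off.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetBiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$answerFile = Join-Path $env:TEMP 'dcpromo-unattend.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    dcpromo.exe /unattend:"$answerFile"
    # dcpromo reports success with exit codes 1 to 4 (2 and 4: reboot still needed).
    if ($LASTEXITCODE -gt 4) { throw "dcpromo failed with exit code $LASTEXITCODE" }
} finally {
    # The answer file holds the DSRM password in clear text: remove it whether or not
    # the promotion succeeded.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
Restart-Computer -Force

# After the reboot, the check that is step 15 of the 2003 procedure: the DC locator records
# must exist or no client will find the new domain controller.
#   nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com
```

Keeping RebootOnCompletion=No and restarting from the script is deliberate: it guarantees the clear-text answer file is deleted before the machine comes back up as a domain controller.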
How to Use Active Directory

Active Directory enables organizations to arrange their computer data and network and to store and process information in a centralized location. The technology on which Active Directory is based is fairly advanced and requires a lot of expertise to manage directory related tasks. Therefore, to understand how to use Active Directory, we will first start with an overview of this directory service.

Since Active Directory is the foundation of Windows distributed networks, administrators can use it for locating objects such as users, groups, security policies, distributed components, etc. in a network domain. This is because Active Directory is a highly scalable directory service that enables efficient management of network resources. The Active Directory technology is based on standard Internet protocols that help you design the exact structure of your network. It uses DNS (Domain Name System) to organize groups of computers into domains. An Active Directory domain is a set of computers sharing common resources from the AD database, having a unique domain name and its own set of security policies and trust relationships with other network domains. Within a domain's database, information about objects like user accounts, computer accounts, shared resources, folders, printers and security policies is stored.
Based on the structure of your Active Directory, you will find that AD is divided into a logical structure and a physical structure. The logical structure comprises domains, domain trees, forests and organizational units, while the physical structure consists of sites and subnets. The logical structures help you arrange the AD objects and manage their network accounts along with the shared resources. A forest comprises one or multiple domains which share common directory data. Organizational units (OUs) are used to arrange AD objects into groups, which are further organized into hierarchical structures; OUs are logical containers or subgroups within a domain which represent the functional structure of an organization, and you can assign group policies to them and delegate authority over the domain resources they contain. The physical structures, on the other hand, enable you to map the physical network structure of the organization, facilitate network communication and set physical boundaries.

DNS is an integral part of Active Directory. It must be configured in the network before installing Active Directory. Once DNS is configured, Active Directory can be installed by running the Active Directory Installation Wizard. The procedure is: click Start, click Run, type dcpromo in the Open field and then click OK. When no domain exists, the wizard helps you create a new domain to configure Active Directory. Upon completion of the installation process, to test its functionality you can use the AD management tools such as Active Directory Users and Computers.

Windows Active Directory can also be accessed through WMI, which creates a set of references to every object and class contained in the AD data store. By accessing the directory through WMI, administrators create WMI-enabled applications to access Active Directory information. These interfaces in turn aid administrators to create new instances, retrieve classes and instances, modify or delete instances, query Active Directory and enumerate classes and instances.
Active Directory Administration

Active Directory administration in a large network is not easy, and because of this, organizational units (OUs) are created so as to distribute the administrative tasks. Distribution of administrative tasks to other administrators through delegation of administration is quite common in enterprise level AD management. In fact, apart from the deployment of Group Policies, delegation of administration must be the other important design goal for an AD, especially in the design of organizational units. In literal terms, delegation of administration is establishing access control lists (ACLs) on OUs and user accounts within AD. It can be said that delegation of administration allows the domain admin to offload specific tasks to specific administrators for specific AD objects in the Active Directory structure. Since more than one administrator is allowed to manage Active Directory with delegation of control, this method yields more ROI and a more flexible approach to Active Directory administration. Based on the structure of your Active Directory, delegation of administration can be implemented.

Before implementing delegation of administration, some factors should be determined in advance, such as:

1. Administrator role: whether one department is managed by a single administrator or the relationship is all-in-all.
2. Administrator rights: whether different admin staff are employed for handling user and computer accounts.
3. Group membership: whether managers of departments are required to control membership in their own groups, or call the administrator to manage the group membership.
4. User passwords: whether department managers or the administrator must control password resets.
5. User location: whether centralized or distributed over remote sites.
Steps to implement Delegation of Administration Control

The Delegation of Control Wizard is used to delegate administrative control tasks such as creating, deleting or managing user and computer accounts. The wizard only adds access control entries and never removes them, so every delegation should be recorded and reviewed later on the OU's security descriptor. The following steps will help you implement the delegation of common administrative tasks.

Start the Delegation of Control Wizard:
1. Open Active Directory Users and Computers.
2. In the console tree, double-click the domain node.
3. In the details pane, right-click the organizational unit, click Delegate Control, and click Next.

Select the groups or users to which the common administrative tasks will be delegated:
1. On the Users or Groups page, click Add.
2. In the Select Users, Computers, or Groups dialog, type the names of the users and groups to which control of the organizational unit is to be delegated, click OK and then Next.

Assign the common tasks to delegate:
1. On the Tasks to Delegate page, click Delegate the following common tasks.
2. Select the tasks to be delegated and click Next.
3. Click Finish.
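The delegation that the wizard's "Reset user passwords" task grants, written out as the ACEs it creates so the result can be reviewed and repeated, followed by the check an auditor wants on every delegated OU. This is an added example and not part of the original article; the OU, the Sales-Helpdesk group and the domain are assumptions, and the schema GUIDs are the fixed ones for the user class, the User-Force-Change-Password right and the lockoutTime attribute.

```powershell
# Added example, not part of the original article. Run as a Domain Admin on a Windows Server
# 2008 R2 DC or an RSAT workstation with the ActiveDirectory module. OU, group and domain are
# assumptions.
Import-Module ActiveDirectory

$ou  = 'AD:\OU=Sales,DC=contoso,DC=com'
$sid = (Get-ADGroup 'Sales-Helpdesk').SID

# Schema GUIDs the wizard resolves for you: the user object class, the
# User-Force-Change-Password extended right ("Reset Password") and the lockoutTime attribute.
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$lockoutTime   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'

$acl = Get-Acl -Path $ou
# Reset password on user objects below the OU. Descendents, not All: the right must not apply
# to the OU object itself, and the inherited-object-type limits it to users, so the helpdesk
# cannot reset the password of a computer or service account parked in the same OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))
# Unlock accounts: write access to lockoutTime only, not a blanket WriteProperty.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow, $lockoutTime,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))
Set-Acl -Path $ou -AclObject $acl

# The check: every non-default principal holding a write-class right on the OU. Delegations
# only accumulate, and a forgotten GenericAll or WriteDacl on an OU is a privilege escalation
# path to everything inside it.
function Get-OuWriteDelegation {
    param([string]$Path)
    $default = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|\S+\\(Domain Admins|Enterprise Admins))$'
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            [string]$_.IdentityReference -notmatch $default -and
            [string]$_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|CreateChild|DeleteChild'
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited
}
Get-OuWriteDelegation -Path $ou | Format-Table -AutoSize
```

An entry in that listing whose ObjectType is the all-zero GUID carries the right for every attribute or every extended right, which is almost never what the wizard's task descriptions suggest and is worth questioning each time it appears.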
AD Management Tool

Windows Active Directory, a hierarchical directory structure used for storing information and data about the networks and domains of large enterprises, can be viewed at three levels, namely the domains, the trees and the forests. Objects, user and computer accounts, resources and services are the main components that make up an Active Directory database. However, the magnitude of data contained in the directory makes its management quite difficult, and AD management is a challenging task. Managing the user and computer accounts, assigning group policies, creating or removing objects, and managing user accounts on the Exchange server are some of the major responsibilities that an AD manager has to deal with. Especially for dynamic businesses, where major changes take place in the organizational structure to incorporate growth, mergers and divisions, carrying out all these changes without impacting the users is an even bigger challenge.
Moreover, migration is often executed while merging and restructuring domains. Migrating user accounts, workstations, computers, global and universal groups, Exchange mailboxes and OUs from one domain to another is not a matter of a few scripted commands. Transitions of this kind require planning, along with the removal of certain security restrictions on domain controllers. The process of migrating and re-migrating user passwords, local and remote servers along with other AD data from the source to the target domain is a daunting task. The native ADMT tool helps in this regard. Nevertheless, migrating the entire Active Directory is a task to be done in stages; it is recommended that no more than 100 accounts are migrated at a time.
Deletion of user and computer accounts is another issue faced by administrators, and recovering from an unintended deletion requires a lengthy procedure. Locating the corresponding domain controller, disconnecting it from the network, rebooting the server in DSRM mode, obtaining the DN (distinguished name) of all the deleted objects, running utilities like ntdsutil.exe to perform an authoritative restore on the deleted objects, and finally reconnecting the DC to the network takes a lot of time and effort. Locating the right domain controller, especially when a whole OU is missing, also takes time.
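The recovery sequence described above (DSRM, the DNs of the deleted objects, ntdsutil authoritative restore), and the authoritative restore method from the restoration section earlier, reduced to their commands, together with the backup-age rule from the backup section and a way to obtain the deleted DNs without the DSRM reboot. This is an added example and not part of the original article; the OU, the backup volume E: and the domain are assumptions.

```powershell
# Added example, not part of the original article. Run as a Domain Admin on the Windows
# Server 2008 domain controller being restored. OU, backup target and domain are assumptions.
Import-Module ActiveDirectory

# 1. A backup older than the tombstone lifetime cannot be used: the other DCs have already
#    forgotten deletions it predates. Read the real value instead of assuming 60 days.
$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
$tsl    = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }   # unset = original 60-day default

function Test-BackupUsable {
    param([datetime]$BackupTime, [int]$TombstoneLifetimeDays, [datetime]$Now = (Get-Date))
    return (($Now - $BackupTime).TotalDays -lt $TombstoneLifetimeDays)
}

# 2. The system state backup the text describes, taken with Windows Server Backup (wbadmin).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 3. Obtain the DNs of the deleted objects before touching DSRM: tombstones are searchable,
#    and lastKnownParent tells you where each object lived.
$subtree = 'OU=Sales,DC=contoso,DC=com'
$deleted = Get-ADObject -Filter "isDeleted -eq `$true -and lastKnownParent -eq '$subtree'" `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged

# 4. Booted into DSRM, after a non-authoritative system state restore
#    (wbadmin start systemstaterecovery), mark only the lost subtree authoritative so that its
#    version numbers win over the deletions on the other DCs. Everything outside the subtree
#    still takes the newer data from the replicas. Omit 'activate instance ntds' on 2003.
ntdsutil.exe 'activate instance ntds' 'authoritative restore' "restore subtree $subtree" quit quit

# 5. After the reboot, ntdsutil leaves .ldf files beside the database for the restored objects'
#    group memberships (back-links); import them with ldifde so memberships held in other
#    domains are repaired too, then confirm the objects reappear on another DC by replication.
```

Running step 3 first is what turns "obtaining the DN of all the deleted objects" from a guess into a list, and Test-BackupUsable is the gate before step 4: if the newest backup is older than the tombstone lifetime, the authoritative restore would resurrect objects that every other domain controller has already purged.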
carrying out all these changes without impacting the users is a bigger challenge. In the select Users. right click the organizational unit. 2. assigning group policies and creating or removing new objects. managing user accounts on the Exchange server are some of the major responsibilities that an AD manager has to deal with. the domains. Especially. The process of migrating and re-migrating user passwords. obtaining the DN (distinguished name) of all the deleted objects. write the names of the users and groups to which control of the organizational unit has to be delegated. workstations. AD Management Tool Windows Active Directory. In the Details menu. The native ADMT tool helps in this regard. Migrating user accounts. . trees and the forests.exe to perform authoritative restore on the deleted objects takes a lot of time and effort. rebooting the server in the DSRM mode and running utilities like the ntdsutil.
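Rights granted through the Delegation of Control wizard above are written as explicit ACEs on the OU, so reviewing them means reading that ACL. The following PowerShell is an added example (not from the original article); it assumes the ActiveDirectory module's AD: drive on a domain-joined host, and the OU DN and the "expected" principals are placeholders.

```powershell
# Added example, not part of the original article: list the explicit (non-inherited)
# ACEs on an OU so that rights granted with the Delegation of Control wizard can be
# reviewed. Assumes the ActiveDirectory module (which provides the AD: drive) on a
# domain-joined host; the OU DN and the expected principals are placeholders.
Import-Module ActiveDirectory

function Get-ExplicitOuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        # Principals expected to hold explicit rights on the OU; everything else is
        # reported with Expected = $false so that it can be reviewed.
        [string[]] $ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from parent containers; the wizard writes explicit ones
        if ($ace.IsInherited) { continue }
        $principal = $ace.IdentityReference.Value
        [pscustomobject]@{
            OU         = $OuDistinguishedName
            Principal  = $principal
            AccessType = $ace.AccessControlType      # Allow or Deny
            Rights     = $ace.ActiveDirectoryRights  # e.g. GenericAll, WriteProperty, CreateChild
            AppliesTo  = $ace.InheritanceType        # None, All, Descendents, ...
            ObjectType = $ace.ObjectType             # attribute/class GUID; all zeros = every property
            Expected   = $ExpectedPrincipals -contains $principal
        }
    }
}

# GenericAll, WriteDacl or WriteOwner on the OU lets the holder modify every object
# beneath it, which is far more than a "manage user accounts" delegation needs.
$broadRights = 'GenericAll', 'WriteDacl', 'WriteOwner'

function Test-OuDelegationIsNarrow {
    param([Parameter(Mandatory)] [string] $OuDistinguishedName)
    $unexpected = Get-ExplicitOuDelegation -OuDistinguishedName $OuDistinguishedName |
        Where-Object { -not $_.Expected }
    $broad = $unexpected | Where-Object {
        $r = $_.Rights.ToString()   # flags enum renders as "CreateChild, DeleteChild" etc.
        @($broadRights | Where-Object { $r -match $_ }).Count -gt 0
    }
    [pscustomobject]@{
        OU               = $OuDistinguishedName
        UnexpectedGrants = @($unexpected).Count
        BroadGrants      = @($broad | Select-Object -ExpandProperty Principal -Unique)
    }
}

# Usage with a placeholder OU DN; replace it with the OU that was delegated
$ou = 'OU=Helpdesk Managed,DC=example,DC=com'
Get-ExplicitOuDelegation -OuDistinguishedName $ou |
    Sort-Object Principal |
    Format-Table Principal, AccessType, Rights, AppliesTo, Expected -AutoSize
Test-OuDelegationIsNarrow -OuDistinguishedName $ou
```

Schedule the report after each wizard run and diff it against the previous output; a new principal or a broad right appearing on the OU is the change worth a ticket.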
Management issues also arise when new objects are to be created, as every day new employees join organizations. Creating new objects, assigning them Exchange accounts and configuring their access rights policies imply using different support tools, command-line utilities and services. Also, auditing Active Directory on several categories without creating a bottleneck in the network traffic or in the security events of the domain controller is an important task in AD management. Therefore, executing all these tasks with the support tools and in-built utilities, without impacting the end users or affecting the workflow, is crucial. Furthermore, administrators are preferring third-party tools to simplify these tasks.

Active Directory Monitoring

In order to maintain consistent directory data and an optimum level of service, monitoring the Active Directory and its services is essential. Active Directory monitoring is of immense benefit to administrators: by monitoring important indicators, administrators are able to avert potential risks and large-scale problems. Some of the key benefits of AD monitoring can be summarized as follows:

- Quick resolution of issues while they are at low priority
- Higher service levels because of improved system reliability
- Improvement in schedule flexibility
- Better possibility of prioritizing workload
- Increased system ability to cope with periodic service outages
- Reduction in help desk support issues
- More reliable resource utilization and faster logon time

Levels of Active Directory monitoring

The level or degree of monitoring depends on various factors such as the size of your organization, the cost associated with service outages and the time required to identify and resolve a potential problem. Small organizations with few domains, sites and domain controllers can simply use the in-built tools provided with Windows Server 2000. Larger enterprises with more domains, DCs and sites, and those which cannot afford productivity losses due to service outages, can employ monitoring solutions like MOM (Microsoft Operations Manager). Organizations with many domains and remote sites often employ automated monitoring systems for their Active Directory service for timely consolidation and resolution of issues. With the use of monitoring systems such as MOM, it is possible to get centralized control over the entire forest and monitor the vital indicators. In enterprise-level monitoring systems, agents and local services are used to collect the monitoring data and consolidate the results in a centralized console. Furthermore, to reduce network traffic and increase system performance, these systems make use of the physical network topology.
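Account lockouts, which the section attributes to replication failures or an unavailable PDC emulator, are one of the indicators such monitoring is meant to surface. The following PowerShell is an added example (not from the original article or any Microsoft tool); it assumes a Windows Server 2008 or later domain controller, where lockouts are logged as event ID 4740 on the PDC emulator, and the ActiveDirectory module; the thresholds are placeholders.

```powershell
# Added example, not part of the original article: summarise account-lockout events
# from the PDC emulator's Security log, the one DC on which every lockout in the
# domain is recorded. Assumes Windows Server 2008 or later (event ID 4740, "A user
# account was locked out") and the ActiveDirectory module; thresholds are placeholders.
Import-Module ActiveDirectory

function Get-RecentLockouts {
    param(
        [int] $Hours = 24,
        # An account locked at least this often in the window is flagged as repeating,
        # the pattern seen with stale credentials on a service or with replication gaps
        [int] $RepeatThreshold = 3
    )
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent errors when nothing matches; treat that as an empty result
    $events = @(Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $rows = foreach ($e in $events) {
        # EventData order for 4740: TargetUserName, TargetDomainName (the caller computer),
        # SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId
        $p = $e.Properties
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $p[0].Value
            Caller  = $p[1].Value
        }
    }
    $rows | Group-Object Account | ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Name
            Lockouts  = $_.Count
            Callers   = (($_.Group.Caller | Sort-Object -Unique) -join ', ')
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Repeating = $_.Count -ge $RepeatThreshold
        }
    } | Sort-Object Lockouts -Descending
}

# Cross-check against the directory: an account still locked after its last event is
# either inside the lockout duration or is being re-locked by the same caller.
function Get-LockoutReport {
    param([int] $Hours = 24)
    foreach ($row in Get-RecentLockouts -Hours $Hours) {
        $user = Get-ADUser -Identity $row.Account -Properties LockedOut -ErrorAction SilentlyContinue
        $row | Add-Member -NotePropertyName StillLocked -NotePropertyValue ([bool]$user.LockedOut) -PassThru
    }
}

Get-LockoutReport -Hours 24 |
    Format-Table Account, Lockouts, Callers, LastSeen, Repeating, StillLocked -AutoSize
```

A single caller name locking many different accounts points at a device or script rather than at the users, while one account locked from many callers usually means a credential cached in several places.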
Since Active Directory depends on various independent services distributed over remote locations and numerous devices, systematic monitoring is required. With increased network size and scalability issues, effective monitoring helps tackle the following problems:

- Domain controller failure: domain controllers stop functioning if the drive containing the file Ntds.dit runs out of disk space.
- Logon failure: in a domain, logon failures occur when a trust relationship or name resolution fails, or when a global catalog server is unable to determine a user's universal group membership.
- Account lockout: whenever the replication process fails between several domain controllers or the PDC emulator becomes unavailable in a domain, user accounts get locked out.
- Security policy failure: if some problem occurs during the replication of the SYSVOL shared folder, GPOs and security policies fail and are not applied properly to clients.
- Application failure: applications such as MS Exchange can fail if their address book queries into the directory fail.
- Inconsistent directory data: upon replication failure for an extended period of time, reanimated AD objects require more time for elimination.

Active Directory Management Tools

The most common management tool used to manage Active Directory is the Microsoft Management Console (MMC). This Microsoft console offers interfaces where Active Directory snap-ins can be loaded, which in turn provide specific functionalities for administering the Active Directory service. Using the MMC interface of the Active Directory management tools, administrators create custom console tools to manage the domains, AD objects, group policies, etc. Of the various MMC snap-ins used to manage the Active Directory, the following Active Directory management tools are used extensively:

- Active Directory Users and Computers snap-in: this console is used to create, manage and configure Active Directory objects like Users, Groups, Computers and OUs. This tool also helps in changing group policies.
- Active Directory Domains and Trusts: this console is used to manage domains, domain trees, domain trust relationships, domain modes and forests. It is also used to configure user principal name (UPN) suffixes.
- Active Directory Sites and Services: this tool is used to manage domain controller replication and to create, configure and manage AD sites and subnets.
- Active Directory Schema: this console is used to view and change the AD schema, which contains the object and attribute definitions. However, this MMC snap-in is not included in the Administrative Tools pack and has to be installed manually to create an MMC for it.
- Resultant Set of Policy: this console enables administrators to view the current user policy with respect to a system.

Active Directory Users and Computers snap-in

Apart from managing user accounts, computer accounts, groups, OUs, etc., the Active Directory Users and Computers snap-in is also used to set, create and view permissions, and to move, create or delete objects.

Active Directory Domains and Trusts Console

The administrative tasks which can be performed using the Active Directory Domains and Trusts console are as follows:

- View the console tree of a forest listing all the domains.
- Change the domain mode or domain functional level from mixed mode to native mode, or to a higher functional level.
- Add, delete and change the user principal name (UPN) suffixes.
- Transfer the domain naming operations master role from one domain controller to another domain controller.
- Configure domains in other Windows Server forests for interoperability and specify trust relationships between the domains.

Active Directory Sites and Services snap-in

The Active Directory Sites and Services console is used to perform administrative tasks on the sites which are used during the AD replication process. Within the containers provided with the installation of this snap-in, administrators are able to create new sites and manage them in the network. The Default-First-Site-Name site, the Inter-Site Transports container and the Subnets container can be easily managed with this console. This console helps administrators configure connections between AD sites and specify the replication process, create domain controller objects and manage the OU containers. Site management is crucial as well as complicated in an Active Directory service, especially for a large network.

The Active Directory Schema Snap-In

The schema in Active Directory defines the objects which are stored in the AD database, along with the object attributes. The Active Directory Schema snap-in helps in viewing the schema and modifying it.

MS Active Directory Tools

Microsoft Active Directory support tools are provided to administrators so that the entire directory service can be managed with efficiency and problems (if any) diagnosed. In order to use the Microsoft Active Directory tools, one has to install them from the Windows 2000 installation CD. In the Browse This CD option, navigate through the CD directory, select the \SUPPORT\TOOLS directory and run the program SETUP.EXE. Once the setup program completes, all the Windows Support Tools are added to the Start menu. Details of some of the Microsoft Active Directory tools are given below:

Active Directory Administration Tool (LDAP tool)

Since Active Directory is a Lightweight Directory Access Protocol based system, administrators can perform the basic LDAP functions on it. Functions such as adding, searching, deleting or modifying an object can be performed with the AD administration tool, also known as the LDAP tool. The Active Directory administration tool has five different options in its menu bar. Of those options, administrators must first select the Connect option from the Connection menu. After entering information like the server name and LDAP port number, the AD administration tool tries to connect to the server. Once the connection with the server is established, a summary of the Active Directory status of the server is displayed.

Active Directory Migration Tool

The Active Directory Migration Tool (ADMT) is used to securely migrate from Windows NT to the Windows 2000 Server Active Directory service. Moreover, this tool allows administrators to restructure the Active Directory domains in Windows 2000, if needed. Any potential problems arising before the migration process can be identified and sorted out by this tool. The ADMT task wizard also allows migration of users, groups, computers and Exchange Server mailboxes to the new domain. Upon computer migration or during resource translation, the ADMT automatically installs services, also called Agents, on the source computers so that administrators are not required to manually load the tool on each computer. After the migration process terminates, the tool uninstalls the agent automatically.

Active Directory Replication Monitor

The Active Directory replication process takes place in every domain site and is conducted by replicating the changed AD state to every domain controller. The complexity involved in Active Directory replication makes its administration error-prone. Monitoring the replication process is important, as different issues or problems may crop up with added domain controllers. The Active Directory Replication Monitor tool helps in this respect. This tool is used to monitor all the servers and the domain controllers, as well as to view the current replication status of the Active Directory. Furthermore, this AD tool also lets administrators manually force replication.

Active Directory Admin Tools

Active Directory management is a vital administrative process. In order to manage the Active Directory service, two types of administrative methods are followed, which are mentioned below:

- Administrative tools which utilize a GUI from where all the AD components can be managed
- Command-line tools

Some command-line tools come with Windows Server 2003 which can be used to manage the AD objects and other components of the Active Directory. The administrative tool, on the other hand, is the Microsoft Management Console (MMC), which provides an interface to load in the Active Directory snap-ins. The MMC snap-ins offer specific functionalities for administration and also make provision to create custom Active Directory admin tools or load multiple snap-ins in a single console. However, before administrators start using the Active Directory admin tools, it is essential to install the tools on a system running a Windows OS. The Adminpak.msi file installs the Active Directory administrative tools, as well as the Terminal Services Client and Cluster Administrator. By doing so, it becomes possible to manage a computer's Windows Server from a remote system other than a domain controller. The step-by-step installation procedure of the Active Directory administrative tools on a local computer is explained below:

Prerequisite: administrative permissions for the local computer are required before installing and running the Windows Administrative Tools.

1. From the CD-ROM that comes along with any version of Windows Server, open the I386 folder.
2. Double-click the Adminpak.msi file.
3. Click Next and then click Finish.

Once Adminpak.msi is installed and the workstation is configured accordingly, the following server administrative tools will be available for managing the Active Directory:

- Active Directory Domains and Trusts
- Active Directory Schema
- Active Directory Sites and Services
- Active Directory Users and Computers
- Certification Authority
- Cluster Administrator
- Connection Manager Administration Kit
- DHCP
- Distributed File System
- DNS
- Internet Authentication Service
- Internet Services Manager
- QoS Admission Control
- Remote Boot Disk Generator (part of Remote Installation Services)
- Remote Storage
- Routing and Remote Access
- Telephony
- Terminal Services Manager, Licensing, and Client Connection Manager
- WINS

MS Windows Active Directory Tools
We have discussed the various command-line Active Directory tools, Windows Active Directory tools (support tools) and MMC snap-ins which are used to manage an Active Directory service. However, apart from these administrative tools, Active Directory management tasks can also be performed with the help of scripts. Windows Script (WS) and its supporting technology, ADSI (Active Directory Service Interfaces), enable administrators to build custom scripts to manage the directories in Windows 2000 and NT environments. Active Directory scripts let administrators automate tasks and batch jobs and build reports according to the AD changes. Furthermore, the scripts make it possible to generate custom reports and extend the schema by adding attributes and new classes to it.

To begin with, let us first understand what ADSI is. ADSI is a set of automation-enabled COM objects that helps in managing multiple heterogeneous directories, including the Windows Active Directory. The COM interface developed for Microsoft's Active Directory, referred to as ADSI, is used in all of Microsoft's graphical Windows Active Directory tools. ADSI supports LDAP (version 3) and, by virtue of that, many LDAP-based directories. ADSI further supports ADO queries through OLE DB. ADSI can be used to write directory management scripts in any COM-compliant scripting environment, such as Windows Script Host (WSH), VBScript, JScript, and more. ADSI can help you create, delete and modify AD objects and their properties: its interfaces help administrators create, modify and delete almost any of the AD objects, like user accounts, groups, computers, OUs, sites and subnets. ADSI offers more than 50 interfaces, of which three core interfaces let administrators perform the AD tasks. Scripting Active Directory tasks is considered easier, and the core interfaces help in accomplishing the majority of AD management tasks.

For executing an ADSI script, it is essential to complete some basic steps. For example, to create an AD user object the following four steps have to be followed:

1. Use VBScript's GetObject function to connect to the target container that will hold the new user:

   ' strWhere holds the container's relative path within the domain, e.g. "OU=Staff," (ending in a comma)
   Set objContainer = GetObject("LDAP://192.168.1.105:59822/" & strWhere & "DC=HSD1,DC=IL,DC=COMCAST,DC=NET")

2. Next, create the new user object using ADSI's Create method:

   ' strClass is "user"; the relative distinguished name must carry the CN= prefix
   Set objUser = objContainer.Create(strClass, "CN=" & strUserName)

3. With the help of ADSI's Put and PutEx methods provided in the IADs interface, set the mandatory and optional properties of the user object:

   ' sAMAccountName is the pre-Windows 2000 logon name (at most 20 characters)
   objUser.Put "sAMAccountName", strUserName

4. To write the new object to the Active Directory, use ADSI's SetInfo method, also provided in the IADs interface:

   ' nothing reaches the directory until SetInfo commits the cached properties
   objUser.SetInfo

Active Directory Tools
There is a series of command-line tools available with different versions of Windows Server used to manage Active Directory. Most of these Active Directory tools are available with Adminpak.msi (Microsoft's Administration Tools Pack) and allow server management. Some of the Windows Support Tools that can be used to manage the Active Directory components are given below:

- Acldiag: the ACL Diagnostics command-line tool is used to detect modifications or discrepancies in the ACLs (Access Control Lists) of AD objects and report them. It is further used to apply security templates to ACLs, thereby eliminating or restoring incomplete delegations.
- ADSI Edit (adsiedit.msc): the Active Directory Service Interfaces Editor is an LDAP editor which is used to manage the AD objects and their attributes. This tool offers a view of every AD object and attribute, from where administrators can query and edit them.
- Clonepr: the Clone Principal tool is used to migrate users from Windows NT to Windows 2000 or Windows Server 2003 by creating clones of all the users and groups present in Windows NT on the migrating server.
- Dsacls: this tool is used to display and change the permissions of the ACEs (access control entries) in the ACLs (access control lists) of AD objects.
- Dsastat: the Directory Services Utility is a command-line diagnostic tool used to compare directory trees on domain controllers across replicas, either in the same or in different domains. This tool retrieves capacity statistics and compares the attributes of the replicated objects.
- Ldp: the LDP tool is primarily an LDAP client that is used by Active Directory users to perform operations against any LDAP-compatible directory service. This tool helps in viewing AD objects and their metadata.
- Movetree.exe: this command-line tool, also referred to as the Active Directory Object Manager, is used to move AD objects between domains for domain consolidation and for operations supporting restructuring of the organization.
- Repadmin: this Replication Diagnostics Tool is used to diagnose Active Directory replication problems between Windows domain controllers. This tool is further used to monitor the performance of DC replication, view and force synchronization between domain controllers, and view the AD replication topology.
- Replmon: the Active Directory Replication Monitor is used to view the low-level status of Active Directory replication and the replication topology in a graphical format, and to create the replication topology in order to view the replication events between domain controllers.
- Sdcheck: the Security Descriptor Check utility is a command-line tool used to display the security descriptor of any AD object. The security descriptors contain the ACLs which define the permissions the users enjoy over the Active Directory objects.
- Search: the Active Directory Search Tool is used to perform searches in the Active Directory and obtain information from the LDAP server.
- Setspn: the Manipulate Service Principal Names for Accounts tool is used to read, modify and delete the SPN (Service Principal Name) directory properties of Active Directory service accounts. This tool is used to view the current SPNs, add or delete supplemental SPNs and reset the default SPNs.
- Sidwalker.exe: this tool is used to configure the ACLs of AD objects which belong to moved or deleted accounts.

The above-mentioned Active Directory Windows support tools are available in the Windows Support Tools toolkit.

Free Active Directory Tools

The Active Directory administration tools are included on the installation CDs of Windows 2000 Server and Windows 2000 Advanced Server. These free Active Directory tools let administrators manage the server remotely from any system running Windows 2000. These administration tools contain the MMC snap-ins which are used to manage the Active Directory objects and resources. The Adminpak.msi file installs the Active Directory administrative tools, including administrative tools like the Terminal Services Client and Cluster Administrator. In order to install the Windows 2000 Administration Tools on a local system, the following steps must be followed:

1. Open the I386 folder on the Windows 2000 Server CD-ROM.
2. Double-click the Adminpak.msi file.
3. Click Next, and then click Finish.

Once Adminpak.msi is installed, the following free Active Directory tools are available:

- Active Directory Users and Computers (ADUC): this MMC console can be used only by the Domain Admins and Enterprise Admins groups. With this snap-in, administrators can create, delete, move, locate and configure objects like user accounts, groups, contacts, computers, OUs, shared folders and printers. ADUC is also used to manage GPOs (Group Policy Objects), including Windows settings, Security settings, Public key policies, Automatic Certificate requests, etc.
- Active Directory Domains and Trusts: this MMC snap-in is used to administer domain trusts, the domain functional level, the forest functional level and user principal name (UPN) suffixes.
- Active Directory Sites and Services: this MMC console is used to administer the replication process of the directory data within all sites of an AD DS forest. Using this snap-in, it is also possible to view the service-specific objects published in AD DS.
- Active Directory Connector (ADC): this free Active Directory tool is used to simplify administrative tasks among multiple directory services. The ADC console hosts all the active AD components. With the help of these Active Directory tools, it is possible to configure, manage and troubleshoot Active Directory.
- CSVDE bulk schema update tool: the Comma Separated Values Data Exchange tool is used to import new objects into the Active Directory with the help of a CSV source file. Using this tool, it is also possible to export existing objects to a CSV file (ad.csv).
- LDIFDE bulk schema modification tool: using this tool, administrators can export, import and modify objects like users, groups, contacts, computers, OUs, servers and shared folders. It is further used to replicate AD information through the LDAP utility, map objects for replication and support multiple connections on one server.
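CSVDE and LDIFDE both import whatever the input file says, so validating the records before the import is where mistakes are cheapest to catch. The PowerShell below is an added example (not from the original article or from either tool): it turns a CSV of new user records into an LDIF add file that ldifde.exe can import; the column names (sam, given, sn, upn), the target OU and the sample rows are constructed assumptions.

```powershell
# Added example, not part of the original article: build an LDIF "add" file for
# ldifde.exe from a CSV of new user records, validating each row first. The column
# names (sam, given, sn, upn), the target OU and the sample rows are constructed.

function Format-LdifLine {
    param([string] $Name, [string] $Value)
    # LDIF requires base64 for values that are not printable ASCII or that start with
    # a space, colon or '<'; such a line uses a double colon after the attribute name
    if ($Value -match '[^\x20-\x7E]' -or $Value -match '^[ :<]') {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        return "${Name}:: $b64"
    }
    "${Name}: $Value"
}

function ConvertTo-UserLdif {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string]   $ContainerDn
    )
    $required = 'sam', 'given', 'sn', 'upn'
    $seen = @{}
    $out = New-Object System.Text.StringBuilder
    foreach ($r in $Rows) {
        # Reject rows with a missing required column or a duplicate logon name before
        # anything reaches the directory; ldifde would otherwise fail part-way through
        $missing = @($required | Where-Object { [string]::IsNullOrWhiteSpace($r.$_) })
        if ($missing.Count) { throw "Row '$($r.sam)' is missing: $($missing -join ', ')" }
        if ($r.sam.Length -gt 20) { throw "sAMAccountName '$($r.sam)' exceeds 20 characters" }
        if ($seen.ContainsKey($r.sam.ToLower())) { throw "Duplicate sAMAccountName '$($r.sam)'" }
        $seen[$r.sam.ToLower()] = $true
        # Escape RDN special characters so a comma or '=' in a name cannot change the DN
        $cn = "$($r.given) $($r.sn)" -replace '([,+"\\<>;=])', '\$1'
        $lines = @(
            (Format-LdifLine 'dn' "CN=$cn,$ContainerDn")
            "changetype: add"
            "objectClass: user"
            (Format-LdifLine 'cn' $cn)
            (Format-LdifLine 'sAMAccountName' $r.sam)
            (Format-LdifLine 'userPrincipalName' $r.upn)
            (Format-LdifLine 'givenName' $r.given)
            (Format-LdifLine 'sn' $r.sn)
            (Format-LdifLine 'displayName' "$($r.given) $($r.sn)")
            # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): the account is imported
            # disabled and is enabled only after a password has been set for it
            "userAccountControl: 514"
            ""
        )
        foreach ($l in $lines) { [void]$out.AppendLine($l) }
    }
    $out.ToString()
}

# Constructed sample input, not real accounts
$sample = @'
sam,given,sn,upn
jdoe,Jane,Doe,jdoe@example.com
bsmith,Bob,Smith,bsmith@example.com
'@ | ConvertFrom-Csv

$ldif = ConvertTo-UserLdif -Rows $sample -ContainerDn 'OU=Staff,DC=example,DC=com'
# Base64 lines are plain ASCII, so the whole file can be written as ASCII
[System.IO.File]::WriteAllText("$PWD\newusers.ldf", $ldif, [System.Text.Encoding]::ASCII)
# Import with:  ldifde.exe -i -f newusers.ldf -k
# (-i import mode, -f input file, -k continue past "already exists" and constraint errors)
```

Run the import under an account delegated only the create-user right on the target OU, so a bad row cannot create objects anywhere else.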