Domain Modes and Functional Levels
Let us first discuss certain general domain and forest functionalities that, to some degree, are common for both Windows 2000 and Windows .NET domains. Windows 2000 domains can operate in either default (mixed) mode, when a domain can contain Windows NT 4.0 Backup Domain Controllers (BDCs), or native mode, when a domain contains only Windows 2000-based domain controllers. When a domain's mode is changed to native, the following considerations should be taken into account: Domain controllers (DCs) no longer...
Delegating Administrative Control
One of the most remarkable features that Active Directory realizes is the possibility of delegating all or part of administrative power over an OU or a directory container to a group or a user (in both Windows 2000 and Windows .NET domains). Delegation of control is essentially the same thing as wizard-aided granting of permissions on Active Directory objects to a user or group. You can manually assign the permissions necessary for performing this administrative task to a user or group, but this...
Group Policy Verification Tool (GPOTool.exe) (RK)
Group Policy Verification Tool allows you to:
- Check the internal consistency of the specified or all group policy objects that are stored on the selected domain controller or all DCs. These DCs can be located in the current or specified domain. The tool verifies both the directory service and SYSVOL parts of each GPO.
- Check replication of GPOs by comparing replicas (instances) of each GPO on different domain controllers.
The tool can be run with any credentials on any domain computer. Note: The...
Roles: Managing FSMO Roles
NTDSutil allows an administrator to manipulate FSMO roles: to view and transfer them. See Chapter 7, Common Administrative Tasks, to learn how to dump the names of all FSMO role owners. In this section, we'll discuss how to designate a DC as a role owner by using NTDSutil. You can choose either of the following options: Seize role: this command designates the connected server as the specified role master. The command must be used only when the DC (the current master) has severely crashed and cannot be...
Windows .NET Server Domains Active Directory
Copyright 2003 A-LIST, LLC. All rights reserved. No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopy, recording, or scanning, without prior permission in writing from the publisher. 295 East Swedesford Rd. PMB 285, Wayne, PA 19087; 702-977-5377 (FAX); mail@alistpublishing.com; http://www.alistpublishing.com. All brand names and product names mentioned in...
Verifying Replication
DCdiag allows an administrator to resolve replication problems quite well. Let us suppose that a site contains three domain controllers, one of which is refusing to replicate with its partners. The following command will test all DCs and check replication issues on each DC: C:\> dcdiag /test:Replications /a /v. Only failed replication events will be included in the resulting report. The output of this command is the following: Verifying that the local machine netdc1 is a DC. Connecting to directory...
How Can the User Find an FSMO Master
Basically, in Active Directory-based domains (Windows 2000 and Windows .NET), there are five FSMO roles, and every forest contains at least five Active Directory objects, which know the names of these operations masters. Windows .NET domains support application directory partitions, and each created partition has its own Infrastructure Master. Thus, the total number of operations masters in a single-domain forest can exceed five. In addition, every new domain in the forest introduces three...
Using the RunAs Command
Due to security requirements, it is not recommended that you be permanently logged on to the system (domain) with a user account that has full administrative privileges. Windows 2000/XP/.NET offers a very helpful command: RunAs. This command allows a system administrator to carry out common tasks using an account with restricted or normal user rights, and to start a specific command on behalf of a power user (this can be an administrator account or an account with some additional rights). Thus, it...
Basic Active Directory Administrative Snap-ins
Both Windows 2000 and Windows .NET systems use the same set of snap-ins for administering Active Directory. For the most part, these tools have not changed in the new version (they perform the same functions, although in Windows .NET all of them have some additional features). Therefore, an administrator acquainted with Windows 2000-based domains can easily master commonly used operations in the Windows .NET environment. After a Windows .NET Server has been promoted to a domain controller, new...
Kerberos List (KList.exe) (RK)
This command-line tool has practically the same possibilities and features as the Kerberos Tray tool described earlier. This tool has the following commands:
- klist tgt displays the initial TGT.
- klist tickets lists all cached tickets.
- klist purge allows you to delete a specific ticket in a dialog.
Here is an example of such a dialog:
Server: krbtgt/SUBDOM.NET.DOM@NET.DOM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/12/2002 1:33:40
Renew Time: 6/18/2002 15:33:40
Purge? (y/n): y
Deleting...
Server Component (RPings.exe)
The server component performs only two RPC functions: Echo and Stats. You can run it with all available protocols or select only one protocol (-p parameter). If, for instance, only the TCP/IP protocol is installed on the server computer, RPings.exe displays the following messages while starting (the names of endpoints are shown in bold; these names will be displayed by clients later; see Fig. 11.2)...
Moving and Renaming Objects
Moving and renaming an object are essentially the same LDAP operation (Modify DN). This means that you cannot move or rename objects using the WinNT provider. You simply specify different source and target containers for a move operation, and the same container for a rename operation. While moving, the object can retain or change its name. The following script moves a user from one OU to another. The MoveHere method of the IADsContainer interface is used. Important: The source and destination...
Renaming Domains
The Windows .NET version of Active Directory allows administrators to change domain names and, thus, reconstruct the forest. This procedure is not intended to be a routine operation and is only possible when the forest functional level has been raised to Windows .NET. The rename procedure is not simple and includes a step-by-step process that requires use of the RenDom.exe utility (see the link in Appendix A) and depends on the kind of rename operation. The simplest case is when you rename a...
Database Integrity
The Files menu also contains two commands (Recover and Integrity) that can be used to detect corruption of the Active Directory database with respect to the ESENT database semantics and to perform some operations for its recovery. The Windows 2000 version of NTDSutil also contains the Repair command in the Files menu. All of these commands may require a lot of time to run (this primarily depends on the actual size of the database). The Repair command should not be run without first consulting with...
Appendix C: ADSI Interfaces Supported by the LDAP and WinNT Providers
The following table lists all interfaces (42 in total) supported by either the LDAP or WinNT provider, or by both of them. The last column indicates one of 10 categories to which an interface belongs. First of all, get acquainted with the core interfaces. The table columns are: Interface name | LDAP | WinNT | Category
Example: Finding Deleted Objects
Deleted Active Directory objects (so-called tombstones) are stored in a hidden Deleted Objects container for a pre-configured period of time, and then permanently purged during garbage collection. This container cannot be accessed by using standard snap-ins. The Show Deleted Object control (controlType 1.2.840.113556.1.4.417) and the search command allow you to retrieve the tombstones. You must have administrative privileges. Start Ldp.exe and carry out the following operations: 1. Connect to a DC, and...
Windows Resource Kit
The Windows Support Tools can be regarded as a subset of the Windows Resource Kit, a separately purchased product that contains hundreds of various utilities as well as comprehensive printed documentation. There are two versions of the Kit: Server and Professional. Many of the tools described below are present in both versions. The Windows 2000 Resource Kit requires about 60 MB of hard disk space. The good news is that the Windows 2000 Resource Kits (both Professional and Server versions, including...
Managing Replication Status (DSA Options)
Each Directory System Agent (DSA) is represented in Active Directory by an object of the nTDSDSA class named CN=NTDS Settings that belongs to the appropriate server object in the Configuration partition. You can view the attributes of DSA objects with the ADSI Edit snap-in. DSA objects have the options attribute, which significantly affects their state and behavior. An administrator can set the value of this attribute by using RepAdmin with an undocumented parameter (/options). Let us discuss a few...
Exact policies applied to the computer account (Resultant Set Of Policies) for
N/A (this means that the GPOs that affect this computer account do not contain policy settings of that kind)
Startup Scripts: LastExecuted 2:28:49 PM
Shutdown Scripts
GPO: Default Domain Policy (account policies can be defined at the domain level only)
Computer Setting: N/A
GPO: Default Domain Policy; Policy: PasswordHistorySize; Computer Setting: 3
GPO: Default Domain Policy; Computer Setting: N/A
GPO: Default Domain Policy; Policy: LockoutBadCount; Computer Setting: N/A
GPO: Default Domain Policy; Policy...
Active Directory Service Interfaces (ADSI)
- MSDN Library: Platform SDK, ADSI, and other technical programming information
- Active Directory Service Interfaces Overview: links to resources and downloads. It is advisable to download the updated version from the Microsoft Platform SDK page. You can select and download only the necessary files (Microsoft Active Directory Services Interfaces 2.5 and SDK, or Active Directory SDK code and documentation)
- MSDN Online Windows Development Center: online documentation (click Networking and Directory...
Analyzing RSoP Data in Domain
From the Active Directory Users and Computers snap-in, you can obtain the RSoP data for any user, computer, and OU. The Active Directory Sites and Services snap-in will help you to run an RSoP query on a site. In all cases, the Resultant Set of Policy Wizard is used to prepare a query. There is nothing difficult in testing group policy settings, and you will see this yourself if you run the wizard two or three times. Using an example, let us discuss how to prepare an RSoP query for a domain or...
Using IADsTools
The IADsTools DLL contains over 180 functions (see the full list in Appendix D), which administrators can use when performing various tasks, from retrieving some domain configuration data to triggering replication of a directory partition. This facility is not supported, so you may have to refrain from using a function if you encounter problems. We will consider only a few examples of using IADsTools for scripting administrative tasks. You can easily expand their basic approach to other functions.
Seizing a Role
Suppose a DC that holds the Infrastructure FSMO role was destroyed, and you want this role to be designated to another DC. The following dialog shows how to forcibly transfer the role to a new candidate server, netdc1.net.dom (comments are in bold, in square brackets):
server connections: Connect to server netdc1.net.dom
Connected to netdc1.net.dom using credentials of locally logged on user
fsmo maintenance: Seize infrastructure master
[The Role Seizure Confirmation Dialog will appear; click Yes.] First, the...
Windows Domain Scenario
To pre-create a computer account for a Windows NT 4.0 BDC, log on to the domain using an administrative account on any Windows 2000 domain member, and perform the following operations:
1. Start the Server Manager (enter srvmgr at the command prompt), which is supported with Windows 2000. Do not use the Server Manager from the Windows NT 4.0 installation.
2. Select Add to Domain from the Computer menu.
3. Select Windows NT Backup Domain Controller, enter the BDC computer name, and click Add, then...
Retrieving Information from a RootDSE
From the following script, you can learn how to access the RootDSE object and use two popular interfaces, namely, IADsPropertyList and IADsPropertyEntry. RootDSE is the main source of information about names of Active Directory partitions and Directory Service Agents. See Chapter 2, Active Directory Terminology and Concepts, for detailed information on RootDSE. This script can also serve as an example of handling ADSI errors. Listing 17.2. getRootDSE.vbs: Reading the Attributes of a RootDSE...
Requirements and Restrictions
Active Directory can be installed only if several critical conditions are met. The Active Directory Installation Wizard (DCpromo.exe) will check different parameters depending on the type of DC that is being created. Among these conditions are the following: Active Directory can be installed only on an NTFS 5.0 formatted disk partition. This partition must have at least 250 MB of free space. This does not mean that all that space will be employed at once (the default size of the Active Directory...
IP Deny List
The IP Deny List command is available in the Windows 2000 version of NTDSutil, but may not be in the Windows .NET version. If it is not, you can manually configure the list of IP addresses using the ADSI Edit snap-in (see Appendix B). To increase the security of a DC, an administrator can use the IP Deny List command, which is applied only to the Default Query Policy object (see also the next section). This list contains IP addresses from which a domain controller will not accept LDAP queries. A...
Running Administrative Tools from the Context Menu
You can select an administrative tool in one of the following ways:
- Select the tool in the Start | Programs | Administrative Tools menu (or Start | All Programs | Administrative Tools).
- Open the window that contains all the tools. Click Start | All Programs | Administrative Tools, and select either Open or Open All Users in the context menu. The former command will open the window that only contains the tools created by the user, while the latter opens the window that contains all tools installed by default....
Advertising a Server as a Domain Controller
Here are the methods that will allow you to identify whether a Windows 2000- or Windows .NET-based server is a domain controller after its promotion or normal reboot:
- The registry key must contain the NTDS subkey.
- Enter net accounts at the command prompt. The Computer role of a domain controller is PRIMARY, while standalone servers identify themselves as SERVERS.
- Enter net start at the command prompt. The list of running services must contain the Kerberos Key Distribution Center (KDC) service....
Chapter Active Directory Terminology and Concepts
This chapter relates to basic Active Directory elements, features, and requirements that will be mentioned repeatedly in the other chapters of the book. You should have a solid understanding of all these concepts and ideas before you go any further. If a term is not clear to you, you can easily find detailed information in other sources. For example, you can use the search function and quickly find an exhaustive description of any term including its relation to other Active Directory elements...
Selecting a Domain Controller
A Group Policy Object Editor snap-in is always targeted to a specific (preferred) domain controller. Notice the "This list obtained from:" line in Fig. 7.35. By default, all Group Policy Object Editor snap-ins started on computers that belong to the sample domain net.dom will select the name DC. There are some rules that define this behavior of the snap-in. To verify or change the default settings of a Group Policy Object Editor snap-in, point to the root node in the tree pane and click View | DC...
Adding and Removing Partition Replicas
To provide fault tolerance or increase the performance of an application partition, you should create a copy of that partition on several domain controllers, i.e., add them as partition replicas. The following command designates the NETDC2 domain controller as a replica of the app-part.net.dom application partition:
domain management: Add NC Replica DC=App-Part,DC=net,DC=dom netdc2.subdom.net.dom
domain management: List NC Replicas DC=App-Part,DC=net,DC=dom
The application directory partition...
Viewing Information on Network Topology
Information about the site (in a multiple-site network) that a client computer is connected to is not configured on that computer in any way. The site is selected on the basis of client and subnet IP address data. The following command will help you to find the site to which the local or remote computer has been connected after it has been booted and logged on to the domain: ... The command completed successfully. Add server <computerName> for a remote computer. Sometimes, a domain controller can serve...
Searching Active Directory for Objects
There are several ways of treating directory objects of the same type (enumerating objects). Generally, the most preferable way is the following one:
1. Use ActiveX Data Objects (ADO) for searching Active Directory, and obtain a set of necessary objects. Remember that access through ADO is read-only.
2. Bind directly to an object found.
4. Repeat Steps 2 and 3 for the next object found.
Nevertheless, it is also possible to filter out, or enumerate, child objects located in containers. This approach...
Other Name Types Used in Active Directory
- SAM (Pre-Windows 2000) Account Names. SAM account names are required for compatibility with down-level clients. A SAM name must be unique within a domain.
- Globally Unique Identifiers. The Globally Unique Identifier (GUID) is a 128-bit number, which uniquely identifies the object when it is created. It never changes and ensures that the object will be addressed even if it has been renamed or moved.
- Fully Qualified Domain Name (FQDN), also known as the full computer name; this is a concatenation of...
Chapter Configuring and Troubleshooting Active Directory Domains
Certainly, the title of this chapter encompasses a broad topic that cannot be fully covered even in a dozen books. We will discuss only certain issues here, ones that you inevitably encounter in your practice and that you should not forget about. See also Chapter 9, General Characteristics and Purpose of System Tools, which will help you to select the necessary tools and utilities for your work and simplify the troubleshooting process. Do not neglect these very useful tools. Though, alas, in...
Windows .NET Support Tools
Sometimes, administrators forget or simply do not know that each Windows 2000 or Windows .NET (as well as Windows XP) installation CD contains a pack of powerful tools named Windows Support Tools. This pack is the same for both Professional and Server versions of Windows 2000. Windows .NET servers have more recent versions of the Support Tools than Windows XP. This pack must be installed separately from the operating system itself. Run the Setup.exe or Suptools.msi file from the SUPPORT\TOOLS...
Normal Replication Intervals
There are two default methods of replicating object changes in Active Directory forests:
- Change notification is usually used between DCs within a site. If a DC updates an object attribute, it will send notification to its first replication partner within a specified time interval (5 minutes by default). Then, the partner pulls the changes from the originating DC. You can change the default interval (300 seconds) by modifying the Replicator notify pause after modify (secs) value under the registry...
Moving an OU Subtree
Moving OUs with all their child objects is arguably the most attractive feature of MoveTree. You must take into consideration the fact that when an OU is moved, it retains all links with Group Policy Objects (GPOs) assigned to this OU. It is necessary to re-create these GPOs in the new domain, and break the links with GPOs from the old domain. Suppose, for example, we would like to move the Personnel OU from the net.dom domain to the subdom.net.dom domain and rename it Staff. You must have...
Well-Known SIDs and RIDs
Let us first clarify some terms used below. A unique Security Identifier (SID) of a security principal (i.e., user, computer, or group account) is used to grant access rights to shared network resources to a principal. The SID is composed of two parts: a unique domain part, which is the same for all principals within the domain where they reside, and a Relative Identifier (RID), which uniquely identifies the principal in the domain. Note: Windows .NET domains offer a new security principal class...
Making a Custom MMC Console
Most standard administrative tools can be started from the Start | Administrative Tools menu, or can be added to a custom MMC console. Such tools as the Active Directory Schema Manager snap-in or the Group Policy Object Editor snap-in should always be initially added to an MMC document:
1. Enter mmc in the Start | Run window.
2. Press <Ctrl>+<M>, or select the Console | Add/Remove Snap-in command. Click Add in the window that opens.
3. Select the desired snap-in in the Add Standalone...
Active Directory Essentials and Components
Let us first consider what essential information is necessary to comprehend in order to deploy and manage both Windows 2000 and Windows .NET domains. You may skip this section if you are familiar with Active Directory basics, and go to the description of new features. The Active Directory elements considered in this section will be addressed later, in subsequent chapters. If you find that you are not completely grasping the meaning of a particular word, just search for it in Help and Support...
Parameters
Table 12.1 lists some of the most frequently used parameters of both utilities, LDIFDE and CSVDE.
Table 12.1. Some Parameters of the LDIFDE and CSVDE Utilities
Parameter | Description and comments | Meaning or value if the parameter is omitted
-f | Input or output filename. con can be used for output to the console. | Required parameter
| DC name | The name of the DC the user is currently logged on to
| Port number. The Global Catalog port (3268) can also be used |
-d | Search base | Domain naming context
-c | Replace all...
Active Directory Sites and Services Snap-in
The Active Directory Sites and Services snap-in is the main GUI tool that allows an administrator to configure Active Directory as a distributed network service. Other administrative tools consider Active Directory as a whole, at a logical level. You might almost forget about this snap-in in a small, single-site network with just a few domain controllers. However, in large networks with many sites, this snap-in becomes one of the essential administrative tools. The Active Directory Sites and...
LDAP Default Query Policy
By default, the Default Query Policy is used (albeit not explicitly set) on every domain controller. It is stored in the CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows object. The lDAPAdminLimits attribute contains all LDAP administrative limits. To assign a query policy to a site, create a query policy object and specify its distinguished name in the queryPolicyObject attribute of the NTDS Site Settings object (of the nTDSSiteSettings object class). Every site has a similar...
Remote Administration Scripts
The Windows 2000 Server Resource Kit contains a collection of scripts called Remote Administration Scripts. The Windows .NET Server Resource Kit will most likely include them, too. Professional versions of the Resource Kits also contain many useful scripts. You can use these scripts not only for performing various administrative tasks, but also as a cookbook while learning ADSI basics and creating your own scripts. All scripts are located in the Ras.cab file on the Windows 2000 Resource Kit CD and...
Working with Container Objects Domains and OUs
When working with container objects, you must always remember that the combination of the search base and the LDAP filter defines the result of the operation: either you export only container objects of the specified type, or you export an entire container. Compare, for example, the following two commands. The first command exports all OU objects from the current domain (remember the default values for the omitted -l, -d, and -p parameters). The second command exports an entire subtree, i.e., all...
Active Directory Diagnostic Tool (NTDSutil.exe) (Sys)
This utility is automatically installed on every domain controller (in the %SystemRoot%\system32 folder). One could hardly say that this tool is for everyday use, but every administrator must be familiar with its features, since it is used in certain operations that are very important for Active Directory functioning, such as Active Directory restore, offline defragmentation, FSMO role manipulation, and so on. Moreover, NTDSutil has become one of the major tools for deploying and maintaining...
Referrals and Their Effect on Search Results
In practice, referrals are very important in search operations, as they may greatly influence the results. The Chase referrals box in the Search Options window (see Fig. 12.12, left) determines whether or not the server generates LDAP referrals when trying to find objects. By default, the box is not checked, since this improves the performance of the search. However, in some cases, if this box is checked, an error can occur: <10> Result <10>: 0000202B: RefErr. Some other scenarios in which...
Working with Global Catalog
Being able to work directly with a global catalog (GC) server may be helpful while troubleshooting problems related to GC replication. You can connect to different GC servers and compare the values of stored attributes (see also the description of DsaStat.exe in Chapter 11, Verifying Network and Distributed Services). You can also verify the representation of attributes in a GC. This process can be controlled via the Active Directory Schema Manager snap-in; see the next section. Note: Only some...