General Administration
Microsoft
Active Directory Management Pack Guide
Microsoft® Operations Manager (MOM) 2000 Active Directory Management Pack (ADMP) Service Pack 1 (SP1) provides a monitoring and management system for the Active Directory® directory service that is integrated with MOM. ADMP can help you to improve the availability, performance, and security of your Active Directory implementation. With ADMP, MOM provides central monitoring and automatic problem resolution for large networks, continuously monitoring Active Directory components. Source: Microsoft.com
Administering Active Directory
This section covers: Administering other domains. Delegating administration. Transferring operations master roles.
From the Windows 2000 Advanced Server Online Documentation.
Source: Microsoft.com
Advancing Time on Production Computers and the Effect on Active Directory and FRS
Microsoft Knowledge Base Article: 289668 - In the course of troubleshooting Active Directory or File Replication Service (FRS) replication issues, as the administrator, you may want to advance the system time of a computer to make the content of one computer have authority over another, or to force deletion of tombstoned objects in Active Directory.
AD Delegation: Beyond the Basics
AD's delegation abilities can enhance IT productivity securely.
These real-world examples can help you design and deploy an AD
delegation model that meets the needs of your environment.
Source: Windows & .NET Magazine (Aug 2002)
Bulk Import and Export to Active Directory
This guide introduces batch administration of the Active Directory™ service, using both the LDAP Data Interchange Format (LDIF) utility and a simple program you can write using the Visual Basic® Scripting Edition (VBScript) development system. Using these tools, you can export, import, and modify objects such as users, contacts, groups, servers, printers, and shared folders. Source: Microsoft.com
Common Default Attributes Set for Active Directory and Global Catalog
Microsoft Knowledge Base Article: 257203 - The Windows 2000 schema contains a large number of object attributes that administrators can use. The attributes typically required by Windows 2000 are enabled by default when the first domain controller is installed; a number of these attributes are used by both Active Directory and the global catalog (GC). These attributes have the "Index this attribute in the Active Directory" and "Replicate this attribute to the Global Catalog" options selected in their properties. You can change both the number of attributes selected and which specific attributes are used by using the Active Directory Schema snap-in in Microsoft Management Console (MMC). However, in most cases, there is no need to modify any of these attributes. Carefully consider any changes to these default settings before making them.
DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation
Microsoft Knowledge Base Article: 265706 - This article describes the functionality that has been added to the versions of the Domain Controller Diagnostics (Dcdiag.exe) and Network Diagnostics (Netdiag.exe) tools that are included in Windows 2000.
Default Active Directory Attributes in the Windows 2000 Schema
Microsoft Knowledge Base Article: 257218 - The Windows 2000 schema contains a large number of object attributes that administrators can choose for use. The attributes normally required by Active Directory are enabled by default when the first domain controller is installed, and
have the "Index this attribute in the Active Directory" check box selected
in their properties.
Default Global Catalog Attributes in Windows 2000 Active Directory Schema
Microsoft Knowledge Base Article: 256938 - The schema contains a large number of object attributes that are either available for use or already enabled by default in Active Directory. A number of these object attributes are pre-selected in the GC by default; these default attributes are replicated among all GCs in the organization.
Description of RID Attributes in Active Directory
Microsoft Knowledge Base Article: 305475 - This article describes RID-related attributes in Active
Directory.
DNS and Active Directory
This page contains links to valuable resources about Active
Directory and DNS.
Source: Microsoft.com
HOW TO: Change Default Permissions for Objects That Are Created in the Active Directory
Microsoft Knowledge Base Article: 265399 - This step-by-step article describes how to modify Active Directory object attributes.
The example in this article changes the defaultSecurityDescriptor
attribute of the Organizational Unit object to remove the Read
permission from the members of the Authenticated Users group.
HOW TO: Complete a Semantic Database Analysis for the Active Directory Database by Using Ntdsutil.exe
Microsoft Knowledge Base Article: 315136 - This step-by-step article describes how to run the semantic checker on the Active Directory database. Unlike the file management commands, which test the integrity of the database with respect to the ESENT database semantics, the semantic...
How Dcpromo.exe Adds Display Specifiers to Active Directory Forests
Microsoft Knowledge Base Article: 308592 - You use Active Directory promotion (Dcpromo.exe) to add domain controllers to Windows 2000 server forests. This article describes the role of Dcphelp.exe in the Dcpromo process for adding display specifiers to Active Directory.
HOW TO: Enable Active Directory Access Auditing in Windows 2000
Microsoft Knowledge Base Article: 314977 - This step-by-step article describes how to enable Active Directory access auditing in Windows 2000. The Active Directory should be audited to assess when authorized and unauthorized access is attempted.
You can configure auditing of the Active Directory database.
After you enable auditing, you can view the audit information in
the Directory Service log that is located in the Event Viewer.
Note that this log is only present on computers that are acting
as Active Directory domain controllers. This article describes
how you can enable Active Directory for auditing access.
HOW TO: Manage Groups in Active Directory in Windows 2000
Microsoft Knowledge Base Article: 320054 - This article explains how to manage groups in Active Directory. About Groups: Groups are Active Directory or local computer objects that can contain users, contacts, computers, and other groups.
How to Pre-stage Windows 2000 Computers in Active Directory
Microsoft Knowledge Base Article: 283771 - This article describes how to pre-stage computer names for Windows 2000-based computers, as you can in Microsoft Windows NT 4.0, to allow only those computer names to be added to Active
Directory.
How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion
Microsoft Knowledge Base Article: 216498 - This article
describes how to remove data in the Active Directory after an
unsuccessful domain controller demotion.
How Windows 95 and Windows 98 Directory Services Client Uses AD Site Information
Microsoft Knowledge Base Article: 249841 - Site awareness is a key feature in Directory Services (DS) Client. The following article describes new Microsoft Windows 95 and Microsoft Windows 98 behavior in locating Domain Controllers (DCs) when the DS Client is installed and the user is
logged.
Installing and Using Active Directory Support Tools
Because the Active Directory is a part of the core Windows 2000
operating system, it's easy to take it for granted. After all,
the Active Directory quietly works in the background, servicing
the needs of your enterprise.
Source: EarthWeb (Dec 14, 2000)
Know the ins and outs of using and administering Active Directory Service
New technology features present obvious benefits to end users, but along with the benefits come challenges as well. Microsoft's Active Directory Service (ADS), which is new to Windows 2000, offers multiple new features that make network administrators, software developers and
software vendors more efficient. However, certain ADS functionality should be examined closely to ensure your organization can realize its full potential. Source: Windows2000 Advantage (Nov 1999)
Making Active Directory Easier
Network administrators won't see the full benefits of
a Windows 2000 upgrade until the last domain controller is cut over - and that
can take a year or more. Here's what users such as Eric Kornau at Cincinnati
State Technical and Community College are doing to speed the transition and
ease administration headaches of running a mixed environment. Source: ComputerWorld
(Aug 6, 2001)
Memory Usage By the Lsass.exe Process on Windows 2000-Based Domain Controllers
Microsoft Knowledge Base Article: 308356 - This article describes some Lsass.exe process basics, best practices for the configuration of the Lsass.exe process, and expectations of memory usage. This article should be used as a guide in the analysis of Lsass.exe performance and memory
use on Windows 2000-based domain controllers (DCs). The
information in this article may be useful if you have questions
about how to tune and configure servers and DCs to optimize this
engine.
Monitoring Active Directory: How and Why to Monitor Active Directory Performance
With Windows 2000 comes the need to monitor new and different
processes on your server. Source: EarthWeb (Oct 18, 2000)
Monitoring Active Directory: Using System Monitor Counters
Take an in-depth look at some of the counters you can use to
monitor the Active Directory in Windows 2000 servers, including
the largest and most useful counters: inbound and outbound DRA
counters.
Source: EarthWeb (Oct 18, 2000)
New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager
Microsoft Knowledge Base Article: 299656 - Windows 2000 Service Pack 2 (SP2) offers compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT. The authentication methods that support these downlevel systems are LanMan (LM), Windows NT LanMan (NTLM)
Primary and Active Directory Integrated Zones Differences
Microsoft Knowledge Base Article: 227844 - With Windows 2000, after you create your first domain controller, you can change your domain name server (DNS) zone from primary to Active Directory
integrated.
Practice Proactive AD Maintenance
AD is the heart of your Win2K
network. Learn what to do to ensure maximum uptime
and availability of your AD-based network. Source:
Windows & .NET Magazine (August 2002)
Step-by-Step Guide to Managing the Active Directory
This guide introduces you to administration of the Windows 2000 Active Directory service. The procedures demonstrate how to use the Active Directory Users and Computers snap-in to add, move, delete, and alter the properties for objects such as users, contacts, groups, servers,
printers, and shared folders. Source: Microsoft.com (March 2000)
The Definitive Guide to Windows 2000 Administration
An online book written by Sean Daily and Darren Mar-Elia.
Sponsored by Quest Software.
Source: Realtimepublishers
Tips and Tricks Guide to Active Directory Administration
So your company has decided to migrate from NT to Windows 2000
and Active Directory. What's next? Someone needs to design,
migrate and manage this new and highly efficient infrastructure.
This eBook will save you time and help you maximize your
administration of Microsoft Active Directory. You'll learn the
tips and tricks that give experienced administrators the edge in
enterprise environments, including tips on migrating to Active
Directory, using scripts to automate administration, organizing
the Directory for security, decentralizing administration
through delegation, performance tuning your Directory
infrastructure, and much more. Source: Realtimepublishers
User State Migration Tool
The User State Migration Tool (USMT) is a command-line utility, allowing administrators to migrate a
user's data and settings as part of a large-scale deployment
process. Source: Microsoft.com (Oct 2000)
Using the Active Directory schema
Covers issues in extending the schema. When to extend the schema. Before extending the schema. Last modified 11-Oct-1999
Domains and Trusts
Active Directory Domains and Trusts Overview
Active Directory Domains and Trusts helps you manage trust relationships between domains. Last modified 11-Oct-1999
HOW TO: Configure One-Way Non-Transitive Trusts in Windows 2000
Microsoft Knowledge Base Article: 315053 - This step-by-step article describes how to configure one-way non-transitive trusts in Windows 2000.
HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain
Microsoft Knowledge Base Article: 306733 - This article describes how to create a trust between a Windows 2000 domain and a Windows NT 4.0 domain.
The creation of a trust between a Windows 2000 domain and a
Windows NT 4.0 domain is similar to establishing a trust between
two Windows NT 4.0 domains. When you establish a trust
relationship between two domains, users in one domain can obtain
access to resources that are located in another trusted domain.
In this article, the Windows 2000 NetBIOS domain name is
"W2KDOMAIN," and the Windows NT 4.0 NetBIOS domain
name is "NTDOMAIN". Note that NETBIOS name resolution
must be used to enable trust between the two domains.
How to Determine Trust Relationship Configurations
Microsoft Knowledge Base Article: 228477 - Multiple methods exist for administrators to view the configuration of trust relationships for the domain and perform maintenance on these relationships, both locally and remotely. This article discusses the different tools that can be used
HOW TO: Establish Trusts with a Windows NT-Based Domain
Microsoft Knowledge Base Article: 308195 - This article describes how to establish a trust relationship between a Microsoft Windows NT 4.0-based domain and a Windows 2000-based
domain.
Using Active Directory Domains and Trusts
Discusses information that you must consider when planning and installing or upgrading. Understanding Active Directory Domains and Trusts. Last modified 11-Oct-1999
Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain
Microsoft Knowledge Base Article: 281271 - In the following scenario, if a user from the same domain as a Root Certification Authority (CA) requests a certificate, the issued certificate is published in Active Directory. However, if the user is from a child domain, this process is not
successful
A Windows NT 4.0 Domain May Update the Trust Account Password on a Non-Primary Domain Controller
Microsoft Knowledge Base Article: 317178 - If a Windows NT 4.0-based domain trusts a Windows 2000-based domain, the trust password is changed every seven days by default. When the primary domain controller (PDC) for the Windows NT 4.0-based domain tries to change the password for the
trust, the password change is sent to the domain controller with
which it has already established a secure channel in the trusted
domain. The domain controller in the trusted domain to which the
password change is sent to may not hold the PDC operations
master role.
Cannot Set Up Trust in Windows 2000 Domain from Windows NT 4.0
When you are using User Manager for Domains from Microsoft Windows NT 4.0 to establish a trust from a Windows 2000-based domain to any other domain, you may receive an error message.
Error Message When You Change the Trust to Bidirectional After an In-Place Migration
Microsoft Knowledge Base Article: 306101 - After an in-place migration of a trusted domain from Microsoft Windows NT 4.0 to Windows 2000, when you create a trust relationship in the opposite direction by using the Domain and Trusts Management console, the following error message is
Unable to Establish an Explicit Trust Between Windows 2000-Based Domains
Microsoft Knowledge Base Article: 312003 - When you attempt to establish an explicit trust between two Windows 2000-based domains that are in different forests, you may receive the following error
message:
You May Be Unable to Establish a Trust Relationship Between Windows 2000 and Windows NT Domains
Microsoft Knowledge Base Article: 295335 - You may be unable to establish a trust relationship between a Windows 2000 domain and a Windows NT domain. When you try to add the trust from the Windows 2000 domain, you may receive the following error message:
Database Management
Active Directory Database Sizing
Microsoft Article excerpted from the MS Press "Optimizing Network Traffic" Book.
Global Catalog
Default Global Catalog Attributes in Windows 2000 Active Directory Schema
Microsoft Knowledge Base Article: 256938 - The schema contains a large number of object attributes that are either available for use or already enabled by default in Active Directory. A number of these object attributes are pre-selected in the GC by default; these default
attribute
Domain Controllers Continue to Use Global Catalog Server After It Has Been Demoted
Microsoft Knowledge Base Article: 293421 - After you demote a
server from a global catalog server to a domain controller,
other domain controllers that used that server for universal
group enumeration may continue to use the server even though it
no longer is participating in global catalog replication. This
can cause some queries to return outdated or incomplete
information.
Global Catalog Attributes and Replication Properties
Microsoft Knowledge Base Article: 232517 - Global Catalogs contain commonly-searched attributes from all Naming Contexts of a forest. An attribute is included in the Global Catalog if the partialAttributeSet property of attribute is set to TRUE in the schema Naming Context.
Global Catalog Server Requirement for User and Computer Logon
Microsoft Knowledge Base Article: 216970 -
As part of the logon process, a security token is constructed by the Local Security Authority (LSA) that contains
the Security Identifiers (SIDs) of groups of which the user is a member (for both the domain and the local computer)
HOW TO: Add an Attribute to the Global Catalog
Microsoft Knowledge Base Article: 313992 - This step-by-step article describes how to add an attribute to the global catalog. By using the Active Directory Schema, you can specify additional attributes to be kept in the global catalog. This helps to speed up search queries across a
domain for an attribute that is not included by default in the
global catalog.
How to Control What Data Is Stored in the Global Catalog
Microsoft Knowledge Base Article: 229662 - The Global Catalog contains a partial replica of the domain Active Directory for every domain in an enterprise forest. The Global Catalog server replicates a copy of all objects from every domain in the forest, but only contains a
subset of the data
HOW TO: Create or Move a Global Catalog
Microsoft Knowledge Base Article: 313994 - This article explains how to create and how to move a global catalog
server.
How to Disable Requirement that a Global Catalog Server Be Available to Validate User Logons
Microsoft Knowledge Base Article: 241789 - Placement of Global Catalog servers in remote sites is usually desired to improve performance in user logon time, searches and other actions requiring communication with Global Catalog servers, and to reduce wide area network (WAN)
traffic.
How to Enumerate Attributes Replicated to the Global Catalog
Microsoft Knowledge Base Article: 230663 - Describes how to enumerate attributes replicated in the Global Catalog.
How to Use the Replication Monitor to Determine the Operations Master and Global Catalog Roles
Microsoft Knowledge Base Article: 297230 - This article describes how to use the Active Directory Replication Monitor (ReplMon.exe) tool to determine the servers that hold the operations master roles in a forest as well as the domain controllers and global catalog servers for the forest.
FSMO Roles
HOW TO: View and Transfer FSMO Roles in the Graphical User Interface
Microsoft Knowledge Base Article: 255690 - There are five Flexible Single Master Operations (FSMO) roles in a Windows 2000 forest. There are two ways to transfer a FSMO role in Windows 2000. This article describes how to transfer all five FSMO roles by using Microsoft Management Console
Windows 2000 Active Directory FSMO Roles
Microsoft Knowledge Base Article: 197132 - Discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change. Last modified 09-Aug-1999
FSMO Placement and Optimization on Windows 2000 Domain Controllers
Microsoft Knowledge Base Article: 223346 - Windows 2000 domain controllers support multi-master updates for the replication of objects (such as user and computer accounts) in the Active Directory. In a multi-master model, objects and their properties can originate on any domain controller
Schema Updates
How to Modify Schema Information Using the Ldifde Utility
Microsoft Knowledge Base Article: 283791 -
This article describes how to use the Windows 2000 Ldifde utility to modify Active Directory schema class attributes.
HOW TO: Upgrade the Schema to Upgrade Domain Controllers to Released Version of Windows 2000
Microsoft Knowledge Base Article: 240427 - Microsoft supports upgrading Windows 2000 servers running versions later than RC1 rather than requiring a clean installation. Upgrading to later builds requires one or more schema changes that have been made to these builds. This article describes how to check the schema version, how to perform the operating system upgrade, and how to perform the schema upgrade.
Schema Updates Require Write Access to Schema in Active Directory
Microsoft Knowledge Base Article: 285172 -
This article discusses schema updates.
Security
Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I
A breach in Active Directory security can result in
the loss of network resource access by legitimate
clients or in the disclosure of potentially
sensitive information. Such information disclosure
can occur for data that is stored on network
resources or from the Active Directory database
itself. To avoid these situations, organizations
need more extensive information and support to
ensure enhanced security for their NOS
environments. This guide addresses this need for
organizations that have new, as well as existing,
Active Directory deployments. Part I of the guide
contains recommendations for protecting domain
controllers from potential attacks of known origin
and recommendations for establishing secure
administrative policies and practices.
Part II of the guide contains recommendations
for detecting attacks, defending against known and
unknown threats, and recovering from attacks.
Source: TechNet
Securing Windows 2000 Active Directory (Part 1)
Protecting Active Directory's integrity is paramount. This article will focus on Active Directory security and will be written in two parts. Active Directory is the Windows 2000 information repository that needs to be kept very secure. Active Directory has vital service dependencies such as DNS, which changes the scope of what needs to remain secure. I will focus on actions that you can take in order to safeguard the Active Directory service. Source: WindowSecurity.com
Securing Windows 2000 Active Directory (Part 2)
Protecting Active Directory's integrity is paramount. This is the second article in the two-part series that focuses on Active Directory security. Active Directory is the Windows 2000 information repository that needs to be kept very secure. Active Directory has vital service dependencies such as DNS, which changes the scope of what needs to remain secure. I will focus on actions that you can take in order to safeguard the Active Directory service. Source: WindowSecurity.com
Backup and Recovery
Active Directory Backup Is Canceled If a File Is Busy
Microsoft Knowledge Base Article: 328423 - The process of backing up Active Directory is canceled if a busy file is encountered. The Active Directory backup process returns error code 0XC8000408 (JET_errFileAccessDenied) and you must start the backup process again from the beginning.
Active Directory Disaster Recovery
This paper discusses the steps for recovering a domain
controller from a disaster such as a database malfunction caused
by hardware or software failure. Such a disaster generally
renders the domain controller useless and prevents the machine
from booting normally. Another cause of disaster is the human
kind, in which an error is involved and erroneous data is
replicated to other domain controllers in the enterprise. This
paper provides information about recovering a domain controller
running Active Directory and no other services. If other
services are installed on the machine, such as Domain Name
System (DNS) or Internet Information Service (IIS), some other
steps may be required, but they are not included in this
paper.
Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts
Microsoft Knowledge Base Article: 216243 - The Authoritative Restore feature allows an administrator to select specific objects or subtrees of objects from an archived Active Directory database and restore them to a domain controller.
Note that doing so causes Active Directory replication to
replicate this restored state (the System State) of objects,
overwriting the copies currently held on all domain controllers
within the domain. The restored objects receive a USN greater
than the current set of domain objects.
Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers
Microsoft Knowledge Base Article: 280079 - After you perform an authoritative restore of users and groups, the membership in the restored groups may be inconsistent across domain
controllers.
Backup and Recovery of the Distributed Services
Downloadable document in Word format.
Backup and Restore of RID Flexible Single-Master Operations Domain Controller Causes Duplicate SIDs
Microsoft Knowledge Base Article: 307725 - When you back up and then restore the Directory service on a relative ID (RID) operations master (also known as flexible single-master operations or FSMO) domain controller (DC), duplicate Security ID (SID) events may appear in Event Viewer
Backup of the Active Directory Has 60-Day Useful Life
Microsoft Knowledge Base Article: 216993 - Windows Backup,
the backup tool included in the Administrative Tools folder on
Windows 2000 servers, can back up and restore the Active
Directory on Windows 2000 domain controllers. These backups can
be performed while the domain controller is online. You can
restore these backups only when the domain controller is booted
into Directory Services Restore mode using the F8 key when the
server is starting.
Description of the "Restore in Progress" Registry Key in Active Directory
Microsoft Knowledge Base Article: 814167 - This article
describes the registry values for the registry key that is
created when you restore Active Directory on a Windows 2000
Server-based computer.
Disaster Recovery of Active Directory on Dissimilar Hardware
Microsoft Knowledge Base Article: 263532 - This article discusses disaster recovery of the Active Directory on different hardware than it was originally on. This procedure may be necessary if, due to a catastrophic event, there is no other domain controller (DC) and similar hardware
Restoring Active Directory from Backup Media
You can also restore Active Directory information on a domain controller by restoring the System State data from backup media. This restores Active Directory as well as the other System State components on which Active Directory depends.
Repairing and Recovering AD
Repair and recover your crucial Active Directory service with
these useful processes. Source: Windows & .NET Magazine
(September 2002)
Windows 2000: Active Directory Disaster Recovery

During this session, we will discuss the different types
of Active Directory disaster recovery, and explain the steps
needed to perform both authoritative and non-authoritative
restores. March 19, 2002 Length 1 hr 55 min.
Possible Active Directory Inconsistency after You Restore a Domain Controller
Microsoft Knowledge Base Article: 316829 - Restoring a domain controller may cause inconsistencies between domain controllers. If this occurs, some lingering objects may be present on the restored domain controller. Also, new objects on the restored domain controller are not replicated out.