LabMice.net - The Windows 2000\XP\.NET Resource Index

Last Updated December 10, 2003

Active Directory Administration

Active Directory is Microsoft's answer to Novell's Directory Services. It promises to support a single unified view of all objects on a network (no matter what size) and to make locating and managing resources faster and easier. Based on the Lightweight Directory Access Protocol and on the Directory Services in Exchange 5.5, this could be a major advance for Microsoft if it works well. A bit of warning to Admins with no Novell experience: setting up a Directory Tree is no small task and should be planned carefully. A small amount of mismanagement in the early planning phases will be costly later when your network grows.
Resources...

General Administration

Microsoft Active Directory Management Pack Guide
Microsoft® Operations Manager (MOM) 2000 Active Directory Management Pack (ADMP) Service Pack 1 (SP1) provides a monitoring and management system for the Active Directory® directory service that is integrated with MOM. ADMP can help you to improve the availability, performance, and security of your Active Directory implementation. With ADMP, MOM provides central monitoring and automatic problem resolution for large networks, continuously monitoring Active Directory components. Source: Microsoft.com

Administering Active Directory
This section covers: Administering other domains. Delegating administration. Transferring operations master roles. From the Windows 2000 Advanced Server Online Documentation. Source: Microsoft.com

Advancing Time on Production Computers and the Effect on Active Directory and FRS 
Microsoft Knowledge Base Article: 289668 - In the course of troubleshooting Active Directory or File Replication Service (FRS) replication issues, as the administrator, you may want to advance the system time of a computer to make the content of one computer have authority over another, or to force deletion of tombstoned objects in Active Directory.

AD Delegation: Beyond the Basics
AD's delegation abilities can enhance IT productivity securely. These real-world examples can help you design and deploy an AD delegation model that meets the needs of your environment.
Source: Windows & .NET Magazine (Aug 2002)

Bulk Import and Export to Active Directory
This guide introduces batch administration of the Active Directory™ service, using both the LDAP Data Interchange Format (LDIF) utility and a simple program you can write using the Visual Basic® Scripting Edition (VBScript) development system. Using these tools, you can export, import, and modify objects such as users, contacts, groups, servers, printers, and shared folders.
Source: Microsoft.com

Common Default Attributes Set for Active Directory and Global Catalog
Microsoft Knowledge Base Article: 257203 - The Windows 2000 schema contains a large number of object attributes that administrators can use. The attributes typically required by Windows 2000 are enabled by default when the first domain controller is installed; a number of these attributes are used by both Active Directory and the global catalog (GC). These attributes have the "Index this attribute in the Active Directory" and "Replicate this attribute to the Global Catalog" options selected in their properties. You can change both the number of attributes selected and which specific attributes are used by using the Active Directory Schema snap-in in Microsoft Management Console (MMC). However, in most cases, there is no need to modify any of these attributes. Carefully consider any changes to these default settings before making changes.

DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation
Microsoft Knowledge Base Article: 265706 - This article describes the functionality that has been added to the versions of the Domain Controller Diagnostics (Dcdiag.exe) and Network Diagnostics (Netdiag.exe) tools that are included in Windows 2000. 

Default Active Directory Attributes in the Windows 2000 Schema
Microsoft Knowledge Base Article: 257218 - The Windows 2000 schema contains a large number of object attributes that administrators can choose for use. The attributes normally required by Active Directory are enabled by default when the first domain controller is installed, and have the "Index this attribute in the Active Directory" check box selected in their properties. 

Default Global Catalog Attributes in Windows 2000 Active Directory Schema
Microsoft Knowledge Base Article: 256938 - The schema contains a large number of object attributes that are either available for use or already enabled by default in Active Directory. A number of these object attributes are pre-selected in the GC by default; these default attributes are replicated among all GCs in the organization. 

Description of RID Attributes in Active Directory 
Microsoft Knowledge Base Article: 305475 - This article describes RID-related attributes in Active Directory. 

DNS and Active Directory
This page contains links to valuable resources about Active Directory and DNS.
Source: Microsoft.com  

HOW TO: Change Default Permissions for Objects That Are Created in the Active Directory
Microsoft Knowledge Base Article: 265399 - This step-by-step article describes how to modify Active Directory object attributes. The example in this article changes the defaultSecurityDescriptor attribute of the Organizational Unit object to remove the Read permission from the members of the Authenticated Users group.

HOW TO: Complete a Semantic Database Analysis for the Active Directory Database by Using Ntdsutil.exe 
Microsoft Knowledge Base Article: 315136 - This step-by-step article describes how to run the semantic checker on the Active Directory database. Unlike the file management commands, which test the integrity of the database with respect to the ESENT database semantics, the semantic... 

How Dcpromo.exe Adds Display Specifiers to Active Directory Forests 
Microsoft Knowledge Base Article: 308592 - You use Active Directory promotion (Dcpromo.exe) to add domain controllers to Windows 2000 server forests. This article describes the role of Dcphelp.exe in the Dcpromo process for adding display specifiers to Active Directory.

HOW TO: Enable Active Directory Access Auditing in Windows 2000 
Microsoft Knowledge Base Article: 314977 - This step-by-step article describes how to enable Active Directory access auditing in Windows 2000. The Active Directory should be audited to assess when authorized and unauthorized access is attempted. You can configure auditing of the Active Directory database. After you enable auditing, you can view the audit information in the Directory Service log that is located in the Event Viewer. Note that this log is only present on computers that are acting as Active Directory domain controllers. This article describes how you can enable Active Directory for auditing access. 

HOW TO: Manage Groups in Active Directory in Windows 2000 
Microsoft Knowledge Base Article: 320054 - This article explains how to manage groups in Active Directory. About Groups: Groups are Active Directory or local computer objects that can contain users, contacts, computers, and other groups. 

How to Pre-stage Windows 2000 Computers in Active Directory 
Microsoft Knowledge Base Article: 283771 - This article describes how to pre-stage computer names for Windows 2000-based computers, as you can in Microsoft Windows NT 4.0, to allow only those computer names to be added to Active Directory. 

How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion 
Microsoft Knowledge Base Article: 216498 - This article describes how to remove data in the Active Directory after an unsuccessful domain controller demotion. 

How Windows 95 and Windows 98 Directory Services Client Uses AD Site Information 
Microsoft Knowledge Base Article: 249841 - Site awareness is a key feature in Directory Services (DS) Client. The following article describes new Microsoft Windows 95 and Microsoft Windows 98 behavior in locating Domain Controllers (DCs) when the DS Client is installed and the user is logged.

Installing and Using Active Directory Support Tools
Because the Active Directory is a part of the core Windows 2000 operating system, it's easy to take it for granted. After all, the Active Directory quietly works in the background, servicing the needs of your enterprise.
Source: EarthWeb (Dec 14, 2000)

Know the ins and outs of using and administering Active Directory Service
New technology features present obvious benefits to end users, but along with the benefits come challenges as well. Microsoft's Active Directory Service (ADS), which is new to Windows 2000, offers multiple new features that make network administrators, software developers and software vendors more efficient. However, certain ADS functionality should be examined closely to ensure your organization can realize its full potential. Source: Windows2000 Advantage (Nov 1999)

Making Active Directory Easier
Network administrators won't see the full benefits of a Windows 2000 upgrade until the last domain controller is cut over - and that can take a year or more. Here's what users such as Eric Kornau at Cincinnati State Technical and Community College are doing to speed the transition and ease administration headaches of running a mixed environment. Source: ComputerWorld (Aug 6, 2001)

Memory Usage By the Lsass.exe Process on Windows 2000-Based Domain Controllers
Microsoft Knowledge Base Article: 308356 - This article describes some Lsass.exe process basics, best practices for the configuration of the Lsass.exe process, and expectations of memory usage. This article should be used as a guide in the analysis of Lsass.exe performance and memory use on Windows 2000-based domain controllers (DCs). The information in this article may be useful if you have questions about how to tune and configure servers and DCs to optimize this engine. 

Monitoring Active Directory: How and Why to Monitor Active Directory Performance
With Windows 2000 comes the need to monitor new and different processes on your server. Source: EarthWeb (Oct 18, 2000)

Monitoring Active Directory: Using System Monitor Counters
Take an in-depth look at some of the counters you can use to monitor the Active Directory in Windows 2000 servers, including the largest and most useful counters: inbound and outbound DRA counters.
Source: EarthWeb (Oct 18, 2000)

New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager
Microsoft Knowledge Base Article: 299656 - Windows 2000 Service Pack 2 (SP2) offers compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT. The authentication methods that support these downlevel systems are LanMan (LM), Windows NT LanMan (NTLM)

Primary and Active Directory Integrated Zones Differences
Microsoft Knowledge Base Article: 227844 - With Windows 2000, after you create your first domain controller, you can change your domain name server (DNS) zone from primary to Active Directory integrated. 

Practice Proactive AD Maintenance
AD is the heart of your Win2K network. Learn what to do to ensure maximum uptime and availability of your AD-based network. Source: Windows & .NET Magazine (August 2002)

Step-by-Step Guide to Managing the Active Directory
This guide introduces you to administration of the Windows 2000 Active Directory service. The procedures demonstrate how to use the Active Directory Users and Computers snap-in to add, move, delete, and alter the properties for objects such as users, contacts, groups, servers, printers, and shared folders. Source: Microsoft.com (March 2000)

The Definitive Guide to Windows 2000 Administration
An online book written by Sean Daily and Darren Mar-Elia. Sponsored by
Quest Software. Source: Realtimepublishers

Tips and Tricks Guide to Active Directory Administration
So your company has decided to migrate from NT to Windows 2000 and Active Directory. What's next? Someone needs to design, migrate and manage this new and highly efficient infrastructure. This eBook will save you time and help you maximize your administration of Microsoft Active Directory. You'll learn the tips and tricks that give experienced administrators the edge in enterprise environments, including tips on migrating to Active Directory, using scripts to automate administration, organizing the Directory for security, decentralizing administration through delegation, performance tuning your Directory infrastructure, and much more. Source: Realtimepublishers

User State Migration Tool
The User State Migration Tool (USMT) is a command-line utility, allowing administrators to migrate a user's data and settings as part of a large-scale deployment process. Source: Microsoft.com (Oct 2000)

Using the Active Directory schema
Covers issues in extending the schema. When to extend the schema. Before extending the schema. Last modified 11-Oct-1999


Domains and Trusts

Active Directory Domains and Trusts Overview
Active Directory Domains and Trusts helps you manage trust relationships between domains. Last modified 11-Oct-1999

HOW TO: Configure One-Way Non-Transitive Trusts in Windows 2000 
Microsoft Knowledge Base Article: 315053 - This step-by-step article describes how to configure one-way non-transitive trusts in Windows 2000. 

HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain
Microsoft Knowledge Base Article: 306733 - This article describes how to create a trust between a Windows 2000 domain and a Windows NT 4.0 domain. The creation of a trust between a Windows 2000 domain and a Windows NT 4.0 domain is similar to establishing a trust between two Windows NT 4.0 domains. When you establish a trust relationship between two domains, users in one domain can obtain access to resources that are located in another trusted domain. In this article, the Windows 2000 NetBIOS domain name is "W2KDOMAIN," and the Windows NT 4.0 NetBIOS domain name is "NTDOMAIN". Note that NetBIOS name resolution must be used to enable trust between the two domains.

How to Determine Trust Relationship Configurations
Microsoft Knowledge Base Article: 228477 - Multiple methods exist for administrators to view the configuration of trust relationships for the domain and perform maintenance on these relationships, both locally and remotely. This article discusses the different tools that can be used 

HOW TO: Establish Trusts with a Windows NT-Based Domain 
Microsoft Knowledge Base Article: 308195 - This article describes how to establish a trust relationship between a Microsoft Windows NT 4.0-based domain and a Windows 2000-based domain. 

Using Active Directory Domains and Trusts
Discusses information that you must consider when planning and installing or upgrading.

Understanding Active Directory Domains and Trusts
Last modified 11-Oct-1999

Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain
Microsoft Knowledge Base Article: 281271 - In the following scenario, if a user from the same domain as a Root Certification Authority (CA) requests a certificate, the issued certificate is published in Active Directory. However, if the user is from a child domain, this process is not successful 


A Windows NT 4.0 Domain May Update the Trust Account Password on a Non-Primary Domain Controller 
Microsoft Knowledge Base Article: 317178 - If a Windows NT 4.0-based domain trusts a Windows 2000-based domain, the trust password is changed every seven days by default. When the primary domain controller (PDC) for the Windows NT 4.0-based domain tries to change the password for the trust, the password change is sent to the domain controller with which it has already established a secure channel in the trusted domain. The domain controller in the trusted domain to which the password change is sent may not hold the PDC operations master role.

Cannot Set Up Trust in Windows 2000 Domain from Windows NT 4.0
When you are using User Manager for Domains from Microsoft Windows NT 4.0 to establish a trust from a Windows 2000-based domain to any other domain, you may receive an error message. 

Error Message When You Change the Trust to Bidirectional After an In-Place Migration  
Microsoft Knowledge Base Article: 306101 - After an in-place migration of a trusted domain from Microsoft Windows NT 4.0 to Windows 2000, when you create a trust relationship in the opposite direction by using the Domain and Trusts Management console, the following error message is  

Unable to Establish an Explicit Trust Between Windows 2000-Based Domains 
Microsoft Knowledge Base Article: 312003 - When you attempt to establish an explicit trust between two Windows 2000-based domains that are in different forests, you may receive the following error message: 

You May Be Unable to Establish a Trust Relationship Between Windows 2000 and Windows NT Domains 
Microsoft Knowledge Base Article: 295335 - You may be unable to establish a trust relationship between a Windows 2000 domain and a Windows NT domain. When you try to add the trust from the Windows 2000 domain, you may receive the following error message:


Database Management

Active Directory Database Sizing 
Microsoft Article excerpted from the MS Press "Optimizing Network Traffic" Book.


Global Catalog

Default Global Catalog Attributes in Windows 2000 Active Directory Schema
Microsoft Knowledge Base Article: 256938 - The schema contains a large number of object attributes that are either available for use or already enabled by default in Active Directory. A number of these object attributes are pre-selected in the GC by default; these default attribute 

Domain Controllers Continue to Use Global Catalog Server After It Has Been Demoted
Microsoft Knowledge Base Article: 293421 - After you demote a server from a global catalog server to a domain controller, other domain controllers that used that server for universal group enumeration may continue to use the server even though it no longer is participating in global catalog replication. This can cause some queries to return outdated or incomplete information. 

Global Catalog Attributes and Replication Properties
Microsoft Knowledge Base Article: 232517 - Global Catalogs contain commonly-searched attributes from all Naming Contexts of a forest. An attribute is included in the Global Catalog if the partialAttributeSet property of attribute is set to TRUE in the schema Naming Context. 

Global Catalog Server Requirement for User and Computer Logon
Microsoft Knowledge Base Article: 216970 - As part of the logon process, a security token is constructed by the Local Security Authority (LSA) that contains the Security Identifiers (SIDs) of groups of which the user is a member (for both the domain and the local computer) 

HOW TO: Add an Attribute to the Global Catalog 
Microsoft Knowledge Base Article: 313992 - This step-by-step article describes how to add an attribute to the global catalog. By using the Active Directory Schema, you can specify additional attributes to be kept in the global catalog. This helps to speed up search queries across a domain for an attribute that is not included by default in the global catalog. 

How to Control What Data Is Stored in the Global Catalog
Microsoft Knowledge Base Article: 229662 - The Global Catalog contains a partial replica of the domain Active Directory for every domain in an enterprise forest. The Global Catalog server replicates a copy of all objects from every domain in the forest, but only contains a subset of the data 

HOW TO: Create or Move a Global Catalog 
Microsoft Knowledge Base Article: 313994 - This article explains how to create and how to move a global catalog server. 

How to Disable Requirement that a Global Catalog Server Be Available to Validate User Logons
Microsoft Knowledge Base Article: 241789 - Placement of Global Catalog servers in remote sites is usually desired to improve performance in user logon time, searches and other actions requiring communication with Global Catalog servers, and to reduce wide area network (WAN) traffic. 

How to Enumerate Attributes Replicated to the Global Catalog
Microsoft Knowledge Base Article: 230663 - Describes how to enumerate attributes replicated in the Global Catalog.

How to Use the Replication Monitor to Determine the Operations Master and Global Catalog Roles
Microsoft Knowledge Base Article: 297230 - This article describes how to use the Active Directory Replication Monitor (ReplMon.exe) tool to determine the servers that hold the operations master roles in a forest as well as the domain controllers and global catalog servers for the forest.


FSMO Roles

HOW TO: View and Transfer FSMO Roles in the Graphical User Interface 
Microsoft Knowledge Base Article: 255690 - There are five Flexible Single Master Operations (FSMO) roles in a Windows 2000 forest. There are two ways to transfer a FSMO role in Windows 2000. This article describes how to transfer all five FSMO roles by using Microsoft Management Console 

Windows 2000 Active Directory FSMO Roles
Microsoft Knowledge Base Article: 197132 - This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change.
Last modified 09-Aug-1999

FSMO Placement and Optimization on Windows 2000 Domain Controllers 
Microsoft Knowledge Base Article: 223346 - Windows 2000 domain controllers support multi-master updates for the replication of objects (such as user and computer accounts) in the Active Directory. In a multi-master model, objects and their properties can originate on any domain controller 


Schema Updates

How to Modify Schema Information Using the Ldifde Utility 
Microsoft Knowledge Base Article: 283791 - This article describes how to use the Windows 2000 Ldifde utility to modify Active Directory schema class attributes. 

HOW TO: Upgrade the Schema to Upgrade Domain Controllers to Released Version of Windows 2000 
Microsoft Knowledge Base Article: 240427 - Microsoft supports upgrading Windows 2000 servers running versions later than RC1 rather than requiring a clean installation. Upgrading to later builds requires one or more schema changes that have been made to these builds. This article describes how to check the schema version, how to perform the operating system upgrade, and how to perform the schema upgrade. 

Schema Updates Require Write Access to Schema in Active Directory 
Microsoft Knowledge Base Article: 285172 - This article discusses schema updates. 


Security

Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations: Part I
A breach in Active Directory security can result in the loss of network resource access by legitimate clients or in the disclosure of potentially sensitive information. Such information disclosure can occur for data that is stored on network resources or from the Active Directory database itself. To avoid these situations, organizations need more extensive information and support to ensure enhanced security for their NOS environments. This guide addresses this need for organizations that have new, as well as existing, Active Directory deployments. Part I of the guide contains recommendations for protecting domain controllers from potential attacks of known origin and recommendations for establishing secure administrative policies and practices. Part II of the guide contains recommendations for detecting attacks, defending against known and unknown threats, and recovering from attacks. Source: TechNet

Securing Windows 2000 Active Directory (Part 1)
Protecting Active Directory's integrity is paramount. This article will focus on Active Directory security and will be written in two parts. Active Directory is the Windows 2000 information repository that needs to be kept very secure. Active Directory has vital service dependencies such as DNS, which changes the scope of what needs to remain secure. I will focus on actions that you can take in order to safeguard the Active Directory service. Source: WindowSecurity.com

Securing Windows 2000 Active Directory (Part 2)
Protecting Active Directory's integrity is paramount. This is the second article in the two-part series that focuses on Active Directory security. Active Directory is the Windows 2000 information repository that needs to be kept very secure. Active Directory has vital service dependencies such as DNS, which changes the scope of what needs to remain secure. I will focus on actions that you can take in order to safeguard the Active Directory service. Source: WindowSecurity.com


Backup and Recovery

Active Directory Backup Is Canceled If a File Is Busy
Microsoft Knowledge Base Article: 328423 - The process of backing up Active Directory is canceled if a busy file is encountered. The Active Directory backup process returns error code 0XC8000408 (JET_errFileAccessDenied) and you must start the backup process again from the beginning.

Active Directory Disaster Recovery
This paper discusses the steps for recovering a domain controller from a disaster such as a database malfunction caused by hardware or software failure. Such a disaster generally renders the domain controller useless and prevents the machine from booting normally. Another cause of disaster is the human kind, in which an error is involved and erroneous data is replicated to other domain controllers in the enterprise. This paper provides information about recovering a domain controller running Active Directory and no other services. If other services are installed on the machine, such as Domain Name System (DNS) or Internet Information Service (IIS), some other steps may be required, but they are not included in this paper. 

Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts
Microsoft Knowledge Base Article: 216243 - The Authoritative Restore feature allows an administrator to select specific objects or subtrees of objects from an archived Active Directory database and restore them to a domain controller. Note that doing so causes Active Directory replication to replicate this restored state (the System State) of objects, overwriting the copies currently held on all domain controllers within the domain. The restored objects receive a USN greater than the current set of domain objects. 

Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers 
Microsoft Knowledge Base Article: 280079 - After you perform an authoritative restore of users and groups, the membership in the restored groups may be inconsistent across domain controllers. 

Backup and Recovery of the Distributed Services  
Downloadable document in Word format.

Backup and Restore of RID Flexible Single-Master Operations Domain Controller Causes Duplicate SIDs 
Microsoft Knowledge Base Article: 307725 - When you back up and then restore the Directory service on a relative ID (RID) operations master (also known as flexible single-master operations or FSMO) domain controller (DC), duplicate Security ID (SID) events may appear in Event Viewer

Backup of the Active Directory Has 60-Day Useful Life
Microsoft Knowledge Base Article: 216993 - Windows Backup, the backup tool included in the Administrative Tools folder on Windows 2000 servers, can back up and restore the Active Directory on Windows 2000 domain controllers. These backups can be performed while the domain controller is online. You can restore these backups only when the domain controller is booted into Directory Services Restore mode using the F8 key when the server is starting.

Description of the "Restore in Progress" Registry Key in Active Directory
Microsoft Knowledge Base Article: 814167 - This article describes the registry values for the registry key that is created when you restore Active Directory on a Windows 2000 Server-based computer.

Disaster Recovery of Active Directory on Dissimilar Hardware 
Microsoft Knowledge Base Article: 263532 - This article discusses disaster recovery of the Active Directory on different hardware than it was originally on. This procedure may be necessary if, due to a catastrophic event, there is no other domain controller (DC) and similar hardware

Restoring Active Directory from Backup Media
You can also restore Active Directory information on a domain controller by restoring the System State data from backup media. This restores Active Directory as well as the other System State components on which Active Directory depends.

Repairing and Recovering AD
Repair and recover your crucial Active Directory service with these useful processes. Source: Windows & .NET Magazine (September 2002)

Windows 2000: Active Directory Disaster Recovery
During this session, we will discuss the different types of Active Directory disaster recovery, and explain the steps needed to perform both authoritative and non-authoritative restores. March 19, 2002 Length 1 hr 55 min.

Possible Active Directory Inconsistency after You Restore a Domain Controller 
Microsoft Knowledge Base Article: 316829 - Restoring a domain controller may cause inconsistencies between domain controllers. If this occurs, some lingering objects may be present on the restored domain controller. Also, new objects on the restored domain controller are not replicated out. 


Entire contents
© 1999 LabMice.net
All rights reserved

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.