LabMice.net - The Windows 2000\XP\.NET Resource Index

Last Updated December 10, 2003

 


Active Directory "How to" Articles

Our growing collection of instructional articles for Active Directory Administration...
Resources...

ACL Editor and Inheritance of Permissions
Microsoft Knowledge Base Article: 178170 - Windows 2000 Active Directory provides a user interface (UI) to modify the access control permissions for objects within the directory. This UI is referred to as the Access Control List (ACL) Editor. This article addresses a concept of inheritance used by the ACL Editor that administrators should be aware of.

Active Directory Basics: Working with Windows 2000 Security Templates Part 1
Active Directory security templates let you set and apply network policies for multiple users in one fell swoop. This not only eliminates tedious repetition of common tasks but also ensures accuracy. Here author Brien Posey shows you how security templates work and how to use them. Source: Brienposey.com

Active Directory Basics: Working With Windows 2000 Security Templates, Part 2
In Part 1 of this article series, author Brien Posey discussed how you can use templates to apply a preset level of security to your Win2K network. Here he shows you how to use the Security Configuration and Analysis Tool to create custom templates based on your existing security structure. Source: Brienposey.com

Active Directory Database Sizing
Previous versions of the Windows NT network operating system restricted directory use in some network administration functions, such as administrating users and user groups. The Windows 2000 Active Directory extends these functions and other capabilities, and opens the use of the directory as a data store and as a means for network services or directory-enabled applications to publish information in an enterprise-wide network. This article is excerpted from "Optimizing Network Traffic," a part of the Microsoft Press 'Notes From the Field' series that outlines the best system management practices and procedures based on the real-world experiences of Microsoft Consulting Services (MCS).
Source: Microsoft.com

Active Directory Users, Computers, and Groups
This white paper introduces administrators to the way users, computers, and groups are organized and how user authentication and authorization are used to provide security. Source: Microsoft.com

Allowing or Denying Access
There are a million reasons why you might want to regulate the Active Directory under Windows 2000. In this article, I'll discuss some situations in which the default Active Directory permissions might not be appropriate. Source: EarthWeb

Backing up and restoring Active Directory
In Windows NT, all information about user accounts and the enterprise configuration is stored within the Registry. This means that to back up this information, you only have to back up the Registry. Source: EarthWeb

Configuring Account Policies in Active Directory
Microsoft Knowledge Base Article: 255550 - When you are configuring account policies (such as password policies and account lockout policies) in Active Directory, bear in mind that Windows 2000 allows only one domain account policy. This is the account policy applied to the root domain 

Controlling the Active Directory Search Buffer Size
Microsoft Knowledge Base Article: 243281 - To improve the query response time when you are searching for Active Directory objects in a Windows 2000-based organization, searches are limited to 10,000 objects by default. However, you may need to increase this limit as your organization grows. This article describes how to control the buffer size that is allocated for storing the number of objects that are returned by a query search.

Configuring Windows 2000 DNS to Support Active Directory
This scenario shows how you can design an infrastructure for Microsoft Windows 2000 Domain Name System (DNS) servers that simplifies DNS management and that supports the Active Directory directory service by enabling computers to locate domain controllers. It also shows how you can use Active Directory to enhance DNS security and reliability.
Source: Microsoft.com

Defragmentation of the Active Directory Database
Microsoft Knowledge Base Article: 229602 The underlying Extensible Storage engine (ESE) for the Active Directory database uses the quickest method to fill database pages, which is not always the most efficient method.  

Deleting Objects from Active Directory Using Ldp.exe
Microsoft Knowledge Base Article: 244344 Describes how an administrator can remove objects from Active Directory by using the Ldp.exe tool. 

Guide to Active Directory Design
This white paper presents a brief summary and overview of current design principles for corporations that are in the planning stages of deploying Microsoft Windows 2000 Server and Microsoft Active Directory. This white paper presents some of the high-level design decision points that a large corporation must consider and validate within the corporation's environment. Source: Microsoft.com (Sept 11, 2000)

HOW TO: Add UPN Suffixes to a Forest 
Microsoft Knowledge Base Article: 243629 - This article describes how to add UPN suffixes to a forest. Adding these suffixes gives you the ability to use a friendly user-logon name that does not match the domain's or parent domains' naming structure. 

How to Allow Non-Root or Enterprise Administrators to Authorize RIS Servers in Active Directory
Microsoft Knowledge Base Article: 239004 For Remote Installation Service (RIS) servers to begin to service clients, they must first be authorized by Dynamic Host Configuration Protocol (DHCP) by using the DHCP Management snap-in. 

HOW TO: Assign Access Control Permissions on the Properties of an Active Directory Object
Microsoft Knowledge Base Article: 218596 - In Microsoft Windows 2000, administrators can apply access control permissions to Active Directory objects. Administrators can also apply access control permissions to properties of a specific Active Directory object. This functionality provides the administrator detailed control over what users can do in their environment.

HOW TO: Audit Active Directory Objects 
Microsoft Knowledge Base Article: 314955 - This step-by-step article describes how to use Windows 2000 auditing to track user activities and system-wide events in Active Directory. 

How to Automate Ntdsutil.exe Using a Script
Microsoft Knowledge Base Article: 243267 Ntdsutil.exe is a command-line utility that enterprise and domain administrators can use to manage and repair Active Directory. It is a menu-driven tool designed for interactive use, but you can also run it by using scripting and automation. 

HOW TO: Change the Default Selection in the Active Directory Manager Snap-in 
Microsoft Knowledge Base Article: 214676 - This article describes how to select a different domain controller from the command line or within the snap-in. When you start the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, a particular Windows 2000 domain controller is selected. Actions taken by the administrator, such as creating users, occur on the domain controller that is selected by default. These changes are then replicated to other domain controllers by the Active Directory replication process. The domain that is selected is the domain of the currently logged-on user, and a domain controller for that domain is selected by default.

How to Configure Active Directory Certificate Mapping
Microsoft Knowledge Base Article: 272175 - This article describes how to configure Active Directory certificate mapping. Active Directory certificate mapping enables a user with a trusted public key to access directory resources without typing a user name and a password. 

How to Configure Active Directory on a Home Network
Microsoft Knowledge Base Article: 260362 - This article contains information to simplify installation of Active Directory on a home network by identifying common configuration issues. For additional information about any of the information described in this article, refer to Windows.. 

HOW TO: Configure Active Directory Accounts and Groups for Wireless Access in Windows 2000
Microsoft Knowledge Base Article: 318750 - This step-by-step article describes how to configure both user accounts and computer accounts to support wireless access in a Windows 2000 domain.

HOW TO: Configure Server Settings in Windows 2000 
Microsoft Knowledge Base Article: 320824 - This step-by-step article describes how to configure Windows 2000 server settings by using the Active Directory Sites and Services snap-in.

How to Convert DNS Primary Server to Active Directory Integrated
Microsoft Knowledge Base Article: 198437 Describes how to convert a primary DNS server to an Active Directory Integrated Primary server, force replication to another domain controller, and add the new domain controller as a DNS server.

HOW TO: Create Windows 2000 Active Directory Server
Microsoft Knowledge Base Article: 300921 - This article describes how to install and configure a new Active Directory in a laboratory environment that includes Windows 2000 and Active Directory. Note that you will need two networked servers that are running Windows 2000 Server or Windows 2000 Advanced Server.

How to Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain
Microsoft Knowledge Base Article: 255248 - You may want to create a child domain and then delegate the Domain Name System (DNS) namespace to a domain controller located in this child domain for any of the following reasons:

How to Create a Computer Object in the Active Directory for a Windows NT 4.0 BDC
Microsoft Knowledge Base Article: 221826 - In the Active Directory, computer accounts created in Server Manager are displayed as user objects. Microsoft Windows NT 4.0 (and earlier versions) BDC computer accounts are displayed as user objects if they were created with Server Manager 

HOW TO: Create a Container to List Printers in Active Directory
Microsoft Knowledge Base Article: 303161 - This article describes how to create a container in which to list your printers in Active Directory directory service. By default, printers are not displayed when you use My Network Places to browse Active Directory. This article describes how to use the ADSI Edit tool that is included with the Microsoft Windows 2000 Support Tools to add a container in which to list the printers that are published in Active Directory. By doing so, users can either find the folder that contains the printers in My Network Places or add a network place to the folder that contains the printers.

How to Create a Cross-Reference to an External Domain in Active Directory
Microsoft Knowledge Base Article: 241737 - Request for Comment (RFC) 2251 defines a referral that allows a Lightweight Directory Access Protocol (LDAP) server to send the Distinguished Name (DN) of another LDAP server in response to a client's search request.

HOW TO: Create and Configure a Site Link in Active Directory 
Microsoft Knowledge Base Article: 316812 - This step-by-step article describes how to create and configure a site link in Active Directory. Note that for the site link to become active, there must be at least two sites available in Active Directory.

HOW TO: Create a Single Domain Tree with Two Domains in Windows 2000 
Microsoft Knowledge Base Article: 317696 - Every Domain Name System (DNS) name of a child domain in a hierarchy contains the name of the parent domain. This step-by-step article describes how to create a continuous namespace that spans two domains by adding a child domain.

How To Delegate the Unlock Account Right
Microsoft Knowledge Base Article: 294952 - This article describes the process to delegate the right to unlock locked user accounts to a particular group or user in Active Directory. 

How to Display and Administer All Users in Active Directory
Microsoft Knowledge Base Article: 237548 An administrator may want to generate a list of users in Active Directory. Once the users are displayed, the administrator can select multiple accounts to administer. Although you cannot change all of the user properties for multiple users, 

How to Distribute Terminal Services Client Using Active Directory
TechNet article Q236573 describing how to distribute the Windows Terminal Services Client by using a group policy in Active Directory.

How to Enable Auditing With the Security Configuration Editor 
By Alistair Lowe-Norris, Windows NT Magazine, October 1998.

How to Enable Auditing of Directory Service Access
Microsoft Knowledge Base Article: 232714 - Administrators can monitor access to Active Directory, causing successful and "failed" audit attempts to be logged in the Directory Service event log. This event log is present only on Windows 2000 domain controllers. 

How to Enable Diagnostic Event Logging for Active Directory Services
Microsoft Knowledge Base Article: 220940 - You can enable enhanced event logging for certain Windows 2000 services. This may be useful for debugging purposes. This logging is set to disabled by default because the amount of data that can be logged can quickly fill the event log. 

HOW TO: Enumerate Attributes Replicated to the Global Catalog 
Microsoft Knowledge Base Article: 230663 - This step-by-step article describes how to enumerate attributes replicated in the Global catalog. To obtain information about all of the objects in a Windows 2000 enterprise, query the global catalog. The global catalog consists of all objects in every domain in the enterprise. However, only selected attributes are replicated to the Global Catalog for each object. 

How to Find FSMO Role Holders (Servers)
Microsoft Knowledge Base Article: 234790 - This article describes how to find the servers that hold the Flexible Single Master Operation (FSMO) roles in a forest.

HOW TO: Identify Group Policy Objects in the Active Directory and SYSVOL 
Microsoft Knowledge Base Article: 216359 - When you are troubleshooting the application of a group policy, it may be necessary to validate that the appropriate objects are in the Active Directory and that the file structure is correct in SYSVOL on each domain controller on which the Group Policy Object (GPO) is replicated. A key piece of information in this process is the Globally Unique Identifier (GUID) associated with the GPO. This article discusses identifying a GPO with its GUID 

HOW TO: Install and Configure a Windows 2000 DHCP Server in an Active Directory Domain
Microsoft Knowledge Base Article: 300429 - This step-by-step article describes how to build and configure a new Windows 2000 DHCP Server in a Windows 2000 Active Directory domain. The Windows 2000 DHCP service provides clients with IP addresses, and information such as the location of their default gateway, DNS servers, and WINS servers. 

HOW TO: Move Users, Groups, and OUs Within a Domain 
Microsoft Knowledge Base Article: 313066 - This step-by-step article explains how to move users, groups, and organizational units (OUs) within a domain. You can move Active Directory objects such as users, groups, and OUs from one location to another when organizational or administration

How to Move the Ntds.dit File or Log Files 
Microsoft Knowledge Base Article: 257420 - This article describes how to move the Active Directory database file, Ntds.dit, and the Active Directory log files to different drives to improve performance. (updated 3/28/2001) 

How to Optimize Active Directory Replication in a Large Network
Microsoft Knowledge Base Article: 244368 - This article describes how to optimize Active Directory replication in large network configurations. 

HOW TO: Pre-stage Windows 2000 Computers in Active Directory 
Microsoft Knowledge Base Article: 283771 - This article describes how to pre-stage computer names for Windows 2000-based computers, as you can in Microsoft Windows NT 4.0, to allow only those computer names to be added to Active Directory. 

How to Prevent Domain Controllers from Dynamically Registering DNS Names
Microsoft Knowledge Base Article: 198767 By default, the Netlogon service on a domain controller registers dynamic Domain Name Service (DNS) records to advertise Active Directory directory service services. This behavior can be disabled with a registry setting.

How to Publish Certificates to the Active Directory from a Standalone Certification Authority
TechNet article Q246572. Excerpt from this page: A Web server that hosts the certification authority certificate enrollment Web pages must be configured for domain authentication, and the certificate request must include an attribute specifying the user certificate template.

How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion
Microsoft Knowledge Base Article: 216498. Describes how to remove data in the Active Directory after an unsuccessful domain controller demotion. 

How to Remove Orphaned Domains from Active Directory
Microsoft Knowledge Base Article: 230306 Normally, when the last domain controller for a domain is demoted, the administrator selects the "This server is the last domain controller in the domain" option in the DCPromo tool, which removes the domain meta-data from Active Directory. 

HOW TO: Remove Orphaned Domains from Active Directory Without Demoting the Domain Controllers 
Microsoft Knowledge Base Article: 251307 - This article describes how to remove an orphaned domain and its servers from Active Directory when there is no active domain controller for the domain. You may need to perform this method, for example, if the only domain controller for a domain has failed with no chance of recovery. Or, if some of the domain controllers were physically removed without being demoted first.

How to Rename User Accounts in Windows 2000 Active Directory
Microsoft Knowledge Base Article: 260390 - This article describes how to rename user accounts in Active Directory. 

How to Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration
Microsoft Knowledge Base Article: 260871 - You can use the Active Directory Migration tool (ADMT) to migrate users, groups, and computers from one domain to another. This article describes how to perform a migration from a Microsoft Windows NT 4.0-based domain to a Windows 2000-based domain. 

HOW TO: Set up a One-Way Non-Transitive Trust  
Microsoft Knowledge Base Article: 309682 - Windows 2000 domains in the same forest share transitive trust relationships with one another. There is an implicit transitive trust between the root domains in each tree in the Windows 2000 forest.

How to Troubleshoot an "Internal Error" Error Message During the Replication Phase of Dcpromo
Microsoft Knowledge Base Article: 265090 - This article describes how to troubleshoot an "internal error" error message that you may receive during the replication phase of the Active Directory Installation Wizard (Dcpromo). 

How to Use Active Directory Migration Tool Version 2 to Migrate from Windows 2000 to Windows .NET Server
Microsoft Knowledge Base Article: 326480 - This article describes how to set up the Active Directory Migration Tool (ADMT) to migrate from a Windows 2000-based domain to a Windows .NET Server-based domain. 

How to Use the Adsvw Tool to Browse the Active Directory
TechNet Article Q186749 describing how to use the Active Directory Services Viewer tool to browse the structure of an Active Directory.

HOW TO: Use Lbridge.cmd to Replicate System Policies Between Windows 2000 and Windows NT 4.0 Domain Controllers 
Microsoft Knowledge Base Article: 317368 - This step-by-step article describes how to use the Lbridge.cmd script to replicate system policies from a Windows 2000-based domain controller to a Microsoft Windows NT 4.0-based domain controller. 

How to Use the MoveTree Utility to Move Objects Between Domains in a Single Forest
Microsoft Knowledge Base Article: 238394 - MoveTree.exe is a command-line utility that enables administrators to move Active Directory objects such as organizational units, users, and so on, between domains in a single forest.

How to Use Netsh.exe to Authorize, Unauthorize and List DHCP Servers in Active Directory 
Microsoft Knowledge Base Article: 303351 - This article describes how to use the Netsh.exe tool to authorize or unauthorize DHCP servers in Active Directory, and also to see what servers are authorized for the current domain.

How to Verify an Active Directory Installation 
Microsoft Knowledge Base Article: 298143 - This article describes how to verify an Active Directory installation. 

Modifying Default Permissions
In case you missed Part 1: In the first article, I discuss a variety of situations in which it might be beneficial to change the permissions on the Active Directory. As you probably know, the Active Directory is actually nothing more than a database. Source: EarthWeb

Performing Offline Defragmentation of the Active Directory Database
Microsoft Knowledge Base Article: 232122  Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file 

Publishing a Printer in Windows 2000 Active Directory 
Microsoft Knowledge Base Article: 234619 - Windows 2000-based and non-Windows 2000-based computers that have shared printers can publish printers in Active Directory so that the printers can be searched for easily. 

Publishing a Shared Folder in Windows 2000 Active Directory
Microsoft Knowledge Base Article: 234582 - You can publish any shared network folder, including a distributed file system (Dfs) folder, in Active Directory. Creating a Shared folder object in Active Directory does not automatically share the folder. 

Setting an Attribute's searchFlags Property to Be Indexed for ANR
Microsoft Knowledge Base Article: 243311 - Ambiguous Name Resolution (ANR) is a search algorithm implemented by Windows 2000 Active Directory for easier searching. Selected attributes are defined by the schema as being indexed for ANR. 

Setting up DNS and the Active Directory
Setting up DNS and the Active Directory Operating System Beta 3 Technical Walkthrough Abstract. Source: Microsoft TechNet CD Online

Setting Up the Domain Name System for Active Directory
Microsoft Knowledge Base Article: 237675 - The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active Directory clients and client tools use DNS to locate domain controllers for administration and logon. You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. This article guides you through the required DNS configuration. 

Step by Step Guide to adding Domain Controllers
Use this document to continue setting up the common infrastructure network for Active Directory step-by-step guides. This guide will provide you with the procedures to configure a computer running Windows 2000 Server as the first domain controller of a child domain of the parent domain Reskit, and configure an additional domain controller to function as a replication partner. Source: Microsoft.com (Jan 28, 2000)

Step-by-Step Guide to Managing Active Directory
This guide introduces you to administration of the Windows 2000 Active Directory service. The procedures demonstrate how to use the Active Directory Users and Computers snap-in to add, move, delete, and alter the properties for objects such as users, contacts, groups, servers, printers, and shared folders.

Step-by-Step Guide to Setting up ISM-SMTP Replication
This guide describes how to configure Simple Mail Transfer Protocol (SMTP) replication between two Windows 2000-based domains. It also briefly describes the Inter-site Messaging (ISM) architecture within the Windows 2000 Active Directory service.

Step-by-Step Guide to Active Directory Sites and Services
This guide explains how to use the Active Directory Sites and Services snap-in to administer replication topology both within a site in a local area network (LAN) and between sites in a wide area network (WAN).

Step-by-Step Guide to Using Active Directory Schema and Display Specifiers
This step-by-step guide introduces you to advanced administration of the Microsoft Windows 2000 Active Directory service, using the Active Directory Schema snap-in and display specifier modification. You can add and modify classes and attributes in the schema and extend both the Administrative Tools and the Windows shell by modifying attributes in display specifiers.

Step-by-Step Guide to Bulk Import and Export to Active Directory
This guide introduces batch administration of the Active Directory using both the LDAP Data Interchange Format (LDIF) utility and a simple program you can write in VBScript.

Using LDIFDE to Import/Export Directory Objects to the Active Directory
Microsoft Knowledge Base Article: 237677 - The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. 

Using Ldp.exe to Find Data in the Active Directory
Microsoft Knowledge Base Article: 224543 - LDP.EXE is a Windows 2000 Resource Kit utility that can be used to perform LDAP (Lightweight Directory Access Protocol) searches against the Active Directory for specific information given search criteria.

Using Terminal Services for Remote Administration of Windows 2000 DCs in Directory Service Restore Mode
Microsoft Knowledge Base Article: 256588 - Some low-level maintenance of the Windows 2000 Active Directory requires that Windows 2000 domain controllers (DCs) boot to Directory Service Restore mode. Configuring Windows 2000 domain controllers with Terminal Services in Remote Administration mode permits administrators to perform operations requiring Directory Service Restore mode without having to be present at the console of the server. This article describes the use of Terminal Services to transition a Windows 2000 domain controller between online and Directory Service Restore mode. 

Viewing Deleted Objects in Active Directory
Microsoft Knowledge Base Article: 258310 - When an Active Directory object is deleted, a small portion of the object remains for a specified period of time so that other domain controllers that are replicating changes will become aware of the deletion. 



This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.