ACL Editor and Inheritance of Permissions
Microsoft Knowledge Base Article: 178170 - Windows 2000 Active Directory provides a user interface (UI) to modify the access control permissions for objects within the directory. This UI is referred to as the Access Control List (ACL) Editor. This article addresses a concept of inheritance used by the ACL Editor that administrators should be aware of.
Directory Basics: Working with Windows 2000 Security Templates
Active Directory security templates let you set and apply network policies for multiple users in one fell swoop. This not only eliminates tedious repetition of common tasks but also ensures accuracy. Here
author Brien Posey shows you how security templates work and how to use them.
Directory Basics: Working With Windows 2000 Security Templates,
In Part 1 of this article series, author Brien Posey discussed
how you can use templates to apply a preset level of security to
your Win2K network. Here he shows you how to use the Security
Configuration and Analysis Tool to create custom templates based
on your existing security structure. Source: Breinposey.com
Active Directory Database Sizing
Previous versions of the Windows NT network operating system restricted directory use in some network administration functions, such as administering users and user groups. The Windows 2000 Active Directory extends these functions and other capabilities, and opens the use of the
directory as a data store and as a means for network services or directory-enabled applications to publish information in an enterprise-wide network. This article is excerpted from "Optimizing Network Traffic," a part of the Microsoft
Press 'Notes From the Field' series that outlines the best system management practices and procedures based on the real-world experiences of Microsoft Consulting Services (MCS).
Directory Users, Computers, and Groups
This white paper introduces administrators to the way users,
computers, and groups are organized and how user authentication
and authorization are used to provide security. Source: Microsoft.com
or Denying Access
There are a million reasons why you might want to regulate the
Active Directory under Windows 2000. In this article, I'll
discuss some situations in which the default Active Directory
permissions might not be appropriate. Source: EarthWeb
up and restoring Active Directory
In Windows NT, all information about user accounts and the
enterprise configuration is stored within the Registry. This
means that to back up this information, you only have to back up
the Registry. Source: EarthWeb
Configuring Account Policies in Active Directory
Microsoft Knowledge Base Article: 255550 - When you are configuring account policies (such as password policies and account lockout policies) in Active Directory, bear in mind that Windows 2000 allows only one domain account policy. This is the account policy applied to the root domain
Controlling the Active Directory Search Buffer Size
Microsoft Knowledge Base Article: 243281 - To improve the query response time when you are searching for Active Directory objects in a Windows 2000-based organization, searches are limited to 10,000 objects by default. However, you may need to increase this limit as your
organization grows. This article describes how to control the
buffer size that is allocated for storing the number of objects
that are returned by a query search.
Windows 2000 DNS to Support Active Directory
This scenario shows how you can design an infrastructure for
Microsoft Windows 2000 Domain Name System (DNS) servers
that simplifies DNS management and that supports the Active
Directory directory service by enabling computers to locate
domain controllers. It also shows how you can use Active
Directory to enhance DNS security and reliability. Source:
Defragmentation of the Active Directory Database
Microsoft Knowledge Base Article: 229602 - The underlying Extensible Storage Engine (ESE) for the Active Directory database uses the quickest method to fill database pages, which is not always the most efficient method.
Deleting Objects from Active Directory Using Ldp.exe
Microsoft Knowledge Base Article: 244344 - Describes how an administrator can remove objects from Active Directory by using the Ldp.exe tool.
to Active Directory Design
This white paper presents a brief
summary and overview of current design principles for
corporations that are in the planning stages of deploying
Microsoft Windows 2000 Server and
Microsoft Active Directory. This white paper presents some of
the high-level design decision points that a large corporation
must consider and validate within the corporation's environment.
Source: Microsoft.com (Sept 11, 2000)
HOW TO: Add UPN Suffixes to a Forest
Microsoft Knowledge Base Article: 243629 - This article describes how to add UPN suffixes to a forest. Adding these suffixes gives you the ability to use a friendly user-logon name that does not match the domain's or parent domains' naming structure.
How to Allow Non-Root or Enterprise Administrators to Authorize RIS Servers in Active Directory
Microsoft Knowledge Base Article: 239004 - For Remote Installation Service (RIS) servers to begin to service clients, they must first be authorized by Dynamic Host Configuration Protocol (DHCP) by using the DHCP Management snap-in.
HOW TO: Assign Access Control Permissions on the Properties of an Active Directory Object
Microsoft Knowledge Base Article: 218596 - In Microsoft Windows 2000, administrators can apply access control permissions to Active Directory objects. Administrators can also apply access control permissions to properties of a specific Active Directory object. This functionality
provides the administrator detailed control over what users can
do in their environment.
HOW TO: Audit Active Directory Objects
Microsoft Knowledge Base Article: 314955 - This step-by-step article describes how to use Windows 2000 auditing to track user activities and system-wide events in Active
How to Automate Ntdsutil.exe Using a Script
Microsoft Knowledge Base Article: 243267 - Ntdsutil.exe is a command-line utility that enterprise and domain administrators can use to manage and repair Active Directory. It is a menu-driven tool designed for interactive use, but you can also run it by using scripting and automation.
HOW TO: Change the Default Selection in the Active Directory Manager Snap-in
Microsoft Knowledge Base Article: 214676 - This article describes how to select a different domain controller from the command line or within the snap-in. When you start the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, a particular Windows 2000
domain controller is selected. Actions taken by the
administrator, such as creating users, occur on the domain
controller that is selected by default. These changes are then
replicated to other domain controllers by the Active Directory
replication process. The domain that is selected is the domain
of the currently logged-on user, and a domain controller for
that domain is selected by default.
How to Configure Active Directory Certificate Mapping
Microsoft Knowledge Base Article: 272175 - This article describes how to configure Active Directory certificate
mapping. Active Directory certificate mapping enables a user
with a trusted public key to access directory resources without
typing a user name and a password.
How to Configure Active Directory on a Home Network
Microsoft Knowledge Base Article: 260362 - This article contains information to simplify installation of Active Directory on a home network by identifying common configuration issues. For additional information about any of the information described in this article, refer to Windows..
HOW TO: Configure Active Directory Accounts and Groups for Wireless Access in Windows 2000
Microsoft Knowledge Base Article: 318750 - This step-by-step article describes how to configure both user accounts and computer accounts to support wireless access in a Windows 2000
HOW TO: Configure Server Settings in Windows 2000
Microsoft Knowledge Base Article: 320824 - This step-by-step article describes how to configure Windows 2000 server settings by using the Active Directory Sites and Services snap-in.
How to Convert DNS Primary Server to Active Directory Integrated
Microsoft Knowledge Base Article: 198437 - Describes how to convert a primary DNS server to an Active Directory Integrated Primary server, force replication to another domain controller, and add the new domain controller as a DNS server.
HOW TO: Create Windows 2000 Active Directory Server
Microsoft Knowledge Base Article: 300921 - This article describes how to install and configure a new Active Directory in a laboratory environment that includes Windows 2000 and Active
Directory. Note that you will need two networked servers that are running Windows 2000 Server or Windows
2000 Advanced Server.
How to Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain
Microsoft Knowledge Base Article: 255248 - You may want to create a child domain and then delegate the Domain Name System (DNS) namespace to a domain controller located in this child domain for any of the following reasons:
How to Create a Computer Object in the Active Directory for a Windows NT 4.0 BDC
Microsoft Knowledge Base Article: 221826 - In the Active Directory, computer accounts created in Server Manager are displayed as user objects. Microsoft Windows NT 4.0 (and earlier versions) BDC computer accounts are displayed as user objects if they were created with Server
HOW TO: Create a Container to List Printers in Active Directory
Microsoft Knowledge Base Article: 303161 - This article
describes how to create a container in which to list your
printers in Active Directory directory service. By default,
printers are not displayed when you use My Network Places to
browse Active Directory. This article describes how to use the
ADSI Edit tool that is included with the Microsoft Windows 2000
Support Tools to add a container in which to list the printers
that are published in Active Directory. By doing so, users can
either find the folder that contains the printers in My Network
Places or add a network place to the folder that contains the
How to Create a Cross-Reference to an External Domain in Active Directory
Microsoft Knowledge Base Article: 241737 - Request for Comment (RFC) 2251 defines a referral that allows a Lightweight Directory Access Protocol (LDAP) server to send the Distinguished Name (DN) of another LDAP server in response to a client's search request.
HOW TO: Create and Configure a Site Link in Active Directory
Microsoft Knowledge Base Article: 316812 - This step-by-step article describes how to create and configure a site link in Active Directory. Note that for the site link to become active, there must be at least two sites available in Active
HOW TO: Create and Configure a Site Link in Active Directory in Windows 2000
Microsoft Knowledge Base Article: 316812 - This step-by-step article describes how to create and configure a site link in Active Directory. Note that for the site link to become active, there must be at least two sites available in Active
HOW TO: Create a Single Domain Tree with Two Domains in Windows 2000
Microsoft Knowledge Base Article: 317696 -
Every Domain Name System (DNS) name of a child domain in a hierarchy contains the name of the parent domain. This step-by-step article describes how to create a continuous namespace that spans two domains by adding a child
How To Delegate the Unlock Account Right
Microsoft Knowledge Base Article: 294952 - This article describes the process to delegate the right to unlock locked user accounts to a particular group or user in Active
How to Display and Administer All Users in Active Directory
Microsoft Knowledge Base Article: 237548 - An administrator may want to generate a list of users in Active Directory. Once the users are displayed, the administrator can select multiple accounts to administer. Although you cannot change all of the user properties for multiple users,
How to Distribute Terminal Services Client Using Active Directory
TechNet article Q236573 describing how to distribute the Windows Terminal Services Client by using a group policy in Active Directory.
How to Enable Auditing With the Security Configuration Editor
By Allistair Lowe-Norris, Windows NT Magazine, October 1998.
How to Enable Auditing of Directory Service Access
Microsoft Knowledge Base Article: 232714 - Administrators can monitor access to Active Directory, causing successful and "failed" audit attempts to be logged in the Directory Service event log. This event log is present only on Windows 2000 domain
How to Enable Diagnostic Event Logging for Active Directory Services
Microsoft Knowledge Base Article: 220940 - You can enable enhanced event logging for certain Windows 2000 services. This may be useful for debugging purposes. This logging is set to disabled by default because the amount of data that can be logged can quickly fill the event log.
HOW TO: Enumerate Attributes Replicated to the Global Catalog
Microsoft Knowledge Base Article: 230663 - This step-by-step article describes how to enumerate attributes replicated in the Global catalog. To obtain information about all of the objects in a Windows 2000 enterprise, query the global catalog. The global catalog consists of all objects
in every domain in the enterprise. However, only selected
attributes are replicated to the Global Catalog for each object.
How to Find FSMO Role Holders (Servers)
Microsoft Knowledge Base Article: 234790 - This article describes how to find the servers that hold the Flexible Single Master Operation (FSMO) roles in a
HOW TO: Identify Group Policy Objects in the Active Directory and SYSVOL
Microsoft Knowledge Base Article: 216359 - When you are troubleshooting the application of a group policy, it may be necessary to validate that the appropriate objects are in the Active Directory and that the file structure is correct in SYSVOL on each domain controller on which the
Group Policy Object (GPO) is replicated. A key piece of
information in this process is the Globally Unique Identifier (GUID)
associated with the GPO. This article discusses identifying a
GPO with its GUID
HOW TO: Install and Configure a Windows 2000 DHCP Server in an Active Directory Domain
Microsoft Knowledge Base Article: 300429 - This step-by-step article describes how to build and configure a new Windows 2000 DHCP Server in a Windows 2000 Active Directory domain. The Windows 2000 DHCP service provides clients with IP addresses, and information such as the location
of their default gateway, DNS servers, and WINS servers.
HOW TO: Move Users, Groups, and OUs Within a Domain
Microsoft Knowledge Base Article: 313066 - This step-by-step article explains how to move users, groups, and organizational units (OUs) within a domain. You can move Active Directory objects such as users, groups, and OUs from one location to another when organizational or administration
How to Move the Ntds.dit File or Log Files
Microsoft Knowledge Base Article: 257420 - This article describes how to move the Active Directory database file, Ntds.dit, and the Active Directory log files to different drives to improve performance. (updated 3/28/2001)
How to Optimize Active Directory Replication in a Large Network
Microsoft Knowledge Base Article: 244368 - This article describes how to optimize Active Directory replication in large network configurations.
HOW TO: Pre-stage Windows 2000 Computers in Active Directory
Microsoft Knowledge Base Article: 283771 - This article describes how to pre-stage computer names for Windows 2000-based computers, as you can in Microsoft Windows NT 4.0, to allow only those computer names to be added to Active
How to Prevent Domain Controllers from Dynamically Registering DNS Names
Microsoft Knowledge Base Article: 198767 - By default, the Netlogon service on a domain controller registers dynamic Domain Name Service (DNS) records to advertise Active Directory directory service services. This behavior can be disabled with a registry setting.
How to Publish Certificates to the Active Directory from a Standalone Certification Authority
TechNet article Q246572. Excerpt from this page: A Web server that hosts the certification authority certificate enrollment Web pages must be configured for domain authentication, and the certificate request must include an attribute specifying the user certificate template.
How to Remove Data in the Active Directory After an Unsuccessful Domain Controller Demotion
Microsoft Knowledge Base Article: 216498 - Describes how to remove data in the Active Directory after an unsuccessful domain controller demotion.
How to Remove Orphaned Domains from Active Directory
Microsoft Knowledge Base Article: 230306 - Normally, when the last domain controller for a domain is demoted, the administrator selects the "This server is the last domain controller in the domain" option in the DCPromo tool, which removes the domain meta-data from Active
HOW TO: Remove Orphaned Domains from Active Directory Without Demoting the
Microsoft Knowledge Base Article: 251307 -
This article describes how to remove an orphaned domain and its servers from Active Directory when there is no active domain controller for the domain. You may need to perform this method, for example, if the only domain controller for a domain
has failed with no chance of recovery. Or, if some of the domain
controllers were physically removed without being demoted first.
How to Rename User Accounts in Windows 2000 Active Directory
Microsoft Knowledge Base Article: 260390 - This article describes how to rename user accounts in Active Directory.
How to Set Up ADMT for Windows NT 4.0 to Windows 2000 Migration
Microsoft Knowledge Base Article: 260871 - You can use the Active Directory Migration tool (ADMT) to migrate users, groups, and computers from one domain to another. This article describes how to perform a migration from a Microsoft Windows NT 4.0-based domain to a Windows 2000-based
HOW TO: Set up a One-Way Non-Transitive Trust
Microsoft Knowledge Base Article: 309682 - Windows 2000 domains in the same forest share transitive trust relationships with one another. There is an implicit transitive trust between the root domains in each tree in the Windows 2000 forest.
How to Troubleshoot an "Internal Error" Error Message During the Replication Phase of Dcpromo
Microsoft Knowledge Base Article: 265090 - This article describes how to troubleshoot an "internal error" error message that you may receive during the replication phase of the Active Directory Installation Wizard
How to Use Active Directory Migration Tool Version 2 to Migrate from Windows 2000 to Windows .NET Server
Microsoft Knowledge Base Article: 326480 - This article describes how to set up the Active Directory Migration Tool (ADMT) to migrate from a Windows 2000-based domain to a Windows .NET Server-based domain.
How to Use the Adsvw Tool to Browse the Active Directory
TechNet Article Q186749 describing how to use the Active Directory Services Viewer tool to browse the structure of an Active Directory.
HOW TO: Use Lbridge.cmd to Replicate System Policies Between Windows 2000 and Windows NT 4.0 Domain Controllers
Microsoft Knowledge Base Article: 317368 - This step-by-step article describes how to use the Lbridge.cmd script to replicate system policies from a Windows 2000-based domain controller to a Microsoft Windows NT 4.0-based domain
How to Use the MoveTree Utility to Move Objects Between Domains in a Single Forest
Microsoft Knowledge Base Article: 238394 - MoveTree.exe is a command-line utility that enables administrators to move Active Directory objects such as organizational units, users, and so on, between domains in a single forest.
How to Use Netsh.exe to Authorize, Unauthorize and List DHCP Servers in Active Directory
Microsoft Knowledge Base Article: 303351 - This article describes how to use the Netsh.exe tool to authorize or unauthorize DHCP servers in Active Directory, and also to see what servers are authorized for the current domain.
How to Verify an Active Directory Installation
Microsoft Knowledge Base Article: 298143 - This article describes how to verify an Active Directory installation.
In case you missed Part 1 In the first article, I discuss a
variety of situations in which it might be beneficial to change
the permissions on the Active Directory. As you probably know,
the Active Directory is actually nothing more than a database.
Performing Offline Defragmentation of the Active Directory Database
Microsoft Knowledge Base Article: 232122 - Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database
Publishing a Printer in Windows 2000 Active Directory
Microsoft Knowledge Base Article: 234619 - Windows 2000-based and non-Windows 2000-based computers that have shared printers can publish printers in Active Directory so that the printers can be searched for
Publishing a Shared Folder in Windows 2000 Active Directory
Microsoft Knowledge Base Article: 234582 -
You can publish any shared network folder, including a distributed file system (Dfs) folder, in Active Directory. Creating a Shared folder object in Active Directory does not automatically share the folder.
Setting an Attribute's searchFlags Property to Be Indexed for ANR
Microsoft Knowledge Base Article: 243311 - Ambiguous Name Resolution (ANR) is a search algorithm implemented by Windows 2000 Active Directory for easier searching. Selected attributes are defined by the schema as being indexed for
Setting up DNS and the Active Directory
Setting up DNS and the Active Directory Operating System Beta 3 Technical Walkthrough Abstract. Source: Microsoft TechNet CD Online
Setting Up the Domain Name System for Active Directory
Microsoft Knowledge Base Article: 237675 - The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active Directory clients and client tools use DNS to locate domain controllers for administration and logon. You must have a DNS server installed and configured
for Active Directory and the associated client software to
function correctly. This article guides you through the required
Step by Step Guide to adding Domain Controllers
Use this document to continue setting up the common infrastructure network for Active Directory step-by-step guides. This guide will provide you with the procedures to configure a computer running Windows 2000 Server as the first domain controller of a child domain of the parent
domain Reskit, and configure an additional domain controller to function as a replication partner. Source: Microsoft.com (Jan 28, 2000)
Step-by-Step Guide to Managing Active Directory
This guide introduces you to administration of the Windows 2000 Active Directory service. The procedures demonstrate how to use the Active Directory Users and Computers snap-in to add, move, delete, and alter the properties for objects such as users, contacts, groups, servers,
printers, and shared folders.
Step-by-Step Guide to Setting up ISM-SMTP Replication
This guide describes how to configure Simple Mail Transfer Protocol (SMTP) replication between two Windows 2000-based domains. It also briefly describes the Inter-site Messaging (ISM) architecture within the Windows 2000 Active Directory service.
Step-by-Step Guide to Active Directory Sites and Services
This guide explains how to use the Active Directory Sites and Services snap-in to administer replication topology both within a site in a local area network (LAN) and between sites in a wide area network (WAN).
Step-by-Step Guide to Using Active Directory Schema and Display Specifiers
This step-by-step guide introduces you to advanced administration of the Microsoft Windows 2000 Active Directory service, using the Active Directory Schema snap-in and display specifier modification. You can add and modify classes and attributes in the schema and extend both the
Administrative Tools and the Windows shell by modifying attributes in display specifiers.
Step-by-Step Guide to Bulk Import and Export to Active Directory
This guide introduces batch administration of the Active Directory using both the LDAP Data Interchange Format (LDIF) utility and a simple program you can write in VBScript
Using LDIFDE to Import/Export Directory Objects to the Active Directory
Microsoft Knowledge Base Article: 237677 - The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards.
Using Ldp.exe to Find Data in the Active Directory
Microsoft Knowledge Base Article: 224543 - LDP.EXE is a Windows 2000 Resource Kit utility that can be used to perform LDAP (Lightweight Directory Access Protocol) searches against the Active Directory for specific information given search
Using Terminal Services for Remote Administration of Windows 2000 DCs in Directory Service Restore Mode
Microsoft Knowledge Base Article: 256588 - Some low-level maintenance of the Windows 2000 Active Directory requires that Windows 2000 domain controllers (DCs) boot to Directory Service Restore mode. Configuring Windows 2000 domain controllers with Terminal Services in Remote
Administration mode permits administrators to perform operations
requiring Directory Service Restore mode without having to be
present at the console of the server. This article describes the
use of Terminal Services to transition a Windows 2000 domain
controller between online and Directory Service Restore mode.
Viewing Deleted Objects in Active Directory
Microsoft Knowledge Base Article: 258310 - When an Active Directory object is deleted, a small portion of the object remains for a specified period of time so that other domain controllers that are replicating changes will become aware of the deletion.