General Administration
Microsoft Active Directory Management Pack Guide
Microsoft® Operations Manager (MOM) 2000 Active Directory Management Pack (ADMP) Service Pack 1 (SP1) provides a monitoring and management system for the Active Directory® directory service that is integrated with MOM. ADMP can help you to improve the availability, performance, and security of your Active Directory implementation. With ADMP, MOM provides central monitoring and automatic problem resolution for large networks, continuously monitoring Active Directory components. Source: Microsoft.com
Administering
Active Directory
This section covers: Administering
other domains. Delegating administration.
Transferring operations master roles.
From the Windows 2000 Advanced Server
Online Documentation. Source: Microsoft.com
Advancing Time on Production Computers and the Effect on Active Directory and FRS
Microsoft Knowledge Base Article: 289668 - In the course of troubleshooting Active Directory or File Replication Service (FRS) replication issues, as the administrator, you may want to advance the system time of a computer to make the content of one computer have authority over another, or to force deletion of tombstoned objects in Active Directory.
AD
Delegation: Beyond the Basics
AD's delegation abilities can enhance IT productivity
securely. These real-world examples can help
you design and deploy an AD delegation model
that meets the needs of your environment. Source:
Windows & .NET Magazine (Aug 2002)
Bulk Import and Export to Active Directory
This guide introduces batch administration of the Active Directory™ service, using both the LDAP Data Interchange Format (LDIF) utility and a simple program you can write using the Visual Basic® Scripting Edition (VBScript) development system. Using these tools, you can export, import, and modify objects such as users, contacts, groups, servers, printers, and shared folders. Source: Microsoft.com
Common
Default Attributes Set for Active Directory
and Global Catalog
Microsoft Knowledge Base Article: 257203 - The
Windows 2000 schema contains a large number
of object attributes that administrators can
use. The attributes typically required by Windows
2000 are enabled by default when the first domain
controller is installed; a number of these attributes
are used by both Active Directory and the global
catalog (GC). These attributes have the Index
this attribute in the Active Directory and Replicate
this attribute to the Global Catalog options
selected in their properties. You can change
both the number of attributes selected and which
specific attributes are used by using the Active
Directory Schema snap-in in Microsoft Management
Console (MMC). However, in most cases, there
is no need to modify any of these attributes.
Carefully consider any changes to these default
settings before making changes.
DCDiag and NetDiag
in Windows 2000 Facilitate Domain Join and DC
Creation
Microsoft Knowledge Base Article: 265706 - This
article describes the functionality that has
been added to the versions of the Domain Controller
Diagnostics (Dcdiag.exe) and Network Diagnostics
(Netdiag.exe) tools that are included in Windows
2000.
Default Active Directory
Attributes in the Windows 2000 Schema
Microsoft Knowledge Base Article: 257218 - The
Windows 2000 schema contains a large number
of object attributes that administrators can
choose for use. The attributes normally required
by Active Directory are enabled by default when
the first domain controller is installed, and
have the "Index this attribute in the Active
Directory" check box selected in their properties.
Default
Global Catalog Attributes in Windows 2000 Active
Directory Schema
Microsoft Knowledge Base Article: 256938 - The
schema contains a large number of object attributes
that are either available for use or already
enabled by default in Active Directory. A number
of these object attributes are pre-selected
in the GC by default; these default attributes
are replicated among all GCs in the organization.
Description of RID
Attributes in Active Directory
Microsoft Knowledge Base Article: 305475 - This
article describes RID-related attributes in
Active Directory.
DNS and
Active Directory
This page contains links to valuable resources
about Active Directory and DNS. Source: Microsoft.com
HOW
TO: Change Default Permissions for Objects That
Are Created in the Active Directory
Microsoft Knowledge Base Article: 265399
- This step-by-step article describes how to
modify Active Directory object attributes. The
example in this article changes the defaultSecurityDescriptor
attribute of the Organizational Unit object
to remove the Read permission from the members
of the Authenticated Users group.
HOW
TO: Complete a Semantic Database Analysis for
the Active Directory Database by Using Ntdsutil.exe
Microsoft Knowledge Base Article: 315136 - This
step-by-step article describes how to run the
semantic checker on the Active Directory database.
Unlike the file management commands, which test
the integrity of the database with respect to
the ESENT database semantics, the semantic...
How Dcpromo.exe Adds Display Specifiers to Active Directory Forests
Microsoft Knowledge Base Article: 308592 - You use Active Directory promotion (Dcpromo.exe) to add domain controllers to Windows 2000 server forests. This article describes the role of Dcphelp.exe in the Dcpromo process for adding display specifiers to Active Directory.
HOW
TO: Enable Active Directory Access Auditing
in Windows 2000
Microsoft Knowledge Base Article: 314977 - This
step-by-step article describes how to enable
Active Directory access auditing in Windows
2000. The Active Directory should be audited
to assess when authorized and unauthorized access
is attempted. You can configure auditing of
the Active Directory database. After you enable
auditing, you can view the audit information
in the Directory Service log that is located
in the Event Viewer. Note that this log is only
present on computers that are acting as Active
Directory domain controllers. This article describes
how you can enable Active Directory for auditing
access.
HOW
TO: Manage Groups in Active Directory in Windows
2000
Microsoft Knowledge Base Article: 320054 - This
article explains how to manage groups in Active
Directory. About Groups: Groups are Active Directory
or local computer objects that can contain users,
contacts, computers, and other groups.
How
to Pre-stage Windows 2000 Computers in Active
Directory
Microsoft Knowledge Base Article: 283771 - This
article describes how to pre-stage computer
names for Windows 2000-based computers, as you
can in Microsoft Windows NT 4.0, to allow only
those computer names to be added to Active Directory.
How
to Remove Data in the Active Directory After
an Unsuccessful Domain Controller Demotion
Microsoft Knowledge Base Article: 216498 - This
article describes how to remove data in the
Active Directory after an unsuccessful domain
controller demotion.
How Windows 95 and Windows 98 Directory Services Client Uses AD Site Information
Microsoft Knowledge Base Article: 249841 - Site awareness is a key feature in the Directory Services (DS) Client. This article describes new Microsoft Windows 95 and Microsoft Windows 98 behavior in locating domain controllers (DCs) when the DS Client is installed and the user logs on.
Installing
and Using Active Directory Support Tools
Because the Active Directory is a part of the
core Windows 2000 operating system, it's easy
to take it for granted. After all, the Active
Directory quietly works in the background, servicing
the needs of your enterprise. Source: EarthWeb
(Dec 14, 2000)
Know
the ins and outs of using and administering
Active Directory Service
New technology features present obvious benefits
to end users, but along with the benefits come
challenges as well. Microsoft's Active Directory
Service (ADS), which is new to Windows 2000,
offers multiple new features that make network
administrators, software developers and software
vendors more efficient. However, certain ADS
functionality should be examined closely to
ensure your organization can realize its full
potential. Source: Windows2000 Advantage
(Nov 1999)
Making
Active Directory Easier
Network administrators won't see the full benefits
of a Windows 2000 upgrade until the last domain
controller is cut over - and that can take a
year or more. Here's what users such as Eric
Kornau at Cincinnati State Technical and Community
College are doing to speed the transition and
ease administration headaches of running a mixed
environment. Source: ComputerWorld (Aug
6, 2001)
Memory
Usage By the Lsass.exe Process on Windows 2000-Based
Domain Controllers
Microsoft Knowledge Base Article: 308356
- This article describes some Lsass.exe process
basics, best practices for the configuration
of the Lsass.exe process, and expectations of
memory usage. This article should be used as
a guide in the analysis of Lsass.exe performance
and memory use on Windows 2000-based domain
controllers (DCs). The information in this article
may be useful if you have questions about how
to tune and configure servers and DCs to optimize
this engine.
Monitoring
Active Directory: How and Why to Monitor Active
Directory Performance
With Windows 2000 comes the need to monitor
new and different processes on your server.
Source: EarthWeb (Oct 18, 2000)
Monitoring
Active Directory: Using System Monitor Counters
Take an in-depth look at some of the counters
you can use to monitor the Active Directory
in Windows 2000 servers, including the largest
and most useful counters: inbound and outbound
DRA counters. Source: EarthWeb (Oct 18,
2000)
New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager
Microsoft Knowledge Base Article: Q299656 - Windows 2000 Service Pack 2 (SP2) offers compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT. The authentication methods that support these downlevel systems are LanMan (LM), Windows NT LanMan (NTLM)
Primary and Active
Directory Integrated Zones Differences
Microsoft Knowledge Base Article: 227844 - With
Windows 2000, after you create your first domain
controller, you can change your domain name
server (DNS) zone from primary to Active Directory
integrated.
Practice Proactive AD Maintenance
AD is the heart of your Win2K
network. Learn what to do to ensure maximum
uptime and availability of your AD-based network.
Source: Windows & .NET Magazine (August
2002)
Step-by-Step
Guide to Managing the Active Directory
This guide introduces you to administration
of the Windows 2000 Active Directory service.
The procedures demonstrate how to use the Active
Directory Users and Computers snap-in to add,
move, delete, and alter the properties for objects
such as users, contacts, groups, servers, printers,
and shared folders. Source: Microsoft.com
(March 2000)
The Definitive Guide to Windows 2000 Administration
An online book written by Sean Daily and
Darren Mar-Elia. Sponsored by Quest Software.
Source: Realtimepublishers
Tips
and Tricks Guide to Active Directory Administration
So your company has decided to migrate from
NT to Windows 2000 and Active Directory. What's
next? Someone needs to design, migrate and manage
this new and highly efficient infrastructure.
This eBook will save you time and help you maximize
your administration of Microsoft Active Directory.
You'll learn the tips and tricks that give experienced
administrators the edge in enterprise environments,
including tips on migrating to Active Directory,
using scripts to automate administration, organizing
the Directory for security, decentralizing administration
through delegation, performance tuning your
Directory infrastructure, and much more. Source:
Realtimepublishers
User
State Migration Tool
The User State Migration Tool (USMT) is a command-line
utility, allowing administrators to migrate
a user's data and settings as part of a large-scale
deployment process. Source: Microsoft.com
(Oct 2000)
Using
the Active Directory schema
Covers issues in extending the schema. When
to extend the schema. Before extending the schema.
Last modified 11-Oct-1999
Domains and Trusts
Active Directory Domains and Trusts Overview
Active Directory Domains and Trusts helps you manage trust relationships between domains. Last modified 11-Oct-1999
HOW
TO: Configure One-Way Non-Transitive Trusts
in Windows 2000
Microsoft Knowledge Base Article: 315053 - This
step-by-step article describes how to configure
one-way non-transitive trusts in Windows 2000.
HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain
Microsoft Knowledge Base Article: 306733 - This article
describes how to create a trust between a Windows
2000 domain and a Windows NT 4.0 domain. The
creation of a trust between a Windows 2000 domain
and a Windows NT 4.0 domain is similar to establishing
a trust between two Windows NT 4.0 domains.
When you establish a trust relationship between
two domains, users in one domain can obtain
access to resources that are located in another
trusted domain. In this article, the Windows
2000 NetBIOS domain name is "W2KDOMAIN," and
the Windows NT 4.0 NetBIOS domain name is "NTDOMAIN".
Note that NETBIOS name resolution must be used
to enable trust between the two domains.
How to Determine
Trust Relationship Configurations
Microsoft Knowledge Base Article: 228477 - Multiple
methods exist for administrators to view the
configuration of trust relationships for the
domain and perform maintenance on these relationships,
both locally and remotely. This article discusses
the different tools that can be used
HOW
TO: Establish Trusts with a Windows NT-Based
Domain
Microsoft Knowledge Base Article: 308195 - This
article describes how to establish a trust relationship
between a Microsoft Windows NT 4.0-based domain
and a Windows 2000-based domain.
Using Active Directory Domains and Trusts
Discusses information that you must consider when planning and installing or upgrading.
Understanding
Active Directory Domains and Trusts.
Last modified 11-Oct-1999
Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain
Microsoft Knowledge Base Article: 281271 - In the following scenario, if a user from the same domain as a Root Certification Authority (CA) requests a certificate, the issued certificate is published in Active Directory. However, if the user is from a child domain, this process is not successful.
A
Windows NT 4.0 Domain May Update the Trust Account
Password on a Non-Primary Domain Controller
Microsoft Knowledge Base Article: 317178 - If
a Windows NT 4.0-based domain trusts a Windows
2000-based domain, the trust password is changed
every seven days by default. When the primary
domain controller (PDC) for the Windows NT 4.0-based
domain tries to change the password for the
trust, the password change is sent to the domain
controller with which it has already established
a secure channel in the trusted domain. The
domain controller in the trusted domain to which
the password change is sent to may not hold
the PDC operations master role.
Cannot Set Up Trust in Windows 2000 Domain from Windows NT 4.0
When you are using User Manager for Domains from Microsoft Windows NT 4.0 to establish a trust from a Windows 2000-based domain to any other domain, you may receive an error message.
Error
Message When You Change the Trust to Bidirectional
After an In-Place Migration
Microsoft Knowledge Base Article: 306101 - After
an in-place migration of a trusted domain from
Microsoft Windows NT 4.0 to Windows 2000, when
you create a trust relationship in the opposite
direction by using the Domain and Trusts Management
console, the following error message is
Unable
to Establish an Explicit Trust Between Windows
2000-Based Domains
Microsoft Knowledge Base Article: 312003 - When
you attempt to establish an explicit trust between
two Windows 2000-based domains that are in different
forests, you may receive the following error
message:
You
May Be Unable to Establish a Trust Relationship
Between Windows 2000 and Windows NT Domains
Microsoft Knowledge Base Article: 295335 - You
may be unable to establish a trust relationship
between a Windows 2000 domain and a Windows
NT domain. When you try to add the trust from
the Windows 2000 domain, you may receive the
following error message:
Database Management
Active
Directory Database Sizing
Microsoft Article excerpted from the MS Press
"Optimizing Network Traffic" Book.
Global Catalog
Default Global Catalog Attributes in Windows 2000 Active Directory Schema
Microsoft Knowledge Base Article: 256938 - The schema contains a large number of object attributes that are either available for use or already enabled by default in Active Directory. A number of these object attributes are pre-selected in the GC by default; these default attributes are replicated among all GCs in the organization.
Domain Controllers
Continue to Use Global Catalog Server After
It Has Been Demoted
Microsoft Knowledge Base Article: 293421 - After
you demote a server from a global catalog server
to a domain controller, other domain controllers
that used that server for universal group enumeration
may continue to use the server even though it
no longer is participating in global catalog
replication. This can cause some queries to
return outdated or incomplete information.
Global Catalog
Attributes and Replication Properties
Microsoft Knowledge Base Article: 232517
- Global Catalogs contain commonly-searched
attributes from all Naming Contexts of a forest.
An attribute is included in the Global Catalog
if the partialAttributeSet property of attribute
is set to TRUE in the schema Naming Context.
Global Catalog
Server Requirement for User and Computer Logon
Microsoft Knowledge Base Article: 216970
- As part of the logon process, a security token
is constructed by the Local Security Authority
(LSA) that contains the Security Identifiers
(SIDs) of groups of which the user is a member
(for both the domain and the local computer)
HOW
TO: Add an Attribute to the Global Catalog
Microsoft Knowledge Base Article: 313992 - This
step-by-step article describes how to add an
attribute to the global catalog. By using the
Active Directory Schema, you can specify additional
attributes to be kept in the global catalog.
This helps to speed up search queries across
a domain for an attribute that is not included
by default in the global catalog.
How to Control
What Data Is Stored in the Global Catalog
Microsoft Knowledge Base Article: 229662
- The Global Catalog contains a partial replica
of the domain Active Directory for every domain
in an enterprise forest. The Global Catalog
server replicates a copy of all objects from
every domain in the forest, but only contains
a subset of the data
HOW
TO: Create or Move a Global Catalog
Microsoft Knowledge Base Article: 313994 - This
article explains how to create and how to move
a global catalog server.
How to Disable
Requirement that a Global Catalog Server Be
Available to Validate User Logons
Microsoft Knowledge Base Article: 241789
- Placement of Global Catalog servers in remote
sites is usually desired to improve performance
in user logon time, searches and other actions
requiring communication with Global Catalog
servers, and to reduce wide area network (WAN)
traffic.
How to Enumerate Attributes Replicated to the Global Catalog
Microsoft Knowledge Base Article: Q230663 - Describes how to enumerate attributes replicated in the Global Catalog.
How to Use the Replication Monitor to Determine the Operations Master and Global Catalog Roles
Microsoft Knowledge Base Article: 297230 - This article describes how to use the Active Directory Replication Monitor (ReplMon.exe) tool to determine the servers that hold the operations master roles in a forest as well as the domain controllers and global catalog servers for the forest.
FSMO Roles
HOW
TO: View and Transfer FSMO Roles in the Graphical
User Interface
Microsoft Knowledge Base Article: 255690 - There
are five Flexible Single Master Operations (FSMO)
roles in a Windows 2000 forest. There are two
ways to transfer a FSMO role in Windows 2000.
This article describes how to transfer all five
FSMO roles by using Microsoft Management Console
Windows 2000 Active Directory FSMO Roles
Microsoft Knowledge Base Article: 197132 - This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change.
Last modified 09-Aug-1999
FSMO
Placement and Optimization on Windows 2000 Domain
Controllers
Microsoft Knowledge Base Article: 223346 - Windows
2000 domain controllers support multi-master
updates for the replication of objects (such
as user and computer accounts) in the Active
Directory. In a multi-master model, objects
and their properties can originate on any domain
controller
Schema Updates
How to Modify Schema
Information Using the Ldifde Utility
Microsoft Knowledge Base Article: 283791 - This
article describes how to use the Windows 2000
Ldifde utility to modify Active Directory schema
class attributes.
HOW
TO: Upgrade the Schema to Upgrade Domain Controllers
to Released Version of Windows 2000
Microsoft Knowledge Base Article: 240427 - Microsoft
supports upgrading Windows 2000 servers running
versions later than RC1 rather than requiring
a clean installation. Upgrading to later builds
requires one or more schema changes that have
been made to these builds. This article describes
how to check the schema version, how to perform
the operating system upgrade, and how to perform
the schema upgrade.
Schema Updates Require
Write Access to Schema in Active Directory
Microsoft Knowledge Base Article: 285172 - This
article discusses schema updates.
Security
Best
Practice Guide for Securing Active Directory
Installations and Day-to-Day Operations: Part
I
A breach in Active Directory security can result
in the loss of network resource access by legitimate
clients or in the disclosure of potentially
sensitive information. Such information disclosure
can occur for data that is stored on network
resources or from the Active Directory database
itself. To avoid these situations, organizations
need more extensive information and support
to ensure enhanced security for their NOS environments.
This guide addresses this need for organizations
that have new, as well as existing, Active Directory
deployments. Part I of the guide contains recommendations
for protecting domain controllers from potential
attacks of known origin and recommendations
for establishing secure administrative policies
and practices. Part
II of the guide contains recommendations
for detecting attacks, defending against known
and unknown threats, and recovering from attacks.
Source: TechNet
Securing Windows 2000 Active Directory (Part 1)
Protecting Active Directory's integrity is paramount. This article will focus on Active Directory security and will be written in two parts. Active Directory is the Windows 2000 information repository that needs to be kept very secure. Active Directory has vital service dependencies such as DNS, which changes the scope of what needs to remain secure. I will focus on actions that you can take in order to safeguard the Active Directory service. Source: WindowSecurity.com
Securing Windows 2000 Active Directory (Part 2)
Protecting Active Directory's integrity is paramount. This is the second article in the two-part series that focuses on Active Directory security. Active Directory is the Windows 2000 information repository that needs to be kept very secure. Active Directory has vital service dependencies such as DNS, which changes the scope of what needs to remain secure. I will focus on actions that you can take in order to safeguard the Active Directory service. Source: WindowSecurity.com
Backup and Recovery
Active Directory Backup Is Canceled If a File Is Busy
Microsoft Knowledge Base Article: 328423 - The process of backing up Active Directory is canceled if a busy file is encountered. The Active Directory backup process returns error code 0XC8000408 (JET_errFileAccessDenied) and you must start the backup process again from the beginning.
Active
Directory Disaster Recovery
This paper discusses the steps for recovering
a domain controller from a disaster such as
a database malfunction caused by hardware or
software failure. Such a disaster generally
renders the domain controller useless and prevents
the machine from booting normally. Another cause
of disaster is the human kind, in which an error
is involved and erroneous data is replicated
to other domain controllers in the enterprise.
This paper provides information about recovering
a domain controller running Active Directory
and no other services. If other services are
installed on the machine, such as Domain Name
System (DNS) or Internet Information Service
(IIS), some other steps may be required, but
they are not included in this paper.
Authoritative Restore
of Active Directory and Impact on Trusts and
Computer Accounts
Microsoft Knowledge Base Article: 216243 - The
Authoritative Restore feature allows an administrator
to select specific objects or subtrees of objects
from an archived Active Directory database and
restore them to a domain controller. Note that
doing so causes Active Directory replication
to replicate this restored state (the System
State) of objects, overwriting the copies currently
held on all domain controllers within the domain.
The restored objects receive a USN greater than
the current set of domain objects.
Authoritative Restore
of Groups Can Result in Inconsistent Membership
Information Across Domain Controllers
Microsoft Knowledge Base Article: 280079 - After
you perform an authoritative restore of users
and groups, the membership in the restored groups
may be inconsistent across domain controllers.
Backup
and Recovery of the Distributed Services
Downloadable document in Word format.
Backup and Restore of RID Flexible Single-Master Operations Domain Controller Causes Duplicate SIDs
Microsoft Knowledge Base Article: 307725 - When you back up and then restore the Directory service on a relative ID (RID) operations master (also known as flexible single-master operations or FSMO) domain controller (DC), duplicate Security ID (SID) events may appear in Event Viewer.
Backup
of the Active Directory Has 60-Day Useful Life
Microsoft Knowledge Base Article: 216993
- Windows Backup, the backup tool included in
the Administrative Tools folder on Windows 2000
servers, can back up and restore the Active
Directory on Windows 2000 domain controllers.
These backups can be performed while the domain
controller is online. You can restore these
backups only when the domain controller is booted
into Directory Services Restore mode using the
F8 key when the server is starting.
Description of the "Restore in Progress" Registry Key in Active Directory
Microsoft Knowledge Base Article: 814167 - This article describes the registry values for the registry key that is created when you restore Active Directory on a Windows 2000 Server-based computer.
Disaster Recovery of Active Directory on Dissimilar Hardware
Microsoft Knowledge Base Article: 263532 - This article discusses disaster recovery of the Active Directory on different hardware than it was originally on. This procedure may be necessary if, due to a catastrophic event, there is no other domain controller (DC) and similar hardware
Restoring Active Directory from Backup Media
Active Directory Backup and Restore - You can also restore Active Directory information on a domain controller by restoring the System State data from backup media. This restores Active Directory as well as the other System State components on which Active Directory depends.
Repairing
and Recovering AD
Repair and recover your crucial Active Directory
service with these useful processes. Source:
Windows & .NET Magazine (September
2002)
Windows 2000: Active Directory Disaster Recovery
During this session, we will discuss the different types of Active Directory disaster recovery, and explain the steps needed to perform both authoritative and non-authoritative restores. March 19, 2002. Length: 1 hr 55 min.
Possible
Active Directory Inconsistency after You Restore
a Domain Controller
Microsoft Knowledge Base Article: 316829 - Restoring
a domain controller may cause inconsistencies
between domain controllers. If this occurs,
some lingering objects may be present on the
restored domain controller. Also, new objects
on the restored domain controller are not replicated
out.