ACL Editor and Inheritance of Permissions
Microsoft Knowledge Base Article: 178170
- Windows 2000 Active Directory provides
a user interface (UI) to modify the
access control permissions for objects
within the directory. This UI is referred
to as the Access Control List (ACL)
Editor. This article addresses a concept
of inheritance used by the ACL Editor
that administrators should be aware
of.
Active Directory Basics: Working with Windows 2000 Security Templates, Part 1
Active Directory security templates
let you set and apply network policies
for multiple users in one fell swoop.
This not only eliminates tedious repetition
of common tasks but also ensures accuracy.
Here author Brien Posey shows you how
security templates work and how to use
them. Source: Breinposey.com
Active Directory Basics: Working With Windows 2000 Security Templates, Part 2
In Part 1 of this article series, author
Brien Posey discussed how you can use
templates to apply a preset level of
security to your Win2K network. Here
he shows you how to use the Security
Configuration and Analysis Tool to create
custom templates based on your existing
security structure. Source: Breinposey.com
Active Directory Database Sizing
Previous versions of the Windows NT network
operating system restricted directory use in
some network administration functions, such
as administrating users and user groups. The
Windows 2000 Active Directory extends these
functions and other capabilities, and opens
the use of the directory as a data store and
as a means for network services or directory-enabled
applications to publish information in an enterprise-wide
network. This article is excerpted from "Optimizing
Network Traffic," a part of the Microsoft Press
'Notes From the Field' series that outlines
the best system management practices and procedures
based on the real-world experiences of Microsoft
Consulting Services (MCS). Source: Microsoft.com
Active Directory Users, Computers, and Groups
This white paper introduces administrators to
the way users, computers, and groups are organized
and how user authentication and authorization
are used to provide security. Source: Microsoft.com
Allowing or Denying Access
There are a million reasons why you might want
to regulate the Active Directory under Windows
2000. In this article, I'll discuss some situations
in which the default Active Directory permissions
might not be appropriate. Source: EarthWeb
Backing up and Restoring Active Directory
In Windows NT, all information about user accounts
and the enterprise configuration is stored within
the Registry. This means that to back up this
information, you only have to back up the Registry.
Source: EarthWeb
Configuring Account
Policies in Active Directory
Microsoft Knowledge Base Article: 255550 - When
you are configuring account policies (such as
password policies and account lockout policies)
in Active Directory, bear in mind that Windows
2000 allows only one account policy for domain
accounts: the policy linked at the domain level.
Account policies linked to organizational units
affect only the local accounts on the computers
in those OUs, never domain accounts.
Controlling the Active
Directory Search Buffer Size
Microsoft Knowledge Base Article: 243281 - To
improve the query response time when you are
searching for Active Directory objects in a
Windows 2000-based organization, searches are
limited to 10,000 objects by default. However,
you may need to increase this limit as your
organization grows. This article describes how
to control the buffer size that is allocated
for storing the number of objects that are returned
by a query search.
Configuring
Windows 2000 DNS to Support Active Directory
This scenario shows how you can design an infrastructure
for Microsoft Windows 2000 Domain Name
System (DNS) servers that simplifies DNS management
and that supports the Active Directory directory
service by enabling computers to locate domain
controllers. It also shows how you can use Active
Directory to enhance DNS security and reliability.
Source: Microsoft.com
Defragmentation of
the Active Directory Database
Microsoft Knowledge Base Article: 229602 The
underlying Extensible Storage engine (ESE) for
the Active Directory database uses the quickest
method to fill database pages, which is not
always the most efficient method.
Deleting Objects
from Active Directory Using Ldp.exe
Microsoft Knowledge Base Article: 244344 Describes
how an administrator can remove objects from
Active Directory by using the Ldp.exe tool.
Guide to Active Directory Design
This white paper presents a
brief summary and overview of current design
principles for corporations that are in the
planning stages of deploying Microsoft Windows
2000 Server and Microsoft Active Directory.
This white paper presents
some of the high-level design decision points
that a large corporation must consider and validate
within the corporation's environment. Source:
Microsoft.com (Sept 11, 2000)
HOW TO: Add UPN Suffixes
to a Forest
Microsoft Knowledge Base Article: 243629 - This
article describes how to add UPN suffixes to
a forest. Adding these suffixes gives you the
ability to use a friendly user-logon name that
does not match the domain's or parent domains'
naming structure.
How to Allow Non-Root
or Enterprise Administrators to Authorize RIS
Servers in Active Directory
Microsoft Knowledge Base Article: 239004 For
Remote Installation Service (RIS) servers to
begin to service clients, they must first be
authorized by Dynamic Host Configuration Protocol
(DHCP) by using the DHCP Management snap-in.
HOW TO: Assign Access Control Permissions on the
Properties of an Active Directory Object
Microsoft Knowledge Base Article: 218596 - In Microsoft Windows
2000, administrators can apply access control
permissions to Active Directory objects. Administrators
can also apply access control permissions to
properties of a specific Active Directory object.
This functionality provides the administrator
detailed control over what users can do in their
environment.
HOW TO: Audit Active
Directory Objects
Microsoft Knowledge Base Article: 314955 - This
step-by-step article describes how to use Windows
2000 auditing to track user activities and system-wide
events in Active Directory.
How to Automate Ntdsutil.exe
Using a Script
Microsoft Knowledge Base Article: 243267 Ntdsutil.exe
is a command-line utility that enterprise and
domain administrators can use to manage and
repair Active Directory. It is a menu-driven
tool designed for interactive use, but you can
also run it by using scripting and automation.
HOW TO: Change the
Default Selection in the Active Directory Manager
Snap-in
Microsoft Knowledge Base Article: 214676 - This
article describes how to select a different
domain controller from the command line or within
the snap-in. When you start the Active Directory
Users and Computers Microsoft Management Console
(MMC) snap-in, a particular Windows 2000 domain
controller is selected. Actions taken by the
administrator, such as creating users, occur
on the domain controller that is selected by
default. These changes are then replicated to
other domain controllers by the Active Directory
replication process. The domain that is selected
is the domain of the currently logged-on user,
and a domain controller for that domain is selected
by default.
How to Configure
Active Directory Certificate Mapping
Microsoft Knowledge Base Article: 272175 - This
article describes how to configure Active Directory
certificate mapping. Active Directory certificate
mapping enables a user with a trusted public
key to access directory resources without typing
a user name and a password.
How to Configure
Active Directory on a Home Network
Microsoft Knowledge Base Article: 260362 - This
article contains information to simplify installation
of Active Directory on a home network by identifying
common configuration issues. For additional
information about any of the information described
in this article, refer to Windows..
HOW TO: Configure Active Directory Accounts and
Groups for Wireless Access in Windows 2000
Microsoft Knowledge Base Article: 318750 - This step-by-step article
describes how to configure both user accounts
and computer accounts to support wireless access
in a Windows 2000 domain.
HOW TO: Configure
Server Settings in Windows 2000
Microsoft Knowledge Base Article: 320824 - This
step-by-step article describes how to configure
Windows 2000 server settings by using the Active
Directory Sites and Services snap-in.
How to Convert DNS
Primary Server to Active Directory Integrated
Microsoft Knowledge Base Article: 198437 Describes
how to convert a primary DNS server to an Active
Directory Integrated Primary server, force replication
to another domain controller, and add the new
domain controller as a DNS server.
HOW TO: Create Windows
2000 Active Directory Server
Microsoft Knowledge Base Article: 300921 - This
article describes how to install and configure
a new Active Directory in a laboratory environment
that includes Windows 2000 and Active Directory.
Note that you will need two networked servers
that are running Windows 2000 Server or Windows
2000 Advanced Server.
How to Create a Child
Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain
Microsoft Knowledge Base Article: 255248 - You
may want to create a child domain and then delegate
the Domain Name System (DNS) namespace to a
domain controller located in this child domain
for any of the following reasons:
How to Create a Computer
Object in the Active Directory for a Windows
NT 4.0 BDC
Microsoft Knowledge Base Article: 221826 - In
the Active Directory, computer accounts created
in Server Manager are displayed as user objects.
Microsoft Windows NT 4.0 (and earlier versions)
BDC computer accounts are displayed as user
objects if they were created with Server Manager.
HOW TO: Create a Container to List Printers in Active Directory
Microsoft Knowledge Base Article: 303161 - This
article describes how to create a container
in which to list your printers in Active Directory
directory service. By default, printers are
not displayed when you use My Network Places
to browse Active Directory. This article describes
how to use the ADSI Edit tool that is included
with the Microsoft Windows 2000 Support Tools
to add a container in which to list the printers
that are published in Active Directory. By doing
so, users can either find the folder that contains
the printers in My Network Places or add a network
place to the folder that contains the printers.
How to Create
a Cross-Reference to an External Domain in Active
Directory
Microsoft Knowledge Base Article: 241737
- Request for Comment (RFC) 2251 defines a referral
that allows a Lightweight Directory Access Protocol
(LDAP) server to send the Distinguished Name
(DN) of another LDAP server in response to a
client's search request.
HOW TO: Create and
Configure a Site Link in Active Directory
Microsoft Knowledge Base Article: 316812 - This
step-by-step article describes how to create
and configure a site link in Active Directory.
Note that for the site link to become active,
there must be at least two sites available in
Active Directory.
HOW TO: Create a
Single Domain Tree with Two Domains in Windows
2000
Microsoft Knowledge Base Article: 317696 - Every
Domain Name System (DNS) name of a child domain
in a hierarchy contains the name of the parent
domain. This step-by-step article describes
how to create a continuous namespace that spans
two domains by adding a child domain.
How To Delegate the
Unlock Account Right
Microsoft Knowledge Base Article: 294952 - This
article describes the process to delegate the
right to unlock locked user accounts to a particular
group or user in Active Directory.
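Both the unlock delegation described in KB 294952 and the property-level permissions of KB 218596 come down to the same thing: one access control entry scoped to a single attribute, because unlocking an account is simply a write to lockoutTime. The following PowerShell is an added example, not code from either KB article or from Microsoft. It assumes a hypothetical OU (OU=Staff,DC=corp,DC=example) and help-desk group (CORP\HelpDesk), uses dsacls.exe from the Windows 2000 Support Tools to grant the right, and then reads the OU's ACL back to confirm that nothing wider than that one attribute was granted.

```powershell
# Added example, not code from KB 294952 or KB 218596. Assumed names:
#   target OU : OU=Staff,DC=corp,DC=example
#   trustee   : CORP\HelpDesk  (a hypothetical help-desk group)
# Needs dsacls.exe (Windows 2000 Support Tools; built in on later versions) and
# the right to modify the OU's security descriptor.
$ou      = 'OU=Staff,DC=corp,DC=example'
$trustee = 'CORP\HelpDesk'

# Unlocking an account is a write to the lockoutTime attribute. Grant RP (read
# property) and WP (write property) on that single attribute, as an ACE that is
# inherited by user objects only (/I:S = sub-objects, not the OU itself).
& dsacls.exe $ou /I:S /G "${trustee}:RPWP;lockoutTime;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Verification. Resolve lockoutTime's schemaIDGUID from the schema rather than
# hard-coding it, then list every ACE the trustee holds on the OU and flag any
# that is wider than that one attribute.
$schemaNc = ([adsi]'LDAP://RootDSE').schemaNamingContext.Value
$search   = [adsisearcher]'(&(objectClass=attributeSchema)(lDAPDisplayName=lockoutTime))'
$search.SearchRoot = [adsi]"LDAP://$schemaNc"
$search.PropertiesToLoad.Add('schemaIDGUID') | Out-Null
$lockoutGuid = [guid]::new([byte[]]$search.FindOne().Properties['schemaidguid'][0])

function Get-TrusteeAces {
    param([string]$Path, [string]$Identity)
    ([adsi]"LDAP://$Path").ObjectSecurity.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

foreach ($ace in (Get-TrusteeAces -Path $ou -Identity $trustee)) {
    # ObjectType is Guid.Empty for an ACE that covers the whole object.
    $scoped = ($ace.ObjectType -eq $lockoutGuid)
    $line = '{0,-5} {1,-30} scoped-to-lockoutTime={2} inheritance={3}' -f `
        $ace.AccessControlType, $ace.ActiveDirectoryRights, $scoped, $ace.InheritanceType
    $line
    if (-not $scoped) {
        Write-Warning "ACE for $trustee on $ou is wider than lockoutTime: $($ace.ActiveDirectoryRights)"
    }
}
```

The read-back matters more than the grant: the ACL Editor's inheritance behaviour (see KB 178170 at the top of this page) can leave an ACE applying to the OU itself or to every object class, and only the GUID comparison shows whether the delegation is really limited to the one attribute.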
How to Display and
Administer All Users in Active Directory
Microsoft Knowledge Base Article: 237548 An
administrator may want to generate a list of
users in Active Directory. Once the users are
displayed, the administrator can select multiple
accounts to administer. Although you cannot
change all of the user properties for multiple
users,
How to Distribute
Terminal Services Client Using Active Directory
TechNet article Q236573 describing how to distribute
the Windows Terminal Services Client by using
a group policy in Active Directory.
How to Enable Auditing With the Security Configuration
Editor
By Allistair Lowe-Norris, Windows NT Magazine,
October 1998.
How to Enable Auditing
of Directory Service Access
Microsoft Knowledge Base Article: 232714 - Administrators
can monitor access to Active Directory, causing
successful and "failed" audit attempts to be
logged in the Directory Service event log. This
event log is present only on Windows 2000 domain
controllers.
How to Enable Diagnostic
Event Logging for Active Directory Services
Microsoft Knowledge Base Article: 220940 - You
can enable enhanced event logging for certain
Windows 2000 services. This may be useful for
debugging purposes. This logging is set to disabled
by default because the amount of data that can
be logged can quickly fill the event log.
HOW TO: Enumerate
Attributes Replicated to the Global Catalog
Microsoft Knowledge Base Article: 230663 - This
step-by-step article describes how to enumerate
attributes replicated in the Global catalog.
To obtain information about all of the objects
in a Windows 2000 enterprise, query the global
catalog. The global catalog consists of all
objects in every domain in the enterprise. However,
only selected attributes are replicated to the
Global Catalog for each object.
How to Find FSMO
Role Holders (Servers)
Microsoft Knowledge Base Article: 234790 - This
article describes how to find the servers that
hold the Flexible Single Master Operation (FSMO)
roles in a forest.
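The five role holders can be read straight from the directory: each role is recorded as the fSMORoleOwner attribute of one well-known object, and the value is the DN of the holder's NTDS Settings object. The PowerShell below is an added example (not code from KB 234790 or KB 243267) that does this over LDAP, then shows the non-interactive ntdsutil invocation that KB 243267 above describes, so the two can be cross-checked from a script. It assumes a domain-joined host; the DC name dc1 and the inventory list are sample values.

```powershell
# Added example, not code from KB 234790 or KB 243267. Assumes a domain-joined
# host; 'dc1' and the $knownDcs list are sample values.
$rootDse  = [adsi]'LDAP://RootDSE'
$domainNc = $rootDse.defaultNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

# Object that carries the fSMORoleOwner attribute for each role.
$roleObjects = [ordered]@{
    'Schema Master'         = $schemaNc
    'Domain Naming Master'  = "CN=Partitions,$configNc"
    'PDC Emulator'          = $domainNc
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure Master' = "CN=Infrastructure,$domainNc"
}

function Get-FsmoHolders {
    $holders = [ordered]@{}
    foreach ($role in $roleObjects.Keys) {
        # fSMORoleOwner = DN of "CN=NTDS Settings,CN=<server>,CN=Servers,...";
        # the parent server object carries the DNS host name.
        $ntdsDn   = ([adsi]"LDAP://$($roleObjects[$role])").fSMORoleOwner.Value
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $holders[$role] = ([adsi]"LDAP://$serverDn").dNSHostName.Value
    }
    $holders
}

$fsmo = Get-FsmoHolders
$fsmo.GetEnumerator() | Format-Table Name, Value -AutoSize

# The same answer from ntdsutil, driven non-interactively by passing each menu
# command as an argument (the technique KB 243267 covers). Arguments with spaces
# are quoted; the trailing quits walk back out of each menu level.
$dc = 'dc1'
& ntdsutil.exe roles connections "connect to server $dc" quit `
    "select operation target" "list roles for connected server" quit quit quit

# Sanity check: a role held by a server you do not recognise, or a disagreement
# between the LDAP and ntdsutil answers, means replication or a seizure needs a look.
$knownDcs = @('dc1.corp.example', 'dc2.corp.example')   # sample inventory
foreach ($entry in $fsmo.GetEnumerator()) {
    if ($knownDcs -notcontains $entry.Value) {
        Write-Warning "$($entry.Name) is held by unexpected server $($entry.Value)"
    }
}
```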
HOW TO: Identify
Group Policy Objects in the Active Directory
and SYSVOL
Microsoft Knowledge Base Article: 216359 - When
you are troubleshooting the application of a
group policy, it may be necessary to validate
that the appropriate objects are in the Active
Directory and that the file structure is correct
in SYSVOL on each domain controller on which
the Group Policy Object (GPO) is replicated.
A key piece of information in this process is
the Globally Unique Identifier (GUID) associated
with the GPO. This article discusses identifying
a GPO by its GUID.
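The GUID ties the two halves of a GPO together: the groupPolicyContainer object under CN=Policies,CN=System in the domain partition is named by it, and gPCFileSysPath on that object points at the SYSVOL folder of the same name. The PowerShell below is an added example, not code from KB 216359 or from Microsoft. It resolves a GPO by display name, compares the version number stored in AD with the one in gpt.ini on SYSVOL (they should match on a healthy DC), and then walks SYSVOL the other way to find policy folders that no GPO object claims. It assumes a domain-joined host that can reach \\<domain>\SYSVOL; 'Default Domain Policy' is only a sample input.

```powershell
# Added example, not code from KB 216359. Assumes a domain-joined host that can
# reach \\<domain>\SYSVOL; 'Default Domain Policy' is only a sample input.
$domainNc   = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value
$policiesDn = "CN=Policies,CN=System,$domainNc"

function Get-GptIniVersion {
    param([string]$GpoFolder)
    $ini = Join-Path $GpoFolder 'gpt.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return $null }
    $line = Get-Content -LiteralPath $ini | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
    if ($line) { [int]$line.Substring('Version='.Length) } else { $null }
}

function Get-GpoByName {
    param([string]$DisplayName)
    $s = [adsisearcher]"(&(objectClass=groupPolicyContainer)(displayName=$DisplayName))"
    $s.SearchRoot = [adsi]"LDAP://$policiesDn"
    $s.PropertiesToLoad.AddRange(@('cn', 'displayName', 'gPCFileSysPath', 'versionNumber'))
    foreach ($r in $s.FindAll()) {
        $p    = $r.Properties
        $path = $p['gpcfilesyspath'][0]
        [pscustomobject]@{
            DisplayName   = $p['displayname'][0]
            Guid          = $p['cn'][0]          # the object's CN is the {GUID}
            SysvolPath    = $path
            SysvolPresent = Test-Path -LiteralPath $path
            # The AD object and gpt.ini should carry the same version number; a
            # mismatch means AD and SYSVOL replication are out of step on this DC.
            AdVersion     = [int]$p['versionnumber'][0]
            GptIniVersion = Get-GptIniVersion -GpoFolder $path
        }
    }
}

# Reverse check: SYSVOL folders whose GUID has no GPO object. These are leftovers
# of a deleted GPO, or something placed there by whoever can write to SYSVOL.
function Get-OrphanedSysvolPolicies {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $s = [adsisearcher]'(objectClass=groupPolicyContainer)'
    $s.SearchRoot = [adsi]"LDAP://$policiesDn"
    $s.PropertiesToLoad.Add('cn') | Out-Null
    $known = $s.FindAll() | ForEach-Object { $_.Properties['cn'][0] }
    Get-ChildItem -Directory -LiteralPath "\\$Domain\SYSVOL\$Domain\Policies" |
        Where-Object { $_.Name -like '{*}' -and $known -notcontains $_.Name }
}

Get-GpoByName -DisplayName 'Default Domain Policy' | Format-List
Get-OrphanedSysvolPolicies | Select-Object Name, LastWriteTime
```

Run the first function against each domain controller in turn (bind the searcher to LDAP://<dc>/... and use that DC's SYSVOL share) when the point is to find which DC has not yet received the GPO.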
HOW TO: Install and
Configure a Windows 2000 DHCP Server in an Active
Directory Domain
Microsoft Knowledge Base Article: 300429 - This
step-by-step article describes how to build
and configure a new Windows 2000 DHCP Server
in a Windows 2000 Active Directory domain. The
Windows 2000 DHCP service provides clients with
IP addresses, and information such as the location
of their default gateway, DNS servers, and WINS
servers.
HOW TO: Move Users,
Groups, and OUs Within a Domain
Microsoft Knowledge Base Article: 313066 - This
step-by-step article explains how to move users,
groups, and organizational units (OUs) within
a domain. You can move Active Directory objects
such as users, groups, and OUs from one location
to another when organizational or administration
How to Move the Ntds.dit
File or Log Files
Microsoft Knowledge Base Article: 257420 - This
article describes how to move the Active Directory
database file, Ntds.dit, and the Active Directory
log files to different drives to improve performance.
(updated 3/28/2001)
How to Optimize Active
Directory Replication in a Large Network
Microsoft Knowledge Base Article: 244368 - This
article describes how to optimize Active Directory
replication in large network configurations.
HOW TO: Pre-stage
Windows 2000 Computers in Active Directory
Microsoft Knowledge Base Article: 283771 - This
article describes how to pre-stage computer
names for Windows 2000-based computers, as you
can in Microsoft Windows NT 4.0, to allow only
those computer names to be added to Active Directory.
How to Prevent Domain
Controllers from Dynamically Registering DNS
Names
Microsoft Knowledge Base Article: 198767 - By
default, the Netlogon service on a domain controller
registers dynamic Domain Name System (DNS)
records that advertise the Active Directory
services it offers. This behavior can be disabled
with a registry setting; the records must then
be maintained by hand, because clients rely on
them to locate domain controllers.
How to Publish Certificates
to the Active Directory from a Standalone Certification
Authority
TechNet article Q246572. Excerpt from this page:
A Web server that hosts the certification authority
certificate enrollment Web pages must be configured
for domain authentication, and the certificate
request must include an attribute specifying
the user certificate template.
How to Remove Data
in the Active Directory After an Unsuccessful
Domain Controller Demotion
Microsoft Knowledge Base Article: 216498. Describes
how to remove data in the Active Directory after
an unsuccessful domain controller demotion.
How to Remove Orphaned
Domains from Active Directory
Microsoft Knowledge Base Article: 230306 Normally,
when the last domain controller for a domain
is demoted, the administrator selects the "This
server is the last domain controller in the
domain" option in the DCPromo tool, which removes
the domain meta-data from Active Directory.
HOW TO: Remove Orphaned
Domains from Active Directory Without Demoting
the Domain Controllers
Microsoft Knowledge Base Article: 251307 - This
article describes how to remove an orphaned
domain and its servers from Active Directory
when there is no active domain controller for
the domain. You may need to use this method if,
for example, the only domain controller for
a domain has failed with no chance of recovery,
or if domain controllers were physically removed
without being demoted first.
How to Rename User
Accounts in Windows 2000 Active Directory
Microsoft Knowledge Base Article: 260390 - This
article describes how to rename user accounts
in Active Directory.
How to Set Up ADMT
for Windows NT 4.0 to Windows 2000 Migration
Microsoft Knowledge Base Article: 260871 - You
can use the Active Directory Migration tool
(ADMT) to migrate users, groups, and computers
from one domain to another. This article describes
how to perform a migration from a Microsoft
Windows NT 4.0-based domain to a Windows 2000-based
domain.
HOW TO: Set up a
One-Way Non-Transitive Trust
Microsoft Knowledge Base Article: 309682 - Windows
2000 domains in the same forest share transitive
trust relationships with one another. There
is an implicit transitive trust between the
root domains in each tree in the Windows 2000
forest.
How to Troubleshoot
an "Internal Error" Error Message During the
Replication Phase of Dcpromo
Microsoft Knowledge Base Article: 265090 - This
article describes how to troubleshoot an "internal
error" error message that you may receive during
the replication phase of the Active Directory
Installation Wizard (Dcpromo).
How to Use Active
Directory Migration Tool Version 2 to Migrate
from Windows 2000 to Windows .NET Server
Microsoft Knowledge Base Article: 326480 - This
article describes how to set up the Active Directory
Migration Tool (ADMT) to migrate from a Windows
2000-based domain to a Windows .NET Server-based
domain.
How to Use the Adsvw
Tool to Browse the Active Directory
TechNet Article Q186749 describing how to use
the Active Directory Services Viewer tool to
browse the structure of an Active Directory.
HOW TO: Use Lbridge.cmd
to Replicate System Policies Between Windows
2000 and Windows NT 4.0 Domain Controllers
Microsoft Knowledge Base Article: 317368 - This
step-by-step article describes how to use the
Lbridge.cmd script to replicate system policies
from a Windows 2000-based domain controller
to a Microsoft Windows NT 4.0-based domain controller.
How to Use the MoveTree
Utility to Move Objects Between Domains in a
Single Forest
Microsoft Knowledge Base Article: 238394 - MoveTree.exe
is a command-line utility that enables administrators
to move Active Directory objects such as organizational
units, users, and so on, between domains in
a single forest.
How to Use Netsh.exe
to Authorize, Unauthorize and List DHCP Servers
in Active Directory
Microsoft Knowledge Base Article: 303351 - This
article describes how to use the Netsh.exe tool
to authorize or unauthorize DHCP servers in
Active Directory, and also to see what servers
are authorized for the current domain.
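Authorization for DHCP (and, as KB 239004 above notes, for RIS) is a forest-wide list kept in the configuration partition, under CN=NetServices,CN=Services, so a check of that list from the directory is independent of what any one DHCP server claims about itself. The PowerShell below is an added example, not code from KB 303351 or KB 239004: it shows the netsh commands for adding, listing and removing an authorization, then reads the authorized-server objects directly over LDAP and compares them with an expected inventory to surface both a rogue authorization and a server that was quietly removed. Server names, addresses and the inventory are sample values for a hypothetical corp.example forest.

```powershell
# Added example, not code from KB 303351 or KB 239004. Server names, addresses
# and the $expected inventory are sample values for a hypothetical forest.

# 1. Authorise, list, and (commented out) de-authorise with netsh. Needs
#    Enterprise Admins, or rights delegated on CN=NetServices per KB 239004.
& netsh.exe dhcp add server dhcp1.corp.example 10.0.0.5
& netsh.exe dhcp show server
# & netsh.exe dhcp delete server old-dhcp.corp.example 10.0.0.9

# 2. Independent check straight from the directory. The list lives in the
#    configuration partition, so it is forest-wide and only as trustworthy as
#    the ACL on CN=NetServices.
function Get-AuthorizedDhcpServers {
    $configNc = ([adsi]'LDAP://RootDSE').configurationNamingContext.Value
    $s = [adsisearcher]'(objectClass=dhcpClass)'
    $s.SearchRoot = [adsi]"LDAP://CN=NetServices,CN=Services,$configNc"
    $s.PropertiesToLoad.AddRange(@('cn', 'dhcpServers', 'whenCreated', 'whenChanged'))
    foreach ($r in $s.FindAll()) {
        $p = $r.Properties
        # CN=DhcpRoot is the aggregate object for the container; every other
        # dhcpClass object is one authorised server, named by its FQDN.
        if ($p['cn'][0] -eq 'DhcpRoot') { continue }
        $record = if ($p['dhcpservers'].Count) { $p['dhcpservers'][0] } else { $null }
        [pscustomobject]@{
            Server      = $p['cn'][0]
            Record      = $record              # encodes the IP, the object DN and the name
            WhenCreated = $p['whencreated'][0]
            WhenChanged = $p['whenchanged'][0]
        }
    }
}

$expected = @('dhcp1.corp.example', 'dhcp2.corp.example')   # sample inventory
$actual   = @(Get-AuthorizedDhcpServers)
$actual | Format-Table -AutoSize

$rogue   = $actual   | Where-Object { $expected -notcontains $_.Server }
$missing = $expected | Where-Object { $actual.Server -notcontains $_ }
if ($rogue)   { Write-Warning ("Unexpected authorised DHCP server(s): " + ($rogue.Server -join ', ')) }
if ($missing) { Write-Warning ("Expected but not authorised: " + ($missing -join ', ')) }
```

WhenCreated on each object is worth keeping in the report: an authorization that appeared outside a change window is the quickest signal that someone with write access to CN=NetServices has been busy.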
How to Verify an
Active Directory Installation
Microsoft Knowledge Base Article: 298143 - This
article describes how to verify an Active Directory
installation.
Modifying Default Permissions
In case you missed Part 1: in the first article,
I discuss a variety of situations in which it
might be beneficial to change the permissions
on the Active Directory. As you probably know,
the Active Directory is actually nothing more
than a database. Source: EarthWeb
Performing Offline
Defragmentation of the Active Directory Database
Microsoft Knowledge Base Article: 232122 - Active
Directory automatically performs online
defragmentation of the database at certain intervals
(by default, every 12 hours) as part of the
Garbage Collection process. Online defragmentation
does not reduce the size of the database file.
Publishing a Printer
in Windows 2000 Active Directory
Microsoft Knowledge Base Article: 234619 - Windows
2000-based and non-Windows 2000-based computers
that have shared printers can publish printers
in Active Directory so that the printers can
be searched for easily.
Publishing a Shared
Folder in Windows 2000 Active Directory
Microsoft Knowledge Base Article: 234582 - You
can publish any shared network folder, including
a distributed file system (Dfs) folder, in Active
Directory. Creating a Shared folder object in
Active Directory does not automatically share
the folder.
Setting an Attribute's
searchFlags Property to Be Indexed for ANR
Microsoft Knowledge Base Article: 243311 - Ambiguous
Name Resolution (ANR) is a search algorithm
implemented by Windows 2000 Active Directory
for easier searching. Selected attributes are
defined by the schema as being indexed for ANR.
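Both KB 230663 (which attributes replicate to the global catalog) and KB 243311 (which attributes take part in ANR) are answered by reading attributeSchema objects in the schema partition: isMemberOfPartialAttributeSet marks the GC set, and bit 0x4 of searchFlags marks the ANR set (bit 0x1 marks an indexed attribute, which ANR requires). The PowerShell below is an added example, not code from either KB article, that lists both sets with a single helper, warns about an ANR attribute that is not indexed, and shows the write that adds an attribute to ANR. It assumes a domain-joined host; the attribute name in the commented-out call is a sample.

```powershell
# Added example covering KB 230663 (GC partial attribute set) and KB 243311
# (ANR). Not code from either KB. Assumes a domain-joined host.
$schemaNc = ([adsi]'LDAP://RootDSE').schemaNamingContext.Value
$IDX_BIT  = 0x1   # searchFlags: attribute is indexed
$ANR_BIT  = 0x4   # searchFlags: attribute is part of the ANR set

function Find-SchemaAttributes {
    param([string]$Filter)
    $s = [adsisearcher]"(&(objectClass=attributeSchema)$Filter)"
    $s.SearchRoot = [adsi]"LDAP://$schemaNc"
    $s.PageSize   = 500
    $s.PropertiesToLoad.AddRange(@('lDAPDisplayName', 'searchFlags', 'isMemberOfPartialAttributeSet'))
    $s.FindAll() | ForEach-Object {
        $p     = $_.Properties
        $flags = if ($p['searchflags'].Count) { [int]$p['searchflags'][0] } else { 0 }
        $inGc  = $p['ismemberofpartialattributeset'].Count -gt 0 -and [bool]$p['ismemberofpartialattributeset'][0]
        [pscustomobject]@{
            Name    = $p['ldapdisplayname'][0]
            InGC    = $inGc
            Indexed = [bool]($flags -band $IDX_BIT)
            ANR     = [bool]($flags -band $ANR_BIT)
            Flags   = $flags
        }
    }
}

# Everything replicated to every global catalog in the forest (LDAP port 3268).
# Review this before extending the schema: an attribute added here becomes
# readable from any domain in the forest by anyone with read access to it.
$gcAttrs = Find-SchemaAttributes '(isMemberOfPartialAttributeSet=TRUE)'
$gcAttrs | Sort-Object Name | Format-Table Name, Indexed, ANR -AutoSize

# The ANR set, filtered server-side with the LDAP bitwise-AND matching rule.
$anrAttrs = Find-SchemaAttributes "(searchFlags:1.2.840.113556.1.4.803:=$ANR_BIT)"
$anrAttrs | Sort-Object Name | Format-Table Name, Indexed, Flags -AutoSize
$anrAttrs | Where-Object { -not $_.Indexed } |
    ForEach-Object { Write-Warning "$($_.Name) has the ANR bit but is not indexed" }

# Adding an attribute to ANR (the change KB 243311 describes). Needs Schema
# Admins, a connection that reaches the schema master, and, on Windows 2000,
# schema updates enabled on that master.
function Set-AnrFlag {
    param([string]$AttributeName)
    $s = [adsisearcher]"(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
    $s.SearchRoot = [adsi]"LDAP://$schemaNc"
    $r = $s.FindOne()
    if (-not $r) { throw "No attributeSchema object named $AttributeName" }
    $entry = $r.GetDirectoryEntry()
    $flags = [int]$entry.searchFlags.Value
    if (-not ($flags -band $IDX_BIT)) { throw "$AttributeName is not indexed; set searchFlags bit 0x1 first" }
    $entry.Put('searchFlags', ($flags -bor $ANR_BIT))
    $entry.SetInfo()
}
# Set-AnrFlag -AttributeName 'employeeID'   # sample call, deliberately not run
```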
Setting up DNS and the Active Directory
Abstract of the 'Setting up DNS and the Active
Directory' technical walkthrough for Windows 2000
Beta 3. Source: Microsoft TechNet CD Online
Setting Up the Domain
Name System for Active Directory
Microsoft Knowledge Base Article: 237675 - The
Domain Name System (DNS) is the Active Directory
locator in Windows 2000. Active Directory clients
and client tools use DNS to locate domain controllers
for administration and logon. You must have
a DNS server installed and configured for Active
Directory and the associated client software
to function correctly. This article guides you
through the required DNS configuration.
Step by Step Guide to Adding Domain Controllers
Use this document to continue setting up the
common infrastructure network for Active Directory
step-by-step guides. This guide will provide
you with the procedures to configure a computer
running Windows 2000 Server as the first domain
controller of a child domain of the parent domain
Reskit, and configure an additional domain controller
to function as a replication partner. Source:
Microsoft.com (Jan 28, 2000)
Step-by-Step Guide to Managing Active Directory
This guide introduces you to administration
of the Windows 2000 Active Directory service.
The procedures demonstrate how to use the Active
Directory Users and Computers snap-in to add,
move, delete, and alter the properties for objects
such as users, contacts, groups, servers, printers,
and shared folders.
Step-by-Step Guide to Setting up ISM-SMTP Replication
This guide describes how to configure Simple
Mail Transfer Protocol (SMTP) replication between
two Windows 2000-based domains. It also briefly
describes the Inter-site Messaging (ISM) architecture
within the Windows 2000 Active Directory service.
Step-by-Step Guide to Active Directory Sites and Services
This guide explains how to use the Active Directory
Sites and Services snap-in to administer replication
topology both within a site in a local area
network (LAN) and between sites in a wide area
network (WAN).
Step-by-Step Guide to Using Active Directory Schema and Display Specifiers
This step-by-step guide introduces you to advanced
administration of the Microsoft Windows 2000
Active Directory service, using the Active Directory
Schema snap-in and display specifier modification.
You can add and modify classes and attributes
in the schema and extend both the Administrative
Tools and the Windows shell by modifying attributes
in display specifiers.
Step-by-Step Guide to Bulk Import and Export to Active Directory
This guide introduces batch administration of
the Active Directory using both the LDAP Data
Interchange Format (LDIF) utility and a simple
program you can write in VBScript
Using LDIFDE to Import/Export
Directory Objects to the Active Directory
Microsoft Knowledge Base Article: 237677 - The
LDAP Data Interchange Format (LDIF) is a draft
Internet standard for a file format that may
be used for performing batch operations against
directories that conform to the LDAP standards.
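The bulk import guide above and KB 237677 both use LDIF files with ldifde.exe. The PowerShell below is an added example (not code from the guide, the KB article or Microsoft) of the full round trip: it generates an LDIF add file from a small inventory, imports it, and exports the result with a filter and attribute list so the output can be diffed later. Two points the articles' summaries do not spell out are built in: LDIF over a plain LDAP session cannot set a password (unicodePwd is only writable over SSL/TLS), so the accounts are created disabled rather than briefly existing enabled with no password; and -m strips system attributes (SIDs, GUIDs, USNs) from the export so it can be re-imported elsewhere. The OU, DC name and the two users are constructed sample data.

```powershell
# Added example, not code from KB 237677 or the bulk import guide. The OU, the
# DC name 'dc1' and the two users are constructed sample data.
$dc   = 'dc1'
$base = 'OU=Staff,DC=corp,DC=example'

# 1. Generate the LDIF from inventory data rather than editing a file by hand.
#    userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): LDIF
#    cannot set a password over plain LDAP, so never import enabled accounts.
$people = @(
    @{ sam = 'asmith'; given = 'Anna';  sn = 'Smith' },
    @{ sam = 'bjones'; given = 'Bruno'; sn = 'Jones' }
)
$records = foreach ($p in $people) {
@"
dn: CN=$($p.given) $($p.sn),$base
changetype: add
objectClass: user
sAMAccountName: $($p.sam)
givenName: $($p.given)
sn: $($p.sn)
displayName: $($p.given) $($p.sn)
userPrincipalName: $($p.sam)@corp.example
userAccountControl: 514
"@
}
# LDIF records are separated by a blank line.
($records -join "`r`n`r`n") | Set-Content -Path .\new-users.ldf -Encoding ASCII

# 2. Import. -k continues past "object already exists" style errors; drop it
#    for a strict run where any failure should stop the batch.
& ldifde.exe -i -f .\new-users.ldf -s $dc -k
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }

# 3. Export only the users under the OU and only the attributes of interest.
#    -m (SAM logic) omits system attributes such as objectGUID, objectSid and
#    USNs, which is what makes the file re-importable in another domain.
& ldifde.exe -f .\staff-export.ldf -s $dc -d $base -p subtree `
    -r '(&(objectClass=user)(objectCategory=person))' `
    -l 'sAMAccountName,userPrincipalName,userAccountControl,memberOf' -m
if ($LASTEXITCODE -ne 0) { throw "ldifde export failed with exit code $LASTEXITCODE" }

# 4. Quick check on the export: every sample account should be present and
#    still disabled.
$exported = Get-Content .\staff-export.ldf
foreach ($p in $people) {
    if (-not ($exported -match "^sAMAccountName: $($p.sam)$")) { Write-Warning "$($p.sam) missing from export" }
}
```

Enable the accounts only after a password has been set through a channel that supports it (the Users and Computers snap-in, or an LDAPS bind).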
Using Ldp.exe to Find Data in the Active Directory
Microsoft Knowledge Base Article: 224543 - LDP.EXE
is a Windows 2000 Resource Kit utility that
can be used to perform LDAP (Lightweight Directory
Access Protocol) searches against the Active
Directory for specific information given search
criteria.
Using Terminal Services
for Remote Administration of Windows 2000 DCs
in Directory Service Restore Mode
Microsoft Knowledge Base Article: 256588 - Some
low-level maintenance of the Windows 2000 Active
Directory requires that Windows 2000 domain
controllers (DCs) boot to Directory Service
Restore mode. Configuring Windows 2000 domain
controllers with Terminal Services in Remote
Administration mode permits administrators to
perform operations requiring Directory Service
Restore mode without having to be present at
the console of the server. This article describes
the use of Terminal Services to transition a
Windows 2000 domain controller between online
and Directory Service Restore mode.
Viewing Deleted
Objects in Active Directory
Microsoft Knowledge Base Article: 258310 - When
an Active Directory object is deleted, a small
portion of the object remains for a specified
period of time so that other domain controllers
that are replicating changes will become aware
of the deletion.
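What KB 258310 calls the small remaining portion is the tombstone, and it is returned to an LDAP search only when the client sends the Show Deleted Objects control (OID 1.2.840.113556.1.4.417). The PowerShell below is an added example, not code from the KB article or Microsoft, that sends the control through DirectorySearcher's Tombstone property and lists recently deleted user accounts with the one thing that makes tombstones useful in an investigation: the objectSid survives, so a deleted account can still be matched against security-log entries and ACL entries whose SID no longer resolves. It assumes a domain-joined host with read access to CN=Deleted Objects (held by administrators by default); 'asmith' is a sample account name.

```powershell
# Added example, not code from KB 258310. Assumes a domain-joined host with
# read access to CN=Deleted Objects; 'asmith' is a sample account name.
$domainNc = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value

# Tombstones keep only a handful of attributes, so every read must tolerate a
# missing value.
function Get-Prop {
    param($Props, [string]$Name)
    if ($Props[$Name].Count) { $Props[$Name][0] } else { $null }
}

function Get-Tombstones {
    param([string]$Filter = '(objectClass=user)', [int]$Days = 0)
    $s = [adsisearcher]"(&(isDeleted=TRUE)$Filter)"
    $s.SearchRoot = [adsi]"LDAP://$domainNc"
    $s.Tombstone  = $true   # sends LDAP control 1.2.840.113556.1.4.417 (Show Deleted Objects)
    $s.PageSize   = 500
    $s.PropertiesToLoad.AddRange(@('distinguishedName', 'lastKnownParent', 'whenChanged', 'objectSid', 'sAMAccountName'))
    foreach ($r in $s.FindAll()) {
        $p   = $r.Properties
        $sid = $null
        if ($p['objectsid'].Count) {
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($p['objectsid'][0], 0)).Value
        }
        $obj = [pscustomobject]@{
            # A tombstone DN looks like "CN=Anna Smith\0ADEL:<guid>,CN=Deleted Objects,DC=..."
            Dn              = Get-Prop $p 'distinguishedname'
            SamAccountName  = Get-Prop $p 'samaccountname'
            Sid             = $sid
            LastKnownParent = Get-Prop $p 'lastknownparent'
            DeletedAround   = Get-Prop $p 'whenchanged'   # the deletion itself updates whenChanged
        }
        if ($Days -eq 0 -or $obj.DeletedAround -ge (Get-Date).AddDays(-$Days)) { $obj }
    }
}

# Accounts deleted in the last 7 days, where they lived, and their SIDs.
Get-Tombstones -Days 7 | Format-Table SamAccountName, Sid, LastKnownParent, DeletedAround -AutoSize

# One specific account.
Get-Tombstones -Filter '(sAMAccountName=asmith)' | Format-List
```

The search has to run before the tombstone lifetime expires; once garbage collection removes the tombstone, the only remaining record of the deletion is a backup of the directory.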