
CIS 2154 W2K Active Directory
Chapter 10 - Managing, Monitoring, and Optimizing Active Directory

I.                     Managing Active Directory objects

All items in Active Directory are known as objects. Management of the objects includes creating, publishing, moving, and removing the various types of objects in and between Active Directory domains.

A.     Moving Active Directory objects

1.      The first part of AD management involves the direct manipulation of preexisting objects within the domain.

2.      Why move objects?

a.      Changes or growth in company hierarchy

i.                    Structure and design of the AD will normally match the structure and design of the company itself.

b.      Creation of new domain

i.                    Normally related to company growth or reorganization, there are times when the current domain structure is not sufficient to meet that of the current or future organization

c.      Movement of users from one location to another

i.                    It is not uncommon for employees to frequently move between different physical locations of a company, especially in technology-based organizations in which the company is constantly changing focus and direction.

d.      Hardware upgrades

e.      Network maintenance

3.      How to move objects

a.      Moving objects within a domain

i.                    Objects can be moved individually or en masse, and are very simple to move, although the move changes the object's effective permissions and so carries security implications.

ii.                  Permissions set directly on the object travel with it; permissions the object inherited from the OU it came from are removed.

iii.                Inheritable permissions on the new OU now apply to the object, so its effective permissions should be checked after the move.

b.      Moving objects across domains

i.                    Domains, even within AD, are independent entities which don’t share much data with other domains. When moving objects between domains there are two tools that can be used: MOVETREE and the NETDOM utility.

ii.                  Using MOVETREE to move an OU from one domain to another: located in the Support\Tools folder of the Windows 2000 Server Setup CD-ROM. Moves objects only between domains in the same forest, and cannot move computer objects.

iii.                The NETDOM utility: also installed from the Support Tools on the Windows 2000 CD-ROM, NETDOM is used to move member servers and workstations from one domain to another.

B.     Publishing resources in Active Directory

1.      What are published resources?

a.      Network resources within AD, which can be searched for

b.      Can include a number of different types of objects:

i.                    Users and groups

ii.                  Shared folders

iii.                Shared printers

iv.                 Computers

v.                   Network services (such as DNS and DHCP)

2.      How to publish a resource: Varies slightly depending on the object.

a.      Publishing users, groups, and computers

i.                    Published to the AD automatically

ii.                  Can be searched through a variety of different methods

b.      Publishing a shared folder

i.                    Once the folder has already been shared, the object can be published using the Users and Computers MMC snap-in.

c.      Publishing a shared printer

i.                    Printers hosted on Windows 2000 servers are published automatically when they are shared (the List in the Directory option on the Sharing tab is selected by default).

ii.                  Printers hosted on non-Windows 2000 servers have to be manually added using the Users and Computers MMC snap-in.

d.      Publishing network services

i.                    Used to ease administration responsibility and to easily find all servers hosting a particular resource

C.    Locating objects in Active Directory

1.      Information stored in Active Directory is only useful if it is available for practical use on the network. The search features of AD, and the ease with which objects can be located by their attributes, are key benefits of AD over flat NT domains.

2.      What is stored in Active Directory

a.      User accounts

i.                    Information on all users created on the domain, including the user’s logon name, real name, security preferences, e-mail accounts, and configuration

b.      Contacts

i.                    Basically shared Rolodex entries, containing information about a particular person without actually creating an account for the person within AD

ii.                  Very important when AD is integrated with Exchange

c.      User and computer groups

d.      Shared folders

e.      Printers

f.        Computers

g.      Domain controllers

h.      Organizational units

i.                    Preconfigured OUs as well as those created by administrators

3.      Searching Active Directory

a.      Administrators can use the Users and Computers MMC snap-in to search and find objects in the domains.

b.      Users can use the Search feature on their Start menu, provided they are using Windows 2000 desktops or have installed the AD client on their Windows 95 and 98 desktops.

D.    Creating and managing accounts manually or by scripting

1.      Manual creation versus scripting

a.      Scripts allow for the creation of multiple objects simultaneously in the domain, but involve more time, effort, and configuration responsibilities, and add a degree of risk.

b.      Manual creation allows for individual account creation. It is quick and straightforward for a handful of accounts, but slow and inconsistent when implementing large installations. Note: Exercise 10-7 in the text should not be necessary, as the concepts should already be firmly implanted in your students’ minds.

2.      Creating an account manually

a.      Users and Computers MMC snap-in

3.      Scripting the creation of accounts

a.      VBScript and JScript scripts run through Windows Script Host, using the ADSI interfaces to create and modify objects

b.      LDIF files imported with the LDIFDE command-line tool (CSVDE does the same for comma-separated files)

c.      Requires some programming language experience, and scripted input should be reviewed before it is imported, since a mistake is repeated for every account

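As an added example of the LDIF approach above (this is not code from the course materials), the following Python script generates an LDIF file suitable for LDIFDE import and reads it back to check it. It applies the RFC 2849 rules LDIFDE enforces: values that start with a space, colon or "<", or that contain non-ASCII characters, must be written base64-encoded after a double colon, and lines longer than 76 characters are folded onto continuation lines that begin with a single space. The domain example.com and the OU and user names are constructed for the example.

```python
"""Generate and verify an LDIF file for bulk user creation with LDIFDE.

Added example, not from the page. Assumptions: the domain example.com and the
OU and user names below are constructed sample data.
"""
import base64
from typing import Dict, List, Tuple

LINE_WIDTH = 76  # RFC 2849: fold lines longer than 76 characters

# 0x200 NORMAL_ACCOUNT | 0x2 ACCOUNTDISABLE. The accounts are created disabled:
# LDIFDE over plain LDAP cannot set a password (unicodePwd needs an SSL session),
# and an enabled account without a known password should not exist in the domain.
UAC_NORMAL_DISABLED = 0x200 | 0x2


def needs_base64(value: str) -> bool:
    """True when the value is not an RFC 2849 SAFE-STRING and must use 'attr:: base64'."""
    if value == "":
        return False
    if value[0] in (" ", ":", "<"):
        return True
    return any(ord(c) > 127 or c in "\x00\r\n" for c in value)


def fold(line: str, width: int = LINE_WIDTH) -> str:
    """Split a long line into continuation lines, each starting with one space."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return "\n".join(pieces)


def attr_line(name: str, value: str) -> str:
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return fold(f"{name}:: {encoded}")
    return fold(f"{name}: {value}")


def add_entry(dn: str, attrs: List[Tuple[str, str]]) -> str:
    """One 'changetype: add' record; records are separated by a blank line."""
    lines = [attr_line("dn", dn), "changetype: add"]
    lines += [attr_line(name, value) for name, value in attrs]
    return "\n".join(lines) + "\n"


def user_entry(ou_dn: str, cn: str, sam: str, upn_suffix: str) -> str:
    return add_entry(f"CN={cn},{ou_dn}", [
        ("objectClass", "user"),
        ("cn", cn),
        ("sAMAccountName", sam),
        ("userPrincipalName", f"{sam}@{upn_suffix}"),
        ("displayName", cn),
        ("userAccountControl", str(UAC_NORMAL_DISABLED)),
    ])


def build_ldif(ou_dn: str, upn_suffix: str, users: List[Tuple[str, str]]) -> str:
    """users is a list of (common name, sAMAccountName) pairs."""
    return "\n".join(user_entry(ou_dn, cn, sam, upn_suffix) for cn, sam in users)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal reader: unfolds continuation lines and decodes '::' values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.replace("\n ", "").split("\n"):
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


if __name__ == "__main__":
    sample = [("Jane Smith", "jsmith"), ("Zoë Müller", "zmueller")]  # constructed
    ldif = build_ldif("OU=Sales,DC=example,DC=com", "example.com", sample)
    print(ldif)
    assert [e["cn"][0] for e in parse_ldif(ldif)] == [cn for cn, _ in sample]
```

The file is imported with `ldifde -i -f users.ldf -s <domain controller>` (`-i` import, `-f` file, `-s` server); `-k` lets the import continue past "object already exists" errors on a re-run. Passwords are then set over a protected channel and the accounts enabled individually, which keeps the bulk file free of secrets.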
E.     Controlling access to Active Directory objects

1.      AD permissions enable you to control access to objects, including computers, printers, and network resources such as shared folders.

2.      Degrees of granularity

a.      The finer the granularity of control, the tighter the security, because each trustee can be limited to exactly the rights it needs.

b.      The coarser the control, the lower the administrative overhead, at the cost of granting more than is strictly required.

3.      Objects and attribute permissions

a.      Work in the same basic way as NTFS permissions, with the exception of what happens when an object is moved (covered earlier)

4.      Standard Active Directory permissions

a.      Full Control

i.                    Should be given only to administrators

ii.                  Gives the ability to create and change all data as well as the permissions associated with the object itself

b.      Read

i.                    Allows users only to view the object and its attributes

c.      Write

i.                    Allows users to change the object’s attributes

d.      Create All Child Objects

i.                    Allows users to create child objects in an existing OU

e.      Delete All Child Objects

i.                    Allows users to delete child objects from an OU

5.      Special Active Directory permissions

a.      Used to give specific control to specific users

b.      Should be used very sparingly, as the standard permissions are normally sufficient

6.      Inheritance of Active Directory object permissions

a.      Similar to NTFS in terms of permissions flow

b.      Permissions can be inherited from objects higher in the OU chain

c.      Inheritance is the default; it can be blocked on an object by clearing Allow inheritable permissions from parent to propagate to this object on the Security tab of the object’s Properties. Blocking inheritance also stops permissions granted higher up from reaching the object, so it should be used deliberately and the object’s effective permissions checked afterwards.

F.     Delegating administrative control of objects in Active Directory

1.      Why delegate control?

a.      Delegation is normally used in organizations with multiple IT staffs.

b.      May include a central network administration team and distributed helpdesks

2.      How to delegate control

a.      Normally granted at the OU level, and normally with less than full administrative privileges (for example, the right to reset passwords on user objects in one OU)

b.      Use the Delegation of Control Wizard (right-click the OU in the Users and Computers snap-in) to automate the delegation process

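As an added example that is not part of the course notes, the following Python model ties together the three points above: what a move within a domain does to an object’s permissions (section I.A.3.a), how inheritance flows and can be blocked (I.E.6), and what delegating control of an OU amounts to (I.F). It is a simplified model, not the Windows security-descriptor format: an explicit ACE stays with the object, inherited ACEs are recomputed from the new parent chain, a container with inheritance blocked stops ACEs from above it, and delegation is an inheritable ACE placed on the OU. The domain, OU, group and user names are constructed for the example.

```python
"""Model of how Active Directory permissions behave when an object is moved.

Added example, not from the page. Simplification (assumption): this is not the
real security-descriptor format, only the inheritance rules described in the
notes. Names such as example.com and the helpdesk groups are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the entry applies to
    right: str               # e.g. "Reset Password", "Full Control"
    inherited: bool = False  # True when the entry came from a container above


@dataclass
class DirObject:
    dn: str
    explicit: List[Ace] = field(default_factory=list)     # set directly on the object
    inheritable: List[Ace] = field(default_factory=list)  # what a container passes to children
    protected: bool = False                               # "Allow inheritable permissions" cleared


class Directory:
    def __init__(self) -> None:
        self.objects: Dict[str, DirObject] = {}

    def add(self, obj: DirObject) -> DirObject:
        self.objects[obj.dn] = obj
        return obj

    def parent_dn(self, dn: str) -> Optional[str]:
        # The parent is the DN minus its first RDN; None above the topmost known object.
        parent = dn.split(",", 1)[1] if "," in dn else None
        return parent if parent in self.objects else None

    def _inherited_from(self, container_dn: str) -> List[Ace]:
        # ACEs flowing out of a container: its own inheritable entries plus whatever
        # it inherits itself, unless it blocks inheritance from above.
        cont = self.objects[container_dn]
        aces = [Ace(a.trustee, a.right, inherited=True) for a in cont.inheritable]
        parent = self.parent_dn(container_dn)
        if parent is not None and not cont.protected:
            aces += self._inherited_from(parent)
        return aces

    def effective_dacl(self, dn: str) -> List[Ace]:
        obj = self.objects[dn]
        aces = list(obj.explicit)
        parent = self.parent_dn(dn)
        if parent is not None and not obj.protected:
            aces += self._inherited_from(parent)
        return aces

    def delegate(self, ou_dn: str, trustee: str, right: str) -> None:
        # What the Delegation of Control Wizard produces: an inheritable ACE on the OU.
        self.objects[ou_dn].inheritable.append(Ace(trustee, right))

    def move(self, dn: str, new_parent_dn: str) -> Tuple[str, Set[Ace], Set[Ace]]:
        """Move an object and report which effective ACEs were lost and gained."""
        before = set(self.effective_dacl(dn))
        obj = self.objects.pop(dn)
        obj.dn = dn.split(",", 1)[0] + "," + new_parent_dn  # explicit ACEs travel with it
        self.objects[obj.dn] = obj
        after = set(self.effective_dacl(obj.dn))
        return obj.dn, before - after, after - before


def build_demo() -> Directory:
    """Constructed sample domain: Finance blocks inheritance, Sales does not."""
    d = Directory()
    root = d.add(DirObject("DC=example,DC=com"))
    root.inheritable.append(Ace("EXAMPLE\\Domain Admins", "Full Control"))
    d.add(DirObject("OU=Sales,DC=example,DC=com"))
    d.delegate("OU=Sales,DC=example,DC=com", "EXAMPLE\\Sales Helpdesk", "Reset Password")
    d.add(DirObject("OU=Finance,DC=example,DC=com", protected=True))
    d.delegate("OU=Finance,DC=example,DC=com", "EXAMPLE\\Finance Helpdesk", "Reset Password")
    d.add(DirObject("CN=Jane Smith,OU=Sales,DC=example,DC=com",
                    explicit=[Ace("NT AUTHORITY\\SELF", "Change Password")]))
    return d


if __name__ == "__main__":
    d = build_demo()
    new_dn, lost, gained = d.move("CN=Jane Smith,OU=Sales,DC=example,DC=com",
                                  "OU=Finance,DC=example,DC=com")
    print("moved to", new_dn)
    for a in sorted(lost, key=str):
        print("lost:  ", a.trustee, a.right)
    for a in sorted(gained, key=str):
        print("gained:", a.trustee, a.right)
```

Running the demo shows the practitioner’s check: the user keeps her explicit Change Password entry, loses the Sales Helpdesk right she inherited, gains the Finance Helpdesk right, and, because the Finance OU blocks inheritance, also loses the Domain Admins entry that flowed from the domain root. That last effect is the kind of surprise the move-and-diff check is meant to surface before a move is made in production.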
II.                   Managing Active Directory performance

A.     Monitoring, maintaining, and troubleshooting domain controller performance

1.      Event logs

a.      Application log

i.                    Most AD-aware applications write their events to the Application log on the local computer.

ii.                  Common applications monitored through this log include Exchange and SQL.

b.      Security log

i.                    Stores the security events the administrator has configured auditing for

ii.                  It is common for this log to be empty because no audit policy has been configured, not because no security-relevant events have occurred. Auditing of account logon events, account management, and directory service access must be enabled in policy on the domain controllers if these events are to be recorded.

c.      System log

i.                    Events posted by the OS itself

d.      Directory service log

i.                    Events relating to the AD services

e.      DNS server logs

i.                    Events relating to the Domain Name System

f.        File replication service logs

B.     Performance Monitor counters  

1.      System Monitor

a.      Allows you to view, collect, and manage real-time performance data on selected performance counters

b.      Data can be managed in graph, histogram, and report formats.

2.      Statistics counters

a.      Show totals per second for a specific counter

3.      Ratio counters

a.      Show percentage of the total

4.      Accumulative counters

a.      Show the accumulated total since the AD was last started

C.    Performance logs and alerts

1.      Used to create counter logs, trace logs, and system alerts

2.      By default, all administrators have permissions to create the logs.

3.      Others can be given the rights through permissions in the registry.

D.    Monitoring, maintaining, and troubleshooting Active Directory components

1.      Domain Name System

a.      All events are written to the event logs.

b.      Each event is classified based on its importance.

2.      DNS debug logging options

a.      Special logging feature which is disabled by default

b.      Debugging allows for the monitoring of almost every event that takes place within the service, including client and other server interaction. Debug logging writes to a file and imposes a performance cost, so enable it only while troubleshooting and turn it off afterwards.

3.      Troubleshooting Domain Name System

a.      Be sure DNS server is started

b.      Reload the zone if the data seems inconsistent

c.      Make sure the master is available if DNS server is hosting secondary zones

4.      Schema

a.      One schema exists for all domains in the forest.

b.      Hosted by the Schema Master FSMO server, and all changes must be coordinated through that server

c.      Attributes and classes added to the schema can be deactivated, but never removed.

5.      Additional tools for Active Directory support

a.      A variety of other tools provided with the Windows 2000 CD-ROM (Support Tools) can be used to support AD. These tools are for advanced administration only, and their specific configuration and use should be beyond the scope of the exam.

i.                    LDP: Graphical LDAP client used to connect, bind, search, and modify directory objects directly

ii.                  REPLMON (Replication Monitor): Can be used to force synchronizations between various domain controllers on the network

iii.                REPADMIN: Used to diagnose replication problems between AD domain controllers

iv.                 DSASTAT: Command-line tool used to compare and detect differences between naming contexts on domain controllers

v.                   SDCHECK: Shows the security descriptor for any selected object in Active Directory

vi.                 NLTEST: Tests and forces synchronization of trust relationships, and can be used to force the shutdown of Windows 2000 domain controllers

vii.               ACLDIAG: Used to diagnose problems with permissions set on Active Directory objects

viii.             DSACLS: Used to view and change the permissions on AD objects
