Active Directory is the directory service of Windows 2000. It identifies all resources on a network and makes them available to users, applications and the system itself. It also replicates directory information between domain controllers (partial or full replicas, for redundancy) and secures the objects within the directory. Resources within Active Directory are grouped into domains; a domain is the basic unit of replication.
Each domain has one or more domain controllers that store the following directory partitions:
- Schema partition. The schema defines which object classes Active Directory can contain and which attributes each class may or must have. Every domain controller in a forest holds the same schema.
- Configuration partition. Describes the logical configuration of the forest, e.g. the domains, sites and site links. Every domain controller in a forest holds the same configuration data.
- Domain partition. Contains the security principals (users, computers, groups) of the domain for which the server is a domain controller. It is replicated only to domain controllers of the same domain; a global catalog server additionally holds a partial, read-only copy of the domain partitions of the other domains in the forest.
Active Directory uses DNS as its naming and locator service; a forest can contain several DNS namespaces (trees). Clients and applications talk to the directory with LDAP versions 2 and 3 (RFC 1777 and RFC 2251). LDAP is a lightweight variant of the X.500 directory access protocol.
Active Directory accepts several name formats. Some examples:
- RFC 822 names in the someone@somedomain format (also used as user principal names).
- HTTP URLs, http://domain/path-to-page (Uniform Resource Locator).
- UNC names, \\microsoft.com\xl\budget.xls, based on shared items.
- LDAP URLs (RFC 1959, later RFC 2255), e.g. LDAP://someserver.Microsoft.com/CN=firstnameLastname,OU=sys,OU=product,OU=Division,DC=devel. CN = Common Name, OU = Organizational Unit, DC = Domain Component.
Within Active Directory, resources are ordered in a logical structure: containers hold objects and objects have attributes. An organizational unit contains objects such as user accounts, groups, computers and printers; each of these objects has attributes such as first name, last name, department and e-mail address.
An organizational unit (OU) is a container used to order objects within a domain into logical administrative groups. The OU hierarchy should follow the administrative model of the company. Choose separate domains instead of OUs only if the two groups of resources are connected by poor WAN links or need different security policies (in Windows 2000 the password and account lockout policy is set per domain); otherwise prefer OUs over domains.
Consider creating an organizational unit within a domain if you want to:
- Reflect your company's organization within a domain.
- Delegate administration per organizational unit.
- Accommodate organizational changes. Users can be moved quickly between organizational units; moving them between domains is slower and needs extra tooling.
- Group similar network resources so they are easy to locate, e.g. temporary employees.
- Restrict visibility of network resources. Users only see objects to which they have at least read access.
The core unit of the logical structure in Active Directory is the domain. Each domain is a logical group of computers that share a central database, the directory. This directory contains the user accounts and the security information of the domain and is part of Active Directory, which also holds other information (services, printers, policies, etc.). The directory information is stored on domain controllers, which store and handle all security aspects of a domain.
By grouping objects in one or more domains you can reflect your company's organization. Each domain stores only the objects it contains, but the objects of the other domains in the forest remain reachable through the trusts and the global catalog. Microsoft recommends a maximum of 1.5 million accounts or 10 million objects per domain; Compaq tested up to 16 million accounts.
A domain is an administrative and security-policy boundary. Access is controlled by Access Control Lists (ACLs) on files, directories, printers, Active Directory objects, etc. Security policies and settings do not cross from one domain to another, and the Domain Admins of a domain have full rights only within that domain. Note, however, that Microsoft later documented the forest, not the domain, as the real security boundary: all domains share one schema and configuration, and a domain administrator of any domain in the forest can compromise the other domains. Use separate domains to separate administration, not to isolate parties that do not trust each other; that needs a separate forest.
A domain can be the root of a new tree in a forest or a child domain in an existing tree; in both cases it needs a DNS domain name (a child domain's name is subordinate to its parent's, e.g. sales.devel.local under devel.local). You can use the same DNS name internally as the external (internet) DNS name, or a different one. The first issue with using the same name is that external clients must not be able to resolve internal hosts; this is solved by keeping two separate DNS zones with the same name, one internal and one external (split-brain DNS). The second issue is that internal clients must still be able to reach the external (web) servers; this is solved by adding the external records to the internal zone and by configuring the proxy to treat the company's domain name as an internal domain.
When you choose a domain name, keep the following in mind:
- Using the same internal and external DNS name gives users a logon name (UPN) equal to their e-mail address. With different names the logon names can still be made the same, but it takes extra work (an additional UPN suffix).
- Using the same internal and external DNS name requires extra DNS and proxy configuration to make the external (web) servers available to internal clients and to keep external clients from resolving internal hosts.
- Always register both the internal and the external DNS name. If another company registers your internal name, DNS lookup problems can occur.
- In Windows 2000 the domain name cannot be changed once the domain has been created.
- Only use standard characters in the DNS name (A-Z, a-z, 0-9 and -) as described in RFC 1035. UTF-8 (Unicode) names can be used only if all DNS servers support them.
- Do not use DNS names deeper than five levels, and keep the labels short (max. 63 characters per label; names are not case-sensitive), easy to remember and unique.
The main benefits of domains are scalability, central maintenance and a single logon for the users.
When you determine the domain structure, look at the functions within the business environment (departments), the physical network and the way administration should take place (centralized or decentralized). Reasons for separate domains are:
- Different business needs.
- Decentralized management (administration).
- Different password policies (security).
- A large number of objects.
- Different internet names for departments.
- More control over replication traffic.
A tree is a grouping of domains that share a contiguous namespace. All domains within a tree share a common schema, which defines all objects that can be stored in Active Directory, and a global catalog, the central repository of information about all objects in the tree. In Windows 2000 an existing domain cannot be added to a tree.
A forest is a grouping of one or more domain trees that together form a disjoint namespace. All trees in a forest share a common schema and configuration, and all domains in a forest share a common global catalog. The first domain created is the forest root domain. An existing tree cannot be added to a forest.
The physical structure of Active Directory is based on sites. A site is a group of well-connected IP subnets, typically one LAN. Sites are split where a slow link (less than 128 Kbps available bandwidth) separates them, so that replication over the link can be scheduled and compressed. A site can contain domain controllers of multiple domains, and one domain can span multiple sites. When planning a site, combine only subnets with at least a reliable 512 Kbps connection that has at least 128 Kbps available for replication.
Configuring sites gives control over replication traffic and lets clients log on to a domain controller in their own site and use local DFS replicas.
One site link, DEFAULTIPSITELINK, is created by default and new sites are added to it. Site links are transitive by default (A connects to B and B to C, so A also replicates with C) and are used by the KCC (Knowledge Consistency Checker); one domain controller per site, the Inter-Site Topology Generator (ISTG), runs the KCC code that builds the inter-site connections. Site links can be tuned with a cost (1 to 32767, default 100) and a schedule, which determine how replication is routed and which site's domain controllers a client's logon request is directed to.
When planning the namespace and Active Directory, consider the physical office locations, future growth and reorganizations. If you already have a registered domain name you can consider using it to:
- Have consistent tree names for internal and external resources.
- Use the same logon and user names for internal and external resources.
- Register only one namespace.
When using the same namespace, you must create two separate DNS zones for your organization, one for internal and one for external resources.
When using different namespaces for internal and external resources, you have to register two namespaces. Use two namespaces if you want:
- A clear distinction between internal and external resources.
- Separate management of internal and external resources.
- Simple client browser and proxy client configuration.
A schema contains the formal definition of the contents and structure of Active Directory: the object classes (computer, group, user, etc.) that can exist, with their definitions (class name, object identifier (OID), may- and must-contain attributes, parent class, etc.), and the attributes that are required or optional (first name, last name, etc.), with their definitions (attribute name, OID, syntax, range limits, etc.).
A default schema is installed with the first domain controller in a forest. It contains definitions for commonly used objects and properties (user accounts, computers, etc.) and for objects that Active Directory uses internally.
The Active Directory schema is extensible via the Active Directory Schema snap-in (schmmgmt.msc; schmmgmt.dll must be registered with regsvr32 before the snap-in can be added to a console), the Active Directory Service Interfaces (ADSI) or setup programs (e.g. Exchange 2000). Only members of the Schema Admins group may do this. Modifications are written on the schema master and replicated to every domain controller in the forest, so an extension causes forest-wide replication traffic, and it cannot be undone: in Windows 2000 schema classes and attributes can only be deactivated, not deleted. Keep the Schema Admins group empty except while a change is being made.
Every object within Active Directory is identified by a name. Active Directory uses the following naming conventions:
Every object has a distinguished name (DN) that uniquely identifies it and lets a client locate it in the directory. It contains the domain name and the full path through the containers, leaf first:
CN=Firstname Lastname,CN=Users,OU=dev,DC=Microsoft,DC=COM
(the same path in the older slash-separated notation reads /DC=COM/DC=Microsoft/OU=dev/CN=Users/CN=Firstname Lastname)
DC = Domain Component
OU = Organizational Unit
CN = Common Name
Distinguished names must be unique; Active Directory does not allow duplicate entries. The string form of distinguished names is described in RFC 1779 (updated by RFC 2253).
The relative distinguished name (RDN) is the leaf part of the DN, e.g. CN=John Doe. Duplicate RDNs are allowed in the directory, but not within the same container (OU).
When an object is created it gets a 128-bit GUID (objectGUID). It never changes, even if the object is renamed or moved, so it is the identifier to use when tracking an object over time.
User accounts also have a friendly logon name, the user principal name (UPN). It combines the user's name with the DNS name of the tree in which the account exists (e.g. firstname.l@microsoft.com, where l is the first letter of the last name).
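The following is an added example, not code from the page: it parses the distinguished names and LDAP URLs described above (handling the escaping that makes a comma inside a name part of the value rather than a separator), renders a DN as a Windows canonical name, and checks the rule that an RDN must be unique within its parent container but may repeat in another one. The DNs and host name are constructed for illustration.

```python
"""Parse LDAP distinguished names (RFC 1779/2253 string form) and LDAP URLs,
render a DN in canonical (domain/container/leaf) form and find RDNs that
collide within one container. Added example, not code from the page; all
DNs below are constructed for illustration."""

from collections import defaultdict


def parse_dn(dn):
    """Split a DN into (type, value) pairs, leaf first.

    A backslash escapes the next character and double quotes protect a value,
    so a comma preceded by a backslash, or inside quotes, stays part of the
    value instead of ending the RDN. Multi-valued RDNs ('+') are not handled.
    """
    rdns, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):     # keep the escaped character literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == ',' and not in_quotes:
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append(''.join(buf))
    out = []
    for rdn in rdns:
        if '=' not in rdn:
            raise ValueError('malformed RDN: %r' % rdn)
        typ, val = rdn.split('=', 1)
        out.append((typ.strip().upper(), val.strip()))
    return out


def to_canonical(rdns):
    """Windows canonical name: DNS domain name, then the container path root first."""
    domain = '.'.join(v for t, v in rdns if t == 'DC')
    path = [v for t, v in reversed(rdns) if t != 'DC']
    return domain + '/' + '/'.join(path)


def parse_ldap_url(url):
    """Split an LDAP://host/DN URL (the form shown on the page) into host and parsed DN."""
    scheme, _, rest = url.partition('://')
    if scheme.lower() != 'ldap':
        raise ValueError('not an LDAP URL: %r' % url)
    host, _, dn = rest.partition('/')
    return host, parse_dn(dn)


def find_rdn_conflicts(dns):
    """Group DNs whose RDN (compared case-insensitively) collides inside one container.

    The same RDN in two different OUs is legal; two objects with the same RDN
    under one parent are not, and the directory refuses the second one."""
    by_key = defaultdict(list)
    for dn in dns:
        rdns = parse_dn(dn)
        parent = tuple((t, v.lower()) for t, v in rdns[1:])
        by_key[(parent, rdns[0][0], rdns[0][1].lower())].append(dn)
    return [group for group in by_key.values() if len(group) > 1]


SAMPLE_DNS = [   # constructed for the example
    'CN=Firstname Lastname,CN=Users,OU=dev,DC=Microsoft,DC=COM',
    'CN=John Doe,OU=Sales,DC=devel,DC=local',
    'CN=John Doe,OU=Support,DC=devel,DC=local',    # same RDN, other OU: allowed
    'CN=john doe,OU=Sales,DC=devel,DC=local',      # same container: conflict
    'CN=Doe\\, Jane,OU=Sales,DC=devel,DC=local',   # escaped comma inside the value
]

if __name__ == '__main__':
    print(to_canonical(parse_dn(SAMPLE_DNS[0])))
    print(parse_dn(SAMPLE_DNS[4])[0])
    print(find_rdn_conflicts(SAMPLE_DNS))
```

The conflict check lowercases both the RDN and the parent path because the directory compares names case-insensitively; a script that only does exact string comparison would miss a collision like the one between the second and fourth sample DN.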
- Diving into the AD schema (Windows 2000 Magazine, Sept 2001)
- Extending the AD schema (Windows 2000 Magazine)
Replication synchronizes the Active Directory data between domain controllers. The domain controllers of one or more domains are placed in sites, where the sites represent the physical layout of the network. Each site is a collection of one or more IP subnets with fast, reliable connections and can contain domain controllers of one or more domains. Sites are managed via the Active Directory Sites and Services MMC (dssite.msc).
Before data can be replicated, a connection object is required between the domain controllers (intra-site replication uses RPC over TCP; the RPC endpoint mapper on port 135 hands out the dynamic port that carries the replication traffic itself). Connection objects are uni-directional and are created automatically by the replication topology generator of the KCC (which runs every 15 minutes by default) or manually by an administrator. Replication is pull-based, so the connection object is stored under the NTDS Settings of the domain controller that receives the data. Connection objects are created both between domain controllers in the same site and between sites.
Within a site, Active Directory generates a ring topology of connection objects. Changes are replicated when needed: a domain controller waits 5 minutes after a change, collecting further changes, before notifying its partners, and a full periodic pull runs at least once per hour.
This defines the path for directory updates: they flow from one domain controller to the next until all controllers have received them. The topology ensures at least two replication paths from each domain controller to every other, so replication continues if one controller is down. Active Directory periodically re-evaluates the replication topology within a site and regenerates it when a domain controller is added or removed. Replication within a site is not compressed, to save processor load on the domain controllers. (The exception is an NT 4.0 domain controller being upgraded: during the upgrade the data replicated between the Windows 2000 domain controller and the upgraded machine is compressed.)
Between sites replication does not happen on its own; site links must be created to connect the sites. A site link contains the following information:
- Sites. The sites connected by the site link; a site link can contain two or more sites. Each site has a bridgehead server, which receives the updates from the other sites and distributes them within its own site, and collects the changes in its own site for replication to the other sites. The KCC selects the bridgehead automatically unless the administrator designates preferred bridgehead servers.
- Transport protocol. Site links carry replication over IP (RPC) or SMTP. SMTP can only be used between domain controllers of different domains (schema, configuration and global catalog data), not for the domain partition.
- Replication availability. The schedule during which replication may take place.
- Replication frequency. How often replication should occur within the scheduled window; minimum every 15 minutes, maximum every 10080 minutes (one week).
- Cost. The relative cost of the site link, 100 by default. When several site links lead to a site, the KCC uses the available link with the lowest cost to route replication, and the same costs decide which domain controllers serve logons for a site that has none of its own.
The repadmin utility from the Support Tools can, for example, force synchronization (/sync, /syncall), trigger the KCC to re-check the connections (/kcc) or show replication partners and metadata (/showreps, /showmeta). Replmon gives a graphical overview of Active Directory replication.
Site links are transitive by default and can only be created by members of Enterprise Admins. The KCC uses the site links to create connection objects between domain controllers in different sites.
A site link bridge is a set of two or more site links that together form a transitive path. For example, with three sites A ----- B ----- C, where the site link between A and B costs 20 and the one between B and C costs 50: as long as domain controllers in site B are available they relay the data between A and C. If they are not available, A and C do not replicate. One solution is a direct site link between A and C; another is a site link bridge over the links A-B and B-C, which gives A-C an effective cost of 70. Because the option 'Bridge all site links' is on by default, every site link is already bridged with every other; creating explicit bridges is only useful after that option has been turned off.
When replicating between sites, Windows 2000 compresses the data (roughly 10:1) and routes it according to the site link costs.
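To make the site link bridge example concrete, here is an added example (not code from the page) that models how the KCC derives replication partners from site links: with 'Bridge all site links' on, any two sites connected through a chain of links are partners at the summed cost; with it off, only sites that share a link, or whose links are joined by an explicit bridge, are, and a route through a site without domain controllers is not available. The three-site topology (A-B 20, B-C 50) is the one from the text; the function names are my own.

```python
"""Site-link routing as the KCC/ISTG sees it. Added example with a constructed
three-site topology; site names, link names and costs are illustrative only."""

import heapq


def _dijkstra(adj, src):
    """Cheapest cost from src to every reachable node in adj {u: {v: cost}}."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float('inf')):
            continue
        for v, w in adj.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float('inf')):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def partner_edges(site_links, bridges=None, bridge_all=True):
    """Sites the KCC may connect directly, with the cost of doing so.

    site_links: {link_name: (set_of_sites, cost)}
    bridges:    iterable of sets of link names joined by an explicit site link bridge
    Links in the same bridge (all links when bridge_all is True) are transitive:
    any two sites reachable through them become partners at the summed cost.
    """
    if bridge_all:
        groups = [set(site_links)]
    else:
        groups = [set(b) for b in (bridges or [])]
        covered = set().union(*groups)
        groups += [{name} for name in site_links if name not in covered]
    edges = {}
    for group in groups:
        adj = {}
        for name in group:
            sites, cost = site_links[name]
            for s in sites:
                for t in sites:
                    if s != t:
                        adj.setdefault(s, {})[t] = min(cost, adj.get(s, {}).get(t, cost))
        for s in adj:
            for t, c in _dijkstra(adj, s).items():
                if s != t:
                    edges.setdefault(s, {})[t] = min(c, edges.get(s, {}).get(t, c))
    return edges


def replication_cost(src, dst, edges, sites_with_dcs):
    """Cheapest replication route from src to dst, or None when there is none.

    Intermediate hops must be sites that actually host a domain controller:
    a site with no DC cannot relay changes, which is exactly the failure the
    site link bridge (or bridging all links) is meant to avoid."""
    usable = {s: {t: c for t, c in nbrs.items() if t == dst or t in sites_with_dcs}
              for s, nbrs in edges.items()}
    return _dijkstra(usable, src).get(dst)


LINKS = {'A-B': ({'A', 'B'}, 20), 'B-C': ({'B', 'C'}, 50)}   # constructed topology


def demo():
    """Replication cost A -> C under the bridging settings discussed in the text."""
    bridged = partner_edges(LINKS, bridge_all=True)
    unbridged = partner_edges(LINKS, bridge_all=False)
    explicit = partner_edges(LINKS, bridges=[{'A-B', 'B-C'}], bridge_all=False)
    return {
        'bridge all, B has DCs': replication_cost('A', 'C', bridged, {'A', 'B', 'C'}),
        'bridge all, B empty': replication_cost('A', 'C', bridged, {'A', 'C'}),
        'no bridging, B has DCs': replication_cost('A', 'C', unbridged, {'A', 'B', 'C'}),
        'no bridging, B empty': replication_cost('A', 'C', unbridged, {'A', 'C'}),
        'explicit bridge, B empty': replication_cost('A', 'C', explicit, {'A', 'C'}),
    }


if __name__ == '__main__':
    for case, cost in demo().items():
        print('%-26s %s' % (case, cost))
```

Only the 'no bridging, B empty' case yields no route; every other case reaches C at the summed cost of 70, which matches the effective cost the text gives for the bridge.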
To determine which attributes need to be replicated, each domain controller maintains its own Update Sequence Number (USN), a 64-bit counter that increases with every write the domain controller commits, whether an originating update or one received through replication. The USN is stored in the following ways:
- As the local USN of the attribute, set when the attribute changed through an originating update or through replication.
- As the highest local USN of the object, stored in the object's uSNChanged attribute.
- As the originating USN of the attribute, set only by originating (not replicated) writes. This value replicates along with the attribute.
For each replication partner a domain controller remembers the highest USN it has received from that partner, the high-watermark. When it asks the partner for updates, only attributes with a local USN above the high-watermark are sent.
Each domain controller also keeps an up-to-dateness vector: the highest originating USN it has applied from every domain controller in the forest. A change that already arrived through another partner is recognised by it and not applied a second time.
To prevent replication loops and to resolve conflicts, every attribute carries a version number, the count of originating writes. It increases only when a user or application makes an originating write, not when the attribute changes through replication. If the version of the same attribute has been increased on two domain controllers, two users changed it on different domain controllers before it replicated, and the value with the highest version wins. If the versions are equal, the value with the latest originating timestamp wins; if the timestamps are equal as well, the value written on the domain controller with the highest invocation GUID wins. The losing value is discarded on every domain controller, so the directory converges, but nobody is notified of the lost update.
During replication only the changed attributes are replicated, not the whole object (e.g. the user's telephone number, not all the user's data).
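The following added example (my own model, not Microsoft's implementation) puts the preceding paragraphs together: two domain controllers each keep a USN counter, pull only attribute values above the per-partner high-watermark, skip values the up-to-dateness vector says they already hold, and resolve a simultaneous edit by version, then timestamp, then originating GUID. The DC names, invocation GUIDs, timestamps and the object are constructed.

```python
"""Model of Active Directory attribute-level replication. Added example; the
DCs, GUIDs, timestamps and the object below are constructed for illustration."""

from dataclasses import dataclass


@dataclass
class AttrValue:
    value: object
    version: int        # bumped only by originating writes, never by replication
    timestamp: int      # time of the originating write
    orig_dsa: str       # invocation GUID of the DC where the write originated
    orig_usn: int       # USN on that DC when the write happened
    local_usn: int      # USN on the holding DC when it stored this value


def wins(incoming, current):
    """Conflict rule: higher version, then later timestamp, then higher GUID."""
    return ((incoming.version, incoming.timestamp, incoming.orig_dsa) >
            (current.version, current.timestamp, current.orig_dsa))


class DomainController:
    def __init__(self, name, invocation_id):
        self.name = name
        self.invocation_id = invocation_id
        self.usn = 0
        self.objects = {}          # dn -> {attribute: AttrValue}
        self.high_watermark = {}   # partner name -> highest partner local_usn pulled
        self.utd_vector = {}       # orig_dsa -> highest orig_usn already applied

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def write(self, dn, attr, value, at):
        """Originating write: a user or application changed the attribute here."""
        usn = self._next_usn()
        old = self.objects.setdefault(dn, {}).get(attr)
        self.objects[dn][attr] = AttrValue(value, old.version + 1 if old else 1,
                                           at, self.invocation_id, usn, usn)
        self.utd_vector[self.invocation_id] = usn

    def changes_since(self, watermark):
        """What a pulling partner receives: values with local USN above its watermark."""
        out = [(dn, attr, av) for dn, attrs in self.objects.items()
               for attr, av in attrs.items() if av.local_usn > watermark]
        return sorted(out, key=lambda t: t[2].local_usn)

    def pull_from(self, partner):
        """One pull-replication cycle; returns how many attribute values were applied."""
        wm = self.high_watermark.get(partner.name, 0)
        known = dict(self.utd_vector)   # vector as it stood when the cycle started
        applied = 0
        for dn, attr, av in partner.changes_since(wm):
            wm = max(wm, av.local_usn)
            if known.get(av.orig_dsa, 0) >= av.orig_usn:
                continue                # already received through another partner
            self.utd_vector[av.orig_dsa] = max(self.utd_vector.get(av.orig_dsa, 0),
                                               av.orig_usn)
            cur = self.objects.setdefault(dn, {}).get(attr)
            if cur is None or wins(av, cur):
                self.objects[dn][attr] = AttrValue(av.value, av.version, av.timestamp,
                                                   av.orig_dsa, av.orig_usn,
                                                   self._next_usn())
                applied += 1
        self.high_watermark[partner.name] = wm
        return applied


DN = 'CN=John Doe,OU=Sales,DC=devel,DC=local'   # constructed object


def demo_conflict():
    """Two users edit the same attribute on different DCs before it replicates."""
    a = DomainController('DC-A', 'aaaa-1111')
    b = DomainController('DC-B', 'bbbb-2222')
    a.write(DN, 'telephoneNumber', '1111', at=100)
    b.pull_from(a)                                     # both now hold version 1
    a.write(DN, 'telephoneNumber', '2222', at=200)     # version 2 on A
    b.write(DN, 'telephoneNumber', '3333', at=205)     # version 2 on B, a bit later
    b.pull_from(a)
    a.pull_from(b)
    return (a.objects[DN]['telephoneNumber'].value,
            b.objects[DN]['telephoneNumber'].value,
            b.high_watermark['DC-A'])


def demo_no_loop():
    """A change that reached C through B is not re-applied when C pulls from A."""
    a, b, c = (DomainController(n, g) for n, g in
               [('DC-A', 'aaaa-1111'), ('DC-B', 'bbbb-2222'), ('DC-C', 'cccc-3333')])
    a.write(DN, 'department', 'Sales', at=300)
    via_b = [b.pull_from(a), c.pull_from(b)]
    direct = c.pull_from(a)
    return via_b, direct


if __name__ == '__main__':
    print(demo_conflict())
    print(demo_no_loop())
```

In demo_conflict both DCs end up with the later write ('3333') although it was made on DC-B: equal versions are decided by the timestamp, and the earlier '2222' is silently lost. demo_no_loop shows the up-to-dateness vector at work: the direct pull from DC-A applies nothing, because DC-C already holds DC-A's originating USN 1.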
The global catalog is a central, read-only repository of information about every object in a tree or forest. Active Directory builds its contents automatically from the domains in the forest.
The global catalog is a service and a physical store holding read-only partial replicas of every domain partition in the forest. By default it contains the attributes most used in searches (names, user IDs, etc.) and those needed to locate the full replica; these are the attributes whose schema definition has isMemberOfPartialAttributeSet set to True. The objects keep the permissions set in the domain they were created in and can be queried over LDAP on port 3268 (3269 for LDAP over SSL).
Through the global catalog, objects can be found anywhere in the forest without replicating full domain partitions everywhere. The schema manager is used to mark which attributes are included in the global catalog. It is recommended that every major site has a global catalog server. When a domain is in native mode a global catalog server is needed to log on, because the global catalog is what supplies the universal group memberships that go into the user's token. A global catalog server is not needed in two cases:
- Cached credentials are available on the client (the user logged on to that machine before).
- A member of the Domain Admins group logs on.
Global catalog servers provide the universal group information to domain controllers during logon; if no global catalog server is reachable, an ordinary network user cannot log on.
By default only the first domain controller in the forest is a global catalog server. You enable or disable the global catalog on a server via the Active Directory Sites and Services MMC: open the properties of the server's NTDS Settings object and tick or untick Global Catalog.
- Determining whether a Win2K DC is a GC (Windows 2000 Magazine)
- Active Directory forests and the global catalog (Windows 2000 Magazine)
There are five Flexible Single Master Operation (FSMO) roles: two per forest and three per domain. By default the first domain controller in the forest or domain holds them, but they can be transferred.
There is one schema master per forest; only it can write to the Active Directory schema. The schema master can be found via the Active Directory Schema MMC.
There is one domain naming master per forest. It maintains the forest-wide domain namespace (adding and removing domains) and checks that no duplicate NetBIOS domain names or FQDNs appear in the forest. In Windows 2000 the domain naming master must be a global catalog server, because it consults the global catalog when a domain is added. It can be found via the Active Directory Domains and Trusts MMC: right-click the domain and select Operations Masters.
There is one infrastructure master per domain. It updates the SIDs and distinguished names in cross-domain references (e.g. group members that live in another domain) when those objects are renamed or moved, so that group-to-member references stay consistent across domains. The infrastructure master should not be placed on a global catalog server unless every domain controller in the domain is a global catalog server (or the forest has a single domain): a global catalog already holds the current references, so an infrastructure master on it never detects the stale ones and never updates the other domain controllers. It can be found via the Active Directory Users and Computers MMC: right-click the domain and select Operations Masters.
There is one PDC emulator per domain. It has several tasks:
- Compatibility with Windows NT 4.0 backup domain controllers in a mixed-mode domain: it acts as their PDC for directory replication, and it lets pre-Windows 2000 clients change their passwords.
- It receives every password change in the domain immediately. When a domain controller rejects a client's password, it checks with the PDC emulator before failing the logon, so replication latency after a password change does not lock the user out.
- It processes account lockouts.
- It is the domain master browser for NT clients.
- It handles down-level NTLM logons.
- Group Policy changes are written to it by default.
- It is the top of the W32Time hierarchy: the PDC emulator of the forest root domain is the authoritative time source, the PDC emulators of the other domains synchronize with it, the other domain controllers synchronize with the PDC emulator of their domain, and member computers synchronize with the domain controller that authenticated them.
The PDC emulator can be found via the Active Directory Users and Computers MMC: right-click the domain and select Operations Masters. By default the first domain controller in a domain is the PDC emulator.
There is one RID master per domain. It allocates the relative identifiers (RIDs) that make SIDs unique within a domain: each domain controller receives a pool of RIDs (500 per block by default) from which it builds the SIDs of the objects it creates (users, computers, groups), and requests a new block when the pool runs low. The RID master is also involved in moving objects between domains (MoveTree), so that an object cannot exist in two domains at once. It can be found via the Active Directory Users and Computers MMC: right-click the domain and select Operations Masters.
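An added example (my own model, not Microsoft's code) of the RID pool mechanism just described: the RID master hands out blocks of 500, each domain controller mints SIDs from the domain SID plus the next RID in its own block, so two domain controllers creating accounts at the same time never produce the same SID, and a domain controller only stops creating objects when its pool is empty and the RID master cannot be reached. The domain SID and DC names are constructed.

```python
"""RID pool allocation between a RID master and domain controllers. Added
example; the domain SID and DC names are constructed for illustration."""

DOMAIN_SID = 'S-1-5-21-1004336348-1177238915-682003330'   # constructed
RID_BLOCK_SIZE = 500
# RIDs below 1000 are reserved for well-known principals (500 = Administrator,
# 512 = Domain Admins); new objects get RIDs from 1000 upwards.
FIRST_RID = 1000


class RidMaster:
    def __init__(self):
        self.next_rid = FIRST_RID
        self.online = True

    def allocate_block(self):
        """Hand out the next unused block of RIDs as an inclusive (first, last) range."""
        if not self.online:
            raise RuntimeError('RID master unreachable: no new RID pool')
        start = self.next_rid
        self.next_rid += RID_BLOCK_SIZE
        return start, start + RID_BLOCK_SIZE - 1


class DomainController:
    def __init__(self, name, rid_master):
        self.name = name
        self.rid_master = rid_master
        self.pool = None   # (next_free, last) from the current block

    def new_sid(self):
        """SID for a newly created security principal.

        A real DC asks for its next block early, when roughly half of the
        current one is used; this model only asks when the pool is empty."""
        if self.pool is None or self.pool[0] > self.pool[1]:
            self.pool = self.rid_master.allocate_block()
        rid, last = self.pool
        self.pool = (rid + 1, last)
        return '%s-%d' % (DOMAIN_SID, rid)


def demo():
    master = RidMaster()
    dc1, dc2 = DomainController('DC1', master), DomainController('DC2', master)
    sids = [dc1.new_sid() for _ in range(3)] + [dc2.new_sid() for _ in range(3)]
    master.online = False            # RID master goes down
    more = [dc1.new_sid() for _ in range(497)]   # DC1 still has the rest of its block
    try:
        dc1.new_sid()                # block exhausted, no master: creation fails
        exhausted = False
    except RuntimeError:
        exhausted = True
    return sids, len(set(sids + more)), exhausted


if __name__ == '__main__':
    print(demo())
```

DC1's SIDs end in 1000, 1001, 1002 and DC2's in 1500, 1501, 1502: the blocks are disjoint, which is why losing the RID master does not stop object creation immediately but does once a domain controller's block is used up.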
Normally an operations master role is transferred via the MMCs while both servers are available: select Operations Masters, connect to the domain controller that should take over the role and click Change (or use NTDSUtil).
If the old operations master is no longer available, use NTDSUtil to seize the role (ntdsutil - roles - connections - connect to server servername - quit - seize <role>). Do this only if the original operations master will never come back online.
The PDC emulator and the infrastructure master are the exceptions: they can be seized, or transferred via the Active Directory Users and Computers MMC, without major impact, and the old holder may return to the network afterwards. The infrastructure master should still not end up on a global catalog server.
If you seize the RID master, the domain naming master or the schema master, the old holder must never be brought back online, because it would hand out RID pools or accept schema and domain changes that conflict with those of the new holder. Reinstall it, or at least remove Active Directory from it and promote it again (dcpromo), before it reconnects.
To find out which roles a server holds, use the resource kit script dumpfsmos.cmd, dcdiag /v, or NTDSUtil (roles - connections - connect to server servername - quit - select operation target - list roles for connected server).
To create Active Directory you use the Active Directory Installation Wizard. It is started from the Administrative Tools or via dcpromo.exe and requires 250 MB of free disk space and an NTFS partition for SYSVOL. After starting it you have the following options:
- Add a domain controller to an existing domain, for load balancing and redundancy.
- Create the first domain controller of a new domain, either a new child domain in an existing tree or a new domain tree; the new tree can be part of an existing forest or start a new forest.
The dcpromo wizard can also remove Active Directory from a domain controller, turning it into a member or stand-alone server. When Active Directory is removed from the last domain controller of a domain, the domain ceases to exist.
When installing Active Directory, the following items are created:
By default the database and its log files are stored in systemroot\NTDS. For performance it is best to put them on separate disks (use ntdsutil to relocate the files).
ntds.dit holds the directory data. The file is an Extensible Storage Engine (ESE, the JET "Blue" engine also used by Exchange) database, not an Access (JET Red) database. It is recommended, though not required, to keep the database on NTFS. You can compact, integrity-check or repair the ntds.dit file with NTDSUtil after restarting in Directory Services Restore Mode; the same utility moves the database and its log files. For more information see appendix C of the Windows 2000 Server Resource Kit. The database is defragmented online automatically every 12 hours (during garbage collection), which reorganizes pages but does not shrink the file. An offline defragmentation, which does shrink it, is done by restarting the server in Directory Services Restore Mode and running NTDSUtil - files - compact to [path]; NTDSUtil calls esentutl /d for this.
The systemroot\SYSVOL share contains a folder structure with logon scripts and the file part of the Group Policy objects for the domain and the enterprise. The volume that holds the share must be NTFS 5.0. The folder cannot be moved without removing and reinstalling Active Directory on the machine.
SYSVOL is replicated by the File Replication Service (FRS), not by Active Directory replication itself, but FRS uses the connection objects and the site link schedule that the KCC creates for Active Directory replication.
Domain controllers have the following tasks:
- Active Directory information. Every domain controller holds a complete, writable copy of the domain partition of its own domain, accepts modifications and replicates the changes to the other domain controllers.
- Validation. Domain controllers authenticate users logging on to the domain.
- Provide information. Domain controllers provide information about domain resources (printers, services, etc.) to clients.
Each domain controller in a forest holds the following three writable partitions:
- Domain directory partition. Contains the user IDs, computer accounts, etc. of the domain. Edit it with the Active Directory Users and Computers MMC.
- Schema directory partition. Contains the schema container. Modify it with the Active Directory Schema snap-in.
- Configuration directory partition. Contains configuration objects for the entire forest, such as sites, services and the list of directory partitions. Modify it with the ADSI Edit tool.
- Sizing guidelines for Windows 2000 domain controllers and global catalog servers
- Active Directory Sizer (Windows 2000 Magazine)
- Win2K Professional domain-controller selection (Windows 2000 Magazine)
- Troubleshooting DNS-related AD logon problems, part 1 (Windows 2000 Magazine)
- Troubleshooting DNS-related AD logon problems, part 2 (Windows & .NET Magazine, Feb 2002)
There are two domain modes:
When you first install or upgrade a domain controller, the domain runs in mixed mode. This allows the controller to replicate with Windows NT 4.0 backup domain controllers.
After all NT 4.0 domain controllers have been upgraded you can switch to native mode. This disables down-level replication support and the ability to add NT 4.0 domain controllers; all domain controllers then act as peers. You switch to native mode in the properties of the domain in the Active Directory Domains and Trusts (or Users and Computers) MMC. This is a one-way process! Switching to native mode brings the following changes:
- Every domain controller is a peer for all updates; in mixed mode the PDC emulator is the single master that NT 4.0 backup domain controllers replicate from.
- Universal security groups and domain local security groups become available.
- Global and domain local groups can be nested, and groups can be converted between types.
- NT 4.0 replication support (the PDC emulator acting as an NT PDC) is switched off on the domain controllers.
- NT 4.0 domain controllers no longer receive updates and new NT 4.0 domain controllers cannot be added.
Within Windows 2000 there are two types of trust:
Two-way transitive trusts (Kerberos). These are created automatically between parent and child domains within a tree and between each tree root domain and the forest root domain. Because the trusts are transitive, a user in one domain can access resources in every other domain of the forest to which he has been granted permissions; his logon in his own domain is trusted by all the other domains.
Explicit one-way, non-transitive trusts. These are created by an administrator between domains that are not part of the same forest. They exist to connect to existing Windows NT 3.x/4.0 domains, to Windows 2000 domains in another forest and to MIT Kerberos V5 realms. In Windows 2000 a trust to another forest is always a plain domain-to-domain trust, so it grants no transitive access to the rest of that forest.
A shortcut trust can be created between two lower-level domains in one forest; it shortens the Kerberos referral path and thus speeds up authentication.
Microsoft recommends a single-domain model where possible, but a tree can hold several domains within the namespace. Consider multiple domains in a tree if:
- The organization is decentralized and different administrators administer different resources.
- You have organizations in different countries and want to administer in the local language.
- You have slow links. Splitting into multiple domains reduces the amount of replication over them.
Administrative rights are scoped per domain. A member of the built-in Domain Admins group only has control over the resources in that domain; administrative privileges do not flow down a tree, and a Domain Admin of the root domain does not by default have administrative privileges in any other domain. The exception is the Enterprise Admins group, which exists only in the forest root domain and has administrative rights in every domain of the forest. An administrator from another domain can be given administrative privileges in a domain by granting individual rights on specific objects and organizational units, or by adding the account to the domain's administrative groups.
Most common objects:
- User accounts. Enable a logon to the domain.
- Groups. A collection of user accounts, groups or computers.
- Shared folders. A pointer to a shared folder; the share itself is also stored in the registry of the server.
- Printers. A pointer to a printer; the printer itself is also stored in the registry of the print server. Printers are published in Active Directory automatically.
- Computers. Information about a computer that is a member of the domain.
- Domain controllers. Description, DNS name, down-level (NetBIOS) name, operating system version, location and responsible person.
- Organizational units. Used to organize Active Directory objects.
Every Active Directory object has a security descriptor with two ACLs, which can be used to assign permissions for a user or group on a single object, an OU or a subtree of OUs. The permissions that can be set differ per object class (e.g. Reset Password exists on users, not on printers). As with NTFS ACLs, a user who belongs to several groups accumulates the permissions of all of them, except where a permission is explicitly denied: a deny entry overrides an allow, the one exception being an explicit allow on the object itself, which is evaluated before a deny inherited from a parent. Types of ACLs:
- DACL, Discretionary Access Control List. Controls which user, group or computer SIDs are allowed or denied access to the object.
- SACL, System Access Control List. Specifies which access attempts are audited.
A user can get standard and special permissions. Standard permissions are :
| View. View the object and its attributes, the owner and the permissions. | |
| Write. Change all object attributes. | |
| Delete All Child Objects. Remove any type of object from an OU. | |
| Create All Child Objects. Add any type of child object to an OU. | |
| Full control. All other tasks plus change permissions and take ownership. |
The user's access token, containing the user's own SID, the SIDs of the groups the user is a member of and the user rights (privileges), is compared with the ACL's Access Control Entries (ACEs) to determine the user's effective permissions.
When moving an object within Active Directory, the following security issues are important :
| Permissions that were set to the individual object remain. | |
| Permissions that were inherited from the old parent disappear. | |
| Permissions from the new parent are inherited. |
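The token-versus-ACE comparison and the three rules for a moved object can be worked through in code. The following is an added example, not part of the original page; the SIDs, group names, OUs and the right names are constructed sample values, and the model is deliberately simplified: any matching deny ACE wins over any allow (the page's "except if a permission is denied"), whereas Windows itself evaluates ACEs in canonical order, so an explicit allow would beat a deny inherited from a parent.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample SIDs (not from any real domain).  513 is the well-known
# RID of Domain Users; the other RIDs are hypothetical.
DOMAIN_USERS = "S-1-5-21-1-2-3-513"
HELPDESK = "S-1-5-21-1-2-3-1105"      # hypothetical "HelpDesk" group
ALICE = "S-1-5-21-1-2-3-1001"         # hypothetical user account


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry of a DACL."""
    sid: str                 # trustee: user, group or computer SID
    allow: bool              # True = access-allowed, False = access-denied
    rights: frozenset        # object-specific rights, e.g. {"read", "reset_password"}
    inherited: bool = False  # True if the ACE flowed down from a parent container


@dataclass
class DirectoryObject:
    dn: str
    dacl: List[ACE] = field(default_factory=list)


def effective_rights(token_sids: Set[str], dacl: List[ACE]) -> Set[str]:
    """Compare the SIDs in an access token with the ACEs of a DACL.

    Rights from every matching allow ACE are unioned (membership in several
    groups adds up); rights named by any matching deny ACE are removed.
    """
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in dacl:
        if ace.sid not in token_sids:      # ACE does not apply to this token
            continue
        (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied


def inherit_from(parent: DirectoryObject) -> List[ACE]:
    """Simplification: every ACE on the parent is treated as inheritable."""
    return [ACE(a.sid, a.allow, a.rights, inherited=True) for a in parent.dacl]


def move_object(obj: DirectoryObject, new_parent: DirectoryObject) -> DirectoryObject:
    """Apply the three move rules: explicit ACEs stay, ACEs inherited from the
    old parent disappear, the new parent's ACEs are inherited instead."""
    explicit = [a for a in obj.dacl if not a.inherited]
    obj.dacl = explicit + inherit_from(new_parent)
    return obj


def demo():
    """Alice (HelpDesk member) may reset Bob's password while Bob is in OU=Sales;
    after Bob is moved to OU=Temps, where HelpDesk is denied that right, she may not."""
    sales_ou = DirectoryObject("OU=Sales,DC=example,DC=com", [
        ACE(DOMAIN_USERS, True, frozenset({"read"})),
        ACE(HELPDESK, True, frozenset({"read", "reset_password"})),
    ])
    temps_ou = DirectoryObject("OU=Temps,DC=example,DC=com", [
        ACE(HELPDESK, False, frozenset({"reset_password"})),   # deny ACE
        ACE(DOMAIN_USERS, True, frozenset({"read"})),
    ])
    bob = DirectoryObject("CN=Bob,OU=Sales,DC=example,DC=com",
                          [ACE(ALICE, True, frozenset({"write"}))]   # explicit ACE
                          + inherit_from(sales_ou))
    alice_token = {ALICE, DOMAIN_USERS, HELPDESK}
    before = effective_rights(alice_token, bob.dacl)
    move_object(bob, temps_ou)
    after = effective_rights(alice_token, bob.dacl)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before move:", sorted(before))   # ['read', 'reset_password', 'write']
    print("after move: ", sorted(after))    # ['read', 'write']
```

The explicit `write` ACE on Bob's object survives the move, the `reset_password` allow inherited from OU=Sales is gone, and the deny inherited from OU=Temps now applies, which is exactly why a move between OUs should be reviewed like a permission change.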
The security reference monitor (kernel mode) handles security on Active Directory objects.
Three service layers contain the information needed to query records from the Active Directory database :
| Directory System Agent (DSA). This agent builds a hierarchy between the relations in the database and offers APIs to access the database. These APIs are : | |
| Database layer. This is the abstraction layer between the applications and the database. | |
| Extensible Storage Engine. This engine communicates with the records in the \winnt\ntds\NTDS.DIT file on the domain controller. |
See summary backup and recovery.
| Backing up and restore Active directory (TechRepublic) | |
| Backing up and restoring AD (Windows 2000 magazine) | |
| AD disaster recovery (Windows 2000 magazine) | |
| Active directory disaster recovery (Microsoft) |
The Directory Service Client for Windows 9x and Windows NT 4.0 (dsclient.exe) is available in the \clients\win9x folder of the Windows 2000 installation CD-ROM. It enables clients to access Active Directory information via LDAP. It also makes the clients AD aware, which has the following benefits :
| Site information is used to connect to the closest domain controller. It uses the domain's NetBIOS name (not DNS !) and the DNS server specified in the TCP/IP settings to detect the closest domain controller. If no Windows 2000 domain controller in the site is found, a random Windows 2000 domain controller is used. If no Windows 2000 domain controller is available, a NT 4.0 domain controller is used. | |
| Pre-Windows 2000 clients are able to change the password on multiple domain controllers instead of only the PDC (emulator). | |
| DFS tries to connect to the closest server based on the domain controller detection mechanism. | |
| ADSI interface to change Active directory attributes. | |
| NTLM version 2 logon authentication. |
DSclient is not supported on Windows ME.
To provide authentication over a firewall, at least TCP port 88 must be open for Kerberos.
| How to Configure a Firewall for Domains and Trusts (Q179442) | |
| Windows NT, Terminal Server, and Microsoft Exchange Services Use TCP/IP Ports (Q150543) |
Tool to query or set permissions on Active Directory objects. Part of the support tools.
Tool to determine the required size of the domain controllers.
| Active Directory sizer (Windows 2000 magazine) |
MMC console to access to Active Directory. Part of the support tools.
This tool can be used to import and export Active Directory data via comma-separated files.
| HOW TO: Use Csvde to Import Contacts and User Objects into Active Directory (Q327620) |
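To show what such a comma-separated import file looks like and what is worth checking before feeding it to the tool, here is an added example that is not part of the original page. It assumes the layout csvde expects (a header line naming the attributes, one object per line, the DN in the DN column) and uses a constructed OU, domain and user list; the helper names are hypothetical. Because a DN is itself comma-separated, a common name containing a comma has to be escaped at the LDAP level and the whole field quoted at the CSV level, which the example does.

```python
import csv
import io
from typing import Dict, List

# Attributes written for each user object; the DN column must come first.
HEADER = ["DN", "objectClass", "sAMAccountName", "userPrincipalName", "displayName"]


def escape_rdn_value(value: str) -> str:
    """Escape characters that are special inside an LDAP DN (RFC 2253), so a
    display name such as 'Smith, John' survives as the CN of the object."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_csvde(ou_dn: str, dns_domain: str, users: List[Dict[str, str]]) -> str:
    """Render constructed user records as a csvde import file."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(HEADER)
    for u in users:
        cn = escape_rdn_value(u["displayName"])
        writer.writerow([
            f"CN={cn},{ou_dn}",            # quoted by the CSV writer because of the commas
            "user",
            u["sam"],
            f"{u['sam']}@{dns_domain}",
            u["displayName"],
        ])
    return buf.getvalue()


def check_csvde(text: str, base_dn: str) -> List[str]:
    """Lint an import file before running it: every row needs a DN under
    base_dn and an objectClass, and no DN or sAMAccountName may repeat."""
    problems: List[str] = []
    reader = csv.DictReader(io.StringIO(text))
    seen_dn, seen_sam = set(), set()
    for n, row in enumerate(reader, start=2):          # line 1 is the header
        dn = (row.get("DN") or "").strip()
        sam = (row.get("sAMAccountName") or "").strip()
        if not dn.lower().endswith(base_dn.lower()):
            problems.append(f"line {n}: DN {dn!r} is not under {base_dn}")
        if not row.get("objectClass"):
            problems.append(f"line {n}: missing objectClass")
        if dn.lower() in seen_dn:
            problems.append(f"line {n}: duplicate DN {dn!r}")
        if sam and sam.lower() in seen_sam:
            problems.append(f"line {n}: duplicate sAMAccountName {sam!r}")
        seen_dn.add(dn.lower())
        seen_sam.add(sam.lower())
    return problems


if __name__ == "__main__":
    # Constructed sample input.
    sample_users = [{"sam": "jsmith", "displayName": "Smith, John"},
                    {"sam": "adoe", "displayName": "Doe, Anna"}]
    text = build_csvde("OU=Sales,DC=example,DC=com", "example.com", sample_users)
    print(text)
    print("problems:", check_csvde(text, "DC=example,DC=com"))
```

A file that passes the check still creates the user objects without a password, since csvde cannot import one, so the accounts arrive disabled and need a password and an explicit enable step afterwards; the duplicate checks exist because a repeated DN or logon name makes the import stop partway and leaves a half-populated OU.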
Domain controller diagnostics tool.
Programs to check and modify DFS and DNS information in the Active Directory. Part of the support tools.
Program to check and modify ACLs on objects in the Active Directory. Part of the support tools.
Active Directory diagnostic tool. Program to check naming conventions on domain controllers. Part of the support tools.
Tool in \winnt\system32 to defragment, recover, check the integrity of, upgrade, dump or repair Extensible Storage Engine databases.
Active Directory administration tool. Uses LDAP to access Active Directory. It can for example be used to view the SIDHistory of an account. Part of the support tools.
This tool can be used to import and export Active Directory data from or to other directory services. It can also be used to modify data within Active Directory.
Active Directory object manager. Program to move OU's, groups, users and computers between domains within a forest. It should connect to the RID master of the source domain.
Program to check end-to-end network and distributed services functions.
Windows 2000 domain manager. Program to check and maintain Windows 2000 trusts and other domain information. It can be used to create trusts and to move or create computer accounts. Part of the support tools.
Various functions like finduser, force synchronization, secure channel query, shutdown, etc.
This tool in \winnt\system32 can be used to get info about the ntds.dit file, to compact it, to repair it, to change the path of the ntds.dit file and the logs, to do an authoritative restore, to clean up old domain controllers via metadata cleanup or to change FSMO roles.
For more info about NTDSUtil see appendix C of the Windows 2000 Server Resource Kit.
Windows Server 2003 includes the Rendom utility that will let you change both the DNS and NetBIOS name and move domains within the forest.
The tool operates in a three-stage process :
| The /list switch creates an XML file with the current forest structure. | |
| The /prepare switch edits the XML file to the desired structure, then runs the file on each domain controller (DC) to ensure the DCs are ready. | |
| The /upload switch uploads the new structure. |
All domain controllers in the forest must run Windows Server 2003 and the forest functional level must be at least Windows .NET.
| Windows Server 2003 Domain Rename Tools |
Replication diagnostic tool. Checks the status of replication and can force replication. It can also trigger the Knowledge Consistency Checker to rebuild the replication topology. Part of the support tools.
Active Directory Replication Monitor. Graphical interface to show, change and force replications. Part of the support tools.
Security Descriptor check utility. Can be used to check ACLs within the directory. Part of the support tools.
Security administration tool. Uses showaccs.exe and sidwalk.exe to view permissions. Sidwalker.msc can be used to migrate permissions, e.g. when SIDHistory is used during a domain restructuring. Part of the support tools.
Last update : 5 March 2003