CHAPTER 11
ADMINISTERING ACTIVE DIRECTORY
Lesson 1:
Locating Active Directory Objects
Active Directory stores information about objects on the network. Each object is a distinct, named set
of attributes that represents a specific network entity.
Understanding Common Active Directory Objects
Adding new resources to your network creates new Active Directory objects that represent these
resources.
======================================================================
Object Type          Contents
======================================================================
User Account         The information that allows a user to log on to
                     Windows 2000, such as the user logon name.
Contact              Information about a person, such as telephone
                     number and e-mail address.
Group                A collection of user accounts, groups, or computers.
Shared folder        A pointer to a shared folder on a computer. A
                     pointer contains the address of certain data,
                     rather than the data itself.
Printer              A pointer to a printer on a computer.
Computer             The information about a computer that is a member
                     of the domain.
Domain Controller    The information about the domain controller
                     computer, including its DNS name.
Organizational       Contains other objects, including other OUs. Used
Unit (OU)            to organize Active Directory objects.
======================================================================
Using Find
To locate Active Directory objects, open the Active Directory Users and Computers console located in
the Administrative Tools folder.
=====================================================================
winads11.html PAGE 2 2002/02/25
Right-click the domain or container, and select Find. The Find dialog box provides options that
allow you to search the global catalog to locate Active Directory objects. The global catalog contains
a partial replica of the entire directory, so it stores information about every object in a domain tree or
forest. Active Directory automatically generates the contents of the global catalog from the domains
that make up the directory.
Lesson Summary:
Organizational Units, Domain controllers, shared folders, and computers.
resourced object.
Active Directory.
Lesson 2:
Controlling Access to Active Directory Objects
Windows 2000 uses an object-based security model to implement access control for all Active
Directory objects. This security model is similar to the one that Windows 2000 uses to implement
Microsoft Windows NT file system (NTFS) security. Every Active Directory object has a security
descriptor that defines who has the permissions to gain access to the object and what type of access
is allowed.
Understanding Active Directory Permissions
Active Directory permissions provide security for resources by allowing you to control who can gain
access to individual objects or object attributes and the type of access that you will allow.
Active Directory Security
Use Active Directory permissions to determine who has permission to gain access to an object
and what type of access is allowed. An administrator or the object owner must assign permissions to
the object before users can gain access to it. Windows 2000 stores a list of user access permissions,
called the access control list (ACL), for every Active Directory object. The ACL for an object lists
who can access the object and the specific actions that each user can perform on it.
Object Permissions
The object type determines which permissions you can select. Permissions vary for different object types.
A user can be a member of multiple groups, each with different permissions that provide different levels
of access to objects. When you assign a permission to a user for access to an object and that user is a
member of a group to which you assigned a different permission, the user's effective permissions are
the combination of the user and group permissions.
You can allow or deny permissions. Denied permissions take precedence over any permissions that
you otherwise allow for user accounts and groups. If you deny a user permission to gain access to an
object, the user will not have that permission, even if you allow the permission for a group of which the
user is a member. Use a deny permission when you need to withhold a specific permission from a
particular user who is a member of a group with allowed permissions.
NOTE: Always ensure that all objects have at least one user with the Full Control permission. Failure
to do so might result in some objects being inaccessible to the person using the Active Directory Users
and Computers console, even an administrator, unless object ownership is changed.
Standard Permissions and Special Permissions
You can set standard permissions and special permissions on objects. Standard permissions are the
most frequently assigned permissions and are composed of special permissions. Special permissions
provide you with a finer degree of control for assigning access to objects.
Assigning Active Directory Permissions
You can use the Active Directory Users and Computers console to set standard permissions for
objects and attributes of objects. You use the Security tab of the Properties for the object to assign
permissions.
IMPORTANT: You must select Advanced Features on the View menu to access the Security tab
and assign standard permissions for an object.
If the check boxes under Permissions are shaded, then the object has inherited permissions from the
parent object. To prevent an object from inheriting permissions from its parent object, clear the Allow
Inheritable Permissions From Parent To Propagate To This Object check box.
Using Permissions Inheritance
Similar to file and folder permissions inheritance, permissions inheritance for Active Directory objects
minimizes the number of times that you need to assign permissions for objects. When you assign
permissions, you can apply the permissions to child objects, which propagates the permissions to
all of the child objects for a parent object.
For example, you can assign Full Control permission to a group for an OU that contains printers and
then propagate this permission to all child objects. The result is that all group members can administer
all printers in the OU.
You can specify permissions inheritance so that a child object does not inherit permissions from its
parent object by clearing the Allow Inheritable Permissions From Parent To Propagate To This
Object check box. When you prevent inheritance, only the permissions that you explicitly assign
to the object apply. You use the Security tab in the Properties dialog box to prevent permissions
inheritance.
When you prevent permissions inheritance, Windows 2000 allows you to do either of the following:
Copy previously inherited permissions to the object. The new explicit permissions for the object
are a copy of the permissions that it previously inherited from its parent object. Then, according to
your needs, you can make any necessary changes to the permissions.
Remove previously inherited permissions from the object. Windows 2000 removes any previously
inherited permissions. No permissions exist for the object. Then, according to your needs, you
can assign any permissions for the object.
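The allow/deny, group-combination and inheritance rules described in this lesson, as an added example that is not part of the course notes and not Windows code: a small Python model in which a user's effective rights are the union of the Allow entries for the user and its groups minus any Deny entry, and a child object either inherits its parent's inheritable entries or, once inheritance is blocked, keeps copies of them or none at all. The OU, printer, group and user names, and the set of rights that stands for Full Control, are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Rights used in the model; Full Control is simply every right (constructed set).
FULL_CONTROL = frozenset({"Read", "Write", "Create Child", "Delete Child", "Delete"})


@dataclass(frozen=True)
class ACE:
    """One access control entry: trustee, rights, Allow or Deny, inheritable or not."""
    trustee: str
    rights: frozenset
    allow: bool = True
    inheritable: bool = True


@dataclass
class ADObject:
    """An Active Directory object with its explicit ACL and an optional parent container."""
    name: str
    explicit: list = field(default_factory=list)
    parent: object = None
    block_inheritance: bool = False   # the inherit check box has been cleared


def effective_acl(obj):
    """Explicit entries plus the inheritable entries of every ancestor, unless blocked."""
    acl = list(obj.explicit)
    if not obj.block_inheritance and obj.parent is not None:
        acl += [ace for ace in effective_acl(obj.parent) if ace.inheritable]
    return acl


def effective_rights(obj, user, groups):
    """Union of the Allow entries matching the user or any of its groups, minus every
    matching Deny entry: a Deny always wins over an Allow granted elsewhere."""
    token = {user, *groups}
    allowed, denied = set(), set()
    for ace in effective_acl(obj):
        if ace.trustee in token:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def block_inheritance(obj, copy_inherited):
    """Clear the 'Allow Inheritable Permissions From Parent' box. Windows then offers to
    Copy the inherited entries as explicit ones or to Remove them, leaving none."""
    inherited = [ace for ace in effective_acl(obj) if ace not in obj.explicit]
    obj.block_inheritance = True
    if copy_inherited:
        obj.explicit.extend(inherited)


def full_control_holders(obj):
    """Trustees with an Allow entry granting Full Control. The notes warn that this set
    must never be empty, or the object is unmanageable until ownership is changed."""
    return {ace.trustee for ace in effective_acl(obj)
            if ace.allow and ace.rights >= FULL_CONTROL}


def build_example():
    """Constructed sample: an OU of printers, one printer carrying an explicit Deny."""
    printers_ou = ADObject("OU=Printers", explicit=[
        ACE("Print Admins", FULL_CONTROL),          # propagates to every printer in the OU
        ACE("Everyone", frozenset({"Read"})),
    ])
    hr_printer = ADObject("CN=HR-Printer", parent=printers_ou)
    # bob is a Print Admin, yet is explicitly denied Delete on this single printer only.
    hr_printer.explicit.append(ACE("bob", frozenset({"Delete"}), allow=False, inheritable=False))
    return printers_ou, hr_printer


if __name__ == "__main__":
    ou, printer = build_example()
    print(sorted(effective_rights(printer, "alice", ["Print Admins"])))   # Full Control
    print(sorted(effective_rights(printer, "bob", ["Print Admins"])))     # everything but Delete
    block_inheritance(printer, copy_inherited=False)
    print(full_control_holders(printer))                                   # set(): nobody left
```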
Lesson Summary:
can gain access to it. Windows 2000 stores a list of user access permissions, called the
ACL, for every Active Directory object.
Delete All Child Objects.
to assign permissions for objects. When you assign permissions, you can apply the
permissions to child objects, which propagates the permissions inheritance for a given
parent object.
Lesson 3:
Publishing Resources in Active Directory
As an administrator, you need to be able to provide secure and selective publication of network
resources to network users and make it easy for users to find information.
Publishing Resources in Active Directory
Resources that can be published in the directory include objects such as users, computers,
printers, folders, files and network services.
Publishing Users and Computers
User and computer accounts are added to the directory using the Active Directory Users and
Computers console. Information about the accounts that is useful to other network users is
published automatically.
Publishing Shared Resources
Publishing information about shared resources such as printers, folders, and files makes it easy for
users to find these resources on the network. Windows 2000 network printers are automatically
published in the directory when installed. Information about Windows NT printers and shared
folders can be published in the directory using the Active Directory Users and Computers console.
Publishing Network Services
Network-enabled services, such as Certificate Services, can be published in the directory so
administrators can find and administer them using the Active Directory Sites and Services console.
Categories of Service Information
Binding and configuration information are the two types of information frequently published using
Active Directory:
that conform to a service-centric model. By publishing the bindings for these kinds of services,
Windows 2000 can automatically establish connections with services. Machine-centric services
are typically handled on a service-by-service basis and should not be published to the directory.
allows you to distribute current configuration information for these applications to all clients in the
domain. The configuration information is accessed by client applications as needed. This eases
application configuration for users and gives you more control over application behavior.
Characteristics of Service Information
Service information that you publish to the directory is most effective if it has the following characteristics:
certain areas of the network should not be published. If not widely used, this information wastes
network resources, since it is published to every domain controller in the domain.
sense to publish only service information that changes less frequently than two replication intervals.
For intra-site replication, the maximum replication period is 15 minutes, and for inter-site replication,
the maximum replication period is configured based on the replication interval of the site link used
for the replication.
to use. The information should be relatively small in size.
Lesson 4:
Moving Active Directory Objects
You move objects from one location to another when organizational or administrative functions
change, for example, when an employee moves from one department to another.
Moving Objects
In the logical environment, you can move objects within and between domains in Active Directory.
In the physical environment, you can move domain controllers between sites.
Moving Objects within a Domain
To reduce administrative overhead, you can move objects with identical security requirements into
an OU or container within a domain. You can then assign access permissions to the OU or
container and all objects in it.
NOTE: To simplify assignment of permissions for printers, move printers on different print servers
that require identical permissions to the same OU or container. Printers are located in the
Computer objects for the print server. To view a printer, click View, then click Users, Groups
and Computers as Containers.
Moving Objects Between Domains
To support domain consolidation or organizational restructuring operations, Windows 2000 allows
you to move objects between domains. The MOVETREE command-line utility is used to move
Active Directory objects such as organizational units, users, and groups between domains in a
single forest, with some exceptions. This tool is available in the Windows 2000 Support Tools,
which are included on the CD-ROM in the \Support\Tools folder.
The distinguished name of the moved object reflects its new position in the hierarchy. The
object’s globally unique identifier (GUID) is unchanged by a move or rename.
As users and groups are migrated from one domain to another, they are given a new security
identifier (SID). To preserve the security credentials of an account when it is moved from one
domain to another, Windows 2000 supports SIDHistory, a security attribute available only in
Windows 2000 native mode.
As users and groups are moved from one domain to another, to reduce the administrative
overhead of resetting ACLs and ownership of resources, the old SID is added to the
SIDHistory attribute for the new object. Whenever users log on, any SIDs present in their
SID history, or any SIDs present in the SIDHistory of a group of which the users are members,
are added to their access token, and they are given permissions and ownership to any
resources that they previously had.
MOVETREE allows an OU to be moved to another domain, keeping all of the linked group
policy objects (GPOs) in the old domain intact. The GPO link is moved and continues to work,
although clients receive their group policy settings from the GPOs located in the old domain.
Supported MOVETREE Operations
The following operations are supported with the MOVETREE utility:
Move an object or a nonempty container to a different domain. Valid only within the
same forest.
Move Domain Local and Global groups between domains without members, and within
domains with members. Valid only within the same forest.
Move Universal groups with members within and between domains. Valid only within the
same forest.
Unsupported MOVETREE Operations
Some objects and information are not moved. Objects that are not moved are classified as
orphaned objects and are placed in an “orphan” container in the LostAndFound container in
the source domain. The LostAndFound container is visible in the Active Directory Users and
Computers console in Advanced View. The orphan container is named using the GUID of
the parent container being moved and it contains the objects that were selected for the
MOVETREE operations. Specifically, objects and information that cannot be moved by
using the MOVETREE utility are:
intact so that security is not compromised. The domain join information for computer objects.
its subordinate objects. However, the MOVETREE utility does not disjoin a computer from
its source domain and rejoin it to the target domain. For this reason, the NETDOM utility is
recommended to move computer objects.
personal data, encrypted files, smart cards, and public key certificates. Group policies would
need to be applied to the users, groups, or computers.
domain. Objects in the Builtin, ForeignSecurityPrincipals, System, and LostAndFound containers.
MOVETREE may fail due to some of the following error conditions:
user is currently creating child objects under the source object that is selected for the move
operation. Either the source or destination domain has invalid credentials.
Moving Users
Moving users between domains is supported with the following restrictions:
If the user object contains any objects, the move operation fails. The user object must be a
leaf object. If a security accounts manager (SAM) constraint is met, the move operation fails.
SAM constraints include when the user’s samAccountName already exists in the destination
domain, or if the user’s password length does not meet the password restrictions in the target
domain. If the user object belongs to a Global group from the source domain, its membership
is voided and the move operation fails. This is because a Global group can only have a
member in the same domain, thereby preventing movement of any member of a Global group.
However, there is one exception: If the user object belongs to the Domain Users group (without
belonging to any other Global groups) and the Domain Users group is this user object’s Primary
group, then the move operation succeeds. It succeeds because when a user object is created,
the system automatically places it into the Domain Users group and assigns the Domain Users
group as its Primary group.
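The SIDHistory behaviour described under Moving Objects Between Domains and the user-move restrictions listed just above, as an added example that is neither MOVETREE's own code nor part of the course notes: a Python model of the pre-move checks (leaf object, samAccountName collision, password length, the Global group rule with its Domain Users exception), of the SID change the move causes, and of how the old SID reaches the logon token so that old ACLs still match. Domain names, SID values, group names and the password policy are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Domain:
    """A domain: SID prefix, password policy and the SAM names already in use (constructed)."""
    name: str
    sid: str
    min_password_length: int
    sam_account_names: set
    next_rid: int = 1100

    def issue_sid(self):
        """Hand out the next relative ID, as the target domain does for a moved account."""
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        return f"{self.sid}-{rid}"


@dataclass
class User:
    sam_account_name: str
    sid: str
    password_length: int
    primary_group: str
    global_groups: set                      # Global groups in the source domain
    has_children: bool = False              # a user object must be a leaf to move
    sid_history: list = field(default_factory=list)


@dataclass
class Group:
    sid: str
    sid_history: list = field(default_factory=list)


def precheck_user_move(user, target):
    """Reasons MOVETREE would refuse to move this user into target (empty list = allowed)."""
    problems = []
    if user.has_children:
        problems.append("user object is not a leaf object")
    if user.sam_account_name in target.sam_account_names:
        problems.append("samAccountName already exists in the target domain")
    if user.password_length < target.min_password_length:
        problems.append("password does not meet the target domain's password restrictions")
    # A Global group may only hold members from its own domain, so membership in any
    # source-domain Global group blocks the move. The one exception is Domain Users,
    # provided it is the user's primary group and the user's only Global group.
    if user.global_groups - {"Domain Users"} or user.primary_group != "Domain Users":
        problems.append("member of a Global group in the source domain")
    return problems


def move_user(user, source, target):
    """Perform the move: a new SID from the target domain, the old one kept in SIDHistory."""
    problems = precheck_user_move(user, target)
    if problems:
        raise ValueError("; ".join(problems))
    source.sam_account_names.discard(user.sam_account_name)
    target.sam_account_names.add(user.sam_account_name)
    user.sid_history.append(user.sid)       # SIDHistory needs native mode, per the notes
    user.sid = target.issue_sid()
    return user


def token_sids(user, member_of):
    """SIDs placed in the logon token: the user's SID and SIDHistory, plus the SID and
    SIDHistory of every group the user belongs to."""
    sids = [user.sid, *user.sid_history]
    for group in member_of:
        sids += [group.sid, *group.sid_history]
    return sids


def has_access(resource_acl_sids, token):
    """True when any SID in the token is listed on the resource's ACL; pre-move SIDs still match."""
    return any(sid in token for sid in resource_acl_sids)


def build_example():
    """Constructed source and target domains, plus three users for the precheck to judge."""
    source = Domain("corp.example", "S-1-5-21-111", 6, {"alice", "bob", "carol"})
    target = Domain("eu.example", "S-1-5-21-222", 8, {"carol"})
    alice = User("alice", "S-1-5-21-111-1001", 10, "Domain Users", {"Domain Users"})
    bob = User("bob", "S-1-5-21-111-1002", 10, "Domain Users", {"Domain Users", "Sales"})
    carol = User("carol", "S-1-5-21-111-1003", 7, "Domain Users", {"Domain Users"})
    return source, target, alice, bob, carol


if __name__ == "__main__":
    source, target, alice, bob, carol = build_example()
    for user in (alice, bob, carol):
        print(user.sam_account_name, precheck_user_move(user, target) or "ok to move")
    old_sid = alice.sid
    move_user(alice, source, target)
    print(alice.sid, alice.sid_history)
    print(has_access([old_sid], token_sids(alice, [])))   # True: old ACL still grants access
```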
Moving Groups
Like users, groups can be moved between domains, with similar restrictions:
If its membership and its reverse memberships do not fulfill the requirements of its type, the
operation fails.
Moving Objects Between Domains
Using MOVETREE
Before using the MOVETREE utility, verify that you have the necessary privileges to perform
this operation. The MOVETREE utility can be used from the command line and can be called
from a batch file to script user and group creation.
To move objects between domains using MOVETREE:
***** See page 366 to 367 *****
MOVETREE Log Files
The following log files are created after the MOVETREE operation. They are located in the
directory where you performed the MOVETREE operation.
operation’s precheck phase (or test phase).
Moving Workstations or Member Servers Between Domains
You can use NETDOM, the Windows 2000 Domain Manager support tool, to move a workstation or
member server from one domain to another. This tool is available in the Windows 2000 Support
Tools in the \SUPPORT\TOOLS folder on the CD-ROM.
***** See the parameters on page 367 – 368 *****
NETDOM Command Example
To move a workstation named mywksta from its current domain into the mydomain domain, you
would enter the following command:
netdom move /d:mydomain mywksta /ud:mydomain\admin /pd:password
If the destination is a Windows 2000 domain, the SIDHistory for the workstation is updated,
retaining the security permissions that the computer account had previously.
Moving Domain Controllers Between Sites
In general, you can install a domain controller into a site that has existing domain controllers.
The exception to this rule is the first domain controller installed, which automatically creates the
Default-First-Site-Name site. You cannot create a first domain controller in any site but
Default-First-Site-Name, but you can create a domain controller in a site that has a previously
existing domain controller and then move it to another site. Therefore, after the first domain
controller has been installed, creating Default-First-Site-Name, you can create other domain
controllers in this site and then move them to alternative sites.
** See the practice exercises on page 368 **
Lesson Summary:
command-line.
NETDOM command utility.
Lesson 5:
Delegating Administrative Control of Active Directory Objects
Guidelines for Delegating Control
You delegate administrative control of objects by assigning permissions to the object to allow
users or groups of users to administer the objects. An administrator can delegate the following
types of control:
specific OU or container.
a specific OU container
Because tracking permissions at the OU or container level is easier than tracking permissions on
objects or object attributes, the most common method of delegating administrative control is to
assign permissions at the OU or container level. Assigning permissions at the OU or container level
allows you to delegate administrative control for the objects that are contained in the OU or container.
Use the Delegation Of Control Wizard to assign permissions at the OU or container level.
For example, you can delegate administrative control by assigning Full Control for an OU to the
appropriate manager, only within his or her area of responsibility. By delegating control of the OU
to the manager, you can decentralize administrative operations and issues. This reduces your
administration time and costs by distributing administrative control closer to its points of service.
To help you delegate administrative control, you may want to follow these suggestions:
Delegation of Control Wizard
The Delegation Of Control Wizard steps you through the process of assigning permissions at the
OU or container level. More specialized permissions must be assigned manually.
Guidelines for Administering Active Directory
The following are best practices for administering Active Directory:
You can move objects later, but this might create extra work.
are important to your organization. Use deny permissions
sparingly.
responsibility and can be held accountable. Provide training for users who have control of
objects. Ensure that the users to whom you delegate responsibility understand their
responsibilities and know how to perform the administrative tasks.
Lesson Summary:
control for the objects that are contained in the OU or container.
for delegating control.
Lesson 6:
Backing Up Active Directory
When you create a backup, you need to conduct several preliminary tasks, and then perform a
number of tasks using the Backup Wizard.
Performing Preliminary Tasks
An important part of backing up Active Directory is performing the preliminary tasks. One task
that you must do is ensure that the files that you want to back up are closed. You should notify
users to close the files before backing up so they will not lose any files. Applications using the
system, or users who cannot be notified (such as users logged on through the Internet), will have
their sessions terminated.
If you use a removable media device, make sure that the following preliminary tasks occur:
backing up to tape, you must attach the tape device to the computer on which you run
Windows Backup.
that a tape is loaded in the tape drive.
What to Back Up
The first phase of using the Backup Wizard to back up Active Directory is to specify that you
want to back up only the System State data.
For Windows 2000 Server operating systems, the System State data comprises the registry, the
COM+ Class Registration database, system boot files, and the Certificate Services database
(if the server is a certificate server).
Where to Store the Backup
After you indicate that you need to back up
about the backup media.
After you provide the media information, the Backup Wizard displays the wizard settings and
provides the opportunity to do either of the following:
Start the backup. If you click Finish, during the backup process, the Backup Wizard displays
status information about the backup job in the Backup Process dialog box.
Specify advanced backup options. If you click Advanced, the Backup Wizard allows you to
select the advanced backup settings.
NOTE: When the backup process is complete, you can choose to view the backup report,
which is in the backup log. A backup log is a text file that records backup operations. It is
stored on the hard disk of the computer on which you are running Windows Backup.
Scheduling Active Directory Backup Jobs
Scheduling an Active Directory backup job means that you can have an unattended backup
job occur later, when users are not at work and files are closed.
Lesson Summary:
medium or file name.
Lesson 7:
Restoring Active Directory
Like the backup process, when you choose to restore Active Directory, you can only restore all
of the
database, system boot files, the SYSVOL directory, the Active Directory, and the Certificate
Services database (if the server is a certificate server).
If you are restoring the
want to perform a nonauthoritative restore or an authoritative restore. The default method of
restoring the
Nonauthoritative Restore
In nonauthoritative mode, any component of the System State data that has been replicated with
another domain controller, such as the Active Directory directory service, will be brought up to date by
replication after you restore the data. For example, if the last backup was performed a week
ago, and the
the backup operation will be replicated from the other domain controllers. The Active
Directory replication system will update the restored data with newer data from your other
servers.
Authoritative Restore
If you do not want to replicate the changes that have been made subsequent to the last backup
operation you must perform an authoritative restore. For example, you must perform an
authoritative restore if you inadvertently delete users, groups or OUs from Active Directory
and you want to restore the system so that the deleted objects are recovered and replicated.
To authoritatively restore Active Directory data, you must run the NTDSUTIL utility after you
have performed a nonauthoritative restore of the
server. The NTDSUTIL utility can be found in the systemroot\system32 directory and
accompanying documentation within the Windows 2000 Help files (available from the Start
Menu).
Performing a Nonauthoritative Restore
To restore the
special safe mode called Directory Services Restore Mode. This allows you to restore the
SYSVOL directory and Active Directory database. You can only restore the System State data
on a local computer. You cannot restore the System State data on a remote computer.
NOTE: If you restore the
the restored data, Backup will
erase the
and replace it with the
State data to an alternate location, only the registry files, SYSVOL directory files, and system
boot files are restored to the alternate location. The Active Directory database, Certificate
Services database, and COM+ Class Registration database are not restored if you designate
an alternate location.
NOTE: When you restart the computer in Directory Services Restore Mode, you must log on
as an Administrator by using a valid Security Accounts Manager (SAM) account name and
password, not the Active Directory Administrator’s name and password. This is because
Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts
database is used to control access to Active Directory while it is offline. You specified this
password when you set up Active Directory.
Specifying Advanced Restore Settings
The Advanced settings in the Restore Wizard vary, depending on the type of backup media
from which you are restoring.
*** See the table on page 385 ***
After you have finished the Restore Wizard, Windows Backup does the following:
Prompts you to verify your selection of the source media to use to restore data. After the
verification, Windows Backup starts the restore process.
Displays status information about the restore process. As with a backup process, you can
choose to view the report (restore log) of the restore. It contains information about the restore,
such as the number of files that have been restored and the duration of the restore process.
Performing an Authoritative Restore
An authoritative restore occurs after a nonauthoritative restore and designates the entire directory,
a subtree, or individual objects to be recognized as authoritative with respect to replica domain
controllers in the forest. The NTDSUTIL utility allows you to mark objects as authoritative so
that they are propagated through replication, thereby updating existing copies of those objects
throughout the forest.
NOTE: When you restart the computer in Directory Services Restore Mode, you must log on
as an Administrator by using a valid SAM account name and password, not the Active Directory
Administrator's name and password. This is because Active Directory is offline and account
verification cannot occur. Rather, the SAM accounts database is used to control access to Active
Directory while it is offline.
When the restored domain controller is online and connected to the network, normal replication
brings the restored domain controller up to date with any changes from the additional domain
controllers that were not overridden by the authoritative restore.
Because the objects that are restored have the same object GUID and object SID, security
remains intact, and object dependencies are maintained.
Additional Tasks for Authoritatively Restoring the Entire Active Directory Database
When you authoritatively restore the entire Active Directory database, you also must perform an
additional procedure involving the SYSVOL directory. To ensure the proper elements are
authoritatively restored, you must also:
Copy the SYSVOL directory on the alternate location over the existing one after the SYSVOL
share is published.
When you authoritatively restore a portion of the Active Directory database (including policy
objects), you also must perform an additional procedure involving the SYSVOL directory. To
ensure the proper elements are authoritatively restored, you must also:
Copy only policy folders (identified by the GUID) corresponding to the restored Policy objects
from the alternate location after the SYSVOL share is published. Then, copy them over the
existing ones.
When authoritatively restoring either the entire Active Directory database or selected objects, it is
important that you copy the SYSVOL and policy data from the alternate location after the
SYSVOL share is published. If the computer is in a replicated domain, it may take several
minutes before the SYSVOL share is published because it needs to synchronize with its
replication partners.
Lesson Summary:
replicated with another domain controller, such as the Active Directory directory service,
will be brought up to date by replication after you restore the data.
operation are not restored; the deleted objects are recovered and replicated.
computer in a special safe mode called Directory Services Restore Mode. This
allows you to restore the SYSVOL directory and Active Directory directory services
database.
and then use the NTDSUTIL utility to mark objects as authoritative so that they are
propagated through replication.
Lesson 8:
Troubleshooting Active Directory
See the charts on pages 389 and 390