This chapter has perhaps more illustrations than any other in the whole book. No wonder! A picture is worth a thousand words! This is not a formal reference to all administrative snap-ins' screens, menus, commands, features, or to the operations that they implement. Neither are all snap-ins discussed. I would like to focus the reader's attention on certain details and options that are not obvious or that might go unnoticed upon first acquaintance with the snap-ins intended to manage Active Directory. Using this "know-how" will allow you to organize your workplace more efficiently. The differences between the Windows 2000 and Windows .NET versions of the snap-ins are also considered.
This chapter unveils certain aspects involved in using the features of the administrative tools for managing Active Directory. Other typical administrative tasks carried out by these and other tools will be discussed in Chapter 8, "Common Administrative Tasks," and in other chapters, where specific tasks are described in detail.
Both Windows 2000 and Windows .NET systems use the same set of snap-ins for administering Active Directory. For the most part, these tools have not changed in the new version; they perform the same functions (although in Windows .NET, all of them have some additional features). Therefore, an administrator acquainted with Windows 2000-based domains can easily master commonly used operations in the Windows .NET environment.
After a Windows .NET Server has been promoted to a domain controller, new tools (listed in Table 7.1) will appear in the Administrative Tools group on the Start menu.
Icon | Tool name | Main operations performed by the tool |
---|---|---|
| Active Directory Domains and Trusts | Selecting a domain for management in large forests. Managing domain functional levels. Creating, verifying, and deleting trusts between domains |
| Active Directory Sites and Services | Creating and manipulating sites, transports, and subnets. Managing replication schedules and links. Triggering replication between domain controllers. Setting permissions on objects. Linking GPOs to sites. Enabling DCs to act as global catalog servers |
| Active Directory Users and Computers | Creating and manipulating AD objects (users, groups, OUs, etc.). Setting permissions for objects. Linking GPOs to domains and OUs. Managing domain functional levels. Transferring FSMO roles |
| Domain Controller Security Policy | In Windows 2000-based domains:
In Windows .NET-based domains:
|
| Domain Security Policy | In Windows 2000-based domains:
In Windows .NET-based domains:
|
| Group Policy Object Editor[1] | Editing GPOs linked to an Active Directory container (site, domain, OU) or stored on a local computer. This snap-in is not shown on the Start menu, but is accessible from other administrative snap-ins or can be added to a custom MMC console. |
[1] In Windows 2000, this snap-in is called Group Policy.
These tools can be installed as a part of the Administration Tools Pack (see "Remote Administration" in Chapter 8, "Common Administrative Tasks") onto any client computer with Windows XP Professional or a member server with Windows .NET. The Security Policy snap-ins will not appear on the Start menu in that case.
Note: The Active Directory Schema Manager snap-in included in the Administration Tools Pack is also installed on domain client computers and appears on the Start menu.

Important: It is not possible to install Windows .NET administrative snap-ins onto Windows 2000-based computers.
Some other important tools (Table 7.2) for administering Active Directory are included in the Support Tools pack. These tools might be regarded as mandatory for an administrator, and are discussed later in this book.
Icon | Tool name | Main operations performed by the tool |
---|---|---|
| ADSI Edit (adsiedit.msc) | "Low-level" editing of the Active Directory objects that belong to any directory partition (application, domain, configuration, and schema). (The RootDSE object is also accessible.) Setting permissions on objects. |
| Active Directory Administration Tool (Ldp.exe) | Searching Active Directory and modifying directory objects using LDAP queries. |
| Active Directory Replication Monitor (replmon.exe) | Monitoring replication status and topology. Triggering replication. Monitoring FSMO roles and flags of domain controllers. |