Active Directory Tools


The three main tools for administering Active Directory are the following MMC consoles, which are also the names of the corresponding MMC snap-ins:

Active Directory Domains and Trusts (domain.msc)

Used to administer certain aspects of domains and trusts. This tool is discussed under Domain Tools later in this chapter.

Active Directory Sites and Services (dssite.msc)

Used to create sites and manage directory replication between them. This tool is discussed under Site Tools later in this chapter.

Active Directory Users and Computers (dsa.msc)

Used to create and manage Active Directory objects such as users, computers, groups, and printers. This tool is discussed later in this section.

You can access these tools several ways:

  • Start → Programs → Administrative Tools → select the appropriate tool.

  • Add the appropriate snap-in to a new or existing MMC console.

  • Install the WS2003 Administrative Tools Pack on an XP or WS2003 machine and use the Active Directory Management convenience console, which contains all three of these snap-ins plus DNS.

  • Type the filename associated with the tool (domain.msc, dssite.msc, or dsa.msc) at the command prompt or use Start → Run.

Other tools used to administer certain aspects of Active Directory include:

Active Directory Migration Tool (ADMT)

An MMC snap-in used to simplify the migration of users, groups, and computers in NT 4.0 domains to Active Directory domains

Active Directory Schema

An MMC snap-in used to add a new class or attribute to the Active Directory schema

adprep

A command-line tool used to prepare an existing W2K forest or domain for upgrading to WS2003

dsadd, dsget, dsmod, dsmove, dsquery, and dsrm

New command-line tools that enable you to find and manage users, groups, computers, and OUs

ldifde

A command-line tool that enables you to batch import/export information to/from Active Directory using the LDAP Data Interchange Format (LDIF) standard

Ldp

A GUI utility in \SUPPORT\TOOLS on the product CD that allows you to perform LDAP searches against Active Directory to view and modify information not visible in the GUI tools for managing Active Directory

ntdsutil

A command-line tool used to perform maintenance on certain aspects of Active Directory, such as performing an offline defragmentation to compact the datastore

In addition, a number of command-line tools in the \SUPPORT\TOOLS folder on the WS2003 product CD can be used to administer certain aspects of Active Directory. These tools include DCDiag, Dnscmd, DSAStat, MoveTree, Netdom, NETDiag, NLTest, Repadmin, and several others that can be found in the SUPPORT.CAB cabinet file and can be installed using the SUPTOOLS.MSI Windows Installer package file.

Active Directory Users and Computers

Active Directory Users and Computers is one of the WS2003 tools you will use frequently as an administrator. You can use this tool to create Active Directory objects representing users, groups, computers, printers, and shared folders. You can also use it to create OUs, delegate authority over OUs to trusted users, link Group Policy Objects (GPOs) to domains and OUs, and manage certain aspects of domain controllers. The console tree of this tool displays the domain you have selected and the hierarchy of OUs (if any) that make up the logical structure of the domain. The console tree also includes a number of default containers:

Builtin

Contains various domain local groups in the domain, such as Administrators and Users.

Computers

Contains computer accounts for member servers and workstations in the domain.

Domain Controllers

Contains domain controllers for the domain.

Foreign Security Principals

Contains SIDs associated with objects from external trusted domains.

Users

Contains built-in user accounts, global groups, and a few domain local groups. This container is also the default container for accounts upgraded from downlevel NT domains.

There are also some additional hidden containers that are rarely used in day-to-day administration of Active Directory; later in this section I describe how to make these containers visible.

New to this version is the Saved Queries folder, which lets administrators create and save LDAP queries that search for specific types of Active Directory objects. For example, you can create queries to find all disabled user accounts, all users with nonexpiring passwords, and so on. When you execute a saved query, you can simultaneously modify all the objects found. This new bulk-edit feature of WS2003 is much easier than the W2K approach of creating custom ADSI scripts for similar purposes.
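The two saved queries named above (disabled accounts and non-expiring passwords), written as LDAP filters and run with the dsquery, dsget, dsmod and ldifde command-line tools listed earlier in this section, plus the same bitwise test applied to one more userAccountControl flag. This is an added example, not from the book; it assumes a WS2003 domain member with the Administrative Tools Pack installed and an account with read rights to the domain.

```batch
@echo off
rem Added example (not from the book). Assumes the WS2003 dsquery/dsget/
rem dsmod/ldifde tools are installed and the caller can read the domain.
rem Every list is printed for review before anything is changed.

rem 1. The "disabled user accounts" saved query, via the built-in switch.
rem    dsget reads the DNs from stdin and adds the SAM name and status;
rem    -limit 0 lifts the default cap of 100 results.
dsquery user domainroot -disabled -limit 0 | dsget user -samid -disabled

rem 2. The "non-expiring passwords" saved query as a raw LDAP filter.
rem    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule;
rem    bit 0x10000 (65536) of userAccountControl is DONT_EXPIRE_PASSWD.
rem    objectCategory=person excludes computer accounts, which are also
rem    objectClass=user.
dsquery * domainroot -limit 0 ^
  -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" ^
  -attr sAMAccountName userAccountControl pwdLastSet

rem 3. Same test for bit 0x20 (32) = PASSWD_NOTREQD: accounts that are
rem    allowed an empty password regardless of domain password policy.
dsquery * domainroot -limit 0 ^
  -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" ^
  -attr sAMAccountName userAccountControl

rem 4. Export the non-expiring set to an LDIF file for offline review
rem    (-p subtree searches the whole default naming context).
ldifde -f pwd-never-expires.ldf -p subtree ^
  -r "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" ^
  -l "sAMAccountName,userAccountControl,pwdLastSet"

rem 5. The bulk-edit step a saved query offers in the GUI, from the shell:
rem    dsmod also reads DNs from stdin, so the query output pipes straight
rem    into it. Left commented out; enable once the list has been reviewed.
rem dsquery * domainroot -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" | dsmod user -pwdneverexpires no
```

Run it from a command prompt on a domain member; the `^` continuations and the `rem` lines are batch-file syntax, so save it with a .cmd extension rather than pasting it interactively.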

Action Menu

Here is a brief summary of the kinds of tasks you can perform using the Action menu once you select a node in the console tree or an object in the details pane:

Active Directory Users and Computers

Select this node to connect to another domain or domain controller, view or change the operations masters for the domain, or raise the domain functional level.

Saved Queries

Select this node to create a new query and create subfolders for organizing your queries. Select a query to edit it or export it as an XML file, which can then be imported into the Saved Queries folder of a different domain.

Any domain

Select this node to delegate authority for the domain, apply Group Policy to the domain, invoke the Resultant Set of Policy (RSoP) Wizard, create OUs or other objects within the domain, and perform other tasks listed under Active Directory Users and Computers earlier in this section.

Any OU

Select this node to delegate authority for the OU, move the OU within the domain, apply Group Policy to the OU, or invoke the RSoP Wizard.

Any user, computer, group, or other object

The actions you can perform depend on the type of object you select. For example, right-clicking on a computer object and selecting Manage will open a Computer Management console with the selected computer having the focus.

View Menu

The View menu includes a few interesting options:

Users, Groups, and Computers as containers

This option allows User, Group, and Computer objects to be displayed in the console tree as containers. You might think that selecting a Group object in the console tree would display the group's members in the details pane, but unfortunately this is not the case, so the feature is of little use.

Advanced Features

This option toggles on or off various hidden containers, including LostAndFound, System, NTDS Quotas, and Program Data. The one of most interest here is System, which has subcontainers representing various networking services you have installed, such as DFS, DNS, RAS, and so on. Don't modify anything in these containers unless you really know what you're doing!

Advanced Features also displays two hidden tabs on properties sheets of objects:

Object tab

Displays the canonical name of the object or where it is logically located within Active Directory, in case you're interested.

Security tab

Lets you modify the permissions of objects in Active Directory. Changing these without knowing what you're doing can really cause problems!

Filter Options

This option lets you set up a filter to display one or more types of published objects; for example, to display user accounts only. Filters provide a quick way of narrowing the focus when you are looking for something and have thousands of objects to wade through.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch
