Tools for Active Directory

When working with Active Directory, either as a developer or network administrator, there are various tools at your disposal. This section presents a brief summary of some of the tools available for Active Directory. I've mentioned a few of these already.

Administrative Tools

Windows 2000 contains a number of tools to manage Active Directory. They include Active Directory Domains and Trusts, Active Directory Sites and Services, and Active Directory Users and Computers. Domains and Trusts is used to administer trust relationships. Sites and Services is used to administer replication, and Users and Computers is used to administer objects in the domain partition of Active Directory. These tools are snap-ins for Microsoft Management Console (MMC) and are automatically installed on an Active Directory–enabled server. To remotely manage Active Directory, you must install the Windows 2000 Administrative Tools package (Adminpak.msi). This package can be installed from the I386 directory of the Windows 2000 Server or Windows 2000 Advanced Server CD-ROM. Once installed, these tools are accessible from the Control Panel by choosing Administrative Tools, as shown in Figure 2-13.

Figure 2-13 Administrative Tools folder showing icons for Active Directory Domains and Trusts, Active Directory Sites and Services, and Active Directory Users and Computers snap-ins.

Some of the Active Directory snap-ins have options that control what information is presented; these options are set from the View menu in MMC. Developers and administrators should consider enabling the Advanced Features option in the Active Directory Users and Computers snap-in, which will allow containers and objects that are hidden by default to be seen. Specifically, any object that has the showInAdvancedViewOnly attribute set to TRUE will be hidden unless Advanced Features is enabled.

Active Directory Schema

A useful tool that is not listed in the Administrative Tools folder is the Active Directory Schema snap-in for MMC that allows you to view the Active Directory schema. Although this tool is installed with the other Active Directory snap-ins, it's not listed on the menu in order to prevent casual users from browsing the schema. To run this tool, type schmmgmt.msc in the Run dialog box. You can also run this tool by adding the Active Directory Schema snap-in to MMC. If the Active Directory Schema snap-in is not listed as an available snap-in, you might need to register the schema component by running Regsvr32.exe schmmgmt.dll. Figure 2-14 shows how the Active Directory Schema snap-in looks.

Figure 2-14 Active Directory Schema snap-in.


Creating Custom Consoles

Throughout this book you'll see screen shots of consoles. Consoles are collections of administrative tools that use the Microsoft Management Console (MMC) architecture. The MMC application allows anyone to add snap-ins or other extensions to the user interface. When developing an application for Active Directory, you might find it convenient to group all the Active Directory–related snap-ins in one console. To create your own console, follow these steps:

  1. To start MMC, type mmc in the Run dialog box.
  2. Choose Add/Remove Snap-In from the Console menu.
  3. Click Add.
  4. Select an Active Directory snap-in, and then click Add for each snap-in you want to add to the current console.
  5. Click Close when you are finished, and then click OK.
  6. To change the console name, console mode, or specify other options, choose Options on the Console menu.
  7. To modify the console view, choose Customize on the View menu.
  8. When you've finished, choose Save from the Console menu to save this console as an .msc (console) file. You can place this file anywhere in your system.

All the supplied snap-ins are located in the System32 folder where Windows 2000 is installed (usually C:\Winnt\System32). This folder is part of the default search path so all the snap-ins can be executed from a command prompt or from the Run dialog box. For quick access to a particular snap-in without launching a custom console, type the name of the snap-in in the Run dialog box. The following are some commonly used snap-ins and their corresponding console file names:

  Active Directory Domains and Trusts: domain.msc
  Active Directory Sites and Services: dssite.msc
  Active Directory Users and Computers: dsa.msc
  Active Directory Schema: schmmgmt.msc


ADSI Edit

The ADSI Edit tool is another snap-in for MMC that allows you to browse the directory partitions easily and retrieve attribute-level information from objects using the Active Directory Service Interfaces (ADSI), discussed in Chapter 3. You can also use ADSI Edit to create new directory objects without using the user interface of the other Active Directory snap-ins. This tool is installed with the Windows 2000 Support Tools (Support\Tools\Setup.exe) on the Windows 2000 Server or Windows 2000 Advanced Server CD-ROM. You can run ADSI Edit by selecting it from the Windows 2000 Support Tools folder on the Programs menu or by adding the ADSI Edit snap-in to MMC. Figure 2-15 shows the ADSI Edit snap-in.

Figure 2-15 ADSI Edit snap-in.

Ldp

The Ldp tool allows you to perform low-level LDAP operations—such as connect, bind, search, modify, create, and delete—against any directory that supports LDAP. (I'll discuss LDAP in more detail in the next chapter.) Like ADSI Edit, this tool is installed with the Windows 2000 Support Tools (Support\Tools\Setup.exe) on the Windows 2000 Server or Windows 2000 Advanced Server CD-ROM. You can run Ldp by selecting Active Directory Administrative Tool (a misnomer) from the Windows 2000 Support Tools folder on the Programs menu or by running Ldp.exe. This tool is helpful when debugging difficult problems with Active Directory, but using it requires a thorough knowledge of LDAP. Figure 2-16 shows how Ldp looks.

Figure 2-16 Ldp.exe.

Ntdsutil

Ntdsutil is a powerful command-line tool that allows you to perform various administrative tasks for Active Directory. Ntdsutil allows administrators to maintain the Active Directory data store, perform restoration of directory data, create new domains, and control the various operation master roles. Additionally, you can use Ntdsutil to configure the LDAP policies for a server, such as how many connections are allowed at one time. Ntdsutil is installed by default with Windows 2000 in the Winnt\System32 folder. Figure 2-17 shows Ntdsutil in action.

Some people use Ntdsutil to configure the LDAP policy for page size. This is not a good practice. The LDAP policy for page size controls how many results are returned at one time by the server when queried. By default, Active Directory will return up to 1,000 objects that match the search criteria. This is known as a results page. Each page is a block of records that match the query. When the application wants the next page, it requests it from Active Directory and the process continues. Pages are useful to ensure that no single application ties up the Active Directory with large searches. However, using pages adds some complexity to simple search programs. Don't be tempted to increase the default page size of an Active Directory server, particularly a server that is acting as the global catalog. Instead, use page-enabled searches, as discussed in Chapter 5, "Searching Active Directory."

Figure 2-17 Ntdsutil.exe.
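The page-size behavior described above, as an added example that is not from the book: a constructed Python model of the paged-results exchange, showing why a paged client retrieves everything while the server policy stays at 1,000. The ToyDirectoryServer class, the integer cookie, and the sizeLimitExceeded error on non-paged searches are assumptions of this model; no real directory is contacted.

```python
# Constructed model of an LDAP paged search; names and sample DNs are hypothetical.
MAX_PAGE_SIZE = 1000  # default server policy described in the text

class SizeLimitExceeded(Exception):
    """Non-paged search matched more entries than the server policy allows."""
    def __init__(self, partial):
        super().__init__(f"sizeLimitExceeded after {len(partial)} entries")
        self.partial = partial

class ToyDirectoryServer:
    """Stand-in for a domain controller holding `count` constructed user objects."""
    def __init__(self, count):
        self.entries = [f"CN=user{i:05d},CN=Users,DC=example,DC=com" for i in range(count)]

    def search(self, page_size=None, cookie=None):
        """Return (entries, cookie); cookie is None once the result set is exhausted."""
        if page_size is None:
            # No paging control: the server stops at the policy limit and signals truncation.
            if len(self.entries) > MAX_PAGE_SIZE:
                raise SizeLimitExceeded(self.entries[:MAX_PAGE_SIZE])
            return list(self.entries), None
        if page_size < 1:
            raise ValueError("page_size must be at least 1")
        # Paging control present: the requested size is capped by server policy.
        size = min(page_size, MAX_PAGE_SIZE)
        start = cookie or 0  # a real cookie is opaque; an offset is used here for clarity
        page = self.entries[start:start + size]
        nxt = start + size
        return page, (nxt if nxt < len(self.entries) else None)

def paged_search(server, page_size=500):
    """Client loop: resend the returned cookie until the server reports no more pages."""
    results, cookie, round_trips = [], None, 0
    while True:
        page, cookie = server.search(page_size=page_size, cookie=cookie)
        results.extend(page)
        round_trips += 1
        if cookie is None:
            return results, round_trips

def simple_search(server):
    """Non-paged client: returns (entries, truncated) so callers can detect data loss."""
    try:
        entries, _ = server.search()
        return entries, False
    except SizeLimitExceeded as exc:
        return exc.partial, True
```

A client that ignores the truncated flag silently works with an incomplete result set, which matters for any audit or access-review script that enumerates accounts.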

ADSI Viewer

The final tool I'll introduce is the one I find most useful in everyday interaction with Active Directory. ADSI Viewer (Adsvw.exe) is part of the ADSI SDK 2.5, which is on this book's companion CD. ADSI Viewer is also a part of the Microsoft Platform SDK available from http://msdn.microsoft.com/windows2000/. Unlike ADSI Edit, ADSI Viewer allows searching and presents additional options for certain objects that have associated ADSI interfaces. It can also be used to communicate with other directory services and a Windows NT SAM database. Figure 2-18 shows ADSI Viewer with one window opened to a computer object and the bottom window showing the results of a search.

Figure 2-18 ADSI Viewer (Adsvw.exe) with object and query results shown in different windows.



Microsoft® Windows® 2000 Active Directory™ Programming
Year: 2001
Pages: 108
