There are several standard administration tasks involved with managing Active Directory. To perform these tasks, you use powerful and flexible Active Directory administrative tools that are included with Windows 2000 Server. These tools simplify directory service administration. You can use the standard consoles or you can use the MMC to create custom consoles that focus on individual management tasks. This lesson introduces the tasks and the Active Directory administrative tools and explains how they are performed using the MMC.
After this lesson, you will be able to
Estimated lesson time: 25 minutes
Administering Windows 2000 Active Directory involves both configuration and day-to-day maintenance tasks. Administrative tasks can be grouped into the six categories, as described in Table 16.2.
Table 16.2 Active Directory Administration Tasks
| Administrative category | Specific tasks |
|---|---|
| Configuring Active Directory | Plan, deploy, manage, monitor, optimize, and troubleshoot Active Directory, including the domain structure, organizational unit (OU) structure, and site structure. Determine an efficient site topology. |
| Administering users and groups | Plan, create, and maintain user and group accounts to ensure that each user can log on to the network and gain access to necessary resources. |
| Securing network resources | Administer, monitor, and troubleshoot authentication services. Plan, implement, and enforce a security policy to ensure protection of data and shared network resources, including folders, files, and printers. |
| Administering Active Directory | Manage the location and control of Active Directory objects. Plan and implement Active Directory backup and restore operations. |
| Administering the desktop computing environment | Deploy, install, and configure the desktop computing environment using group policy. |
| Securing Active Directory | Administer, monitor, and troubleshoot a security configuration. Plan and implement a policy to audit network events so that you can find security breaches. |
| Managing Active Directory | Monitor, maintain, and troubleshoot domain controller performance and Active Directory components using performance monitoring and diagnostic tools. |
| Installing Windows 2000 remotely | Use Remote Installation Services to deploy Windows 2000 remotely. |
The Active Directory administrative tools are installed automatically on computers configured as Windows 2000 domain controllers. The administrative tools are also available with the optional Administrative Tools package. This package can be installed on other versions of Windows 2000 to allow you to administer Active Directory from a computer that is not a domain controller. The following Active Directory standard administrative tools are available on the Administrative Tools menu of all Windows 2000 domain controllers:
The Active Directory Domains and Trusts console helps you manage trust relationships between domains. These domains can be Windows 2000 domains in the same forest, Windows 2000 domains in different forests, pre-Windows 2000 domains, and even Kerberos V5 realms.
Using Active Directory Domains and Trusts, you can do the following:
You provide information about the physical structure of your network by publishing sites to Active Directory using the Active Directory Sites and Services console. Active Directory uses this information to determine how to replicate directory information and handle service requests.
The Active Directory Users and Computers console allows you to add, modify, delete, and organize Windows 2000 user accounts, computer accounts, security and distribution groups, and published resources in your organization's directory. It also allows you to manage domain controllers and OUs.
In addition to the Active Directory consoles provided on the Administrative Tools menu, there are several other tools provided for administering Active Directory.
The Active Directory Schema snap-in allows you to view and modify Active Directory schema. This snap-in is not available by default on the Administrative Tools menu. You must install it, and all of the Windows 2000 administration tools, using Add/Remove Programs in the Control Panel. Do not use the ADMINPAK.MSI file on the Windows 2000 Server CD-ROM to perform these operations.
Follow these steps to install the Active Directory Schema snap-in:
IMPORTANT
Modifying the Active Directory schema is an advanced operation that is best performed by experienced programmers or system administrators. For detailed information about modifying the Active Directory schema, see the Microsoft Active Directory Programmer's Guide.
Several additional tools that can be used to configure, manage, and debug Active Directory are available in the Windows 2000 Support Tools. The Windows 2000 Support Tools are included on the Windows 2000 CD-ROM in the \Support\Tools folder. These tools are intended for use by Microsoft support personnel and experienced users.
To use Active Directory support tools you must first install the Windows 2000 Support Tools on your computer.
Follow these steps to install the Windows 2000 Support Tools:
The Setup program installs all Windows 2000 Support Tools files onto your hard disk and requires a maximum of 18.2 megabytes (MB) of free space.
Setup creates a Windows 2000 Support Tools folder within the Programs folder on the Start menu. For detailed information about individual tools, click the Tools Help menu item. Graphical User Interface (GUI) tools can be selected from the Tools menu.
Setup also adds the \Program Files\Resource Kit directory (or the directory name you choose for installing the tools) to your computer's Path statement.
Table 16.3 describes the support tools that pertain to Active Directory.
Table 16.3 Active Directory Support Tools
| Tool | Used to |
|---|---|
| ACLDIAG.EXE: ACL Diagnostics [1] | Determine whether a user has been granted or denied access to an Active Directory object. It can also be used to reset access control lists to their default state. |
| ADSI Edit [3] | View all objects in the directory (including schema and configuration naming contexts), modify objects, and set access control lists on objects. |
| DFSUTIL.EXE: Distributed File System Utility [1] | Manage all aspects of distributed file system (Dfs), check the configuration concurrency of Dfs servers, and display the Dfs topology. |
| DNSCMD.EXE: DNS Server Troubleshooting Tool [1] | Check dynamic registration of DNS resource records, including secure DNS update. It is also used to deregister resource records. |
| DSACLS.EXE [1] | View or modify the access control lists of objects in Active Directory. |
| DSASTAT.EXE: Active Directory Diagnostic Tool [1] | Compare naming contexts on domain controllers and detect differences. |
| LDP.EXE: Active Directory Administration Tool [2] | Allow Lightweight Directory Access Protocol (LDAP) operations to be performed against Active Directory. |
| MOVETREE.EXE: Active Directory Object Manager [1] | Move Active Directory objects such as OUs and users between domains in a single forest. |
| NETDOM.EXE: Windows 2000 Domain Manager [1] | Manage Windows 2000 domains and trust relationships. |
| NLTEST.EXE [1] | Provide a list of primary domain controllers, force a shutdown, and provide information about trusts and replication. |
| REPADMIN.EXE: Replication Diagnostics Tool [1] | Check replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and knowledge consistency checker recalculation. |
| REPLMON.EXE: Active Directory Replication Monitor [2] | Graphically display replication topology, monitor replication status (including policies), and force replication events and knowledge consistency checker recalculation. |
| SDCHECK.EXE: Security Descriptor Check Utility [1] | Check ACL propagation and replication for specified objects in the directory. This tool enables an administrator to determine whether ACLs are being inherited correctly and whether ACL changes are being replicated from one domain controller to another. |
| SIDwalker: Security Administration Tools | Manage access control policies on Windows 2000 and Windows NT systems. SIDwalker consists of three separate programs: Showaccs.exe [1] and Sidwalk.exe [1] for examining and changing access control entries, and Security Migration Editor [3] for editing the mapping between old and new security IDs (SIDs). |

[1] command-line tool
[2] graphical user interface tool
[3] Microsoft Management Console snap-in
For more information about Active Directory support tools, see the Microsoft Windows Server 2000 Resource Kit.
Active Directory Service Interfaces (ADSI) provides a simple, powerful, object-oriented interface to Active Directory. ADSI makes it easy for programmers and administrators to create programs utilizing directory services by using high-level tools such as Microsoft Visual Basic, Java, C, or Visual C++ as well as ActiveX Scripting Languages, such as VBScript, JScript, or PerlScript, without having to worry about the underlying differences between the different namespaces. ADSI is a fully programmable automation object for use by administrators.
ADSI enables you to build or buy programs that give you a single point of access to multiple directories in your network environment, whether those directories are based on LDAP or another protocol.
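The following script is an added example, not code from the training kit. It uses the ADSI interfaces described above, reached from PowerShell through the `[ADSI]` type accelerator on a current domain-joined Windows host (PowerShell postdates Windows 2000; the same `IADs` COM objects are what VBScript or JScript would call), to list the access control entries on a directory object and flag broad principals that hold write-capable rights. This is the same information DSACLS.EXE and ACLDIAG.EXE from Table 16.3 report from the command line, collected in a form you can keep for comparison. The OU path, the list of "broad" principals, and the rights pattern are assumptions to adapt to your own domain.

```powershell
# Added example (not from the training kit): report the DACL of an Active Directory
# object through ADSI and flag broad principals that hold write-capable rights.
# The distinguished name below is a constructed placeholder.
param(
    [string]$ObjectPath = 'LDAP://OU=Sales,DC=example,DC=com'
)

function Get-AdObjectAceReport {
    param([string]$Path)
    $entry = [ADSI]$Path
    # DirectoryEntry.ObjectSecurity exposes the security descriptor as
    # System.DirectoryServices.ActiveDirectorySecurity.
    $sd = $entry.psbase.ObjectSecurity
    # Explicit and inherited rules, with identities resolved to NT account names.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        [pscustomobject]@{
            Identity    = $rule.IdentityReference.Value
            Type        = $rule.AccessControlType       # Allow or Deny
            Rights      = $rule.ActiveDirectoryRights   # e.g. GenericAll, WriteDacl
            Inherited   = $rule.IsInherited             # false = set directly on this object
            Inheritance = $rule.InheritanceType         # how the ACE flows to children
        }
    }
}

function Find-BroadWriteAce {
    param([object[]]$Report)
    # Assumed review threshold: any Allow ACE granting write-class rights to
    # a principal that covers essentially every account in the domain.
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
    $Report | Where-Object {
        $_.Type -eq 'Allow' -and
        ($broad -contains $_.Identity -or $_.Identity -like '*\Domain Users') -and
        ("$($_.Rights)" -match $writeRights)
    }
}

$report = Get-AdObjectAceReport -Path $ObjectPath
Write-Host "All ACEs on $ObjectPath"
$report | Format-Table -AutoSize
Write-Host 'ACEs that grant write-class rights to broad principals (review these):'
Find-BroadWriteAce -Report $report | Format-Table -AutoSize
```

Running the report before and after an ACL change, or against the same object on two domain controllers, gives a quick consistency check of the kind SDCHECK.EXE performs; the `Inherited` column shows whether an entry was placed on the object directly or arrived through inheritance from a parent container.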
The MMC is a tool used to create, save, and open collections of administrative tools, which are called consoles. When you access the Active Directory administrative tools, you are accessing the MMC for that tool. The Active Directory Domains and Trusts, Active Directory Sites and Services, and Active Directory Users and Computers administrative tools are each a console. The console does not provide management functions itself, but is the program that hosts management applications called snap-ins. You use snap-ins to perform one or more administrative tasks.
There are two types of MMCs: preconfigured and custom. Preconfigured MMCs contain commonly used snap-ins, and they appear on the Administrative Tools menu. You create custom MMCs to perform a unique set of administrative tasks. You can use both preconfigured and custom MMCs for remote administration.
Preconfigured MMCs contain snap-ins that you use to perform the most common administrative tasks. Windows 2000 installs a number of preconfigured MMCs during installation. Preconfigured MMCs have the following characteristics:
Table 16.4 lists the typical preconfigured MMCs in Windows 2000 and their function.
Table 16.4 Preconfigured MMCs
| Preconfigured MMC | Function |
|---|---|
| Active Directory Domains and Trusts [1,2] | Manages the trust relationships between domains |
| Active Directory Sites and Services [1,2] | Creates sites to manage the replication of Active Directory information |
| Active Directory Users and Computers [1,2] | Manages users, computers, security groups, and other objects in Active Directory |
| Component Services | Configures and manages COM+ applications |
| Computer Management | Manages disks and provides access to other tools to manage local and remote computers |
| Configure Your Server [1] | Sets up and configures Windows services for your network |
| Data Sources (ODBC) | Adds, removes, and configures Open Database Connectivity (ODBC) data sources and drivers |
| DHCP [1,2] | Used to configure and manage the Dynamic Host Configuration Protocol (DHCP) service |
| Distributed File System (DFS) [1] | Creates and manages DFSs that connect shared folders from different computers |
| DNS [1,2] | Manages the DNS service, which translates DNS computer names to IP addresses |
| Domain Controller Security Policy [1,2] | Used to view and modify security policy for the Domain Controllers OU |
| Domain Security Policy [1,2] | Used to view and modify security policy for the domain, such as user rights and audit policies |
| Event Viewer | Displays monitoring and troubleshooting messages from Windows and other programs |
| Internet Services Manager [1] | Manages Internet Information Services (IIS), the Web server for Internet and intranet Web sites |
| Licensing [1] | Manages client access licensing for a server product |
| Local Security Policy [3] | Used to view and modify local security policy, such as user rights and audit policies |
| Performance | Displays graphs of system performance and configures data logs and alerts |
| Routing and Remote Access [1] | Used to configure and manage the Routing and Remote Access service |
| Server Extensions Administrator [1] | Used to administer Microsoft FrontPage Server Extensions and FrontPage extended webs |
| Services | Starts and stops services |
| Telnet Server Administration [1] | Used to view and modify telnet server settings and connections |

[1] MMC not available on Windows 2000 Professional.
[2] MMC not available on Windows 2000 Server standalone server.
[3] MMC not available on Windows 2000 Server domain controller.
You can use many of the preconfigured MMCs for administrative tasks. However, there will be times when you need to create your own custom MMCs. Although you can't modify preconfigured consoles, you can combine multiple preconfigured snap-ins with third-party snap-ins that perform related tasks to create custom MMCs. You can then do the following:
Creating custom MMCs allows you to meet your administrative requirements by combining snap-ins that you use to perform common administrative tasks. By creating a custom MMC, you do not have to switch between different programs or different preconfigured MMCs because all of the snap-ins that you need to perform your job are located in the custom MMC.
Consoles are saved as files and have an .msc extension. All the settings for the snap-ins contained in the console are saved and restored when the file is opened, even if the console file is opened on a different computer or network.
Every MMC has a console tree. A console tree displays the hierarchical organization of the snap-ins contained within the MMC. As you can see in Figure 16.10, this MMC contains the Device Manager on the local computer and the Disk Defragmenter snap-ins.
Figure 16.10 A sample MMC
The console tree organizes snap-ins that are part of the MMC. This allows you to easily locate a specific snap-in. Items that you add to the console tree appear under the console root. The details pane lists the contents of the active snap-in.
Every MMC contains the Action menu and the View menu. The choices on these menus are context-sensitive, depending on the current selection in the console tree.
Snap-ins are applications that are designed to work in an MMC. Use snap-ins to perform administrative tasks. There are two types of snap-ins: standalone snap-ins and extension snap-ins.
Standalone snap-ins are usually referred to simply as snap-ins. Use standalone snap-ins to perform Windows 2000 administrative tasks. Each snap-in provides one function or a related set of functions. Windows 2000 Server comes with standard snap-ins. Windows 2000 Professional includes a smaller set of standard snap-ins.
Extension snap-ins are usually referred to simply as extensions. They are snap-ins that provide additional administrative functionality to another snap-in. The following are characteristics of extensions:
Figure 16.11 demonstrates the concept of snap-ins and extensions. A toolbox (an MMC) holds a drill (a snap-in). You can use a drill with its standard drill bit, and you can perform additional functions with different drill bits (extensions).
Figure 16.11 Snap-ins and extensions
Some standalone snap-ins, such as the Computer Management snap-in, can use extensions that provide additional functionality. However, some snap-ins, like Event Viewer, can act as a snap-in or an extension.
Use console options to determine how each MMC operates by selecting the appropriate console mode. The console mode determines the MMC functionality for the person who is using a saved MMC. The two available console modes are Author mode and User mode.
When you save an MMC in Author mode, you enable full access to all MMC functionality, which includes modifying the MMC. Save the MMC using Author mode to allow those using it to do the following:
NOTE
By default, all new MMCs are saved in Author mode.
Usually, if you plan to distribute an MMC to other administrators, you save the MMC in User mode. When you set an MMC to User mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC.
There are three types of User modes that allow different levels of access and functionality. Table 16.5 describes when to use each User mode.
Table 16.5 MMC Console User Modes
| User mode | Use when |
|---|---|
| Full Access | You want to allow users to navigate between snap-ins, open new windows, and gain access to all portions of the console tree. |
| Limited Access, Multiple Windows | You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view multiple windows in the console. |
| Limited Access, Single Window | You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view only one window in the console. |
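The script below is an added example, not part of the training kit. It reads the console mode recorded in a saved .msc file and maps it onto the modes in Table 16.5, and it checks whether the MMC Group Policy settings for the current user restrict Author mode, which is what actually stops the recipient of a User-mode console from re-opening it with full functionality. Two assumptions are made: that the console was saved by a current MMC version, which stores the file as XML with a `ProgramMode` attribute on the root element (Windows 2000 consoles used an older binary format), and that the policy values live under the `HKCU\Software\Policies\Microsoft\MMC` key written by the MMC administrative template. The sample file name is a placeholder.

```powershell
# Added example (not from the training kit): inspect a saved console's mode and the
# per-user MMC policy that restricts Author mode. Assumes an XML-format .msc
# (MMC 3.0 style) and the policy key/value names of the MMC administrative template.
function Get-MscConsoleMode {
    param([Parameter(Mandatory)][string]$Path)
    # Map the ProgramMode attribute onto the modes described in Table 16.5.
    $modeNames = @{
        'Author'   = 'Author mode'
        'UserFull' = 'User mode - Full Access'
        'UserMDI'  = 'User mode - Limited Access, Multiple Windows'
        'UserSDI'  = 'User mode - Limited Access, Single Window'
    }
    [xml]$doc = Get-Content -Path $Path -Raw
    $raw = $doc.DocumentElement.GetAttribute('ProgramMode')
    [pscustomobject]@{
        File        = $Path
        ProgramMode = $raw
        Description = if ($modeNames.ContainsKey($raw)) { $modeNames[$raw] } else { 'unknown' }
    }
}

function Get-MmcAuthorModeRestriction {
    # User Configuration > Administrative Templates > Windows Components >
    # Microsoft Management Console; values are 1 when the policy is enabled.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\MMC'
    $result = [ordered]@{
        PolicyKeyPresent     = Test-Path -Path $policyKey
        AuthorModeRestricted = $false
        OnlyPermittedSnapins = $false
    }
    if ($result.PolicyKeyPresent) {
        $values = Get-ItemProperty -Path $policyKey
        $result.AuthorModeRestricted = ($values.RestrictAuthorMode -eq 1)
        $result.OnlyPermittedSnapins = ($values.RestrictToPermittedSnapins -eq 1)
    }
    [pscustomobject]$result
}

# Placeholder path; replace with a console you have distributed.
$console = 'C:\Consoles\helpdesk.msc'
if (Test-Path -Path $console) {
    Get-MscConsoleMode -Path $console | Format-List
}
Get-MmcAuthorModeRestriction | Format-List

# For reference: mmc.exe opens a console in the mode saved in the file,
# while "mmc.exe /a <file.msc>" asks for Author mode regardless of that setting.
# Only the RestrictAuthorMode policy turns the saved User mode into an enforced one.
```

The practical point for a console you hand to other administrators: saving in User mode controls what the console offers when it is opened normally, but it is the policy check above (and, where you use it, the permitted-snap-ins list) that prevents the same user from adding snap-ins or saving changes by re-opening the file in Author mode.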
In this lesson you learned about Active Directory administration tasks, which include configuring Active Directory, administering users and groups, securing network resources, administering Active Directory, administering the desktop computing environment, securing Active Directory, managing Active Directory performance, and installing Windows 2000 remotely.
You also learned about the Active Directory administrative tools you can use to accomplish these tasks. The Active Directory Domains and Trusts console manages the trust relationships between domains. The Active Directory Sites and Services console creates sites to manage the replication of Active Directory information. The Active Directory Users and Computers console manages users, computers, security groups, and other objects in Active Directory.
The MMC is a tool used to create, save, and open collections of administrative tools, called consoles. MMCs hold one or more management applications, called snap-ins, which you use to perform administrative tasks. Preconfigured MMCs contain commonly used snap-ins, and they appear on the Administrative Tools menu. You create custom MMCs to perform a unique set of administrative tasks. You can use both preconfigured and custom MMCs for remote administration.
You learned that every MMC has a console tree. The console tree displays the hierarchical organization of the snap-ins that are contained within that MMC. This allows you to locate a specific snap-in easily. The details pane lists the contents of the active snap-in. You also learned that there are two types of snap-ins: standalone snap-ins and extension snap-ins.
Finally, in this lesson you learned about console options. You use console options to determine how each MMC operates by selecting the appropriate console mode. The two available console modes are Author mode and User mode. When you save an MMC in Author mode, you enable full access to all MMC functionality, which includes modifying the MMC. When you set an MMC to User mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC.