Lesson 3: Active Directory Administration

There are several standard administration tasks involved with managing Active Directory. To perform these tasks, you use powerful and flexible Active Directory administrative tools that are included with Windows 2000 Server. These tools simplify directory service administration. You can use the standard consoles or you can use the MMC to create custom consoles that focus on individual management tasks. This lesson introduces the tasks and the Active Directory administrative tools and explains how they are performed using the MMC.


After this lesson, you will be able to

  • Describe the tasks required for Windows 2000 Active Directory administration
  • Describe the function of the Active Directory Users and Computers administrative console
  • Describe the function of the Active Directory Sites and Services administrative console
  • Describe the function of the Active Directory Domains and Trusts administrative console
  • Describe the function and components of MMC, including console trees, details panes, snap-ins, extensions, and console modes

Estimated lesson time: 25 minutes


Windows 2000 Active Directory Administration Tasks

Administering Windows 2000 Active Directory involves both configuration and day-to-day maintenance tasks. Administrative tasks can be grouped into the six categories, as described in Table 16.2.

Table 16.2 Active Directory Administration Tasks

Administrative category | Specific tasks
Configuring Active Directory | Plan, deploy, manage, monitor, optimize, and troubleshoot Active Directory, including the domain structure, organizational unit (OU) structure, and site structure. Determine an efficient site topology.
Administering users and groups | Plan, create, and maintain user and group accounts to ensure that each user can log on to the network and gain access to necessary resources.
Securing network resources | Administer, monitor, and troubleshoot authentication services. Plan, implement, and enforce a security policy to ensure protection of data and shared network resources, including folders, files, and printers.
Administering Active Directory | Manage the location and control of Active Directory objects. Plan and implement Active Directory backup and restore operations.
Administering the desktop computing environment | Deploy, install, and configure the desktop computing environment using group policy.
Securing Active Directory | Administer, monitor, and troubleshoot a security configuration. Plan and implement a policy to audit network events so that you can find security breaches.
Managing Active Directory | Monitor, maintain, and troubleshoot domain controller performance and Active Directory components using performance monitoring and diagnostic tools.
Installing Windows 2000 remotely | Use Remote Installation Services to deploy Windows 2000 remotely.

Active Directory Administrative Tools

The Active Directory administrative tools are installed automatically on computers configured as Windows 2000 domain controllers. The administrative tools are also available with the optional Administrative Tools package. This package can be installed on other versions of Windows 2000 to allow you to administer Active Directory from a computer that is not a domain controller. The following Active Directory standard administrative tools are available on the Administrative Tools menu of all Windows 2000 domain controllers:

  • Active Directory Domains and Trusts console
  • Active Directory Sites and Services console
  • Active Directory Users and Computers console

Active Directory Domains and Trusts Console

The Active Directory Domains and Trusts console helps you manage trust relationships between domains. These domains can be Windows 2000 domains in the same forest, Windows 2000 domains in different forests, pre-Windows 2000 domains, and even Kerberos V5 realms.

Using Active Directory Domains and Trusts, you can do the following:

  • Provide interoperability with other domains (such as pre-Windows 2000 domains or domains in other Windows 2000 forests) by managing explicit domain trusts
  • Change the mode of operation of a Windows 2000 domain from Mixed mode to Native mode
  • Add and remove alternate UPN suffixes used to create user logon names
  • Transfer the domain naming operations master role from one domain controller to another
  • Provide information about domain management
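The following script is an added example and is not part of the Training Kit. It reads, through ADSI, the same settings the Active Directory Domains and Trusts console manages: the domain mode (the ntMixedDomain attribute of the domain, 1 for Mixed mode and 0 for Native mode), the alternate UPN suffixes and domain naming master recorded on the Partitions container of the configuration naming context, and the explicit trusts stored as trustedDomain objects under CN=System. It assumes a domain-joined Windows host with PowerShell and a user who can read the directory; the function name is my own.

```powershell
# Added example (not from the Training Kit). Read-only inventory of the settings
# that Active Directory Domains and Trusts manages, via ADSI from PowerShell.
# Assumes a domain-joined host and an account that can read the directory.
function Get-DomainTrustReport {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext.Value
    $configDn = [string]$rootDse.configurationNamingContext.Value

    # Domain mode: ntMixedDomain = 1 means Mixed mode, 0 means Native mode
    $domain = [ADSI]"LDAP://$domainDn"
    $mode = if ([int]$domain.ntMixedDomain.Value -eq 1) { 'Mixed' } else { 'Native' }

    # Alternate UPN suffixes and the domain naming operations master are stored
    # on the Partitions container in the configuration naming context
    $partitions = [ADSI]"LDAP://CN=Partitions,$configDn"
    $upnSuffixes = @($partitions.uPNSuffixes) -join ', '
    $namingMaster = [string]$partitions.fSMORoleOwner.Value   # DN of the NTDS Settings object

    # Explicit trusts are trustedDomain objects under CN=System in the domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$domainDn"
    $searcher.Filter = '(objectClass=trustedDomain)'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'trustDirection', 'trustType', 'trustAttributes'))
    $results = $searcher.FindAll()
    try {
        $trusts = foreach ($r in $results) {
            [pscustomobject]@{
                TrustedDomain   = [string]$r.Properties['name'][0]
                Direction       = [int]$r.Properties['trustdirection'][0]   # 1 inbound, 2 outbound, 3 both
                Type            = [int]$r.Properties['trusttype'][0]        # 1 downlevel, 2 uplevel, 3 MIT Kerberos realm
                Attributes      = [int]$r.Properties['trustattributes'][0]
            }
        }
    } finally {
        $results.Dispose()
    }

    [pscustomobject]@{
        Domain             = $domainDn
        Mode               = $mode
        UpnSuffixes        = $upnSuffixes
        DomainNamingMaster = $namingMaster
        Trusts             = @($trusts)
    }
}

$report = Get-DomainTrustReport
$report | Format-List Domain, Mode, UpnSuffixes, DomainNamingMaster
$report.Trusts | Format-Table -AutoSize
```

Reviewing this output periodically is a cheap control: an unexpected trustedDomain object or UPN suffix is worth investigating, and the script changes nothing in the directory.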

Active Directory Sites and Services Console

You provide information about the physical structure of your network by publishing sites to Active Directory using the Active Directory Sites and Services console. Active Directory uses this information to determine how to replicate directory information and handle service requests.

Active Directory Users and Computers Console

The Active Directory Users and Computers console allows you to add, modify, delete, and organize Windows 2000 user accounts, computer accounts, security and distribution groups, and published resources in your organization's directory. It also allows you to manage domain controllers and OUs.
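The console is the interactive way to work with these accounts; the same objects can be queried from a script. The following is an added example, not from the Training Kit, that uses an LDAP search through ADSI to list enabled user accounts whose password is set never to expire, together with the password age from pwdLastSet. It assumes a domain-joined Windows host with PowerShell and read access to the domain; the function name and the 90-day threshold are my own choices. The LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) used in the filter is a real Active Directory extended matching rule.

```powershell
# Added example (not from the Training Kit). Finds enabled users whose password
# never expires, the kind of review Active Directory Users and Computers supports
# interactively. Assumes a domain-joined host and read access to the domain.
function Find-NonExpiringPasswordAccounts {
    param([int]$MaxPasswordAgeDays = 90)   # threshold is an assumption, not a Windows default

    $rootDse = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$([string]$rootDse.defaultNamingContext.Value)"
    $searcher.PageSize = 500

    # userAccountControl bits: 0x2 = ACCOUNTDISABLE, 0x10000 = DONT_EXPIRE_PASSWD.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                       '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'pwdLastSet'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # pwdLastSet is a FILETIME; 0 means the password must be changed at next logon
            $raw = [int64]$r.Properties['pwdlastset'][0]
            $lastSet = if ($raw -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($raw) }
            $ageDays = if ($lastSet) { [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays } else { $null }

            [pscustomobject]@{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                PasswordLastSet   = $lastSet
                PasswordAgeDays   = $ageDays
                OverThreshold     = ($ageDays -eq $null) -or ($ageDays -gt $MaxPasswordAgeDays)
            }
        }
    } finally {
        $results.Dispose()
    }
}

Find-NonExpiringPasswordAccounts -MaxPasswordAgeDays 90 |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table SamAccountName, PasswordAgeDays, OverThreshold, DistinguishedName -AutoSize
```

Service accounts are the usual legitimate hits; anything else on the list should be reconciled against the password policy the domain enforces.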

Other Active Directory Administrative Tools

In addition to the Active Directory consoles provided on the Administrative Tools menu, there are several other tools provided for administering Active Directory.

Active Directory Schema Snap-In

The Active Directory Schema snap-in allows you to view and modify Active Directory schema. This snap-in is not available by default on the Administrative Tools menu. You must install it, and all of the Windows 2000 administration tools, using Add/Remove Programs in the Control Panel. Do not use the ADMINPAK.MSI file on the Windows 2000 Server CD-ROM to perform these operations.

Follow these steps to install the Active Directory Schema snap-in:

  1. Log on as an Administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Add/Remove Programs.
  4. On the Add/Remove Programs dialog box, click Change Or Remove Programs, click Windows 2000 Administration Tools, and then click Change.
  5. On the Welcome To The Windows 2000 Administration Tools Setup Wizard page, click Next.
  6. On the Setup Options page, click Install All Of The Administrative Tools, and then click Next.
  7. The wizard installs the Windows 2000 Administration Tools. When it finishes, click Finish.
  8. Close the Add/Remove Programs dialog box, and then close the Control Panel.
  9. Click Start, and then click Run.
  10. In the Open box, type mmc and then click OK.
  11. On the Console menu, click Add/Remove Snap-In.
  12. In the Add/Remove Snap-In dialog box, click Add.
  13. In the Add Standalone Snap-In dialog box, in the Snap-In column, double-click Active Directory Schema, click Close, and then click OK.
  14. To save this console, from the Console menu, click Save.

IMPORTANT


Modifying the Active Directory schema is an advanced operation that is best performed by experienced programmers or system administrators. For detailed information about modifying the Active Directory schema, see the Microsoft Active Directory Programmer's Guide.

Active Directory Support Tools

Several additional tools that can be used to configure, manage, and debug Active Directory are available in the Windows 2000 Support Tools. The Windows 2000 Support Tools are included on the Windows 2000 CD-ROM in the \Support\Tools folder. These tools are intended for use by Microsoft support personnel and experienced users.

To use Active Directory support tools you must first install the Windows 2000 Support Tools on your computer.

Follow these steps to install the Windows 2000 Support Tools:

  1. Start Windows 2000. You must log on as a member of the Administrators group to install these tools.
  2. Insert the Windows 2000 CD into your CD-ROM drive.
  3. When the Microsoft Windows 2000 CD screen appears, click Browse This CD.
  4. Browse to the \Support\Tools directory.
  5. Click SETUP.EXE.
  6. Follow the instructions that appear on your screen.

The Setup program installs all Windows 2000 Support Tools files onto your hard disk and requires a maximum of 18.2 megabytes (MB) of free space.

Setup creates a Windows 2000 Support Tools folder within the Programs folder on the Start menu. For detailed information about individual tools, click the Tools Help menu item. Graphical User Interface (GUI) tools can be selected from the Tools menu.

Setup also adds the \Program Files\Resource Kit directory (or the directory name you choose for installing the tools) to your computer's Path statement.

Table 16.3 describes the support tools that pertain to Active Directory.

Table 16.3 Active Directory Support Tools

Tool | Used to
ACLDIAG.EXE: ACL Diagnostics [1] | Determine whether a user has been granted or denied access to an Active Directory object. It can also be used to reset access control lists to their default state.
ADSI Edit [3] | View all objects in the directory (including schema and configuration naming contexts), modify objects, and set access control lists on objects.
DFSUTIL.EXE: Distributed File System Utility [1] | Manage all aspects of distributed file system (Dfs), check the configuration concurrency of Dfs servers, and display the Dfs topology.
DNSCMD.EXE: DNS Server Troubleshooting Tool [1] | Check dynamic registration of DNS resource records including secure DNS update. Is also used to deregister resource records.
DSACLS.EXE [1] | View or modify the access control lists of objects in Active Directory.
DSASTAT.EXE: Active Directory Diagnostic Tool [1] | Compare naming contexts on domain controllers and detect differences.
LDP.EXE: Active Directory Administration Tool [2] | Allow Lightweight Directory Access Protocol (LDAP) operations to be performed against Active Directory.
MOVETREE.EXE: Active Directory Object Manager [1] | Move Active Directory objects such as OUs and users between domains in a single forest.
NETDOM.EXE: Windows 2000 Domain Manager [1] | Manage Windows 2000 domains and trust relationships.
NLTEST.EXE [1] | Provide a list of primary domain controllers, force a shutdown, provide information about trusts and replication.
REPADMIN.EXE: Replication Diagnostics Tool [1] | Check replication consistency between replication partners, monitor replication status, display replication metadata, force replication events and knowledge consistency checker recalculation.
REPLMON.EXE: Active Directory Replication Monitor [2] | Graphically display replication topology, monitor replication status (including policies), force replication events and knowledge consistency checker recalculation.
SDCHECK.EXE: Security Descriptor Check Utility [1] | Check ACL propagation and replication for specified objects in the directory. This tool enables an administrator to determine if ACLs are being inherited correctly and if ACL changes are being replicated from one domain controller to another.
SIDwalker: Security Administration Tools | Manage access control policies on Windows 2000 and Windows NT systems. SIDwalker consists of three separate programs: Showaccs.exe [1] and Sidwalk.exe [1] for examining and changing access control entries, and Security Migration Editor [3] for editing mapping between old and new security IDs (SIDs).

[1] command-line tool
[2] graphical user interface tool
[3] Microsoft Management Console snap-in

For more information about Active Directory support tools, see the Microsoft Windows 2000 Server Resource Kit.
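Several of the tools in Table 16.3 (DSACLS, ACLDIAG, SDCHECK) are about reading and verifying the access control lists on directory objects. The script below is an added example, not from the Training Kit or from those tools, that performs two such checks through ADSI from PowerShell: it lists the explicit (non-inherited) allow entries on an object that grant write-class rights, which is where delegation drift shows up, and it compares the object's security descriptor as seen on several domain controllers, which is the replication check SDCHECK is described as doing. The OU distinguished name and the domain controller names are placeholders; the function names are my own.

```powershell
# Added example (not from the Training Kit). Reviews the ACL of one directory
# object and compares its security descriptor across domain controllers.
# $TargetDn and $DomainControllers below are placeholders for your environment.
$TargetDn          = 'OU=Workstations,DC=example,DC=com'                 # placeholder
$DomainControllers = @('dc1.example.com', 'dc2.example.com')             # placeholders

function Get-ExplicitWriteAces {
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $acl   = $entry.ObjectSecurity        # System.DirectoryServices.ActiveDirectorySecurity
    $ad    = [System.DirectoryServices.ActiveDirectoryRights]
    # Rights that let a principal change the object or its permissions
    $sensitive = $ad::GenericAll -bor $ad::GenericWrite -bor $ad::WriteProperty -bor
                 $ad::WriteDacl -bor $ad::WriteOwner

    $owner = $acl.GetOwner([System.Security.Principal.NTAccount])
    # includeExplicit = $true, includeInherited = $false: only ACEs set on this object
    $aces = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $sensitive) -eq 0) { continue }
        [pscustomobject]@{
            Object      = $DistinguishedName
            Owner       = [string]$owner
            Identity    = [string]$ace.IdentityReference
            Rights      = [string]$ace.ActiveDirectoryRights
            # Non-empty ObjectType means the right is limited to one attribute or extended right
            ObjectType  = $ace.ObjectType
            Inheritance = [string]$ace.InheritanceType
        }
    }
}

function Compare-SecurityDescriptorAcrossDCs {
    param([string]$DistinguishedName, [string[]]$Servers)
    # Bind to the same object on each DC explicitly and take the SDDL form of the
    # whole descriptor, so a change that has not replicated yet shows up as a difference
    $sddl = @{}
    foreach ($dc in $Servers) {
        $entry = [ADSI]"LDAP://$dc/$DistinguishedName"
        $sddl[$dc] = $entry.ObjectSecurity.GetSecurityDescriptorSddlForm('All')
    }
    $distinct = @($sddl.Values | Sort-Object -Unique)
    [pscustomobject]@{
        Object     = $DistinguishedName
        Consistent = ($distinct.Count -eq 1)
        PerServer  = $sddl
    }
}

Get-ExplicitWriteAces -DistinguishedName $TargetDn | Format-Table Identity, Rights, ObjectType -AutoSize

$cmp = Compare-SecurityDescriptorAcrossDCs -DistinguishedName $TargetDn -Servers $DomainControllers
if ($cmp.Consistent) {
    "Security descriptor of $TargetDn is identical on all listed domain controllers"
} else {
    "Security descriptor of $TargetDn differs between domain controllers (replication lag or a local change):"
    $cmp.PerServer.GetEnumerator() | ForEach-Object { "  $($_.Key): $($_.Value)" }
}
```

A descriptor that stays different after the normal replication interval is the case SDCHECK exists for; a write-class ACE held by an identity nobody can explain is the case DSACLS exists for.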

Active Directory Service Interfaces

Active Directory Service Interfaces (ADSI) provides a simple, powerful, object-oriented interface to Active Directory. ADSI makes it easy for programmers and administrators to create programs utilizing directory services by using high-level tools such as Microsoft Visual Basic, Java, C, or Visual C++ as well as ActiveX Scripting Languages, such as VBScript, JScript, or PerlScript, without having to worry about the underlying differences between the different namespaces. ADSI is a fully programmable automation object for use by administrators.

ADSI enables you to build or buy programs that give you a single point of access to multiple directories in your network environment, whether those directories are based on LDAP or another protocol.
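The "single point of access" claim is easiest to see with the same code bound through two different ADSI providers. The following added example, not from the Training Kit, enumerates group membership with the IADsGroup Members method first through the WinNT provider (the local SAM of the computer) and then through the LDAP provider (Active Directory); the enumeration code is identical, only the ADsPath changes. It assumes a domain-joined Windows host with PowerShell; the function name is my own, and the domain and group names are whatever your directory actually holds.

```powershell
# Added example (not from the Training Kit). The same enumeration against two
# ADSI namespaces: WinNT: (local SAM) and LDAP: (Active Directory).
# Assumes a domain-joined host; group names and DNs come from your directory.
function Get-GroupMemberPaths {
    param([string]$AdsPath)
    $group = [ADSI]$AdsPath
    # IADsGroup::Members is provider-independent; ADSI hides whether the group
    # lives in the SAM or in the directory. Each member is a COM object, so its
    # ADsPath and class are read through InvokeMember.
    foreach ($m in $group.Invoke('Members')) {
        [pscustomobject]@{
            Group   = $AdsPath
            Class   = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            ADsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

# 1. Local Administrators group on this computer through the WinNT provider.
#    Members may be local accounts or domain principals (WinNT://DOMAIN/Name).
$local = Get-GroupMemberPaths -AdsPath "WinNT://$env:COMPUTERNAME/Administrators,group"

# 2. Domain Admins through the LDAP provider; the DN is discovered from RootDSE
#    so nothing about the domain name is hard-coded.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext.Value
$domain   = Get-GroupMemberPaths -AdsPath "LDAP://CN=Domain Admins,CN=Users,$domainDn"

$local  | Format-Table Class, ADsPath -AutoSize
$domain | Format-Table Class, ADsPath -AutoSize

# Same review across both namespaces: members that are themselves groups, which
# is where nested, hard-to-audit membership tends to hide.
($local + $domain) | Where-Object { $_.Class -eq 'Group' } | Format-Table Group, ADsPath -AutoSize
```

The script reads only; writing through ADSI follows the same pattern (Put or Add on the bound object followed by SetInfo), and the namespace independence holds there too.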

Microsoft Management Console

The MMC is a tool used to create, save, and open collections of administrative tools, which are called consoles. When you access the Active Directory administrative tools, you are accessing the MMC for that tool. The Active Directory Domains and Trusts, Active Directory Sites and Services, and Active Directory Users and Computers administrative tools are each a console. The console does not provide management functions itself, but is the program that hosts management applications called snap-ins. You use snap-ins to perform one or more administrative tasks.

There are two types of MMCs: preconfigured and custom. Preconfigured MMCs contain commonly used snap-ins, and they appear on the Administrative Tools menu. You create custom MMCs to perform a unique set of administrative tasks. You can use both preconfigured and custom MMCs for remote administration.

Preconfigured MMCs

Preconfigured MMCs contain snap-ins that you use to perform the most common administrative tasks. Windows 2000 installs a number of preconfigured MMCs during installation. Preconfigured MMCs have the following characteristics:

  • They contain one or more snap-ins that provide the functionality to perform a related set of administrative tasks.
  • They function in User mode. Because preconfigured MMCs are in User mode, you cannot modify them, save them, or add additional snap-ins. However, when you create custom consoles, you can add as many preconfigured consoles as you want as snap-ins to your custom console.
  • They vary, depending on the operating system that the computer is running and the installed Windows 2000 components. Windows 2000 Server and Windows 2000 Professional have different preconfigured MMCs.
  • They might be added by Windows 2000 when you install additional components. Optional Windows 2000 components might include additional preconfigured MMCs that Windows 2000 adds when you install a component. For example, when you install the DNS service, Windows 2000 also installs the DNS console.

Table 16.4 lists the typical preconfigured MMCs in Windows 2000 and their function.

Table 16.4 Preconfigured MMCs

Preconfigured MMC | Function
Active Directory Domains and Trusts [1,2] | Manages the trust relationships between domains
Active Directory Sites and Services [1,2] | Creates sites to manage the replication of Active Directory information
Active Directory Users and Computers [1,2] | Manages users, computers, security groups, and other objects in Active Directory
Component Services | Configures and manages COM+ applications
Computer Management | Manages disks and provides access to other tools to manage local and remote computers
Configure Your Server [1] | Sets up and configures Windows services for your network
Data Sources (ODBC) | Adds, removes, and configures Open Database Connectivity (ODBC) data sources and drivers
DHCP [1,2] | Used to configure and manage the Dynamic Host Configuration Protocol (DHCP) service
Distributed File System (DFS) [1] | Creates and manages DFSs that connect shared folders from different computers
DNS [1,2] | Manages the DNS service, which translates DNS computer names to IP addresses
Domain Controller Security Policy [1,2] | Used to view and modify security policy for the Domain Controllers OU
Domain Security Policy [1,2] | Used to view and modify security policy for the domain, such as user rights and audit policies
Event Viewer | Displays monitoring and troubleshooting messages from Windows and other programs
Internet Services Manager [1] | Manages Internet Information Services (IIS), the Web server for Internet and intranet Web sites
Licensing [1] | Manages client access licensing for a server product
Local Security Policy [3] | Used to view and modify local security policy, such as user rights and audit policies
Performance | Displays graphs of system performance and configures data logs and alerts
Routing and Remote Access [1] | Used to configure and manage the Routing and Remote Access service
Server Extensions Administrator [1] | Used to administer Microsoft FrontPage Server Extensions and FrontPage extended webs
Services | Starts and stops services
Telnet Server Administration [1] | Used to view and modify telnet server settings and connections

[1] MMC not available on Windows 2000 Professional.
[2] MMC not available on Windows 2000 Server standalone server.
[3] MMC not available on Windows 2000 Server domain controller.

Custom MMCs

You can use many of the preconfigured MMCs for administrative tasks. However, there will be times when you need to create your own custom MMCs. Although you can't modify preconfigured consoles, you can combine multiple preconfigured snap-ins with third-party snap-ins that perform related tasks to create custom MMCs. You can then do the following:

  • Save the custom MMCs to use again.
  • Distribute the custom MMCs to other administrators.
  • Use the custom MMCs from any computer to centralize and unify administrative tasks.

Creating custom MMCs allows you to meet your administrative requirements by combining snap-ins that you use to perform common administrative tasks. By creating a custom MMC, you do not have to switch between different programs or different preconfigured MMCs because all of the snap-ins that you need to perform your job are located in the custom MMC.

Consoles are saved as files and have an .msc extension. All the settings for the snap-ins contained in the console are saved and restored when the file is opened, even if the console file is opened on a different computer or network.

Console Tree and Details Pane

Every MMC has a console tree. A console tree displays the hierarchical organization of the snap-ins contained within the MMC. As you can see in Figure 16.10, this MMC contains the Device Manager (on the local computer) and Disk Defragmenter snap-ins.

Figure 16.10 A sample MMC

The console tree organizes snap-ins that are part of the MMC. This allows you to easily locate a specific snap-in. Items that you add to the console tree appear under the console root. The details pane lists the contents of the active snap-in.

Every MMC contains the Action menu and the View menu. The choices on these menus are context-sensitive, depending on the current selection in the console tree.

Snap-Ins

Snap-ins are applications that are designed to work in an MMC. Use snap-ins to perform administrative tasks. There are two types of snap-ins: standalone snap-ins and extension snap-ins.

Standalone Snap-Ins

Standalone snap-ins are usually referred to simply as snap-ins. Use standalone snap-ins to perform Windows 2000 administrative tasks. Each snap-in provides one function or a related set of functions. Windows 2000 Server comes with standard snap-ins. Windows 2000 Professional includes a smaller set of standard snap-ins.

Extension Snap-Ins

Extension snap-ins are usually referred to simply as extensions. They are snap-ins that provide additional administrative functionality to another snap-in. The following are characteristics of extensions:

  • Extensions are designed to work with one or more standalone snap-ins, based on the function of the standalone snap-in. For example, the Software Installation extension is available in the Group Policy snap-in; however, it is not available in the Disk Defragmenter snap-in, because Software Installation does not relate to the administrative task of disk defragmentation.
  • When you add an extension, Windows 2000 displays only extensions that are compatible with the standalone snap-in. Windows 2000 places the extensions into the appropriate location within the standalone snap-in.
  • When you add a snap-in to a console, MMC adds all available extensions by default. You can remove any extension from the snap-in.
  • You can add an extension to multiple snap-ins.

Figure 16.11 demonstrates the concept of snap-ins and extensions. A toolbox (an MMC) holds a drill (a snap-in). You can use a drill with its standard drill bit, and you can perform additional functions with different drill bits (extensions).

Figure 16.11 Snap-ins and extensions

Some standalone snap-ins, such as the Computer Management snap-in, can use extensions that provide additional functionality. Some snap-ins, such as Event Viewer, can act as either a standalone snap-in or an extension.

Console Options

Use console options to determine how each MMC operates by selecting the appropriate console mode. The console mode determines the MMC functionality for the person who is using a saved MMC. The two available console modes are Author mode and User mode.

Author Mode

When you save an MMC in Author mode, you enable full access to all MMC functionality, which includes modifying the MMC. Save the MMC using Author mode to allow those using it to do the following:

  • Add or remove snap-ins
  • Create new windows
  • View all portions of the console tree
  • Save MMCs

NOTE


By default, all new MMCs are saved in Author mode.

User Mode

Usually, if you plan to distribute an MMC to other administrators, you save the MMC in User mode. When you set an MMC to User mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC.

There are three types of User modes that allow different levels of access and functionality. Table 16.5 describes when to use each User mode.

Table 16.5 MMC Console User Modes

User mode | Use when
Full Access | You want to allow users to navigate between snap-ins, open new windows, and gain access to all portions of the console tree.
Limited Access, Multiple Windows | You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view multiple windows in the console.
Limited Access, Single Window | You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view only one window in the console.

Lesson Summary

In this lesson you learned about Active Directory administration tasks, which include configuring Active Directory, administering users and groups, securing network resources, administering Active Directory, administering the desktop computing environment, securing Active Directory, managing Active Directory performance, and installing Windows 2000 remotely.

You also learned about the Active Directory administrative tools you can use to accomplish these tasks. The Active Directory Domains and Trusts console manages the trust relationships between domains. The Active Directory Sites and Services console creates sites to manage the replication of Active Directory information. The Active Directory Users and Computers console manages users, computers, security groups, and other objects in Active Directory.

The MMC is a tool used to create, save, and open collections of administrative tools, called consoles. MMCs hold one or more management applications, called snap-ins, which you use to perform administrative tasks. Preconfigured MMCs contain commonly used snap-ins, and they appear on the Administrative Tools menu. You create custom MMCs to perform a unique set of administrative tasks. You can use both preconfigured and custom MMCs for remote administration.

You learned that every MMC has a console tree. The console tree displays the hierarchical organization of the snap-ins that are contained within that MMC. This allows you to locate a specific snap-in easily. The details pane lists the contents of the active snap-in. You also learned that there are two types of snap-ins: standalone snap-ins and extension snap-ins.

Finally, in this lesson you learned about console options. You use console options to determine how each MMC operates by selecting the appropriate console mode. The two available console modes are Author mode and User mode. When you save an MMC in Author mode, you enable full access to all MMC functionality, which includes modifying the MMC. When you set an MMC to User mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
