Several sets of tools are available for managing Active Directory, including graphical administration tools, command-line tools, and support tools.

Active Directory Administration Tools

The Active Directory administration tools are provided as snap-ins to the Microsoft Management Console (MMC). The key tools you'll use to manage Active Directory are:

- Active Directory Users And Computers: Used to manage users, groups, computers, and organizational units
- Active Directory Domains And Trusts: Used to work with domains, domain trees, and domain forests
- Active Directory Sites And Services: Used to manage sites and subnets
- Resultant Set Of Policy: Used to view current policy for a user on a system and to plan policy changes

If you're running Microsoft Windows Server 2003, you can add the related snap-ins to any updateable console or access the tools directly on the Administrative Tools menu. If you're using another computer with access to a Windows Server 2003 domain, the tools won't be available until you install them. One technique for installing these tools is covered in the section entitled "Tools and Configuration" in Chapter 1, "Overview of Microsoft Windows Server 2003 System Administration," but you could also create a software installation package for the tools that would be distributed and installable through Active Directory.

For Windows Server 2003, these tools have been enhanced to allow you to perform tasks that you couldn't perform with the original Windows 2000 toolset. You can now:

- Select multiple resources individually: Hold down the Ctrl key and then click the left mouse button on each object you want to select.
- Select a series of resources at once: Hold down the Shift key, select the first object, and then click the last object.
- Drag resources to new locations: Select the objects you want to move and press and hold down the left mouse button while moving the mouse.
- Edit and set properties of multiple resources: Select the objects you want to work with, right-click, and then select the operation, such as Add To Group, Disable Account, or Properties.

Another Active Directory administration tool you might want to use is the Active Directory Schema snap-in. You use Active Directory Schema to manage and modify directory schema. If you have loaded the AdminPak, you can add the Active Directory Schema snap-in to an MMC by completing the following steps:

1. Open the Run dialog box by clicking Start and then clicking Run.
2. Type mmc in the Open text box and then click OK. This opens the MMC.
3. In MMC, click File, and then click Add/Remove Snap-In. This opens the Add/Remove Snap-In dialog box.
4. In the Standalone tab, click Add.
5. In the Add Standalone Snap-In dialog box, click Active Directory Schema and then click Add.
6. Click Close and then click OK.
7. Right-click Active Directory Schema in the console tree and then select Connect To. This displays the Connection Settings dialog box.
8. In the Connection Settings dialog box, the information for the default domain (the one that you're logged in to) should be provided automatically. Click OK, or enter the necessary information to access a different domain and then click OK.

You can now view and manage the Active Directory schema for the domain.

Active Directory Command-Line Tools

Several tools are provided to let you manage Active Directory from the command line. You can use:

- DSADD: Adds computers, contacts, groups, organizational units, and users to Active Directory. Type dsadd objectname /? at the command line to display help information on using the command, such as dsadd computer /?.
- DSGET: Displays properties of computers, contacts, groups, organizational units, users, sites, subnets, and servers registered in Active Directory. Type dsget objectname /? at the command line to display help information on using the command, such as dsget subnet /?.
- DSMOD: Modifies properties of computers, contacts, groups, organizational units, users, and servers that already exist in Active Directory. Type dsmod objectname /? at the command line to display help information on using the command, such as dsmod server /?.
- DSMOVE: Moves a single object to a new location within a single domain or renames the object without moving it. Type dsmove /? at the command line to display help information on using the command.
- DSQUERY: Finds computers, contacts, groups, organizational units, users, sites, subnets, and servers in Active Directory using search criteria. Type dsquery /? at the command line to display help information on using the command.
- DSRM: Removes objects from Active Directory. Type dsrm /? at the command line to display help information on using the command.
- NTDSUTIL: Lets you view site, domain, and server information, manage operations masters, and perform database maintenance of Active Directory. Type ntdsutil /? at the command line to display help information on using the command.

Active Directory Support Tools

Many Active Directory tools are provided in the support toolkit. A list of some of the most useful support tools you can use to configure, manage, and troubleshoot Active Directory is shown in Table 7-1.

Table 7-1. Quick Reference for Active Directory Support Tools

| Support Tool | Executable Name | Description |
| --- | --- | --- |
| Active Directory Administration Tool | Ldp.exe | Performs Lightweight Directory Access Protocol (LDAP) operations on Active Directory |
| Active Directory Replication Monitor | Replmon.exe | Manages and monitors replication using a graphical user interface (GUI) |
| Directory Services Access Control Lists Utility | Dsacls.exe | Manages access control lists for objects in Active Directory |
| Distributed File System Utility | Dfsutil.exe | Manages the Distributed File System (DFS) and displays DFS information |
| DNS Server Troubleshooting Tool | Dnscmd.exe | Manages properties of Domain Name System (DNS) servers, zones, and resource records |
| Move Tree | Movetree.exe | Moves objects from one domain to another |
| Replication Diagnostics Tool | Repadmin.exe | Manages and monitors replication using the command line |
| Security Descriptor Check Utility | Sdcheck.exe | Checks access control list propagation, replication, and inheritance |
| Security ID Checker | Sidwalker.exe | Sets access control lists on objects previously owned by moved, deleted, or orphaned accounts |
| Windows Domain Manager | Netdom.exe | Allows domain and trust relationships management from the command line |
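
The command-line tools listed under Active Directory Command-Line Tools can be chained: DSQUERY writes distinguished names that DSGET, DSMOD, DSMOVE, and DSRM accept on standard input. The batch script below is an added example, not part of the original text, showing a read-only account hygiene review built that way. The thresholds (8 weeks, 90 days) and the choice of the Domain Admins group are assumptions to adjust for your domain.

```batch
@echo off
rem Added example: read-only account review using DSQUERY piped into DSGET.
rem Run from a Windows Server 2003 domain member with the tools installed.
rem Nothing here modifies the directory.
setlocal

rem Assumed thresholds; change to match your own policy.
set WEEKS=8
set PWDDAYS=90

rem -limit 0 removes the default cap of 100 returned objects.
rem -inactive relies on lastLogonTimestamp, which is only maintained at the
rem Windows Server 2003 domain functional level.
echo == User accounts with no logon for %WEEKS% weeks or more ==
dsquery user domainroot -inactive %WEEKS% -limit 0 | dsget user -dn -samid -disabled

echo.
echo == User accounts whose password is older than %PWDDAYS% days ==
dsquery user domainroot -stalepwd %PWDDAYS% -limit 0 | dsget user -samid -pwdneverexpires

echo.
echo == Accounts that are already disabled (candidates for cleanup) ==
dsquery user domainroot -disabled -limit 0

echo.
echo == Effective members of Domain Admins, nested groups expanded ==
dsquery group domainroot -samid "Domain Admins" | dsget group -members -expand

echo.
echo == Computer accounts with no logon for %WEEKS% weeks or more ==
dsquery computer domainroot -inactive %WEEKS% -limit 0

rem After reviewing the output, a single account can be disabled with DSMOD.
rem The DN below is a placeholder, not a real object:
rem   dsmod user "CN=Example User,OU=Staff,DC=example,DC=com" -disabled yes

endlocal
```

Redirect the output to a dated file and compare it between runs to spot new members of privileged groups or accounts that have gone stale.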