Chapter 7: Domain Manipulation Tools

This chapter has perhaps more illustrations than any other in the whole book. No wonder! A picture is worth a thousand words! This is not a formal reference to all administrative snap-ins' screens, menus, commands, features, or to the operations that they implement. Neither are all snap-ins discussed. I would like to make the reader focus his or her attention on certain details and options that are unapparent or which might not be noticed upon first acquaintance with snap-ins intended to manage Active Directory. Using this "know-how" will allow you to organize your workplace more efficiently. The differences between the Windows 2000 and Windows .NET versions of the snap-ins are also considered.

This chapter unveils certain aspects involved in using the features of the administrative tools for managing Active Directory. Other typical administrative tasks carried out by these and other tools will be discussed in Chapter 8, "Common Administrative Tasks," and in other chapters, where specific tasks are described in detail.

Basic Active Directory Administrative Snap-ins

Both Windows 2000 and Windows .NET systems use the same set of snap-ins for administering Active Directory. For the most part, these tools have not changed in the new version; they perform the same functions (although in Windows .NET, all of them have some additional features). Therefore, an administrator acquainted with Windows 2000-based domains can easily master commonly used operations in the Windows .NET environment.

After a Windows .NET Server has been promoted to a domain controller, new tools (listed in Table 7.1) will appear in the Administrative Tools group on the Start menu.

Table 7.1: Standard Tools for Administering Active Directory


| Tool name | Main operations performed by the tool |
|---|---|
| Active Directory Domains and Trusts | Selecting a domain for management in large forests. Managing domain functional levels. Creating, verifying, and deleting trusts between domains. |
| Active Directory Sites and Services | Creating and manipulating sites, transports, and subnets. Managing replication schedules and links. Triggering replication between domain controllers. Setting permissions on objects. Linking GPOs to sites. Enabling DCs to act as global catalog servers. |
| Active Directory Users and Computers | Creating and manipulating AD objects (users, groups, OUs, etc.). Setting permissions for objects. Linking GPOs to domains and OUs. Managing domain functional levels. Transferring FSMO roles. |
| Domain Controller Security Policy | In Windows 2000-based domains: editing the Security Settings node of the GPO linked to the Domain Controllers OU. In Windows .NET-based domains: editing any settings in the GPO linked to the Domain Controllers OU. |
| Domain Security Policy | In Windows 2000-based domains: editing the Security Settings node of the GPO linked to a domain container. In Windows .NET-based domains: editing any settings in the GPO linked to a domain container. |
| Group Policy Object Editor[1] | Editing GPOs linked to an Active Directory container (site, domain, OU) or stored on a local computer. This snap-in is not shown on the Start menu, but is accessible from other administrative snap-ins or can be added to a custom MMC console. |

[1]In Windows 2000, this snap-in is called Group Policy.

These tools can be installed as a part of the Administration Tools Pack (see "Remote Administration" in Chapter 8, "Common Administrative Tasks") onto any client computer with Windows XP Professional or a member server with Windows .NET. The Security Policy snap-ins will not appear on the Start menu in that case.


The Active Directory Schema Manager snap-in included in the Administration Tools Pack is also installed on domain client computers and appears on the Start menu.


It is not possible to install Windows .NET administrative snap-ins onto Windows 2000-based computers.

Some other important tools (Table 7.2) for administering Active Directory are included in the Support Tools pack. These tools might be regarded as mandatory for an administrator, and are discussed later in this book.

Table 7.2: Some Additional Tools for Maintaining Active Directory (from Support Tools)


| Tool name | Main operations performed by the tool |
|---|---|
| ADSI Edit (adsiedit.msc) | "Low-level" editing of the Active Directory objects that belong to any directory partition (application, domain, configuration, and schema). (The RootDSE object is also accessible.) Setting permissions on objects. |
| Active Directory Administration Tool (Ldp.exe) | Searching Active Directory and modifying directory objects using LDAP queries. |
| Active Directory Replication Monitor (replmon.exe) | Monitoring replication status and topology. Triggering replication. Monitoring FSMO roles and flags of domain controllers. |

Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
EAN: 2147483647
Year: 2002
Pages: 154