Active Directory Tasks

This section covers common (and not so common but important) administrative tasks concerning the general administration of Active Directory. For more specific tasks relating to administering domains, trusts, user accounts, and so on, refer to the related topics elsewhere in this chapter. For example, to learn how to manage domain controllers, see Domain Controller; to learn how to configure user accounts, see Users; and so on. Note that all tasks in this section involve using the Active Directory Users and Computers console unless otherwise indicated.

Audit Active Directory

You can use auditing to detect unauthorized attempts to access Active Directory:

Right-click the Domain Controllers node → Properties → Group Policy → select Default Domain Controllers Policy → Edit → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → right-click Audit Directory Service Access → Properties → select Define these policy settings → choose to audit success and/or failure events

Auditing of access to Active Directory on all domain controllers in the domain takes effect once the GPO settings have propagated to other domain controllers (usually within five minutes). Directory service access events are logged in the Security log on each domain controller and can be viewed with Event Viewer.

For fresh installs of new WS2003 domain controllers in a new domain, Active Directory security auditing is enabled by default. If you upgraded from W2K domain controllers, you must enable auditing manually, as described earlier.

You can also audit specific objects within Active Directory. First, follow the steps described earlier, then make the Security tab visible on the properties sheets of objects by selecting View → Advanced Features, and then specify auditing for an object as follows:

Right-click on an object (such as a user or computer) → Properties → Security → Advanced → Auditing → Add → specify the user or group whose access to the object you want to audit → Object tab → select Successful and/or Failed for each type of access you want to audit for the object → Properties tab → select Successful and/or Failed for the Read or Write actions you want to audit for the object

For more information, see Auditing later in this chapter.
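Once Audit Directory Service Access is in effect, the Security log fills quickly, and the events you care about are the failure audits. The following PowerShell script is an added example (not from the book) that pulls the directory service access events from a domain controller's Security log and summarizes them by account and object. It assumes you can read the Security log on the target domain controller, and that the event IDs are 566 (Object Operation, WS2003) and 4662 (Windows Server 2008 and later); the field labels it parses ("Account Name", "Primary User Name", "Object Name", "Accesses") are the ones those event messages use.

```powershell
# Added example: summarise Directory Service Access audit events on a domain controller.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # domain controller whose Security log to read
    [int]$Newest = 2000                          # how many recent Security events to scan
)

# 566 = Object Operation (WS2003); 4662 = An operation was performed on an object (2008+)
$dsAccessIds = 566, 4662

$events = Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
    Where-Object { $dsAccessIds -contains $_.EventID }

function Get-Field([string]$Message, [string]$Label) {
    # Event text is made of "Label:<tabs>value" lines; return the value of the first such line.
    if ($Message -match "(?m)^\s*$Label\s*:\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

$summary = foreach ($e in $events) {
    $msg = $e.Message
    # 4662 names the caller under "Account Name"; 566 uses "Primary User Name".
    $who = Get-Field $msg 'Account Name'
    if (-not $who) { $who = Get-Field $msg 'Primary User Name' }
    New-Object PSObject -Property @{
        Time     = $e.TimeGenerated
        Outcome  = $e.EntryType            # SuccessAudit or FailureAudit
        Account  = $who
        Object   = Get-Field $msg 'Object Name'
        Accesses = Get-Field $msg 'Accesses'   # first line of the access mask only
    }
}

# Failed access attempts are the "unauthorized attempts" the audit policy exists to catch.
"Failed directory access attempts (newest first):"
$summary | Where-Object { $_.Outcome -eq 'FailureAudit' } |
    Sort-Object Time -Descending | Format-Table Time, Account, Object, Accesses -AutoSize

# Accounts generating the most directory access events, success or failure.
"Top accounts by directory access events:"
$summary | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Run it on each domain controller, since directory service access events are logged only on the domain controller that serviced the request.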

Back Up Active Directory

See Backup later in this chapter for information on this.

Create an Object

Right-click a domain, container, or OU → New → select the type of object you want to create (user, group, computer...) → type a name and specify other common properties of the object

After you create an object in Active Directory, you can configure it further by opening its properties sheet. For more information on configuring Active Directory objects, see Groups, Printing, and Users later in this chapter.

Create a Saved Query

Saved queries let you quickly access a desired set of Active Directory objects. For example, you can create queries to display all disabled user accounts, all color printers, all computers whose names start with SRV, and so on.

Right-click Saved Queries → New → Query

Give the query a friendly name you can remember, specify a query root (the container on which the query runs, including its subcontainers), and define the type of query you want to create. For quick and dirty queries, select Common Query, which provides several options for user, group, and computer accounts. To execute a saved query later, just select it in the console tree and view the results in the details pane. You can edit queries after you create them and organize large numbers of queries in folders, sort of like Favorites in Internet Explorer but without the webbish look. If you're into LDAP, you can view the actual query string when you create the query.
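The three saved queries mentioned above (disabled user accounts, color printers, computers named SRV*) are ordinary LDAP filters, and the same filters can be run from a script when you want the results somewhere other than the details pane. The following PowerShell is an added example (not from the book) that runs them with System.DirectoryServices; the query root OU=Corp,DC=mycompany,DC=local is a placeholder to replace with your own container.

```powershell
# Added example: the LDAP filters behind three saved queries, run from PowerShell.
$queryRoot = [ADSI]"LDAP://OU=Corp,DC=mycompany,DC=local"   # placeholder query root

$savedQueries = @{
    # userAccountControl bit 0x2 (ACCOUNTDISABLE), tested with the LDAP bitwise-AND matching rule
    'Disabled user accounts' = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
    # Published print queues whose printColor attribute is set
    'Color printers'         = '(&(objectClass=printQueue)(printColor=TRUE))'
    # Computer accounts whose common name starts with SRV
    'Computers named SRV*'   = '(&(objectClass=computer)(cn=SRV*))'
}

function Invoke-SavedQuery {
    param([string]$Filter, [System.DirectoryServices.DirectoryEntry]$Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root, $Filter)
    $searcher.SearchScope = 'Subtree'   # the query root and all of its subcontainers
    $searcher.PageSize = 1000           # page the results so large containers are not truncated
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'whenChanged'))
    foreach ($r in $searcher.FindAll()) {
        # Result property names come back lowercased
        New-Object PSObject -Property @{
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            WhenChanged       = $r.Properties['whenchanged'][0]
        }
    }
}

foreach ($name in $savedQueries.Keys) {
    $results = @(Invoke-SavedQuery -Filter $savedQueries[$name] -Root $queryRoot)
    "{0}: {1} object(s)" -f $name, $results.Count
    $results | Sort-Object DistinguishedName | Format-Table DistinguishedName, WhenChanged -AutoSize
}
```

The disabled-accounts filter is the one worth scheduling: a disabled account that has not changed in months is a candidate for deletion, and one that has changed recently deserves a look at who re-enabled or edited it.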

Install Active Directory

Installing Active Directory means creating the first domain controller, the forest, and the forest root domain for your company's network. There are two ways to do this. The first method starts with a freshly installed standalone WS2003 machine and is suitable mainly for new networks:

Administrative Tools → Manage Your Server → Add or Remove a Role → Typical configuration for a first server → specify DNS name for your forest root domain (e.g., mycompany.local) → accept or modify default NetBIOS name for domain → specify IP address of DNS forwarder for external (Internet) name resolution

At the completion of this process, your server will have a static IP address (if it didn't have one already) and Active Directory installed on it. It will also be a DNS server and, if no DHCP server is detected on your network, a DHCP server as well. To verify the actions performed, check Configure Your Server.log in the \Windows\Debug folder.

Note that if you use this method on a member server already belonging to an existing WS2003 domain, the Typical configuration for a first server option is not displayed. Instead, you can select Manage Your Server → Add or Remove a Role → Domain Controller (Active Directory), which starts the Active Directory Installation Wizard, allowing you to convert your member server into a domain controller for the existing domain or to create a new child domain or root domain of a new tree (note that you need to be a member of the Enterprise Admins group to do this).

Before installing Active Directory together with DNS on W2K, it was necessary to ensure that your server's TCP/IP settings point to its own IP address as its DNS server. On WS2003, the process for installing Active Directory now takes care of this automatically.

A more flexible method for installing Active Directory is to use the Active Directory Installation Wizard:

Insert product CD → Start → Run → dcpromo → Domain controller for a new domain → Domain in a new forest → specify DNS name for your forest root domain → accept or modify NetBIOS name for domain → accept or modify default location for NTDS and SYSVOL folders → Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server → specify default permissions for users and groups (select the pre-W2K compatibility option only if you still have downlevel NT domain controllers on your network) → specify password for Directory Services Restore Mode

Either method makes the machine the first domain controller of the root domain of the forest. The machine is also a DNS server and a global catalog server for the domain. If you used the second method and want your users to have access to the Internet, you will need to manually configure a DNS forwarder to your ISP's name server; see DNS later in this chapter for directions.

You can also remove Active Directory by removing the Domain Controller role in Manage Your Server or by running the Active Directory Installation Wizard again. Removing Active Directory from all your domain controllers means your domain no longer exists, an action that of course has consequences for your users (they can no longer log on to the domain to access network resources).

Move an Object

Right-click an object → Move

You can create OUs and move objects to these OUs to facilitate delegation and application of Group Policy. See Delegation and Group Policy later in this chapter for more information.

New to the Active Directory Users and Computers console in WS2003 is the ability to drag and drop objects between containers. At last!

Publish a Resource

Publishing a resource means creating an object in Active Directory to represent the resource. This helps users locate the resource on the network in order to access it. Most resources, such as users, groups, computers, and printers, are published automatically in Active Directory. Two exceptions to this are shared folders on network file servers and downlevel shared printers that are managed by print servers not running WS2003 as their operating system; these resources must be published manually.

To publish a shared folder:

Right-click on the OU where you want to publish the shared folder → New → Shared Folder → specify a friendly name for the resource → specify the UNC path to the shared folder

After publishing the folder, you can open its properties sheet and add a description and a list of keywords to help users find the folder when they need it.
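Behind the New → Shared Folder dialog, the published folder is an Active Directory object of class volume whose uNCName attribute holds the path, and the description and keywords you add afterwards are attributes on that object. The following PowerShell is an added example (not from the book) that publishes a folder and sets those attributes in one step; the container OU=Shares,DC=mycompany,DC=local and the path \\FS01\Finance are placeholders.

```powershell
# Added example: publish a shared folder by creating a "volume" object, then read it back.
$ou = [ADSI]"LDAP://OU=Shares,DC=mycompany,DC=local"   # placeholder container

function Publish-SharedFolder {
    param(
        [System.DirectoryServices.DirectoryEntry]$Container,
        [string]$FriendlyName,    # the name users see when they search Active Directory
        [string]$UncPath,         # \\server\share the published object points at
        [string]$Description,
        [string[]]$Keywords
    )
    # A published shared folder is an object of class "volume"; uNCName holds the share path.
    $vol = $Container.psbase.Children.Add("CN=$FriendlyName", 'volume')
    $vol.psbase.Properties['uNCName'].Value = $UncPath
    if ($Description) { $vol.psbase.Properties['description'].Value = $Description }
    if ($Keywords)    { $vol.psbase.Properties['keywords'].AddRange($Keywords) }  # multivalued
    $vol.psbase.CommitChanges()
    return $vol
}

$published = Publish-SharedFolder -Container $ou -FriendlyName 'Finance Reports' `
    -UncPath '\\FS01\Finance' -Description 'Monthly finance reports' -Keywords 'finance', 'reports'

# Read back what users will find. The object is only a pointer: the share and NTFS
# permissions on the file server still decide who can open anything in it.
$published.psbase.RefreshCache()
"{0} -> {1} [{2}]" -f $published.psbase.Properties['cn'].Value,
                      $published.psbase.Properties['uNCName'].Value,
                      ($published.psbase.Properties['keywords'] -join ', ')
```

Because the object is just a pointer, a published folder whose server has been decommissioned stays in the directory until someone deletes it; searching for volume objects and checking each uNCName is a useful periodic cleanup.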

To publish a downlevel shared printer:

Right-click on the OU where you want to publish the printer → New → Printer → specify the UNC path to the printer

Once users find this printer in Active Directory, they can connect to it or manage its properties, depending on their permissions.

Upgrade to Active Directory

For information about upgrading from NT domains to Active Directory or from a W2K version of Active Directory to the WS2003 version, see Active Directory (O'Reilly).



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch