What is Active Directory
Originally created in 1996, Active Directory, also referred to as AD, was first used with Windows 2000 Server as a directory service for Windows domain networks. Active Directory is a special-purpose database which serves as a central location for authenticating and authorizing all the users and computers within a network. Active Directory uses the Lightweight Directory Access Protocol (LDAP), an application protocol used for accessing and maintaining distributed directory information services over an IP network. The basic internal structure of Active Directory consists of a hierarchical arrangement of objects, which can be categorized broadly into resources and security principals. Examples of Active Directory objects are users, computers, groups, sites, services, printers, etc. Every object is considered a single entity with a specific set of attributes. The attributes of objects, along with the kinds of objects that can be stored in AD, are defined by a schema. The intrinsic framework of Active Directory is divided into a number of levels on the basis of the visibility of objects. An AD network can be organized into four types of container structure, namely forests, domains, organizational units and sites.
- Forests: A forest is a collection of AD objects, their attributes and the set of attribute syntaxes.
- Domains: A domain is a collection of computer objects in AD which share a common set of policies, a name and a database of their members.
- Organizational Units: OUs are containers in which domains are grouped. They are used to create a hierarchy for the domain that resembles the structure of the company in organizational terms.
- Sites: Sites are independent of the domain and OU structure and are physical groups defined by one or more IP subnets. They are used to distinguish between locations connected by low- and high-speed links.
Primarily, AD has three levels or logical divisions, viz. forest, tree and domain. A domain is at the lowest level of an entire network and is identified by its DNS (Domain Name Structure). A tree is a collection of one or more domains in a network, while a forest is a collection of trees sharing a common global catalog, directory configuration, directory schema and logical structure. The forest is at the highest level of the logical structure and corresponds to the security boundary within which the AD objects are accessible. Within a domain, all the objects are grouped in Organizational Units or OUs, so that administrative tasks can be simplified. With OUs, a domain can be divided in a hierarchical manner to resemble the managerial or departmental structure of an organization. Organizational units are also considered containers which can hold other OUs of the domain. Group Policies in the form of Group Policy Objects (GPOs) are generally applied to OUs, and administrative powers are also delegated at the OU level.
Sites are physical groupings rather than logical structures and are used to control the network traffic caused by Active Directory replication. Sites are also used to refer clients to the nearest domain controller (DC). All the information contained in Active Directory is physically held on one or more domain controllers. Each DC holds a copy of the Active Directory database, and when changes take place on any DC, the information is replicated to all the DCs holding a copy of the directory. This process is termed Active Directory replication. Replication in Active Directory is triggered each time an object is created, deleted, moved or modified.
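The site lookup described above (a client address is matched against the subnets assigned to sites, and the client is then referred to a DC in that site) can be shown with a small model. This is an added example written for this page, not code from Microsoft or from the original text; the site names, subnets and DC names are constructed, and the real DC locator runs inside Netlogon rather than in a script like this.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    """An AD site: a name, the IP subnets assigned to it, and the DCs located in it."""
    name: str
    subnets: list
    domain_controllers: list = field(default_factory=list)


# Constructed sample topology; site names, subnets and DC names are hypothetical.
SITES = [
    Site("HQ", [ipaddress.ip_network("10.0.0.0/16")], ["DC01", "DC02"]),
    # A more specific subnet inside the HQ range: the longest prefix must win.
    Site("Branch-Lab", [ipaddress.ip_network("10.0.50.0/24")], ["DC05"]),
    Site("Remote", [ipaddress.ip_network("192.168.0.0/16"),
                    ipaddress.ip_network("fd00:1::/48")], ["DC09"]),
]


def locate_site(client_ip, sites=SITES):
    """Return the Site whose most specific subnet contains client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    best_site, best_len = None, -1
    for site in sites:
        for net in site.subnets:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best_site, best_len = site, net.prefixlen
    return best_site


def preferred_dcs(client_ip, sites=SITES):
    """DCs a client should be referred to first. Without a site match there is
    no locality information, so any DC may end up answering the client."""
    site = locate_site(client_ip, sites)
    if site is None:
        return [dc for s in sites for dc in s.domain_controllers]
    return list(site.domain_controllers)


def unmapped_clients(client_ips, sites=SITES):
    """Client addresses that match no site subnet: gaps in the subnet-to-site map
    that make clients authenticate against distant DCs over slow links."""
    return [ip for ip in client_ips if locate_site(ip, sites) is None]
```

Running `unmapped_clients` over the addresses seen in authentication logs is a quick way to find subnets that were never assigned to a site; domain controllers also record such clients in the Netlogon debug log as NO_CLIENT_SITE entries.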
Active Directory Schema
All the objects and their attributes within Active Directory are defined in a schema, which is an Active Directory component. Since Active Directory stores information from various applications and services, all that information is standardized with the help of the schema. The AD schema defines how the data is stored and how the directory service retrieves, updates or replicates the data while ensuring data integrity. In Active Directory, objects are the main storage units and are defined under the AD schema. The directory queries the schema for the appropriate object definition each time some information is to be handled. AD creates objects and stores data in them as per the definition available in the schema, since the schema controls the type of information that can be stored in the objects. Only data types which exist in schema definitions can be stored in the objects. In order to store a new data type, a new object definition must first be created in the schema. The object definitions in the AD schema contain all the object attributes along with the definitions of the attribute relationships. For example, a User object will contain an attribute for the user's logon name. This attribute will in turn contain other attributes, like the syntax of the logon name. All the object attributes and the attributes within them are defined in the schema of Active Directory.

Building Active Directory Schema
During the creation of the forest at the time of Active Directory installation, the default schema is also created. The default schema is replicated to each new domain created within the forest thereafter, and each Domain Controller gets access to a copy of the default schema. This is necessary for creating objects within the domain, as the DC must have the object definitions required to create objects and to store or retrieve information in Active Directory.
The replication topology of Active Directory ensures that every domain controller is able to write changes to the AD database and replicate those changes to the other DCs in the same forest as well.

Active Directory Schema architecture
The schema is the Active Directory component that defines all the AD objects and their attributes so that data can be stored. The physical structure of the Active Directory schema comprises the object definitions. The schema is stored in the schema partition of the directory and defines the following:
- Objects used to store data in the directory
- The rules which govern the structure of the objects
- The directory structure and its content

The above definitions consist of objects, attributes and classes, the details of which are given below.

Schema components
1. Objects
2. Attributes
3. Classes
4. Schema objects
Active Directory Domain
In a network, a domain is a collection of computers and resources which have a common namespace and share a common security database. The namespace of a domain is stored in DNS, which is primarily a hierarchical structure of service and object names. For a domain in Active Directory that shares the common AD database, the Active Directory and DNS namespaces have to be the same. Administrative controls and security policies are implemented on a per-domain basis and are valid for individual domains only. Within a domain, administrators can create and manage different resources and objects. An Active Directory domain contains various AD objects like users, groups, computers, OUs, etc. Therefore, it can be said that a domain is the core logical structure of Active Directory, while the physical structures are the domain controllers and sites. When more than one domain is grouped together, a domain tree is formed. Every domain within a domain tree shares a contiguous DNS namespace and naming structure. In a domain tree, the root domain is referred to as the parent domain, while the domains added under it are referred to as child domains. A group of multiple domain trees is termed a forest. Within a forest, the domains are linked by two-way transitive trusts and share a common global catalog and schema. The root domain of a forest holds the forest-specific roles and groups, namely the Domain Naming Master role, the Schema Master role, the Enterprise Admins group and the Schema Admins group.

Domain Functional Levels
The domain functional level controls and restricts the functions that can be performed in a domain. If the domain functional level is raised to the Windows Server 2003 functional level, a few advanced Active Directory features become available. The functional levels, and the domain controllers each one supports, are:
- Windows 2000 Native: supports domain controllers running Windows 2000 and Windows Server 2003.
- Windows 2000 Mixed: supports domain controllers running Windows NT 4.0, Windows 2000 and Windows Server 2003.
- Windows Server 2003 Interim: supports domain controllers running Windows NT 4.0 and Windows Server 2003.
- Windows Server 2003: supports domain controllers running Windows Server 2003.
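The relationship between a domain's DNS name, its distinguished name in the directory and the contiguous namespace that makes a set of domains one tree, as described in the domain section above, can be made concrete in code. This is an added example for this page, not code from the original text or from Microsoft; the domain names in the test data are constructed, and which tree root is the forest root is not derivable from names alone (it is simply the first domain created in the forest).

```python
def dns_to_dn(dns_name):
    """Default naming context DN for a domain: corp.example.com -> DC=corp,DC=example,DC=com."""
    labels = [l for l in dns_name.strip().strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join("DC=" + l for l in labels)


def dn_to_dns(dn):
    """Inverse of dns_to_dn; rejects DNs that contain anything but DC components."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.strip().upper() != "DC" or not value.strip():
            raise ValueError("not a domain DN: %r" % rdn)
        labels.append(value.strip().lower())
    return ".".join(labels)


def parent_domain(dns_name, known):
    """Nearest ancestor of dns_name among the known domains, or None if it is a tree root."""
    labels = dns_name.lower().split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def tree_root(dns_name, known):
    """Follow parent links up the contiguous namespace until a root is reached."""
    current = dns_name.lower()
    while True:
        parent = parent_domain(current, known)
        if parent is None:
            return current
        current = parent


def build_trees(domains):
    """Group domains into trees by contiguous DNS namespace: {root: [descendants]}.
    Several roots in one result means several trees, i.e. a multi-tree forest."""
    known = {d.lower() for d in domains}
    trees = {}
    for d in sorted(known):
        root = tree_root(d, known)
        trees.setdefault(root, [])
        if d != root:
            trees[root].append(d)
    return trees
```

The DN form is what tools such as `dsquery *` and Ldp.exe expect as a search base, so a conversion like `dns_to_dn` is the usual first step when a script only knows the domain's DNS name.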
Domain Design Factors
While designing an Active Directory domain, the following factors should be kept in mind:
1. Business requirements: The logical structure of Active Directory must be designed according to the business requirements of the organization.
2. Geographical factors: In order to control replication between the different regions of the enterprise, it is best to create and implement a geographic domain design so that domain controllers replicate changes only within their local domain.
3. Domain name strategy: Domain names should be unique. Each domain is assigned a NetBIOS name and a DNS name.
4. WAN link costs: The cost of implementing WAN links varies between countries.
Active Directory Server
Windows Active Directory is used to manage application settings, corporate identities, business information and system credentials in an organization. The Active Directory server performs all these tasks with the help of certain technologies, which are explained below.

Active Directory Domain Services (AD DS)
Active Directory Domain Services is the central location of the directory where information about security configuration settings, authentication requests and every AD object within the domain or forest is stored. From this centralized location, AD administrators can control, access and manage the entire directory along with its objects, resources and services, like users, computers, groups, applications, printers, etc.

Active Directory Lightweight Directory Services (AD LDS)
Active Directory Lightweight Directory Services, also known as Active Directory Application Mode (ADAM), is used to store the data of directory-enabled applications in its database. AD LDS consists of two components, which provide a location for security accounts and for application configuration and directory data. The AD LDS service is deployed only on the servers which host the directory applications.

Active Directory Rights Management Services (AD RMS)
The intellectual property of an organization should be secured from potential infringement, and Active Directory Rights Management Services is used for this purpose. The AD RMS component of Windows Server 2008 R2 is used to encrypt and secure sensitive documents and web services.
This Active Directory server service ensures that only objects which have the right to access a resource in the domain network can do so. Configured rights such as to open, print, modify, forward or take any other action are defined in the rights-managed information of AD RMS.

Active Directory Federation Services (AD FS)
Active Directory Federation Services is a highly extensible, secure and internet-scalable service providing an identity access solution. With this service, organizations are able to authenticate users from their partner organizations and grant those external users access rights to domain resources of their own organization. The AD FS technology is also used to integrate the domain resources and untrusted resources within an organization.

Active Directory Certificate Services (AD CS)
Active Directory Certificate Services is used to enhance the security of certificates that prove the identity of users and computers within an organization. This service for Active Directory server is also used for data encryption during transmission across unsecured networks. AD CS enhances the security of certificates by binding the identity of an object, device or service to its respective private key. Storing the private key along with the certificate within AD protects the identity. Furthermore, it becomes easier to retrieve the appropriate data when an application request is placed.
Active Directory Users
The Active Directory data store contains information about network resources which can be accessed from within a domain. These network resources consist of users, computers, groups, security policies, printers, services, etc., and are termed Active Directory objects. Of these AD objects, we will discuss user objects in the following section. A user object (user account) in the directory enables end users to log on to the Windows Server. This object is made up of attributes such as user logon name, first name, last name, display name and contact number, to name a few. In order to create a new user object in Active Directory, the following steps must be followed:
1. Click Start, Administrative Tools, and then the Active Directory Users And Computers console.
2. In the console tree, select the OU in which the new user object will be created.
3. From the Action menu, click New, then click User.
4. In the New Object - User dialog box, enter information for the following fields: First name, Initials, Last name, Full name (automatically populated), User logon name, User logon name (pre-Windows 2000).
5. Click Next.
6. Enter a password in the Password field and verify the password in the Confirm password field.
7. The user has to specify a new password at next logon. Click Next.
8. Verify the settings entered on the Summary screen.
9. Click Finish. A new user object with the specified settings will be created.
A user requires an Active Directory user account to log on to a computer or domain; thus it can be said that the user account establishes an identity for the user. With the help of the user account, a user is authenticated and is authorized to use the domain resources. Other than that, user objects are also used as service accounts for applications, where a service is granted access rights to specific network resources. Active Directory user objects are also referred to as security principals, since that emphasizes the security implemented by the OS for these objects. Every security principal is assigned a SID, a unique security identifier, during its creation. With this SID, user objects are able to log on to a network and access the domain resources.
Active Directory Attributes
The Windows Active Directory schema contains a large number of attributes which administrators can choose from to define different AD objects. The actual values assigned to attributes are stored in the Active Directory database that is created by default during the installation of the first domain controller. The "Index this attribute in the Active Directory" property of the domain controller helps administrators to enable the default attributes. The Active Directory Schema snap-in in the MMC is the place from where administrators can select specific attributes any number of times. Apart from the default attributes, additional attributes can also be added to AD by extending the Active Directory schema structure. Once an attribute is assigned to an object, the attributeSchema object thus created is replicated to the Global Catalog (GC). Therefore, in order to modify any default attribute which is replicated to the Active Directory GC, one must modify the schema. For this, the administrator must be made a member of the "Schema Admins" group, and a registry key must be set on the Schema Master. Since schema modification is a complex procedure, Active Directory attributes are rarely modified. In the following section, we will see some of the commonly used Active Directory attributes, their syntaxes, their meanings and which objects contain them in the default AD schema.

userAccountControl (user)
This attribute contains a set of bit flags defining certain properties of user objects. It takes the form of a 32-bit integer and is a combination of the following bit values:
Value  Description
1      The logon script will be executed.
2      The user account is disabled.
8      A home directory is required.
16     The account is locked out.
32     The account does not require a password.
64     The account is not allowed to change its password.
512    The account is a typical user account.
65536  The account password never expires.
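Because userAccountControl is a bit mask, a stored value such as 66048 is only meaningful once it is split back into the flags listed above. The decoder below is an added example written for this page (not code from the original text); it uses the page's values with their documented ADS_UF_* names, and the account names in the sample export are constructed. It also flags the two settings a reviewer most often wants to see on enabled accounts: no password required, and password never expires.

```python
# userAccountControl bit flags: the values from the page, with the documented ADS_UF_* names.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",   # stored bit; the live lockout state is in msDS-User-Account-Control-Computed
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Flags that weaken password policy for an enabled account and deserve a review.
REVIEW_FLAGS = (0x0020, 0x10000)


def decode_uac(value):
    """Split a userAccountControl integer into flag names, lowest bit first.
    Bits the table does not name are reported as UNKNOWN_0x... rather than dropped."""
    value &= 0xFFFFFFFF  # the attribute is a 32-bit integer
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(UAC_FLAGS.get(mask, "UNKNOWN_0x%X" % mask))
    return names


def is_enabled(value):
    return not (value & 0x0002)


def flags_to_review(value):
    """Review-worthy flag names set on an enabled account; disabled accounts return []."""
    if not is_enabled(value):
        return []
    return [UAC_FLAGS[mask] for mask in REVIEW_FLAGS if value & mask]


def audit_accounts(accounts):
    """accounts: {sAMAccountName: userAccountControl}. Returns {name: [flags]} for
    every enabled account that carries a review-worthy flag."""
    findings = {}
    for name, uac in accounts.items():
        flagged = flags_to_review(uac)
        if flagged:
            findings[name] = flagged
    return findings


# Constructed sample export (hypothetical account names and values).
SAMPLE_ACCOUNTS = {
    "alice": 512,          # normal account, enabled
    "svc-backup": 66048,   # 512 + 65536: password never expires
    "old-temp": 514,       # 512 + 2: disabled, so skipped by the audit
    "kiosk": 544,          # 512 + 32: no password required
}
```

A real export would come from `dsquery * -filter "(objectClass=user)" -attr sAMAccountName userAccountControl` or an LDAP search; the decoder does not care where the integers come from.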
accountExpires (user)
This attribute defines the date on which a user account will expire. It takes the form of a long (64-bit) integer. The ADSearch Convert function is used to convert this value into a textual date.

sAMAccountName (user, computer, group)
This attribute describes the downlevel name of the object, which is seen by downlevel administrative tools and other pre-Windows 200x tools. It takes the form of a single-valued string.

logonHours (user)
This attribute defines the times at which a user is allowed to log on. It takes the form of an octet string. The ADSearch Convert function is used to convert this binary data (octet string) into a more meaningful set of data.

member (group)
This attribute defines the objects which are members of a group. It takes the form of a multivalued string, where each of the string elements is the distinguished name of a member. If the member is a Foreign Security Principal, the distinguished name will be of the form "CN=sid", where sid is the SID of the member.

objectSid (all security principals)
This attribute contains the security identifier of an AD object, which is used to represent the object in various places on the network (Active Directory, file system ACLs, etc.). It takes the form of a raw binary string, with each set of two characters representing one byte of the binary data. The ADSearch Convert function is used to convert this binary value into a useful textual value.

objectClass (all objects)
This attribute represents the inheritance hierarchy of object classes. It takes the form of a multivalued string.

objectGUID (all objects)
This attribute defines a GUID, which is a unique identifier of an object within AD. It takes the form of a raw binary string, with each set of two characters representing one byte of binary data. The ADSearch Convert function is used to convert the raw binary data retrieved from the attribute into a readable form.

dc (domainDNS)
This attribute defines the uplevel name of a domain, or the leaf part of the distinguished name of the domain.
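Several of the attributes above (accountExpires, logonHours, objectSid, objectGUID) are only useful after the conversion the text attributes to the ADSearch Convert function. The converters below are an added example for this page, written from the documented binary layouts rather than taken from ADSearch or any Microsoft code: FILETIME ticks of 100 ns since 1601-01-01 UTC, the SID layout (revision, sub-authority count, 48-bit big-endian authority, little-endian 32-bit sub-authorities), the GUID's little-endian first three fields, and logonHours as 168 bits starting Sunday 00:00 UTC. The least-significant-bit-first order within each logonHours byte is an assumption stated in the code; the sample values are constructed, except the well-known SID of the Administrators group.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # both mean "no expiry" for accountExpires
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def _as_bytes(raw):
    """Accept raw bytes or the two-hex-characters-per-byte form the page describes."""
    return bytes.fromhex(raw) if isinstance(raw, str) else bytes(raw)


def filetime_to_datetime(value):
    """accountExpires: 100 ns ticks since 1601-01-01 UTC; None means never expires."""
    if value in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def sid_to_string(raw):
    """objectSid binary layout -> S-1-5-21-... text form."""
    data = _as_bytes(raw)
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def guid_to_string(raw):
    """objectGUID stores its first three fields little-endian; uuid's bytes_le handles that."""
    return str(uuid.UUID(bytes_le=_as_bytes(raw)))


def logon_hours(raw):
    """logonHours: 21 bytes = 168 bits, one per hour of the week in UTC, starting
    Sunday 00:00; least-significant bit first within each byte (assumed order).
    Returns {day: [allowed hours]}. An absent attribute means no restriction."""
    if raw is None:
        return {day: list(range(24)) for day in DAYS}
    data = _as_bytes(raw)
    if len(data) != 21:
        raise ValueError("logonHours must be 21 bytes")
    allowed = {day: [] for day in DAYS}
    for hour_of_week in range(168):
        byte, bit = divmod(hour_of_week, 8)
        if data[byte] & (1 << bit):
            day, hour = divmod(hour_of_week, 24)
            allowed[DAYS[day]].append(hour)
    return allowed


def logon_allowed(raw, when):
    """True if the UTC time `when` (datetime or ISO-8601 string) is an allowed logon hour."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    day = (when.weekday() + 1) % 7   # Python counts Monday=0; logonHours counts Sunday=0
    return when.hour in logon_hours(raw)[DAYS[day]]


# Constructed sample: the only allowed window is Monday 08:00-15:59 UTC
# (hours 32..39 of the week, i.e. all eight bits of byte 4).
MONDAY_OFFICE_HOURS = bytes(4) + b"\xff" + bytes(16)
```

Note that logonHours is evaluated in UTC by the directory, so a window that looks like "office hours" in the GUI of a DC in one time zone is a different clock-time window for a user elsewhere.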
Active Directory Users and Computers
In an Active Directory network, users and computers are important object types, which are the logical representation of the actual end users and systems configured in a domain within an organization. The Active Directory service offers individual accounts to users and computers for administrative ease and for secure authentication and authorization. To manage user and computer accounts, the Active Directory Users and Computers snap-in console is used. AD user authentication is done to confirm the identity of all the Active Directory users who log on to a domain. Authentication allows users to access resources like data, system libraries, shares, applications, devices, etc. located anywhere in the network. AD user authorization is provided to secure the resources of a network from unauthorized access. Authenticated user accounts are granted access rights depending on the access control permissions attached to the objects. Some of the common terms used with user and computer accounts are given below:
- User rights: User rights can be both logon rights and privileges assigned to users and groups.
- Access control permissions: Permissions such as Read, Write, No Access, etc. are assigned to all the objects as well as to the object properties.
- Access tokens: An access token is created each time a user logs on and represents the user account. It contains three elements, viz. the individual SID, the group SIDs and the user rights. An access token is not updated until the next user logon.
- SIDs: In a Windows Server system, a SID is a unique security code that identifies a specific user, group or computer.
  - Individual SID: Represents a logged-on user.
  - Group SID: Represents a logged-on user's group membership.
- Access Control List (ACL): Every Active Directory object is associated with the following two ACLs:
  - Discretionary Access Control List (DACL): Contains a list of all user accounts, groups and computers which are allowed or denied access to the object.
  - System Access Control List (SACL): Defines the events which are audited for a user or a group.
- Access Control Entry (ACE): Every DACL or SACL contains a list of ACEs, which hold the permissions that are granted or denied to the users, groups and computers listed in the DACL or SACL. Each ACE consists of a SID along with the corresponding permission, like Write access.

Similar to user accounts, Active Directory computer accounts are provided with authentication and authorization in order to audit the access of computers in the network. Active Directory users and computers together are termed security principals, since the operating system implements certain security for these entities. Security principals are primarily directory objects which are automatically assigned SIDs (security identifiers) upon creation. Objects which have a valid SID can log on to the network and access available domain resources. Every user and computer account is assigned some Group Policy in the form of Group Policy Objects (GPOs). The Group Policy configuration settings are associated with the organizational units, domains and sites which contain user and computer accounts. When a Group Policy is applied to a container, it affects either all the constituent objects or a specified set of objects. Group Policies help in configuring the security options, managing applications and desktop appearance, assigning scripts and redirecting folders from local computers to network systems. Group Policies are applied to users at logon time and to computers at boot time.
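How a token (user SID plus group SIDs) is evaluated against the ACEs of a DACL is easier to see in code than in prose. The model below is an added example for this page, not Windows code: it reproduces the documented evaluation order (ACEs are walked in order, a matching deny covering a still-ungranted right fails the check, allows accumulate until every requested right is granted), and shows why the canonical deny-before-allow order matters and why a NULL DACL is dangerous. The access mask bits, SIDs and group names are constructed.

```python
from dataclasses import dataclass

# Constructed access mask bits for the example (real Windows masks are richer).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class ACE:
    kind: str    # "deny" or "allow"
    sid: str     # trustee: user, group or computer SID
    mask: int    # permissions this ACE grants or denies


@dataclass(frozen=True)
class Token:
    """Built at logon: the user's own SID plus the SIDs of its groups; not refreshed until next logon."""
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | set(self.group_sids)


def access_check(dacl, token, requested):
    """Walk the DACL in order. A deny ACE for one of the token's SIDs that covers
    any still-ungranted requested right fails the check; allow ACEs accumulate
    rights; the check succeeds once every requested right has been granted."""
    if dacl is None:
        return True      # a NULL DACL protects nothing: everyone gets everything
    remaining = requested
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        else:
            raise ValueError("unknown ACE type %r" % ace.kind)
    return remaining == 0    # an empty or non-matching DACL grants nothing


def canonicalize(dacl):
    """Canonical order for explicit ACEs: deny entries before allow entries.
    (Inherited ACEs would follow the explicit ones; none are modelled here.)"""
    return [a for a in dacl if a.kind == "deny"] + [a for a in dacl if a.kind == "allow"]


# Constructed sample: hypothetical domain SIDs and group membership.
STAFF = "S-1-5-21-1000-2000-3000-513"
CONTRACTORS = "S-1-5-21-1000-2000-3000-1200"
BOB = Token("S-1-5-21-1000-2000-3000-1105", frozenset({STAFF, CONTRACTORS}))

# Written allow-before-deny on purpose, to show the effect of non-canonical order.
UNORDERED_DACL = [
    ACE("allow", STAFF, READ | WRITE),
    ACE("deny", CONTRACTORS, WRITE),
]
```

The Windows security editors always write DACLs in canonical order; ACLs written by custom code or tooling that do not respect it are a classic source of "the deny entry is there but does not work" tickets, which is exactly what the `UNORDERED_DACL` case reproduces.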
Active Directory Rights Management Services
Active Directory Rights Management Services (AD RMS), previously termed Windows Rights Management Services, is a type of information rights management used to encrypt and limit access to corporate documents. This selective functionality denial service is used on Microsoft Windows and is used by companies to encrypt information stored in the form of documents, web pages and corporate e-mails. This service is further used to prevent the decryption of protected content by specific groups or users, or to prevent certain operations on the encrypted documents like printing, copying, editing, forwarding and deleting. With the help of Active Directory Rights Management Services and its client, an organization's security strategy can be augmented. This is done by protecting the information store through usage policies and protecting sensitive information like customer data, financial reports, product specifications, etc. Since AD RMS includes a Windows Server 2008 R2 based server running the AD RMS server role (which handles all the certificates and licensing), the database server and the RMS client, its deployment has the following benefits:
- Encryption of sensitive information: Organizations are able to create customized usage policy templates which can be applied to the information so as to safeguard it.
- Persistent protection: For better information protection, AD RMS augments the existing perimeter-based security solutions, including ACLs, firewalls, etc., by locking down usage rights.
- Flexible technology: AD RMS allows independent software vendors (ISVs) and developers to enable applications and services like content management systems to further protect server-based solutions such as records management, e-mail gateways, archival systems and automated workflows.
Given below are some of the key features of Active Directory Rights Management Services:
- Identity federation support
- Microsoft Federation Gateway support
- Inclusion of AD RMS as a server role
- Administration through the MMC (Microsoft Management Console)
- Integration with Active Directory Federation Services (AD FS)
- Self-enrollment of AD RMS servers
Therefore we see that Active Directory Rights Management Services is a format- and application-agnostic technology that is used to provide services for creating information protection solutions. Types of content which can be protected using AD RMS include e-mail messages, intranet web sites and documents. This service is mostly beneficial to IT planners, IT analysts, professionals responsible for supporting an existing RMS infrastructure and IT security architects who deploy information protection technology.
Active Directory Browser
Active Directory management is possible with the help of the Windows Support Tools provided by Microsoft. The Windows support tool Ldp.exe is used by administrators as an Active Directory browser to perform LDAP searches against the directory. This Lightweight Directory Access Protocol utility allows administrators to search for specific information using given search criteria. This client utility can be used to browse and query an LDAP-based directory service such as Active Directory. To use the LDP utility, the first step is to connect and bind to Active Directory for authentication. Following are the steps required to connect to Active Directory:
1. On the Connections menu, click Connect.
2. In the dialog box, type the directory server name and click OK.
Note: If the directory server name is not specified, LDP will connect you to your logon server (LOGONSERVER) or to the last server that was accessed.
Once the connection with Active Directory is established, a message containing "RootDSE" information is sent. This is the information which you will require to use the ldp.exe utility as an Active Directory browser. In order to bind to the directory, on the Connections menu, click Bind to authenticate yourself to AD. Once you are connected and authenticated to Active Directory, you can browse for information depending on the permissions assigned to your account. For attributes and parts of the AD tree to which access is denied, information will not be displayed. Since Active Directory is LDAP compliant, all its information is arranged in a hierarchical tree structure. Therefore, to browse through the structure, the correct LDAP query must be used.
To browse through the directory, it is first important to view its tree structure. Following are the steps:
1. On the View menu, click Tree and enter the base Distinguished Name (DN).
2. Enable the Auto Base DN Query option and click OK to connect to the defaultNamingContext of the tree root.
The Active Directory tree structure will be displayed in the left pane of the LDP utility, which on expanding displays all the objects and containers. Double-click any object in the directory tree to view its attributes and attribute information in the right pane of the LDP utility. Results are displayed either in String format or Binary format depending on the configuration of the Value Parsing option (in the Options dialog box, click General and change the Value Parsing option to String). In String format, object attributes are displayed as follows: Ldp: Binary blob. The LDP utility overwrites the older results with new information; therefore, increase the buffer size to retain more data. It is possible to save the results in plain text format and export the search results.
Active Directory Query
Searching for specific information in the Active Directory structure is a tedious task for administrators without the help of structured queries. With Active Directory queries, locating users, computers, groups, contacts, sites, OUs, subnets and servers becomes easy. Of the many command-line tools available for Active Directory management in the different versions of Windows Server, the Dsquery tool is used as an Active Directory query utility. With the help of this tool, specific search criteria can be executed through queries to quickly search for information. This built-in tool is available if the Active Directory Domain Services (AD DS) server role is installed. The dsquery command is run from an elevated command prompt. To open one, click Start, right-click Command Prompt and click Run as Administrator. Following are the different forms of the dsquery command used to search Active Directory information:
- Dsquery computer: Finds computers in the directory that match the specified search criteria.
- Dsquery contact: Finds contacts in the directory that match the specified search criteria.
- Dsquery group: Finds groups in the directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.
- Dsquery ou: Finds organizational units (OUs) in the Active Directory data store that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.
- Dsquery site: Finds sites in Active Directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.
- Dsquery server: Finds domain controllers according to the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.
- Dsquery user: Finds user accounts in Active Directory as per the search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.
- Dsquery quota: Finds quota specifications in the directory data store that match the specified search criteria. A quota specification determines the maximum number of directory objects that a specified security principal can own in a particular directory partition. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.
- Dsquery partition: Finds partition objects in Active Directory that match the specified search criteria. If the predefined search criteria in this command are insufficient, use the more general version of the query command, dsquery *.
- Dsquery *: Searches for any Active Directory object according to the criteria specified in an LDAP query.
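When the predefined forms are not enough and a script falls back to `dsquery *` with its own LDAP filter, the filter has to be built correctly: values taken from user input must be escaped as RFC 4515 requires, and bit-valued attributes such as userAccountControl need the bitwise AND matching rule rather than an equality test. The helpers below are an added example for this page, not part of dsquery or of the original text; the `-scope`, `-filter` and `-attr` switches are documented dsquery * options, the matching rule OID 1.2.840.113556.1.4.803 is the documented LDAP_MATCHING_RULE_BIT_AND, and the account name and base DN in the test are constructed.

```python
# RFC 4515 escaping of the characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}

# LDAP_MATCHING_RULE_BIT_AND: lets a filter test individual bits of an integer attribute.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def escape_filter_value(value):
    """Escape a value before interpolating it into a filter, so that user-supplied
    text can only ever match as a literal value and never change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name):
    """Filter matching one user by logon name (objectCategory=person excludes computers)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(sAMAccountName=%s))" % escape_filter_value(sam_account_name))


def uac_bit_filter(bit):
    """Filter for objects whose userAccountControl has `bit` set, e.g. 2 = disabled,
    32 = no password required, 65536 = password never expires."""
    return "(userAccountControl:%s:=%d)" % (BIT_AND_RULE, bit)


def and_filters(*filters):
    """Combine sub-filters with LDAP's prefix AND."""
    return "(&" + "".join(filters) + ")"


def dsquery_star_args(base_dn, ldap_filter, attrs):
    """argv for `dsquery *`, searching the subtree under base_dn with the given
    filter and returning the listed attributes. Passing argv to subprocess
    avoids the shell quoting problems that parentheses and asterisks cause."""
    return ["dsquery", "*", base_dn, "-scope", "subtree",
            "-filter", ldap_filter, "-attr", *attrs]


def enabled_accounts_without_password_filter():
    """Enabled user accounts that do not require a password: a setting worth reviewing."""
    return and_filters("(objectCategory=person)", "(objectClass=user)",
                       "(!%s)" % uac_bit_filter(2), uac_bit_filter(32))
```

The same escaping applies to any other tool that accepts an LDAP filter string (Ldp.exe's search dialog, `ldapsearch`, LDAP client libraries); libraries usually ship an equivalent function, and it should always be used instead of string concatenation.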
Active Directory Viewer
In order to easily navigate through the entire Active Directory database, view object properties and attributes, view the AD schema and execute searches, Microsoft has come up with Active Directory Explorer (AD Explorer). AD Explorer is an advanced Active Directory viewer and editor with which administrators can traverse the AD internal structure, view the properties, permissions and attributes of AD objects without opening separate dialog boxes, and edit them as well. Apart from being used as an Active Directory viewer, AD Explorer is also capable of saving snapshots of the AD database for viewing or comparing them offline. Once a saved snapshot is loaded, it is possible to navigate through it and explore it with the help of AD Explorer. The comparison functionality of this viewer helps administrators compare two snapshots of the AD database in terms of the changes made to objects, attributes and security permissions. This particular utility is quite similar to another Active Directory viewer, ADSI Edit, which supports Windows Server 2003 and 2008 R2, even though ADSI Edit lacks the snapshot functionality. Furthermore, in AD Explorer it is possible to bookmark AD objects, which is handy when viewing the same objects repeatedly. Another advantage that AD Explorer offers is faster navigation between objects than that offered by the ADUC snap-in. With just a single click, all the object attributes can be viewed using AD Explorer. Moreover, the values of object attributes can be copied to the clipboard and emailed.
Modification of Active Directory objects is also possible with AD Explorer; however, not all objects can be modified, in particular objects that have already been deleted. Thus, reanimating tombstoned objects is not possible with AD Explorer. Also, the snapshots created with this Active Directory viewer utility cannot be used as a backup. Furthermore, the comparison report or output of two snapshots cannot be exported. When the live Active Directory is the current mode, AD Explorer does not allow snapshots to be taken.
Active Directory Utilities
Active Directory's directory services maintenance utility (ntdsutil.exe) is a command line tool that provides management facilities for the AD. Maintenance of the Active Directory database, management and control of single master operations, creation of application directory partitions, removal of metadata left by domain controllers, SAM management, resetting the DSRM password, transferring FSMO roles to a domain controller and many other tasks can be carried out using the directory services maintenance utility. This menu-driven tool is designed for interactive use; however, it can also be run with the help of scripted commands. Some of the most common tasks which can be performed using ntdsutil.exe are summarized below:
- Authoritative restore: In an authoritative restore, specific data marked as current is prevented from being overwritten during the replication process. During an authoritative restore process, all the changes made to a restored object after the backup was created are lost. Ntdsutil.exe is used to perform an authoritative restore in tandem with the system utilities of Windows Server 2003.
- Configurable settings: Manages configurable settings.
- Domain management: Used to create naming contexts and add replicas to the DNS application directory partition.
- Files: This functionality is available only after booting the server into Directory Services Restore Mode. It checks the integrity of NTDS.DIT and moves the associated database files.
- Roles (FSMO maintenance): Used to map each single operations master to the corresponding domain controller. For this function, ntdsutil.exe must be used along with NetDom or the Active Directory snap-ins.
- Reset DSRM password: The Directory Services Restore Mode password can be reset using this utility.
- Security account management: Checks for duplicate SIDs, especially during metadata cleanup.
Active Directory utilities are available with Windows Server 2008 and Windows Server 2008 R2, provided the AD DS and AD LDS server roles are installed. Ntdsutil.exe is also available upon installing the Active Directory Domain Services Tools, which are part of RSAT (Remote Server Administration Tools). Steps to run the command line utility ntdsutil.exe are given below:
1. Click Start, right-click Command Prompt, and then click Run as administrator.
2. In the elevated command prompt, run ntdsutil.exe.
In case only the AD LDS server role is installed and not the AD DS server role, Active Directory utilities such as dsdbutil.exe and dsmgmt.exe can be used instead of ntdsutil.exe to perform the same tasks.
Active Directory Reporter
Reports generated for various activities conducted on the Windows Active Directory help administrators keep a record for reference. Active Directory reports arm administrators with important information about the AD infrastructure and AD components, including objects, sites, groups, domains, OUs, etc. Active Directory reporter tools are applications that help in generating general, configuration and audit Active Directory reports. These reports help in processing data about user accounts, service level availability issues, Active Directory trending, etc. The Active Directory management pack for Microsoft Operations Manager (MOM) offers a predefined set of reports specifically designed to monitor the performance as well as the availability of all the Active Directory services. The management pack for MOM generates comprehensive reports, including those on service availability and service health and reports providing capacity planning estimates. However, the AD replication monitoring report is disabled in the management pack by default. To enable this report, administrators are required to enable the data collection report using the configuration information provided in the Active Directory Latency Performance Data Collection - Sources Rule Group descriptions. The Active Directory reporter utility of the management pack offers different types of reports, some of which are explained below. The reports that provide data about AD configuration information are:
- AD Domain Controllers: Gives a list of all domain controllers, their IP addresses and sites within a selected domain.
- AD Role Holders: Provides a list of all computers that hold one or more operations master roles or act as global catalog servers.
- AD Replication Objects: Summarizes the AD replication topology and offers a list of connection objects.
- AD Replication Links: Gives a summary of the current replication site link configuration for Active Directory.
Reports which provide information about Active Directory disk space are as follows:
- AD DC Disk Space: This report summarizes the disk space usage and free space for the Active Directory database and log volumes. It helps administrators predict volume sizes according to the current growth rate.
The reports through which administrators obtain information about Active Directory operations are given below:
- AD Domain Changes: This report provides data about significant changes made in the domain, such as the addition or removal of domain controllers and movement of the PDC emulator operations master.
- AD Machine Account Authentication Failures: This report summarizes data about workstations which are unable to authenticate and in turn prevent Group Policy updates and software distribution to computers.
- AD SAM Account Errors: Reports on events which indicate that SAM has detected an error, and also gives corrective guidance.
Reports which provide information on the Active Directory replication process are as follows:
- AD Replication Bandwidth: This report provides a summary of both compressed and uncompressed replication bandwidth over a selected period. It is used in capacity planning.
- AD Replication Latency: Provides data about minimum, average and maximum replication latency per naming context, per domain controller. This report is used to verify service level agreements (SLAs) within a domain or forest.
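As an added example that is not part of the original page or of the MOM management pack, the following script rebuilds the content of four of the reports named above (AD Domain Controllers, AD Role Holders, AD DC Disk Space and AD Replication Links) with the ActiveDirectory PowerShell module, so that the same information can be produced without MOM. It assumes RSAT with that module is installed (Get-ADReplicationSiteLink requires the Windows Server 2012 or later module) and that the caller has WMI access to each domain controller; the output file names are constructed.

```powershell
# Added example, not from the original page: the "AD Domain Controllers", "AD Role
# Holders", "AD DC Disk Space" and "AD Replication Links" reports rebuilt with the
# ActiveDirectory module. Assumes RSAT with that module (Get-ADReplicationSiteLink
# needs the Windows Server 2012 or later module) and WMI access to each DC.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *

# AD Domain Controllers: name, address and site of every DC in the domain
$dcReport = $dcs | Select-Object HostName, IPv4Address, Site

# AD Role Holders: operations master roles and global catalog servers
$roleReport = $dcs | Where-Object { $_.OperationMasterRoles -or $_.IsGlobalCatalog } |
    Select-Object HostName, IsGlobalCatalog,
                  @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ',' } }

# AD DC Disk Space: size and free space of each fixed volume on each DC, so the
# volumes holding the database and logs can be watched against their growth rate
$diskReport = foreach ($dc in $dcs) {
    Get-WmiObject -Class Win32_LogicalDisk -ComputerName $dc.HostName -Filter 'DriveType=3' |
        Select-Object @{ n = 'DC';      e = { $dc.HostName } },
                      DeviceID,
                      @{ n = 'SizeGB';  e = { [math]::Round($_.Size / 1GB, 1) } },
                      @{ n = 'FreeGB';  e = { [math]::Round($_.FreeSpace / 1GB, 1) } },
                      @{ n = 'PctFree'; e = { [math]::Round(100 * $_.FreeSpace / $_.Size) } }
}

# AD Replication Links: site links, their cost and replication interval
$linkReport = Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { $_.SitesIncluded -join ';' } }

$dcReport   | Export-Csv .\ad-domain-controllers.csv -NoTypeInformation
$roleReport | Export-Csv .\ad-role-holders.csv       -NoTypeInformation
$diskReport | Export-Csv .\ad-dc-disk-space.csv      -NoTypeInformation
$linkReport | Export-Csv .\ad-replication-links.csv  -NoTypeInformation

# Volumes below 15% free deserve attention before the database or logs run out of room.
$diskReport | Where-Object { $_.PctFree -lt 15 }
```

Run on a schedule, the CSV files give the same trend data the page attributes to the management pack's capacity planning reports, and the final filter is the check an administrator would act on first.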
Active Directory Backup
The Active Directory service works as a database in which information about an entire network is stored. Therefore, it is essential to back up the Active Directory database to avoid any kind of disastrous situation. Active Directory is usually backed up as part of the system state, a collection of system components that depend on each other. Administrators must back up and restore these system components together: the system registry, boot files, class registration database, SYSVOL, the AD database, the checkpoint file (Edb.chk), the transaction logs and the reserved transaction logs. In order to successfully restore data from a backup, the Active Directory backup should be planned intelligently and repeated at regular intervals. It is essential to select the domain controllers that must be backed up as well as the backup content. Moreover, any backup that is older than the tombstone lifetime (TSL) value set in the AD (default 60 days) is not considered a good backup.
Restoring the Active Directory
In case of database corruption in the Active Directory or any other hardware or software failure, administrators are required to restore the data from the available AD backup. Restoration is also required when an AD object gets deleted or modified. The Active Directory database can be restored in different ways, of which Active Directory's own replication process is one: upon replication, all the latest changes or modifications are synchronized to every domain controller. The Backup utility can also be used to restore the replicated content from the backup copy without the need to reconfigure the domain controller.
Selection of the appropriate restoration method
There are three types of restoration procedure from which administrators can choose to recover the backed-up data of a corrupt Active Directory. Following are the details of these restoration methods:
Primary restore: This method is used when all the domain controllers of a domain are lost and the domain has to be rebuilt from scratch. The primary restore method works by rebuilding the first domain controller in the domain. A primary restore can be performed on the local computer by group members, provided they have been delegated this responsibility; the domain administrator can perform a primary restore on the domain.
Non-authoritative (normal) restore: The normal restore method reinstates the AD data to the state it was in when the backup was created. The data is then brought up to date through the replication process. A normal restore can be performed on a domain controller only by the domain admin.
Authoritative restore: In an authoritative restore, specific data is marked as current, which prevents it from being overwritten during the replication process. Afterwards, in tandem with the normal restore method, the authoritative data is replicated through the domain. During an authoritative restore process, all the changes made to a restored object after the backup was taken are lost. Ntdsutil, a command line utility, is used to perform an authoritative restore along with the system utilities of Windows Server 2003.
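The tombstone lifetime rule stated above (a backup older than the TSL is not usable) is easy to check before a restore is attempted. The script below is an added example, not from the original page: it reads the forest's tombstoneLifetime attribute and compares it with the age of a backup. It assumes the ActiveDirectory module; the backup date is a constructed input that in practice comes from the backup tool (for example the output of "wbadmin get versions").

```powershell
# Added example, not from the original page: checks whether a system state backup
# is still usable for restore by comparing its age with the forest tombstone lifetime.
# Assumes the ActiveDirectory module; the backup date is a constructed input that in
# practice comes from the backup tool.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    # The attribute is unset on forests created before Windows Server 2003 SP1;
    # the effective value is then 60 days, the default the page quotes.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays
    )
    $age = (Get-Date) - $BackupDate
    [pscustomobject]@{
        BackupDate       = $BackupDate
        AgeDays          = [int]$age.TotalDays
        TombstoneDays    = $TombstoneLifetimeDays
        UsableForRestore = $age.TotalDays -lt $TombstoneLifetimeDays
    }
}

$tsl = Get-TombstoneLifetime
# Constructed sample: a backup taken 45 days ago.
Test-BackupAge -BackupDate (Get-Date).AddDays(-45) -TombstoneLifetimeDays $tsl
```

A backup whose AgeDays exceeds TombstoneDays would reintroduce objects that the other domain controllers have already purged, which is why the page treats such a backup as not good; the check belongs at the start of any restore runbook, before the server is booted into DSRM.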
Active Directory Cleanup
Over time, user and computer accounts become obsolete or redundant, which raises the need to eliminate them. The Active Directory Cleanup Wizard is a utility developed to eliminate such redundant or duplicate object accounts by merging them. Duplicate user and computer objects usually result when multiple directories are migrated to a new domain or the Active Directory is upgraded to a new server. The Active Directory Cleanup Wizard searches for such redundant objects or accounts and merges them. All the accounts, their attributes and properties are merged into a single user account so as to remove duplicates from the AD database. This in turn helps in improving the performance of the Exchange servers. The functionalities of the Active Directory Cleanup Wizard can be summarized as follows:
- It identifies all the duplicate objects to be merged by searching the Windows NT accounts.
- It reviews and modifies the merge operations after the selection of accounts.
- It exports and imports lists of accounts so that administrators can save the details of the merge operation as a .csv file for review.
- In order to run the wizard, command line tools can be used.
The Active Directory Cleanup Wizard, however, cannot be used to clean up server metadata; for this another utility, ntdsutil.exe, is used. Ntdsutil.exe is a command line tool that can be run to execute the metadata cleanup process and is installed by default on each domain controller. In the process of metadata cleanup, all Active Directory data used to identify the domain controller during the replication process is removed. The metadata cleanup procedure is appropriate only for domain controllers that were not demoted using dcpromo.exe. On a domain controller running Windows Server 2003 with Service Pack 1 (SP1), executing ntdsutil.exe also removes File Replication Service (FRS) connections. Furthermore, the process also transfers the FSMO roles (operations master roles) held by the demoted domain controller. Following are the steps to execute a metadata cleanup procedure:
1. Open a command prompt.
2. Type the following command, and then press Enter: ntdsutil
3. At the ntdsutil: prompt, type: metadata cleanup
4. At the metadata cleanup: prompt, type: remove selected server ServerName
   or: remove selected server ServerName1 on ServerName2
5. To verify that the server was removed, type list servers in site, and then press Enter.
6. Ensure that the domain controller you wanted to remove is not displayed in the command output.
7. At the metadata cleanup: and ntdsutil: prompts, type: quit
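The interactive sequence above, and the scripted form of ntdsutil mentioned in the Active Directory Utilities section, can be combined into one script. This is an added example, not code from the original page: it refuses to run while the domain controller still answers on the network (metadata cleanup is only for a DC that was not demoted cleanly), passes the ntdsutil prompt commands as arguments, and verifies the result with dsquery server. It assumes Windows Server 2008, where "remove selected server" accepts the server object's distinguished name directly, and a constructed dead DC named DC2 in a site named HQ in the domain corp.example.

```powershell
# Added example, not from the original page: the page's metadata cleanup steps run
# as one command line, with a safety check first and a dsquery check afterwards.
# Assumes Windows Server 2008 and a constructed dead DC "DC2" in site "HQ".
$deadDc   = 'DC2'
$serverDn = 'CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example'

# Refuse to run if the DC still answers: a live DC must be demoted with dcpromo,
# not stripped of its metadata.
if (Test-Connection -ComputerName "$deadDc.corp.example" -Count 1 -Quiet) {
    throw "$deadDc is still reachable; demote it with dcpromo instead of cleaning metadata."
}

# Each argument is one ntdsutil prompt command, so the interactive sequence
# (metadata cleanup -> remove selected server -> quit -> quit) becomes one line.
# ntdsutil still asks for confirmation in a dialog before removing the server object.
ntdsutil 'metadata cleanup' "remove selected server $serverDn" quit quit

# Verify: the dead DC must no longer appear among the domain controllers.
$remaining = (dsquery server -o rdn) -replace '"', ''
if ($remaining -contains $deadDc) {
    Write-Warning "$deadDc is still present in the directory"
} else {
    "$deadDc removed; remaining DCs: $($remaining -join ', ')"
}
```

The verification step uses dsquery server rather than the page's "list servers in site" because it needs no site to be selected first and returns plain names that are easy to compare.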
Active Directory Auditing
Within the context of Active Directory, auditing involves keeping track of user account status, group memberships and user privileges. Beyond that, Active Directory auditing also comprises keeping track of account activity, folder accesses and file permissions. Windows Server 2008 offers domain services auditing features for Active Directory to track changes made to objects and object attributes. This AD DS feature of Windows Server 2008 produces audit logs containing details about the changes made to object attributes, the old and new attribute values and who made the changes. In Windows Server 2008 based Active Directory, the Audit Directory Service Access policy is divided into four subcategories, which are as follows:
1. Directory Service Access
2. Directory Service Changes
3. Directory Service Replication
Of these, the Directory Service Changes subcategory provides the ability to audit changes to AD objects. Changes such as creating, moving, modifying and un-deleting a user object can be audited with the AD DS auditing feature. Some of the capabilities of the audit policy provided in AD DS are mentioned below:
- After modification of an object attribute, AD DS logs the old and new attribute values. If the attribute has multiple values, only the value changed by the modification operation is logged.
- Upon creation of a new object, all the attribute values populated during creation are logged.
- When an object is moved, the old and new location within the domain are logged. If the object is moved to a different domain, a create event is generated on the target domain's DC.
- Upon object un-deletion, the new location to which the object is moved is logged. If the object attributes are also changed during the un-deletion operation, their new values are also logged.
Steps to Configure Auditing for Specific Active Directory Objects
Once the audit policy setting is configured, it is possible to configure audit policy for specific objects like users, groups, OUs and computers. This is done by specifying both the users whose access is to be audited and the type of access to be audited. Following are the steps used to configure Active Directory auditing of specific AD objects:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Make sure that Advanced Features is selected on the View menu (the command has a check mark next to it).
3. Right-click the Active Directory object that you want to audit, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add.
6. Complete one of the following:
   - Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, and then click OK.
   - In the list of names, double-click either the user or the group whose access you want to audit.
7. Select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.
8. Click OK.
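The same configuration, and the events it produces, can be handled from PowerShell. The script below is an added example, not from the original page: it enables the Directory Service Changes subcategory, adds the per-object audit entry the eight steps above create through the GUI, and then reads back the change events so the old and new values the page describes can be seen. It assumes Windows Server 2008 or later with the ActiveDirectory module (for the AD: drive), a constructed OU "OU=Finance,DC=corp,DC=example", and Everyone (S-1-1-0) as the audited principal; the event IDs 5136 to 5139 are the Directory Service Changes events of the Security log.

```powershell
# Added example, not from the original page: configure Directory Service Changes
# auditing for one OU and read back the resulting events. Assumes Windows Server
# 2008 or later, the ActiveDirectory module, and a constructed OU.
Import-Module ActiveDirectory

# 1. Enable the subcategory. In production this comes from Group Policy; auditpol
#    shows and sets the effective local policy.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Add a SACL entry on the OU: audit successful writes, DACL changes and deletions
#    by anyone, inherited by the objects under the OU.
$ouPath   = 'AD:\OU=Finance,DC=corp,DC=example'
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Delete, DeleteChild',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path $ouPath
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 3. Read the change events: 5136 modified, 5137 created, 5138 undeleted, 5139 moved.
function Get-DirectoryChangeEvents {
    param([int]$Days = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139
                                     StartTime = (Get-Date).AddDays(-$Days) } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            $xml.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = $d['SubjectUserName']
                # 5136/5137 carry ObjectDN; 5138/5139 carry the new location instead.
                Object    = if ($d['ObjectDN']) { $d['ObjectDN'] } else { $d['NewObjectDN'] }
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
            }
        }
}

Get-DirectoryChangeEvents -Days 1 | Format-Table -AutoSize
```

Reading the XML event data rather than the message text is what makes the actor, object and attribute value usable as fields; a modification of a single attribute produces a pair of 5136 events (one for the value removed, one for the value added), which is how the old and new values mentioned above are recorded.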
Windows 2003 Active Directory
Active Directory 2003 comes with some advanced features, primarily in the Management Tools provided in adminpak.msi. Some of the new features and advancements are discussed below:
- Windows 2003 Active Directory comes with the ability to create and store queries in Active Directory Users and Computers. Administrators can now create queries to display users, computers or any other object based on any attribute. Microsoft has included some predefined query criteria in the new AD version.
- Active Directory Application Mode (ADAM), an improvement over the previous version, can be run in the context of a nominated account by configuring it separately from the AD replication schedules. Furthermore, multiple instances of ADAM can run on the same system to test different schema setups easily.
- Linked Value Replication allows single values of multi-value attributes to be replicated between servers.
- Also included is Cached Credentials, which allows users at remote locations (which have a domain controller running) to log on without a connection to a Global Catalog server.
- In the bandwidth-saving category, the 'Install Replica from Media' feature allows administrators to install a copy of the Active Directory database from a network copy, a CD or any other media. This in turn eliminates the dependency on replication taking place across the network.
Windows 2003 Active Directory consists of three logical partitions, namely Domain, Configuration and Schema. These logical units are stored in the ntds.dit file on the domain controller. To manage these three AD components, three tools, viz. Active Directory Users and Computers, Active Directory Sites and Services and ADSIEdit, are used respectively. Installation of Active Directory goes together with the correct setup of a DNS server running on the network. Active Directory relies on DNS so heavily that DNS is the first point of call when fixing problems with AD replication or AD operation. Once Windows 2003 Server is installed on a stand-alone server, run the Active Directory Installation Wizard in order to create a new AD domain or forest. The next step will be to convert the system running Windows Server 2003 into the first DC of the forest (domain). The following procedure explains how the computer running Windows Server 2003 is converted into the first domain controller:
1. Insert the Windows Server 2003 CD-ROM into the system's drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click Next.
4. Click Domain controller for a new domain, and then click Next.
5. Click Domain in a new forest, and then click Next.
6. Specify the full DNS name for the new domain or that of the existing DNS infrastructure. Click Next.
7. Accept the default domain NetBIOS name. Click Next.
8. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
9. Set the SYSVOL folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
10. Click Install and configure the DNS server on this computer, and then click Next.
11. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.
12. Set the password for the Directory Services Restore Mode (DSRM) Administrator, using a secure password. Click Next.
13. Review and confirm the options that you selected, and then click Next.
14. The installation of Active Directory proceeds.
15. When you are prompted, restart the computer.
After the computer restarts, confirm that the Domain Name System (DNS) service location records for the new domain controller have been created.
Windows 2008 Active Directory
Windows 2008 is fast replacing the ageing Windows Server 2003 and Windows Server 2003 R2 domain controllers. Upgrading from the earlier versions of the Windows Server DC to Windows Server 2008 without disturbing the Active Directory is, however, a challenge. The shift requires selecting the best possible migration method and carrying out the other important steps involved in the process. Let us first look at the options available for migration from a Windows 2003/2003 R2 Active Directory service to Windows 2008 Active Directory.
In-place upgrading: Both Windows Server 2003 and 2003 R2 can be upgraded in place to Windows Server 2008. For in-place upgrading, administrators are required to run adprep.exe on the domain controllers before initiating the upgrade. Adprep.exe is executed to prepare the Active Directory environment before the first Windows Server 2008 domain controller is introduced. This Microsoft utility is run with the following commands in Windows 2008 Active Directory:
ADPREP /FORESTPREP (for the Schema Master)
1. Executed on the Schema Master FSMO domain controller
2. Updates the AD forest
3. Does not change the "Partial Attribute Set"
ADPREP /DOMAINPREP (for the Infrastructure Master)
1. Executed on the Infrastructure Master FSMO
2. Updates the AD domain
ADPREP /DOMAINPREP /GPPREP (for the Infrastructure Master)
1. Executed on the Infrastructure Master FSMO
2. Updates the AD domain and the SYSVOL
ADPREP /RODCPREP (for read-only domain controllers; optional)
1. Executed on the Domain Naming Master FSMO
2. Updates permissions on application partitions so that an RODC can participate in their replication
3. Only executed when upgrading from W2K3 AD
Restructuring: In this method, administrators restructure the entire Active Directory. For this, all the resources have to be moved from one domain to another. The Active Directory Migration Tool (ADMT) is the best utility for restructuring the Windows 2008 Active Directory environment.
Transitioning: With transitioning, it is possible to add Windows 2008 domain controllers to the existing Active Directory environment. In this migration process, the first step must be to move the FSMO (Flexible Single Master Operations) roles. Next, the previous domain controller must be demoted to remove it from the new Windows Server 2008 domain.
Of the three methods, transitioning to Windows Active Directory 2008 is best, since restructuring means creating the entire directory from scratch and with in-place upgrading administrators are stuck with limited upgrade paths, whereas the transition procedure allows administrators to retain the existing Active Directory layouts, schema, objects, contents and group policies.
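Each adprep command above must be run on a specific operations master, so the first step of an in-place upgrade is to find out which DC holds which role. The following is an added example, not code from the original page: it resolves the role holders with dsquery server and reads the schema objectVersion attribute, which forestprep raises and which therefore shows whether the forest has already been prepared. It assumes the AD DS command-line tools are available on a Windows Server 2003 or 2008 domain controller; the schema version numbers in the comment are the documented values for those releases.

```powershell
# Added example, not from the original page: identify the domain controller on which
# each adprep step must run, and read the forest schema version before and after.
# Assumes the AD DS command-line tools (dsquery) on a 2003/2008 domain controller.
$holders = @{
    'adprep /forestprep'         = dsquery server -hasfsmo schema -o rdn   # Schema Master
    'adprep /domainprep'         = dsquery server -hasfsmo infr   -o rdn   # Infrastructure Master
    'adprep /domainprep /gpprep' = dsquery server -hasfsmo infr   -o rdn   # Infrastructure Master
    'adprep /rodcprep'           = dsquery server -hasfsmo name   -o rdn   # Domain Naming Master
}
$holders.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-28} run on {1}' -f $_.Name, ($_.Value -replace '"', '')
}

# objectVersion on the schema naming context records the schema level forestprep
# raises (Windows Server 2003 = 30, 2003 R2 = 31, 2008 = 44, 2008 R2 = 47).
$rootDse = [ADSI]'LDAP://RootDSE'
$schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
"Forest schema objectVersion: $($schema.objectVersion)"
```

Running the script once before and once after forestprep gives a concrete confirmation that the schema extension took effect, which is the usual gate before the first Windows Server 2008 DC is promoted.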
Active Directory Download
For Active Directory download, the flexible directory-enabled application offered by Microsoft, ADAM (Active Directory Application Mode), can be downloaded from Microsoft's site. However, before download, the Active Directory installation requirements must be met. Without complying with the essential requirements, it is not possible to set up a new AD domain or domain controller. Following are the prerequisites for Active Directory download and installation:
- An NTFS partition with enough free space
- Administrator's credentials
- The correct version of the OS
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (can be installed on the DC itself)
- A domain name to be used
- The Windows Server 2003 CD media (i386 folder)
Installing Active Directory Domain Services (AD-DS)
For Active Directory running on Windows Server 2008, the installation of the Active Directory Domain Services (AD-DS) role on the server must precede the installation of Active Directory. The AD DS role enables the Windows server to act as a domain controller and must be installed prior to running dcpromo. Following are the steps to install AD-DS through the Server Manager/Initial Configuration Tasks method. Roles can be added from Server Manager and initiated from the Initial Configuration Tasks wizard.
1. Open Server Manager by clicking the icon in the Quick Launch toolbar, or from the Administrative Tools folder.
2. Wait until it finishes loading, then click Roles, followed by the Add Roles link.
3. In the Before you begin window, click Next.
4. In the Select Server Roles window, select Active Directory Domain Services, and then click Next.
5. Click Next again.
6. In the Confirm Installation Selections window, read the provided information, and then click Next.
7. Once the process is complete, click Close.
Installing Active Directory
1. Going back to Server Manager, click the Active Directory Domain Services link.
2. Click the DCPROMO link, or run dcpromo from the Run command.
3. The Active Directory Domain Services Installation Wizard will appear. Click Next.
4. In the Operating System Compatibility window, click Next.
5. In the Choosing Deployment Configuration window, click "Create a new domain in a new forest" and click Next.
6. Enter an appropriate name for the new domain. Click Next. The wizard checks that the domain name is not already in use on the local network.
7. Pick the forest functional level and the domain functional level. Windows 2000 mode is the default and allows the addition of Windows 2000, Windows Server 2003 and Windows Server 2008 DC servers to the forest you are creating.
8. The AD DS Installation Wizard checks that DNS is properly configured on the local network. If no DNS server is configured, the wizard will prompt you to install DNS on this server automatically.
Note: The first DC must also be the Global Catalog but cannot be a Read Only Domain Controller.
The next step must be to change the paths for the AD database, log files and SYSVOL folder followed by entering the password for the Active Directory Recovery Mode. In the Summary window, click Next after reviewing your selections. The wizard starts creating the Active Directory domain. After the process is complete, click Finish and reboot your system.
The server now acts as a Domain Controller. To test its functionalities you can use the AD management tools such as Active Directory Users and Computers.
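The wizard choices walked through above (new forest, domain name, functional levels, DNS, database, log and SYSVOL paths, DSRM password) map one-to-one onto a dcpromo answer file, which is how the same promotion is done unattended. The script below is an added example, not from the original page: it writes a Windows Server 2008 [DCInstall] answer file and runs dcpromo /unattend with it. The domain name, NetBIOS name and paths are constructed; the DSRM password is prompted for at run time so it is never stored in the script, and the answer file (which must hold it in clear text) is deleted before the reboot. Windows Server 2003 answer files use a partly different key set, so this applies to 2008 only.

```powershell
# Added example, not from the original page: the "new domain in a new forest"
# promotion above driven by a dcpromo answer file (Windows Server 2008 [DCInstall]
# keys). Domain name, NetBIOS name and paths are constructed values.
$dsrm  = Read-Host -Prompt 'DSRM administrator password' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))

$answerFile = Join-Path $env:TEMP 'dcpromo-newforest.txt'
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example
DomainNetBiosName=CORP
ForestLevel=2
DomainLevel=2
InstallDNS=Yes
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

# dcpromo reads the [DCInstall] section. The file holds the DSRM password in clear
# text, so it is removed as soon as dcpromo returns, before the reboot.
dcpromo /unattend:$answerFile
$exit = $LASTEXITCODE
if (Test-Path $answerFile) { Remove-Item $answerFile -Force }

if ($exit -eq 0) {
    Restart-Computer -Force
} else {
    Write-Warning "dcpromo returned exit code $exit; see %SystemRoot%\debug\dcpromo.log"
}
```

ForestLevel and DomainLevel 2 correspond to the Windows Server 2003 functional level (0 is Windows 2000, 3 is Windows Server 2008); the wizard's default, Windows 2000 mode, would be 0.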
How to Use Active Directory
Active Directory enables organizations to arrange their computer data and network, and to store and process information in a centralized location. This is because Active Directory is a highly scalable directory service that enables efficient management of network resources. The technology on which Active Directory is based is fairly advanced and requires a lot of expertise to manage the entire range of directory-related tasks. Therefore, to understand how to use Active Directory, we will first start with an overview of this directory service. The Active Directory technology is based on standard Internet protocols that help you design the exact structure of your network. It uses DNS (Domain Name System) to organize groups of computers into domains, which are further organized into hierarchical structures. DNS is an integral part of Active Directory: it must be configured in the network even before installing Active Directory. Once DNS is configured, Active Directory can be installed by running the Active Directory Installation Wizard. Following is the procedure:
Click Start, click Run, type dcpromo in the Open field and then click OK.
When no domain exists, the wizard helps you create a new domain to configure the Active Directory. Upon completion of the installation process, you will find that the AD is divided into a logical structure and a physical structure with a virtual partition. The logical structure comprises the domains, domain trees, forests and organizational units, while the physical structure consists of sites and subnets. The logical structures help you arrange the AD objects and manage their network accounts along with the shared resources. The physical structures, on the other hand, enable you to map the physical network structure of the organization, facilitate network communication and set physical boundaries.
The Active Directory domain is a set of computers sharing common resources from the AD database, having a unique domain name and its own set of security policies and trust relationships with other network domains. Within a domain's database, objects like user accounts, groups, computer accounts, folders, printers and shared resources are stored. A forest comprises one or multiple domains which share common directory data. Organizational units are logical containers or subgroups within a domain which represent the functional structure of an organization. Organizational units (OUs) are used to arrange the AD objects into groups, assign group policies to them and delegate authority over the domain resources. Since Active Directory is the foundation of Windows distributed networks, administrators can use it for locating objects such as users, security policies, distributed components, shared resources, etc. in a network domain. Windows Active Directory is accessed through WMI by creating a set of references to every object and class contained in the AD data store. By accessing the directory through WMI, administrators create WMI-enabled applications to access Active Directory information. These interfaces in turn aid administrators in creating new instances, retrieving classes and instances, modifying or deleting instances, querying Active Directory and enumerating classes and instances.
Active Directory Administration
Active Directory administration in a large network is not easy, and because of this, organizational units (OUs) are created so as to distribute the administrative tasks. Distribution of administrative tasks to other administrators through delegation of administration is quite common in enterprise-level AD management. In literal terms, delegation of administration is establishing access control lists (ACLs) on OUs and user accounts within the AD. Since more than one administrator is allowed to manage the Active Directory with delegation of control, this method yields more ROI and a more flexible approach to Active Directory administration. It can be said that delegation of administration allows the domain admin to offload specific tasks to specific administrators for specific AD objects in the Active Directory structure. Delegation of administration is implemented based on the structure of your Active Directory, especially the design of organizational units. In fact, apart from the deployment of Group Policies, delegation of administration must be the other important design goal for an AD. Before implementing delegation of administration, some factors should be determined in advance, such as the following:
1. User location: whether centralized or distributed over remote sites.
2. Administrator role: whether one department is managed by a single administrator or the relationship is all-in-all.
3. Administrator rights: whether different admin staff are employed for handling user and computer accounts.
4. Group membership: whether managers of departments are required to control membership of their own groups or call the administrator to manage group membership.
5. User passwords: whether department managers or the administrator must control password resetting.
Steps to implement Delegation of Administration Control
The Delegation of Control Wizard is used to delegate administrative control tasks such as creating, deleting or managing user and computer accounts.
The following steps will help you to implement the delegation of common administrative tasks:
Start the Delegation of Control Wizard by performing the following steps:
1. Open Active Directory Users and Computers.
2. In the console tree, double-click the domain node.
3. In the details pane, right-click the organizational unit, click Delegate Control, and click Next.
Select the groups or users to which common administrative tasks will be delegated using the following steps:
1. On the Users or Groups page, click Add.
2. In Select Users, Computers, or Groups, type the names of the users and groups to which control of the organizational unit is to be delegated, click OK, and then click Next.
Assign common tasks to delegate. To do so, perform the following steps:
1. On the Tasks to Delegate page, click Delegate the following common tasks.
2. On the Tasks to Delegate page, select the tasks to be delegated and click OK.
3. Click Finish.
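As the section says, delegation is ultimately a matter of ACLs on OUs, and what the wizard's common tasks write can be expressed and reviewed directly. The following is an added example, not code from the original page: it grants the "Reset user passwords and force password change at next logon" task to a help-desk group on one OU as explicit access control entries, restricted to user objects beneath that OU, and then lists the non-inherited entries so the delegation can be audited. It assumes the ActiveDirectory module and constructed names (group HelpDesk, OU "OU=Staff,DC=corp,DC=example"); the two GUIDs are the well-known schema identifiers of the Reset Password control access right, the pwdLastSet attribute and the user class.

```powershell
# Added example, not from the original page: the wizard's "Reset user passwords and
# force password change at next logon" task expressed as explicit ACEs on one OU,
# followed by a review of what is delegated there. Names are constructed.
Import-Module ActiveDirectory

$ouPath   = 'AD:\OU=Staff,DC=corp,DC=example'
$delegate = (Get-ADGroup 'HelpDesk').SID

# Well-known schema GUIDs used by the delegation wizard for this task.
$resetPwdRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password (control access right)
$pwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class

$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: the Reset Password extended right, only on user objects under the OU.
$aceReset = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $delegate, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPwdRight, $descendents, $userClass)

# ACE 2: write pwdLastSet, which is what "force password change at next logon" needs.
$acePwdLastSet = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $delegate, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
    $pwdLastSet, $descendents, $userClass)

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($acePwdLastSet)
Set-Acl -Path $ouPath -AclObject $acl

# Review: every explicit (non-inherited) entry on the OU, which is the delegation record.
function Get-OuDelegation {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}
Get-OuDelegation -Path $ouPath | Format-Table -AutoSize
```

Scoping both entries to descendant user objects (InheritedObjectType = user class) is what keeps the delegation to the least privilege the task needs; a review that shows ObjectType as the all-zero GUID or no InheritedObjectType would indicate a broader grant than the wizard's common task makes.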
AD Management Tool
Windows Active Directory, a hierarchical directory structure used for storing information about the networks and domains of large enterprises, can be viewed at three levels: domains, trees and forests. Objects, resources and services are the main components that make up an Active Directory database. However, the magnitude of data contained in the directory makes its management quite difficult, especially for dynamic businesses where major changes take place in the organizational structure to incorporate growth, mergers and divisions. Managing user and computer accounts, assigning group policies, creating or removing objects, migrating an entire Active Directory and managing user accounts on the Exchange server are some of the major responsibilities an AD manager has to deal with. Migrating user accounts, groups, Exchange mailboxes and OUs from one domain to another is not a matter of a few scripts; nevertheless, migration is often carried out when domains are merged or restructured. Transitions of this kind require planning, along with the removal of certain security restrictions on domain controllers. The process of migrating and re-migrating user passwords, global and universal groups, user and computer accounts, workstations, local and remote servers and other AD data from the source to the target domain is a daunting task. Moreover, carrying out all these changes without impacting the users is a bigger challenge. The native ADMT tool helps in this regard; however, it is recommended that no more than 100 accounts are migrated at a time. Recovering deleted user and computer accounts is another issue administrators face, and it requires a lengthy procedure.
Locating the corresponding domain controller, disconnecting it from the network, rebooting the server in Directory Services Restore Mode (DSRM) and running utilities such as ntdsutil.exe to perform an authoritative restore of the deleted objects takes a lot of time and effort. Obtaining the distinguished name (DN) of every deleted object, especially when a whole OU is missing, and finally reconnecting the DC to the network also takes time.
Management issues also arise when new objects have to be created as new employees join the organization every day. Creating new objects, assigning them Exchange accounts and configuring their access rights and policies means using several different support tools, command-line utilities and services. Auditing Active Directory across several categories without creating a bottleneck in network traffic or in the security event log of the domain controller is another important AD management task. Furthermore, executing all these tasks without impacting end users or affecting the workflow is crucial. Therefore, in place of the support tools and built-in utilities, administrators increasingly prefer third-party tools to simplify these tasks.
Active Directory Monitoring
In order to maintain consistent directory data and an optimum level of service, monitoring Active Directory and its services is essential. By monitoring important indicators, administrators are able to avert potential risks and large-scale problems. Organizations with many domains and remote sites often employ automated monitoring systems for their Active Directory service for timely consolidation and resolution of issues. Active Directory monitoring is of immense benefit to administrators. With monitoring systems such as Microsoft Operations Manager (MOM), it is possible to get centralized control over the entire forest and monitor the vital indicators. Some of the key benefits of AD monitoring can be summarized as follows:
- Quick resolution of issues while they are still low priority
- Higher service levels because of improved system reliability
- Improvement in schedule flexibility
- Better possibility of prioritizing workload
- Increased system ability to cope with periodic service outages
- Reduction in help desk support issues
- More reliable resource utilization and faster logon time
Levels of Active Directory monitoring

The level or degree of monitoring depends on various factors such as the size of your organization, the cost associated with service outages and the time required to identify and resolve a potential problem. Small organizations with few domains, sites and domain controllers can simply use the built-in tools provided with Windows 2000 Server. Larger enterprises with more domains, DCs and sites, and those which cannot afford productivity losses due to service outages, can employ monitoring solutions like MOM (Microsoft Operations Manager). In enterprise-level monitoring systems, agents and local services are used to collect the monitoring data and consolidate the results in a centralized console. Furthermore, to reduce network traffic and increase system performance, these systems make use of the physical network topology.
Since Active Directory depends on various independent services distributed over remote locations and numerous devices, systematic monitoring is required. With increased network size and scalability issues, effective monitoring helps tackle the following problems:
- Domain controller failure: Domain controllers stop functioning if the drive containing the file Ntds.dit runs out of disk space.
- Application failure: Applications such as MS Exchange can fail if their address book queries into the directory fail.
- Security policy failure: If a problem occurs during replication of the SYSVOL shared folder, GPOs and security policies fail and are not applied properly to clients.
- Inconsistent directory data: When replication fails for an extended period of time, deleted AD objects can be reanimated on some replicas and require more time to eliminate.
- Logon failure: In a domain, logon failures occur when a trust relationship or name resolution fails, or when a global catalog server is unable to determine a user's universal group membership.
- Account lockout: Whenever replication fails between several domain controllers or the PDC emulator becomes unavailable in a domain, user accounts get locked out.
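As an added example (not part of the original text), the following PowerShell script checks the failure classes listed above from a management host with the RSAT ActiveDirectory module: free space on the volume holding Ntds.dit on each domain controller, replication failures, SYSVOL reachability, availability of a global catalog, and reachability of the PDC emulator. The disk-space threshold is an assumption; tune it to your environment.

```powershell
# Added example (not from the original text): health checks for the AD failure
# modes discussed above. Requires the RSAT ActiveDirectory module and WinRM
# access to the domain controllers; the 2 GB threshold is an assumption.
Import-Module ActiveDirectory

$minFreeGB = 2
$domain    = Get-ADDomain

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Domain controller failure: a DC stops working when the volume holding
    # Ntds.dit fills up. The database path is read from the NTDS parameters.
    $ntdsDisk = Invoke-Command -ComputerName $name -ScriptBlock {
        $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $drive  = Split-Path -Qualifier $params.'DSA Database file'   # e.g. "C:"
        Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'" |
            Select-Object DeviceID, FreeSpace
    } -ErrorAction SilentlyContinue
    $freeGB = if ($ntdsDisk) { [math]::Round($ntdsDisk.FreeSpace / 1GB, 1) } else { $null }

    # Inconsistent directory data / account lockouts: replication failures this
    # DC has recorded (one object per failing partner and partition).
    $replFailures = @(Get-ADReplicationFailure -Target $name -ErrorAction SilentlyContinue)

    # Security policy failure: GPOs are delivered from SYSVOL, so the share and
    # its Policies folder must be reachable from clients.
    $sysvolOk = Test-Path "\\$name\SYSVOL\$($domain.DNSRoot)\Policies"

    [pscustomobject]@{
        DomainController = $name
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        NtdsDrive        = $ntdsDisk.DeviceID
        NtdsFreeGB       = $freeGB
        LowDiskSpace     = ($null -eq $freeGB) -or ($freeGB -lt $minFreeGB)
        ReplFailures     = $replFailures.Count
        SysvolReachable  = $sysvolOk
    }
}

# Logon failure: at least one global catalog must be available so universal
# group membership can be evaluated at logon.
$gcCount = @($results | Where-Object IsGlobalCatalog).Count

# Account lockout: lockouts are processed by the PDC emulator, so test LDAP on it.
$pdc   = $domain.PDCEmulator
$pdcOk = Test-NetConnection -ComputerName $pdc -Port 389 -InformationLevel Quiet

$results | Format-Table -AutoSize
"Global catalogs found: $gcCount"
"PDC emulator $pdc reachable on LDAP/389: $pdcOk"

# Non-zero exit when any check fails, so the script can run from a scheduler.
$failed = $results | Where-Object {
    $_.LowDiskSpace -or $_.ReplFailures -gt 0 -or -not $_.SysvolReachable
}
if ($failed -or $gcCount -eq 0 -or -not $pdcOk) { exit 1 }
```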
Active Directory Management Tools
The most common management tool used to manage Active Directory is the Microsoft Management Console (MMC). This Microsoft console offers interfaces where Active Directory snap-ins can be loaded, which in turn provide specific functionalities for administering the Active Directory service. Using the MMC interface of Active Directory management tools, administrators create custom console tools to manage the domains, AD objects, OUs, group policies, etc. Of the various MMC snap-ins used to manage the Active Directory, the following Active Directory management tools are used extensively:
- Active Directory Users and Computers snap-in: This console is used to create, manage and configure Active Directory objects like users, groups, computers and OUs.
- Active Directory Domains and Trusts: This console is used to manage domains, domain trees, domain trust relationships, domain modes and forests. It is also used to configure user principal name (UPN) suffixes.
- Active Directory Sites and Services: This tool is used to manage domain controller replication and to create, configure and manage AD sites and subnets.
- Active Directory Schema: This console is used to view and change the AD schema, which contains the object and attribute definitions. However, this MMC snap-in is not included in the Administrative Tools pack and has to be registered manually before an MMC console can be created for it.
- Resultant Set of Policy: This console enables administrators to view the policy currently in effect for a user on a given system. It also helps in troubleshooting and changing group policies.
Active Directory Users and Computers snap-in
Apart from managing user accounts, groups, computer accounts, OUs, etc., the Active Directory Users and Computers snap-in is also used to set, create and view permissions; move, create or delete objects; create domain controllers; and manage the OU containers.

Active Directory Domains and Trusts Console

The administrative tasks which can be performed using the Active Directory Domains and Trusts console are as follows:
- View the console tree of a forest listing all the domains.
- Change the domain mode from mixed mode to native mode, or raise the domain functional level.
- Configure domains in other Windows Server forests for interoperability and specify trust relationships between the domains.
- Transfer the domain naming operations master role from one domain controller to another.
- Add, delete and change the user principal name (UPN) suffixes.
The Active Directory Schema Snap-In

The schema in Active Directory defines the objects which are stored in the AD database along with their attributes. The Active Directory Schema snap-in helps in viewing the schema and modifying it.

Active Directory Sites and Services snap-in

The Active Directory Sites and Services console is used to perform administrative tasks on the sites which are used during the AD replication process. Site management is crucial as well as complicated in an Active Directory service. This console helps administrators configure connections between AD sites and specify the replication process. Within the containers provided with the installation of this snap-in, administrators are able to create new sites and manage them in the network. The Default-First-Site-Name site, the Inter-Site Transports container and the Subnets container can be easily managed with this console.
MS Active Directory Tools
Microsoft Active Directory support tools are provided to administrators so that the entire directory service can be managed efficiently and problems (if any) can be diagnosed. In order to use the Microsoft Active Directory tools, one has to install them from the Windows 2000 installation CD. Using the Browse This CD option, navigate to the \SUPPORT\TOOLS directory and run the program SETUP.EXE. Once the setup program completes, all the Windows Support Tools are added to the Start menu. Details of some of the Microsoft Active Directory tools are given below.

Active Directory Administration Tool (LDAP tool)
Since Active Directory is a Lightweight Directory Access Protocol based system, administrators can perform the basic LDAP functions on it. Functions such as adding, searching, deleting or modifying an object can be performed with the AD administration tool, also known as the LDAP tool. The Active Directory administration tool has 5 different options in its menu bar. Of those options, administrators must first select the Connect option from the Connection menu. After entering information like the server name and LDAP port number, the AD administration tool tries to connect to the server. Once the connection with the server is established, a summary of the Active Directory status of the server is displayed.

Active Directory Replication Monitor

The Active Directory replication process takes place in every domain site and works by replicating the changes made on each domain controller to the others. The complexity involved in Active Directory replication makes its administration error prone. Monitoring the replication process is important, as different issues or problems may crop up as domain controllers are added. The Active Directory Replication Monitor tool helps in this respect. This tool is used to monitor all the servers and domain controllers as well as to view the current replication status of the Active Directory. Moreover, this AD tool also lets administrators manually force replication if needed.

Active Directory Migration Tool

The Active Directory Migration Tool is used to securely migrate from Windows NT to the Windows 2000 Server Active Directory service. Furthermore, this tool allows administrators to restructure the Active Directory domains in Windows 2000. The ADMT task wizard also allows migration of users, groups, computers and Exchange Server mailboxes to a new domain. Any potential problems that may arise before the migration process can be identified and sorted out with this tool.
Upon computer migration or during resource translation, the ADMT automatically installs services, also called agents, on the source computers so that administrators are not required to manually load the tool on each computer. After the migration process completes, the tool uninstalls the agent automatically.
Active Directory Admin Tools
Active Directory management is a vital administrative process, especially for a large network. In order to manage the Active Directory service, two types of administrative methods are followed, which are mentioned below:
- Administrative tools which utilize a GUI from where all the AD components can be managed
- Command-line tools
Some command-line tools that come with Windows Server 2003 can be used to manage AD objects and other components of the Active Directory. The administrative tool, on the other hand, is the Microsoft Management Console (MMC), which provides an interface to load the Active Directory snap-ins. The MMC snap-ins offer specific functionality for administration and also make it possible to create custom control tools or load multiple snap-ins in a single console. However, before administrators start using the Active Directory admin tools, it is essential to install the tools on a system running a Windows OS. By doing so, it becomes possible to manage Windows Server computers from a remote system other than a domain controller. The step-by-step installation procedure of the Active Directory administrative tools on a local computer is explained below.

Prerequisite: administrative permissions for the local computer are required before installing and running the Windows Administrative Tools.

1. From the CD-ROM that comes with any version of Windows Server, open the I386 folder.
2. Double-click the Adminpak.msi file.
3. Click Next and then click Finish.

The Adminpak.msi file installs the Active Directory administrative tools, as well as the Terminal Services Client and Cluster Administrator. Once Adminpak.msi is installed and the workstation is configured accordingly, the following server administrative tools will be available for managing the Active Directory:
- Active Directory Domains and Trusts
- Active Directory Schema
- Active Directory Sites and Services
- Active Directory Users and Computers
- Authority Administrator
- Manager Administration Kit
- DHCP
- Distributed File System
- DNS
- Internet Authentication Service
- Services Manager
- Admission Control
- Boot Disk Generator (part of Remote Installation Services)
- Storage and Remote Access
- Telephony
- Terminal Services Manager, Licensing, and Client Connection Manager
- WINS
MS Windows Active Directory Tools
We have discussed the various command-line Active Directory tools, Windows Active Directory tools (support tools) and MMC snap-ins which are used to manage an Active Directory service. However, apart from these administrative tools, Active Directory management tasks can also be performed with the help of scripts. Active Directory scripts let administrators automate tasks, run batch jobs and build reports on AD changes. Windows Script (WS) and its supporting technology, ADSI (Active Directory Service Interfaces), enable administrators to build custom scripts to manage the directories in Windows 2000 and NT environments. Scripting Active Directory tasks is considered easier, and the core interfaces help in accomplishing the majority of AD management tasks. To begin with, let us first understand what ADSI is. ADSI (Active Directory Service Interfaces) is a set of Automation-enabled COM objects that helps in managing multiple heterogeneous directories. The COM interface developed for Microsoft's Active Directory, referred to as ADSI, is used in all of Microsoft's graphical Windows Active Directory tools. ADSI supports LDAP (version 3) and therefore many LDAP-based directories, including the Windows Active Directory. ADSI can be used to write directory management scripts in any COM-compliant scripting environment, such as Windows Script Host (WSH) with VBScript or JScript, and more. ADSI further supports ADO queries through OLE DB. The interfaces in ADSI help administrators create, delete and modify AD objects and their properties. ADSI offers more than 50 interfaces, of which three core interfaces let administrators perform the AD tasks. ADSI can help you create, modify and delete almost any AD object, such as user accounts, computers, groups, OUs, sites and subnets. Furthermore, scripts make it possible to generate custom reports and extend the schema by adding attributes and new classes to it.
For executing an ADSI script, some basic steps must be completed. For example, to create an AD user object, the following four steps have to be followed (VBScript throughout; Where holds the relative path of the target container and strUserName the name of the new user, neither of which is given here):

1. Use VBScript's GetObject function to connect to the target container that will hold the new user.

   ' Bind to the container; Where is appended to the domain's ADsPath
   Set objContainer = GetObject("LDAP://192.168.1.105:59822/DC=NET/DC=COMCAST/DC=IL/DC=HSD1" & Where)

2. Next, create the new user object using ADSI's Create method. The object exists only in the local property cache until SetInfo is called.

   Set objUser = objContainer.Create("user", "cn=" & strUserName)

3. With the help of ADSI's Put and PutEx methods provided in the IADs interface, set the mandatory and optional properties of the user object. sAMAccountName is mandatory for a user.

   objUser.Put "sAMAccountName", "*****"

4. To write the new object to the Active Directory, use ADSI's SetInfo method, which is also provided in the IADs interface.

   objUser.SetInfo
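Besides creating objects, the same ADSI interfaces are used to build reports. The following PowerShell is an added example, not from the original text: it drives ADSI through the .NET System.DirectoryServices wrapper (the [ADSI] accelerator binds via IADs, and DirectorySearcher wraps IDirectorySearch) to report user accounts changed in the last seven days, decoding userAccountControl and pwdLastSet so that disabled and "password never expires" accounts stand out. The reporting window and output path are assumptions.

```powershell
# Added example (not from the original text): an ADSI-based change report for
# user accounts. Runs on a domain-joined host; the 7-day window and the CSV
# output path are assumptions.

$days   = 7
$since  = (Get-Date).AddDays(-$days).ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
$outCsv = Join-Path $env:TEMP 'ad-user-changes.csv'     # assumed output location

# Serverless ADSI binding: RootDSE tells us the domain naming context
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

# LDAP filter evaluated server-side: user objects whose whenChanged
# (generalized time) is at or after $since.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(whenChanged>=$since))"
$searcher.PageSize = 500     # paged results so large domains are not truncated
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('sAMAccountName', 'distinguishedName', 'whenChanged',
                'userAccountControl', 'pwdLastSet'))

# userAccountControl bit flags (documented values)
$ACCOUNTDISABLE     = 0x0002
$DONT_EXPIRE_PASSWD = 0x10000

$rows = foreach ($result in $searcher.FindAll()) {
    $p   = $result.Properties          # keys are lower-case attribute names
    $uac = [int]$p['useraccountcontrol'][0]
    # pwdLastSet is a FILETIME (64-bit); 0 means "must change password at next logon"
    $pls = [long]$p['pwdlastset'][0]
    $pwdSet = if ($pls -eq 0) { $null } else { [datetime]::FromFileTimeUtc($pls) }

    [pscustomobject]@{
        SamAccountName       = [string]$p['samaccountname'][0]
        DistinguishedName    = [string]$p['distinguishedname'][0]
        WhenChanged          = [datetime]$p['whenchanged'][0]
        Disabled             = [bool]($uac -band $ACCOUNTDISABLE)
        PasswordNeverExpires = [bool]($uac -band $DONT_EXPIRE_PASSWD)
        PasswordLastSet      = $pwdSet
    }
}

$rows | Sort-Object WhenChanged -Descending | Export-Csv -Path $outCsv -NoTypeInformation
$rows | Format-Table SamAccountName, WhenChanged, Disabled, PasswordNeverExpires -AutoSize
```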
Active Directory Tools
There is a series of command-line tools available with different versions of Windows Server that are used to manage Active Directory. Most of these Active Directory tools are available with adminpak.msi (Microsoft's Administration Tools Pack) and allow server management. Some of the Windows Support Tools that can be used to manage the Active Directory components are given below:
- Acldiag: The ACL Diagnostics command-line tool is used to detect modifications or discrepancies in the ACLs (access control lists) of AD objects and report them. It can also apply a delegation template to ACLs, detecting and restoring incomplete delegations.
- ADSI Edit (adsiedit.msc): The Active Directory Service Interfaces Editor is an LDAP editor which is used to manage AD objects and their attributes. This tool offers a view of every AD object and attribute, from where administrators can query and edit them.
- Clonepr: The Clone Principal tool is used to migrate users from Windows NT to Windows 2000 or Windows Server 2003 by creating clones of all the users and groups present in Windows NT on the migrating server.
- Dsacls: This tool is used to display and change the permissions of the ACEs (access control entries) in the ACLs (access control lists) of AD objects.
- Dsastat: The Directory Services Utility is a command-line diagnostic tool used to compare directory trees on domain controllers across replicas, either in the same or in different domains. This tool retrieves capacity statistics and compares the attributes of the replicated objects.
- Ldp: The LDP tool is primarily an LDAP client that is used by Active Directory users to perform operations against any LDAP-compatible directory service. This tool helps in viewing AD objects and their metadata.
- Movetree.exe: This command-line tool, also referred to as Active Directory Object Manager, is used to move AD objects between domains for domain consolidation and for operations supporting the restructuring of the organization.
- Repadmin: This is the Replication Diagnostics Tool, used to diagnose Active Directory replication problems between Windows domain controllers. It is also used to view the AD replication topology, and to create the replication topology in order to view the replication events between domain controllers.
- Replmon: The Active Directory Replication Monitor is used to view the low-level status of Active Directory replication and the replication topology in a graphical format. This tool is further used to monitor the performance of DC replication and to view and force synchronization between domain controllers.
- Sdcheck: The Security Descriptor Check utility is a command-line tool used to display the security descriptor of any AD object. Security descriptors contain the ACLs which define the permissions users have over Active Directory objects.
- Search: The Active Directory Search Tool is used to perform searches in the Active Directory and obtain information from the LDAP server.
- Setspn: The Manipulate Service Principal Names for Accounts tool is used to read, modify and delete the SPN (service principal name) directory properties of Active Directory service accounts. This tool is used to view the current SPNs, add or delete supplemental SPNs and reset the default SPNs.
- Sidwalker.exe: This tool is used to configure the ACLs of AD objects which belong to either moved or deleted accounts.
The above-mentioned Active Directory Windows support tools are available in the Windows Support Tools toolkit. With the help of these Active Directory tools, it is possible to configure, manage and troubleshoot Active Directory.
Free Active Directory Tools
The Active Directory administration tools are included on the installation CDs of Windows 2000 Server and Windows 2000 Advanced Server. These free Active Directory tools let administrators manage the server remotely from any system running Windows 2000. These administration tools contain the MMC snap-ins which are used to manage Active Directory objects and resources. In order to install the Windows 2000 Administration Tools on a local system, the following steps must be followed:

1. Open the I386 folder on the Windows 2000 Server CD-ROM.
2. Double-click the Adminpak.msi file.
3. Click Next, and then click Finish.

The Adminpak.msi file installs the Active Directory administrative tools, including administrative tools like the Terminal Services Client and Cluster Administrator. Once Adminpak.msi is installed, the following free Active Directory tools are available:
- Active Directory Users and Computers (ADUC): This MMC console can be used only by the Domain Admins and Enterprise Admins groups. With this snap-in, administrators can create, move, delete, locate and configure objects like user accounts, computers, groups, contacts, domains, OUs, shared folders and printers. Furthermore, ADUC is also used to manage GPOs (Group Policy Objects), including Windows settings, security settings, public key policies, automatic certificate requests, etc.
- Active Directory Connector (ADC): This free Active Directory tool is used to simplify administrative tasks among multiple directory services. It is also used to replicate AD information over LDAP. The ADC console hosts all the active AD components, maps objects for replication and supports multiple connections on one server.
- Active Directory Domains and Trusts: This MMC snap-in is used to administer domain trusts, the domain functional level, the forest functional level and user principal name (UPN) suffixes.
- Active Directory Sites and Services: This MMC console is used to administer the replication of directory data within all sites of an AD DS forest. Using this snap-in, it is also possible to view the service-specific objects published in AD DS.
- LDIFDE bulk schema modification tool: Using this tool, administrators can export, import and modify objects like users, OUs, groups, contacts, servers and shared folders.
- CSVDE bulk schema update tool: The Comma Separated Values Data Exchange tool is used to import new objects into the Active Directory from a CSV source file. Using this tool, it is also possible to export existing objects to a CSV file (ad.csv).