Chapter 3, Active Directory Administration Tasks and Tools

Chapter 3, Lesson 1

Active Directory Administration Tasks

1. Microsoft Windows 2000 Active Directory Administration Tasks

A. Categories

1. Configuring Active Directory

a. Plan, deploy, manage, monitor, optimize, and troubleshoot Active Directory, including the domain, OU, and site structures
b. Determine an efficient site topology

2. Administering users and groups

a. Plan, create, and maintain user and group accounts
b. Ensure that each user can log on to the network and gain access to necessary resources

3. Securing network resources

a. Administer, monitor, and troubleshoot authentication services
b. Plan, implement, and enforce a security policy
c. Ensure protection of data and shared network resources, including folders, files, and printers

4. Administering Active Directory

a. Manage the location and control of Active Directory objects
b. Plan and implement Active Directory backup and restore operations

5. Administering the desktop computing environment

a. Deploy, install, and configure the desktop computing environment using group policy

6. Securing Active Directory

a. Administer, monitor, and troubleshoot a security configuration
b. Plan and implement a policy to audit network events so that you can find security breaches

7. Managing Active Directory performance

a. Monitor, maintain, and troubleshoot domain controller performance and Active Directory components

8. Installing Windows 2000 remotely

a. Use Remote Installation Services to deploy Windows 2000 Professional remotely

Chapter 3, Lesson 2

Active Directory Administrative Tools

1. Tools

A. Overview

1. Installed automatically and available on the Administrative Tools menu on computers configured as Windows 2000 domain controllers

2. Also available with the optional Administrative Tools package

3. Use Microsoft Management Console (MMC) to create custom consoles that focus on single management tasks

B. Active Directory Domains and Trusts console

1. Assists management of trust relationships between domains

a. Windows 2000 domains in the same or different forests

b. Pre–Windows 2000 domains

c. Kerberos V5 realms

2. Use the Active Directory Domains and Trusts console to

a. Provide interoperability with other domains by managing explicit domain trusts

b. Change the mode of operation of a Windows 2000 domain from mixed mode to native mode

c. Add and remove alternative user principal name (UPN) suffixes used to create user logon names

d. Transfer the domain naming operations master role from one domain controller to another

e. Provide information about domain management

C. Active Directory Sites and Services console

1. Publish sites to Active Directory to provide information about the physical structure of a network.

2. Active Directory uses this information to determine how to replicate directory information and handle service requests.

D. Active Directory Users and Computers console

1. Adds, modifies, deletes, and organizes Windows 2000 user accounts, computer accounts, security and distribution groups, and published resources in the organization’s directory

2. Manages domain controllers and OUs

2. Other Tools

A. Active Directory Schema snap-in

1. Allows the administrator to view and modify the Active Directory schema

2. Not available by default on the Administrative Tools menu

Note Administrative tools not found in the Administrative Tools menu must be installed using Add/Remove Programs in the Control Panel

3. Must be installed using Add/Remove Programs in the Control Panel

B. Active Directory support tools

1. Overview

a. Additional tools that can be used to configure, manage, and debug Active Directory are included on the Windows 2000 CD in the \Support\Tools folder.

b. Intended for use by Microsoft support personnel and experienced users

c. Requires 18.2 MB of free disk space to install

d. Setup creates a Windows 2000 Support Tools folder within the Programs folder on the Start menu.

e. Click the Tools Help menu item for detailed information about individual tools.

f. GUI tools can be selected from the Tools menu.

g. Adds the \Program Files\Resource Kit directory to the computer’s PATH statement

2. Support Tools (MMC Snap-In)

a. ADSI Edit: Used to view all objects in the directory, modify objects, and set access control lists on objects

b. SIDwalker: Security Administration Tools

(1) Used to manage access control policies on Windows 2000 and Windows NT systems
(2) Consists of three separate programs
(3) SHOWACCS.EXE and SIDWALK.EXE are command-line tools for examining and changing access control entries.
(4) Security Migration Editor is an MMC snap-in tool for editing mapping between old and new security IDs (SIDs).

3. Support Tools (GUI)

a. LDP.EXE: Active Directory Administration Tool: Allows LDAP operations to be performed against Active Directory

b. REPLMON.EXE: Active Directory Replication Monitor: Displays the replication topology, monitors replication status, forces replication events, and triggers a Knowledge Consistency Checker (KCC) recalculation

4. Support Tools (Command Line)

a. ACLDIAG.EXE: ACL Diagnostics: Used to determine whether a user has been granted or denied access to an Active Directory object and to reset an ACL to its default state

b. DFSUTIL.EXE: Distributed File System Utility: Manages all aspects of Dfs, including checking the configuration concurrency of Dfs servers and displaying the Dfs topology

c. DNSCMD.EXE: DNS Server Troubleshooting Tool: Checks dynamic registration of DNS resource records, including secure DNS update, and deregisters resource records

d. DSACLS.EXE: Used to view or modify the access control lists of objects in Active Directory

e. DSASTAT.EXE: Active Directory Diagnostic Tool: Compares naming contexts on domain controllers and detects differences

f. MOVETREE.EXE: Active Directory Object Manager: Moves Active Directory objects such as OUs and users between domains in a single forest

g. NETDOM.EXE: Windows 2000 Domain Manager: Used to manage Windows 2000 domains and trust relationships

h. NLTEST.EXE: Provides a list of primary domain controllers, forces shutdown, and provides information about trusts and replication

i. REPADMIN.EXE: Replication Diagnostics Tool: Checks replication consistency between replication partners, monitors replication status, displays replication metadata, forces replication events, and triggers a Knowledge Consistency Checker (KCC) recalculation

j. SDCHECK.EXE: Security Descriptor Check Utility

(1) Checks access control list propagation and replication for specified objects in the directory
(2) Enables an administrator to determine whether access control lists are being inherited correctly and whether access control list changes are being replicated from one domain controller to another

C. Active Directory Service Interfaces (ADSI)

1. Provides a simple, powerful, object-oriented interface to Active Directory

2. Makes it easy for programmers and administrators to write programs that use directory services through high-level tools, without having to deal with the underlying differences between namespaces

3. Fully programmable automation object for use by administrators

4. Provides the ability to build or buy programs that give a single point of access to multiple directories in a network environment, whether those directories are based on LDAP or another protocol
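The command-line ACL tools listed above (DSACLS.EXE, SDCHECK.EXE) and the ADSI interface described here do the same kind of work: one from the console, the other from script. The PowerShell script below is an added example, not code from the course notes or from Microsoft's support tools. It binds through ADSI to an OU on a named domain controller, lists the explicit (non-inherited) ACEs that grant takeover-class rights (GenericAll, WriteDacl, WriteOwner), and then compares the OU's DACL as held by two domain controllers to show whether a security descriptor change has replicated, which is the check SDCHECK.EXE performs. The OU distinguished name and the two domain controller host names are placeholders; the script runs under the calling user's credentials and needs read access to the object on both DCs.

```powershell
# Added example (not from the course notes): audit an OU's ACL through ADSI and
# compare the DACL as seen from two domain controllers.
# Placeholder names; substitute your own OU DN and DC host names.
$OuDn = 'OU=Sales,DC=example,DC=com'
$Dcs  = @('dc1.example.com', 'dc2.example.com')

# Rights that let the holder take over or re-permission the object.
$HighImpact = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

function Get-ExplicitHighImpactAces {
    param([string]$Dn, [string]$Server)
    # Bind to the object on one specific DC so the result reflects that DC's copy.
    $entry = [ADSI]"LDAP://$Server/$Dn"
    $sec   = $entry.psbase.ObjectSecurity
    # includeExplicit = $true, includeInherited = $false: only ACEs set on this
    # object itself. Inherited ACEs come from a parent and are reviewed there.
    $rules = $sec.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        $granted = [int]($ace.ActiveDirectoryRights -band $HighImpact)
        if ($ace.AccessControlType -eq 'Allow' -and $granted -ne 0) {
            [pscustomobject]@{
                Server   = $Server
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.ActiveDirectoryRights
            }
        }
    }
}

function Compare-AclAcrossDcs {
    param([string]$Dn, [string[]]$Servers)
    # Read the DACL in SDDL form from each DC. Different strings mean the
    # security descriptor has not (yet) replicated between them.
    $sddl = @{}
    foreach ($s in $Servers) {
        $entry = [ADSI]"LDAP://$s/$Dn"
        $sddl[$s] = $entry.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm(
            [System.Security.AccessControl.AccessControlSections]::Access)
    }
    $distinct = @($sddl.Values | Sort-Object -Unique)
    [pscustomobject]@{
        Object     = $Dn
        Consistent = ($distinct.Count -eq 1)
        PerServer  = $sddl
    }
}

Get-ExplicitHighImpactAces -Dn $OuDn -Server $Dcs[0] | Format-Table -AutoSize
Compare-AclAcrossDcs -Dn $OuDn -Servers $Dcs
```

Explicit ACEs are the ones worth reviewing on a per-OU basis: an inherited ACE appears on everything below its source, while an unexpected explicit Allow for GenericAll, WriteDacl or WriteOwner on a single OU usually marks a delegation that outlived its purpose. A DACL mismatch between the two DCs immediately after a change is ordinary replication latency; one that persists is the condition SDCHECK.EXE exists to surface. The script reports only Allow entries; Deny entries can be listed the same way by changing the AccessControlType test.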

3. The Microsoft Management Console (MMC)

A. Overview

1. Used to create, save, and open collections of administrative tools

2. Does not provide management functions itself, but is the program that hosts management applications called snap-ins

3. Uses snap-ins to perform one or more administrative tasks

4. Preconfigured MMCs contain commonly used snap-ins, which appear on the Administrative Tools menu.

5. Custom MMCs are created to perform a unique set of administrative tasks.

6. Preconfigured and custom MMCs can be used for remote administration.

B. Preconfigured MMCs

1. Contain one or more snap-ins that provide the functionality to perform a related set of administrative tasks

2. Run in User mode, so the user cannot modify, save, or add snap-ins

3. Windows 2000 Server and Windows 2000 Professional have different preconfigured MMCs.

4. Added by Windows 2000 when additional components are installed

Note When custom consoles are created, any number of preconfigured consoles can be added as snap-ins to the custom console.

C. Typical preconfigured MMCs

1. Available on Windows 2000 Professional, Windows 2000 Server stand-alone server, and Windows 2000 Server domain controllers

a. Component Services: Configures and manages COM+ applications

b. Computer Management: Manages disks and provides access to other tools to manage local and remote computers

c. Data Sources (ODBC): Adds, removes, and configures Open Database Connectivity (ODBC) data sources and drivers

d. Event Viewer: Displays monitoring and troubleshooting messages from Windows and other programs

e. Performance: Displays graphs of system performance and configures data logs and alerts

f. Services: Starts and stops services

2. Available on Windows 2000 Server stand-alone server and domain controllers

a. Configure Your Server: Sets up and configures Windows services for the network

b. Distributed File System: Creates and manages distributed file systems (Dfs) that connect shared folders from different computers

c. Internet Services Manager: Manages Internet Information Services (IIS), the Web server for Internet and intranet Web sites

d. Licensing: Manages client access licensing for a server product

e. Routing and Remote Access: Used to configure and manage the Routing and Remote Access service

f. Server Extensions Administrator: Used to administer Microsoft FrontPage Server Extensions and FrontPage extended webs

g. Telnet Server Administration: Used to view and modify telnet server settings and connections

3. Available only on Windows 2000 Server domain controllers

a. Active Directory Domains and Trusts: Manages the trust relationships between domains

b. Active Directory Sites and Services: Creates sites to manage the replication of Active Directory information

c. Active Directory Users and Computers: Manages users, computers, security groups, and other objects in Active Directory

d. DHCP: Used to configure and manage the DHCP service

e. DNS: Manages the DNS service, which translates DNS computer names to IP addresses

f. Domain Controller Security Policy: Used to view and modify security policy for the Domain Controllers organizational unit

g. Domain Security Policy: Used to view and modify security policy for the domain, such as user rights and audit policies

4. Available on Windows 2000 Professional and Windows 2000 Server stand-alone server

a. Local Security Policy: Used to view and modify local security policy, such as user rights and audit policies

D. Custom MMCs

1. Combine multiple preconfigured snap-ins with third-party snap-ins that perform related tasks to create custom MMCs

2. Distribute custom MMCs to other administrators

3. Use custom MMCs from any computer to centralize and unify administrative tasks

4. Consoles are saved as files with the extension .msc and restored when the file is opened, even if the console file is opened on a different computer or network.

E. Console tree and details pane

1. Every MMC has a console tree, which displays the hierarchical organization of the snap-ins contained within the MMC.

2. Every MMC contains the Action menu and the View menu; choices on these menus are context-sensitive, depending on the current selection in the console tree.

3. The console tree organizes snap-ins that are part of an MMC, which allows a snap-in to be easily located.

4. Items that are added to the console tree appear under the console root.

5. The details pane lists the contents of the active snap-in.

F. Snap-ins

1. Overview

a. Applications that are designed to work in an MMC

b. Used to perform administrative tasks

c. Two types: stand-alone and extension

2. Stand-alone snap-ins

a. Usually referred to simply as snap-ins

b. Used to perform Windows 2000 administrative tasks

c. Provide one function or a related set of functions

3. Extension snap-ins

a. Referred to simply as extensions

b. Provide additional administrative functionality to another snap-in

c. Designed to work with one or more stand-alone snap-ins

d. Windows 2000 displays only extensions that are compatible with the stand-alone snap-in and places them in the appropriate location.

e. When a snap-in is added to a console, MMC adds all available extensions by default.

f. Extensions can be added to multiple snap-ins.

g. Some stand-alone snap-ins can use extensions that provide additional functionality.

h. Some snap-ins can act as a snap-in or an extension.

G. Console options

1. Overview

a. Selecting the appropriate console mode from the console options determines how each MMC operates.

b. Console mode determines the MMC functionality available to the person using a saved MMC.

c. The two available console modes are Author mode and User mode.

2. Author mode

a. Full access to all MMC functionality

b. Adds or removes snap-ins

c. Creates new windows

d. Views all portions of the console tree

e. Saves MMCs

Note By default, all new MMCs are saved in Author mode.

3. User mode

a. Users cannot add or remove snap-ins, or save the MMC.

b. Three types of user modes allow different levels of access and functionality:

(1) Full Access: Allows user to navigate between snap-ins, open new windows, and gain access to all portions of the console tree
(2) Limited Access, Multiple Windows: Does not allow user to open new windows or gain access to a portion of the console tree; allows user to view multiple windows in the console
(3) Limited Access, Single Window: Does not allow user to open new windows or gain access to a portion of the console tree; allows user to view only one window in the console
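The console mode stored in a saved .msc file governs how that console behaves when it is opened normally; it is not on its own an access control, because mmc.exe accepts a /a switch that reopens any console in Author mode. What makes a User-mode console restrictive for a delegated administrator is the MMC Group Policy, whose values land under HKCU\Software\Policies\Microsoft\MMC: RestrictAuthorMode blocks Author mode, RestrictToPermittedSnapins limits the user to explicitly permitted snap-ins, and a per-snap-in subkey named by the snap-in's CLSID carries Restrict_Run (1 = prohibited). The PowerShell script below is an added example, not from the course notes; it reports that policy state for the current user and resolves each restricted CLSID to its registered snap-in name from HKLM\SOFTWARE\Microsoft\MMC\SnapIns. The $ConsolePath value is a placeholder.

```powershell
# Added example (not from the course notes): report whether MMC author mode and
# snap-in use are actually restricted for the current user, and show how a
# saved console is opened in User mode versus Author mode.
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\MMC'
$SnapInsKey = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'
$ConsolePath = 'C:\Consoles\Helpdesk.msc'   # placeholder path to a saved console

function Get-MmcPolicyState {
    # Both values are DWORDs written by the MMC Group Policy settings; absent
    # key or value means "not configured", i.e. no restriction.
    $p = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    [pscustomobject]@{
        AuthorModeRestricted = ($null -ne $p -and $p.RestrictAuthorMode -eq 1)
        OnlyPermittedSnapIns = ($null -ne $p -and $p.RestrictToPermittedSnapins -eq 1)
    }
}

function Get-MmcSnapInPolicy {
    # Each per-snap-in policy is a subkey named by the snap-in CLSID holding
    # Restrict_Run: 1 prohibits the snap-in; 0 permits it, which matters when
    # RestrictToPermittedSnapins is on and everything unlisted is blocked.
    if (-not (Test-Path $PolicyKey)) { return }
    foreach ($sub in Get-ChildItem -Path $PolicyKey) {
        $clsid = $sub.PSChildName
        $run   = (Get-ItemProperty -Path $sub.PSPath).Restrict_Run
        $name  = $null
        $reg   = Join-Path $SnapInsKey $clsid
        if (Test-Path $reg) { $name = (Get-ItemProperty -Path $reg).NameString }
        [pscustomobject]@{
            Clsid      = $clsid
            SnapIn     = $name
            Restricted = ($run -eq 1)
        }
    }
}

function Open-Console {
    param([string]$Path, [switch]$AuthorMode)
    # Without /a the console opens in the mode saved in the .msc file;
    # with /a it opens in Author mode unless RestrictAuthorMode applies.
    $argList = @("`"$Path`"")
    if ($AuthorMode) { $argList += '/a' }
    Start-Process -FilePath 'mmc.exe' -ArgumentList $argList
}

Get-MmcPolicyState
Get-MmcSnapInPolicy | Format-Table -AutoSize
# Open-Console -Path $ConsolePath              # saved mode
# Open-Console -Path $ConsolePath -AuthorMode  # Author mode, if not restricted
```

Run Get-MmcPolicyState in the context of the account that will receive the User-mode console: if AuthorModeRestricted is false, the Limited Access modes described above are a convenience for that account rather than a boundary. NameString is shown as registered; on some systems it is an indirect resource string rather than a readable name.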

Chapter 3, Lesson 3

Using Microsoft Management Consoles

1. Using Preconfigured MMCs

A. Click Start, point to Programs, and then click Administrative Tools

B. Right-click My Computer and select Manage to view the Computer Management preconfigured console

2. Using Custom MMCs

A. To create a custom MMC, you must open an empty console and then add the snap-ins needed to perform the desired administrative tasks

B. To open an empty console, click Start, click Run, type mmc in the Open box, and then click OK

C. Options on the Console menu

1. New: Create a new custom MMC console

2. Open: Use a saved MMC console

3. Save or Save As: Use the MMC console later

4. Add/Remove Snap-In: Add or remove one or more snap-ins and their associated extensions to or from an MMC console

5. Options: Configure the console mode and create a custom MMC console

3. Using MMCs for Remote Administration

A. A snap-in for remote administration can be set up when a custom MMC is created.

B. Remote administration allows administrative tasks to be performed from any location.

C. The design of each snap-in dictates whether or not it can be used for remote administration.

D. Specific snap-ins designed for remote administration must be used.