Chapter 3, Active Directory Administration Tasks and Tools
Chapter 3, Lesson 1
Active Directory Administration Tasks
1. Microsoft Windows 2000 Active Directory Administration Tasks
A. Categories
1. Configuring Active Directory
a. Plan, deploy, manage, monitor, optimize, and troubleshoot Active Directory, including the domain, OU, and site structures
b. Determine an efficient site topology
2. Administering users and groups
a. Plan, create, and maintain user and group accounts
b. Ensure that each user can log on to the network and gain access to necessary resources
3. Securing network resources
a. Administer, monitor, and troubleshoot authentication services
b. Plan, implement, and enforce a security policy
c. Ensure protection of data and shared network resources, including folders, files, and printers
4. Administering Active Directory
a. Manage the location and control of Active Directory objects
b. Plan and implement Active Directory backup and restore operations
5. Administering the desktop computing environment
a. Deploy, install, and configure the desktop computing environment using group policy
6. Securing Active Directory
a. Administer, monitor, and troubleshoot a security configuration
b. Plan and implement a policy to audit network events so that you can find security breaches
7. Managing Active Directory performance
a. Monitor, maintain, and troubleshoot domain controller performance and Active Directory components
8. Installing Windows 2000 remotely
a. Use Remote Installation Services to deploy Windows 2000 Professional remotely
Chapter 3, Lesson 2
Active Directory Administrative Tools
1. Tools
A. Overview
1. Installed automatically and available on the Administrative Tools menu on computers configured as Windows 2000 domain controllers
2. Also available with the optional Administrative Tools package
3. Use Microsoft Management Console (MMC) to create custom consoles that focus on single management tasks
B. Active Directory Domains and Trusts console
1. Assists management of trust relationships between domains
a. Windows 2000 domains in the same or different forests
b. Pre–Windows 2000 domains
c. Kerberos V5 realms
2. Use the Active Directory Domains and Trusts console to
a. Provide interoperability with other domains by managing explicit domain trusts
b. Change the mode of operation of a Windows 2000 domain from mixed mode to native mode
c. Add and remove alternative user principal name (UPN) suffixes used to create user logon names
d. Transfer the domain naming operations master role from one domain controller to another
e. Provide information about domain management
C. Active Directory Sites and Services console
1. Publish sites to Active Directory to provide information about the physical structure of a network.
2. Active Directory uses this information to determine how to replicate directory information and handle service requests.
D. Active Directory Users and Computers console
1. Adds, modifies, deletes, and organizes Windows 2000 user accounts, computer accounts, security and distribution groups, and published resources in the organization’s directory
2. Manages domain controllers and OUs
2. Other Tools
A. Active Directory Schema snap-in
Note Modifying the Active Directory schema is an advanced operation that is best performed programmatically by experienced programmers or system administrators. For detailed information about modifying the Active Directory schema, see the Microsoft Active Directory Programmer’s Guide.
1. Allows the administrator to view and modify the Active Directory schema
2. Not available by default on the Administrative Tools menu
Note Administrative tools not found in the Administrative Tools menu must be installed using Add/Remove Programs in the Control Panel.
3. Must be installed using Add/Remove Programs in the Control Panel
Note See pages 63–64 of the textbook for detailed instructions on how to install the Active Directory Schema snap-in.
B. Active Directory support tools
1. Overview
a. Additional tools that can be used to configure, manage, and debug Active Directory are included on the Windows 2000 CD in the \Support\Tools folder.
b. Intended for use by Microsoft support personnel and experienced users
c. Requires 18.2 MB of free disk space to install
d. Setup creates a Windows 2000 Support Tools folder within the Programs folder on the Start menu.
e. Click the Tools Help menu item for detailed information about individual tools.
f. GUI tools can be selected from the Tools menu.
g. Adds the \Program Files\Resource Kit directory to the computer’s PATH statement
Note See page 64 of the textbook for detailed instructions on how to install the Active Directory Support Tools.
Note The following list of support tools is grouped by whether they are MMC snap-in tools (ADSI Edit and SIDwalker), GUI tools (LDP.EXE and REPLMON.EXE), or command-line tools (the rest of the tools in the following list). Table 3.2 in the textbook organizes them in alphabetical order.
2. Support Tools (MMC Snap-In)
a. ADSI Edit: Used to view all objects in the directory, modify objects, and set access control lists on objects
b. SIDwalker: Security Administration Tools
(1) Used to manage access control policies on Windows 2000 and Windows NT systems
(2) Consists of three separate programs
(3) SHOWACCS.EXE and SIDWALK.EXE are command-line tools for examining and changing access control entries.
(4) Security Migration Editor is an MMC snap-in tool for editing the mapping between old and new security IDs (SIDs).
3. Support Tools (GUI)
a. LDP.EXE: Active Directory Administration Tool: Allows LDAP operations to be performed against Active Directory
Note For more information about LDP.EXE, see Chapter 14 of the textbook, page 540, “Managing Active Directory Performance.”
b. REPLMON.EXE: Active Directory Replication Monitor: Displays replication topology, monitors replication status, forces replication events, and triggers the knowledge consistency checker (KCC) to recalculate the replication topology
Note For more information about REPLMON.EXE, see Chapter 14 of the textbook, page 541, “Managing Active Directory Performance.”
4. Support Tools (Command Line)
a. ACLDIAG.EXE: ACL Diagnostics: Used to determine whether a user has been granted or denied access to an Active Directory object and to reset an ACL to its default state
Note For more information about ACLDIAG.EXE, see Chapter 14 of the textbook, page 544, “Managing Active Directory Performance.”
b. DFSUTIL.EXE: Distributed File System Utility: Manages all aspects of Dfs, including checking the configuration concurrency of Dfs servers and displaying the Dfs topology
c. DNSCMD.EXE: DNS Server Troubleshooting Tool: Checks dynamic registration of DNS resource records, including secure DNS update, and deregisters resource records
d. DSACLS.EXE: Used to view or modify the access control lists of objects in Active Directory
Note For more information about DSACLS.EXE, see Chapter 14 of the textbook, page 545, “Managing Active Directory Performance.”
e. DSASTAT.EXE: Active Directory Diagnostic Tool: Compares naming contexts on domain controllers and detects differences
Note For more information about DSASTAT.EXE, see Chapter 14 of the textbook, page 543, “Managing Active Directory Performance.”
f. MOVETREE.EXE: Active Directory Object Manager: Moves Active Directory objects such as OUs and users between domains in a single forest
Note For more information about MOVETREE.EXE, see Chapter 11 of the textbook, page 364, “Administering Active Directory.”
g. NETDOM.EXE: Windows 2000 Domain Manager: Used to manage Windows 2000 domains and trust relationships
h. NLTEST.EXE: Provides a list of primary domain controllers, forces shutdown, and provides information about trusts and replication
Note For more information about NLTEST.EXE, see Chapter 14 of the textbook, page 544, “Managing Active Directory Performance.”
i. REPADMIN.EXE: Replication Diagnostics Tool: Checks replication consistency between replication partners, monitors replication status, displays replication metadata, forces replication events, and triggers the knowledge consistency checker (KCC) to recalculate the replication topology
Note For more information about REPADMIN.EXE, see Chapter 14 of the textbook, page 543, “Managing Active Directory Performance.”
j. SDCHECK.EXE: Security Descriptor Check Utility
(1) Checks access control list propagation and replication for specified objects in the directory
(2) Enables an administrator to determine whether access control lists are being inherited correctly and whether access control list changes are being replicated from one domain controller to another
Note For more information about SDCHECK.EXE, see Chapter 14 of the textbook, page 543, “Managing Active Directory Performance.”
Note For more information about the Active Directory support tools, see the Microsoft Windows 2000 Resource Kit.
C. Active Directory Service Interfaces (ADSI)
1. Provides a simple, powerful, object-oriented interface to Active Directory
2. Makes it easy for programmers and administrators to create programs utilizing directory services by using high-level tools without having to worry about the underlying differences between the different namespaces
3. Fully programmable automation object for use by administrators
4. Provides the ability to build or buy programs that give a single point of access to multiple directories in a network environment, whether those directories are based on LDAP or another protocol
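As an added example (not from the course or the textbook) of the ADSI interface described above, the following VBScript binds to an OU, lists user accounts whose userAccountControl flags deserve review, and dumps the OU’s discretionary ACL, the same ACL that DSACLS.EXE and ADSI Edit display. The OU path is an assumed placeholder; run the script with cscript as a user who can read the directory.

```vbscript
' Added example (not from the course text): audits one OU through ADSI.
' Assumption: the OU path below is a placeholder; replace it with a real one.
Option Explicit

' userAccountControl bits (ADS_USER_FLAG_ENUM)
Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_PASSWD_NOTREQD     = &H20
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
' ACE types and flags (ADS_ACETYPE_ENUM / ADS_ACEFLAG_ENUM)
Const ADS_ACETYPE_ACCESS_DENIED        = 1
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ADS_ACEFLAG_INHERITED_ACE        = &H10

Dim strOUPath, objOU
strOUPath = "LDAP://OU=Sales,DC=example,DC=com"   ' placeholder path
Set objOU = GetObject(strOUPath)

' 1. User accounts in the OU whose flags weaken or bypass the password policy
Dim objUser, lngUAC, strName
objOU.Filter = Array("user")
For Each objUser In objOU
    strName = objUser.Get("sAMAccountName")
    lngUAC  = objUser.Get("userAccountControl")
    If (lngUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        WScript.Echo strName & ": password never expires"
    End If
    If (lngUAC And ADS_UF_PASSWD_NOTREQD) <> 0 Then
        WScript.Echo strName & ": password not required"
    End If
    If (lngUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        WScript.Echo strName & ": account disabled"
    End If
Next

' 2. The OU's discretionary ACL: each entry's trustee, allow/deny,
'    access mask, and whether it was inherited from a parent container
Dim objSD, objDACL, objACE, strKind, strInherited
Set objSD   = objOU.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
For Each objACE In objDACL
    If objACE.AceType = ADS_ACETYPE_ACCESS_DENIED Or _
       objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
        strKind = "DENY "
    Else
        strKind = "ALLOW"
    End If
    If (objACE.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then
        strInherited = " (inherited)"
    Else
        strInherited = " (explicit)"
    End If
    WScript.Echo strKind & " " & objACE.Trustee & " mask=0x" & _
        Hex(objACE.AccessMask) & strInherited
Next
```

Explicit DENY entries and unexpected explicit ALLOW entries on a container are the ones to compare against what SDCHECK.EXE reports for inheritance.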
3. The Microsoft Management Console (MMC)
A. Overview
1. Used to create, save, and open collections of administrative tools
2. Does not provide management functions itself, but is the program that hosts management applications called snap-ins
3. Uses snap-ins to perform one or more administrative tasks
4. Preconfigured MMCs contain commonly used snap-ins, which appear on the Administrative Tools menu.
5. Custom MMCs are created to perform a unique set of administrative tasks.
6. Preconfigured and custom MMCs can be used for remote administration.
B. Preconfigured MMCs
1. Contain one or more snap-ins that provide the functionality to perform a related set of administrative tasks
2. Function in User mode; unable to modify, save, or add snap-ins
3. Windows 2000 Server and Windows 2000 Professional have different preconfigured MMCs.
4. Added by Windows 2000 when additional components are installed
Note When custom consoles are created, any number of preconfigured consoles can be added as snap-ins to the custom console.
C. Typical preconfigured MMCs
1. Available on Windows 2000 Professional, Windows 2000 Server stand-alone server, and Windows 2000 Server domain controllers
a. Component Services: Configures and manages COM+ applications
b. Computer Management: Manages disks and provides access to other tools to manage local and remote computers
c. Data Sources (ODBC): Adds, removes, and configures Open Database Connectivity (ODBC) data sources and drivers
d. Event Viewer: Displays monitoring and troubleshooting messages from Windows and other programs
e. Performance: Displays graphs of system performance and configures data logs and alerts
f. Services: Starts and stops services
2. Available on Windows 2000 Server stand-alone server and domain controllers
a. Configure Your Server: Sets up and configures Windows services for the network
b. Distributed File System: Creates and manages distributed file systems (Dfs) that connect shared folders from different computers
c. Internet Services Manager: Manages Internet Information Services (IIS), the Web server for Internet and intranet Web sites
d. Licensing: Manages client access licensing for a server product
e. Routing and Remote Access: Used to configure and manage the Routing and Remote Access service
f. Server Extensions Administrator: Used to administer Microsoft FrontPage Server Extensions and FrontPage extended webs
g. Telnet Server Administration: Used to view and modify telnet server settings and connections
3. Available only on Windows 2000 Server domain controllers
a. Active Directory Domains and Trusts: Manages the trust relationships between domains
b. Active Directory Sites and Services: Creates sites to manage the replication of Active Directory information
c. Active Directory Users and Computers: Manages users, computers, security groups, and other objects in Active Directory
d. DHCP: Used to configure and manage the DHCP service
e. DNS: Manages the DNS service, which translates DNS computer names to IP addresses
f. Domain Controller Security Policy: Used to view and modify security policy for the Domain Controllers organizational unit
g. Domain Security Policy: Used to view and modify security policy for the domain, such as user rights and audit policies
4. Available on Windows 2000 Professional and Windows 2000 Server stand-alone server
a. Local Security Policy: Used to view and modify local security policy, such as user rights and audit policies
D. Custom MMCs
1. Combine multiple preconfigured snap-ins with third-party snap-ins that perform related tasks to create custom MMCs
2. Distribute custom MMCs to other administrators
3. Use custom MMCs from any computer to centralize and unify administrative tasks
4. Consoles are saved as files with the extension .msc and restored when the file is opened, even if the console file is opened on a different computer or network.
E. Console tree and details pane
1. Every MMC has a console tree, which displays the hierarchical organization of the snap-ins contained within an MMC.
2. Every MMC contains the Action menu and the View menu; choices on these menus are context-sensitive, depending on the current selection in the console tree.
3. The console tree organizes the snap-ins that are part of an MMC, which allows a snap-in to be easily located.
4. Items that are added to the console tree appear under the console root.
5. The details pane lists the contents of the active snap-in.
F. Snap-ins
1. Overview
a. Applications that are designed to work in an MMC
b. Used to perform administrative tasks
c. Two types: stand-alone and extension
2. Stand-alone snap-ins
a. Usually referred to simply as snap-ins
b. Used to perform Windows 2000 administrative tasks
c. Provide one function or a related set of functions
3. Extension snap-ins
a. Referred to simply as extensions
b. Provide additional administrative functionality to another snap-in
c. Designed to work with one or more stand-alone snap-ins
d. Windows 2000 displays only extensions that are compatible with the stand-alone snap-in and places them in the appropriate location.
e. When a snap-in is added to a console, MMC adds all available extensions by default.
f. Extensions can be added to multiple snap-ins.
g. Some stand-alone snap-ins can use extensions that provide additional functionality.
h. Some snap-ins can act as either a snap-in or an extension.
G. Console options
1. Overview
a. Selecting the appropriate console mode from the console options determines how each MMC operates.
b. Console mode determines the MMC functionality available to the person using a saved MMC.
c. The two available console modes are Author mode and User mode.
Note Additional console options can be set using group policy. For information on setting group policies, see Chapter 12 of the textbook, “Administering a Group Policy.”
2. Author mode
a. Full access to all MMC functionality
b. Adds or removes snap-ins
c. Creates new windows
d. Views all portions of the console tree
e. Saves MMCs
Note By default, all new MMCs are saved in Author mode.
3. User mode
a. Users cannot add or remove snap-ins, or save the MMC.
b. Three types of user modes allow different levels of access and functionality:
(1) Full Access: Allows the user to navigate between snap-ins, open new windows, and gain access to all portions of the console tree
(2) Limited Access, Multiple Windows: Does not allow the user to open new windows or gain access to a portion of the console tree; allows the user to view multiple windows in the console
(3) Limited Access, Single Window: Does not allow the user to open new windows or gain access to a portion of the console tree; allows the user to view only one window in the console
Chapter 3, Lesson 3
Using Microsoft Management Consoles
1. Using Preconfigured MMCs
A. Click Start, point to Programs, and then click Administrative Tools
B. Right-click My Computer and select Manage to view the Computer Management preconfigured console
2. Using Custom MMCs
A. To create a custom MMC, you must open an empty console and then add the snap-ins needed to perform the desired administrative tasks
B. To open an empty console, click Start, click Run, type mmc in the Open box, and then click OK
C. Options on the Console menu
1. New: Create a new custom MMC console
2. Open: Use a saved MMC console
3. Save or Save As: Use the MMC console later
4. Add/Remove Snap-In: Add or remove one or more snap-ins and their associated extensions to or from an MMC console
5. Options: Configure the console mode and create a custom MMC console
3. Using MMCs for Remote Administration
A. A snap-in for remote administration can be set up when a custom MMC is created.
B. Remote administration allows administrative tasks to be performed from any location.
C. The design of each snap-in dictates whether or not it can be used for remote administration.
D. Specific snap-ins designed for remote administration must be used.
E. If the snap-in is available for remote administration, Windows 2000 prompts for the target computer to administer.
F. The Windows 2000 Administration Tools Setup Wizard is simply a means for loading administrative tools onto a remote machine.
Chapter 3, Lesson 4
Using Task Scheduler
1. Introduction to Task Scheduler
A. Scheduled tasks are saved in the Scheduled Tasks folder in the Control Panel folder in My Computer and on the Accessories, System Tools menu.
B. Access scheduled tasks on another computer by browsing that computer’s resources using My Network Places; this allows tasks to be moved from one computer to another.
C. Use Task Scheduler to
1. Run maintenance utilities at specific intervals
2. Run programs when there is less demand for computer resources
D. Scheduled Task Wizard
1. Accessed in the Scheduled Tasks folder by double-clicking Add Scheduled Task
2. Options
a. Program to run: The application to be scheduled
b. Task name: A descriptive name for the task
c. Frequency: How often Windows 2000 will perform the task
d. Time and date: Start time and start date for the task to occur
e. Name and password: User name and password; the application will run under the security settings for this user account
f. Advanced properties: Select this check box to display the Advanced Properties dialog box after clicking Finish
3. Advanced properties
a. Task: Change the scheduled task, add parameters, or change the user account
b. Schedule: Set and display multiple schedules for the same task
c. Settings: Set options that can delete or stop a task, start or stop a task based on idle or nonidle time, start or stop a task if a computer is running on batteries, or wake the computer to run a task
d. Security: Change the list of users and groups that have permission to perform the task, or change the permissions for a specific user or group