Chapter 11, Administering Active Directory
Chapter 11, Lesson 1
Locating Active Directory Objects
1. Overview
A. Active Directory stores information about
objects on the network.
B. Each object is a distinct, named set of
attributes that represents a specific network entity.
C. Active Directory is designed to provide
information to queries about directory objects from both users and programs.
2. Understanding Common Active Directory
Objects
A. Common object types and their contents
1. User account: Information that allows a
user to log on to Windows 2000; many optional fields
2. Contact: Information about a person with
a connection to the organization; many optional fields
3. Group: Collection of user accounts,
groups, or computers used to simplify administration
4. Shared folder: A pointer to the shared folder on a computer; contains the address of certain data rather than the data itself
Note Shared
folders and printers exist in the registry of a computer. When a shared folder
is published in Active Directory, an object is created that contains a pointer
to the shared folder.
5. Printer: Pointer to a printer on a computer; a printer hosted on a computer that is not a Windows 2000 member of Active Directory (for example, a Windows NT print server) must be published manually
6. Computer: Information about a computer
that is a member of the domain
7. Domain controllers: Information about a
domain controller
8. Organizational unit (OU): Contains other
objects, including other OUs; used to organize Active Directory objects
3. Using Find
A. Overview
1. Locating Active Directory objects begins
by opening the Active Directory Users and Computers console, located in the
Administrative Tools folder, right-clicking a domain or container in the
console tree, and then clicking Find.
2. The Find dialog box provides options that
allow the global catalog to be searched for Active Directory objects.
3. The Find dialog box helps create an LDAP
query that will be executed against the directory or a specific OU.
4. The global catalog contains a partial
replica of the entire directory, so it stores information about every object in
a domain tree or forest.
5. Because the global catalog contains a
partial replica of the entire directory, users can find information regardless
of which domain in the tree or forest contains the data.
6. Active Directory automatically generates
the contents of the global catalog from the domains that make up the directory.
B. Options in the Find dialog box
1. Find
a. List of object types that can be searched
b. Includes users, contacts, groups,
computers, printers, shared folders, OUs, and custom search
c. Custom search builds the LDAP query or
allows users to enter their own LDAP query based on the parameters they enter.
2. In
a. List of locations that can be searched
b. Includes the entire Active Directory, a
specific domain, or an OU
3. Browse
a. A button that allows the selection of the
path for the search
4. Advanced
a. A context-sensitive tab in which the
search criteria to locate the object needed is defined
b. Provides an array of choices when users,
contacts, groups, computers, printers, shared folders, or OUs are searched
c. Requires manual typing of the query when
custom search is selected
5. Field
a. A context-sensitive list of the attributes
that can be searched, based on the object type selected
b. Located in the Advanced tab
6. Condition
a. A context-sensitive list of the methods
available to further define the search for an attribute
b. Located in the Advanced tab
7. Value
a. A box that allows entry of the value for
the condition of the field (attribute) being used to search the Directory
b. Located in the Advanced tab
c. Requires that a value be entered for an
object’s attribute before that attribute can be used to search for the object
8. Search Criteria
a. A box that lists each search criterion defined
b. A search criterion is defined by using the Field list, Condition list, and Value box, and then clicking Add.
c. A search criterion is removed by selecting it and then clicking Remove.
d. Adding or removing search criteria narrows
or widens the search, respectively.
9. Find Now
a. A button used to begin a search after
search criteria are defined
10. Stop
a. A button used to stop a search
b. Items found up to the point of stopping
the search are displayed.
11. Clear All
a. A button used to clear the specified
search criteria
12. Results
a. A box that opens at the bottom of the Find
window
b. Displays the results of the search after
Find Now is clicked
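The query that the Find dialog assembles can be reproduced by hand. The following Python is an added example written for this page, not code from the training kit or from Windows: it builds the LDAP filter from the Field/Condition/Value rows of the Search Criteria box, escapes the typed value as RFC 4515 requires, and shows what an unescaped value does in a custom search. The objectCategory/objectClass filter assumed for each entry in the Find list is an assumption about how the dialog maps its object types.

```python
# Added example, not training-kit code: build the LDAP filter the Find
# dialog's Advanced tab produces from Field / Condition / Value criteria.
# The per-object-type base filters are an assumed mapping; condition
# labels mirror the dialog's Condition list; escaping follows RFC 4515.
import re

OBJECT_TYPE_FILTER = {
    "Users": "(&(objectCategory=person)(objectClass=user))",
    "Contacts": "(&(objectCategory=person)(objectClass=contact))",
    "Groups": "(objectCategory=group)",
    "Computers": "(objectCategory=computer)",
    "Printers": "(objectCategory=printQueue)",
    "Shared Folders": "(objectCategory=volume)",
    "Organizational Units": "(objectCategory=organizationalUnit)",
}

# Condition -> filter template; val is already escaped when it arrives here.
CONDITIONS = {
    "Starts with":  lambda attr, val: "(%s=%s*)" % (attr, val),
    "Ends with":    lambda attr, val: "(%s=*%s)" % (attr, val),
    "Is (exactly)": lambda attr, val: "(%s=%s)" % (attr, val),
    "Is not":       lambda attr, val: "(!(%s=%s))" % (attr, val),
    "Present":      lambda attr, val: "(%s=*)" % attr,
    "Not present":  lambda attr, val: "(!(%s=*))" % attr,
}

ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, *, (, ) and NUL become \\xx hex escapes,
    so a typed value can only match data, never change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(object_type: str, criteria) -> str:
    """criteria: list of (Field, Condition, Value) rows. Every row is ANDed
    in, which is why adding rows narrows the search and removing rows widens it."""
    parts = [OBJECT_TYPE_FILTER[object_type]]
    for attr, condition, value in criteria:
        if not ATTRIBUTE_NAME.match(attr):
            raise ValueError("bad attribute name: %r" % attr)
        if condition not in CONDITIONS:
            raise ValueError("unknown condition: %r" % condition)
        if condition not in ("Present", "Not present") and not value:
            raise ValueError("a value is required for %r" % condition)
        parts.append(CONDITIONS[condition](attr, escape_filter_value(value)))
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def naive_filter(attr: str, value: str) -> str:
    """Plain interpolation with no escaping: what a custom search does with
    whatever is typed, and why that box must never be fed untrusted input."""
    return "(%s=%s)" % (attr, value)


if __name__ == "__main__":
    rows = [("cn", "Starts with", "jo"), ("description", "Not present", "")]
    print(build_filter("Users", rows))
    # Escaped, a typed "*" matches only a literal asterisk in cn ...
    print(build_filter("Users", [("cn", "Is (exactly)", "*")]))
    # ... unescaped, it matches every user that has a cn at all.
    print(naive_filter("cn", "*"))
```

The custom-search option hands the typed text straight to the directory as a filter, so it belongs to administrators only; any application that builds filters from user input should go through the escaping step above.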
Chapter 11, Lesson 2
Controlling Access to Active Directory Objects
1. Overview
A. Windows 2000 uses an object-based security
model to implement access control for all Active Directory objects.
B. This security model is similar to the one
that Windows 2000 uses to implement NTFS.
C. Every Active Directory object has a
security descriptor that defines who has the permissions to gain access to the
object and what type of access is allowed.
D. Windows 2000 uses these security
descriptors to control access to objects.
2. Understanding Active Directory Permissions
A. Active Directory security
1. Permissions provide security for
resources by controlling who can gain access to individual objects or object
attributes and the type of access allowed.
2. An administrator or the object owner must
assign permissions to the object before users can gain access to the object.
3. Every Active Directory object carries an access control list (ACL): the stored list of entries that each name a user or group and the permissions allowed or denied to it.
4. The ACL for an object therefore lists who can access the object and the specific actions that each user or group can perform on the object.
5. Permissions assign administrative
privileges to a specific user or group for an OU, a hierarchy of OUs, or a
single object without assigning administrative permissions for controlling
other Active Directory objects.
B. Object permissions
1. The object type determines which
permissions can be selected.
2. Permissions vary for different object
types.
3. A user can be a member of multiple
groups, each with different permissions that provide different levels of access
to objects.
4. When assigning a permission to a user for
access to an object, and that user is a member of a group that is assigned a
different permission, the user’s effective permissions are the combination of
the user and group permissions.
5. Permissions can be allowed or denied.
6. Denied permissions take precedence over permissions that are otherwise allowed for user accounts and groups at the same level: an explicit Deny on an object overrides any Allow on that object, and an inherited Deny overrides any inherited Allow. The one exception is that permissions explicitly allowed on the object are evaluated before a Deny inherited from a parent, so an explicit Allow can override an inherited Deny.
7. Permissions should be denied only when it is absolutely necessary to deny permission to a specific user who is a member of a group with allowed permissions.
Note Always
ensure that all objects have at least one user with the Full Control
permission. Failure to do so might result in some objects being inaccessible to
the person using the Active Directory Users and Computers console, even an
administrator, unless object ownership is changed.
C. Standard permissions and special
permissions
1. Overview
a. Both standard permissions and special
permissions can be set on objects.
b. Standard permissions are the most
frequently assigned permissions and are composed of special permissions.
c. Special permissions provide a finer
degree of control for assigning access to objects.
2. Standard object permissions and the type
of access allowed
a. Full Control: Change permissions and take
ownership, plus perform the tasks allowed by all other standard permissions
b. Read: View objects and object attributes,
the object owner, and Active Directory permissions
c. Write: Change object attributes
d. Create All Child Objects: Add any type of
child object to an OU
e. Delete All Child Objects: Remove any type
of object from an OU
3. Assigning Active Directory Permissions
A. Overview
1. The Active Directory Users and Computers
console is used to set standard permissions for objects and attributes of
objects.
2. The Security tab of the Properties dialog
box for the object is used to assign permissions.
3. The Properties dialog box is different
for each object type.
4. When the check boxes under Permissions
are shaded, the object has inherited permissions from the parent object.
5. To prevent an object from inheriting permissions from its parent object, clear the Allow Inheritable Permissions From Parent To Propagate To This Object check box.
6. Special permissions are accessible
through the Advanced button.
Note Select
Advanced Features on the View menu to access the Security tab and assign
standard permissions for an object.
B. To assign standard permissions for an
object
1. In Active Directory Users and Computers,
on the View menu, ensure that Advanced Features is selected.
2. Select an object, click Properties on the
Action menu, and then click the Security tab in the Properties dialog box for
the object.
3. To assign standard permissions:
a. To add a new permission, click Add, click
the user account or group to which to assign permissions, click Add, and then
click OK.
b. To change an existing permission, click
the user account or group.
4. Under Permissions, select the Allow check
box or the Deny check box for each permission to be added or removed.
C. To view special permissions
1. In the Security tab in the Properties
dialog box for the object, click Advanced.
2. In the Access Control Settings For dialog
box for the object, in the Permissions tab, click the entry to view in the
Permissions Entries list, and then click View/Edit.
3. In the Permission Entry For dialog box
for the object, view the special permissions on the appropriate tab:
a. Object tab: View special object
permissions assigned to the user or group
b. Properties tab: View user or group read and write access to specific object properties.
Note Avoid
assigning permissions for specific properties of objects, because this can
complicate system administration. Errors can result, such as Active Directory
objects not being visible, thereby preventing users from completing tasks.
4. Using Permissions Inheritance
A. Similar to file and folder permissions
inheritance
B. Minimizes the number of times permissions
need to be assigned for objects
C. When permissions are assigned to a parent object and applied to child objects, they propagate to every child object of that parent.
D. Shaded check boxes indicate which
permissions are inherited.
E. Permissions for a given object can be
propagated to all child objects.
F. Permissions inheritance can be prevented.
G. When copying previously inherited
permissions, the permissions for that object start out exactly the same as
those inherited from the current parent object.
H. Any permissions for the parent object that
are modified after blocking inheritance no longer apply.
I. When previously inherited permissions
are removed, Windows 2000 removes existing permissions and assigns no
additional permissions to the object; permissions must then be assigned for the
object.
5. Preventing Permissions Inheritance
A. Overview
1. Permissions inheritance can be prevented
so that a child object does not inherit permissions from its parent object.
2. Clearing the Allow Inheritable
Permissions From Parent To Propagate To This Object check box, located on the
Security tab in the Properties dialog box, prevents permissions inheritance.
3. Only the permissions that are explicitly
assigned to the object apply.
B. Actions allowed by Windows 2000 when
permissions inheritance is prevented
1. Copy previously inherited permissions to
the object.
a. The new explicit permissions for the
object are a copy of the permissions that it previously inherited from its
parent object.
b. Any changes can be made to the
permissions, as needed.
2. Remove previously inherited permissions
from the object.
a. Windows 2000 removes any previously
inherited permissions.
b. No permissions exist for the object.
c. Any permissions can be assigned for the
object, as needed.
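To see how the rules in sections 2 through 5 combine (effective permissions of a user plus the user's groups, Deny precedence, inherited versus explicit entries, and the Copy/Remove choice when inheritance is blocked), here is an added Python model of how Windows 2000 evaluates an object's DACL. It is example code written for this page, not Microsoft's implementation; the rights bits, SIDs, and object names are constructed, and the standard permissions are reduced to a handful of flags.

```python
# Added example for this page, not Microsoft code: a model of how a Windows
# 2000 DACL on an Active Directory object is evaluated, with inheritance
# from the parent container, Deny precedence, and the Copy / Remove choice
# when inheritance is blocked. SIDs, rights bits and names are constructed.
from dataclasses import dataclass, field
from enum import IntFlag
from typing import List, Optional, Set

class Right(IntFlag):
    READ_PROP = 0x01
    WRITE_PROP = 0x02
    CREATE_CHILD = 0x04    # Create All Child Objects
    DELETE_CHILD = 0x08    # Delete All Child Objects
    READ_CONTROL = 0x10    # view permissions
    WRITE_DAC = 0x20       # change permissions
    WRITE_OWNER = 0x40     # take ownership
    STD_READ = 0x11        # standard "Read": attributes plus permissions
    STD_WRITE = 0x02       # standard "Write"
    FULL_CONTROL = 0x7F

@dataclass
class Ace:
    sid: str
    rights: Right
    allow: bool
    inherited: bool = False

@dataclass
class DirObject:
    name: str
    owner: str
    aces: List[Ace] = field(default_factory=list)   # explicit entries only
    parent: Optional["DirObject"] = None
    inherit_from_parent: bool = True   # the "Allow Inheritable Permissions..." box

def _deny_first(aces: List[Ace]) -> List[Ace]:
    return [a for a in aces if not a.allow] + [a for a in aces if a.allow]

def effective_dacl(obj: DirObject) -> List[Ace]:
    """Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited
    Allow. Explicit entries come first, so an Allow set on the object itself
    beats a Deny inherited from the parent."""
    dacl = _deny_first(obj.aces)
    if obj.inherit_from_parent and obj.parent is not None:
        dacl += _deny_first([Ace(a.sid, a.rights, a.allow, inherited=True)
                             for a in effective_dacl(obj.parent)])
    return dacl

def access_check(obj: DirObject, token_sids: Set[str], requested: Right) -> bool:
    """Walk the DACL until every requested bit is granted or a matching Deny
    covers a bit still outstanding. An empty DACL grants nothing, but the owner
    can always view and change permissions (how an orphaned object is recovered)."""
    remaining = int(requested)
    if obj.owner in token_sids:
        remaining &= ~int(Right.READ_CONTROL | Right.WRITE_DAC)
    for ace in effective_dacl(obj):
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if int(ace.rights) & remaining:
                return False           # first matching Deny wins
        else:
            remaining &= ~int(ace.rights)
    return remaining == 0

def block_inheritance(obj: DirObject, copy: bool) -> None:
    """Clear 'Allow Inheritable Permissions From Parent To Propagate To This
    Object'. copy=True is Copy (inherited entries become explicit ones);
    copy=False is Remove (the object is left with no permissions at all)."""
    if copy:
        obj.aces += [Ace(a.sid, a.rights, a.allow) for a in effective_dacl(obj) if a.inherited]
    obj.inherit_from_parent = False

def demo() -> dict:
    """Constructed tree: Domain Admins have Full Control at the domain, HelpDesk
    can Read, OU=Sales carries an explicit Deny Write on Temps; Alice is in both."""
    admins, helpdesk, temps = "S-ADMINS", "S-HELPDESK", "S-TEMPS"
    domain = DirObject("DC=example,DC=test", owner=admins, aces=[
        Ace(admins, Right.FULL_CONTROL, allow=True),
        Ace(helpdesk, Right.STD_READ, allow=True)])
    sales = DirObject("OU=Sales", owner=admins, parent=domain,
                      aces=[Ace(temps, Right.STD_WRITE, allow=False)])
    alice = DirObject("CN=Alice", owner=admins, parent=sales)
    token = {"S-ALICE", helpdesk, temps}
    out = {"read_via_inherited_allow": access_check(alice, token, Right.STD_READ),
           "write_blocked_by_inherited_deny": access_check(alice, token, Right.STD_WRITE)}
    alice.aces.append(Ace(temps, Right.STD_WRITE, allow=True))   # explicit Allow on Alice
    out["explicit_allow_beats_inherited_deny"] = access_check(alice, token, Right.STD_WRITE)
    alice.aces.clear()
    block_inheritance(alice, copy=True)
    out["copy_keeps_read"] = access_check(alice, token, Right.STD_READ)
    out["copy_keeps_deny"] = access_check(alice, token, Right.STD_WRITE)
    bob = DirObject("CN=Bob", owner=admins, parent=sales)
    block_inheritance(bob, copy=False)
    out["remove_leaves_no_access"] = access_check(bob, token, Right.STD_READ)
    out["owner_can_still_set_permissions"] = access_check(bob, {admins}, Right.WRITE_DAC)
    return out
```

Run `demo()` to see each rule fire in turn. The explicit-Allow case is the one to remember when auditing: a Deny placed on an OU does not bind an object on which someone has since granted the same permission directly, which is one more reason to keep Deny entries rare and to track delegated assignments.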
Chapter 11, Lesson 3
Publishing Resources in Active Directory
1. Overview
A. Administrators need to be able to provide
secure and selective publication of network resources to network users and make
it easy for users to find information.
B. The directory stores this information for
rapid retrieval and integrates Windows 2000 security mechanisms to control
access.
2. Resources
A. Computers
B. Printers
C. Folders
D. Files
E. Network services
3. Users and Computers
A. User and computer accounts are added to
the directory using the Active Directory Users and Computers console.
B. Information about the accounts that is
useful for other network users is published automatically.
C. Information, such as account security
information, is made available only to certain administrator groups.
4. Shared Resources
A. Overview
1. Publishing information about shared
resources, such as printers, folders, and files, makes it easy for users to
find these resources on the network.
2. Windows 2000 network printers are
automatically published in the directory when installed.
3. Information about Windows NT printers and
shared folders can be published in the directory using the Active Directory
Users and Computers console.
B. To publish a shared folder
1. Click Start, point to Programs, point to
Administrative Tools, and then click Active Directory Users And Computers
2. In the console tree, double-click the domain
node
3. Right-click the container in which to add
the shared folder, point to New, and click Shared Folder
4. In the New Object-Shared Folder dialog
box, type the name of the folder in the Name box
5. In the Network Path box, type the UNC
name (\\server\share\) that is to be published in the directory, and then click OK
6. The shared folder appears in the
directory in the container selected.
C. To publish a Windows NT printer
Note The
Windows NT printer must be installed before publishing in Active Directory. To
install a Windows NT printer, click Start, point to Settings, and then click
Printers.
1. Click Start, point to Programs, point to
Administrative Tools, and then click Active Directory Users And Computers
2. In the console tree, double-click the
domain node
3. In the console tree, right-click the
container in which to publish the printer, point to New, and then click Printer
4. In the New Object-Printer dialog box,
type the UNC name to publish in the directory in the Network Path Of The
Pre–Windows 2000 Print Share box, and then click OK
5. The Windows NT printer appears in the
directory in the folder selected.
5. Network Services
A. Overview
1. Network-enabled services can be published
in the directory so that administrators can find and administer them using the
Active Directory Sites and Services console.
2. A service, rather than computers or
servers, should be published.
3. Publishing a service allows
administrators to focus on managing the service regardless of which computer is
providing the service or where the computer is located.
4. Additional services or applications can
be published in the directory using Active Directory programming interfaces.
5. The qualities that make a service
appropriate for publishing may be better understood by understanding how Active
Directory uses services.
B. Categories of service information
1. Binding information
a. Allows clients to connect to services that
do not have well-known bindings and that conform to a service-centric model
b. Publishing the bindings for these kinds of
services enables Windows 2000 to automatically establish connections with
services.
c. Machine-centric services are typically
handled on a service-by-service basis and should not be published to the directory.
2. Configuration information
a. Can be common across client applications
b. Publishing configuration information
allows the distribution of current configuration information for these
applications to all clients in the domain.
c. Accessed by client applications as
needed, which eases application configuration for users and gives more control
over application behaviors
C. Characteristics of service information
1. Useful to many clients
a. Information that is useful only to a small
set of clients or only in certain areas of the network should not be published.
b. Information that is not widely used wastes
network resources.
c. Service information is published to every
domain controller in the domain.
2. Relatively stable and unchanging
a. Only service information that changes less
frequently than two replication intervals should be published.
b. For intra-site replication, the maximum
replication period is 15 minutes.
c. For inter-site replication, the maximum
replication period is configured based on the replication interval of the site
link used for the replication.
d. Object properties that change more
frequently create excessive demands on network resources.
e. Property values may be out of date until
updates are published, which can take as long as the maximum replication
period.
f. Having properties out of date until
updates are published must not create unacceptable conditions.
3. Well-defined, reasonable properties
a. Information that is of a consistent form
is easier for services to use.
b. The information should be relatively small
in size.
D. Example of service publication
1. Use Active Directory Sites and Services
to publish service information.
2. To set security permissions and delegate
control of certificate templates
a. Log on to the system as Administrator
b. Click Start, point to Programs, point to
Administrative Tools, and then click Active Directory Sites And Services
c. In the console tree, click Active
Directory Sites And Services
d. On the View menu, click Show Services Node
e. In the console tree, click Active
Directory Sites And Services, click Services, click Public Key Services, and
click Certificate Templates
f. For each certificate template for which
security permissions are to be set, double-click the certificate template in
the details pane to open properties
g. On the Properties dialog box for the
certificate template, click the Security tab and set the security permissions
accordingly
h. Click OK
i. These changes apply only to certificate templates
in the current domain.
Chapter 11, Lesson 4
Moving Active Directory Objects
1. Moving Objects
A. In the logical environment, objects can be
moved within and between domains in Active Directory.
B. In the physical environment, domain controllers
can be moved between sites.
2. Moving Objects Within a Domain
A. Overview
1. Objects with identical security
requirements should be moved into an OU or a container within a domain.
2. Permissions should be assigned to the OU
or container and all objects in it.
B. To move objects within a domain
1. In Active Directory Users and Computers,
select the object to move, and then, from the Action menu, click Move
2. In the Move dialog box, select the OU or
container to which you want the object to move, and then click OK
C. Moving objects between OUs or containers
1. Permissions assigned directly to objects
remain the same.
2. Objects inherit permissions from the new
OU or container.
3. Previously inherited permissions from the
old OU or container no longer affect the objects.
4. Multiple objects can be moved at the same time.
Note To
simplify the assignment of permissions for printers, move printers on different
print servers that require identical permissions to the same OU or container.
Printers are located in the Computer object for the printer server. To view a
printer, click View, and then click Users, Groups, And Computers As Containers.
3. Moving Objects Between Domains
A. Overview
1. Moving objects between domains supports
domain consolidation or organizational restructuring operations.
2. Moving an object involves taking an
existing object and moving it below an existing parent.
3. The distinguished name of the moved
object reflects its new position in the hierarchy.
4. An object’s GUID is unchanged by a move
or rename.
5. As users and groups are migrated from one
domain to another, they are given a new SID.
6. Windows 2000 supports SIDHistory.
a. SIDHistory is a security attribute
available only in Windows 2000 native mode.
b. SIDHistory is used to preserve the
security credentials of an account when it is moved from one domain to another.
c. The old SID is added to the SIDHistory
attributes for the new object, which reduces the administrative overhead of resetting
ACLs and ownership of resources.
d. Any SIDs present in an account's sIDHistory attribute are added to that account's access token at logon.
e. The account therefore keeps the permissions and ownership it previously held on resources whose ACLs still reference the old SID.
7. MOVETREE command-line utility
a. Used to move Active Directory objects
between domains in a single forest
b. Available in Windows 2000 Support Tools,
located in the \SUPPORT\TOOLS folder
c. Allows an OU to be moved to another
domain, keeping all the linked group policy objects (GPOs) in the old domain intact
d. Moves the GPO link, which continues to
work, although clients receive their group policy settings from the GPOs
located in the old domain
B. Supported MOVETREE operations
1. Move an object or a nonempty container to
a different domain; valid only within the same forest
2. Move Domain Local and Global groups
between domains without members and within domains with members; valid only
within the same forest
3. Move Universal groups with members within
and between domains; valid only within the same forest
C. Unsupported MOVETREE operations
1. Overview
a. Some objects and information are not
moved.
b. Objects that are not moved are classified
as orphaned objects and are placed in an “orphan” container in the LostAndFound
container in the source domain.
(1) The LostAndFound container is visible in
the Active Directory Users and Computers console in Advanced View.
(2) The orphan container is named using the
GUID of the parent container being moved and contains the objects that were
selected for the MOVETREE operation.
2. Objects and information that can’t be
moved with the MOVETREE utility
a. Group membership
(1) Domain Local and Global groups that contain members are not moved.
(2) Universal group memberships remain intact, so security is not compromised.
b. Domain join information for computer objects
(1) MOVETREE can move a computer object from one domain to another, along with its subordinate objects, but it does not change the domain that the computer itself is joined to.
(2) Use NETDOM (section 4 of this lesson) to change a workstation's or member server's domain membership.
c. Associated object data
(1) Includes group policies, user profiles,
logon scripts, users’ personal data, encrypted files, smart cards, and public
key certificates
(2) Group policies need to be applied to the
users, groups, or computers.
(3) New smart cards and certificates need to be
issued from the Certificate Authority in the new domain.
(4) Applying group policies and issuing new
smart cards and certificates can be performed by using additional scripts or
management tools, such as the Remote Administration Scripts, in conjunction
with MOVETREE.
d. Objects
(1) System objects: Identified by the
objectClass being marked as systemOnly
(2) Objects in the configuration or schema
naming contexts
(3) Objects in the special containers in the
domain; Builtin, ForeignSecurityPrincipals, System, and LostAndFound containers
(4) Any object with the same name as an object
that already exists in the target domain
3. Error conditions that may cause MOVETREE
failures
a. The source domain controller cannot
transfer the relative identifier master role owner.
b. The source object is locked due to another
operation in progress.
c. Either the source or destination domain
has invalid credentials.
d. The destination knows the source object is
deleted, but the source does not know.
e. A failure at the destination domain
controller
f. The source and destination have a schema
mismatch.
D. Moving users
1. Moving users between domains is
supported.
2. Several restrictions apply that will
cause the move operation to fail.
a. The user object contains one or more
objects; the user object must be a leaf object.
b. A SAM constraint is met; constraints
include when the user’s samAccountName already exists in the destination
domain, or when the user’s password length does not meet the password
restrictions in the target domain.
c. The user object belongs to a Global group from the source domain; the user object's membership is voided because a Global group can only have members from the same domain.
Note If
the user object belongs to the Domain Users group (without belonging to any
other Global groups), and the Domain Users group is this user object’s Primary
group, then the move operation succeeds.
E. Moving groups
1. Moving groups between domains is
supported.
2. Several restrictions apply that will
cause the move operation to fail:
a. The group object contains any object.
b. The group object’s membership and reverse
memberships do not fulfill the requirements of its type.
c. The group’s samAccountName exists on the
destination domain.
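The following Python is an added example written for this page, not part of MOVETREE or the training kit. It models the user-move restrictions listed under "Moving users" as a precheck that yields MOVETREE.CHK-style lines, and shows what a successful move does to the account's SID and sIDHistory (section 3.A.6 above). Domain SIDs, account names, password lengths and the share ACL are constructed sample data; of the "Moving groups" restrictions only Global group membership is modelled.

```python
# Added example for this page, not MOVETREE code: the per-user checks that
# make a cross-domain user move fail, and the SID / sIDHistory effect of a
# move that passes them. All SIDs, names and password lengths are constructed.
from dataclasses import dataclass, field
from typing import List, Set

@dataclass
class Domain:
    name: str
    sid: str                        # domain SID prefix (constructed)
    min_password_length: int
    native_mode: bool               # sIDHistory exists only in native mode
    sam_names: Set[str] = field(default_factory=set)   # sAMAccountNames in use
    next_rid: int = 1100

@dataclass
class Group:
    sam_name: str
    scope: str                      # "global", "domain local" or "universal"
    domain: str
    members: Set[str] = field(default_factory=set)

@dataclass
class User:
    sam_name: str
    domain: str
    object_sid: str
    password_length: int
    primary_group: str = "Domain Users"
    sid_history: List[str] = field(default_factory=list)
    child_count: int = 0            # a user must be a leaf object to move

def precheck_user_move(user: User, src: Domain, dst: Domain, groups: List[Group]) -> List[str]:
    """The 'Moving users' failure conditions, one MOVETREE.CHK-style line each."""
    errors = []
    if user.child_count:
        errors.append("%s: user object is not a leaf object" % user.sam_name)
    if user.sam_name in dst.sam_names:
        errors.append("%s: sAMAccountName already exists in %s" % (user.sam_name, dst.name))
    if user.password_length < dst.min_password_length:
        errors.append("%s: password shorter than %d characters required by %s"
                      % (user.sam_name, dst.min_password_length, dst.name))
    for g in groups:
        if g.scope != "global" or g.domain != src.name or user.sam_name not in g.members:
            continue
        if g.sam_name == "Domain Users" and user.primary_group == "Domain Users":
            continue   # Domain Users as the primary group is the allowed exception
        errors.append("%s: member of global group %s in source domain %s"
                      % (user.sam_name, g.sam_name, src.name))
    return errors

def move_user(user: User, src: Domain, dst: Domain, groups: List[Group]) -> List[str]:
    """Run the precheck; on success issue a new SID in the destination domain and,
    in native mode, keep the old SID in sIDHistory. Returns the precheck errors."""
    errors = precheck_user_move(user, src, dst, groups)
    if errors:
        return errors
    old_sid = user.object_sid
    user.object_sid = "%s-%d" % (dst.sid, dst.next_rid)
    dst.next_rid += 1
    if dst.native_mode:
        user.sid_history.append(old_sid)
    user.domain = dst.name
    src.sam_names.discard(user.sam_name)
    dst.sam_names.add(user.sam_name)
    for g in groups:                # Domain Users membership follows the account
        if g.sam_name == "Domain Users":
            if g.domain == dst.name:
                g.members.add(user.sam_name)
            else:
                g.members.discard(user.sam_name)
    return []

def token_sids(user: User) -> Set[str]:
    """SIDs placed in the access token: the current SID plus every sIDHistory entry."""
    return {user.object_sid, *user.sid_history}

def demo() -> dict:
    src = Domain("OLD", "S-1-5-21-111-222-333", 6, native_mode=True)
    dst = Domain("NEW", "S-1-5-21-444-555-666", 8, native_mode=True)
    groups = [Group("Domain Users", "global", "OLD", {"alice", "bob", "carol", "dave"}),
              Group("Domain Users", "global", "NEW"),
              Group("Sales-GG", "global", "OLD", {"bob"})]
    alice = User("alice", "OLD", src.sid + "-1001", 12)
    bob = User("bob", "OLD", src.sid + "-1002", 12)      # extra global group
    carol = User("carol", "OLD", src.sid + "-1003", 6)   # password too short for NEW
    dave = User("dave", "OLD", src.sid + "-1004", 12)    # name clash in NEW
    src.sam_names.update(u.sam_name for u in (alice, bob, carol, dave))
    dst.sam_names.add("dave")
    share_acl = {alice.object_sid}    # resource ACL stamped with Alice's old SID
    out = {u.sam_name: move_user(u, src, dst, groups) for u in (alice, bob, carol, dave)}
    out["alice_new_sid"] = alice.object_sid
    out["alice_sid_history"] = list(alice.sid_history)
    out["alice_keeps_share_access"] = bool(token_sids(alice) & share_acl)
    return out
```

Because every SID in sIDHistory goes into the token, the attribute is a standing grant of the old identity's access: whoever can write it can inherit the permissions of any old SID, so it should remain writable only by domain administrators and be cleared once resource ACLs have been re-stamped with the new SIDs.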
F. Moving objects between domains using MOVETREE
1. Overview
a. The necessary privileges must exist to
perform this operation.
b. MOVETREE can be used from the command line
and can be called from a batch file to script user and group creation.
2. Moving objects between domains using MOVETREE
a. movetree {/start | /startnocheck | /continue | /check} /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain\]Username /p Password] [/verbose] [{/? | /help}]
(1) /start: Initiates a MOVETREE operation; includes a /check operation by default (/startnocheck initiates the operation without the preliminary check)
(2) /continue: Continues the execution of a
previously paused or failed MOVETREE operation
(3) /check: Performs a test run of the MOVETREE
operation, checking the whole tree without moving any objects
(4) /s SrcDSA:
The source server’s fully qualified primary DNS name
(5) /d DstDSA:
The destination server’s fully qualified primary DNS name
(6) /sdn SrcDN:
The distinguished name of the leaf, container, or subtree that is to be moved
from the source domain
(7) /ddn DstDN:
The distinguished name of the leaf, container, or subtree that is being moved
to the destination location
(8) /u [Domain\]Username /p Password: Runs MOVETREE under the credentials of a valid username
and password; a domain can be specified as well
(9) /verbose: Displays more details about the
operation as it runs
(10) /? or /help: Displays syntax information
G. MOVETREE log files
1. Overview
a. Created after the MOVETREE operation
b. Located in the directory where the
MOVETREE operation was performed
2. Log files
a. MOVETREE.ERR: Lists any errors encountered
during the MOVETREE operation
b. MOVETREE.LOG: Lists statistical results of
the MOVETREE operation
c. MOVETREE.CHK: Lists any potential errors
or conflicts detected during the move operation’s precheck phase
4. Moving Workstations or Member Servers Between Domains
A. Overview
1. Moving a workstation or member server
from one domain to another can be performed with NETDOM, the Windows 2000
Domain Manager support tool.
2. NETDOM is available in the Windows 2000
Support Tools included on the Windows 2000 CD-ROM in the \SUPPORT\TOOLS folder.
B. Moving a workstation or member server
1. netdom move machine /D:domain [/OU:ou_path] [/Ud:User /Pd:{Password|*}] [/Uo:User /Po:{Password|*}] [/Reboot:[time_in_seconds]]
(1) machine /D:domain: The name of the workstation or member server to move, and the domain that it should belong to after the operation is completed
(2) /OU:ou_path: Name of a destination OU in /D:domain
(3) /Ud:User: User account used to make the connection with the domain specified by the /D argument; if this option is not specified, the current user account is used
(4) /Pd:{Password|*}: Password of the user account specified with /Ud; if *, the password is prompted for
(5) /Uo:User: User account used to make the
connection with the object on which the action is to be performed; if this
option is not specified, the current user account is used
(6) /Po:{Password|*}
: Password of the user account specified with /Uo; if *, then the password is
prompted for
(7) /Reboot:[time_in_seconds]: Specifies that
the computer being moved should be shut down and automatically rebooted after
the operation has completed; default is 20 seconds
5. Moving Domain Controllers Between Sites
A. Overview
1. A domain controller can be installed into
a site that has existing domain controllers, except the first domain controller
installed, which automatically creates the Default-First-Site-Name site.
2. A first domain controller cannot be
created in any site but Default-First-Site-Name, but a domain controller can be
created in a site that has a previously existing domain controller and then
moved to another site.
3. After the first domain controller has
been installed, creating Default-First-Site-Name, other domain controllers can
be created in this site and then moved to alternative sites.
4. The preceding procedure may also be used
to move member servers between sites.
B. To move a domain controller between sites
1. In Active Directory Sites and Services,
select the domain controller that is to be moved and then click Move on the
Action menu
2. In the Move Server dialog box, select the
site to which the domain controller is to be moved
Chapter 11, Lesson 5
Delegating Administrative Control of Active Directory Objects
1. Guidelines for Delegating Control
A. Overview
1. Administrative control of objects is
delegated by assigning permissions to the object, allowing users or groups of
users to administer the objects.
2. Tracking permissions at the OU or container level is easier than tracking permissions on individual objects or object attributes.
3. The most common method of delegating
administrative control is to assign permission at the OU or container level.
4. Assigning permissions at the OU or
container level allows the delegation of administrative control for the objects
that are contained in the OU or container.
5. The Delegation Of Control Wizard is used
to assign permissions at the OU or container level.
B. Types of control to delegate
1. Permissions to change properties on a
particular container
2. Permissions to create, modify, or delete
objects of a specific type in a specific OU or container
3. Permissions to modify specific properties
on objects of a specific type in a specific OU or container
C. Ways to delegate administrative control
1. Assign control at the OU or container
level whenever possible
a. Allows for easier tracking of permission
assignments
b. Tracking permission assignments becomes
more complex for objects and object attributes.
2. Use the Delegation Of Control Wizard
a. Assigns permissions only at the OU or
container level
b. Simplifies the process of assigning object
permissions by stepping through the process
3. Track the delegation of permission
assignments
a. Allows records maintenance, making review
of security settings easy
4. Follow business requirements
a. Follow any guidelines the organization has
in place for delegating control.
2. Delegation Of Control Wizard
A. Overview
1. The wizard steps through the process of assigning
permissions at the OU or container level.
2. Specialized permissions must be manually
assigned.
3. The wizard is started by clicking the OU
or container for which to delegate control and then clicking Delegate Control
on the Action menu.
B. Delegation Of Control Wizard options
1. Users Or Groups: Select the user accounts
or groups to which to delegate control
2. Tasks To Delegate: Select common tasks
from a list or create custom tasks to delegate
3. Active Directory Object Type: Select the
scope of the tasks to delegate
4. Permissions: Select one of the following
permissions to delegate:
a. General: The most commonly assigned
permissions available for the object
b. Property-Specific: Permissions that can be
assigned to the attributes of the object
c. Creation/Deletion Of Specific Child
Objects: Permissions to create and delete child objects
3. Guidelines for Administering Active Directory
A. In larger organizations, coordinate Active
Directory structure with other administrators; moving objects later will create
extra work.
B. When creating Active Directory objects such as user accounts, complete all attributes that are important to the organization; this provides flexibility when searching for objects.
C. Use deny permissions sparingly.
D. Always ensure that at least one user has
Full Control for each Active Directory object; failure to do so might result in
objects being inaccessible.
E. Ensure that delegated users take
responsibility and can be held accountable.
F. Provide training for users who have
control of objects.
Chapter 11, Lesson 6
Backing Up Active Directory
1. Performing Preliminary Tasks
A. Overview
1. An important part of backing up Active
Directory is performing the preliminary tasks.
2. The files to be backed up must be closed.
3. Users must be instructed to close files
before the backup begins.
4. Applications using the system or users
who cannot be notified will have their sessions terminated when backup begins.
5. Windows Backup does not back up files
that are locked by applications.
6. E-mail or the Send Console Message dialog
box can be used to send administrative messages to users.
B. Preliminary tasks for the removable media device
1. The backup device must be attached to a
computer on the network and turned on; the tape device must be attached to the
computer on which Windows Backup is to run.
2. The media device must be listed on the
Windows 2000 Hardware Compatibility List (HCL).
3. The media must be loaded in the media
device.
2. The Backup Wizard
A. To start the Backup Wizard
1. Log on to the domain as Administrator,
point to Start, point to Programs, point to Accessories, point to System Tools,
and then select Backup
2. Select Backup Wizard on the Welcome To
The Windows 2000 Backup And Recovery Tools page
3. Click Next to begin using the Backup
Wizard
4. Proceed through the What To Back Up, Where To Store The Backup, and Advanced Backup Settings pages as needed
5. On the Completing The Backup Wizard page,
click Finish
3. What to Back Up
A. Only System State data should be backed up.
B. System State data comprises the registry, the COM+ Class Registration database, system boot files, and the Certificate Services database.
C. If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.
D. All of the System State data relevant to the computer is backed up; individual components of the System State data cannot be chosen for backup.
E. The System State data should be backed up on a local computer only; it cannot be backed up on a remote computer.
4. Where to Store the Backup
A. Backup media options
1. Backup Media Type
a. Tape or file
b. A file can be located on any disk-based
medium, including a hard disk, shared folder, or removable disk.
2. Backup Media Or File Name
a. Location where Windows Backup will store
the data
b. For a tape, enter the tape name.
c. For a file, enter the path for the backup
file.
B. Backup Wizard options
1. Start the backup: If Finish is clicked,
the Backup Wizard displays status information about the backup job in the
Backup Progress dialog box.
2. Specify advanced backup options: If Advanced is clicked, the wizard offers advanced backup settings.
Note A
backup log is a text file that records backup operations. It is stored on the
hard disk of the computer on which Windows Backup is running.
5. Specifying Advanced Backup Settings
A. Advanced backup settings pages
1. Type Of Backup
a. Select The Type Of Backup Operation To
Perform option
(1) Choose the backup type used for this backup
job: Normal,
Copy, Incremental, Differential, or Daily
b. Backup Migrated Remote Storage Data option
(1) If checked, backs up data that Hierarchical
Storage Manager (HSM) has moved to remote storage
2. How To Back Up
a. Verify Data After Backup option
(1) Confirms that files are correctly backed up
(2) If checked, compares the backup data and the source data to verify that they are the same
Note Microsoft
recommends that you select Verify Data After Backup.
b. Use Hardware Compression, If Available
option
(1) If checked, enables hardware compression
for tape devices that support it
(2) If the tape device does not support
hardware compression, this check box is unavailable.
3. Media Options
a. If The Archive Media Already Contains
Backups option
(1) Options that specify whether to append or
replace the existing backup on the backup media
(2) Choose Append This Backup To Media to store
multiple backup jobs on a storage device
(3) Choose Replace The Data On The Media With
This Backup if only the most recent backup data needs to be saved, and not
previous backup jobs
b. Allow Only The Owner And The Administrator
Access To The Backup Data And To Any Backups Appended To This Media option
(1) Allows restriction of who can gain access
to the completed backup file or tape
(2) Available only if replacing an existing
backup on a backup medium, rather than appending to the backup medium
(3) If backing up Active Directory, click this
option to prevent others from getting copies of the backup data.
4. Backup Label
a. Backup Label option
(1) The name and description can be specified
for the backup job.
(2) The name and description appear in the backup
log.
(3) The default set is Set Created Date At Time.
(4) The name and description can be changed to
a more intuitive name.
b. Media Label option
(1) Allows the name of the backup medium to be
specified
(2) The default name is Media Created Date At Time.
(3) The first time that a new medium is backed
up or an existing backup job is overwritten, the medium name, such as Active
Directory, can be specified.
5. When To Back Up
a. When To Back Up options
(1) Options that allow Now or Later to be specified
(2) If Later is chosen, the job name and start
date must be specified.
(3) The backup schedule can also be set.
b. Job Name option
(1) Allows the backup job name to be specified
c. Start Date option
(1) Allows the backup start date to be set
d. Set Schedule option
(1) Allows the backup schedule to be set
B. The Backup Wizard provides the opportunity to do either of the following:
1. Finish the backup process
a. The Backup Wizard displays the Completing
The Backup Wizard settings and then presents the option to finish and
immediately start the backup.
b. During backup, the wizard displays status information about the backup job.
2. Back up later
a. Additional dialog boxes are shown to schedule the backup process to occur later.
6. Scheduling Active Directory Backup Jobs
A. Overview
1. An unattended backup job can occur later,
when users are not at work and files are closed.
2. Active Directory backup jobs should be
scheduled to occur at regular intervals.
3. Windows 2000 integrates Windows Backup
with the Task Scheduler service.
B. To schedule a backup
1. Click Later on the When To Back Up page
of the Backup Wizard
a. The Task Scheduler service presents the Set Account Information dialog box, prompting for the password.
b. The user account must have the appropriate user rights and permissions to perform backup jobs.
Note If
the Task Scheduler service is not running or not set to start automatically,
Windows 2000 displays a dialog box prompting to start the service. Click OK and
the Set Account Information dialog box appears.
2. Enter the password in the Password box
and Confirm Password box, and then click OK
a. The When To Back Up page appears.
b. Provide a name for the backup job; by
default, the wizard displays the present date and time for the start date.
3. Type the appropriate name in the Job Name
box
4. Click Set Schedule to set a different
start date and time; this causes Task Scheduler to display the Schedule Job
dialog box
a. Set the date, time, and number of occurrences
for the backup job to repeat.
b. Display all the scheduled tasks for the
computer by selecting the Show Multiple Schedules check box.
c. Displaying the tasks helps to prevent
scheduling multiple tasks on the same computer at the same time.
5. Click the Advanced button to schedule how
long the backup can last and for how many days, weeks, months, or years this
schedule is to continue
6. After the backup job is scheduled,
Windows Backup places the backup job on the calendar in the Schedule Jobs tab
in Windows Backup.
7. The backup job automatically starts at
the time that is specified.
Chapter 11, Lesson 7
Restoring Active Directory
1. Preparing to Restore Active Directory
A. As with the backup process, only the System State data that was backed up can be restored, including the registry, the COM+ Class Registration database, system boot files, the SYSVOL directory, Active Directory, and the Certificate Services database.
B. Individual components of the System State data cannot be restored.
C. If the System State data is being restored to a domain controller, whether to perform a nonauthoritative restore or an authoritative restore must be specified.
D. The default method of restoring the System State data to a domain controller is nonauthoritative.
2. Nonauthoritative Restore
A. Any component of the System State that is replicated with another domain controller is brought up to date by replication after the data is restored.
B. The Active Directory replication system
updates the restored data with newer data from other servers.
3. Authoritative Restore
A. If the changes that have been made
subsequent to the last backup operation should not be replicated, an
authoritative restore must be performed.
B. An authoritative restore must be performed
if users, groups, or OUs are inadvertently deleted from Active Directory and
the system needs to restore so that the deleted objects are recovered and
replicated.
C. The NTDSUTIL utility must be run after performing a nonauthoritative restore of the System State data but before the server is restarted.
D. NTDSUTIL allows the objects to be marked
as authoritative.
E. Marking an object as authoritative changes
its update sequence number so that it is higher than any other update sequence
number in the Active Directory replication system.
F. Using NTDSUTIL ensures that replicated or
distributed data that has been restored is properly replicated or distributed
throughout the organization.
G. NTDSUTIL can be found in the systemroot\system32 directory;
accompanying documentation is located within the Windows 2000 Help files.
4. Performing a Nonauthoritative Restore
A. Overview
1. To restore the System State data on a domain controller, the computer first must be started in a special safe mode called Directory Services Restore Mode.
2. The special safe mode allows the SYSVOL directory and Active Directory directory services database to be restored.
3. System State data can be restored only on a local computer, not a remote computer.
Note If the System State data is restored and an alternate location for the restored data is not designated, Backup erases the System State data currently on the computer and replaces it with the System State data being restored. Also, if the System State data is restored to an alternate location, only the registry files, SYSVOL directory files, and system boot files are restored to the alternate location. The Active Directory directory services database, Certificate Services database, and COM+ Class Registration database are not restored if an alternate location is designated.
B. To nonauthoritatively restore Active
Directory
1. Restart the computer
2. During the phase of startup where the
operating system is normally selected, press F8
3. On the Windows 2000 Advanced Options
Menu, select Directory Services Restore Mode and press Enter to ensure that the
domain controller is offline and is not connected to the network
4. At the Please Select The Operating System
To Start prompt, select Microsoft Windows 2000 Server and press Enter
5. Log on as Administrator
Note When
the computer is restarted in Directory Services Restore Mode, log on as an
Administrator by using a valid SAM account name and password, not the Active
Directory administrator’s name and password. This must be done because Active
Directory is offline and account verification cannot occur. Rather, the SAM
accounts database is used to control access to Active Directory while it is
offline. This password was specified when Active Directory was set up.
6. On the Desktop message box that warns
that Windows is running in Safe Mode, click OK
7. Point to Start, point to Programs, point
to Accessories, point to System Tools, and then select Backup
8. On the Welcome To The Windows 2000 Backup
and Recovery Tools page, select Restore Wizard
9. Click Next to begin using the Restore
Wizard
10. In the Restore Wizard’s What To Restore
page, expand the media type that contains the data to restore or click Import
File; this can be either tape or file media
11. Expand the appropriate media set until the
data to restore is visible; a backup set or specific files and folders can be
restored
12. Select the data to restore and then click
Next
13. Do one of the following:
a. Click Finish to start the restore process.
The Restore Wizard requests verification for the source of the restore media
and then performs the restore. During the restore, the Restore Wizard displays
status information about the restore.
b. Click Advanced to specify advanced restore
options
5. Specifying Advanced Restore Settings
A. Restore Wizard advanced restore options
1. Where To Restore page: Restore Files To
option
a. Choice of a target location for the data
to be restored
(1) Original Location: Replaces corrupted or
lost data
(2) Alternate Location: Restores an older
version of a file to the folder designated
(3) Single Folder: Consolidates the files from
a tree structure into a single folder
2. How To Restore page: When Restoring Files
That Already Exist option
a. Choice of whether or not to overwrite
existing files
(1) Do Not Replace The File On My Disk:
Prevents accidental overwriting of existing data; this is the default
(2) Replace The File On Disk Only If It Is
Older Than The Backup Copy: Verifies that the most recent copy exists on the
computer
(3) Always Replace The File On Disk: Windows
Backup does not provide a confirmation message if it encounters a duplicate
file name during the restore operation.
3. Advanced Restore Options page: Select The
Special Restore Options You Want To Use option
a. Choice of whether or not to restore
security or special system files
(1) Restore Security: Applies the original permissions to files that are being restored to a Windows NTFS volume; security settings include access permissions, audit entries, and ownership; only available if backing up from and restoring to an NTFS volume
(2) Restore Removable Storage Database:
Restores the configuration database for removable storage management (RSM)
devices and the media pool settings; located in systemroot\system32\Ntmsdata
(3) Restore Junction Points, Not The Folders
And File Data They Reference: Restores junction points on the hard disk, as
well as the data to which the junction points refer
B. Windows Backup functions after completion
of the Restore Wizard
1. Prompts for verification of the selection
of the source media to use to restore data; after verification, Windows Backup
starts the restore process
2. Displays status information about the restore
process
6. Performing an Authoritative Restore
A. Overview
1. Authoritative restore operation
a. An authoritative restore occurs after a
nonauthoritative restore and designates the entire directory, a subtree, or
individual objects to be recognized as authoritative with respect to replica
domain controllers in the forest.
b. The NTDSUTIL utility allows objects to be
marked as authoritative so that they are propagated through replication,
thereby updating existing copies of those objects throughout the forest.
2. After the authoritative restore
operation:
a. Normal replication brings the restored
domain controller up to date with any changes from the additional domain
controllers that were not overridden by the authoritative restore.
b. Replication also propagates the
authoritatively restored object(s) to other domain controllers in the forest.
c. The deleted objects that were marked as
authoritative are replicated from the restored domain controller to the
additional domain controllers.
d. Because the restored objects have the same
object GUID and object SID, security remains intact and object dependencies are
maintained.
B. To authoritatively restore Active
Directory
1. Perform a nonauthoritative restore as
described previously
2. Restart the computer
3. During the phase of startup where the
operating system is normally selected, press F8
4. On the Windows 2000 Advanced Startup Options Menu, select Directory Services Restore Mode and press Enter; this ensures that the domain controller is offline and is not connected to the network
5. Select Windows 2000 Server
6. Log on as Administrator
7. On the Desktop message box that warns
that Windows is running in Safe Mode, click OK
8. Point to Start, point to Programs, point
to Accessories, and then select Command Prompt
9. At the command prompt, type ntdsutil and press Enter
10. At the NTDSUTIL prompt, type authoritative restore and press Enter
11. At the authoritative restore prompt:
a. To authoritatively restore the entire
directory, type restore database and
press Enter.
b. To authoritatively restore a portion or subtree of the directory, such as an OU, type restore subtree <subtree distinguished name>, where the argument is the OU’s distinguished name, and press Enter.
c. To authoritatively restore the entire
directory and override the version increase, type restore database verinc <version increase> and press
Enter.
d. To authoritatively restore a subtree of
the directory and override the version increase, type restore subtree <subtree
distinguished name> verinc <version increase> and press
Enter.
Note The
authoritative restore opens the NTDS.DIT, increases version numbers, counts the
records that need updating, verifies the number of records updated, and reports
completion. If a version number increase is not specified, one is automatically
calculated.
12. Type quit and press Enter to exit the NTDSUTIL utility, and then close the Command Prompt window
13. Restart the domain controller in normal
mode and connect the restored domain controller to the network
C. Additional tasks for authoritatively
restoring the entire Active Directory database
1. Overview
a. An additional procedure involving the
SYSVOL directory must be performed to ensure the integrity of the computer’s
group policy.
b. Which additional procedure should be
performed depends on whether the entire Active Directory database or only a
portion is being authoritatively restored.
2. If the entire Active Directory database
is being authoritatively restored, the SYSVOL directory from the alternate
location must be copied over the existing one after the SYSVOL share is
published.
3. If only a portion of the Active Directory
database is being authoritatively restored, only policy folders (identified by
the GUID) corresponding to the restored Policy objects are copied from the
alternate location. After the SYSVOL share is published, they are copied over
the existing ones.
4. Restoring the Active Directory database
or selected objects
a. The SYSVOL and policy data are copied from
the alternate location after the SYSVOL share is published.
b. If the computer is in a replicated domain, it may take several minutes before the SYSVOL share is published, because it needs to synchronize with its replication partners.
c. If all computers in the domain are authoritatively restored and restarted at the same time, each will wait indefinitely to synchronize with the others.
d. One of the domain controllers should be
restored first so that its SYSVOL share can be published, and then the other
computers should be restored nonauthoritatively.
Chapter 11, Lesson 8
Troubleshooting Active Directory
1. Active Directory Troubleshooting Scenarios
A. Symptom: Cannot add or remove a domain
1. Cause: The domain naming master is not available; possibly caused by a network connectivity problem or failure of the computer holding the domain naming master role
2. Solution: Resolve the network
connectivity problem; repair or replace the domain naming master computer; may
be necessary to seize the domain naming master role
B. Symptom: Cannot create objects in Active
Directory
1. Cause: The relative ID master is not
available; may be caused by a network connectivity problem or a failure of the
computer holding the relative ID master role
2. Solution: Resolve the network
connectivity problem or repair or replace the computer holding the relative ID
master role; may be necessary to seize the relative ID master role
C. Symptom: Cannot modify the schema
1. Cause: Schema master is not available;
may be caused by a network connectivity problem or a failure of the computer
holding the schema master role
2. Solution: Resolve the network
connectivity problem or repair or replace the computer holding the schema
master role; may be necessary to seize the schema master role
D. Symptom: Changes to group memberships are
not taking effect
1. Cause: Infrastructure master is not
available; may be caused by a network connectivity problem or a failure of the
computer holding the infrastructure master role
2. Solution: Resolve the network
connectivity problem or repair or replace the computer holding the
infrastructure master role; may be necessary to seize the infrastructure master
role
E. Symptom: Clients without Active Directory
client software installed cannot log on
1. Cause: Primary domain controller emulator
is not available; may be caused by a network connectivity problem or a failure
of the computer holding the primary domain controller emulator role
2. Solution: Resolve the network
connectivity problem or repair or replace the computer holding the primary
domain controller emulator role; may be necessary to seize the primary domain
controller emulator role
F. Symptom: Clients are unable to access
resources in another domain
1. Cause: A failure of the trust between the
domains has occurred
2. Solution: Reset and verify the trust
between the domains; the PDC emulator must be available for a trust to be
successfully reset
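Each symptom above maps to one operations master role, and the first cause listed for each is a connectivity problem with the role holder. As an added example (not part of the course outline), the following PowerShell script looks up the current holder of each role and checks name resolution and LDAP reachability; it assumes the ActiveDirectory and DnsClient modules and Test-NetConnection, none of which existed on Windows 2000.

```powershell
# Added example, not part of the course outline: map each troubleshooting
# symptom above to the operations master role behind it, look up the current
# role holder, and test name resolution and LDAP reachability (the common
# "network connectivity" cause). Assumes the ActiveDirectory and DnsClient
# modules and Test-NetConnection (Windows 8 / Server 2012 or later).
Import-Module ActiveDirectory

function Test-OperationsMasters {
    param(
        # DNS name of the domain to inspect; defaults to the current computer's domain
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    $adDomain = Get-ADDomain -Identity $Domain
    $adForest = Get-ADForest -Identity $adDomain.Forest

    # Symptom-to-role mapping from the scenarios above. Schema and domain naming
    # masters are forest-wide roles; the other three are held per domain.
    $roles = @(
        @{ Role = 'Domain naming master';   Holder = $adForest.DomainNamingMaster
           Symptom = 'Cannot add or remove a domain' }
        @{ Role = 'Schema master';          Holder = $adForest.SchemaMaster
           Symptom = 'Cannot modify the schema' }
        @{ Role = 'Relative ID master';     Holder = $adDomain.RIDMaster
           Symptom = 'Cannot create objects in Active Directory' }
        @{ Role = 'Infrastructure master';  Holder = $adDomain.InfrastructureMaster
           Symptom = 'Group membership changes not taking effect' }
        @{ Role = 'PDC emulator';           Holder = $adDomain.PDCEmulator
           Symptom = 'Down-level clients cannot log on; trusts cannot be reset' }
    )

    foreach ($r in $roles) {
        # Name resolution first, then TCP 389 (LDAP). A failure at either step
        # points at connectivity or the holder itself, not at the directory data.
        $dns = Resolve-DnsName -Name $r.Holder -ErrorAction SilentlyContinue
        $ldapOk = $false
        if ($dns) {
            $ldapOk = (Test-NetConnection -ComputerName $r.Holder -Port 389 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{
            Role          = $r.Role
            Holder        = $r.Holder
            DnsResolves   = [bool]$dns
            LdapReachable = $ldapOk
            SymptomIfDown = $r.Symptom
        }
    }
}

# Unreachable holders need the connectivity problem fixed or the computer
# repaired first; seizing the role with NTDSUTIL is the last resort the
# scenarios mention, and a seized role holder must not be returned to the
# network afterwards without being cleaned up.
Test-OperationsMasters |
    Format-Table Role, Holder, DnsResolves, LdapReachable, SymptomIfDown -AutoSize
```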