Active Directory - Habib


  • 8/8/2019 Active Directory - Habib

    1/58

    Administering Active Directory


    Also Visit http://snetengineer.blogspot.com

    Using Active Directory Administration Tools

    Two main tools are used to administer Active Directory:

    Active Directory administrative consoles

    Active Directory-specific tools in Windows Support Tools

    Active Directory Administrative Consoles

    The Active Directory administrative consoles are installed automatically on computers configured as domain controllers. The administrative consoles can also be installed on other servers or workstations using the Administrative Tools Package (AdminPack). This enables you to administer Active Directory from a computer that is not a domain controller. The installer is available on the Windows Server 2003 CD at \I386\adminpack.msi, and on a Windows Server 2003 installation partition at %systemroot%\system32\adminpack.msi.

    The following administrative consoles are available on the Administrative Tools menu of all Windows Server 2003 domain controllers:

    Active Directory Domains and Trusts console

    Active Directory Sites and Services console

    Active Directory Users and Computers console

    Note The Active Directory Schema snap-in is also present on a computer configured as a domain controller, but it must be registered and added to a console manually (see Active Directory Schema Snap-In below).


    Active Directory Domains and Trusts Console

    Using Active Directory Domains and Trusts, you can:

    Manage domain trusts.

    Change the domain functional level.

    Change the forest functional level.

    Add and remove alternate User Principal Name (UPN) suffixes.

    Transfer the domain naming operations master role from one domain controller to another.

    Domain Functional Levels

    Domain functional levels provide a way to enable domain-wide Active Directory features. Four domain functional levels are available in the Windows Server 2003 family: Windows 2000 mixed (the default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.

    Domain Functional Level          Supported Domain Controllers
    Windows 2000 mixed (default)     Windows NT 4.0, Windows 2000 Server family, Windows Server 2003 family
    Windows 2000 native              Windows 2000 Server family, Windows Server 2003 family
    Windows Server 2003 interim      Windows NT 4.0, Windows Server 2003 family
    Windows Server 2003              Windows Server 2003 family

    Windows Server 2003 Active Directory does not automatically enable advanced features, even if all domain controllers within a domain are running Windows Server 2003. Instead, an administrator raises the domain to a specific functional level to safely enable advanced features.

    Integrating Windows Server 2003 into Existing Domains

    You can initiate an upgrade from Windows 2000 to Windows Server 2003 in one of two ways:

    By upgrading an existing Windows 2000 based domain controller to Windows Server 2003.

    By using the Active Directory Installation Wizard to install Active Directory on a Windows Server 2003 member server.

    To prepare the Windows 2000 domain for the upgrade to Windows Server 2003, you must use the Active Directory Preparation tool (ADPrep.exe). ADPrep.exe prepares the forest and the domain for an Active Directory upgrade by performing a collection of operations prior to installation of the first Windows Server 2003 domain controller. ADPrep.exe is located on the Windows Server 2003 operating system CD. ADPrep.exe copies the files 409.csv and dcpromo.csv from the installation CD to the local computer to prepare the Active Directory forest and domain.

    The ADPrep.exe tool merges your current schema with the new schema information that the tool provides, preserving previous schema modifications in your environment. You must successfully run adprep /forestprep in a forest before you can prepare a domain by using adprep /domainprep. Run adprep /forestprep on the schema operations master; the account used must be a member of the Enterprise Admins and Schema Admins groups. Within each domain in which you plan to install a Windows Server 2003 domain controller, you must successfully run adprep /domainprep (as a member of that domain's Domain Admins) on the infrastructure operations master before you upgrade the first domain controller or join a Windows Server 2003 member server or stand-alone server as an additional domain controller.

    Microsoft recommends that you have at least Service Pack (SP) 2 installed on your Windows 2000 domain controllers before running Adprep; SP2 fixed a critical Active Directory bug that can manifest itself when extending the schema.

    Each time it runs, ADPrep.exe creates a log file that can help you troubleshoot errors. The log file documents each step of the preparation process. Each ADPrep log file is located in a subfolder within the %SystemRoot%\system32\debug\adprep directory, and each subfolder is stamped with the date and time when ADPrep was run.

    When you upgrade a Windows 2000 domain controller to Windows Server 2003, Winnt32.exe verifies that the forest and domain have been prepared. If the forest and the domain in which the new domain controller will be a member have not been prepared, Winnt32.exe fails, the upgrade terminates, and you are notified that you must run ADPrep.exe. You cannot upgrade Windows 2000 domain controllers to Windows Server 2003 before running ADPrep.exe.

    Once you've run both /forestprep and /domainprep and allowed time for the changes to replicate to all domain controllers, you can start upgrading your domain controllers to Windows Server 2003 or installing new Windows Server 2003 domain controllers.
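The following PowerShell script is an added example, not part of the original document, showing the checks an administrator would run around the adprep procedure above: it reads the schema version that /forestprep raises, identifies which domain controllers hold the schema and infrastructure operations master roles (the machines /forestprep and /domainprep must be run on), and lists any ADPrep log folders on the local server. It assumes a domain-joined machine whose PowerShell can use ADSI (System.DirectoryServices); the schema-version-to-release mapping is Microsoft's published one and the log path is the directory named above.

```powershell
# Added example (not from the original document): adprep readiness and
# result checks over ADSI. Assumes a domain-joined machine; any domain
# user can read these values.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaDn = $rootDse.Get("schemaNamingContext")
$domainDn = $rootDse.Get("defaultNamingContext")
$schema   = [ADSI]"LDAP://$schemaDn"

# objectVersion on the schema head is what adprep /forestprep raises.
# Published values: 13 = Windows 2000, 30 = Windows Server 2003,
# 31 = Windows Server 2003 R2, 44 = Windows Server 2008, 47 = 2008 R2.
$schemaVersions = @{ 13 = "Windows 2000"; 30 = "Windows Server 2003"
                     31 = "Windows Server 2003 R2"; 44 = "Windows Server 2008"
                     47 = "Windows Server 2008 R2" }

function Get-SchemaRelease {
    $version = [int]$schema.Get("objectVersion")
    $release = if ($schemaVersions.ContainsKey($version)) { $schemaVersions[$version] } else { "newer than this table" }
    return "$version ($release)"
}

# fSMORoleOwner holds the DN of the role holder's NTDS Settings object,
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... so the server
# name is the second RDN.
function Get-RoleHolder([string]$ntdsSettingsDn) {
    return (($ntdsSettingsDn -split ",")[1] -replace "^CN=", "")
}

$schemaMasterDn = $schema.Get("fSMORoleOwner")
$infraMasterDn  = ([ADSI]"LDAP://CN=Infrastructure,$domainDn").Get("fSMORoleOwner")

"Schema objectVersion      : $(Get-SchemaRelease)"
"Run adprep /forestprep on : $(Get-RoleHolder $schemaMasterDn) (schema master)"
"Run adprep /domainprep on : $(Get-RoleHolder $infraMasterDn) (infrastructure master of $domainDn)"

# adprep writes a date-and-time-stamped subfolder per run under this path
# (the directory named in the text above). List the logs if any exist here.
$logRoot = Join-Path $env:SystemRoot "system32\debug\adprep"
if (Test-Path $logRoot) {
    Get-ChildItem $logRoot -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq ".log" } |
        Sort-Object LastWriteTime |
        ForEach-Object { "ADPrep log: $($_.FullName) (written $($_.LastWriteTime))" }
} else {
    "No ADPrep log folder at $logRoot; adprep has not been run on this machine"
}
```

Run it once before adprep to confirm you are on the right machines, and again afterwards: objectVersion should have moved to the Windows Server 2003 value on the schema master and, after replication, on every other domain controller.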

    Supported Upgrade Paths

    When you convert from the Windows 2000 mixed or Windows Server 2003 interim functional level to the Windows 2000 native or Windows Server 2003 functional level, keep in mind the following:

    Support for pre-Windows 2000 replication ceases. Because pre-Windows 2000 replication is gone, you can no longer have any domain controllers in your domain that are not running Windows 2000 Server or later.

    You can no longer add new pre-Windows 2000 domain controllers to the domain.

    The server that served as the Primary Domain Controller (PDC) during migration is no longer the domain master; all domain controllers begin acting as peers.

    Caution If you raise the domain and forest functional levels to Windows Server 2003, this action cannot be reversed. Confirm the operating system of every domain controller, including any stale domain controller accounts still in the directory, before raising; the raise is refused while a domain controller below the target level exists in the domain.

    To change the domain functional level to Windows 2000 native or Windows Server 2003, completethe following steps:


    1. Click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.

    2. Right-click the domain and then click Raise Domain Functional Level.

    3. In the Raise Domain Functional Level dialog box, in the Select An Available Domain Functional Level list, select the domain functionality you want and then click Raise.

    4. In the Raise Domain Functional Level message box, click OK.


    Forest Functional Levels

    Forest functional levels provide a way to enable forest-wide Active Directory features within your network environment. Three forest functional levels are available:

    Windows 2000 When you first install or upgrade a domain controller to Windows Server 2003, the forest is set to the Windows 2000 functional level. This level allows a Windows Server 2003 domain controller to interact with domain controllers in the forest running Windows NT 4, Windows 2000, or Windows Server 2003.

    Windows Server 2003 interim The Windows Server 2003 interim functional level allows a domain controller running Windows Server 2003 to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003. It is an option only when upgrading the first Windows NT domain to a new forest.

    Windows Server 2003 The Windows Server 2003 functional level allows domain controllers to interact only with other domain controllers running Windows Server 2003. Every domain controller in the forest must already run Windows Server 2003, and no domain may still be at Windows 2000 mixed, before the forest can be raised.

    To change the forest functional level to Windows Server 2003, complete the following steps:

    1. Click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.

    2. Right-click the Active Directory Domains And Trusts node and then click Raise Forest Functional Level.

    3. In the Raise Forest Functional Level dialog box, click Raise.


    4. In the Raise Forest Functional Level message box, click OK.
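The raise procedures above are irreversible, so a practitioner wants a read-only pre-flight check first. The following PowerShell script is an added example, not part of the original document: it reads the current domain and forest functional levels through ADSI and lists every domain controller's operating system, because a single domain controller (or stale domain controller account) below the target release is what makes the raise fail. It assumes a domain-joined machine and a schema already extended for Windows Server 2003, which is when the msDS-Behavior-Version attribute exists; the level numbers and the userAccountControl bit are Microsoft's documented values.

```powershell
# Added example (not from the original document): pre-flight check for the
# Raise Domain/Forest Functional Level procedures above. Assumes a
# domain-joined machine and a Windows Server 2003 (or later) schema.
$rootDse    = [ADSI]"LDAP://RootDSE"
$domainDn   = $rootDse.Get("defaultNamingContext")
$configDn   = $rootDse.Get("configurationNamingContext")
$domain     = [ADSI]"LDAP://$domainDn"
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"   # the forest level is stored here

# msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim,
# 2 = Windows Server 2003; later releases use higher numbers. At level 0,
# ntMixedDomain on the domain head tells mixed (1) from native (0).
$levelNames = @{ 0 = "Windows 2000"; 1 = "Windows Server 2003 interim"; 2 = "Windows Server 2003"
                 3 = "Windows Server 2008"; 4 = "Windows Server 2008 R2"; 5 = "Windows Server 2012"
                 6 = "Windows Server 2012 R2"; 7 = "Windows Server 2016" }

function Get-LevelName([int]$level) {
    if ($levelNames.ContainsKey($level)) { return $levelNames[$level] }
    return "functional level $level"
}

function Get-FunctionalLevels {
    $domainLevel = [int]$domain.Get("msDS-Behavior-Version")
    $domainName  = Get-LevelName $domainLevel
    if ($domainLevel -eq 0) {
        $mode = if ([int]$domain.Get("ntMixedDomain") -eq 1) { "mixed" } else { "native" }
        $domainName = "$domainName $mode"
    }
    $forestLevel = [int]$partitions.Get("msDS-Behavior-Version")
    return @{ Domain = $domainName; Forest = (Get-LevelName $forestLevel) }
}

function Get-ResultValue($result, [string]$attr) {
    $values = $result.Properties[$attr]
    if ($values -and $values.Count -gt 0) { return [string]$values[0] }
    return ""
}

# Domain controllers are computer objects with SERVER_TRUST_ACCOUNT (0x2000)
# set in userAccountControl; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
function Get-DomainControllers {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter   = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@("cn", "operatingSystem", "operatingSystemServicePack"))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name            = Get-ResultValue $r "cn"
            OperatingSystem = Get-ResultValue $r "operatingSystem"
            ServicePack     = Get-ResultValue $r "operatingSystemServicePack"
        }
    }
}

$levels = Get-FunctionalLevels
"Domain functional level : $($levels.Domain)"
"Forest functional level : $($levels.Forest)"
"Domain controllers in $domainDn :"
$dcs = @(Get-DomainControllers)
$dcs | ForEach-Object { "  {0,-20} {1} {2}" -f $_.Name, $_.OperatingSystem, $_.ServicePack }

# Anything not reporting Windows Server 2003 blocks the raise to that level.
$blocking = @($dcs | Where-Object { $_.OperatingSystem -notlike "Windows Server 2003*" })
if ($blocking.Count -gt 0) {
    "Do not raise yet: $($blocking.Count) DC(s) below Windows Server 2003 (stale DC accounts count too)"
} else {
    "All DCs run Windows Server 2003; raising writes msDS-Behavior-Version=2 and cannot be undone"
}
```

Run it in each domain before raising the domain level, and in the forest root before raising the forest level; a domain controller whose operatingSystem is blank is usually a decommissioned machine whose account was never cleaned up, and it blocks the raise just as a live one would.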

    UPN Suffixes

    When you create a user account in Active Directory, you give that user a logon name, a pre-Windows 2000 user logon name, and a user principal name (UPN) suffix. A user principal name is the user logon name, the @ symbol, and then the UPN suffix. The UPN suffix identifies the domain in which the user account is located; it is usually the DNS name of the domain where the account is created, or an alternative name used for logon purposes.

    Note The concept of UPNs can be confusing initially. Keep in mind that a UPN suffix has no binding to a DNS or Active Directory domain name. Even when it has the same name as a valid domain within your forest, it is just a label that forms part of the user account name, and a UPN logon is resolved to the account through the global catalog. It is the SID associated with your user account that determines what domain it belongs to.

    The purpose of a UPN is to let users keep the same logon name even if the domain their account is associated with changes. Because the UPN is not mapped to a specific domain, it does not need to change when you move a user account from one domain to another within your forest.

    The following figure shows the UPN of a new account created in the ICT.com domain. The user creating the account configures the user logon name, and Active Directory Users and Computers suggests a pre-Windows 2000 logon name. The UPN suffix is appended to the user logon name to create the entire user principal name.


    By default, this UPN suffix is the same as the DNS domain name where the account is being created. In most cases this default suffix is the only one the account will ever need. However, you can use alternative UPN suffixes to simplify logon across domains throughout the forest. Alternative UPN suffixes are "aliases" created for the domains in the forest, and let a user log on with a UPN different from the one assigned by default. Why might this be desirable?

    You might use an alternate UPN suffix when a domain is very deep in a tree hierarchy, because the long domain name is hard to enter when logging on with a user principal name. For example, the default UPN suffix for a user in such a domain might be sales.chi.MUT.com. Creating a UPN suffix of "MUT" would allow the user to log on with the much simpler name user@MUT.

    To add or remove UPN suffixes, complete the following steps:

    1. Click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.

    2. Right-click the Active Directory Domains And Trusts node and then click Properties.


    3. In the Active Directory Domains And Trusts dialog box, on the UPN Suffixes tab, do one of the following: to add a suffix, type it in the Alternative UPN Suffixes box and click Add; to remove a suffix, select it in the list and click Remove.

    4. Click OK.

    5. If you need to add more alternative suffixes, simply repeat the procedure as necessary.


    To test the results of your new suffix, open the Active Directory Users and Computers console and either create a new user or open the properties of an existing user account and go to the Account tab. In either case your new alternative UPN suffix should be available in the drop-down list next to User Logon Name.

    Note If you remove a suffix that is still in use, user accounts that reference it can no longer log on with their UPN (logon with the pre-Windows 2000 DOMAIN\username still works). Check which accounts use a suffix before you remove it.
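The following PowerShell script is an added example, not part of the original document, covering the add/remove procedure and the note above: it lists the forest's alternate UPN suffixes, adds one, and refuses to remove one while any account in the forest still uses it. It assumes a domain-joined machine; reading needs only a domain account, while changing uPNSuffixes requires Enterprise Admins. "MUT" is the suffix used in the example above; the attribute and container names are the ones Active Directory actually uses.

```powershell
# Added example (not from the original document): manage alternate UPN
# suffixes and check for accounts still using one before removing it.
# Assumes a domain-joined machine; writes need Enterprise Admins.
$rootDse    = [ADSI]"LDAP://RootDSE"
$configDn   = $rootDse.Get("configurationNamingContext")
$forestDn   = $rootDse.Get("rootDomainNamingContext")
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"   # alternate suffixes are stored here

function Get-UpnSuffixes {
    # Multi-valued uPNSuffixes; empty when only the domains' DNS names are in use.
    return @($partitions.psbase.Properties["uPNSuffixes"] | ForEach-Object { [string]$_ })
}

function Get-AccountsUsingSuffix([string]$suffix) {
    # Query a global catalog so one search covers every domain in the forest;
    # userPrincipalName is part of the GC partial attribute set.
    $gc = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$forestDn")
    $gc.Filter   = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=*@$suffix))"
    $gc.PageSize = 1000
    [void]$gc.PropertiesToLoad.Add("userPrincipalName")
    return @($gc.FindAll() | ForEach-Object { [string]$_.Properties["userprincipalname"][0] })
}

function Add-UpnSuffix([string]$suffix) {
    [void]$partitions.psbase.Properties["uPNSuffixes"].Add($suffix)
    $partitions.psbase.CommitChanges()
}

function Remove-UpnSuffix([string]$suffix) {
    $inUse = Get-AccountsUsingSuffix $suffix
    if ($inUse.Count -gt 0) {
        return "Refusing to remove '$suffix': still used by $($inUse.Count) account(s), for example $($inUse[0])"
    }
    $partitions.psbase.Properties["uPNSuffixes"].Remove($suffix)
    $partitions.psbase.CommitChanges()
    return "Removed UPN suffix '$suffix'"
}

"Alternate UPN suffixes: $((Get-UpnSuffixes) -join ', ')"
foreach ($s in Get-UpnSuffixes) {
    "  $s is used by $((Get-AccountsUsingSuffix $s).Count) account(s)"
}
# Add-UpnSuffix "MUT"      # lets users log on as user@MUT, as in the example above
# Remove-UpnSuffix "MUT"   # refuses while any account still has a @MUT UPN
```

The global catalog query is the important part: alternate suffixes are forest-wide, so checking only the local domain would miss accounts in other domains that would lose UPN logon.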

    Active Directory Sites and Services Console

    You provide information about the physical structure of your network by publishing sites to Active Directory using the Active Directory Sites And Services console. Active Directory uses this information to determine how to replicate directory information and where to direct clients' service requests.

    As shown in the following figure, the Active Directory Sites and Services console has a number of containers that provide information and functions for creating and maintaining sites. When the first domain controller is installed, a site object named Default-First-Site-Name is created. This site can (and should) be renamed to something meaningful to the business.


    The Inter-Site Transports container is used to create and store site links. A site link is a connection between sites. Links created under the IP container use RPC over IP as their transport, while those created under SMTP use the Simple Mail Transfer Protocol (SMTP); SMTP links can carry only replication between domains, never replication of a domain partition between domain controllers of the same domain.

    The Subnets container is used to create and store objects describing the subnets on your network. A subnet is a range of IP addresses sharing a common network ID. By associating subnets with a site, you tell Active Directory which site a client or domain controller at a given address belongs to, which is how site-aware clients find a nearby domain controller. Using the Subnets container, you can group different subnets together to build a site.
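The following PowerShell script is an added example, not part of the original document: it walks the same containers the Sites and Services console shows (Sites, Subnets and Inter-Site Transports) over ADSI and reports which subnets map to which site and which site links connect them, so you can spot a subnet that is not assigned to any site and a site that no link reaches. It assumes a domain-joined machine; the attribute names (siteObject, siteList, cost, replInterval) are the ones Active Directory uses.

```powershell
# Added example (not from the original document): enumerate sites, subnets
# and site links from the configuration partition. Assumes a domain-joined
# machine; any domain user can read these objects.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configDn = $rootDse.Get("configurationNamingContext")
$sitesDn  = "CN=Sites,$configDn"

function Search-Config([string]$baseDn, [string]$filter, [string[]]$attrs) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$baseDn")
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange($attrs)
    return $searcher.FindAll()
}
function Get-Value($result, [string]$attr) {
    $v = $result.Properties[$attr]
    if ($v -and $v.Count -gt 0) { return [string]$v[0] }
    return ""
}
function Get-Rdn([string]$dn) { return (($dn -split ",")[0] -replace "^CN=", "") }

# Subnets grouped by the site their siteObject attribute points at. A subnet
# with no siteObject is unassigned: clients there get no site-aware DC choice.
$subnetsBySite = @{}
foreach ($r in Search-Config "CN=Subnets,$sitesDn" "(objectClass=subnet)" @("cn", "siteObject")) {
    $site = Get-Value $r "siteObject"
    $key  = if ($site) { Get-Rdn $site } else { "(unassigned)" }
    if (-not $subnetsBySite.ContainsKey($key)) { $subnetsBySite[$key] = @() }
    $subnetsBySite[$key] += Get-Value $r "cn"
}

foreach ($r in Search-Config $sitesDn "(objectClass=site)" @("cn")) {
    $site    = Get-Value $r "cn"
    $subnets = if ($subnetsBySite.ContainsKey($site)) { $subnetsBySite[$site] -join ", " } else { "none" }
    "Site $site : subnets $subnets"
}
if ($subnetsBySite.ContainsKey("(unassigned)")) {
    "Subnets not assigned to any site: $($subnetsBySite['(unassigned)'] -join ', ')"
}

# Site links live under CN=IP or CN=SMTP in Inter-Site Transports. siteList
# holds the DNs of the sites a link joins; cost and replInterval (minutes)
# drive the inter-site replication topology.
foreach ($r in Search-Config "CN=Inter-Site Transports,$sitesDn" "(objectClass=siteLink)" @("cn", "distinguishedName", "siteList", "cost", "replInterval")) {
    $dn        = Get-Value $r "distinguishedName"
    $transport = ($dn -split ",")[1] -replace "^CN=", ""
    $sites     = @($r.Properties["sitelist"] | ForEach-Object { Get-Rdn ([string]$_) })
    "Site link {0} ({1}): {2}; cost {3}, replicates every {4} min" -f (Get-Value $r "cn"), $transport, ($sites -join " <-> "), (Get-Value $r "cost"), (Get-Value $r "replInterval")
}
```

A site that appears in no site link's siteList will not receive inter-site replication, and a subnet listed as unassigned is the usual reason a branch office keeps authenticating against a domain controller on the far side of a WAN link.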

    Active Directory Users And Computers Console

    The Active Directory Users And Computers console allows you to add, modify, delete, and organize user accounts, computer accounts, groups, and published resources in your organization's directory. It also allows you to manage domain controllers and OUs, and you can raise the domain functional level from this console as well.

    When an object is deleted, there must be something left to replicate to other domain controllers so that they will learn about the deleted object. This is why Active Directory does not immediately delete an object, but instead turns it into a tombstone: a stripped-down copy of the object, marked isDeleted, that replicates like any other change. Only after a further interval is the tombstone itself removed from the database of each domain controller. This interval is called the tombstone lifetime, and its default value is 60 days. Windows Server 2003 with SP1 and later raises the default retention period for deleted objects to 180 days in newly created forests (see the note below).

    If the tombstone lifetime were shorter than the replication latency, a tombstone could be removed before it had replicated to every domain controller. Those domain controllers would never learn about the deletion of the original object, leaving the directory in an inconsistent state: some domain controllers would contain the object and some would not.

    Once a tombstone is removed, its space can be reused for other objects. However, the database file does not shrink unless you perform an offline defragmentation, which is done in Directory Services Restore Mode. The operation is normally unnecessary, but if you have removed a large number of objects and want to recover the disk space, you can perform it.

    To determine the tombstone lifetime for the forest, do the following:

    1. On the Start menu, click Run, type adsiedit.msc, and then click OK.

    2. In the console tree, expand Configuration, CN=Configuration,DC=..., CN=Services, and then CN=Windows NT.

    3. Right-click CN=Directory Service, and then click Properties.

    4. In the Attribute column, click tombstoneLifetime. If the value shows as <Not Set>, the built-in default of 60 days is in effect.

    Note The tombstone lifetime does not change automatically when you upgrade to Windows Server 2003 with SP1, but you can change it manually after the upgrade. New forests created with domain controllers running Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days.
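The following PowerShell script is an added example, not part of the original document: it reads the same tombstoneLifetime attribute the ADSI Edit steps above lead to, applies the 60-day default when the attribute is not set, and offers a guarded function to raise it to 180 days. It assumes a domain-joined machine; reading needs only a domain account, while writing the attribute (it lives in the configuration partition, so the value is forest-wide) requires Enterprise Admins.

```powershell
# Added example (not from the original document): read, and optionally
# raise, the forest tombstone lifetime over ADSI. Assumes a domain-joined
# machine; writes need Enterprise Admins.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configDn = $rootDse.Get("configurationNamingContext")
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configDn"

function Get-TombstoneLifetime {
    # Effective value in days. When the attribute is not set (forests created
    # before Windows Server 2003 SP1 never had it stamped) the built-in
    # default of 60 days applies.
    $values = $dsObject.psbase.Properties["tombstoneLifetime"]
    if ($values.Count -eq 0) { return 60 }
    return [int]$values[0]
}

function Set-TombstoneLifetime([int]$days) {
    # Design choice for this example: only allow raising the value. Lowering
    # it toward the replication latency recreates the inconsistency the text
    # above describes.
    $current = Get-TombstoneLifetime
    if ($days -le $current) {
        throw "Tombstone lifetime is already $current days; refusing to set $days"
    }
    $dsObject.Put("tombstoneLifetime", $days)
    $dsObject.SetInfo()
    return (Get-TombstoneLifetime)
}

$tsl = Get-TombstoneLifetime
"Effective tombstone lifetime : $tsl days"
"Oldest usable DC backup      : taken after $((Get-Date).AddDays(-$tsl).ToShortDateString())"
if ($tsl -lt 180) {
    "Below the 180-day default of new Windows Server 2003 SP1 forests; raise with: Set-TombstoneLifetime 180"
}
```

The backup line is the practical reason to care: a system-state backup older than the tombstone lifetime cannot be used to restore a domain controller, and a domain controller that has been offline longer than the tombstone lifetime must be rebuilt rather than reconnected, or it reintroduces objects the rest of the forest has already deleted.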


    Active Directory Schema Snap-In

    The Active Directory Schema snap-in lets you view and modify the Active Directory schema. By default, the snap-in is not available on the Administrative Tools menu; you must register it from the command line and create an MMC console for it. This hurdle exists to ensure the schema is not modified by accident. It is not an access control: writing to the schema still requires membership in the Schema Admins group, and changes are accepted only on the schema operations master.

    To install the Active Directory Schema snap-in, complete the following steps:

    1. Log on as an administrator.

    2. Click Start, and then click Command Prompt.

    3. Type regsvr32 schmmgmt.dll and press Enter.


    4. Click Start, and then click Run.

    5. In the Run box, type mmc and then click OK.

    6. On the File menu, click Add/Remove Snap-In.

    7. In the Add/Remove Snap-In dialog box, click Add.


    8. In the Add Standalone Snap-In dialog box, in the Snap-In column, double-click Active Directory Schema, and then click Close.

    9. In the Add/Remove Snap-In dialog box, click OK.

    10. To save this console, on the File menu, click Save. In the Save As dialog box, ensure that Administrative Tools is shown in the Save In box. Then type Active Directory Schema in the File Name box and click Save. The Active Directory Schema snap-in is now available from the Administrative Tools menu.


    11. Close the Active Directory Schema snap-in.


    The Microsoft Management Console (MMC)

    Compared to Microsoft Windows NT, administration is much easier in Windows Server 2003, mostly because of the MMC and the prepackaged administration tools built on it, which help you manage computers, users, and other aspects of the network environment. Not only does the MMC simplify administration, it also integrates the many disparate tools that were previously available into a single unified interface.

    The advantages of a unified interface are significant: after you learn the structure of one MMC tool, you can apply what you've learned to all the other MMC tools. Equally significant is the ability to build your own consoles and customize existing ones. You can combine administrative components into your own console configuration and store it for future use, giving you quick access to the tools you use most through a single console.

    Keep in mind that the MMC isn't a one-size-fits-all approach to administration. Some administrative functions aren't implemented for the MMC. Many system and operating system properties are still configured using Control Panel utilities, and many other system and administrative functions are accessed using wizards. Most administrative tools, regardless of type, have command-line counterparts that run as separate executables.

    The good news is that you can integrate non-MMC tools and even command-line utilities into a custom console by creating links to them. In this way, your custom console remains the central interface for administration, and you can use it to reach quickly any type of tool you routinely work with.

    MMC hosts administrative tools (snap-ins) that you use to administer networks, computers, services, and other system components. You can combine one or more snap-ins into customized consoles that centralize and combine administrative tasks.

    To take advantage of what the MMC framework offers, you add any of the available stand-alone snap-ins to a console. A console is simply a container for snap-ins that uses the MMC framework. Dozens of preconfigured snap-ins are available from Microsoft, providing the functionality necessary for administration, and third-party tools from independent software vendors now use MMC snap-ins as well.

    Although you can load multiple snap-ins into a single console, most of the preconfigured consoles have only one. For example, most tools on the Administrative Tools menu consist of a preconfigured console with a single snap-in, even the Computer Management tool shown in the following figure, which is a preconfigured console with the Computer Management snap-in added to it.


    The many features of the Computer Management snap-in are a good example of how snap-ins can have nodes and extension components. A node defines a level within the console or within a snap-in. Computer Management has a root node, labeled Computer Management, and three top-level nodes, labeled System Tools, Storage, and Services and Applications. An extension component is a type of snap-in that extends the functionality of an existing snap-in. Computer Management has many extensions: each entry under the top-level nodes is an extension, and many of these extensions can themselves have extensions.

    These particular extensions are also implemented as stand-alone snap-ins, and when you use them in your own console, they add the same functionality as they do in the preconfigured administration tools. You'll find that many extensions are implemented as both extensions and stand-alone snap-ins. Many doesn't mean all: some extensions are meant only to add functionality to an existing snap-in and are not also implemented as stand-alone snap-ins.

    Keep in mind that extensions are optional and can be included or excluded from a snap-in by changing options within the console when you are authoring it. For example, if you didn't want someone to be able to use Disk Management from within Computer Management, you could edit the extension options for Computer Management on that user's computer to remove the entry for Disk Management. The user would then be unable to manage disks from within Computer Management, but would still be able to manage disks using other tools; removing an extension is a convenience, not a permission.

    MMC Modes

    MMC has two operating modes: author mode and user mode. In author mode, you can create and modify a console's design by adding or removing snap-ins and setting console options. In user mode, the console design is frozen and you cannot change it. By default, the prepackaged console tools for administration open in user mode, which is why you are unable to make changes to them.

    As the following figure shows, when you open a console in author mode you have an extended File menu that lets you create new consoles, open existing consoles, save the current console, add or remove snap-ins, and set console options. In contrast, when you work with one of the preconfigured console tools or any other tool in user mode, you have a limited File menu, as shown.


    In author mode you also have a Favorites menu, used to add and organize favorites. The Favorites menu does not appear in user mode.

    When you are finished designing a console tool, you should change it to user mode. Console tools should be run in user mode, and author mode should be used only for configuring them. Three user-mode levels are defined:

    Type of User Mode                             Description
    User mode - Full Access                       Grants users full access to all MMC functionality, but prevents them from adding or removing snap-ins or changing snap-in console properties.
    User mode - Limited Access, Multiple Windows  Prevents users from adding or removing snap-ins or changing console properties. Users can create new windows but cannot close existing windows.
    User mode - Limited Access, Single Window     Prevents users from opening new windows or accessing a portion of the console tree, and allows them to view only one window in the console.

    A console's mode is stored when you save the console and applied when you open it. In author mode, you can change the console mode in the Options dialog box, displayed by selecting Options from the File menu. You cannot change the mode while a console is running in user mode. That doesn't mean you can't change back to author mode, however, and then make further changes as necessary.

    To open any existing console tool in author mode, right-click the tool's icon and choose Author. This works for the preconfigured administration tools as well: right-click the related item on the Administrative Tools menu and choose Author. You then have full design control over the console, but if you make changes you probably don't want to overwrite the existing .msc file. So, instead of choosing Save from the File menu after you make changes, choose Save As and save the console with a different name, location, or both.

    Tip Another way to enter author mode is to use the /A parameter when starting the console tool from the command line or the Run dialog box.

    Note Remember that user mode is not a security boundary. At any time, a user with permission to run MMC can enter author mode by right-clicking the console and selecting Author, or by running the console tool from the command line with the /A switch, and could then change the configuration of the tool. One way to prevent this is to restrict authoring in Group Policy.

    You can restrict authoring for users at the local machine, OU, or domain level by enabling Restrict The User From Entering Author Mode under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console in Group Policy. Because this is a User Configuration setting it follows the user, not the computer, and it does not by itself limit which snap-ins the user can load; the separate policy Restrict Users To The Explicitly Permitted List Of Snap-Ins, in the same location, does that.
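The following PowerShell script is an added example, not part of the original document: it audits, for the current user, the MMC restrictions that the Group Policy settings above apply. The registry locations are the ones the Microsoft Management Console administrative template writes: RestrictAuthorMode and RestrictToPermittedSnapins under HKCU\Software\Policies\Microsoft\MMC, and a Restrict_Run value under a subkey named for each restricted snap-in's CLSID. Snap-in names are resolved from the machine's MMC snap-in registration where that key carries a NameString value; otherwise the CLSID is shown.

```powershell
# Added example (not from the original document): audit the MMC author-mode
# and snap-in restrictions in effect for the current user. Registry paths
# are those written by the MMC administrative template.
$policyKey = "HKCU:\Software\Policies\Microsoft\MMC"
$snapinKey = "HKLM:\SOFTWARE\Microsoft\MMC\SnapIns"

function Get-PolicyDword([string]$path, [string]$name) {
    # $null when the key or value is absent, i.e. the policy is not configured
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Get-SnapinName([string]$clsid) {
    $key = Join-Path $snapinKey $clsid
    if (Test-Path $key) {
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NameString
        if ($name) { return $name }
    }
    return $clsid
}

function Get-MmcRestrictions {
    $authorMode = Get-PolicyDword $policyKey "RestrictAuthorMode"
    $permitted  = Get-PolicyDword $policyKey "RestrictToPermittedSnapins"
    $perSnapin  = @()
    if (Test-Path $policyKey) {
        foreach ($sub in Get-ChildItem $policyKey) {
            $run = Get-PolicyDword $sub.PSPath "Restrict_Run"
            if ($null -ne $run) {
                $state = if ($run -eq 1) { "prohibited" } else { "permitted" }
                $perSnapin += "{0}: {1}" -f (Get-SnapinName $sub.PSChildName), $state
            }
        }
    }
    return @{
        AuthorModeRestricted = ($authorMode -eq 1)
        OnlyPermittedSnapins = ($permitted -eq 1)
        PerSnapin            = $perSnapin
    }
}

$r = Get-MmcRestrictions
"Author mode (right-click > Author, mmc.exe /a) blocked : $($r.AuthorModeRestricted)"
"Only explicitly permitted snap-ins may be loaded      : $($r.OnlyPermittedSnapins)"
if ($r.PerSnapin.Count -gt 0) {
    "Per-snap-in settings:"
    $r.PerSnapin | ForEach-Object { "  $_" }
}
if (-not $r.AuthorModeRestricted) {
    "Not restricted: any user can reopen a user-mode console with mmc.exe <console>.msc /a and change it"
}
```

Run it in the context of the user whose desktop you are hardening, not as the administrator, since these are per-user policies. The last line is the check that matters: a console saved in user mode protects against accidents only, and without the policy the user can re-enter author mode at will, exactly as the note above warns.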


    Building Custom MMCs

    If you find that the existing console tools don't meet your needs, or you want to create your own administration tool with the features you choose, you can build custom console tools.

    The steps for creating custom console tools are as follows:

    1. Create the console for the tool.

    2. Add snap-ins to the console. The snap-ins you use can include Microsoft console tools as well as console tools from third-party vendors.

    3. When you are finished with the design, save the console in user mode so that it is ready for use.

    Step 1: Creating the Console

    The first step in building a custom console tool is to create the console that you'll use as the framework. To get started, open a blank MMC in author mode: click Start, select Run, type mmc in the Open box, and then click OK. This opens a blank console titled Console1 with a default console root, as shown.

    If you want your custom tool to be based on an existing console, you can open its .msc file and add it to the new console. Select Open on the File menu, and then use the Open dialog box to find the .msc file you want to work with. Most .msc files are in the %SystemRoot%\System32 directory. Any existing console you choose opens in author mode automatically. Keep in mind that you generally don't want to overwrite the existing .msc file with the new one you are creating; when you save the custom console, choose Save As rather than Save on the File menu.

    If you want to start from scratch, you'll work with the blank console you just opened. The first thing you'll want to do is rename the console root to give it and the related window a more meaningful name. For example, if you are creating a console tool to help you manage Active Directory, you could rename the console root Active Directory Management. To rename the console root and the related window, right-click the console root and select Rename, type the name you want to use, and then press Enter.


    The next thing youll want to do is to consider how many windows the console tool must have. Mostconsole tools have a single window, but as shown in the following, a console can have multiplewindows, each with its own view of the console root. You add windows to the console by using the NewWindow option on the Window menu. After you add a window, youll probably want the MMC to

    automatically tile the windows as shown in the figure. You can tile windows by selecting TileHorizontally on the Window menu. You dont have to do this, however; anytime there are multiplewindows, you can use the options on the Window menu to switch between them.

    Step 2: Adding Snap-Ins to the Console

While you are thinking about the organization of the tool and the possibility of using additional views of the console root, you should also consider the types of snap-ins that you want to add to the console.

You might want to organize the snap-ins into groups by creating folders for storing snap-ins of a specific type or category. For example, if you are creating a console tool for managing Active Directory, you might find that there are four general types of snap-ins that you want to work with: General, Policy, Security, and Support. You would then create four folders in the console with these names.

Folders are implemented as a snap-in that you add to the console root. To add folders to the console root, follow these steps:


1. Choose Add/Remove Snap-In from the File menu in the main window. As shown in the following figure, you must now choose where to add the snap-in. At this point, it is possible only to add the snap-in to the console root (which is now called Active Directory Management or whichever other name you used), but after you add folders, you can add snap-ins to a folder below the console root by selecting it in the Snap-Ins Added To list.

2. Choose Add, which displays the Add Standalone Snap-In dialog box. Note that this dialog box is set so that you can see the previous dialog box as well. This is important because when you add snap-ins they appear in the Add/Remove Snap-In list.

3. The Available Standalone Snap-Ins list shows all the snap-ins that are available. Scroll through the list until you see the Folder snap-in, as shown. Click Folder, and then choose Add. The Folder snap-in is added to the list of snap-ins in the Add/Remove Snap-In dialog box. Repeat this for each folder that you want to use. If you are following the example and want to use four folders, you would click Add three more times so that four Folder snap-ins appear in the Add/Remove Snap-In dialog box.


4. Now close the Add Standalone Snap-In dialog box by clicking Close, and return to the Add/Remove Snap-In dialog box. You'll see the folders you've added. Click OK to close this dialog box and return to the console you are creating.

After you add folders, you must rename them. Right-click the first folder, and choose Rename. Type a new name, and then press Enter. If you are following the example, rename the folders: General, Policy, Security, and Support. When you are finished renaming the folders, follow a similar process to add the appropriate snap-ins to your console:

    1. Choose Add/Remove Snap-In on the File menu in the main window.

    2. In the Snap-Ins Added To list, choose the folder to use, and then click Add.

    3. Use the Add Standalone Snap-Ins dialog box to add snap-ins to the selected folder.

4. When you are finished, click Close to return to the Add/Remove Snap-In dialog box. You'll find the snap-ins you've chosen are added to the designated folder.

5. If you want to work with a different folder, select the folder in the Snap-Ins Added To list, and repeat steps 2 to 4.

6. When you are finished adding snap-ins to folders, click OK to close the Add/Remove Snap-In dialog box and return to the console you are creating.

If you want the snap-in to work with whichever computer the console is running on, select Local Computer. Otherwise, select Another Computer, and then type the computer name or IP address of the computer you want to use. If you don't know the computer name or IP address, click Browse to search for the computer you want to work with.


Some snap-ins are added by using wizards with several configuration pages, so when you select these snap-ins you start the associated wizard and the wizard helps you configure how the snap-in is used.

One snap-in in particular that uses a wizard is Link To Web Address. When you add this snap-in, you start the Link To Web Address Wizard, as shown in the screen on the following page, and the wizard prompts you to create an Internet shortcut. Here, you type the Uniform Resource Locator (URL) you want to use, click Next, enter a descriptive name for the URL, then click Finish. Then, when you select the related snap-in in the console tree, the designated Web page appears in the details pane.


The following figure shows the example console with snap-ins organized using the previously discussed folders:

    Summary

The MMC is a useful tool for organizing and consolidating snap-ins, or small programs that are used for network and computer system administrative tasks. The hierarchical display, similar to that of Windows Explorer, offers a familiar view of snap-in features in a folder-based paradigm. There are two types of snap-ins, stand-alone and extension, with extensions appearing and behaving within the MMC based on the context of their placement. Any console can be configured to work in either of two modes, Author or User, with the User mode offering some restricted functionality in the saved console.

    Managing Computers Remotely with the MMC

Perhaps you work in a peer-to-peer network and need to help other users create user accounts or groups on their computers to share local folders. You can save yourself a trip to your coworkers' offices by connecting to the users' computers with your Computer Management console. Or perhaps you need to format drives or perform other tasks on a remote computer. You can perform almost any task on a remote computer that you can perform locally.

To connect to and manage another system using the Computer Management console, you must launch the console with an account that has administrative credentials on the remote computer. If your credentials do not have elevated privileges on the target computer, you will be able to load the snap-in, but will not be able to read information from the target computer, as shown.

When you're ready to manage the remote system, you may open an existing console with the snap-in loaded, or configure a new MMC with a snap-in that you configure for remote connection when you build the console. If you configure an existing Computer Management console, for example, follow these steps:

1. Open the Computer Management console by right-clicking My Computer and choosing Manage from the shortcut menu.

2. Right-click Computer Management in the tree pane and choose Connect To Another Computer.


3. In the dialog box, as shown, type the name or IP address of the computer or browse the network for it, and then click OK to connect.

    Summary

The MMC is able to load many different tools in the form of snap-ins. Some of these snap-ins are programmed with the ability to connect to remote computers. You must have administrative privileges on the remote computer to use any tools affecting the configuration of the remote computer.


    Backing Up Active Directory

    Backup Frequency

Backup frequency depends on criteria that vary for individual environments. In most Active Directory environments, users, computers, and administrators make daily changes to directory objects. For example, computer accounts, including domain controller accounts, change their passwords every 30 days by default. Therefore, every day a percentage of computer passwords changes for domain controllers. Rolling the computer password of a domain controller back to a former state affects authentication. A percentage of user passwords might also expire on a daily basis, and if they are lost as a result of domain controller failure, they must be reset manually. Therefore, the more frequently you back up domain controllers, the fewer problems you will encounter if you need to restore.

The more Active Directory objects and domain controllers you have, the more frequent your backups should be. For example, in a large organization, to recover from the inadvertent deletion of a large OU by restoring the domain from a backup that is days or weeks old, you might have to re-create hundreds of accounts that were created in that OU since the backup was taken. To avoid re-creating accounts, ensure that recent system state backups are always available to recover recent Create, Modify, and Delete operations.

Note You must be a member of the Administrators or the Backup Operators groups to perform a backup.

When you back up Active Directory, the Backup Or Restore Wizard automatically backs up all the system components and all the services that Active Directory requires. Collectively, these components and services are known as system state data. For Windows Server 2003, the system state data includes:

    Registry

    COM+ Class Registration database

    System boot files

    Files under Windows File Protection

Certificate Services database (if the server is a certificate server)

Active Directory (if the server is a domain controller)

Sysvol (if the server is a domain controller)

Note You cannot choose to back up individual components of the system state data. This is due to dependencies among the system state components.

On domain controllers running Windows Server 2003 with SP1, a new event message, event ID 2089, provides the backup status of each directory partition. This event appears in the Directory Service event log if a directory partition has not been backed up for a period greater than half the tombstone lifetime. The event is logged daily until the partition is backed up. This event serves as a warning to administrators and monitoring applications to make sure that domain controllers are backed up.
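The following PowerShell check is an added example, not part of the original document: it reads the tombstone lifetime that event 2089 is measured against and lists any 2089 warnings from the last day. It assumes it runs on a Windows Server 2003 SP1 or later domain controller under an account that can read the Directory Service log and the Configuration partition; the 60-day fallback is an assumption noted in the comments.

```powershell
# Added example (not from the original document): surface event ID 2089 on this domain
# controller and show the tombstone lifetime it is measured against.
# Assumed: run on a Windows Server 2003 SP1 or later DC with an account that can read the
# Directory Service event log and the Configuration partition.

# The tombstone lifetime is stored on the Directory Service object in the Configuration
# partition. When the attribute has never been set, the directory uses 60 days (assumed
# default for forests created with the original Windows Server 2003 release).
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tombstoneDays = [int]$dsObject.tombstoneLifetime.Value
if ($tombstoneDays -le 0) { $tombstoneDays = 60 }
$warnAfterDays = [math]::Floor($tombstoneDays / 2)

# Event 2089 is written once a day for each partition whose last backup is older than half
# the tombstone lifetime, so a 24-hour window is enough to catch every affected partition.
$events = Get-EventLog -LogName 'Directory Service' -After (Get-Date).AddDays(-1) |
          Where-Object { $_.EventID -eq 2089 }

if (-not $events) {
    "No event 2089 in the last 24 hours on $env:COMPUTERNAME; warning threshold is $warnAfterDays days."
} else {
    foreach ($e in $events) {
        # The partition name is inside the message text; keep the message verbatim.
        Write-Warning ("{0}: partition without a backup for more than {1} days`n{2}" -f `
            $e.TimeGenerated, $warnAfterDays, $e.Message)
    }
}
```

A monitoring job that runs this daily turns the event into an alert before the backup age approaches the tombstone lifetime, which is the point at which a restore is no longer usable.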

Note Backup does not support the use of backup media such as CD-RW (compact disc rewritable), CD-R (compact disc recordable), and DVD-R (digital video disc recordable). To save backups to this type of media, back up to a file and copy that file to the CD. You can use Backup to restore from a CD.


    To create an Active Directory backup, complete the following steps:

1. Click the Start menu, point to All Programs, point to Accessories, point to System Tools, and select Backup, or just type the NTBackup command in the Run window and then click OK.

    2. On the Welcome to The Backup or Restore Wizard page, click Next.

    3. On the Backup or Restore page, select Backup Files And Settings, and then click Next.

4. On the What to Back Up page, select Let Me Choose What To Back Up, and then click Next.


5. On the Items to Back Up page, expand My Computer, select System State, and then click Next.

6. On the Backup Type, Destination, and Name page, complete the following steps:

Select Tape in the Select the backup type list if you are using tape; otherwise this option defaults to File.

In the Choose a place to save your backup field, choose the location where Windows Backup will store the data. If you are saving to a tape, select the tape name.


In the Type a name for this backup box, enter a name for the backup you are going to do.

    7. On the Completing the Backup or Restore Wizard page, click Advanced.

On the Type of Backup page, select Normal. Normal is the only backup type supported by Active Directory. If the Hierarchical Storage Manager (HSM) has moved data to remote storage and you want to back it up, select the Backup migrated Remote Storage data check box and then click Next. If you do not use Remote Storage to store data, you do not need to choose this option.


8. On the How to Back Up page, select the Verify data after backup check box. If you are using a tape device and it supports hardware compression, select the Use hardware compression, if available check box. If this option is disabled, you do not have a tape drive on your computer or your tape drive cannot handle compressed data. It's recommended that you do not select the Disable volume shadow copy (1) check box. By default, Backup creates a volume shadow copy of your data to create an accurate copy of the contents of the hard drive, including open files or files in use by the system. Click Next.

Note The Disable volume shadow copy option is no longer available in Windows Server 2003 SP1 and in later versions.

(1) Volume shadow copy makes a read-only copy of the information in open files, which can be used for backup purposes. The original files continue to be accessed without any interference from the backup operation. When the backup is complete, the Volume Shadow Copy is deleted. The amount of disk space required by the Volume Shadow Copy will vary, based on the amount of data that changes on the disk during the backup procedure. If the underlying disk does not have enough free space to support Volume Shadow Copy, open files are not backed up.


9. On the Backup Options page, select the Replace the existing backups option, then select the Allow only the owner and the administrator access to the backup data and to any backups appended to this medium check box. This action saves only the most recent copy of Active Directory and allows you to restrict who can gain access to the completed backup file or tape. Click Next.

    10. On the When to Back Up page, select Now and then click Next.


11. On the Completing the Backup or Restore Wizard page, click Finish to start the backup operation.

12. The Backup Progress window shows the progress of the backup.


13. When the backup operation is complete, the Backup Progress window shows that the backup is complete. You can click the Report button to see a report about the backup operation.

    Scheduling Active Directory Backup Operations

You can schedule Active Directory backup operations to occur at regular intervals. To schedule a backup operation, you must access the advanced backup settings as described in the following procedure.

    1. Follow steps 11 in the previous section, "Creating an Active Directory Backup."


2. On the When to Back Up page, select Later. Then type the job name in the Job name box and click Set Schedule.

3. In the Schedule tab, select the frequency of the backup operation: Daily, Weekly, Monthly, Once, At System Startup, At Logon, or When Idle from the Schedule Task list. Indicate the time the backup operation will begin in the Start Time list. Indicate when the task will occur in the Schedule Task box for the selected frequency. Click Advanced.


4. In the Advanced Schedule Options dialog box, you can specify when the backup operations should begin, end, or how often they should be repeated in the Start Date, End Date, and Repeat Task boxes, respectively. Enter information as necessary and then click OK.

5. In the Settings tab in the Schedule Job dialog box, specify whether to delete the task file from your computer's hard disk after the backup operation has finished running and is not scheduled to run again in the Scheduled Task Completed box. Specify whether to start or stop the backup operation based on the computer's idle time in the Idle Time box. Specify whether to start or stop the backup operation based on the computer's power status in the Power Management box. Click OK.


    6. On the When to Back Up page, click Next.

7. In the Set Account Information dialog box, type the password for the account shown in the Password box and confirm the password in the Confirm Password box. Click OK.

This dialog box provides a space for you to type the user name under which this scheduled backup will run. This must be a valid user with the proper user rights to perform the backup, or Task Scheduler will not allow the backup to begin. The user name does not have to be the same as the user who is scheduling the backup; however, the user name you provide will become the owner of the backup set after it is created.

8. Confirm your selections on the Completing The Backup Or Restore Wizard page, then click Finish to schedule the backup.
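As an added example (not part of the original document), the same system state backup the two procedures above build through the wizard, driven from the command line so it can be scheduled and reviewed as text. The backup folder, job name, schedule time, and the service account CONTOSO\svc-adbackup are constructed values; the switches map to the wizard pages described above.

```powershell
# Added example (not from the original document): system state backup and daily schedule
# using ntbackup.exe and schtasks.exe instead of the wizard.
# Constructed/assumed values: D:\ADBackups, the job name, 02:00, and the service account
# CONTOSO\svc-adbackup, which must be a member of Backup Operators or Administrators.

$backupDir = 'D:\ADBackups'
$jobName   = 'AD System State'
$ntbackup  = Join-Path $env:SystemRoot 'system32\ntbackup.exe'
$stamp     = Get-Date -Format 'yyyyMMdd'
$bkf       = Join-Path $backupDir "SystemState-$stamp.bkf"

if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }

# One-off backup with the choices made in the wizard:
#   /m normal  Normal backup type (the only type supported for Active Directory)
#   /v:yes     Verify data after backup
#   /r:yes     Allow only the owner and the administrator access to the backup data
#   /l:s       Summary report, so the result can be checked afterwards
# Leaving out /a (append) corresponds to "Replace the existing backups".
& $ntbackup backup systemstate /j $jobName /f $bkf /m normal /v:yes /r:yes /l:s

if ($LASTEXITCODE -ne 0) {
    Write-Warning "ntbackup exited with code $LASTEXITCODE; read the backup report before relying on $bkf."
}

# Scheduled backup, equivalent to choosing Later and Set Schedule in the wizard.
# Task Scheduler refuses to start the job if the account lacks the backup right; /rp *
# prompts for the account password instead of storing it in this script.
$target = Join-Path $backupDir 'SystemState.bkf'
$task   = "`"$ntbackup`" backup systemstate /j `"$jobName`" /f `"$target`" /m normal /v:yes /r:yes /l:s"
schtasks.exe /create /tn 'AD System State Backup' /tr $task /sc DAILY /st 02:00 /ru 'CONTOSO\svc-adbackup' /rp '*'
```

Because the backup file contains the directory database, the restriction set by /r:yes and NTFS permissions on the backup folder matter as much as the schedule itself.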


    Back Up System State Excluding System-Protected Files

By using the following procedure, you can reduce the time that is required to perform the backup and subsequent restore, as well as the amount of disk space that is required.

    1. To start the backup utility, click Start, click Run, type ntbackup, and then click OK.

2. On the Welcome to the Backup or Restore Wizard page, click Advanced Mode, and then click the Backup tab.

3. In the console tree, select the System State check box and in the Backup media or file name field, type a name for this backup.


4. Click Start Backup, and then click Advanced.

5. Clear the Automatically back up System Protected Files with the System State check box, and then click OK.


6. Click Start Backup.

    Deleting Scheduled Active Directory Backup Operations

    To delete a scheduled Active Directory backup operation, complete the following steps:

    1. Start the backup utility.

    2. On the Welcome to the Backup or Restore Wizard page, click the Advanced Mode link.

    3. On the Welcome to the Backup Utility Advanced Mode page, click the Schedule Jobs tab.


4. In the Schedule Jobs tab, icons for the scheduled backup operation(s) appear. In this example, a backup operation is scheduled daily. Click the backup operation you want to delete.

5. In the Scheduled Job Options dialog box that appears, ensure that the job you want to delete appears in the Job Name box and then click Delete.


6. In the Removing a Scheduled Job message box that appears, click Yes. The backup operation has been deleted from the schedule.


    Restoring Active Directory

Like the backup process, when you choose to restore Active Directory, you can only restore all of the system state data that was backed up. You cannot choose to restore individual components (for example, only the Active Directory) of the system state data.

If you are restoring the system state data to a domain controller, you must choose whether you want to perform a nonauthoritative restore or an authoritative restore. The default method of restoring the system state data to a domain controller is nonauthoritative.

Tip You must be a member of the Administrators or the Backup Operators groups to perform a restore.

    Nonauthoritative Restore

In nonauthoritative restore, the services on a domain controller are restored from backup media and the restored data is then updated through replication. Each restored directory partition is updated with that of its replication partners by replication after you restore the data.

Note Nonauthoritative restore is typically performed when a domain controller has completely failed due to hardware or software problems.

    Authoritative Restore

An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. For example, you must perform an authoritative restore if you inadvertently delete users, groups, or OUs from Active Directory and you want to restore the system so that the deleted objects are recovered and replicated.

To authoritatively restore Active Directory data, you must run the Ntdsutil utility after you have performed a nonauthoritative restore of the system state data but before you restart the server. The Ntdsutil utility allows you to mark objects as authoritative. Marking objects as authoritative changes the update sequence number of an object so it is higher than any other update sequence number in the Active Directory replication system. This ensures that any replicated data that you have restored is properly replicated throughout your organization.
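The Ntdsutil step described above, as an added example that is not part of the original document: it marks a deleted OU and its contents authoritative after the nonauthoritative restore and before the restart. The DN and the DC name are constructed values; it is written as PowerShell for consistency with the other examples here, and the same ntdsutil command line can be typed at a cmd prompt in Directory Services Restore Mode.

```powershell
# Added example (not from the original document): mark a restored container authoritative.
# Run in Directory Services Restore Mode after the nonauthoritative system state restore
# has completed and BEFORE the server is restarted.
# Constructed values: the DN of the recovered OU and the DC name used for the later check.

$subtreeDn = 'OU=Sales,DC=contoso,DC=com'   # constructed example DN of the deleted container
$dcName    = 'DC01'                          # constructed example domain controller name
$ntdsutil  = Join-Path $env:SystemRoot 'system32\ntdsutil.exe'

# Ntdsutil takes its interactive commands as arguments, so the whole sequence can be
# scripted: enter the authoritative restore menu, mark the subtree, then quit twice.
# Marking raises the version of the restored objects so that the restored copies win
# over the current copies (including tombstones) held by replication partners.
& $ntdsutil 'authoritative restore' "restore subtree $subtreeDn" quit quit

# To recover a single object instead of a whole container, replace the subtree command
# with: "restore object $objectDn". Review the ntdsutil output for the number of records
# marked before restarting; a count of zero usually means the DN is wrong.

# After the restart, once replication has converged, the raised version numbers can be
# inspected on any partner with the Windows Support Tools utility Repadmin:
#   repadmin /showobjmeta $dcName $subtreeDn
```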

    Performing a Nonauthoritative Restore

To restore the system state data on a domain controller, you must first start your computer in directory services restore mode. If you attempt to restore System State data while the domain controller is active, you will see the error message shown in the following:


You can restore backed up System State data to an alternate location folder you designate. If you restore the System State data and you do not designate an alternate location for the restored data, Backup will erase the System State data that is currently on your computer and replace it with the System State data you are restoring. Also, if you restore the System State data to an alternate location, on the domain controller from which the backup was made, a location on another computer, or a location on the computer that you want to install as a domain controller, only the registry files, Sysvol directory files, Cluster database information files (if applicable), and system boot files are restored to the alternate location. The Active Directory database, Certificate Services database (if applicable), and COM+ Class Registration database are not restored if you designate an alternate location.

    To nonauthoritatively restore Active Directory, complete the following steps:

    1. Restart the computer.

    2. During the phase of startup where the operating system is normally selected, press F8.

3. On the Windows Advanced Options Menu, select Directory Services Restore Mode and press ENTER.

4. Select your operating system (for example, Windows Server 2003, Enterprise), and press Enter.


5. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.

    6. Log on to your domain as Administrator.

Note When you restart the computer in directory services restore mode, you must log on as an Administrator by using a valid SAM account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline. You specified this password when you set up Active Directory (restore mode password).

    7. In the Desktop message box that warns you that Windows is running in safe mode, click OK.


8. Point to Start, point to All Programs, point to Accessories, point to System Tools, and then select Backup.

    9. On the Welcome To The Backup Or Restore Wizard page, click Next.

    10. On the Backup or Restore page, select Restore files and settings. Click Next.

11. On the What to Restore page, expand the media type that contains the data that you want to restore in the Items to restore box or click Browse. Select the data you want to restore, such as System State, then click Next.


    12. On the Completing the Backup or Restore Wizard page, do one of the following:

    Click Finish to start the restore process.

    Click Advanced to specify advanced restore options.

13. In the Warning message box that warns you that restoring system state will always overwrite current system state, click OK.

14. The Restore Progress dialog box displays status information about the restore process. As with the backup process, when the restore is complete, you can choose to view the report of the restore.


15. Close the report when you have finished viewing it and then click Close to close the restore operation.

16. When prompted to restart the computer, click Yes.

    Specifying Advanced Restore Settings for a Nonauthoritative Restore

1. On the Where to Restore page, in the Restore Files To list, select the target location for the data that you are restoring. The choices in the list are the following:

    Original Location This option restores all files to their original locations and is the default.

When you select this option and click the Next button, a dialog box appears, informing you that restoring system state will always overwrite the current system state information unless you restore to an alternate location. Click the OK button to proceed to the next screen. This option must be selected to restore Active Directory.


Alternate Location Selecting this option reveals the Alternate location: text box and a Browse button that opens the Restore Path dialog box. You can use this option to restore the files to a different location. The original folder structure is preserved and created beneath that folder.

Single Folder This option reveals the Alternate location: text box and Browse button, which opens the Restore Path dialog box. As with the Alternate location setting, you can use this option to restore the files to an alternate location. When this option is selected, all restored files are placed in a single directory, rather than having their directory structures restored.


    2. Click the Next button after making your selection.

3. On the How to Restore page, select how you want to restore the system state data from the following:

Leave Existing Files (Recommended) This option, the default, causes the Restore utility to skip files that are already in the target location. A common scenario leading to this choice is one in which some, but not all, files have been deleted from the restore location. This option will restore such missing files with the backed-up files.

Replace Existing Files If They Are Older Than The Backup Files This option directs the restore process to overwrite existing files unless those files are more recent than the files in the backup set. The theory is that if a file in the target location is more recent than the backed-up copy, it is possible that the newer file contains information that you do not want to overwrite.

Replace Existing Files Always copies the files from the backup media to the DC and replaces all files existing on the DC, regardless of whether they are newer. Any files in the target location that are not in the backup set will remain, however.


    4. After making your selection, click the Next button to proceed.

5. The Advanced Restore Options page contains the following five check boxes:

Restore security settings: This option is selected by default and should remain selected. It restores the extended security data (permissions, auditing information, and ownership) along with the file contents. In some circumstances, difficulties can arise when restoring data that was backed up from a disk formatted with the NTFS file system, which supports file-level permissions, to a disk using the FAT file system, which does not; in circumstances like these, clearing this check box has been known to resolve some of the issues, because the extended security data it restores is not supported by FAT. For a system state restore to a DC, leave it selected: files written without their own security descriptors simply inherit the permissions of the folder they land in, which may be looser than the ACLs the Active Directory database and SYSVOL files originally carried.

Restore junction points, but not the folders and file data they reference: Among other things, junction points are used to reference mounted drives. In Windows Server 2003, volumes can be mounted in folders of another volume instead of being accessed through a drive letter. If you have any mounted drives and you want to restore the data that the mounted drives point to, do not select this check box.

Preserve existing volume mount points: This option relates to the preceding one. When using mounted drives, it is necessary to create mount points, which are the empty folders to which a volume is mounted (thus creating the mounted drive). When selected, this box protects the existing mount points on the volume being restored. This is helpful if you have already formatted the disk to which you are restoring and re-added the mount points before beginning the restore. If, however, you have formatted the disk and have not re-added the mount points manually, clearing this check box restores your old mount points from tape.

Restore the Cluster Registry to the quorum disk and all other nodes: This option restores the cluster quorum database and replicates it to all of the nodes in the server cluster. It is grayed out if the DC is not part of a server cluster. If selected, the Backup Or Restore Wizard stops the Cluster service on all other nodes of the server cluster after the node that was restored reboots.

When restoring replicated data sets, mark the restored data as the primary data for all replicas: Performs a primary restore, which ensures that the restored File Replication Service (FRS) data (SYSVOL, on a DC) is replicated to your other servers. Select this option only when restoring the first replica set to the network. Do not use this option if one or more replica sets have already been restored, because a primary restore makes the restored copy authoritative for the replica set and the other replicas will be overwritten with it.

    6. Click the Next button after making your selections.

    7. Click the Finish button to begin the restore.

8. The restore takes at least a few minutes and displays its progress. When it is finished, click the Close button to close the Restore Progress dialog box, or click the Report button to view the log associated with the job. Clicking the Report button opens the log file in Notepad. Review the log for any error messages, such as those pertaining to files that had to be skipped. When you have finished reviewing the log, close Notepad.

9. Click the Yes button in the Backup Utility dialog box when prompted to restart, and reboot the server normally.

    Performing an Authoritative Restore

There are times when a normal restore of Active Directory isn't sufficient; for example, when you accidentally delete an OU. Within a few minutes, the deletion will have replicated to the other DCs in the domain. If you perform a normal restore in an effort to repopulate the OU back into Active Directory, it will not work: when the DC reboots after the restore and replicates with its replication partners, they hold a more recent (higher version) deletion of the OU, and the restored DC is told to delete the object all over again. To restore the object, you must use an authoritative restore.

An authoritative restore is like a normal restore, up to a point. Once the system state data has been restored, rather than rebooting the server, the Ntdsutil command-line utility is used to mark one or more objects as authoritative. This gives them a very high version number (by default, Ntdsutil raises the version of every attribute of the marked objects by 100,000 for each day that has passed since the backup was taken), so that when the server is rebooted and replication takes place, the other DCs in the domain see the higher version number and replicate the object back into their own copies of the Active Directory database. Bear in mind that the objects come back exactly as they were at backup time: any changes made to them after the backup are lost, and a backup older than the tombstone lifetime cannot be used at all. To restore a database authoritatively, follow the steps from the preceding section up to number 8, and then proceed to these steps:

    1. Click the No button in the Backup Utility dialog box when asked to restart.


    2. Close the Backup utility, if it does not close by itself.

    3. Open a command prompt (click Start | Run and type cmd).

4. Type ntdsutil to enter the Ntdsutil utility. This is an interactive command-line utility, so the command prompt changes to ntdsutil:.

5. Type authoritative restore. The command prompt changes to authoritative restore:.

    6. Use one of the following commands to mark Active Directory or a portion of it as authoritative.

    To authoritatively restore the entire directory, type restore database and press Enter.

Type restore subtree followed by the distinguished name of the object in Active Directory that you want to restore. For example, to restore the Security1 OU in the microsoft.com domain, the command would be:

    restore subtree OU=Security1,DC=Microsoft,DC=COM

The verinc option can be used with either the restore database or restore subtree command, followed by the number to add to the version. Remember, when an object or the database is restored authoritatively, a large version number is applied to it. The verinc option is designed to be used when you need to perform another authoritative restore on top of an existing authoritative restore. It lets you choose your own version increment, thus ensuring that it is higher than the one used previously by the utility. A simple way to confirm the mark took effect is to run repadmin /showobjmeta against the restored object after the reboot and check that the versions of its attributes are now in the hundreds of thousands.
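The steps above, as a scripted ntdsutil session with the checks a practitioner would want around it. This is an added example, not part of the original document or of Microsoft's tooling. It assumes the DC is booted into Directory Services Restore Mode with the system state restore already finished and no reboot yet; the OU distinguished name is the page's own sample value, and the $VersionIncrement parameter is only meant for the "restore on top of an existing authoritative restore" case described above.

```powershell
# Added example (not from the original document). Scripts steps 4 to 6 of the
# authoritative restore and adds a pre-check and a post-check.
param(
    # The page's sample OU; replace with the DN of the object you actually lost.
    [string]$SubtreeDn = 'OU=Security1,DC=Microsoft,DC=COM',
    # 0 = let ntdsutil choose the increment (its default is 100,000 per day since
    # the backup). Set a larger value only when re-restoring on top of an earlier
    # authoritative restore, which is what the verinc option exists for.
    [int]$VersionIncrement = 0
)

# Pre-check: refuse to run unless the DC is in Directory Services Restore Mode.
# Windows sets SAFEBOOT_OPTION to DSREPAIR in that mode; in normal mode the
# variable is absent and ntdsutil would fail anyway, but failing early gives a
# clear message instead of a cryptic one.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "Not in Directory Services Restore Mode (SAFEBOOT_OPTION='$env:SAFEBOOT_OPTION'); aborting."
}

# Build the 'restore subtree' line exactly as you would type it at the
# 'authoritative restore:' prompt. A DN that contains spaces must be wrapped in
# double quotes for ntdsutil; the sample DN has none, so no extra quoting is needed.
$restoreCmd = "restore subtree $SubtreeDn"
if ($VersionIncrement -gt 0) { $restoreCmd += " verinc $VersionIncrement" }

# ntdsutil accepts its interactive commands as arguments, one argument per line
# you would otherwise type: enter the authoritative restore menu, run the restore,
# leave the menu, leave ntdsutil. ntdsutil still shows its "Are you sure...?"
# confirmation box, so this is not fully unattended.
& ntdsutil.exe 'authoritative restore' $restoreCmd quit quit

# Post-check (run after the normal-mode reboot, once the DC is back online):
# every attribute of the restored object should now show a version in the
# hundreds of thousands in the Ver column. If the versions are still small, the
# mark did not take and the deletion will replicate back in from the other DCs.
Write-Host 'After rebooting normally, verify the mark took effect with:'
Write-Host "  repadmin /showobjmeta localhost `"$SubtreeDn`""
```

Run it from an elevated prompt in DSRM as the local DSRM administrator; leave $VersionIncrement at 0 for a first authoritative restore and only raise it when the page's verinc scenario applies, otherwise the second restore may not outrank the first.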


    Shutdown Event Tracker

You've probably noticed that Windows Server 2003 has a new feature that requests a shutdown reason each time you restart the server. This feature is called the Shutdown Event Tracker. The reason you enter is recorded with the shutdown event in the System event log, so before you turn it off on a production DC, weigh the convenience against losing that record of who restarted the server and why.

    To disable this feature, you can perform the following steps:

1. Click Start, click Run, type gpedit.msc, and press ENTER.

2. Expand Computer Configuration and then Administrative Templates. Click the System object. In the right-hand pane you'll see several settings appear.

3. Locate and double-click the Display Shutdown Event Tracker setting. The Display Shutdown Event Tracker Properties dialog box opens.


4. Click the Disabled radio button to disable the Shutdown Event Tracker. Click OK. Close the Group Policy Editor console.
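The same change applied and verified from the command line, as an added example that is not part of the original document. It assumes, as the policy reference documents, that the Display Shutdown Event Tracker setting is stored in the registry values ShutdownReasonOn and ShutdownReasonUI under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability; if your build writes different values, treat those names as an assumption to check with gpedit. The function names are mine.

```powershell
# Added example (not from the original document). Reads and sets the local policy
# behind "Display Shutdown Event Tracker" directly in the registry. Must run elevated.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability'

function Get-ShutdownTrackerState {
    # Reports the state the way the gpedit dialog would: Enabled, Disabled or
    # Not Configured (no policy value present at all).
    if (-not (Test-Path $Key)) { return 'NotConfigured' }
    $on = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).ShutdownReasonOn
    if ($null -eq $on) { return 'NotConfigured' }
    if ($on -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Set-ShutdownTrackerState {
    param([ValidateSet('Enabled', 'Disabled', 'NotConfigured')][string]$State)
    if ($State -eq 'NotConfigured') {
        # Removing the values returns control to the local default (prompt shown).
        if (Test-Path $Key) {
            Remove-ItemProperty -Path $Key -Name ShutdownReasonOn, ShutdownReasonUI -ErrorAction SilentlyContinue
        }
        return
    }
    $on = if ($State -eq 'Enabled') { 1 } else { 0 }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # ShutdownReasonOn switches the tracker on or off; ShutdownReasonUI selects
    # where the prompt appears (1 = Always, as the policy's default choice).
    Set-ItemProperty -Path $Key -Name ShutdownReasonOn -Value $on -Type DWord
    Set-ItemProperty -Path $Key -Name ShutdownReasonUI -Value $on -Type DWord
}

# Show the state, disable the tracker as the steps above do, and show it again.
"Before: $(Get-ShutdownTrackerState)"
Set-ShutdownTrackerState -State Disabled
"After:  $(Get-ShutdownTrackerState)"
```

Because these are Policies keys, a domain GPO that configures the same setting will overwrite whatever you set here at the next policy refresh, which is also the quickest way to spot an unexpected local change: compare Get-ShutdownTrackerState against what the GPO is supposed to deliver.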


i Hierarchical Storage Management (HSM) is a data storage technique that automatically moves data between high-cost and low-cost storage media. HSM systems exist because high-speed storage devices, such as hard disk drives, are more expensive (per byte stored) than slower devices, such as tape drives. While it would be ideal to have all data available on high-speed devices all the time, this is too expensive for many organizations. Instead, HSM systems store the bulk of the enterprise's data on slower devices and then copy data to faster disk drives when needed. In effect, HSM turns the fast disk drives into caches for the slower mass storage devices. The HSM system monitors the way data is used and makes best guesses as to which data can safely be moved to slower devices and which data should stay on the hard disks.

HSM was first implemented by IBM on their mainframe computers to reduce the cost of data storage. The user does not need to know where the data is stored or how to get it back; the computer retrieves the data automatically.
