Active Directory contains information about all objects on a network Each object has a unique set of...

7.1 © 2004 Pearson Education, Inc.

Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

Lesson 7: Performing Active Directory Administrative Tasks

Active Directory contains information about all objects on a networkEach object has a unique set of attributesAttributes are used by administrators to locate objects

To locate objects in Active DirectoryUse the Find dialog box in the Active Directory Users

and Computers consoleThe Find dialog box provides a number of options used

to search for Active Directory objects

(Skill 1)

Searching for Active Directory Objects on a Network




Using the Find dialog boxYou can specify a single attribute or multiple

attributes to locate an object

You can even specify partial values for the objects you are trying to locate

Searching for Active Directory Objects on a Network (3)

(Skill 1)




To locate objects using Active Directory You must have Read permission for the object in

question

Your computers must have certain components enabledWindows Server 2003, Windows 2000, Windows XP,

Windows NT with the Active Directory client enabled

Windows 95/98 with the Active Directory client and Active Desktop enabled


(Skill 1)




Figure 7-2 Setting search attributes

(Skill 1)




You can use the Advanced tab in the Find dialog box to make the search more specific by searching on multiple conditionsField: You can specify the search field you are looking

for based on the attribute of the object you are searching

Condition: You can specify various wildcards, such as Starts with and Ends with, to narrow down the search

Value: Requires you to specify a value for the attribute


(Skill 1)




When administrators search for users, computers, or printersThey use the Start menu, or choose Entire Directory in

the In list box in the Find dialog box in the Active Directory Users and Computers console

They are searching the global catalogOnce they enter the search criteria and select Find Now

The search request is routed to the default global catalog port (3268) and sent to the global catalog

The global catalog allows searching for directory information in all domains in a forest


(Skill 1)




Figure 7-3 Using the Advanced tab to search for an object based on a condition

(Skill 1)




Figure 7-4 Filtering the search results

(Skill 1)




On a Windows Server 2003 network, administrators provide access security for Active Directory objects by setting object permissions

Object permissionsProvide users with access to the objects they will need

to use to perform their jobs

Prevent users from accessing objects that are outside of their areas of responsibility or that would represent a security vulnerability

Setting Standard Active Directory Object Permissions

(Skill 2)




Assigning permissionsA crucial component of managing Active Directory

objects is to assign permissions to users and groups depending on the needs and policies of your organization

Great care must be taken when you assign permissions, particularly when you take into account the multiple groups in which a user may be a member

Setting Standard Active Directory Object Permissions (4)

(Skill 2)




Assigning permissionsA user’s effective permissions are a combination of the

permissions assigned to all groups to which he or she belongs

Assigning different permissions to different groups can change the effective permissions for a user

A denied permission overrides an allowed permission that has been assigned to either a user or group


(Skill 2)




Assigning permissionsTwo categories of permissions

Standard permissions include the most commonly assigned permissions such as Read and Write

Special permissions are used to achieve a more specific level of control over objects than standard permissions


(Skill 2)




Assigning permissionsYou assign security permissions for objects and their

attributes in the Active Directory Users and Computers console

You use the Security tab on the Properties dialog box for an object to assign security permissions to objectsYou can view the Security tab only after you enable Active

Directory’s advanced features

Select Advanced Features on the View menu in the Active Directory Users and Computers console


(Skill 2)




Assigning permissionsBy default, Active Directory objects inherit their access

control lists from the security descriptor for the parent container object

This means that you do not need to apply permissions every time you create a new child object unless you want to change the inherited permissions

The administration of Active Directory objects is simplified by inheritance


(Skill 2)




Assigning permissionsYou can change the inherited permissions

Open the Advanced Security Settings for <object_name> dialog box

Clear the check box: Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here


(Skill 2)




Figure 7-7 The Advanced Security Settings for SERVERA dialog box

(Skill 2)




Assigning permissionsAfter you clear the check box, a message box

provides two optionsThe Copy button allows you to copy the permissions

from the parent object

The Remove button removes all previously inherited permissions from the object


(Skill 2)




Figure 7-8 Preventing permission inheritance

(Skill 2)




Assigning permissionsAfter you choose Copy or Remove, you can make

changes to the allowed permissions for a child object or remove users or groups from the Permissions list

Although this can provide a finer degree of control over objects, the maintenance required increases the administrative burden, so changing inherited permissions should be used cautiously


(Skill 2)




Active Directory provides a centralized database for all network resources It can be used as a single location where network

users can find information about network resources

The process of adding resources to the directory is known as publishing

Publishing Resources in Active Directory(Skill 3)




Publishing Publishing ensures that searchable attributes for a resource

are included in the Active Directory databaseResources that can be published include users, computers,

shared folders, and network services

Commonly used attributes (user and computer names) are published automatically

Other directory data (information about shared folders) must be manually published

Publishing resources ensures that users can use object attributes to quickly and easily locate network objects

Publishing Resources in Active Directory (2)(Skill 3)




Figure 7-9 Publishing a shared folder

(Skill 3)




Figure 7-10 The published folder in the OU

(Skill 3)




Publishing Only Windows 2000 and Windows Server 2003 network

printers are published automatically in Active Directory

You must manually publish information about printers running on down-level operating systems





Publishing When you manually publish a printer, you create a new

PrintQueue object in the Active Directory Users and Computers console

To view PrintQueue objects and other sub-objectsOpen the View menu and select the Users, Groups, and

Computers as containers command

Open the Computers folder and select any computer to display its sub-objects, including printers





PublishingTo publish printers, you must be a member of the

Printer Operators, Domain Admins, or Enterprise Admins group

Printers you want to publish must be shared

You must have the Manage Printers permission for the printer to share or publish it

You can also use the Pubprn.vbs script that is stored in the %systemroot%\System32 folder to publish a printer





In Windows Server 2003, you can publish network services information in Active Directory

When you publish service information, administrators can manage the service from a central location rather than having to go to each individual server or computer

A set of services is published in Active Directory by default, but you can add to this list as necessary

Publishing Network-enabled Services(Skill 4)




Publishing services Creates a service-centric model that allows clients to

more easily access services, because they will not need to store the location of the resource

Any published service can be made available from any Windows Server 2003 server

A specific computer does not need to be used to perform a task

Users need to know only the name of the service they want to use

Publishing Network-enabled Services (2)(Skill 4)




You use the Services container in the Active Directory Sites and Services console to publish and manage network services informationThe Services container does not appear in the console

by default

To view it, toggle on the Show Services command on the View menu

Services are published using programming interfaces, such as ADSI

Publishing Network-enabled Services (6)(Skill 4)




Figure 7-13 Displaying the Services container

(Skill 4)




Figure 7-14 Changing permissions for a service certificate template

(Skill 4)




Depending on the size and infrastructure of the organization, objects can be movedWithin a domain

Between domains

Between sites

Moving Active Directory objects from one container to another within a domain is performed in the Active Directory Users and Computers console

Moving Active Directory Objects Within a Domain

(Skill 5)




Restrictions apply to moving objects in Active DirectoryAfter an object has been moved to a new container

It ceases to retain the permissions of the old container

It inherits the permissions of the new container

Permissions assigned directly to the object remain with the object even after you move it to a new location

Moving Active Directory Objects Within a Domain (2)

(Skill 5)




You can use the Dsmov.exe utility at the command prompt to move objects within a domain

You must be a member of the Domain Admins or Enterprise Admins group, or have the appropriate authority to perform this procedure

Moving Active Directory Objects Within a Domain (3)

(Skill 5)




Figure 7-15 The Move dialog box

(Skill 5)




Figure 7-16 The user object in its new location

(Skill 5)




Two command-line utilities are available to move objects such as users, computers, and OUs across domains

Movetree utility Is included in the \Support\Tools folder on the Windows Server

2003 installation CD

You must first install it, because it is not available by default

Does not un-join the computer from its previous domain or join it to its new domain, so computer accounts are typically invalid after the move

Netdom utility is the suggested tool for moving computer accounts

Moving Active Directory Objects Between Domains

(Skill 6)




Security ID (SID)Every object has a unique SID in the domain

When an object is moved between domains, the SID for that object becomes invalid and a new SID is created for the object in the new domain

The old SID information, including the security settings, is stored in SIDHistory, a security field available in Windows 2000 Server and Windows Server 2003

Moving Active Directory Objects Between Domains (2)

(Skill 6)




Security ID (SID)The information in SIDHistory is used when users log

on to a networkDuring logon, along with the new SIDs, the old SIDs in the

SIDHistory field are also considered and added to the access token for the objects

This helps users to retain some of their old access permissions

In contrast to SID, the GUID (a unique reference number for an object) remains unchanged after you move an object from one domain to another


(Skill 6)




Movetree To move objects between domains, you must run the

Movetree utility from the command prompt

Alternatively, you can create a batch file and run the file from the Start menu

To view the complete syntax for the Movetree command, enter Movetree /? at the command prompt


(Skill 6)




As an administrator, you must control replication and monitor server performance to ensure users are able to log on within a reasonable amount of time

You may occasionally need to move domain controllers between sites to create an efficient replication topology and accomplish this task

Moving a Domain Controller Between Sites(Skill 7)




Although the first domain controller is always created in the Default-First-Site-Name site, you can create subsequent domain controllers in any site and later move them to other sites

You move domain controllers between sites in the Active Directory Sites and Services console

Moving a Domain Controller Between Sites (2)(Skill 7)




Figure 7-18 The Move Server dialog box

(Skill 7)




Figure 7-19 The domain controller in its new location

(Skill 7)




NetdomUsed to move workstations and member servers

between domainsThis utility is installed along with the Movetree utility

when you install the Windows Server 2003 Support Tools from the Windows Server 2003 CD

Domain controllers cannot be moved across domainsTo move a domain controller from one domain to

another Demote the domain controller to a member server Use Netdom to move it to the required domain

Moving a Domain Controller Between Sites (3)(Skill 7)




Delegation of control The process of giving other users or administrators

permissions for Active Directory objects to distribute the administrative load

Decentralizes administration to various levels of the organization, thus reducing the centralized administrative burden

Delegating Active Directory Permissions(Skill 8)




Delegation of control is available at all levels of the hierarchyYou can delegate the ability to modify all domain

objects

You can delegate the ability to modify all OU objects

You can even delegate control over just a single object Delegation at the OU level is more common than

delegation at the object level

To delegate control to OUs or containers, you use the Delegation of Control Wizard

Delegating Active Directory Permissions (2)(Skill 8)




Figure 7-22 The Users or Groups screen in the Delegation of Control Wizard

(Skill 8)




Guidelines for effectively managing Active Directory

Understand the policies and requirements of your organization before you plan the delegation of control

Make sure that users who are delegated tasks are fully aware of Active Directory and its functions

Delegate control at the domain, site, or OU level, rather than over individual objects





Guidelines for effectively managing Active Directory

Deny permissions sparingly

Make sure you provide the correct permissions to users to enable them to perform their duties properly

Document your Active Directory object control decisionsServes as a future reference

Helps you to better manage Active Directory objects





Figure 7-23 The Tasks to Delegate screen

(Skill 8)




Recovery Console command-line interfaceOne of several useful tools available for troubleshootingUsed to resolve complex system problems when a full

system boot is not availableNot installed by defaultTwo ways to install it

Run the winnt32 /cmdcons command from the I386 folder on the Windows Server 2003 installation CD

Launch the Recovery Console after you boot the computer from the Windows Server 2003 Server CD

Troubleshooting Active Directory (Skill 9)




To access the Recovery Console, log on using the Administrator account

Recovery Console tasksStarting and stopping services

Formatting drives

Copying files from the installation CD to local hard disks

Troubleshooting Active Directory (2) (Skill 9)

Active Directory contains information about all objects on a network Each object has a unique set of...

Documents

Transcript of Active Directory contains information about all objects on a network Each object has a unique set of...