Comparisons with Schema Default Permissions

To verify whether an Active Directory object retains all the permissions that were set at the moment of its creation, use a command similar to the following:

C:\> acldiag "OU=Staff,DC=net,DC=dom" /schema /skip
Security Diagnosis for OU=Staff,DC=net,DC=dom
Schema defaults: Present. Obtained At CREATION

In the case shown, the tool reports that the object kept all permissions assigned upon its creation. If some permission has been removed, the tool displays the message To see the default (schema)...

Creating Authoritative Zones

On the Windows .NET DNS server, we need to create the four dynamic authoritative zones that the domain requires in order to function. These zones will answer the DNS queries that the preferred server could not resolve. In our scenario, all of these zones' names have the net.dom suffix. (In general, these zones can be either standard or Active Directory-integrated.) The zones created will be the following. Furthermore, we also have to allow dynamic updates of these zones. Fig. 4.6...

Viewing the Flags of a Domain Controller

IADsTools has many functions that allow administrators to gather information about the configuration of Active Directory. For example, here is a script that displays the flags, i.e., the functional roles, of a specified DC. You can get the same information by entering nltest /dsgetdc:<domainName> at the command prompt. (For additional information on Nltest, see Chapter 11, Verifying Network and Distributed Services.) Listing 17.19. getDcInfo.vbs: Getting a Domain Controller's Flags. Dim...

Resultant Set of Policy (RSoP)

Resultant Set of Policy is a technology that gathers the group policy settings applied to user and computer objects from all levels of the Active Directory object hierarchy, from site to organizational unit (local GPOs included). It uses Windows Management Instrumentation (WMI) to retrieve data from the Common Information Model Object Manager (CIMOM) database. Administrators can use this technology through the following features: the GPResult command-line tool (described above), the...

Group Mapping and Merging

The Group Mapping and Merging Wizard helps administrators reorganize groups and can perform the following operations:
- Assign group members' rights to a target group.
- Copy the SIDs of selected groups from different source domains to a target group (you can perform this operation manually by using the SIDHist.vbs script).
- Add all users that are members of the source groups to a target group. This last operation should be performed only after all member accounts have been migrated.

Migrating Domain Trusts

Let...

IP Deny List

You can prevent a domain controller from answering LDAP queries from specific IP addresses. To do so, edit the lDAPIPDenyList attribute of the directory object CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<ForestDnsName>. Each value is an octet string that holds the ASCII text "<address> <mask>". Two examples follow: the string of ASCII codes

31 39 32 2E 31 36 38 2E 31 2E 31 2E 31 32 33 20 32 35 35 2E 32 35 35 2E 32 35 35 2E 32 35 35

defines the single node 192.168.1.123 (mask 255.255.255.255), and the string 31 39 32 2E 31 36 38 2E 31 2E 30 20 32...

Removing Lingering Objects

When a DC has been offline for a period that exceeds the tombstone lifetime, objects that were deleted in the meantime can no longer be removed from it by replication: the other DCs have already purged their tombstones for those objects, so the formerly offline DC still holds them as live objects (lingering objects). The following sample command removes such objects from the target DC by comparing its replica of the partition with the replica on a source DC, which is identified by its DSA GUID:

C:\> repadmin /removelingeringobjects netdc4.net.dom df69f38c-c924-492d-a7e6-3b0b1bc7dcc5 DC=net,DC=dom
RemoveLingeringObjects sucessfull on netdc4.net.dom.

The target DC is...

Comparing Information on Different Domain Controllers

A command that compares the partition replicas stored on different servers must contain the DNS name of a reference server and the GUID of a source (tested) server. All changes made on the source server will be listed. This command essentially performs the same job as the DsaStat tool. The output shown below was obtained while a great number of user objects were being removed on the NETDC1 domain controller.

C:\> repadmin /getchanges DC=net,DC=dom netdc4.net.dom...

Converting Directory Time (/showtime)

RepAdmin can convert time values stored in Active Directory into a readable format. (See also the NLtest description at the beginning of this chapter.) Let us convert the same value, 126679218485309520. Enter repadmin /showtime at the command prompt and paste the value in. Erase the seven rightmost digits (the stored value counts 100-nanosecond intervals since January 1, 1601; dropping seven digits leaves whole seconds) and press <Enter>. The result should be the following:

C:\> repadmin /showtime 12667921848
12667921848 0x2f31125b8 2002-06-07 11:10:48 UTC 2002-06-07 15:10:48 local

You may notice that both UTC...
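The manual "erase seven digits" step is a division by 10,000,000. The Python below is an added example (not the book's code) that performs the same conversion the tool does, reproduces the /showtime line for the value in the text, and also recombines the HighPart/LowPart DWORDs that ADSI's IADsLargeInteger interface exposes, since that is how a VBScript obtains such a value in the first place. The local offset is an input (the text's example machine was at UTC+4); the sentinel handling for 0 and 0x7FFFFFFFFFFFFFFF (the "never" value of accountExpires) is an assumption about the values a practitioner meets, not something the text states.

```python
"""Directory time (FILETIME-style Large Integer) conversions (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # one tick = 100 ns
NEVER = 0x7FFFFFFFFFFFFFFF             # accountExpires "never" (assumed sentinel)


def large_integer_to_int(high_part: int, low_part: int) -> int:
    """Recombine the HighPart/LowPart DWORDs of an IADsLargeInteger into one
    unsigned 64-bit value. VBScript hands LowPart back as a signed Long,
    so it is masked before the two halves are joined."""
    return ((high_part & 0xFFFFFFFF) << 32) | (low_part & 0xFFFFFFFF)


def directory_time_to_datetime(ticks: int) -> datetime | None:
    """100-ns ticks since 1601-01-01 UTC -> aware UTC datetime.
    0 and NEVER are sentinels ('not set' / 'never'), not dates: return None."""
    if ticks in (0, NEVER):
        return None
    if not 0 < ticks < NEVER:
        raise ValueError(f"not a directory time value: {ticks}")
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def showtime_argument(ticks: int) -> int:
    """The manual step from the text: erase the seven rightmost digits,
    i.e. reduce the value to whole seconds since 1601 for repadmin /showtime."""
    return ticks // TICKS_PER_SECOND


def format_like_showtime(ticks: int, local_offset_hours: int) -> str:
    """Render the value the way the text shows /showtime printing it:
    decimal seconds, hex, UTC time and local time. repadmin uses the
    machine's time zone; here the offset is an explicit input."""
    seconds = showtime_argument(ticks)
    utc = EPOCH_1601 + timedelta(seconds=seconds)
    local = utc.astimezone(timezone(timedelta(hours=local_offset_hours)))
    return (f"{seconds} {seconds:#x} {utc:%Y-%m-%d %H:%M:%S} UTC "
            f"{local:%Y-%m-%d %H:%M:%S} local")


if __name__ == "__main__":
    value = 126679218485309520            # the value converted in the text
    print(format_like_showtime(value, local_offset_hours=4))
    print(directory_time_to_datetime(value))
    print(directory_time_to_datetime(NEVER))   # None: "never"
```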

Granting and Removing Permissions

Let us now consider a couple of examples of how to modify security descriptors. The first command grants the user jsmith@net.dom the Generic Read right (List Contents, Read All Properties, and Read Permissions) for all objects in (and including) the Staff OU:

C:\> dsacls "OU=Staff,DC=net,DC=dom" /G jsmith@net.dom:GR /I:T

You may verify the result of the operation with any of the means already mentioned. The second command prevents the user from reading two properties of the OU object: C...

Exporting and Re-Importing Objects

Export operations are usually successful. (The worst-case scenario is an export file that does not contain all the objects you expected.) Keep only the following in mind: when you specify a list of attributes (with the -l parameter) in the export command, LDIFDE and CSVDE write nothing for attributes that have no value on an object. Therefore, you might need to manually add those attributes' names (if you need them) to the import file and...

Using User Principal Names (UPN)

The concept of user principal names can considerably simplify the logon process in large domain trees. While logging on, domain users can specify their names in one of two ways:
- Enter a UPN, such as user@DNSdomainName (in this case, the domain list becomes unavailable).
- Enter a pre-Windows 2000 (SAM account) user name (without the @ symbol) and then select a domain from the list.
Each method has certain advantages. It may be inconvenient to enter long domain names,...

Saved Queries

This is a new feature available in Windows .NET only. An administrator can create one or more queries using LDAP filters and save them in the snap-in for subsequent use. These queries let him or her quickly select only the necessary objects, which simplifies work with a large number of directory objects of a specific type (user, group, computer, etc.). All queries are stored in the Saved Queries folder in the snap-in's tree pane and can be organized in a folder structure (see an...

Reading Property Values of Different Types

Some problems may arise when you attempt to display the values of certain properties. This is often due to the selection of an inappropriate format. The following example program displays several property types. Some types, such as Large Integer, NT Security Descriptor, or Octet String (for example, the objectSid property), require special conversion procedures. Take note of the obj.Guid method inherited from the IADs interface. It produces a string that can be used for binding to the object (in the...

Moving User and Group Accounts

The destination container must already exist before a user or group account is moved. The object can be renamed while being moved; you only need to specify the appropriate distinguished names with the /sdn and /ddn parameters. Local and global groups must be empty when moved. (Only universal groups retain all their members when moved.) Otherwise, a message similar to the following appears in the movetree.chk file:

ERROR: 0x2132 Cross-domain move of non-empty account groups is not allowed....

Using the Resultant Set of Policy Snap-in

The Resultant Set of Policy (RSoP) snap-in can be started as a standalone snap-in from an MMC console, or it can be launched from either the Active Directory Users and Computers or the Active Directory Sites and Services snap-in. Let us first discuss the former option. You can run the RSoP snap-in on any domain client computer running Windows XP or Windows .NET. The necessary steps are the same on both systems; the only difference is how the snap-in is configured. On Windows XP, the snap-in is configured...

Using the Performance Counters

Performance counters are very useful to monitor replication events, especially the replication traffic. To start monitoring, run the Performance snap-in (from the Administrative Tools group). Select System Monitor and click the Add button on the taskpad. Select NTDS in the Performance object list and add the counters shown in Fig. 6.1. (The Report View seems to be the most useful in this case.) All counters have zero values immediately after startup of the DC. (The NTDS performance object has a...

Logging Diagnostic Events

On Active Directory domain controllers, the registry key contains diagnostic entries (19 in total on Windows 2000, 24 on Windows .NET) that represent the event categories Active Directory can record in the Directory Service log. Each entry has a REG_DWORD value from 0 to 5, which sets the level of detail of the logged events. At the default level 0, only critical events are logged; this is the normal value for most entries. The super-verbose level 5 should be used with...

Importing and Exporting Modifying Directory Objects

By default, every Windows 2000- or Windows .NET-based domain controller has two utilities installed, LDIF Directory Exchange (LDIFDE.exe) and CSV Directory Exchange (CSVDE.exe), that are primarily intended for bulk operations. Unlike the Ds* family of tools (DsQuery.exe, DsAdd.exe, DsMod.exe, etc.), these utilities can save results in a file for subsequent operations and read data from a file. You can use these utilities to export Active Directory information to a text file (in LDIF or CSV format)...

Verifying the DNS Service

After you have installed the DNS service on a Windows 2000 or .NET Server, or if you already have a functioning Microsoft DNS server (or a third-party DNS server), you may wish (or rather, need) to verify the DNS configuration. This is especially important if you use an outside DNS server (a server running on a remote computer or even in another organization). It is not enough that you yourself think all DNS parameters are properly set; rather, the system and program tests should...

WMI Filters

In Windows .NET-based domains, you can make the application of a GPO depend on a property of the client computer. Let me explain this with the following example. Suppose we want to assign a group policy setting (a GPO) only to users or computers working on Windows 2000 Professional systems, so that the GPO in no way affects other users or computers. The following procedure permits us to carry out this task: 1. Create a new GPO. You can select an existing GPO; however, it would be better to use a...

Domain Modes and Functional Levels

Let us first discuss certain general domain and forest functionalities that, to some degree, are common to both Windows 2000 and Windows .NET domains. Windows 2000 domains can operate in either the default mixed mode (when a domain can contain Windows NT 4.0 Backup Domain Controllers, BDCs) or native mode (when a domain contains only Windows 2000-based domain controllers). When a domain's mode is changed to native, the following considerations should be taken into account: domain controllers (DCs) no longer...

Delegating Administrative Control

One of the most remarkable features that Active Directory provides is the possibility of delegating all or part of the administrative power over an OU or a directory container to a group or a user (in both Windows 2000 and Windows .NET domains). Delegation of control is essentially the same thing as wizard-aided granting of permissions on Active Directory objects to a user or group. You can manually assign the permissions necessary for performing an administrative task to a user or group, but this...

Roles: Managing FSMO Roles

NTDSutil allows an administrator to manipulate FSMO roles: to view and transfer them. See Chapter 7, Common Administrative Tasks, to learn how to dump the names of all FSMO role owners. In this section, we'll discuss how to designate a DC as a role owner by using NTDSutil. You can choose either of the following options. Seize role: this command designates the connected server as the specified role master. The command must be used only when the DC (the current master) has severely crashed and cannot be...

Windows .NET Server Domains: Active Directory

Copyright 2003 A-LIST, LLC. All rights reserved. No part of this publication may be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means or media, electronic or mechanical, including, but not limited to, photocopy, recording, or scanning, without prior permission in writing from the publisher. 295 East Swedesford Rd. PMB 285, Wayne, PA 19087. 702-977-5377 (FAX). mail alistpublishing.com. http://www.alistpublishing.com. All brand names and product names mentioned in...

Verifying Replication

DCdiag allows an administrator to resolve replication problems quite well. Let us suppose that a site contains three domain controllers, one of which refuses to replicate with its partners. The following command tests all DCs and checks for replication issues on each of them:

C:\> dcdiag /test:Replications /a /v

Only failed replication events will be included in the resulting report. The output of this command is the following:

Verifying that the local machine netdc1, is a DC. Connecting to directory...

Basic Active Directory Administrative Snap-ins

Both Windows 2000 and Windows .NET systems use the same set of snap-ins for administering Active Directory. For the most part, these tools have not changed in the new version: they perform the same functions (although in Windows .NET, all of them have some additional features). Therefore, an administrator acquainted with Windows 2000-based domains can easily master the commonly used operations in the Windows .NET environment. After a Windows .NET Server has been promoted to a domain controller, new...

Kerberos List (KList.exe) (RK)

This command-line tool has practically the same capabilities as the Kerberos Tray tool described earlier. It has the following commands: klist tgt displays the initial TGT; klist tickets lists all cached tickets; klist purge allows you to delete a specific ticket in a dialog. Here is an example of such a dialog:

Server: krbtgt/SUBDOM.NET.DOM@NET.DOM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 6/12/2002 1:33:40
Renew Time: 6/18/2002 15:33:40
Purge? (y/n): y
Deleting...

Appendix C: ADSI Interfaces Supported by the LDAP and WinNT Providers

The following table lists all interfaces (42 in total) supported by either the LDAP or the WinNT provider, or by both. The last column indicates which of 10 categories an interface belongs to. First of all, get acquainted with the core interfaces.

Interface name    LDAP    WinNT    Category

Managing Replication Status (DSA Options)

Each Directory System Agent (DSA) is represented in Active Directory by an object of the nTDSDSA class named CN=NTDS Settings that belongs to the appropriate server object in the Configuration partition. You can view the attributes of DSA objects with the ADSI Edit snap-in. DSA objects have the options attribute, which significantly affects their state and behavior. An administrator can set the value of this attribute by using RepAdmin with the undocumented /options parameter. Let us discuss a few...
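The options attribute is a bit mask, so the value ADSI Edit shows is only useful once decoded. The Python below is an added example (not the book's code) that decodes the attribute with the bit values defined for nTDSDSA options (IS_GC = 1, DISABLE_INBOUND_REPL = 2, DISABLE_OUTBOUND_REPL = 4, DISABLE_NTDSCONN_XLATE = 8, the same flag names repadmin /options accepts with + and -), computes the value that setting or clearing a flag produces, and flags DCs whose replication has been switched off in either direction, since such a DC silently stops converging with its partners, whether by accident or because someone isolated it. The SAMPLE_OPTIONS values are constructed.

```python
"""Decoding and checking the options attribute of nTDSDSA objects (added example)."""
from __future__ import annotations

# Bit values of the nTDSDSA options attribute.
NTDSDSA_OPT_IS_GC = 0x1
NTDSDSA_OPT_DISABLE_INBOUND_REPL = 0x2
NTDSDSA_OPT_DISABLE_OUTBOUND_REPL = 0x4
NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE = 0x8

OPTION_NAMES = {
    NTDSDSA_OPT_IS_GC: "IS_GC",
    NTDSDSA_OPT_DISABLE_INBOUND_REPL: "DISABLE_INBOUND_REPL",
    NTDSDSA_OPT_DISABLE_OUTBOUND_REPL: "DISABLE_OUTBOUND_REPL",
    NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE: "DISABLE_NTDSCONN_XLATE",
}
KNOWN_MASK = sum(OPTION_NAMES)


def decode_options(options: int) -> list[str]:
    """Integer value of the options attribute -> list of flag names.
    Bits this table does not know are reported rather than silently dropped."""
    names = [name for bit, name in OPTION_NAMES.items() if options & bit]
    unknown = options & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def apply_option(options: int, flag: int, enable: bool) -> int:
    """Attribute value after 'repadmin /options <dsa> +FLAG' (enable=True)
    or '-FLAG' (enable=False)."""
    if flag not in OPTION_NAMES:
        raise ValueError(f"unknown flag 0x{flag:x}")
    return options | flag if enable else options & ~flag


def replication_findings(dsa_options: dict[str, int]) -> list[str]:
    """Monitoring check over {server: options}: every DC with inbound or
    outbound replication disabled is a finding, because it no longer
    converges with its partners (stale data, missed deletions, missed
    password and group changes)."""
    findings = []
    for server, options in sorted(dsa_options.items()):
        if options & NTDSDSA_OPT_DISABLE_INBOUND_REPL:
            findings.append(f"{server}: inbound replication disabled")
        if options & NTDSDSA_OPT_DISABLE_OUTBOUND_REPL:
            findings.append(f"{server}: outbound replication disabled")
    return findings


# Constructed values, as they would be read from the options attribute.
SAMPLE_OPTIONS = {"netdc1": 1, "netdc2": 0, "netdc3": 6, "netdc4": 0x11}

if __name__ == "__main__":
    for server, value in SAMPLE_OPTIONS.items():
        print(f"{server}: {value} -> {decode_options(value)}")
    for finding in replication_findings(SAMPLE_OPTIONS):
        print("FINDING:", finding)
```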

Exact policies applied to the computer account Resultant Set Of Policies for Computer

N/A means that the GPOs that affect this computer account do not contain policy settings of that kind.

Startup Scripts: LastExecuted 2:28:49 PM
Shutdown Scripts
GPO: Default Domain Policy (account policies can be defined at the domain level only). Computer Setting: N/A
GPO: Default Domain Policy. Policy: PasswordHistorySize. Computer Setting: 3
GPO: Default Domain Policy. Computer Setting: N/A
GPO: Default Domain Policy. Policy: LockoutBadCount. Computer Setting: N/A
GPO: Default Domain Policy. Policy...

Active Directory Service Interfaces ADSI

- MSDN Library: Platform SDK, ADSI, and other technical programming information.
- Active Directory Service Interfaces Overview: links to resources and downloads. It is advisable to download the updated version from the Microsoft Platform SDK page. You can select and download only the necessary files: Microsoft Active Directory Services Interfaces 2.5 and SDK, or Active Directory SDK (code and documentation).
- MSDN Online, Windows Development Center: online documentation (click Networking and Directory...

Analyzing RSoP Data in Domain

From the Active Directory Users and Computers snap-in, you can obtain the RSoP data for any user, computer, or OU. The Active Directory Sites and Services snap-in will help you run an RSoP query on a site. In all cases, the Resultant Set of Policy Wizard is used to prepare a query. There is nothing difficult in testing group policy settings, and you will see this for yourself if you run the wizard two or three times. Using an example, let us discuss how to prepare an RSoP query for a domain or...

Seizing a Role

Suppose a DC that holds the Infrastructure FSMO role was destroyed, and you want this role to be designated to another DC. The following dialog shows how to forcibly transfer the role to a new candidate server, netdc1.net.dom (comments are in bold square brackets):

server connections: connect to server netdc1.net.dom
Connected to netdc1.net.dom using credentials of locally logged on user
fsmo maintenance: seize infrastructure master
[The Role Seizure Confirmation Dialog will appear; click Yes.]

First, the...

Windows Domain Scenario

To pre-create a computer account for a Windows NT 4.0 BDC, log on to the domain with an administrative account on any Windows 2000 domain member and perform the following operations:
1. Start the Server Manager (enter srvmgr at the command prompt); this version is supported on Windows 2000. Do not use the Server Manager from the Windows NT 4.0 installation.
2. Select Add to Domain from the Computer menu.
3. Select Windows NT Backup Domain Controller, enter the BDC computer name, click Add, and then...

Retrieving Information from a RootDSE

From the following script, you can learn how to access the RootDSE object and use two popular interfaces, namely IADsPropertyList and IADsPropertyEntry. RootDSE is the main source of information about the names of Active Directory partitions and Directory Service Agents. See Chapter 2, Active Directory Terminology and Concepts, for detailed information on RootDSE. This script can also serve as an example of handling ADSI errors. Listing 17.2. getRootDSE.vbs: Reading the Attributes of a RootDSE...

Requirements and Restrictions

The Active Directory can be installed only if several critical conditions are met. The Active Directory Installation Wizard DCpromo.exe will check different parameters depending on the type of DC that is being created. Among these conditions are the following Active Directory can be installed only on a NTFS 5.0 formatted disk partition. This partition must have at least 250 MB of free space. This does not mean that all that space will be employed at once the default size of the Active Directory...

Advertising a Server as a Domain Controller

Here are the methods that will let you identify whether a Windows 2000- or Windows .NET-based server is a domain controller after its promotion or a normal reboot:
- The registry key must contain the NTDS subkey.
- Enter net accounts at the command prompt. The Computer role of a domain controller is PRIMARY, while standalone servers identify themselves as SERVER.
- Enter net start at the command prompt. The list of running services must contain the Kerberos Key Distribution Center (KDC) service....

Chapter 2: Active Directory Terminology and Concepts

This chapter relates to basic Active Directory elements, features, and requirements that will be mentioned repeatedly in the other chapters of the book. You should have a solid understanding of all these concepts and ideas before you go any further. If a term is not clear to you, you can easily find detailed information in other sources. For example, you can use the search function and quickly find an exhaustive description of any term including its relation to other Active Directory elements...

Selecting a Domain Controller

A Group Policy Object Editor snap-in is always targeted to a specific preferred domain controller. Notice the This list obtained from line in Fig. 7.35. By default, all Group Policy Object Editor snap-ins started on computers that belong to the sample domain net.dom will select the name DC. There are some rules that define this behavior of the snap-in. To verify or change the default settings of a Group Policy Object Editor snap-in, point to the root node in the tree pane and click View DC...

Adding and Removing Partition Replicas

To provide fault tolerance or increase the performance of an application partition, create a copy of that partition on several domain controllers, i.e., add them as partition replicas. The following command designates the NETDC2 domain controller as a replica of the app-part.net.dom application partition, and the second command lists the replicas:

domain management: add nc replica DC=App-Part,DC=net,DC=dom netdc2.subdom.net.dom
domain management: list nc replicas DC=App-Part,DC=net,DC=dom

The application directory partition...

Viewing Information on Network Topology

In a multiple-site network, the site a client computer belongs to is not configured on that computer in any way. The site is selected on the basis of the client's IP address and the subnet objects defined in Active Directory. The following command will help you find the site to which the local or remote computer has been assigned after it has booted and logged on to the domain:

The command completed successfully

Add /server:<computerName> for a remote computer. Sometimes, a domain controller can serve...

Searching Active Directory for Objects

There are several ways of treating directory objects of the same type (enumerating objects). Generally, the preferable way is the following:
1. Use ActiveX Data Objects (ADO) to search Active Directory and obtain the set of necessary objects. Remember that access through ADO is read-only.
2. Bind directly to an object found.
4. Repeat Steps 2 and 3 for the next object found.
Nevertheless, it is also possible to filter, or enumerate, the child objects located in containers. This approach...

Other Name Types Used in Active Directory

SAM account names are required for compatibility with down-level clients. A SAM name must be unique within a domain.
Globally Unique Identifiers: the Globally Unique Identifier (GUID) is a 128-bit number that uniquely identifies the object from the moment it is created. It never changes, and it ensures that the object can still be addressed even after it has been renamed or moved.
Fully Qualified Domain Name (FQDN), also known as the full computer name: this is a concatenation of...

Windows .NET Support Tools

Sometimes, administrators forget or simply do not know that each Windows 2000 or Windows .NET (as well as Windows XP) installation CD contains a pack of powerful tools named Windows Support Tools. This pack is the same for both the Professional and Server versions of Windows 2000. Windows .NET servers have more recent versions of the Support Tools than Windows XP. The pack must be installed separately from the operating system itself. Run the Setup.exe or Suptools.msi file from the SUPPORT\TOOLS...

Normal Replication Intervals

There are two default methods of replicating object changes in Active Directory forests. Change notification is usually used between DCs within a site. If a DC updates an object attribute, it sends a notification to its first replication partner after a specified interval (5 minutes by default). Then the partner pulls the changes from the originating DC. You can change the default interval (300 seconds) by modifying the Replicator notify pause after modify (secs) value under the registry...

Moving an OU Subtree

Moving OUs with all their child objects is arguably the most attractive feature of MoveTree. You must take into consideration the fact that when an OU is moved, it retains all links with the Group Policy Objects (GPOs) assigned to it. It is necessary to re-create these GPOs in the new domain and break the links with the GPOs from the old domain. Suppose, for example, that we would like to move the Personnel OU from the net.dom domain to the subdom.net.dom domain and rename it Staff. You must have...

Well-Known SIDs and RIDs

Let us first clarify some terms used below. The unique Security Identifier (SID) of a security principal (i.e., a user, computer, or group account) is what access rights to shared network resources are granted to. The SID is composed of two parts: a unique domain part, which is the same for all principals within the domain where they reside, and a Relative Identifier (RID), which uniquely identifies the principal within the domain. Note: Windows .NET domains offer a new security principal class...

Making a Custom MMC Console

Most standard administrative tools can be started from the Start | Administrative Tools menu or can be added to a custom MMC console. Tools such as the Active Directory Schema Manager snap-in or the Group Policy Object Editor snap-in must always be added to an MMC document first:
1. Enter mmc in the Start | Run window.
2. Press <Ctrl>+<M>, or select the Console | Add/Remove Snap-in command. Click Add in the window that opens.
3. Select the desired snap-in in the Add Standalone...

Active Directory Essentials and Components

Let us first consider what essential information is necessary to comprehend in order to deploy and manage both Windows 2000 and Windows .NET domains. You may skip this section, if you are familiar with Active Directory basics, and go to the new features' description. The Active Directory elements considered in this section will be addressed later, in subsequent chapters. If you find that you are not completely grasping the meaning of a particular word, just search for it in Help and Support...

Parameters

Table 12.1 lists some of the most frequently used parameters of both utilities, LDIFDE and CSVDE.

Table 12.1. Some Parameters of the LDIFDE and CSVDE Utilities

Parameter   Description and comments                                        Meaning or value if the parameter is omitted
-f          Input or output filename; "-f con" can be used for output       Required parameter
            to the console.
-s          DC name.                                                        The name of the DC the user is currently logged on to
-t          Port number. The Global Catalog port (3268) can also be used.   389
-d          Search base.                                                    Domain naming context
-c          Replace all...

Active Directory Sites and Services Snap-in

The Active Directory Sites and Services snap-in is the main GUI tool that allows an administrator to configure Active Directory as a distributed network service. Other administrative tools consider Active Directory as a whole, at a logical level. You might almost forget about this snap-in in a small, single-site network with just a few domain controllers. However, in large networks with many sites, this snap-in becomes one of the essential administrative tools. The Active Directory Sites and...

LDAP Default Query Policy

By default, the Default Query Policy is used (albeit not explicitly set) on every domain controller. It is stored in the CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,... object. The lDAPAdminLimits attribute contains all LDAP administrative limits. To assign a query policy to a site, create a query policy object and specify its distinguished name in the queryPolicyObject attribute of the NTDS Site Settings object (of the nTDSSiteSettings object class). Every site has a similar...

Remote Administration Scripts

The Windows 2000 Server Resource Kit contains a collection of scripts called Remote Administration Scripts. Windows .NET Server Resource Kit will most likely include them, too. Professional versions of the Resource Kits also contain many useful scripts. You can use these scripts not only for performing various administrative tasks, but as a cookbook, too, while learning ADSI basics and creating your own scripts. All scripts are located in the Ras.cab file on the Windows 2000 Resource Kit CD and...

Working with Container Objects Domains and OUs

When working with container objects, you must always remember that the combination of the search base and the LDAP filter defines the result of the operation either you export only container objects of the specified type, or you export an entire container. Compare, for example, the following two commands. The first command exports all OU objects from the current domain remember the default values for the omitted -l, -d, and -p parameters The second command exports an entire subtree, i.e., all...

Active Directory Diagnostic Tool (NTDSutil.exe)

This utility is automatically installed on every domain controller (in the %SystemRoot%\system32 folder). One could hardly say that this tool is for everyday use, but every administrator must be familiar with its features, since it is used in certain operations that are very important for Active Directory functioning, such as Active Directory restore, offline defragmentation, FSMO role manipulation, and so on. Moreover, NTDSutil has become one of the major tools for deploying and maintaining...

Working with Global Catalog

Being able to work directly with a global catalog GC server may be helpful while troubleshooting the problems related to GC replication. You can connect to different GC servers and compare the values of stored attributes see also the description of DsaStat.exe in Chapter 11, Verifying Network and Distributed Services . You can also verify the representation of attributes in a GC. This process can be controlled via the Active Directory Schema Manager snap-in, see the next section. Note Only some...

Clone Principal Samples

Let us now consider some examples of how to use ClonePrincipal. Every parameter of every ClonePrincipal script is mandatory. You can view the parameter list for each script by entering the script name and a question mark at the command prompt. Note: you might wish to set the command-line mode of Windows Script Host (WSH), since by default it outputs all messages in pop-up windows, which is inconvenient when you are working with the ClonePrincipal scripts. Enter cscript //H:CScript at the command...

General Statistical Comparison

Let us first see how DsaStat compares directory replicas and produces statistical data. In this mode, the tool only counts the directory objects and displays totals. In the following example, the Configuration partition is verified on DCs from different domains. It might be necessary to specify a domain administrator's credentials. If the -b parameter is omitted, all applicable partitions are compared.

C:\> dsastat -b:CN=Configuration,DC=net,DC=dom
netdc1.net.dom success. Connecting to...

DNS Records Registered by Active Directory Domain Controllers

All SRV and A resource records (20 in total if the domain controller is a Global Catalog server, 15 if it is not) that each Active Directory domain controller must register on a DNS server are contained in the %SystemRoot%\system32\config\netlogon.dns file. If your DNS server does not support dynamic record updates, you need to manage these records manually. An example of such a file is presented below. Note: it is possible to set a group policy that prohibits the registration of some or all SRV...
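When the records have to be entered by hand, the first questions are which zone each line belongs in and whether anything is missing. The Python below is an added example (not the book's code) that parses the netlogon.dns line format (owner, TTL, IN, type, record data), groups the records by the label directly under the domain so they can be added to the right zone, and reports missing SRV records. SAMPLE_NETLOGON_DNS is a constructed eight-line excerpt, not the full set of 15 or 20 records; REQUIRED_SRV is a small constructed subset (_ldap, _kerberos and _kpasswd over TCP, plus _gc._tcp for a Global Catalog server), not the complete list a DC registers.

```python
"""Parser and checks for the netlogon.dns record file (added example)."""
from __future__ import annotations

from collections import defaultdict

# Constructed sample in the netlogon.dns line format; not the complete record set.
SAMPLE_NETLOGON_DNS = """\
net.dom. 600 IN A 192.168.1.1
_ldap._tcp.net.dom. 600 IN SRV 0 100 389 netdc1.net.dom.
_ldap._tcp.Default-First-Site-Name._sites.net.dom. 600 IN SRV 0 100 389 netdc1.net.dom.
_ldap._tcp.dc._msdcs.net.dom. 600 IN SRV 0 100 389 netdc1.net.dom.
_kerberos._tcp.net.dom. 600 IN SRV 0 100 88 netdc1.net.dom.
_kerberos._udp.net.dom. 600 IN SRV 0 100 88 netdc1.net.dom.
_kpasswd._tcp.net.dom. 600 IN SRV 0 100 464 netdc1.net.dom.
_gc._tcp.net.dom. 600 IN SRV 0 100 3268 netdc1.net.dom.
"""

# Constructed subset of the SRV names a DC must register (not the whole list).
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp")


def parse_netlogon_dns(text: str) -> list[dict]:
    """One record per line: owner TTL IN TYPE rdata... Owner and target names
    are lowercased because DNS names are case-insensitive."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unexpected record line: {line!r}")
        owner, ttl, _, rtype, *rdata = fields
        record = {"owner": owner.lower(), "ttl": int(ttl), "type": rtype.upper()}
        if record["type"] == "SRV":
            if len(rdata) != 4:
                raise ValueError(f"SRV record needs priority weight port target: {line!r}")
            priority, weight, port, target = rdata
            record.update(priority=int(priority), weight=int(weight),
                          port=int(port), target=target.lower())
        else:
            record["data"] = " ".join(rdata)
        records.append(record)
    return records


def subzone(owner: str, domain: str) -> str:
    """Label directly under the domain in which the owner name lives
    (_msdcs, _sites, _tcp, _udp), or '' for the domain apex itself."""
    apex = domain.lower().rstrip(".") + "."
    if owner == apex:
        return ""
    if not owner.endswith("." + apex):
        raise ValueError(f"{owner} is not under {domain}")
    return owner[: -len(apex) - 1].rsplit(".", 1)[-1]


def group_by_subzone(records: list[dict], domain: str) -> dict[str, list[dict]]:
    groups: dict[str, list[dict]] = defaultdict(list)
    for record in records:
        groups[subzone(record["owner"], domain)].append(record)
    return dict(groups)


def missing_srv_records(records: list[dict], domain: str, is_gc: bool) -> list[str]:
    """Names from REQUIRED_SRV (plus _gc._tcp for a Global Catalog server)
    with no SRV record directly under the domain."""
    apex = domain.lower().rstrip(".") + "."
    present = {r["owner"] for r in records if r["type"] == "SRV"}
    required = list(REQUIRED_SRV) + (["_gc._tcp"] if is_gc else [])
    return [name for name in required if f"{name}.{apex}" not in present]


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    for zone, members in group_by_subzone(recs, "net.dom").items():
        print(f"zone {zone or '(apex)'}: {len(members)} record(s)")
    print("missing:", missing_srv_records(recs, "net.dom", is_gc=True))
```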

Basic ADSI Programming

In every script or application, the programmer needs to select an object and perform some action on it. To implement these general tasks, ADSI provides operations of the following types:
- Binding to an object and authenticating in Active Directory. Before any operation begins, the programmer selects an object, or binds to it, using either the current user's credentials (the recommended choice) or explicitly specified alternative ones.
- Accessing the object's attributes. Depending on the ADSI object's...

Running GPO Editor

By default (when started without any parameters), the Group Policy Object Editor snap-in is focused on the local GPO stored on the computer. Generally, you have two options: run this snap-in with a preconfigured GPO (you can use either the standard snap-ins gpedit.msc, dompol.msc, and dcpol.msc, or custom MMC consoles with the Group Policy Object Editor snap-in), or specify a GPO when the snap-in runs. In the first case, you can create a custom MMC console, add the Group Policy Object Editor snap-in to...

Active Directory Replication Monitor (ReplMon.exe) (ST)

All operation masters can be displayed with ReplMon.exe. Start the tool and add servers to the Monitored Servers list (tree). In this case, it is enough to add only one server. Select a DC from the tree pane, open the Properties window, and click the FSMO Roles tab. Fig. 8.3 shows a sample view of this tab. Fig. 8.3 Viewing all operation masters (the owners of...

Installing Administrative Snap-ins Selectively

For some reason, you might want to install only one or just a few separate administrative tools on a client computer instead of the entire Administration Tools pack. This can be done quite easily, but don't forget about the security requirements. You will have to carry out the following steps: 1. Copy the necessary snap-in files (with the .msc extension) from the %SystemRoot%\system32 folder on a DC to any local folder you wish. 2. Copy the appropriate DLLs to the local %SystemRoot%\system32 folder or to any...

The following error indicates that you are trying to import an attribute that only the system can change

Line 3: Constraint Violation. The server side error is "Access to the attribute is not permitted because the attribute is owned by the Security Manager (SAM)." If you encounter such an error, use the -m parameter for export, and if the error persists, check the import file for consistency. Try to get rid of unnecessary attributes when exporting. Let us look at a situation where you yourself produce a critical error by using the -c parameter. The scenario is the following. Suppose that you want to copy...

Primary DNS Suffix

Before installing the DNS service, you must check the primary DNS suffix for the server (see the "Setting the DNS Suffix" section). This is especially important if this server is also going to be a domain controller. In that case, you can either set the DNS suffix to be the same as the DNS name of the domain that the domain controller will belong to, or first promote the server and then install the DNS service. In any configuration, you must be sure that all names (the computer name that includes the...

Normal Intra-Site Replication Intervals

If a DC updates an object attribute, it will send a notification message to its first replication partner within a specified time interval (5 minutes by default). To change the default setting (300 seconds), modify the "Replicator notify pause after modify (secs)" value under the key. The originating DC will notify the next replication partner within the time specified by the "Replicator notify pause between DSAs (secs)" registry value (30 seconds by default). These values affect replication of all...

RootDSE Object

Every LDAP v3-compliant server has an individual DSA-Specific Entry object (RootDSE), defined in RFC 2251. This object is the root of the Directory Information Tree (DIT), but is not a part of any naming context (partition). It defines a directory server's configuration and capabilities. Note: The Directory System Agent (DSA) is the system process that provides clients with access to directory information physically stored on a hard disk of a domain controller, or directory server. In Active Directory...

Authoritative Restore

This menu contains commands that allow an administrator to perform an authoritative restore of the entire Active Directory database, a selected subtree, or a single object. The commands' syntax is very simple; what is much more difficult is understanding how to use these simple commands. Since using commands from the Authoritative Restore menu, as well as selecting the proper values for the verinc parameter, is closely related to the entire process of backing up and restoring Active Directory, all of...

Example: Listing Attributes Replicated to Global Catalog

As an example of a search operation, let us consider how to view all attributes replicated to Global Catalog. You may use any search tool, such as the Search.vbs script or the Ldp.exe utility. For more information, see Chapter 12. Here is a sample command: search LDAP://CN=Schema,CN=Configuration,DC=net,DC=dom /C:(&(objectClass=attributeSchema) /P:ADsPath,attributeID,attributeSyntax,isSingleValued,lDAPDisplayName,oMSyntax The query produces a result similar to the following (only one entry...

Viewing Replication Partners (/showreps)

The first and one of the most important steps in managing replication is to enumerate the partners (neighbors) that have connections to the specified DC and to determine the replication topology for each naming context. This information is used with many other RepAdmin parameters. The following example was obtained for a forest that consists of two domains and two sites. The root domain net.dom is located in the NET-Site and contains two DCs (netdc1 and NETDC3A). The child domain subdom.net.dom...

Refreshing DNS Resource Record Registration (/fix)

If NetDiag detects that registration of some SRV records has failed for a domain controller, you can try to fix the problem automatically. Executing the netdiag /fix command yields the same result as restarting the Netlogon service would. The command looks up all DNS records in the file and updates the corresponding records on the DNS server. When the command runs, strings similar to the following will appear in the 'DNS test' section: FIX: re-register DC DNS entry on DNS server '192.168.1.2'...

Active Directory Browser (AdsVw.exe) (ADSI SDK)

The Active Directory Browser is included in the ADSI SDK (also known as the Active Directory SDK), which you can download from the Microsoft website (see links in Appendix A). The main peculiarity of the Active Directory Browser is its ability to work with both Windows NT 4.0 and AD-based Windows 2000 and Windows .NET domains (see Figs. 12.1 and 12.2). Moreover, this is the only browsing tool that has a multiple-document interface (MDI), which allows you to open separate windows for different objects or...

Searching Active Directory

ADSI provides search operations via ActiveX Data Objects (ADO). There are two syntaxes used by ADSI in query statements. The LDAP dialect consists of the base DN, a search filter (according to RFC 2254), a list of attributes, and the search scope: <LDAP://DC=net, The SQL dialect is similar to the SELECT statement of the standard SQL language. The following search string performs the same operation as the preceding string, but in addition produces a sorted result: SELECT ALL ADsPath FROM 'LDAP://DC=net,DC=dom' WHERE...

Advanced Features Mode

By default, the Active Directory Users and Computers snap-in displays only five nodes in basic mode. For some administrative tasks this is not enough, and you need to switch to the Advanced Features mode, which displays some important containers that are otherwise hidden and has additional options. This can be done using the Advanced Features command in the View menu. Perhaps one of the most valuable nodes shown in advanced mode is the System container (Fig. 7.8), which provides access to a number of system...

Placing Flexible Single Master Operation (FSMO) Roles

Forest-Wide and Domain-Wide FSMO Roles

Every Active Directory beginner first gets a piece of good news: all Active Directory domain controllers running either Windows 2000 or Windows .NET are peers (write operations are permitted on every domain controller (DC), and all changes are replicated from the originating DC to the others; so-called multi-master replication is used). These features are quite advantageous when compared to the rules accepted in Windows NT-based domains. Some time later, the beginner gets some bad news: there are...

Logging Replication Events

You can use the Directory Service event log for monitoring such events as the moments of replication request completion, the number, total size, and names of replicated attributes, and so on. The granularity level of logged events is set through the system registry (see below). Set the "5 Replication Events" value at the registry key equal to 3 or 4 (the difference between the two cases will be discussed later). This will help you to see all replication requests, the sequence of replicated directory...

Reading the Property List

Here is another example of using the IADsPropertyList and IADsPropertyEntry interfaces with various providers as well as with Global Catalog. By using this code, you can compare a directory object's attribute lists received from different providers, or see the attributes replicated to Global Catalog. Only defined attributes (i.e., those that have values) are included in the list. To see all possible attributes, you must refer to the schema (see Listing 17.4). You can also view the type of each...

Viewing All Permissions

ACLDiag can display, in a readable or tab-delimited form, all directly defined or inherited permissions on an Active Directory object, as well as the audit settings. The tool's output is structured to help an administrator analyze the information. Essentially, the tool has two subtests: Security Diagnosis (you may skip this by using the /skip parameter) and Effective Rights Diagnosis. Let us see, for example, in which form ACLDiag displays permissions for an OU. For clarity, the output section's...

Directory Time Conversion

Some attributes, e.g., pwdLastSet, lastLogon, or badPasswordTime, are stored in Active Directory as Large Integers (INTEGER8 format). NLTest can convert these values to a human-readable format. The conversion procedure is rather cumbersome, so you may prefer to use the repadmin /showtime or w32tm /ntte commands (see later in this chapter). Let us, for example, consider converting the time value 126679218485309520 obtained with the ADSI Edit snap-in. Copy and paste the value into the Calculator, and...

Manipulating Security Descriptors

Working with security descriptors of Active Directory objects is an advanced programming topic that requires a solid understanding of the Active Directory access-control model. However, administrators can easily use some operations that deal with reading and/or setting permissions on Active Directory and other objects. ADSI 2.5 contains three interfaces that help to perform these tasks: IADsSecurityDescriptor provides access to the common properties of a directory object's security descriptor,...

Multiple Selection of Directory Objects

One of the most troublesome disadvantages of the Active Directory Users and Computers snap-in in Windows 2000 is its inability to manipulate a number of directory objects at once, primarily user objects. Windows .NET offers a pleasant improvement in that area. For most directory objects (e.g., computers, groups, OUs, etc.), you can change only the description. However, in user objects, over 30 attributes can be changed simultaneously. You select the objects as usual using the <Shift>...

Running the Active Directory Installation Wizard

There are two ways to start the Active Directory Installation Wizard in interactive mode: choose the Start | All Programs | Administrative Tools | Configure Your Server Wizard command, and then assign the domain controller role to the server; or open the Run window and enter dcpromo.exe. In general, you have four options for installing Active Directory; these are graphically represented in Fig. 5.1. Installation from backup media is described later in this chapter. The selections, which you should...

Primary Restore

To restore a standalone domain controller: 1. Run the Backup utility and open the Restore and Manage Media tab (Fig. 8.12). Fig. 8.12 Restoring the System State from backup media 2. Select the necessary media and check the System State box. Files should be restored to the Original location. 3. Click Start Restore and confirm...

Viewing Trusted Domains

Using NLTest, you can display all trust relationships that have been established between the current domain and other domains in the same or another forest. Verbose mode allows you to view domain SIDs and GUIDs. Look at a sample output: 0: SUBDOM subdom.net.dom (NT 5) (Forest: 2) (Direct Outbound) (Direct Inbound) (Attr: 0x20) Dom Guid: 5bcbeeb3-e619-40a6-86b9-4e3d3d9647b2 Dom Sid: 1: W2K w2k.dom (NT 5) (Direct Inbound) Dom Sid: 2: NET net.dom (NT 5) (Forest Tree Root) (Primary Domain) (Native) Dom Guid:...

Sometimes a command fails. Take a look, for example, at the following output produced by a command

C:\> repadmin /syncall netdc1.net.dom DC=net,DC=dom Syncing partition: DC=net,DC=dom CALLBACK MESSAGE: Error contacting server (network error): 1722 (0x6ba): The RPC server is unavailable. CALLBACK MESSAGE: SyncAll Finished. SyncAll reported the following errors: Error contacting server a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom (network error): 1722 (0x6ba) To see the name that corresponds to the GUID shown, use repadmin /showreps. In Windows 2000, only an error code is displayed. You can get a text...

Creating a Custom Query

A query in the ADSI Edit snap-in is a custom template for displaying only the desired objects in the tree pane. This is an analog of saved queries in the Active Directory Users and Computers snap-in. It makes working with large numbers of objects, or with objects located in different Active Directory containers, simpler. The queries can be created in any Active Directory namespace (partition), but remember that since a namespace belongs to a specific domain, the queries work within the borders of one...

Disabling the Knowledge Consistency Checker (KCC)

To disable automatic generation of the replication topology for a site, you can modify the options attribute of the CN=NTDS Site Settings object: to disable intra-site topology generation, set the attribute to 1 (0x1); to disable inter-site topology generation, set the attribute to 16 (0x10); to disable both intra-site and inter-site topology generation, set the attribute to 17 (0x11). In a Windows .NET environment, you can also use the repadmin /siteoptions command (to see the command parameters, enter repadmin...

Creating Forest Trust

Creating Forest Trust Server 2003

Forest trusts are always transitive and can be either one-way or two-way. Remember that the forest functional levels of both forests must be raised to Windows .NET (version 2002). If this condition has not been met, you may create a usual external trust only. Make sure that the domain controllers of each forest can resolve the DNS name of the other forest. 1. Open the Active Directory Domains and Trusts snap-in on any DC in the forest root domain of either forest that participates in...

Connecting to a Domain or Domain Controller

The Active Directory Users and Computers snap-in operates with only one DC and, therefore, one domain at a time. By default, this is your current logon domain and DC (unless you have changed the domain or DC and checked the Save this domain setting for the current console box, Fig. 7.4). Fig. 7.4 You may choose any domain in the forest to administer. You can choose a domain that you wish to investigate by pointing to the root of the snap-in, or by selecting the domain object from the tree pane and...

Kerberos Tray (KerbTray.exe) (RK)

The Kerberos Tray tool lists all cached Kerberos tickets and allows you to view the tickets' properties as well as to purge tickets. This information may help in resolving problems with authentication and access to network resources. If an AD-based computer has not obtained the initial ticket-granting ticket (TGT) from a Kerberos Distribution Center (KDC) during the first logon to the domain, or if the cached tickets have expired and haven't been renewed, the computer won't be authenticated to...

Deleting Objects

There are two ways to delete a directory object: use the Delete method of the IADsContainer interface, or use a special interface named IADsDeleteOps. To delete an object using the former method, you need to bind to the object's parent container and call the Delete method. This method is applicable to leaf objects only (i.e., the object must not have any child objects). If you try to delete a non-leaf object, you will get the error -2147016683 (0x80072015), which means "The directory service can...

Restoring Security Settings

For various reasons, you may want to return an object's security settings to their initial, default state. The default settings for an object class are defined in the Active Directory schema. In addition, the settings inherited from the parents are also applied to the object. For example, the following command restores the defaults for an OU object: C:\> dsacls OU=Staff,DC=net,DC=dom /S You can also use the /T parameter and restore the defaults on the entire tree of objects. If the operation was...

DsQuery and DsGet

The DsQuery.exe utility can find directory objects of any type or objects of a specific type. The DsGet.exe utility displays the specified attributes (a limited set of attributes) of objects of specific types. These specific types are: computer, contact, subnet, group, OU, site, server, and user. For example, the following command displays the ADsPaths and GUIDs of the user accounts in the Users container: C:\> dsquery * CN=Users,DC=net,DC=dom -filter (objectClass=user) -attr ADsPath objectGUID The most universal dsquery...

Security Descriptor Check Utility (SDCheck.exe) (ST)

The SDCheck command-line tool is primarily intended to help administrators verify and monitor the following issues related to directory objects' security descriptors: propagation of inherited ACLs for a specified directory object, and replication of ACLs between different domain controllers. Let us consider how to fulfill these tasks using the following sample output. In this scenario, we will test the ACLs of the user object Alice (net.dom) that belongs to a...

NLTest (NLTest.exe) (ST)

The NLTest tool helps administrators to manage both Windows 2000 (native and mixed mode, with Windows NT 4.0 BDCs) domains and Windows .NET (version 2002) mode domains. The tool has a number of options, including the following: verifying and resetting secure channels (trusts); getting information on network topology (a list of DCs, sites, domain trusts, etc.); forcing synchronization with BDCs; forcing shutdown of a computer; and other options. NLTest is a very useful tool for troubleshooting...

Verifying DNS Configuration

DNS testing is one of the most important steps in preparing a server for promotion. Any undetected errors in the DNS configuration may result in an inoperable domain controller. The following DNS-related faults are possible: the computer has no settings for the preferred DNS server; the specified DNS server does not host the specified authoritative zone (domain name); the authoritative zone exists, but is not updatable. Microsoft has done a great job in extending the initial functionality of the...

The following command performs a full-content comparison and also detects both a changed (albeit non-replicated)

C:\> dsastat -s:netdc1.net.dom;netdc4.net.dom -b:DC=net,DC=dom -t:FALSE
Unsorted mode.
FAIL: Value 0 of Attr versionNumber did not compare on dn CN=Policies,CN=System,DC=net,DC=dom
Servers: netdc1.net.dom netdc4.net.dom
FAIL
FAIL: 1 mismatch with current DIT image
->> DSA Diagnostics <<-
No missing replies.
INFO: Server sizes are equal.
Different Directory Information Trees. 1 errors (see above).
fail
->> FAIL <<- closing connections

Registry Settings: TcpipClientSupport

In the source domain running Windows NT 4.0 with Service Pack 4 or later, or Windows 2000/.NET, create the REG_DWORD registry value (0x1) named TcpipClientSupport on the PDC or the PDC Emulator under the following subkey. This setting is not necessary if you use ADMT for intra-forest migration.

Audit Settings

It is necessary to set auditing in both the source and target domains. For Windows 2000 and Windows .NET domains (both the source and target): 1. Open the Group Policy Object (GPO) for the...

Filter Options

As the number of objects in Active Directory considerably increases, the length of time it takes to find specific objects may become unbearable. However, you can set a filter and look up only the desired objects. Select the Filter Options command in the View menu or click the Set Filtering Options button on the Standard toolbar. You can set the types of objects to be displayed from a predefined list, or create your own custom filter. The process of creating a filter is intuitively simple....