Windows 2000 and Active Directory Administration


Windows 2000 and Active Directory Administration Don Jones Sean Daily Keep sponsor logos below here Tips and Tricks Guide To tm tm realtimepublishers.com TM Table of Contents Note to Reader: This book presents tips and tricks for seven Windows 2000 and Active Directory Administration topics. For ease of use, the questions and their solutions are divided into chapters based on topic, and each question is numbered based on the chapter, including: • Chapter 1: Daily Administration • Chapter 2: Domain Controller Administration • Chapter 3: Replication Management • Chapter 4: Security Administration • Chapter 5: Disaster Recovery • Chapter 6: Tools and Utilities • Chapter 7: Migration Chapter 1: Daily Administration 1 Q 1.1: I just created a new group, and both the new group and the organizational unit I put in the new group are gone! What should I do? 1 Q 1.2: I tried to install an application that needs to modify the Active Directory schema, but the installation failed. What should I do? 2 Q 1.3: How can I write a logon script that checks for group membership? 4 Programming the Script .5 Assigning the Logon Script .6 Q 1.4: Does Active Directory support inheritance for permissions on objects in the directory? 9 So…No Inheritance? 10 OK…Some Inheritance 11 Q 1.5: Why should I use the Active Directory Service Interfaces clients for Windows 9x and Windows NT? 11 Supported Functionality .11 Unsupported Functionality .12 Where Can I Get It? .12 Q 1.6: I need to change a lot of information in Active Directory. Is there an easy way to manipulate that data other than using the Users and Computers console? 13 Bulk Import/Export 13 Using LDIFDE .14 Breaking It Down .15 Understanding LDIF 15 Scripting .16 Q 1.7: Is there any way to control permissions inheritance in Active Directory? 
.17 AD’s Default Inheritance Handling .17 i Table of Contents Configuring Inheritance for AD Permissions 19 Q 1.8: We’re delegating Active Directory administration to different groups in our organization, but the built-in administrative tools are confusing users because the tools offer so much more functionality than we’re delegating. What can we do? 22 Chapter 2: Domain Controller Administration 27 Q 2.1: Where should I place Global Catalog servers, and how many do I need? 27 Deciding Where to Place GC Servers 27 Making a GC Server 28 Q 2.2: Where do I put FSMOs? .29 Deciding Where to Place FSMOs 30 Transferring FSMOs 31 Transferring the RID Master, PDC Emulator, or Infrastructure Master 31 Transferring the Domain-Naming Master .32 Transferring the Schema Master 32 Q 2.3: How do I handle a FSMO failure? 33 What to Do When a FSMO Fails .34 Seizing FSMOs 34 Q 2.4: How can I tell whether I need to add a domain controller? 35 Installing the Database Object .37 Domain Controller Performance Tips 38 Q 2.5: How many domain controllers do I need for optimum performance? 39 Q 2.6: I want to make sure that my users can always log on. Doesn’t that mean placing a domain controller in every location that has users? 42 A History of Domain Controller Placement 43 How Windows 2000 Learned from History .43 Q 2.7: We use Exchange 2000 Server, and users complain that Address Book lookups take too long. The Exchange server looks fine. What can I do? .45 Lookups with Earlier Clients .45 Lookups with Later Clients 46 Q 2.8: We have a large, multi-domain forest. We’re installing a new application that modifies Active Directory’s schema, but we need to document those changes before we allow the application to do so. The application doesn’t indicate exactly what changes it will make. What can we do? 47 Q 2.9: How should I configure Domain Name System on my domain controllers? .48 Q 2.10: What’s a good first troubleshooting step when I’m having problems with Active Directory? 
50 ii Table of Contents Q 2.11: How can I defragment Active Directory’s database? .52 Offline Defrag 53 Defrag and Replication 54 Q 2.12: We have several sites in our Active Directory domain. At some sites, one domain controller in particular seems slower than others. What can we do to troubleshoot the problem?54 Chapter 3: Replication Management .57 Q 3.1: After I make a change in Active Directory, the change doesn’t seem to take effect for quite a while. What can I do to make this process faster? .57 Faster Replication 58 Making Changes Close to Home .60 Q 3.2: How do I troubleshoot Active Directory replication? .61 Multiple-Master Replication 61 How Replication Works .62 Handling Conflict .62 Replication Loops 62 Replication Topology .63 Managing Replication 64 Solving Problems .64 Q 3.3: How does Active Directory delete records? .64 Modifying AD’s Default Behavior 68 Creating Your Own Site Link Bridges .69 Q 3.5: We have many domains and sites in our organization, and Active Directory replication seems very slow. What can we do to improve performance? 70 Q 3.6: We’re having problems configuring Active Directory replication to pass through a firewall. Which port should we check first? 72 Chapter 4: Security Administration .74 Q 4.1: I want to distribute the management of the users and groups in my Active Directory. What’s the best way to proceed? .74 Q 4.2: We want to delegate new user account creation to our Help desk, but we’re concerned that user information won’t be entered consistently. What can we do? .77 Setting Up Policies in Enterprise Directory Manager 79 Working Behind Enterprise Directory Manager’s Back 80 Q 4.3: We’ve organized Active Directory to fit the way we manage it, but that makes our Group Policies very difficult to apply. What should we do? 81 When One Organization Isn’t Enough .81 iii Table of Contents Can’t You Have Two Organizations? 82 So What’s the Best Organization for AD? 
.82 Q 4.4: I’ve heard that SYSKEY can be used to protect Windows 2000 against several security holes. How does it work? .83 What SYSKEY Fixes .83 Using SYSKEY .84 Do You Need SYSKEY? .85 Q 4.5: How can I prevent users from changing their personal attributes in Active Directory? .85 Editing the Schema 86 Reapplying Default Permissions 89 Q 4.6: How do I configure the Kerberos authentication protocol? 89 How Kerberos Works 89 Logging On 90 Accessing Resources 90 Configuring Kerberos 92 Q 4.7: We’re trying to make our domain controllers as secure as possible. What ports can we lock down without affecting Active Directory? .94 Default Ports 94 Locking Down Ports 98 Chapter 5: Disaster Recovery 101 Q 5.1: How can I prepare for Active Directory disaster recovery? .101 Don’t Put All Your Eggs in One Basket 101 Backup and Restore .103 Non-Authoritative Restore .104 Authoritative Restore .104 Testing Your Backups 105 Q 5.2: Someone accidentally deleted several users from Active Directory. We have a backup, but how can we restore just the missing objects? 106 The Hard Way 106 The Easy Way 107 Q 5.3: Our IT management is centralized, but our domain controllers aren’t. We need some way to centralize our disaster recovery operations. What can we do? 109 Q 5.4: What is the best overall strategy for backing up Active Directory? .111 Back Up Two Domain Controllers 112 iv Table of Contents Back Up to Disk .112 Back Up Frequently .112 The Ideal Backup Strategy .112 Q 5.5: One of our domain controllers crashed. What’s the easiest way to restore its copy of the Active Directory database? 114 Restoring AD .114 Reinstalling AD .114 Q 5.6: I’ve heard that it’s unsafe to perform a repair installation on a domain controller. What should I do instead? .114 Manual Repairs 115 Fast Repairs 115 Be Prepared for Repair .116 Chapter 6: Tools and Utilities 117 Q 6.1: How can I automate the process of adding users? 
117 The ADDUSERS Script .117 The ADDUSERS Spreadsheet .120 Q 6.2: What is the ADSI Edit tool? .121 Starting ADSI Edit .121 Using ADSI Edit 122 When You’ll Need ADSI Edit .122 Q 6.3: What is DSACLS? 123 Q 6.4: What’s the difference between REPLMON and REPADMIN? .124 REPADMIN .125 Checking Replication .125 Forcing Replication with a Specific Partner 126 Force Replication with all Replication Partners 127 Display Replication Data .127 Check to See Whether an Object is Up-to-Date 128 REPLMON 128 Q 6.5: What is MOVETREE used for? 129 Q 6.6: How can I use NTDSUTIL to manage the Active Directory database? .130 How NTDSUTIL Works 131 Common Commands .132 Authoritative Restore .132 v Table of Contents Files 132 IP Deny List .133 Metadata Cleanup 133 Roles 133 Additional Commands .134 Automating NTDSUTIL 135 Chapter 7: Migration 136 Q 7.1: I need to decide on a name for my new Active Directory domain. What name should I use? 136 You Have an Internet Domain Name Hosted by Your Internet Service Provider .136 Examine Your Current Situation .136 Decide What to Do .137 You Already Have an Internet Domain Name That You Host 139 You Don’t Have a Domain Name Registered on the Internet .140 Q 7.2: Should I perform an upgrade or a migration? .141 SID History and Migration Problems 141 Migrating: Tons of Work .142 Upgrades Make Things Easier .142 Up-to-Date Best Practices 142 Q 7.3: I’m migrating several Windows NT domains into a single Windows 2000 domain. The NT domains contain several groups with the same names. Is it safe to merge the groups? 143 Merging Global Groups .144 Handling the Merge .146 Q 7.4: We’re trying to migrate multiple Windows NT domains into a single Windows 2000 domain, but management doesn’t want to lose the control they have with multiple domains. What should we tell them? 
147 The Case for Multiple Domains .147 The Case for Multiple Domain Trees and Multiple Forests 148 Sharing Between Forests 149 Q 7.5: We migrated our user accounts to Active Directory, but users' local computer profile settings were lost. What can we do? 150 SID Histories and Local Profiles .150 Local Profiles Don’t Care About SID History .150 Why Migrating Breaks User Profiles .151 Fixing the Problem .151 vi Table of Contents Q 7.6: We have a lot of Windows NT file servers that have a lot of very specific NTFS permissions. What do we need to do to migrate these permissions to Active Directory? .153 Microsoft’s ADMT 153 Aelita’s Domain Migration Wizard .153 Q: 7.7: What little gotchas should we look out for during a migration to Active Directory? .154 Time Synchronization 154 Run Your Migration Tool on a Domain Controller .155 Password Policy Mismatch 155 Consistency Problems 155 Carefully Migrate Users and Groups from Multiple Domains 155 Cautiously Migrate Groups 156 Q 7.8: Should I upgrade or migrate? 156 Q 7.9: Before we migrate, we’re trying to clean up our Windows NT domain, deleting unused user accounts and groups. What is the easiest way to accomplish this task? 157 What the Script Will Do 157 Writing the Script .158 Putting It All Together .159 Q 7.10: We’ve upgraded our Windows NT Primary Domain Controller to Windows 2000, and our Windows 2000 Professional computers are inconsistent about receiving Group Policy. Any explanation? .160 If You’ve Already Upgraded Your PDC .161 If You Haven’t Upgraded Your PDC Yet 162 Q 7.11: How can I look up the SID history for migrated accounts? 162 vii Copyright Statement © 2001 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtimepublishers.com, Inc. (the “Materials”) and this site and any such Materials are protected by international copyright and trademark laws. 
THE MATERIALS ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtimepublishers.com, Inc or its web site sponsors. In no event shall Realtimepublishers.com, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials.

The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, non-commercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. If you have any questions about these terms, or if you would like information about licensing materials from Realtimepublishers.com, please contact us via e-mail at info@realtimepublishers.com

Chapter 1: Daily Administration

Q 1.1: I just created a new group, and both the new group and the organizational unit I put in the new group are gone! What should I do?

A: You’ve stumbled across one of the unavoidable problems of a multimaster directory environment. As you’re aware, any administrator can modify Active Directory (AD) by connecting to any domain controller in a domain. AD replicates changes to all domain controllers so that, eventually, they all contain the changes the administrator made. The key word, of course, is eventually. Two administrators could possibly connect to two different domain controllers and make conflicting changes at the same time. When those changes involve the same object—for example, both administrators reset a specific user’s password at the same time—AD keeps the change that occurred last. If they occurred at precisely the same time, AD picks one change to keep. That type of situation is confusing but fairly rare.

More common are changes made to two different dependent objects. For example, imagine that your domain contains an organizational unit (OU) named Houston. Bob, an administrator in Houston, connects to a Houston-based domain controller and creates a user group named HoustonAdmins. A few minutes earlier, however, Jerry, an administrator in New York, connected to a New York-based domain controller and deleted the Houston OU entirely. When AD replicates these two changes, they conflict. Suddenly, AD has to create a group named HoustonAdmins in an OU that no longer exists. The same scenario can happen with newly created user accounts: The target domain was deleted on another domain controller, but the changes have not yet replicated completely to all domain controllers.

You can configure replication between sites to wait quite a long time before replicating—as long as several hours. While a longer replication interval will reduce the amount of replication traffic on your network, it will also increase the possibility of replication conflicts because administrators at one site will have more time to make changes that might conflict with changes you’re making at another site.

AD could respond by not creating the group. This solution isn’t great, though, because you might be relying on the group—after all, the administrator who deleted the OU didn’t know the group existed at the time. The situation’s even worse with user accounts because users’ access depends on the existence of their accounts. So AD responds by creating the user or group in the LostAndFound container, a special OU-like folder within AD. You can view the contents of the LostAndFound container by using the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, which Figure 1.1 shows.

[...] the Active Directory Users and Computers snap-in, and close the dialog boxes.

Users still need the MMC and snap-in on their computer! Your users will obviously need the MMC on their computers, and they’ll also need whatever snap-ins you configure in a customized console.

Figure 1.13: Adding the Active Directory Users and Computers snap-in

3. The console will now display the standard Active Directory [...]

[...] should I use the Active Directory Service Interfaces clients for Windows 9x and Windows NT?

A: Active Directory (AD) introduces a great deal of new functionality. To fully take advantage of that functionality, your client computers need to all be running Windows 2000 (Win2K) Professional or later. But you can use a subset of AD’s functionality on earlier clients by using Microsoft’s Active Directory Service [...]

[...] VBScript logon script, and second, add that script to a Group Policy.

Programming the Script

VBScript allows you to use the Active Directory Service Interfaces (ADSI) to query information from domain directories. ADSI is included with Windows 2000 (Win2K) and includes providers that allow you to access both Windows NT domains and AD domains. The AD provider actually uses the Lightweight Directory Access Protocol [...]

[...] earlier versions of Windows, Win2K lets you assign multiple logon and logoff scripts to users and computers. Windows will execute all the scripts at the appropriate time. Use the Up and Down buttons on the dialog box to place the scripts into the order in which you want them to execute.

10. Click OK to save the new Group Policy.

Logon and logoff scripts are for Win2K and later only. AD-based logon and logoff scripts [...]

[...] command-line task, or navigate to a specific location within the snap-in. In this case, the user will need to run the New User command, which is a menu command.

Figure 1.15: Choosing the command type for the task

8. As Figure 1.16 shows, select the menu command to which the task will link. Select the appropriate OU in the Console Tree window, and the Available commands window will display the menu commands [...]

[...] into AD. At the command prompt, type the following command, then press Enter:

ldifde -i -f newyork.ldf -s dc01

6. To confirm that the entries have been modified, check the Active Directory Users and Computers console.

Breaking It Down

OK, that’s definitely a lot to swallow—LDIFDE isn’t a lightweight tool. Let’s look at what the commands are doing, starting with the export command:

ldifde -f newyork.ldf [...]

[...] these steps:

1. Launch the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
2. Right-click the OU or domain to which you want to apply the policy, and select Properties from the pop-up menu.
3. On the Group Policy tab, click New.
4. Type a name for the new policy, and press Enter.
5. Select the new policy, and click Edit.
6. Windows displays the Group Policy window, which Figure 1.3 [...]

[...] your New York office, and you need to change all the zip codes you’ve stored in Active Directory (AD). The change only affects the users in your New York office, who are conveniently grouped into an organizational unit (OU) named NewYorkCity. The obvious way to make the change is to open each user profile in the Active Directory Users and Computers Microsoft Management Console (MMC) and make the change [...]

[...] scripts and other scripts that use ADSI, and run those scripts successfully on your earlier client computers.

• Normally, Win9x and NT clients can only access Win2K distributed file system (Dfs) roots that are standalone. The ADSI client allows them access to Win2K Dfs fault-tolerant and failover file shares specified in AD. By using these more advanced Dfs shares, you can provide fault tolerance and reliability [...]

[...] we do?

A: This situation is fairly common in organizations that choose to delegate Active Directory (AD) authority. For example, suppose you delegate the ability to manage a single organizational unit (OU) to a group of users so that they can create new user accounts. If you give them the standard Active Directory Users and Computers console, they’ll be exposed to a lot of additional functionality that [...]
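The two conflict rules that Q 1.1 describes (last originating write wins on the same attribute, and a create whose container has meanwhile been deleted lands in LostAndFound rather than being dropped) are easier to reason about when replayed in code. The following toy model is an added example, not the book's own script and not Active Directory's real replication engine: the object names, domain controller names and timestamps are constructed, and the same-timestamp tie-break by DC name is a stand-in for whatever AD uses internally. It also runs the check an administrator wants after a "my new group vanished" report: listing what ended up in LostAndFound.

```python
"""Toy model of the replication-conflict rules described in Q 1.1.
Added example, not from the book: names, timestamps and the tie-break
rule are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

LOST_AND_FOUND = "LostAndFound"    # stands in for the domain's LostAndFound container
DOMAIN_ROOT = "DC=example,DC=com"  # constructed domain root; always exists


@dataclass
class Change:
    """One originating write made on one domain controller."""
    dc: str                       # originating DC (constructed name)
    time: float                   # originating timestamp (constructed)
    kind: str                     # "create", "delete" or "set"
    name: str                     # stable object id (stands in for objectGUID)
    parent: Optional[str] = None  # container, for "create"
    attr: Optional[str] = None    # attribute, for "set"
    value: Optional[str] = None   # new value, for "set"


@dataclass
class Obj:
    parent: Optional[str]
    attrs: dict = field(default_factory=dict)  # attr -> (value, time, dc)


def converge(initial: dict, changes: list) -> dict:
    """Replay every DC's originating writes in timestamp order and return the
    state all replicas agree on once replication has caught up.

    Rule 1: for one attribute the latest originating write wins; an exact
            tie is broken deterministically (here by DC name, an assumption).
    Rule 2: a create whose container no longer exists is placed in
            LostAndFound instead of being discarded.
    """
    state = {n: Obj(o.parent, dict(o.attrs)) for n, o in initial.items()}
    for ch in sorted(changes, key=lambda c: (c.time, c.dc)):
        if ch.kind == "delete":
            state.pop(ch.name, None)
        elif ch.kind == "create":
            parent_exists = ch.parent == DOMAIN_ROOT or ch.parent in state
            state[ch.name] = Obj(ch.parent if parent_exists else LOST_AND_FOUND)
        elif ch.kind == "set":
            obj = state.get(ch.name)
            if obj is not None:  # writes to an already-deleted object are dropped
                obj.attrs[ch.attr] = (ch.value, ch.time, ch.dc)
        else:
            raise ValueError(f"unknown change kind {ch.kind!r}")
    return state


def lost_and_found(state: dict) -> list:
    """Names of objects that ended up in LostAndFound: the first place to look
    when a freshly created group or user seems to have vanished."""
    return sorted(n for n, o in state.items() if o.parent == LOST_AND_FOUND)


def scenario() -> dict:
    """The Houston/New York example from Q 1.1 plus a same-time password reset."""
    initial = {
        "Houston": Obj(DOMAIN_ROOT),
        "Users": Obj(DOMAIN_ROOT),
        "bob.user": Obj("Users", {"unicodePwd": ("old-hash", 0.0, "dc-hou")}),
    }
    changes = [
        # Jerry deletes the Houston OU in New York ...
        Change("dc-nyc", 100.0, "delete", "Houston"),
        # ... a few minutes before Bob creates a group inside it in Houston.
        Change("dc-hou", 160.0, "create", "HoustonAdmins", parent="Houston"),
        # A create whose container still exists replicates normally.
        Change("dc-hou", 170.0, "create", "HelpDesk", parent="Users"),
        # Two admins reset the same password at exactly the same time.
        Change("dc-hou", 200.0, "set", "bob.user", attr="unicodePwd", value="hash-hou"),
        Change("dc-nyc", 200.0, "set", "bob.user", attr="unicodePwd", value="hash-nyc"),
        # Same attribute written at different times: the later write wins.
        Change("dc-nyc", 205.0, "set", "bob.user", attr="description", value="earlier write"),
        Change("dc-hou", 210.0, "set", "bob.user", attr="description", value="later write"),
    ]
    return converge(initial, changes)


if __name__ == "__main__":
    s = scenario()
    print("LostAndFound:", lost_and_found(s))
    print("password kept:", s["bob.user"].attrs["unicodePwd"][0])
```

Running the script shows HoustonAdmins sitting in LostAndFound while HelpDesk lands in Users as expected, which is exactly the situation the question describes. The same model also makes the replication-interval remark concrete: the longer the gap between Jerry's delete reaching Houston and Bob's create, the more writes can pile up against a container that is already gone.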

Posted: 26/10/2013, 22:15
