... new CLIs with Windows Server 2003, most of which cannot be run on the Windows 2000 operating system. Typically, you can still use these newer tools on a Windows XP or Windows Server 2003 computer ... in Windows Server 2003, contain many "must have" tools for people that work with Active Directory. The Microsoft installer (MSI) for the Windows Support Tools can be found on a Windows 2000 Server ... that contain a great deal of information on Active Directory. With Windows Server 2003, Microsoft has taken their level of documentation a step higher. Extensive information on Active Directory...
... syntax or usage information for any of the command-line tools I use, you should first take a look at the help information for the tools. The vast majority of CLI tools provide syntax information by ... recovery, upgrading to Windows Server 2003 Active Directory, and Active Directory tools Google Search Engine (http://www.google.com/) Google is my primary starting point for locating information on Active ... computer (e.g., rallen-xp) Recipe 1.5 Where to Find More Information While it is my hope that this book provides you with enough information to perform most of the tasks you need to do to maintain your...
... prepares a Windows 2000 forest and domains for Windows Server 2003. Both /forestprep and /domainprep must be run before you can upgrade any domain controllers to Windows Server 2003 or install new Windows ... Prepare a Domain or Forest for Windows Server 2003 2.10.1 Problem You want to upgrade your existing Windows 2000 Active Directory domain controllers to Windows Server 2003. Before doing this, you ... and indicates a mixed-mode domain. Windows Server 2003 Active Directory has a similar concept called functional levels. For more information on Windows Server 2003 functional levels, see Recipe...
... mixed mode) Windows Server 2003 Windows Server 2003 Interim Windows NT 4.0 Windows Server 2003 Windows Server 2003 Windows Server 2003 When a domain is at the Windows 2000 functional level, the domain ... 2-4 Windows Server 2003 domain functional levels Functional level Windows 2000 msDS-Behavior-Version Valid operating systems Windows 2000 Windows NT (when in mixed mode) Windows Server 2003 Windows ... "Attempting to change forest to " & _ "Windows Server 2003 functional level " objDomain.Put "msDS-Behavior-Version", objDomain.SetInfo else Wscript.Echo "Forest already at Windows Server 2003 functional...
... is new to Windows Server 2003. See Recipe 2.20 for an example. 2.19.4 See Also The Introduction at the beginning of this chapter for attributes of trustedDomain objects, Recipe 2.20 for another ... associated with the trust you want to verify. Click the Edit button. Click the Verify button. For the Windows Server 2003 version of the Active Directory Domains and Trusts snap-in: In the left pane, right-click ... following code lists all of the trusts for the ' specified domain using the Trustmon WMI Provider ' The Trustmon WMI Provider is only supported on Windows Server 2003 ' SCRIPT CONFIGURATION ...
... Discussion For a complete list of Windows Server 2003 [DCInstall] settings, see the ref.chm help file in \support\tools\deploy.cab that can be found on the Windows Server 2003 CD. For Windows 2000, ... of screens that collects information about the forest and domain to promote the server into. There are several options for promoting a server: • Promoting into a new forest (See Recipe 2.1) ... optimal for your installation. Also, if the server is a global catalog, ensure that other global catalog servers exist in the forest that can handle the load. It is important to demote a server before...
... objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer WScript.Echo "Current Value: " & strCurrentServer objReg.SetStringValue HKLM, strTimeServerReg, "ntpserver", strTimeServer ... Global catalog server for the forest DS_KDC_FLAG Kerberos Key Distribution Center for the domain DS_PDC_FLAG Primary domain controller of the domain DS_TIMESERV_FLAG Time server for the domain ... Directory before promoting the server into the forest. That way you do not need to worry about moving it after the fact. When moving a server object, remember that it has to be moved to a Servers container...
... default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003" /3GB Restart the computer. On Windows Server 2003, you can edit the boot.ini ... is supported only on Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows Server 2003 Enterprise Edition, and Windows Server 2003 Data Center Edition, and should be used only ... Solution If you upgrade a Windows 2000 domain controller to Windows Server 2003, the DLT Server service is stopped and set to disabled. A new install of Windows Server 2003 also has the service...
... Recipe 3.24 for disabling the global catalog requirement for Windows Server 2003, Recipe 7.9 for enabling universal group caching, MS KB 216970 (Global Catalog Server Requirement for User and ... Catalog Server Be Available to Validate User Logons) Recipe 3.24 Disabling the Global Catalog Requirement During a Windows 2003 Domain Login This recipe requires the Windows Server 2003 forest ... You want to disable the requirement for a global catalog server to be reachable when a user logs into a Windows 2003 domain. 3.24.2 Solution See Recipe 7.9 for information on enabling universal group...
... useful for discovering basic information about a forest, domain, or domain controller. 4.1.2 Solution 4.1.2.1 Using a graphical user interface Open LDP From the menu, select Connection Connect For Server, ... Controls For the Windows Server 2003 version of LDP, select the control you want to use under Load Predefined. The control should automatically be added to the list of Active Controls. For the Windows ... things, which means you do not need to hardcode that information in scripts and programs. Here is an example from LDP when run against a Windows Server 2003-based domain controller: ld = ldap_open("dc01",...
... This works only on a Windows Server 2003 domain controller. 4.4.2.1 Using a graphical user interface Open LDP From the menu, select Connection For Server, enter the name of a DC. For Port, enter 389 ... select controls by name with the Windows Server 2003 version of LDP). For the Windows 2000 version of LDP, add a control with an OID of 1.2.840.113556.1.4.1504. For Value, enter the multivalued ... Response Response from server returning a virtual list view 2.16.840.1.113730.3.4.10 of results from a search This control is new to Windows Server 2003 Attribute Scoped Query Used to force a query to...
... entry for the naming context you want to browse is not already displayed, do the following: a Right-click on ADSI Edit in the right pane and click Connect to b Fill in the information for the ... 1 Follow the directions in Recipe 4.5 for searching for objects. For the Filter, enter the bitwise expression, such as the following, which will find ... binary form and cannot be edited directly. If you want to set the password for a user through a GUI, you can do it with the AD Users and Computers snap-in. 4.10.3.2 Using a command-line interface For...
... 4.11 for modifying an object, and Recipe 4.14 for creating a dynamic object Recipe 4.16 Modifying the Default TTL Settings for Dynamic Objects This recipe requires the Windows Server 2003 forest ... 4.15 for refreshing a dynamic object, and Recipe 4.16 for modifying the default dynamic object properties Recipe 4.15 Refreshing a Dynamic Object This recipe requires the Windows Server 2003 forest ... for modifying an object Recipe 4.14 Creating a Dynamic Object This recipe requires the Windows Server 2003 forest functional level 4.14.1 Problem You want to create an object that is automatically...
... Discussion For more information on the LDIF format, check RFC 2849. 4.25.3.1 Using a command-line interface To import with ldifde, simply specify the -i switch to turn on import mode and -f for ... from asking for confirmation before deleting. The -s parameter can be used as well to specify a specific server to target. 4.20.3.3 Using VBScript Using the DeleteObject method is straightforward. Passing ... well-defined file-based format for representing directory entries. The format is intended to be both human and machine parseable, which adds to its usefulness. LDIF is the de facto standard for importing...
... for the file. It can also be beneficial to use the -v switch to turn on verbose mode to get more information in case of errors. 4.27.4 See Also Recipe 4.26 for exporting objects in CSV format, ... 5.11 for more information gpOptions Contains if GPO inheritance is blocked and otherwise msDS-Approx-ImmedSubordinates Approximate number of direct child objects in the OU See Recipe 5.8 for more ... Active Directory, stores data in a hierarchy of containers and leaf nodes called the directory information tree (DIT). Leaf nodes are end points in the tree, while containers can store other containers...
... objects to move (use for all) 5.6.3.3 Using VBScript For more information on the MoveHere method, see Recipe 4.17. 5.6.4 See Also Recipe 4.17 for moving objects, Recipe 5.3 for enumerating objects ... Units Within a Domain in Windows 2000) and MSDN: IADsContainer::MoveHere Recipe 5.8 Determining How Many Child Objects an OU Has This recipe requires the Windows Server 2003 domain functional level...
... conflict with Windows Server 2003. See MS KB 314649 for more information. In Windows Server 2003 Active Directory, inetOrgPerson is supported natively. You can create inetOrgPerson objects for your users, ... primaryGroupID ID of the primary group for the user. See Recipe 6.15 for more information profilePath UNC path to profile directory. See Recipe 6.29 for more information pwdLastSet Large integer that ... representation of the timestamp for when a user was locked out. See Recipe 6.9 for more information memberOf List of DNs of the groups the user is a member of. See Recipe 6.14 for more information objectSID...
... as well. Thanks, Joe! 6.9.4 See Also MS KB 813500 (Support WebCast: Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features) Recipe 6.10 Troubleshooting Account ... 6.10.2.1 Using a graphical user interface LockoutStatus is a new tool available for Windows 2000 or Windows Server 2003 that can help identify which domain controllers users are getting locked ... http://microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629B999ADDE0B9E&displaylang=en 6.10.4 See Also MS KB 813500 (Support WebCast: Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features) Recipe 6.11 Viewing the Account...
... 6.15 and Recipe 7.8 for more on finding the primary group of a user. 6.14.4 See Also Recipe 7.3 for more on viewing the nested members of a group and Recipe 10.16 for more information on linked ... (Domain Users) for all users. 6.15.4 See Also Recipe 7.8 for determining the group name given a group ID, MS KB 297951 (HOWTO: Use the PrimaryGroupID Attribute to Find the Primary Group for a User), ... you will need to perform a query against the global catalog for all group objects that have a member attribute that contains the DN of the user. 6.16.4 See Also Recipe 7.4 for adding and removing...
... expire is a little complicated. Fortunately, the new dsquery user command helps by providing an option for searching for users that haven't changed their password for a number of days (-stalepwd) ... "(!pwdLastSet=0));"; 6.23.4 See Also Recipe 6.11 for more on the password policy for a domain, Recipe 6.17 for how to set a user's password, and Recipe 6.22 for how to set a user's password to never ... to expire?) This next bit-wise filter will match only enabled user objects. See Recipe 6.13 for more information on finding disabled and enabled users. $query = "(!useraccountcontrol:1.2.840.113556.1.4.803:=2)";...