Professional Windows Server 2003 Security A Technical Reference [Electronic resources] - text version


Roberta Bragg

Active Directory Tasks

This section covers common (and not so common but important)
administrative tasks concerning the general administration of Active
Directory. For more specific tasks relating to administering domains,
trusts, user accounts, and so on, refer to the related topics
elsewhere in this chapter. For example, to learn how to manage domain
controllers, see Domain Controller; to learn how to configure user
accounts, see Users; and so on. Note that all tasks in this section
involve using the Active Directory Users and Computers console unless
otherwise indicated.

Audit Active Directory


You can use auditing to detect unauthorized
attempts to access Active Directory:

Right-click the Domain Controllers node → Properties → Group Policy → select Default Domain Controller Policy → Edit → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → right-click Audit Directory Services Access → Properties → select Define these policy settings → choose to audit success and/or failure events

Auditing of access to Active Directory on all domain controllers in
the domain takes effect once the GPO settings have propagated to
other domain controllers (usually within five minutes). Directory
service access events are logged in the Security log on each domain
controller and can be viewed with Event Viewer.


For fresh installs of new WS2003 domain controllers in a new domain,
Active Directory security auditing is enabled by default. If you
upgraded from W2K domain controllers, you must enable auditing
manually, as described earlier.

You can also audit specific objects within Active Directory. First,
follow the steps described earlier, then make the Security tab visible
on the properties sheets of objects by View → Advanced Features, and
then specify auditing for an object by:

Right-click on an object (such as a user or computer) → Properties → Security → Advanced → Auditing → Add → specify the user or group whose access to the object you want to audit → Object tab → select Successful and/or Failed for each type of access you want to audit for the object → Properties tab → select Successful and/or Failed for the Read or Write actions you want to audit for the object

For more information, see Auditing later in this chapter.
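Once the policy above has propagated, a practitioner wants to confirm that directory service access events are actually arriving and to see who is generating failures. The following PowerShell script is an added example, not part of the book: it checks the effective audit policy and summarises the Directory Service Access events from the Security log. It assumes it is run with administrative rights on a domain controller running Windows Server 2008 or later with PowerShell 3+ (auditpol and Get-WinEvent do not exist on WS2003 itself, where the equivalent event is 566, Object Operation; 2008 and later log event 4662). The computer name and time window are parameters you supply.

```powershell
# Added example (not from the book): verify that Directory Service Access auditing
# is producing events and summarise who touched which object classes.
# Assumptions: administrative rights on a DC, PowerShell 3+, Windows Server 2008+
# (event 4662 replaces the WS2003-era 566; auditpol/Get-WinEvent are not on WS2003).
param(
    [int]$Hours = 24,
    [string]$ComputerName = $env:COMPUTERNAME   # assumed: run on the DC itself
)

# 1. Confirm the effective audit policy for the DS Access category.
$policy = auditpol /get /category:"DS Access" 2>&1
Write-Host "Effective DS Access audit policy on ${ComputerName}:`n$policy"

# 2. Pull Directory Service Access events (4662) from the Security log.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4662 events in the last $Hours hours: either the GPO has not applied yet (check gpresult /r) or no audited access occurred."
    return
}

# 3. Parse the XML payload; the fields of interest are SubjectUserName,
#    ObjectType, ObjectName and AccessMask.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Outcome    = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ObjectType = $d.ObjectType
        ObjectName = $d.ObjectName
        AccessMask = $d.AccessMask
    }
}

# 4. Failures are the signal for the "unauthorized attempts" the text describes:
#    group them by who tried and what class of object they touched.
$rows | Where-Object Outcome -eq 'Failure' |
    Group-Object Subject, ObjectType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 5. Most recent detail for follow-up in Event Viewer or a SIEM.
$rows | Sort-Object Time -Descending | Select-Object -First 50 | Format-Table -AutoSize
```

Domain controllers emit a large volume of 4662 successes from normal replication and logon traffic, which is why the per-object auditing described above is usually scoped to a few sensitive objects rather than applied broadly; the failure summary in step 4 is the part worth alerting on.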

Back Up Active Directory


See Backup later in this chapter for information on this.

Create an Object


Right-click a domain, container, or OU → New → select the type of object you want to create (user, group, computer...) → type a name and specify other common properties of the object

After you create an object in Active Directory, you can configure it
further by opening its properties sheet. For more information on
configuring Active Directory objects, see Groups, Printing, and Users
later in this chapter.

Create a Saved Query


Saved queries
let you quickly access a desired set of Active Directory objects. For
example, you can create queries to display all disabled user
accounts, all color printers, all computers whose names start with
SRV, and so on.

Right-click Saved Queries → New → Query

Give the query a friendly name you can remember, specify a query root
(the container on which the query runs, including its subcontainers),
and define the type of query you want to create. For quick and dirty
queries, select Common Query, which provides several options for
user, group, and computer accounts. To execute a saved query later,
just select it in the console tree and view the results in the
details pane. You can edit queries after you create them and organize
large numbers of queries in folders, sort of like Favorites in
Internet Explorer but without the webbish look. If
you're into LDAP, you can view the actual query
string when you create the query.
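For readers who do want to see the LDAP behind the Common Query dialog, the script below is an added example (not the book's) that runs the three saved queries mentioned above as explicit LDAP filters with the ActiveDirectory module's Get-ADObject. It assumes the RSAT ActiveDirectory module on PowerShell 3+ (not available on WS2003 itself) and uses the mycompany.local example domain from this section as the query root; the matching-rule OID and attribute names are real schema values, not assumptions.

```powershell
# Added example (not from the book): the LDAP filters behind three saved queries,
# run with Get-ADObject. Assumptions: ActiveDirectory module available; the query
# root DN below uses the section's example domain and must be adjusted.
Import-Module ActiveDirectory

# Query root: the container the query runs on, including its subcontainers
# (SearchScope Subtree mirrors the console's behaviour).
$queryRoot = 'DC=mycompany,DC=local'

# Matching rule 1.2.840.113556.1.4.803 is a bit-wise AND; 0x2 in userAccountControl
# is ACCOUNTDISABLE, so the first filter is the "disabled user accounts" common query.
$savedQueries = [ordered]@{
    'Disabled user accounts'     = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
    'Color printers'             = '(&(objectCategory=printQueue)(printColor=TRUE))'
    'Computers starting with SRV' = '(&(objectCategory=computer)(name=SRV*))'
}

function Invoke-SavedQuery {
    param([string]$Name, [string]$LdapFilter, [string]$SearchBase)
    Write-Host "== $Name ==`n   $LdapFilter"
    Get-ADObject -LDAPFilter $LdapFilter -SearchBase $SearchBase -SearchScope Subtree `
                 -Properties name, objectClass, whenChanged |
        Select-Object name, objectClass, whenChanged, distinguishedName |
        Format-Table -AutoSize
}

foreach ($q in $savedQueries.GetEnumerator()) {
    Invoke-SavedQuery -Name $q.Key -LdapFilter $q.Value -SearchBase $queryRoot
}
```

The disabled-accounts query is the one worth scheduling: accounts that stay disabled for months are candidates for deletion, and an account that flips from disabled back to enabled without a ticket is something the auditing described earlier in this section will record.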

Install Active Directory


Installing Active Directory means creating the first
domain controller, the forest, and the forest root domain for your
company's network. There are two ways to do this.
The first method starts with a freshly installed standalone WS2003
machine and is suitable mainly for new networks:

Administrative Tools → Manage Your Server → Add or Remove a Role → Typical configuration for a first server → specify DNS name for your forest root domain (e.g., mycompany.local) → accept or modify default NetBIOS name for domain → specify IP address of DNS forwarder for external (Internet) name resolution

At the completion of this process, your server will have a static IP
address (if it didn't have one already) and Active
Directory installed on it. It will also be a DNS server and, if no
DHCP server is detected on your network, a DHCP server as well. To
verify the actions performed, check Configure Your Server.log in the
\Windows\Debug folder.

Note that if you use this method on a member server already belonging
to an existing WS2003 domain, the Typical configuration for a first
server option is not displayed. Instead, you can select Manage Your
Server → Add or Remove a Role → Domain Controller (Active Directory),
which starts the Active Directory Installation Wizard, allowing you to
convert your member server into a domain controller for the existing
domain or to create a new child domain or root domain of a new tree
(note that you need to be a member of the Enterprise Admins group to
do this).


Before installing Active Directory together with DNS on W2K, it was
necessary to ensure that your server's TCP/IP
settings point to its own IP address as its DNS server. On WS2003,
the process for installing Active Directory now takes care of this
automatically.

A more flexible method for installing Active
Directory is to use the Active Directory Installation Wizard:

Insert product CD → Start → Run → dcpromo → Domain controller for a new domain → Domain in a new forest → specify DNS name for your forest root domain → accept or modify NetBIOS name for domain → accept or modify default location for NTDS and SYSVOL folders → Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server → specify default permissions for users and groups (select the pre-W2K compatibility option only if you still have downlevel NT domain controllers on your network) → specify password for Directory Services Restore Mode

Either method makes the machine the first domain controller of the
root domain of the forest. The machine is also a DNS server and a
global catalog server for the domain. If you used the second method
and want your users to have access to the Internet, you will need to
manually configure a DNS forwarder to your ISP's
name server; see DNS later in this chapter for directions.


You can also remove Active Directory by removing the Domain
Controller role in Manage Your Server or by running the Active
Directory Installation Wizard again. Removing Active Directory from
all your domain controllers means your domain no longer exists, an
action that of course has consequences for your users (they can no
longer log on to the domain to access network resources).

Move an Object


Right-click an object → Move

You can create OUs and move objects to these OUs to facilitate
delegation and application of Group Policy. See Delegation and Group
Policy later in this chapter for more information.

New to the Active Directory Users and Computers console in WS2003 is
the ability to drag and drop objects between containers. At last!

Publish a Resource


Publishing a resource means creating
an object in Active Directory to represent the resource. This helps
users locate the resource on the network in order to access it. Most
resources, such as users, groups, computers, and printers, are
published automatically in Active Directory. Two exceptions to this
are shared folders on network file servers and downlevel shared
printers that are managed by print servers not running WS2003 as
their operating system; these resources must be published manually.

To publish a shared folder:

Right-click on the OU where you want to publish the shared folder → New → Shared Folder → specify a friendly name for the resource → specify the UNC path to the shared folder

After publishing the folder, you can open its properties sheet and
add a description and a list of keywords to help users find the
folder when they need it.
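The New → Shared Folder dialog creates an Active Directory object of class volume whose uNCName attribute holds the share path; description and keywords are ordinary attributes on that object. The PowerShell below is an added example, not the book's, that publishes a share this way and then queries it back the way a user's directory search would find it. It assumes the RSAT ActiveDirectory module (PowerShell 3+, not WS2003 itself); the OU, share name and UNC path are constructed placeholders.

```powershell
# Added example (not from the book): publish a shared folder as an AD 'volume'
# object, add the description and keywords the text recommends, and verify it.
# Assumptions: ActiveDirectory module; the OU, friendly name and UNC path below
# are constructed placeholders to be replaced.
Import-Module ActiveDirectory

$targetOU = 'OU=Resources,DC=mycompany,DC=local'   # constructed
$friendly = 'Finance Reports'                      # constructed
$uncPath  = '\\FS01\Reports$'                      # constructed

# A published path that no longer exists sends users to a dead share, so check
# reachability before writing the object into the directory.
if (-not (Test-Path -LiteralPath $uncPath)) {
    throw "Share $uncPath is not reachable; fix the share before publishing it."
}

New-ADObject -Name $friendly -Type volume -Path $targetOU -OtherAttributes @{
    uNCName     = $uncPath
    description = 'Monthly finance reports (read-only for most users)'
    keywords    = @('finance', 'reports', 'monthly')   # multi-valued attribute
}

# Confirm what a directory search will show. Filtering on name avoids having to
# escape the backslashes of the UNC path inside an LDAP filter.
Get-ADObject -LDAPFilter "(&(objectClass=volume)(name=$friendly))" -SearchBase $targetOU `
             -Properties uNCName, description, keywords |
    Select-Object name, uNCName, description, keywords
```

Publishing only advertises the path; access is still governed by the share and NTFS permissions on the file server, so reviewing those remains the control that matters when a folder is made easier to find.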

To publish a downlevel shared printer:

Right-click on the OU where you want to publish the printer → New → Printer → specify the UNC path to the printer

Once users find this printer in Active Directory, they can connect to
it or manage its properties, depending on their permissions.

Upgrade to Active Directory


For information about upgrading from NT domains to Active Directory or
from a W2K version of Active Directory to the WS2003 version, see
Active Directory (O'Reilly).

