MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources]

Jill Spealman


Lesson 2: Active Directory Administrative Tools

The powerful and flexible Active Directory administrative tools that are included with Windows 2000 Server simplify directory service administration. You can use the standard consoles or, using Microsoft Management Console (MMC), you can create custom consoles that focus on single management tasks. This lesson introduces the Active Directory administrative tools and the MMC.

After this lesson, you will be able to

Describe the function of the Active Directory Users and Computers administrative console

Describe the function of the Active Directory Sites and Services administrative console

Describe the function of the Active Directory Domains and Trusts administrative console

Describe the function and components of MMC, including console trees, details panes, snap-ins, extensions, and console modes

Estimated lesson time: 20 minutes

Active Directory Administrative Tools

The Active Directory administrative tools are installed automatically on computers configured as Windows 2000 domain controllers. The administrative tools are also available with the optional Administrative Tools package. This package can be installed on other versions of Windows 2000 to allow you to administer Active Directory from a computer that is not a domain controller. The following Active Directory standard administrative tools are available on the Administrative Tools menu of all Windows 2000 domain controllers:

Active Directory Domains and Trusts console

Active Directory Sites and Services console

Active Directory Users and Computers console

Active Directory Domains and Trusts Console

The Active Directory Domains and Trusts console helps you manage trust relationships between domains. These domains can be Windows 2000 domains in the same forest, Windows 2000 domains in different forests, pre-Windows 2000 domains, and even Kerberos V5 realms.

Using Active Directory Domains and Trusts, you can

Provide interoperability with other domains (such as pre-Windows 2000 domains or domains in other Windows 2000 forests) by managing explicit domain trusts

Change the mode of operation of a Windows 2000 domain from mixed mode to native mode

Add and remove alternate user principal name (UPN) suffixes used to create user logon names

Transfer the domain naming operations master role from one domain controller to another

Provide information about domain management

Active Directory Sites and Services Console

You provide information about the physical structure of your network by publishing sites to Active Directory using the Active Directory Sites and Services console. Active Directory uses this information to determine how to replicate directory information and handle service requests.

Active Directory Users and Computers Console

The Active Directory Users and Computers console allows you to add, modify, delete, and organize Windows 2000 user accounts, computer accounts, security and distribution groups, and published resources in your organization's directory. It also allows you to manage domain controllers and OUs.

Other Active Directory Administrative Tools

In addition to the Active Directory consoles provided on the Administrative Tools menu, there are several other tools provided for administering Active Directory.

Active Directory Schema Snap-In

The Active Directory Schema snap-in allows you to view and modify Active Directory schema. This snap-in is not available by default on the Administrative Tools menu. You must install it, and all of the Windows 2000 Administration Tools, using Add/Remove Programs in the Control Panel. Do not use the ADMINPAK.MSI file on the Windows 2000 Server CD-ROM to perform these operations.

To install the Active Directory Schema snap-in on a domain controller

Log on as an Administrator.

Click Start, point to Settings, then click Control Panel.

Double-click Add/Remove Programs.

On the Add/Remove Programs dialog box, click Change Or Remove Programs, click Windows 2000 Administration Tools, then click Change.

On the Welcome To The Windows 2000 Administration Tools Setup Wizard page, click Next.

On the Setup Options page, click Install All Of The Administrative Tools, then click Next.

The wizard installs the Windows 2000 Administration Tools. When it finishes, click Finish.

Close the Add/Remove Programs dialog box, then close the Control Panel.

Click Start, and then click Run.

In the Open box, type mmc and then click OK.

On the Console menu, click Add/Remove Snap-In.

In the Add/Remove Snap-In dialog box, click Add.

In the Add Standalone Snap-In dialog box, in the Snap-In column, double-click Active Directory Schema, click Close, then click OK.

To save this console, from the Console menu, click Save.

IMPORTANT Modifying the Active Directory schema is an advanced operation that is best performed programmatically by experienced programmers or system administrators. For detailed information about modifying the Active Directory schema, see the Microsoft Active Directory Programmer's Guide.

Active Directory Support Tools

Several additional tools that can be used to configure, manage, and debug Active Directory are available in the Windows 2000 Support Tools. The Windows 2000 Support Tools are included on the Windows 2000 CD in the \Support\Tools folder. These tools are intended for use by Microsoft support personnel and experienced users.

To use Active Directory support tools you must first install the Windows 2000 Support Tools on your computer.

To install the Windows 2000 Support Tools

Start Windows 2000. You must log on as a member of the Administrators group to install these tools.

Insert the Windows 2000 CD into your CD-ROM drive.

When the Microsoft Windows 2000 CD screen appears, click Browse This CD.

Browse to the \SUPPORT\TOOLS directory.

Click SETUP.EXE.

Follow the instructions that appear on your screen.

The Setup program installs all Windows 2000 Support Tools files onto your hard disk and requires a maximum of 19 megabytes (MB) of free space.

Setup creates a Windows 2000 Support Tools folder within the Programs folder on the Start menu. For detailed information about individual tools, click the Tools Help menu item. Graphical User Interface (GUI) tools can be selected from the Tools menu.

Setup also adds the \Program Files\Resource Kit directory (or the directory name you choose for installing the tools) to your computer's PATH statement.

Table 3.2 describes the support tools that pertain to Active Directory.

Table 3.2 Active Directory Support Tools

Tool / Used to

ACLDIAG.EXE, ACL Diagnostics [1]
    Determine whether a user has been granted or denied access to an Active Directory object. It can also be used to reset access control lists to their default state. See Chapter 14, "Managing Active Directory Performance," for more information.

ADSI Edit [3]
    View all objects in the directory (including schema and configuration naming contexts), modify objects, and set access control lists on objects.

DFSUTIL.EXE, Distributed File System Utility [1]
    Manage all aspects of distributed file system (Dfs), check the configuration concurrency of Dfs servers, and display the Dfs topology.

DNSCMD.EXE, DNS Server Troubleshooting Tool [1]
    Check dynamic registration of DNS resource records, including secure DNS update, and deregister resource records.

DSACLS.EXE [1]
    View or modify the access control lists of objects in Active Directory. See Chapter 14, "Managing Active Directory Performance," for more information.

DSASTAT.EXE, Active Directory Diagnostic Tool [1]
    Compare naming contexts on domain controllers and detect Active Directory differences. See Chapter 14, "Managing Active Directory Performance," for more information.

LDP.EXE, Active Directory Administration Tool [2]
    Allow Lightweight Directory Access Protocol (LDAP) operations to be performed against Active Directory. See Chapter 14, "Managing Active Directory Performance," for more information.

MOVETREE.EXE, Active Directory Object Manager [1]
    Move Active Directory objects such as OUs and users between domains in a single forest. See Chapter 11, "Administering Active Directory," for more information.

NETDOM.EXE, Windows 2000 Domain Manager [1]
    Manage Windows 2000 domains and trust relationships.

NLTEST.EXE [1]
    Provide a list of primary domain controllers, force a shutdown, and provide information about trusts and replication. See Chapter 14, "Managing Active Directory Performance," for more information.

REPADMIN.EXE, Replication Diagnostics Tool [1]
    Check replication consistency between replication partners, monitor replication status, display replication metadata, and force replication events and knowledge consistency checker recalculation. See Chapter 14, "Managing Active Directory Performance," for more information.

REPLMON.EXE, Active Directory Replication Monitor [2]
    Graphically display replication topology, monitor replication status (including Policies), and force replication events and knowledge consistency checker recalculation. See Chapter 14, "Managing Active Directory Performance," for more information.

SDCHECK.EXE, Security Descriptor Check Utility [1]
    Check access control list propagation and replication for specified objects in the directory. This tool enables an administrator to determine whether access control lists are being inherited correctly and whether access control list changes are being replicated from one domain controller to another. See Chapter 14, "Managing Active Directory Performance," for more information.

SIDwalker, Security Administration Tools
    Manage access control policies on Windows 2000 and Windows NT systems. SIDwalker consists of three separate programs: SHOWACCS.EXE [1] and SIDWALK.EXE [1] for examining and changing access control entries, and Security Migration Editor [3] for editing the mapping between old and new security IDs (SIDs).

[1] command-line tool

[2] graphical user interface tool

[3] Microsoft Management Console snap-in

For more information about the Active Directory support tools, see the Microsoft Windows 2000 Server Resource Kit.

Active Directory Service Interfaces

Active Directory Service Interfaces (ADSI) provides a simple, powerful, object-oriented interface to Active Directory. ADSI makes it easy for programmers and administrators to create programs utilizing directory services by using high-level tools such as Microsoft Visual Basic, Java, C, or Visual C++, as well as ActiveX Scripting Languages, such as VBScript, JScript, or PerlScript, without having to worry about the underlying differences between the different namespaces. ADSI is a fully programmable automation object for use by administrators.

ADSI enables you to build or buy programs that give you a single point of access to multiple directories in your network environment, whether those directories are based on LDAP or another protocol.
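As an added example (not code from the Training Kit), the following PowerShell script uses ADSI through the [ADSI] type accelerator to do the kind of check ACLDIAG.EXE and DSACLS.EXE perform: it lists the explicit, non-inherited ACEs on an Active Directory object that grant rights allowing the object's permissions to be rewritten, and reports whether ACL inheritance is blocked. It assumes a domain-joined computer, and the LDAP path is a placeholder you replace with an object from your own directory.

```powershell
# Added example, not from the Training Kit. Audits explicit ACEs on one AD object via ADSI.
# The LDAP path below is a placeholder; replace it with an object in your own domain.
param([string]$LdapPath = "LDAP://OU=Example,DC=contoso,DC=com")

# [ADSI] binds through System.DirectoryServices.DirectoryEntry, an ADSI wrapper.
$obj = [ADSI]$LdapPath

# ObjectSecurity exposes the object's ntSecurityDescriptor as ActiveDirectorySecurity.
$sd = $obj.ObjectSecurity

# Return explicit and inherited rules, with trustees resolved to NTAccount names.
$rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

# Rights that let a trustee take over the object or rewrite its DACL.
$sensitive = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

"Object:              $($obj.distinguishedName)"
# When inheritance is blocked, changes made higher in the tree never reach this object,
# which is the condition SDCHECK.EXE is described as detecting.
"Inheritance blocked: $($sd.AreAccessRulesProtected)"

foreach ($r in $rules) {
    # Explicit allow ACEs are the ones that diverge from the default, inherited ACL.
    if (-not $r.IsInherited -and
        $r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($r.ActiveDirectoryRights -band $sensitive) -ne 0)) {
        "EXPLICIT {0,-40} {1}" -f $r.IdentityReference.Value, $r.ActiveDirectoryRights
    }
}
```

Run the script with an account that can read the object's security descriptor; explicit entries it prints should each be traceable to a deliberate delegation.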

The Microsoft Management Console (MMC)

The MMC is a tool used to create, save, and open collections of administrative tools, which are called consoles. When you access the Active Directory administrative tools, you are accessing the MMC for that tool. The Active Directory Domains and Trusts, Active Directory Sites and Services, and Active Directory Users and Computers administrative tools are each a console. The console does not provide management functions itself, but is the program that hosts management applications called snap-ins. You use snap-ins to perform one or more administrative tasks.

There are two types of MMCs: preconfigured and custom. Preconfigured MMCs contain commonly used snap-ins, and they appear on the Administrative Tools menu. You create custom MMCs to perform a unique set of administrative tasks. You can use both preconfigured and custom MMCs for remote administration.

Preconfigured MMCs

Preconfigured MMCs contain snap-ins that you use to perform the most common administrative tasks. Windows 2000 installs a number of preconfigured MMCs during installation. Preconfigured MMCs

Contain one or more snap-ins that provide the functionality to perform a related set of administrative tasks.

Function in User mode. Because preconfigured MMCs are in User mode, you cannot modify them, save them, or add additional snap-ins. However, when you create custom consoles, you can add as many preconfigured consoles as you want as snap-ins to your custom console.

Vary, depending on the operating system that the computer is running and the installed Windows 2000 components. Windows 2000 Server and Windows 2000 Professional have different preconfigured MMCs.

Might be added by Windows 2000 when you install additional components. Optional Windows 2000 components might include additional preconfigured MMCs that Windows 2000 adds when you install a component. For example, when you install the Domain Name System (DNS) service, Windows 2000 also installs the DNS console.

Table 3.3 lists the typical preconfigured MMCs in Windows 2000 and their function.

Table 3.3 Preconfigured MMCs

Preconfigured MMC / Function

Active Directory Domains and Trusts [1,2]
    Manages the trust relationships between domains

Active Directory Sites and Services [1,2]
    Creates sites to manage the replication of Active Directory information

Active Directory Users and Computers [1,2]
    Manages users, computers, security groups, and other objects in Active Directory

Component Services
    Configures and manages COM+ applications

Computer Management
    Manages disks and provides access to other tools to manage local and remote computers

Configure Your Server [1]
    Sets up and configures Windows services for your network

Data Sources (ODBC)
    Adds, removes, and configures Open Database Connectivity (ODBC) data sources and drivers

DHCP [1,2]
    Used to configure and manage the Dynamic Host Configuration Protocol (DHCP) service

Distributed File System [1]
    Creates and manages DFSs that connect shared folders from different computers

DNS [1,2]
    Manages the DNS service, which translates DNS computer names to IP addresses

Domain Controller Security Policy [1,2]
    Used to view and modify security policy for the Domain Controllers organizational unit

Domain Security Policy [1,2]
    Used to view and modify security policy for the domain, such as user rights and audit policies

Event Viewer
    Displays monitoring and troubleshooting messages from Windows and other programs

Internet Services Manager [1]
    Manages Internet Information Services (IIS), the Web server for Internet and intranet Web sites

Licensing [1]
    Manages client access licensing for a server product

Local Security Policy [3]
    Used to view and modify local security policy, such as user rights and audit policies

Performance
    Displays graphs of system performance and configures data logs and alerts

Routing and Remote Access [1]
    Used to configure and manage the Routing and Remote Access service

Server Extensions Administrator [1]
    Used to administer Microsoft FrontPage Server Extensions and FrontPage extended webs

Services
    Starts and stops services

Telnet Server Administration [1]
    Used to view and modify telnet server settings and connections

[1] MMC not available on Windows 2000 Professional.

[2] MMC not available on Windows 2000 Server stand-alone server.

[3] MMC not available on Windows 2000 Server domain controller.

Custom MMCs

You can use many of the preconfigured MMCs for administrative tasks. However, there will be times when you need to create your own custom MMCs. Although you can't modify preconfigured consoles, you can combine multiple preconfigured snap-ins with third-party snap-ins that perform related tasks to create custom MMCs. You can then do the following:

Save the custom MMCs to use again.

Distribute the custom MMCs to other administrators.

Use the custom MMCs from any computer to centralize and unify administrative tasks.

Creating custom MMCs allows you to meet your administrative requirements by combining snap-ins that you use to perform common administrative tasks. By creating a custom MMC, you do not have to switch between different programs or different preconfigured MMCs because all of the snap-ins that you need to perform your job are located in the custom MMC.

Consoles are saved as files and have an .msc extension. All the settings for the snap-ins contained in the console are saved and restored when the file is opened, even if the console file is opened on a different computer or network.

Console Tree and Details Pane

Every MMC has a console tree. A console tree displays the hierarchical organization of the snap-ins contained within an MMC. As you can see in Figure 3.1, this MMC contains the Device Manager (on the local computer) and Disk Defragmenter snap-ins.

Figure 3.1 A sample MMC

The console tree organizes snap-ins that are part of an MMC. This allows you to easily locate a specific snap-in. Items that you add to the console tree appear under the console root. The details pane lists the contents of the active snap-in.

Every MMC contains the Action menu and the View menu. The choices on these menus are context-sensitive, depending on the current selection in the console tree.

Snap-Ins

Snap-ins are applications that are designed to work in an MMC. Use snap-ins to perform administrative tasks. There are two types of snap-ins: standalone snap-ins and extension snap-ins.

Standalone Snap-Ins

Standalone snap-ins are usually referred to simply as snap-ins. Use standalone snap-ins to perform Windows 2000 administrative tasks. Each snap-in provides one function or a related set of functions. Windows 2000 Server comes with standard snap-ins. Windows 2000 Professional includes a smaller set of standard snap-ins.

Extension Snap-Ins

Extension snap-ins are usually referred to simply as extensions. They are snap-ins that provide additional administrative functionality to another snap-in. The following are characteristics of extensions:

Extensions are designed to work with one or more standalone snap-ins, based on the function of the standalone snap-in. For example, the Software Installation extension is available in the Group Policy snap-in; however, it is not available in the Disk Defragmenter snap-in, because Software Installation does not relate to the administrative task of disk defragmentation.

When you add an extension, Windows 2000 displays only extensions that are compatible with the standalone snap-in. Windows 2000 places the extensions into the appropriate location within the standalone snap-in.

When you add a snap-in to a console, MMC adds all available extensions by default. You can remove any extension from the snap-in.

You can add an extension to multiple snap-ins.

Figure 3.2 demonstrates the concept of snap-ins and extensions. A toolbox (an MMC) holds a drill (a snap-in). You can use a drill with its standard drill bit, and you can perform additional functions with different drill bits (extensions).

Figure 3.2 Snap-ins and extensions

Some standalone snap-ins, such as Computer Management, can use extensions that provide additional functionality. Other snap-ins, such as Event Viewer, can act either as a standalone snap-in or as an extension.

Console Options

Use console options to determine how each MMC operates by selecting the appropriate console mode. The console mode determines the MMC functionality for the person who is using a saved MMC. The two available console modes are Author mode and User mode.

NOTE Additional console options can be set using group policy. For information on setting group policies, see Chapter 12, "Administering Group Policy."

Author Mode

When you save an MMC in Author mode, you enable full access to all MMC functionality, which includes modifying the MMC. Save the MMC using Author mode to allow those using it to do the following:

Add or remove snap-ins

Create new windows

View all portions of the console tree

Save MMCs

NOTE By default, all new MMCs are saved in Author mode.

User Mode

Usually, if you plan to distribute an MMC to other administrators, you save the MMC in User mode. When you set an MMC to User mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC.

There are three types of User modes that allow different levels of access and functionality. Table 3.4 describes when to use each User mode.

Table 3.4 MMC Console User Modes

User Mode / Use When

Full Access
    You want to allow users to navigate between snap-ins, open new windows, and gain access to all portions of the console tree.

Limited Access, Multiple Windows
    You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view multiple windows in the console.

Limited Access, Single Window
    You do not want to allow users to open new windows or gain access to a portion of the console tree. You want to allow users to view only one window in the console.

Lesson Summary

In this lesson you learned about the Active Directory administrative tools. The Active Directory Domains and Trusts console manages the trust relationships between domains. The Active Directory Sites and Services console creates sites to manage the replication of Active Directory information. The Active Directory Users and Computers console manages users, computers, security groups, and other objects in Active Directory.

The MMC is a tool used to create, save, and open collections of administrative tools, called consoles. MMCs hold one or more management applications, called snap-ins, which you use to perform administrative tasks. Preconfigured MMCs contain commonly used snap-ins, and they appear on the Administrative Tools menu. You create custom MMCs to perform a unique set of administrative tasks. You can use both preconfigured and custom MMCs for remote administration.

You learned that every MMC has a console tree. The console tree displays the hierarchical organization of the snap-ins that are contained within that MMC. This allows you to easily locate a specific snap-in. The details pane lists the contents of the active snap-in. You also learned that there are two types of snap-ins: standalone snap-ins and extension snap-ins.

Finally, in this lesson you learned about console options. You use console options to determine how each MMC operates by selecting the appropriate console mode. The two available console modes are Author mode and User mode. When you save an MMC in Author mode, you enable full access to all MMC functionality, which includes modifying the MMC. When you set an MMC to User mode, users cannot add snap-ins to, remove snap-ins from, or save the MMC.