In-Depth

The 12 Mighty Chores of Active Directory Administration in Depth

Admininstering Active Directory takes some practice. Here are 12 exercises to keep your AD skills limber.

• By Danielle Ruest and Nelson Ruest
• 09/01/2003

1. One of the most common tasks you perform in AD is user and group administration. User password resets, user creation and deactivation, user group membership management are all tasks that can be performed as often as everyday in some networks. Most of these activities are performed through the AD Users and Computers Microsoft Management Console (MMC) snap-in. This snap-in does support enhancements, some of which are provided by Microsoft. For example, you can add another user account information tab in the user object's properties page by downloading and registering the AcctInfo.dll (see "Additional Information") on a server or workstation hosting the AD Users and Computers console. This will give you information such as the last time users logged on, the last time they changed their passwords, how long they've been logged on and so on. It also includes a nifty little button, Set PWD On Site DC. This button automatically locates a user's site to reset the password locally, thus avoiding replication delays.

When it comes to group management, Windows Server 2003 helps by fully supporting drag-and-drop in most AD consoles. This lets you more easily perform massive user operations such as group membership assignment. But the most important tool you have to lower this administrative workload is structure. This means using rules and guidelines to avoid becoming tangled in the multiple group syndrome. The rule that helps most is UGLP (see Figure 1). Users are inserted into Global groups, Global groups are inserted into Domain Local or Local groups and Permissions are set on the Domain Local or Local groups. If you must support inter-domain or inter-forest operations, then the rule becomes the UGULP because Universal groups are used to link global and domain local groups from one domain or forest to another. The biggest lesson of this rule is that the only groups containing users are global groups. Stick to it; it vastly simplifies user management.

Figure 1. The UGLP (or UGULP when crossing domains) rule helps administrators control group management in Active Directory. (Click image to view larger version.)

2. Another administrative task that can be performed daily is PC or mobile device administration. Since the advent of Windows NT, all machines in a Windows network must have a computer account. This is how they interact with the directory and how the directory interacts with them. One great feature of Windows 2000 (with Service Pack 1 or later) and Windows 2003 is that computer accounts can be managed in much the same way as user accounts because computer accounts can also be members of groups. Regrouping computers into global groups vastly simplifies management because you can manage groups instead of individual machines. Group membership also vastly simplifies software deliveries. All you need to do is create a security group for each of the software products you assign through the directory and set the access rights on its distribution. This way, if you want to assign a product to a machine, all you need to do is insert the machine account into the proper group.

Microsoft also provides a useful extension for the AD Users and Computers console for computer management, called the Remote Control Add-on and available for download from the Microsoft Web site. (See "Additional Information.") Once installed, it lets you launch a Remote Control session on any computer in the directory through the object's context menu.

3. The very purpose of a network is to deliver networked services to users. Many of these services interact with the directory. File shares and printers are now published in the directory for easy location. Distributed File System shares are also integrated to the directory for easier management and administration and for fault tolerance. Terminal Services integrates with the directory through the user object properties for terminal session profile and environment generation. Terminal Services are also now completely integrated with Group Policy Objects (GPOs). Applications can interact with the directory to access information it contains. Windows 2003 also supports COM+ and Application Partitions, special replication scopes that can be used to contain information of either local or global interest. Managing these services can also be a daily task in large networks.

4. The most powerful aspect of AD remains Group Policy. GPO administration can also be a full-time job if not managed properly. Before the coming of Windows 2003, GPO management was cumbersome and unwieldy. But with the Group Policy Management Console (GPMC), Microsoft has redefined the meaning of GPO administration (see Figure 2). This download from Microsoft finally gives systems administrators the tools they need to properly prepare, test and deploy GPOs. One great feature that GPMC provides is the ability to report on GPO settings, something only third-party products such as Full Armor Fazam 2000 provided before.

Figure 2. The Group Policy Management Console offers powerful reporting capabilities as well as integrated GPO administration capabilities. (Click image to view larger version.)

5. One network element that has changed considerably with the coming of AD is the Domain Naming Service (DNS). DNS is now tied closely to the directory. In fact, directory operation is based on a properly functioning DNS service. Fortunately, DNS administration is simplified with Windows 2000 and Windows 2003 because the DNS service is dynamic, updating itself automatically, especially if all objects in your network are running Windows 2000 or later operating systems (because these systems can manage their own DNS records). Nevertheless, you still have to manage external DNS connections, verify that the service is operating properly, verify that DNS Application Partitions are replicating properly, and verify that DNS is properly removing obsolete data from its database. This task may not be a daily task in large networks, but it definitely requires at least a weekly review.

6. The very nature of the directory is distribution. All of us are familiar with the notion of having at least two domain controllers (DC) for each domain we create, because replication is at the very core of the directory service operation. AD topology and replication administration is an important aspect of ensuring proper AD operation. This is mostly done through the AD Sites and Services console. It lets you configure subnets, sites, site links, site link bridges and bridgehead servers. Of course, you should also rely heavily on the Knowledge Consistency Checker (KSS), a service that automatically generates replication topologies based on the rules and guidelines you give it (so long as no bridgehead servers are defined). Windows 2003 removes many of the limitations Windows 2000 imposed on this service, making it more reliable and dependable, but you still have to use the proper tools to verify the proper working state of your replication on a weekly basis at best.

7. The configuration of AD is also something that must be managed on an on-going basis, especially at the very beginning of your implementation because you'll tend to refine its structure as you learn more about AD. Configuration administration involves forest, domain, and organizational unit (OU) design and implementation. Very large organizations will probably have multiple forests containing multiple domains-especially now that Windows 2003 supports transitive forest trusts. While smaller organizations may have a single domain in a single forest, they'll still want to use OUs to restructure the data they manage in the directory. Configuration administration also involves Operations Master roles, Global Catalog Servers and domain controllers, since these servers define the configuration of each forest. Though configuration management is performed mostly with the Users and Computers console when it comes to OUs, it involves the entire AD toolkit when it comes to forests, domains or the servers they depend on.

8. AD is a database, albeit a distributed one, but a database no less. As such, it includes a database schema. The default AD schema includes over 200 objects and 1,000 attributes. Because it's an extensible database, the AD schema can be modified and extended. For example, installing Microsoft Exchange almost doubles the size of the default AD schema. Schema modifications shouldn't be done lightly because added objects can't normally be removed (though they can be deactivated). This is the reason why the schema is protected by default. In fact, the SchmMgmt.dll must be registered on either servers or workstations before the Schema Management snap-in becomes available to integrate into a Microsoft Management Console. The schema administrator is mostly a guardian of the AD database. That's because the less you modify the default schema, the better it is. Fortunately, Microsoft has released Active Directory in Application Mode (ADAM). ADAM is a lightweight directory access protocol (LDAP) database that can easily be tied to your directory to provide extensibility. In addition, since it's free to owners of Windows 2003, you can have as many instances of ADAM as you like, letting you extend AD functionality without having to modify the schema of your network directory. [For more on ADAM, read Bill Boswell's explanation in this month's "Windows Insider," at http://mcpmag.com/columns/article.asp?editorialsid=592.--Ed.]

9. The 200 objects and 1,000 attributes are just to populate the directory with information about the objects it contains. User objects alone include over 200 attributes ranging from the user's address at the office to home address information, maybe a photograph, perhaps a position in the organization's hierarchy and much more. Shared folders can include owners, groups can include managers, printers and computers can include location tracking information-all information elements that should be populated in a properly configured directory. In addition, you can use the AD Schema Management console to add or remove content from the Global Catalog, the portion of the directory that makes information elements available to all users of a forest. You can use this same tool to determine if AD should index an object or not. Indexing objects in AD makes finding them much faster. To control the amount of information stored in the directory, you can even assign NTDS quotas, making sure no one stores more information than they should in the directory. Fortunately for the AD information administrator, it's easy and simple to delegate many of the information management tasks. For example, users control many of their own information elements in the directory. All you need to do is train them to fill in the proper information every time they move or change roles in the organization.

10. Of course, you can't forget that AD administration also involves security management. After all, the AD database is designed to replace the Windows NT Security Account Manager (SAM). Security management covers everything from setting Domain Account Policies, assigning user rights, and managing trusts to Access Control List (ACL) and Access Control Entry (ACE) administration. Every object in the directory is assigned a security descriptor detailing who in your organization has access to the object. Managing these descriptors can be a full time position by itself. Fortunately, AD supports the concept of inheritance, letting you set access rights at the top of an AD hierarchy (within a domain) and having those rights automatically assigned to all objects in the hierarchy. AD also supports the concept of delegation, something that should be used heavily, especially in large organizations, to offload work that isn't administrator-related. For example, users are automatically delegated rights to their own information within the directory. You can also delegate tasks to help desk operators, network operators and many other operational roles within your organization.

11. As we mentioned above, AD is a database. As such, you need to perform database maintenance activities on the NTDS.DIT file stored within each domain controller. These activities include managing the LostandFound and LostandFoundConfig containers, which are designed to collect homeless objects in your directory. Administrative activities may also include compacting the directory database. Although AD regularly compacts its own database automatically, it may be necessary for you to compact it manually in certain situations. You must also back up the database on a regular basis and perform restores when required (though in many cases, it's easier to recreate the missing objects).

12. Finally, you need to generate reports from your directory in order to know how it's structured, what it contains and how it runs. There are no default tools for AD report generation. You can, however, export data at several levels of the directory. You can also now generate GPO reports with the GPMC, but that is about as far as the default AD tools will take you.