Active Directory and Group Policy Information

1) F8 - Directory Service Restore Mode
Allows restore of Active Directory on a Windows 2003 Domain Controller
Also used to defragment Ntds.dit, the AD database file (Q229602)
Ntdsutil.exe /? lists the tool's options
2) Active Directory Defrag
Online Defrag happens automatically, by default every 12 hours, as part of the garbage collection process (Knowledge Base article Q198793). The good news about online defrag is that it's automatic and the domain controller stays online. Unfortunately, online defrag doesn't reduce the total size of the database file; it only reclaims free space from within the database file.
Offline Defrag
To reduce the size of the AD database, you'll need to reboot the server, use the F8 option and choose Directory Services Restore Mode. This boots the server without starting AD, so you can work with the AD files that are held open when the server is in normal operation. Once booted into Directory Services Restore Mode, use the NTDSUtil.exe utility to compact the database. When compacting ntds.dit, you need enough free disk space to hold a copy of the current ntds.dit file (Knowledge Base article Q232122).
3) Policies for different Operating Systems
Use the Windows 95 System Policy Editor for 9x clients and save the file as config.pol
Use the Windows NT 4.0 System Policy Editor for NT 4.0 clients and save the file as ntconfig.pol
Put the .pol files in C:\Windows\SYSVOL\sysvol\domain.name\scripts
Windows 2003 Group Policies do not apply to NT 4.0 and 9x clients (Q248358)
4) Local Group Policies
Local group policies on Windows 2000 Professional are not per user; they apply to everyone who logs on.
If you need per-user settings, try NT 4.0 System Policies (Q218601)
Copying Local Group Policies: Q274478
5) Active Directory – Logical Structure
Domain
A logical grouping of users, groups and computers organized in one DNS zone that share a common directory database and security policy
Domain Tree
A root domain and its child domains that share a contiguous domain name space
Similar to the way a file system works, but the AD tree uses objects instead of folders
Implicit two-way transitive trusts exist between the domains in a tree and between the trees in a forest
Forest
One or more domain trees that share the same Global Catalog and schema
Used to join domain trees that have no common namespace
Organizational Unit (OU)
A container object that helps organize users, groups, computers, printers, etc.
Used to apply Group Policies to different areas of the domain
Sites
Based on geographic location; a site corresponds to one or more local IP subnets (Q199174)
A site usually has high-speed (512 Kbps or better) and reliable connections, such as a LAN
If the link between two locations is neither high speed nor reliable, it could be saturated by the replication traffic sent every 3 minutes. Typically you include at least one domain controller per site, and you have 1 DC for every 1200-1500 users.
6) Switching (AD) from native mode to mixed mode
by John Savill, http://www.windows2000faq.com
A. After you've changed an AD domain to native mode, it remains in native mode. You can't perform an authoritative restore to change the AD domain from native mode to what it was before the switch (i.e., mixed mode).
If you haven't yet changed from mixed to native mode and believe you might want to switch back at some point, you should take one of the domain controllers (DCs) offline (thereby ensuring that it doesn't hold any of the Flexible Single-Master Operation--FSMO--roles), then perform the switch to native mode. Should you need to switch the AD domain back to mixed mode, perform the following tasks:
1. Turn off all the DCs.
2. Turn on the offline mixed-mode DC you set aside.
3. Use Ntdsutil to give that DC all the FSMO roles.
4. Rebuild all the other DCs from scratch; don't bring them online as DCs.
Be aware that some applications might have switched to native-mode compatibility and thus won't work when the domain is returned to mixed mode.

7) Download additional security templates
www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en. These additional templates enable you to configure the security of print servers, member servers, and IIS servers, among others.
8) Group Policy Management Console
www.microsoft.com/downloads/details.aspx?familyid=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
One feature of GPMC is that you can use it to back up and restore Group Policy Objects (GPOs). Simply right-click a GPO and choose Back Up to open the Back Up Group Policy Object dialog box and away you go.
9) Modify multiple user accounts at the same time
Select the user accounts (hold down the Shift and/or Ctrl key while clicking),
then choose Action menu > Properties.
The properties you can modify for multiple users simultaneously include:
- Description, Office, Telephone Number, Fax, Web Page, and E-mail
- UPN Suffix, Logon Hours, Computer Restrictions, Account Expires, Account Options (such as Password Never Expires)
- Address information
- Profile Path, Logon Script, Home Folder
- Organization information
Click OK to save your changes.
10) What suffix to use in your Domain name for your AD
It is better to use the standard naming method: create a name that is a subdomain of your company's DNS address space (e.g., if your company's DNS domain is dananne.com, you could name your AD tree ads.dananne.com). With this method the DNS information for AD is hosted on internal DNS servers, not on your external DNS servers, so external users can't see information about your internal infrastructure.
If you need to use a nonstandard suffix in your domain name, avoid .local or .pvt because they aren't reserved. Instead, use one of the top-level domains reserved by Internet Engineering Task Force (www.ietf.org) RFC 2606:
- .test
- .example
- .invalid
- .localhost
If you use these nonstandard DNS names, you can't obtain certificates for them from a third-party Certificate Authority (CA).
11) Copying Security settings from one server to another
If you have configured the security of one of your servers and would like to use its same settings on other servers, you can use the secedit command line utility to export the server's security configuration to a template file.
- Open a command prompt
- Type secedit /export /cfg mysecurity.inf
- Secedit creates the new template file in your current folder.
- Copy it to the %SystemRoot%\Security\Templates folder.
12) A GPO to turn off default administrative shares
One way to control creation of default administrative shares is to use Group Policy settings to create a custom Administrative Template (.adm) file.
The following sample .adm file was created by Tim Goodrich. Every name referenced with !! must be defined in the [strings] section, which was missing from the original listing; the display text below is suggested wording and can be edited to taste.

CLASS MACHINE

CATEGORY !!DefaultShares

  POLICY !!DefaultSharesWKS
    EXPLAIN !!EnableDefaultShares_Explain
    VALUENAME "AutoShareWks"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    KEYNAME "SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
  END POLICY

  POLICY !!DefaultSharesSRV
    EXPLAIN !!EnableDefaultShares_Explain
    VALUENAME "AutoShareServer"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    KEYNAME "SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
  END POLICY

END CATEGORY

[strings]
DefaultShares="Default Administrative Shares"
DefaultSharesWKS="Create default shares on workstations (AutoShareWks)"
DefaultSharesSRV="Create default shares on servers (AutoShareServer)"
EnableDefaultShares_Explain="Enabled (1): the Server service creates the default administrative shares (C$, ADMIN$, etc.) at startup. Disabled (0): the default shares are not created."

Copy this into Notepad and save it with an .adm extension. Setting a policy to Disabled writes the VALUEOFF value of 0, which is what turns the default shares off; the change takes effect the next time the Server service starts.
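As an added example (not part of the original page or Tim Goodrich's template), a Python parser for the subset of the .adm format used above: CLASS, CATEGORY, POLICY, EXPLAIN, KEYNAME, VALUENAME, VALUEON/VALUEOFF and the [strings] table. It resolves !!Name references against [strings], so a template whose [strings] section is empty fails with KeyError; the sample it parses is a constructed copy of the template above with display strings filled in.

```python
import re
ADM_SAMPLE = r"""; Constructed sample: the page's template with its string table filled in
CLASS MACHINE
CATEGORY !!DefaultShares
  POLICY !!DefaultSharesWKS
    EXPLAIN !!EnableDefaultShares_Explain
    VALUENAME "AutoShareWks"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    KEYNAME "SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
  END POLICY
  POLICY !!DefaultSharesSRV
    EXPLAIN !!EnableDefaultShares_Explain
    VALUENAME "AutoShareServer"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    KEYNAME "SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
  END POLICY
END CATEGORY
[strings]
DefaultShares="Default Shares"
DefaultSharesWKS="Create default workstation shares"
DefaultSharesSRV="Create default server shares"
EnableDefaultShares_Explain="Enabled: the Server service creates C$, ADMIN$ and similar shares."
"""
KEYWORDS = ("CLASS", "CATEGORY", "POLICY", "END", "KEYNAME", "VALUENAME", "EXPLAIN", "VALUEON", "VALUEOFF")

def parse_adm(text):
    """Map each POLICY title to its class, category, explain text and registry key/value/on/off."""
    body, tail = (re.split(r"(?im)^\[strings\]\s*$", text, maxsplit=1) + [""])[:2]
    strings = dict(re.findall(r'(?m)^\s*([\w.]+)\s*=\s*"?([^"\r\n]*)"?\s*$', tail))
    resolve = lambda t: strings[t[2:]] if t.startswith("!!") else t  # KeyError if !!Name is undefined
    body = re.sub(r"(?m)^\s*;.*$", "", body)  # lines starting with ; are comments
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', body) if t.upper() != "NUMERIC"] + [""]
    policies, cats, cls, cur, i = {}, [], None, None, 0
    while i < len(toks) - 1:
        kw, arg = toks[i].upper(), toks[i + 1]
        if kw == "CLASS":
            cls = arg.upper()  # MACHINE -> HKLM, USER -> HKCU
        elif kw == "CATEGORY":
            cats.append(resolve(arg))
        elif kw == "POLICY":
            policies[resolve(arg)] = cur = {"class": cls, "category": "/".join(cats)}
        elif kw == "END":  # END POLICY closes the policy, END CATEGORY unnests
            cur = None if arg.upper() == "POLICY" else cur
            cats = cats[:-1] if arg.upper() == "CATEGORY" else cats
        elif kw in KEYWORDS:  # KEYNAME, VALUENAME, EXPLAIN, VALUEON, VALUEOFF
            cur[kw.lower()] = resolve(arg)
        i += 2 if kw in KEYWORDS else 1  # every keyword takes one argument; skip unknown tokens
    return policies
```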
13) Speed up GPO processing
Separate your policies by User and Computer, putting their settings into separate GPOs and disabling the side that isn't used. Disable the Computer Settings for a GPO containing User policies, and vice versa.
Open the Properties of the GPO, then uncheck the side (User or Computer) not used

14) Group Policy diagnosis Tool
GPresult, a command-line utility that installs as part of the resource kit's Network Management Tools component, helps with this diagnosis. GPresult's reports are too long to include here, but the tool provides a wealth of diagnostic information about how Win2K has applied Group Policy to the current computer or user.
15) Delegated users who have authority to reset passwords
You can give delegated users who have authority to reset passwords permission to force users to change their password at the next logon. After you make the following changes, delegated users will be able to select "Force user to change password" in the Change Password dialog box in User Manager. Take the following steps:
1. Open Administrative Tools, Active Directory Users and Computers.
2. Click View, Advanced Features.
3. Right-click the container object that you want these changes to apply to and select Properties from the context menu.
4. On the Security tab, click Advanced.
5. On the Permissions tab, click Add.
6. Select the group or individual user to which you want to delegate control and click OK.
7. Select the Properties tab from the Permission Entry for Users dialog box.
8. Click the "Apply onto" drop-down list.
9. Select "User objects."
10. For Write Account Restrictions, click Allow.
11. Click OK through all the exit screens.
After you've made these changes, the managers or users to whom you've delegated the change password authority can force the users for which they're responsible to change their passwords when the users log on after a password reset.

16) Limit the number of domains
When possible, you should try to limit the number of domains and rely on organizational units (OUs) and sites in Active Directory (AD). However, you might need to create domains in certain situations.
- If you have limited bandwidth for replication traffic (for example, because of slow network connections between sites), you might need to add domains.
- If you have only SMTP connectivity between sites, you must add domains, because domain information can't replicate across site links that use SMTP.
- If you use different password, lockout or Kerberos policies, because those policies can be set only at the domain level.
- If you restrict administrative permissions (e.g., for legal reasons).
- If you want to implement decentralized administration.
- If you use a namespace other than the default.
- If you want to ease migration of multiple domains.
- If you want to put the schema master in a domain separate from the domain that hosts users and resources.
- If you want to maintain an existing domain structure.
- If you need an isolated or autonomous domain. Depending on your requirements, you might need a separate forest if the domain can't share items such as the schema.
If you have multiple domains, Microsoft recommends using a dedicated root domain containing only the default objects, the forest master roles (schema and domain naming), and the forest administrative groups (Enterprise Admins and Schema Admins).
17) Logon time expires
"Log off user when logon time expires (Local)" affects the computers in the OU the GPO is linked to, not the domain as a whole.
18) Allow users to install printer drivers
Allow users to install printer drivers without having to be Power Users or Administrators.
Use Group Policy: disable the "Prevent users from installing printer drivers" policy.
Or set the registry value that this policy controls:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers
AddPrinterDrivers (REG_DWORD): the policy writes 1 when it is enabled (users are prevented) and 0 when it is disabled (users may install drivers).
19) Unable to remove Active Directory from a domain controller
You may find that you're unable to remove a domain controller when certain services fail on that server, or when you're experiencing problems with network connectivity or name resolution. To force the removal:
- Start menu
- Run
- Enter dcpromo /forceremoval
- OK
After a forced removal, the server's metadata still exists in AD and must be cleaned up with Ntdsutil (metadata cleanup).

20) Seamlessly integrating UNIX, Linux, Mac, J2EE and web platforms with Microsoft Active Directory
www.centrify.com


Windows 2003 Command Line Utilities
Each entry gives Command: Purpose [Where to Get It], followed by an example.

Active Directory Management
Adfind: Search AD [www.joeware.net]
    Adfind -b dc=deuby,dc=com -f "objectcategory=computer" dNSHostName
Admod: Modify any AD object [www.joeware.net]
    Admod -b cn=joe,ou=users,dc=deuby,dc=com "description::Command line guru"
Dsadd: Add AD objects [Built-in]
    Dsadd group "ou=Admins,dc=deuby,dc=com"
Dsget: List AD object attributes [Built-in]
    Dsquery server -domain deubynet | dsget server -dnsname
Dsmod: Modify AD objects [Built-in]
    Dsquery user -name "Sean Deuby" | dsmod user -desc "Command line guru"
Dsmove: Move AD objects [Built-in]
    Dsquery user -name "Sean Deuby" | dsmove -newparent "OU=Admins,DC=deuby,DC=net"
Dsquery: List AD objects [Built-in]
    Dsquery server -domain deubynet
Dsrm: Delete AD objects [Built-in]
    Dsrm -subtree "ou=Admins,dc=deuby,dc=com"

Active Directory Replication
ADLB: Rebalance AD inter-site replication load [Resource Kit]
    Adlb /server:DcName /site:SiteName
Repadmin: View and control AD replication [www.microsoft.com/downloads]
    Repadmin /showrepl /errorsonly

Active Directory Troubleshooting
Dcdiag: Test for common DC problems [Windows 2003 CD, \Support Tools]
    Dcdiag /s:dcName
DNSLint: Test AD DNS configuration [Windows 2003 CD, \Support Tools]
    dnslint /ad 192.168.1.51 /s 192.168.1.51
Dsrevoke: Reverse Delegation of Control [http://www.microsoft.com/downloads]
    dsrevoke /report deubynet\sdeuby

Group Policy Troubleshooting
Dcgpofix: Recreate default domain group policy objects in Windows 2003 [http://www.microsoft.com/downloads]
    Dcgpofix /target:DC
Gpotool: Checks GPO consistency [Resource Kit]
    Gpotool /domain:deuby.com
Recreatedefpol: Recreate default domain group policy objects in Windows 2000 [www.microsoft.com/downloads]
    Recreatedefpol

Miscellaneous
Command Prompt Here: Launch a command prompt from any folder in Explorer [www.microsoft.com/downloads]
    N/A (Explorer shell extension, no command line)
Pslist: List processes [www.sysinternals.com]
    Pslist "\\computer"
Psexec: Run a command on a remote machine [www.sysinternals.com]
    psexec "\\computer" cmd.exe
Where: Find the location of an executable, like `which` in Unix [Built-in]
    Where dsquery



Updated October 10, 2007
Copyright© 2007 by Dana Shea
