Microsoft Server Active Directory Services

How To Manage Network Environment using Active Directory

2010-01-06T14:29:00.000-08:00

Active directory is the protocol which provides the platform to manage the network environment. Microsoft has done enough amendment to simplify the use of Active Directory in terms of management, migration and deployment.

Important feature of Active Directory include:
· Permission of X.500 close user group professional in the same company.
· Inception of secure data management
· Presence of hierarchical system allows the system administrator to have clean information of individual user accounts
· Object-targeted storage organization, allows easy access for information from anywhere in the network.

Benefits of Active Directory
· Organizations are able to perform their regular business operating while switching over from one network to other network platform.
· Users don’t have to do much amendment in the existing network.
· Existing user accounts and resource permission will be self migrated.
· Services and application running on the existing platform would also get migrated without any effort.

Deployment of Active Directory
User should follow the below suggestion to formulate Active directory over the new server platform.
· Test and verify the deployment process.
· Against the Forest Root create a DNS.
· Create the Forest Root.
· Map a new Regional Domain.
· Import your valuable data from other sources.

Revealing Windows Server 2003 Resource Tools Kit

2009-12-28T04:07:00.000-08:00

A Resource Kit is not a part of any software but it contains a set of software resources and documentation for the software products. It gives many resources like technical help, features and troubleshooting information, management and many more also.

Windows Server 2003 Resource Kit Tools can be used on many editions of Windows including Windows XP. It is a set of tools that can assist administrators in the streamline management tasks like troubleshooting operating system consequences, organizing Active Directory, assembling networking and security features. It comprises a improved command line shell and 188 tools. After its installation, command line shell gives a very smooth integration with Unix utilities that are available in it. Some of the information present in the Windows Server 2003 Resource Kit can be described as follows:

Technical Reference - It gives the comprehensive information about the technologies present in the Microsoft Windows Server 2003 operating system. It is planned to help IT planners and administrators by supplying the foundational information about the technology elements of the operating system.

Deployment Kit - The Microsoft Windows Server 2003 Deployment Kit gives guidelines and recommended processes for planning and preparing for Server 2003 technologies to fulfill your business requirements and IT goals.

The Migrating from Microsoft Windows NT Server 4.0 to Microsoft Windows Server 2003 template is planned for those IT administrators which are present in small and medium sized firms. It gives them assistance in the upgrading of the domain controller, DHCP server, print server, remote access server and Web server roles from Windows NT 4.0 to 2003.

Get Microsoft Server 2000 Support and Microsoft Windows Server 2003 Support. For more queries

Revealing Windows Server 2003 Editions

2009-12-18T03:16:00.000-08:00

As you would be familiar with Windows Server 2003, Microsoft developed operating system to be used on the servers. There are various editions of Windows Server 2003 and one of them is Web Edition, which is primarily used for creating and hosting Web applications, Web pages and XML web services. This edition is planned for using it as an IIS 6.0 Web server and it gives a platform for quickly formulating and deploying XML Web services. Terminal Server mode is not present on Web Edition and it does not need Client Access Licenses. After installation of its Service Pack 1, you can install Microsoft SQL Server and Microsoft Exchange software in this edition.

Another edition of Windows Server 2003 is the Standard Edition, which is focused for the small to medium sized businesses. This edition provides centralized desktop application deployment and secure Internet connectivity. The initial launch of WS 2003 was usable for only 32-bit processors, a 64-bit edition for holding the x86-64 architecture was launched in April 2005.

Enterprise Edition of this is focused towards medium to large businesses. This edition is available in 64-bit versions for the Itanium and x64 architectures. The 64-bit version of this Edition is adequate of dealing up to 1 TB of memory.

Datacenter Edition of Windows Server 2003 is developed for those infrastructures which require high security and reliability. Server for this edition can be used with the x86, Itanium and x86-64 processors. Windows Server Datacenter Edition is comprised of the better support for Storage Area Networks, supports 8-node clustering and many other features.

Alteration in Terminal Server's Listening Port

2009-12-17T04:08:00.000-08:00

It is a well-known fact that TCP port 3389 is used by Terminal Server and Windows 2000 Terminal Services for client connections. Alteration in this port is not recommended by Microsoft. But you can change this port. You have to perform this task carefully, otherwise you will face serious problems.

You have to give more concentration while modifying the registry. If you want to change the default port, then you have to follow these steps:

You start with the task of running Regedt32 and go to this key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
Then you have to find the port number subkey and notice the value of 00000D3D, hex is for 3389.
After this, you have to change the port number in Hex and save the new value

If you want to change the port for a particular connection on the Terminal Server then follow these steps:

You have to run Regedt32 and go to this key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection.
After this, you have to find the port number subkey and notice the value of 00000D3D, here hex is for 3389.
Then you have to change the port number in Hex and save this new value.

After performing this, you have to make alteration in the Port on the Client Side. Follow these steps to perform this:

You have to open Client Connection Manager.
Then on the File menu, click on New Connection and then create the new connection. After executing the wizard, you will view a new connection listed there.
Then you have to ensure that new connection is highlighted. After this, on the File menu, click Export.
Then you have to edit the .cns file using Notepad. You have to make modifications in the server port, Server Port=3389 to Server Port= new port number, that you had specified on Terminal Server.
Now import the file back into Client Connection Manager. Then you will be demanded to overwrite the current one.
If it has the same name, then overwrite it.

In this way, you will receive a client that has the correct port settings to match your Terminal Server settings. Hope it will help you out, Don’t Forget to subscribe to my blog for more tips and tricks on server and Microsoft Server Support Services

Define Active Directory and its Functionalities?

2009-09-24T22:21:00.000-07:00

With the ever increasing amount of data moving across large networks, it behooves the network systems administrator to oversee the proper function of these elements, not to mention implement the correct security measures. One helpful tool is the Active Directory.

Developed in 1996 by Microsoft, the Active Directory is the primary method by which Windows operating systems amasses information about domains, and also monitors them. In recent years the function has been increased to allow it to facilitate and view online data flows.

The Structure of the Active Directory

Because it was devised to make accessible all the pertinent objects in the network, the directory was structured in an easy to understand hierarchical structure. There are multiple viewing levels: forests, trees and domains/objects.

The forest is where every tree and domain can be viewed; dropping to the tree level, you will see that it contains one or more domains. Domains or objects have no deeper level.

There are three main categories:

Resources : It cover hardware devices like printers and scanners.

Servers : It is primary components of both the network and the domain.

Objects : It is also primary components of both the network and the domain.

The Active Directory is especially useful for managing objects. An object can be defined as any element that can contain another object. Every object has its own properties or schemas, which can be accessed and modified.

How the Active Directory Works

What makes Active Directory so important for a systems administrator is that it makes the updating and upgrading process a virtual one step process. For example, you need to install a new security application. If there are several computers in the network, the procedure would be tedious, but Active Directory, via its forest structure, makes this easy; you just update one object and it applies to all.

The structure is also flexible enough to allow for making changes to specific objects. Because each has its own schema, then the administrator can assign a particular task to a user and use certain software without giving access to everyone.

Active Directory Installation

2009-08-16T23:08:00.000-07:00

Active Directory Installation is not a tough and nasty task, rather than it is very easy. It will not take too much time also.You can install it without facing too much problems. Only you have to follow the given steps;

Go to Start -> Run and type in "dcpromo"

For most cases you will select "Domain Controller for a new domain"

For most cases you will select "Domain in a new forest"

Enter in the FQDN (fully qualified domain name) that you want to use. For example, if your domain was to be called Domain.Com, you would enter Domain.Com. You can also use non existant name spaces such as Domain.Local, or Domain.abc

The next two screens will be where to place file repositories and service folders. You can accept the defaults.

Some users may now get presented with a DNS screen asking you to configure DNS, or to do it later. Select the middle option (Install and configure for me). This will most likely NOT set up dns properly.

Select the permission type you would like. There are two options. If you will only be using Windows 2003 Server and Windows XP or newer, then select the Second option. otherwise, you would need to use the first option.

Pick a "Directory Services Restore" password. Hopefully you will never have to use this as its quite messy for the inexperienced. In either case, Remember this password.

At this point in the installation you are presented with a basic "Sumary" page listing the options you have selected. Make sure these are set properly before continuing. once you select "Next", active directory will begin to install, and once it does you will not be able to stop, and you will have to first uninstall in order to go back and fix any problems or misconfiguration later.

Active Directory will take a while, it could be a couple minutes, or as much as half an hour. Once it is done you will have to reboot.

If you are still unable to install the Active Directory, then we are here to help you.
Just login at : http://www.iyogibusiness.com/active-directory.html

How to add new objects to Active Directory from command line

2009-07-02T01:11:00.000-07:00

H:\>dsadd /?
Description: This tool's commands add specific types of objects to the
directory. The dsadd commands:

dsadd computer - adds a computer to the directory.
dsadd contact - adds a contact to the directory.
dsadd group - adds a group to the directory.
dsadd ou - adds an organizational unit to the directory.
dsadd user - adds a user to the directory.
dsadd quota - adds a quota specification to a directory partition.

For help on a specific command, type "dsadd /?" where
is one of the supported object types shown above.
For example, dsadd ou /?.
Remarks:
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").

Source: infotechguyz

How To Create an Active Directory Server in Windows Server 2003

2009-06-24T23:33:00.000-07:00

After you have installed Windows Server 2003 on a stand-alone server, run the Active Directory Wizard to create the new Active Directory forest or domain, and then convert the Windows Server 2003 computer into the first domain controller in the forest. To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps:

1. Insert the Windows Server 2003 CD-ROM into your computer's CD-ROM or DVD-ROM drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click Next.
4. Click Domain controller for a new domain, and then click Next.
5. Click Domain in a new forest, and then click Next.
6. Specify the full DNS name for the new domain. Note that because this procedure is for a laboratory environment and you are not integrating this environment into your existing DNS infrastructure, you can use something generic, such as mycompany.local, for this setting. Click Next.
7. Accept the default domain NetBIOS name (this is "mycompany" if you used the suggestion in step 6). Click Next.
8. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
9. Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
10. Click Install and configure the DNS server on this computer, and then click Next.
11. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.
12. Because this is a laboratory environment, leave the password for the Directory Services Restore Mode Administrator blank. Note that in a full production environment, this password is set by using a secure password format. Click Next.
13. Review and confirm the options that you selected, and then click Next.
14. The installation of Active Directory proceeds. Note that this operation may take several minutes.
15. When you are prompted, restart the computer. After the computer restarts, confirm that the Domain Name System (DNS) service location records for the new domain controller have been created. To confirm that the DNS service location records have been created, follow these steps:

1. Click Start, point to Administrative Tools, and then click DNS to start the DNS Administrator Console.
2. Expand the server name, expand Forward Lookup Zones, and then expand the domain.
3. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These folders and the service location records they contain are critical to Active Directory and Windows Server 2003 operations.

Source

How do I undelete an object from the Active Directory Recycle Bin?

2009-06-17T22:43:00.000-07:00

Source: Windowsitpro

Once you've enabled the recycle bin, you can undelete objects that were deleted after the recycle bin was enabled within the deleted object lifetime. You view the objects that are in the deleted and recycled states using the steps outlined in the previous FAQ.

To restore an object in the deleted state (isDeleted TRUE), simply pass the deleted object to the Restore-ADObject cmdlet. The easiest way to pass the object is to use the Get-ADObject cmdlet and pass the -IncludeDeletedObjects switch.

For example, if I know the displayName of an object is Dick Grayson, I would use the command below. PS C:\Users\savadmin> Get-ADObject -Filter {displayName -eq "Dick Grayson"} -IncludeDeletedObjects | Restore-ADObject

As you can see below, I actually use the Get-ADObject first just to view the object. I can see its Deleted attribute is True. I then pass the object to Restore-ADObject to undelete it. After that I viewed the object, and the Deleted attribute was blank, showing that it has been restored. In this example,e the object name was AFRBEnabled (After Recycle Bin Enabled).

Active Directory Vulnerabilities In Microsoft Windows

2009-06-10T21:34:00.000-07:00

These vulnerabilities need to be taken seriously, due to the factor that if they are exploited, a DoS attack may take place.

The two vulnerabilities located in Microsoft Windows are:

A Memory leak error which exists in the Active Directory LDAP service. It could be exploited in order to hang an affected system. This may occur via specially tampered with LDAP or LDAPS requests, which need to consist of exact OID filters.
An error that exists within the Active Directory LDAP service. If this is exploited, the chances are that it may trigger the invalid memory and attackers could then execute arbitrary code. This execution of arbitrary code takes place via specially tampered with LDAP or LDAPS requests.

A malicious character with the correct computer skills will be able to take complete and utter control of an infiltrated system. He will also be able to view, change, modify, create or delete whatever he wishes.

These vulnerabilities were reported in implementations of Active Directory on the Microsoft Windows 2000 Server, Windows Server 2003 as well as the Active Directory Application Mode (ADAM), when it is installed on Windows XP Professional as well as Windows Server 2003.

The affected operating systems

Microsoft Windows XP Professional

Microsoft Windows Storage Server 2003

Microsoft Windows Server 2003 Web Edition

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows Server 2003 Enterprise Edition

Microsoft Windows Server 2003 Datacenter Edition

Microsoft Windows 2000 Server

Microsoft Windows 2000 Datacenter Server

Microsoft Windows 2000 Advanced Server

The impact of these vulnerabilities may include unauthorized system access as well as DoS attacks. All Windows users will be pleased to know that these vulnerabilities only affect Microsoft Windows 2000 Server systems. This vulnerability has been rated as moderately critical. The solution to this problem is for all users to apply the relevant updates immediately with the use of update management software or the Microsoft Update service.

Source: http://www.pc1news.com/news/0717/active-directory-vulnerabilities-in-microsoft-windows.html#msg

How to Manage Object Properties In Active Directory

2009-06-04T21:49:00.000-07:00

Instructions:

Step 1 :Open the Active Directory Users And Computers tool.
Step 2: Expand the name of the domain, and select the RD container. Right-click the John Q for example, an admin user account, and select Properties.
Step 3: Here, you will see the various Properties tabs for the User account. Make some configuration changes based on the personal preferences. Clock OK to continue.
Step 4: Select the HR Organizational Unit for example. Right-click the All Users group, and click Properties. In the All Users Properties dialog box, you will be able to modify the membership of the group.
Click the Members tab, and then click Add. Add Monica D. President as an example and John Q. Admin User Accounts to the Group. Click OK to save the settings and then OK to accept the group modifications.
Step 5: Select the Sales Organizational Unit,. Right-click the Workstation1 Computer object. Notice that you can choose to disable the account or reset it( to allow another computer to join the domain under the same name). From the right-click menu, choose Properties. You'll see the properties for the Computer object.
Examine the various options and make changes based on your properties on your personal preference. After you have examined the available options, click the OK button.
Step 6: Select the Corporate Organizational Unit. Right-click the Monica D. President User account, and choose Reset Password. You will be prompted to eneter a new password and then asked to confirm it. Note that you can also force the user to change this password upon the next logon.
Step 7: Close the Active Directory Users And Computers tool and this lesson is complete.

Source: Ehow

Techplus takes on Active directory tools from Specops

2009-05-29T02:47:00.000-07:00

Techplus, has brought on management products from Toronto-based vendor, Specops, in a bid to expand its software portfolio.

The distributor will have access to the full software range and has just announced the availability of Specops Virtual Deploy, a Group Policy extension tool that allows administrators to manage Microsoft App-V virtual applications.

Specops provides a range of products allowing organisations to manage and interact with all Microsoft-based server environments through Active Directory or Group Policy platform. Techplus managing director, Paul Kern, said it was Specop’s first local channel partner.

“They have sold products in Australia to some of the larger government departments and multinationals for many years,” he said. “Customers could go online and buy it. But they’ve never been through the channel, or proactively sold products here before.”

Kern said the products were suitable for any organisation – small or large – running Microsoft servers, and claimed they were straightforward to use.

“The core differentiation against other vendors who provide these kinds of products is that users can manage everything through Active Directory – it’s just not an application on top, but a fully integrated solution,” he said.

Specop’s software tools are available for a one-off licence fee. Users can then choose to subscribe to an annual maintenance and support package.

Source: arnnet.com.au

How can I delegate the right to unlock locked Active Directory (AD) user accounts?

2009-05-25T00:27:00.000-07:00

To delegate the right to unlock locked user accounts to a user or group in AD, you must modify the permissions to read and write the lockoutTime Active Directory user object attribute.

To let administrators change these two permissions in AD, you must first make sure that the read and write permissions are visible in the advanced ACL editor that you can access from the Active Directory Users and Computers (ADUC) MMC snap-in. In Windows 2000, both permissions are hidden from ADUC by default. In Windows Server 2003 and Windows Server 2008, they show up in the ADUC’s advanced ACL editor, shown here.

The attribute permissions that are displayed in ADUC’s ACL editor can be controlled using the dssec.dat configuration file, which is stored in the %windir%\System32 directory. In dssec.dat, each object attribute can be assigned one of the following values:

* 7 : do not include the property in the ACL editor
* 2 : include only the “Read” property in the ACL editor
* 1 : include only the “Write” property in the ACL editor
* 0 : include both the “Read” and “Write” property in the ACL editor

If an attribute isn't listed in the dssec.dat file, it will show up in the ACL editor. In Windows Server 2003 and Windows 2008, lockoutTime is by default not included in the dssec.dat file, so it shows up in the ACL editor.

Dssec.dat uses an ini file data format to list the properties of each object class that should be filtered out of the list in the Properties section of the ACL Editor. The file is structured as follows:

[objectclass-name1]
@=value
attribute-name1=value
attribute-name2=value
.
.
attribute-nameX=value

[objectclass-name2]
@=value
attribute-name1=value
attribute-name2=value
.
.
attribute-nameX=value

where objectclass-nameX refers to the AD schema object class for which the visibility in the ACL editor should be controlled and attribute-nameX to the attribute. The "@" placeholder controls the visibility of the object itself.

To modify the filter for the lockoutTime attribute in Windows 2000, open dssec.dat in Notepad. You can find the lockoutTime attribute under the [user] heading. You must reset the value for the lockoutTime attribute from 7 to 0 then save the changes to the dssec.dat file.

Note that you only need to edit the dssec.dat file on the Windows 2000 computer where you set up the actual delegation. Also, keep in mind that the dssec.dat file is read only when an administrator opens ADUC. This means that changes you make to dssec.dat won’t take effect until you close and reopen ADUC.

To delegate the right to unlock user accounts on the OU or domain level in ADUC, you can modify the permissions for the lockoutTime attribute directly in the ACL editor or use the AD delegation wizard. In the latter case, you must perform the following steps.

1. Right-click the OU or domain in ADUC and select Delegate Control... from the context menu.
2. Click Next in the Welcome dialog.
3. Click Add... to select the user or group to which you want to delegate control and click OK.
4. Click Next.
5. Select Create a custom task to delegate and click Next.
6. Select Only the following objects in the folder then, in the list, check User objects and click Next.
7. Clear the General checkbox and check the Property-specific box.
8. Check both the Read lockoutTime and Write lockoutTime boxes and clicks Next.
9. Click Finish.

Source: http://windowsitpro.com/article/articleid/102025/q--how-can-i-delegate-the-right-to-unlock-locked-active-directory-ad-user-accounts.html

Win Server 2008: Owner Rights in Active Directory Domain Services

2009-05-17T23:36:00.000-07:00

Windows Server 2008 introduces new capabilities for Active Directory Domain Services object ownership. These new capabilities do not change the default permissions that the owner of an object is granted; however, they do provide the ability to modify the permissions granted to the owner of an object. The ability to restrict the permissions for the owner on an object is a welcome security enhancement in Windows Server 2008.

Each Active Directory Services object has a security descriptor, which facilitate the ability to secure the object by using permissions. A security descriptor contains all information related to access control for a given object, including:

* The owner of the object
* The primary group of the object (rarely used)
* The discretionary access control list (DACL)
* The system access control list (SACL)
* Control information

By default, the owner of the object is given the WRITE_DAC permission and READ_CONTROL permission. These permissions provide the owner with the ability to change permissions on an object and to read the permissions assigned to an object, respectively.

Issues with Pre-Windows Server 2008 Behavior of Object Ownership

There are a number of issues with the pre-Windows Server 2008 behavior of object ownership. It is important to cover these issues to provide a better understanding of the benefits.

One of the biggest security risks with the pre-Windows Server 2008 behavior of object ownership is that it provides the ability to escalate privileges. Consider the scenario in which you've granted your help desk permission to create user accounts but not the permission to delete user accounts. When a member of the help desk subsequently creates a user account, he becomes the owner of that user account object in the directory. With the pre-Windows Server 2008 behavior of object ownership, they automatically receive the ability to change permissions on the user. If they want to delete the user object, or grant anyone the ability to do so, they can grant the ability to do by modifying the permissions on the user account object.

With the pre-Windows Server 2008 behavior of object ownership, you are limited to taking ownership of an object. As a safeguard, members of the Administrators group can always take ownership of an object, even if the current owner has denied Administrators the permissions to modify the object. However, taking ownership of an object is essentially a reactive step. The pre-Windows Server 2008 behavior of object ownership did not have any means to be proactive.

By default, Windows Server 2008 designates the creator of an object as the owner, which is the same as the pre-Windows Server 2008 behavior. Furthermore, Windows Server 2008 still grants the owner the ability to change permissions of an object and read permissions, which is also consistent with the pre-Windows Server 2008 behavior. However, Windows Server 2008 introduces a new well-known security principal called, Owner Rights, which can be used to restrict the permissions that the owner of an object is granted. In Windows Server 2008, you can add the Owner Rights well-known security principal to the Discretionary Access Control List (DALC) of an object, and control the permissions that assigned to the owner of that object. When you add the Owner Rights well-known security principal to the DALC of an object, you can specify the permissions assigned to the owners of objects. This new capability overrides the default pre-Windows Server 2008 behavior of object ownership.

Source: enterpriseitplanet.com

Windows Server 2008: Install Active Directory Domain Services

2009-05-12T02:27:00.000-07:00

Active Directory provides the structure to centralize the network and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users.

In this scenario we are going to install Active Directory fresh with a brand new Domain Controller after a fresh install of Windows Server 2008.

Requirements for Active Directory Domain Services

Let’s go through some of the requirements for a fresh install of active directory services. Some of these will be required to be done before hand; others as noted can be done during the install:

* Install Windows Server 2008

* Configure TCP/IP and DNS networking configurations

* The disk drives that store SYSVOL must be on a local drive configured NTFS

* Active Directory requires DNS to be installed in the network. If it is not already installed you can specify DNS server to be installed during the Active Directory Domain Services installation.

Once you verify that these requirements have been met we can get started.

Install Active Directory Domain Services via Server Manager

For the first example let’s start by installing Active Directory through Server Manager. This is the most straight forward way, as a wizard will guide you through the steps necessary.

1. Start Server Manager.

2. Select Roles in the left pane, then click on Add Roles in the center console.

3. Depending on whether you checked off to skip the Before You Begin page while installing another service, you will now see warning pages telling you to make sure you have strong security, static IP, and latest patches before adding roles to your server.

If you get this page, then just click Next.

4. In the Select Server Roles window we are going to place a check next to Active Directory Domain Services and click Next.

5. The information page on Active Directory Domain Services will give the following warnings, which after reading, you should click Next:

* Install a minimum of two Domain Controllers to provide redundancy against server outage (which would prevent users from logging in with only one)

* AD DS requires DNS which if not installed you will be prompted for

* After installing AD DS you must run dcpromo.exe to upgrade to a fully functional domain controller

* Installing AD DS will also install DFS Namespaces, DFS Replication, and Filer Replication services which are required by Directory Service

6. The Confirm Installation Selections screen will show you some information messages and warn that the server may need to be restarted after installation.

Review the information and then click Next.

7. The Installation Results screen will hopefully show Installation Succeeded, and an additional warning about running dcpromo.exe (I think they really want us to run dcpromo).

After you review the, click Close.

8. After the Installation Wizard closes you will see that server manager is showing that Active Directory Domain Services is still not running. This is because we have not run dcpromo yet.

9. Click on the Start button, type dcpromo.exe in the search box and either hit Enter or click on the search result.

10. The Active Directory Domain Services Installation Wizard will now start.

There are links to more information if you want to learn a bit more you can follow them or you can go ahead and click Use advanced mode installation and then click Next.

For more detail: Source

Restartable Active Directory Domain Services Explained

2009-05-06T03:20:00.000-07:00

Windows Server 2008 includes a service that allows you to start, stop, and restart Active Directory Domain Services on a domain controller. This new functionality facilitates more streamlined operations when it comes to performing offline tasks on a domain controller. This article takes a closer look at the new restartable Active Directory Domain Services in Windows Server 2008.

Overview of the Active Directory Domain Services Service

Every domain controller that has Windows Server 2008 installed includes a service called Active Directory Domain Services, which can be manipulated like any other service. This new service and functionality is enabled by default on all domain controllers that have Windows Server 2008 installed; there are no domain or forest functional-level requirements for this functionality.

With the Active Directory Domain Services running as a service on a domain controller, you can use familiar tools to manipulate the status of the service. For example, you can use the Services console or sc.exe to stop, start or restart the Active Directory Domain Services service.

The Active Directory Domain Services service has a number of other services that depend on it. As a result, when you change the status of the Active Directory Domain Services service, the dependent services will also be affected. These dependent services include the following:

DFS Replication
DNS Server
Intersite Messaging
Kerberos Key Distribution Center

It is common to have domain controllers run other services that do not depend on Active Directory Domain Services. The fact that Active Directory Domain Services runs as a true service, which can be manipulated independently from nondependent services, facilitates the ability for the nondependent services to continue to function when the Active Directory Domain Services service is stopped.

The Active Directory Domain Services service can be in one of two statuses: Started or Stopped. The tasks that can be performed on a domain controller differ based on the status of the service. Furthermore, the directory service functionality is also different depending on the status of the Active Directory Domain Services service.

Active Directory Domain Services Service -- Started

When the Active Directory Domain Services service is started, the domain controller functions just like any other domain controller. In this state, Active Directory Domain Services, and other dependent and nondependent services running on the domain controller, operate just as they do on a Windows Server 2003 or Windows 2000 Server domain controller. The domain controller will process authentication and authorization requests, for example, because the domain controller is online.

Active Directory Domain Services -- Stopped

When the Active Directory service is stopped, the domain controller is said to be offline and functions similar to a domain controller running in Directory Services Restore Mode. When the Active Directory Domain Services service is stopped, the Active Directory Domain Services database (NTDS.dit) is offline. As a result, changes cannot be made to the Active Directory Domain Services database, directly or by virtue of replication.

The fact that the Active Directory Domain Services database is offline when the Active Directory Domain Services service is stopped provides the ability to perform offline maintenance tasks without restarting the domain controller into Directory Services Restore Mode. These tasks include performing an offline Active Directory Domain Services database defragmentation, marking an object or objects as authoritative, and forcefully removing Active Directory Domain Services from the domain controller.

Because the Active Directory Domain Services database is offline when the Active Directory Domain Services service is stopped, the domain controller will not process authentication requests. In this case, authentication requests, and all other Active Directory Domain Services client and service requests, will be referred to an online domain controller. If no other domain controllers can be contacted to process the authentication request, you must logon to the domain controller using the Directory Services Restore Mode account.

Directory Services Restore Mode Account and the Active Directory Domain Services Service

By default, the Directory Services Restore Mode account can be used only when logging onto a domain controller in Directory Services Restore Mode. However, Windows Server 2008 provides the ability to enable the use of the Directory Services Restore Mode account when logging onto a domain controller when the Active Directory Domain Services service is stopped. This functionality is enabled by modifying HKLMSystemCurrentControlSetControlLsaDSRMAdminLogonBehavior registry key. The table that follows lists the three options for the DSRMAdminLogonBehavior registry key:

Value	Description
0 (Default)	The DSRM account cannot be used for logon.
1	The DSRM Administrator account can be used to log on only when the AD DS service is stopped
2	The DSRM Administrator account can be used to log on at any time.

Source: enterpriseitplanet.com/networking/features/article.php/3814246

Google Apps gains LDAP support

2009-05-01T00:37:00.000-07:00

Google Apps has gained a directory tool designed to simplify and accelerate the setup of this hosted collaboration and communication suite.

With the new Directory Sync, Apps can tap into existing LDAP-based user directories, such as the ones in IBM's Lotus Domino and Microsoft Active Directory, so that administrators don't have to set up a separate directory in the Google suite.

Google Apps has mostly been adopted in small and medium-size companies, and groups within large organizations, although the suite has nabbed large deployments in universities and government settings.

The new tool, which comes from technology Google acquired when it bought Postini, runs behind customers' firewalls and offers a one-way delivery of directory information to Google Apps.

"The utility offers many of the customization settings, tests and simulations originally developed and refined for the Postini directory sync tool," wrote Navneet Goel, Google enterprise product manager, in a blog posting Thursday.

The LDAP (Lightweight Directory Access Protocol) component is available at no additional cost for administrators of the Premier, Education and Partner versions of Apps.

For detail info: http://www.reuters.com/article/idgSmallBusiness/idUS210295645120090501

How to Fix Active Directory DNS problems?

2009-04-14T00:10:00.000-07:00

Lots of times when creating a brand new domain or promoting a computer that does not have DNS installed or correctly configured, Active directory does not properly configure the DNS name space for your new domain.

This can be checked by going into the DNS MMC console and expanding the Forward lookup zone. it should have several sub "folders" such as DC, GC, etc.

Errors like:

server GUID DNS name could not be resolved to an IP address. Check items such as the DNS server, DHCP and server name. Although the GUID DNS name (._msdcs.domain-name.local) couldn't be resolved, the server name () resolved to the IP address () and was pingable. Check that the IP address is registered correctly with the DNS server.

This type of error will cause you to not be able to add computers to your domain, or even add new domain controllers.

Step1: Log into the Domain controller either in console or via RDP

Step2: Download DcDiag.exe from microsoft if you do not have the Windows 2000 support tools installed. You can find it at http://www.microsoft.com/downloads/details.aspx?familyid=23870A87-8422-408C-9375-2D9AAF939FA3&displaylang=en

You can download it and extract it to anywhere you like.

Step3: Open a command window (Start menu -> Run -> Type "cmd" with out quotes and hit enter/click ok), now change directory to where the executable is located.

Step4: Type "ipconfig /flushdns", then "ipconfig /registerdns" (with out the quotes) to flush out the DNS resolver cache and register the DNS source records, respectively.

Some people like to clear the ARP cache as well, you can do this by typing "arp -d *" at the command prompt with out quotes. This part is optional.

Step5: At the prompt type in dcdiag /fix

Read through the output. You will most likely have the following text somewhere in your output:

Server GUID DNS name could not be resovled to an ipaddress.
Althought GUID could not be resolved, the server name resolved to the ip address x.x.x.x and was pingable

Step6: Still at the command prompt, type "dcdiag /fix", then "net stop netlogon" and "net start netlogon" (again with out the quotes) to finalize the changes.

Run dcdiag one more time to make sure the domain controller's DNS is working. You should no longer get the error mentioned in step 5. Some other NIC related errors may show up, but you can dismiss those for the most part it wont affect your installation (you couldnt get this far if there were serious NIC problems)

Step7: You should now be able to add member computers to your new domain and add domain controllers.

Source:eHow

OUrganizeIT - Active Directory Object Management tool

2009-04-08T03:09:00.000-07:00

OUrganizeIT by Synergix, Inc., is an Active Directory Object Management tool. It helps organize and secure computer objects and user objects in Microsoft Windows Active Directory environment, facilitating organizations meet their SOX, SEC and HIPAA compliance requirements.

Users with elevated privileges may remove their computers from the domain, for non-business, experimental purposes or for business reasons, such as product demonstration purposes at client sites or tradeshows or conferences. OUrganizeITTM helps maintain domain membership.

If the computer object in the Active Directory domain becomes defunct or the user removes the computer object from the domain and puts it in a workgroup or another domain ( at home, internet cafe, etc.), the computer rejoins the domain next time it is put back on the corporate network. All this is achieved without granting the user elevated privileges on his / her workstation or in Active Directory environment.

Version 8 includes VPN User Password Change option.

Source: zdnetasia.com

Windows Server 2008 Active Directory Database Mounting Tool

2009-04-03T05:16:00.000-07:00

Windows Server 2008 aims to improve recovery processes for Active Directory Domain Service (AD DS) and Active Directory Lightweight Directory Services (AD LDS). In Windows Server 2008, you can now take point-in-time snapshots of the data that is stored in AD DS or AD LDS. Furthermore, Windows Server 2008 includes a new Active Directory database mounting tool, which allows you to mount the snapshot. This new functionality provides administrators with the ability to view AD DS and AD LDS data, as it existed at different times, thus effectively arming you with better means to deal with the recovery of AD DS and AD LDS data.
Snapshots

The Windows Server 2008 version of the Ntdsutil.exe command-line tool includes a new operation, called snapshot, which provides the ability to create snapshots of AD DS and AD LDS data. The Ntdsutil.exe snapshot operation can be used to create point-in-time snapshots of AD DS and AD LDS data. You can also schedule a recurring task (e.g., using Task Scheduler) that uses Ntdsutil.exe to create snapshots.

You are not restricted to the use of snapshots that were created by using the Ntdsutil.exe snapshot operation. You can use any backup of an AD DS or AD LDS database that uses the Volume Shadow Copy Service (VSS), including Windows Server Backup as well as third-party backup solutions.

Database Mounting

The Ntdsutil.exe snapshot operation also provides the ability to list, mount, and unmount snapshots of AD DS and AD LDS data. If you incorporate this new functionality into your disaster recovery plan for AD DS or AD LDS, you will likely have multiple snapshots of AD DS or AD LDS data. The Ntdsutil.exe snapshot operation provides the ability to list all snapshots so you can determine which snapshot you need to work with. Once you have identified the appropriate snapshot, you must mount the snapshot before you can continue. Mounting and unmounting snapshots is also performed using the Ntdsutil.exe snapshot operation.

Exposing a Snapshot as an LDAP Server

After you have created one or more a snapshots, and you know which snapshot you plan to work with, you must expose that snapshot as an LDAP server before you can view the data stored in the snapshot. Windows Server 2008 includes a command-line tool, called Dsamain.exe, which provides the ability to expose snapshots as an LDAP server. Dsamain.exe can be used to expose AD DS and AD LDS snapshots as an LDAP server. When running the Dsamain.exe command-line tool, you must specify the path to the AD DS or AD LDS database (ntds.dit) file. You can optionally specify where to store the log files and temporary database by using the log path parameter. In most cases, you will view multiple snapshots at the same time. As a result, you must specify which port to use for LDAP communication when exposing the snapshot using Dsamain.exe.

In addition to LDAP communication, LDAP over SSL, global catalog, and global catalog over SSL communication can be used to query a snapshot exposed as an LDAP server. By default, Dsamain.exe will increment the port number by 1 for each of these additional protocols. For example, if you specify port 5000 for LDAP, Dsamain.exe will use 5001 for LDAP over SSL, 5002 for global catalog, and 5003 for global catalog over SSL. You can, however, specify the port numbers to be used for the additional protocols.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3812086

Active Directory Recycle Bin can save a Windows Server

2009-03-25T00:11:00.000-07:00

The Recycle Bin feature allows objects to be restored via the Active Directory PowerShell environment. For the beta release, this functionality is turned off by default, so the first step is to enable the feature. Figure A shows this step.

Once this is complete, you can view the contents of the Active Directory Recycle Bin. This special location exists as a container that holds the objects as they are deleted.

In my first looks at Windows Server 2008 R2 beta, I set up a test domain running at that function level. The domain, dev.tld, had nothing in the Recycle Bin after it was created. I deleted two objects: one user and one group. Figure B shows the query of what is in the Recycle Bin before the two objects were deleted, then another query after they were deleted.

Notice that some fields were cut off in the display, notably the full GUID (which is needed for the restore). To display the entire GUID and object name, you would run this query:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=dev,DC=tld" -ldapFilter "(objectClass=*)" -includeDeletedObjects | FT ObjectGUID,Name -A

Then, the full GUID is displayed, so a copy and paste operation will allow an easy restore. From the list above, to restore the single user named test, the following command will perform the restore:

Restore-ADObject -Identity 6ff46162-15c2-4d42-8e15-2fcac5c8422e

The object is instantly returned to full existence in Active Directory.

Source: http://blogs.techrepublic.com.com/datacenter/?p=675

Recovering Bitlocker Keys from Active Directory

2009-03-08T23:48:00.000-07:00

BitLocker is a great tool for ensuring that the data on your organization’s computers is protected when laptop computers are misplaced or hard disk drives are stolen. Volumes encrypted using bitlocker can be recovered using the bitlocker recovery tool if you have the appropriate recovery key. As each BitLocker key is individual , the big problem with BitLocker recovery has been keeping track of every computer’s BitLocker keys.

The easiest way to keep track of all keys is to archive them to Active Directory. It saves a lot of effort with setting up an Excel spreadsheet! The Computer Configuration\Administrative Templates\Windows components\BitLocker Drive Encryption node of a Windows Server 2008 GPO contains a policy named Turn on BitLocker Backup To Active Directory Domain Services.

You can configure this policy so that BitLocker cannot be first enabled unless the computer is connected to the domain and the backup of the BitLocker keys to AD succeeds (BitLocker remains on after that). To ensure BitLocker keys are backed up, enable the policy and select the Require BitLocker Backup to AD DS option before deploying BitLocker. You can choose to back up recovery passwords and key packages or just recovery passwords. You should back up both items as this will give you more flexibility when attempting to recover encrypted volumes that might be damaged.

Retrieving a BitLocker key from Active Directory involves using the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. This tool allows you to locate and view BitLocker recovery passwords, assuming that you have Domain Administrator privileges in the domain in which the password is stored and the passwords are archived in AD. You can obtain this tool from Microsoft’s website here: http://support.microsoft.com/kb/928202.

You should note that the tool is not included with Windows Server 2008 or Windows Vista by default. So although you can archive BitLocker keys to AD, there isn’t any way to retrieve them unless you download this extra tool. Before you run the tool on a DC for the first time, but after you have installed it, it is necessary to run the command regsvr32.exe bdeaducext.dll. The tool itself modifies Active Directory Users and Computers so that when you view a computer account’s properties, there will be a BitLocker Recovery Tab that lists BitLocker recovery passwords associated with the computer account. You can remove the tool using Add or Remove Programs in the Control Panel. Once you’ve recovered the appropriate passwords, you can get on with recovering encrypted data!

Source: http://windowsitpro.com/article/articleid/101582/recovering-bitlocker-keys-from-active-directory.html

Windows Server 2008: Discover the New Active Directory Domain Services

2009-02-22T23:38:00.000-08:00

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft's commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

Auditing

Windows Server 2008 introduces significant changes to Active Directory Domain Services auditing. Active Directory Domain Services auditing in Windows Server 2008 is more granular than previous versions and provides you with more control over what is audited.

Active Directory Domain Services auditing is now divided into the following four subcategories:

* Directory Service Access
* Directory Service Changes
* Directory Service Replication
* Detailed Directory Service Replication

You can disable or enable Active Directory Services auditing at the subcategory level. For each subcategory, you can also configure whether to log successful events, failed events, both successful and failed events, or no auditing.

In Windows Server 2008, the new Directory Service Changes subcategory allows you to log the old value and new value of a changed attribute, in addition to the attribute name.

Windows Server 2008 also provides the ability to exclude the logging of changes to specific attributes by modifying the attribute properties.

The Active Directory Domain Services auditing subcategories are viewed and configured by using the Auditpol.exe command-line tool.
Fine-Grained Password Policies

Windows Server 2008 introduces the ability to create multiple password policies in a single domain, which is another first for Active Directory Domain Services. The introduction of fine-grained password policies in Windows Server 2008 allows organizations to create and manage multiple password policies and account lockout policies to meet diverse security requirements.

You can configure the same password policy and account lockout settings in a fine-grained password policy as you can at the domain level. Fine-grained password policies can be linked to users and to global groups. Because users can inherit multiple password fine-grained password policies, a precedence setting has been included to allow you more granular control.

Fine-grained password policies are configured by using the ADSI Edit snap-in.
Read-Only Domain Controllers

Another first for Active Directory Domain Services is the introduction of a new type of domain controller in Windows Server 2008, the read-only domain controller (RODC). RODCs are intended to assist you in situations in which domain controllers must be deployed in locations where physical security cannot be guaranteed, such as branch offices.

Microsoft has implemented a number of mitigating measures to ensure a compromised RODC does not impact the rest of your Active Directory Domain Services environment. These measures include the following:

* Read-only database
* Unidirectional replication
* Credential caching
* Administrator role separation
* Read-only Domain Name System (DNS)

Restartable Active Directory Domain Services

Windows Server 2008 now includes a true service, which allows you to stop, start, and restart Active Directory Domain Services without having to restart the operating system.

In Windows 2000 Server and Windows Server 2003, the operating system on a domain controller had to be restarted in Directory Services Restore Mode for most maintenance and recovery. However, Windows Server 2008 now provides the ability to start, stop, and restart the Domain Controller service.

The domain controller service can be manipulated by using the Services snap-in or the Computer Management snap-in.

Database Mounting Tool

Windows Server 2008 includes a new ability to take snapshots of an Active Directory Domain Services database and mount these snapshots into a new database mounting tool.

The database mounting tool allows you to view an Active Directory Domain Services object's previous state. You can then use this to compare the object's previous state to the object in production. This is particularly useful if you know that an object's attributes were changed, but do not know what the previous value of the attributes were.

User Interface Improvements

A number of user interface improvements have been made in Windows Server 2008. The following is a list of some of the most noteworthy interface changes in Windows Server 2008:

* New installation options for domain controllers.
* A more streamlined and simplified installation process.
* Improvements to the Active Directory Users and Computers console.
* A built-in Attribute Editor, which is accessible on the properties page of each object in the Active Directory Domain Services management tools.

Owner Rights

Windows Server 2008 now provides the ability to limit the default permissions that the owner of an object is given. In previous versions of Windows, the owner of an object was given the ability to read and change permissions on the object, which was more than they required in most cases. This new functionality in Windows Server 2008 also applies to Active Directory Domain Services objects.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3796561

Active Directory Domain Services Fine-Grained Password and Account Lockout Policies

2009-02-16T01:47:00.000-08:00

Since the release of Windows NT 3.1, Microsoft's first Network Operating System, password policies were limited to the domain level. This held true for Windows 2000 Server and Windows Server 2003 versions of Active Directory. However, Microsoft has introduced the ability to define multiple password and account lockout policies in Windows Server 2008.

This article takes a deeper look at the new Active Directory Domain Services fine-grained password and account lockout policies in Windows Server 2008.

Password Settings Container and Password Settings Objects

Active Directory Domain Services in Windows Server 2008 includes two new object classes for fine-grained password and account lockout policies: Password Settings Container and Password Settings objects. Fine-grained password and account lockout policies require a domain functional level of Windows Server 2008, so these two objects will not be used for domains with a lower domain functional level.

The Password Settings Container (PSC) is created in the System container in each domain that has a domain functional level of Windows Server 2008. Password Settings Containers are used to store Password Settings objects for the domain. Once created by the system, the Password Settings Container cannot be moved, deleted, or renamed. You can view the Password Settings Container by enabling the Advanced View in the Active Directory Users and Computers Container, ADSI Edit, and LDP.exe.

Password Settings objects (PSOs) are the objects that you create to define fine-grained password and account lockout policies. Password Settings objects are stored in the Password Settings Container for the domain. Multiple Password Settings objects can be stored. Password Settings objects can be created by using ADSI Edit and LDIFDE.

Password Settings Object Attributes

Password Settings objects include the nine attributes for the same Password Policy and Account Lockout settings as the Default Domain Policy. These nine attributes are mandatory and must be defined on every Password Settings object. These attributes are shown in the table below.

LDAP Display Name	Description
msDS-PasswordHistoryLength	Enforce password history
msDS-MaximumPasswordAge	Maximum password age
msDS-MinimumPasswordAge	Maximum password age
msDS-MinimumPasswordLength	Minimum password length
msDS-Password-ComplexityEnabled	Passwords must meet complexity requirements
msDS-PasswordReversibleEncryptionEnabled	Store passwords using reversible encryption
msDS-LockoutDuration	Account lockout duration
msDS-LockoutThreshold	Account lockout threshold
msDS-LockoutObservationWindow	Reset account lockout after

Microsoft did not include the ability to create fine-grained password and account lockout policies in the Active Directory Users and Computers console in Windows Server 2008. As a result, the graphical interface to create Password Settings objects is the ADSI Edit console. The ADSI Edit console allows you to create Password Settings objects, and enter values for the attributes that are contained in Password Settings objects, in raw format. To set a Maximum Password Age of 42 days on a Password Settings object, you would enter a value of 42:00:00:00.

Controlling the Scope of Password and Account Lockout Policies

In addition to the above nine attributes, Password Settings objects also include two new attributes which are used to control the scope. These two attributes are shown in the table below:

LDAP Display Name	Description
msDS-PSOAppliesTo	PSO link
msDS-PasswordSettingsPrecedence	Precedence

The msDS-PSOAppliesTo attribute is used to link Password Settings objects to users and/or global groups. The msDS-PSOAppliesTo attribute is a multivalued attribute, which allows Password Settings objects to be linked to multiple users and/or global groups. The msDS-PSOAppliesTo includes a forward link to user or group objects. The msDS-PasswordSettingsPrecedence attribute is a mandatory attribute which is used to resolve conflicts when more than one Password Settings object is applied to a user or group.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3800436

Integrating Mac OS X with Active Directory

2009-02-09T23:10:00.000-08:00

Active Directory within Mac OS X enables Mac clients and servers to integrate smoothly into existing AD environments, and provides the option of deploying a single directory services infrastructure that can support both Windows and Mac clients.

A key component of any modern computing environment, directory services allow organizations to centralize information about users, groups, and computing resources. A network-based repository consolidates resources, simplifies system management, and reduces support and administration costs. At the same time, it benefits users by enabling them to access enterprise resources from anywhere on the network. Thus, a directory services infrastructure offers advantages for both administrators and end users.

Of course, the full benefits of active directory services can only be realized when all of your desktop, laptop, and server systems are integrated into the same directory services infrastructure. This goal has been difficult to achieve in the past due to the proliferation of proprietary directory services solutions.

With the introduction of the Active Directory (AD) plug-in in Mac OS X v10.3 (Tiger), Apple made a concerted effort to enable IT administrators to integrate Mac OS X clients and servers easily into existing Active Directory infrastructures. While every Active Directory installation is different (especially in the enterprise space), Mac OS X integrates well with the vast majority of them, and with minimum effort.

Whatever combination of Mac, Windows, and Linux systems your organization uses, you no longer need to maintain a separate directory or separate user records to support your OS X systems. Users can move effortlessly between different computers while still adhering to enterprise policies for strong authentication and password-protected access to network resources.

Apple's support for Active Directory within Mac OS X enables Mac clients and servers to integrate smoothly into existing AD environments, and provides the option of deploying a single directory services infrastructure that can support both Windows and Mac clients.

Source: http://www.ciol.com/Developer/Operating-System/Tech-Papers/Integrating-Mac-OS-X-with-Active-Directory/4209115565/0/