Microsoft Server Active Directory Services

How To Manage Network Environment using Active Directory

2010-01-06T14:29:00.000-08:00

Active directory is the protocol which provides the platform to manage the network environment. Microsoft has done enough amendment to simplify the use of Active Directory in terms of management, migration and deployment.

Important feature of Active Directory include:
· Permission of X.500 close user group professional in the same company.
· Inception of secure data management
· Presence of hierarchical system allows the system administrator to have clean information of individual user accounts
· Object-targeted storage organization, allows easy access for information from anywhere in the network.

Benefits of Active Directory
· Organizations are able to perform their regular business operating while switching over from one network to other network platform.
· Users don’t have to do much amendment in the existing network.
· Existing user accounts and resource permission will be self migrated.
· Services and application running on the existing platform would also get migrated without any effort.

Deployment of Active Directory
User should follow the below suggestion to formulate Active directory over the new server platform.
· Test and verify the deployment process.
· Against the Forest Root create a DNS.
· Create the Forest Root.
· Map a new Regional Domain.
· Import your valuable data from other sources.

Revealing Windows Server 2003 Resource Tools Kit

2009-12-28T04:07:00.000-08:00

A Resource Kit is not a part of any software but it contains a set of software resources and documentation for the software products. It gives many resources like technical help, features and troubleshooting information, management and many more also.

Windows Server 2003 Resource Kit Tools can be used on many editions of Windows including Windows XP. It is a set of tools that can assist administrators in the streamline management tasks like troubleshooting operating system consequences, organizing Active Directory, assembling networking and security features. It comprises a improved command line shell and 188 tools. After its installation, command line shell gives a very smooth integration with Unix utilities that are available in it. Some of the information present in the Windows Server 2003 Resource Kit can be described as follows:

Technical Reference - It gives the comprehensive information about the technologies present in the Microsoft Windows Server 2003 operating system. It is planned to help IT planners and administrators by supplying the foundational information about the technology elements of the operating system.

Deployment Kit - The Microsoft Windows Server 2003 Deployment Kit gives guidelines and recommended processes for planning and preparing for Server 2003 technologies to fulfill your business requirements and IT goals.

The Migrating from Microsoft Windows NT Server 4.0 to Microsoft Windows Server 2003 template is planned for those IT administrators which are present in small and medium sized firms. It gives them assistance in the upgrading of the domain controller, DHCP server, print server, remote access server and Web server roles from Windows NT 4.0 to 2003.

Get Microsoft Server 2000 Support and Microsoft Windows Server 2003 Support. For more queries

Revealing Windows Server 2003 Editions

2009-12-18T03:16:00.000-08:00

As you would be familiar with Windows Server 2003, Microsoft developed operating system to be used on the servers. There are various editions of Windows Server 2003 and one of them is Web Edition, which is primarily used for creating and hosting Web applications, Web pages and XML web services. This edition is planned for using it as an IIS 6.0 Web server and it gives a platform for quickly formulating and deploying XML Web services. Terminal Server mode is not present on Web Edition and it does not need Client Access Licenses. After installation of its Service Pack 1, you can install Microsoft SQL Server and Microsoft Exchange software in this edition.

Another edition of Windows Server 2003 is the Standard Edition, which is focused for the small to medium sized businesses. This edition provides centralized desktop application deployment and secure Internet connectivity. The initial launch of WS 2003 was usable for only 32-bit processors, a 64-bit edition for holding the x86-64 architecture was launched in April 2005.

Enterprise Edition of this is focused towards medium to large businesses. This edition is available in 64-bit versions for the Itanium and x64 architectures. The 64-bit version of this Edition is adequate of dealing up to 1 TB of memory.

Datacenter Edition of Windows Server 2003 is developed for those infrastructures which require high security and reliability. Server for this edition can be used with the x86, Itanium and x86-64 processors. Windows Server Datacenter Edition is comprised of the better support for Storage Area Networks, supports 8-node clustering and many other features.

Alteration in Terminal Server's Listening Port

2009-12-17T04:08:00.000-08:00

It is a well-known fact that TCP port 3389 is used by Terminal Server and Windows 2000 Terminal Services for client connections. Alteration in this port is not recommended by Microsoft. But you can change this port. You have to perform this task carefully, otherwise you will face serious problems.

You have to give more concentration while modifying the registry. If you want to change the default port, then you have to follow these steps:

You start with the task of running Regedt32 and go to this key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
Then you have to find the port number subkey and notice the value of 00000D3D, hex is for 3389.
After this, you have to change the port number in Hex and save the new value

If you want to change the port for a particular connection on the Terminal Server then follow these steps:

You have to run Regedt32 and go to this key, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection.
After this, you have to find the port number subkey and notice the value of 00000D3D, here hex is for 3389.
Then you have to change the port number in Hex and save this new value.

After performing this, you have to make alteration in the Port on the Client Side. Follow these steps to perform this:

You have to open Client Connection Manager.
Then on the File menu, click on New Connection and then create the new connection. After executing the wizard, you will view a new connection listed there.
Then you have to ensure that new connection is highlighted. After this, on the File menu, click Export.
Then you have to edit the .cns file using Notepad. You have to make modifications in the server port, Server Port=3389 to Server Port= new port number, that you had specified on Terminal Server.
Now import the file back into Client Connection Manager. Then you will be demanded to overwrite the current one.
If it has the same name, then overwrite it.

In this way, you will receive a client that has the correct port settings to match your Terminal Server settings. Hope it will help you out, Don’t Forget to subscribe to my blog for more tips and tricks on server and Microsoft Server Support Services

Define Active Directory and its Functionalities?

2009-09-24T22:21:00.000-07:00

With the ever increasing amount of data moving across large networks, it behooves the network systems administrator to oversee the proper function of these elements, not to mention implement the correct security measures. One helpful tool is the Active Directory.

Developed in 1996 by Microsoft, the Active Directory is the primary method by which Windows operating systems amasses information about domains, and also monitors them. In recent years the function has been increased to allow it to facilitate and view online data flows.

The Structure of the Active Directory

Because it was devised to make accessible all the pertinent objects in the network, the directory was structured in an easy to understand hierarchical structure. There are multiple viewing levels: forests, trees and domains/objects.

The forest is where every tree and domain can be viewed; dropping to the tree level, you will see that it contains one or more domains. Domains or objects have no deeper level.

There are three main categories:

Resources : It cover hardware devices like printers and scanners.

Servers : It is primary components of both the network and the domain.

Objects : It is also primary components of both the network and the domain.

The Active Directory is especially useful for managing objects. An object can be defined as any element that can contain another object. Every object has its own properties or schemas, which can be accessed and modified.

How the Active Directory Works

What makes Active Directory so important for a systems administrator is that it makes the updating and upgrading process a virtual one step process. For example, you need to install a new security application. If there are several computers in the network, the procedure would be tedious, but Active Directory, via its forest structure, makes this easy; you just update one object and it applies to all.

The structure is also flexible enough to allow for making changes to specific objects. Because each has its own schema, then the administrator can assign a particular task to a user and use certain software without giving access to everyone.

Active Directory Installation

2009-08-16T23:08:00.000-07:00

Active Directory Installation is not a tough and nasty task, rather than it is very easy. It will not take too much time also.You can install it without facing too much problems. Only you have to follow the given steps;

Go to Start -> Run and type in "dcpromo"

For most cases you will select "Domain Controller for a new domain"

For most cases you will select "Domain in a new forest"

Enter in the FQDN (fully qualified domain name) that you want to use. For example, if your domain was to be called Domain.Com, you would enter Domain.Com. You can also use non existant name spaces such as Domain.Local, or Domain.abc

The next two screens will be where to place file repositories and service folders. You can accept the defaults.

Some users may now get presented with a DNS screen asking you to configure DNS, or to do it later. Select the middle option (Install and configure for me). This will most likely NOT set up dns properly.

Select the permission type you would like. There are two options. If you will only be using Windows 2003 Server and Windows XP or newer, then select the Second option. otherwise, you would need to use the first option.

Pick a "Directory Services Restore" password. Hopefully you will never have to use this as its quite messy for the inexperienced. In either case, Remember this password.

At this point in the installation you are presented with a basic "Sumary" page listing the options you have selected. Make sure these are set properly before continuing. once you select "Next", active directory will begin to install, and once it does you will not be able to stop, and you will have to first uninstall in order to go back and fix any problems or misconfiguration later.

Active Directory will take a while, it could be a couple minutes, or as much as half an hour. Once it is done you will have to reboot.

If you are still unable to install the Active Directory, then we are here to help you.
Just login at : http://www.iyogibusiness.com/active-directory.html

How to add new objects to Active Directory from command line

2009-07-02T01:11:00.000-07:00

H:\>dsadd /?
Description: This tool's commands add specific types of objects to the
directory. The dsadd commands:

dsadd computer - adds a computer to the directory.
dsadd contact - adds a contact to the directory.
dsadd group - adds a group to the directory.
dsadd ou - adds an organizational unit to the directory.
dsadd user - adds a user to the directory.
dsadd quota - adds a quota specification to a directory partition.

For help on a specific command, type "dsadd /?" where
is one of the supported object types shown above.
For example, dsadd ou /?.
Remarks:
Commas that are not used as separators in distinguished names must be
escaped with the backslash ("\") character
(for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").
Backslashes used in distinguished names must be escaped with a backslash
(for example,
"CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").

Source: infotechguyz

How To Create an Active Directory Server in Windows Server 2003

2009-06-24T23:33:00.000-07:00

After you have installed Windows Server 2003 on a stand-alone server, run the Active Directory Wizard to create the new Active Directory forest or domain, and then convert the Windows Server 2003 computer into the first domain controller in the forest. To convert a Windows Server 2003 computer into the first domain controller in the forest, follow these steps:

1. Insert the Windows Server 2003 CD-ROM into your computer's CD-ROM or DVD-ROM drive.
2. Click Start, click Run, and then type dcpromo.
3. Click OK to start the Active Directory Installation Wizard, and then click Next.
4. Click Domain controller for a new domain, and then click Next.
5. Click Domain in a new forest, and then click Next.
6. Specify the full DNS name for the new domain. Note that because this procedure is for a laboratory environment and you are not integrating this environment into your existing DNS infrastructure, you can use something generic, such as mycompany.local, for this setting. Click Next.
7. Accept the default domain NetBIOS name (this is "mycompany" if you used the suggestion in step 6). Click Next.
8. Set the database and log file location to the default setting of the c:\winnt\ntds folder, and then click Next.
9. Set the Sysvol folder location to the default setting of the c:\winnt\sysvol folder, and then click Next.
10. Click Install and configure the DNS server on this computer, and then click Next.
11. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next.
12. Because this is a laboratory environment, leave the password for the Directory Services Restore Mode Administrator blank. Note that in a full production environment, this password is set by using a secure password format. Click Next.
13. Review and confirm the options that you selected, and then click Next.
14. The installation of Active Directory proceeds. Note that this operation may take several minutes.
15. When you are prompted, restart the computer. After the computer restarts, confirm that the Domain Name System (DNS) service location records for the new domain controller have been created. To confirm that the DNS service location records have been created, follow these steps:

1. Click Start, point to Administrative Tools, and then click DNS to start the DNS Administrator Console.
2. Expand the server name, expand Forward Lookup Zones, and then expand the domain.
3. Verify that the _msdcs, _sites, _tcp, and _udp folders are present. These folders and the service location records they contain are critical to Active Directory and Windows Server 2003 operations.

Source

How do I undelete an object from the Active Directory Recycle Bin?

2009-06-17T22:43:00.000-07:00

Source: Windowsitpro

Once you've enabled the recycle bin, you can undelete objects that were deleted after the recycle bin was enabled within the deleted object lifetime. You view the objects that are in the deleted and recycled states using the steps outlined in the previous FAQ.

To restore an object in the deleted state (isDeleted TRUE), simply pass the deleted object to the Restore-ADObject cmdlet. The easiest way to pass the object is to use the Get-ADObject cmdlet and pass the -IncludeDeletedObjects switch.

For example, if I know the displayName of an object is Dick Grayson, I would use the command below. PS C:\Users\savadmin> Get-ADObject -Filter {displayName -eq "Dick Grayson"} -IncludeDeletedObjects | Restore-ADObject

As you can see below, I actually use the Get-ADObject first just to view the object. I can see its Deleted attribute is True. I then pass the object to Restore-ADObject to undelete it. After that I viewed the object, and the Deleted attribute was blank, showing that it has been restored. In this example,e the object name was AFRBEnabled (After Recycle Bin Enabled).

Active Directory Vulnerabilities In Microsoft Windows

2009-06-10T21:34:00.000-07:00

These vulnerabilities need to be taken seriously, due to the factor that if they are exploited, a DoS attack may take place.

The two vulnerabilities located in Microsoft Windows are:

A Memory leak error which exists in the Active Directory LDAP service. It could be exploited in order to hang an affected system. This may occur via specially tampered with LDAP or LDAPS requests, which need to consist of exact OID filters.
An error that exists within the Active Directory LDAP service. If this is exploited, the chances are that it may trigger the invalid memory and attackers could then execute arbitrary code. This execution of arbitrary code takes place via specially tampered with LDAP or LDAPS requests.

A malicious character with the correct computer skills will be able to take complete and utter control of an infiltrated system. He will also be able to view, change, modify, create or delete whatever he wishes.

These vulnerabilities were reported in implementations of Active Directory on the Microsoft Windows 2000 Server, Windows Server 2003 as well as the Active Directory Application Mode (ADAM), when it is installed on Windows XP Professional as well as Windows Server 2003.

The affected operating systems

Microsoft Windows XP Professional

Microsoft Windows Storage Server 2003

Microsoft Windows Server 2003 Web Edition

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows Server 2003 Enterprise Edition

Microsoft Windows Server 2003 Datacenter Edition

Microsoft Windows 2000 Server

Microsoft Windows 2000 Datacenter Server

Microsoft Windows 2000 Advanced Server

The impact of these vulnerabilities may include unauthorized system access as well as DoS attacks. All Windows users will be pleased to know that these vulnerabilities only affect Microsoft Windows 2000 Server systems. This vulnerability has been rated as moderately critical. The solution to this problem is for all users to apply the relevant updates immediately with the use of update management software or the Microsoft Update service.

Source: http://www.pc1news.com/news/0717/active-directory-vulnerabilities-in-microsoft-windows.html#msg

How to Manage Object Properties In Active Directory

2009-06-04T21:49:00.000-07:00

Instructions:

Step 1 :Open the Active Directory Users And Computers tool.
Step 2: Expand the name of the domain, and select the RD container. Right-click the John Q for example, an admin user account, and select Properties.
Step 3: Here, you will see the various Properties tabs for the User account. Make some configuration changes based on the personal preferences. Clock OK to continue.
Step 4: Select the HR Organizational Unit for example. Right-click the All Users group, and click Properties. In the All Users Properties dialog box, you will be able to modify the membership of the group.
Click the Members tab, and then click Add. Add Monica D. President as an example and John Q. Admin User Accounts to the Group. Click OK to save the settings and then OK to accept the group modifications.
Step 5: Select the Sales Organizational Unit,. Right-click the Workstation1 Computer object. Notice that you can choose to disable the account or reset it( to allow another computer to join the domain under the same name). From the right-click menu, choose Properties. You'll see the properties for the Computer object.
Examine the various options and make changes based on your properties on your personal preference. After you have examined the available options, click the OK button.
Step 6: Select the Corporate Organizational Unit. Right-click the Monica D. President User account, and choose Reset Password. You will be prompted to eneter a new password and then asked to confirm it. Note that you can also force the user to change this password upon the next logon.
Step 7: Close the Active Directory Users And Computers tool and this lesson is complete.

Source: Ehow

Techplus takes on Active directory tools from Specops

2009-05-29T02:47:00.000-07:00

Techplus, has brought on management products from Toronto-based vendor, Specops, in a bid to expand its software portfolio.

The distributor will have access to the full software range and has just announced the availability of Specops Virtual Deploy, a Group Policy extension tool that allows administrators to manage Microsoft App-V virtual applications.

Specops provides a range of products allowing organisations to manage and interact with all Microsoft-based server environments through Active Directory or Group Policy platform. Techplus managing director, Paul Kern, said it was Specop’s first local channel partner.

“They have sold products in Australia to some of the larger government departments and multinationals for many years,” he said. “Customers could go online and buy it. But they’ve never been through the channel, or proactively sold products here before.”

Kern said the products were suitable for any organisation – small or large – running Microsoft servers, and claimed they were straightforward to use.

“The core differentiation against other vendors who provide these kinds of products is that users can manage everything through Active Directory – it’s just not an application on top, but a fully integrated solution,” he said.

Specop’s software tools are available for a one-off licence fee. Users can then choose to subscribe to an annual maintenance and support package.

Source: arnnet.com.au

How can I delegate the right to unlock locked Active Directory (AD) user accounts?

2009-05-25T00:27:00.000-07:00

To delegate the right to unlock locked user accounts to a user or group in AD, you must modify the permissions to read and write the lockoutTime Active Directory user object attribute.

To let administrators change these two permissions in AD, you must first make sure that the read and write permissions are visible in the advanced ACL editor that you can access from the Active Directory Users and Computers (ADUC) MMC snap-in. In Windows 2000, both permissions are hidden from ADUC by default. In Windows Server 2003 and Windows Server 2008, they show up in the ADUC’s advanced ACL editor, shown here.

The attribute permissions that are displayed in ADUC’s ACL editor can be controlled using the dssec.dat configuration file, which is stored in the %windir%\System32 directory. In dssec.dat, each object attribute can be assigned one of the following values:

* 7 : do not include the property in the ACL editor
* 2 : include only the “Read” property in the ACL editor
* 1 : include only the “Write” property in the ACL editor
* 0 : include both the “Read” and “Write” property in the ACL editor

If an attribute isn't listed in the dssec.dat file, it will show up in the ACL editor. In Windows Server 2003 and Windows 2008, lockoutTime is by default not included in the dssec.dat file, so it shows up in the ACL editor.

Dssec.dat uses an ini file data format to list the properties of each object class that should be filtered out of the list in the Properties section of the ACL Editor. The file is structured as follows:

[objectclass-name1]
@=value
attribute-name1=value
attribute-name2=value
.
.
attribute-nameX=value

[objectclass-name2]
@=value
attribute-name1=value
attribute-name2=value
.
.
attribute-nameX=value

where objectclass-nameX refers to the AD schema object class for which the visibility in the ACL editor should be controlled and attribute-nameX to the attribute. The "@" placeholder controls the visibility of the object itself.

To modify the filter for the lockoutTime attribute in Windows 2000, open dssec.dat in Notepad. You can find the lockoutTime attribute under the [user] heading. You must reset the value for the lockoutTime attribute from 7 to 0 then save the changes to the dssec.dat file.

Note that you only need to edit the dssec.dat file on the Windows 2000 computer where you set up the actual delegation. Also, keep in mind that the dssec.dat file is read only when an administrator opens ADUC. This means that changes you make to dssec.dat won’t take effect until you close and reopen ADUC.

To delegate the right to unlock user accounts on the OU or domain level in ADUC, you can modify the permissions for the lockoutTime attribute directly in the ACL editor or use the AD delegation wizard. In the latter case, you must perform the following steps.

1. Right-click the OU or domain in ADUC and select Delegate Control... from the context menu.
2. Click Next in the Welcome dialog.
3. Click Add... to select the user or group to which you want to delegate control and click OK.
4. Click Next.
5. Select Create a custom task to delegate and click Next.
6. Select Only the following objects in the folder then, in the list, check User objects and click Next.
7. Clear the General checkbox and check the Property-specific box.
8. Check both the Read lockoutTime and Write lockoutTime boxes and clicks Next.
9. Click Finish.

Source: http://windowsitpro.com/article/articleid/102025/q--how-can-i-delegate-the-right-to-unlock-locked-active-directory-ad-user-accounts.html

Win Server 2008: Owner Rights in Active Directory Domain Services

2009-05-17T23:36:00.000-07:00

Windows Server 2008 introduces new capabilities for Active Directory Domain Services object ownership. These new capabilities do not change the default permissions that the owner of an object is granted; however, they do provide the ability to modify the permissions granted to the owner of an object. The ability to restrict the permissions for the owner on an object is a welcome security enhancement in Windows Server 2008.

Each Active Directory Services object has a security descriptor, which facilitate the ability to secure the object by using permissions. A security descriptor contains all information related to access control for a given object, including:

* The owner of the object
* The primary group of the object (rarely used)
* The discretionary access control list (DACL)
* The system access control list (SACL)
* Control information

By default, the owner of the object is given the WRITE_DAC permission and READ_CONTROL permission. These permissions provide the owner with the ability to change permissions on an object and to read the permissions assigned to an object, respectively.

Issues with Pre-Windows Server 2008 Behavior of Object Ownership

There are a number of issues with the pre-Windows Server 2008 behavior of object ownership. It is important to cover these issues to provide a better understanding of the benefits.

One of the biggest security risks with the pre-Windows Server 2008 behavior of object ownership is that it provides the ability to escalate privileges. Consider the scenario in which you've granted your help desk permission to create user accounts but not the permission to delete user accounts. When a member of the help desk subsequently creates a user account, he becomes the owner of that user account object in the directory. With the pre-Windows Server 2008 behavior of object ownership, they automatically receive the ability to change permissions on the user. If they want to delete the user object, or grant anyone the ability to do so, they can grant the ability to do by modifying the permissions on the user account object.

With the pre-Windows Server 2008 behavior of object ownership, you are limited to taking ownership of an object. As a safeguard, members of the Administrators group can always take ownership of an object, even if the current owner has denied Administrators the permissions to modify the object. However, taking ownership of an object is essentially a reactive step. The pre-Windows Server 2008 behavior of object ownership did not have any means to be proactive.

By default, Windows Server 2008 designates the creator of an object as the owner, which is the same as the pre-Windows Server 2008 behavior. Furthermore, Windows Server 2008 still grants the owner the ability to change permissions of an object and read permissions, which is also consistent with the pre-Windows Server 2008 behavior. However, Windows Server 2008 introduces a new well-known security principal called, Owner Rights, which can be used to restrict the permissions that the owner of an object is granted. In Windows Server 2008, you can add the Owner Rights well-known security principal to the Discretionary Access Control List (DALC) of an object, and control the permissions that assigned to the owner of that object. When you add the Owner Rights well-known security principal to the DALC of an object, you can specify the permissions assigned to the owners of objects. This new capability overrides the default pre-Windows Server 2008 behavior of object ownership.

Source: enterpriseitplanet.com

Windows Server 2008: Install Active Directory Domain Services

2009-05-12T02:27:00.000-07:00

Active Directory provides the structure to centralize the network and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users.

In this scenario we are going to install Active Directory fresh with a brand new Domain Controller after a fresh install of Windows Server 2008.

Requirements for Active Directory Domain Services

Let’s go through some of the requirements for a fresh install of active directory services. Some of these will be required to be done before hand; others as noted can be done during the install:

* Install Windows Server 2008

* Configure TCP/IP and DNS networking configurations

* The disk drives that store SYSVOL must be on a local drive configured NTFS

* Active Directory requires DNS to be installed in the network. If it is not already installed you can specify DNS server to be installed during the Active Directory Domain Services installation.

Once you verify that these requirements have been met we can get started.

Install Active Directory Domain Services via Server Manager

For the first example let’s start by installing Active Directory through Server Manager. This is the most straight forward way, as a wizard will guide you through the steps necessary.

1. Start Server Manager.

2. Select Roles in the left pane, then click on Add Roles in the center console.

3. Depending on whether you checked off to skip the Before You Begin page while installing another service, you will now see warning pages telling you to make sure you have strong security, static IP, and latest patches before adding roles to your server.

If you get this page, then just click Next.

4. In the Select Server Roles window we are going to place a check next to Active Directory Domain Services and click Next.

5. The information page on Active Directory Domain Services will give the following warnings, which after reading, you should click Next:

* Install a minimum of two Domain Controllers to provide redundancy against server outage (which would prevent users from logging in with only one)

* AD DS requires DNS which if not installed you will be prompted for

* After installing AD DS you must run dcpromo.exe to upgrade to a fully functional domain controller

* Installing AD DS will also install DFS Namespaces, DFS Replication, and Filer Replication services which are required by Directory Service

6. The Confirm Installation Selections screen will show you some information messages and warn that the server may need to be restarted after installation.

Review the information and then click Next.

7. The Installation Results screen will hopefully show Installation Succeeded, and an additional warning about running dcpromo.exe (I think they really want us to run dcpromo).

After you review the, click Close.

8. After the Installation Wizard closes you will see that server manager is showing that Active Directory Domain Services is still not running. This is because we have not run dcpromo yet.

9. Click on the Start button, type dcpromo.exe in the search box and either hit Enter or click on the search result.

10. The Active Directory Domain Services Installation Wizard will now start.

There are links to more information if you want to learn a bit more you can follow them or you can go ahead and click Use advanced mode installation and then click Next.

For more detail: Source

Restartable Active Directory Domain Services Explained

2009-05-06T03:20:00.000-07:00

Windows Server 2008 includes a service that allows you to start, stop, and restart Active Directory Domain Services on a domain controller. This new functionality facilitates more streamlined operations when it comes to performing offline tasks on a domain controller. This article takes a closer look at the new restartable Active Directory Domain Services in Windows Server 2008.

Overview of the Active Directory Domain Services Service

Every domain controller that has Windows Server 2008 installed includes a service called Active Directory Domain Services, which can be manipulated like any other service. This new service and functionality is enabled by default on all domain controllers that have Windows Server 2008 installed; there are no domain or forest functional-level requirements for this functionality.

With the Active Directory Domain Services running as a service on a domain controller, you can use familiar tools to manipulate the status of the service. For example, you can use the Services console or sc.exe to stop, start or restart the Active Directory Domain Services service.

The Active Directory Domain Services service has a number of other services that depend on it. As a result, when you change the status of the Active Directory Domain Services service, the dependent services will also be affected. These dependent services include the following:

DFS Replication
DNS Server
Intersite Messaging
Kerberos Key Distribution Center

It is common to have domain controllers run other services that do not depend on Active Directory Domain Services. The fact that Active Directory Domain Services runs as a true service, which can be manipulated independently from nondependent services, facilitates the ability for the nondependent services to continue to function when the Active Directory Domain Services service is stopped.

The Active Directory Domain Services service can be in one of two statuses: Started or Stopped. The tasks that can be performed on a domain controller differ based on the status of the service. Furthermore, the directory service functionality is also different depending on the status of the Active Directory Domain Services service.

Active Directory Domain Services Service -- Started

When the Active Directory Domain Services service is started, the domain controller functions just like any other domain controller. In this state, Active Directory Domain Services, and other dependent and nondependent services running on the domain controller, operate just as they do on a Windows Server 2003 or Windows 2000 Server domain controller. The domain controller will process authentication and authorization requests, for example, because the domain controller is online.

Active Directory Domain Services -- Stopped

When the Active Directory service is stopped, the domain controller is said to be offline and functions similar to a domain controller running in Directory Services Restore Mode. When the Active Directory Domain Services service is stopped, the Active Directory Domain Services database (NTDS.dit) is offline. As a result, changes cannot be made to the Active Directory Domain Services database, directly or by virtue of replication.

The fact that the Active Directory Domain Services database is offline when the Active Directory Domain Services service is stopped provides the ability to perform offline maintenance tasks without restarting the domain controller into Directory Services Restore Mode. These tasks include performing an offline Active Directory Domain Services database defragmentation, marking an object or objects as authoritative, and forcefully removing Active Directory Domain Services from the domain controller.

Because the Active Directory Domain Services database is offline when the Active Directory Domain Services service is stopped, the domain controller will not process authentication requests. In this case, authentication requests, and all other Active Directory Domain Services client and service requests, will be referred to an online domain controller. If no other domain controllers can be contacted to process the authentication request, you must logon to the domain controller using the Directory Services Restore Mode account.

Directory Services Restore Mode Account and the Active Directory Domain Services Service

By default, the Directory Services Restore Mode account can be used only when logging onto a domain controller in Directory Services Restore Mode. However, Windows Server 2008 provides the ability to enable the use of the Directory Services Restore Mode account when logging onto a domain controller when the Active Directory Domain Services service is stopped. This functionality is enabled by modifying HKLMSystemCurrentControlSetControlLsaDSRMAdminLogonBehavior registry key. The table that follows lists the three options for the DSRMAdminLogonBehavior registry key:

Value	Description
0 (Default)	The DSRM account cannot be used for logon.
1	The DSRM Administrator account can be used to log on only when the AD DS service is stopped
2	The DSRM Administrator account can be used to log on at any time.

Source: enterpriseitplanet.com/networking/features/article.php/3814246

Google Apps gains LDAP support

2009-05-01T00:37:00.000-07:00

Google Apps has gained a directory tool designed to simplify and accelerate the setup of this hosted collaboration and communication suite.

With the new Directory Sync, Apps can tap into existing LDAP-based user directories, such as the ones in IBM's Lotus Domino and Microsoft Active Directory, so that administrators don't have to set up a separate directory in the Google suite.

Google Apps has mostly been adopted in small and medium-size companies, and groups within large organizations, although the suite has nabbed large deployments in universities and government settings.

The new tool, which comes from technology Google acquired when it bought Postini, runs behind customers' firewalls and offers a one-way delivery of directory information to Google Apps.

"The utility offers many of the customization settings, tests and simulations originally developed and refined for the Postini directory sync tool," wrote Navneet Goel, Google enterprise product manager, in a blog posting Thursday.

The LDAP (Lightweight Directory Access Protocol) component is available at no additional cost for administrators of the Premier, Education and Partner versions of Apps.

For detail info: http://www.reuters.com/article/idgSmallBusiness/idUS210295645120090501

How to Fix Active Directory DNS problems?

2009-04-14T00:10:00.000-07:00

Lots of times when creating a brand new domain or promoting a computer that does not have DNS installed or correctly configured, Active directory does not properly configure the DNS name space for your new domain.

This can be checked by going into the DNS MMC console and expanding the Forward lookup zone. it should have several sub "folders" such as DC, GC, etc.

Errors like:

server GUID DNS name could not be resolved to an IP address. Check items such as the DNS server, DHCP and server name. Although the GUID DNS name (._msdcs.domain-name.local) couldn't be resolved, the server name () resolved to the IP address () and was pingable. Check that the IP address is registered correctly with the DNS server.

This type of error will cause you to not be able to add computers to your domain, or even add new domain controllers.

Step1: Log into the Domain controller either in console or via RDP

Step2: Download DcDiag.exe from microsoft if you do not have the Windows 2000 support tools installed. You can find it at http://www.microsoft.com/downloads/details.aspx?familyid=23870A87-8422-408C-9375-2D9AAF939FA3&displaylang=en

You can download it and extract it to anywhere you like.

Step3: Open a command window (Start menu -> Run -> Type "cmd" with out quotes and hit enter/click ok), now change directory to where the executable is located.

Step4: Type "ipconfig /flushdns", then "ipconfig /registerdns" (with out the quotes) to flush out the DNS resolver cache and register the DNS source records, respectively.

Some people like to clear the ARP cache as well, you can do this by typing "arp -d *" at the command prompt with out quotes. This part is optional.

Step5: At the prompt type in dcdiag /fix

Read through the output. You will most likely have the following text somewhere in your output:

Server GUID DNS name could not be resovled to an ipaddress.
Althought GUID could not be resolved, the server name resolved to the ip address x.x.x.x and was pingable

Step6: Still at the command prompt, type "dcdiag /fix", then "net stop netlogon" and "net start netlogon" (again with out the quotes) to finalize the changes.

Run dcdiag one more time to make sure the domain controller's DNS is working. You should no longer get the error mentioned in step 5. Some other NIC related errors may show up, but you can dismiss those for the most part it wont affect your installation (you couldnt get this far if there were serious NIC problems)

Step7: You should now be able to add member computers to your new domain and add domain controllers.

Source:eHow

OUrganizeIT - Active Directory Object Management tool

2009-04-08T03:09:00.000-07:00

OUrganizeIT by Synergix, Inc., is an Active Directory Object Management tool. It helps organize and secure computer objects and user objects in Microsoft Windows Active Directory environment, facilitating organizations meet their SOX, SEC and HIPAA compliance requirements.

Users with elevated privileges may remove their computers from the domain, for non-business, experimental purposes or for business reasons, such as product demonstration purposes at client sites or tradeshows or conferences. OUrganizeITTM helps maintain domain membership.

If the computer object in the Active Directory domain becomes defunct or the user removes the computer object from the domain and puts it in a workgroup or another domain ( at home, internet cafe, etc.), the computer rejoins the domain next time it is put back on the corporate network. All this is achieved without granting the user elevated privileges on his / her workstation or in Active Directory environment.

Version 8 includes VPN User Password Change option.

Source: zdnetasia.com

Windows Server 2008 Active Directory Database Mounting Tool

2009-04-03T05:16:00.000-07:00

Windows Server 2008 aims to improve recovery processes for Active Directory Domain Service (AD DS) and Active Directory Lightweight Directory Services (AD LDS). In Windows Server 2008, you can now take point-in-time snapshots of the data that is stored in AD DS or AD LDS. Furthermore, Windows Server 2008 includes a new Active Directory database mounting tool, which allows you to mount the snapshot. This new functionality provides administrators with the ability to view AD DS and AD LDS data, as it existed at different times, thus effectively arming you with better means to deal with the recovery of AD DS and AD LDS data.
Snapshots

The Windows Server 2008 version of the Ntdsutil.exe command-line tool includes a new operation, called snapshot, which provides the ability to create snapshots of AD DS and AD LDS data. The Ntdsutil.exe snapshot operation can be used to create point-in-time snapshots of AD DS and AD LDS data. You can also schedule a recurring task (e.g., using Task Scheduler) that uses Ntdsutil.exe to create snapshots.

You are not restricted to the use of snapshots that were created by using the Ntdsutil.exe snapshot operation. You can use any backup of an AD DS or AD LDS database that uses the Volume Shadow Copy Service (VSS), including Windows Server Backup as well as third-party backup solutions.

Database Mounting

The Ntdsutil.exe snapshot operation also provides the ability to list, mount, and unmount snapshots of AD DS and AD LDS data. If you incorporate this new functionality into your disaster recovery plan for AD DS or AD LDS, you will likely have multiple snapshots of AD DS or AD LDS data. The Ntdsutil.exe snapshot operation provides the ability to list all snapshots so you can determine which snapshot you need to work with. Once you have identified the appropriate snapshot, you must mount the snapshot before you can continue. Mounting and unmounting snapshots is also performed using the Ntdsutil.exe snapshot operation.

Exposing a Snapshot as an LDAP Server

After you have created one or more a snapshots, and you know which snapshot you plan to work with, you must expose that snapshot as an LDAP server before you can view the data stored in the snapshot. Windows Server 2008 includes a command-line tool, called Dsamain.exe, which provides the ability to expose snapshots as an LDAP server. Dsamain.exe can be used to expose AD DS and AD LDS snapshots as an LDAP server. When running the Dsamain.exe command-line tool, you must specify the path to the AD DS or AD LDS database (ntds.dit) file. You can optionally specify where to store the log files and temporary database by using the log path parameter. In most cases, you will view multiple snapshots at the same time. As a result, you must specify which port to use for LDAP communication when exposing the snapshot using Dsamain.exe.

In addition to LDAP communication, LDAP over SSL, global catalog, and global catalog over SSL communication can be used to query a snapshot exposed as an LDAP server. By default, Dsamain.exe will increment the port number by 1 for each of these additional protocols. For example, if you specify port 5000 for LDAP, Dsamain.exe will use 5001 for LDAP over SSL, 5002 for global catalog, and 5003 for global catalog over SSL. You can, however, specify the port numbers to be used for the additional protocols.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3812086

Active Directory Recycle Bin can save a Windows Server

2009-03-25T00:11:00.000-07:00

The Recycle Bin feature allows objects to be restored via the Active Directory PowerShell environment. For the beta release, this functionality is turned off by default, so the first step is to enable the feature. Figure A shows this step.

Once this is complete, you can view the contents of the Active Directory Recycle Bin. This special location exists as a container that holds the objects as they are deleted.

In my first looks at Windows Server 2008 R2 beta, I set up a test domain running at that function level. The domain, dev.tld, had nothing in the Recycle Bin after it was created. I deleted two objects: one user and one group. Figure B shows the query of what is in the Recycle Bin before the two objects were deleted, then another query after they were deleted.

Notice that some fields were cut off in the display, notably the full GUID (which is needed for the restore). To display the entire GUID and object name, you would run this query:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=dev,DC=tld" -ldapFilter "(objectClass=*)" -includeDeletedObjects | FT ObjectGUID,Name -A

Then, the full GUID is displayed, so a copy and paste operation will allow an easy restore. From the list above, to restore the single user named test, the following command will perform the restore:

Restore-ADObject -Identity 6ff46162-15c2-4d42-8e15-2fcac5c8422e

The object is instantly returned to full existence in Active Directory.

Source: http://blogs.techrepublic.com.com/datacenter/?p=675

Recovering Bitlocker Keys from Active Directory

2009-03-08T23:48:00.000-07:00

BitLocker is a great tool for ensuring that the data on your organization’s computers is protected when laptop computers are misplaced or hard disk drives are stolen. Volumes encrypted using bitlocker can be recovered using the bitlocker recovery tool if you have the appropriate recovery key. As each BitLocker key is individual , the big problem with BitLocker recovery has been keeping track of every computer’s BitLocker keys.

The easiest way to keep track of all keys is to archive them to Active Directory. It saves a lot of effort with setting up an Excel spreadsheet! The Computer Configuration\Administrative Templates\Windows components\BitLocker Drive Encryption node of a Windows Server 2008 GPO contains a policy named Turn on BitLocker Backup To Active Directory Domain Services.

You can configure this policy so that BitLocker cannot be first enabled unless the computer is connected to the domain and the backup of the BitLocker keys to AD succeeds (BitLocker remains on after that). To ensure BitLocker keys are backed up, enable the policy and select the Require BitLocker Backup to AD DS option before deploying BitLocker. You can choose to back up recovery passwords and key packages or just recovery passwords. You should back up both items as this will give you more flexibility when attempting to recover encrypted volumes that might be damaged.

Retrieving a BitLocker key from Active Directory involves using the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. This tool allows you to locate and view BitLocker recovery passwords, assuming that you have Domain Administrator privileges in the domain in which the password is stored and the passwords are archived in AD. You can obtain this tool from Microsoft’s website here: http://support.microsoft.com/kb/928202.

You should note that the tool is not included with Windows Server 2008 or Windows Vista by default. So although you can archive BitLocker keys to AD, there isn’t any way to retrieve them unless you download this extra tool. Before you run the tool on a DC for the first time, but after you have installed it, it is necessary to run the command regsvr32.exe bdeaducext.dll. The tool itself modifies Active Directory Users and Computers so that when you view a computer account’s properties, there will be a BitLocker Recovery Tab that lists BitLocker recovery passwords associated with the computer account. You can remove the tool using Add or Remove Programs in the Control Panel. Once you’ve recovered the appropriate passwords, you can get on with recovering encrypted data!

Source: http://windowsitpro.com/article/articleid/101582/recovering-bitlocker-keys-from-active-directory.html

Windows Server 2008: Discover the New Active Directory Domain Services

2009-02-22T23:38:00.000-08:00

There are a number of new Active Directory Domain Services features in Windows Server 2008. These new features improve auditing, security, and the management of Active Directory Domain Services and show Microsoft's commitment to evolving Active Directory Domain Services. The following is an overview of the new Active Directory Domain Services features that are in Windows Server 2008.

Auditing

Windows Server 2008 introduces significant changes to Active Directory Domain Services auditing. Active Directory Domain Services auditing in Windows Server 2008 is more granular than previous versions and provides you with more control over what is audited.

Active Directory Domain Services auditing is now divided into the following four subcategories:

* Directory Service Access
* Directory Service Changes
* Directory Service Replication
* Detailed Directory Service Replication

You can disable or enable Active Directory Services auditing at the subcategory level. For each subcategory, you can also configure whether to log successful events, failed events, both successful and failed events, or no auditing.

In Windows Server 2008, the new Directory Service Changes subcategory allows you to log the old value and new value of a changed attribute, in addition to the attribute name.

Windows Server 2008 also provides the ability to exclude the logging of changes to specific attributes by modifying the attribute properties.

The Active Directory Domain Services auditing subcategories are viewed and configured by using the Auditpol.exe command-line tool.
Fine-Grained Password Policies

Windows Server 2008 introduces the ability to create multiple password policies in a single domain, which is another first for Active Directory Domain Services. The introduction of fine-grained password policies in Windows Server 2008 allows organizations to create and manage multiple password policies and account lockout policies to meet diverse security requirements.

You can configure the same password policy and account lockout settings in a fine-grained password policy as you can at the domain level. Fine-grained password policies can be linked to users and to global groups. Because users can inherit multiple password fine-grained password policies, a precedence setting has been included to allow you more granular control.

Fine-grained password policies are configured by using the ADSI Edit snap-in.
Read-Only Domain Controllers

Another first for Active Directory Domain Services is the introduction of a new type of domain controller in Windows Server 2008, the read-only domain controller (RODC). RODCs are intended to assist you in situations in which domain controllers must be deployed in locations where physical security cannot be guaranteed, such as branch offices.

Microsoft has implemented a number of mitigating measures to ensure a compromised RODC does not impact the rest of your Active Directory Domain Services environment. These measures include the following:

* Read-only database
* Unidirectional replication
* Credential caching
* Administrator role separation
* Read-only Domain Name System (DNS)

Restartable Active Directory Domain Services

Windows Server 2008 now includes a true service, which allows you to stop, start, and restart Active Directory Domain Services without having to restart the operating system.

In Windows 2000 Server and Windows Server 2003, the operating system on a domain controller had to be restarted in Directory Services Restore Mode for most maintenance and recovery. However, Windows Server 2008 now provides the ability to start, stop, and restart the Domain Controller service.

The domain controller service can be manipulated by using the Services snap-in or the Computer Management snap-in.

Database Mounting Tool

Windows Server 2008 includes a new ability to take snapshots of an Active Directory Domain Services database and mount these snapshots into a new database mounting tool.

The database mounting tool allows you to view an Active Directory Domain Services object's previous state. You can then use this to compare the object's previous state to the object in production. This is particularly useful if you know that an object's attributes were changed, but do not know what the previous value of the attributes were.

User Interface Improvements

A number of user interface improvements have been made in Windows Server 2008. The following is a list of some of the most noteworthy interface changes in Windows Server 2008:

* New installation options for domain controllers.
* A more streamlined and simplified installation process.
* Improvements to the Active Directory Users and Computers console.
* A built-in Attribute Editor, which is accessible on the properties page of each object in the Active Directory Domain Services management tools.

Owner Rights

Windows Server 2008 now provides the ability to limit the default permissions that the owner of an object is given. In previous versions of Windows, the owner of an object was given the ability to read and change permissions on the object, which was more than they required in most cases. This new functionality in Windows Server 2008 also applies to Active Directory Domain Services objects.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3796561

Active Directory Domain Services Fine-Grained Password and Account Lockout Policies

2009-02-16T01:47:00.000-08:00

Since the release of Windows NT 3.1, Microsoft's first Network Operating System, password policies were limited to the domain level. This held true for Windows 2000 Server and Windows Server 2003 versions of Active Directory. However, Microsoft has introduced the ability to define multiple password and account lockout policies in Windows Server 2008.

This article takes a deeper look at the new Active Directory Domain Services fine-grained password and account lockout policies in Windows Server 2008.

Password Settings Container and Password Settings Objects

Active Directory Domain Services in Windows Server 2008 includes two new object classes for fine-grained password and account lockout policies: Password Settings Container and Password Settings objects. Fine-grained password and account lockout policies require a domain functional level of Windows Server 2008, so these two objects will not be used for domains with a lower domain functional level.

The Password Settings Container (PSC) is created in the System container in each domain that has a domain functional level of Windows Server 2008. Password Settings Containers are used to store Password Settings objects for the domain. Once created by the system, the Password Settings Container cannot be moved, deleted, or renamed. You can view the Password Settings Container by enabling the Advanced View in the Active Directory Users and Computers Container, ADSI Edit, and LDP.exe.

Password Settings objects (PSOs) are the objects that you create to define fine-grained password and account lockout policies. Password Settings objects are stored in the Password Settings Container for the domain. Multiple Password Settings objects can be stored. Password Settings objects can be created by using ADSI Edit and LDIFDE.

Password Settings Object Attributes

Password Settings objects include the nine attributes for the same Password Policy and Account Lockout settings as the Default Domain Policy. These nine attributes are mandatory and must be defined on every Password Settings object. These attributes are shown in the table below.

LDAP Display Name	Description
msDS-PasswordHistoryLength	Enforce password history
msDS-MaximumPasswordAge	Maximum password age
msDS-MinimumPasswordAge	Maximum password age
msDS-MinimumPasswordLength	Minimum password length
msDS-Password-ComplexityEnabled	Passwords must meet complexity requirements
msDS-PasswordReversibleEncryptionEnabled	Store passwords using reversible encryption
msDS-LockoutDuration	Account lockout duration
msDS-LockoutThreshold	Account lockout threshold
msDS-LockoutObservationWindow	Reset account lockout after

Microsoft did not include the ability to create fine-grained password and account lockout policies in the Active Directory Users and Computers console in Windows Server 2008. As a result, the graphical interface to create Password Settings objects is the ADSI Edit console. The ADSI Edit console allows you to create Password Settings objects, and enter values for the attributes that are contained in Password Settings objects, in raw format. To set a Maximum Password Age of 42 days on a Password Settings object, you would enter a value of 42:00:00:00.

Controlling the Scope of Password and Account Lockout Policies

In addition to the above nine attributes, Password Settings objects also include two new attributes which are used to control the scope. These two attributes are shown in the table below:

LDAP Display Name	Description
msDS-PSOAppliesTo	PSO link
msDS-PasswordSettingsPrecedence	Precedence

The msDS-PSOAppliesTo attribute is used to link Password Settings objects to users and/or global groups. The msDS-PSOAppliesTo attribute is a multivalued attribute, which allows Password Settings objects to be linked to multiple users and/or global groups. The msDS-PSOAppliesTo includes a forward link to user or group objects. The msDS-PasswordSettingsPrecedence attribute is a mandatory attribute which is used to resolve conflicts when more than one Password Settings object is applied to a user or group.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3800436

Integrating Mac OS X with Active Directory

2009-02-09T23:10:00.000-08:00

Active Directory within Mac OS X enables Mac clients and servers to integrate smoothly into existing AD environments, and provides the option of deploying a single directory services infrastructure that can support both Windows and Mac clients.

A key component of any modern computing environment, directory services allow organizations to centralize information about users, groups, and computing resources. A network-based repository consolidates resources, simplifies system management, and reduces support and administration costs. At the same time, it benefits users by enabling them to access enterprise resources from anywhere on the network. Thus, a directory services infrastructure offers advantages for both administrators and end users.

Of course, the full benefits of active directory services can only be realized when all of your desktop, laptop, and server systems are integrated into the same directory services infrastructure. This goal has been difficult to achieve in the past due to the proliferation of proprietary directory services solutions.

With the introduction of the Active Directory (AD) plug-in in Mac OS X v10.3 (Tiger), Apple made a concerted effort to enable IT administrators to integrate Mac OS X clients and servers easily into existing Active Directory infrastructures. While every Active Directory installation is different (especially in the enterprise space), Mac OS X integrates well with the vast majority of them, and with minimum effort.

Whatever combination of Mac, Windows, and Linux systems your organization uses, you no longer need to maintain a separate directory or separate user records to support your OS X systems. Users can move effortlessly between different computers while still adhering to enterprise policies for strong authentication and password-protected access to network resources.

Apple's support for Active Directory within Mac OS X enables Mac clients and servers to integrate smoothly into existing AD environments, and provides the option of deploying a single directory services infrastructure that can support both Windows and Mac clients.

Source: http://www.ciol.com/Developer/Operating-System/Tech-Papers/Integrating-Mac-OS-X-with-Active-Directory/4209115565/0/

Microsoft Active Directory Topology Diagrammer

2009-02-02T01:36:00.001-08:00

The Microsoft Active Directory Topology Diagrammer is a really useful tool when documenting Active Directory domains of any size.

With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through Microsoft ActiveX Data Objects (ADO). The Active Directory Topology Diagrammer tool automates Microsoft Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure or your current Exchange 200X Server Organization.

With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, like only one Domain or one site. The objects are linked together, and arranged in a reasonable layout that you can later interactively work with the objects in Microsoft Visio.

The Diagrammer is very flexible and allows the user to include and exclude granular information such as the following:

domain(s) (child etc.)
Site(s )
OUs
Administrative Groups
Exchange connectors (Routing, SMTP, X.400, Notes etc.)
Users in the domain(s)
Trusts
User Count
Global Catalog servers
IP and SMTP Site links
Subnets
Inter/Intra Site Replication Connections
Number of Mailboxes
Application Partitions
Servers and OS version information (with color coding)

Source : http://thebackroomtech.com/2008/01/30/microsoft-active-directory-topology-diagrammer/

Active Directory Auditing Tools

2009-01-27T03:09:00.000-08:00

Active Directory is a crucial component of just about any Windows-based IT infrastructure, and keeping tabs on who modified AD records, when they were changed, and why they were changed can be a full-time job. Throw in some additional requirements—such as the need to be in compliance with federal and state governance guidelines, from the Sarbanes-Oxley (SOX) Act to the Health Insurance Portability and Accountability Act (HIPAA)—and you have the makings of a headache-inducing task for many IT pros. But help is on the way.

Windows Server 2008 AD Improvements

Microsoft listened to IT pro complaints about AD auditing and implemented several new features in Windows Server 2008 to ease the pain. “Windows 2008 brings various benefits to the table with respect to event management, including a completely changed event-log storage model,” says Guido Grillenmeier, a Microsoft Active Directory Services MVP and a master technologist with HP’s Advanced Technology Group. “It also includes improved native AD auditing, as it allows more granular and more complete auditing of AD changes. For example, it can record the old value and new value of an attribute that was changed.”

Server 2008 breaks auditing into four categories: Access, Changes, Replication, and Detailed Replication. The Changes category improves upon the way AD changes were handled in Windows Server 2003 and Windows 2000, logging deltas of attribute changes, detailing new object creation and movement, and offering a create-event feature that’s triggered when objects are moved to different domains.

Choosing an AD Auditing Solution

Regardless of whether you’re running Server 2008, Windows 2003, or Win2K, an off-the-shelf AD auditing product can help minimize the workload. Determining what level of AD auditing your organization needs is important . Grillenmeier cautions against looking for a silver-bullet solution to AD auditing requirements. “For example, proxy-management solutions … such as AD Self-Service Suite and Ensim Unify … are nice tools to delegate specific management tasks to non-admin users and audit the changes they do to AD with the tool. However, these tools only audit what’s changed by them and can’t audit native changes in AD; they can never create a complete auditing trail.”

Grillenmeier contrasts those AD proxy-management auditing tools with AD auditing tools that gather security and auditing events from event logs on domain controllers - such as Microsoft System Center Operations Manager or HP OpenView—and AD auditing tools that combine native event logs with AD data gathered by agents, such as Quest InTrust and Quest ChangeAuditor.

“Event-log–based may be sufficient for many customers that need to meet specific compliancy requirements,” says Grillenmeier. “It’s mainly a matter of correctly setting up auditing in the directory itself, so that the changes are correctly logged in the event logs. Note that if proxy-management tools are used, you still have to combine the native event data with the data of the proxy tools to figure out which person actually performed a change in AD, since for changes done by the proxy tool the native event logs will only see the service account as the owner of the change.” Grillenmeier says that only products that combine event-log auditing with separate agents that gather AD data are capable of auditing all AD changes.

Don’t Forget the Data

One important yet overlooked aspect of AD auditing is the massive amount of data the auditing process can generate. “For enterprise-scale customers, this easily amounts to many gigabytes per day of auditing data,” Grillenmeier says. “Tools that [have the capability] to efficiently store the auditing data in a compressed format and are a critical factor for large companies.” You’ll do well to consider your organization’s auditing needs, the number of AD changes it makes, and how granular those changes are. And you’d be well advised to pay attention to the security, backup, and disaster recovery of AD auditing data, just as you would for other types of data.

Source: http://windowsitpro.com/ActiveDirectory/Article/ArticleID/100828/ActiveDirectory_100828.html

Active Directory Domain Services Features in Windows Server 2008

2009-01-20T02:44:00.000-08:00

Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication

You can disable or enable Active Directory Domain Services auditing at the subcategory level. For each subcategory, you can also configure whether to log successful events, failed events, both successful and failed events, or no auditing.

In Windows Server 2008, the new Directory Service Changes subcategory allows you to log the old value and new value of a changed attribute, in addition to the attribute name.

Windows Server 2008 also provides the ability to exclude the logging of changes to specific attributes by modifying the attribute properties.

The Active Directory Domain Service auditing subcategories are viewed and configured by using the Auditpol.exe command-line tool.

Fine-Grained Password Policies

Windows Server 2008 introduces the ability to create multiple password policies in a single domain, which is another first for Active Directory Domain Services. The introduction of fine-grained password policies in Windows Server 2008 allows organizations to create and manage multiple password policies and account lockout policies to meet diverse security requirements.

You can configure the same password policy and account lockout settings in a fine-grained password policy as you can at the domain level. Fine-grained password policies can be linked to users and to global groups. Because users can inherit multiple password fine-grained password policies, a precedence setting has been included to allow you more granular control.

Fine-grained password policies are configured by using the ADSI Edit snap-in.
Read-Only Domain Controllers

Microsoft has implemented a number of mitigating measures to ensure a compromised RODC does not impact the rest of your Active Directory Domain Services environment. These measures include the following:

* Read-only database
* Unidirectional replication
* Credential caching
* Administrator role separation
* Read-only Domain Name System (DNS)

Restartable Active Directory Domain Services

Windows Server 2008 now includes a true service, which allows you to stop, start, and restart Active Directory Domain Services without having to restart the operating system.

In Windows 2000 Server and Windows Server 2003, the operating system on a domain controller had to be restarted in Directory Services Restore Mode for most maintenance and recovery. However, Windows Server 2008 now provides the ability to start, stop, and restart the Domain Controller service.

The domain controller service can be manipulated by using the Services snap-in or the Computer Management snap-in.

Database Mounting Tool

Windows Server 2008 includes a new ability to take snapshots of an Active Directory Domain Services database and mount these snapshots into a new database mounting tool.

The database mounting tool allows you to view an Active Directory Domain Services object's previous state. You can then use this to compare the object's previous state to the object in production. This is particularly useful if you know that an object's attributes were changed, but do not know what the previous value of the attributes were.

User Interface Improvements

A number of user interface improvements have been made in Windows Server 2008. The following is a list of some of the most noteworthy interface changes in Windows Server 2008:

New installation options for domain controllers.
A more streamlined and simplified installation process.
Improvements to the Active Directory Users and Computers console.
A built-in Attribute Editor, which is accessible on the properties page of each object in the Active Directory Domain Services management tools.

Owner Rights

Windows Server 2008 now provides the ability to limit the default permissions that the owner of an object is given. In previous versions of Windows, the owner of an object was given the ability to read and change permissions on the object, which was more than they required in most cases. This new functionality in Windows Server 2008 also applies to Active Directory Domain Services objects.

Source: http://www.enterpriseitplanet.com/networking/features/article.php/3796561

How do I install Active Directory on my Windows 2000 Server?

2009-01-15T05:44:00.000-08:00

You can configure your server as a Domain Controller manually, but if you don't have the time, skill, brains or will to do it manually, it can still be done with just a few mouse clicks.

Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), and DCPROMO can be by using the Windows 2000 Configure Your Server Wizard.

Even though it's all done automatically, you still need the following:

A NIC
The TCP/IP protocol
An NTFS partition with enough free space
A network connection (to a hub or to another computer via a crossover cable).
An Administrator's username and password
The Windows 2000 Server (or Advanced Server) CD media (or at least the i386 folder)

This article assumes that all of the above requirements are fulfilled. See my Active Directory Installation Requirements page for more info.

Note: This article does NOT assume you have a working brain, or that you can use it correctly. If you think you really want to know how this thing works, please read the How to Install Active Directory on W2K page instead...

To configure your server as a Domain Controller

1. Press Ctrl-Alt-Del and log on to the server as administrator. Leave the password blank.
2. When the Windows 2000 Configure Your Server page appears, select This is the only server in my network and click Next.
3.Click Next to configure the server as a domain controller and set up Active Directory, DHCP, and DNS.
On the What do you want to name your domain page, type dpetri
In the Domain name box, type com (again, this is only an example). Click on the screen outside of the textbox to see the Preview of the Active Directory domain name. Click Next
Click Next to run the wizard. When prompted, insert the Windows 2000 Server CD-ROM. When the wizard is finished, the machine reboots.
The Configure Your Server Wizard installs DNS and DHCP and configures DNS, DHCP, and Active Directory. The default values set by the wizard are:

DHCP Scope: 10.0.0.3-10.0.0.254
Preferred DNS Server: 127.0.0.1
IP address: 10.10.1.1
Subnet mask: 255.0.0.0

Source: http://www.petri.co.il/how_to_install_active_directory_on_w2k_for_lamers.htm

Win Server 2008 Directory Services, Active Directory Snapshots

2009-01-06T02:19:00.000-08:00

Snapshots represent differences between a volume's current content and its state at the moment of their creation. Although ultimately the size of a snapshot depends on how dynamic the environment is and how long you decide to keep them active, due to their nature, snapshots are typically small andd can be initiated in the matter of seconds. To provide meaningful information, they must be paired up with the volume from which they originated. In addition, since they are based on the copy-on-write principle, they result in increased number of disk I/O operations, which might have negative impact on overall performance. It is also important to realize that snapshot can not be used for direct restore of Active Directory objects. Their main appeal comes from an ability to easily generate and view Active Directory state at arbitrarily chosen intervals. In effect, they offer a convenient way to determine when a particular object has been modifed. This helps you identify a backup set most suitable for the restore and delivers extra auditing and change tracking benefits. For the same reason, they significantly simplify extracting any pertinent historical information that can be subsequently imported to an object recovered via tombstone reanimation or used to reverse undesired modifications.

Snapshots are generated using the ntdsutil command line utility launched either directly from the console or a Terminal Services sesssion of a Windows Server 2008-based domain controller. Once you are at the ntdsutil: prompt, Activate Instance NTDS. You also have an option of pointing to an AD LDS instance by specifying its name instead of NTDS value). Next, switch to the snapshot context by typing snapshot and follow by create command. Shortly thereafter you should receive a notification stating that the snapshot set has been generated successfully. The message includes its unique GUID. To confirm, you can execute list all from within the same context, which should provide the listing of all active snapshots (including the date and time they were created). Note that the same can be accomplished running the following from the command prompt, which comes handy when automating snapshot generation as a scheduled task:

ntdsutil "Activate Instance NTDS" snapshot create quit quit

Any active snapshots must be mounted before you can access it via DSAMAIN.EXE. This is done by invoking the mount command followed by either an integer assigned to each snapshot (which can be determined by running list all) or its GUID, resulting in the creation of a junction point, with the name generated by concatenating the word $SNAP, date and time (in military format) when snapshot was generated and the target volume (e.g., $SNAP_200808082008_VOLUMEC$). That, in turn (as we explained in our previous article), determines the full path to the Active Directory NTDS.DIT file. This, in turn, becomes $SNAP_200808082008_VOLUMEC$\Windows\NTDS\NTDS.DIT, assuming default placement of database and log files, and it gets associated with the -dbpath switch when running the Database Mounting Tool.

After you complete browsing through the mounted NTDS instance and terminate the DSAMAIN.EXE, unmount the snapshot by calling unmount command followed, as before, by either its integer identifier or its GUID. Removal of snapshots that are no longer needed can be accomplished with the delete command. For the full overview of snapshot syntax, refer to Windows Server 2008 Technical Library.

Third-Party Offerings

Although snapshots significantly simplify handling unintended deletions or modifications of Active Directory objects (for the reasons we described earlier), the actual recovery still requires multiple steps, which might include rather involved tombstone reanimation and restoring its attributes. Fortunately, a variety of free third-party offerings can further streamline the restore process. Some of the more notable ones are listed below.

Snapshot Recovery Tool from 1Identity - available as a free download containing the command line-based oirecmgr.exe utility, it provides ability to recover an object and restore its attributes from an LDAP instance loaded via Database Mounting Tool to an arbitrary Windows Server 2008 domain controller. It is also capable of reanimating tombstones in both Windows Server 2003 and 2008 Active Directory environments. Note, however, that this option precludes simultaneous attribute recovery.

Although it has a dependency on .NET Framework 2.0, it can be executed remotely from a system running Windows XP Professional or Vista. Its command line syntax allows you to restore arbitrary number of objects, either by specifying their GUIDs via multiple -o switches or by storing them in a text file, which name gets assigned to the -of switch) as well as attributes (in a comma-separated format. For example, the following command (executed directly from the console of a domain controller USDC-NYC001) would reanimate deleted user object with GUID of 7abadaba-daba-d000-0d15-c015dead and restore its attributes, populating both forward and back links, such as user's group membership, by extracting relevant information from an Active Directory snapshot accessible via port 33389. Reanimating tombstoned user accounts does not reinstate their passwords, which will need to be reset before you enable them since, by default, they are disabled following the restore:

oirecmgr.exe -o 7abadaba-daba-d000-0d15-c015dead -sh USDC-NYC001:33389 -ol -real

* Directory Service Comparison Tool is supposed to provide similar functionality but via a graphical interface in the form of a Microsoft Management Console snap-in, which becomes available once you install freely downloadable setup program. This is available in both x86 and x64 versions. To configure it, select Datasource Settings... entry from the context sensitive menu of its node in the tree pane. In the resulting Datasource Settings dialog box, specify the name of a target domain controller and a server hosting a snapshot (or another VSS compliant restore) mounted using DSAMAIN.EXE, along with their LDAP ports, as well as the naming context you intend to compare. The pane window of the console is divided into three tabs, intended for the list of modifications, additions and deletions (respectively) that took place since the DSA-mounted LDAP directory services store has been created. Unfortunately, the tool's functionality is somewhat limited (at least as far as snapshots are concerned), due to a bug affecting highestCommittedUSN value recorded in Active Directory snapshots. Just as Snapshot Recovery Tool, this utility relies on .NET Framework 2.0 being installed, in addition to MMC 3.0, and can be installed on remote Windows XP Professional or Vista system.

* Active Directory Explorer from the Sysinternals team a distinct position in this list since it provides its own capability to create snapshots, independent of the one introduced in Windows Server 2008 Active Directory and supported on all of its versions. Their content can be derived from an online Active Directory environment by connecting to one of its domain controllers or from a restored backup or VSS-compatible snapshot mounted using DSAMAIN.EXE utility. In addition, it is possible to store them for offline viewing in an arbitrary location. The intuitive graphical interface of AD Explorer simplifies browsing their content and includes search and comparison features.

Source: http://www.serverwatch.com/tutorials/article.php/3794191

Managing Groups: Exchange and Active Directory Admins Sound Off

2008-12-30T02:27:00.000-08:00

How long does it take your organization to get around to updating an Active Directory group? According to a survey recently compiled by Imanami, a provider of group lifecycle management solutions, you’re not a slacker if it takes you nine days.

Imanami also discovered that in the organizations surveyed, two percent of the people still in Active Directory are no longer employed by the company, or 60 people in an organization of 3,000 users. Imanami surveyed IT pros involved in managing groups and other aspects of Microsoft Exchange management in organizations with at least 1,000 email users.

Based on responses, Imanami calculated that for every 1,000 users, some lucky IT pro spends about six hours per week managing groups in AD. Assuming an organization hires an IT pro at $90,000 a year and his or her job includes this task, Imanami calculates it costs $13,050 per year to manage groups in Active Directory.

“We know how much our solution costs—what surprised us was how much they're paying: one employee for every 5,000 users,” says Edward Killeen, Imanami’s director of sales and marketing. “At up to 250 employees, it's okay to manage groups manually. We usually find at 250 employees the pain starts---there are a lot of groups. Why not automate it and be done with it?”

“People aren’t aware of a solution,” Killeen says. “The good news is that you don’t have to buy ILM. ILM comes with its own nomenclature. Most product suites are ‘Frankenproducts,’ made from acquired products put together. We’re purpose built. Our customers appreciate that they can deploy this without hiring someone.”

Imanami’s conclusions, among other things are that "Group management is not the most serious problem faced by Exchange managers, but it is a serious one that presents a number of security problems.” To compare your experience to those of the IT pros surveyed, visit Imanami’s website.

Source: windowsitpro.com/article/articleid/101004/managing-groups-exchange-and-active-directory-admins-sound-off.html

Disable the Password for a User in Windows Server 2003 Active Directory domain

2008-12-22T06:09:00.000-08:00

Windows Server 2003 provides security policies that ensure that all users select strong passwords. Creating a password policy involves setting the following options in the Default active directory services domain group policy object. These policies, with the exception of those settings related to password lifetime, are enforced on all users in a domain.

The default password filter (Passfilt.dll) included with Windows Server 2003 requires that a password:

Is not based on the user’s account name.
Contains at least six characters.
Contains characters from three of the following four categories:
Uppercase alphabet characters (A–Z)
Lowercase alphabet characters (a–z)
Arabic numerals (0–9)
Nonalphanumeric characters (for example, !$#,%)

Security Warning: Bare in mind that this setting can only be enabled/disabled at the domain level, and NOT on an OU level. Disabling the password requirement for an entire domain will lower your security configuration, and should only be done when absolutely necessary.

In order to disable this requirement you need to edit the Default Domain Policy for your domain.

1. Go to Administrative tools folder.
2. Double-click on the Default Domain Security Policy icon.
3. Note: If for any reason you don't see that icon you can still edit the Default Domain Group Policy from the AD Users and Computers snap-in, or from a GPMC window.
4. Navigate to Security Settings > Account Policies > Password Policy.

5. Right-click on the Minimum Password Length option in the right pane and select Properties.
6. Keep the V on the Define Setting selected! Do not remove the V from that check-box. Removing the V will cause the GPO to revert to the default setting, which is what we are trying to remove in the first place.

7. Enter 0 (zero) for the number of minimum characters required in a password.

8. Now double-click on the Passwords Must Meet Complexity Requirements option in the right pane.

Again, do not remove the V from that check-box. Instead, select Disabled.
9. Click OK all the way out and close the GPO window.

Source: petri.co.il/disable_password_requirement_in_win2003_domain.htm

NET's UC Gateways AddingIntegration Capabilities to MS Active Directory

2008-12-15T05:41:00.000-08:00

NET's UC Gateways AddingIntegration Capabilities to Microsoft Active Directory to its VX Series gateways..

VoIP technologies innovator Network Equipment Technologies gave its unified communications platform a boost today by adding integration capabilities of Microsoft Active Directory (AD) and other Lightweight Directory Access Protocol solutions to its VX Series gateways.

The directory integration is designed to provide migration benefits to a converged data/voice infrastructure, such as Microsoft Office Communications Server 2007.

While the benefits of the upgrades are many, its primary function is to allow customers to leverage the directory integration features of the VX Series UC Gateway. By using information from AD, customers now have the ability to add enterprise mobility applications to the UC solution.

The applications include the use of AD or LDAP as a single point-of-administration, which is important for allowing customers to perform all moves, adds and changes in one place, according to Talbot Harty, chief development officer at NET.

"The ability to use AD to drive voice and fax functions in a converged environment saves administrators and end-users significant time and effort, while also enabling companies to implement all kinds of useful call management rules," said Harty.

In addition, the ability to flexibly define call-routing rules using AD or LDAP fields has an important function for administrators. This simplification of phased technology migrations – through identification which end-users are served by Microsoft OCS, the PBX,Cisco Manager – has significant business value, according to Harty.

"By delivering robust AD and LDAP integration in our VX Series UC Gateways, we provide customers migrating to Microsoft OCS and other UC solutions.”

NET Quintum, the wholly owned subsidiary of NET, has increased its footprint in recent months within the OCS Server 2007 community. The company has developed VoIP solutions that allow OCS 2007 to be connected to the PSTN, allowing for voice communications outside the IP network. NET Quintum Tenors make it easier to connect Microsoft Office Communications Server 2007 with a Microsoft specific configuration wizard and a wide variety of product options.

The VX Series UC Gateway's AD and LDAP support also provides advantages to resellers and integrators making it easier to install, configure and maintain convergence solutions, according to Jeff Zaremba, senior director of Collaboration Technologies at Avanade.

"Directory integration provides real value to customers by providing a consistent method for managing call routing based on Active Directory when implementing unified communications solutions such as Microsoft Office Communications Server 2007," said Zaremba. Avanade was founded in 2000 byAccenture and Microsoft Corporation.

"Additionally, it provides flexibility in migration by allowing customers to migrate over time as their business requirements dictate. For Avanade, directory integration enables us to implement more sophisticated solutions for our customers with less time, effort, and technical complexity."

More information about the VX Series UC Gateways and the application of directory integration is available at VX Gateways and Active Directory.

Source: http://unified-communications.tmcnet.com/topics/enterprise-voip/articles/47298-nets-uc-gateways-provide-integration-with-ms-active.htm

Microsoft's new hosted services: What are your options?

2008-12-05T06:19:00.000-08:00

Today's announcement officially means Microsoft is the latest entry in a market of services that Microsoft actually made feasible: It can now host Exchange mailboxes for Active Directory users that do not have Exchange Server 2007.

Whether today's announcement of Microsoft-branded hosted services actually adds up to a savings for a business customer, depends on how that customer is getting or has gotten its software. Right now, the Exchange Online service can host mailboxes for as little as $10 per month per client, with a five-user minimum. That's about the industry average; other firms presently offer Exchange hosting for between $8 and $15 per month.

But Microsoft's not entering this market to simply lend its voice to the ongoing chorus. On an a la carte basis, it's also offering SharePoint Online hosting for managing a collaborative document sharing site (at $7.25 / user / month), secure instant messaging and presence with Office Communications Online (at $2.50 / user / month), and Web conferencing with Office Live Meeting, a pre-existing service (now at $4.50 / user / month).

In a very compelling alternative package, though, the company is rolling all four of these services into a single bundle called Business Productivity Online Standard Suite, for $15 per user per month. Package licensing deals are available for "midmarket" customers with between 25 and 499 users, and "enterprise" customers with 500 users and above.

Compare this against the way licensing works now. Microsoft offers Exchange Server 2007 Standard Edition for $699 up front, plus $67 for each Client Access License (CAL). So in small-quantity bundles, just the CAL could be paid for in under seven months' time, which would leave a seven-person business another seven months to break even on the up-front costs.

However, just last week, Microsoft rolled out four buildouts of Small Business Server 2008 and Essential Business Server 2008, which include Exchange Server. For the Standard Edition of SBS 2008 (which does not include SQL Server), a five-CAL package sells for $1,089, plus $77 for each additional user. SBS also includes Windows Server 2008, of course, as well as SharePoint Services 3.0, and additional extras such as Forefront Security.

Technically, Microsoft's Online hosted services do not require Windows Server. However, if your business uses networked systems and if you want to take full advantage of Exchange synchronization, you should probably have a domain controller, which means one copy of Windows Server 2008 Standard Edition. That will get you Active Directory Services (AD DS, and yes, the "D" is indeed repeated there). You could get hosted e-mail without Windows Server, in which case you'd be running Outlook 2007 through Windows XP or Vista, but most of the ActiveSync functionality that Exchange provides would be useless. The street price for Windows Server 2008 Standard is about $749, coming down a bit since the rollout of SBS and EBS 2008, and you may still need additional CALs.

Source:betanews.com/article/Microsofts_new_hosted_services_What_are_your_options/1226954182

Train Signal Releases New Microsoft Server 2008 Active Directory Training

2008-11-26T01:01:00.000-08:00

Train Signal Inc., a global leader in professional computer training, is excited to announce the release of their new training course, Microsoft Windows Server 2008 Active Directory. Following the launch of this course, Train Signal will be releasing additional training courses for Windows Server 2008.

The comprehensive Windows Server 2008 Active Directory training features more than 20 hours of video instruction on two DVDs. Multiple file formats, such as iPod Video, Mp3 Audio, .WMV and .AVI, are available to make the training even more convenient. And students can print out the instructor's notes to follow along more easily and enhance the learning process.
The training package also helps students prepare for the 70-640 Configuring Windows Server 2008 Active Directory exam. It covers everything they need to know to pass the exam and includes the award-winning 70-640 practice exam software from Transcender, the world's leading exam simulation provider.

"This training package is perfect for anyone who wants to gain hands-on experience on Microsoft Server Active Directory 2008 and prepare for the 70-640 MCITP exam," said Iman Jalali, Train Signal's Director of Sales and Marketing. "We are pleased to offer this extensive package of training materials to help everyone from beginners to experienced administrators enhance their skills."

Train Signal's Windows Server 2008 Active Directory training package is designed to help students develop real skills that they can apply immediately. Key topics covered in the training include:

Creating Domain Controllers
User Account Creation
Group Policy
Back Up and Restore/Disaster Recovery
Read-Only Domain Controllers in Server Core
Sharing Folders and Files
Remote Software Installation through Group Policy
MCITP: 70-640 Certification

Train Signal's Windows Server 2008 Active Directory video course is instructed by Benjamin "Coach" Culbertson, MCT, MCSA, MCDBA, CIW, A+, Net+, MOS. Culbertson has a passion for educating and motivating students. He has 10 years of training, Web, print and network consulting experience and uses a high-energy teaching style that keeps students engaged.

Source: marketwatch.com

How to Schedule Active Directory Snapshots in Windows Server 2008

2008-11-20T00:11:00.000-08:00

If you’ve played around with Windows Server 2008 Active Directory Domain Services, you will probably be familiar with the snapshot feature within NTDSUTIL. The feature allows you to take snapshot of the volumes that host the AD components and to then mount the snapshot. Once mounted, you can use DSAMAIN.EXE to expose a read-only copy of the AD database to your favourite browsing tool (LDP.EXE, ADSIEDIT.MSC, DSA.MSC, ADFIND.EXE, etc.). The process for doing this is well documented elsewhere, so I don’t intend to reproduce it here.

Microsoft recommends that you schedule regular snapshots, as this provides you with a quick method of checking the contents of the directory at different time slices in the past. One advantage of this that you can quickly identify which backup to use when needing to authoritatively restore accidentally deleted AD objects from backup.

Windows Server 2008 comes with a re-vamped Task Scheduler. You can configure tasks using both the UI as well as the command line (schtasks.exe). I prefer to use the command line as it has the advantage of allowing you to set tasks to run under the SYSTEM account. It is also the only option if you are using Server Core, unless you want to open the firewall to allow remote task scheduling from a computer running the full version.

Here’s the command line I use. Note that this is all on one line (wrapped here to fit page width).

SCHTASKS /Create /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR “%windir%\system32\ntdsutil.exe sn \”ac i ntds\” create q q” /ST 05:00

It is worth pulling the command arguments apart to explain them better

/Create - pretty obvious. It instructs schtasks to create a new task.

/RU SYSTEM - the task will run under the SYSTEM account. Note that you don’t need to specify a password when using SYSTEM.

/SC DAILY- the task will run daily

/TN MYTASKS\DS_SNAPSHOT - I’ve called the task name DS_SNAPSHOT and this will be created within the MYTASKS task folder. The folder will be created automatically if it does not already exist.

/TR “%windir%\system32\ntdsutil.exe sn \”ac i ntds\” create q q” - This is the task action. It runs NTDSUTIL with arguments. Note that the double quotation marks within the arguments have to be escaped with the backslash character

/ST 05:00 - the start time for the task will be 5am.

The command line shown above assumes that you are working on the local machine on which you want to create the task. If defining the task for a remote computer, use the additional command line options shown below.

SCHTASKS /Create /S MYSERVER /U administrator /P xxxxx /RU SYSTEM /SC DAILY /TN MYTASKS\DS_SNAPSHOT /TR “%windir%\system32\ntdsutil.exe sn \”ac i ntds\” create q q” /ST 05:00

Once you’ve run the command you can verify the settings in the Task Scheduler UI.

Source:open-a-socket.com/index.php/2008/11/20/how-to-schedule-active-directory-snapshots-in-windows-server-2008/

See Also this :-
Restarting Active Directory as a service in Windows Server 2008

Active Directory-based soln for UNIX & Linux

2008-11-12T20:56:00.000-08:00

Centrify Corporation, a provider of Microsoft Active Directory-based auditing, access control and identity management solutions for non-Microsoft platforms, has announced Centrify DirectAuthorize, a software solution that enables organizations to increase security and compliance by controlling how users access systems and what they can do on those systems.

DirectAuthorize centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. This can eliminate a user's need to use the root account or other privileged accounts, thereby allowing those accounts to be securely locked down.

DirectAuthorize is the industry's first Active Directory-based solution for UNIX and Linux privilege management and delegation of root access. Leveraging a common architecture, DirectAuthorize is seamlessly integrated with Centrify DirectControl and complements DirectControl's comprehensive Active Directory-based authentication, access control and group policy support for non-Microsoft systems and applications.

"Unlike Windows Active Directory, UNIX lacks a simple and scalable model for administrative delegation," observed Ant Allan and Jay Heiser, Research Vice Presidents in the Gartner publication, Controlling UNIX Superuser privileges is Critical. "Organizations that allow root logins to mission- critical UNIX servers run unnecessary risks."

DirectAuthorize meets compliance-driven requirements for "least access" management by allowing organizations to centrally define logical roles (e.g. backup operator, DBA, web developer, application administrator, etc.) that carry with them the specific rights needed to perform duties within a role. DirectAuthorize's role-based architecture enables the following benefits:

Simplify the execution of privileged commands --- users no longer need to switch to root or other privileged accounts
Grant users rights to execute commands with elevated privileges, eliminating the need for access to privileged accounts and passwords
Assign users a Restricted Environment with access only to a specific "whitelist" of commands
Lockdown sensitive systems with fine-grained access controls that specify who can access a system and how
Model date- and time-based access windows to match user roles

Like Centrify DirectControl, DirectAuthorize is tightly integrated into Active Directory, meaning no additional servers or infrastructure is required to run DirectAuthorize. DirectAuthorize stores its role and rights data securely in Active Directory Authorization Manager's existing rights-based logical model and data storage schema found in Windows 2003 and above.

This means no Active Directory schema extensions are required to install and use DirectAuthorize, and customers can leverage the pre-existing Authorization Manager (AzMan) tools and APIs to access DirectAuthorize's roles and rights data. DirectAuthorize is built on top of the DirectControl architecture, meaning the DirectAuthorize user interface is integrated with the DirectControl Administrator's Console and the DirectAuthorize rights enforcers are integrated into the DirectControl Agent. And unlike other solutions, DirectAuthorize requires no UNIX kernel changes or system reboots.

Via:ciol.com

Macs to gain smart card-based login to Active Directory

2008-11-06T23:00:00.001-08:00

Just like their Windows coworkers, Mac users in the enterprise will have more options to log into Windows Active Directory services using smart card technology. According to access-control management company Centrify support for smart card-based login will be available next month. A beta version is available now.

On Wednesday, Centrify announced the release of its DirectControl 4.2 for Mac OS X software as well as the card client software supports Common Access Cards (CAC) and Personal Identity Verification (PIV) cards as well as with other cards that support the Apple TokenD interface. Dubbed Centrify DirectControl for Mac OS X Smart Card edition, the software will cost $90 for a single copy.

DirectControl 4.2 will come with some new security policies, the company said.

Finder Lock is one of more than 200 Mac-specific Group Policies that Centrify has developed to help administer Macs from the same centralized administrative tools from which Windows computers are managed. Other policies added in this release include enforcement of a computer policy to require smart card login, a removal policy to either lock the screen or force a logout when the smart card is removed, and additional security controls.

Improved support for Active Directory policies is one of the Mac headaches for IT managers in the enterprise. Smart card login will improve user experience.

For example, longtime Mac connectivity vendor Group Logic (the maker of Mass Transit) last month released the results of a survey of 350 IT pros about Mac/Windows IT issues. Some 70 percent of the respondents said they currently had Macs in their companies and an additional 6 percent were planning to bring in Macs in the “near term.”

Here was the hot list of Mac integration issues from the survey:

Adapting Active Directory policy to support Macs — 38 percent.
Help desk calls from Mac users — 35 percent.
Compatibility and/or data corruption issues — 27 percent.
Lack of IT/file naming policy enforcement tools — 25 percent.
Maintaining the full “Mac Experience” for their end-users — 24 percent.

Source:zdnet

How To Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows Server 2003

2008-10-14T01:03:00.000-07:00

How to Start Your Computer in Directory Services Restore Mode

Windows Server 2003 Directory Service opens its files in exclusive mode. This means that the files cannot be managed while the server is operating as a domain controller.

To start the server in Directory Services Restore mode, follow these steps:
1. Restart the computer.
2. After the BIOS information is displayed, press F8.
3. Use the DOWN ARROW to select Directory Services Restore Mode(Windows Server 2003 domain controllers only), and then press ENTER.
4. Use the UP and DOWN ARROWS to select the Windows Server 2003 operating system, and then press ENTER.
5. Log on with your administrative account and password.

How to Install Support Tools and Start Ntdsutil

To install Windows Support Tools, follow these steps:
1. Insert the Windows Server 2003 installation CD in the CD-ROM or DVD-ROM drive.
2. Click Start, click Run, type drive_letter:\Support\Tools\suptools.msi, and then press ENTER.
To start Ntdsutil, click Start, click Run, type ntdsutil in the Open box, and then press ENTER.

NOTE: To access the list of available commands, type ?, and then press ENTER.

How to Move the Database

You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that active directory service uses the new location when you restart the server.

To move the data file to another folder, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type move DB to new location (where new location is an existing folder that you have created for this purpose), and then press ENTER.
4. To quit Ntdsutil, type quit, and then press ENTER.
5. Restart the computer.

How to Move Log Files

Use the move logs to command to move the directory service log files to another folder. For the new settings to take effect, restart the computer after you move the log files.
To move the log files, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type move logs to new location (where new location is an existing folder that you have created for this purpose), and then press ENTER.
4. Type quit, and then press ENTER.
5. Restart the computer.

How to Recover the Database

To recover the database, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type recover, and then press ENTER.
4. Type quit, and then press ENTER.
5. Restart the computer.
NOTE: You can also use Esentutl.exe to perform database recovery when the procedure described earlier in this article fails (for example, the procedure may fail when the database is inconsistent). To use Esentutl.exe to perform database recovery, follow these steps:
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. Type esentutl /r path\ntds.dit, and then press ENTER. path refers to the current location of the Ntds.dit file.
3. Delete the database log files (.log) from the WINDOWS\Ntds folder.
4. Restart the computer.
For additional information about the esentutl.exe utility, at the command prompt, type esentutl /?, and then press ENTER.

NOTE: This procedure involves transaction logs to recover data. Transaction logs are used to make sure that committed transactions are not lost if your computer fails or if it experiences unexpected power loss. Transaction data is written first to a log file, and then it is written to the data file. After you restart the computer after it fails, you can rerun the log to reproduce the transactions that were committed but that were not recorded to the data file.

How to Set Paths

You can use the set path command to set the path for the following items:
• Backup: Use this parameter with the set path command to set the disk-to-disk backup target to the folder that is specified by the location variable. You can configure Directory Service to perform an online disk-to-disk backup at scheduled intervals.
• Database: Use this parameter with the set path command to update the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of typical restoration procedures.
• Logs: Use this parameter with the set path command to update the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of typical restoration procedures.
• Working Directory: Use this parameter with the set path command to set the part of the registry that identifies Directory Service's working folder to the folder that is specified by the location variable.
To run the set path command, follow these steps:
1. Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
2. At the Ntdsutil command prompt, type files, and then press ENTER.
3. At the file maintenance command prompt, type set path object location, and then press ENTER. object refers to one of the following items:
• Backup
• Database
• Logs
• Working Directory
location refers to the location (folder) to which you want to set the object identified in the command.
4. Type quit, and then press ENTER.

Source: support.microsoft.com/kb/816120

What is Active directory

2008-08-07T13:35:00.000-07:00

Active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996 and first used with Windows 2000.

An active directory (sometimes referred to as an AD) does a variety of functions including the ability to provide information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators and allows the administrator to set security up for the directory.

An active directory can be defined as a hierarchical structure and this structure is usually broken up into three main categories, the resources which might include hardware such as printers, services for end users such as web email servers and objects which are the main functions of the domain and network.

It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, end user or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to these objects being able to hold other objects, every object has its own attributes which allows it to be characterized by the information which it contains. Most IT professionals call these setting or characterizations schemas.

Depending on the type of schema created for a folder, will ultimately determine how these objects are used. For instance, some objects with certain schemas can not be deleted, they can only be deactivated. Others types of schemas with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object can not be deleted.
When understanding active directories, it is important to know the framework that objects can be viewed at. In fact, an active directory can be viewed at either one of three levels, these levels are called forests, trees or domains. The highest structure is called the forest because you can see all objects included within the active directory.

Within the Forest structure are trees, these structures usually hold one or more domains, going further down the structure of an active directory are single domains. To put the forest, trees and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within this forest directory are now trees that hold information on specific objects such as domain controllers, program data, system, etc. Within these objects are even more objects which can then be controlled and categorized.

Active Directory management

2008-07-14T04:43:00.000-07:00

AD data is stored in a central, organized, accessible database. Active Directory networks can vary from a small installation with just a few hundred objects to millions of them. It is a key component when it comes to managing very large networks.

Their manager calls the help desk, which calls IT support to action the changes in AD. Once these are made, the manager is notified that the user has been set up. This can take hours, sometimes days. Not only does this process tie up IT with mundane admin chores, but it can mean that staff can't be productive during this hiatus. The other side of the coin applies equally - you can't remove a user's access rights immediately.

Active Directory offers a cost-effective solution. It neatly overcomes these AD admin headaches by effectively delegating AD object management to line managers. If changes have to be made, managers can make them on the spot, with changes going live in as little as ten seconds.

Active Directory uses a web-based AD management interface - it can be installed quickly through a company's internal network as there are no desktop clients to install, and the familiar web-browser user interface cuts the need for training. In fact, it's so simple and intuitive that most staff probably won't need any training.

Active Directory provides granular access control to entrusted staff with no limitations. Once logged in your presented with a home page offering just three options: update access, view access groups and view audited history. Changes to the AD are made via a wizard. A search option is provided, useful if you have thousands of AD objects to contend with.

When you have finished making your changes you simply click the "update all groups" button and it's done.

Paperwork is kept to a minimum. Changes to working practices and user privileges are managed through work flow emails. As well as greatly simplifying AD admin for both line managers and IT support staff, security is also improved by automating a usually manual security process. All Active Directory updates are logged to allow for auditing, which is essential to meet compliance standards.

In fact, Active Directory management can be standardized worldwide and can be used as part of the enterprise's Quality Management. The audit history option on the home page lets you view log information by group/role, date or user. Data can be downloaded and displayed in Excel.

Although Active Directory is a standalone product and doesn't integrate with other network management tools, its web services programming interface (API) will allow the integration of separate systems. As a result, Active Directory can complement existing identity management or account provisioning solutions. At the moment, Active Directory can support up to 100,000 users. System pre-requisites include Windows Server 2000/2003, IIS 6,.NET Framework 1.1, an SMTP e-mail server and MS SL Server, either 2000, 2005 or Express 2005 - most organizations contemplating deploying Active Directory will most likely meet these criteria from the off.

Installation is a doddle - in fact, if you spend more than ten minutes on it, you're probably doing something wrong.

In conclusion, Active Directory is an AD management tool that's well-suited to organizations with more than 300 seats, as well as to managed-data centers looking for a painless and secure method of passing security management tasks back to the client.

Source:securecomputing.net

Windows Server 2008

2008-07-08T08:06:00.000-07:00

Over the weekend I installed the released version of Windows Server 2008 (after having worked with the release candidate previously), and the experience reminded how impressed I am by Win2008's ease of installation. I have a Intel quad-CPU set up, along with some 7200rpm drives because I do a lot of testing, and the 64-bit version Windows Server 2008 Standard Edition installation just flew onto my hard drive. Following that, deciding what you want your Win2008 to be in life is a relatively straightforward, guided process.

If you are new to Win2008, it includes something called Server Roles. What do you want this server to be? An Active Directory domain controller (called Domain Services), a file or print server, an IIS Web server, a combination, or maybe something else? Win2008 comes with some 17 Server Roles, each comprising a number of appropriate options. Let's say you want to set up a multipurpose server as a domain controller, DHCP server, file server, print server and Web server -- a configuration you might use in a smaller organization. Each of those functions are Server Roles within Win2008. Active Directory Domain Services will also require you set up the server using the DNS Server role.

Each Server Role starts with a wizard for basic configuration information (like setting up scopes for the DHCP Server role, for example) and concludes with an installation step. If some feature selections within a Server Role have other software dependencies, those are shown with an easy-to-understand "okay" box to add those to the installation. If you are a beginner or don't happen to know about a certain feature set within a Server Role, help is there right upfront about what it does and the installation options that may be relevant to you (like setting up a new domain vs. adding a controller to an existing domain services forest).

You'll likely have to reboot Win2008 after most installation steps, so you'll want to get everything installed and configured before a bunch of users sign on. While there's a big difference in pricing, I've found Win2008 Standard Edition about as easy to set up as the Win2008 Small Business Edition. SBE obviously consolidates some steps, but Win2008 isn't all that hard to set up -- the basic stuff anyway. If you are going to exceed the license restrictions, don't fear setting up Win2008, as it's not that much harder.

Active Server Directory

2008-07-01T07:47:00.000-07:00

An active directory (sometimes referred to as an AD) does a variety of functions including the ability to provide information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators and allows the administrator to set security up for the directory.

An active directory can be defined as a hierarchical structure and this structure is usually broken up into three main categories, the resources which might include hardware such as printers, services for end users such as web email servers and objects which are the main functions of the domain and network.

It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, end user or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to these objects being able to hold other objects, every object has its own attributes which allows it to be characterized by the information which it contains. Most IT professionals call these setting or characterizations schema's.

Depending on the type of schema created for a folder, will ultimately determine how these objects are used. For instance, some objects with certain schema's can not be deleted, they can only be deactivated. Others types of schema's with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object can not be deleted.

When understanding active directories, it is important to know the framework that objects can be viewed at. In fact, an active directory can be viewed at either one of three levels, these levels are called forests, trees or domains. The highest structure is called the forest because you can see all objects included within the active directory.

Within the Forest structure are trees, these structures usually hold one or more domains, going further down the structure of an active directory are single domains. To put the forest, trees and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within this forest directory are now trees that hold information on specific objects such as domain controllers, program data, system, etc. Within these objects are even more objects which can then be controlled and categorized.