In-Depth

The 12 Mighty Chores of Active Directory Administration in Depth

Administering Active Directory takes some practice. Here are 12 exercises to keep your AD skills limber.

Running Active Directory isn't an easy job. This article briefs you on what kind of work you'll need to be conversant with to get the most from your directory services.
      
1. One of the most common tasks you perform in AD is user and group administration. User password resets, user creation and deactivation, and user group membership management are all tasks that can be performed as often as every day in some networks. Most of these activities are performed through the AD Users and Computers Microsoft Management Console (MMC) snap-in. This snap-in does support enhancements, some of which are provided by Microsoft. For example, you can add another user account information tab in the user object's properties page by downloading and registering the AcctInfo.dll (see "Additional Information") on a server or workstation hosting the AD Users and Computers console. This will give you information such as the last time users logged on, the last time they changed their passwords, how long they've been logged on and so on. It also includes a nifty little button, Set PWD On Site DC. This button automatically locates a user's site to reset the password locally, thus avoiding replication delays.
      
When it comes to group management, Windows Server 2003 helps by fully supporting drag-and-drop in most AD consoles. This lets you more easily perform massive user operations such as group membership assignment. But the most important tool you have to lower this administrative workload is structure. This means using rules and guidelines to avoid becoming tangled in the multiple group syndrome. The rule that helps most is UGLP (see Figure 1). Users are inserted into Global groups, Global groups are inserted into Domain Local or Local groups, and Permissions are set on the Domain Local or Local groups. If you must support inter-domain or inter-forest operations, then the rule becomes UGULP, because Universal groups are used to link global and domain local groups from one domain or forest to another. The biggest lesson of this rule is that the only groups containing users are global groups. Stick to it; it vastly simplifies user management.
      
         
          |  | 
         
          | Figure 1. The UGLP (or UGULP when crossing domains) 
            rule helps administrators control group management in Active Directory. 
            (Click image to view larger version.) | 
      
2. Another administrative task that can be performed daily is PC or mobile device administration. Since the advent of Windows NT, all machines in a Windows network must have a computer account. This is how they interact with the directory and how the directory interacts with them. One great feature of Windows 2000 (with Service Pack 1 or later) and Windows 2003 is that computer accounts can be managed in much the same way as user accounts because computer accounts can also be members of groups. Regrouping computers into global groups vastly simplifies management because you can manage groups instead of individual machines. Group membership also vastly simplifies software deliveries. All you need to do is create a security group for each of the software products you assign through the directory and set the access rights on its distribution. This way, if you want to assign a product to a machine, all you need to do is insert the machine account into the proper group.

Microsoft also provides a useful extension for the AD Users and Computers console for computer management, called the Remote Control Add-on and available for download from the Microsoft Web site. (See "Additional Information.") Once installed, it lets you launch a Remote Control session on any computer in the directory through the object's context menu.
3. The very purpose of a network is to deliver networked services to users. Many of these services interact with the directory. File shares and printers are now published in the directory for easy location. Distributed File System shares are also integrated with the directory for easier management and administration and for fault tolerance. Terminal Services integrates with the directory through the user object properties for terminal session profile and environment generation. Terminal Services is now also completely integrated with Group Policy Objects (GPOs). Applications can interact with the directory to access the information it contains. Windows 2003 also supports COM+ and Application Partitions, special replication scopes that can be used to contain information of either local or global interest. Managing these services can also be a daily task in large networks.
4. The most powerful aspect of AD remains Group Policy. GPO administration can also be a full-time job if not managed properly. Before the coming of Windows 2003, GPO management was cumbersome and unwieldy. But with the Group Policy Management Console (GPMC), Microsoft has redefined the meaning of GPO administration (see Figure 2). This download from Microsoft finally gives systems administrators the tools they need to properly prepare, test and deploy GPOs. One great feature that GPMC provides is the ability to report on GPO settings, something only third-party products such as Full Armor Fazam 2000 provided before.
      
      
         
          |  | 
         
          | Figure 2. The Group Policy Management Console offers 
              powerful reporting capabilities as well as integrated GPO administration 
              capabilities. (Click image to view larger version.) | 
      
5. One network element that has changed considerably with the coming of AD is the Domain Naming Service (DNS). DNS is now tied closely to the directory. In fact, directory operation is based on a properly functioning DNS service. Fortunately, DNS administration is simplified with Windows 2000 and Windows 2003 because the DNS service is dynamic, updating itself automatically, especially if all objects in your network are running Windows 2000 or later operating systems (because these systems can manage their own DNS records). Nevertheless, you still have to manage external DNS connections, verify that the service is operating properly, verify that DNS Application Partitions are replicating properly, and verify that DNS is properly removing obsolete data from its database. This task may not be a daily task in large networks, but it definitely requires at least a weekly review.
6. The very nature of the directory is distribution. All of us are familiar with the notion of having at least two domain controllers (DCs) for each domain we create, because replication is at the very core of the directory service operation. AD topology and replication administration is an important aspect of ensuring proper AD operation. This is mostly done through the AD Sites and Services console. It lets you configure subnets, sites, site links, site link bridges and bridgehead servers. Of course, you should also rely heavily on the Knowledge Consistency Checker (KCC), a service that automatically generates replication topologies based on the rules and guidelines you give it (so long as no bridgehead servers are defined). Windows 2003 removes many of the limitations Windows 2000 imposed on this service, making it more reliable and dependable, but you still have to use the proper tools to verify the proper working state of your replication at least on a weekly basis.
7. The configuration of AD is also something that must be managed on an ongoing basis, especially at the very beginning of your implementation, because you'll tend to refine its structure as you learn more about AD. Configuration administration involves forest, domain, and organizational unit (OU) design and implementation. Very large organizations will probably have multiple forests containing multiple domains, especially now that Windows 2003 supports transitive forest trusts. While smaller organizations may have a single domain in a single forest, they'll still want to use OUs to restructure the data they manage in the directory. Configuration administration also involves Operations Master roles, Global Catalog servers and domain controllers, since these servers define the configuration of each forest. Though configuration management is performed mostly with the Users and Computers console when it comes to OUs, it involves the entire AD toolkit when it comes to forests, domains or the servers they depend on.
8. AD is a database, albeit a distributed one, but a database no less. As such, it includes a database schema. The default AD schema includes over 200 objects and 1,000 attributes. Because it's an extensible database, the AD schema can be modified and extended. For example, installing Microsoft Exchange almost doubles the size of the default AD schema. Schema modifications shouldn't be done lightly because added objects can't normally be removed (though they can be deactivated). This is the reason why the schema is protected by default. In fact, the SchmMgmt.dll must be registered on either servers or workstations before the Schema Management snap-in becomes available to integrate into a Microsoft Management Console. The schema administrator is mostly a guardian of the AD database. That's because the less you modify the default schema, the better it is. Fortunately, Microsoft has released Active Directory in Application Mode (ADAM). ADAM is a Lightweight Directory Access Protocol (LDAP) database that can easily be tied to your directory to provide extensibility. In addition, since it's free to owners of Windows 2003, you can have as many instances of ADAM as you like, letting you extend AD functionality without having to modify the schema of your network directory. [For more on ADAM, read Bill Boswell's explanation in this month's "Windows Insider," at http://mcpmag.com/columns/article.asp?editorialsid=592.--Ed.]
9. The 200 objects and 1,000 attributes are just there to populate the directory with information about the objects it contains. User objects alone include over 200 attributes, ranging from the user's address at the office to home address information, maybe a photograph, perhaps a position in the organization's hierarchy and much more. Shared folders can include owners, groups can include managers, and printers and computers can include location tracking information, all information elements that should be populated in a properly configured directory. In addition, you can use the AD Schema Management console to add or remove content from the Global Catalog, the portion of the directory that makes information elements available to all users of a forest. You can use this same tool to determine whether AD should index an attribute or not. Indexing attributes in AD makes finding objects much faster. To control the amount of information stored in the directory, you can even assign NTDS quotas, making sure no one stores more information than they should in the directory. Fortunately for the AD information administrator, it's easy and simple to delegate many of the information management tasks. For example, users control many of their own information elements in the directory. All you need to do is train them to fill in the proper information every time they move or change roles in the organization.
      
      
      
10. Of course, you can't forget that AD administration also involves security management. After all, the AD database is designed to replace the Windows NT Security Account Manager (SAM). Security management covers everything from setting Domain Account Policies, assigning user rights, and managing trusts to Access Control List (ACL) and Access Control Entry (ACE) administration. Every object in the directory is assigned a security descriptor detailing who in your organization has access to the object. Managing these descriptors can be a full-time position by itself. Fortunately, AD supports the concept of inheritance, letting you set access rights at the top of an AD hierarchy (within a domain) and have those rights automatically assigned to all objects in the hierarchy. AD also supports the concept of delegation, something that should be used heavily, especially in large organizations, to offload work that isn't administrator-related. For example, users are automatically delegated rights to their own information within the directory. You can also delegate tasks to help desk operators, network operators and many other operational roles within your organization.
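To make the inheritance and delegation mechanics above concrete, here is an added model (not code from the original article) of how a delegated right set on an OU reaches the objects beneath it. It evaluates a constructed OU tree with hypothetical names and a hypothetical right called "ResetPassword", and applies the canonical Windows ACE ordering: explicit deny, explicit allow, inherited deny, inherited allow, with a "block inheritance" flag cutting the chain.

```python
from dataclasses import dataclass, field

@dataclass
class Ace:
    trustee: str          # user or group the entry applies to
    right: str            # hypothetical right name, e.g. "ResetPassword"
    allow: bool           # True = access-allowed ACE, False = access-denied ACE
    inherit: bool = True  # propagates to child objects (container/object inherit)

@dataclass
class AdObject:
    dn: str
    parent: "AdObject" = None
    aces: list = field(default_factory=list)  # explicit ACEs set on this object
    protected: bool = False                   # "block inheritance" on this object

def effective_dacl(obj):
    """ACEs in Windows canonical order: explicit deny, explicit allow,
    inherited deny, inherited allow (nearest container's entries first)."""
    explicit = [(a, False) for a in obj.aces]
    inherited, node = [], obj
    while node.parent is not None and not node.protected:
        node = node.parent
        inherited += [(a, True) for a in node.aces if a.inherit]
    # sorted() is stable and False < True, so denies precede allows per group.
    return (sorted(explicit, key=lambda p: p[0].allow)
            + sorted(inherited, key=lambda p: p[0].allow))

def is_allowed(obj, principals, right):
    """Walk the effective DACL; the first ACE naming one of the caller's
    principals for this right decides, and no match means no access."""
    for ace, _ in effective_dacl(obj):
        if ace.trustee in principals and ace.right == right:
            return ace.allow
    return False

def sample_tree():
    """Constructed OU tree: help desk delegated password resets on OU=Users."""
    domain = AdObject("DC=corp")
    users = AdObject("OU=Users,DC=corp", domain,
                     [Ace("HelpDesk", "ResetPassword", allow=True)])
    alice = AdObject("CN=alice,OU=Users,DC=corp", users)
    # Explicit deny on one service account beats the inherited allow.
    svc = AdObject("CN=svc-backup,OU=Users,DC=corp", users,
                   [Ace("HelpDesk", "ResetPassword", allow=False, inherit=False)])
    # Executives OU blocks inheritance, so the delegation stops there.
    execs = AdObject("OU=Executives,OU=Users,DC=corp", users, protected=True)
    ceo = AdObject("CN=ceo,OU=Executives,OU=Users,DC=corp", execs)
    return {o.dn: o for o in (domain, users, alice, svc, execs, ceo)}
```

With this tree, a help desk member can reset alice's password, is refused on svc-backup because its explicit deny sorts ahead of the inherited allow, and is refused on the CEO's account because the Executives OU stops inheritance.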
      
11. As we mentioned above, AD is a database. As such, you need to perform database maintenance activities on the NTDS.DIT file stored on each domain controller. These activities include managing the LostAndFound and LostAndFoundConfig containers, which are designed to collect orphaned objects in your directory. Administrative activities may also include compacting the directory database. Although AD regularly compacts its own database automatically, it may be necessary for you to compact it manually in certain situations. You must also back up the database on a regular basis and perform restores when required (though in many cases, it's easier to recreate the missing objects).
12. Finally, you need to generate reports from your directory in order to know how it's structured, what it contains and how it runs. There are no default tools for AD report generation. You can, however, export data at several levels of the directory. You can also now generate GPO reports with the GPMC, but that is about as far as the default AD tools will take you.