The 12 Mighty Chores of Active Directory Administration in Depth
Administering Active Directory takes some practice. Here are 12 exercises to keep your AD skills limber.
Running Active Directory isn't an easy job. This article briefs you on
what kind of work you'll need to be conversant with to get the most from
your directory services.
1. One of the most common tasks you perform in AD is user
and group administration. User password resets, user creation and deactivation,
user group membership management are all tasks that can be performed as
often as every day in some networks. Most of these activities are performed
through the AD Users and Computers Microsoft Management Console (MMC)
snap-in. This snap-in does support enhancements, some of which are provided
by Microsoft. For example, you can add another user account information
tab in the user object's properties page by downloading and registering
the AcctInfo.dll (see "Additional Information")
on a server or workstation hosting the AD Users and Computers console.
This will give you information such as the last time users logged on,
the last time they changed their passwords, how long they've been logged
on and so on. It also includes a nifty little button, Set PWD On Site
DC. This button automatically locates a user's site to reset the password
locally, thus avoiding replication delays.
When it comes to group management, Windows Server 2003 helps by fully
supporting drag-and-drop in most AD consoles. This lets you more easily
perform massive user operations such as group membership assignment. But
the most important tool you have to lower this administrative workload
is structure. This means using rules and guidelines to avoid becoming
tangled in the multiple group syndrome. The rule that helps most is UGLP
(see Figure 1). Users are inserted into Global groups, Global groups are
inserted into Domain Local or Local groups and Permissions are set on
the Domain Local or Local groups. If you must support inter-domain or
inter-forest operations, then the rule becomes the UGULP because Universal
groups are used to link global and domain local groups from one domain
or forest to another. The biggest lesson of this rule is that the only
groups containing users are global groups. Stick to it; it vastly simplifies
Figure 1. The UGLP (or UGULP when crossing domains)
rule helps administrators control group management in Active Directory.
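As an added example that is not part of the original article, the following PowerShell (assuming the ActiveDirectory module from RSAT, which postdates Windows 2003) audits existing groups against the UGLP/UGULP rule and lists every account placed directly in a Domain Local or Universal group, plus Domain Local groups nested in Domain Local groups:

```powershell
# Added example, not from the article: audit group nesting against the UGLP/UGULP rule.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-UglpViolation {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Under UGLP only Global groups hold accounts. Domain Local groups should hold
    # Global groups (or Universal groups under UGULP), and Universal groups should
    # hold Global groups, so any account placed directly in either scope is a finding.
    foreach ($scope in 'DomainLocal', 'Universal') {
        $groups = Get-ADGroup -Filter "GroupScope -eq '$scope'" -SearchBase $SearchBase
        foreach ($group in $groups) {
            $members = Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue
            foreach ($member in $members) {
                $issue = $null
                if ($member.objectClass -in 'user', 'computer') {
                    $issue = "$($member.objectClass) account placed directly in a $scope group"
                }
                elseif ($member.objectClass -eq 'group' -and $scope -eq 'DomainLocal') {
                    # AD itself refuses a Domain Local group inside a Global group, but it
                    # allows Domain Local inside Domain Local, which UGLP does not use.
                    if ((Get-ADGroup -Identity $member).GroupScope -eq 'DomainLocal') {
                        $issue = 'Domain Local group nested inside a Domain Local group'
                    }
                }
                if ($issue) {
                    [pscustomobject]@{
                        Group  = $group.Name
                        Scope  = $scope
                        Member = $member.SamAccountName
                        Issue  = $issue
                    }
                }
            }
        }
    }
}

# Built-in Domain Local groups such as Administrators will show direct members;
# decide case by case whether those stay as documented exceptions.
Get-UglpViolation | Sort-Object Group, Member | Format-Table -AutoSize
```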
2. Another administrative task that can be performed daily
is PC or mobile device administration. Since the advent of Windows NT,
all machines in a Windows network must have a computer account. This is
how they interact with the directory and how the directory interacts with
them. One great feature of Windows 2000 (with Service Pack 1 or later)
and Windows 2003 is that computer accounts can be managed in much the
same way as user accounts because computer accounts can also be members
of groups. Regrouping computers into global groups vastly simplifies management
because you can manage groups instead of individual machines. Group membership
also vastly simplifies software deliveries. All you need to do is create
a security group for each of the software products you assign through
the directory and set the access rights on its distribution. This way,
if you want to assign a product to a machine, all you need to do is insert
the machine account into the proper group.
Microsoft also provides a useful extension for the AD Users and Computers
console for computer management, called the Remote Control Add-on and
available for download from the Microsoft Web site. (See "Additional
Information.") Once installed, it lets you launch a Remote
Control session on any computer in the directory through the object's
3. The very purpose of a network is to deliver networked
services to users. Many of these services interact with the directory.
File shares and printers are now published in the directory for easy location.
Distributed File System shares are also integrated to the directory for
easier management and administration and for fault tolerance. Terminal
Services integrates with the directory through the user object properties
for terminal session profile and environment generation. Terminal Services
are also now completely integrated with Group Policy Objects (GPOs). Applications
can interact with the directory to access information it contains. Windows
2003 also supports COM+ and Application Partitions, special replication
scopes that can be used to contain information of either local or global
interest. Managing these services can also be a daily task in large networks.
4. The most powerful aspect of AD remains Group Policy.
GPO administration can also be a full-time job if not managed properly.
Before the coming of Windows 2003, GPO management was cumbersome and unwieldy.
But with the Group Policy Management Console (GPMC), Microsoft has redefined
the meaning of GPO administration (see Figure 2). This download from Microsoft
finally gives systems administrators the tools they need to properly prepare,
test and deploy GPOs. One great feature that GPMC provides is the ability
to report on GPO settings, something only third-party products such as
Full Armor Fazam 2000 provided before.
Figure 2. The Group Policy Management Console offers
powerful reporting capabilities as well as integrated GPO administration
capabilities.
5. One network element that has changed considerably with
the coming of AD is the Domain Naming Service (DNS). DNS is now tied closely
to the directory. In fact, directory operation is based on a properly
functioning DNS service. Fortunately, DNS administration is simplified
with Windows 2000 and Windows 2003 because the DNS service is dynamic,
updating itself automatically, especially if all objects in your network
are running Windows 2000 or later operating systems (because these systems
can manage their own DNS records). Nevertheless, you still have to manage
external DNS connections, verify that the service is operating properly,
verify that DNS Application Partitions are replicating properly, and verify
that DNS is properly removing obsolete data from its database. This task
may not be a daily task in large networks, but it definitely requires
at least a weekly review.
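The weekly DNS review described above, as an added example rather than anything from the article. It assumes the ActiveDirectory and DnsServer modules (RSAT, Windows Server 2012 or later) and a DC that also runs the DNS Server role; the 14-day scavenging threshold is an assumed value:

```powershell
# Added example, not from the article: a weekly DNS review for an AD domain.
# Assumes the ActiveDirectory and DnsServer modules (RSAT, Windows Server 2012 or later)
# and that the DC it queries also runs the DNS Server role.
Import-Module ActiveDirectory, DnsServer

function Test-AdDnsHealth {
    param([string]$DnsServer = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1))

    $domain = (Get-ADDomain).DNSRoot
    $dcs    = (Get-ADDomainController -Filter *).HostName
    $issues = @()

    # 1. DC locator: clients find DCs through the _ldap._tcp.dc._msdcs SRV records,
    #    so every DC needs one and no record may point at a decommissioned DC.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
    $advertised = @($srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget)
    foreach ($dc in $dcs) {
        if ($advertised -notcontains $dc) { $issues += "DC $dc has no _ldap._tcp.dc._msdcs SRV record" }
    }
    foreach ($target in $advertised) {
        if ($dcs -notcontains $target) { $issues += "Stale SRV record points at $target, which is not a current DC" }
    }

    # 2. Obsolete data is only removed when aging is on for the zone AND at least one
    #    server hosting the zone actually runs scavenging (14 days is an assumed threshold).
    $aging = Get-DnsServerZoneAging -Name $domain -ComputerName $DnsServer
    if (-not $aging.AgingEnabled) { $issues += "Aging is off for zone $domain; stale records are never scavenged" }
    $scav = Get-DnsServerScavenging -ComputerName $DnsServer
    if (-not $scav.ScavengingState) {
        $issues += "Server $DnsServer does not scavenge; confirm another server hosting $domain does"
    }
    elseif ($scav.LastScavengeTime -and $scav.LastScavengeTime -lt (Get-Date).AddDays(-14)) {
        $issues += "Last scavenging pass on $DnsServer was $($scav.LastScavengeTime); expected within 14 days"
    }

    # 3. Application partition check: each DNS-hosting DC should carry DomainDnsZones
    $dnsPartition = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
    foreach ($dc in Get-ADDomainController -Filter *) {
        if ($dc.Partitions -notcontains $dnsPartition) {
            $issues += "DC $($dc.HostName) does not host $dnsPartition (fine only if it runs no DNS)"
        }
    }

    if ($issues) { $issues } else { 'No DNS findings' }
}

Test-AdDnsHealth
```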
6. The very nature of the directory is distribution. All
of us are familiar with the notion of having at least two domain controllers
(DC) for each domain we create, because replication is at the very core
of the directory service operation. AD topology and replication administration
is an important aspect of ensuring proper AD operation. This is mostly
done through the AD Sites and Services console. It lets you configure
subnets, sites, site links, site link bridges and bridgehead servers.
Of course, you should also rely heavily on the Knowledge Consistency Checker
(KCC), a service that automatically generates replication topologies based
on the rules and guidelines you give it (so long as no bridgehead servers
are defined). Windows 2003 removes many of the limitations Windows 2000
imposed on this service, making it more reliable and dependable, but you
still have to use the proper tools to verify the proper working state
of your replication at least weekly.
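One way to do that weekly replication check, as an added example and not the article's own material. It assumes the ActiveDirectory module from Windows Server 2012 or later (the replication cmdlets did not exist in 2003) and rights to query every DC; the 24-hour staleness threshold is an assumed value:

```powershell
# Added example, not from the article: weekly replication review for every DC in the forest.
# Assumes the ActiveDirectory module from Windows Server 2012 or later and rights to query each DC.
Import-Module ActiveDirectory

function Get-AdReplicationReport {
    param([int]$MaxAgeHours = 24)   # assumed threshold; tune to your site link schedules

    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per inbound partner and partition: when the last pull succeeded and how it ended
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue
        if (-not $meta) {
            [pscustomobject]@{ DC = $dc.HostName; Partner = '-'; Partition = '-'; Status = 'UNREACHABLE'; LastSuccess = $null }
            continue
        }
        foreach ($m in $meta) {
            $age = $now - $m.LastReplicationSuccess
            $status = if ($m.LastReplicationResult -ne 0) { "ERROR $($m.LastReplicationResult) x$($m.ConsecutiveReplicationFailures)" }
                      elseif ($age.TotalHours -gt $MaxAgeHours) { "STALE ($([int]$age.TotalHours)h)" }
                      else { 'OK' }
            [pscustomobject]@{
                DC          = $dc.HostName
                # Partner is the DN of the source's NTDS Settings object; its second RDN is the server name
                Partner     = (($m.Partner -split ',')[1] -replace '^CN=')
                Partition   = ($m.Partition -split ',')[0]
                Status      = $status
                LastSuccess = $m.LastReplicationSuccess
            }
        }
    }
}

# Failures the DCs themselves have recorded (the same data repadmin /replsummary summarises)
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError | Format-Table -AutoSize

# Everything that is not a clean, recent success
Get-AdReplicationReport | Where-Object Status -ne 'OK' | Format-Table -AutoSize

# The KCC's own view of the topology; run on a DC with the AD DS tools installed
dcdiag /test:KccEvent /test:Replications
```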
7. The configuration of AD is also something that must
be managed on an on-going basis, especially at the very beginning of your
implementation because you'll tend to refine its structure as you learn
more about AD. Configuration administration involves forest, domain, and
organizational unit (OU) design and implementation. Very large organizations
will probably have multiple forests containing multiple domains, especially
now that Windows 2003 supports transitive forest trusts. While smaller
organizations may have a single domain in a single forest, they'll still
want to use OUs to restructure the data they manage in the directory.
Configuration administration also involves Operations Master roles, Global
Catalog Servers and domain controllers, since these servers define the
configuration of each forest. Though configuration management is performed
mostly with the Users and Computers console when it comes to OUs, it involves
the entire AD toolkit when it comes to forests, domains or the servers
they depend on.
8. AD is a database, albeit a distributed one, but a database
no less. As such, it includes a database schema. The default AD schema
includes over 200 objects and 1,000 attributes. Because it's an extensible
database, the AD schema can be modified and extended. For example, installing
Microsoft Exchange almost doubles the size of the default AD schema. Schema
modifications shouldn't be done lightly because added objects can't normally
be removed (though they can be deactivated). This is the reason why the
schema is protected by default. In fact, the SchmMgmt.dll must be registered
on either servers or workstations before the Schema Management snap-in
becomes available to integrate into a Microsoft Management Console. The
schema administrator is mostly a guardian of the AD database. That's because
the less you modify the default schema, the better it is. Fortunately,
Microsoft has released Active Directory in Application Mode (ADAM). ADAM
is a lightweight directory access protocol (LDAP) database that can easily
be tied to your directory to provide extensibility. In addition, since
it's free to owners of Windows 2003, you can have as many instances of
ADAM as you like, letting you extend AD functionality without having to
modify the schema of your network directory. [For more on ADAM, read
Bill Boswell's explanation in this month's "Windows Insider,"
9. The 200 objects and 1,000 attributes are just to populate
the directory with information about the objects it contains. User objects
alone include over 200 attributes ranging from the user's address at the
office to home address information, maybe a photograph, perhaps a position
in the organization's hierarchy and much more. Shared folders can include
owners, groups can include managers, printers and computers can include
location tracking information, all information elements that should be
populated in a properly configured directory. In addition, you can use
the AD Schema Management console to add or remove content from the Global
Catalog, the portion of the directory that makes information elements
available to all users of a forest. You can use this same tool to determine
if AD should index an object or not. Indexing objects in AD makes finding
them much faster. To control the amount of information stored in the directory,
you can even assign NTDS quotas, making sure no one stores more information
than they should in the directory. Fortunately for the AD information
administrator, it's easy and simple to delegate many of the information
management tasks. For example, users control many of their own information
elements in the directory. All you need to do is train them to fill in
the proper information every time they move or change roles in the organization.
10. Of course, you can't forget that AD administration
also involves security management. After all, the AD database is designed
to replace the Windows NT Security Account Manager (SAM). Security management
covers everything from setting Domain Account Policies, assigning user
rights, and managing trusts to Access Control List (ACL) and Access Control
Entry (ACE) administration. Every object in the directory is assigned
a security descriptor detailing who in your organization has access to
the object. Managing these descriptors can be a full-time position by
itself. Fortunately, AD supports the concept of inheritance, letting you
set access rights at the top of an AD hierarchy (within a domain) and
having those rights automatically assigned to all objects in the hierarchy.
AD also supports the concept of delegation, something that should be used
heavily, especially in large organizations, to offload work that isn't
administrator-related. For example, users are automatically delegated
rights to their own information within the directory. You can also delegate
tasks to help desk operators, network operators and many other operational
roles within your organization.
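As an added example (not from the article), the following PowerShell reviews the security descriptors the section describes: it reports OUs where inheritance has been blocked and explicit delegations that grant broad rights to principals outside an assumed list of expected administrators. It assumes the ActiveDirectory module, whose AD: drive lets Get-Acl read directory objects:

```powershell
# Added example, not from the article: review OU security descriptors for blocked inheritance
# and explicit delegations that grant broad rights. Assumes the ActiveDirectory module; the
# "AD:" drive it provides lets Get-Acl read directory objects.
Import-Module ActiveDirectory

# Principals expected to hold broad rights everywhere (assumed list); anyone else holding them is reported.
$ExpectedAdmins = @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

function Get-OuDelegationReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

        # Inheritance blocked: rights set higher in the tree stop applying from here down,
        # so this OU must be reviewed on its own.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ OU = $ou.DistinguishedName; Principal = '-'; Rights = '-'; Finding = 'Inheritance disabled' }
        }

        foreach ($ace in $acl.Access) {
            # Only explicit Allow entries matter here; inherited ones were set on a parent
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -in $ExpectedAdmins) { continue }

            $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            # An empty ObjectType means the right covers every attribute / every extended right,
            # which is far broader than a typical "reset passwords in this OU" delegation.
            $unscoped = ($ace.ObjectType -eq [guid]::Empty)
            $broad = ($rights -contains 'GenericAll') -or ($rights -contains 'WriteDacl') -or
                     ($rights -contains 'WriteOwner') -or
                     ($unscoped -and (($rights -contains 'WriteProperty') -or ($rights -contains 'ExtendedRight')))
            if (-not $broad) { continue }

            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Finding   = 'Explicit broad delegation, confirm it is intended'
            }
        }
    }
}

Get-OuDelegationReport | Format-Table -AutoSize -Wrap
```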
11. As we mentioned above, AD is a database. As such, you
need to perform database maintenance activities on the NTDS.DIT file stored
within each domain controller. These activities include managing the LostAndFound
and LostAndFoundConfig containers, which are designed to collect homeless
objects in your directory. Administrative activities may also include
compacting the directory database. Although AD regularly compacts its
own database automatically, it may be necessary for you to compact it
manually in certain situations. You must also back up the database on
a regular basis and perform restores when required (though in many cases,
it's easier to recreate the missing objects).
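The backup-then-compact procedure from the section above, as an added example that is not part of the article. It assumes Windows Server 2008 or later, where AD DS can be stopped as a service, and the Windows Server Backup feature; on Windows 2003 the same ntdsutil steps are run after booting into Directory Services Restore Mode. D:\NtdsCompact and the E: backup target are assumed paths:

```powershell
# Added example, not from the article: back up the directory database, then compact NTDS.DIT
# manually. Assumes Windows Server 2008 or later (AD DS can be stopped as a service) with the
# Windows Server Backup feature installed; on Windows 2003 the ntdsutil steps are the same but
# run after booting into Directory Services Restore Mode. D:\NtdsCompact and E: are assumed paths.
$CompactDir = 'D:\NtdsCompact'
$params     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$DitPath    = $params.'DSA Database file'        # e.g. C:\Windows\NTDS\ntds.dit
$LogDir     = $params.'Database log files path'  # transaction logs are discarded after a compaction

# 1. Backup first: a compaction is only safe when you can fall back to a known-good system state
wbadmin start systemstatebackup -backupTarget:E: -quiet
if ($LASTEXITCODE -ne 0) { throw 'System state backup failed; not touching the database' }

# 2. Stop AD DS (and its dependents) so the database file is closed and consistent
Stop-Service NTDS -Force

# 3. Offline defragmentation writes a compacted copy; the live file is untouched
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $CompactDir" quit quit

# 4. Keep the original, swap in the compacted copy and remove the now-invalid log files
Copy-Item $DitPath "$DitPath.orig" -Force
Copy-Item (Join-Path $CompactDir 'ntds.dit') $DitPath -Force
Remove-Item (Join-Path $LogDir '*.log') -Force

# 5. Check the swapped-in file before trusting it; on any reported error put ntds.dit.orig back
ntdsutil "activate instance ntds" files integrity quit quit

# 6. Bring AD DS back; replication catches up whatever arrived while it was stopped
Start-Service NTDS
```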
12. Finally, you need to generate reports from your directory
in order to know how it's structured, what it contains and how it runs.
There are no default tools for AD report generation. You can, however,
export data at several levels of the directory. You can also now generate
GPO reports with the GPMC, but that is about as far as the default AD
tools will take you.