Tips and Tricks Guide to
Windows 2000
and Active Directory
Administration
Don Jones
Sean Daily
realtimepublishers.com
Table of Contents
Note to Reader: This book presents tips and tricks for seven Windows 2000 and Active
Directory Administration topics. For ease of use, the questions and their solutions are divided
into chapters based on topic, and each question is numbered based on the chapter, including:

Chapter 1: Daily Administration

Chapter 2: Domain Controller Administration

Chapter 3: Replication Management

Chapter 4: Security Administration

Chapter 5: Disaster Recovery

Chapter 6: Tools and Utilities

Chapter 7: Migration
Chapter 1: Daily Administration......................................................................................................1
Q 1.1: I just created a new group, and both the new group and the organizational unit I put in the

Chapter 2: Domain Controller Administration ..............................................................................27
Q 2.1: Where should I place Global Catalog servers, and how many do I need?..........................27
Deciding Where to Place GC Servers................................................................................27
Making a GC Server ..........................................................................................................28
Q 2.2: Where do I put FSMOs? .....................................................................................................29
Deciding Where to Place FSMOs......................................................................................30
Transferring FSMOs ..........................................................................................................31
Transferring the RID Master, PDC Emulator, or Infrastructure Master................31
Transferring the Domain-Naming Master .............................................................32
Transferring the Schema Master............................................................................32
Q 2.3: How do I handle a FSMO failure?......................................................................................33
What to Do When a FSMO Fails.......................................................................................34
Seizing FSMOs ..................................................................................................................34
Q 2.4: How can I tell whether I need to add a domain controller?................................................35
Installing the Database Object ...........................................................................................37
Domain Controller Performance Tips................................................................................38
Q 2.5: How many domain controllers do I need for optimum performance?................................39
Q 2.6: I want to make sure that my users can always log on. Doesn’t that mean placing a domain
controller in every location that has users?....................................................................................42
A History of Domain Controller Placement ......................................................................43
How Windows 2000 Learned from History.......................................................................43
Q 2.7: We use Exchange 2000 Server, and users complain that Address Book lookups take too
long. The Exchange server looks fine. What can I do? .................................................................45
Lookups with Earlier Clients .............................................................................................45
Lookups with Later Clients................................................................................................46
Q 2.8: We have a large, multi-domain forest. We’re installing a new application that modifies
Active Directory’s schema, but we need to document those changes before we allow the
application to do so. The application doesn’t indicate exactly what changes it will make. What
can we do?......................................................................................................................................47
Q 2.9: How should I configure Domain Name System on my domain controllers? .....................48

Chapter 4: Security Administration ...............................................................................................74
Q 4.1: I want to distribute the management of the users and groups in my Active Directory.
What’s the best way to proceed? ...................................................................................................74
Q 4.2: We want to delegate new user account creation to our Help desk, but we’re concerned that
user information won’t be entered consistently. What can we do? ...............................................77
Setting Up Policies in Enterprise Directory Manager........................................................79
Working Behind Enterprise Directory Manager’s Back....................................................80
Q 4.3: We’ve organized Active Directory to fit the way we manage it, but that makes our Group
Policies very difficult to apply. What should we do? ....................................................................81
When One Organization Isn’t Enough...............................................................................81

Can’t You Have Two Organizations?................................................................................82
So What’s the Best Organization for AD?.........................................................................82
Q 4.4: I’ve heard that SYSKEY can be used to protect Windows 2000 against several security
holes. How does it work?...............................................................................................................83
What SYSKEY Fixes.........................................................................................................83
Using SYSKEY .................................................................................................................84
Do You Need SYSKEY? ...................................................................................................85
Q 4.5: How can I prevent users from changing their personal attributes in Active Directory?.....85
Editing the Schema ............................................................................................................86
Reapplying Default Permissions........................................................................................89
Q 4.6: How do I configure the Kerberos authentication protocol?................................................89
How Kerberos Works ........................................................................................................89
Logging On ............................................................................................................90
Accessing Resources..............................................................................................90
Configuring Kerberos ........................................................................................................92
Q 4.7: We’re trying to make our domain controllers as secure as possible. What ports can we
lock down without affecting Active Directory?.............................................................................94

Fast Repairs......................................................................................................................115
Be Prepared for Repair.....................................................................................................116
Chapter 6: Tools and Utilities......................................................................................................117
Q 6.1: How can I automate the process of adding users? ............................................................117
The ADDUSERS Script...................................................................................................117
The ADDUSERS Spreadsheet.........................................................................................120
Q 6.2: What is the ADSI Edit tool? .............................................................................................121
Starting ADSI Edit...........................................................................................................121
Using ADSI Edit..............................................................................................................122
When You’ll Need ADSI Edit .........................................................................................122
Q 6.3: What is DSACLS? ............................................................................................................123
Q 6.4: What’s the difference between REPLMON and REPADMIN?.......................................124
REPADMIN.....................................................................................................................125
Checking Replication...........................................................................................125
Forcing Replication with a Specific Partner ........................................................126
Force Replication with all Replication Partners ..................................................127
Display Replication Data .....................................................................................127
Check to See Whether an Object is Up-to-Date ..................................................128
REPLMON ......................................................................................................................128
Q 6.5: What is MOVETREE used for?........................................................................................129
Q 6.6: How can I use NTDSUTIL to manage the Active Directory database? ...........................130
How NTDSUTIL Works..................................................................................................131
Common Commands .......................................................................................................132
Authoritative Restore...........................................................................................132

Files......................................................................................................................132
IP Deny List .........................................................................................................133
Metadata Cleanup ................................................................................................133

Why Migrating Breaks User Profiles...............................................................................151
Fixing the Problem...........................................................................................................151

Q 7.6: We have a lot of Windows NT file servers that have a lot of very specific NTFS
permissions. What do we need to do to migrate these permissions to Active Directory?...........153
Microsoft’s ADMT ..........................................................................................................153
Aelita’s Domain Migration Wizard .................................................................................153
Q 7.7: What little gotchas should we look out for during a migration to Active Directory? .....154
Time Synchronization......................................................................................................154
Run Your Migration Tool on a Domain Controller .........................................................155
Password Policy Mismatch..............................................................................................155
Consistency Problems......................................................................................................155
Carefully Migrate Users and Groups from Multiple Domains ........................................155
Cautiously Migrate Groups..............................................................................................156
Q 7.8: Should I upgrade or migrate?............................................................................................156
Q 7.9: Before we migrate, we’re trying to clean up our Windows NT domain, deleting unused
user accounts and groups. What is the easiest way to accomplish this task? ..............................157
What the Script Will Do ..................................................................................................157
Writing the Script.............................................................................................................158
Putting It All Together.....................................................................................................159
Q 7.10: We’ve upgraded our Windows NT Primary Domain Controller to Windows 2000, and
our Windows 2000 Professional computers are inconsistent about receiving Group Policy. Any
explanation? .................................................................................................................................160
If You’ve Already Upgraded Your PDC .........................................................................161
If You Haven’t Upgraded Your PDC Yet........................................................................162
Q 7.11: How can I look up the SID history for migrated accounts?............................................162
Chapter 1: Daily Administration
Q 1.1: I just created a new group, and both the new group and the
organizational unit I put in the new group are gone! What should I do?
A:
You’ve stumbled across one of the unavoidable problems of a multimaster directory
environment. As you’re aware, any administrator can modify Active Directory (AD) by
connecting to any domain controller in a domain. AD replicates changes to all domain
controllers so that, eventually, they all contain the changes the administrator made. The key
word, of course, is eventually.
Two administrators can connect to two different domain controllers and make
conflicting changes at nearly the same time. When those changes involve the same attribute of the
same object, for example, both administrators reset a specific user’s password, AD keeps only one
of them: the write with the higher per-attribute version number wins; if the version numbers are equal,
the write with the later originating timestamp wins; and if the timestamps are identical, the write that
originated on the domain controller with the higher invocation ID (a GUID) wins. In practice that
means the last change wins, with the GUID comparison as an arbitrary but deterministic tiebreaker,
and the losing administrator’s change silently disappears.
That type of situation is confusing but fairly rare. More common are changes made to two
different dependent objects. For example, imagine that your domain contains an organizational
unit (OU) named Houston. Bob, an administrator in Houston, connects to a Houston-based
domain controller and creates a user group named HoustonAdmins. A few minutes earlier,
however, Jerry, an administrator in New York, connected to a New York-based domain
controller and deleted the Houston OU entirely. When AD replicates these two changes, they
conflict. Suddenly, AD has to create a group named HoustonAdmins in an OU that no longer
exists. The same scenario can happen with newly created user accounts: the target OU was
deleted on another domain controller, but the deletion had not yet replicated to the domain
controller on which the account was created.
AD resolves this kind of conflict without discarding the new object. When the delete and the
create meet, the orphaned object is moved into the domain’s LostAndFound container (visible in
Active Directory Users and Computers when Advanced Features is turned on), and its
lastKnownParent attribute records the container it was created in. Look there first; then either
move the object to the OU where it belongs or delete it if the OU was removed on purpose.

You can configure replication between sites to wait quite a long time before replicating—as long as
several hours. While a longer replication interval will reduce the amount of replication traffic on your
network, it will also increase the possibility of replication conflicts because administrators at one site
will have more time to make changes that might conflict with changes you’re making at another site.
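As an added example that is not part of the book, the following Windows PowerShell script carries out that check with ADSI: it lists whatever replication has parked in LostAndFound, together with the container each object was created in, and moves a chosen object back. It assumes a domain-joined host with rights to read LostAndFound and to move the objects; the OU and group names in the usage lines are placeholders, not names from the book.

```powershell
# Added example, not from the book: find objects that a replication conflict
# parked in the domain's LostAndFound container, and move one back if needed.
# Assumptions: a domain-joined Windows PowerShell host with rights to read
# LostAndFound and move objects; the DNs in the usage lines are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Get-LostAndFoundObject {
    param([string]$DomainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext)

    $container = [ADSI]"LDAP://CN=LostAndFound,$DomainDn"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter      = "(objectClass=*)"
    $searcher.SearchScope = "OneLevel"            # children of the container only
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@("distinguishedName", "objectClass", "whenCreated", "lastKnownParent"))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        [pscustomobject]@{
            DistinguishedName = [string]($props["distinguishedname"] | Select-Object -First 1)
            # objectClass lists the whole inheritance chain; the last entry is the
            # most specific class (user, group, organizationalUnit, ...)
            Class             = [string]($props["objectclass"] | Select-Object -Last 1)
            WhenCreated       = ($props["whencreated"] | Select-Object -First 1)
            # lastKnownParent records the deleted container the object was created in
            LastKnownParent   = [string]($props["lastknownparent"] | Select-Object -First 1)
        }
    }
}

function Restore-LostAndFoundObject {
    param(
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][string]$TargetOuDn
    )
    $object = [ADSI]"LDAP://$ObjectDn"
    $target = [ADSI]"LDAP://$TargetOuDn"
    $object.psbase.MoveTo($target)               # re-parent the object under the new OU
}

# Usage: review what landed in LostAndFound, then relocate a group to a new home.
Get-LostAndFoundObject | Format-Table -AutoSize
# Restore-LostAndFoundObject -ObjectDn "CN=HoustonAdmins,CN=LostAndFound,DC=company,DC=com" `
#                            -TargetOuDn "OU=Houston,DC=company,DC=com"
```

Run the listing part on any domain controller or administrative workstation after a conflict like the one above; the LastKnownParent column tells you whether the object's original container was removed deliberately (delete the object) or by mistake (recreate the OU and move the object back).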



Make a backup! Before you even consider modifying the schema in your production forest, make a
complete backup of AD (a System State backup of at least one domain controller in each domain,
including the schema master). An authoritative restore, which I discuss in Question 5.1 in Chapter 5,
can bring back domain objects you lose, but be aware that the schema partition cannot be
authoritatively restored: once a schema change has replicated, backing it out means restoring every
domain controller in the forest from backups taken before the change. Also, make sure that no other
administrators attempt to modify any AD objects while you’re modifying the schema. That way if you
have to restore AD to undo the schema changes, no object changes will be lost.
In Windows 2000, adding an attribute to the Global Catalog’s partial attribute set causes every
GC server to rebuild its copy of the catalog, which in a large AD environment can take hours and a
great deal of network bandwidth. Try to plan schema changes for hours when the GCs aren’t urgently
needed for user logons and Exchange 2000 Server clients, such as late at night. And always
remember that schema changes are forest-wide and permanent: schema classes and attributes can be
deactivated but never deleted.
Use a pilot forest to make sure that you want to make the changes. The schema is shared by every
domain in a forest, so a test domain inside your production forest would change the production
schema. If you need to test an application that will modify your AD schema, install the application into
a standalone test domain that is the root of its own forest. That test forest shouldn’t have any trust
relationships with any other domains. The test forest allows the application to modify the schema
without permanently affecting your production forest’s schema.
If you decide to keep the application, you can install it in your production forest when you’re ready to
begin using it. Either way, you can decommission the test forest once you’re done testing the
application.
If you’re sure that you want to modify your schema, several things have to be in place first:
• The forest’s schema master must be online. The schema master is a special Flexible
Single Master Operations (FSMO) role held by exactly one domain controller in the
entire forest; like the domain-naming master it is forest-wide, whereas the RID master, PDC
emulator, and infrastructure master exist once per domain. As Figure 1.2 illustrates, you can
use the Microsoft Management Console (MMC) Active Directory Schema snap-in to determine
which server currently has the schema master role.

Figure 1.2: Identifying the current schema master.


account for day-to-day work. You should only log on as a Schema Admins member when you need to
accomplish some forest-wide administrative task, such as modifying the AD schema.
Once you’ve finished installing the application and modifying the schema, put the schema back into
read-only mode by clearing The Schema may be modified on this Domain Controller check box
in the Active Directory Schema snap-in. That check box serves as a kind of master safety switch,
preventing even Schema Admins from changing the schema when the check box is clear. Under the
covers it is just a registry value on the schema master (Schema Update Allowed under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), so treat it as protection against
accidents, not as a security boundary: anyone with local administrative rights on that server can set
it again.
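An added example, not from the book, that performs the checks just described from Windows PowerShell: it locates the schema master from the schema partition’s fSMORoleOwner attribute, pings it, tests whether the current logon token holds the root domain’s Schema Admins SID, and reads the Windows 2000 registry value behind the check box. It assumes a domain-joined host, the Remote Registry service reachable on the schema master, and a Windows 2000 schema master (later versions dropped the registry value, so the last check reports False there).

```powershell
# Added example, not from the book: the checks to run before touching the schema.
# Assumptions: a domain-joined Windows PowerShell host; Remote Registry reachable
# on the schema master; "Schema Update Allowed" is the Windows 2000 registry value
# behind the snap-in's check box (later versions dropped it).
function Get-SchemaMaster {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = [string]$rootDse.schemaNamingContext
    $schema   = [ADSI]"LDAP://$schemaNc"
    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object;
    # its parent is the server object, which carries the DNS host name.
    $ntdsSettings = [ADSI]("LDAP://" + [string]$schema.fSMORoleOwner)
    [string]$ntdsSettings.psbase.Parent.Properties["dNSHostName"].Value
}

function Test-SchemaAdmin {
    # Compare the logon token against the root domain's Schema Admins SID (RID 518)
    # rather than a name, so a renamed group still matches.
    $rootDse    = [ADSI]"LDAP://RootDSE"
    $rootDomain = [ADSI]("LDAP://" + [string]$rootDse.rootDomainNamingContext)
    $domainSid  = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$rootDomain.Properties["objectSid"].Value, 0)
    $schemaAdmins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AccountSchemaAdminsSid, $domainSid)
    $me = New-Object System.Security.Principal.WindowsPrincipal(
        [System.Security.Principal.WindowsIdentity]::GetCurrent())
    $me.IsInRole($schemaAdmins)
}

function Test-SchemaUpdateAllowed {
    param([Parameter(Mandatory)][string]$SchemaMaster)
    # Reads the DWORD the "schema may be modified" check box toggles (Windows 2000).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $SchemaMaster)
    $key  = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\NTDS\Parameters")
    [bool]$key.GetValue("Schema Update Allowed", 0)
}

$master = Get-SchemaMaster
[pscustomobject]@{
    SchemaMaster         = $master
    MasterReachable      = Test-Connection -ComputerName $master -Count 1 -Quiet
    RunningAsSchemaAdmin = Test-SchemaAdmin
    SchemaUpdateAllowed  = Test-SchemaUpdateAllowed -SchemaMaster $master
}
```

Run it once before the change (you want the master reachable, yourself in Schema Admins, and updates allowed) and once afterwards, when SchemaUpdateAllowed should be back to False.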
Q 1.3: How can I write a logon script that checks for group
membership?
A:
Active Directory (AD) offers wonderful new flexibility for logon—and logoff—scripts
because the scripts can be written in powerful languages such as JScript and VBScript.
Unfortunately, most administrators still use command-line scripts (batch files) because Microsoft
hasn’t released much documentation about how to really use scripting in logon scripts.


Microsoft has complete references for its scripting languages at
However, you may still need to hunt around for ways to perform common logon script tasks, such as
mapping drives. A good place to start is Microsoft’s Platform Software Development Kit (SDK)
documentation, available online at
Common tasks such as checking for group membership are pretty easy. To do so, you’ll need to
first set up a VBScript logon script, and second, add that script to a Group Policy.
Programming the Script
VBScript allows you to use the Active Directory Service Interfaces (ADSI) to query information
from domain directories. ADSI is included with Windows 2000 (Win2K) and includes providers
that allow you to access both Windows NT domains and AD domains. The AD provider actually
uses the Lightweight Directory Access Protocol (LDAP) to access information in AD. The
following VBScript, which Listing 1.1 shows, will determine the user’s username, look up that
user account in AD, then determine whether the user is a member of a group named

1. The script creates a reference to the Windows Script Host’s (WSH’s) Network object,
which exposes information about the user’s network environment. The reference is saved
in a variable named objNetwork.
2. The script saves the user’s ID in a variable named strUser. The ID is obtained from the
Network object’s UserName property.
3. The script uses ADSI’s LDAP provider to get a reference to the OfficeAdmins group.
The reference is saved in the objGroup variable. Note that the GetObject command is
used with ADSI calls rather than the CreateObject command normally used to create
object references.
4. The script uses the group’s IsMember method, passing the ADsPath of the user’s
account in AD. IsMember returns a Boolean, True or False, which is stored
in the varMember variable. Be aware that IsMember reads only the group’s member attribute: it
reports direct members, not users who belong through a nested group and not users whose
primary group is the one being checked.
5. Finally, an If…Then construct is used to take some action based on whether the user is a
member of the OfficeAdmins group. You can replace the comment lines in the If…Then
construct with code that maps drives, maps printers, or takes some other action.
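The same logon-script decision, as an added example that is not the book’s listing: it is written in Windows PowerShell and checks the user’s logon token instead of the group’s member list, so nested groups and the primary group are covered. It assumes a client that has Windows PowerShell (the book’s Windows 2000 clients predate it); COMPANY\OfficeAdmins and the share path are placeholders.

```powershell
# Added example, not from the book: a logon script that decides by group
# membership, checking the user's logon token rather than the group's member list.
# Assumptions: a client with Windows PowerShell; COMPANY\OfficeAdmins and the
# share path are placeholders.
$GroupName = "COMPANY\OfficeAdmins"

function Test-TokenGroupMembership {
    param([Parameter(Mandatory)][string]$Group)   # DOMAIN\Group form
    # The token built at logon lists every group SID the user holds: direct
    # memberships, nested groups and the primary group. IADsGroup.IsMember in the
    # VBScript approach reads only the group's member attribute, so it misses the
    # last two.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole($Group)
}

function Get-TokenGroupName {
    # Readable list of the token's groups, useful when a script does not map what
    # you expected (membership changes only take effect at the next logon).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }    # SID that no longer resolves: show it raw
    }
}

if (Test-TokenGroupMembership -Group $GroupName) {
    # Member: map the department share. Replace with the action you need
    # (drive or printer mappings, registry settings, and so on).
    net use O: \\fileserver\officeadmins /persistent:no | Out-Null
}
# Get-TokenGroupName   # uncomment while troubleshooting
```

Because the decision comes from the token, the script needs no LDAP query at logon time and keeps working if the group is renamed; the price is that a user added to the group must log off and on again before the script sees the change.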

Learn more about ADSI scripting. Microsoft publishes the ADSI documentation in the Microsoft
Platform SDK. As I previously mentioned, you can access the SDK’s documentation online at
Look under Microsoft Platform SDK, then under Directory Services.
Save your script to a text file, then you’ll be able to use Group Policy to assign the script to users
and computers.

Use the correct file extension! Windows will automatically recognize your script if you use the correct

Figure 1.3: The Group Policy window.

You can use the appropriate configuration section of a Group Policy to assign logon and logoff scripts
to users and startup and shutdown scripts to computers. Windows processes computer startup scripts
when the computer starts, then processes user logon scripts when a user actually logs on to the
computer. At the other end the order is reversed: user logoff scripts run when the user logs off, and
computer shutdown scripts run last, just before the computer shuts down.
Computer scripts must run without a graphical user interface (GUI) because they execute as the
LocalSystem account with no user logged on; nothing they display will be seen, and a script that
waits for input will block until the script time-out expires.
7. In the right pane of the Group Policy window, double-click Logon or Logoff. Windows
will then display the properties for the item you selected, as Figure 1.4 shows.

Figure 1.4: Logon Script properties.
8. Click Add to add a new script.
9. Click Browse to locate your script’s text file, select the file, then click OK.

Multiple scripts can be used! Unlike earlier versions of Windows, Win2K lets you assign multiple
logon and logoff scripts to users and computers. Windows will execute all the scripts at the
appropriate time. Use the Up and Down buttons on the dialog box to place the scripts into the order in
which you want them to execute.
10. Click OK to save the new Group Policy.

Logon and logoff scripts are for Win2K and later only. AD-based logon and logoff scripts work only on


Figure 1.6: Adding a user to the OU’s security list.
If AD completely supported inheritance by default, the East and West OUs would also include
Mr. Jarr’s name on their Security tabs. Looking at the properties of the East OU, which Figure
1.7 shows, you can see that such isn’t the case.

Figure 1.7: Security properties for the East OU.
So…No Inheritance?
AD applies inheritance by default only to the permissions that AD itself places on a new object.
A permission that you add by hand on the basic Security tab is written with a scope of This object
only, so it does not flow down to child OUs. “Now, wait a second,” you’re
thinking, “I used the Delegation of Control Wizard last week, and inheritance seemed to work
fine.” True. The Delegation of Control Wizard makes inheritance work by changing some of
AD’s default settings. When you run the wizard, it sets the inheritance flags on the ACEs it writes to
the object you’re delegating control over, so they apply to that object and to its child objects.
OK…Some Inheritance
By default, AD supports inheritance-like behavior for group policies. A group policy applied to
an OU will also apply to any child OUs, unless one of those child OUs specifically blocks policy
inheritance. And AD supports permissions inheritance for the permissions applied to objects by
default, and for any ACE whose Apply onto setting (in the Advanced view of the Security tab)
includes child objects.
That AD doesn’t inherit hand-added permissions by default is actually not a big deal. After all, you
shouldn’t usually modify permissions on AD objects manually; that’s why the Security tab isn’t
displayed by default. You’re supposed to use the Delegation of Control Wizard, which takes care of
inheritance for you. When you need to see what a delegation really granted, the Advanced view
shows, for each entry, whether it was inherited and what it applies to.
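An added example (not from the book) of the check a practitioner wants after editing the Security tab or running the wizard: a Windows PowerShell script that reads an OU’s ACL through ADSI and reports, for each entry, whether it was inherited from a parent and whether it will propagate to children. The parent OU name and the trustee are assumptions; the book never names the OU that contains East and West.

```powershell
# Added example, not from the book: list the permissions on an OU and show which
# entries were inherited from a parent and which will propagate to child OUs.
# Assumptions: a domain-joined Windows PowerShell host; the OU DNs and the
# trustee in the usage lines are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Get-OuAce {
    param([Parameter(Mandatory)][string]$OuDn)
    $ou = [ADSI]"LDAP://$OuDn"
    # GetAccessRules(includeExplicit, includeInherited, identity type)
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        [pscustomobject]@{
            Trustee        = $rule.IdentityReference.Value
            Rights         = $rule.ActiveDirectoryRights
            Type           = $rule.AccessControlType
            Inherited      = $rule.IsInherited             # came down from a parent
            PropagatesDown = $rule.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
            AppliesTo      = $rule.InheritanceType         # None, All, Descendents, Children, SelfAndChildren
            ObjectType     = $rule.ObjectType              # attribute/class/right GUID; empty GUID means all
        }
    }
}

function Find-NonPropagatingAce {
    param([Parameter(Mandatory)][string]$OuDn)
    # Explicit entries scoped to "This object only": what a permission added on
    # the basic Security tab produces, and why the child OUs never see it.
    Get-OuAce -OuDn $OuDn | Where-Object { -not $_.Inherited -and -not $_.PropagatesDown }
}

function Test-AceInherited {
    param(
        [Parameter(Mandatory)][string]$ChildOuDn,
        [Parameter(Mandatory)][string]$Trustee          # DOMAIN\name
    )
    # True when at least one entry for the trustee on the child is marked inherited.
    [bool](Get-OuAce -OuDn $ChildOuDn |
        Where-Object { $_.Trustee -eq $Trustee -and $_.Inherited })
}

# Usage (OU and account names assumed):
Find-NonPropagatingAce -OuDn "OU=Sales,DC=company,DC=com" | Format-Table -AutoSize
Test-AceInherited -ChildOuDn "OU=East,OU=Sales,DC=company,DC=com" -Trustee "COMPANY\jarr"
```

A hand-added entry such as Mr. Jarr’s shows up in the first listing with AppliesTo set to None, and the second call returns False for East; after the Delegation of Control Wizard has been used instead, the same call returns True because the wizard’s entries carry an inheritance scope.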
Q 1.5: Why should I use the Active Directory Service Interfaces clients
for Windows 9x and Windows NT?
A:

property pages. These pages allow users (if they have permission) to change properties on
user objects (for example, phone numbers and addresses) by using the user object pages,
which they can access by clicking the Start menu, then pointing to Search and For
People. This feature lets users easily modify their own information within AD, if they
have permission to do so.
• Finally, the ADSI client includes NT LAN Manager (NTLM) version 2 authentication.
NTLM version 2 offers improvements over the older LAN Manager and NTLM version 1
protocols used by Win9x and NT, and corrects many security flaws that exist in them. Installing
the client only adds the capability, though: the clients keep sending the older responses until you
raise the LMCompatibility setting in the registry on each of them, and the domain controllers keep
accepting the older responses until you raise LMCompatibilityLevel there as well.
Unsupported Functionality
Although the ADSI client offers a lot of desirable functionality—especially the address book
integration and ability to access fault-tolerant Dfs shares, it can’t change the fact that Win9x and
NT weren’t made to work in the Win2K world. The ADSI client has the following limitations:
• The ADSI client doesn’t provide Kerberos support. One big reason is that Kerberos
tickets on a Win2K computer are cached in a special area of memory that can never be
written to disk or even paged to the swap file. Win9x and NT don’t provide any area of
memory with that capability, raising the possibility of Kerberos tickets being written to
unsecured areas of the disk and potentially compromised. Providing Kerberos support in
the earlier OSs would take a major architectural change, which is why Win2K exists.
• The ADSI client doesn’t provide Group Policy or IntelliMirror support. This limitation is
definitely the biggest disappointment because there’s no technical reason that the earlier
client OSs can’t support at least a subset of IntelliMirror’s functionality, such as the
ability to deploy new software applications. I suspect that Microsoft simply didn’t want
to invest time and money in bringing important new features to an earlier OS when it
would be much easier for customers to simply upgrade. Nonetheless, most of the
important features in Group Policy and IntelliMirror require functionality that was first
introduced in Win2K, and retrofitting those technologies into Win9x or NT would have
definitely been a challenge.
• The ADSI client doesn’t provide IP Security (IPSec) or Layer 2 Tunneling Protocol
(L2TP) support. That isn’t a problem for most administrators. Very few are using IPSec
anyway, and anyone using L2TP to create secure virtual private networks (VPNs) has

code to your New York office, and you need to change all the zip codes you’ve stored in Active
Directory (AD). The change only affects the users in your New York office, who are
conveniently grouped into an organizational unit (OU) named NewYorkCity. The obvious way
to make the change is to open each user object in the Active Directory Users and Computers
Microsoft Management Console (MMC) snap-in and make the change one at a time. That process would
be time consuming and might keep you away from watching paint dry, which would be just as
exciting. Fortunately, you’ve got a couple of alternatives: bulk import/export and scripting.
Bulk Import/Export
Using AD’s bulk import/export capabilities is the easiest way to make data changes because it
lets you use tools you’re probably already familiar with. First, you need to get to know the basic
import/export tools that Microsoft gives you:
• CSVDE.EXE is a command-line utility that imports and exports data from AD and
Comma Separated Value (CSV) files. CSVDE’s biggest weakness is that it can only add
new objects to AD—it can’t modify existing ones. However, it does use an easy-to-
understand CSV format, which you can work with in Microsoft Excel if you want to.
• LDIFDE.EXE is another command-line utility. This tool works with the Lightweight
Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file format, which is
standardized in RFC 2849. The tool can export data into LDIF files, import new objects
from LDIF files, and even modify existing objects based on information in an LDIF file.

Using LDIFDE
Obviously, LDIFDE.EXE is the tool of choice in our example scenario. We could use CSVDE
only to import new users, which isn’t what we’re after. To use LDIFDE.EXE, just follow these
steps:
1. From a command line, type the following command to extract the required entries:
ldifde -f newyork.ldf -s dc01
-d "ou=NewYorkCity,dc=company,dc=com" -p subtree
-r "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com)"
-l "postalCode"

Computers console.

Breaking It Down
OK, that’s definitely a lot to swallow—LDIFDE isn’t a lightweight tool. Let’s look at what the
commands are doing, starting with the export command:
ldifde -f newyork.ldf -s dc01
-d "ou=NewYorkCity,dc=company,dc=com" -p subtree
-r "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com)"
-l "postalCode"
• The -f specifies the output file to which LDIFDE will write data.
• The -s specifies the domain controller to which LDIFDE should connect to obtain data
from AD.
• The -d specifies the root, or starting point, of the export. In this case, the root is the
company.com domain and the NewYorkCity OU.
• The -p specifies the scope of LDIFDE’s search. Acceptable values are subtree, which
instructs the utility to search everything below the specified starting point; base, which
searches only in the specified starting point; and onelevel, which searches up to one level
below the starting point.
• The -r specifies a filter. In this example, LDIFDE will only return objects whose
objectCategory is Person, so it won’t return computers, groups, or OUs. Note that contact
objects are also in the Person category; to restrict the export to user accounts, use the filter
"(&(objectCategory=person)(objectClass=user))" instead.
• Finally, the -l specifies the attributes that LDIFDE should return. You can provide more
than one attribute by separating them with commas within the quotation marks. Even with -l,
every record LDIFDE writes carries a changetype: add line; before you import the file, you edit
each record to changetype: modify with a replace: postalCode block, because LDIFDE won’t
import an add record for an object that already exists.
The second command is a bit easier to follow:
ldifde -i -f newyork.ldf -s dc01
• The -i parameter indicates an import operation.
• The -f and -s parameters specify the import file and the domain controller to connect
with.
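The editing step between the two commands, as an added example that is not from the book: a Windows PowerShell script that turns the exported file into the modify records LDIFDE needs, unfolding any DN that LDIFDE wrapped onto a continuation line. The three-record export below is constructed for the example (the user names and the old zip codes are made up); the new zip code and the command lines are the book’s.

```powershell
# Added example, not from the book: convert the LDIFDE export into a file LDIFDE
# can import onto existing users. An export carries "changetype: add" records,
# which fail on import because the objects already exist; a modify record with a
# "replace:" block is what the second ldifde command needs.
function Get-LdifLogicalLine {
    param([Parameter(Mandatory)][string[]]$Lines)
    # RFC 2849 folds long values: a line starting with one space continues the
    # previous line. Unfold first so a long DN is not cut in half.
    $logical = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.StartsWith(" ") -and $logical.Count -gt 0) {
            $logical[$logical.Count - 1] += $line.Substring(1)
        } else {
            $logical.Add($line)
        }
    }
    ,$logical.ToArray()
}

function ConvertTo-ReplaceLdif {
    param(
        [Parameter(Mandatory)][string[]]$ExportLines,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][string]$NewValue
    )
    $out = New-Object System.Collections.Generic.List[string]
    foreach ($line in (Get-LdifLogicalLine -Lines $ExportLines)) {
        # "dn:" (or "dn::" for base64) opens a record; keep it verbatim and emit a
        # modify record. Everything else in the export (changetype: add, the old
        # attribute value) is dropped.
        if ($line -match '^dn::? ') {
            $out.Add($line)
            $out.Add("changetype: modify")
            $out.Add("replace: $Attribute")
            $out.Add("${Attribute}: $NewValue")
            $out.Add("-")
            $out.Add("")
        }
    }
    ,$out.ToArray()
}

# Constructed stand-in for newyork.ldf as written by the book's export command
# (ldifde -f newyork.ldf -s dc01 -d "ou=NewYorkCity,dc=company,dc=com" -p subtree ... -l "postalCode").
$exported = @(
    "dn: CN=Alice Example,OU=NewYorkCity,DC=company,DC=com",
    "changetype: add",
    "postalCode: 10001",
    "",
    # a user with no postalCode yet: "replace" creates the value
    "dn: CN=Bob Example,OU=NewYorkCity,DC=company,DC=com",
    "changetype: add",
    "",
    # a DN long enough that LDIFDE folded it onto a continuation line
    "dn: CN=Carol Example With A Name Long Enough To Be Folded,OU=NewYorkCity,DC=company,",
    " DC=com",
    "changetype: add",
    "postalCode: 10002",
    ""
)
$modify = ConvertTo-ReplaceLdif -ExportLines $exported -Attribute "postalCode" -NewValue "82138"
[System.IO.File]::WriteAllLines("$PWD\newyork-modify.ldf", $modify)
$modify
# Import with the book's second command, pointing at the new file:
#   ldifde -i -f newyork-modify.ldf -s dc01
```

Each output record reads dn, changetype: modify, replace: postalCode, postalCode: 82138, and a lone hyphen; import that file with the -i command and every user in the OU gets the new zip code in one pass. Add -u to both ldifde commands if any attribute values contain non-ASCII characters, so the files are written and read as Unicode.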

Option Explicit
Dim oContainer
' Set is required when assigning an object reference in VBScript
Set oContainer = GetObject("LDAP://OU=NewYorkCity,DC=company,DC=com")
ModifyUsers oContainer
Set oContainer = Nothing
WScript.Echo "Finished"

Sub ModifyUsers(oObject)
    Dim oUser
    ' The filter matches objectClass=user; computer objects also carry the user
    ' class, so check each object's own class before writing to it
    oObject.Filter = Array("user")
    For Each oUser In oObject
        If LCase(oUser.Class) = "user" Then
            oUser.Put "postalCode", "82138"
            oUser.SetInfo
        End If
    Next
End Sub
This script is the simplest way to modify each user’s zip code, although it takes a bit longer to
understand. The first line of code sets a variable equal to the NewYorkCity OU by binding to it
through an LDAP path; note that VBScript requires the Set keyword when assigning an object
reference. The script then executes a subroutine named ModifyUsers, and displays a Finished
message when that subroutine completes.
The ModifyUsers subroutine does the real work. First, it accepts the incoming OU and stores it
in a variable named oObject. The script then applies a filter to oObject so that only objects of the
user class are returned. Because the computer class inherits from user, computer accounts pass that
filter too, so the loop checks each object’s Class property before writing. Next, the script uses a
For…Each loop to examine each user in the OU, one at a time. For each user that the script finds,
represented by the variable oUser, the script uses the Put method to set a new postalCode value.
The script then calls the SetInfo method to save the new postalCode value back to AD; nothing is
written until SetInfo runs.
Scripting is definitely the way to go with complex changes such as this change. Although the
script would take longer to put together from scratch than the LDIFDE method, the script
