Realtimepublishers - Windows 2000 and Active Directory Administration (2001).pdf (2340 KB)
The Tips and Tricks Guide to Windows 2000 and Active Directory Administration
realtimepublishers.com
Don Jones
Sean Daily
Table of Contents
Note to Reader: This book presents tips and tricks for seven Windows 2000 and Active Directory Administration topics. For ease of use, the questions and their solutions are divided into chapters based on topic, and each question is numbered based on the chapter, including:
• Chapter 1: Daily Administration
• Chapter 2: Domain Controller Administration
• Chapter 3: Replication Management
• Chapter 4: Security Administration
• Chapter 5: Disaster Recovery
• Chapter 6: Tools and Utilities
• Chapter 7: Migration
Chapter 1: Daily Administration
Q 1.1: I just created a new group, and both the new group and the organizational unit I put in the new group are gone! What should I do?
Q 1.2: I tried to install an application that needs to modify the Active Directory schema, but the installation failed. What should I do?
Q 1.3: How can I write a logon script that checks for group membership?
    Programming the Script
    Assigning the Logon Script
Q 1.4: Does Active Directory support inheritance for permissions on objects in the directory?
    So…No Inheritance?
    OK…Some Inheritance
Q 1.5: Why should I use the Active Directory Service Interfaces clients for Windows 9x and Windows NT?
    Supported Functionality
    Unsupported Functionality
    Where Can I Get It?
Q 1.6: I need to change a lot of information in Active Directory. Is there an easy way to manipulate that data other than using the Users and Computers console?
    Bulk Import/Export
        Using LDIFDE
        Breaking It Down
        Understanding LDIF
    Scripting
Q 1.7: Is there any way to control permissions inheritance in Active Directory?
    AD’s Default Inheritance Handling
    Configuring Inheritance for AD Permissions
Q 1.8: We’re delegating Active Directory administration to different groups in our organization, but the built-in administrative tools are confusing users because the tools offer so much more functionality than we’re delegating. What can we do?
Chapter 2: Domain Controller Administration
Q 2.1: Where should I place Global Catalog servers, and how many do I need?
    Deciding Where to Place GC Servers
    Making a GC Server
Q 2.2: Where do I put FSMOs?
    Deciding Where to Place FSMOs
    Transferring FSMOs
        Transferring the RID Master, PDC Emulator, or Infrastructure Master
        Transferring the Domain-Naming Master
        Transferring the Schema Master
Q 2.3: How do I handle a FSMO failure?
    What to Do When a FSMO Fails
    Seizing FSMOs
Q 2.4: How can I tell whether I need to add a domain controller?
    Installing the Database Object
    Domain Controller Performance Tips
Q 2.5: How many domain controllers do I need for optimum performance?
Q 2.6: I want to make sure that my users can always log on. Doesn’t that mean placing a domain controller in every location that has users?
    A History of Domain Controller Placement
    How Windows 2000 Learned from History
Q 2.7: We use Exchange 2000 Server, and users complain that Address Book lookups take too long. The Exchange server looks fine. What can I do?
    Lookups with Earlier Clients
    Lookups with Later Clients
Q 2.8: We have a large, multi-domain forest. We’re installing a new application that modifies Active Directory’s schema, but we need to document those changes before we allow the application to do so. The application doesn’t indicate exactly what changes it will make. What can we do?
Q 2.9: How should I configure Domain Name System on my domain controllers?
Q 2.10: What’s a good first troubleshooting step when I’m having problems with Active Directory?
Q 2.11: How can I defragment Active Directory’s database?
    Offline Defrag
    Defrag and Replication
Q 2.12: We have several sites in our Active Directory domain. At some sites, one domain controller in particular seems slower than others. What can we do to troubleshoot the problem?
Chapter 3: Replication Management
Q 3.1: After I make a change in Active Directory, the change doesn’t seem to take effect for quite a while. What can I do to make this process faster?
    Faster Replication
    Making Changes Close to Home
Q 3.2: How do I troubleshoot Active Directory replication?
    Multiple-Master Replication
    How Replication Works
        Handling Conflict
        Replication Loops
    Replication Topology
    Managing Replication
    Solving Problems
Q 3.3: How does Active Directory delete records?
    Modifying AD’s Default Behavior
    Creating Your Own Site Link Bridges
Q 3.5: We have many domains and sites in our organization, and Active Directory replication seems very slow. What can we do to improve performance?
Q 3.6: We’re having problems configuring Active Directory replication to pass through a firewall. Which port should we check first?
Chapter 4: Security Administration
Q 4.1: I want to distribute the management of the users and groups in my Active Directory. What’s the best way to proceed?
Q 4.2: We want to delegate new user account creation to our Help desk, but we’re concerned that user information won’t be entered consistently. What can we do?
    Setting Up Policies in Enterprise Directory Manager
    Working Behind Enterprise Directory Manager’s Back
Q 4.3: We’ve organized Active Directory to fit the way we manage it, but that makes our Group Policies very difficult to apply. What should we do?
    When One Organization Isn’t Enough
    Can’t You Have Two Organizations?
    So What’s the Best Organization for AD?
Q 4.4: I’ve heard that SYSKEY can be used to protect Windows 2000 against several security holes. How does it work?
    What SYSKEY Fixes
    Using SYSKEY
    Do You Need SYSKEY?
Q 4.5: How can I prevent users from changing their personal attributes in Active Directory?
    Editing the Schema
    Reapplying Default Permissions
Q 4.6: How do I configure the Kerberos authentication protocol?
    How Kerberos Works
        Logging On
        Accessing Resources
    Configuring Kerberos
Q 4.7: We’re trying to make our domain controllers as secure as possible. What ports can we lock down without affecting Active Directory?
    Default Ports
    Locking Down Ports
Chapter 5: Disaster Recovery
Q 5.1: How can I prepare for Active Directory disaster recovery?
    Don’t Put All Your Eggs in One Basket
    Backup and Restore
        Non-Authoritative Restore
        Authoritative Restore
        Testing Your Backups
Q 5.2: Someone accidentally deleted several users from Active Directory. We have a backup, but how can we restore just the missing objects?
    The Hard Way
    The Easy Way
Q 5.3: Our IT management is centralized, but our domain controllers aren’t. We need some way to centralize our disaster recovery operations. What can we do?
Q 5.4: What is the best overall strategy for backing up Active Directory?
    Back Up Two Domain Controllers