Active Directory Articles

Article / Updated 03-26-2016

Moving objects around in Active Directory may involve moving objects from one location to another within a domain, or you might have to move objects from one domain to another. You need to know the details associated with either operation for the MCSE Directory Services exam. Fortunately, you just need to remember some simple rules. Moving objects within a domain Moving objects within a domain is a simple process: Just right-click the object and choose Move. Windows 2000 displays a dialog box in which you simply choose the destination container object for the move. (In newer versions of Windows 2000, you can drag and drop Active Directory objects from one OU to another.) A real-world example of moving an object within a domain involves moving a user account from one OU to another when the user transfers from one department to another in your organization. Moving the user's account enables the user to receive the benefits and restrictions you have defined for the new OU. What is not as straightforward (and what you need to know for the exam) is the effect that moving objects has on permissions. Here are the rules you must know: Permissions you assign directly to an Active Directory object remain with the object after you move the object. The object inherits the permissions assigned to the new OU and loses any previously inherited permissions. You may have already figured this one out: An excellent strategy for administering Active Directory objects is to move objects that need similar permission settings into the same OU. By doing so, you can easily manage your network, assigning permissions and delegating authority effectively with just a few mouse clicks. Moving objects between domains In a multiple-domain Windows 2000 forest, you may need to move objects (users, organizational units, groups) between these multiple domains. You use the MOVETREE command line utility to perform many of these operations. When you move users and groups to a new domain, they receive new security identifiers (SIDs). Fortunately, Windows 2000 running in native mode supports an attribute called SIDHistory. As you move a user from domain to domain, Windows 2000 populates SIDHistory so you do not have to reset permissions to objects each time you perform the move operation. MOVETREE assists you with most move operations between domains. And in those cases for which MOVETREE cannot do the job, you can turn to another utility called NETDOM. MOVETREE can Move most Active Directory objects (including nonempty containers) from one domain to another in the same forest. Move domain local and global groups between domains. These groups cannot contain members, however. The domains must exist within the same forest. Move universal groups and their members between domains of the same forest. MOVETREE can move most Active Directory objects. Those that it cannot move when you try to relocate groups of objects become orphaned. Windows 2000 places these orphaned objects in a special container called LostAndFound. You can view this container by using the Advanced View feature of Active Directory Users and Computers. You must have the appropriate administrative permissions to use MOVETREE from the command prompt. This command uses the following syntax: MOVETREE {/start | /startnocheck | /continue | /check} /s SrcDSA /d DstDSA /sdn SrcDN /ddn DstDN [/u [Domain]Username /p Password] [/verbose] [{/? | /help}] The italicized entries in this syntax represent information you must provide. Table 1 describes the switches you can use with the MOVETREE command. Table 1 MOVETREE Command Switches Switch What It Does /start Initiates the move operation. /startnocheck Starts a MOVETREE operation with no /check. /continue Continues the execution of a previously paused or failed MOVETREE operation. /check Performs a test run of the MOVETREE operation. /s SrcDSA Specifies the source server's fully qualified domain name (FQDN). /d DstDSA Specifies the destination server's FQDN. /sdn SrcDN Specifies the distinguished name of the object you are moving from the source. /ddn DstDN Specifies the distinguished name of the object you are moving to the destination. /u Runs MOVETREE under the credentials of the username and password provided. /verbose Causes MOVETREE to display more details as it runs. /? Displays help about MOVETREE. MOVETREE creates log files when operations are performed. You can check these log files for information regarding the success or failure of MOVETREE events: MOVETREE.ERR: Lists any errors encountered. MOVETREE.LOG: Lists statistical results of the operation. MOVETREE.CHK: Lists any errors detected from MOVETREE being executed in check mode. MOVETREE moves computer objects from one domain to another for you, but it cannot disjoin the computer from the source domain and join it to the target domain. This limitation makes NETDOM a much better utility for moving computers between domains in a Windows 2000 Active Directory setting. NETDOM uses the following syntax to move computer accounts: MOVETREE {/NETDOM move /D:domain [/OU:ou_path] [/Ud:User /Pd:{Password|*}] [/Uo:User /Po:{Password|*}] [/Reboot:[time_in_seconds]] Table 2 describes the switches you use with the NETDOM command. Table 2 NETDOM Command Switches Switch What It Does /domain Identifies the target domain. /OU:ou_path Specifies the target OU. /Ud:User Indicates the user account used to make the connection with the target domain. Pd:{Password|*} Enters the password for the user account used to connect to the destination domain; if you use *, NETDOM prompts for the password. /Uo:User Identifies the user account used to make the connection to the source domain. /Po:{Password|*} Enters the password for the user account used to connect to the original domain; if you use *, NETDOM prompts for the password. /Reboot:[time_in_seconds] Specifies that the computer being moved should shut down and reboot automatically in the given number of seconds after the move operation.

Article / Updated 03-26-2016

The terms object, organizational unit, domain, tree, and forest are used to describe the way Active Directory organizes its directory data. Like all directories, Active Directory is essentially a database management system. The Active Directory database is where the individual objects tracked by the directory are stored. Active Directory uses a hierarchical database model, which groups items in a tree-like structure. The following sections explain the meaning of these important Active Directory terms. Objects The basic unit of data in Active Directory is called an object. Active Directory can store information about many different kinds of objects. The objects you work with most are users, groups, computers, and printers. The figure below shows the Active Directory Manager displaying a list of built-in objects that come preconfigured with Windows Server 2008 R2. To get to this management tool, choose Start→Administrative Tools→Active Directory Users and Computers. Then click the Builtin node to show the built-in objects. Objects have descriptive characteristics called properties or attributes. You can call up the properties of an object by double-clicking the object in the management console. Domains A domain is the basic unit for grouping related objects in Active Directory. Typically, domains correspond to departments in a company. For example, a company with separate Accounting, Manufacturing, and Sales departments might have domains named (you guessed it) Accounting, Manufacturing, and Sales. Or the domains correspond to geographical locations. For example, a company with offices in Detroit, Dallas, and Denver might have domains named det, dal, and den. Note that because Active Directory domains use DNS naming conventions, you can create subdomains that are considered to be child domains. You should always create the top-level domain for your entire network before you create any other domain. For example, if your company is named Nimbus Brooms and you’ve registered NimbusBroom.com as your domain name, you should create a top-level domain named NimbusBroom.com before you create any other domains. Then, you can create subdomains such as Accounting.NimbusBroom.com, Manufacturing.NimbusBroom.com, and Sales.NimbusBroom.com. If you have Microsoft Visio, you can use it to draw diagrams for your Active Directory domain structure. Visio includes several templates that provide cool icons for various types of Active Directory objects. For example, the following figure shows a diagram that shows an Active Directory with four domains created with Visio. Note that these domains have little to do with the physical structure of your network. In Windows NT, domains usually are related to the network’s physical structure. Every domain must have at least one domain controller, which is a server that’s responsible for the domain. However, unlike a Windows NT PDC, an Active Directory domain controller doesn’t have unique authority over its domain. In fact, a domain can have two or more domain controllers that share administrative duties. A feature called replication works hard at keeping all the domain controllers in sync with each other. Organizational units Many domains have too many objects to manage all together in a single group. Fortunately, Active Directory lets you create one or more organizational units, also known as OUs. OUs let you organize objects within a domain, without the extra work and inefficiency of creating additional domains. One reason to create OUs within a domain is so that you can assign administrative rights to each OU of different users. Then, these users can perform routine administrative tasks such as creating new user accounts or resetting passwords. For example, suppose the domain for the Denver office, named den, houses the Accounting and Legal departments. Rather than create separate domains for these departments, you could create organizational units for the departments. Trees A tree is a set of Active Directory names that share a common namespace. For example, the domains NimbusBroom.com, Accounting.NimbusBroom.com, Manufacturing.NimbusBroom.com, and Sales.NimbusBroom.com make up a tree that is derived from a common root domain, NimbusBroom.com. The domains that make up a tree are related to each other through transitive trusts. In a transitive trust, if DomainA trusts DomainB and DomainB trusts DomainC, then DomainA automatically trusts DomainC. Note that a single domain all by itself is still considered to be a tree. Forests As its name suggests, a forest is a collection of trees. In other words, a forest is a collection of one or more domain trees that do not share a common parent domain. For example, suppose Nimbus Brooms acquires Tracorum Technical Enterprises, which already has its own root domain named TracorumTech.com, with several subdomains of its own. Then, you can create a forest from these two domain trees so the domains can trust each other. The key to Active Directory forests is a database called the global catalog. The global catalog is sort of a super-directory that contains information about all of the objects in a forest, regardless of the domain. Then, if a user account can’t be found in the current domain, the global catalog is searched for the account. The global catalog provides a reference to the domain in which the account is defined.