Active Directory, Part II (academy.delmar.edu/Courses/ITSC1405/eBooks/Win2K-03...)


Chapter 12

Active Directory, Part II

In This Chapter

■ Actively managing the Active Directory

■ Understanding the difference between Active Directory planning and practical uses of Active Directory

■ Optimizing organizational units in Active Directory

■ Configuring and delegating OU permissions in Active Directory

■ Adding and moving common Active Directory objects including users, groups, and computers

■ Understanding Active Directory site and domain management

Believe it or not, you’ve already been working with Active Directory! If you’ve followed many of my examples and steps since the beginning of the book, you’ve installed a domain controller, and thus you have installed Active Directory (see Chapter 2). If you’ve added users, as discussed in Chapter 9, then you have used Active Directory to accomplish a task. I share this with you so that you can minimize if not eliminate any Active Directory anxiety you’ve built up.

This chapter is the “yang” to the “yin” of the last chapter. Whereas the last chapter was planning-centric, this chapter focuses on the practical and pragmatic aspects of Active Directory. It’s hands-on, so let’s get going.

Optimizing Organizational Units

I’ve come to believe the organizational units (OUs) are where the MCSEs and MBAs can find common ground. I talked about this coming together of business and technical perspectives in the last chapter. In this chapter, we make it happen. Ideally, your Active Directory will be, first and foremost, pragmatic. I believe that the OUs can be designed with the underlying organization in mind, be it corporations, not-for-profit organizations, or government agencies. That is, OUs can be created for different functional areas of responsibility, such as marketing, manufacturing, and legal. Another possibility that works for many firms is to create OUs by geographic location: corporate headquarters, branch offices, project sites, and even vendor sites.

4620-1 ch12.f.qc 10/28/99 12:04 PM Page 425


Of course, if you feel the world should be run by MCSEs, you might build a complex Active Directory based on subnets, hardware locations, and other technology-based dimensions. The choice is yours. You can create an Active Directory with a focus on business functions, technology resources, or a combination of the two.

Remember that OUs may contain users, groups, and computer accounts. OUs are typically used to delegate administrative control.

OUs are best deployed if they define administrative boundaries in your domain.

To create an OU, follow these steps.

STEPS: Creating an OU

Step 1. Select Administrative Tools, Active Directory Users and Computers on the Start menu. The Active Directory Users and Computers MMC will appear.

Step 2. Right-click the domain icon in the left pane. The secondary menu will be displayed.

Step 3. Select New, Organizational Unit from the secondary menu.

Step 4. The Create New Object - (Organizational Unit) dialog box will appear (see Figure 12-1). Name the OU.

Step 5. Click OK. The OU will appear in the left pane of the Active Directory Users and Computers MMC (see Figure 12-2).

Figure 12-1: Creating an OU

Part IV: Active Directory and Security

Figure 12-2: OU displayed in Active Directory Users and Computers MMC

You may recall a secret near the end of Chapter 11 where I suggested you consider creating just one OU and putting everything in it, at least to start with. You would then critically evaluate the need for additional OUs on a case-by-case basis. But be advised that while this advice is valid, it clearly applies to small and medium-sized organizations, not full-scale enterprises.

You want to be master of your own destiny with your Active Directory and create at least one OU right away. That’s because the built-in default containers shown in Active Directory Users and Computers are not very useful or practical. First, these containers are not true OUs. Second, you cannot create OUs within these default containers. Finally, you can’t apply group policy to these default containers. Take my advice and create your own OU or OUs as soon as possible.

An OU inside an OU

There are very important reasons to consider creating an OU within an OU. For example, this might make the best sense if you work in a decentralized or matrix organization. Another reason to have OUs within OUs would be a project management organization, where the embedded OU might be named after a project of limited scope and duration. To create an OU within an OU, follow these steps.


STEPS: Creating an OU within an OU

Step 1. Select the OU in the left pane of the Active Directory Users and Computers MMC.

Step 2. Right-click the OU that you selected. The secondary menu will appear.

Step 3. Select New ➪ Organizational Unit from the secondary menu.

Step 4. The Create New Object - (Organizational Unit) dialog box will appear. Enter the name of the OU in the Name field.

Step 5. Click OK and observe that the new, embedded OU appears indented under the original OU (see Figure 12-3).

Figure 12-3: OU within an OU

OU permissions

In order to create an OU within an OU (as you did when creating Northwest inside of Marketing in the previous example), you must have the following permissions in the parent container (for example, Marketing):


■ Create Organizational Unit Objects

■ List Contents

■ Read

The List Contents right isn’t truly necessary when creating an OU within an OU. However, if you don’t grant the List Contents right correctly, you would not be able to see the embedded OU you just created. Not only is out of sight the same as out of mind, it’s also out of management (can’t be managed).

To assign and modify Active Directory permissions, follow these steps.

STEPS: Managing Active Directory permissions

Step 1. In the Active Directory Users and Computers MMC, select View ➪ Advanced Features.

Step 2. Right-click an object (for example, the Marketing OU). Select Properties from the secondary menu.

Step 3. Select the Security tab on the OU’s Properties sheet.

Step 4. You may now grant or deny the Full Control, Read, Write, Create All Child Objects, and Delete All Child Objects permissions.

Step 5. If you select the Advanced button, the Access Control Settings appear. You may set advanced permissions such as Special.

The Access Control Settings dialog box displays permissions entries in the column-and-row format that many of us have been searching for. Many times, I have wanted to know who has access to what, and wanted the information presented in a columnar report-type format. The Access Control Settings dialog box does exactly that.

Step 6. Click OK to return to the Active Directory Users and Computers MMC. You have now modified the permissions for an Active Directory object.

On the Security tab of an OU’s properties sheet, you may select the Allow inheritable permissions from the parent to propagate to this object checkbox. Simply stated, this allows this OU to inherit rights from its parent.

Likewise, on the Access Control Settings dialog box, selected via the Advanced button from the Security tab of an OU’s properties sheet, you can have the existing OU’s permissions propagate to any existing or future children. This is the last-will-and-testament option. To invoke this option, select the Allow inheritable permissions from the parent to propagate to this object checkbox.
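The same work from the command line, as an added example that is not part of the book: it creates the Marketing and Northwest OUs, prints the OU’s ACL in the column-and-row form the Access Control Settings dialog uses, checks the three rights listed above for a given principal, and reads the inheritance switch. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 and later, not the Windows 2000 tooling) and a hypothetical Marketing-Admins group.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module (RSAT /
# Windows Server 2008 R2 and later) and its AD: drive; the group name is a placeholder.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName                    # e.g. DC=example,DC=local
$parentOU  = "OU=Marketing,$domainDN"
$principal = "$($domain.NetBIOSName)\Marketing-Admins"    # hypothetical group

# Create the Marketing OU and the nested Northwest OU, skipping any that exist.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Marketing)' -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Marketing' -Path $domainDN
}
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Northwest)' -SearchBase $parentOU -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Northwest' -Path $parentOU
}

# "Create Organizational Unit Objects" is the CreateChild right scoped to the
# organizationalUnit class, so look up that class's schemaIDGUID in the schema.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$ouClassGuid = [Guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=organizationalUnit)' `
                   -Properties schemaIDGUID).schemaIDGUID

# The same column-and-row view the Access Control Settings dialog gives.
$acl = Get-Acl -Path "AD:\$parentOU"
$acl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  IsInherited, InheritanceType, ObjectType |
    Format-Table -AutoSize

# Check the three rights the chapter lists, looking only at ACEs granted
# directly to $Identity (rights held through group nesting are not resolved here).
function Test-OuCreateRights {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [string]$Identity,
        [Guid]$OuClassGuid
    )
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $allow = $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Identity
    }
    $create = $allow | Where-Object {
        (($_.ActiveDirectoryRights -band $R::CreateChild) -ne 0) -and
        ($_.ObjectType -eq $OuClassGuid -or $_.ObjectType -eq [Guid]::Empty)   # Empty = any child class
    }
    $list = $allow | Where-Object { ($_.ActiveDirectoryRights -band $R::ListChildren) -ne 0 }
    $read = $allow | Where-Object { ($_.ActiveDirectoryRights -band $R::ReadProperty) -ne 0 }
    [PSCustomObject]@{
        Identity     = $Identity
        CreateOU     = [bool]$create
        ListContents = [bool]$list
        Read         = [bool]$read
    }
}
Test-OuCreateRights -Acl $acl -Identity $principal -OuClassGuid $ouClassGuid

# Inheritance switch: AreAccessRulesProtected is $false while "Allow inheritable
# permissions from the parent to propagate to this object" is ticked.
"Marketing inherits from parent: $(-not $acl.AreAccessRulesProtected)"
```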


And in all cases, there is no usurious inheritance tax.

Delegating control

Another cool Active Directory feature, viewed from the OU perspective, is that it allows you to delegate control of an OU to someone else. This is how you can create a mini-administrator, a highly desirable new feature in Windows 2000 Server. The basic reason for delegating control is to make your life easier by having someone help you manage an OU. It is also easier to track permissions at the OU level. Follow these steps to delegate control.

STEPS: Delegating control

Step 1. Select an OU, right-click, and select Delegate Control from the secondary menu. The Delegation of Control Wizard will appear (see Figure 12-4).

Figure 12-4: Delegation of Control Wizard

Step 2. Click Next. The Users or Groups screen appears (see Figure 12-5). Select the group or user that you want to delegate control to via the Add button. Click Next.


Figure 12-5: Users or Groups Selection screen

Step 3. Select the Tasks to Delegate from the list of common tasks or create a custom task to delegate (see Figure 12-6). Click Next.

Figure 12-6: Tasks to delegate


Step 4. Click Finish at the Completing the Delegation of Control Wizard screen. You have now delegated the OU control you elected to delegate to a user or group.
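What the wizard’s common task “create, delete, and manage user accounts” writes to the OU, done by hand and then reviewed, as an added example that is not from the book. It assumes the ActiveDirectory module and a hypothetical Marketing-Admins group as the delegate; the two ACEs are scoped to the user class so the delegate gets nothing over groups, computers, or child OUs.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and an
# existing group named Marketing-Admins (placeholder) to act as the delegate.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Marketing,$domainDN"
$delegate = Get-ADGroup -Identity 'Marketing-Admins'
$sid      = [System.Security.Principal.SecurityIdentifier]$delegate.SID

# schemaIDGUID of the user class: the ACEs below are scoped to it so the
# delegate gets no rights over groups, computers or child OUs.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$userGuid = [Guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
                -Properties schemaIDGUID).schemaIDGUID

$R     = [System.DirectoryServices.ActiveDirectoryRights]
$I     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: create and delete user objects in this OU and in its child OUs.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($R::CreateChild -bor $R::DeleteChild), $Allow, $userGuid, $I::All))

# ACE 2: full control over the user objects themselves (descendants of class
# user only), which is what "manage user accounts" amounts to.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $R::GenericAll, $Allow, $I::Descendents, $userGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review what has been delegated on an OU: explicit ACEs only, since inherited
# ones were granted higher up and are reviewed there.
function Get-DelegatedAce {
    param([string]$DN)
    (Get-Acl -Path "AD:\$DN").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}
Get-DelegatedAce -DN $ouDN | Format-Table -AutoSize
```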

Another approach to delegating control is to create your own Microsoft Management Console (MMC) and then assign permissions that permit a delegate to use the custom MMC. For example, create an MMC with three or four of your favorite snap-ins. In Figure 12-7, I’ve created an MMC with the Computer Management, Event Viewer, Resource Kits, and Performance Logs and Alerts snap-ins.

Figure 12-7: Custom MMC

Next, select Options from the Console menu. The Options dialog box will appear. Select the Console tab and select User mode - full access (see Figure 12-8). Click OK. You have now delegated control to this MMC. Be sure to save your MMC when you exit.


Figure 12-8: Console mode

You may now distribute this MMC to other users. By setting the MMC console to User mode, the other users may not modify this custom MMC, but rather they may use it to complete system management tasks. You may have noticed that the Console mode field had several selections:

■ Author mode: Allows access to all MMC functionality including adding, creating, and modifying the MMC. You may also navigate the entire MMC tree.

■ User mode - full access: Users have access to all MMC management functionality and the MMC tree. However, users cannot add or remove snap-ins or change console file options. The Save commands are disabled.

■ User mode - limited access, multiple window: This is a more restrictive setting. Users cannot modify the MMC, open new windows, or see areas of the console tree that weren’t visible when the MMC was last saved. Multiple windows are allowed.

■ User mode - limited access, single window: Same as the multiple window option except that only a single window is displayed.

Advanced features

A little-known secondary menu option, displayed when you right-click the domain object, is View ➪ Advanced Features. When selected, Advanced Features displays several more Active Directory components in the MMC, as seen in Figure 12-9.


Figure 12-9: Advanced Features

For example, one of the objects displayed is LostAndFound. This object is the default container for orphaned objects. Orphaned objects are created when the relationship that ties these objects to other objects is somehow lost or broken. And to be brutally honest, orphaned objects can be created with no mistake on your part. Sometimes computers just hiccup or act in inexplicable ways.

Creating Users, Groups, and Computers

This section is actually a review for those of you who diligently read Chapter 9. Because of that, I’ll quickly review how you add users, groups, and computers.

The first steps are the same. To create a user, group, or computer, simply right-click the domain or OU in the left pane of the Active Directory Users and Computers MMC. From the secondary menu, select New. You would then select User, Group, or Computer depending on the task you want to complete.

If you select User, the Create New Object - (User) Wizard will be displayed (see Figure 12-10). Complete each screen to create the user.


Figure 12-10: Creating a user

If you select Group, the Create New Object - (Group) Wizard appears (see Figure 12-11). Complete each field and click OK to create the group.

Figure 12-11: Creating a group


If you select Computer, the Create New Object - (Computer) Wizard will be displayed (see Figure 12-12). Name the computer and click OK to create the computer.

It is very important to select the Allow pre-Windows 2000 computers to use this account checkbox if you are creating a computer account for a Windows NT 4.0 Workstation machine (as an example).

Figure 12-12: Creating a computer account

You can also create custom objects such as figures. I’ve seen this done in Active Directory where an organization wanted to have a picture of a floor plan showing where each user was located. Good idea when conceived on the whiteboard during planning. Bad idea when fully implemented. Why? Because creating objects such as artwork and figures causes the Active Directory database to grow exponentially in size, resulting in poor performance.

Moving Objects

If you’ve followed the examples in both Chapter 9 and this chapter, you will notice that the user, group, and computer exist as objects just below the domain in the Active Directory. It would be better to move these to an OU.

Be advised about the basic guidelines concerning moving objects such as users, groups, and computers. Object permissions move with the object, but inherited permissions do not move.


Follow these steps to move a user, group, and computer to the Marketing OU (again, assuming you’ve created that).

STEPS: Moving a user, group, and computer

Step 1. Select the object you want to move. Right-click the object to display the secondary menu. In this example, I’ve selected Raymond MacMillan, a user.

Step 2. Select Move. The Move dialog box appears.

Step 3. Select the container that you want to move the object to. In this example, I’ve selected Marketing (see Figure 12-13).

Figure 12-13: Move dialog box

Step 4. Click OK.

Step 5. The object, Raymond MacMillan, has moved to the Marketing OU (see Figure 12-14). Repeat steps 1 to 4 to move a computer or group.
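The creation and move walk-throughs above, scripted so the permission rule can be observed rather than taken on faith, as an added example that is not from the book: it creates a sample user, group, and computer below the domain, moves each into Marketing, and counts explicit versus inherited ACEs before and after. It assumes the ActiveDirectory module and an existing Marketing OU; the three objects are constructed samples.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and a
# Marketing OU; the user, group and computer are constructed sample objects.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$targetOU = "OU=Marketing,$domainDN"

# Create the three object types in the default containers, just below the
# domain, as the chapter's walk-through does.
$user = New-ADUser -Name 'Raymond MacMillan' -SamAccountName 'rmacmillan' `
            -Path "CN=Users,$domainDN" -PassThru
$group = New-ADGroup -Name 'Marketing Staff' -GroupScope Global -GroupCategory Security `
            -Path "CN=Users,$domainDN" -PassThru
$computer = New-ADComputer -Name 'MKT-WS01' -Path "CN=Computers,$domainDN" -PassThru

# Split an object's ACL into the ACEs set on the object itself and those
# inherited from its container.
function Get-AceSummary {
    param([string]$DN)
    $access = (Get-Acl -Path "AD:\$DN").Access
    [PSCustomObject]@{
        Explicit  = @($access | Where-Object { -not $_.IsInherited })
        Inherited = @($access | Where-Object { $_.IsInherited })
    }
}

# Move one object and compare: the explicit ACEs travel with the object, the
# inherited ones are recomputed from the new parent OU by the DC's security
# descriptor propagator (re-read after a moment if the counts look stale).
function Move-AndCompare {
    param($Object, [string]$TargetPath)
    $before = Get-AceSummary -DN $Object.DistinguishedName
    $moved  = Move-ADObject -Identity $Object.DistinguishedName -TargetPath $TargetPath -PassThru
    $after  = Get-AceSummary -DN $moved.DistinguishedName
    [PSCustomObject]@{
        Name              = $Object.Name
        NewDN             = $moved.DistinguishedName
        ExplicitBefore    = $before.Explicit.Count
        ExplicitAfter     = $after.Explicit.Count
        InheritedBefore   = $before.Inherited.Count
        InheritedAfter    = $after.Inherited.Count
        ExplicitUnchanged = ($before.Explicit.Count -eq $after.Explicit.Count)
    }
}

@($user, $group, $computer) |
    ForEach-Object { Move-AndCompare -Object $_ -TargetPath $targetOU } |
    Format-Table -AutoSize
```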


Figure 12-14: Moving an object

Active Directory Sites and Services

The Active Directory Sites and Services MMC, launched from the Administrative Tools group, is used to manage the replication of critical Active Directory information, including network services, domain controller, and site information. A site is really just a collection of subnets.

One rule of thumb has been that sites are LANs and separate sites represent a WAN.

The replication process is managed via the Active Directory Sites and Services MMC (see Figure 12-15). A few facts about replication might be of interest to you. First, configuring replication often means you must choose between accurate data and high performance. If replications are performed frequently, the data contained at each domain controller will be as accurate as possible. That is a good thing. But this data accuracy comes at a price. This frequent replication pattern consumes network bandwidth. The trade-off is this: accurate data versus network traffic issues.

When discussing one site, the originating domain controller with a delta change to its Active Directory database is responsible for notifying the replication partners about such changes. This occurs via a communication known as change notification. The replication partner, typically within five minutes of receiving this message, pulls down the delta Active Directory changes. When discussing multiple sites, replication is scheduled manually.

One exception to this change notification process is that security-sensitive updates, defined as security-related attributes, are pulled down by the replication partner immediately.

Replication pathways within a single site are created via the Knowledge Consistency Checker (KCC). KCC creates pathways that are feasible within three hops. New domain controllers, when added to the network, are automatically added to the replication pathway by KCC.

Figure 12-15: Active Directory Sites and Services MMC

All replication traffic, whether within one site or across multiple sites, uses Remote Procedure Calls (RPC) as the underlying transport mechanism. With multiple site communications, Simple Mail Transport Protocol (SMTP) may also be used. The RPC communication process is shown in Figure 12-16.

Figure 12-16: The RPC communication process (diagram: Windows 2000 Server Domain Controller A and Domain Controller B, each layered as Remote Procedures, Server Stub, Server RPC Runtime Library, and Network Transport)


Because you are using RPCs in your site replication, you will need to use the RPING utility from Microsoft Exchange to assist in troubleshooting replication problems. RPING is discussed in Chapter 20.
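A way to see the replication topology this section describes (sites as subnet collections, KCC-generated connections, per-partner transport and last success) from the command line, as an added example that is not from the book. It assumes the replication cmdlets of the ActiveDirectory module (Windows Server 2012 and later), which did not exist for Windows 2000; the one-hour staleness threshold is an assumed value.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module's
# replication cmdlets (Windows Server 2012 and later; not available on Windows 2000).
Import-Module ActiveDirectory

# A site is a collection of subnets: list each site with the subnets assigned to it.
function Get-SiteSubnetMap {
    $subnets = Get-ADReplicationSubnet -Filter *
    Get-ADReplicationSite -Filter * | ForEach-Object {
        $siteDN = $_.DistinguishedName
        [PSCustomObject]@{
            Site    = $_.Name
            Subnets = ($subnets | Where-Object { $_.Site -eq $siteDN } |
                       Select-Object -ExpandProperty Name) -join ', '
        }
    }
}

# Connection objects the KCC built automatically versus ones added by hand.
function Get-KccConnectionMap {
    Get-ADReplicationConnection -Filter * |
        Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
}

# Per-partner replication state for one DC: partition, transport (RPC within a
# site, SMTP possible between sites), last success and consecutive failures.
function Get-ReplicationHealth {
    param(
        [string]$Server = (Get-ADDomainController).HostName,
        [int]$StaleAfterHours = 1     # assumed threshold
    )
    Get-ADReplicationPartnerMetadata -Target $Server -Scope Server | ForEach-Object {
        # Partner is the DN of the partner's NTDS Settings object; its second RDN is the DC name.
        $partnerName = (($_.Partner -split ',')[1]) -replace '^CN=', ''
        [PSCustomObject]@{
            Server      = $_.Server
            Partner     = $partnerName
            Partition   = $_.Partition
            Transport   = $_.IntersiteTransportType
            LastSuccess = $_.LastReplicationSuccess
            Failures    = $_.ConsecutiveReplicationFailures
            LastResult  = $_.LastReplicationResult
            Stale       = ($_.LastReplicationSuccess -lt (Get-Date).AddHours(-$StaleAfterHours))
        }
    }
}

Get-SiteSubnetMap     | Format-Table -AutoSize
Get-KccConnectionMap  | Format-Table -AutoSize
Get-ReplicationHealth | Format-Table -AutoSize
```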

Active Directory Domains and Trusts

The Active Directory Domains and Trusts MMC (see Figure 12-17) is launched from the Administrative Tools program group. Its main function is to manage domain trusts and user principal name suffixes and change the domain mode. Domains are administrative units typically created to assist you in organizing and managing your network resources. Trusts create secure pathways between domains.

Specifically, you may use Active Directory Domains and Trusts to

■ Support mixed mode domain operations in mixed Windows 2000 and Windows NT domain environments

■ Configure operations to run in strict Windows 2000 native mode

■ Add/remove domain names

■ Change the domain controller that holds the domain naming operations master role

■ Create and modify domain trusts

■ Gather and observe information about domain management
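The same information the Domains and Trusts MMC manages (domain mode, UPN suffixes, the domain naming master, and each trust’s direction and transitivity), gathered as a report, as an added example that is not from the book. It assumes the ActiveDirectory module; the two review notes are the reviewer’s reading of the trust settings, not something the chapter names.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module; the
# review notes are the reviewer's reading, not settings the chapter names.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Domain mode (mixed/native in Windows 2000 terms), UPN suffixes and the
# domain naming master: the things the chapter says this MMC manages.
[PSCustomObject]@{
    Domain             = $domain.DNSRoot
    DomainMode         = $domain.DomainMode
    UPNSuffixes        = ($forest.UPNSuffixes -join ', ')
    DomainNamingMaster = $forest.DomainNamingMaster
}
# To move the role to another DC (not run here):
#   Move-ADDirectoryServerOperationMasterRole -Identity <DC> -OperationMasterRole DomainNamingMaster

# Trusts: direction, transitivity and the two settings that bound what an
# account from the trusted domain can do on this side.
function Get-TrustReport {
    Get-ADTrust -Filter * | ForEach-Object {
        $notes = @()
        if (-not $_.IntraForest -and -not $_.ForestTransitive -and -not $_.SIDFilteringQuarantined) {
            $notes += 'SID filtering (quarantine) off on an external trust'
        }
        if (-not $_.IntraForest -and $_.Direction -ne 'Outbound' -and -not $_.SelectiveAuthentication) {
            $notes += 'selective authentication off: any trusted-domain user may authenticate here'
        }
        [PSCustomObject]@{
            Partner       = $_.Name
            Type          = $_.TrustType
            Direction     = $_.Direction              # Inbound, Outbound or BiDirectional
            IntraForest   = $_.IntraForest
            ForestTransit = $_.ForestTransitive
            Transitive    = -not $_.DisallowTransivity   # property really is spelled this way in the module
            SelectiveAuth = $_.SelectiveAuthentication
            SIDFiltering  = $_.SIDFilteringQuarantined
            ReviewNotes   = ($notes -join '; ')
        }
    }
}
Get-TrustReport | Format-Table -AutoSize
```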

Figure 12-17: Active Directory Domains and Trusts


Summary

This chapter brought a discussion of the practical aspects of Active Directory:

■ Implementing Active Directory in your organization

■ Creating and moving objects in Active Directory

■ Understanding which Active Directory MMC to use under what circumstances

■ Delegating OU permissions in Active Directory

■ Understanding Active Directory site and domain management
