Active Directory

These pages provide information for Oxford University IT Support Staff on installing and running Active Directory within University departments and colleges.

Active Directory is a large subject area and many publications and courses already exist, so these web pages are not intended to duplicate this information. Rather they concentrate on details that are specific to the Oxford University environment, providing a checklist of key tasks for IT officers installing or running Active Directory, and listing pointers to useful tools, utilities and sources of support.

In particular these pages include information on naming domains, and configuring DNS to support Active Directory within the University environment.

We recommend that everyone running Active Directory, including experienced Active Directory administrators who are new to the Oxford environment, read at least the pages on How to configure DNS for Active Directory within the Oxford University Environment.

1. Introduction

The devolved nature of IT provision within Oxford University means that there is no single central directory service for managing desktops. Instead departments and colleges run their own according to their requirements. Departments and colleges running Active Directory generally install and run their own self-contained, single-domain Active Directory forest.

It is not compulsory to run one Active Directory forest per department, and there are some instances where several departments share a common Active Directory infrastructure. Although less common, this configuration is equally valid.

2. DNS

Active Directory relies heavily on DNS and various problems can arise from an incorrectly configured DNS. The DNS configuration for Active Directory is slightly unusual, so refer to the How to configure DNS for Active Directory within the Oxford University Environment pages for details.

If you’re familiar with the ways in which DNS is configured for Active Directory within the University you can skip directly to the recommended configuration: Configuring DNS to Support Active Directory using an Existing DNS Name (Option 1).

It is also possible to configure DNS slightly differently, to use a different domain name to the usual DNS domain name in use. This is documented in the Alternative configuration: Configuring DNS to support Active Directory using a Private Internal Name (Option 2).

NB these pages were revised in August 2008. If you are using the DNS configuration detailed in the previous version, you need the recommended configuration (Option 1).

3. Checklist for Planning, Installing and Configuring Active Directory

This section provides a summary of the steps that are usually needed when planning, installing and configuring an Active Directory domain or forest, including recommendations for the Oxford environment. It covers common tasks, but is not an exhaustive list as details will depend on local environments and requirements.

Plan and configure your namespace and DNS
As described above, this is vital as incorrect configuration can lead to a variety of problems. More detailed information is provided on naming and DNS configuration. Consider including DNS checks as part of a regular maintenance plan. Changing domain names is not something to be undertaken lightly, so it’s worth planning naming carefully. Note that in Windows 2008 Server, IPv6 is enabled by default; if you’re not using it, you may decide to disable it until it’s needed (see Microsoft’s IPv6 for Microsoft Windows: Frequently Asked Questions).
Domain Controllers
Aiming for a minimum of two, possibly three domain controllers reduces the probability of ever needing to restore the Active Directory database from backup. For more flexibility, consider putting other services (e.g. file sharing) onto member servers, and use your domain controllers only for authentication and name resolution services such as DNS, WINS etc. This makes them much easier to move, upgrade etc.
NetBIOS Names
If you are using the central WINS servers, plan the NetBIOS names of your servers and domains (the first part of the DNS name, up to the first “.”) to minimise the risk of name clashes. See The Central Windows Internet Name Service (WINS) for further information. If you use internal WINS servers (or don’t use any) then you only need to make sure you use unique names within your college or department.
Preparing an Existing Domain or Forest
If you are adding a new type of domain controller into an existing domain (e.g. a 2008 domain controller into a domain of 2003 R2 servers), you normally need to prepare the forest and/or domain before you add or upgrade the first server running the new operating system. This is done using the adprep.exe command on the install media of the new operating system. Among other things it upgrades the schema to the required level. See for example the Microsoft Adprep page on preparing to add a server running 2008 to a 2000 or 2003 domain or forest, and their other Adprep page for adding 2003 to a 2000 domain. Note that to add a 2003 R2 server to a 2003 or 2000 domain, you need to use the version of adprep.exe on the second CD. Note also that this applies only to domain controllers.
Installing Active Directory
Under 2003 (or 2000), use dcpromo to install Active Directory. It’s a more flexible method than one of the wizards, particularly if you need to change the NetBIOS name of a domain. Under 2008 the wizard is more flexible and should allow you to select the Advanced mode near the start of the process.
Restore Mode Password
During the installation of Active Directory, you will be prompted for the Restore Mode Password. Keep this safe as although it’s rarely used you might need to know it for certain maintenance and restore operations.
Replication
If you have more than one domain controller, check replication each time you add or remove a domain controller. Consider checking periodically for errors as part of a maintenance plan.
Configure time
Configure the PDC emulator for the forest root to synchronise with an external time source. This may be your college/departmental ntp servers, if you have them, or else the IT Services stratum 3 ntp servers. Remember to change this if you move the PDC emulator role. Everything time-related should follow automatically. See Configure the Windows Time service on the PDC emulator for more information and instructions.
Virtualisation
Running your Active Directory infrastructure within a virtual environment can work, but there are some points to watch. Avoid the use of REDO and snapshots for your domain controllers. Also take care with time synchronisation. There are various different schemes in use but the common principle seems to be: don’t synchronise to multiple sources on the same machine (e.g. don’t use both VMWare synchronisation and Active Directory’s normal mechanisms). Also watch out for time problems when you boot up a virtual server that has been down for some time. See for example Virtualizing a Windows Active Directory Domain Infrastructure for this and other information. NB for time synchronisation instructions, see the links in the previous point above.
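The following is an added example, not part of the original page or of Microsoft’s documentation, of the time configuration described in the two points above: it checks that it is running on the PDC emulator, points the Windows Time service at external NTP servers and verifies the result. The server names <ntp-server-1> and <ntp-server-2> are placeholders for your college/departmental or IT Services NTP servers.

```powershell
# Added example, not from the original page: configure the Windows Time service
# on the PDC emulator to use an external NTP source, then verify the result.
# <ntp-server-1> and <ntp-server-2> are placeholders for your college/departmental
# NTP servers or the IT Services stratum 3 servers. Run in an elevated PowerShell
# session on a domain controller of the forest root domain.

# 1. Find the current PDC emulator. netdom is in the Support Tools on 2000/2003
#    and built in on 2008; its output contains a line such as "PDC   dc1.dept.ox.ac.uk".
$pdc = $null
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^PDC\s+(\S+)') { $pdc = $Matches[1] }
}
if (-not $pdc) { throw "Could not determine the PDC emulator from 'netdom query fsmo'." }
if ($pdc.Split('.')[0] -ine $env:COMPUTERNAME) {
    Write-Warning "The PDC emulator is $pdc, not this machine. Run the script there,"
    Write-Warning "and remember to re-run it if the role is ever moved."
    return
}

# 2. Configure the time service: the PDC emulator takes time only from the listed
#    peers (0x8 = client mode) and advertises itself as a reliable time source, so
#    the rest of the domain/forest follows it through the normal hierarchy.
w32tm /config /manualpeerlist:"<ntp-server-1>,0x8 <ntp-server-2>,0x8" /syncfromflags:MANUAL /reliable:YES /update
Restart-Service W32Time
w32tm /resync /rediscover

# 3. Verify. /query is available on 2008 and later; on 2003 use 'w32tm /monitor'
#    and check the System event log for W32Time events instead.
w32tm /query /source
w32tm /query /status

# On a virtualised PDC emulator keep this as the only time source: turn off the
# hypervisor's guest time synchronisation so the two mechanisms do not fight.
```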
Global Catalog
In a single-domain environment, consider making all your domain controllers into global catalog servers. In multi-domain environments, plan the placement of global catalog servers together with the location of your operations master role-holders. See Planning Global Catalog Server Placement and Designate a domain controller to be a global catalog server.
Operations Master Roles
These are installed by default onto the first domain controller in a domain or forest. It’s important to know where they are as some operations may fail if the relevant operations master is unavailable. In more complex environments, particularly multi-domain forests, you may need to move some of them. See Operations master roles.
Install Additional Tools and Utilities
Some useful tools are not installed by default under Windows 2000 and 2003. Install the Support Tools package on all domain controllers (from the support folder on the 2003 or 2000 Server CD, or download the latest version from Microsoft). Under Windows 2008 many of these tools are included as part of the operating system. Also install the Group Policy Management Console on any systems that you use to manage group policy (again it’s included on Windows 2008). It’s more sophisticated than the built-in tools. It needs at least Windows 2003 or XP (it is included with 2008 by default).
Backup and Restore
Configure backup for Active Directory as well as your file stores, just in case. If you use Group Policy, consider backing up your Group Policy Objects periodically, for example using the Group Policy Management Console (see Tools and Utilities).
Functional Level
To enable additional features, raise the functional level of your domain and forest as high as possible. See Raising domain and forest functional levels and What Are Active Directory Functional Levels?
Security
Assess security. For example, consider applying a password policy using Group Policy, increasing the size of all the event logs, configuring security logging, and keeping an eye on the event logs. Consider enabling some security logging on clients as this isn’t enabled by default; Group Policy can make this easier. If you decide to apply more security settings, test thoroughly before letting them into the wild. For example, Microsoft’s Windows 2003 Security Guide contains various predefined group policy templates, but it benefits from some understanding before implementing, or it can have unexpected consequences.
Certificate Services
Implementing a PKI is a major topic in its own right and again benefits from reading around before installing. The JANET certificate service can also be used to secure certain services such as IIS web sites. Further information on setting up your own certificate server as part of an Active Directory installation is available on the Designing a Public Key Infrastructure pages.
Firewalls
Domain controllers by default use dynamic port allocation, so take care if you have firewalls between your domain controllers, on your domain controllers, or between domain controllers and domain members. It is possible to firewall a domain controller using the built-in firewall, but it’s not straightforward prior to Windows 2008 Server. On Windows 2008 Server the firewall is enabled by default; it is also configured automatically as required when you add roles.
Maintenance Plan
Consider developing and using a maintenance plan. A minimum might be to check event logs daily to weekly, paying particular attention to the additional logs available on domain controllers. The Directory Services log will tell you about directory replication, the File Replication Service log will tell you about file replication, and the DNS Service log will tell you about the health of your DNS Service.
Health Check
Consider developing a more thorough health check procedure using the available Tools and Utilities. Consider running through it, or appropriate parts of it, after any major changes such as adding and removing domain controllers, renumbering a subnet, etc., or just periodically (e.g. every 6–12 months).
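As an added example, not part of the original page, here is a basic health check of the kind described in the Maintenance Plan and Health Check points: it wraps the tools listed under Tools and Utilities and collects recent errors from the three domain controller logs into a report file. The report directory is an assumption; the tool and log names are real.

```powershell
# Added example, not from the original page: a basic health check that wraps the
# tools listed under "Tools and Utilities" and the three domain controller logs
# named above. Run as a domain administrator on a domain controller with the
# Support Tools installed (2000/2003) or on Windows 2008. The report path is an
# assumption; change it to suit.
$reportDir = 'C:\AdminReports'
$report    = Join-Path $reportDir ("ADHealth-{0:yyyyMMdd-HHmm}.txt" -f (Get-Date))
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

$out = @()
function Add-Section([string]$title, $body) {
    $script:out += "", "==== $title ====", ($body | Out-String -Width 200)
}

# 1. Operations master roles: record the holders so that a moved role or an
#    unreachable role holder is noticed, rather than discovered when something fails.
Add-Section 'Operations master roles' (netdom query fsmo)

# 2. Domain controller self-tests. /q prints failures only; the DNS test (2003 SP1
#    Support Tools and later) covers the registration and resolution problems that
#    the DNS section warns about.
Add-Section 'dcdiag (failures only)' (dcdiag /q)
Add-Section 'dcdiag DNS test'        (dcdiag /test:DNS /DnsBasic /q)

# 3. Replication: a per-DC summary, then any partner links currently in error.
Add-Section 'Replication summary'    (repadmin /replsummary)
Add-Section 'Replication errors'     (repadmin /showrepl * /errorsonly)

# 4. Errors and warnings in the DC-specific logs over the last 7 days. The Windows
#    log names differ slightly from the informal names used in the text.
$since = (Get-Date).AddDays(-7)
foreach ($log in 'Directory Service', 'DNS Server', 'File Replication Service') {
    $events = Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, EventID, Source,
                      @{ Name = 'Message'; Expression = { $_.Message -replace "`r?`n", ' ' } }
    $body = if ($events) { $events | Format-Table -AutoSize } else { "No errors or warnings since $since." }
    Add-Section "$log log" $body
}

$out | Out-File -FilePath $report -Encoding UTF8
Write-Host "Health check written to $report"
```

Run it after any major change and on the periodic schedule in your maintenance plan, and keep the reports so that a newly appearing replication or DNS error stands out against the previous run.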
Development and Testing
Consider using a copy of your preferred virtualisation software to set up a test domain where you can try out changes in a development environment. It may be worth purchasing a subscription to Microsoft Technet (email the Shop for details).

4. Tools and Utilities

Many tools are available to help monitor and troubleshoot Active Directory installations. Some of these tools are included as part of the Support Tools package which is available from the 2003 Server CD, or can be downloaded from Microsoft (2003 SP2 version). The Support Tools are particularly useful and are worth installing as standard. On Windows 2008 separate Support Tools are no longer available; many have been incorporated into the standard 2008 installation (search for Command Reference Overview in the Help and Support system to find out which as some tools haven’t been included).

This list is intended as a starting point to provide brief details of tools that between them will provide a reasonable view of the health of Active Directory (plus a couple of utilities for managing accounts). It is not intended as a definitive list as there are many other useful tools available.

ntdsutil.exe
Use for command-line maintenance of your Active Directory database. Installed by default on domain controllers and menu driven. Although many of its functions are also available via the GUI, it’s worth becoming familiar with this tool as sometimes nothing else will do. For example, it’s needed for cleaning up if a domain controller isn’t demoted cleanly.
dcdiag.exe
Command-line tool to perform various domain controller tests to help confirm health and diagnose problems. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
netdiag.exe
For network-related tests and troubleshooting. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
repadmin.exe and replmon.exe
Command-line tool to monitor and troubleshoot replication issues (repadmin.exe) and a GUI version that provides much of the same functionality (replmon.exe). Part of the Support Tools suite (2000/2003) or included by default in Windows 2008 (replmon is no longer provided).
ntfrsutl.exe
Accesses information on the ntfrs service including subscription information etc. Part of the Support Tools suite (2000/2003) or included by default in Windows 2008.
A graphical tool to monitor the status of the File Replication Service. Look for it on the Microsoft Download Center.
adsiedit.msc
Low-level editor for Active Directory. Installed as part of the Support Tools for Windows Server 2000 and 2003, and installed by default when you install Active Directory on Windows Server 2008.
Group Policy Management Console (GPMC)
It’s been around for a while but you need to download it separately on 2003 (it’s included in 2008). An improvement on the built-in group policy editor, you need at least 2003 server or XP SP1 to run it. Download it from Microsoft.
dsadd, dsget, dsmod, dsmove, dsquery, dsrm
Built-in command-line tools included with 2003 and 2008, use /? after the command for syntax.
csvde, ldifde
Built-in command-line tools included with 2000 and above. csvde is particularly useful for dumping the contents of Active Directory into a csv file, or creating new objects from a similar file. Again, use /? after the command for help.
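As an added example, not part of the original page, the ds* and csvde tools above can be combined into simple account-hygiene checks: listing inactive computer accounts and stale passwords, and exporting user attributes for review. The OU distinguished name and the output path are placeholders.

```powershell
# Added example, not from the original page: account-hygiene queries built from
# the ds* and csvde tools described above (2003 and later). The OU distinguished
# name and the output path are placeholders; change them for your own domain.
$ou  = 'OU=Staff,DC=dept,DC=ox,DC=ac,DC=uk'   # placeholder
$csv = 'C:\AdminReports\staff-users.csv'    # placeholder

# 1. Computer accounts that have not logged on for 12 or more weeks. dsquery
#    returns distinguished names; dsget turns them into a readable report that
#    shows whether each account is already disabled. -limit 0 removes the
#    default cap of 100 results.
dsquery computer $ou -inactive 12 -limit 0 | dsget computer -dn -disabled

# 2. Users whose password is older than 90 days, together with whether it is set
#    never to expire: useful before tightening the password policy via Group Policy.
dsquery user $ou -stalepwd 90 -limit 0 | dsget user -samid -pwdneverexpires

# 3. Export the users under the OU with a handful of attributes to CSV for review
#    in a spreadsheet. -f exports; the same tool with -i imports from such a file.
csvde -f $csv -d $ou -r '(&(objectCategory=person)(objectClass=user))' -l 'sAMAccountName,displayName,mail,userAccountControl'

# 4. Once the list from step 1 has been checked, disable (rather than delete) the
#    stale computer accounts so they can be re-enabled if a machine reappears.
# dsquery computer $ou -inactive 12 -limit 0 | dsmod computer -disabled yes
```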
ADModify.NET
Created to make it easier to do bulk operations on Active Directory objects, such as modifications, imports and exports. Requires the .NET Framework to be installed (probably version 2). It’s currently travelling the internet, so download from http://ADModify.NET and check the Microsoft Exchange Team Blog for an introduction.
redirusr.exe and redircmp.exe
Built-in command-line tools included with Windows 2003 and above. Change the default containers for new user and computer objects respectively.
Account lockout and Management Tools
Microsoft have provided a number of tools in their Account lockout and Management Tools package, to help in these areas, along with a script to turn on Kerberos logging. They also provide some information on the Account Management Tools.

5. Further Information, Support and Training

For the most part support will be from the ITSS community or from knowledgebases, forums etc. A list of starting points is given below. The Computing Services will focus particularly on assisting with DNS related issues.

itss-discuss mailing list
A message to this mailing list will often provide some useful help.
ITSS Wiki
Members of the Oxford University IT Support Staff community can contribute to the ITSS Wiki. Various Windows and Active Directory information is included here, such as setting up a trust from Active Directory to the central Kerberos servers, or installing an external certificate for IIS.
Support from IT Services
If you need advice on DNS-related issues, email
Microsoft Support Site
Provides an interface for searching the knowledgebase.
Microsoft Technet
Includes the Technet Website aimed at IT professionals. The bulk of the server documentation lives here. Also includes Technet Plus, a subscription service which gives you full versions of many of the operating systems and common server products without time limits, as well as access to forums, some free support calls etc. It should be available at a discount; email the Shop to request details of how to purchase.
MSDN (Microsoft Developer Network)
Aimed at developers, it also operates the MSDN website, and similarly has various Subscription services available offering access to various resources. Again, email the Shop to request details of how to purchase at a discount.
Training Courses
From time to time ITS3 organise on-site training courses on Active Directory and on Windows Server.
Microsoft Events
Microsoft also organise various UK-based events, some of which are free of charge. Some of these run in Reading and are fairly easy to get to (train plus shuttle bus). Their main events page also includes on-line events such as webcasts.

6. Active Directory Concepts

If you are new to Active Directory, it may be difficult to know how to get started. If you’ve picked it up as you go along, you may want to identify the gaps in your knowledge. This section provides a checklist of the key areas that you will need to understand and some pointers to finding more information. It isn’t absolutely exhaustive, but aims to include most major areas.

If you’re after a more formal approach, ITS3 sometimes organise on-site Active Directory Design and Implementation courses and Windows Server courses.

Domain Name System
A basic understanding of how DNS works is essential, as well as the way computers use it to locate Active Directory services. You will need to know how to configure, monitor and maintain DNS servers that support your chosen Active Directory namespace. See the How to configure DNS for Active Directory within the Oxford University Environment page for more information.
NetBIOS Naming
Technically it’s on the way out; in reality switching it off may be problematic, particularly if you’re reliant on browsing for resources. Understanding the essentials is useful, together with the role of WINS servers. If you use the central WINS service, be aware that names must be unique within the whole of the University. See The Central Windows Internet Name Service (WINS) web pages for details.
Operations Master Roles, or Flexible Single Master Operations (FSMO) Roles
Not all domain controllers are considered equal. One or more will hold your five or more operations master roles. Microsoft provide a useful summary in their Operations master roles document. Make sure you understand the main functions of the roles, which servers hold them, which ones should not hold them in a multi-domain forest, which ones you can least live without for any length of time, how to move them and what to do if you lose a server that holds one or more of them.
Global Catalog
A domain controller that is a global catalog server contains partial information on all objects in an Active Directory installation. It can play a major role in the logging-in process, particularly in a multi-domain environment. Knowing how to assign this role to a server is essential, and some understanding of the part it plays is useful. See for example Microsoft’s document on The role of the global catalog.
Backing Up and Restoring Active Directory
For preference, you probably want to avoid ever needing to restore your Active Directory database from backup by running at least 2 or 3 domain controllers. Cost may be an issue but for small to medium sized units, if you limit the additional services that they run to name resolution services (e.g. DNS and WINS, if used), they may not all need to be of particularly high specification. Limiting the services running on domain controllers also makes them easier to replace if they fail. If you ever need to restore all or part of your Active Directory, it will help to understand the difference between authoritative and non-authoritative restore modes. Also make sure you know the Directory Services Restore Mode passwords set when you installed Active Directory onto your domain controllers. See Microsoft’s Introduction to Administering Active Directory Backup and Restore for more information.
Organisational Units
Useful for organising your user and computer accounts, and particularly for grouping accounts to apply Group Policy. For many units, the design of your organisational units will depend primarily on which policies you want to apply to which groups of computers and users.
Group Policy
Powerful tool for enforcing your chosen configuration for users and workstations. Anything and everything (well, almost) ranging from what appears on the Start menu, which software people can run, the startup mode for services, security and audit settings, logon/logoff scripts, through to software installation and much more. Extensible via templates, group policy can also be used to manage some of the main Microsoft programs such as Office. It’s helpful to understand concepts such as inheritance, blocking inheritance, enforcing links, where group policy settings are stored, how they are applied, backing up and restoring etc. One place to start is Microsoft’s Group Policy Home Page.
Domain and Forest Functional Levels
These depend on the operating systems running on domain controllers in your Active Directory, i.e. whether NT, 2000, 2003, 2008. Different features become available when you raise the functional level, and it’s useful to know how to do so. There’s normally little reason not to raise the level as high as you can. See Raising domain and forest functional levels and What Are Active Directory Functional Levels?
Time Synchronisation
Synchronised time is vital to certain types of authentication (Kerberos) and it’s useful to know how time is synchronised automatically through domains and forests. The role of the PDC emulator(s) is pivotal. Take extra care if running virtualised Windows servers. See How Windows Time Service Works, particularly the Windows Time Service Processes and Interactions section. See also Configure the Windows Time service on the PDC emulator for instructions.
Replication
The replication topology and operation are usually quite straightforward in the single-domain environment that is most common in the University. Even so, it is vital that replication works smoothly. One common source of problems is DNS configuration. More complex environments such as multiple domains and/or multiple sites warrant more attention. See Replication overview and How Replication Works.
Authentication
Particularly important if you’re planning on enhancing security, or linking to the central Kerberos infrastructure. See the Authentication protocols overview and Introduction to authentication for some introductory information, and Logon and Authentication Technologies for a more detailed explanation.
