Specifies that the contents of a certain portion of the Active Directory on a domain controller should override any changes on other domain controllers, regardless of their sequence numbers. An authoritative restore is used to restore the contents of the Active Directory to a previous point in time.
Provides the only way to recover deleted objects without taking a DC offline, and it’s the only way to recover a deleted object’s identity information, such as its objectGUID and objectSid attributes. It neatly solves the problem of recreating a deleted user or group and having to fix up all the old access control list (ACL) references, which contain the objectSid of the deleted object.
Connection Request Policies
Sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting.
Also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, Direct Access connections are designed to connect automatically as soon as the computer connects to the Internet. Direct Access was introduced in Windows Server 2008 R2.
Read-only domain controller (RODC)
A domain controller containing a read-only full copy of an Active Directory database. The Active Directory database on a RODC cannot be altered. A RODC is used in an area or location that has limited security and is new in Windows Server 2008.
An FSRM object associated with a file system directory that limits the types of files that the system or any user can store in a directory. When a restricted file is detected, the FSRM server can raise one or more FSRM notifications.
File Server Resource Manager
File Server Resource Manager is a suite of tools that allows administrators to understand, control, and manage the quantity and type of data stored on their servers. By using File Server Resource Manager, administrators can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports. This set of advanced instruments not only helps the administrator to efficiently monitor existing storage resources but also aids in the planning and implementation of future policy changes.
Item Level Targeting
You can use item-level targeting to change the scope of individual preference items, so they apply only to selected users or computers. Within a single Group Policy object (GPO), you can include multiple preference items, each customized for selected users or computers and each targeted to apply settings only to the relevant users or computers.
Is a domain-specific role, so it exists in the forest root domain and every child domain. Its original conception was for backwards compatibility with legacy systems, such as Windows NT BDCs. However, the role is also responsible for keeping the domain time in sync, given that the DC holding this role in the forest root domain is the most authoritative time source in the forest.
Remote RADIUS Server Groups
A remote RADIUS server group is a named group that contains one or more RADIUS servers. If you configure more than one server, you can specify load balancing settings to either determine the order in which the servers are used by the proxy or to distribute the flow of RADIUS messages across all servers in the group to prevent overloading one or more servers with too many connection requests.
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.
When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
Service Principal Name
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
Start of Authority
The SOA record stores information about the name of the server that supplied the data for the zone; the administrator of the zone; the current version of the data file; the number of seconds a secondary name server should wait before checking for updates; the number of seconds a secondary name server should wait before retrying a failed zone transfer; the maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire; and a default number of seconds for the time-to-live file on resource records.
Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.
Adds one or more service accounts to an Active Directory computer.
Backs up one GPO or all the GPOs in a domain.
Enables encryption for a BitLocker volume.
Enables automatic unlocking for a BitLocker volume.
Gets one or more Active Directory fine grained password policies.
Submits a certificate request to an enrollment server and installs the response or retrieves a certificate for a previously submitted request.
Generates a report either in XML or HTML format for a specified GPO or for all GPOs in a domain.
Imports the Group Policy settings from a backed-up GPO into a specified GPO.
Installs an Active Directory service account on a computer.
Schedules a remote Group Policy refresh (gpupdate) on the specified computer.
Creates a new Active Directory service account.
Creates a new GPO.
Creates a RADIUS client.
Changes settings for a DNS primary zone.
Configures DNS aging settings for a zone.
Blocks or unblocks inheritance for a specified domain or organizational unit (OU).
Sets the properties of the specified GPO link.
Grants a level of permissions to a security principal for one GPO or all the GPOs in a domain.
Edits the properties associated with an external RADIUS server being used for VPN authentication, accounting for Direct Access (DA) and VPN, and one-time password (OTP) authentication for DA.
Shows the records in a DNS Server Cache.
Restores access to data on a BitLocker volume.
Command Line Tools
Active Directory Service Interfaces Editor is a Lightweight Directory Access Protocol editor that you can use to manage objects and attributes in Active Directory. ADSI Edit provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins such as Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.
A command-line utility that works with Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. An administrator has the ability to display information about audit policies and also to perform some functions to manipulate audit policies.
If you are in a disaster recovery scenario, you may consider using the Dcgpofix tool. If you use the Dcgpofix tool, it is strongly recommended that as soon as you run it, you review the security settings in these GPOs and manually adjust the security settings to suit your requirements. Dcgpofix restores the default Group Policy objects to their original default state after initial installation of a domain controller. The Dcgpofix tool recreates the two default Group Policy objects and creates the settings based on the operations that are performed only during Dcpromo. It is important to understand that Dcgpofix does not restore the security settings to the state they were in before you ran Dcpromo.
Installs and removes Active Directory Domain Services (AD DS).
DiskPart is a text-mode command interpreter in Windows Vista, Windows XP, and the Windows Server 2003 family. This tool enables you to manage objects (disks, partitions, or volumes) by using scripts or direct input at a command prompt.
Deployment Image Servicing and Management (DISM.exe) is a command-line tool that can be used to service a Windows image or to prepare a Windows Preinstallation Environment (Windows PE) image. It replaces Package Manager (Pkgmgr.exe), PEimg, and Intlcfg that were included in Windows Vista. The functionality that was included in these tools is now consolidated in one tool (DISM.exe), and new functionality has been added to improve the experience for offline servicing.
You can use this procedure to fix Group Policy objects (GPOs) and links after a domain rename operation. In this procedure, you use the Gpfixup.exe command-line tool to repair GPOs as well as GPO references in each renamed domain. It is necessary to repair the GPOs and the Group Policy links after a domain rename operation to update the old domain name that is embedded in these GPOs and their links.
You use the Ipconfig.exe command line tool to display the current Transmission Control Protocol/Internet Protocol (TCP/IP) configuration. For Direct Access, you use Ipconfig.exe to determine the Internet Protocol version 6 (IPv6) configuration of a Direct Access client, server, or intranet node.
This GUI tool is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata.
Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers.
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
Reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory service account. You use SPNs to locate a target principal name for running a service. You can use setspn to view the current SPNs, reset the account’s default SPNs, and add or delete supplemental SPNs. Setspn is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use setspn, you must run the setspn command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
WSUSutil.exe is a tool that you can use to manage your WSUS server from the command line. WSUSutil.exe is located in the %drive%\Program Files\Update Services\Tools folder on your WSUS server. You can run specific commands with WSUSutil.exe to perform specific functions.