Active Directory Installation

Active Directory must be installed on Windows 2000 servers that are to be Windows 2000 domain controllers. It can be installed on Windows 2000:

• Server
• Advanced Server
• Datacenter Server.

When Active Directory is installed on a computer, that computer is promoted by Active Directory to a domain controller. If the computer is the first domain controller, it creates an Active Directory database. If it is not the first, it gets a read and write copy of the AD database.

Requirements

• The computer must be Windows 2000 Server, Advanced Server or Datacenter Server.
• At least one volume on the computer must be formatted with NTFS.
• DNS must be active on the network prior to AD installation or be installed during AD installation. DNS must support SRV records and be dynamic.
• The computer must have IP protocol installed and have a static IP address.
• The Kerberos v5 authentication protocol must be installed.
• Time and zone information must be correct. Simple Network Time Protocol (SNTP) (RFC 1769) synchronizes time on network computers (nodes)

Installation Process

You can install Active Directory by selecting "Start", "Run", and typing "Dcpromo.exe" in the text box or follow the following selections:

1. Click "Administrative Tools".
2. Select "Configure Your Server".
3. Select "Active Directory Installation Wizard".

Directory Service Client

On non Windows 2000 systems, the Directory Service Client can be installed which will allow those systems to:

• Search the Active Directory.
• Change passwords on domain controllers.
• Use D6 shares that are fault tolerant.

Internet Explorer 4.01 or later must be installed on any system that the Directory Service Client is to be installed on in order for the install wizard to run. To install Directory Service Client:

1. Place the Windows 2000 CD in the CDROM drive.
2. Indicate that you do not want to upgrade Windows and close the dialog box.
3. Open a DOS prompt and change drives to the drive letter of the CDROM drive,
4. Type "cd \clients\win9x" and type "dsclient".
5. Follow the wizard prompts to complete the installation.

DNS

DNS is required to use Active Directory since clients use DNS to locate Active Directory controllers. Servers and client computers register their names and IP addresses with the DNS server. The DNS server must support Service Resource Records (SRVs) according to RFC 2052 and dynamic update protocol according to RFC 2136. DNS can be installed with the Active Directory server or on a separate DNS server.

Active Directory Installation Effects

• The server becomes a domain controller.
• A new Windows 2000 domain is created.
• A new domain tree and forest is created.

In each child domain, Active Directory must be installed on the first domain controller.

Verification of Active Directory

Select "Start", "Programs", "Administrative Tools", "Active Directory Users and Computers" and click the + next to the domain. Highlight the domain controllers folder, and the computer Active Directory was installed on should appear in the right pane.

Active Directory Configuration

Active Directory Users and Computers

Active Directory Users and Computers is a Microsoft Management Console snap-in. It is started by selecting "Start", "Programs", "Administrative Tools", and "Active Directory Users and Computers". Only members of the Domain Admins or Enterprise Admins group can use this tool. This tool is used to create, configure, locate, move, and delete objects including:

• User (automatically published)
• Group (automatically published)
• Computer (Those in the domain are automatically published)
• Contact (automatically published)
• Domain
• Organizational Unit (automatically published)
• Shared folder
• Printer (Most are automatically published) - Windows NT shared printers are not published automatically.

It is also used to publish resources, control security and access to objects, and set up administrative control of objects to users. Published resources allow users to find and use them without knowing what server they reside on. Most browse lists do not cross subnet boundaries, but published resources are seen across subnets. These published resources may be browsed from "My Network Places". The "Computer Management" administrative tool or "Active Directory Users and Computers" is used to publish resources in Active Directory

Active Directory Administration

Active Directory is normally administered from domain controllers but can be administered from a Windows 2000 Professional workstation by using the ADMINPAK tool. It is on the Windows 2000 CDROM in the directory /i386/Adminpak.msi.

Action Items that can be selected from the domain:

• New
• Shared Folder
• Printer
• Find

View Menu items:

• Advanced Features - Used to set object permissions.

When using Active Directory Users and Computers, once the domain is highlighted, the following options are available by selecting the menu item, "Action", and "New".

• Organizational Unit

To configure an object, click the + next to the domain name, and highlight the object. The following selections are available by selecting "Action":

• Properties

Searching With Windows Explorer

Windows Explorer can be used to search for Active Directory objects. This is done by selecting "View", Explorer Bar", and "Search".

Publishing Resources

Publishing is the act of making an object publically browseable and accessible using Active directory. Most objects are automatically listed in Active Directory when they are created, but some objects must be published to be made available. Things that are not automatically published:

• Windows NT shared printers
• Computers outside the domain.

Moving AD Objects

From Active Directory Users and Computers click the + next to the domain name, and highlight the object. Right click on the object in the right pane to be moved, and select Move. Expand any container objects required, and highlight the container to move the object to, then click "OK".

To move an object to another directory, use the command line program called MoveTree.exe. This program is part of the "Windows 2000 Support Tools "on the Windows 2000 Server or above CD in \Support\Tools.

Changes

When a user is moved from one OU to another the following is true:

• The user inherits permissions from the new OU.
• The user loses permissions from the original OU.
• The users and groups that could manage the user still can manage the user.

The MoveTree.exe tool is used to move an OU from one domain to another.

The "Delegation of Control Wizard" or "Active Directory Users and Computers" can be used to delegate OU administrative control to a specific user