• 
• 
• 
• 
• 
• 
• 

 1 of 7

Gallery

Active Directory Workshop

Posted on 5 Jun 2002 at 14:59

Currently, a Microsoft Jet database is used to support the directory. This enables the repository to be indexed and for resources to be located quickly, but it does require a fair amount of room. The default folder for the database (%systemroot%/ntds), for instance, starts out at just over 40Mb, growing rapidly as objects are added and security rights defined. The log files are also stored here.

One other complication is that AD isn't loaded by default. Instead, you're prompted by the Configure Your Server Wizard to install it once the operating system is up and running. This starts when you first log on as the administrator and is used to configure a range of optional extras, including AD and the bundled DHCP and DNS servers.

You'll need the Windows 2000 install CD plus Service Packs, but the install Wizard does most of the hard work for you, which is just as well because the underlying technology is quite complex. Most of it's pretty dull, but one important consideration is a dependency on DNS. This allows AD to use familiar, Internet-style 'company.com' naming rather than the standard X.500 names used by other directories. A DNS server that supports dynamic updates is required. Fortunately, the Wizard checks to see if it can find one, prompting to install the bundled Windows 2000 implementation if it doesn't. It will also configure DNS with the domain names you decide to use, which saves having to set up the records manually.

You don't have to reload the operating system to promote a Windows 2000 server to a domain controller, which you do with NT. Moreover, existing NT domain servers can be integrated into AD without having to upgrade to Windows 2000. However, integration and migration from NT are far from simple procedures, putting them beyond the scope of this article, so for now we'll assume a new, Windows 2000-only installation. If you're desperate for migration information, the best place to seek help is via the Microsoft Web site and the Windows 2000 Resource Kit.

Management Console

As with most things to do with Windows 2000, once installed AD is managed using snap-ins to the MMC (Microsoft Management Console). The requisite snap-ins are loaded as part of the AD setup process - management of local users and groups are disabled by the Setup Wizard. The easiest way of accessing the new snap-ins is from the Start | Program | Administrative Tools menu, with three options as in Table 1.

Like all MMC snap-ins, you get the same familiar interface, with two panes displayed. On the left, the scope pane shows the directory tree and the objects it contains (see Root and branch for details), and this can be expanded, collapsed and displayed, just like folders and files in Windows Explorer. On the right is the separate results pane where selected objects and their properties are shown.

Clearly, the snap-in you're likely to be most interested in is 'Active Directory Users and Computers', as it's from here that users and their access rights to network resources are defined.

What you see depends on how the directory has been set up, but on the first domain controller a number of special system containers will have been created, the more important of which you'll find described in Table 2.

These are a good starting point, but in practice you'll want to create new containers to reflect your organisation and its users. Plus, you're likely to need to set up new users and user groups, and define the printers, shared files and other resources they need to access.