Howto - Active Directory
Howto - Move users between Forests
Written by David Noel-Davies   

Users can be moved between forests successfully in one of two ways. Typically, the Windows Active Directory Migration Tool (ADMT) is the best option for moving users between forests, because it can also migrate passwords.

Howto - Create an MMC Snap-In for Searching PDF Files
Written by David Noel-Davies   

I recently called Microsoft Customer Service and Support (CSS) to help resolve what I thought was an undocumented error. As it turns out, the error was documented—I just couldn't find a reference to it in the 80 PDF manuals that came with this particular Microsoft product. Luckily, the support engineer I talked with was familiar with the error and knew the exact manual that I had to reference.

After that support incident, I recalled that I had used the Adobe PDF IFilter plug-in for the Microsoft Indexing Service several years ago to search through PDF files. Back then, I had only a dozen Adobe PDF files in a directory of hundreds of .doc, .txt, .html and .mht files. However, I had to search every file for specific text strings, and IFilter served this purpose well.

With the propeller hat spinning full tilt, I decided to again use IFilter with the Indexing Service for the purpose of searching Adobe PDF files. But this time, I created a customized Microsoft Management Console (MMC) snap-in for the UI. Although you can use Adobe Acrobat Reader to search through PDF files in a specified directory, it takes an extremely long time if that directory is large (e.g., 65MB). With the MMC snap-in, the search is almost instantaneous. Here's how you can create this snap-in on your local computer:

Delegation works and then doesn't work
Written by David Noel-Davies   
When Delegation Doesn't Seem to Take

Delegation is a powerful feature of Active Directory that lets an administrator grant users and groups the permissions and rights needed to perform certain tasks. For example, you can delegate to a junior admin the ability to reset the passwords on any account or to view the properties of any account but not change these properties. That can free you, the senior administrator, to focus on more pressing matters.

Sometimes, however, delegation doesn't work as you expect. In particular, in certain circumstances delegation won't "take" properly, and the permissions assigned by the Delegation of Control Wizard are later mysteriously revoked.

This can happen when the account you are trying to delegate to is a member of one of the protected groups, such as Domain Admins, Server Operators, Backup Operators and similar built-in groups. These groups are themselves designed to facilitate delegation by automatically granting certain user rights to any account that belongs to them as a member. The Delegation of Control Wizard works differently: the permissions and rights assigned to an account by the wizard are enforced once an hour by a special thread running on the PDC Emulator, the big kahuna of domain controllers on your network. So if you delegate some task to Bob, and Bob is a member of Backup Operators (either explicitly or through nesting of some other group Bob belongs to), and the delegation assigns permissions or rights that conflict with the implicit permissions and rights granted to any member of Backup Operators, then in less than an hour you're likely to see Bob's delegation revoked and Bob unable to perform the task you delegated to him.

Watch out for this. You can avoid the problem by not using the protected groups at all, except for the high-level ones: Enterprise Admins, Schema Admins and Domain Admins. If you do choose to use the Operators groups, however, make sure you carefully check the group membership (explicit and nested) of a user or group before you delegate a task to them using the Delegation of Control Wizard.

Final caveat: this tip applies to AD in Windows 2000 SP4 or later, and Windows Server 2003.
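The membership check recommended above, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access to the domain; the group list is the one the article names and should be extended for your environment. The adminCount attribute, AdminSDHolder and the SDProp process it references are not named on the page but are the mechanism behind the hourly PDC Emulator thread the article describes.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and read access to the domain from a domain-joined machine.
Import-Module ActiveDirectory

# Protected groups named in the article. SDProp protects further groups
# (e.g. Administrators, Account Operators); extend this list for your domain.
$ProtectedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Server Operators', 'Backup Operators'
)

function Test-DelegationTarget {
    <#
      Reports whether a user or group is a direct or nested member of a
      protected group, so you know before running the Delegation of Control
      Wizard whether the ACEs it writes are likely to be reverted within the hour.
    #>
    param([Parameter(Mandatory)][string] $SamAccountName)

    $principal = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
                              -Properties adminCount
    if (-not $principal) { throw "Principal '$SamAccountName' not found" }

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC
    # resolve nested membership server-side, so one query returns every
    # group the principal belongs to, explicitly or through nesting.
    $dn = $principal.DistinguishedName
    $memberOf = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Select-Object -ExpandProperty Name

    $hits = @($memberOf | Where-Object { $ProtectedGroups -contains $_ })

    [PSCustomObject]@{
        Principal       = $SamAccountName
        ProtectedGroups = $hits
        # adminCount=1 means SDProp has already stamped this object with the
        # AdminSDHolder ACL, a strong sign that delegated ACEs will be reverted.
        AdminCount      = $principal.adminCount
        SafeToDelegate  = ($hits.Count -eq 0) -and ($principal.adminCount -ne 1)
    }
}

# Usage: Test-DelegationTarget -SamAccountName 'bob'
```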

Troubleshooting FSMO roles
Written by David Noel-Davies   
Quick tips on troubleshooting FSMO roles

Here are some tips on troubleshooting FSMO roles, presented in the form of a pop quiz. See how you score on it; the answers are at the bottom.

1. I can't add a new domain to my forest. Which FSMO role might be down?
Domain Naming Master

2. I tried running adprep /domainprep but it failed. Which FSMO role might be down?
Infrastructure Master

3. Some users changed their password but now they can't log on. Which FSMO role might be down?
PDC Emulator

4. The clocks on my servers don't seem to be synchronized properly. Which FSMO role might be down?
PDC Emulator

5. I tried upgrading a Windows 2000 domain controller to Windows Server 2003 but the DNS application partition wasn't created. Which FSMO role might be down?
Domain Naming Master
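To turn the quiz into a check, here is an added PowerShell example (not from the original article) that resolves which domain controller holds each FSMO role and verifies that the holder answers an LDAP bind. It assumes the ActiveDirectory module (RSAT) on a domain-joined Windows host with LDAP access to each DC.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) and LDAP reachability to each domain controller.
Import-Module ActiveDirectory

function Test-FsmoRoleHolders {
    <#
      Resolves the holder of each of the five FSMO roles and binds to it
      directly, so a quiz symptom (can't add a domain, adprep fails, password
      logons fail, clocks drift) can be tied to a specific unreachable holder.
    #>
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Forest-wide roles come from the forest object, domain-wide from the domain.
    $roles = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $domain.PDCEmulator
        'RID Master'            = $domain.RIDMaster
        'Infrastructure Master' = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        try {
            # Get-ADRootDSE -Server binds to that DC over LDAP rather than to
            # whichever DC the session happens to use, so a failure here means
            # the role holder itself is not answering.
            $rootDse   = Get-ADRootDSE -Server $holder -ErrorAction Stop
            $reachable = $true
            $detail    = "bound, defaultNamingContext=$($rootDse.defaultNamingContext)"
        } catch {
            $reachable = $false
            $detail    = $_.Exception.Message
        }
        [PSCustomObject]@{
            Role      = $role
            Holder    = $holder
            Reachable = $reachable
            Detail    = $detail
        }
    }
}

# Usage: Test-FsmoRoleHolders | Format-Table -AutoSize
```

A role holder that is resolvable but not reachable is the first thing to confirm before seizing or transferring the role.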

Understanding Windows Server 2003 name suffix routing forest trust relationship
Written by David Noel-Davies   
IT Contractors brings you - Howto Name Suffix Routing

Windows 2003 supports several ways to restrict a trust relationship between two Windows AD forests, including SID filtering, selective authentication, and name suffix routing. Name suffix routing is also referred to as top-level name restrictions. SID filtering and selective authentication can be applied to both external and forest trust relationships. Name suffix routing can be applied only to a forest trust type.

A forest trust relationship is a new trust type introduced in Windows 2003. Windows 2003 forest trust relationships allow administrators to securely federate two AD forests using a single trust relationship set up between the root domains of the two forests. A forest trust relationship provides seamless AD object browsing, user authentication and access control between the forests. In Windows 2000, multiple external trust relationships between the different domains in the two forests are required to obtain the same level of functionality.

