Written by Daniel Mundy | 12 November 2008

• Domain Controllers - adding, moving, and removing DCs
• Groups
• Move the AD Database (ntds.dit) to another drive
• Active Directory Health Check
• Active Directory Command Line Tools
• Saved Queries

 

See also:

• Group Policy
• Windows Server 2003
• Roaming Profiles

User Acccount Management

Computer Account Management

When a secure channel fails, don't simply remove/rejoin the computer to the domain. Use netdom or nltest to reset the secure channel.

Use redircmp to redirect the default computer container to an OU. By default the Computers container allows anyone to join a PC to a domain. Syntax:

redircmp "DN of OU for new computer objects"

FSMO Roles

• How to move the FSMO roles to a different server

Global Catalog

To check if GC has replicated, install the Server 2003 Support Tools, and run: dcdiag /s:servername /v | find /I "gc"

If it says "The DS servername is advertising as a GC" then replication has finished.

Certificate Authority

• How to manually remove Enterprise Certificate Authority from Windows 2000/2003 Domain

DNS

• ms291382: Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS

Logon Scripts

• Map drives according to group membership

Misc

• ms181171: Secure channel manipulation with TCP/IP - using regedit to change WINS/NBT Node Type
• Well Known Security Identifiers (SIDs) in Microsoft Windows
• Find all groups with "Password Never Expires" attribute set

Check Out

• http://msforums.ph/blogs/monsalvador/archive/2007/07/04/how-to-view-additional-account-user-information-in-active-directory-windows-server-2003-and-2008.aspx
• http://support.microsoft.com/kb/324800
• http://securityadmin.info/faq.asp?encryption
• http://www.winserverkb.com/Uwe/Forum.aspx/windows-2000/33887/demote-the-server
• http://www.google.com.au/search?hl=en&q=sysvol+%22logon+type%22&meta
• http://eventid.net/display.asp?eventid=1058&eventno=1752&source=Userenv&phase=1
• http://www.google.com.au/search?hl=en&q=2003+Logon+failure%3A+the+user+has+not+been+granted+the+requested+logon+type+at+this+computer.&meta
• http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic29493.aspx
• http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=227991&start=0

Resources

• Windows Server TechCentre / Windows Server 2003 Technical Library / Windows Server 2003: Planning and Architecture Whitepapers

Tools

• Dumpsec (http://www.systemtools.com/somarsoft/index.html)
• OBJ::SID - query a SID and return the associated AD object, and vise versa

Scoping

• Rule of thumb - two GCs per site, or if it's a one-site, one-domain enterprise, according to a Microsoft AD expert, every DC should be a GC. (source: Mastering Server 2003)