Step by Step Guide To Managing Active Directory
Introduction
Step-by-Step Guides
The Microsoft Windows Server 2003 Deployment step-by-step guides provide hands-on experience
for many common operating system configurations. The guides begin by establishing a common
network infrastructure through the installation of Windows Server 2003, the configuration of Active
Directory, the installation of a Windows XP Professional workstation, and finally the addition of this
workstation to a domain. Subsequent step-by-step guides assume that you have this common
network infrastructure in place. If you do not wish to follow this common network infrastructure,
you will need to make appropriate modifications while using these guides.
The common network infrastructure requires the completion of the following guides.
Microsoft Virtual PC
The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical
lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft
Virtual Server 2005. Virtual machine technology enables customers to run multiple operating
systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are
designed to increase operational efficiency in software testing and development, legacy application
migration, and server consolidation scenarios.
The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur
within a physical lab environment, although most configurations can be applied to a virtual
environment without modification.
Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the
scope of this document.
Important Notes
The example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious. No association with any real company,
organization, product, domain name, e-mail address, logo, person, places, or events is intended or
should be inferred.
This common infrastructure is designed for use on a private network. The fictitious company name
and Domain Name System (DNS) name used in the common infrastructure are not registered for
use on the Internet. You should not use this name on a public network or Internet.
The Active Directory service structure for this common infrastructure is designed to show how
Windows Server 2003 Change and Configuration Management works and functions with Active
Directory. It was not designed as a model for configuring Active Directory for any organization.
Overview
This guide introduces you to administration of the Windows Server 2003 Active Directory service.
The Active Directory administrative tools simplify directory service administration. You can use the
standard tools or, using Microsoft Management Console (MMC), create custom tools that focus on
single management tasks. You can combine several tools into one console. You can also assign
custom tools to individual administrators with specific administrative responsibilities.
The Active Directory administrative tools can only be used from a computer with access to a
domain. The following Active Directory administrative tools are available on the Administrative Tools
menu:
Prerequisites
• Part 1: Installing Windows Server 2003 as a Domain Controller
• Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain
• Step by Step Guide to Setting up Additional Domain Controllers
Guide Requirements
• You must be logged on as a user with administrative privileges to perform the procedures in this document.
• If you are working on a domain controller, the Active Directory Schema snap-in might not be installed. To install it, at a command-line prompt, type:
regsvr32 schmmgmt.dll
The Active Directory Schema management snap-in will now be available within MMC.
• On Windows Server 2003–based stand-alone servers or Windows XP Professional workstations, Active Directory Administrative Tools are optional. You can install them from Add/Remove Programs in the Control Panel using the Windows Components wizard or from the ADMINPAK on the Windows Server 2003 CD.
Computers: Contains all Windows NT, Windows 2000, Windows XP, and Windows Server 2003–based computers that join a domain. This includes computers running Windows NT versions 3.51 and 4.0. If you upgrade from a previous version, Active Directory migrates the machine account to this folder. You can move these objects.
System: Contains Active Directory systems and services information.
Users: Contains all the users in the domain. In an upgrade, all users from the previous domain will be migrated. Like computers, the user objects can be moved.
Shared printer: A shared printer is a network printer that has been published in the directory.
Adding an Organizational Unit
This procedure creates an additional OU in the Contoso domain. Note that you can create nested
OUs, and there is no limit to the nesting levels.
These steps follow the Active Directory structure established in the common infrastructure step-by-
step guides. If you did not create that structure, add the OUs and users directly under
Contoso.com; that is, where Accounts is referred to in the procedure, substitute Contoso.com.
To add an OU
1. Click the + next to Accounts to expand it.
2. Right-click Accounts.
3. Point to New and click Organizational Unit. Type Construction as the name of your new
organizational unit, and then click OK.
Repeat the previous steps to create additional OUs as follows:
Creating a Group
To create a group
1. Right-click the Engineering OU, click New, and then click Group.
2. In the New Object – Group dialog box, type Tools for Name.
3. Review the type and scope of groups available in Windows Server 2003 as shown in the
following table. Leave the default settings, and then click OK to create the Tools group.
• The Group type indicates whether the group can be used to assign permissions to other network resources, such as files and printers. Both security and distribution groups can be used for e-mail distribution lists.
• The Group scope determines the visibility of the group and what type of objects can be contained within the group.
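The type and scope chosen in the New Object – Group dialog are stored together in the group's groupType attribute, which tools such as ldifde or an LDAP query return as a single signed integer (the dialog's default, global security group, is -2147483646). The following Python is an added example, not code from this guide or from Microsoft; it decodes and encodes that attribute using the documented ADS_GROUP_TYPE flag values, so an administrator reviewing exported directory data can tell whether a group can actually carry permissions. The sample values in the comments are constructed.

```python
# Added example (not part of the guide): decode and build the Active Directory
# groupType attribute behind the "Group type" and "Group scope" options.
# Flag values are the documented ADS_GROUP_TYPE_* constants.
from dataclasses import dataclass

GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY_ENABLED = 0x80000000  # set for security groups, clear for distribution groups

SCOPE_NAMES = {GLOBAL: "global", DOMAIN_LOCAL: "domain local", UNIVERSAL: "universal"}


@dataclass(frozen=True)
class GroupKind:
    scope: str
    security: bool  # True: can be used in ACLs; False: distribution (e-mail) only


def decode_group_type(value: int) -> GroupKind:
    """Interpret groupType as stored in AD (a signed 32-bit integer, e.g. -2147483646)."""
    bits = value & 0xFFFFFFFF  # view the signed LDAP value as unsigned flags
    scope_bits = [flag for flag in SCOPE_NAMES if bits & flag]
    if len(scope_bits) != 1:
        # A well-formed group has exactly one scope flag; anything else is corrupt data.
        raise ValueError(f"groupType {value:#x} must set exactly one scope flag")
    return GroupKind(SCOPE_NAMES[scope_bits[0]], bool(bits & SECURITY_ENABLED))


def encode_group_type(scope: str, security: bool = True) -> int:
    """Produce the signed value an LDAP client writes when creating a group."""
    flag = {name: bit for bit, name in SCOPE_NAMES.items()}[scope]
    if security:
        flag |= SECURITY_ENABLED
    # Convert to the signed 32-bit representation that AD stores.
    return flag - (1 << 32) if flag & 0x80000000 else flag


def can_grant_permissions(value: int) -> bool:
    """True when the group is a security group, i.e. usable to assign permissions."""
    return decode_group_type(value).security


if __name__ == "__main__":
    # Constructed sample: the dialog's default (global security group) and a
    # universal distribution group.
    for sample in (-2147483646, 8):
        kind = decode_group_type(sample)
        print(f"{sample}: {kind.scope} {'security' if kind.security else 'distribution'} group")
```

Use `encode_group_type` when scripting group creation so the scope and type are explicit rather than relying on a tool's default, and `can_grant_permissions` when auditing which groups in an export are eligible to appear in file or printer ACLs.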
Note: When populated, the ES shared folder contents will be available to end users through
directory searches. Users may also map this shared resource as a network drive.
4. Close the Find Shared Folders dialog box.
Publishing a Printer
You can also publish information about shared printers in Active Directory. Information about
printers shared from Windows NT must be published manually. Information about printers shared
from the Windows Server 2003 family or the Windows 2000 Server family is published to the
directory automatically when you create a shared printer. Use Active Directory Users and Computers
to manually publish shared printer information.
The print subsystem will automatically propagate changes to the printer attributes (location,
description, loaded paper, and so on) to the directory.
Note: This section details the steps to configure and publish a printer, which prints directly to a
file. If you want to use an IP, LPT, or USB–based printer, you must modify the steps in these
procedures.
Adding a New Printer
To add a new printer
1. Click the Start button, click Printers and Faxes, and then double-click Add Printer. The Add
Printer Wizard appears. Click Next.
2. Click Local printer attached to this computer, clear the Automatically detect and install
my Plug and Play printer check box, and then click Next.
3. In the Use the following port drop-down list, click the FILE: (Print to File) option, and then
click Next.
4. In the Manufacturer results pane, click Generic. In the Printers results pane, click Generic /
Text Only. Click Next to continue.
5. On the Name Your Printer page, change the Printer name to Print to File, and then click
Next.
6. On the Printer Sharing page, change the Share name to FilePrinter, and then click Next.
7. For Location on the Location and Comment page, type Headquarters – Bldg 4 – Room
2200. Click Next to continue.
8. Click Next to print a test page, and then click Finish to complete the installation.
9. When prompted, type Test Print as the file name for the printer test page. Click OK once
complete.
The printer is automatically published in Active Directory.
Locating a Printer in Active Directory
To find a printer in Active Directory
1. On the Printers and Faxes screen, double-click the Add Printer icon.
2. The Add Printer Wizard dialog box appears. Click Next to continue.
3. Click A network printer, and then click Next.
4. Click Find a printer in the Directory (default), and then click Next.
5. The Find Printers dialog box appears. Click Find Now to search for all printers published in
Active Directory. Setting additional search options can limit results by available features or
printer location.
Printer Location Tracking: Use printer location tracking to streamline printer searches. When
printer location tracking is enabled and the user clicks Find Now, Active Directory lists all
printers matching the user's query that are in the user location. Users can change the location
field by clicking Browse to search for printers in other locations. For more information about
configuring printer location tracking, see the Windows Server 2003 Help and Support Center.
6. In the Search results on the Find Printers page, double-click Print to File to install the
printer. Click Yes (default) to set this printer as the default printer for your system, and then
click Next.
Figure 9. Searching for Shared Printers in Active Directory
7. Click Finish to complete the printer installation.
8. Close the Printers and Faxes window.
You can publish printers shared by operating systems other than Windows Server 2003, Windows
2000, or Windows XP in Active Directory. The simplest way to do this is to use the pubprn.vbs
script, although the Active Directory Users and Computers snap-in can be used. This script will
publish all the shared printers on a given server. It is located in the \winnt\system32 directory.
Publishing a Printer Manually Using the pubprn.vbs Script
To publish a printer manually using the pubprn.vbs script
1. Click the Start button, and then click Run. Type cmd in the text box, and then click OK.
2. Type cd \windows\system32, and then press Enter.
3. Type cscript pubprn.vbs prserv1 "LDAP://ou=accounts,dc=contoso,dc=com", and then
press Enter.
Note: This example publishes all the printers on the Prserv1 server to the Accounts OU. The
script copies only the following subset of printer attributes: Location, Model, Comment, and
UNCPath. This script will not work on Windows Server 2003; it is provided as a manual tool for
publishing printers to Active Directory from down-level print servers only.
4. Close the window.
Publishing a Printer Manually Using the Active Directory Users and Computers Snap-In
1. Right-click the Marketing OU, click New, and then click Printer.
2. The New Object-Printer dialog box appears. In the text box, type the path to the printer, such
as \\server\share name, and then click OK.
Publishing printers in the directory gives end users a seamless experience: they can browse for
printers, submit jobs to those printers, and install the printer drivers directly from the server.
Nested Groups
Nested groups allow you to provide company-wide or department-wide access to resources with
minimum maintenance. Placing every team account group into a single company-wide resource
group is not an effective solution because it requires the creation and maintenance of a large
number of membership links. To use nested groups, administrators create a series of account
groups that represent the managerial divisions of the company.
For example, the top account group might be called "All Employees," and would be attached to a
resource group that gives access to resources and shared directories. The next level might contain
account groups that represent major divisions of the company. Each group at this level is a member
of All Employees, and is attached to a resource group giving access to shares and other resources
appropriate to the division it represents.
Within a division, the next level of account groups might represent departments. Shared resources
for the department might include project schedules, meeting schedules, vacation schedules, or any
network information appropriate to the whole department. The department account groups are all
members of the division account group.
Within a department, the management structure can be organized into security groups to any
required level of specificity. These might be team account groups and might represent leaf nodes in
the organization’s hierarchical tree.
With this group hierarchy in place, you can give a new employee instant access to the resources of
the team, the department, the division, and the company as a whole by placing the employee in a
team account group. This system supports the principle of least access because the new employee
cannot view the resources of adjacent teams, other departments, or other divisions.
Creating Nested Groups
To create a nested group
1. In the Active Directory Users and Computers snap-in, right-click vancouver.contoso.com,
and then click Connect to Domain.
2. Click Browse, and then click contoso.com. Click OK twice to finish.
3. Expand contoso.com, and then expand the Accounts OU.
4. Create a new group by right-clicking Engineering, pointing to New, and then clicking Group.
Type All Engineering, and then click OK.
5. Right-click the All Engineering Group, and then click Properties.
6. Click the Members tab, and then click Add.
7. In the Enter the object names to select box, type Tools, and then click OK.
8. Click OK again. A nested group has been created.
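The value of the hierarchy described under Nested Groups, and the least-access property it is meant to give, both depend on how membership expands transitively: a user placed in a team group inherits every group that group is nested in, and nothing else. The following Python is an added example, not code from this guide or from Microsoft; it resolves that transitive membership over a constructed directory snapshot that mirrors the All Employees / division / department / team layout (the Tools group nested in All Engineering, as created in the procedure above, plus an illustrative All Marketing branch and two fictitious users), and it also reports nesting loops, which Active Directory allows but which make access reviews hard to reason about. All group and user names beyond Tools and All Engineering are assumptions.

```python
# Added example (not part of the guide): expand nested group membership and
# detect nesting loops. The snapshot below is constructed; it records, for each
# user or group, the groups it is a direct member of (the Members tab, inverted).
from collections import deque

MEMBER_OF = {
    "Tools": {"All Engineering"},          # created in "Creating Nested Groups"
    "All Engineering": {"All Employees"},  # division group, member of the top group
    "All Marketing": {"All Employees"},    # assumed sibling division
    "alice": {"Tools"},                    # assumed new engineer placed in a team group
    "bob": {"All Marketing"},              # assumed marketing user
}


def effective_groups(principal, member_of=MEMBER_OF):
    """Every group `principal` belongs to directly or through any depth of nesting."""
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:  # breadth-first walk up the nesting chain
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; also stops loops from running forever
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def find_nesting_cycles(member_of=MEMBER_OF):
    """Return the sets of groups that form loops (A nested in B nested in A ...)."""
    cycles = set()

    def walk(node, path):
        for parent in member_of.get(node, ()):
            if parent in path:
                cycles.add(frozenset(path[path.index(parent):]))
            else:
                walk(parent, path + [parent])

    for start in member_of:
        walk(start, [start])
    return cycles


def reaches(principal, group, member_of=MEMBER_OF):
    """True when `principal` ends up in `group`, i.e. gets its resource access."""
    return group in effective_groups(principal, member_of)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "->", sorted(effective_groups(user)))
    print("nesting loops:", find_nesting_cycles() or "none")
```

Running it shows that placing alice only in Tools gives her All Engineering and All Employees, while All Marketing stays out of reach, which is the least-access outcome the section describes; an empty result from `find_nesting_cycles` confirms the hierarchy is a clean tree before it is used as the basis for resource permissions.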