A few days ago we posted a document to TechNet that outlines the various port requirements for Active Directory. We gathered the port information from various KB articles and consolidated it into one document. I think it should serve as a great reference guide for those of you configuring Active Directory communication through internal and external firewalls. It details the ports used by trusts, replication, global catalog, DNS, DHCP, etc. It also outlines the new default dynamic port range, 49152-65535, for Windows Server 2008 and Windows Vista, and provides pointers to why the range was increased from previous versions of our operating systems.
Active Directory and Active Directory Domain Services Port Requirements (http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx)
As always, if you have any suggestions for improvement please leave us feedback.
Windows Server 2008 R2 domain controllers include a new feature named Offline Domain Join. A new utility named Djoin.exe lets you join a computer to a domain, without contacting a domain controller while completing the domain join operation, by obtaining a blob from a Windows Server 2008 R2 domain controller at an earlier point in time. The computer is domain-joined when it first starts, so no restart is needed as with a normal domain join. The general steps for using Djoin.exe are:
- Run djoin /provision to create the computer account metadata. The output of this command is a .txt file that includes a base-64 encoded blob.
- Run djoin /requestODJ to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.
- Start the destination computer, and the computer will be joined to the domain.
The computer where you run djoin /provision and the destination computer both need to run Windows Server 2008 R2 or Windows 7. We have a step-by-step guide published at http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx and appreciate any feedback you have.
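The three steps above as a concrete command sequence. This is an added example, not part of the original post or the TechNet guide; the domain name corp.contoso.com, the computer name WS7-CLIENT01 and the blob path C:\odj\WS7-CLIENT01.txt are assumed.

```powershell
# Added example: offline domain join with Djoin.exe. Domain, machine and file names are assumed.

# --- On a Windows Server 2008 R2 or Windows 7 computer that can reach a 2008 R2 domain controller ---
# Creates the computer account in AD DS and writes the base-64 blob to the file. The blob carries the
# machine account password, so keep the file on protected storage and delete it once it has been used.
djoin.exe /provision /domain corp.contoso.com /machine WS7-CLIENT01 /savefile C:\odj\WS7-CLIENT01.txt
# Optional switches: /machineou "OU=Workstations,DC=corp,DC=contoso,DC=com" places the account in
# a specific OU, and /reuse re-provisions a computer account that already exists.

# --- On the destination computer, in an elevated prompt, before it has ever contacted the domain ---
# Injects the blob into the local Windows directory; the join completes the next time the OS starts.
djoin.exe /requestODJ /loadfile C:\odj\WS7-CLIENT01.txt /windowspath $env:SystemRoot /localos
# Start (or, if the OS is already running, restart) the computer:
Restart-Computer

# --- After the start, confirm the join locally without querying a domain controller ---
$cs = Get-WmiObject -Class Win32_ComputerSystem
"{0} PartOfDomain={1} Domain={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain
```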
Account Operators is a default group located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution.
On computers running Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, by default, a newly created computer account is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over the computer account. If a server that is represented by this computer account is promoted to a domain controller, the computer account retains this "Account Ops-FC" ACE and therefore, members of the Account Operators group will have full control on this domain controller, which is not a recommended configuration.
The "Account Ops-FC" ACE is also assigned by default to domain controllers that you promote by running dcpromo.exe on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 machines and joining them to an existing Active Directory domain.
To modify permissions for Account Operators on such computer accounts and domain controller accounts, you can use the Active Directory Administrative Center (in Windows Server 2008 R2) or Active Directory Users and Computers (in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2) and complete the following steps:
- Right-click the computer account that represents the server that you want to promote to a domain controller status (or the affected domain controller account), and then click Properties.
- On the Security tab, (in the Active Directory Administrative Center, locate the Security tab in the Extensions section of the Properties window), select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.
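The same check and fix, scripted so you can audit every domain controller account at once. This is an added example, not from the original post; it assumes the Active Directory module for Windows PowerShell (Windows Server 2008 R2) and its AD: drive, and the function name Find-AccountOpsFullControl is mine.

```powershell
# Added example: find (and optionally remove) the "Account Ops-FC" ACE on the computer accounts
# in the Domain Controllers OU. Uses the Active Directory module's AD: drive for Get-Acl/Set-Acl.
Import-Module ActiveDirectory

function Find-AccountOpsFullControl {
    param(
        [switch]$Remove   # remove matching explicit ACEs instead of only reporting them
    )
    # BUILTIN\Account Operators has the well-known SID S-1-5-32-548, so match on the SID, not the name.
    $accountOps  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-548'
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $dcOu        = 'OU=Domain Controllers,' + (Get-ADDomain).DistinguishedName

    foreach ($dc in Get-ADComputer -SearchBase $dcOu -Filter *) {
        $path = 'AD:\' + $dc.DistinguishedName
        $acl  = Get-Acl -Path $path
        # Allow ACEs for Account Operators that grant all GenericAll bits (Full Control).
        $hits = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $accountOps -and
            ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl
        })
        foreach ($ace in $hits) {
            New-Object PSObject -Property @{
                DomainController = $dc.Name
                Rights           = $ace.ActiveDirectoryRights
                Inherited        = $ace.IsInherited
            }
        }
        if ($Remove -and $hits.Count -gt 0) {
            # Only explicit ACEs can be removed on the object; inherited ones must be fixed at their source.
            foreach ($ace in ($hits | Where-Object { -not $_.IsInherited })) {
                [void]$acl.RemoveAccessRule($ace)
            }
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Report only (add -Remove to strip the explicit Full Control ACEs):
Find-AccountOpsFullControl | Format-Table DomainController, Rights, Inherited -AutoSize
```

For a one-off look at a single account, dsacls "CN=DC01,OU=Domain Controllers,DC=corp,DC=contoso,DC=com" (name constructed) prints the same ACL in text form.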
When you delete or recover an Active Directory object with link-valued attributes, AD DS must process the object’s link value table to maintain referential integrity on the linked attribute’s values. Because deleting or recovering an Active Directory object results in modifications to the object’s link value table, if you attempt to delete or recover an object during its ongoing link-value-table processing time, the operation will be blocked. For example, if you use the Active Directory Recycle Bin to recover a deleted object with a large number of link-valued attributes (for example, a group object with 10 million users) immediately after it was deleted (or anytime throughout the duration of its link-value-table processing), the object recovery will be blocked. (If you are using Ldp.exe to perform the recovery, you might see the following error message: "Error 0x2093 The operation cannot continue because the object is in the process of being removed.") For more information about Active Directory Recycle Bin, see
Active Directory Recycle Bin Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133971).
In Windows Server 2008, there are new tools you can use to create a snapshot of your Active Directory database at a point in time (ntdsutil snapshot) and then view the contents of that snapshot by using dsamain.exe. This is a great tool for data recovery and for comparing how your Active Directory database looked when the snapshot was taken with how it looks today.
In cases where you need to perform forest recovery, these tools can help you compare backups taken at different points in time without taking your domain controllers offline to restore a backup, only to find out later that it was not the backup you wanted.
In instances where you accidentally delete an object from Active Directory Users and Computers, you can view a snapshot of your environment before that object was deleted and recover the stripped back link information that is needed to fully restore the object. In the case of a deleted user object, you can use the snapshot to determine the user’s group membership before the object was deleted and then restore that information after you have used LDP or the Active Directory Module for Windows PowerShell to reanimate the tombstone (deleted) object.
To fully take advantage of snapshots, you should schedule a task that regularly takes snapshots of your AD DS database. By doing this, you can keep detailed records of the changes made to your AD DS database over time.
For more information about the AD DS Mounting tool, including information about snapshots, see:
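The snapshot workflow described above, from taking the snapshot through recovering a reanimated user's group membership and scheduling regular snapshots. This is an added example, not from the original post; it assumes a Windows Server 2008 R2 domain controller, a user named jdoe, a free LDAP port 51389, that snapshot index 1 and the mount path shown are the ones ntdsutil reports, and that ADWS on the same server exposes the dsamain instance to the Active Directory module by its LDAP port.

```powershell
# Added example: take, mount and query an AD DS snapshot, then use it to restore stripped group links.

# 1. Create a snapshot of the live database (Volume Shadow Copy based; run as a Domain Admin).
ntdsutil "activate instance ntds" snapshot create quit quit

# 2. List the snapshots and mount the one you want. ntdsutil prints the mount point, for example
#    C:\$SNAP_200907011200_VOLUMEC$\ (constructed value; use the one printed for your snapshot).
ntdsutil snapshot "list all" "mount 1" quit quit
$snapPath = 'C:\$SNAP_200907011200_VOLUMEC$'

# 3. Serve the mounted copy read-only over LDAP on an alternate port, leaving the live DC on 389.
#    dsamain runs in the foreground; start it in its own window and stop it with Ctrl+C when done.
#    The mounted .dit is a full copy of the directory, so keep it on the DC and unmount it promptly.
Start-Process -FilePath dsamain.exe `
    -ArgumentList "-dbpath `"$snapPath\Windows\NTDS\ntds.dit`" -ldapport 51389"

# 4. Compare group membership at snapshot time with the membership of the reanimated object now.
#    (Assumption: ADWS on this server proxies the dsamain instance, addressed as localhost:51389.)
Import-Module ActiveDirectory
$then = @((Get-ADUser -Identity jdoe -Properties memberOf -Server localhost:51389).memberOf)
$now  = @((Get-ADUser -Identity jdoe -Properties memberOf).memberOf)
$missing = $then | Where-Object { $now -notcontains $_ }
$missing | ForEach-Object { Add-ADGroupMember -Identity $_ -Members jdoe }   # restore stripped links

# 5. Clean up: stop dsamain (Ctrl+C in its window), then unmount the snapshot.
ntdsutil snapshot "list all" "unmount 1" quit quit

# 6. Take snapshots on a schedule (daily at 02:00 as SYSTEM) so you always have points in time to compare.
Set-Content -Path C:\Scripts\ad-snapshot.cmd -Value 'ntdsutil "activate instance ntds" snapshot create quit quit'
schtasks /create /sc DAILY /st 02:00 /ru SYSTEM /tn "AD DS snapshot" /tr C:\Scripts\ad-snapshot.cmd
```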
UPDATE: A faster way to open the UAC settings in Windows 7 was just brought to my attention by Dean Wells. Click Start, type UAC and press ENTER. Thanks, Dean!
If that doesn’t work for some reason, you can do the following:
- Run wscui.cpl from the Start Search or Run dialog box, or launch it from the command prompt.
- Then, select the User Account Control settings option on the left side of the screen.
- Then you’ll see the UAC settings for Windows 7.
While this has been true for a while, I figured that it is worth mentioning that if you are running Windows 7, you can download the Remote Server Administration Tools (RSAT) for Windows 7. If you’ve used the Administration Tools for Windows XP (Adminpak.msi), this is the equivalent for Windows 7. Windows Vista has its own version. The important thing to note after downloading and installing the RSAT package is that you then have to open the Turn Windows features on or off dialog box (Control Panel - Programs and Features) to actually enable the specific tools you want. To manage Active Directory, for example, you will have to install the AD DS Snap-Ins and Command-Line Tools.

Are you in danger of running out of relative identifiers (RIDs) in your domain? If you haven’t heard of this before, you should see Active Directory Maximum Limits - Scalability and read the section Maximum Number of Security Identifiers. Then, come back here to see how to check how many RIDs remain to be assigned in your domain.
From a command prompt running on a domain controller, run the following command:
dcdiag /test:ridmanager /v | find /i "available RID"
That will display something like the following:
* Available RID Pool for the Domain is 12100 to 1073741823
You can add the switch /s:hostname (where hostname is the actual name of the domain controller) to run the command remotely. Alternately, try /s:%userdnsdomain% to connect to an available domain controller in your domain. Thanks to Dean Wells for this information.
What do you do with that information? Subtract the first number from the second and you will have the number of unique RIDs left in the global pool that can be assigned in your domain. Don’t wait until the two numbers match before you make a plan to migrate to a new domain or add another domain.
You can also determine the number of RIDs that remain by using LDP. The basic steps are below and there is a screencast video that follows:
- Open LDP; Connect to a domain controller in the domain you want to check and bind as a domain user.
- Open Tree View (View Menu) and select CN=System,YourDomainDistinguishedName.
- Expand the System container and double-click the RID Manager$ account record.
- Locate the rIDAvailablePool in the RID Manager$ record.
- Copy the integer you see there and paste it into the Large Integer Converter (Utilities menu).
- Click Run. The High Part represents the total number of RIDs that can be assigned in a domain. The Low Part represents the first RID in the next RID block that will be assigned.
- You can subtract the Low Part from the High Part to determine the number of RIDs you have remaining that can be assigned to security principals in your domain. This is not an exact number because RIDs are assigned in blocks of 500, by default. So the real number remaining is the number of RIDs left unassigned by each domain controller (up to 500 each) plus the number that you determine are left to be assigned by the RID Manager.
Again, don’t wait until you are out (or almost out) of RIDs in order to make a plan to migrate to a new domain or create another domain. Once the RID pool is exhausted and all the RIDs left in the domain controllers are assigned, you won’t be able to create a trust relationship (since doing so creates a user account to maintain the trust). RIDs are not reused, so you cannot simply delete a bunch of user accounts to get out of the situation.
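The same calculation done from rIDAvailablePool, the attribute both dcdiag and the LDP steps read, plus the per-domain-controller remainder the last LDP step says you need for a closer estimate. This is an added example, not from the original post; it assumes the Active Directory module (Windows Server 2008 R2), and the layout of each DC's RID Set object used here (rIDAllocationPool low/high halves are the start/end of the DC's current block, rIDNextRID its allocation cursor) is my reading of those attributes.

```powershell
# Added example: remaining RIDs for the domain, computed the way the post describes.
Import-Module ActiveDirectory

function Split-LargeInteger([int64]$Value) {
    # Same split as LDP's Large Integer Converter (PowerShell 2.0 has no shift operator).
    $low  = [int64]($Value -band 0xFFFFFFFF)
    $high = [int64](($Value - $low) / 4294967296)
    New-Object PSObject -Property @{ High = $high; Low = $low }
}

function Get-RidPoolStatus {
    param([string]$Server = $env:USERDNSDOMAIN)   # any DC in the domain, like dcdiag /s:%userdnsdomain%

    $domain = Get-ADDomain -Server $Server
    $ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
                           -Properties rIDAvailablePool -Server $Server
    # High part: highest RID the domain can ever issue. Low part: first RID of the next block.
    $pool       = Split-LargeInteger $ridMgr.rIDAvailablePool
    $globalLeft = $pool.High - $pool.Low             # what the RID master can still hand out

    # Each DC also holds a partly used block (500 RIDs by default); add what is left in those.
    # Assumed attribute layout of the DC's RID Set object, see the lead-in.
    $dcLeft = 0
    $dcOu   = 'OU=Domain Controllers,' + $domain.DistinguishedName
    foreach ($dc in Get-ADComputer -SearchBase $dcOu -Filter * -Properties rIDSetReferences -Server $Server) {
        $setDn = @($dc.rIDSetReferences)[0]
        if (-not $setDn) { continue }               # e.g. an RODC, which issues no RIDs
        $set   = Get-ADObject -Identity $setDn -Properties rIDAllocationPool, rIDNextRID -Server $Server
        $block = Split-LargeInteger $set.rIDAllocationPool
        $dcLeft += [math]::Max(0, $block.High - $set.rIDNextRID)
    }

    New-Object PSObject -Property @{
        Domain            = $domain.DNSRoot
        NextRidBlockStart = $pool.Low
        HighestRid        = $pool.High
        GlobalRidsLeft    = $globalLeft
        PercentUsed       = [math]::Round(100 * $pool.Low / $pool.High, 2)
        ApproxTotalLeft   = $globalLeft + $dcLeft    # global pool plus unused RIDs held by each DC
    }
}

Get-RidPoolStatus | Format-List
```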
You can use Active Directory and Active Directory Domain Services (AD DS) to limit the number of objects that a security principal (a user, computer, or group) can create in a directory partition. You define these limits through Active Directory quotas. Quotas have been around since Windows Server 2003 and are very useful for helping to prevent a rogue attack against Active Directory. For example, suppose a security principal has been delegated permission to create objects in Active Directory. With no quota limit in place, that principal can create objects until the disk housing the NTDS.dit file runs out of space. If you implement quotas, you can limit the number of objects that a security principal can create in the directory, which helps insulate the directory from a denial-of-service attack through the creation of a very large number of objects.
A few key pointers:
- You can specify quotas for security principals on each directory partition. These partitions include application partitions, domain partitions, and configuration partitions.
- Schema partitions are exempt from quota restrictions. Modifications to the schema are highly restricted operations that only members of the Schema Admins group can perform. In addition, members of the Domain Admins and Enterprise Admins groups are also exempt from quota limitations.
- Quota objects are stored in the NTDS Quotas container under the domain, application, and configuration naming contexts. To view the NTDS Quotas container in the Active Directory Users and Computers snap-in, you must enable Advanced Features on the View menu.
- Tombstone objects, which are created when you delete an object from a partition, count toward a security principal’s quota limit. You can define the percentage by which tombstone objects count against a security principal’s quota limit by modifying the NTDS Quotas container’s msDS-TombstoneQuotaFactor attribute.
- By default, only members of the Domain Admins group can administer quotas.
- To assign a quota to a security principal, you must use the directory services tools. The command and required parameters for assigning a quota to a security principal are as follows:
dsadd quota -part <partition distinguished name> -qlimit <quotalimit> -acct <security principal>
- To determine a security principal’s quota, use the following command:
dsget user <userDN> -part <partitionDN> -qlimit -qused
For more information about Active Directory quotas, see Active Directory Quotas (http://technet.microsoft.com/en-us/library/cc904295.aspx).
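Putting the pointers above to work: a quota for a delegated account, the container-level settings, and an inventory of every quota on the partition. This is an added example, not from the original post; the partition DN DC=corp,DC=contoso,DC=com, the account CORP\svc-provision and its DN are constructed, and it assumes the Active Directory module (Windows Server 2008 R2) alongside the dsadd/dsget tools the post uses.

```powershell
# Added example: set, inspect and tune Active Directory quotas on the domain partition.
Import-Module ActiveDirectory
$partition = 'DC=corp,DC=contoso,DC=com'
$quotas    = "CN=NTDS Quotas,$partition"

# 1. Cap a delegated account that may create objects (same dsadd syntax as the post, plus a description).
dsadd quota -part $partition -qlimit 200 -acct 'CORP\svc-provision' -desc 'Provisioning service: max 200 objects'

# 2. Container-level settings: the default quota for principals without an explicit one (-1 = unlimited)
#    and how much a tombstone counts, in percent (default 100). Here tombstones are made to count half.
Get-ADObject -Identity $quotas -Properties msDS-DefaultQuota, msDS-TombstoneQuotaFactor |
    Format-List msDS-DefaultQuota, msDS-TombstoneQuotaFactor
Set-ADObject -Identity $quotas -Replace @{ 'msDS-TombstoneQuotaFactor' = 50 }

# 3. List every quota specification on the partition with its trustee SID resolved to a name.
function ConvertTo-Account($trustee) {
    # msDS-QuotaTrustee is an octet string (SID); accept either raw bytes or an already-converted SID.
    if ($trustee -is [System.Security.Principal.SecurityIdentifier]) { $sid = $trustee }
    else { $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$trustee, 0) }
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}
Get-ADObject -SearchBase $quotas -LDAPFilter '(objectClass=msDS-QuotaControl)' `
             -Properties msDS-QuotaTrustee, msDS-QuotaAmount, description |
    Select-Object Name,
        @{ n = 'Trustee'; e = { ConvertTo-Account $_.'msDS-QuotaTrustee' } },
        @{ n = 'Limit';   e = { $_.'msDS-QuotaAmount' } },
        description |
    Format-Table -AutoSize

# 4. Effective limit and current usage for one principal (the dsget form shown in the post).
dsget user "CN=svc-provision,OU=Service Accounts,$partition" -part $partition -qlimit -qused
```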
Kurt Hudson from the Active Directory documentation team will be presenting the session Best Practices for Virtual Domain Controllers at TechMentor in Orlando. See the conference ad video.
If you are looking for Active Directory scalability information for Windows Server 2003 or Windows Server 2008, you should check out the Active Directory Maximum Limits (http://technet.microsoft.com/en-us/library/cc756101.aspx) document. This may answer some of your questions, or at least give you some warnings about the recommended maximum number of domain controllers in a domain, maximum number of users supported by NTDS.DIT (Active Directory database), and recommended maximum number of users in a group. See Active Directory scalability for information on the scale limitations of Active Directory.
Active Directory objects can have several different types of attributes. The two basic types are single-valued and multivalued. The question about attributes that I see most frequently concerns the member attribute, because it comes into play when discussing the maximum number of members (users) you can have in a group. In Windows 2000 Active Directory, the recommendation was to have no more than 5,000 members in each group. However, in Windows Server 2003 (as long as you have a forest functional level of Windows Server 2003 interim) there is no stated limit on group membership, and millions of members per group are possible (up to 500 million have been tested). This is explained in the Active Directory Maximum Limits (http://technet.microsoft.com/en-us/library/cc756101.aspx) article. Since this is made possible through the use and replication of multivalued linked attributes, some people have asked for a list of the multivalued linked attributes in Active Directory. To generate such a list (which might differ depending on your specific version and what you’ve got installed), you can use Ldp: search the Active Directory schema for isSingleValued=FALSE and LinkID=*. I show a couple of examples in the figures below: the first one using Windows Server 2003 R2 for the Contoso.com schema and the second one using Windows Server 2008 R2 on the Fineartschool.net schema.
Notice that in the second query I specified the attributes adminDisplayName; adminDescription, which returns all the information I need for a list. Often the adminDescription is exactly the same as the display name, but on some attributes you’ll actually see additional information. An example portion of the output generated by the query above appears in the following figure:
You can also set the attribute output in the Windows Server 2003 version of Ldp, just click the Options button to access those options. To learn more about performing Ldp queries, see the Ldp Overview and its subordinate topics (http://technet.microsoft.com/en-us/library/cc772839.aspx).
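The same schema query the figures show in Ldp (isSingleValued=FALSE and linkID=*), run from the Active Directory module and extended to classify each attribute as a forward or back link. This is an added example, not from the original post; it assumes the Active Directory module (Windows Server 2008 R2), and the function name is mine.

```powershell
# Added example: list the multivalued linked attributes in this forest's schema.
Import-Module ActiveDirectory

function Get-MultiValuedLinkedAttribute {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isSingleValued=FALSE)(linkID=*))' `
        -Properties lDAPDisplayName, adminDisplayName, adminDescription, linkID |
      ForEach-Object {
        $id = [int]$_.linkID
        New-Object PSObject -Property @{
            Attribute   = $_.lDAPDisplayName
            DisplayName = $_.adminDisplayName
            Description = $_.adminDescription
            LinkID      = $id
            # Forward links carry even linkIDs; the matching back link is linkID + 1.
            LinkType    = $(if (($id % 2) -eq 0) { 'forward' } else { 'back' })
        }
      } | Sort-Object LinkID
}

$links = Get-MultiValuedLinkedAttribute
$links | Format-Table Attribute, LinkID, LinkType, Description -AutoSize
# member (linkID 2) and its back link memberOf (linkID 3) are the pair behind the group-size discussion.
"{0} multivalued linked attributes in this forest's schema" -f $links.Count
```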
Launching Tools Using Alternate Credentials from a Command Prompt Window
One of the easiest ways to launch tools using alternate credentials is to first launch a Command Prompt with the credentials you want to use. Once the Command Prompt is launched using the alternate credentials, all subsequent commands and tools run from that Command Prompt start using the elevated credentials you provided.
As an example, assume that you are logged on as a typical domain user to a workstation in the domain, but you needed to run several tools using a more privileged account. You could do the following:
- Open a Command Prompt window. Click Start, click Run, type cmd and press ENTER.
- In the Command Prompt window you just opened, type runas /user:<domain\username> cmd and press ENTER to open another Command Prompt using alternate credentials. Substitute the actual domain and username of the account you want to use for <domain\username>. For example, if the administrator account name is cgreen in the domain cpandl.com, the command would look like this: runas /user:cpandl\cgreen cmd.
Note: Instead of opening two different Command Prompt windows, you could run the following command from the Run dialog box cmd /k runas /user:<domain\username> cmd. For example, to open a Command Prompt as cgreen from the domain cpandl.com, you could run the following command: cmd /k runas /user:cpandl\cgreen cmd.
From here a new Command Prompt window opens with the credentials of the user account provided and you are prompted to type the password for the account. Once you enter the password for the account, you can run commands and launch additional tools from that Command Prompt window that will run using the credentials that you used to launch the window. For example, to run the Registry Editor, you could type regedit and press ENTER. To make use of the Command Prompt window to open graphical tools and snap-ins, you must know the name of the tools or their respective snap-ins.
The following list provides the tool’s full name followed by the name to type from the Command Prompt to launch the tool:
- Active Directory Federation Services – adfs.msc
- Active Directory Rights Management Services – adrms.msc
- Active Directory Sites and Services – dssite.msc
- Active Directory Users and Computers – dsa.msc
- Add Hardware – hdwwiz.cpl
- ADSI Edit – adsiedit.msc
- Authorization Manager – azman.msc
- Certificates [Current User] – certmgr.msc
- Component Services – comexp.msc
- Computer Management – compmgmt.msc
- Control Panel Network Connections – ncpa.cpl
- Date and Time – timedate.cpl
- Device Manager – devmgmt.msc
- DFS Management – dfsmgmt.msc
- DHCP – dhcpmgmt.msc
- Disk Management – diskmgmt.msc
- Display Settings – desk.cpl
- DNS Manager – dnsmgmt.msc
- Enterprise PKI – pkiview.msc
- Event Viewer – eventvwr.msc
- Failover Cluster Management – CluAdmin.msc
- File Server Resource Manager – fsrm.msc
- Hyper-V Manager – virtmgmt.msc
- Indexing Service – ciadv.msc
- Internet Information Services (IIS) 6.0 Manager – iis6.msc
- Internet Information Services (IIS) Manager – iis.msc
- Internet Properties – inetcpl.cpl
- Local Group Policy Editor – gpedit.msc
- Local Security Policy – secpol.msc
- Local Users and Groups – lusrmgr.msc
- Microsoft Fax Service Manager – fxadmin.msc
- Mouse Properties – main.cpl
- NAP Client Configuration – napclcfg.msc
- Network Policy Server – nps.msc
- Power Options – powercfg.cpl
- Print Management – printmanagement.msc
- Programs and Features – appwiz.cpl
- Reliability and Performance Monitor – perfmon.msc
- Remote Desktops – tsmmc.msc
- Removable Storage – ntmsmgr.msc
- Removable Storage Operator Requests – ntmsoprq.msc
- Resultant Set of Policy – rsop.msc
- Routing and Remote Access Management – rrasmgmt.msc
- Server Manager – servermanager.msc
- Services – services.msc
- Share and Storage Management – storagemgmt.msc
- Shared Folders – fsmgmt.msc
- Sound – mmsys.cpl
- Storage Explorer – storexpl.msc
- System Properties – sysdm.cpl
- Task Scheduler – taskschd.msc
- Telephony – tapimgmt.msc
- Terminal Services Configuration – tsconfig.msc
- Terminal Services Manager – tsadmin.msc
- Trusted Platform Module (TPM) Management – tpm.msc
- TS Gateway Manager – tsgateway.msc
- TS RemoteApp Manager – remoteprograms.msc
- UDDI Services Console – uddi.msc
- Windows Deployment Services – wdsmgmt.msc
- Windows Firewall – firewall.cpl
- Windows Firewall with Advanced Security – wf.msc
- Windows Server Backup – wbadmin.msc
- Windows System Resource Manager – wsrm.msc
- WINS – winsmgmt.msc
- WMI Control – wmimgmt.msc
Related information:
How to open an elevated Command Prompt in Windows Vista (http://www.winhelponline.com/articles/158/1/How-to-open-an-elevated-Command-Prompt-in-Windows-Vista.html)
How to use User Account Control (UAC) in Windows Vista (http://support.microsoft.com/default.aspx?scid=kb;EN-US;922708)
Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks (such as user, computer, group, and organizational unit management) through both data-driven and task-oriented navigation. Administrators can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to suit their particular directory service administration requirements.
There are several special considerations:
1. Active Directory Administrative Center can be installed only on computers running the Windows Server 2008 R2 operating system. Active Directory Administrative Center cannot be installed on computers running Windows 2000, Windows Server 2003, or Windows Server 2008.
2. Active Directory Administrative Center cannot be installed on the Windows 7 operating system. However, this functionality will be available in future releases of Windows 7.
3. In this release of Windows Server 2008 R2, you cannot use Active Directory Administrative Center to manage Active Directory Lightweight Directory Services (AD LDS) instances and configuration sets.
One of the coolest features of Active Directory Administrative Center is that it gives administrators the ability to manage Active Directory objects across multiple domains within the same instance of Active Directory Administrative Center. When you open the Active Directory Administrative Center, the domain that you are currently logged on to (the local domain) appears in the Active Directory Administrative Center navigation pane. Depending on the rights of your current set of logon credentials, you can view or manage the Active Directory objects in this local domain. You can also use the same instance of the Active Directory Administrative Center and the same set of logon credentials to view or manage Active Directory objects from any other domain (whether or not it belongs to the same forest as the local domain) as long as it has an established trust with the local domain. (Both one-way trusts and two-way trusts are supported.)
You can also open the Active Directory Administrative Center using a set of logon credentials that is different from your current set of logon credentials. This can be useful if you are logged on to the computer that is running the Active Directory Administrative Center with normal user credentials, but you want to use Active Directory Administrative Center on this computer to manage your local domain as an administrator. This can also be useful if you want to use Active Directory Administrative Center to remotely manage a domain that is different from your local domain with a set of credentials that is different from your current set of logon credentials. However, this domain must have an established trust with the local domain.
For more information on Active Directory Administrative Center features, including details on the Overview page, the customizable navigation pane, the breadcrumb bar, the query building search and filtering mechanisms, etc. see What's New in AD DS: Active Directory Administrative Center (http://go.microsoft.com/fwlink/?LinkID=131022).
Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations. You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.
The AD DS BPA service is installed automatically when AD DS is installed on a computer that is running the Windows Server 2008 R2 and that computer becomes a domain controller. This includes both writable domain controllers and read-only domain controllers (RODCs). No other preparations are required.
For more information, including detailed explanation of the AD DS BPA logic and the list of the Active Directory configuration settings that AD DS BPA scans, see What's New in AD DS: Active Directory Best Practices Analyzer (http://go.microsoft.com/fwlink/?LinkId=141413).
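Running the scan, filtering the results and excluding an accepted finding from the Windows PowerShell side, using the BestPractices module cmdlets that ship with Windows Server 2008 R2. This is an added example, not from the original post; the model id is passed positionally because its parameter name differs between releases, and the result number 5 is a constructed value.

```powershell
# Added example: AD DS BPA scan from PowerShell, keeping only unresolved Error/Warning results.
Import-Module BestPractices

$model = 'Microsoft/Windows/DirectoryServices'   # the AD DS BPA model id

Invoke-BpaModel $model | Out-Null                 # scan the local domain controller

$findings = Get-BpaResult $model | Where-Object {
    $_.Severity -ne 'Information' -and -not $_.Excluded
}
$findings | Format-List Category, Severity, Title, Problem, Resolution

# Exclude a result you have reviewed and accepted so it no longer appears in reports.
# Pick it by the ResultNumber shown in the output above (5 is a constructed value).
Get-BpaResult $model | Where-Object { $_.ResultNumber -eq 5 } | Set-BpaResult -Exclude $true
```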