10 ways to benchmark your Active Directory environment
March 25, 2008
By Rick Vanover
Active Directory is the de facto standard for account provisioning, basic system management, and DNS authority in
most Windows environments. Establishing accountability, that is, being able to determine what has changed over
time, can be a challenge. Here are some strategies for achieving that accountability in your Active Directory
environment. They will supplement your existing change-control practices, give you an extra dimension for testing,
and provide a solid set of reference data for determining what has changed when you're troubleshooting an issue.
Copyright ©2008 CNET Networks, Inc. All rights reserved.
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html
Managing Group Policy objects (GPOs) in AD is a challenge of its own. How do you pin down what is wrong in a
complicated Group Policy without a known-good reference? Exporting the Group Policy is a way to benchmark its
configuration at a point in time. The Windows Resource Kit tool ADMX.EXE allows for an export of Group Policy
objects from AD for archival and comparison purposes; the Group Policy Management Console (GPMC) can likewise back
up every GPO in the domain to a folder. A dated backup taken before each change gives you something to compare
against when a policy stops behaving.
If your DNS zones are Active Directory-integrated, so that your domain systems register their addresses in AD, you
can export the zone that contains them. This lets you see how addresses are used and where your domain systems sit
across all networks in the domain, and a dated export is the baseline you compare against later. The DNSCMD
command-line tool is the simplest way to perform this export; run it with an account that has administrative rights
on the DNS server. The command to export the sample WS2K3DEV.LOCAL zone from the DC001 server would be:
DNSCMD DC001 /zoneprint WS2K3DEV.LOCAL
You can redirect the command's output to a dated file for archival. DNSCMD can also import zones and modify
records, but its output functionality is what matters when benchmarking the AD environment. The lines of interest
are the per-host entries in the record listing that follows the zone's header: one DNS A record per system, such as
the one shown below. The bracketed Aging value is the last-refresh timestamp that DNS aging and scavenging use for a
dynamically registered record (statically created records carry none), so it also tells you when a machine last
re-registered itself:
DC001 [Aging:3569020] 3600 A 192.168.1.100
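As an added example (not code from the original article), the following Python script shows what the benchmarking step looks like once two dated zoneprint exports exist: it parses the host lines, decodes the Aging timestamp, and reports which A records appeared or disappeared between the two snapshots. The two snapshots are constructed inline in zoneprint layout; only the DC001 line is taken from the article, and the other hosts, the comment header and the indented continuation line are assumptions about the format.

```python
import re
from datetime import datetime, timedelta

# Host lines in "dnscmd <server> /zoneprint <zone>" output look like
#   DC001 [Aging:3569020] 3600 A 192.168.1.100
# Continuation records for the same owner are assumed to be indented with no
# name, and the [Aging:N] token appears only on dynamically registered records;
# N is the last refresh time in hours since 1601-01-01 UTC (the DNS aging epoch).
RECORD_RE = re.compile(
    r"^(?P<name>\S+)?\s*(?:\[Aging:(?P<aging>\d+)\]\s+)?"
    r"(?P<ttl>\d+)\s+(?P<rtype>[A-Z]+)\s+(?P<data>\S.*?)\s*$"
)
DNS_AGING_EPOCH = datetime(1601, 1, 1)

# Constructed snapshots in zoneprint layout (not real output from the
# article's domain); the DC001 line reuses the article's sample record.
SNAPSHOT_OLD = """\
;
;  Zone:    ws2k3dev.local
;  Server:  dc001
;
@ [Aging:3569000] 600 A 192.168.1.100
                  3600 NS dc001.ws2k3dev.local.
DC001 [Aging:3569020] 3600 A 192.168.1.100
VM-SERVER1 [Aging:3568990] 1200 A 192.168.1.110
PRINTSRV 3600 A 192.168.1.50
"""
SNAPSHOT_NEW = """\
;
;  Zone:    ws2k3dev.local
;  Server:  dc001
;
@ [Aging:3569120] 600 A 192.168.1.100
                  3600 NS dc001.ws2k3dev.local.
DC001 [Aging:3569140] 3600 A 192.168.1.100
VM-SERVER1 [Aging:3569130] 1200 A 192.168.1.111
ROGUEBOX [Aging:3569135] 1200 A 192.168.1.200
"""


def aging_to_datetime(hours):
    """Decode an [Aging:N] value into the UTC time the record was last refreshed."""
    return DNS_AGING_EPOCH + timedelta(hours=int(hours))


def parse_zoneprint(text):
    """Return {(owner, rtype): {rdata: aging_hours_or_None}} for a zoneprint dump."""
    records = {}
    owner = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue                       # blank lines and ';' comments
        m = RECORD_RE.match(raw)
        if not m:
            continue                       # not a record line
        if m.group("name"):
            owner = m.group("name").lower()
        elif owner is None:
            continue                       # indented line before any owner
        aging = int(m.group("aging")) if m.group("aging") else None
        records.setdefault((owner, m.group("rtype")), {})[m.group("data")] = aging
    return records


def diff_zones(old, new):
    """List (action, owner, rtype, rdata) tuples for records that appeared or disappeared."""
    changes = []
    for key in sorted(set(old) | set(new)):
        before, after = set(old.get(key, {})), set(new.get(key, {}))
        owner, rtype = key
        changes += [("removed", owner, rtype, d) for d in sorted(before - after)]
        changes += [("added", owner, rtype, d) for d in sorted(after - before)]
    return changes


if __name__ == "__main__":
    old, new = parse_zoneprint(SNAPSHOT_OLD), parse_zoneprint(SNAPSHOT_NEW)
    for action, owner, rtype, rdata in diff_zones(old, new):
        print(f"{action:8}{owner:12}{rtype:4}{rdata}")
    dc_aging = new[("dc001", "A")]["192.168.1.100"]
    print("dc001 last refreshed", aging_to_datetime(dc_aging).isoformat())
```

Decoding the Aging value of the article's DC001 record gives 26 February 2008, about a month before the article was published, which is a handy sanity check that the hours-since-1601 interpretation is right. In practice you would read the two files produced by redirecting DNSCMD's output on different days instead of the inline strings; a host that disappears, or a new name that appears on a server subnet, is exactly the kind of change this benchmark is meant to surface.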
ADFind.exe provides a great way to take a quick snapshot outside Active Directory Users And Computers and outside
of the usual administrative-rights situation. ADFind reads the directory with the default read permissions every
authenticated domain user already has, so it needs no special domain privileges and nothing granted through the
Delegation Of Control wizard. You can therefore have your AD environment documented by computer operators,
temporary employees, junior administrators, or anyone else to whom you are not 100 percent comfortable giving
additional rights. Keep in mind that the export contains exactly the inventory an attacker would collect during
reconnaissance, so store the snapshots with the same care as any other sensitive documentation.
Using ADFind is a little different from using the normal tools, as it is not a Microsoft tool, but a quick jog
through the usage section of the Joeware Web site will have you making queries in no time. Here is an example query,
run against a test domain (WS2K3DEV.LOCAL), that returns every computer account under the domain root (-b sets the
search base and -f the LDAP filter):
adfind -b dc=WS2K3DEV,DC=LOCAL -f "objectcategory=computer"
All computer accounts are returned, and they have a format like the following sample result:
dn:CN=VM-SERVER1,OU=VServers,DC=WS2K3DEV,DC=LOCAL
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectClass: computer
>cn: VM-SERVER1
>distinguishedName: CN=VM-SERVER1,OU=VServers,DC=WS2K3DEV,DC=LOCAL
>instanceType: 4
>whenCreated: 20071109010719.0Z
>whenChanged: 20071109010838.0Z
>displayName: VM-SERVER1$
>uSNCreated: 98317
>uSNChanged: 98336
>name: VM-SERVER1
>objectGUID: {305864AA-98F3-4F0C-A813-5832F73F7BD1}
>userAccountControl: 4096
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 128390526426562500
>localPolicyFlags: 0
>pwdLastSet: 128390440401406250
>primaryGroupID: 515
>objectSid: S-1-5-21-1529256218-1546654017-687563949-1123
>accountExpires: 9223372036854775807
>logonCount: 5
>sAMAccountName: VM-SERVER1$
>sAMAccountType: 805306369
>operatingSystem: Windows Server 2003
>operatingSystemVersion: 5.2 (3790)
>operatingSystemServicePack: Service Pack 2
>dNSHostName: VM-SERVER1.WS2K3DEV.LOCAL
>servicePrincipalName: HOST/VM-SERVER1
>servicePrincipalName: HOST/VM-SERVER1.WS2K3DEV.LOCAL
>objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=WS2K3DEV,DC=LOCAL
>isCriticalSystemObject: FALSE
>dSCorePropagationData: 20071109010838.0Z
>dSCorePropagationData: 20071109010838.0Z
>dSCorePropagationData: 20071109010838.0Z
>dSCorePropagationData: 16010108151056.0Z
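The raw attributes above only become useful for benchmarking once they are decoded, and the fields a security reviewer cares about most (userAccountControl, pwdLastSet, lastLogon) are the least readable. The following Python script is an added example, not part of the article or of ADFind: it parses the adfind text layout, decodes userAccountControl into flag names, converts the 100-nanosecond FILETIME values into dates, and flags computer accounts that are stale or carry risky flags. The sample input is constructed: the VM-SERVER1 entry reuses values from the listing above, FILESRV2 is invented, and the 90-day staleness threshold and the review date of 25 March 2008 are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout adfind prints: a "dn:" line followed by
# ">attribute: value" lines, one blank line between entries. VM-SERVER1 reuses
# values from the article's output; FILESRV2 is invented to exercise the checks
# (528416 = 0x1000 WORKSTATION_TRUST | 0x80000 TRUSTED_FOR_DELEGATION | 0x20 PASSWD_NOTREQD).
SAMPLE_ADFIND_OUTPUT = """\
dn:CN=VM-SERVER1,OU=VServers,DC=WS2K3DEV,DC=LOCAL
>objectClass: top
>objectClass: computer
>cn: VM-SERVER1
>userAccountControl: 4096
>lastLogon: 128390526426562500
>pwdLastSet: 128390440401406250
>accountExpires: 9223372036854775807
>sAMAccountName: VM-SERVER1$
>operatingSystem: Windows Server 2003
>servicePrincipalName: HOST/VM-SERVER1
>servicePrincipalName: HOST/VM-SERVER1.WS2K3DEV.LOCAL

dn:CN=FILESRV2,OU=VServers,DC=WS2K3DEV,DC=LOCAL
>objectClass: top
>objectClass: computer
>cn: FILESRV2
>userAccountControl: 528416
>lastLogon: 128504000000000000
>pwdLastSet: 128500000000000000
>accountExpires: 0
>sAMAccountName: FILESRV2$
>operatingSystem: Windows Server 2003
"""

ARTICLE_DATE = datetime(2008, 3, 25)      # assumed "as of" date for the staleness check
STALE_AFTER = timedelta(days=90)          # assumption: 3x the default 30-day machine password age
FILETIME_EPOCH = datetime(1601, 1, 1)
NEVER = {0, 9223372036854775807}          # 0 and 0x7FFFFFFFFFFFFFFF mean "never" / "not set"

# Subset of the documented userAccountControl bits
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def parse_adfind(text):
    """Turn adfind's text output into a list of {attribute: [values]} dicts.

    Banner and "N Objects returned" lines start with neither "dn:" nor ">" and are ignored."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("dn:"):
            current = {"dn": [line[3:].strip()]}
            entries.append(current)
        elif line.startswith(">") and current is not None:
            name, _, value = line[1:].partition(":")
            current.setdefault(name.strip(), []).append(value.strip())
    return entries


def filetime_to_datetime(value):
    """lastLogon/pwdLastSet/accountExpires are 100-ns ticks since 1601-01-01 UTC."""
    ticks = int(value)
    if ticks in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_uac(value):
    """Names of the UAC_FLAGS bits set in a userAccountControl value, lowest bit first."""
    bits = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def review_computers(entries, as_of=ARTICLE_DATE):
    """Map sAMAccountName -> list of findings worth a second look."""
    findings = {}
    for entry in entries:
        flags = decode_uac(entry["userAccountControl"][0])
        pwd_set = filetime_to_datetime(entry["pwdLastSet"][0])
        issues = []
        if pwd_set is None or as_of - pwd_set > STALE_AFTER:
            issues.append("stale machine password")   # the box has not talked to the domain lately
        if "TRUSTED_FOR_DELEGATION" in flags:
            issues.append("unconstrained delegation")
        if "PASSWD_NOTREQD" in flags:
            issues.append("password not required")
        if "ACCOUNTDISABLE" in flags:
            issues.append("disabled")
        findings[entry["sAMAccountName"][0]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in review_computers(parse_adfind(SAMPLE_ADFIND_OUTPUT)).items():
        print(name, "->", ", ".join(issues) or "ok")
```

Decoding the article's own values gives a pwdLastSet of 2007-11-09 01:07:20 UTC, one second after the whenCreated stamp, and a lastLogon later the same morning, which confirms the conversion. The same parser works for the user and group queries ADFind can run; only the attributes you inspect change.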
As with any tool or procedure, I recommend learning the ropes in a test environment. ADFind is only a query and
lookup tool, but you still want to know what load a large query or a full export places on your domain controllers
before you run it against the live domain. Trying these tools in a test environment first ensures there are no
surprises.
Assigning permissions via group membership is the accepted best practice for most situations. However, having too
many groups in your AD environment poses a management challenge of its own. I have found it useful to determine
which groups have either no members or very few members and to consider removing or consolidating them. I generally
do this with the CSVDE command, scoped to the organizational unit that contains the groups in question, for a quick
view of the membership inventory. Note that groups used as a primary group (Domain Users, Domain Computers) record
their membership on the member objects rather than in the group's member attribute, so they look empty in such an
export. Retiring the groups that really are unused paves the way for simpler administration.
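As an added example (not code from the article), the following Python script does the membership review on a csvde export. It assumes the export was produced with a command along the lines of csvde -f groups.csv -d "OU=Groups,DC=WS2K3DEV,DC=LOCAL" -r "(objectCategory=group)" -l "cn,groupType,member", so that each row is one group with its member DNs joined by semicolons in a single field; the sample export is constructed inline and the group names in it are invented.

```python
import csv
import io

# Constructed sample in the shape of a csvde export (not real output): the
# first column is the DN, and multi-valued attributes such as objectClass and
# member are joined with ';' inside one field.
SAMPLE_CSVDE_EXPORT = """\
DN,objectClass,cn,groupType,member
"CN=Finance Admins,OU=Groups,DC=WS2K3DEV,DC=LOCAL",top;group,Finance Admins,-2147483646,"CN=Alice,OU=Users,DC=WS2K3DEV,DC=LOCAL;CN=Bob,OU=Users,DC=WS2K3DEV,DC=LOCAL"
"CN=Legacy App Users,OU=Groups,DC=WS2K3DEV,DC=LOCAL",top;group,Legacy App Users,-2147483646,
"CN=Printer Ops,OU=Groups,DC=WS2K3DEV,DC=LOCAL",top;group,Printer Ops,-2147483644,"CN=Carol,OU=Users,DC=WS2K3DEV,DC=LOCAL"
"CN=Newsletter,OU=Groups,DC=WS2K3DEV,DC=LOCAL",top;group,Newsletter,2,"CN=Alice,OU=Users,DC=WS2K3DEV,DC=LOCAL"
"CN=Domain Computers,CN=Users,DC=WS2K3DEV,DC=LOCAL",top;group,Domain Computers,-2147483646,
"""

# groupType scope bits; 0x80000000 marks a security group (clear = distribution)
GROUP_SCOPES = {0x1: "builtin-local", 0x2: "global", 0x4: "domain-local", 0x8: "universal"}
SECURITY_ENABLED = 0x80000000

# Membership in these is recorded on the member objects (primaryGroupID,
# e.g. 515 = Domain Computers in the article's adfind output), so their
# member attribute is legitimately empty in an export.
DEFAULT_PRIMARY_GROUPS = {"Domain Users", "Domain Computers", "Domain Controllers", "Domain Guests"}


def describe_group_type(value):
    """Decode the signed 32-bit groupType csvde exports, e.g. -2147483646 -> 'global security'."""
    bits = int(value) & 0xFFFFFFFF
    scope = next((name for bit, name in GROUP_SCOPES.items() if bits & bit), "unknown")
    return f"{scope} {'security' if bits & SECURITY_ENABLED else 'distribution'}"


def parse_csvde_groups(text):
    """Parse a csvde group export into a list of {dn, cn, type, members} dicts."""
    groups = []
    for row in csv.DictReader(io.StringIO(text)):
        members = [m for m in (row.get("member") or "").split(";") if m]
        groups.append({
            "dn": row["DN"],
            "cn": row["cn"],
            "type": describe_group_type(row["groupType"]),
            "members": members,
        })
    return groups


def small_groups(groups, threshold=1):
    """(cn, member count, type) for groups with at most `threshold` members, skipping default primary groups."""
    hits = [
        (g["cn"], len(g["members"]), g["type"])
        for g in groups
        if g["cn"] not in DEFAULT_PRIMARY_GROUPS and len(g["members"]) <= threshold
    ]
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    for cn, count, kind in small_groups(parse_csvde_groups(SAMPLE_CSVDE_EXPORT)):
        print(f"{count:3} member(s)  {kind:24} {cn}")
```

groupType is decoded so the report distinguishes a security group from a distribution list (an empty security group that still appears in ACLs deserves a different conversation from an unused mailing list), and the default primary groups are skipped because their empty member column is expected rather than a sign of disuse.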
Benchmarking your Active Directory environment for a look into the past can be the best indicator of future use
and needs. It's also great for troubleshooting something that used to work: compare today's export against the
archived one and the change stands out. Many of the strategies described here can be run as a scheduled task for
automated, dated documentation.
Rick Vanover works for Safelite Auto Glass (Belron US) in Columbus, OH, providing central
Windows-based server administration. Previous experiences included working for Dematic Corp
(formerly Siemens L&A, Siemens Dematic, Rapistan) in various capacities deploying custom software
solutions to the material handling industry using a mix of current hardware and software products.
You can reach Rick at b4real@usa.net.
Version history
Version: 1.0
Published: March 25, 2008