Since the late 1990s Microsoft has been a staple of business computing and of day-to-day modern living, shipping the Windows operating system (OS) for the personal computer (PC) together with the server products that go with it. One of those products, used by companies for many years, is Active Directory, the directory service this page refers to as the Microsoft Active Directory Server (the server role itself is Active Directory Domain Services, AD DS).

Active Directory is a directory service used by companies and other organizations for security and administration within their networks. It is the centre of a Windows domain: every computer joined to the domain, and every user session on it, is authenticated and authorized against it. It is in effect a central network manager that oversees users, groups, computers, applications and other objects from one location, stores and replicates the information about them, ties different computers and data sources into a single namespace, protects important information, and controls access to domain resources. The server computers that run Active Directory are called domain controllers.

The market for this product is usually found in organizations, corporations and businesses that run on Windows domain networks.

Active Directory cannot simply be installed on any machine, though. There are requirements that must be met before a domain controller can be built.

First of all, you need a licensed copy of Windows Server. Active Directory Domain Services is a server role that ships with the operating system rather than a separately purchased product; the version this page uses as its reference is Windows Server 2008 R2, and the role is covered by the Windows Server licence itself.

Other requirements include:

  • An NTFS partition with enough free space (the directory database and the SYSVOL share must sit on NTFS)
  • An administrator’s username and password (local Administrator for a new forest; Domain Admins or Enterprise Admins credentials when adding a DC to an existing domain)
  • The correct operating system version (a server edition; client editions cannot be promoted to a domain controller)
  • A network interface card (NIC)
  • Properly configured TCP/IP: a static IP address, subnet mask and, optionally, a default gateway
  • A network connection (to a switch or hub, or to another computer via a crossover cable)
  • An operational DNS server that supports SRV records (it can be installed on the DC itself)
  • The domain name you want to use
  • The Windows Server installation media (for Windows Server 2003 the CD, or at least its i386 folder; Windows Server 2008 and later install the role from the component store and need no media)

The installation assumes that all of the above are in place. The process itself is lengthy, but a number of online sources, including Microsoft’s own documentation, walk through it from start to finish.

Once the installation is finished, the next step is usually to add users and computers to the new domain.

To do this, create a named administrative account in the domain and add it to the security groups that carry the rights it needs (for example Domain Admins for a domain-wide administrator, or Account Operators for someone who only creates users and joins computers). That account, rather than the built-in Administrator, then becomes the day-to-day ‘primary account’ used to add other computers and users. Granting the rights through group membership means they can later be revoked simply by removing the membership.

After this is done, check the supporting components, DNS above all, to confirm that everything is working (dcdiag and a lookup of the domain’s SRV records are the usual checks). Checking and re-checking is prudent with a system as elaborate as Active Directory.
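As an added example (not code from the original page), here is the whole procedure above in PowerShell for Windows Server 2012 or later, where the ADDSDeployment module replaces the dcpromo wizard that Windows Server 2003 and 2008 R2 used. The domain name corp.example, the NetBIOS name CORP and the account adm-jdoe are placeholders.

```powershell
# Added example, not part of the original page. Promotes a freshly installed
# Windows Server (2012 or later; on 2008 R2 and 2003 the equivalent is the
# dcpromo wizard or dcpromo /unattend) to the first domain controller of a new
# forest, then creates a named administrative account and verifies DNS.
# The domain corp.example and the account adm-jdoe are placeholders.

# 1. Install the AD DS role; -IncludeManagementTools adds the ActiveDirectory
#    and ADDSDeployment PowerShell modules used below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Check the prerequisites the page lists before promoting: a static IP with
#    a reachable DNS server, and an NTFS system volume with free space.
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer
Get-Volume -DriveLetter C | Select-Object FileSystem, SizeRemaining

# 3. Promote to a forest root DC. DNS is installed on the DC itself. The
#    Directory Services Restore Mode password is prompted for, not embedded.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'corp.example' -DomainNetbiosName 'CORP' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
# The server reboots at this point; continue after logging on as CORP\Administrator.

# 4. Create a dedicated administrative account and grant its rights through
#    group membership rather than by using the built-in Administrator account.
Import-Module ActiveDirectory
$pw = Read-Host -AsSecureString -Prompt 'Initial password for adm-jdoe'
New-ADUser -Name 'adm-jdoe' -SamAccountName 'adm-jdoe' `
    -UserPrincipalName 'adm-jdoe@corp.example' -AccountPassword $pw `
    -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'adm-jdoe'

# 5. Verify DNS before joining any client: the SRV records clients use to
#    locate a DC must resolve and dcdiag's DNS test must pass.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example' -Type SRV
dcdiag /test:DNS
Get-ADDomainController -Discover -Service KDC | Select-Object HostName, IPv4Address
```

Run the script elevated on the server being promoted. The two Read-Host prompts are deliberate: the DSRM password and the new account’s password should never be written into a script that might be left on the DC.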

The Active Directory Server also has different services which can be used by clients.

The services are as follows:

  • Active Directory Domain Services (AD DS) – the directory itself: the secure, central location where authentication, authorization, security configuration and other directory information for the domain are managed.
  • Active Directory Rights Management Services (AD RMS) – an information-protection service that defines and enforces what a user may do with a document or message (view, edit, print, forward). The policy travels with the information rather than with the place it is stored, and is applied per user as configured.
  • Active Directory Federation Services (AD FS) – for organizations with partners who need access to certain resources. Users from a partner’s directory are authenticated by their own organization and presented to this one through federated claims, so they can reach domain resources without holding an account in this forest.
  • Active Directory Certificate Services (AD CS) – a certification authority that issues and manages X.509 certificates for users, computers and services (smart-card logon, TLS, code signing). It is sometimes likened to a ‘password’ for an account, but the comparison is loose: certificates can be published to the directory for anyone who needs them, while the private key stays with the user or computer that enrolled and is not stored in Active Directory.
  • Active Directory Lightweight Directory Services (AD LDS) – formerly Active Directory Application Mode (ADAM), a standalone LDAP directory for applications that need directory storage without the domain and forest infrastructure, and without replicating their data into AD DS.

A lot of what makes the Active Directory Server tick can’t be explained in just a few pages. Listed instructions and extensive information, as well as Microsoft’s own website, explain the ways by which the Active Directory Server can be installed, as well as its features and other important information.

What can be explained, though, is the fact that with its different services and uses, the Microsoft Active Directory Server is a very useful tool to managers from small businesses to large-scale corporations for the security and organization of their important information.

The concept of Active Directory users was introduced with Windows 2000 and carried through the later Windows Server operating systems.  The Active Directory service defines how users and computers are authenticated and authorized, including how computer accounts are treated and how groups form the boundary within which rights are distributed.  Through it, the operating system integrates the security of users, computers and groups into one subsystem.

Authentication of an Active Directory user is the confirmation of the user’s identity when logging on to a domain; the credentials presented once at logon are then reused to reach network resources.  Authorization, on the other hand, is the separate process that protects resources from unauthorized access after an account has been authenticated.

User Authentication

Single sign-on lets an Active Directory user log on to a domain once, with a password or a smart card, and then reach resources without presenting credentials again.  It is essentially a two-part process, and both parts must succeed for authentication to complete.  The two parts are:

  1. Interactive logon

This part of the single sign-on process confirms the user’s identity against an Active Directory domain account or against the local computer.  At logon the user presents credentials to gain access to the computer; what is checked differs by account type:

  • Domain account – a network user logs on with credentials stored in Active Directory.  A successful logon gives access to resources in the domain and in trusting domains.
  • Local account – the credentials are checked against the Security Accounts Manager (SAM) database on the local computer.  The SAM is the operating system’s local security account database; accounts in it are valid only on that one computer.
  2. Network authentication

The second part of the single sign-on process confirms the user’s identity to each network service the user tries to reach.  The following industry-standard protocols are used at this step:

  • Kerberos V5 authentication – the primary and default network authentication protocol for computers running Windows 2000 or later as domain members.  It works with both passwords and smart cards and gives fast interactive logons in environments that support it.

Kerberos provides mutual authentication: the client proves its identity to the service and the service proves its identity to the client.  The Key Distribution Center on the domain controller issues a ticket-granting ticket at logon and, from it, a ticket for each network service the user accesses.  A service ticket carries the user’s identity and group data encrypted under the service’s key, which is how the service confirms the identity for the requested access.  Tickets already issued remain valid until they expire even if the user changes the password afterwards; the new password is needed only when the next ticket-granting ticket is requested.

  • Windows NT LAN Manager (NTLM) – a challenge/response protocol that authenticates a network user to a domain through a transaction between two computers, with the domain controller verifying the response.  NTLM is used when either the client or the server runs a version of Windows earlier than Windows 2000, when the target is addressed in a way Kerberos cannot use (an IP address rather than a host name), and for computers that are not domain members, such as standalone servers and workgroup workstations.  Its older NTLMv1 variant is cryptographically weak and should be disabled where possible.
  • Secure Sockets Layer/Transport Layer Security (SSL/TLS) – used when a user accesses resources on a secure web server or any other TLS-protected service.  The authentication procedure involves four operations:
  • Handshake and cipher suite negotiation – the client and the server agree on a cipher suite they both support.  The suite specifies the key exchange method, the bulk encryption algorithm that will protect data with a shared secret key, and the Message Authentication Code (MAC) used to sign application data and prove its integrity.
  • Identity authentication – the server proves its identity to the client with a digital certificate.  The client is authenticated only if the application requires it, in which case the server requests a client certificate.  How the certificate is checked is determined by the negotiated cipher suite.
  • Key exchange – once the cipher suite has been chosen, the client and the server exchange key material from which the session keys used for data encryption are derived.
  • Application data exchange – the client and the server then communicate with all application data encrypted under the negotiated bulk cipher and integrity-protected by the MAC.
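The Kerberos and NTLM paths above leave different traces in the Security log, and the practical check for a domain that should be all-Kerberos is to look for NTLM logons against domain accounts. The following is an added example, not from the original page: it classifies logon events (ID 4624) by authentication package and flags NTLM fallbacks and NTLMv1. The events it runs on are constructed samples using the real 4624 field names; the commented lines at the end read the live log instead.

```powershell
# Added example, not part of the original page. Summarises logon events (ID 4624)
# by the network authentication protocol that satisfied them, so NTLM use in a
# domain that should be all Kerberos stands out. The events at the bottom are
# constructed samples; the commented Get-WinEvent lines read the live log instead.

function ConvertFrom-SecurityEvent {
    # Flattens the EventData of a live Security log record into one object
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Get-LogonProtocolSummary {
    param([Parameter(Mandatory)] [object[]] $Events)
    # Logon type codes from event 4624
    $logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '5' = 'Service'; '10' = 'RemoteInteractive' }
    foreach ($e in $Events) {
        $isDomainAccount = $e.TargetDomainName -notin @('NT AUTHORITY', $env:COMPUTERNAME)
        # A domain account authenticated with NTLM means the client could not or
        # did not obtain a Kerberos ticket (target given by IP address, missing SPN,
        # pre-Windows 2000 client); NTLM V1 on top of that is the weakest case.
        $finding = if ($e.AuthenticationPackageName -eq 'NTLM' -and $isDomainAccount) {
            if ($e.LmPackageName -eq 'NTLM V1') { 'NTLMv1 for domain account (weak)' }
            else { 'NTLM fallback for domain account' }
        } else { 'expected' }
        [pscustomobject]@{
            Account   = "$($e.TargetDomainName)\$($e.TargetUserName)"
            LogonType = $logonTypes[[string]$e.LogonType]
            Package   = $e.AuthenticationPackageName
            Source    = $e.IpAddress
            Finding   = $finding
        }
    }
}

# Constructed sample events using the 4624 field names (not captured from a real log)
$samples = @(
    [pscustomobject]@{ TargetDomainName='CORP'; TargetUserName='jdoe'; LogonType='2';
                       AuthenticationPackageName='Kerberos'; LmPackageName='-'; IpAddress='10.0.0.25' }
    [pscustomobject]@{ TargetDomainName='CORP'; TargetUserName='svc-backup'; LogonType='3';
                       AuthenticationPackageName='NTLM'; LmPackageName='NTLM V2'; IpAddress='10.0.0.40' }
    [pscustomobject]@{ TargetDomainName='CORP'; TargetUserName='adm-jdoe'; LogonType='3';
                       AuthenticationPackageName='NTLM'; LmPackageName='NTLM V1'; IpAddress='10.0.0.77' }
    [pscustomobject]@{ TargetDomainName='NT AUTHORITY'; TargetUserName='SYSTEM'; LogonType='5';
                       AuthenticationPackageName='Negotiate'; LmPackageName='-'; IpAddress='-' }
)
Get-LogonProtocolSummary -Events $samples | Format-Table -AutoSize

# Live log, last 24 hours (run elevated on the DC or member server under review):
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1) } |
#         ForEach-Object { ConvertFrom-SecurityEvent $_ }
# Get-LogonProtocolSummary -Events $live | Format-Table -AutoSize
```

On the constructed input, jdoe (Kerberos) and SYSTEM are reported as expected, svc-backup as an NTLM fallback and adm-jdoe as NTLMv1. The Source column is what you follow up on: an NTLM logon for a domain account from a host that should speak Kerberos usually means a share or service was addressed by IP address or lacks a service principal name.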

User Authorization

Once the identity of a user who wants to reach network resources has been confirmed, protection mechanisms prevent that user from accessing resources that are not appropriate for the account.  These mechanisms follow the account’s security identifier (SID) rather than its name, which is why renaming a user account does not change what it can access.

In Active Directory, controlling access to protected objects and resources is known as user authorization.  Seen from the protected object, the same process is called object-based access control.

When an authenticated user tries to access an object, the type of access the operating system grants depends on the rights assigned to the account and on the access control permissions set on the object.

User Rights

User rights are part of authorization for Active Directory users: they let an administrator or help desk assign specific abilities to an account, whether a group or an individual user.  In practice rights are assigned to groups, through the User Rights Assignment settings of Group Policy, rather than to individual users.  Active Directory recognizes two kinds of user rights:

  1. Privileges – abilities that can override the permissions set on objects.  The privilege to back up files and directories, for example, lets the holder read files regardless of their ACLs.
  2. Logon rights – rights that govern how an account may log on to a computer: locally, over the network, as a service or batch job, or through Remote Desktop, together with the corresponding deny rights.

It is essential to understand that in Active Directory user rights are not synonymous with permissions: user rights are attached to accounts (users or groups), whereas permissions are attached to objects.  User rights can be assigned to individual user accounts, but to simplify administration they are best assigned to groups.

Assigning a set of rights once to a group is easier than assigning the same set to the individual accounts of many users, and removing a user’s rights then means removing the user from the group.

Active Directory plays an important role in network administration: it manages users, computers and groups.  For the system to be secure, the directory service must ensure that only authenticated users and computers gain access to network resources, and only the access they have been granted.

Active Directory lets Windows administrators perform administrative and management tasks over the users and computers in a directory. Windows Server editions also integrate security for users, computers and groups. Combined with the flexibility and organizational features of the directory, administrators can arrange users, computers and groups and apply authentication and authorization to them.

Administrators must ensure that only authenticated groups, computers and users can log on to the network. Active Directory offers many features for this, including the organizational tools above and the Windows security subsystem, which is fully integrated with the directory.

User Authentication

User authentication confirms the identity of a user who attempts to log on to a domain in order to reach its resources. Windows Server lets a user log on to a domain once, with a password or a smart card; this is single sign-on, and it gives users and administrators quicker and more efficient access to network resources.

The authentication process involves two steps: The interactive log on and network authentication.

  • Interactive logon – checks the user’s identity against an Active Directory domain account or a local computer account.
  • The domain account lets a user log on to the network with a password or smart card and reach resources in the domain and in trusting domains.
  • A local account is valid only on the computer that holds it; any Windows computer that is not a domain controller can store local user accounts.
  • Network authentication – Windows uses two protocols to confirm a user’s identity to services on the network:
  • Kerberos V5 authentication – the default and primary protocol in all Windows 2000 and later domains. It verifies the identity of users and of the network services that run in the directory.
  • Windows NT LAN Manager (NTLM) authentication – also used to verify identities. Windows falls back to it when one of the two computers runs Windows NT 4.0 or earlier, is not a domain member, or cannot be addressed by a name Kerberos can use.

Users and computers also need to be authorized on top of being authenticated, because sensitive resources must be protected from users who are authenticated but not entitled to them. Active Directory layers authorization on top of authentication by assigning user rights and access control permissions.

  • User rights – administrators can assign specific rights to accounts that can log on to the directory. Rights are assigned to groups rather than individual users in most cases, and come in two types:
  • Privileges – set what an account may do on a system regardless of object permissions, such as backing up files and directories or shutting down the system.
  • Logon rights – set how an account may log on: locally at the console, over the network, as a service, or through Remote Desktop.

Access control permissions can also be attached to objects within an active directory. Permissions can be granted or denied for objects based on the following aspects:

  • Groups, users and special identities contained in a domain.
  • Groups and users within a domain, as well as within any trusted domains.
  • Local groups and users contained on the same computer as the residing object.
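Both passages on user rights and permissions above make the same point: a permission on an object can be as powerful as a right if it lets the holder take control of the object. The following added example (not from the original page) inspects object-based access control the way a practitioner does, by reading the ACL of each organizational unit through the AD: drive of the ActiveDirectory module and reporting explicit, non-inherited grants of take-over rights to principals other than the expected administrative ones. CORP and the expected-principal names are placeholders.

```powershell
# Added example, not part of the original page. Lists the explicit (non-inherited)
# permissions on Active Directory containers and flags the rights that let a
# principal take over the object or everything beneath it. Assumes the
# ActiveDirectory module (it provides the AD: drive); the CORP group names in
# $Expected are placeholders for the domain under review.
Import-Module ActiveDirectory

function Get-DangerousAdAces {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Principals whose full control is expected and therefore not reported
        [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                 'CORP\Domain Admins', 'CORP\Enterprise Admins')
    )
    # Rights that equal ownership in practice
    $dangerous = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite', 'WriteProperty'
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -in $Expected) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = $rights | Where-Object { $_ -in $dangerous }
        if ($hit) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $who
                Rights    = ($hit -join ',')
                # An empty ObjectType GUID means the right covers the whole object;
                # otherwise it is limited to one attribute, property set or child class
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'whole object' }
                            else { "attribute/class $($ace.ObjectType)" }
                AppliesTo = $ace.InheritanceType
            }
        }
    }
}

# Run over every OU in the domain. Anything reported is a permission held by a
# non-administrative principal that is effectively a user right over that subtree.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-DangerousAdAces -DistinguishedName $_.DistinguishedName } |
    Format-Table -AutoSize
```

A WriteProperty entry whose Scope names a single attribute GUID may be a legitimate delegation (for example, resetting passwords); one whose Scope is the whole object, or a GenericAll or WriteDacl entry, should be traceable to a documented delegation or removed.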

Kinds of Objects

Each kind of object on an Active Directory, or computer in general, is controlled by a corresponding object manager, and managed using a specific kind of tool. Here is a list of objects contained on an Active Directory, along with the corresponding managers and tools:

  • Active Directory objects – the object manager is Active Directory itself; they are modified with Active Directory Users and Computers.
  • Files and folders – managed by the NTFS file system and administered with Windows Explorer.
  • Shares – the Server service is the object manager; Windows Explorer manages them too.
  • Printers – the print spooler is the object manager; the management tool is in the Windows Control Panel.
  • Services – the service controller manages the network and computer services of a Windows system; the Security Templates and Security Configuration and Analysis snap-ins are the tools.
  • Registry keys – the registry itself is the object manager; the registry editor (regedt32 on Windows NT and 2000, regedit on later versions) is the tool.

Objects that are not Active Directory objects, such as print queues, can also appear in the directory if they are published there. Users with sufficient permission on the published object can find it in the directory.

With full integration alongside the Windows security sub-system, the Active Directory provides an easy, intuitive and safe way for administrators and users to access a network. Many kinds of directory objects also allow for added flexibility and use within larger corporate settings. All users and computers within an Active Directory will be able to feel the benefits, so long as the administrator is competent enough to manage the entire network in question.

Active Directory Rights Management Services (AD RMS) is a technology that protects sensitive information. It works with AD RMS-enabled applications to protect users’ digital information from unauthorized use, online and offline, inside or outside the firewall.

AD RMS is designed for organizations that need strong protection of proprietary and sensitive information such as confidential correspondence, financial reports, customer data and product specifications. It protects data by applying usage conditions and rights, known as persistent usage policies, that stay with the information even when it is moved.

AD RMS safeguards binary data persistently by binding the usage policy to the data rather than to the network location. The policy is enforced after an authorized user or recipient has opened the data, whether online or offline and inside or outside the organization.

Features of the Active Directory Rights Management Services

Using Server Manager, you can install the following AD RMS components.

  • The Active Directory Rights Management Services Role Service

This role service is required; it installs the AD RMS components used to publish and consume content protected by usage rights.

  • Identity Federation Support Role Service

This role service is optional. It enables federated identities, established through Active Directory Federation Services, to consume content protected by usage rights.

  • Microsoft Federation Gateway Support Identity Service

This identity service runs across the Internet and acts as a broker between an organization and external services. It connects users and identities to the services they use, so that an organization maintains a single identity-federation relationship in order to give its identities access to Microsoft and Microsoft-based services.

AD RMS runs on a computer running Windows Server 2008 or later. The other services it requires are installed along with the AD RMS server role. It also needs a database, which can run on the same server as AD RMS or remotely on another server, and an AD DS forest.

Active Directory Rights Management Services System

An AD RMS system is the combination of an AD RMS client, a database server, and a Windows Server 2008 R2 server running the AD RMS server role, which handles licensing and certificates. At the time of writing, the most recent AD RMS client is a component of the Windows Vista and Windows 7 operating systems.

Organizations will be able to take advantage from the following benefits once they implement the Active Directory Rights Management Services.

  • Protection of critical information – common business applications such as email clients and word processors can be AD RMS-enabled. Users can then define explicitly which other users may open, edit, forward, print or otherwise act on shared information, and can create custom usage-rights templates such as ‘read-only’ or ‘confidential’ to apply to specific information.
  • Persistent protection of vital data – AD RMS complements perimeter-based controls such as firewalls and access control lists (ACLs). Because the usage policy is locked inside the data file itself, use of the information stays controlled even after a recipient has opened it.
  • Flexible technology – developers and independent software vendors (ISVs) can AD RMS-enable servers and applications, including portal servers and content management systems on Windows and other operating systems, so that they work with AD RMS to protect critical information.

ISVs and developers are allowed to incorporate protection policies into solutions that are server-based like management of records and documents, inspection of content, automated workflows, archival systems, and email gateways.

AD RMS also gives developers industry-standard security technologies such as authentication, encryption and certificates, to help organizations build robust and consistent protection, and a software development kit (SDK) for custom protection solutions.

Considerations before Installing Active Directory Rights Management Services

  • AD RMS with Windows Internal Database should be used only in a test environment: Windows Internal Database does not accept remote connections, so a second server could never be added to the AD RMS cluster.
  • Self-signed certificates should be used only in test environments. For pilot and production environments Microsoft recommends an SSL certificate from a trusted certification authority.
  • ‘localhost’ is not supported as the cluster URL (Uniform Resource Locator) when installing AD RMS.
  • If a service connection point (SCP) already exists in the AD forest you are installing AD RMS into, check that the SCP’s cluster URL matches the new installation’s cluster URL. If it does not, do not register the SCP during installation.
  • When joining a new server to an existing cluster, the new server must have its SSL certificate installed before AD RMS is installed.
  • When specifying the AD RMS service account during installation, make sure no smart card is attached to the system; if one is, the installer reports that you do not have access to query AD DS.
  • Windows Rights Management Services (RMS) Client version 1 is not supported on Windows Server 2008 R2.
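The list above is a pre-installation checklist, and most of it can be verified before the installer is started. The following added example (not from the original page) checks the cluster URL against the localhost and https rules, looks for an existing SCP in the forest and compares its registered URL, and confirms that a certificate for the cluster host is already in the machine store. The cluster URL rms.corp.example is a placeholder; the SCP is looked up under the RightsManagementServices container of the configuration partition, which is where AD RMS publishes it.

```powershell
# Added example, not part of the original page. Pre-installation checks for the
# AD RMS considerations above. The cluster URL is a placeholder; the SCP is searched
# for under CN=RightsManagementServices,CN=Services in the configuration partition,
# where AD RMS publishes it, with the cluster URL held in serviceBindingInformation.
Import-Module ActiveDirectory

function Test-AdRmsPreflight {
    param([Parameter(Mandatory)] [uri] $ClusterUrl)
    $issues = @()

    if ($ClusterUrl.Host -in @('localhost', '127.0.0.1')) {
        $issues += 'cluster URL uses localhost, which the installer does not accept'
    }
    if ($ClusterUrl.Scheme -ne 'https') {
        $issues += 'cluster URL is not https; acceptable only in a test environment'
    }

    # Existing service connection point with a different cluster URL: do not register
    # the SCP during this installation
    $config = (Get-ADRootDSE).configurationNamingContext
    $scp = Get-ADObject -SearchBase "CN=Services,$config" `
               -LDAPFilter '(objectClass=serviceConnectionPoint)' `
               -Properties serviceBindingInformation |
           Where-Object { $_.DistinguishedName -like '*CN=RightsManagementServices,*' }
    if ($scp) {
        $registered = [string]$scp.serviceBindingInformation
        if ($registered.TrimEnd('/') -ne $ClusterUrl.AbsoluteUri.TrimEnd('/')) {
            $issues += "SCP already registered with $registered; do not register the SCP during this install"
        }
    }

    # A certificate for the cluster host must be present before installing on a server
    # that joins an existing cluster; a self-signed one is for test environments only
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "*CN=$($ClusterUrl.Host)*" -or
                           $_.DnsNameList.Unicode -contains $ClusterUrl.Host }
    if (-not $cert) {
        $issues += "no certificate for $($ClusterUrl.Host) in the machine store"
    } elseif ($cert | Where-Object { $_.Issuer -eq $_.Subject }) {
        $issues += 'certificate for the cluster host is self-signed; test environments only'
    }

    if ($issues.Count -eq 0) { 'ready' } else { $issues }
}

Test-AdRmsPreflight -ClusterUrl 'https://rms.corp.example/'
```

Run it on the server about to receive the AD RMS role, as a user who can read the configuration partition. The smart-card and Windows Internal Database items cannot be checked this way and remain manual.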

 

The browser service (this page calls it the Active Directory Browser; Windows names it the Computer Browser service) is part of the network-aware Microsoft Windows operating systems.  It works together with NetBIOS (network basic input/output system) name resolution, predates Active Directory, and exists mainly for backward compatibility with client computers running earlier Windows versions.

Its primary function is to provide a list of the computers sharing resources in a client’s domain, together with the names of the other domains and workgroups that exist across the wide area network (WAN).  Clients view that list through Network Neighborhood or the NET VIEW command.  Here are some of the common questions about this service.

  1. What is the master browser?

The browser service maintains a list of the domain and workgroup names reachable from the computer, along with the protocol used by each computer on the network segment served by the computer where the browser runs.  A master browser is elected for each group of computers on a segment where the service is running.

In any given network segment only one master browser exists.  In a domain the PDC is the domain master browser and the other domain controllers act as backup browsers; in addition one backup browser is assigned for every 32 computers on a segment.  If no domain controller is present on the segment, an election picks the master browser and backup browsers, with the following priorities (highest first):

  • Windows 2000 Server
  • Windows 2000 Professional
  • Microsoft Windows NT 4.0 Server Enterprise Edition
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows 98
  • Microsoft Windows 95
  • Microsoft Windows for Workgroups 3.11
  2. What is the role of the domain master browser?

Because the browser service is bounded by broadcast segments and each master browser maintains its own separate list, something must merge those lists into one domain-wide list.  The domain master browser does this for the domain.  It is needed only with TCP/IP, because on TCP/IP networks broadcasts do not cross routers.

Every 12 minutes the PDC contacts the primary Windows Internet Name Service (WINS) server to retrieve all Domain<1B> names registered there, and merges them with the domain and workgroup names it has learned from the announcement datagrams that master browsers send across the WAN.  From these it builds the full list of domain and workgroup names; names learned from workgroup announcements take precedence over those obtained from WINS.

The domain and workgroup entries also include the name of the server that registered each one in the browse list.  When a WINS server is unavailable, or a name is not registered, the client’s browser requests the list of servers from the computer that registered the name; because the browser performs this extra request on the client’s behalf, the operation is known as a double hop.

  3. What are the registration and propagation times?

The browser service relies mostly on server broadcasts, which are connectionless and therefore considered unreliable.  When a server starts it immediately sends a burst of host announcement frames, repeats them after 4 and 8 minutes, and then announces every 12 minutes.

Even with a few datagram frames lost, the master browser of the segment can reasonably be expected to add a computer’s name to the browse list within 12 minutes.  From that point on connection-oriented traffic takes over and the sequence becomes more deterministic.

Within the next 12-minute window the master browser of the segment connects to the PDC to get the domain-wide list, and at the same time the backup browsers connect to the master browser to retrieve the new server.

  4. How long does it take for a computer to be removed from the browse list?

Removing a computer from the browse list takes substantially longer, to allow for lost datagram frames.  In general the master browser does not remove a server from its list until three announcement periods have passed without an announcement, so a server that is not shut down cleanly, or that loses network connectivity, can stay in the master browser’s list for up to 36 minutes.

When that time expires, the PDC is notified to remove the server’s name, and the removal follows the same flow as registration: within 12 minutes the master browser of each remote segment obtains the domain-wide list from the PDC, and within another 12 minutes each backup browser connects to its master browser, so the whole process can take up to 72 minutes.

  5. What are the requirements for name resolution?

Name resolution across the domain is critical to the distributed browsing model.  Any computer on the WAN can become a master browser and must therefore be able to resolve the PDC’s Domain<1B> name.  Once a potential master browser receives a positive response to the PDC query, it must equally be able to resolve the names of the computers it will connect to.

The PDC listens on UDP port 138 (the NetBIOS datagram service) for directed announcements from master browsers in order to maintain its list.  An announcement triggers the PDC to resolve the master browser’s computer name and request the browse list that the master maintains.  The browse list is then presented to the client computer, which resolves the NetBIOS name of an entry in the list before it can view that computer’s shared resources.

In the Windows NT domain structure the primary domain controller (PDC) is always the domain master browser; only the PDC can hold that role.
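Everything above runs over unauthenticated NetBIOS broadcasts, and the election can be won by any host on the segment that claims a higher priority, so on a current network the practical question is which hosts still run the service and still have NetBIOS over TCP/IP enabled. The following added example (not from the original page) inventories that over CIM and, as a second function, turns both off on a host once the browse list is confirmed unused. The computer names passed at the end are placeholders.

```powershell
# Added example, not part of the original page. Reports whether the Computer
# Browser service (service name "Browser") and NetBIOS over TCP/IP are still
# enabled on a host, and disables both on demand. Computer names at the bottom
# are placeholders; remote calls need WinRM/CIM access to the target.

function Get-BrowserExposure {
    param([string] $ComputerName = $env:COMPUTERNAME)
    $cimArgs = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimArgs['ComputerName'] = $ComputerName }
    # Absent on current Windows releases, where the list is no longer maintained
    $svc  = Get-CimInstance Win32_Service -Filter "Name='Browser'" @cimArgs
    # TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' @cimArgs
    [pscustomobject]@{
        Computer         = $ComputerName
        BrowserService   = if ($svc) { "$($svc.State) ($($svc.StartMode))" } else { 'not installed' }
        NetbiosEnabledOn = ($nics | Where-Object TcpipNetbiosOptions -ne 2 |
                            ForEach-Object Description) -join '; '
    }
}

function Disable-BrowserExposure {
    # Stops election and announcement traffic from this host: disable the service
    # and set NetBIOS over TCP/IP off on every IP-enabled adapter (SetTcpipNetbios 2)
    $svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
    if ($svc) { Stop-Service $svc; Set-Service $svc -StartupType Disabled }
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
}

'dc01', 'fs01', 'ws-0042' | ForEach-Object { Get-BrowserExposure -ComputerName $_ } |
    Format-Table -AutoSize
# Disable-BrowserExposure   # run locally, elevated, on each host once the list is unused
```

Disabling NetBIOS over TCP/IP also removes the WINS and <1B> name registrations the section describes, so check that nothing still depends on NetBIOS name resolution (old applications that address servers by bare NetBIOS name) before applying the second function widely.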

System administrators have several ways of querying Active Directory, normally as part of managing resources held in the directory service of Windows.  The Active Directory Services Interface (ADSI) provided by the operating system supplies providers for:

  • Internet Information Services (IIS)
  • Lightweight Directory Access Protocol (LDAP)
  • Novell Netware Directory Service (NDS)
  • Windows NT technology

Querying Active Directory can return many kinds of results, the most common being the computers, printers, and users residing in the same domain as the user's machine.  An Active Directory query retrieves directory objects that match a set of rules.  Some of the ways a query can be expressed are described below.

Using Bitwise Flags

Some attributes of Active Directory objects are made up of bitwise flags, so an Active Directory query can test them with a bitwise operator.  Such a query returns only the objects in which the specified bits are set.  The LDAP (Lightweight Directory Access Protocol) matching rule controls are the main operators in this process.

The query must follow a particular syntax to retrieve the desired result.  The attribute name must be given as the LDAPDisplayName of the attribute, the matching rule must be identified by its object identifier (OID), and the value to compare against must be written in decimal notation, which sometimes requires converting a hexadecimal flag value to decimal.

There are two possible values for the ruleOID, and the choice matters when constructing the query:

  • 1.2.840.113556.1.4.803 – the LDAP matching rule for bitwise AND: the filter is true only if every bit set in the value is also set in the attribute.
  • 1.2.840.113556.1.4.804 – the LDAP matching rule for bitwise OR: the filter is true if any bit set in the value is set in the attribute.
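As an added example (not code from the original article), the following Python builds filters with the two bitwise matching rules described above, converts the hexadecimal flag values to the decimal form the filter requires, and checks the AND/OR semantics locally against a constructed set of userAccountControl values. The flag constants are the documented userAccountControl bits; the account names and values are sample data constructed for the example. The audit filter it assembles (enabled accounts whose password never expires or is not required) is the kind of hygiene query a defender runs.

```python
# Added example (not from the page): build LDAP filters that use the two bitwise
# matching rules and check their semantics locally. userAccountControl flag
# values are the documented bits; the account list is constructed sample data.
from typing import List, Tuple

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Documented userAccountControl bits, written in hex as reference material lists them
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def bitwise_filter(attribute: str, rule_oid: str, mask: int) -> str:
    """Return the extensible-match filter (attribute:ruleOID:=value). The value
    must be decimal, so the hex flags above are converted by formatting the int."""
    if rule_oid not in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
        raise ValueError(f"unknown matching rule {rule_oid}")
    if mask <= 0:
        raise ValueError("mask must be a positive integer")
    return f"({attribute}:{rule_oid}:={mask})"


def bitwise_match(value: int, rule_oid: str, mask: int) -> bool:
    """Local model of how the server evaluates the two rules."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (value & mask) == mask      # true only if every bit of mask is set
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (value & mask) != 0         # true if any bit of mask is set
    raise ValueError(f"unknown matching rule {rule_oid}")


def and_filter(*parts: str) -> str:
    return "(&" + "".join(parts) + ")"


def not_filter(part: str) -> str:
    return f"(!{part})"


# Constructed sample accounts: (sAMAccountName, userAccountControl)
ACCOUNTS: List[Tuple[str, int]] = [
    ("alice", NORMAL_ACCOUNT),                                           # 512
    ("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE),                            # 514
    ("svc-backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),               # 66048
    ("kiosk", NORMAL_ACCOUNT | PASSWD_NOTREQD),                          # 544
    ("old-svc", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD), # 66050
]


def accounts_matching(rule_oid: str, mask: int, accounts=ACCOUNTS) -> List[str]:
    """Names of the sample accounts a single bitwise test would select."""
    return [name for name, uac in accounts if bitwise_match(uac, rule_oid, mask)]


def weak_password_audit(accounts=ACCOUNTS) -> Tuple[str, List[str]]:
    """Filter for enabled user accounts whose password never expires or is not
    required, plus the names the same test selects from the sample data."""
    weak_bits = PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD     # 0x10020 = 65568 decimal
    disabled = bitwise_filter("userAccountControl", LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)
    weak = bitwise_filter("userAccountControl", LDAP_MATCHING_RULE_BIT_OR, weak_bits)
    ldap_filter = and_filter("(objectCategory=person)", "(objectClass=user)",
                             not_filter(disabled), weak)
    names = [name for name, uac in accounts
             if not bitwise_match(uac, LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)
             and bitwise_match(uac, LDAP_MATCHING_RULE_BIT_OR, weak_bits)]
    return ldap_filter, names


if __name__ == "__main__":
    mask = ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD
    print("AND rule (both bits set):", accounts_matching(LDAP_MATCHING_RULE_BIT_AND, mask))
    print("OR rule (either bit set):", accounts_matching(LDAP_MATCHING_RULE_BIT_OR, mask))
    ldap_filter, names = weak_password_audit()
    print(ldap_filter)
    print("weak password settings on enabled accounts:", names)
```

The same mask gives different results under the two rules: with ACCOUNTDISABLE and DONT_EXPIRE_PASSWORD combined, the AND rule selects only the account carrying both bits, while the OR rule selects every account carrying either.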

Structured Query Language

Within SQL Server, one of the most common ways to query Active Directory is to use the ADSI provider as a linked server, or SQL CLR code that queries the directory directly.  This approach has proven useful and effective, but it is limited, especially when the Active Directory contains many users.

Following the best-practice recommendations of Microsoft Windows system engineers, Active Directory is configured to return at most 1,000 rows for any single query.  Range keywords are normally used to work around this limit, but they require a deeper understanding of the Active Directory service.
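An added example (not the article's own code) of the range keyword in action. Active Directory applies range specifiers to multi-valued attributes: when an attribute such as a group's member list holds more values than the server's per-attribute limit, a plain read returns only the first slice and names it in the response attribute (for example member;range=0-1499), and the client must ask for the following slices until the server answers with an open-ended upper bound. The model below plays both sides offline; the group DN, the member DNs and the 1500-value cap are constructed for the example (1500 is the documented default, but the value is a parameter here). The row cap on query results mentioned above is a separate limit; rows beyond it are fetched with paged searches, which most LDAP client libraries handle for you.

```python
# Added example (not from the page): ranged retrieval of a multi-valued
# attribute, with a constructed directory standing in for the domain controller.
import re
from typing import Dict, List, Optional, Tuple

# Constructed cap on values of one multi-valued attribute per response
MAX_VAL_RANGE = 1500

GROUP_DN = "CN=All Staff,OU=Groups,DC=example,DC=test"
# Constructed directory: one group whose member list exceeds the cap
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    GROUP_DN: {"member": [f"CN=user{i:05d},OU=People,DC=example,DC=test" for i in range(3700)]},
}

RANGE_RE = re.compile(r"^(?P<attr>[^;]+)(?:;range=(?P<low>\d+)-(?P<high>\d+|\*))?$")


def range_spec(attr: str, low: int, high: Optional[int] = None) -> str:
    """Build the attribute specifier a client sends, e.g. member;range=1500-*."""
    return f"{attr};range={low}-{'*' if high is None else high}"


def parse_range_spec(spec: str) -> Tuple[str, int, Optional[int]]:
    """Split 'attr;range=low-high' into (attr, low, high); high None means '*'.
    A plain attribute name parses as range 0-*."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"malformed range specifier: {spec!r}")
    low = int(m["low"]) if m["low"] is not None else 0
    high = None if m["high"] in (None, "*") else int(m["high"])
    return m["attr"], low, high


def server_read(dn: str, spec: str) -> Dict[str, List[str]]:
    """Model of the domain controller's side: return at most MAX_VAL_RANGE values
    and name the slice actually returned in the response attribute. An upper
    bound of '*' in the response means the slice reached the end of the list."""
    attr, low, high = parse_range_spec(spec)
    values = DIRECTORY[dn][attr]
    last_index = len(values) - 1
    wanted_high = last_index if high is None else min(high, last_index)
    served_high = min(wanted_high, low + MAX_VAL_RANGE - 1)
    chunk = values[low:served_high + 1]
    complete = served_high >= last_index
    return {range_spec(attr, low, None if complete else served_high): chunk}


def read_all_values(dn: str, attr: str) -> Tuple[List[str], int]:
    """Client side: keep asking for 'attr;range=<next>-*' until the server's
    response range is open-ended. Returns (all values, number of requests)."""
    collected: List[str] = []
    low, requests = 0, 0
    while True:
        response = server_read(dn, range_spec(attr, low))
        requests += 1
        (key, chunk), = response.items()
        _, got_low, got_high = parse_range_spec(key)
        if got_low != low:
            raise RuntimeError(f"server answered range starting at {got_low}, expected {low}")
        collected.extend(chunk)
        if got_high is None:          # '*' upper bound: nothing left to fetch
            return collected, requests
        low = got_high + 1


if __name__ == "__main__":
    naive = server_read(GROUP_DN, "member")
    print("plain read returned:", {k: len(v) for k, v in naive.items()})
    members, n = read_all_values(GROUP_DN, "member")
    print(f"ranged retrieval collected {len(members)} members in {n} requests")
```

The point to notice is the plain read: it does not fail, it silently returns only the first slice under a renamed attribute, which is how incomplete group membership reports come about when code compares attribute names literally.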

To use this Active Directory query solution effectively, it is important to learn how to register assemblies in SQL Server with the UNSAFE permission set together with the WITHOUT setting.  The database property TRUSTWORTHY ON should also be observed in line with the best-practice security guidelines, so that security checks are performed on the basis of certificate permissions.

Equally, the system administrator should create simple CLR procedures to query Active Directory; this keeps it consistent with other SQL data sources and avoids creating linked server instances.

C# Programming Language

There are a number of ways to query Active Directory from the C# programming language.  One of the most common is to use ADSI via COM Interop: in the project's Add References dialog, select the COM tab and pick the Active Directory Service Type Library from the predefined list.

A using ActiveDs statement should be included at the top of the file, or fully qualified class names used, to give access to the ADSI functions.  Another option is the Active Directory Services OLE DB Provider (ADsDSOObject), which is most effective in combination with Active Directory configured as a linked server in a SQL Server environment.

It is likewise possible to use the .NET System.DirectoryServices namespace and its classes.  To access them, add a reference to System.DirectoryServices.dll.  When building filters, remember to use the objectCategory attribute instead of objectClass whenever possible.

The objectClass attribute is multi-valued, which can cause problems during retrieval.  objectCategory, on the other hand, is an indexed attribute of Active Directory, so filtering on it speeds up the query.  This is vital for large queries, which may otherwise time out.

When a query times out, the returned list may be incomplete.  Remember that the query cannot set ServerTimeLimit higher than the 120-second default value.  It may therefore be necessary to narrow the filter string incrementally, issuing several queries and combining the results afterwards.
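An added example (not from the article) that models two of the practices above offline in Python: why a filter on the multi-valued objectClass over-matches while objectCategory narrows the result to users, and how to narrow a filter incrementally when the server caps the rows a single query returns, merging the partial results by objectGUID. The in-memory directory, the 1,000-row cap, the deterministic GUIDs and the simplified handling of objectCategory are all constructed for the example; a real search goes through an LDAP client, but the partitioning logic is the same.

```python
# Added example (not from the page): an offline model of filtering on
# objectCategory vs objectClass, and of splitting a size-capped query into
# narrower filters whose results are merged by objectGUID.
import uuid
from typing import Callable, Dict, List, Optional, Tuple

SIZE_LIMIT = 1000   # per-query row cap from the text, modelled as a hard cut-off
CATEGORY_PERSON = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=test"
CATEGORY_COMPUTER = "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=test"
Predicate = Callable[[dict], bool]


def make_object(kind: str, i: int) -> dict:
    """Constructed entry. objectClass lists the whole inheritance chain, so a
    computer (a subclass of user) also carries objectClass=user; objectCategory
    holds exactly one value."""
    chain = ["top", "person", "organizationalPerson"]
    if kind == "user":
        obj = {"objectClass": chain + ["user"], "objectCategory": CATEGORY_PERSON,
               "sAMAccountName": f"user{i:04d}"}
    elif kind == "computer":
        obj = {"objectClass": chain + ["user", "computer"], "objectCategory": CATEGORY_COMPUTER,
               "sAMAccountName": f"pc{i:04d}$"}
    else:
        obj = {"objectClass": chain + ["contact"], "objectCategory": CATEGORY_PERSON,
               "cn": f"contact{i:04d}"}
    name = obj.get("sAMAccountName", obj.get("cn"))
    obj["objectGUID"] = str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{name}.example.test"))  # deterministic
    return obj


DIRECTORY: List[dict] = ([make_object("user", i) for i in range(1200)]
                         + [make_object("computer", i) for i in range(300)]
                         + [make_object("contact", i) for i in range(50)])


def eq(attr: str, value: str) -> Predicate:
    """LDAP equality: a multi-valued attribute matches if any of its values is equal."""
    def pred(obj: dict) -> bool:
        v = obj.get(attr)
        return value in v if isinstance(v, list) else v == value
    return pred


def category(name: str) -> Predicate:
    """(objectCategory=person) is shorthand for the class's schema DN; modelled
    here by comparing the first RDN of the stored DN (a simplification)."""
    return lambda obj: obj.get("objectCategory", "").split(",")[0].lower() == f"cn={name}".lower()


def starts_with(attr: str, prefix: str) -> Predicate:
    return lambda obj: isinstance(obj.get(attr), str) and obj[attr].startswith(prefix)


def and_(*preds: Predicate) -> Predicate:
    return lambda obj: all(p(obj) for p in preds)


def search(pred: Predicate, directory: List[dict] = DIRECTORY) -> Tuple[List[dict], bool]:
    """Size-limited query: at most SIZE_LIMIT rows, plus whether that was all of them."""
    hits = [obj for obj in directory if pred(obj)]
    return hits[:SIZE_LIMIT], len(hits) <= SIZE_LIMIT


USER_FILTER = and_(category("person"), eq("objectClass", "user"))   # users, not computers


def fetch_all(pred: Predicate, attr: str, prefix: str = "",
              alphabet: str = "0123456789abcdefghijklmnopqrstuvwxyz",
              stats: Optional[Dict[str, int]] = None) -> Tuple[Dict[str, dict], int]:
    """Run the query; if the server truncated it, re-run with the filter narrowed
    by one more prefix character per branch and merge the pieces by objectGUID.
    Returns ({objectGUID: object}, number of queries issued)."""
    stats = {"queries": 0} if stats is None else stats
    hits, complete = search(and_(pred, starts_with(attr, prefix)))
    stats["queries"] += 1
    merged: Dict[str, dict] = {}
    if complete:
        merged.update((obj["objectGUID"], obj) for obj in hits)
    else:
        # Only lowercase ASCII prefixes are tried: names that differ solely in
        # characters outside the alphabet would share a branch and be missed.
        for ch in alphabet:
            merged.update(fetch_all(pred, attr, prefix + ch, alphabet, stats)[0])
    return merged, stats["queries"]


if __name__ == "__main__":
    rows, complete = search(eq("objectClass", "user"))
    print(f"(objectClass=user): {len(rows)} rows, complete={complete}")   # computers included, truncated
    users, queries = fetch_all(USER_FILTER, "sAMAccountName")
    print(f"users only via partitioning: {len(users)} objects in {queries} queries")
```

Merging by objectGUID rather than by name is deliberate: partitions built from a prefix do not overlap here, but a partitioning scheme that can (for example by date ranges on a timestamp attribute) would otherwise double-count, and objectGUID is the one identifier that stays stable across renames.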

Sometimes it is necessary to determine which properties the retrieved objects carry.  In C# this is done with the PropertyNamesOnly and PropertiesToLoad members of DirectorySearcher.  When PropertyNamesOnly is set to true, the query returns only the names of the properties that have a value set.  PropertiesToLoad reduces fetch time by restricting which properties are retrieved; its default is an empty StringCollection, which retrieves all properties.

These are just some of the ways to query the Active Directory service.  For the majority of Active Directory query procedures, a certain degree of technical skill is required.

System administrators and other computer users can derive many benefits from an Active Directory Viewer, provided that they have the proper authorization to run such utilities.

One of the goals of these utilities is to help keep directory data consistent so as to maintain optimum levels of service. This goes a long way toward maximizing uptime for servers and network connections, which is essential to the operation of businesses and organizations.

Monitoring the Active Directory protocol and its associated services becomes necessary to track the indicators that allow system administrators to avert operational risks before they turn into large-scale problems.

The majority of organizations and businesses that maintain multiple domains and remote sites implement automated monitoring of their Active Directory service for timely resolution and consolidation of issues. Other benefits delivered by Active Directory Viewer tools include the following.

Editing

Some of these utilities allow not only viewing of the directory but editing as well. They give the system administrator the critical ability to navigate the Active Directory database easily by defining favorite locations, attributes, and object properties, without having to open dialog boxes. They also allow quick editing of permissions, viewing of the object schema, and execution of sophisticated searches that can be saved for re-execution.

Snapshots Flexibility

A system administrator also gains the ability to save snapshots of the Active Directory database for offline viewing and comparison. The Active Directory Viewer lets you navigate and explore a snapshot as if it were live, and comparing two snapshots shows which attributes, objects, and security permissions have changed over time.

Better Monitoring Results

Other monitoring systems that view the Active Directory service provide centralized control over the whole forest and monitor specific vital indicators of system performance. Using an Active Directory Viewer can deliver key monitoring results in terms of:

  • Faster resolution of network and performance issues regardless of priority
  • Better levels of service due to the improved reliability of the system
  • Improved and maximized scheduling flexibility
  • More possibilities for prioritizing workload
  • Increased ability of the system to adjust to periodic service outages
  • Less strain on help desk support
  • More reliable resource utilization and quicker logon times

Monitoring that Works

The Active Directory Viewer takes into account different degrees of monitoring based on operational factors such as organization size, the cost of service outages, and the time needed to identify and resolve potential system problems. Small organizations typically have fewer domains, sites, and domain controllers.

This means that these utilities can be used alongside the built-in tools of the Windows Server 2000. Larger enterprises with more domains, domain controllers, and sites cannot afford service outages, because outages directly affect their productivity, which is why monitoring solutions like these are essential for them.

Enhanced Centralization

Collection of monitoring data and consolidation of the results can be centralized. The Active Directory Viewer can also reduce network traffic and increase system performance when set up according to the physical network topology. These tools use independent monitoring services to tackle the following:

  • Domain controller failure due to disk space problems associated with the Ntds.dit database file
  • Application failure, normally caused by queries into the directory
  • Security policy failure due to failed replication of the SYSVOL shared folder that holds security policies and GPOs
  • Inconsistent directory data brought about by replication failure over an extended period of time
  • Logon failure because of problems with trust relationships, name resolution, or the failure of the global catalog server to determine universal group membership
  • Account lockout due to failed replication among several domain controllers or emulators, resulting in users getting locked out

System Support

The Active Directory Viewer supports various Microsoft Windows operating system environments, such as Windows Server 2003 and Windows 2008 R2. The utility also allows bookmarking of Active Directory objects, which is extremely useful when the same objects are viewed repeatedly, and it offers quicker, single-click navigation among objects than the ADUC snap-in. Data can also be copied to the clipboard or emailed.

Added Functionalities

These utilities can also modify Active Directory objects, subject to certain prevailing conditions. Once objects have been deleted, however, the tools lack the functionality to deal with that scenario.

This means that tombstone objects cannot be reanimated with these utilities. It is also important to note that snapshots cannot be used as a backup of the Active Directory, that reports cannot be exported but only sent out by email, and that snapshots cannot be taken while in current mode.

Likewise, since these utilities support the Active Directory service through the Active Directory Schema snap-in, that snap-in must be installed and running in the network server environment.

The beauty of these tools is that they can be run alongside the other Administrative Tools and scripts of the network environment. Two domain controllers must exist within the same domain to make full use of these tools.

These tools can also be used to add the user information that the fictional corporation stores in Active Directory. This information includes sensitive Human Resources data, such as employees' Social Security numbers and salary levels. It is supported by an auxiliary class, containing the relevant attributes, that is added to the user class.

All of these benefits emphasize the many options and functions available to system administrators who implement such programs across a network-wide environment. The Active Directory Viewer is an extremely useful tool for ensuring the stability of network resources and services.

Aside from the Active Directory Utilities built into the operating system platform, a number of third party tools and utilities are associated with the Active Directory service.  Unlike the operating system's own tools, third party tools and utilities are typically designed for a wider audience than system administrators alone.  This does not mean, however, that ordinary users gain extensive control over the Active Directory service.

The Active Directory Utilities that come with the operating system platform let system administrators control and manage single master operations, create application directory partitions, and remove metadata left behind by domain controllers.  Even so, there are a number of reasons to use third party tools and utilities with the Active Directory service, as follows.

Strengthening Network Security

There is no question that the Information Technology environments of organizations and businesses face multiple threats, originating either internally or externally.  Regardless of the source, one thing is certain: they are malicious in nature and can expose important stored data to unauthorized access.

Internal threats normally result from unchecked user access and privileges over storage that holds sensitive data.  Some third party tools and utilities are explicitly designed to respond to these threats by investigating and reporting their causes.  Based on past incidents, approximately 48% of security breaches have started internally, at times caused by unwary users.

More alarming still, about 90% of these internal breaches have been intentional, for varying reasons.  This can cause untold problems for system administrators, especially those facing declining budgets due to financial cuts in their organizations.  Essentially, users' access should be limited to what their jobs require.

Providing more access is synonymous with increasing the security risk the organization faces.  Third party software should be viewed in conjunction with the built-in functions of the Active Directory service, which allows risks to be reduced and services maintained within the organization's allotted budget.

Application and Enforcement of Controls

The use of Active Directory Utilities can provide solutions for system administrators that cannot readily be implemented with the built-in tools of the Active Directory service.  It is extremely important to understand that granular separation of administrative duties should be implemented; this type of solution is necessary in virtually every networking environment.

Third party tools and utilities may be necessary to provide a better solution for the application and enforcement of controls.  This supports the implementation of access authorization matched to the duties each user performs; controls should be viewed in light of the varying needs and wide range of duties of network users.

Automation of Detection of Unauthorized System Changes

The Active Directory service is intended to simplify monitoring not only of user access but also of the processes running in the domain, so the tools and utilities used with it should support this.  Active Directory Utilities can help minimize the risks organizations face by automating the handling of events.

The detection and notification features of these tools and utilities help alert the organization to unauthorized changes to the system.  They are also equipped with rollback and remediation features, which provide solutions for unauthorized changes while minimizing the associated risks.

Automated event detection and notification serve not only system administrators but also the key stakeholders of the organization.  To further improve response time, notification and rollback can also be automated.  Audit logs capturing all related activities are kept to assist in evaluating overall network security, and they also assist in investigating security breaches such as unauthorized system changes.

Reduction of Administrative Processes and Workloads

Some of the Active Directory Utilities on the market today are intended to reduce administrative processes and workloads by handling the routine activities of system administrators.  With a lighter workload, administrators become more efficient at monitoring the delivery of the network services essential to the organization's operation.

Some of the tools and utilities can smoothly automate tasks such as the provisioning and de-provisioning of user accounts.  Automation of routine tasks can also cover compliance reporting as well as the periodic maintenance the network requires, improving adherence to network requirements while reducing workload.

Simplification of Reporting and Auditing Procedures

Active Directory Utilities can improve the implementation of reporting and auditing procedures.  The Active Directory service has a native auditing function, but since the built-in tools are intended mostly for system administrators, native auditing can be hard for most users to understand.

Third party tools and utilities are commonly designed to deliver readable and understandable results when reporting and auditing.  They commonly address the vital questions associated with network and domain processes, which makes monitoring of active data exchanges easier and simpler, especially for system administrators with limited technical skills.  With this approach, tracking specific activities can be handled by virtually any Information Technology staff member.

To leverage the power of the Active Directory service and extend its functions, the use of third party tools and utilities should be carefully considered by Information Technology departments in general and system administrators in particular.  Active Directory Utilities can go a long way toward standardizing the policies, security, reporting, auditing, and risk management of network resources.

The Microsoft Active Directory schema holds the formal definitions of all the object classes that can be created in an Active Directory forest, as well as definitions of all the attributes that can exist in an AD object. Since AD stores information about various services and applications, the schema standardizes it. This component also defines how data is stored and how the directory service retrieves, updates, and replicates it.

In Active Directory, the main storage units are called objects, and these objects are defined in the Active Directory schema. Every time there is information to be handled, the directory service queries the schema for the correct object definition. AD creates the objects and stores the data in them, while the schema defines how that data can be stored.

Only the data types defined in the Active Directory schema can be stored in objects. To store a new data type, a definition for the new object must first be created in the AD schema.

Implementation of the AD Schema

In Active Directory Domain Services, attribute and class definitions are stored within the directory itself, as instances of the attributeSchema and classSchema classes, which are themselves defined in the Active Directory schema. The AD schema is therefore controlled with the same LDAP operations used to control other objects.

Since the Active Directory schema is an important component that affects the whole forest, special restrictions may apply to AD schema extensions. The implementation of the AD schema can be summarized as follows:

  • The attributeSchema class instances define all the attributes supported by AD Domain Services. For example, an attributeSchema object's isSingleValued attribute describes the attribute being defined, in the same way that an attribute of a user object describes that user.
  • The classSchema class instances define all the object classes supported by AD Domain Services. An example of a classSchema object's attributes is its attributeSyntax, which works similarly to the attributeSchema case.
  • The schema container of the Active Directory schema is where both the attributeSchema and classSchema instances are stored.

Attributes and Their Characteristics

Each attribute in Active Directory Domain Services is defined by an attributeSchema object in the schema container. An attributeSchema object's characteristics are specified by its properties, including:

  • The attribute identifiers: an attribute has several identifiers, one of which is the lDAPDisplayName. Most programmers consider this the most interesting, since LDAP clients use it to read and write the attribute. The schemaIDGUID, on the other hand, is used in security descriptors to control access to the attribute.
  • The data type of the attribute's instances: the syntax properties of an attribute determine its data type, such as binary, string, or integer. Additional attributeSchema properties can specify the range of values allowed for the attribute and whether an instance can have multiple values.
  • Membership in groups: some properties tag an attribute so that it is included in a specified property set, that is, a set of related properties. This characteristic can also be used to include an attribute in the set of attributes replicated to the global catalog. Attributes can also be indexed to optimize search performance.

Object Classes and Their Characteristics

Each object class in Active Directory Domain Services is defined by a classSchema object in the schema container. A classSchema object's attributes specify the characteristics of the class, including:

  • The class identifiers: these include the schemaIDGUID and the lDAPDisplayName. The schemaIDGUID is used in security descriptors that control access to the class; the lDAPDisplayName is used by LDAP clients to identify classes in search filters.
  • Possible attributes: an object class definition lists the mandatory and optional attributes that can be set on any instance of that class.
  • Possible parents: except for the root of the directory hierarchy, every object instance has one parent. An object class definition lists the possible parents, that is, the classes whose instances may contain an instance of that class.
  • Superclasses and auxiliary classes: in an Active Directory schema every object class except top is derived from another object class. In the class hierarchy a class inherits the possible parents and possible attributes of the classes above it. An object class can also have several auxiliary classes from which it inherits possible attributes.
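An added example (not from the article) that models the schema mechanics described above in Python: classSchema and attributeSchema definitions, the subClassOf chain up to top, auxiliary classes folded into a class's possible attributes, and a validator that checks an object instance against the effective definition (mandatory attributes present, no attributes outside the class, isSingleValued respected, values matching the attribute syntax). The schema subset is constructed, and the hrPerson auxiliary class with its hrSalary and hrSSN attributes is a hypothetical stand-in for the HR extension mentioned earlier.

```python
# Added example (not from the page): a minimal model of how attributeSchema and
# classSchema definitions fix what an object may contain, plus a validator that
# checks an instance the way the directory does before storing it. The schema
# subset below and the hrPerson auxiliary class are constructed for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AttributeSchema:
    ldap_display_name: str
    syntax: str               # simplified attributeSyntax: "string" or "integer"
    is_single_valued: bool    # isSingleValued


@dataclass(frozen=True)
class ClassSchema:
    ldap_display_name: str
    sub_class_of: Optional[str]                    # None only for top
    must_contain: FrozenSet[str] = frozenset()     # mandatory attributes
    may_contain: FrozenSet[str] = frozenset()      # optional attributes
    auxiliary_class: FrozenSet[str] = frozenset()  # classes whose attributes are folded in


PY_TYPES = {"string": str, "integer": int}


def attr(name: str, syntax: str, single: bool = True) -> AttributeSchema:
    return AttributeSchema(name, syntax, single)


def cls(name: str, parent: Optional[str], must=(), may=(), aux=()) -> ClassSchema:
    return ClassSchema(name, parent, frozenset(must), frozenset(may), frozenset(aux))


ATTRIBUTES: Dict[str, AttributeSchema] = {a.ldap_display_name: a for a in [
    attr("objectClass", "string", single=False),  # multi-valued: the whole class chain
    attr("objectCategory", "string"),             # single-valued
    attr("cn", "string"),
    attr("sn", "string"),
    attr("givenName", "string"),
    attr("sAMAccountName", "string"),
    attr("userAccountControl", "integer"),
    attr("memberOf", "string", single=False),
    attr("dNSHostName", "string"),
    attr("hrSalary", "integer"),                  # hypothetical HR extension attribute
    attr("hrSSN", "string"),                      # hypothetical HR extension attribute
]}

CLASSES: Dict[str, ClassSchema] = {c.ldap_display_name: c for c in [
    cls("top", None, must=["objectClass", "objectCategory"]),
    cls("person", "top", must=["cn"], may=["sn"]),
    cls("organizationalPerson", "person", may=["givenName"]),
    cls("securityPrincipal", "top", must=["sAMAccountName"]),   # auxiliary class
    cls("hrPerson", "top", may=["hrSalary", "hrSSN"]),           # hypothetical auxiliary class
    cls("user", "organizationalPerson", may=["userAccountControl", "memberOf"],
        aux=["securityPrincipal", "hrPerson"]),
    cls("computer", "user", may=["dNSHostName"]),
]}


def effective_attributes(class_name: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """(mandatory, optional) attributes of a class: walk subClassOf up to top and
    fold in every auxiliary class met along the way (and their own chains)."""
    must, may, seen = set(), set(), set()
    pending = [class_name]
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        seen.add(name)
        c = CLASSES[name]
        must |= c.must_contain
        may |= c.may_contain
        if c.sub_class_of is not None:
            pending.append(c.sub_class_of)
        pending.extend(c.auxiliary_class)
    return frozenset(must), frozenset(may - must)


def validate(obj: Dict[str, object], class_name: str) -> List[str]:
    """Schema checks applied to an instance; returns violation messages (empty = valid)."""
    must, may = effective_attributes(class_name)
    errors = [f"missing mandatory attribute {a}" for a in sorted(must - set(obj))]
    for name, value in obj.items():
        if name not in must and name not in may:
            errors.append(f"attribute {name} is not allowed on class {class_name}")
            continue
        spec = ATTRIBUTES[name]
        values = value if isinstance(value, list) else [value]
        if spec.is_single_valued and len(values) > 1:
            errors.append(f"attribute {name} is single-valued but got {len(values)} values")
        for v in values:
            if type(v) is not PY_TYPES[spec.syntax]:   # exact type: bool is not an integer here
                errors.append(f"attribute {name} expects {spec.syntax}, got {type(v).__name__}")
    return errors


# Constructed instances: one well-formed user and one breaking several rules
VALID_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=test",
    "cn": "Alice Example", "sAMAccountName": "alice",
    "userAccountControl": 512, "hrSalary": 70000,
}
BAD_USER = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=example,DC=test",
                       "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=test"],  # single-valued
    "cn": "Bob Example",                 # no sAMAccountName: mandatory via securityPrincipal
    "dNSHostName": "bob.example.test",   # allowed on computer, not on user
    "userAccountControl": "512",         # string where integer syntax is required
}

if __name__ == "__main__":
    print("user must/may:", effective_attributes("user"))
    print("valid:", validate(VALID_USER, "user"))
    print("bad:", validate(BAD_USER, "user"))
```

Adding an auxiliary class to user makes its attributes available to every user instance without touching the user class's own definition, which is exactly why sensitive extension attributes such as the hypothetical hrSSN need their own access control in the security descriptor rather than relying on where they were defined.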

Many websites offer Free Active Directory Tools for the Windows operating system, which can make it hard to choose the best ones to use. One way to find the best free Active Directory tools is an online search; reading helpful, unbiased product and customer reviews is also a good idea when you are looking for these useful tools.

We have compiled this list of 10 really useful Active Directory tools that will help you set up and maintain your Active Directory installation. They are not listed in any particular order.

Below is a list of the Free Active Directory Tools for the Windows operating system that you will find very useful:

1. Local User Manager

One of the Free Active Directory Tools you will find very useful is the Local User Manager. This is a "PowerShell cmdlet" that helps manage the local user accounts of different domain users more effectively. It provides information on local user accounts and allows easy management of them through a convenient, simplified interface.

2. Last Logon Reporter

The Last Logon Reporter is another tool that makes the list of the most useful Free Active Directory Tools for the Windows operating system. It reports the last logon time of a selected user or of all users, which is very important for clean-up and audit activities. With its simple, hassle-free interface, you should consider adding the Last Logon Reporter to your Active Directory tools.

3. Terminal Session Manager

This is another "PowerShell cmdlet" that is very useful for identifying and managing terminal sessions in a domain. Many IT administrators consider it one of the most useful Free Active Directory Tools, since multiple terminal user sessions across a single domain can be managed, logged off, and disconnected from a single point or console. This Active Directory tool for the Windows operating system is not only 100% free; it is also fast, efficient, and easy to use.

4. Password Policy Manager

The Password Policy Manager allows all users to view and retrieve the Domain Password Policy, and allows users with administrative rights to revise, edit, or change it. The tool can be installed on any machine used within the domain. With all the features it offers, you should definitely consider including the Password Policy Manager in your list of Free Active Directory Tools.

5. AD Replication Manager

The AD Replication Manager allows an administrator to force replication of data within a domain or across the entire forest, and to replicate data between the controllers of two domains. This "PowerShell cmdlet" also reports comprehensive information on the last replication performed on Active Directory data. Besides being one of the Free Active Directory Tools, the AD Replication Manager is simple and convenient to use, which saves users a lot of time.

6. DMZ Port Analyzer

This Free Active Directory Tool lets administrators check the status of the ports that third party applications need in order to work with Active Directory. In a DMZ or multi-LAN environment, a firewall must not block the ports that Active Directory requires; the DMZ Port Analyzer identifies and checks the status of those ports so that the blocked ones can be opened.

7. Sharepoint Manager

The Sharepoint Manager provides reports and vital information on Sharepoint environments, letting administrators view a tree structure of the whole environment. It includes several useful tools that list all Web Parts available for a selected Site or SiteCollection, provide information on the Web Parts available for a selected Web page, and show which Web pages link to a specified Web Part. Reports on all file sizes in a Site or SiteCollection are also provided by this Free Active Directory Tool.

8. Domain and DC Roles Reporter

The Domain and DC Roles Reporter is another useful Active Directory tool available free of cost. It lists all domain controllers together with the roles they perform in the domain, and helps administrators identify the roles associated with each domain controller. If you want to get the best out of your servers, the Domain and DC Roles Reporter is the right tool for the job.

9. AD Query Tool

Another useful Free Active Directory Tool is the AD Query Tool, whose simple user interface lets users query Microsoft Active Directory. If you need data from Active Directory such as the first name, last name, telephone number, or address of a user object, this tool will provide the information you need.

10. DC Monitor

The DC Monitor is an important Active Directory tool that automatically discovers and displays domains. You are given several options for how the tool performs its job and for the information you want it to retrieve. You can also use this Free Active Directory Tool to extract parameters such as memory utilization, disk utilization, and CPU utilization, and to view details of counters such as page writes per second, page reads per second, file writes, and file reads.
