Microsoft Active Directory tools and troubleshooting

A.D. Info bits

  • Max AD database size = 16 terabytes (the ESE/NTDS.DIT limit)
  • Adding an attribute to the partial attribute set (PAS) causes a full GC resynch on Windows 2000; this no longer happens from Windows Server 2003 (then called Windows .NET Server) onward, which replicates only the newly added attribute
  • LDP.exe lets you bind to a DC and browse, search and modify the directory at the raw LDAP level
  • ADSI Edit is good for looking at (and editing) AD object attributes using a UI
  • The Active Directory Schema snap-in (schema manager) is for looking at the schema: classes, attributes and their OIDs
  • RootDSE (the root of the LDAP tree) will tell you the name of the server you bound to, its naming contexts (defaultNamingContext, schemaNamingContext, configurationNamingContext), supported controls and its highestCommittedUSN
  • Every object (and every attribute within it) is protected by a security descriptor: the DACL grants or denies access, the SACL drives auditing. Bulk permission changes can be made with the command-line tool DSACLS
  • An object is identified by its DN (distinguished name, the full path built from RDNs) and by its objectGUID, which never changes even when the object is renamed or moved; schema classes and attributes are identified by OID and LDAP display name
  • A matching rule OID in an LDAP filter lets you test individual bits of an integer attribute such as userAccountControl: 1.2.840.113556.1.4.803 is bitwise AND, 1.2.840.113556.1.4.804 is bitwise OR. A plain equality match would only hit values that are exactly equal to the number given
  • Classes all derive from top; each class declares the attributes it must contain (mustContain/systemMustContain) and may contain (mayContain/systemMayContain)
  • To modify the schema you need to be a member of Schema Admins, be connected to the schema master FSMO (the Schema snap-in can change the operations master), and on Windows 2000 also release the schema interlock by ticking "The Schema may be modified on this Domain Controller" (the Schema Update Allowed value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters)
  • LDIFDE is used rather than CSVDE because CSVDE can only export and bulk-import (create) objects; LDIFDE can also modify and delete
  • An operational (constructed) attribute is not stored in the database but computed by the server on request, so it must be asked for explicitly in the search. Examples: canonicalName, tokenGroups, and allowedAttributesEffective/allowedChildClassesEffective, which report the rights the caller effectively has on the object
  • An ANR search (ambiguous name resolution), e.g. (anr=jo), is expanded by the server into an OR of starts-with matches across the ANR attribute set (displayName, givenName, sn, sAMAccountName, name, proxyAddresses, legacyExchangeDN, ...); it is a prefix match on your search input, not a full wildcard
  • GC (Global Catalog) on port 3268 (3269 for GC over SSL)
  • Directory (LDAP) on port 389 (636 for LDAP over SSL)
  • DNS resolves name to IP (A), IP to name (PTR) and service to host (SRV): clients locate DCs, GCs and the PDC through SRV records under _msdcs, e.g. _ldap._tcp.dc._msdcs.<domain>
  • To seize a FSMO role use ntdsutil (roles, connections, connect to server <dc>, seize <role>); do it on the most up-to-date DC, found by comparing USNs with repadmin /showutdvec, and never bring the old holder back online afterwards
  • Tombstones are garbage-collected after the tombstone lifetime: 60 days by default (180 days in forests created on Windows Server 2003 SP1 or later)
  • FSMO roles = 2 per forest (schema master, domain naming master) and 3 per domain (PDC emulator, RID master, infrastructure master)
  • DCPROMOUI: dcpromo logs to %systemroot%\debug\dcpromo.log and dcpromoui.log, the first place to look when a promotion or demotion fails
  • ADSizer (Active Directory Sizer) lets you estimate the size of the AD database and the DC hardware needed
  • The USN (update sequence number) is a per-DC 64-bit counter incremented by one on every write; replication partners track each other's USNs in the up-to-dateness vector
  • UG (universal group) membership is published to the GC
  • GG (global group) membership is not published to the GC (nor is domain local group membership)
  • The GC resolves universal group membership and UPN logons (user@domain), so a GC must be reachable at logon in a multi-domain forest
  • If a Kerberos problem occurs because of time skew (more than 5 minutes by default), the servers are out of synch. The PDC emulator FSMO is the time master for the domain; the forest root PDC emulator is the time master for the forest
  • A property set is a collection of attributes that can be granted or denied with a single ACE. Members of the property set are identified by the attributeSecurityGUID on the attribute, which matches the rightsGuid of the controlAccessRight object
  • Dssec.dat (%systemroot%\system32) controls which attributes you can see in the security UI
  • Delegwiz.inf (%systemroot%\inf) allows you to create new tasks in the Delegation of Control Wizard
  • If your RID master is dead, each DC can only create as many new security principals as are left in its current RID pool (500 by default), so creation stops after at most another 500 per DC
  • Repadmin /showvector (now /showutdvec) prints the up-to-dateness vector: the highest USN this DC has applied from each replication partner
  • When a DC has been deleted without being demoted, its NTDS Settings object stays behind and the UI will not let you get rid of it; remove it with ntdsutil metadata cleanup
  • Turn on auditing (Audit directory service access) via group policy at the domain controller level (Default Domain Controllers Policy), then put SACLs on the objects you want audited
  • Trusts between domains in a forest (parent-child and tree-root) are created automatically, are transitive and two-way, and cannot be broken. They use Kerberos (rather than the old NTLM); external trusts are created by hand, are non-transitive and use NTLM
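Added example (my code, not part of the original notes): the RootDSE, port, bit-test and ANR points above, exercised from PowerShell with System.DirectoryServices only (no RSAT module). It assumes a domain-joined Windows host; the search string "jo" and the Search-Directory helper are mine.

```powershell
# Added example, not from the original notes. Assumes a domain-joined Windows
# host; uses System.DirectoryServices, which ships with Windows PowerShell.
# Shows: RootDSE, LDAP (389) vs GC (3268), bitwise matching-rule filters, ANR.

$BitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND
$BitOr  = '1.2.840.113556.1.4.804'   # LDAP_MATCHING_RULE_BIT_OR
$UF_ACCOUNTDISABLE     = 0x0002      # userAccountControl flag bits
$UF_DONT_EXPIRE_PASSWD = 0x10000

# RootDSE: which DC answered and which naming contexts it holds
$rootDse   = [ADSI]'LDAP://RootDSE'
$dnsHost   = $rootDse.dnsHostName.Value
$defaultNC = $rootDse.defaultNamingContext.Value
"Bound to $dnsHost; defaultNamingContext = $defaultNC"

# Read one value from a SearchResult property collection, or $null if absent
# (keys in the collection are lower-case; contacts have no sAMAccountName)
function Get-Prop($props, [string]$name) {
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { $props[$name][0] } else { $null }
}

# Helper (mine): run a paged subtree search and return simple objects
function Search-Directory {
    param(
        [string]$Root,       # ADSI path: LDAP://... (port 389) or GC://... (port 3268)
        [string]$Filter,
        [string[]]$Attributes = @('distinguishedName', 'sAMAccountName', 'userAccountControl')
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$Root
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500        # paged search, so more than the 1000-entry limit comes back
    [void]$searcher.PropertiesToLoad.AddRange($Attributes)
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $p = $r.Properties
            [pscustomobject]@{
                DN  = Get-Prop $p 'distinguishedname'
                Sam = Get-Prop $p 'samaccountname'
                UAC = Get-Prop $p 'useraccountcontrol'
            }
        }
    } finally {
        $results.Dispose()
    }
}

# 1) Bitwise AND: disabled accounts. (userAccountControl=2) would only match
#    accounts whose whole value is 2; the :803: rule tests just that bit.
$disabled = Search-Directory -Root "LDAP://$defaultNC" `
    -Filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:$BitAnd:=$UF_ACCOUNTDISABLE))"
"Disabled users: $(@($disabled).Count)"

# 2) Bitwise OR: any of the bits in the mask set (disabled OR password never expires)
$mask = $UF_ACCOUNTDISABLE -bor $UF_DONT_EXPIRE_PASSWD
$flagged = Search-Directory -Root "LDAP://$defaultNC" `
    -Filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:$BitOr:=$mask))"
$flagged | Where-Object { ([int]$_.UAC -band $UF_DONT_EXPIRE_PASSWD) -ne 0 } |
    Select-Object -First 5 Sam, DN

# 3) ANR against the Global Catalog. GC:// talks to port 3268 and searches the
#    whole forest, but only partial-attribute-set attributes come back.
#    (anr=jo) is expanded server-side to
#    (|(displayName=jo*)(givenName=jo*)(sn=jo*)(sAMAccountName=jo*)...)
$anr = Search-Directory -Root "GC://$dnsHost" -Filter '(anr=jo)'
$anr | Select-Object -First 5 Sam, DN
```

Run it as any domain user: reading these attributes needs no special rights. Swap `GC://$dnsHost` for `LDAP://$defaultNC` in the ANR query and the result shrinks to one domain but gains the attributes that are not replicated to the GC.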
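Added example (my code, not part of the original notes) for the FSMO, USN and seizure points above: list the five role holders, compare up-to-dateness vectors to pick the best surviving DC, then seize a role with ntdsutil. It assumes the RSAT ActiveDirectory module, repadmin.exe, ntdsutil.exe and dcdiag.exe are present and that you run it as a Domain Admin (Enterprise/Schema Admin for the forest roles); DC02.corp.example.com is a placeholder name.

```powershell
# Added example, not from the original notes. Assumes the RSAT ActiveDirectory
# module plus repadmin.exe, ntdsutil.exe and dcdiag.exe; $Survivor is a
# placeholder for the DC chosen to take over the role.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster            # 2 forest-wide roles
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator             # 3 per-domain roles
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Pick the most up-to-date replica: print each candidate's up-to-dateness
# vector. The line carrying the dead holder's invocation ID shows the highest
# USN that candidate has applied from it; the candidate with the highest wins.
$Survivor   = 'DC02.corp.example.com'   # placeholder
$candidates = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $candidates) {
    "==== $dc"
    repadmin /showutdvec $dc $domain.DistinguishedName
}

# Seize only when the old holder is gone for good. ntdsutil first tries a
# graceful transfer and falls back to seizure, and pops a confirmation box.
# Each quoted argument is one line typed at the successive ntdsutil prompts.
# Role names: "schema master", "naming master", "PDC", "RID master",
# "infrastructure master".
ntdsutil "roles" "connections" "connect to server $Survivor" "quit" "seize RID master" "quit" "quit"

# After a RID master seizure the old holder must never come back online: it
# would hand out overlapping RID pools. Confirm the new holder and its pool.
Get-ADDomain | Select-Object RIDMaster
dcdiag /test:ridmanager /s:$Survivor
```

For the forest roles replace `$domain.DistinguishedName` with the configuration or schema naming context from Get-ADRootDSE, since that is the partition whose USNs matter for those roles.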