What is an organizational unit (OU)?
An organizational unit (OU) is a container in Active Directory for storing objects
such as accounts, groups, and other OUs. Organizing accounts into OUs allows for
easier administration and makes it possible to delegate administrative tasks.
One important idea to keep in mind when using OUs: they are not security principals.
This means that they cannot be used to secure resources; permissions are granted to
users and groups, not to OUs.
How do I administer accounts in my department's OU?
As an OU administrator you have a limited ability to administer accounts that
reside in the root domain and belong to users from your department. Accounts
for your department have been placed in an Organizational Unit named after the
DNS zone to which your department belongs.
How do I install Administrative Tools on Windows 2000 Professional or a Member Server?
Any computer running Windows 2000 Professional or Server can be used to administer
accounts in Active Directory, but you must first install the Windows 2000 Administrative
Tools from the Windows 2000 Server CD. Log on as an administrator of the workstation,
insert the Windows 2000 Server CD, and browse the CD. Go to the \i386
directory. Locate and run the adminpak.msi program. The Windows 2000 Administrative Tools
Setup Wizard appears, as shown below. [continued]
What is a good backup strategy for Windows 2000?
We recommend a three-tiered approach to backing up your Windows 2000 Domain Controllers.
The first step is to take a "snapshot" of the OS partition on your server before Active
Directory is installed. This provides the ability to recover a clean operating system
after a disaster. We recommend using Norton Ghost
for this step; just make sure you have a recent version (6.0 or later) that understands
After your server has been promoted to a Domain Controller and Active Directory has
been installed, use Windows 2000's built-in backup software, Ntbackup, to perform
nightly backups of your server. Ntbackup has the advantage of being able to back up
your server's "system state", which includes open Jet databases such as the AD
databases and the registry, which many backup programs cannot handle. Back up
everything to one file and store it locally. Finally, move the backup file offsite.
Check out the Virginia Tech Computing Center's Network Backup Service for more information.
Here's how this strategy pays off if the worst happens. Recover the base OS with
the Ghost image. Recover the backup file with ADSM, NSR, or whatever software you've
used to store the backup file remotely. Recover the System State and other data using
Ntbackup and the backup file.
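A nightly batch script for the second step (the Ntbackup run) of the strategy described above. This is an added example, not code from the original FAQ; it assumes the BOOT partition is drive D: and that your offsite client (ADSM, NSR, or whatever you use) picks up the .bkf file afterwards.

```batch
@echo off
REM Nightly full backup plus System State for a Windows 2000 domain controller.
REM Added example, not from the original FAQ. Assumptions: the BOOT partition
REM is drive D: and the OS partition is %SystemDrive% (normally C:); adjust both.
setlocal

set BOOTDRIVE=D:
set BKDIR=%BOOTDRIVE%\Backups
if not exist %BKDIR% mkdir %BKDIR%

REM Build a date-stamped file name so each night's .bkf is kept apart.
REM %DATE% is locale dependent (e.g. "Tue 05/14/2002"): keep the last ten
REM characters and replace the slashes so the result is a legal file name.
set STAMP=%DATE:~-10%
set STAMP=%STAMP:/=-%
set BKFILE=%BKDIR%\dc-%STAMP%.bkf

REM One normal (full) backup of the OS partition plus System State (the AD
REM database, SYSVOL, registry and certificate store) into a single file.
REM /V:yes verifies after writing and /L:s writes a summary log.
ntbackup backup %SystemDrive%\ systemstate /J "Nightly DC backup" ^
  /F "%BKFILE%" /M normal /V:yes /L:s /D "DC full + System State %STAMP%"

REM ntbackup's exit code is not a reliable failure signal, so check that the
REM file was actually written and review the summary log for verify errors.
if not exist "%BKFILE%" (
  echo %DATE% %TIME% no backup file produced, see the ntbackup log >> %BKDIR%\nightly.log
  exit /b 1
)
echo %DATE% %TIME% backup written to %BKFILE% >> %BKDIR%\nightly.log

REM Keep only the three most recent nights on the BOOT partition; the offsite
REM copy is the long-term retention.
for /f "skip=3 delims=" %%f in ('dir /b /o-d %BKDIR%\dc-*.bkf') do del "%BKDIR%\%%f"
endlocal
```

Schedule it with the Task Scheduler under an account that is a member of Backup Operators or Administrators, since System State cannot be backed up by an ordinary user.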
How should I partition my Domain Controllers?
The disk partitioning scheme that we recommend is consistent with our backup
strategy and Microsoft's recommendations about where to place the Active Directory
volumes. In the diagram to the right there are three partitions: BOOT, OS, and AD.
BOOT is a FAT partition and is initially used to store the Ghost image that is
created in the first step of our backup strategy. BOOT should also be used to store
the backup file created in the second step of the backup strategy. OS contains the operating system
and any programs and AD contains the Active Directory volumes. For performance reasons,
Microsoft recommends that the AD volumes be located on a different physical drive than
the operating system.
If your department can afford to equip your domain controllers with RAID hardware,
please do so. Mirroring or RAID5 will protect your AD databases from hard disk
failure and could save you from the anguish of having to re-build your servers.
How can I add an NT 4.0 Workstation to my Windows 2000 Domain?
Some of our child domain administrators have encountered problems when trying to
add NT 4.0 Workstations to their new Windows 2000 domain. Through trial and error,
hair-loss, and reading the resource kit manuals, the following solution was discovered.
There is a tool on the Windows 2000 Server CD named netdom.exe. Netdom can be used,
among many things, to reset the secure channel between members of a domain and join
a workstation or member server to a domain. The following paragraph is taken from
Chapter 10, page 557 of the Distributed System Guide in the Windows 2000
To join a workstation or member server to a domain, you can use the Netdom tool.
For example, to join a workstation called Work1 to the reskit.com domain in the
my-computers organizational unit, carry out the following:
Netdom join work1 /d:reskit.com /OU:OU=my-computers,DC=reskit,DC=com /reboot:20
In addition to adding the computer account to the domain, the workstation is
modified to contain the appropriate shared secret to complete the Join procedure.
If the Join procedure can be completed, the /reboot switch causes the computer
to be automatically shut down and restarted after giving the user two minutes
to save work in progress.
Running Netdom on the Domain Controller will place the "shared secret" on the
workstation, completing the Join.
Please Note: the resource kit is incorrect about the location
of Netdom. The utility is in Support\Tools\Support.cab on the Windows 2000
Server CD-ROM, not the Resource Kit CD-ROM.
Much thanks to Ziggy Hill for discovering this solution.
How do I get a Hokies account?
Faculty and staff currently affiliated with Virginia Tech may create a Hokies
ID by using the My Security tab of the
web site. Use your Virginia Tech PID and password when logging on for the first
What is the Recovery Console? How do I install it and why?
When considering which file system to install Windows 2000 onto, the decision
is fairly obvious: NTFS is far superior to the myriad incarnations of FAT in
almost every respect, especially in terms of security. In fact, NTFS is so secure
that if someone had physical access to a computer running Windows 2000 and booted
from a DOS floppy, hoping to use DOS commands to damage or compromise your OS,
they would be thwarted by their inability to read or write to the NTFS partition.
However, this also creates a catch-22 for system administrators who need to
troubleshoot problems on the NTFS partition that are preventing the graphical
interface from loading. In Windows 2000, Microsoft's solution to this quandary
is the Recovery Console. [continued]