Managing Active Directory from MMC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Active Directory administrative tools simplify directory service administration. You can use the standard tools or, using Microsoft Management Console (MMC), create custom tools that focus on single management tasks. You can combine several tools into one console. You can also assign custom tools to individual administrators with specific administrative responsibilities. For information about MMC, see Working with MMC console files.

The Active Directory administrative tools can only be used from a computer with access to a domain. The following Active Directory administrative tools are available on the Administrative Tools menu:

  • Active Directory Users and Computers

  • Active Directory Domains and Trusts

  • Active Directory Sites and Services

You can also remotely administer Active Directory from a computer that is not a domain controller, such as a computer running Windows XP Professional. To do this, you must install the Windows Server 2003 Administration Tools Pack. For more information, see Windows Server 2003 Administration Tools Pack Overview.

The Active Directory Schema snap-in is an Active Directory administrative tool for managing the schema. It is not available by default on the Administrative Tools menu, and must be added manually. For more information, see Install the Active Directory Schema snap-in.

For advanced administrators and network support specialists, there are many command-line tools that can be used to configure, manage, and troubleshoot Active Directory. For more information, see Active Directory support tools.

You can also create scripts that use Active Directory Service Interfaces (ADSI). Several sample scripts are supplied on the operating system installation media. For more information about the sample scripts, see Using the Windows Deployment and Resource Kits. For more information about using ADSI, see Programming interfaces.

Customizing how data is displayed in Active Directory administrative tools and snap-ins

The Active Directory administrative tools, such as Active Directory Users and Computers, and the Windows shell extensions use display specifiers to dynamically create context menu items and property pages. Display specifiers permit localization of class and attribute names, context menus, and property pages, and also support new classes and attributes. You can add and modify classes and attributes in the schema and extend both the administrative tools and the Windows shell in many ways by modifying attributes in display specifiers. For more information about the Active Directory schema and display specifiers, see the Active Directory Programmer's Guide at the Microsoft Web site.

Using Active Directory Users and Computers

You can change how directory objects are displayed in Active Directory Users and Computers by selecting commands on the View menu of the console. Menu commands include the ability to toggle features on and off, such as the console tree, description bar, status bar, large icons, small icons, and so on.

When you start Active Directory Users and Computers and expand the domain node, several containers are displayed in the console tree. If you have just created a domain controller, the containers that are displayed by default are:

  • Builtin: Contains objects that define the default built-in groups, such as Account Operators or Administrators.

  • Computers: Contains Windows 2000, Windows XP, and Windows Server 2003 computer objects, including computer accounts that were originally created using application programming interfaces (APIs) that could not use Active Directory. Computer objects are moved to the Computers container when Windows NT domains are upgraded to Windows 2000 or a Windows Server 2003 operating system.

  • Domain Controllers: Contains computer objects for domain controllers running Windows 2000 or Windows Server 2003.

  • Users: Contains user accounts and groups that were originally created using APIs that could not use Active Directory. User accounts and groups are moved to the Users container when Windows NT domains are upgraded to Windows 2000 or a Windows Server 2003 operating system. You can use the Windows NT 4.0 User Manager (Usrmgr) tool to modify users and groups created using the APIs that could not use Active Directory.

When you select Advanced Features on the View menu, two additional folders are displayed in the console:

  • LostAndFound: Contains objects whose containers were deleted at the same time that the object was created. If an object has been created in or moved to a location that is missing after replication, the lost object is added to the LostAndFound container. The LostAndFoundConfig container in the configuration directory partition serves the same purpose for forest-wide objects.

  • System: Contains built-in system settings for the various system service containers and objects. For more information about the System container, see Using the Windows Deployment and Resource Kits.

When you select Filter options on the View menu, you can show all objects, show only selected objects, configure the number of items that can be displayed for each folder, or create custom filters using object attributes and LDAP queries.

Starting Active Directory MMC consoles from the command line

Active Directory MMC consoles, including Active Directory Users and Computers (dsa.msc), Active Directory Domains and Trusts (domain.msc) and Active Directory Sites and Services (dssite.msc), provide command-line options that allow you to start a console focused on a particular domain or domain controller. The command-line options support both fully qualified domain names and NetBIOS names.

The command-line options are:

  • **/domain=**FullyQualifiedDomainName

  • **/domain=**NetBIOSDomainName

  • **/server=**FullyQualifiedDomainControllerName

  • **/server=**NetBIOSDomainControllerName

You can use these command-line options to run the Active Directory MMC consoles directly from the command line, or you can create a shortcut to start a console and add the appropriate command-line options to the shortcut. You can also use the command-line options with any custom consoles that you create. For more information about creating and saving console files, see Windows interface administrative tool reference A-Z: Microsoft Management Console.

Command-line examples:

  • To start Active Directory Users and Computers focused on domain1, type:

    **dsa.msc /domain=**domain1

  • To start Active Directory Users and Computers focused on server1, type:

    **dsa.msc /server=**server1.domain1

  • To start Active Directory Sites and Services focused on server1, type:

    **dssite.msc /server=**server1.domain1

  • To start Active Directory Domains and Trusts focused on server1, type:

    **domain.msc /server=**server1.domain1

Notes

  • Do not use both a /domain and /server command-line option at the same time.

  • The /domain options can only be used with Active Directory Users and Computers.
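
The command-line options and the two restrictions in the Notes can be enforced in a small launcher. The following PowerShell function is an added example, not part of the original documentation or of Windows: the name `Start-AdConsole`, its parameters, and the conservative name pattern are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not shipped with Windows.
function Start-AdConsole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The three consoles named on this page.
        [Parameter(Mandatory)]
        [ValidateSet('dsa.msc', 'domain.msc', 'dssite.msc')]
        [string]$Console,

        [string]$Domain,   # fully qualified or NetBIOS domain name
        [string]$Server    # fully qualified or NetBIOS domain controller name
    )

    # Note 1: do not use /domain and /server at the same time.
    if ($Domain -and $Server) {
        throw 'Specify either -Domain or -Server, not both.'
    }
    # Note 2: /domain is accepted only by Active Directory Users and Computers.
    if ($Domain -and $Console -ne 'dsa.msc') {
        throw "/domain can only be used with dsa.msc, not $Console."
    }

    # Assumed conservative character set (letters, digits, hyphen, dot) so a
    # name cannot carry spaces or additional switches into the command line.
    $namePattern = '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
    $name = if ($Domain) { $Domain } else { $Server }
    if ($name -and $name -notmatch $namePattern) {
        throw "'$name' is not a valid DNS or NetBIOS style name."
    }

    # Build the same argument list you would type at the command line.
    $consolePath = Join-Path $env:SystemRoot "System32\$Console"
    $consoleArgs = @($consolePath)
    if ($Domain) { $consoleArgs += "/domain=$Domain" }
    if ($Server) { $consoleArgs += "/server=$Server" }

    # -WhatIf shows the command without starting the console.
    if ($PSCmdlet.ShouldProcess("mmc.exe $($consoleArgs -join ' ')", 'Start')) {
        Start-Process -FilePath 'mmc.exe' -ArgumentList $consoleArgs
    }
}

# Usage with the names from the examples above:
#   Start-AdConsole -Console dsa.msc -Domain domain1
#   Start-AdConsole -Console dssite.msc -Server server1.domain1 -WhatIf
```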