Active Directory Administrative Tasks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

As mentioned earlier, Active Directory management can be separated into service and data management.

Data management includes such tasks as creating and managing user and computer accounts, security groups, and application-specific data, all of which are stored in Active Directory. In certain cases, a small subset of tasks might involve the modification of Group Policy settings to affect the configuration state of member computers. Creation of user accounts and modification of group memberships are both examples of data management tasks.

Data management tasks include, but are not limited to, managing the following Active Directory content:

  • User accounts, which represent the identities of people who use the network.

  • Computer accounts, which represent the computers that are joined to domains in the Active Directory forest.

  • Security groups, which are used to aggregate accounts for the purpose of authorizing access to resources.

  • Application-specific attributes for Active Directory–enabled and –integrated applications, such as Microsoft Exchange and Microsoft Office Live Communications Server 2003.

Service management tasks are tasks that are related to the creation and maintenance of Active Directory configuration data. For example, adding a domain controller to a child domain, associating a new subnet with a site, and extending the Active Directory schema are all Active Directory service management administrative tasks that effect changes to configuration data. A majority of Active Directory configuration data is stored in Active Directory itself. However, certain aspects of Active Directory behavior can or must be configured on a domain controller. The configuration data that is associated with these tasks might be stored in the registry or file system of domain controllers.

Service management includes, but is not limited to, the following administrative tasks:

  • Adding and removing domain controllers.

  • Managing and monitoring replication.

  • Ensuring the proper assignment and configuration of operations master roles.

  • Performing regular backups of the directory database.

  • Configuring forest-wide Lightweight Directory Access Protocol (LDAP) settings.

  • Managing domain and domain controller security policies.

  • Configuring directory service parameters, such as setting the functional level of a forest or putting the directory in the special List-Object security mode.

For a comprehensive list of administrative tasks involved in Active Directory service and data management, see "Appendix A: Active Directory Administrative Tasks" in "Best Practices for Delegating Active Directory Administration: Appendices," which accompanies this document. For an overview of the categories of administrative tasks, see "Chapter 3: Delegating Service Management" and "Chapter 4: Delegating Data Management" later in this document.