FAQ

Frequently Asked Questions

  1. What is an organizational unit (OU)?
  2. How do I administer accounts in my department's OU?
  3. How do I install Administrative Tools on Windows 2000 Professional or a Member Server?
  4. What is a good backup strategy for Windows 2000?
  5. How should I partition my Domain Controllers?
  6. How can I add an NT 4.0 Workstation to my Windows 2000 Domain?
  7. How do I get a Hokies account?
  8. What is the Recovery Console? How do I install it and why?

  1. What is an organizational unit (OU)?

    An organizational unit (OU) is a container in Active Directory for storing objects such as accounts, groups, and other OUs. Organizing accounts into OUs allows for easier administration and makes it possible to delegate administrative tasks.

    One important idea to keep in mind when using OUs: they are not security principals, so they cannot be used to secure resources.


  2. How do I administer accounts in my department's OU?

    As an OU administrator you have a limited ability to administer accounts that reside in the root domain and belong to users from your department. Accounts for your department have been placed in an Organizational Unit named after the DNS zone to which your department belongs. [continued]


  3. How do I install Administrative Tools on Windows 2000 Professional or a Member Server?

    Any computer running Windows 2000 Professional or Server can be used to administer accounts in Active Directory, but you must first install the Windows 2000 Administrative Tools from the Windows 2000 Server CD. Log on as an administrator of the workstation, insert the Windows 2000 Server CD, and browse to the \i386 directory on the CD. Locate and run the adminpak.msi program. The Windows 2000 Administrative Tools Setup Wizard appears, as shown below. [continued]


  4. What is a good backup strategy for Windows 2000?

    We recommend a three-tiered approach to backing up your Windows 2000 Domain Controllers. The first step is to take a "snapshot" of the OS partition on your server before Active Directory is installed. This provides the ability to recover a clean operating system after a disaster. We recommend using Norton Ghost for this step; just make sure you have a recent version (6.0 or later) that understands NTFS 5.

    After your server has been promoted to a Domain Controller and Active Directory has been installed, use Windows 2000's built-in backup software, Ntbackup, to perform nightly backups of your server. Ntbackup has the advantage of being able to back up your server's "System State", which includes open Jet databases such as the AD databases and the registry, which many backup programs cannot handle. Back up everything to one file and store it locally. Finally, move the backup file offsite. Check out the Virginia Tech Computing Center's Network Backup Service for more information.

    Here's how this strategy pays off if the worst happens. Recover the base OS with the Ghost image. Recover the backup file with ADSM, NSR, or whatever software you've used to store the backup file remotely. Recover the System State and other data using Ntbackup and the backup file.
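    The nightly step of this strategy can be scheduled as a batch file on the Domain Controller. The script below is an added example, not a script from the original FAQ or from Virginia Tech: it writes the OS volume and the System State into one date-stamped .bkf file with Ntbackup, checks that the file was actually created, and leaves a clearly marked place for the offsite copy. The drive letters (C: for the OS partition, D: for the BOOT partition that holds the backup file), the folder names and the log file are assumptions; change them to match your server.

```batch
@echo off
rem nightly-backup.cmd -- added example, not part of the original FAQ.
rem Step two of the FAQ's backup strategy: one Ntbackup run that writes
rem the OS volume plus the System State (AD database, registry, SYSVOL)
rem into a single .bkf file, which step three then moves offsite.
rem ASSUMED drive letters and paths below; adjust for your server.
setlocal

rem ASSUMED: the BOOT partition that stores the backup file is D:
set BKDIR=D:\Backup
rem ASSUMED: the operating system partition is C:
set OSVOL=C:\

rem Date-stamped filename. %DATE% is locale dependent, so any slashes
rem are turned into dashes to keep the name valid; spaces are quoted.
set STAMP=%DATE:/=-%
set BKFILE=%BKDIR%\dc-%COMPUTERNAME%-%STAMP%.bkf
set LOG=%BKDIR%\nightly-backup.log

if not exist "%BKDIR%" mkdir "%BKDIR%"
echo %DATE% %TIME% starting backup to "%BKFILE%" >> "%LOG%"

rem Ntbackup is a Windows program, so cmd.exe would continue without
rem waiting unless START /WAIT is used.  /M normal = full backup,
rem /V:yes verifies the data after writing, /L:s writes a summary log.
start "" /wait ntbackup backup systemstate %OSVOL% /J "Nightly DC backup" /M normal /F "%BKFILE%" /V:yes /L:s

rem Ntbackup's exit code is not a reliable success signal, so the
rem presence of the output file is checked instead.
if not exist "%BKFILE%" goto failed
echo %DATE% %TIME% backup file written >> "%LOG%"

rem Step three: move the file offsite.  Replace the placeholder below
rem with the command for your offsite tool (the FAQ mentions ADSM and NSR).
rem ASSUMED placeholder:  copy "%BKFILE%" \\offsite-server\backups\
goto end

:failed
echo %DATE% %TIME% ERROR: backup file was not created >> "%LOG%"
endlocal
exit /b 1

:end
endlocal
exit /b 0
```

    Schedule it with the Task Scheduler under an account that holds the Backup Operators right, and review the log file after the first few runs: a missing .bkf file is the only error this script can detect, so the Ntbackup summary log (the /L:s switch) is where to look for skipped files or verification failures.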


  5. How should I partition my Domain Controllers?

    The disk partitioning scheme that we recommend is consistent with our backup strategy and Microsoft's recommendations about where to place the Active Directory volumes. In the diagram to the right there are three partitions: BOOT, OS, and AD.

    BOOT is a FAT partition and is initially used to store the Ghost image that is created in the first step of our backup strategy. BOOT should also be used to store the backup file created in the second step of the backup strategy. OS contains the operating system and any programs, and AD contains the Active Directory volumes. For performance reasons, Microsoft recommends that the AD volumes be located on a different physical drive than the operating system.

    If your department can afford to equip your domain controllers with RAID hardware, please do so. Mirroring or RAID5 will protect your AD databases from hard disk failure and could save you from the anguish of having to re-build your servers.


  6. How can I add an NT 4.0 Workstation to my Windows 2000 Domain?

    Some of our child domain administrators have encountered problems when trying to add NT 4.0 Workstations to their new Windows 2000 domain. Through trial and error, hair-loss, and reading the resource kit manuals, the following solution was discovered.

    There is a tool on the Windows 2000 Server CD named netdom.exe. Netdom can be used, among other things, to reset the secure channel between members of a domain and to join a workstation or member server to a domain. The following paragraph is taken from Chapter 10, page 557 of the Distributed Systems Guide in the Windows 2000 Resource Kit:

    To join a workstation or member server to a domain, you can use the Netdom tool. For example, to join a workstation called Work1 to the reskit.com domain in the my-computers organizational unit, carry out the following:

    Netdom join work1 /d:reskit.com /OU:OU=my-computers,DC=reskit,DC=com /reboot:20

    In addition to adding the computer account to the domain, the workstation is modified to contain the appropriate shared secret to complete the Join procedure. If the Join procedure can be completed, the /reboot switch causes the computer to be automatically shut down and restarted after giving the user two minutes to save work in progress.

    Running Netdom on the Domain Controller will place the "shared secret" on the workstation, completing the Join.

    Please note: the Resource Kit is incorrect about the location of Netdom. The utility is in Support\Tools\Support.cab on the Windows 2000 Server CD-ROM, not the Resource Kit CD-ROM.

    Much thanks to Ziggy Hill for discovering this solution.
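    The join command quoted above can be wrapped so that the domain password is never stored in a script and so that the secure channel can be checked after the workstation restarts. The batch file below is an added example, not a script from the FAQ, the Resource Kit or the Support Tools; it assumes the Windows 2000 Support Tools version of netdom.exe and its verify command and /UserD and /PasswordD switches, which the page does not show. The domain reskit.com and the OU my-computers are the Resource Kit's sample names quoted in the FAQ and are placeholders here.

```batch
@echo off
rem join-workstation.cmd -- added example, not from the original FAQ.
rem Run on a Domain Controller that has the Support Tools installed.
rem   join-workstation join   WORK1    join WORK1 to the domain
rem   join-workstation verify WORK1    check WORK1's secure channel afterwards
rem ASSUMED: reskit.com and OU=my-computers are the Resource Kit's sample
rem names quoted in the FAQ; replace them with your own domain and OU.
setlocal
set DOMAIN=reskit.com
set OUPATH=OU=my-computers,DC=reskit,DC=com

if "%2"=="" goto usage
if /i "%1"=="join" goto join
if /i "%1"=="verify" goto verify
goto usage

:join
rem /PasswordD:* makes netdom prompt for the domain account's password
rem instead of keeping it in the script; /reboot:20 is the Resource Kit's
rem example switch quoted in the FAQ.
netdom join %2 /d:%DOMAIN% /OU:%OUPATH% /UserD:%DOMAIN%\%USERNAME% /PasswordD:* /reboot:20
if errorlevel 1 (
    echo Join of %2 failed.
    goto fail
)
echo Join of %2 submitted; run "%0 verify %2" once it has restarted.
goto end

:verify
rem Confirms that the shared secret placed on the workstation by the join
rem still matches what the domain holds for its computer account.
netdom verify %2 /d:%DOMAIN%
if errorlevel 1 (
    echo Secure channel check for %2 failed.
    goto fail
)
goto end

:usage
echo Usage: %0 join^|verify computername
:fail
endlocal
exit /b 1

:end
endlocal
exit /b 0
```

    The verify step is the one to keep handy: if a workstation later complains that its trust relationship with the domain has failed, the same check tells you whether the shared secret is the problem before you resort to rejoining it.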


  7. How do I get a Hokies account?

    Faculty and staff currently affiliated with Virginia Tech may create a Hokies ID by using the My Security tab of the Hokies Self-Service web site. Use your Virginia Tech PID and password when logging on for the first time.


  8. What is the Recovery Console? How do I install it and why?

    When considering which file system to install Windows 2000 onto, the decision is fairly obvious: NTFS is far superior to the myriad incarnations of FAT in almost every respect, especially in terms of security. In fact, NTFS is so secure that if someone had physical access to a computer running Windows 2000 and booted from a DOS floppy, hoping to use DOS commands to damage or compromise your OS, they would be thwarted by their inability to read or write to the NTFS partition. However, this also creates a catch-22 for system administrators who need to troubleshoot problems on the NTFS partition that are preventing the graphical interface from loading. In Windows 2000, Microsoft's solution to this quandary is the Recovery Console. [continued]