These pages provide information for Oxford University IT Support Staff on installing
and running Active Directory within University departments and colleges.
Active Directory is a large subject area and many publications and courses already
exist, so these web pages are not intended to duplicate this information. Rather
they concentrate on details that are specific to the Oxford University environment,
providing a checklist of key tasks for IT officers installing or running Active
Directory, and listing pointers to useful tools, utilities and sources of support.
In particular these pages include information on naming domains, and configuring DNS
to support Active Directory within the University environment.
We recommend that everyone running Active Directory, including experienced Active
Directory administrators who are new to the Oxford environment, read at least the
pages on How to configure DNS for Active Directory within the
Oxford University Environment.
The devolved nature of IT provision within Oxford University means that there is
no single central directory service for managing desktops. Instead departments
and colleges run their own according to their requirements. Departments and
Colleges running Active Directory generally install and run their own
self-contained, single-domain Active Directory forest.
It is not compulsory to run one Active Directory forest per department, and there
are some instances where several departments share a common Active Directory
infrastructure. Although less common, this configuration is equally valid.
Active Directory relies heavily on DNS and various problems can arise from an
incorrectly configured DNS. The DNS configuration for Active Directory is
slightly unusual, so refer to the How to configure DNS for
Active Directory within the Oxford University Environment pages for
If you're familiar with the ways in which DNS is configured for Active Directory
within the University you can skip directly to the recommended configuration: Configuring DNS to
Support Active Directory using an Existing DNS Name (Option 1).
It is also possible to configure DNS slightly differently, to use a different
domain name to the usual DNS domain name in use. This is documented in the Alternative configuration: Configuring DNS to
support Active Directory using a Private Internal Name (Option 2).
NB these pages were revised in August 2008. If you are using the DNS
configuration detailed in the previous version, you need the recommended
configuration (Option 1).
3. Checklist for Planning, Installing and Configuring Active Directory
This section provides a summary of the steps that are usually needed when
planning, installing and configuring an Active Directory domain or forest,
including recommendations for the Oxford environment. It covers common tasks,
but is not an exhaustive list as details will depend on local environments and
- Plan and configure your namespace and DNS
- As described above, this is vital as incorrect configuration can lead to a
variety of problems. More detailed information is provided on naming and DNS configuration. Consider including DNS
checks as part of a regular maintenance plan. Changing domain names is not
something to be undertaken lightly, so it's worth planning naming carefully.
Note that in Windows 2008 Server, IPv6 is enabled by default; if you're not
using it, you may decide to disable it until it's needed (see Microsoft's
IPv6 for Microsoft Windows: Frequently Asked Questions).
- Domain Controllers
- Aiming for a minimum of two, possibly three domain controllers reduces the
probability of ever needing to restore the Active Directory database from
backup. For more flexibility, consider putting other services (e.g. file
sharing) onto member servers, and use your domain controllers only for
authentication and name resolution services such as DNS, WINS etc. This
makes them much easier to move, upgrade etc.
- NetBIOS Names
- If you are using the central WINS servers, plan the NetBIOS names of your
servers and domains (the first part of the DNS name, up to the first ".") to
minimise the risk of name clashes. See The Central
Windows Internet Name Service (WINS) for further information. If
you use internal WINS servers (or don't use any) then you only need to make
sure you use unique names within your college or department.
- If you are adding a new type of domain controller into an existing domain
(e.g. a 2008 domain controller into a domain of 2003 R2 servers), you
normally need to prepare the forest and/or domain before you add or upgrade
the first server running the new operating system. This is done using the
adprep.exe command on the install media of the new operating system. Among
other things it upgrades the schema to the required level; schema changes
replicate to every domain controller in the forest and cannot be rolled
back, so take a system state backup first and run adprep as a member of
Schema Admins and Enterprise Admins (/forestprep) or Domain Admins
(/domainprep). See for example the Microsoft Adprep page on preparing to add
a server running 2008 to a 2000 or 2003 domain or forest, and their other
Adprep page for adding 2003 to a 2000 domain. Note that to add a 2003 R2
server to a 2003 or 2000 domain, you need to use the version of adprep.exe on
the second CD, and that all of this only applies to domain controllers, not
member servers.
- Under 2003 (or 2000), use dcpromo to install Active Directory. It's a more
flexible method than one of the wizards, particularly if you need to change
the NetBIOS name of a domain. Under 2008 the wizard is more flexible and
should allow you to select the Advanced mode near the start of the process.
- Restore Mode Password
- During the installation of Active Directory you will be prompted for the
Directory Services Restore Mode (DSRM) password. Keep this safe: although it
is rarely used, you will need it for certain maintenance and restore
operations, such as booting a domain controller into Directory Services
Restore Mode to restore the directory database. It is effectively the local
administrator password of the domain controller while the directory is
offline, so store it as you would any other privileged credential, and record
which password belongs to which domain controller, since it is set per
server.
- If you have more than one domain controller, check replication each time
you add or remove a domain controller (for example with repadmin, see Tools
and Utilities). Consider checking periodically for errors as part of a
maintenance plan.
- Configure time
- Configure the PDC emulator for the forest root to synchronise with an
external time source. This may be your college/departmental ntp servers, if
you have them, or else the OUCS
stratum 3 ntp servers. Remember to change this if you move the
PDC emulator role. Everything time-related should follow automatically. See
Configure the Windows Time service on the PDC emulator for more
information and instructions.
- Running your Active Directory infrastructure within a virtual environment
can work, but there are some watch points. Avoid the use of REDO and
snapshots for your domain controllers: reverting a domain controller to an
earlier state rolls back its copy of the directory without its replication
partners noticing, which leaves the domain inconsistent. Also take care with
time synchronisation. There are various different schemes in use, but the
common principle is not to synchronise to multiple sources on the same
machine (e.g. don't use both VMware host synchronisation and Active
Directory's normal mechanisms). Also watch out for time problems when you
boot up a virtual server that has been down for some time. See for example
Virtualizing a Windows Active Directory Domain Infrastructure for this and
other information. NB for time synchronisation instructions, see the links
in the previous point above.
- Global Catalog
- In a single-domain environment, consider making all your domain
controllers into global catalog servers. In multi-domain environments, plan
the placement of global catalog servers together with the location of your
operations master role-holders. See Planning Global Catalog Server Placement and Designate a domain controller to be a global catalog server.
- Operations Master Roles
- These are installed by default onto the first domain controller in a
domain or forest. It's important to know where they are as some operations
may fail if the relevant operations master is unavailable. In more complex
environments, particularly multi-domain forests, you may need to move some
of them. See Operations master roles.
- Install Additional Tools and Utilities
- Some useful tools are not installed by default under Windows 2000 and
2003. Install the Support Tools package on all domain controllers (from the
support folder on the 2003 or 2000 Server CD, or download the latest version
from Microsoft). Under Windows 2008 many of these tools are included as part
of the operating system. Also install the Group Policy Management Console on
any systems that you use to manage group policy; it is more sophisticated
than the built-in tools. It needs at least Windows 2003 or XP, and is
included with 2008 by default.
- Backup and Restore
- Configure backup for Active Directory as well as your file stores just in
case: a system state backup of a domain controller includes the directory
database and SYSVOL. If you use Group Policy, consider backing up the Group
Policy Objects periodically as well, for example using the Group Policy
Management Console (see Tools and Utilities), so that a broken policy can be
rolled back without a full restore.
- Functional Level
- To enable additional features, raise the functional level of your domain
and forest as high as possible. Raising a level is a one-way operation, so
check first that no domain controllers running an older operating system
remain or will need to be added. See Raising domain and forest functional
levels and What Are Active Directory Functional Levels?
- Assess security. For example, consider applying a password policy using
Group Policy, increasing the size of all the event logs, configuring
security (audit) logging, and keeping an eye on the event logs. Consider
enabling some security logging on clients as well, as this isn't enabled by
default; Group Policy can make this easier. If you decide to apply more
security settings, test them thoroughly on a small group of machines before
letting them into the wild. For example Microsoft's Windows 2003 Security
Guide contains various predefined group policy templates, but they benefit
from some understanding before being implemented or they can have unexpected
consequences.
- Certificate Services
- Implementing a PKI is a major topic in its own right and again benefits
from reading around before installing. The JANET certificate service can
also be used to secure certain services such as IIS web sites. Further
information on setting up your own certificate server as part of an Active
Directory installation is available on the Designing a Public Key
Infrastructure pages.
- Domain controllers by default use dynamic RPC port allocation for
replication and for some client traffic, so take care if you have firewalls
between your domain controllers, on your domain controllers, or between
domain controllers and domain members: a fixed list of ports is not enough
unless you also restrict the RPC port range. It is possible to firewall a
domain controller using the built-in firewall, but it's not straightforward
prior to Windows 2008 Server. On Windows 2008 Server the firewall is enabled;
it is also configured automatically as required when you add roles.
- Maintenance Plan
- Consider developing and using a maintenance plan. A minimum might be to
check event logs daily to weekly, paying particular attention to the
additional logs available on domain controllers. The Directory Service log
will tell you about directory replication, the File Replication Service log
will tell you about file (SYSVOL) replication, and the DNS Server log will
tell you about the health of your DNS service.
- Health Check
- Consider developing a more thorough health check procedure using the
available Tools and Utilities. Consider running through it, or appropriate
parts of it, after any major changes such as adding and removing domain
controllers, renumbering a subnet, etc., or just periodically (e.g. every
6-12 months).
- Development and Testing
- Consider using a copy of your preferred virtualisation software to set up
a test domain where you can try out changes in a development environment. It
may be worth purchasing a subscription to Microsoft Technet (email the Shop
for details).
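The checks the list above asks for (DNS, operations master placement, global catalog status, replication, time and the domain controller event logs) gathered into one script. This is an added example and not part of the original page or of any Microsoft tool. It assumes a single-domain forest, an elevated PowerShell prompt on a domain controller, and that repadmin, dcdiag, nslookup and w32tm are available (built into Windows Server 2008; repadmin and dcdiag come from the Support Tools on 2003, and w32tm /query needs 2008). Domain names are read from the live directory, so nothing needs editing.

```powershell
# Added example (not from the original page): a basic Active Directory health
# check for a single-domain forest. Run elevated on a domain controller.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext          # e.g. DC=example,DC=ox,DC=ac,DC=uk
$configDn = [string]$rootDse.configurationNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext
$dnsName  = ($domainDn -replace ',?DC=', '.').TrimStart('.')   # e.g. example.ox.ac.uk

# 1. DNS: the SRV records clients use to locate domain controllers, Kerberos and
#    the global catalog. Missing records are the classic symptom of mis-configured DNS.
foreach ($srv in "_ldap._tcp.dc._msdcs.$dnsName",
                 "_kerberos._tcp.dc._msdcs.$dnsName",
                 "_ldap._tcp.gc._msdcs.$dnsName") {
    $answers = @(& nslookup -type=SRV $srv 2>&1 | Select-String 'svr hostname')
    if ($answers.Count -eq 0) { Write-Warning "no SRV record for $srv" }
    else { "$srv -> " + (($answers | ForEach-Object { ($_.Line -split '=')[1].Trim() }) -join ', ') }
}

# 2. Operations master (FSMO) role holders. fSMORoleOwner holds the DN of the
#    holder's NTDS Settings object: CN=NTDS Settings,CN=<DC>,CN=Servers,...
function Get-RoleHolder([string]$objectDn) {
    $owner = [string]([ADSI]"LDAP://$objectDn").fSMORoleOwner
    return (($owner -split ',')[1] -replace '^CN=', '')
}
$roles = @{
    'Schema master'         = Get-RoleHolder $schemaDn
    'Domain naming master'  = Get-RoleHolder "CN=Partitions,$configDn"
    'PDC emulator'          = Get-RoleHolder $domainDn
    'RID master'            = Get-RoleHolder "CN=RID Manager`$,CN=System,$domainDn"
    'Infrastructure master' = Get-RoleHolder "CN=Infrastructure,$domainDn"
}
$roles.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-22} {1}' -f $_.Name, $_.Value }

# 3. Global catalog: bit 1 of the 'options' attribute on each NTDS Settings object.
#    In a single-domain forest every DC should be a GC, as the checklist recommends.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$configDn")
$searcher.Filter = '(objectClass=nTDSDSA)'
foreach ($result in $searcher.FindAll()) {
    $dc = ([string]$result.Properties['distinguishedname'][0] -split ',')[1] -replace '^CN=', ''
    $options = 0
    if ($result.Properties['options'].Count -gt 0) { $options = [int]$result.Properties['options'][0] }
    if ($options -band 1) { "$dc is a global catalog server" } else { Write-Warning "$dc is not a global catalog server" }
}

# 4. Replication and the standard domain controller tests.
& repadmin /replsummary
& dcdiag /q              # quiet: prints failures only, so no output is good news

# 5. Time. The PDC emulator should chain to an external NTP source and every other
#    DC follow the domain hierarchy; 'Local CMOS Clock' or 'Free-running System
#    Clock' means nothing is keeping this machine's clock honest.
$source = (& w32tm /query /source) -join ''
if ($source -match 'CMOS|Free-running') { Write-Warning "time source is '$source'" } else { "Time source: $source" }

# 6. Recent warnings and errors in the logs the maintenance plan names.
foreach ($log in 'Directory Service', 'File Replication Service', 'DNS Server') {
    $events = @(Get-EventLog -LogName $log -Newest 500 -ErrorAction SilentlyContinue |
                Where-Object { $_.EntryType -ne 'Information' })
    '{0}: {1} warnings/errors among the last 500 events' -f $log, $events.Count
    $events | Select-Object TimeGenerated, EntryType, Source, EventID -First 5 | Format-Table -AutoSize
}
```

Run it after any change to the domain controllers and keep the output with the maintenance records; the warnings it raises (a missing SRV record, a DC that is not a global catalog, a PDC emulator on the local clock) are exactly the conditions the checklist items above are there to prevent.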
4. Tools and Utilities
Many tools are available to help monitor and troubleshoot Active Directory
installations. Some of these tools are included as part of the Support Tools
package which is available from the 2003 Server CD, or can be downloaded from
(2003 SP2 version). The Support Tools are particularly useful and are worth
installing as standard. On Windows 2008 separate Support Tools are no longer
available; many have been incorporated into the standard 2008 installation.
Check the Command Reference Overview in the Help and Support system to find
out which, as some tools haven't been included.
This list is intended as a starting point to provide brief details of tools that
between them will provide a reasonable view of the health of Active Directory
(plus a couple of utilities for managing accounts.) It is not intended as a
definitive list as there are many other useful tools available.
- ntdsutil.exe
- Use for command-line maintenance of your Active Directory database.
Installed by default on domain controllers and menu driven. Although many of
its functions are also available via the GUI, it's worth becoming familiar
with this tool as sometimes nothing else will do. For example, it's needed
for cleaning up the metadata left behind if a domain controller isn't
demoted cleanly, and for seizing operations master roles from a domain
controller that has been lost.
- dcdiag.exe
- Command-line tool to perform various domain controller tests to help
confirm health and diagnose problems. Part of the Support Tools suite
(2000/2003) or included by default in Windows 2008.
- netdiag.exe
- For network-related tests and troubleshooting. Part of the Support Tools
suite (2000/2003) or included by default in Windows 2008.
- repadmin.exe and replmon.exe
- Command-line tool to monitor and troubleshoot replication issues
(repadmin.exe) and a GUI version that provides much of the same
functionality (replmon.exe). Part of the Support Tools suite (2000/2003) or
included by default in Windows 2008 (replmon is no longer provided).
- ntfrsutl.exe
- Accesses information on the ntfrs service including subscription
information etc. Part of the Support Tools suite (2000/2003) or included by
default in Windows 2008.
- Ultrasound
- A graphical tool to monitor the status of the File Replication Service.
Look for it on the Microsoft Download Center.
- ADSI Edit
- Low level editor for Active Directory. Installed as part of the Support
Tools for Windows Server 2000 and 2003, and installed by default when you
install Active Directory on Windows Server 2008.
- Group Policy Management Console (GPMC)
- It's been around for a while but you need to download it separately on
2003 (it's included in 2008). An improvement on the built-in group policy
editor, you need at least 2003 server or XP SP1 to run it. Download it from
- dsadd, dsget, dsmod, dsmove, dsquery, dsrm
- Built-in command-line tools included with 2003 and 2008, use /? after the
command for syntax.
- csvde, ldifde
- Built-in command-line tools included with 2000 and above, csvde is
particularly useful for dumping the contents of Active Directory into a csv
file, or creating new objects from a similar file. Again, use /? after the
command for help.
- ADModify.NET
- Created to make it easier to do bulk operations on Active Directory
objects, such as modifications, imports and exports. Requires the .NET
Framework (version 2, probably). Its home has moved around; currently
download it from http://ADModify.NET and check the Microsoft Exchange Team
Blog for an introduction.
- redirusr.exe and redircmp.exe
- Built-in command-line tools included with Windows 2003 and above. Change
the default containers for new user and computer objects respectively.
- Account lockout and Management Tools
- Microsoft have provided a number of tools in their Account lockout and
Management Tools package, to help in these areas, along with a
script to turn on Kerberos logging. They also provide some information on
the Account Management Tools.
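The metadata cleanup that the ntdsutil entry above says "nothing else will do" for, written out as an added example; it is not part of the original page or of Microsoft's documentation. The names are assumptions: the lost domain controller is DC2 in the site Default-First-Site-Name of the domain example.ox.ac.uk. It is run elevated on a surviving domain controller and needs the ntdsutil from Windows Server 2003 SP1 or later (or 2008), which accepts the server DN directly; earlier versions need the interactive "select operation target" steps in Microsoft's article. PowerShell 2.0 is assumed for try/catch.

```powershell
# Added example (not from the original page): cleaning up after a domain controller
# that died or could not be demoted cleanly. Assumed names throughout.
# Metadata cleanup is destructive and cannot be undone.

$domainDn = 'DC=example,DC=ox,DC=ac,DC=uk'
$dnsName  = 'example.ox.ac.uk'
$lostDc   = 'DC2'
$serverDn = "CN=$lostDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,$domainDn"

# 1. Refuse to proceed if the DC still answers LDAP: a DC whose metadata has been
#    removed while it was merely switched off will never replicate again.
$alive = $true
try   { $null = ([ADSI]"LDAP://$lostDc.$dnsName/RootDSE").Get('dnsHostName') }
catch { $alive = $false }
if ($alive) { throw "$lostDc is still answering; demote it with dcpromo instead." }

# 2. Record the operations master role holders first. If the lost DC held any,
#    the cleanup moves them and you need to know where they went (and to re-point
#    time synchronisation if it was the PDC emulator).
& netdom query fsmo

# 3. Remove the NTDS Settings object and the references to it.
& ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 4. What cleanup does not do for you: the computer account and the DNS records
#    still advertising the dead server have to be removed by hand.
& repadmin /showrepl                  # the lost DC should no longer appear as a partner
$stale = @(& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$dnsName" 2>&1 | Select-String $lostDc)
if ($stale.Count) { Write-Warning "DNS still advertises $lostDc; delete its SRV and A records" }
& dsquery computer -name $lostDc      # if still listed, delete it (dsrm or the GUI)
& netdom query fsmo                   # confirm where any moved roles ended up
```

Run the replication check from the checklist afterwards; the commonest follow-on problem is a replication partner that still holds a connection object pointing at the removed server.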
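The dsquery/dsget, csvde/ldifde and redirusr/redircmp tools listed above, used together for the kind of account assessment the checklist's "Assess security" item asks for. This is an added example, not code from the original page or from Microsoft; the domain name and the OU names are assumptions. Run it elevated on a domain controller (or any machine with the administration tools) as a member of Domain Admins or an equivalently delegated account. dsquery -inactive and redirusr/redircmp need Windows Server 2003 domain functional level.

```powershell
# Added example (not from the original page): routine account hygiene with the
# built-in command-line tools. Domain and OU names are assumed.

$domainDn = 'DC=example,DC=ox,DC=ac,DC=uk'

# 1. Stale and risky accounts. -inactive counts weeks, -stalepwd counts days;
#    -limit 0 lifts the default cap of 100 results.
'Users inactive for 12 weeks:'
& dsquery user $domainDn -inactive 12 -limit 0
'Users whose password has not changed for 180 days:'
& dsquery user $domainDn -stalepwd 180 -limit 0
'Enabled users whose password never expires (dsget columns: samid pwdneverexpires disabled):'
& dsquery user $domainDn -limit 0 | & dsget user -samid -pwdneverexpires -disabled |
    Where-Object { $_ -match '\byes\s+no\s*$' }

# 2. Snapshot of every user account to a dated CSV. Keep it with the backups and
#    treat it as sensitive: it lists all accounts and their userAccountControl flags.
$csv = 'users-{0}.csv' -f (Get-Date -Format yyyyMMdd)
& csvde -f $csv -d $domainDn -r '(&(objectCategory=person)(objectClass=user))' `
        -l 'sAMAccountName,displayName,mail,userAccountControl,whenCreated'

# 3. Bulk creation with ldifde from a constructed LDIF file. The account is created
#    disabled (userAccountControl 514 = NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2) so it
#    cannot be used until a password has been set and it is enabled on purpose.
$ldif = @"
dn: CN=Test User,OU=Staff,$domainDn
changetype: add
objectClass: user
sAMAccountName: testuser
userPrincipalName: testuser@example.ox.ac.uk
displayName: Test User
userAccountControl: 514
"@
Set-Content -Path newusers.ldf -Value $ldif -Encoding ASCII
& ldifde -i -f newusers.ldf -k        # -k: continue past 'already exists' errors

# 4. New objects land in the Users and Computers containers by default, which
#    OU-linked Group Policy cannot reach. Redirect them to OUs that carry your policies.
& redirusr "OU=Staff,$domainDn"
& redircmp "OU=Workstations,$domainDn"
```

The queries in step 1 are the ones worth scheduling: an account that has not logged on for months, or whose password never changes, is the usual foothold for anyone who has obtained a stale credential, and none of the three tools needs anything beyond a standard domain controller installation.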
5. Further Information, Support and Training
For the most part support will be from the ITSS community or from
knowledgebases, forums etc. A list of starting points is given below. The
Computing Services will focus particularly on assisting with DNS related issues.
- itss-discuss mailing list
- A message to this mailing list will often provide some useful help
- ITSS Wiki
- Members of the Oxford University IT Support Staff community can contribute
to the ITSS Wiki. Various Windows and Active Directory information is
included here, such as setting up a trust from Active Directory to the
central Kerberos servers, or installing an external certificate for IIS.
- Support from OUCS
- If you need advice on DNS-related issues, email email@example.com.
- Microsoft Support Site
- Provides an interface for
searching the knowledgebase.
- Microsoft Technet
- Includes the Technet
Website aimed at IT professionals. The bulk of the server
documentation lives here. Also includes Technet Plus, a subscription service which gives you full
versions of many of the operating systems and common server products without
time limits, as well as access to forums, some free support calls etc. It
should be available at a discount; email the Shop
to request details of how to purchase.
- MSDN (Microsoft Developer Network)
- Aimed at developers, it also operates the MSDN website, and similarly has
various Subscription services available offering access to various
resources. Again, email the Shop to request
details of how to purchase at a discount.
- Training Courses
- From time to time ITS3 organise on-site training
courses on Active Directory and on Windows Server.
- Microsoft Events
- Microsoft also organise various UK-based events, some
of which are free of charge. Some of these run in Reading and are fairly
easy to get to (train plus shuttle bus). Their main events page also
includes on-line events such as webcasts.
6. Active Directory Concepts
If you are new to Active Directory, it may be difficult to know how to get
started. If you've picked it up as you go along, you may want to identify the
gaps in your knowledge. This section provides a checklist of the key areas that
you will need to understand and some pointers to finding more information. It
isn't absolutely exhaustive, but aims to include most major areas.
If you're after a more formal approach, ITS3 sometimes
organise on-site Active Directory Design and Implementation courses and Windows
- Domain Name System
- A basic understanding of how DNS works is essential, as well as the way
computers use it to locate Active Directory services. You will need to know
how to configure, monitor and maintain DNS servers that support your chosen
Active Directory namespace. See the How to configure DNS
for Active Directory within the Oxford University Environment
page for more information.
- NetBIOS Naming
- Technically it's on the way out; in reality switching it off may be
problematic, particularly if you're reliant on browsing for resources.
Understanding the essentials is useful, together with the role of WINS
servers. If you use the central WINS service, be aware that names must be
unique within the whole of the University. See The Central Windows Internet
Name Service (WINS) web pages for
- Operations Master Roles, or Flexible Single Master Operations (FSMO)
- Not all domain controllers are considered equal. One or more will hold the
five operations master roles (two per forest and three per domain, so more
than five in a multi-domain forest). Microsoft provide a useful summary in
their Operations master roles document. Make sure you understand the main
functions of the roles, which servers hold them, which ones should not hold
them in a multi-domain forest, which ones you can least live without for any
length of time, how to move them and what to do if you lose a server that
holds one or more of them.
- Global Catalog
- A domain controller that is a global catalog server contains partial
information on all objects in an Active Directory installation. It can play
a major role in the logging-in process, particularly in a multi-domain
environment. Knowing how to assign this role to a server is essential, and
some understanding of the part it plays useful. See for example Microsoft's
document on The role of the global catalog.
- Backing Up and Restoring Active Directory
- Ideally you want to avoid ever needing to restore your Active Directory
database from backup, by running at least 2 or 3 domain controllers. Cost
may be an issue, but for small to medium sized units, if you limit the
additional services that they run to name resolution services (e.g. DNS and
WINS, if used), they may not all need to be of particularly high
specification. Limiting the services running on domain controllers also
makes them easier to replace if they fail. If you ever need to restore all
or part of your Active Directory, it will help to understand the difference
between authoritative and non-authoritative restore modes. Also make sure
you know the Directory Services Restore Mode passwords set when you
installed Active Directory onto your domain controllers. See Microsoft's
Introduction to Administering Active Directory Backup and
Restore for more information.
- Organisational Units
- Useful for organising your user and computer accounts, and particularly to
group accounts for applying Group Policy. For many units, the design of your
organisational units will depend primarily on which policies you want to
apply to which groups of computers and users.
- Group Policy
- Powerful tool for enforcing your chosen configuration for users and
workstations. Anything and everything (well, almost) ranging from what
appears on the Start menu, which software people can run, the startup mode
for services, security and audit settings, logon/logoff scripts, through to
software installation and much more. Extensible via templates, group policy
can also be used to manage some of the main Microsoft programs such as
Office. It's helpful to understand concepts such as inheritance, blocking
inheritance, enforcing links, where group policy settings are stored, how
they are applied, backing up and restoring etc. One place to start is
Microsoft's Group Policy Home Page.
- Domain and Forest Functional Levels
- These depend on the operating systems running on domain controllers in
your Active Directory, i.e. whether NT, 2000, 2003, 2008. Different features
become available when you raise the functional level, and it's useful to
know how to do so. There's normally little reason not to raise the level as
high as you can. See Raising domain and forest functional levels and What Are Active Directory Functional Levels?
- Time Synchronisation
- Synchronised time is vital to certain types of authentication (Kerberos)
and it's useful to know how time is synchronised automatically through
domains and forests. The role of the PDC emulator(s) is pivotal. Take extra
care if running virtualised Windows servers. See How Windows Time Service Works particularly the Windows Time Service Processes and Interactions section. See
also Configure the Windows Time service on the PDC emulator for
- Replication
- The replication topology and operation are usually quite straightforward
in the single-domain environment that is most common in the University. Even
so, it is vital that replication works smoothly, and the commonest source of
problems is DNS configuration. More complex environments such as multiple
domains and/or multiple sites warrant more attention. See Replication overview and How Replication Works.
- Authentication
- Particularly important if you're planning on enhancing security, or
linking to the central Kerberos infrastructure. See the Authentication protocols overview and Introduction to authentication for some introductory
information, and Logon and Authentication Technologies for a more detailed
When Microsoft first introduced Active Directory, various interested departments
and colleges within the University considered some of the implications, in
particular its close integration with DNS services, and how best to implement
the Active Directory within the complex University structure. The links below
document the meetings in 2000 at which decisions were reached regarding
integration of Active Directory with the existing DNS.
7.1. Minutes and Papers
Minutes of the first Windows 2000 Active Directory Meeting
- Minutes of the meeting held on Wednesday 26 April 2000 to discuss
implementation of Windows 2000 Active Directory in Oxford
of the Network Advisory Group Meeting of 9 May 2000
- At the NAG meeting on 9 May 2000, the full minutes of the meeting of
26 April 2000 (see above) were tabled, together with a summary
highlighting the preferred model for implementing Active Directory as
decided at the 26 April meeting.
Windows 2000 Active Directory in the
University of Oxford
- Background paper following on from the meeting of 26 April outlining
possible models for implementing Active Directory in Oxford, together
with their advantages and disadvantages, and including the implications
for the DNS.
Second Windows 2000 Active Directory Meeting
- Brief notes regarding the second meeting held on Tuesday 13 June