1
Managing Data in Active Directory
Robbie Allen, Senior Systems Architect, Cisco Systems
2
Setting the Stage
  • A directory is only as useful as the data
    contained within it
  • Data must be
    • Interesting
    • Accurate
    • Timely
    • Usable
  • To ensure these criteria are met, you need some
    guidelines around data management
  • Effort spent now on defining policies,
    procedures and processes will reduce painful
    cleanup efforts later (remember NT 4.0?)
  • Much easier to implement policies now rather than
    later

3
Developing a Data Management Policy
  • Any special requirements for what can go in?
  • Where will the data be stored?
  • How will the data be added, updated and removed?
    • Manually is not a good answer
    • Require an upstream managed data source if
      possible
  • Must have processes in place to remove stale data
  • Should be able to restore from a certain point

4
Structuring Data
  • Organizational Units
    • Keep it simple!
    • Good reasons for creating an OU
      • Delegate administration
      • Apply group policy
      • Simple classification, structuring or hiding
    • Bad reasons for creating an OU
      • Granular classification
      • It will be needed "at some point"

5
Structuring Data (cont'd)
  • New feature with Windows Server 2003:
    Application Partitions
    • Good reasons for creating an App Partition
      • Data does not need to be replicated everywhere
      • Application creates a lot of short-lived objects
      • Reduce multi-domain data distribution
        complexities
    • Bad reason for creating an App Partition
      • As a replacement for OUs
    • Some limitations with App Partitions
      • Objects stored in App Partitions are not
        replicated to the GC
      • Cannot create security principals in App
        Partitions

6
Managing Data
  • Three basic options
    • MS MMCs and CLIs
      • Pros: already installed, free (kinda), good for
        doing something quick
      • Cons: hard to customize significantly,
        distributed client
    • Third party tools
      • Pros: feature rich, somewhat customizable
      • Cons: no silver bullets, long turnaround on
        enhancements, hard to integrate into existing
        management apps
    • Home grown tools
      • Pros: build exactly what you want, integrate into
        existing framework
      • Cons: requires programming expertise, longer time
        to market
  • Most companies use a combination of all three
  • MMS 2003 is another option
  • Integration is the challenge
  • Logging/auditing actions is important

7
Tracking Ownership
  • Options for tracking ownership
    • managedBy attribute
    • ACE
    • Misc attribute (e.g. description)
  • Critical objects to track ownership
    • Admin Accounts
    • Application and Service Accounts
    • Groups
    • Computers
    • Application data
  • Issues with ownership
    • What happens when an owner leaves or is
      terminated?
    • What happens when an owner moves to a different
      group?
    • It may be necessary to send out periodic notices
      to determine if an owner is still the owner
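The ownership questions on this slide (owner left, owner terminated, owner no longer resolvable) can be answered from the managedBy attribute. The following script is an added example, not part of the original deck; it assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to read the domain, and the status labels are made up for the report.

```powershell
# Added example (not from the original deck): audit group ownership recorded in managedBy.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-GroupOwnershipReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties managedBy, member, whenChanged |
        ForEach-Object {
            $group  = $_
            $status = 'OK'
            $owner  = $null
            if (-not $group.managedBy) {
                $status = 'NoOwner'
            } else {
                try {
                    $owner = Get-ADObject -Identity $group.managedBy `
                        -Properties sAMAccountName, userAccountControl -ErrorAction Stop
                    # ACCOUNTDISABLE is bit 0x2 of userAccountControl; only user objects carry it.
                    if ($owner.ObjectClass -eq 'user' -and ($owner.userAccountControl -band 0x2)) {
                        $status = 'OwnerDisabled'   # owner left or was terminated
                    }
                } catch {
                    $status = 'OwnerMissing'        # managedBy points at a DN that no longer exists
                }
            }
            if ($status -eq 'OK' -and $group.member.Count -eq 0) {
                $status = 'EmptyGroup'              # nobody in it; candidate for removal
            }
            [pscustomobject]@{
                Group       = $group.Name
                Owner       = if ($owner) { $owner.sAMAccountName } else { $group.managedBy }
                Status      = $status
                LastChanged = $group.whenChanged
            }
        }
}

# Everything that is not 'OK' needs an owner decision; this list is what the
# periodic "are you still the owner?" notices would be built from.
Get-GroupOwnershipReport | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, Group | Format-Table -AutoSize
```

The report deliberately distinguishes a disabled owner from a deleted one: a disabled account can still be asked who the successor is, while a dangling DN means the group has had no reachable owner since the object was removed.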

8
Limiting Data Proliferation
  • Check your ACLs and administrative group
    memberships regularly
  • Remove inactive/unused objects
  • New features with Windows Server 2003
    • Quotas
      • Can set a default quota for all users
      • Does not apply to administrators
      • Tombstones count, but that's configurable
    • Dynamic Objects
      • Can be refreshed by setting the entryTTL
        attribute
      • No tombstones are left behind
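The two Windows Server 2003 features on this slide, directory quotas and dynamic objects, are driven by a handful of attributes. The script below is an added example, not code from the deck; it assumes the ActiveDirectory module, the dsadd.exe and ldifde.exe command-line tools, domain admin rights, and that the container, account and object names in the usage lines are placeholders.

```powershell
# Added example (not from the original deck): directory quotas and dynamic objects.
# Assumes the ActiveDirectory module, dsadd.exe, ldifde.exe and domain admin rights.
Import-Module ActiveDirectory
$domainDN       = (Get-ADDomain).DistinguishedName
$quotaContainer = "CN=NTDS Quotas,$domainDN"

function Set-DirectoryQuotaDefaults {
    param([int]$DefaultQuota = 100, [int]$TombstoneFactor = 50)   # sample values, tune to policy
    # msDS-DefaultQuota: objects any non-admin principal may own in this partition (-1 = unlimited).
    # msDS-TombstoneQuotaFactor: percentage a tombstone counts against the quota
    # ("tombstones count, but that's configurable"; 100 = counts fully).
    Set-ADObject -Identity $quotaContainer -Replace @{
        'msDS-DefaultQuota'         = $DefaultQuota
        'msDS-TombstoneQuotaFactor' = $TombstoneFactor
    }
}

function New-DirectoryQuota {
    # Per-principal quota, e.g. for a provisioning service account that creates many objects.
    # $Account is the principal in a form dsadd quota accepts (DN or DOMAIN\name).
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][int]$Limit)
    dsadd quota -part $domainDN -acct $Account -qlimit $Limit
}

function Get-DirectoryQuotaReport {
    # Explicit quota specifications plus the DC's own "top consumers" view.
    Get-ADObject -SearchBase $quotaContainer -Filter "objectClass -eq 'msDS-QuotaControl'" `
        -Properties 'msDS-QuotaTrustee', 'msDS-QuotaAmount' |
        Select-Object Name, 'msDS-QuotaTrustee', 'msDS-QuotaAmount'
    (Get-ADObject -Identity $quotaContainer -Properties 'msDS-TopQuotaUsage').'msDS-TopQuotaUsage'
}

function New-DynamicObject {
    # Creates an object the DC deletes by itself once entryTTL (seconds) reaches zero,
    # leaving no tombstone. dynamicObject is an auxiliary class, so it is added alongside a
    # structural class (contact here) through LDIF. Values below the forest minimum TTL
    # (DynamicObjectMinTTL, default 900 s) are raised to that minimum by the DC.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$ParentDN,
          [int]$TtlSeconds = 3600)
    $ldif = @"
dn: CN=$Name,$ParentDN
changetype: add
objectClass: contact
objectClass: dynamicObject
entryTTL: $TtlSeconds
"@
    $file = Join-Path $env:TEMP "$Name.ldf"
    Set-Content -Path $file -Value $ldif -Encoding ASCII
    ldifde -i -f $file
    Remove-Item $file
}

function Update-DynamicObjectTtl {
    # "Refreshing" a dynamic object is simply writing entryTTL again before it expires.
    param([Parameter(Mandatory)][string]$DN, [int]$TtlSeconds = 3600)
    Set-ADObject -Identity $DN -Replace @{ entryTTL = $TtlSeconds }
}

# Usage with placeholder names:
# Set-DirectoryQuotaDefaults -DefaultQuota 100 -TombstoneFactor 50
# New-DirectoryQuota -Account 'EXAMPLE\svc-provision' -Limit 5000
# New-DynamicObject -Name 'session-42' -ParentDN "OU=Sessions,$domainDN" -TtlSeconds 3600
# Update-DynamicObjectTtl -DN "CN=session-42,OU=Sessions,$domainDN"
# Get-DirectoryQuotaReport
```

Quotas are enforced per partition, so a quota specification in the domain's NTDS Quotas container does not cover an application partition; each partition has its own container. Members of Domain Admins and Enterprise Admins are exempt, which is the "does not apply to administrators" caveat on the slide.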

9
Finding and Removing Inactive Objects
  • Inactive Unused Stale
  • Users and Computers
    • pwdLastSet and lastLogon (ugh)
  • Groups
    • Query managedBy or look for empty groups
  • Printers
    • Printer Pruner
  • Other objects?
  • New features with Windows Server 2003
    • lastLogonTimeStamp attribute
      • Approximate last logon
      • Replicated!
    • dsquery.exe
      • dsquery user/computer -inactive <NumWeeks>
      • dsquery user/computer -stalepwd <NumDays>
    • Dynamic Objects
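The "(ugh)" after lastLogon is the crux of this slide: lastLogon is not replicated, so the only accurate value is the newest one found on every DC, whereas lastLogonTimeStamp replicates but is only written when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so it is accurate to within about two weeks. The script below is an added example, not from the deck; it assumes the ActiveDirectory module, read access to all DCs, and uses the same week/day units as the dsquery switches above.

```powershell
# Added example (not from the original deck): find inactive users and computers.
# Assumes the ActiveDirectory module and read access to every DC in the domain.
Import-Module ActiveDirectory

function Get-InactiveAccountReport {
    param(
        [int]$InactiveWeeks = 12,      # same unit as dsquery -inactive
        [int]$StalePasswordDays = 90,  # same unit as dsquery -stalepwd
        [switch]$ExactLastLogon        # query every DC for the unreplicated lastLogon
    )
    $now         = Get-Date
    $logonCutoff = $now.AddDays(-7 * $InactiveWeeks)
    $pwdCutoff   = $now.AddDays(-$StalePasswordDays)
    $dcs = if ($ExactLastLogon) { (Get-ADDomainController -Filter *).HostName } else { @() }

    $props    = 'lastLogonTimestamp', 'pwdLastSet', 'whenCreated', 'Enabled'
    $accounts = @(Get-ADUser -Filter * -Properties $props) +
                @(Get-ADComputer -Filter * -Properties $props)

    foreach ($acct in $accounts) {
        # Both attributes are 64-bit FILETIME values; 0 means "never".
        $lastLogon = if ($acct.lastLogonTimestamp) { [DateTime]::FromFileTime($acct.lastLogonTimestamp) } else { $null }
        $pwdSet    = if ($acct.pwdLastSet)         { [DateTime]::FromFileTime($acct.pwdLastSet) }         else { $null }

        if ($ExactLastLogon) {
            # lastLogon is per-DC; the true value is the newest across all DCs.
            foreach ($dc in $dcs) {
                $raw = (Get-ADObject -Identity $acct.DistinguishedName -Server $dc -Properties lastLogon).lastLogon
                if ($raw) {
                    $t = [DateTime]::FromFileTime($raw)
                    if (-not $lastLogon -or $t -gt $lastLogon) { $lastLogon = $t }
                }
            }
        }

        # An account that never logged on counts as inactive only once it is older than the
        # window, so freshly provisioned accounts are not flagged.
        $effectiveLogon = if ($lastLogon) { $lastLogon } else { $acct.whenCreated }
        $inactive = $effectiveLogon -lt $logonCutoff
        $stalePwd = (-not $pwdSet) -or ($pwdSet -lt $pwdCutoff)

        if ($inactive -or $stalePwd) {
            [pscustomobject]@{
                Name          = $acct.SamAccountName
                Class         = $acct.ObjectClass
                Enabled       = $acct.Enabled
                LastLogon     = $lastLogon
                PasswordSet   = $pwdSet
                Inactive      = $inactive
                StalePassword = $stalePwd
            }
        }
    }
}

Get-InactiveAccountReport -InactiveWeeks 12 -StalePasswordDays 90 |
    Sort-Object LastLogon | Format-Table -AutoSize
```

Run without -ExactLastLogon for the cheap, replicated approximation and with it before actually disabling or deleting anything; the per-DC pass is one LDAP read per account per DC, which is why the approximate attribute was worth adding in Windows Server 2003.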

10
Dealing with Data Problems
  • Conflict objects
    • Object with the same name was created on two
      different DCs
    • Second one created wins
    • First one (older) gets renamed to
      <Name>\0CNF<GUID>
    • Event Id 12292 is logged
    • MS KB 297083, 218614
  • Orphaned objects
    • Object was created after its parent was deleted
      (somewhere else)
    • Stored in LostAndFound container
    • Good to check periodically
  • Lingering objects
    • Deleted objects that are reintroduced due to a DC
      being offline for longer than the tombstone
      interval
    • Strict vs Loose Consistency
    • MS KB 314282, 316829, 317097
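All three problem classes on this slide can be checked for on a schedule. The script below is an added example and not part of the deck; it assumes the ActiveDirectory module, read access to the domain, to each DC's Directory Service event log and to its registry, and it uses the full rename form the DC actually applies, `<name>\0ACNF:<objectGUID>` (a line feed followed by "CNF:"), in its LDAP filter.

```powershell
# Added example (not from the original deck): locate conflict, orphaned and lingering-object
# symptoms. Assumes the ActiveDirectory module and read access to the DCs.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

function Get-ConflictObjects {
    # The losing object is renamed to <name>\0ACNF:<objectGUID>; \0A is the LDAP-filter
    # escape for the line-feed byte the DC inserts before "CNF:".
    Get-ADObject -LDAPFilter '(name=*\0ACNF:*)' -SearchBase $domainDN -Properties whenChanged |
        Select-Object Name, ObjectClass, DistinguishedName, whenChanged
}

function Get-ConflictEvents {
    # Event 12292 in the Directory Service log records each conflict rename on that DC.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Directory Service'; Id = 12292; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

function Get-OrphanedObjects {
    # Children whose parent was deleted elsewhere land in LostAndFound; lastKnownParent
    # records where they used to live.
    Get-ADObject -SearchBase "CN=LostAndFound,$domainDN" -SearchScope OneLevel -Filter * `
        -Properties whenChanged, lastKnownParent |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged
}

function Get-ReplicationConsistencyMode {
    # Strict consistency (value 1) makes a DC refuse inbound updates to lingering objects
    # instead of reanimating them; loose (0 or absent) lets them back in.
    param([string[]]$DomainController = (Get-ADDomainController -Filter *).HostName)
    foreach ($dc in $DomainController) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -ErrorAction SilentlyContinue).'Strict Replication Consistency'
        }
        [pscustomobject]@{ DC = $dc; Mode = if ($value -eq 1) { 'Strict' } else { 'Loose' } }
    }
}

Get-ConflictObjects
Get-ConflictEvents
Get-OrphanedObjects
Get-ReplicationConsistencyMode
```

A DC reporting Loose is the one that can silently reintroduce deleted objects from a partner that was offline past the tombstone lifetime, so the consistency report is the first thing to look at when a removed account or group reappears.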

11
Regaining Space in NTDS.DIT
  • Online defrag process
    • Runs twice a day
    • Combines whitespace, but file size stays the same
    • Event Ids 700 and 701 logged
  • Offline defrag process
    • Be sure you have a good backup
    • Reboot in DS Restore Mode
    • Run ntdsutil files compact to c:\temp
    • Copy current ntds.dit to c:\temp\ntds_orig.dit
    • Copy c:\temp\ntds.dit over current ntds.dit
    • Delete .log files
    • Restart into normal mode
  • Good to do after W2K3 upgrade
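The offline steps above, written out as one script. This is an added example and not the deck's own procedure text; it assumes the Windows Server 2008 or later ntdsutil syntax (where "activate instance ntds" is required; on Windows Server 2003 that command is simply omitted), that the DC is already in Directory Services Restore Mode or has the NTDS service stopped, and that the backup the slide asks for has already been taken and verified.

```powershell
# Added example (not from the original deck): the offline defrag sequence as a script.
# Assumes ntdsutil on Windows Server 2008+ and that AD DS is not running (DSRM or NTDS stopped).
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = (Get-ItemProperty $ntdsParams).'DSA Database file'         # usually C:\Windows\NTDS\ntds.dit
$logPath = (Get-ItemProperty $ntdsParams).'Database log files path'   # usually C:\Windows\NTDS
$work    = 'C:\temp'

function Invoke-OfflineDefrag {
    if ((Get-Service NTDS -ErrorAction SilentlyContinue).Status -eq 'Running') {
        throw 'NTDS is still running; boot into DS Restore Mode (or stop the NTDS service) first.'
    }
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $compacted = Join-Path $work 'ntds.dit'
    $original  = Join-Path $work 'ntds_orig.dit'
    $before    = (Get-Item $dbPath).Length

    # 1. Write a compacted copy into the work directory.
    & ntdsutil 'activate instance ntds' files "compact to $work" quit quit
    if (-not (Test-Path $compacted)) { throw 'ntdsutil did not produce a compacted database.' }

    # 2. Keep the current database, then swap the compacted one in.
    Copy-Item $dbPath $original
    Copy-Item $compacted $dbPath -Force

    # 3. The old transaction logs no longer match the new file; remove them.
    Remove-Item (Join-Path $logPath '*.log')

    # 4. Verify the swapped-in file before restarting into normal mode.
    & ntdsutil 'activate instance ntds' files integrity quit quit

    [pscustomobject]@{
        BytesBefore = $before
        BytesAfter  = (Get-Item $dbPath).Length
        Backup      = $original
    }
}

Invoke-OfflineDefrag
```

The size delta it returns is the only direct evidence the offline pass was worth the downtime; the online pass (events 700/701) never changes the file size, which is why the slide separates the two.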

12
Other Maintenance Activities
  • Tracking Schema Changes
    • Need a schema extension process
    • LDIF files, SchemaDoc
  • Site Topology
    • Are you missing subnets?
    • Event Id 5778
  • Scavenging Old DNS Records
  • Keeping track of GPOs
    • GPMC recently released!
  • Distributed Link Tracking Objects
    • Getting rid of DLT objects (MS KB 312403, 315229)
    • Changes with Windows Server 2003
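"Are you missing subnets?" can be answered from the NO_CLIENT_SITE entries Netlogon writes to netlogon.log when a client's address matches no site subnet, the same condition event 5778 reports. The script below is an added example, not from the deck; the sample log lines are constructed, the line layout "NO_CLIENT_SITE: <host> <ip>" is an assumption about the log format, the /24 grouping is a heuristic, and Get-ADReplicationSubnet needs the Windows Server 2012 or later ActiveDirectory module.

```powershell
# Added example (not from the original deck): propose missing site subnets from netlogon.log.
# The log format and the /24 grouping are assumptions; the sample lines are constructed.

function Get-NoClientSiteSummary {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$PrefixLength = 24   # candidates are proposed as /24s (assumption)
    )
    $hits = foreach ($line in $LogLines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d{1,3}(\.\d{1,3}){3})') {
            [pscustomobject]@{ Host = $Matches['host']; IP = $Matches['ip'] }
        }
    }
    $hits | Group-Object -Property { ($_.IP -split '\.')[0..2] -join '.' } | ForEach-Object {
        [pscustomobject]@{
            CandidateSubnet = "$($_.Name).0/$PrefixLength"
            Clients         = ($_.Group.Host | Sort-Object -Unique) -join ', '
            Hits            = $_.Count
        }
    }
}

function Get-MissingSubnets {
    # Drop candidates that already exist as subnet objects in the Configuration partition.
    param([Parameter(Mandatory)][object[]]$Candidates)
    $defined = (Get-ADReplicationSubnet -Filter *).Name
    $Candidates | Where-Object { $defined -notcontains $_.CandidateSubnet }
}

# Constructed sample of netlogon.log lines (layout assumed, see above).
$sample = @(
    '03/14 09:12:33 [MISC] [1180] EXAMPLE: NO_CLIENT_SITE: WKS-017 10.20.30.41',
    '03/14 09:12:35 [MISC] [1180] EXAMPLE: NO_CLIENT_SITE: WKS-018 10.20.30.42',
    '03/14 09:13:02 [MISC] [1180] EXAMPLE: NO_CLIENT_SITE: LAB-VM-3 172.16.9.7',
    '03/14 09:13:10 [MISC] [1180] EXAMPLE: NetpDcGetName: EXAMPLE using cached information'
)
$candidates = Get-NoClientSiteSummary -LogLines $sample
$candidates | Format-Table -AutoSize
# Two candidates come out of the sample: 10.20.30.0/24 (WKS-017, WKS-018) and 172.16.9.0/24 (LAB-VM-3).

# Live use on a DC: read the real log and keep only candidates not yet defined.
# Get-MissingSubnets -Candidates (Get-NoClientSiteSummary -LogLines (Get-Content "$env:SystemRoot\debug\netlogon.log"))
```

Treat the candidates as a worklist for the network team rather than something to create blindly: a /24 guess may be wider or narrower than the real VLAN, and the site a subnet belongs to is a design decision the log cannot make.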

13
New books from O'Reilly
  • Active Directory, 2nd Edition
    • Available now!
    • An update of Alistair's best selling Windows
      2000 Active Directory book
    • Covers Windows Server 2003 Active Directory, WMI,
      System.DirectoryServices and much more
  • Active Directory Cookbook
    • Available this Summer/Fall
    • Follows the O'Reilly Cookbook format
    • Over 400 AD tasks covered
  • DNS on Windows Server 2003
    • Available this Fall
    • An update of Cricket and Matt's highly successful
      DNS on Windows 2000 book
    • Covers new Windows Server 2003 features plus new
      chapters on Active Directory, WMI and dnscmd.exe

14
Questions?