©1997-2012, Active Network, Inc. All Rights Reserved.
Step-by-Step Guide to Managing Active Directory
Introduction
This guide introduces you to administration of the
Windows® 2000 Active Directory™ service and the
Active Directory Users and Computers snap-in. This snap-in allows you
to add, move, delete, and alter the properties for objects such as
users, contacts, groups, servers, printers, and shared folders.
Prerequisites
This Software Installation and Maintenance document
is based on Step-by-Step
Guide to a Common Infrastructure for Windows 2000 Server Deployment
Parts 1 and 2.
Before beginning this guide, please build the common
infrastructure, which specifies a particular hardware and software
configuration. If you are not using the common infrastructure, you need
to make the appropriate changes to this instruction set.
You can run the Administrative Tools from the server,
or you can run the tools from a computer running Windows 2000
Professional. The Administrative Tools are installed by default on all
Windows 2000 domain controllers.
You must be logged on as a user with administrative
privileges to run through the procedures in this document.
If you are working on a domain controller, the Active
Directory Schema snap-in might not be installed. To install it:
- Click Start, point to Settings, click
Control Panel, and then click Change or Remove Programs.
- When prompted, reinstall all the Administrative
Tools.
On Windows 2000-based stand-alone servers or
workstations, Active Directory Administrative Tools are optional. You
can install them from Add/Remove Programs in Control Panel,
using the Windows Components wizard, or from the ADMINPAK on the
Windows 2000 Server or Professional CD.
In this Step-by-Step Guide:
Common Administrative Tasks
- Creating Organizational Units
- Creating Users and Contacts
- Creating Groups and adding members to Groups
Advanced Administrative Tasks
- Publishing shared network resources, such as shared folders and printers
- Moving Users, Groups, and Organizational Units
- Using Filters and Searches to retrieve objects
Using
Active Directory Domains and Trusts Snap-in
The Active Directory Domains and Trusts snap-in provides a graphical
view of all domain trees in the forest. Using this tool, an
administrator can manage each of the domains in the forest, manage
trust relationships between domains, configure the mode of operation
for each domain (native or mixed mode), and configure the alternative
User Principal Name (UPN) suffixes for the forest.
Starting the Active Directory Domains and Trusts Snap-in
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts. The Active Directory Domains and Trusts snap-in appears as in Figure 1 below.
Figure 1. Active Directory Domains and Trusts snap-in
The User Principal Name (UPN) provides an
easy-to-use naming style for users to log on to Active Directory. The
style of the UPN is based on Internet standard RFC 822, which is
sometimes referred to as a mail address. The default UPN suffix
is the forest DNS name, which is the DNS name of the first domain in
the first tree of the forest. In this and the other step-by-step
guides on this site, the default UPN suffix is reskit.com.
You can add alternate User Principal Name suffixes,
which increase logon security. And you can simplify user logon names
by providing a single UPN suffix for all users. The UPN suffix is only
used within the Windows 2000 domain and is not required to be a valid
DNS domain name.
Select Active Directory Domains and Trusts in
the upper left pane, right-click it, and then click Properties.
Enter any preferred alternate UPN suffixes in the
Alternate UPN Suffixes box and click Add.
Click OK to close the window.
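The same suffix registration done from the command line, as an added example that is not part of the original guide. It uses the ActiveDirectory PowerShell module (not available on Windows 2000 itself; it assumes a later management host joined to the reskit.com forest), the suffix corp.reskit.test and the account jsmith are constructed values, and the final query is the check an administrator would run afterwards: it lists users whose UPN suffix is neither a domain name in the forest nor a registered alternate suffix, which the snap-in does not show you.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module
# and the reskit.com forest from the guide; the suffix and user name are constructed.
Import-Module ActiveDirectory

$NewSuffix = 'corp.reskit.test'   # constructed alternate suffix for this example

# Register the alternate suffix at forest level (the Alternate UPN Suffixes box in the GUI).
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $NewSuffix }

# Confirm the forest now lists it.
(Get-ADForest).UPNSuffixes

# Assign it to a user. A UPN suffix must be a domain in the forest or a registered alternate.
Set-ADUser -Identity jsmith -UserPrincipalName "jsmith@$NewSuffix"

# Check: report users whose UPN suffix is not an allowed value. Such accounts cannot log on
# with their UPN and usually indicate a suffix that was removed after users were assigned to it.
$Forest  = Get-ADForest
$Allowed = @($Forest.Domains) + @($Forest.UPNSuffixes) | ForEach-Object { $_.ToLowerInvariant() }

Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
    Where-Object {
        $suffix = ($_.userPrincipalName -split '@')[-1].ToLowerInvariant()
        $suffix -notin $Allowed
    } |
    Select-Object SamAccountName, userPrincipalName
```

The allowed list is built from every domain name in the forest rather than only the root, because users in a child domain legitimately carry that child's DNS name as their suffix.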
Changing the Domain Mode
Windows 2000 domains operate in one of two modes:
- Mixed Mode. Allows domain controllers
running both Windows 2000 and earlier versions of Windows NT® Server
to co-exist in the domain. In mixed mode, the domain features from
previous versions of Windows NT Server are still enabled, while some
Windows 2000 features are disabled.
- Native Mode. Requires all the domain
controllers in a domain to run Windows 2000 Server. In native mode,
you can take advantages of new features such as Universal groups,
nested group membership, and inter-domain user move. (A Universal
group is a collection of user accounts that can contain members from
any Active Directory domain in the forest, and permissions can be
assigned to a universal group to resources on any member computer in
the forest. Universal groups are available only in native mode.)
When a domain is first installed, it is in mixed
mode. The mode of operation can be changed from mixed mode to native,
but this is not reversible. In native mode, Windows NT 4.0 Domain
Controllers cannot participate in the domain.
You can change to native mode after making sure all
domain controllers in your domain are running Windows 2000 Server.
To switch to native mode
- Right-click the domain object (in our example, reskit.com),
and then click Properties.
- Click Change Mode.
- You receive a message requiring confirmation. Click
Yes to continue. Click OK to proceed, or No to
stop this action. If you plan to add Windows NT 4.0 domain
controllers to your configuration, do not proceed.
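Because the switch cannot be undone, the check worth running first is whether any Windows NT 4.0 domain controller still exists. Below is an added example (not part of the original guide) that reads the current mode and enumerates domain-controller accounts. It assumes the ActiveDirectory PowerShell module on a later management host and the reskit.com domain from the guide. The query deliberately uses the SERVER_TRUST_ACCOUNT bit of userAccountControl rather than Get-ADDomainController, because an NT 4.0 BDC has a computer account with that flag but no NTDS settings object and would otherwise be missed.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module
# and the reskit.com domain described in the guide.
Import-Module ActiveDirectory

$Domain = Get-ADDomain -Identity reskit.com

# nTMixedDomain on the domain head is 1 in mixed mode and 0 in native mode.
$Head = Get-ADObject -Identity $Domain.DistinguishedName -Properties nTMixedDomain
'Current mode: ' + $(if ($Head.nTMixedDomain -eq 1) { 'mixed' } else { 'native' })

# Every domain-controller account, NT 4.0 BDCs included: SERVER_TRUST_ACCOUNT = 0x2000 (8192).
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule. Query the PDC emulator,
# which in mixed mode is the only DC that NT 4.0 BDCs replicate from.
$DCs = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
         -Properties operatingSystem, operatingSystemVersion -Server $Domain.PDCEmulator

$DCs | Select-Object Name, operatingSystem, operatingSystemVersion | Format-Table -AutoSize

$Legacy = @($DCs | Where-Object { $_.operatingSystem -like 'Windows NT*' })

if ($Legacy.Count -gt 0) {
    Write-Warning ('Do not switch to native mode: {0} Windows NT domain controller(s) remain: {1}' -f `
        $Legacy.Count, ($Legacy.Name -join ', '))
} else {
    'All domain controllers run Windows 2000 or later; Change Mode in the Domains and Trusts snap-in is safe.'
}
```

The irreversible step itself is still taken in the snap-in as the procedure above describes; the script only establishes that the precondition holds.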
Using the Active Directory Users and Computers Snap-in
- To start the Active Directory Users and Computers
snap-in, click Start, point to Programs, point to Administrative
Tools, and then click Active Directory Users and Computers.
- Expand Reskit.com by clicking +.
Figure 2 below displays the key components of the Active
Directory Users and Computers snap-in.
Figure 2. The Active Directory Users and Computers
Snap-In
Recognizing Active Directory Objects
The objects described in the following table are
created during the installation of Active Directory.
Folder | Description
--- | ---
Domain | The root node of the snap-in represents the domain being administered.
Computers | Contains all Windows NT® and Windows 2000-based computers that join a domain. This includes computers running Windows NT versions 3.51 and 4.0, as well as those running Windows 2000. If you upgrade from a previous version, Active Directory migrates the machine account to this folder. You can move these objects.
System | Contains Active Directory systems and services information.
Users | Contains all the users in the domain. In an upgrade, all users from the previous domain will be migrated. Like computers, the user objects can be moved.
You can use Active Directory to create the following
objects.
Object | Description
--- | ---
User | A user object is an object that is a security principal in the directory. A user can log on to the network with these credentials, and access permissions can be granted to users.
Contact | A contact object is an account that does not have any security permissions. You cannot log on to the network as a contact. Contacts are typically used to represent external users for the purpose of e-mail.
Computer | An object that represents a computer on the network. For Windows NT-based workstations and servers, this is the machine account.
Organizational Unit | Organizational units are used as containers to logically organize directory objects such as users, groups, and computers, in much the same way that folders are used to organize files on your hard disk.
Group | Groups can have users, computers, and other groups as members. Groups simplify the management of large numbers of objects.
Shared Folder | A shared folder is a network share that has been published in the directory.
Shared Printer | A shared printer is a network printer that has been published in the directory.
Adding an Organizational Unit
This procedure creates an organizational unit (OU) in
the Reskit domain. Note that you can create nested
organizational units and there is no limit to the nesting levels.
These steps follow the Active Directory structure
begun in the Common Infrastructure Part One Step-by-Step Guide. If you
did not create that structure, add the OUs and users directly under
Reskit.com; that is, where Accounts is referred to below,
substitute Reskit.com.
- Click the + next to Accounts to
expand it.
- Right-click Accounts.
- Point to New and click Organizational
Unit. Type Construction as the name of your new
organizational unit. Click OK.
For the rest of the exercises in this guide, repeat
steps 1 and 2 above to create additional organizational units, as
follows:
- Organizational unit Engineering under Reskit.com.
- Organizational unit Manufacturing under Reskit.com.
- Organizational unit Consumer under the Manufacturing organizational unit. (To do this, right-click Manufacturing, point to New, and then click Organizational Unit.)
- Organizational units Corporate and Government under the Manufacturing organizational unit. Click Manufacturing so that its contents will display in the right pane.
When you are finished, you should have the following
hierarchy as in Figure 3 below:
Figure 3: New OUs
Creating a User Account
The following procedure creates the user account James
Smith in the Construction OU.
To create a new user account
- Right-click the Construction organizational
unit, point to New, and then click User, or click New
User on the snap-in toolbar.
- Type user information as in Figure 4 below:
Figure 4: New User dialog
Note that the Full name is automatically filled in after you enter
the First and Last names. Click Next to proceed.
- Type a password in both the Password and Confirm
password boxes and click Next.
- Accept the confirmation in the next dialog box by
clicking Finish.
You have now created an account for James Smith in
the Construction OU. To add additional information about this user:
- Select Construction in the left
pane, right-click James Smith in the right pane, and then
click Properties.
- Add more information about the user in the Properties dialog box on the General tab as shown in Figure 5 below, and click OK. You are provided with this selection of optional entries. Click each tab you want to go to.
Figure 5: Additional User Information
Moving a User Account
Users can be moved from one organizational unit to
another in the same domain or a different domain. For example, in this
procedure, James Smith moves from the Construction division to the
Engineering division.
- Click the James Smith user account in the
right pane, right-click it, and click Move.
- Click the + next to Accounts to
expand it as in Figure 6 below.
Figure 6: List of available OUs
- Click the Engineering OU, and click OK.
If you upgrade from an earlier version of Windows NT
Server, you might want to move existing users from the Users folder
to some of the OUs that you create.
Creating a Group
- Right-click the Engineering OU, click New, and then
click Group.
- In the Name of New Group text box, type: Tools
- Select the appropriate Group type and Group scope
and then click OK.
- The Group type indicates whether the group
can be used to assign permissions to other network resources, such as
files and printers. Both security and distribution groups can be used
for e-mail distribution lists.
- The Group scope determines the visibility of
the group and what type of objects can be contained within the group.
Scope | Visibility | May contain
--- | --- | ---
Domain Local | Domain | Users, Domain Local, Global, or Universal groups
Global | Forest | Users or Global groups
Universal | Forest | Users, Global, or Universal groups
Adding a User to a Group
- Click Engineering in the left pane.
- Right-click the Tools group in the right
pane, and click Properties.
- Click the Members Tab and click Add.
- Scroll to James Smith, select his name,
click Add, then click OK as in Figure 7 below.
Figure 7: Add James Smith to the Tools Group
Note: You can select multiple users or
groups in this dialog by pressing the CTRL key as you click
them. You can also type the name directly. If the name is ambiguous, a
further list is displayed to confirm your selection.
Alternatively, you can select the users from the
results pane, right click then click Add members to a Group. Or
you can click Add the selected objects to a group you specify on
the snap-in toolbar. This may be more efficient for adding large
numbers of members to a group.
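The OU, user, move, group and membership procedures above are steps of one task, so here they are carried out together as an added example that is not part of the original guide. It assumes the ActiveDirectory PowerShell module on a later management host, the Accounts OU from the Common Infrastructure guide, and the constructed logon name jsmith; the password is prompted for rather than written into the script.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module,
# the reskit.com domain and its Accounts OU; the logon name jsmith is constructed.
Import-Module ActiveDirectory

$DomainDN   = (Get-ADDomain -Identity reskit.com).DistinguishedName   # DC=reskit,DC=com
$AccountsDN = "OU=Accounts,$DomainDN"

# 1. Organizational units. New-ADOrganizationalUnit marks each OU as protected from
#    accidental deletion by default, which the snap-in of this era did not do.
New-ADOrganizationalUnit -Name Construction  -Path $AccountsDN
New-ADOrganizationalUnit -Name Engineering   -Path $DomainDN
New-ADOrganizationalUnit -Name Manufacturing -Path $DomainDN
foreach ($child in 'Consumer', 'Corporate', 'Government') {
    New-ADOrganizationalUnit -Name $child -Path "OU=Manufacturing,$DomainDN"
}

# 2. The user James Smith in Construction. The password is taken as a SecureString and
#    must be changed at first logon, so the initial value never becomes the long-term one.
$Password = Read-Host -Prompt 'Initial password for jsmith' -AsSecureString
$User = New-ADUser -Name 'James Smith' -GivenName James -Surname Smith `
            -SamAccountName jsmith -UserPrincipalName 'jsmith@reskit.com' `
            -Path "OU=Construction,$AccountsDN" -AccountPassword $Password `
            -ChangePasswordAtLogon $true -Enabled $true -PassThru

# 3. Move the user from Construction to Engineering (right-click > Move in the snap-in).
Move-ADObject -Identity $User.DistinguishedName -TargetPath "OU=Engineering,$DomainDN"

# 4. The security group Tools. Global scope: visible across the forest, may contain users
#    and Global groups from its own domain (see the scope table above).
New-ADGroup -Name Tools -GroupScope Global -GroupCategory Security -Path "OU=Engineering,$DomainDN"

# 5. Add the member and verify the membership as the Members tab would show it.
Add-ADGroupMember -Identity Tools -Members jsmith
Get-ADGroupMember -Identity Tools | Select-Object Name, objectClass, distinguishedName
```

Group category and scope are set explicitly at creation because changing a Global group to another scope later is restricted once it has members of the wrong kind.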
Publishing a Shared Folder
Any shared network folder, including a Distributed
File System (Dfs) folder, can be published in Active Directory.
Creating a Shared folder object in the directory does not automatically
share the folder. This is a two-step process: you must first share the
folder, and then publish it in Active Directory.
- Use Windows Explorer to create a new folder
called Engineering Specs on one of your disk volumes.
- In Windows Explorer, right-click the folder
name, and then click Properties. Click Sharing, and
then click Share this folder.
- In the New Object—Shared Folder dialog
box, type ES in the Share name box and click OK.
By default, Everyone has permissions to this shared folder. If you
want, you can change the default by clicking the Permissions button.
- Populate the folder with files, such as documents,
spreadsheets, or presentations.
To publish the shared folder in the directory
- In the Active Directory Users and Computers
snap-in, right-click the Engineering OU, point to New, and
click Shared Folder.
- In the Name box, type Engineering Specs.
- In the Network Path name box, type
\\hq-res-dc-01.reskit.com\ES and click OK.
The Engineering organizational unit appears as
shown in Figure 8 below:
Figure 8: Engineering OU contents
Users can now see this volume while browsing in the
directory.
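The two-step share-then-publish process above, as an added example that is not part of the original guide. It assumes a Windows Server management host with the SmbShare and ActiveDirectory PowerShell modules (neither exists on Windows 2000), the local folder C:\EngineeringSpecs and the NetBIOS domain name RESKIT are constructed, and the server name hq-res-dc-01.reskit.com is the one the guide uses. Where the guide notes that Everyone gets permissions on the share by default, this version names the Tools group and Domain Admins instead, and the last two commands are the checks that confirm what was published and who can reach it.

```powershell
# Added example, not from the original guide. Assumes the SmbShare and ActiveDirectory
# modules; the local path and the RESKIT NetBIOS name are constructed.
Import-Module ActiveDirectory
Import-Module SmbShare

$Path   = 'C:\EngineeringSpecs'            # constructed local folder
$Share  = 'ES'
$Server = 'hq-res-dc-01.reskit.com'
$OU     = 'OU=Engineering,DC=reskit,DC=com'

# Step 1: share the folder. Granting access to named groups instead of Everyone
# keeps the share ACL tied to the people who need the specifications.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
New-SmbShare -Name $Share -Path $Path -ReadAccess 'RESKIT\Tools' -FullAccess 'RESKIT\Domain Admins' | Out-Null

# Step 2: publish it. A published share is a "volume" object whose uNCName holds the network path.
New-ADObject -Name 'Engineering Specs' -Type volume -Path $OU `
    -OtherAttributes @{ uNCName = "\\$Server\$Share"; description = 'Engineering specifications' }

# Check: every published share under the OU and where it points.
Get-ADObject -LDAPFilter '(objectClass=volume)' -SearchBase $OU -Properties uNCName |
    Select-Object Name, uNCName

# Check: the share permissions, confirming Everyone is absent.
Get-SmbShareAccess -Name $Share
```

Publishing records only the path; removing the volume object later does not unshare the folder, just as creating it did not share it, so both halves must be cleaned up when the share is retired.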
To browse the directory
- Double-click My Network Places on the
desktop.
- Double-click Entire Network, and then click Entire
contents of the network.
- Double-click the Directory.
- Double-click the domain name, Reskit, and
then double-click Engineering.
- To view the files in the volume, either right-click
the Engineering Specs volume, and click Open, or
double-click Engineering Specs.
Publishing a Printer
This section describes the processes for publishing
printers in a Windows 2000 Active Directory-based network.
Windows 2000 Printers
You can publish a printer shared by a computer
running Windows 2000 by using the Sharing tab of the printer
Properties dialog box. By default, Listed in the directory is
enabled. The directory is the Active Directory data store. (This means
that Windows 2000 Server publishes the shared printer by default.) The
print subsystem will automatically propagate changes made to the
printer attributes (location, description, loaded paper, and so forth)
to the directory.
Note: For this section of this guide, you
must have a printer available and know its IP address. If you do not
have an IP printer, you can still run through these procedures,
substituting the correct port for Standard TCP/IP Port.
To add a new printer
- Click Start, point to Settings, click
Printers, and then double-click Add Printer. The Add
Printer Wizard appears. Click Next.
- Click Local Printer, clear the Automatically
detect and install my Plug and Play printer checkbox, and click Next.
- Click the Create a new port option, then
scroll to Standard TCP/IP Port, and click Next.
- The Add Standard TCP/IP Printer Port Wizard appears.
Click Next.
- On the Add Port page, type the IP address of
the printer in the Printer Name or IP Address box, type the
port name in the Port name box, and click Next. Click Finish.
- Select your printer's manufacturer and model in the
Printers list box, and then click Next.
- In the Printer name text box, type the name
of your printer.
- On the Printer Sharing page, type a name for
the shared printer. Choose a name no more than eight characters long
so computers running earlier versions of the operating system display
it correctly.
- Type in the Location and Comment in
those text boxes.
- Print a test page. Click Finish.
After you create the printer, the printer is
automatically published in Active Directory and the Listed in the
Directory check box is selected.
You might also need to find the server from which a
printer is shared out before adding it to the machine you're working
on.
To locate a printer
- Click Start, point to Settings, and
then click on Printers.
- Double-click the Add Printer icon.
- In the Add Printer Wizard dialog box, click
the Next button.
- Select the Network printer button, and then
click Next.
- Select the Find a printer in the Directory button,
and then click Next.
- The Find Printers dialog box displays. If
you know which domain your printer resides in, click the Browse button
and choose that domain to narrow your search. Then, on the Printer
tab, add the printer Name, Location, or Model to
those text boxes, and click the Find Now button.
Note: If you don't know the name, location,
or model of the printer, you can simply click the Find Now button, and
all the printers in the domain you selected will be listed in the list
box.
Adding Non-Windows 2000 Printers
You can publish printers shared by operating systems
other than Windows 2000 in the directory. The simplest way to do this
is to use the pubprn script. This script will publish all the
shared printers on a given server. It is located in the \winnt\system32
directory.
To publish a printer shared from a non-Windows 2000 server using the pubprn.vbs script
- Click Start, click Run, and type cmd in the text box. Click OK.
- Type cd \winnt\system32 and press Enter.
- Type cscript pubprn.vbs followed by the name of the print server and the LDAP path of the container to publish into, in this example "LDAP://ou=marketing,dc=reskit,dc=com", and press Enter. This publishes the printers to the specified OU.
This script copies only the following subset of the
printer attributes:
- Location
- Model
- Comment
- UNCPath
You can add other attributes by using the Active
Directory Users and Computers snap-in. Note that you can rerun
pubprn and it will update rather than overwrite existing printers.
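The pubprn.vbs invocation above, followed by a check of what it produced, as an added example that is not part of the original guide. It assumes the print server name \\oldprint (constructed), the Marketing OU the guide refers to, and the ActiveDirectory PowerShell module on a later management host for the verification step. Published printers are printQueue objects, and the attributes listed in the guide map onto location, driverName (the model), description (the comment) and uNCName.

```powershell
# Added example, not from the original guide. Assumes pubprn.vbs in System32 and the
# ActiveDirectory module; the print server name is constructed.
$PrintServer = '\\oldprint'                                 # constructed
$TargetOU    = 'LDAP://ou=marketing,dc=reskit,dc=com'

# pubprn.vbs takes the server (or a single \\server\printer path) and the LDAP path of the container.
cscript.exe "$env:SystemRoot\System32\pubprn.vbs" $PrintServer $TargetOU

# Verify: list the printQueue objects now under the OU with the attributes the script sets.
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(objectClass=printQueue)' -SearchBase 'OU=Marketing,DC=reskit,DC=com' `
    -Properties printerName, uNCName, serverName, location, driverName, description |
    Select-Object printerName, uNCName, serverName, location, driverName, description |
    Format-Table -AutoSize

# Re-running the script updates existing entries but never removes one. A queue whose printer
# is gone has to be deleted explicitly, otherwise users keep finding it in the directory:
# Get-ADObject -LDAPFilter '(&(objectClass=printQueue)(uNCName=\\oldprint\retired))' | Remove-ADObject
```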
Alternatively, you can use the Active Directory
Users and Computers snap-in to publish printers on non-Windows 2000
servers.
To use the Active Directory Users and Computers snap-in to publish printers
- Right-click the Marketing organizational
unit, click New, and click Printer.
- The New Object-Printer dialog box pops up.
In the text box, type the path to the printer, such as \\server\share
name. Click OK.
End users can realize the benefit of printers being
published in the directory because they can browse for printers, submit
jobs to those printers, and install the printer drivers directly from
the server.
To browse and use printers in the directory
- On the Desktop, click Start, click Search,
and click For Printers.
- In the Find Printers dialog, select the
subdirectory in which you’d like to search for printers. Then type
information into the Name, Location, or Model text
boxes. Click the Find Now button to get a list of published
printers.
Creating a Computer Object
A computer object can be created automatically when a computer joins a domain. You can also create the computer object before the computer joins a domain.
- Right-click the Engineering organizational
unit, point to New, and then click Computer.
- For the computer name, type Vancouver.
- You can manage this computer in the Active Directory Users and Computers snap-in by right-clicking the computer object, and then clicking Manage.
Optionally, you can select which users are permitted
to join a computer to the domain. This allows the administrator to
create the computer account and someone with lesser permissions to
install the computer and join it to the domain.
Renaming, Moving, and Deleting Objects
- Every object in the directory can be renamed and
deleted, and most objects can be moved to different containers.
- To move an object, right-click the object, and then
click Move.
- Click Browse. The Directory Browser will
appear, enabling you to select the destination container for the
object that you are moving.
Creating Nested Groups
You can use nested groups provided that you are running Active Directory in native mode. Nested groups are easier to manage, and thus reduce administrative overhead.
- Create a new group by right-clicking Engineering,
pointing to New, and then clicking Group. Type All
Engineering and then click OK.
- Right-click the All Engineering Group, and
click Properties.
- Click the Members tab and click Add.
- In the list box, select Tools, click Add,
and then click OK.
- Click Apply, and then click OK.
You've now created a nested group.
To check the nested groups
- Right-click All Engineering, click Properties,
and then click Membership. You will see Press Liaison as a member of
All Engineering.
- Double-click Tools, and then click Membership.
You will see Tools listed as a member of the group All Engineering.
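Nesting Tools inside All Engineering, and then checking who is effectively a member, as an added example that is not part of the original guide. It assumes the ActiveDirectory PowerShell module on a later management host and the Engineering OU and Tools group from the earlier procedures. The Members tab shows only direct members (the group Tools); for reviewing who actually receives a permission granted to All Engineering, the membership has to be expanded through every nested level, which the last two commands do in two different ways.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module and the
# Engineering OU and Tools group created earlier in the guide.
Import-Module ActiveDirectory

$EngOU = 'OU=Engineering,DC=reskit,DC=com'

# Nesting requires native mode (see Changing the Domain Mode above); fail early otherwise.
$DomainHead = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties nTMixedDomain
if ($DomainHead.nTMixedDomain -eq 1) { throw 'Domain is in mixed mode; group nesting is unavailable.' }

New-ADGroup -Name 'All Engineering' -GroupScope Global -GroupCategory Security -Path $EngOU
Add-ADGroupMember -Identity 'All Engineering' -Members Tools

# Direct members: returns the group Tools, not the users inside it.
Get-ADGroupMember -Identity 'All Engineering' | Select-Object Name, objectClass

# Effective members: follows nested groups down to the user objects.
Get-ADGroupMember -Identity 'All Engineering' -Recursive | Select-Object Name, objectClass

# The same expansion as one LDAP query, using the in-chain matching rule
# (1.2.840.113556.1.4.1941), which is what an audit script would run across many groups.
$GroupDN = (Get-ADGroup -Identity 'All Engineering').DistinguishedName
Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$GroupDN)" |
    Select-Object SamAccountName, DistinguishedName
```

James Smith appears in the recursive output and in the LDAP result but not in the direct listing, which is the point to keep in mind when a nested group is granted access to a resource.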
Finding Specific Objects
Rather than browsing the list of objects
in the results pane, it is often more efficient to find specific
objects that meet a certain criteria. In this example you will find all
users who have a surname of "Smith" and are in the Marketing
organizational unit.
- Select the Engineering OU. Right-click Engineering, and then click Find.
- In the Name box, type Smith.
- Click Find Now.
Filtering a List of Objects
Filtering the list of returned objects from the
directory can allow you to manage the directory more efficiently. The
filtering option allows you to restrict the types of objects returned
to the snap-in–for example, you can choose to view only users and
groups, or you may want to create a more complex filter.
If an OU has more than a specified number of objects,
the filter function allows you to restrict the number of objects
displayed in the results pane. You can use the Filter function to
configure this option.
In this example, you create a filter designed to
retrieve users only.
- In the Active Directory Users and Computers snap-in,
click the View menu, click Filter Options.
- Click the radio button for Show only the
following types of objects, and then select Users and Groups.
- Click OK.
After you click OK, whenever you view a
container, it retrieves user and group objects only. For example, if
you now view the Engineering OU, the shared folder Engineering Specs
will no longer be displayed. The description bar above the contents of
the right pane will show that the list is filtered.
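Both the Find and the Filter operations above are LDAP queries underneath, and it helps to see them written out, so here they are as an added example that is not part of the original guide. It assumes the ActiveDirectory PowerShell module on a later management host and the Engineering OU populated by the earlier procedures. The filter for "users and groups" is written carefully: computer accounts are also objectClass=user in the schema, so objectCategory=person is needed to exclude them, exactly the distinction the snap-in's Filter Options make for you.

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module and the
# Engineering OU with the user, group, shared folder and computer created earlier.
Import-Module ActiveDirectory

$EngOU = 'OU=Engineering,DC=reskit,DC=com'

# Find: users whose surname is Smith, searching the selected container and everything below it.
Get-ADUser -SearchBase $EngOU -SearchScope Subtree -LDAPFilter '(sn=Smith)' |
    Select-Object Name, SamAccountName, DistinguishedName

# Filter: only users and groups. objectCategory=person excludes computer objects,
# which also carry objectClass=user.
$UsersAndGroups = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))'
Get-ADObject -SearchBase $EngOU -SearchScope OneLevel -LDAPFilter $UsersAndGroups |
    Select-Object Name, ObjectClass

# For comparison, the unfiltered view of the same container: the volume "Engineering Specs"
# and the computer "Vancouver" appear here but not in the filtered result above.
Get-ADObject -SearchBase $EngOU -SearchScope OneLevel -LDAPFilter '(objectClass=*)' |
    Select-Object Name, ObjectClass
```

SearchScope OneLevel matches what the results pane shows for a single container; use Subtree when the question is "anywhere under this OU".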
Important Notes
The example company, organization, products, people, and events depicted in this step-by-step guide are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.
This common infrastructure is designed for use on a
private network. The fictitious company name and DNS name used in the
common infrastructure are not registered for use on the Internet.
Please do not use this name on a public network or Internet.
The Active Directory structure for this common
infrastructure is designed to show how Windows 2000 features work and
function with the Active Directory. It was not designed as a model for
configuring an Active Directory for any organization—for such
information see the Active Directory documentation.
This feature information was obtained from the Microsoft Windows 2000 website at http://www.microsoft.com/windows2000, is linked from ActiveWin.com for your convenience, and is subject to Microsoft's copyright. For the most accurate information, please visit the official site.