Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


April 2003

Windows Server 2003 Command-Line Utilities

New utilities make scripting easy

You use /domainprep to update AD objects and security (e.g., access control entries—ACEs) for each domain. You must run /domainprep from the console of the infrastructure master DC in every domain. The /domainprep switch is much faster and generates a lot less output than /forestprep. If all goes well, the only feedback you receive is "Adprep successfully updated the domain-wide information."

Adprep is located in the \i386 directory on the Windows 2003 CD-ROM; it isn't installed by default into the %windir% folder as are the other command-line tools in this article. To successfully run Adprep /forestprep you must

  • be logged on to the console of the schema master DC
  • have installed at least Win2K Service Pack 2 (SP2—SP3 is highly recommended) on all your DCs
  • be a member of both the Enterprise Admins and Schema Admins groups

To run Adprep /domainprep, you must

  • be logged on to the domain's infrastructure master DC
  • be a member of the Enterprise Admins or the local Domain Admins group

You can find many more details about the crucial process of preparing your Win2K forest for Windows 2003 in "Preparing for Upgrades in a Domain Containing Windows 2000 Domain Controllers," Section 4.1 in \docs\xxxsrv1.txt (where xxx is the product SKU number) on the Windows 2003 CD-ROM.

You must successfully complete both Adprep procedures before you can begin your DC upgrades. Although you won't run Adprep nearly as much as the other command-line utilities, it's more important than any of them.
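A pre-flight check for the role-holder and group-membership requirements listed above, as an added example that is not from the original article. It assumes PowerShell on a domain-joined console with dsquery and dsget available; the function name and the sample DN are illustrative, and the service-pack requirement is not checked.

```powershell
# Added example: confirm the Adprep prerequisites before running it.
# Test-AdprepReady is a hypothetical helper name.
function Test-AdprepReady {
    param(
        [Parameter(Mandatory)] [ValidateSet('forestprep', 'domainprep')] [string]$Phase,
        [Parameter(Mandatory)] [string]$UserDN   # DN of the account that will run Adprep
    )
    if ($Phase -eq 'forestprep') {
        # Schema master; both groups are required.
        $role = 'schema'; $needAll = $true
        $groups = 'Enterprise Admins', 'Schema Admins'
    } else {
        # Infrastructure master; either group is enough.
        $role = 'infr'; $needAll = $false
        $groups = 'Enterprise Admins', 'Domain Admins'
    }

    # dsquery prints the role holder's server DN ("CN=<server>,CN=Servers,...");
    # keep only the server name and compare it with this console.
    $holder = @(dsquery server -hasfsmo $role)[0] -replace '^\s*"?CN=([^,]+),.*$', '$1'
    $onRoleHolder = $holder -eq $env:COMPUTERNAME

    # -expand follows nested groups, so indirect membership counts too.
    # Groups are matched by CN only; in a multi-domain forest compare full DNs.
    $memberOf = @(dsget user $UserDN -memberof -expand)
    $held = @($groups | Where-Object {
        $memberOf -match "^\s*`"?CN=$([regex]::Escape($_)),"
    })
    $groupsOk = if ($needAll) { $held.Count -eq $groups.Count } else { $held.Count -ge 1 }

    [pscustomobject]@{
        Phase        = $Phase
        RoleHolder   = $holder
        OnRoleHolder = $onRoleHolder
        GroupsHeld   = $held -join ', '
        Ready        = ($onRoleHolder -and $groupsOk)
    }
}

# Sample DN (constructed) in the article's bigtex.net domain.
Test-AdprepReady -Phase forestprep -UserDN 'CN=Administrator,CN=Users,DC=bigtex,DC=net'
```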

The Dsadd Utility
The Dsadd utility adds to AD the most common types of objects: users, computers, groups (security or distribution), OUs, and even contacts. You can specify many common attributes to add with the object, but the command doesn't support all possible objects.

To add an OU to BigTex.net, type

dsadd ou OU=roughnecks,DC=bigtex,DC=net -desc "Oilfield Roughnecks"

all on one line. To add a group in the new OU, type

dsadd group CN=goodolboys,OU=roughnecks,DC=bigtex,DC=net -secgrp yes

At the same time you create the group, you can add members to it by using the -members option and nest it in other groups by using the -memberof option. To add a user named Jim Bob to the new group, type

dsadd user "CN=James Robert,CN=Users,DC=bigtex,DC=net" -samid JIMBOB -upn jimbob@bigtex.net -fn James -ln Robert -empid 123456 -pwd n0tsecure! -mustchpwd yes -memberof CN=goodolboys,OU=roughnecks,DC=bigtex,DC=net

Note that I've specified a password so that I can add multiple users without pausing at each one to enter a password. However, because I've set the -mustchpwd parameter to yes, users must change their password on first logon.
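The bulk case described above, as an added example that is not from the original article: each account gets its own random initial password instead of one shared -pwd value. It assumes PowerShell on a domain-joined console; the user list is constructed sample data, New-InitialPassword is a hypothetical helper, and the accounts are placed in the roughnecks OU rather than CN=Users.

```powershell
# Added example: bulk-create users with dsadd, one random initial password each.
function New-InitialPassword {
    param([int]$Length = 20)
    # 64 symbols, so a random byte maps onto the alphabet without modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789#%'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
        # Retry until upper case, lower case and a digit are all present,
        # so the value passes the AD password complexity policy.
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
    $candidate
}

$ou    = 'OU=roughnecks,DC=bigtex,DC=net'
$group = 'CN=goodolboys,OU=roughnecks,DC=bigtex,DC=net'
$newUsers = @(   # constructed sample data
    @{ First = 'James'; Last = 'Robert'; Sam = 'JIMBOB';   EmpId = '123456' }
    @{ First = 'Billy'; Last = 'Ray';    Sam = 'BILLYRAY'; EmpId = '123457' }
)

$issued = foreach ($u in $newUsers) {
    $initial = New-InitialPassword
    # The DN is passed as one quoted string so its commas and space survive.
    dsadd user "CN=$($u.First) $($u.Last),$ou" -samid $u.Sam `
        -upn "$($u.Sam.ToLower())@bigtex.net" -fn $u.First -ln $u.Last `
        -empid $u.EmpId -pwd $initial -mustchpwd yes -memberof $group | Out-Null
    if ($LASTEXITCODE -eq 0) {
        [pscustomobject]@{ Account = $u.Sam; InitialPassword = $initial }
    } else {
        # A non-zero exit code is treated as failure; no password is recorded.
        Write-Warning "dsadd failed for $($u.Sam) (exit code $LASTEXITCODE)"
    }
}
$issued   # hand each password to its owner out of band, then discard the list
```

Because -pwd puts the password on the command line, hosts that log process command lines will record it; -mustchpwd yes limits how long that value stays useful.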

The Dsquery Utility
You can use two new command-line utilities to retrieve information about eight Windows 2003 AD objects: sites, subnets, servers, computers, OUs, groups, users, and contacts. Dsquery is meant for broader searches and supports the asterisk character (*) as a wildcard to search for all objects that match specific criteria. Dsget is more specific; you use it to view the properties of a specific object in the directory.

Figure 2 shows Dsquery's syntax with the most common parameters and their possible values. For Dsquery's first parameter you can specify a starting node for the search; forestroot, to use the GC; or domainroot (the default), to start at the root of the domain to which you're connected. The -scope parameter defines how deeply you want to search: subtree (the default) searches subtrees under the starting node, onelevel doesn't search any subtrees, and base searches only the object you specified in StartNode. The -filter parameter lets you specify a Lightweight Directory Access Protocol (LDAP) query filter if you want to retrieve only a specific object or attribute. An example of a valid search filter is (&(objectCategory=Person)(sn=smith*)). The -attr parameter returns only the attributes specified in AttributeList; and the -attrsonly parameter displays only the attributes that are present, not their values. The -l parameter returns the results in list format instead of the default table format.

For example, if you have an extensive AD implementation with many subnets, you could use the following Dsquery command to search for a specific subnet without digging through all the subnet definitions in the MMC Active Directory Sites and Services console:

dsquery * cn=subnets,cn=sites,cn=configuration,dc=bigtex,dc=net -scope subtree

Dsquery would return the results that Figure 3 shows.

The Dsget Utility
You can use the Dsget utility to display certain properties of AD objects. As with all the other AD-related command-line utilities, you select the object you want to display by its DN. Figure 4 shows the general syntax of Dsget. DN is the DN of the object you're searching for, and AttributeOptions lists which of up to 33 attributes (e.g., -empid, -office) you want to display. The number of available attributes depends on the kind of object you're searching for.

For example, to check a user account to see whether the password was set to never expire (a setting that usually requires a security waiver), you could type

dsget user "cn=James Robert,OU=roughnecks,DC=bigtex,DC=net" -pwdneverexpires

and receive the following result:

pwdneverexpires
     yes
dsget succeeded
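The single-account check above generalizes to a domain-wide sweep by combining it with Dsquery's -filter and -attr parameters described earlier. This is an added example, not from the original article; it assumes PowerShell, Get-UnwaivedNeverExpire is a hypothetical helper, and the waiver list and fallback sample output are constructed.

```powershell
# Added example: list enabled users whose password never expires and that
# have no recorded waiver.
# userAccountControl bits: 65536 = password never expires, 2 = account disabled;
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-UnwaivedNeverExpire {
    param([string[]]$DsqueryLines, [string[]]$Waived = @())
    # Accepts table rows ("  JIMBOB") and -l list rows ("sAMAccountName: JIMBOB");
    # drops the header row and blank lines, then removes waived accounts.
    $DsqueryLines |
        ForEach-Object { ($_ -replace '^\s*sAMAccountName:\s*', '').Trim() } |
        Where-Object { $_ -and $_ -ne 'sAMAccountName' -and $Waived -notcontains $_ } |
        Sort-Object -Unique
}

if (Get-Command dsquery -ErrorAction SilentlyContinue) {
    # Live query: -limit 0 lifts the default cap on returned objects.
    $lines = dsquery '*' domainroot -scope subtree -filter $filter `
                     -attr sAMAccountName -limit 0
} else {
    # Constructed sample of dsquery table output, for running away from a DC.
    $lines = '  sAMAccountName', '  JIMBOB', '  svc_backup', '  Administrator'
}

$waived = @('svc_backup')   # constructed waiver list
Get-UnwaivedNeverExpire -DsqueryLines $lines -Waived $waived
```

With the constructed sample, the sweep reports Administrator and JIMBOB as accounts that still need a waiver or a policy fix.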
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement