💫 Summary
In this "Ask SME Anything" episode, IT Pro TV experts tackle questions about the difference between domain admins and enterprise admins, demonstrate how to use the Active Directory Administrative Center and PowerShell commands to create new users, explain why understanding the five FSMO roles in Active Directory matters, and show how to make changes to the schema using GUI tools and PowerShell commands.
✨ Highlights
This section introduces the "Ask SME Anything" show, where viewers can submit IT-related questions to subject matter experts.
00:00
Viewers can submit IT-related questions by tweeting to "Ask SME Anything".
The show features subject matter experts who will answer the submitted questions.
The host introduces Mike Roderick as an expert in Microsoft, Windows Server, client operating systems, networking, security, and PowerShell.
Viewers are encouraged to submit questions related to the mentioned topics.
The speaker explains how using the GUI to perform tasks in the administrative center can help to learn PowerShell commands and their syntax.
04:46
Using the GUI in the administrative center executes PowerShell commands in the background.
The PowerShell history shows the executed commands, allowing users to learn the syntax.
By using the GUI, users can focus on specific tasks and learn the corresponding PowerShell commands.
The speaker demonstrates using the GUI to create a new user in the Active Directory Administrative Center.
The discussion emphasizes the importance of understanding PowerShell's purpose, testing it out, and starting with the administrative center before diving into overwhelming documentation.
09:32
Testing PowerShell on a non-production server is recommended.
Microsoft Docs may have overwhelming documentation with numerous parameters for commands.
Starting with the administrative center can help in understanding the syntax before moving on to using variables.
Using the GUI can help visualize the minimum requirements and then fill in additional options as needed.
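The command sequence that the Administrative Center's PowerShell history shows for "New > User" (New-ADUser, then Set-ADAccountPassword, then enabling the account), turned into a reusable script, as an added example that is not from the video or from IT Pro TV. It assumes the ActiveDirectory RSAT module is installed; the OU path and UPN suffix are placeholders for your own environment, and the function name New-SalesUser is made up here.

```powershell
# Added example (not from the video): the steps the ADAC PowerShell history
# shows for "New > User", as one function with the values pulled out into
# parameters. Assumptions: ActiveDirectory module available; the OU path and
# UPN suffix below are placeholders; New-SalesUser is a made-up name.
Import-Module ActiveDirectory

function New-SalesUser {
    param(
        [Parameter(Mandatory)] [string] $GivenName,
        [Parameter(Mandatory)] [string] $Surname,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Department = 'Sales',
        [string] $Title = '',
        # Placeholder OU path: replace with the -Path shown in your own history
        [string] $Path = 'OU=Sales,OU=Employees,DC=example,DC=local',
        [string] $UpnSuffix = 'example.local',
        [switch] $WhatIf
    )

    # 1) New-ADUser: the first line in the history. As in the GUI, the
    #    account is created disabled and without a password.
    $userParams = @{
        Name              = "$GivenName $Surname"
        DisplayName       = "$GivenName $Surname"
        GivenName         = $GivenName
        Surname           = $Surname
        SamAccountName    = $SamAccountName
        UserPrincipalName = "$SamAccountName@$UpnSuffix"
        Path              = $Path
        Department        = $Department
        Enabled           = $false
        WhatIf            = [bool]$WhatIf
    }
    if ($Title) { $userParams['Title'] = $Title }
    New-ADUser @userParams

    if ($WhatIf) { return }   # dry run: nothing was created, so stop here

    # 2) Set-ADAccountPassword: a separate command, which is why it shows up
    #    as its own line in the history. Prompt for the secret rather than
    #    hard-coding it, so it never lands in a script file or a log.
    $password = Read-Host -AsSecureString -Prompt "Initial password for $SamAccountName"
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $password -Reset

    # 3) Enable-ADAccount / Set-ADUser: enable the account and force a
    #    password change at first logon so the initial password is single-use.
    Enable-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Return the result so the caller can check what was created
    Get-ADUser -Identity $SamAccountName -Properties Department, Title |
        Select-Object SamAccountName, Enabled, Department, Title, DistinguishedName
}

# Dry run first on a non-production domain controller, as the show recommends:
# New-SalesUser -GivenName Ronnie -Surname Wong -SamAccountName rwong -Title 'Engineer' -WhatIf
# Then for real:
# New-SalesUser -GivenName Ronnie -Surname Wong -SamAccountName rwong -Title 'Engineer'
```

Run it with -WhatIf first: New-ADUser honours it and the function returns before the password prompt, so a dry run creates nothing. Compare the parameters the function passes with the ones in your own PowerShell history pane and add the ones your organization fills in (department, title, office) the same way.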
In Active Directory, there are certain operations roles called FSMOs that can only be performed by one domain controller.
14:17
There are five FSMOs in Windows Active Directory.
Two of the FSMOs, the schema master and the domain naming master, are forest-wide roles.
The schema master is responsible for making changes to the schema, which applies to all domains within the forest.
The domain naming master is responsible for managing the names of domains within the forest.
The difference between a domain admin and an enterprise admin is explained, addressing the confusion between the two roles.
19:05
Understanding which machines hold these roles and being able to move them is important.
Domain admin permissions may not be sufficient for certain actions that require enterprise admin permissions.
The Enterprise Admins group is found in the root domain and has control over the entire forest, so its membership should be limited to a few people.
23:51
Enterprise admins can perform actions that affect the entire forest, whereas a domain admin's rights stop at the domain boundary.
People are often added to the Enterprise Admins group temporarily and removed once their task is completed.
Enterprise admins have higher privileges than domain admins and are needed for tasks like installing Exchange and making changes to the schema.
It is recommended to use a separate account for enterprise admin access, not the daily-driver account, and to limit the number of people who have the password.
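To see which domain controllers hold the five FSMO roles (two forest-wide, three per domain) and who currently sits in Enterprise Admins and each domain's Domain Admins, here is an added example that is not from the video or from IT Pro TV. It reads everything from the forest with the ActiveDirectory module and assumes a domain-joined session with rights to read group membership; the function names Get-FsmoRoleReport and Get-PrivilegedGroupReport are made up here.

```powershell
# Added example (not from the video): report FSMO role holders and the
# membership of the two most powerful built-in groups. Assumptions:
# ActiveDirectory module available, domain-joined session; no domain or
# DC names are hard-coded, everything is read from Get-ADForest/Get-ADDomain.
Import-Module ActiveDirectory

function Get-FsmoRoleReport {
    $forest = Get-ADForest
    $rows = @()

    # Two forest-wide roles: exactly one holder in the whole forest.
    $rows += [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    $rows += [pscustomobject]@{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }

    # Three domain-wide roles: one holder per domain, so loop over every domain.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            $rows += [pscustomobject]@{ Scope = 'Domain'; Domain = $name; Role = $role; Holder = $d.$role }
        }
    }
    $rows
}

function Get-PrivilegedGroupReport {
    $forest = Get-ADForest
    # Enterprise Admins exists only in the forest root domain; Domain Admins
    # exists in every domain. Membership is resolved recursively so that a
    # nested group does not hide anyone.
    $targets = @(@{ Group = 'Enterprise Admins'; Domain = $forest.RootDomain })
    foreach ($name in $forest.Domains) { $targets += @{ Group = 'Domain Admins'; Domain = $name } }

    foreach ($t in $targets) {
        # Ask the domain's PDC emulator, which is where group changes converge first
        $server = (Get-ADDomain -Identity $t.Domain).PDCEmulator
        Get-ADGroupMember -Identity $t.Group -Server $server -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Group  = $t.Group
                    Domain = $t.Domain
                    Member = $_.SamAccountName
                    Type   = $_.objectClass
                }
            }
    }
}

Get-FsmoRoleReport | Format-Table -AutoSize
# Anyone listed under Enterprise Admins should be there for a specific task
# (a schema change, an Exchange install) and be removed again afterwards.
Get-PrivilegedGroupReport | Sort-Object Group, Domain, Member | Format-Table -AutoSize
```

The first table is the one to consult before demoting or rebuilding a domain controller: if its name appears in the Holder column, the role has to be moved first. The second table is the membership review the speaker describes; Get-ADGroupMember -Recursive is known to error on groups that contain members from trusted external forests, in which case query that group without -Recursive and expand the nested groups by hand.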
The video explains how to register a schema management DLL in Active Directory and use it to make changes to the schema.
33:24
To register the DLL, use the command "regsvr32 <DLL name>" in PowerShell.
After registering, the Active Directory schema will appear in the snap-in list.
The schema defines the classes of objects that can be created in Active Directory.
The schema management tool allows you to work with the schema and make changes, such as adding new attributes.
📊 Transcript

00:00 [Music]

00:01 Welcome to Ask SME Anything, your chance to ask the IT Pro TV subject matter experts questions. Why?

00:11 [Music]

00:16 Here's your host, Ronnie Wong.

00:20 All right, and welcome to Ask Me Anything. It is a show from IT Pro TV where, well, you get to interact with us, the subject matter experts, right here on IT Pro TV. We are glad that you've joined us today as we begin our segment today as well, and I have with me, of course, well, Mr. Mike Roderick himself. Mike, glad you're here with us. How are you doing today?

00:40 I'm doing great, Ronnie, thank you for having me. Excited as always to participate in the old Ask Me Anything.

00:44 Yeah, this is actually a great opportunity for everyone, as we think about it, right? So if you're out there and you're watching, you don't have to be a member, of course. All you have to do, if you have any IT-related questions, please submit them, and all you have to do is tweet to Ask SME Anything and we'll get our subject matter experts, of course, to go ahead and try and answer them for you, so that we actually do cover what we can. And if it actually does apply to what we're talking about today, we'll get Mike to actually answer them for us today as well. Okay, so that limits it down to soap operas, and no, I'm joking, okay.

01:22 So overall, though, Mike Roderick, of course, as we start talking here, I've known Mike for over a decade, and Mike is an expert in all things just about Microsoft here. So take a look, of course, at Windows Server and of course the client operating systems, as well as networking and security. He's done the whole gamut, and he likes to dabble, of course, in PowerShell. So we'll be focusing around those questions in that way when we start to take a look, but please don't hesitate if you do have other questions. We do have other subject matter experts, so please go ahead and submit them as we do so, as we continue through the show, and this is what we'll actually be taking a look at and doing. So Mike, as we begin, we've already got some questions that have been lined up for us, so that means we are ready to jump right in. How do you feel about answering some questions right away?

02:06 I'm ready to go, let's get to it.

02:08 Yeah, all right. Well, the first question that we have, of course, as we get started here, is: hey, I want to actually be able to use PowerShell to administer Active Directory. Okay, there are so many commands, where should I start? Now Mike, when I think about this, I can kind of understand the frustration that they're talking about, because this is kind of the big push, right, the idea of moving to PowerShell when everybody's been so used to the GUI now for, what, since at least 2000, okay. The idea of this, and now people are starting to go no, no, no, PowerShell is the way to go, and this has been a big push at least since 2012, but if you're just getting into it now you're probably wondering why, and where the heck do we start?

02:50 It can be very daunting, because as the viewer asked there, you know, there are a lot of commands. Microsoft has great documentation, first of all let me just say that. If you go out to docs.microsoft.com, you know, I'll show you a trick that I do here. If you take a look at my screen, I'll open up my browser and I'm gonna type in a command that I know, Get-ADUser, all right, just a PowerShell command, and I see a link right here, Get-ADUser, out to Microsoft Docs. I click on that and that gets me in the right ballpark. Right now I'm in Microsoft Docs, I'm in PowerShell, and even if that wasn't the command that I wanted I can scroll through this list and I can find really good documentation on the different commands that are available. So that's, you know, a good place to have a reference bookmark; Windows 10 and Windows Server 2016 PowerShell have that reference available.

03:38 But as far as getting started, you know, what I would recommend is think about what it is that you do. What is it that we typically use PowerShell for? In an administrative fashion, to automate certain tasks, things that I normally have to do, that I, you know, going through the GUI is okay, but if I could do this with a script, if I could work through PowerShell, I could start automating some of this, you know, creating new users, creating OUs, whatever the case may be. So what I would recommend is take advantage of something that a lot of people are unaware of. We've got the new administrative tool for Active Directory, the Active Directory Administrative Center, right, which is a GUI-based tool for administering Active Directory. What a lot of people don't realize is there's a feature in there called the Windows PowerShell history, and what it'll do is it'll show you what commands are being executed, because unlike our old GUI tools like Active Directory Users and Computers, Active Directory Sites and Services, things like that, that are using various protocols to complete those commands, the Active Directory Administrative Center is really a GUI front-end for PowerShell.

04:44 What's happening is, when you right-click in that GUI and you say new user and you fill in the information and you click OK, what it's doing is it's actually executing a PowerShell command in the background, and the PowerShell history will let you see the command that's being executed, and now you can go, oh, that's the command I would have used to create a new user, and you can start learning the syntax that way, rather than just trying to read through Microsoft Docs and looking at the tons of commands that are out there. It's a good way to really focus in on what it is that you do. So use the Administrative Center to perform a task and then look at that history.

05:20 In fact, let's take a look at my screen, I'll show you what I mean. I'll pull up one of my domain controllers here, and from the Server Manager I'm simply going to launch the Active Directory Administrative Center. Get that going here, and I'm gonna go, let's see what we want to do here. Let's just say I want to go into my Employees, Sales OU and I want to make a new user. So I don't know the PowerShell command to do that, or all the parameters that are required to do that, so I'm gonna use the GUI to accomplish that. Over here I'm gonna go underneath Sales, New, and User, and easy enough, I can see the red asterisks are telling me what the required parameters are. I'll fill this out, say Ronnie, last name Wong, and I'll give you a logon name of Ronnie, give you a super-secret password.

06:16 Yeah, so fill out all the required information and any other information that you typically use in your company. If you fill out things like Department and Job Title, if you fill that information out in your organization, go ahead and do so. In fact, let's put Department, host output, or let's do this, let's say, yeah, departments, let's do a Job Title and say, well, see, Angie Taner, right. And so go through here, fill out the information, and go ahead and click OK to create that user. So now I see I should have Ronnie Wong, new user, right there.

06:51 Down here at the very bottom, Windows PowerShell History, those little chevrons hidden over here in the corner, and if I click that I'll actually see, let me drag this up a little bit so you can get a better look at it, here are the commands that were issued to create that user. I can see it right here, and I'll zoom in a little bit for us: New-ADUser, right, and I've got -Department was null because I didn't provide the department. You can see DisplayName, GivenName, and the various parameters that were used, -Path, right, which is where to create it. And let me zoom out, that's getting a little clunky with the video feed here, and I can expand this out and I can see it a little better, view all the different parameters that were provided, right. And so what I can do from here is I can actually copy this command out, and we can click Copy, actually if I select something then I click Copy, I could take that over to PowerShell, all right, I could paste that in there, and now I could start writing a script, taking out maybe specific information, starting to replace it with variables, starting to automate that process.

07:58 And what you'll see is that now gives you a chance to go, okay, this is something that I do on a daily basis or pretty often, I want to go back out to Microsoft Docs and read a little more about New-ADUser, that's a command I want to get familiar with. And then I see, like, Set-ADAccountPassword, so that's telling me that I wasn't able to set this with the New-ADUser; it's actually a separate command I use to set the password. Then I have to enable the account. These are things that I might not have thought about because I've always used the GUI to do this and I now want to start using PowerShell. This is what's going to show you how to do that: Set-ADAccountControl, and then Set-ADUser. These are all commands that were issued to create that user that we did through the GUI.

08:41 So what I would recommend then, like I said, is, you know, use Microsoft documentation, they have great documentation out there, there's great help built into PowerShell, but rather than just start at the beginning and try to go through every command, think about the things that you do and focus in on that at first, and then you'll slowly round out your PowerShell skills by adding additional commands. Next time I go back and I create a new organizational unit, right, and I fill that information in here and I go ahead and create that, and I go back down in my PowerShell history and I can see, refresh here, New-ADOrganizationalUnit, and I can start learning that command. So take advantage of that PowerShell history in this tool. The Active Directory Administrative Center is a good place to start.

09:29 Yeah, Mike, I think some of the misunderstanding we have when we want to start trying to administer with PowerShell is not understanding its purpose. So the idea of scripting, especially for automating those tasks, is a good reminder for us to think about, as well as the idea of actually testing it out and playing with it and trying to make sure that we get into it. It's easy to kind of go, okay, I understand the concept, but to actually do it now. I don't recommend you do this on a production server if you're doing this, especially if somebody's watching you, but do take the time to at least test it out and see what happens.

10:00 Yeah, and it can be daunting, right. If you go out to Microsoft Docs and you look at that command, New-ADUser, you're gonna see dozens and dozens of parameters that you can use. They're not all required, but looking at that documentation can be overwhelming: oh my gosh, how much do I have to actually type in, when in the end there's just very few parameters that are actually required. So I, you know, the documentation, if that's a little scary for you, start with that Administrative Center and go from there.

10:26 You know, that history seems to be a great way to at least see the syntax when you're not exactly sure how the syntax works, and then replacing it with variables like you said is taking it to the next level, and that way you start seeing the power of it right away, instead of, you haven't read and understood, like, what's this option for, what's it... That's where I get a little bit messed up at times, is when I think, gosh, should I include this or should I not include this. Well, Mike is showing you, just by using the GUI, it's helping you to at least see the minimum that you might want to do, and then of course, well, you can max it out by filling in every possible blank that there is, and that will help us out too.

11:01 Okay, so Mike, that's a great way for us to actually think about beginning here. Okay, as we start to continue on, of course, in the realm of Active Directory and administration and different things, there are some other questions that have come up, and we have our next one ready. What do you think, Mike?

11:17 Let's do it.

11:18 All right, so here's our next question that we have ready to go. What are the FSMO roles, and why, I have a hard time saying that, and why should I even care? So Mike, what this sounds like, when I'm starting to see this, is maybe at this point this particular person that submitted this, they may be studying and trying to understand the idea of building Active Directory up, and they've come across this idea of these FSMO roles, I always say it backward for one reason or another, and now they're not really understanding. So Mike, kind of give us that overview of what we need to know, and then answer the question: why the heck should I care about it?

11:59 Yeah, and that's typically, you're right on when you say somebody's probably studying for an exam, because that's really where we see this more often than not, because it is something we don't have to think about all the time when we're administering our Active Directory domains. But it is important that we understand the concepts and we understand what they are, because it can affect us as soon as we start moving to multiple domain controllers, multiple domains, and then we start upgrading or replacing domain controllers. Maybe you're upgrading that hardware, you're building up a new machine. Very important that we understand these roles, and Windows is really good about warning us nowadays; it wasn't the case, you know, back in 2000 and 2003.

12:37 But let's start by defining that, right. FSMO is flexible single master operations, that's what that's going to stand for. And when we talk about Active Directory, one of the great things about Active Directory is it uses what they call multi-master with loose convergence.

12:54 Yeah, you just overwhelmed somebody.

12:57 Fancy term for saying that there is no one domain controller that's any more important than the others, right. If we go back to the NT days, you had primary domain controllers and backup domain controllers, and that primary domain controller was the only writable copy of Active Directory. If you wanted multiple domain controllers for fault tolerance, for load balancing, you added additional BDCs, or backup domain controllers, and those gave you that fault tolerance and that load balancing capability, but they were read-only. They couldn't take any changes. You couldn't change passwords on one of the BDCs; it could still answer queries, authenticate logon attempts, things like that. And the reason for this was because of conflicts. I didn't want administrators from two different domain controllers making changes to the same objects and making, you know, Ronnie set a phone number to 555-1212, I set the same user's phone number on a different domain controller to 555-1313, and now when we replicate, which change do we keep? So to solve that they simply made one copy writable. That way changes could only be made on that primary domain controller. But that became very limiting. If that primary domain controller was down, then no changes can be made until we got that guy back up, so it became a very single-point-of-failure type scenario.

14:17 When we went into Server 2000 and Active Directory as we know it today, we got the, what they call the multi-master, right. We have ways of dealing with replication conflicts, and I can now have all my domain controllers being writable. There isn't a primary domain controller anymore and then backup domain controllers, which is great, except there are a few things where the risk is too great, right, because we can still end up with conflict. Now that we have multiple writable copies there can be a conflict, right, this is just like I was describing a minute ago, and for most things Active Directory has ways of dealing with those conflicts: last writer wins type thing, you know, which one was the update server, which one was the update done on, timestamp, we can use that to solve most conflicts. There are some things, however, that we really don't want to take a chance with, and those are known as the single master operation roles. These are things that, while most domain controllers can do everything, there are certain things that only one domain controller is going to be allowed to do.

15:18 There's five FSMOs in Windows Active Directory as of now. There's the, see if I can remember all these, Ronnie: the schema master, the domain naming master, the relative identifier master or the RID master, the infrastructure master, and the PDC emulator, right. Right there's five of those guys. Two of them are what we call forest-wide roles, there's the schema master and the domain naming master, and what that means is only one domain controller in the entire forest is the schema master. The schema master is where we can make changes to the schema. Remember, the schema applies to all domains within the forest, no matter how many domains there are, and again there's only one writable copy, because I cannot take a chance on there being any conflicts, any, you know, two administrators making changes to the schema on two different domain controllers and then trying to figure out what to keep and what to throw away. We can't take that chance. So the schema master is one of the FSMOs. The domain naming master is also forest-wide, meaning there's only one domain naming master in the entire forest.

16:21 The other three, the PDC emulator, the RID master, and the infrastructure master, those three are domain-wide roles, meaning that there's one domain controller in each domain that holds that role. Domain A has its own PDC emulator, RID master, and infrastructure master, and there's only one of each of those in that domain, but domain B has its own PDC emulator, RID master, infrastructure master, only one in that domain, but each domain has its own, and that's what we mean by domain-wide roles.

16:52 All right, now we could spend hours, Ronnie, talking about what each one of these roles does, how important they are, and things like that, and if you want more information about those, make sure you jump in our library and check out our courses where we talk about that. Here, I think what this question is really asking is why should I be concerned with these roles, and the answer is because of the fact that they are single master operations, and you'll hear them called different things: FSMOs, single master operations, single operation roles, they're all really referring to the same thing. The reason it's important is because, what if the domain controller, let's say I have a domain controller that failed and that domain controller happened to be holding one of those single master operation roles. That means now I don't have one of those, right. If the PDC emulator failed, now my domain does not have a PDC emulator, and it's a very important role; again, check out our library and we'll talk about all of the things that that particular role does. So this is why it's important to understand what these roles are and being able to identify which domain controllers are holding them and paying attention to that.

17:53 So if I need to bring a machine down because we're going to do a hardware update on it, you know, we're gonna change hardware out, or make a new domain controller, if the old domain controller is holding one of those roles I need to move that role off before I remove Active Directory from it. Now like I said, Windows is pretty good about warning us nowadays. If you go to demote a domain controller and it happens to have one of those roles on it, it'll warn you, it'll say hey, do you want me to migrate this role, or this particular server has this role on it, you need to move it before, and it'll even do it for you, if I'm not mistaken, if another domain controller is available.

18:28 So that's the main thing with those roles, and why I should care is because they do very important functions in our domain. For example, the PDC emulator handles password changes and password synchronizations, and if that's unavailable some of our older clients might not be able to update passwords, right. The RID master generates the relative identifiers, so that when I create new objects in Active Directory I have a unique number to assign to generate the SID for that object. Well, if that RID master is down, we'll eventually run out of RIDs, and I go to create a new object, we'll try to reach out and talk to the RID master and say hey, give me some more RIDs so I can create more objects, and the server's not available. I won't be able to create any more objects in Active Directory; it'll stop working. So understanding what machines are holding these roles and being able to move them if I need to is very important. Like I said, it's something that we really, you know, ninety percent of the time it's like you don't see it, you don't even think about it, it just does what it's supposed to do, but when you start making changes to your infrastructure, moving things around, we've got to be aware of where those roles are.

19:38 All right, Mike, thank you for answering that, because it is a confusing bit of knowledge if you're really just starting to study it and you're getting into it and you're seeing all these descriptions of what each one of those single master roles is. Trying to get it to fit all into that idea of why it's important is a big part of us at least understanding the concept of how Active Directory works and is so flexible in the way that it is.

20:02 All right, Mike, there's another question that is out there and waiting for us as well, and it seems like we're staying in the certification realm again, because, well, actually this could be more practical at the same time, as you might see this as well. The very fact is we have a question that says, what is the difference between a domain admin and an enterprise admin? Now I can understand this one too, from both sides, right. If I'm studying for the exam, I may be, said, you know, and I read this, okay, so what's the big deal between them. But in a real production scenario I might see that I go and try and do something and it says I need enterprise admin permissions. I go, wait, wait a minute, I'm a domain admin, I have rights to everything, so what is this here? And, you know, what do we actually take a look at in terms of the differences?

20:51 Yeah, that's a great question, Ronnie, and it's just like Ronnie said, that's typically what's going to happen, is you're gonna be trying to do something and it's going to tell you you don't have permissions to do it, and you're logged on as the domain admin, and you start banging your head against the desk going, what do you mean I don't have permissions, I am the highest, there's nothing higher than me, I'm the domain admin. And that's not true. There actually is a group that has more authority than domain admins, and really in a lot of environments, especially today, we don't see as many multi-domain forests as we used to, but that's not to say that they're not out there.

21:26 When we think about the domain admin, it is true that is the uber account, right, it can do anything within a domain, but that domain is the boundary, the limit of that domain admin's rights. If we get outside of that domain, the domain admin has no rights. In a forest, remember a forest is a collection of domains under the same administration; all the domains within that forest share the same schema, for example. And an enterprise admin actually has rights across the entire forest. So if I have domain A and domain B in my forest and I'm a domain admin in domain A, I have no administrative rights in domain B, and if I try to do something in domain B I'm not going to be able to, because I don't have administrative rights over there. If I try to do something in my domain that could affect other domains in the forest, I might be within my domain, so I'm domain admin, I should be able to do anything, but if what I get ready to do could potentially affect other domains in the enterprise, in the forest, it's going to stop me, because my rights as a domain admin stop in my domain, and it's not gonna let me do anything that is going to affect other domains. That's when you need to be an enterprise admin.

22:40 An enterprise admin has full control over the entire forest, can do anything that would affect multiple domains. Like if we start linking group policies to a site, the site can span domain boundaries, you need to be an enterprise admin to do that. You want to make changes to the schema, for example, that is something that would be shared by all domains in the forest, so I need to be an enterprise admin to make those changes. I actually need a few more rights than that, but enterprise admin would be a good start. So that's the difference there between domain admin and enterprise admin, and the reason I think a lot of us don't realize that at first is we're in a single domain environment, and so the domain admin is able to do anything it wants and there's never really a question. But as soon as you move to a multi-domain environment, if you have a forest that has more than one domain, now all of a sudden that enterprise admin account becomes very important because of the fact, and really even in a single domain environment, if you want to make changes to the schema, for example, you're gonna have to be in the Enterprise Admins group, because even though you don't have another domain, what you're doing could potentially affect more than one domain, so it is gonna verify, or validate, or require that you have those enterprise admin rights.

23:48 So this is a group that you want to be really careful with too. It's found in your root domain, the first domain you create in your forest, and you want to really control the membership to that group, because like I said, they can do something that can affect the entire forest. So very few people; in fact a lot of times we'll add people to that group temporarily and then when they're done doing whatever it is, like if you're installing Exchange, which is gonna make changes to the schema, you need enterprise admin rights, I might add Ronnie to that Enterprise Admins group so that he can get that job done. Once he confirms that he's finished it, he no longer needs that role, I'll remove him from that group. I won't leave him in there, because it is such a, what's a good word for it, you know, that account can do so much, there's so many rights.

24:39 Yeah, it is. Since you mentioned that, right, the idea that we, in that single domain, I think is probably the context, like you said, that most of us are actually dealing with. So in this instance, when you talk about the limitation of this, if that is the nature of my domain at this point, I only have one domain, I don't have anything else in that forest except for that one domain, shouldn't I be an enterprise admin anyway then?

25:05 Yes, yeah, and typically, like, what I would recommend is you have an account that you add to that group that's not your daily driver, right, so what you would log on with, and you put an account in there and very few people should have the password to that account. If you
25:22really want to leave somebody in that
25:23group and like you said in a single
25:25domain environment if you're the only IT
25:26person you know there's one or two
25:28people that are managing your forest or
25:30in your your Active Directory
25:31environment then maybe you do leave
25:33yourself in that group and you don't
25:35have to worry about adding yourself
25:37every time you want to do something you
25:39shouldn't be logging on with that
25:40account obviously we're going to follow
25:41best practices and every admin should
25:43have a standard user account and we do
25:45the run ass and then you're careful with
25:48again who has that password
25:49I wouldn't put the built in domain
25:52administrator account isn't because
25:54typically most of the IT staff has that
25:56particular password so you just want to
25:59you just want to be careful with it
26:00understand that that account has all the
26:02rights to do whatever it wants and you
26:04just have to be cautious and awed it
26:07there's no doubt the the idea of
26:09actually understanding that the power
26:11and the nature of what this could count
26:12can do is is something that we pride
26:15don't deal with on a daily basis and
26:16only in special occasions but speaking
26:19of that we have a follow-up question at
26:21least what seemed like a follow-up
26:23question here so let's go ahead and take
26:25a look at what our next question is
26:27going to be as well and so it's not
26:29exactly the same user but notice this
26:32I'm an enterprise admin why can't I make
26:35changes to the schema now you just said
26:37that hey you want to make changes to the
26:40schema you got to be in the enterprise
26:41admins group here it is a very good date
26:44it's like they're reading my mind and
26:46and yes that that's your in the
26:48enterprise admins group so now we've
26:49we've solved that problem I'm not just a
26:51domain admin I'm
26:52Enterprise admin that means I can make
26:54changes that would affect the entire
26:56forest I should be able to make changes
26:58to the schema
26:59 Well, the schema is very, very protected, and while as an enterprise admin you do have full control over the entire forest, the schema still has one more layer of protection, because the schema is the blueprints for the objects that I can create in Active Directory. It's what defines, you know, what a user is, what parameters, what properties an OU has, and much more. So making changes to the schema can break lots of things very easily, so it's got this extra layer of security. There's another security group built into Active Directory known as the Schema Admins, and the schema admins group are the only ones that can make changes to the schema. So not only do you have to be an enterprise admin, because changes you make can affect the entire forest, you also have to be in the schema admins group to give you write permissions over the schema. So it's just another layer of security, and it is one that, again, will have you pulling out your hair: I'm an enterprise admin, why can't I, why are you telling me I do not have rights to make these changes or to install this application that's modifying the schema? I'm enterprise admin, I should be able to do whatever I want. And it's just that extra layer of security to protect the schema. So you need to be in the enterprise admins group and the schema admins group to make changes to the schema.

28:17 You know, that one there is probably the stumper for everybody that's first starting, at least at the beginning, not understanding, when you read the definition for the enterprise admin that says, yeah, you can do anything in the entire forest that you want to be able to do, except there's one thing that you can't do, then you get a pop-up that says no you can't, and this probably is a little bit more mind-numbing, or, you know, it's blinding for what we want. Now when we start talking about all this stuff, Mike, where do we learn more about this? So I know in the IT Pro TV library we have shows on this; what are we particularly looking at, what exam objectives are we looking at here?

28:56 Probably 410 and 411. I say 410 or 411, the 70-410 class and the 70-411; we take a look at Active Directory, or the administration with Server and Identity with Server. Probably those two, or the Dec ones.

29:10 Yeah, and that's actually pretty good, because I think we do, you know, quite a bit of material on all of the server stuff, but at least getting into the Active Directory and trying to figure out all the things that need to be done, those are shows that you might want to hit in our library to make sure that you get to the place where you want to go.

29:32 The numbers for the 2016... oh, that's true. Oh, 741, okay. I think 410 and 411 might have been the old ones, that's 2012.

29:45 So, but yet, take a look: going to Microsoft in the library there, look for the track for the MCSA courses, and those will be the ones, whether you want 2012 or 2016.

29:54 Alright, Mike, well that actually brings us to this point where we have, it looks like, our final question here that we have submitted overall, and let's take a look at this one as well: "I need to make changes to the schema. Is there a GUI, or, I always say, GUI tool, that is available?" Now Mike, I am assuming this means that what they've actually experienced is that there's only a command-line tool that they've been trying to use here. Is there a GUI tool that is available? Who is this? Martin.
30:24 Martin has a good question, and yes, you know that when you start working with the schema, and if you start doing some research out there, a lot of times they will point you to tools like, try the ADSI Edit, you know, or something, yeah, you know, some command-line utility to work with that and make those changes, and those will work just fine, but there's a little bit of a learning curve associated there. There is actually a GUI tool associated with the schema; you just don't see it. It's not registered by default, so it doesn't show up. And again, I talked about the schema admins group kind of being another layer of security; it's the same thing with this. They don't make that tool readily available, it doesn't show up on your Tools list to where you can go, oh look, Active Directory Schema, and start going through there and accidentally making changes. They make it very, not difficult, but they make it to where you have to go through certain steps to be able to work with and modify the schema, again because, like we said, yeah, it's just so important. So the key here is there's no built-in tool; well, I'll say there's no pre-built console, right, there's not going to be an Active Directory Users and Computers type tool pre-built for you, but there is a snap-in available. So we'll create our blank Microsoft Management Console, or MMC, and then we'll add the schema snap-in, and then just save that as a tool; we can add it to our various menus and shortcut places and things like that. But the trick here is understanding that you have to register the schema management DLL before it will even show up in your list. And let's take a look at my screen here, we'll do another little demonstration. I am making sure, let me see, I'm still on my domain controller, and if we go to our Tools menu I'll see those pre-built consoles like Sites and Services, Users and Computers, Group Policy, you know, all of this good stuff for managing Active Directory. What I don't see is anything related to the schema. So let's go to our Start menu down here; actually they've changed this, Ronnie, this is driving me crazy. If you go to your Start menu and type MMC, oh, it doesn't pull up the blank console anymore. Wow, super random, and this will change. So what you'll do, if you're used to going to that like I am, just do a Run and then do MMC, and it'll pull up your blank Microsoft Management Console. And then if I want to add a snap-in to provide functionality in this console, File, Add/Remove Snap-in, and you'll see here that I don't see anything to do with the schema, right, there's no Active Directory Schema. I take a look at the S's and there's nothing to do with schema down here. And this is what I was saying: you have to register this DLL before that'll work. So let me pull up, we'll do PowerShell here. You would need administrative rights to register this DLL, and the command is reg, and I always get this backwards, it's SVR or SRV, we'll find out, regsvr32, and that is the command. Alright, so we'll double check that, I always get the VR or the RV backwards, so it's regsvr32, space, and then the name of this DLL that you want to register, which in our case is schmmgmt.dll. That sounds crazy, but if you think about what it stands for, you'll be... management, schema management, right, and the one that gets people is there are two M's there, right, schmmgmt.dll. So hit Enter and I'll get a message, the register server in schema management DLL succeeded. Alright, so we'll click OK, minimize PowerShell, and I might have to refresh this console, let's see, we'll go to File, Add/Remove Snap-in, and... nope, there we go, Active Directory Schema. Now that I've registered that, it shows up in my list. I'll click Add to add that to my console, I'll click OK, and there's my Active Directory Schema. And assuming that I am in the enterprise admins group, and if I want to make changes I would need to be in the schema admins group as well, but now I've got a tool that I can use to work with it, right. This is where maybe I want to define a new attribute: we're a shoe company and we give away a pair of shoes for our users, or our employees, every Christmas. Well, there's nowhere in Active Directory for me, in their user account's properties, to track shoe size, so I could add an attribute, right. Or, I mean, that's probably a silly example, but just to show, you know, that's the kind of thing we can do. But that's what the schema does; it defines all of the classes of objects that we can create. The fact that I can create a new user is because there is a user class in here, so I can get to a user, right; this is what defines what a user is. So when you right-click New, User, this is how Active Directory knows how to create a new user, because it's all defined here in the schema, and this is the tool that I would use to work with the schema in a nice friendly way. And now that I've created it, I don't want to have to go through that. I only have to register that DLL once on this particular server; if I was going to do this on a different server I would have to register that snap-in over there, but I only have to register it once, I don't have to register it every time I need to use that. If I close this console, there's still no built-in tool, so I'd have to create a new blank console and I'd have to add the snap-in every time. So what I'm gonna do is I'm gonna say File, Save or Save As, either one, and it's going to put it by default in my Administrative Tools. I could choose wherever I wanted to place that; maybe I'll dump it out on a desktop just so we can find it. I'll call it the AD schema, I'll click Save, close it, and now on my desktop I have a new console. Anytime I want to work with the schema I can access that. So to work with the schema in the GUI, you can do it, you just have to remember that the tool's not available by default. You're gonna have to register the snap-in, and then the DLL, then you have to go create your own blank console and add that schema snap-in to it and then save it so you don't have to do it every time.

36:28 Well Mike, thank you for helping us out with that last question as well. All these questions that seem to be directed towards Active Directory, remember that in the IT Pro TV library there are plenty of shows that help you to get started in Active Directory, as well as, of course, in our Microsoft Windows Server series, whichever one you choose, whether it's 2012 or 2016; there's plenty of material out there for you to be able to jump into and dive into and begin to learn more about the idea of Active Directory. So take advantage of that, because, well, that's where we want you to be. Now don't forget, even though we're actually ending this particular episode of Ask SME Anything, it doesn't mean you have to stop submitting your questions. You can continue to go ahead and submit your questions and we'll go ahead and queue them up for whoever is actually next, and/or, if we actually need to, we'll answer them, of course, by hashtagging Ask SME Anything, and that will also get you an answer if you need that as well. Okay, so Mike, thank you again for helping us as we've taken a look at all these questions, and also thank you for joining us as well. So, everybody, signing off for Ask SME Anything, and for Mike Rodrick, I'm Ronnie Wong. Everybody take care and have a great day.

37:39 [Music]

37:50 Are you enjoying Ask SME Anything? Then be sure to check out our other podcast, Technado, where we take a look at the most interesting tech stories from the week and interviews from people in the industry. Here's the latest episode, and here's the full playlist, and as always, be sure to subscribe to IT Pro TV's channel.

38:11 [Music]