
AD Explicit Tasks

This document lists various tasks related to service management in Active Directory, including installation management, schema management, role management, LDAP policy management, trust management, replication management, backup/restore management, directory database file management, directory service configuration management, security policy management, DNS management, organizational unit management, group management, computer management, user account management, print queue management, service connection point management, and group policy management. It also lists sub-tasks related to domains, domain controllers, schema, LDAP policies, trusts, sites, subnets, replication topology, backups, restores, and other directory service configuration tasks.

Uploaded by shyamal_t

Copyright: © Attribution Non-Commercial (BY-NC)

Service Management Task

Installation management task
Schema management task
Operation Master role management task
LDAP Policy management task
LDAP Policy management task
Trust management task
Replication management Task
Backup/Restore Management task
Directory Database File Management task
Directory Service Configuration Management Tasks
Security Policy Management Tasks
DNS Management Tasks

Data Management

Organizational Unit (OU) Management Tasks
Group Management Tasks
Computer Management Tasks
User Account Management Tasks
Print Queue Management Tasks
Service Connection Points Management Tasks
Group Policy Management Tasks

Sub-Task

Create the first domain in a new tree in a new/existing forest
Create a child domain in an existing domain tree
Create a replica (additional Domain Controller)
Remove a replica
Demote the last Domain Controller in a child domain
Demote the last Domain Controller in a tree-root domain
Demote the last Domain Controller in a forest
Designate a Domain Controller as a Global Catalog
Undesignate a Domain Controller as a Global Catalog
Raise Forest Functionality Level
Raise Domain Functionality Level
Migrate SID-History
Create the first domain in a new tree in a new/existing forest
Create a child domain in an existing domain tree
Create a replica (additional Domain Controller)
Enable Schema modification on a DC in the enterprise
Change the current Schema Master
Add a Class definition in the Schema
Add an Attribute definition in the Schema
Modify a Class definition in the Schema
Modify an Attribute definition in the Schema
Update the Schema cache on demand
Deactivate a Schema Class object / Resurrect a deactivated Schema Class object
Deactivate an Attribute Class object / Resurrect a deactivated Schema Attribute object
Make an attribute indexed
Add attributes to the ANR Set
Designate an attribute as a member of the partial attribute-set that is replicated to the Global Catalog
Remove an attribute from the partial attribute-set that is replicated to the Global Catalog
Transfer the Schema Master Role
Transfer the Domain Naming Master Role
Transfer the RID Master Role
Transfer the PDC Emulator Master Role
Transfer the Infrastructure Master Role
Seize the Schema Master Role
Seize the Domain Naming Master Role
Seize the RID Master Role
Seize the PDC Emulator Master Role
Seize the Infrastructure Master Role
Configure the server to require all LDAP traffic to be signed
Create a new Query Policy object
Modify the LDAP admin limits associated with a query policy object
Affect the LDAP query policies associated with a specific DC
Affect the LDAP query policies associated with all domain controllers in a site
Specify the maximum time (in seconds) that the server waits for the initial request before the connection closes
Specify the maximum number of concurrent LDAP connections allowed on the server
Specify the maximum amount of time (in seconds) that the client is allowed to be idle before the connection is closed
Specify the maximum number of concurrent search operations allowed on the server
Specify the maximum number of concurrent notification requests allowed per connection on the server
Specify the maximum number of objects the server will return to any single search request
Specify the maximum elapsed time (in seconds) allowed for a query to complete
Specify the limit (in candidate objects) of the temporary database table the server might create for intermediate results during the course of a query
Specify the total amount of intermediate data that the server will store for the client between the individual searches that make up a paged result search (in order to speed up the next leg of the search)
Specify the maximum number of threads per processor that can be simultaneously allocated to answer LDAP requests
Specify the maximum size of datagrams that can be received by the server
Specify the maximum sized LDAP request (in bytes) that the server will attempt to process
Create a shortcut (cross-link) trust relationship
Create an external trust relationship
Create a non-Windows Kerberos realm trust relationship
Create an Outbound Forest Trust
Create an Inbound Forest Trust
Delete a shortcut (cross-link) trust relationship
Delete an external trust relationship
Delete a non-Windows Kerberos realm trust relationship
Delete a forest trust
Verify that a trust is working properly
Change the direction of a trust
Enable Name Suffix Routing (for a given suffix) in a forest
Disable Name Suffix Routing (for a given suffix) in a forest
Add/Remove an exception to a name suffix for a given forest trust
Reset the trust passwords shared by a trust-pair
Force the removal of a trust
Enable/Disable SID History on an outbound forest trust
Enable/Disable SID Filtering
Enable Selective Authentication on an outbound forest/external trust
Enable/Disable placing of Name Suffix (Top Level Names) information on a realm trust
Add/remove top-level names from a realm trust
Add/remove top-level name exclusions from a realm trust
Modify the transitivity of a realm-trust
Create a Site / Add a Site
Specify the location of a Site
Associate a Group Policy with a Site
Modify Site Group Policy Options
Disable automatic topology generation for a site
Disable automatic topology cleanup for a site
Disable minimum hops topology for a site
Disable automatic stale server detection for a site
Disable automatic inter-site topology generation for a site
Disable Inbound Replication on a DC
Disable Outbound Replication on a DC
Delete a Site
Create a Subnet / Add a Subnet
Specify the location of a Subnet
Associate a Subnet with a Site
Delete a Subnet
Create a Site Link
Add/Remove sites to/from a Site Link
Modify the cost associated with a site link
Modify the replication period associated with a site link / Control link availability
Modify the replication schedule for a site link
Delete a Site Link
Create a Site Link bridge (object)
Add/Remove sites to/from a Site Link Bridge
Create a single bridge for the entire network / Turn off the “Bridge all site links” option for IP/SMTP transport
Enable Reciprocal Replication between sites (only for IP transport links)
Enable Change Notification between sites (only for IP transport links)
Delete a Site Link bridge (object)
Create a Connection (object)
Take ownership of a KCC-generated connection object
Manually set a schedule for connection objects
Enable/disable data compression for intersite replication
Delete a Connection (object)
Change the default setting for the intra-site replication schedule within a site
Designate / Remove a preferred bridgehead server
Replace a failed Preferred Bridgehead Server
Specify a fixed-port for RPC-based replication
Adjust default size of packets that transport Active Directory replication data
Increase the level of detail logged by the KCC in the event log
Modify the interval at which the KCC runs its first replication topology after the DC starts
Modify the interval at which the KCC checks the replication topology (after it has run the first time)
Force Replication Topology Generation
Modify the holdback timer that determines the interval between the time a change is made and the time that the source server notifies its replication partners within a site
Modify the default delay between notifications to all the replication partners of a DC
Force replication between two servers
Force a synchronization between two servers
Set a DC not to contact the PDC emulator if the PDC emulator role owner is not in the current site
Modify the thresholds that make the KCC exclude non-responding servers when it recognizes that a DC has failed or is unresponsive
Get Replication Latency Information
Get Pending operations on DC (Queue Length)
Check Replication Status
Back up Active Directory
Perform a Non-Authoritative restore of Active Directory from Backup Media
Perform an Authoritative restore of Active Directory from Backup Media
Perform an online defragmentation of the Ntds.dit database
Perform an offline defragmentation of the Ntds.dit database
Move the Ntds.dit file to a new location
Move the directory service log files to a new location
Perform a soft recovery of the database
Specify the location of the Ntds.dit file
Specify the location of the log files
Specify the Active Directory working directory
Restore Database/Subtree of database
Perform semantic database analysis
Designate a DC as a Global Catalog
Force the directory service to do garbage collection
Specify the directory service garbage collection period
Force the directory service to recalculate the Exchange Address Book information hierarchy
Update the Schema cache on demand
Force directory service to recompute ACL inheritance on a naming context
Force the directory service to check stale phantom objects
Force the directory service to immediately refresh the group cache by contacting an available GC
Force the directory service to remove lingering objects from a Domain Controller
Reanimate Tombstones
Force the directory service to perform an online defrag on a Domain Controller
Specify the default amount of time a dynamic object will exist in the directory
Specify the minimum amount of time a dynamic object will exist in the directory
Specify the delay between deleting a server object and it being permanently removed from the replication topology
Specify the number of days before a deleted object is removed from the directory (tombstone lifetime)
Adjust ANR searching behavior
Put the directory in the special “List Object” mode
Restrict anonymous operations (other than rootDSE searches and binds) through LDAP
Control the behavior of the userPassword attribute
Specify which SPN types are mapped to “host”
Increase the level of detail logged by the KCC in the event log
Modify the level of detail logged for Security Events
Modify the level of detail logged by events related to communication between Active Directory and Exchange clients
Modify the level of detail logged when objects marked for deletion are actually deleted
Modify the level of detail logged by directory service operations
Modify the level of detail logged by directory access events
Modify the level of detail logged by internal operation of directory service code
Modify the level of detail logged by events related to loading and unloading the NTDS performance object and performance counters
Modify the level of detail logged by events related to starting and stopping the directory service
Modify the level of detail logged by directory service events
Modify the level of detail logged by the events related to address resolution and Active Directory names
Modify the level of detail logged by the events related to the backup of Active Directory
Modify the level of detail logged by events related to LDAP
Modify the level of detail logged by events related to running the Active Directory Installation wizard
Modify the level of detail logged by events related to the Global Catalog
Modify the level of detail logged by events related to the Inter-site messaging service
Designate a DC as a Global Catalog
Modify the default Domain Controller Group Policy
Modify the default Domain Policy
Create a new Active Directory–integrated zone
Delete an Active Directory–integrated zone
Write Active Directory–integrated zone parameters
Write the RootHints (stored in Active Directory)
Create a new name in the Active Directory–integrated zone
Write the records in the Active Directory–integrated zone

Create an Organizational Unit
Delete an Organizational Unit
Rename an Organizational Unit
Move an Organizational Unit
Modify Description of an Organizational Unit
Modify Street of an Organizational Unit
Modify City/Province of an Organizational Unit
Modify State of an Organizational Unit
Modify Zip/Postal Code of an Organizational Unit
Modify Country/Region of an Organizational Unit
Modify Managed-By Information of an OU
Change the COM+ partition set that an Organizational Unit is a member of
Modify the Group Policy applied to an Organizational Unit
Delegate Control of an Organizational Unit
Create a group
Delete a group
Move a group
Rename a group
Specify the Pre-Windows 2000 compatible name for the group
Modify the description of a group
Modify the e-mail address for a group
Modify the scope of the group
Modify the type of the group
Modify notes for a group
Modify group membership
Specify Managed-By Information of a Group
Create a computer account
Delete a computer account
Rename a computer account
Move a computer account
Disable a computer account
Reset a computer account
Add a computer account to a group
Specify the Pre-Windows 2000 compatible name for a computer
Set a computer’s DNS name
Specify a computer’s role
Specify the computer’s description
Specify the computer’s location
Specify Managed-By information for a computer account
Specify the Operating System running on a computer
Specify the Operating System Service Pack for a computer
Specify the Operating System Version for the Computer
Specify a computer’s physical location
Specify that a computer account be trusted for delegation
Specify whether a computer account can be trusted for delegation to any service (Kerberos only)
Specify that a computer account be trusted for delegation to specific services only
Specify “Use Kerberos Only”
Specify “Use any authentication protocol”
Add/Remove the services to which a computer account can present delegated credentials

Create a user account in disabled state
Create a user account
Delete a user account
Rename a user account
Move a user account
Disable a user account
Unlock a user account
Enable a disabled user account
Reset a user account’s password
Force a user account to change the password at the next logon
Modify a user’s first name
Modify a user’s initials
Modify a user’s last name
Modify a user’s display name
Modify a user account’s description
Modify a user’s office location
Modify a user’s telephone number
Modify the location of a user’s primary web page
Modify a user’s e-mail address
Modify a user’s street address
Modify a user’s P.O box
Modify a user’s city/province
Modify a user’s state
Modify a user’s zip/postal code
Modify a user’s country/region
Modify a user’s UPN
Modify a user’s Pre-Windows 2000 user logon name
Modify the hours during which a user can log on
Specify the computers from which a user can log on
Set User cannot change password for a user account
Set Password Never Expires for a user account
Set Store Password Using Reversible Encryption for a user account
Disable a user account
Set Smart card is required for interactive logon for a user account
Set Account is sensitive and cannot be delegated for a user account
Set Use DES encryption types for this account for a user account
Set Do not require Kerberos pre-authentication for a user account
Specify the date when a user account expires
Specify a profile path for a user
Specify a logon script for a user
Specify the drive letter to which to map the UNC path specified by the home directory for a user account
Specify a user’s home folder local path
Specify the home folder to connect to for a user account
Specify a user’s home telephone number
Specify the user’s other Home Telephone numbers
Specify a user’s pager number
Specify other pager numbers for a user
Specify a user’s mobile number
Specify other mobile numbers for a user
Specify a user’s facsimile number
Specify other facsimile numbers for a user
Specify a user’s IP phone number
Specify other IP phone numbers for a user
Modify notes for a user account
Specify a user’s title
Specify a user’s department
Specify a user’s manager
View certificates issued to a user
Add certificates from store for a user
Add certificates from file for a user
Remove a certificate for a user
Copy a user’s certificate to a file
Add a user account to a group
Remove the user from a group
Set the Primary Group (used for POSIX Compliance) for a user
Create a user account in disabled state
Create a user account
Delete a user account
Rename a user account
Move a user account
Disable a user account
Unlock a user account
Enable a disabled user account
Reset a user account’s password
Force a user account to change the password at the next logon
Modify a user’s first name
Modify a user’s initials
Modify a user’s last name
Modify a user’s display name
Modify a user account’s description
Modify a user’s office location
Modify a user’s telephone number
Modify the location of a user’s primary web page
Modify a user’s e-mail address
Modify a user’s street address
Modify a user’s P.O box
Modify a user’s city/province
Modify a user’s state
Modify a user’s zip/postal code
Modify a user’s country/region
Modify a user’s UPN
Modify a user’s Pre-Windows 2000 user logon name
Modify the hours during which a user can log on
Specify the computers from which a user can log on

Create a print-queue
Delete a print-queue
Rename a print-queue
Move a print-queue
Specify the display name of an attached printer
Specify the server name for a print server
Specify the Pre-Windows 2000 compatible server name for print servers

Create a service-specific container in the System container
Publish service-related objects in the System container
Create a connection-point object
Specify the version of the schema an application was based on
Specify service-specific binding information for a service
Specify the string name of the service that an administration point represents
Specify the type of DNS Record that an application would look up for a service
Specify an application or other vendor name
Specify a general purpose version number for a service
Specify a general purpose Major version number for a service
Specify a general purpose Minor version number for a service
Create a service-specific container in the System container

Edit a Group Policy object
Modify security on a Group Policy object
Link a GPO to an OU, domain, or site.
Perform Group Policy Modeling analysis for objects in a domain or OU
Perform Group Policy Results analysis for objects in a domain or OU
