Book description

Working with Microsoft's network directory service for the first time can be a headache for system and network administrators, IT professionals, technical project managers, and programmers alike. This authoritative guide is meant to relieve that pain. Instead of going through the graphical user interface screen by screen, O'Reilly's bestselling Active Directory tells you how to design, manage, and maintain a small, medium, or enterprise Active Directory infrastructure.

Fully updated to cover Active Directory for Windows Server 2003 SP1 and R2, this third edition is full of important updates and corrections. It's perfect for all Active Directory administrators, whether you manage a single server or a global multinational with thousands of servers.

Active Directory, 3rd Edition is divided into three parts. Part I introduces much of how Active Directory works, giving you a thorough grounding in its concepts. Some of the topics include Active Directory replication, the schema, application partitions, group policies, and interaction with DNS. Part II details the issues around properly designing the directory infrastructure. Topics include designing the namespace, creating a site topology, designing group policies for locking down client settings, auditing, permissions, backup and recovery, and a look at Microsoft's future direction with Directory Services. Part III covers how to create and manipulate users, groups, printers, and other objects that you may need in your everyday management of Active Directory.

If you want a book that lays bare the design and management of an enterprise or departmental Active Directory, then look no further. Active Directory, 3rd Edition will quickly earn its place among the books you don't want to be without.

Table of Contents

  1. Active Directory, 3rd Edition
  2. A Note Regarding Supplemental Files
  3. Preface
    1. Intended Audience
    2. Contents of the Book
      1. Part I, Active Directory Basics
      2. Part II, Designing an Active Directory Infrastructure
      3. Part III, Scripting Active Directory with ADSI, ADO, and WMI
    3. Conventions Used in This Book
    4. Using Code Examples
    5. How to Contact Us
    6. Safari Enabled
    7. Acknowledgments
      1. For the Third Edition (Joe)
      2. For the Second Edition (Robbie)
      3. For the First Edition (Alistair)
  4. I. Active Directory Basics
    1. 1. A Brief Introduction
      1. 1.1. Evolution of the Microsoft NOS
        1. 1.1.1. Brief History of Directories
      2. 1.2. Windows NT Versus Active Directory
      3. 1.3. Windows 2000 Versus Windows Server 2003
      4. 1.4. Windows Server 2003 Versus Windows Server 2003 R2
      5. 1.5. Summary
    2. 2. Active Directory Fundamentals
      1. 2.1. How Objects Are Stored and Identified
        1. 2.1.1. Uniquely Identifying Objects
          1. 2.1.1.1. ADsPaths
          2. 2.1.1.2. Examples
      2. 2.2. Building Blocks
        1. 2.2.1. Domains and Domain Trees
        2. 2.2.2. Forests
        3. 2.2.3. Organizational Units
        4. 2.2.4. Global Catalog
        5. 2.2.5. Flexible Single Master of Operations (FSMO)
        6. 2.2.6. Windows 2000 Domain Mode
        7. 2.2.7. Windows Server 2003 Functional Levels
        8. 2.2.8. Groups
          1. 2.2.8.1. Groups in Windows NT
          2. 2.2.8.2. Group availability in various functional levels
          3. 2.2.8.3. Group nesting in different functional levels
          4. 2.2.8.4. Group membership across domain boundaries
          5. 2.2.8.5. Converting groups
          6. 2.2.8.6. Wrap-up
      3. 2.3. Summary
    3. 3. Naming Contexts and Application Partitions
      1. 3.1. Domain Naming Context
      2. 3.2. Configuration Naming Context
      3. 3.3. Schema Naming Context
      4. 3.4. Application Partitions
        1. 3.4.1. Storing Dynamic Data
      5. 3.5. Summary
    4. 4. Active Directory Schema
      1. 4.1. Structure of the Schema
        1. 4.1.1. X.500 and the OID Namespace
      2. 4.2. Attributes (attributeSchema Objects)
        1. 4.2.1. Dissecting an Example Active Directory Attribute
      3. 4.3. Attribute Properties
        1. 4.3.1. Attribute Syntax
        2. 4.3.2. System Flags
          1. 4.3.2.1. Constructed attributes
          2. 4.3.2.2. Category 1 objects
        3. 4.3.3. Search Flags
          1. 4.3.3.1. Indexed attributes
          2. 4.3.3.2. ANR
          3. 4.3.3.3. Preserve attribute in tombstone
          4. 4.3.3.4. Tuple index
          5. 4.3.3.5. Confidential
        4. 4.3.4. Property Sets and attributeSecurityGUID
        5. 4.3.5. Linked Attributes
      4. 4.4. Classes (classSchema Objects)
        1. 4.4.1. Object Class Category and Inheritance
        2. 4.4.2. Dissecting an Example Active Directory Class
          1. 4.4.2.1. How inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClass
          2. 4.4.2.2. Viewing the user class with the Active Directory Schema snap-in
        3. 4.4.3. Dynamically Linked Auxiliary Classes
      5. 4.5. Summary
    5. 5. Site Topology and Replication
      1. 5.1. Site Topology
        1. 5.1.1. Subnets
        2. 5.1.2. Sites
        3. 5.1.3. Site Links
        4. 5.1.4. Connection Objects
        5. 5.1.5. Knowledge Consistency Checker (KCC)
        6. 5.1.6. Site and Replication Management Tools
      2. 5.2. Data Replication
        1. 5.2.1. A Background to Metadata (Data That Governs the Replication Process)
          1. 5.2.1.1. Update Sequence Numbers (USN) and highestCommittedUSN
          2. 5.2.1.2. Originating updates versus replicated updates
          3. 5.2.1.3. DSA GUID and Invocation ID
          4. 5.2.1.4. High-watermark vector (direct up-to-dateness vector)
          5. 5.2.1.5. Up-to-dateness vector
          6. 5.2.1.6. Recap
        2. 5.2.2. How an Object's Metadata Is Modified During Replication
          1. 5.2.2.1. Step 1: Initial creation of a user on Server A
          2. 5.2.2.2. Step 2: Replication of the originating write to Server B
          3. 5.2.2.3. Step 3: Password change for the user on Server B
          4. 5.2.2.4. Step 4: Password change replication to Server A
        3. 5.2.3. The Replication of a Naming Context Between Two Servers
          1. 5.2.3.1. Step 1: Replication with a partner is initiated
          2. 5.2.3.2. Step 2: The partner works out what updates to send
          3. 5.2.3.3. Step 3: The partner sends the updates to the initiating server
          4. 5.2.3.4. Step 4: The initiating server processes the updates
          5. 5.2.3.5. Step 5: The initiating server checks whether it is up to date
          6. 5.2.3.6. Recap
        4. 5.2.4. How Replication Conflicts Are Reconciled
          1. 5.2.4.1. Conflict due to identical property change
          2. 5.2.4.2. Conflict due to a move or creation of an object under a now-deleted parent
          3. 5.2.4.3. Conflict due to creation of objects with names that conflict
          4. 5.2.4.4. Replicating the conflict resolution
      3. 5.3. Summary
    6. 6. Active Directory and DNS
      1. 6.1. DNS Fundamentals
        1. 6.1.1. Zones
        2. 6.1.2. Resource Records
        3. 6.1.3. DDNS
      2. 6.2. DC Locator
      3. 6.3. Resource Records Used by Active Directory
        1. 6.3.1. Overriding SRV Record Registration
      4. 6.4. Delegation Options
        1. 6.4.1. Not Delegating the AD DNS Zones
          1. 6.4.1.1. Political factors
          2. 6.4.1.2. Initial setup and configuration
          3. 6.4.1.3. Support and maintenance
          4. 6.4.1.4. Integration issues
        2. 6.4.2. Delegating the AD DNS Zones
          1. 6.4.2.1. Political factors
          2. 6.4.2.2. Initial setup and configuration
          3. 6.4.2.3. Support and maintenance
          4. 6.4.2.4. Integration issues
        3. 6.4.3. DNS for Standalone AD
      5. 6.5. Active Directory Integrated DNS
        1. 6.5.1. Replication Impact
      6. 6.6. Using Application Partitions for DNS
      7. 6.7. Summary
    7. 7. Profiles and Group Policy Primer
      1. 7.1. A Profile Primer
        1. 7.1.1. The Default User and All User Folders
        2. 7.1.2. Logging On Locally to the Workstation
        3. 7.1.3. Logging On to the Domain
        4. 7.1.4. Cached Profile Deletion
        5. 7.1.5. A Server-Based Default User Profile
      2. 7.2. Capabilities of GPOs
        1. 7.2.1. Group Policy Refresh Frequency
        2. 7.2.2. Software Installation Settings (Computer and User)
        3. 7.2.3. Windows Settings (Computer)
        4. 7.2.4. Administrative Templates (Computer)
          1. 7.2.4.1. Windows components
          2. 7.2.4.2. Windows settings (user)
          3. 7.2.4.3. Administrative templates (user)
        5. 7.2.5. Windows Components
      3. 7.3. Additional Resources
      4. 7.4. Summary
  5. II. Designing an Active Directory Infrastructure
    1. 8. Designing the Namespace
      1. 8.1. The Complexities of a Design
      2. 8.2. Where to Start
      3. 8.3. Overview of the Design Process
      4. 8.4. Domain Namespace Design
        1. 8.4.1. Objectives
          1. 8.4.1.1. Represent the structure of your business
          2. 8.4.1.2. Minimize the number of domains
        2. 8.4.2. Step 1: Decide on the Number of Domains
          1. 8.4.2.1. Isolated replication
          2. 8.4.2.2. Unique domain policy
          3. 8.4.2.3. In-place upgrade of current domain
          4. 8.4.2.4. Final notes
        3. 8.4.3. Step 2: Design and Name the Tree Structure
          1. 8.4.3.1. Choose the forest root domain
          2. 8.4.3.2. Design the namespace naming scheme
          3. 8.4.3.3. Create additional trees
          4. 8.4.3.4. Create additional forests
          5. 8.4.3.5. Arrange subdomain hierarchy
        4. 8.4.4. Step 3: Design the Workstation and Server-Naming Scheme
      5. 8.5. Design of the Internal Domain Structure
        1. 8.5.1. Step 4: Design the Hierarchy of Organizational Units
          1. 8.5.1.1. Recreating the business model
          2. 8.5.1.2. Delegating full administration
          3. 8.5.1.3. Delegating other rights
        2. 8.5.2. Step 5: Design the Users and Groups
          1. 8.5.2.1. Naming and placing users
          2. 8.5.2.2. Naming and placing groups
          3. 8.5.2.3. Creating proper security group designs
        3. 8.5.3. Step 6: Design the Global Catalog
          1. 8.5.3.1. Including and excluding attributes
        4. 8.5.4. Step 7: Design the Application Partition Structure
      6. 8.6. Other Design Considerations
      7. 8.7. Design Examples
        1. 8.7.1. TwoSiteCorp
          1. 8.7.1.1. Step 1: Set the number of domains
          2. 8.7.1.2. Step 2: Design and name the tree structure
          3. 8.7.1.3. Step 3: Design the workstation and server-naming scheme
          4. 8.7.1.4. Step 4: Design the hierarchy of Organizational Units
          5. 8.7.1.5. Step 5: Design the users and groups
          6. 8.7.1.6. Step 6: Design the Global Catalog
          7. 8.7.1.7. Step 7: Design the application partition structure
          8. 8.7.1.8. Recap
        2. 8.7.2. RetailCorp
          1. 8.7.2.1. Step 1: Identify the number of domains
          2. 8.7.2.2. Step 2: Design and name the tree structure
          3. 8.7.2.3. Step 3: Design the workstation and server-naming scheme
          4. 8.7.2.4. Step 4: Design the hierarchy of Organizational Units
          5. 8.7.2.5. Step 5: Design the users and groups
          6. 8.7.2.6. Step 6: Design the Global Catalog
          7. 8.7.2.7. Step 7: Design the application partition structure
          8. 8.7.2.8. Recap
        3. 8.7.3. PetroCorp
          1. 8.7.3.1. Step 1: Set the number of domains
          2. 8.7.3.2. Step 2: Design and name the tree structure
          3. 8.7.3.3. Step 3: Design the workstation and server-naming scheme
          4. 8.7.3.4. Step 4: Design the hierarchy of Organizational Units
          5. 8.7.3.5. Step 5: Design the users and groups
          6. 8.7.3.6. Step 6: Design the Global Catalog
          7. 8.7.3.7. Step 7: Design the application partition structure
          8. 8.7.3.8. Recap
      8. 8.8. Designing for the Real World
        1. 8.8.1. Identify the Number of Domains
        2. 8.8.2. Design to Help Business Plans and Budget Proposals
        3. 8.8.3. Recognizing Nirvana's Problems
      9. 8.9. Summary
    2. 9. Creating a Site Topology
      1. 9.1. Intrasite and Intersite Topologies
        1. 9.1.1. The KCC
        2. 9.1.2. Automatic Intrasite Topology Generation by the KCC
          1. 9.1.2.1. Two servers
          2. 9.1.2.2. Three servers
          3. 9.1.2.3. Four servers
          4. 9.1.2.4. Eight servers
          5. 9.1.2.5. Now what?
        3. 9.1.3. Site Links: The Basic Building Blocks of Intersite Topologies
          1. 9.1.3.1. Cost
          2. 9.1.3.2. Schedule
          3. 9.1.3.3. Transport
          4. 9.1.3.4. When the KCC becomes involved
          5. 9.1.3.5. Having the KCC compound your mistakes
        4. 9.1.4. Site Link Bridges: The Second Building Blocks of Intersite Topologies
      2. 9.2. Designing Sites and Links for Replication
        1. 9.2.1. Step 1: Gather Background Data for Your Network
        2. 9.2.2. Step 2: Design the Sites
        3. 9.2.3. Step 3: Design the Domain Controller Locations
          1. 9.2.3.1. Where to put DCs
          2. 9.2.3.2. How many DCs to have
          3. 9.2.3.3. Reasons for putting a server in more than one site
        4. 9.2.4. Step 4: Plan Intrasite Replication
        5. 9.2.5. Step 5: Decide How You Will Use the KCC to Your Advantage
        6. 9.2.6. Step 6: Create Site Links for Low-Cost, Well-Connected Links
        7. 9.2.7. Step 7: Create Site Links for Medium-Cost Links
        8. 9.2.8. Step 8: Create Site Links for High-Cost Links
        9. 9.2.9. Step 9: Create Site Link Bridges
        10. 9.2.10. Step 10: Design the Replication Schedule
      3. 9.3. Examples
        1. 9.3.1. TwoSiteCorp
        2. 9.3.2. RetailCorp
        3. 9.3.3. PetroCorp
      4. 9.4. Additional Resources
      5. 9.5. Summary
    3. 10. Designing Organization-Wide Group Policies
      1. 10.1. How GPOs Work
        1. 10.1.1. How GPOs Are Stored in Active Directory
        2. 10.1.2. How GPOs Are Used in Active Directory
        3. 10.1.3. Prioritizing the Application of Multiple Policies
        4. 10.1.4. Standard GPO Inheritance Rules in Organizational Units
        5. 10.1.5. Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
          1. 10.1.5.1. Summary
        6. 10.1.6. When Policies Apply
        7. 10.1.7. Local Group Policy Objects
        8. 10.1.8. How Existing Windows NT 4.0 System Policies Affect GPO Processing
        9. 10.1.9. When to Use Windows NT System Policies
        10. 10.1.10. Combating Slowdown Due to GPOs
          1. 10.1.10.1. Limiting the number of GPOs that apply
          2. 10.1.10.2. Block Inheritance and No Override
          3. 10.1.10.3. Disabling parts of GPOs
          4. 10.1.10.4. Limiting cross-domain linking
          5. 10.1.10.5. Limiting GPO application across WAN links
          6. 10.1.10.6. Use simple queries in WMI filters
        11. 10.1.11. The Power of Access Control Lists on Group Policy Objects
        12. 10.1.12. Loopback Merge Mode and Loopback Replace Mode
        13. 10.1.13. WMI Filtering in Windows Server 2003
        14. 10.1.14. How GPOs Work Across RAS and Slow Links
        15. 10.1.15. Summary of Policy Options
      2. 10.2. Managing Group Policies
        1. 10.2.1. Using the Group Policy Object Editor
        2. 10.2.2. Using the Group Policy Management Console (GPMC)
        3. 10.2.3. Scripting Group Policies
      3. 10.3. Using GPOs to Help Design the Organizational Unit Structure
        1. 10.3.1. Identifying Areas of Policy
        2. 10.3.2. How GPOs Influenced a Real Organizational Unit Design
          1. 10.3.2.1. The merits of collapsing the Organizational Unit structure
          2. 10.3.2.2. A bridge too far
          3. 10.3.2.3. Loopback mode
        3. 10.3.3. Guidelines for Designing GPOs
        4. 10.3.4. Designing Delegation and Change Control
          1. 10.3.4.1. The importance of change-control procedures
          2. 10.3.4.2. Designing the delegation of GPO administration
          3. 10.3.4.3. Creating customized GPOEs for administrators
      4. 10.4. Debugging Group Policies
        1. 10.4.1. Using the RSoP
        2. 10.4.2. Enabling Extra Logging
      5. 10.5. Summary
    4. 11. Active Directory Security: Permissions and Auditing
      1. 11.1. Permission Basics
        1. 11.1.1. Permission ACE
        2. 11.1.2. Property Sets, Validated Writes, and Extended Rights
        3. 11.1.3. Inherited Versus Explicit Permissions
        4. 11.1.4. Default Security Descriptors
        5. 11.1.5. Permission Lockdown
        6. 11.1.6. Confidentiality Bit
      2. 11.2. Using the GUI to Examine Permissions
        1. 11.2.1. Reverting to the Default Permissions
        2. 11.2.2. Viewing the Effective Permissions for a User or Group
        3. 11.2.3. Using the Delegation of Control Wizard
      3. 11.3. Using the GUI to Examine Auditing
      4. 11.4. Designing Permission Schemes
        1. 11.4.1. The Five Golden Rules of Permissions Design
          1. 11.4.1.1. Rule 1: Apply permissions to groups whenever possible
          2. 11.4.1.2. Rule 2: Design group permissions so that you have minimum duplication
          3. 11.4.1.3. Rule 3: Manage Advanced permissions only when absolutely necessary
          4. 11.4.1.4. Rule 4: Allow inheritance; do not protect sections of the domain tree from inheritance
          5. 11.4.1.5. Rule 5: Keep a log of unusual changes
        2. 11.4.2. How to Plan Permissions
        3. 11.4.3. Bringing Order out of Chaos
      5. 11.5. Designing Auditing Schemes
      6. 11.6. Real-World Examples
        1. 11.6.1. Hiding Specific Personal Details for All Users in an Organizational Unit from a Group
        2. 11.6.2. Allowing Only a Specific Group of Users to Access a New Published Resource
        3. 11.6.3. Restricting Everyone but HR from Viewing Social Security Numbers with Confidential Access Capability
      7. 11.7. Summary
    5. 12. Designing and Implementing Schema Extensions
      1. 12.1. Nominating Responsible People in Your Organization
      2. 12.2. Thinking of Changing the Schema
        1. 12.2.1. Designing the Data
        2. 12.2.2. To Change or Not to Change
        3. 12.2.3. The Global Picture
      3. 12.3. Creating Schema Extensions
        1. 12.3.1. Running the Schema Manager MMC for the First Time
        2. 12.3.2. The Schema Cache
        3. 12.3.3. The Schema FSMO
        4. 12.3.4. Using LDIF to Extend the Schema
        5. 12.3.5. Checks the System Makes When You Modify the Schema
        6. 12.3.6. Making Classes and Attributes Defunct
      4. 12.4. Summary
    6. 13. Backup, Recovery, and Maintenance
      1. 13.1. Backing Up Active Directory
        1. 13.1.1. Using the NT Backup Utility
      2. 13.2. Restoring a Domain Controller
        1. 13.2.1. Restore from Replication
          1. 13.2.1.1. Manually removing a domain controller from Active Directory
        2. 13.2.2. Restore from Backup
      3. 13.3. Restoring Active Directory
        1. 13.3.1. Non-Authoritative Restore
        2. 13.3.2. Partial Authoritative Restore
        3. 13.3.3. Complete Authoritative Restore
      4. 13.4. FSMO Recovery
      5. 13.5. DIT Maintenance
        1. 13.5.1. Checking the Integrity of the DIT
        2. 13.5.2. Reclaiming Space
        3. 13.5.3. Changing the DS Restore Mode Admin Password
      6. 13.6. Summary
    7. 14. Upgrading to Windows Server 2003
      1. 14.1. New Features in Windows Server 2003
      2. 14.2. Differences with Windows 2000
      3. 14.3. Functional Levels Explained
        1. 14.3.1. How to Raise the Functional Level
      4. 14.4. Preparing for ADPrep
        1. 14.4.1. ForestPrep
        2. 14.4.2. DomainPrep
      5. 14.5. Upgrade Process
        1. 14.5.1. Inventory Domain Controllers
        2. 14.5.2. Inventory Clients
        3. 14.5.3. Trial Run
        4. 14.5.4. Prepare the Forest and Domains
          1. 14.5.4.1. Exchange 2000
          2. 14.5.4.2. SFU 2.0
        5. 14.5.5. Upgrade Domain Controllers
      6. 14.6. Post-Upgrade Tasks
        1. 14.6.1. Monitor
        2. 14.6.2. Raise Functional Levels
        3. 14.6.3. Tweak Settings
        4. 14.6.4. Start Implementing New Features
      7. 14.7. Summary
    8. 15. Upgrading to Windows Server 2003 R2
      1. 15.1. New Active Directory Features in Windows Server 2003 Service Pack 1
      2. 15.2. Differences with Windows Server 2003
      3. 15.3. New Active Directory Features in Windows Server 2003 R2
      4. 15.4. Preparing for ADPrep
        1. 15.4.1. ForestPrep
      5. 15.5. Service Pack 1 Upgrade Process
      6. 15.6. R2 Upgrade Process
        1. 15.6.1. Prepare the Forest
        2. 15.6.2. Upgrade Domain Controllers
      7. 15.7. Summary
    9. 16. Migrating from Windows NT
      1. 16.1. The Principles of Upgrading Windows NT Domains
        1. 16.1.1. Preparing for a Domain Upgrade
        2. 16.1.2. Forests and the Forest Root Domain
        3. 16.1.3. Windows NT Domain Upgrades
          1. 16.1.3.1. Solution 1: Migration to a new forest root domain
          2. 16.1.3.2. Solution 2: Migration with one domain as the domain-tree root
          3. 16.1.3.3. Solution 3: Migration to separate domain trees in a forest
        4. 16.1.4. A Solution-Independent Migration Process
        5. 16.1.5. Consolidating Domains After the Move
          1. 16.1.5.1. Windows 2003 Interim and Windows 2003 functional levels and groups
          2. 16.1.5.2. Computers
          3. 16.1.5.3. Users
          4. 16.1.5.4. Member servers and removing domains
      2. 16.2. Summary
    10. 17. Integrating Microsoft Exchange
      1. 17.1. A Quick Word About Exchange/AD Interaction
      2. 17.2. Preparing Active Directory for Exchange
        1. 17.2.1. Forestprep
        2. 17.2.2. Domainprep
        3. 17.2.3. Running Forestprep and Domainprep
        4. 17.2.4. Active Directory Site Design and Domain Controller Placement
        5. 17.2.5. Other Considerations
      3. 17.3. Exchange 5.5 and the Active Directory Connector
        1. 17.3.1. Configuring the ADC
        2. 17.3.2. Mailbox-Enabling Objects via the GUI
        3. 17.3.3. Why Bidirectional Replication May Not Solve Your Problems
      4. 17.4. Summary
    11. 18. Active Directory Application Mode (ADAM)
      1. 18.1. ADAM Terms
      2. 18.2. Differences Between AD and ADAM V1.0
        1. 18.2.1. Standalone Application Service
        2. 18.2.2. Configurable LDAP Ports
        3. 18.2.3. No SRV Records
        4. 18.2.4. No Global Catalog
        5. 18.2.5. Top-Level Application Partition Object Classes
        6. 18.2.6. Group and User Scope
        7. 18.2.7. FSMOs
        8. 18.2.8. Schema
        9. 18.2.9. Service Account
        10. 18.2.10. Configuration/Schema Partition Names
        11. 18.2.11. Default Directory Security
        12. 18.2.12. User Principal Names
        13. 18.2.13. Authentication
      3. 18.3. ADAM R2 Updates
        1. 18.3.1. Users in the Configuration Partition
        2. 18.3.2. Password Reset/Change Chaining to Windows
        3. 18.3.3. Virtual List View (VLV) Searching
        4. 18.3.4. Confidentiality Bit
        5. 18.3.5. New and Updated Tools
        6. 18.3.6. Installation
        7. 18.3.7. Authentication
        8. 18.3.8. R2 ADAM for R2 Server Only
      4. 18.4. ADAM R2 Installation
        1. 18.4.1. Installing Components
        2. 18.4.2. Installing a New ADAM Instance
        3. 18.4.3. Installing an ADAM Replica
      5. 18.5. Tools
        1. 18.5.1. ADAM ADSIEDIT
        2. 18.5.2. ADAM Schema Management
        3. 18.5.3. ADAM Install
        4. 18.5.4. ADAMSync
        5. 18.5.5. ADAM Uninstall
        6. 18.5.6. AD Schema Analyzer
        7. 18.5.7. CSVDE
        8. 18.5.8. DSACLS
        9. 18.5.9. DSDBUTIL
        10. 18.5.10. DSDiag
        11. 18.5.11. DSMgmt
        12. 18.5.12. LDIFDE
        13. 18.5.13. LDP
        14. 18.5.14. RepAdmin
      6. 18.6. ADAM Schema
        1. 18.6.1. Virtual List View (VLV) Index Support
        2. 18.6.2. Default Security Descriptors
        3. 18.6.3. Bindable Objects and Bindable Proxy Objects
      7. 18.7. Using ADAM
        1. 18.7.1. Creating Application Partitions
        2. 18.7.2. Creating Containers
        3. 18.7.3. Creating Users
        4. 18.7.4. Creating User Proxies
          1. 18.7.4.1. Special considerations
        5. 18.7.5. Renaming Users
        6. 18.7.6. Creating Groups
        7. 18.7.7. Adding Members to Groups
        8. 18.7.8. Removing Members from Groups
        9. 18.7.9. Deleting Objects
        10. 18.7.10. Deleting Application Partitions
      8. 18.8. Summary
    12. 19. Interoperability, Integration, and Future Direction
      1. 19.1. Microsoft's Directory Strategy
        1. 19.1.1. Active Directory Application Mode
        2. 19.1.2. Microsoft Identity Integration Server
        3. 19.1.3. Active Directory's Role
      2. 19.2. Interoperating with Other Directories
        1. 19.2.1. Getting Data from One Directory to Another
        2. 19.2.2. Using Common Tools Across Directories
        3. 19.2.3. Porting Scripts to Work Across Directories
        4. 19.2.4. Making Searches Across Directories Seamless
      3. 19.3. Integrating Applications and Services
        1. 19.3.1. The Application Integration Challenge
          1. 19.3.1.1. Challenges for application vendors
          2. 19.3.1.2. Challenges for Active Directory administrators
          3. 19.3.1.3. ADAM to the rescue
        2. 19.3.2. Integrating Unix
          1. 19.3.2.1. Kerberos and LDAP support
          2. 19.3.2.2. Migrating from NIS
          3. 19.3.2.3. Integrating with NFS
          4. 19.3.2.4. Synchronizing passwords
          5. 19.3.2.5. Third-party integration tools
      4. 19.4. Summary
  6. III. Scripting Active Directory with ADSI, ADO, and WMI
    1. 20. Scripting with ADSI
      1. 20.1. What Are All These Buzzwords?
        1. 20.1.1. ActiveX
        2. 20.1.2. Windows Scripting Host (WSH)
        3. 20.1.3. Active Server Pages (ASPs)
        4. 20.1.4. Active Directory Service Interfaces (ADSI)
        5. 20.1.5. ActiveX Data Objects (ADO)
        6. 20.1.6. Windows Management Instrumentation (WMI)
        7. 20.1.7. .NET and .NET Framework
      2. 20.2. Writing and Running Scripts
        1. 20.2.1. A Brief Primer on COM and WSH
        2. 20.2.2. How to Write Scripts
        3. 20.2.3. WSH 2.0 Versus 5.6
      3. 20.3. ADSI
        1. 20.3.1. Objects and Interfaces
        2. 20.3.2. Namespaces, ProgIDs, and ADsPaths
        3. 20.3.3. Retrieving Objects
      4. 20.4. Simple Manipulation of ADSI Objects
        1. 20.4.1. Creating the OU
        2. 20.4.2. Creating the Users
        3. 20.4.3. Tearing Down What Was Created
      5. 20.5. Further Information
      6. 20.6. Summary
    2. 21. IADs and the Property Cache
      1. 21.1. The IADs Properties
        1. 21.1.1. Using IADs::Get and IADs::Put
        2. 21.1.2. The Property Cache
        3. 21.1.3. Be Careful
        4. 21.1.4. More Complexities of Property Access: IADs::GetEx and IADs::PutEx
          1. 21.1.4.1. Using IADs::GetEx
          2. 21.1.4.2. Using IADs::PutEx
      2. 21.2. Manipulating the Property Cache
        1. 21.2.1. Property Cache Mechanics
        2. 21.2.2. Adding Individual Values
        3. 21.2.3. Adding Sets of Values
        4. 21.2.4. Walking Through the Property Cache
          1. 21.2.4.1. Approach 1: Using the IADsPropertyList::PropertyCount property method
          2. 21.2.4.2. Approach 2: Using the IADsPropertyList::Next method
          3. 21.2.4.3. Approach 3: Using the IADsPropertyList::Next and IADsPropertyList::Skip methods
        5. 21.2.5. Writing the Modifications
        6. 21.2.6. Walking the Property Cache: The Solution
        7. 21.2.7. Walking the Property Cache Using the Formal Schema Class Definition
      3. 21.3. Checking for Errors in VBScript
      4. 21.4. Summary
    3. 22. Using ADO for Searching
      1. 22.1. The First Search
        1. 22.1.1. Step 1: Define the Constants and Variables
        2. 22.1.2. Step 2: Establish an ADO Database Connection
        3. 22.1.3. Step 3: Open the ADO Connection
        4. 22.1.4. Step 4: Execute the Query
        5. 22.1.5. Step 5: Navigate Through the Resultset
        6. 22.1.6. Step 6: Close the ADO Connection
        7. 22.1.7. The Entire Script for a Simple Search
      2. 22.2. Other Ways of Connecting and Retrieving Results
        1. 22.2.1. Searching with SQL
          1. 22.2.1.1. Using the Connection::Execute method
          2. 22.2.1.2. Using the Recordset::Open method
          3. 22.2.1.3. Executing a specific command
          4. 22.2.1.4. The Command object and Recordset::Open
      3. 22.3. Understanding Search Filters
        1. 22.3.1. Items Within a Filter
        2. 22.3.2. Connecting Filters
      4. 22.4. Optimizing Searches
        1. 22.4.1. Efficient Searching
        2. 22.4.2. Objectclass Versus Objectcategory
        3. 22.4.3. Filtering an Existing Resultset
          1. 22.4.3.1. Using a criteria string
          2. 22.4.3.2. Using bookmarks
      5. 22.5. Advanced Search Function: SearchAD
      6. 22.6. Summary
    4. 23. Users and Groups
      1. 23.1. Creating a Simple User Account
      2. 23.2. Creating a Full-Featured User Account
        1. 23.2.1. WinNT Provider
        2. 23.2.2. LDAP Provider
      3. 23.3. Creating Many User Accounts
      4. 23.4. Modifying Many User Accounts
      5. 23.5. Account Unlocker Utility
      6. 23.6. Creating a Group
      7. 23.7. Adding Members to a Group
        1. 23.7.1. Adding Many USER Groups to DRUP Groups
      8. 23.8. Evaluating Group Membership
      9. 23.9. Summary
    5. 24. Basic Exchange Tasks
      1. 24.1. Notes on Managing Exchange
      2. 24.2. Exchange Management Tools
      3. 24.3. Mail-Enabling Versus Mailbox-Enabling
      4. 24.4. Exchange Delegation
      5. 24.5. Mail-Enabling a User
      6. 24.6. Mail-Disabling a User
      7. 24.7. Creating and Mail-Enabling a Contact
      8. 24.8. Mail-Disabling a Contact
      9. 24.9. Mail-Enabling a Group (Distribution List)
      10. 24.10. Mail-Disabling a Group
      11. 24.11. Mailbox-Enabling a User
      12. 24.12. Mailbox-Disabling a User (Mailbox Deletion)
      13. 24.13. Purging a Disconnected Mailbox
      14. 24.14. Reconnecting a Disconnected Mailbox
      15. 24.15. Moving a Mailbox
      16. 24.16. Enumerating Disconnected Mailboxes
      17. 24.17. Viewing Mailbox Sizes and Message Counts
      18. 24.18. Viewing All Store Details of All Mailboxes on a Server
      19. 24.19. Dumping All Store Details of All Mailboxes on All Servers in Exchange Org
      20. 24.20. Summary
    6. 25. Shares and Print Queues
      1. 25.1. The Interface Methods and Properties
      2. 25.2. Creating and Manipulating Shares with ADSI
      3. 25.3. Enumerating Sessions and Resources
        1. 25.3.1. Identifying a Machine's Sessions
        2. 25.3.2. Identifying a Machine's Resources
        3. 25.3.3. A Utility to Show User Sessions
          1. 25.3.3.1. Obtaining the data
          2. 25.3.3.2. Manipulating the data
          3. 25.3.3.3. The sort subprocedure
          4. 25.3.3.4. The duplicate-removal subprocedure
          5. 25.3.3.5. Displaying the data
          6. 25.3.3.6. Room for improvement
      4. 25.4. Manipulating Print Queues and Print Jobs
        1. 25.4.1. Identifying Print Queues in Active Directory
        2. 25.4.2. Binding to a Print Queue
        3. 25.4.3. IADsPrintQueueOperations and Print Queues
        4. 25.4.4. Print Jobs
      5. 25.5. Summary
    7. 26. Permissions and Auditing
      1. 26.1. How to Create an ACE Using ADSI
        1. 26.1.1. Trustee
        2. 26.1.2. AccessMask
        3. 26.1.3. AceType
        4. 26.1.4. AceFlags
        5. 26.1.5. Flags, ObjectType, and InheritedObjectType
      2. 26.2. A Simple ADSI Example
        1. 26.2.1. Discussion
      3. 26.3. A Complex ADSI Example
        1. 26.3.1. Discussion
          1. 26.3.1.1. Unlock account
          2. 26.3.1.2. Set/clear "User Must Change Password On Next Logon" flag
          3. 26.3.1.3. Reset Password
        2. 26.3.2. Making Your Own ACEs
          1. 26.3.2.1. Delegate member attribute on groups
          2. 26.3.2.2. Delegate ability to view Confidential Attribute
          3. 26.3.2.3. How to implement other delegations
      4. 26.4. Creating Security Descriptors
      5. 26.5. Listing the Security Descriptor of an Object
      6. 26.6. Summary
    8. 27. Extending the Schema and the Active Directory Snap-ins
      1. 27.1. Modifying the Schema with ADSI
        1. 27.1.1. IADsClass and IADsProperty
        2. 27.1.2. Creating the Mycorp-LanguagesSpoken Attribute
        3. 27.1.3. Creating the FinanceUser class
          1. 27.1.3.1. Creating instances of the new class
        4. 27.1.4. Finding the Schema Container and Schema FSMO
        5. 27.1.5. Transferring the Schema FSMO Role
        6. 27.1.6. Forcing a Reload of the Schema Cache
        7. 27.1.7. Finding Which Attributes Are in the GC for an Object
        8. 27.1.8. Adding an Attribute to the GC
      2. 27.2. Customizing the Active Directory Administrative Snap-ins
        1. 27.2.1. Display Specifiers
        2. 27.2.2. Property Pages
        3. 27.2.3. Context Menus
        4. 27.2.4. Icons
        5. 27.2.5. Display Names
        6. 27.2.6. Leaf or Container
        7. 27.2.7. Object Creation Wizard
      3. 27.3. Summary
    9. 28. Using ADSI and ADO from ASP or VB
      1. 28.1. VBScript Limitations and Solutions
      2. 28.2. How to Avoid Problems When Using ADSI and ASP
      3. 28.3. Combining VBScript and HTML
        1. 28.3.1. Incorporating Scripts into Active Server Pages
          1. 28.3.1.1. Client-side scripting
          2. 28.3.1.2. Server-side scripting
        2. 28.3.2. ActiveX Controls and ASPs
        3. 28.3.3. Forms
      4. 28.4. Binding to Objects via Authentication
        1. 28.4.1. When to Use VBScript's GetObject Function
        2. 28.4.2. When to Use IADsOpenDSObject::OpenDSObject
        3. 28.4.3. When to Use IADsContainer::GetObject
        4. 28.4.4. Authenticating from Passwords Input via Forms
        5. 28.4.5. A Simple Password Changer
        6. 28.4.6. Adding Users to Groups
      5. 28.5. Incorporating Searches into ASP
        1. 28.5.1. ASP Searches Allowing User Navigation of a Resultset
        2. 28.5.2. Enhancing the User Navigation ASP
          1. 28.5.2.1. Empty resultsets
          2. 28.5.2.2. Starting from scratch
          3. 28.5.2.3. Filters
          4. 28.5.2.4. Displaying the location of individual records
          5. 28.5.2.5. The enhanced ASP search
          6. 28.5.2.6. Problems with this example
        3. 28.5.3. Other Ideas for Expansion
      6. 28.6. Migrating Your ADSI Scripts from VBScript to VB
        1. 28.6.1. Platform Software Development Kit
        2. 28.6.2. The Differences Between VB and VBScript
          1. 28.6.2.1. Screen functions
          2. 28.6.2.2. Variables
          3. 28.6.2.3. Loop constructs
        3. 28.6.3. Getting Help from VB When Coding in ADSI
        4. 28.6.4. A Simple Password Changer in VB
        5. 28.6.5. The ModifyUserDetails Program in VB
      7. 28.7. Summary
    10. 29. Scripting with WMI
      1. 29.1. Origins of WMI
      2. 29.2. WMI Architecture
        1. 29.2.1. CIMOM and CIM Repository
        2. 29.2.2. WMI Providers
      3. 29.3. Getting Started with WMI Scripting
        1. 29.3.1. Referencing an Object
        2. 29.3.2. Enumerating Objects of a Particular Class
        3. 29.3.3. Searching with WQL
        4. 29.3.4. Authentication with WMI
      4. 29.4. WMI Tools
        1. 29.4.1. WMI from a Command Line
        2. 29.4.2. WMI from the Web
        3. 29.4.3. WMI SDK
        4. 29.4.4. Scriptomatic Version 2.0: WMI Scripting Tool
      5. 29.5. Manipulating Services
      6. 29.6. Querying the Event Logs
      7. 29.7. Querying AD with WMI
      8. 29.8. Monitoring Trusts
      9. 29.9. Monitoring Replication
      10. 29.10. Summary
    11. 30. Manipulating DNS
      1. 30.1. DNS Provider Overview
        1. 30.1.1. Installing the DNS Provider
        2. 30.1.2. Managing DNS with the DNS Provider
      2. 30.2. Manipulating DNS Server Configuration
        1. 30.2.1. Listing a DNS Server's Properties
        2. 30.2.2. Configuring a DNS Server
        3. 30.2.3. Restarting the DNS Service
        4. 30.2.4. DNS Server Configuration Check Script
      3. 30.3. Creating and Manipulating Zones
        1. 30.3.1. Creating a Zone
        2. 30.3.2. Configuring a Zone
        3. 30.3.3. Listing the Zones on a Server
      4. 30.4. Creating and Manipulating Resource Records
        1. 30.4.1. Finding Resource Records in a Zone
        2. 30.4.2. Creating Resource Records
      5. 30.5. Summary
    12. 31. Getting Started with VB.NET and System.DirectoryServices
      1. 31.1. The .NET Framework
      2. 31.2. Using VB.NET
      3. 31.3. Overview of System.DirectoryServices
      4. 31.4. DirectoryEntry Basics
      5. 31.5. Searching with DirectorySearcher
      6. 31.6. Manipulating Objects
      7. 31.7. Summary
  7. Index
  8. About the Authors
  9. Colophon
  10. Copyright