Active Directory, 5th Edition

Book description

Organize your network resources by learning how to design, manage, and maintain Active Directory. Updated to cover Windows Server 2012, the fifth edition of this bestselling book gives you a thorough grounding in Microsoft’s network directory service by explaining concepts in an easy-to-understand, narrative style.

Table of Contents

  1. Special Upgrade Offer
  2. Preface
    1. 1. Intended Audience
    2. 2. Contents of the Book
    3. 3. Conventions Used in This Book
    4. Using Code Examples
    5. Safari® Books Online
    6. How to Contact Us
    7. 4. Acknowledgments
      1. For the Fourth and Fifth Editions (Brian)
      2. For the Third Edition (Joe)
      3. For the Second Edition (Robbie)
      4. For the First Edition (Alistair)
    8. Content Updates
      1. May 15, 2013
  3. 1. A Brief Introduction
    1. 1.1. Evolution of the Microsoft NOS
      1. A Brief History of Directories
    2. 1.2. Summary
  4. 2. Active Directory Fundamentals
    1. 2.1. How Objects Are Stored and Identified
      1. Uniquely Identifying Objects
        1. Distinguished names
        2. Examples
    2. 2.2. Building Blocks
      1. Domains and Domain Trees
      2. Forests
      3. Organizational Units
      4. The Global Catalog
      5. Flexible Single Master Operator (FSMO) Roles
      6. Time Synchronization in Active Directory
      7. Domain and Forest Functional Levels
        1. Windows 2000 domain mode
      8. Groups
        1. Group membership across domain boundaries
        2. Converting groups
    3. 2.3. Summary
  5. 3. Active Directory Management Tools
    1. 3.1. Management Tools
      1. Active Directory Administrative Center
        1. PowerShell History
        2. Global Search
        3. Multiple-domain support
        4. Extensibility
      2. Active Directory Users and Computers
        1. Advanced Features
        2. Saved Queries
        3. Controlling drag-and-drop moves
        4. Taskpads
      3. ADSI Edit
      4. LDP
    2. 3.2. Customizing the Active Directory Administrative Snap-ins
      1. Display Specifiers
      2. Property Pages
      3. Context Menus
      4. Icons
      5. Display Names
      6. Object Creation Wizard
    3. 3.3. Active Directory PowerShell Module
    4. 3.4. Best Practices Analyzer
    5. 3.5. Active Directory-Based Machine Activation
    6. 3.6. Summary
  6. 4. Naming Contexts and Application Partitions
    1. 4.1. Domain Naming Context
    2. 4.2. Configuration Naming Context
    3. 4.3. Schema Naming Context
    4. 4.4. Application Partitions
      1. Storing Dynamic Data
    5. 4.5. Summary
  7. 5. Active Directory Schema
    1. 5.1. Structure of the Schema
      1. X.500 and the OID Namespace
    2. 5.2. Attributes (attributeSchema Objects)
      1. Dissecting an Example Active Directory Attribute
    3. 5.3. Attribute Properties
      1. Attribute Syntax
      2. systemFlags
        1. Constructed attributes
        2. Category 1 objects
      3. schemaFlagsEx
      4. searchFlags
        1. Indexed attributes
        2. Ambiguous name resolution
        3. Preserving attributes in a tombstone
        4. The subtree index
        5. The tuple index
        6. Confidentiality
        7. Attribute change auditing
        8. The filtered attribute set
      5. Property Sets and attributeSecurityGUID
      6. Linked Attributes
      7. MAPI IDs
    4. 5.4. Classes (classSchema Objects)
      1. Object Class Category and Inheritance
      2. Dissecting an Example Active Directory Class
        1. How inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClass
        2. Viewing the user class with the Active Directory Schema snap-in
      3. Dynamically Linked Auxiliary Classes
    5. 5.5. Summary
  8. 6. Site Topology and Active Directory Replication
    1. 6.1. Site Topology
      1. Site and Replication Management Tools
      2. Subnets
        1. Managing subnets
        2. Troubleshooting subnet data problems
      3. Sites
        1. Managing sites
      4. Site Links
        1. Managing site links
      5. Site Link Bridges
      6. Connection Objects
      7. Knowledge Consistency Checker
    2. 6.2. How Replication Works
      1. A Background to Metadata
        1. Update sequence numbers (USNs) and highestCommittedUSN
        2. Originating updates versus replicated updates
        3. DSA GUIDs and invocation IDs
        4. High-watermark vector (direct up-to-dateness vector)
        5. Up-to-dateness vector
        6. Recap
      2. How an Object’s Metadata Is Modified During Replication
        1. Step 1: Initial creation of a user on Server A
        2. Step 2: Replication of the originating write to DC B
        3. Step 3: Password change for the user on DC B
        4. Step 4: Password-change replication to DC A
      3. The Replication of a Naming Context Between Two Servers
        1. Step 1: Replication with a partner is initiated
        2. Step 2: The partner works out what updates to send
        3. Step 3: The partner sends the updates to the initiating server
        4. Step 4: The initiating server processes the updates
        5. Step 5: The initiating server checks whether it is up to date
        6. Recap
      4. How Replication Conflicts Are Reconciled
        1. Conflict due to identical attribute change
        2. Conflict due to a move or creation of an object under a now-deleted parent
        3. Conflict due to creation of objects with names that conflict
        4. Replicating the conflict resolution
    3. 6.3. Common Replication Problems
      1. Lingering Objects
      2. USN Rollback
    4. 6.4. Summary
  9. 7. Searching Active Directory
    1. 7.1. The Directory Information Tree
      1. Database Structure
        1. Hidden table
        2. Data table
        3. Link table
        4. Security descriptor table
    2. 7.2. Searching the Database
      1. Filter Operators
      2. Connecting Filter Components
      3. Search Bases
      4. Modifying Behavior with LDAP Controls
    3. 7.3. Attribute Data Types
      1. Dates and Times
      2. Bit Masks
      3. The In-Chain Matching Rule
    4. 7.4. Optimizing Searches
      1. Efficient Searching
        1. Using the stats control
      2. objectClass Versus objectCategory
    5. 7.5. Summary
  10. 8. Active Directory and DNS
    1. 8.1. DNS Fundamentals
      1. Zones
      2. Resource Records
      3. Client Lookup Process
      4. Dynamic DNS
      5. Global Names Zones
    2. 8.2. DNSSEC
      1. How Does DNSSEC Work?
        1. Resource records
        2. Lookup process
      2. Configuring DNSSEC for Active Directory DNS
    3. 8.3. DC Locator
    4. 8.4. Resource Records Used by Active Directory
      1. Overriding SRV Record Registration
    5. 8.5. Delegation Options
      1. Not Delegating the AD DNS Zones
        1. Political factors
        2. Initial setup and configuration
        3. Support and maintenance
        4. Integration issues
      2. Delegating the AD DNS Zones
        1. Political factors
        2. Initial setup and configuration
        3. Support and maintenance
        4. Integration issues
    6. 8.6. Active Directory-Integrated DNS
      1. Replication Impact
      2. Background Zone Loading
    7. 8.7. Using Application Partitions for DNS
    8. 8.8. Aging and Scavenging
      1. Configuring Scavenging
        1. Setting zone-specific options
        2. Enabling scavenging on the DNS server
    9. 8.9. Managing DNS with Windows PowerShell
    10. 8.10. Summary
  11. 9. Domain Controllers
    1. 9.1. Building Domain Controllers
      1. Deploying with Server Manager
      2. Using DCPromo on Earlier Versions of Windows
      3. Automating the DC Build Process
    2. 9.2. Virtualization
      1. When to Virtualize
      2. Impact of Virtualization
        1. USN rollback
        2. RID pool reuse
        3. System clock changes
      3. Virtualization Safe Restore
      4. Cloning Domain Controllers
        1. The DC cloning process
        2. Cloning a domain controller
    3. 9.3. Read-Only Domain Controllers
      1. Prerequisites
      2. Password Replication Policies
        1. Managing the password replication policy
        2. Managing the loss of an RODC
      3. The Client Logon Process
        1. Populating the password cache
      4. RODCs and Write Requests
        1. User password changes
        2. Computer account password changes
        3. The lastLogonTimestamp attribute
        4. Last-logon statistics
        5. Logon success/failure information
        6. NetLogon secure channel updates
        7. Replication connection objects
        8. DNS updates
      5. The W32Time Service
      6. Application Compatibility
      7. RODC Placement Considerations
      8. Administrator Role Separation
      9. Promoting an RODC
        1. Prestaging RODC domain controller accounts
    4. 9.4. Summary
  12. 10. Authentication and Security Protocols
    1. 10.1. Kerberos
      1. User Logon
      2. Service Access
        1. Service principal names
        2. Service tickets
      3. Application Access
      4. Logon and Service Access Summary
      5. Delegation and Protocol Transition
        1. Delegation
        2. Protocol Transition
    2. 10.2. Authentication Mechanism Assurance
    3. 10.3. Managed Service Accounts
      1. Preparing for Group Managed Service Accounts
      2. Using Group Managed Service Accounts
    4. 10.4. Summary
  13. 11. Group Policy Primer
    1. 11.1. Capabilities of Group Policy Objects
      1. Group Policy Storage
        1. ADM or ADMX files
        2. How GPOs are stored in Active Directory
        3. Group Policy replication
    2. 11.2. How Group Policies Work
      1. GPOs and Active Directory
      2. Prioritizing the Application of Multiple Policies
      3. Standard GPO Inheritance Rules in Organizational Units
      4. Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
        1. Summary
      5. When Policies Apply
        1. Group Policy Refresh Frequency
      6. Combating Slowdown Due to Group Policy
        1. Limiting the number of GPOs that apply
        2. Limiting cross-domain linking
        3. Limiting use of site policies
        4. Use simple queries in WMI filters
      7. Security Filtering and Group Policy Objects
      8. Loopback Merge Mode and Loopback Replace Mode
      9. Summarizing Group Policy Application
      10. WMI Filtering
      11. Group Policy
    3. 11.3. Managing Group Policies
      1. Using the Group Policy Management Console
      2. Using the Group Policy Management Editor
      3. Group Policy Preferences
        1. Deploying group policy preferences
        2. Item-Level Targeting
      4. Running Scripts with Group Policy
      5. Group Policy Modeling
      6. Delegation and Change Control
        1. The importance of change-control procedures
        2. Designing the delegation of GPO administration
      7. Using Starter GPOs
      8. Group Policy Backup and Restore
      9. Scripting Group Policy
    4. 11.4. Troubleshooting Group Policy
      1. Group Policy Infrastructure Status
      2. Group Policy Results Wizard
      3. Forcing Group Policy Updates
      4. Enabling Extra Logging
        1. Group Policy Logging in Windows 2000, Windows XP, and Windows Server 2003
        2. Group Policy Logging in Windows Vista/Windows Server 2008 and Newer
      5. Group Policy Diagnostic Best Practices Analyzer
      6. Third-Party Troubleshooting Tools
    5. 11.5. Summary
  14. 12. Fine-Grained Password Policies
    1. 12.1. Understanding Password Settings Objects
    2. 12.2. Scenarios for Fine-Grained Password Policies
      1. Defining Password Settings Objects
        1. Defining PSO precedence
    3. 12.3. Creating Password Settings Objects
      1. PSO Quick Start
      2. Building a PSO from Scratch
        1. Creating a PSO with the Active Directory Administrative Center
        2. Creating a PSO with PSOMgr
    4. 12.4. Managing Password Settings Objects
      1. Strategies for Controlling PSO Application
        1. Applying PSOs to groups
        2. Applying PSOs to users
        3. Mixing group application and user application
      2. Managing PSO Application
        1. Applying a PSO with ADAC
        2. Applying a PSO with ADSI Edit
        3. Applying a PSO with ADUC
        4. Applying a PSO with PSOMgr
        5. Viewing the effective PSO
    5. 12.5. Delegating Management of PSOs
    6. 12.6. Summary
  15. 13. Designing the Active Directory Structure
    1. 13.1. The Complexities of a Design
    2. 13.2. Where to Start
    3. 13.3. Overview of the Design Process
    4. 13.4. Domain Namespace Design
      1. Objectives
        1. Represent the structure of your business
      2. Step 1: Decide on the Number of Domains
        1. Isolated replication
        2. Unique domain policy
        3. Final notes
      3. Step 2: Design and Name the Tree Structure
        1. Choose the forest root domain
        2. Design the namespace naming scheme
        3. Create additional trees
        4. Create additional forests
        5. Arrange the subdomain hierarchy
    5. 13.5. Design of the Internal Domain Structure
      1. Step 3: Design the Hierarchy of Organizational Units
        1. Recreating the business model
        2. Delegating full administration
        3. Delegating other rights
      2. Step 4: Design the Workstation and Server Naming Conventions
      3. Step 5: Plan for Users and Groups
        1. Naming and placing users
        2. Naming and placing groups
    6. 13.6. Other Design Considerations
    7. 13.7. Design Examples
      1. Tailspin Toys
        1. Step 1: Decide on the number of domains
        2. Step 2: Design and name the tree structure
        3. Step 3: Design the hierarchy of organizational units
        4. Step 4: Design the workstation and server naming conventions
        5. Step 5: Plan for users and groups
      2. Contoso College
        1. Step 1: Decide on the number of domains
        2. Step 2: Design and name the tree structure
        3. Step 3: Design the hierarchy of organizational units
        4. Step 4: Design the workstation and server naming conventions
        5. Step 5: Plan for users and groups
      3. Fabrikam
        1. Step 1: Decide on number of domains
        2. Step 2: Design and name the tree structure
        3. Step 3: Design the hierarchy of organizational units
        4. Step 4: Design the workstation and server naming conventions
        5. Step 5: Plan for users and groups
    8. 13.8. Recognizing Nirvana’s Problems
    9. 13.9. Summary
  16. 14. Creating a Site Topology
    1. 14.1. Intrasite and Intersite Topologies
      1. The KCC
      2. Automatic Intrasite Topology Generation by the KCC
        1. Two servers
        2. Three servers
        3. Four servers
        4. Eight servers
        5. Now what?
      3. Site Links: The Basic Building Blocks of Intersite Topologies
        1. Cost
        2. Schedule
        3. Transport
        4. When the ISTG becomes involved
      4. Site Link Bridges: The Second Building Blocks of Intersite Topologies
    2. 14.2. Designing Sites and Links for Replication
      1. Step 1: Gather Background Data for Your Network
      2. Step 2: Plan the Domain Controller Locations
        1. Where to put domain controllers
        2. How many domain controllers to have
        3. Placing a domain controller in more than one site
      3. Step 3: Design the Sites
      4. Step 4: Create Site Links
      5. Step 5: Create Site Link Bridges
    3. 14.3. Design Examples
      1. Tailspin Toys
        1. Step 1: Gather background data for your network
        2. Step 2: Plan the domain controller locations
        3. Step 3: Design the sites
        4. Step 4: Create site links
      2. Contoso College
        1. Step 1: Gather background data for your network
        2. Step 2: Plan the domain controller locations
        3. Step 3: Design the sites
        4. Step 4: Create site links
      3. Fabrikam
        1. Step 1: Gather background data for your network
        2. Step 2: Plan the domain controller locations
        3. Step 3: Design the sites
        4. Step 4: Create site links
    4. 14.4. Additional Resources
    5. 14.5. Summary
  17. 15. Planning for Group Policy
    1. 15.1. Using GPOs to Help Design the Organizational Unit Structure
      1. Identifying Areas of Policy
      2. Guidelines for Designing GPOs
    2. 15.2. Design Examples
      1. Tailspin Toys
      2. Contoso College
      3. Fabrikam
    3. 15.3. Summary
  18. 16. Active Directory Security: Permissions and Auditing
    1. 16.1. Permission Basics
      1. Permission ACEs
      2. Property Sets, Validated Writes, and Extended Rights
      3. Inherited Versus Explicit Permissions
      4. Default Security Descriptors
      5. Permission Lockdown
      6. The Confidentiality Bit
      7. Protecting Objects from Accidental Deletion
    2. 16.2. Using the GUI to Examine Permissions
      1. Reverting to the Default Permissions
      2. Viewing the Effective Permissions for a User or Group
      3. Using the Delegation of Control Wizard
    3. 16.3. Using the GUI to Examine Auditing
    4. 16.4. Designing Permissions Schemes
      1. The Five Golden Rules of Permissions Design
        1. Rule 1: Apply permissions to groups whenever possible
        2. Rule 2: Design group permissions so that you have minimal duplication
        3. Rule 3: Manage advanced permissions only when absolutely necessary
        4. Rule 4: Allow inheritance; do not protect sections of the domain tree from inheritance
        5. Rule 5: Keep a log of changes
      2. How to Plan Permissions
      3. Bringing Order out of Chaos
    5. 16.5. Designing Auditing Schemes
      1. Implementing Auditing
      2. Tracking Last Interactive Logon Information
    6. 16.6. Real-World Active Directory Delegation Examples
      1. Hiding Specific Personal Details for All Users in an Organizational Unit from a Group
      2. Allowing Only a Specific Group of Users to Access a New Published Resource
      3. Restricting Everyone but HR from Viewing National/Regional ID Numbers with the Confidential Bit
    7. 16.7. The AdminSDHolder Process
    8. 16.8. Dynamic Access Control
      1. Configuring Active Directory for DAC
        1. Configuring claim types
        2. Configuring central access policies
        3. Kerberos policies
      2. Using DAC on the File Server
        1. Compound expressions with groups
        2. Using claims in your ACLs
        3. Auditing
    9. 16.9. Summary
  19. 17. Designing and Implementing Schema Extensions
    1. 17.1. Nominating Responsible People in Your Organization
    2. 17.2. Thinking of Changing the Schema
      1. Designing the Data
      2. To Change or Not to Change
      3. The Global Picture
    3. 17.3. Creating Schema Extensions
      1. Running the AD Schema Management MMC Snap-in for the First Time
      2. The Schema Cache
      3. The Schema Master FSMO
      4. Using LDIF to Extend the Schema
      5. Checks the System Makes When You Modify the Schema
      6. Making Classes and Attributes Defunct
      7. Mitigating a Schema Conflict
    4. 17.4. Summary
  20. 18. Backup, Recovery, and Maintenance
    1. 18.1. Backing Up Active Directory
      1. Using the NT Backup Utility
      2. Using Windows Server Backup
    2. 18.2. Restoring a Domain Controller
      1. Restore from Replication
        1. Manually removing a domain controller from Active Directory
      2. Restore from Backup
      3. Install from Media
        1. Creating and using IFM media on Windows Server 2003
        2. Creating and using IFM media on Windows Server 2008 and newer
    3. 18.3. Restoring Active Directory
      1. Nonauthoritative Restore
        1. Restoring with NT Backup
        2. Restoring with Windows Server Backup
      2. Partial Authoritative Restore
      3. Complete Authoritative Restore
    4. 18.4. Working with Snapshots
    5. 18.5. Active Directory Recycle Bin
      1. Deleted Object Lifecycle
      2. Enabling the Recycle Bin
      3. Undeleting Objects
        1. Using ADAC
        2. Using PowerShell
    6. 18.6. FSMO Recovery
    7. 18.7. Restartable Directory Service
    8. 18.8. DIT Maintenance
      1. Checking the Integrity of the DIT
      2. Reclaiming Space
      3. Changing the DS Restore Mode Admin Password
    9. 18.9. Summary
  21. 19. Upgrading Active Directory
    1. 19.1. Active Directory Versions
      1. Windows Server 2003
        1. New features
        2. Differences in functionality
      2. Windows Server 2008
        1. New features
        2. Differences in functionality
      3. Windows Server 2008 R2
        1. New features
        2. Differences in functionality
      4. Windows Server 2012
        1. New features
        2. Differences in functionality
    2. 19.2. Functional Levels
      1. Raising the Functional Level
      2. Functional Level Rollback
    3. 19.3. Beginning the Upgrade
    4. 19.4. Known Issues
    5. 19.5. Summary
  22. 20. Active Directory Lightweight Directory Services
    1. 20.1. Common Uses for AD LDS
    2. 20.2. AD LDS Terms
    3. 20.3. Differences Between AD and AD LDS
      1. Standalone Application Service
      2. Configurable LDAP Ports
      3. No SRV Records
      4. No Global Catalog
      5. Top-Level Application Partition Object Classes
      6. Group and User Scope
      7. FSMOs
      8. Schema
      9. Service Account
      10. Configuration/Schema Partition Names
      11. Default Directory Security
      12. User Principal Names
      13. Authentication
      14. Users in the Configuration Partition
      15. New and Updated Tools
    4. 20.4. AD LDS Installation
      1. Installing the Server Role
      2. Installing a New AD LDS Instance
      3. Installing an AD LDS Replica
      4. Enabling the Recycle Bin
    5. 20.5. Tools
      1. ADAM Install
      2. ADAM Sync
      3. ADAM Uninstall
      4. AD Schema Analyzer
      5. AD Schema MMC Snap-in
      6. ADSI Edit
      7. dsdbutil
      8. dsmgmt
      9. ldifde
      10. LDP
      11. repadmin
    6. 20.6. The AD LDS Schema
      1. Default Security Descriptors
      2. Bindable Objects and Bindable Proxy Objects
    7. 20.7. Using AD LDS
      1. Creating Application Partitions
      2. Creating Containers
      3. Creating Users
      4. Creating User Proxies
        1. Special considerations
      5. Renaming Users
      6. Creating Groups
      7. Adding Members to Groups
      8. Removing Members from Groups
      9. Deleting Objects
      10. Deleting Application Partitions
      11. Controlling Access to Objects and Attributes
    8. 20.8. Summary
  23. 21. Active Directory Federation Services
    1. 21.1. Introduction to Federated Identity
      1. How It Works
      2. SAML
      3. WS-Federation
    2. 21.2. Understanding ADFS Components
      1. The Configuration Database
      2. Federation Servers
      3. Federation Server Proxies
      4. ADFS Topologies
        1. Single federation server
        2. Single federation server and federation proxy
        3. Load-balanced ADFS servers
        4. Geographically redundant ADFS servers
    3. 21.3. Deploying ADFS
      1. Federation Servers
        1. Certificates
        2. Configuring ADFS
        3. Service configuration
      2. Federation Server Proxies
    4. 21.4. Relying Party Trusts
    5. 21.5. Claims Rules and the Claims Pipeline
      1. The Pipeline
      2. Creating and Sending Claims Through the Pipeline
    6. 21.6. Customizing ADFS
      1. Forms-Based Logon Pages
      2. Attribute Stores
    7. 21.7. Troubleshooting ADFS
      1. Event Logs
      2. Fiddler
    8. 21.8. Summary
  24. A. Programming the Directory with the .NET Framework
    1. A.1. Choosing a .NET Programming Language
    2. A.2. Choosing a Development Tool
      1. .NET IDE Options
      2. .NET Development Without an IDE
    3. A.3. .NET Framework Versions
      1. Which .NET Framework Comes with Which OS?
      2. Directory Programming Features by .NET Framework Release
      3. Assemblies Versus Namespaces
      4. Summary of Namespaces, Assemblies, and Framework Versions
    4. A.4. Directory Services Programming Landscape
      1. System.DirectoryServices Overview
        1. Other nice things in System.DirectoryServices
        2. System.DirectoryServices summary
      2. System.DirectoryServices.ActiveDirectory Overview
        1. Why use System.DirectoryServices.ActiveDirectory?
        2. System.DirectoryServices.ActiveDirectory summary
      3. System.DirectoryServices.Protocols Overview
        1. Why use System.DirectoryServices.Protocols?
        2. System.DirectoryServices.Protocols summary
      4. System.DirectoryServices.AccountManagement Overview
        1. Why use System.DirectoryServices.AccountManagement?
        2. System.DirectoryServices.AccountManagement summary
    5. A.5. .NET Directory Services Programming by Example
      1. Connecting to the Directory
      2. Searching the Directory
      3. Basics of Modifying the Directory
        1. Basic add example
        2. Basic remove examples
        3. Moving and renaming objects
        4. Modifying existing objects
      4. Managing Users
        1. Managing users with System.DirectoryServices.AccountManagement
      5. Overriding SSL Server Certificate Verification with SDS.P
    6. A.6. Summary
  25. Index
  26. About the Authors
  27. Colophon
  28. Special Upgrade Offer
  29. Copyright