Book Description

Active Directory Domain Services 2008 How-To

Real Solutions for Active Directory 2008 Administrators

John Policelli

Need fast, reliable, easy-to-implement solutions for Microsoft Active Directory 2008? This book delivers exactly what you’re looking for. You’ll find nearly 250 tested, step-by-step procedures for planning, installing, customizing, and managing Active Directory Domain Services (AD DS) in any production environment. Completely up-to-date, it fully reflects the brand new version of Active Directory introduced in Windows Server 2008, which contains the most significant changes since AD was first introduced. When time is of the essence, turn here first: get answers you can trust—and use—right now!

Fast, Accurate, and Easy-to-Use!

  • Prepare for Active Directory Domain Services installation

  • Install and uninstall Active Directory Domain Services

  • Manage trust relationships and functional levels

  • Manage Operations Master Roles and Global Catalog Servers

  • Efficiently administer sites and replication

  • Manage the Active Directory Domain Services schema

  • Administer Active Directory DS data

  • Make the most of Active Directory Group Policies

  • Manage password replication policies

  • Implement fine-grained password and account lockout policies

  • Safely back up and recover Active Directory DS

  • Use Active Directory’s improved auditing capabilities to track changes more effectively

About the Author

John Policelli has been honored by Microsoft as a Microsoft MVP for Directory Services. A solutions-focused IT consultant with over a decade of success in architecture, security, IT strategy, and disaster recovery, John has designed and implemented dozens of complex directory service, e-Messaging, web, networking, and security enterprise solutions. He has provided thought leadership for some of Canada’s largest Active Directory installations. He has also served as an author, technical reviewer, and subject matter expert for more than 50 training, exam writing, press, and whitepaper projects related to Windows Server 2008 Identity and Access Management, networking, and collaboration. His technology certifications include MCTS, MCSA, ITSM, iNet+, Network+, and A+.

    Category: Microsoft / Windows Server

    Table of Contents

    1. Copyright
      1. Dedication
    2. About the Author
    3. Acknowledgments
    4. We Want to Hear from You!
      1. Reader Services
    5. Introduction
      1. Overview of This Book
      2. How-To Benefit from This Book
      3. How-To Continue Expanding Your Knowledge
    6. 1. Introduction to Active Directory Domain Services
      1. What’s New in Windows Server 2008 Active Directory Domain Services
      2. Windows Server 2008 System Requirements
      3. Installing Windows Server 2008
    7. 2. Prepare for Active Directory Domain Services Installation
      1. Prepare an Existing Forest for Windows Server 2008 Active Directory Domain Services
      2. Prepare an Existing Domain for Windows Server 2008 Active Directory Domain Services
      3. Prepare an Existing Domain for a Read-Only Domain Controller
    8. 3. Install and Uninstall Active Directory Domain Services
      1. Install a New Windows Server 2008 Forest
        1. Install a New Forest by Using the Windows Interface
        2. Install a New Forest by Using the Command Line
        3. Install a New Forest by Using an Answer File
      2. Install a New Windows Server 2008 Child Domain
        1. Install a Child Domain by Using the Windows Interface
        2. Install a Child Domain by Using the Command Line
        3. Install a Child Domain by Using an Answer File
      3. Install a New Windows Server 2008 Domain Tree
        1. Install a Domain Tree by Using the Windows Interface
        2. Install a Domain Tree by Using the Command Line
        3. Install a Domain Tree by Using an Answer File
      4. Install an Additional Windows Server 2008 Domain Controller
        1. Install an Additional Domain Controller by Using the Windows Interface
        2. Install an Additional Domain Controller by Using the Command Line
        3. Install an Additional Domain Controller by Using an Answer File
      5. Perform a Staged Installation of a Read-Only Domain Controller
        1. Stage 1: Create an RODC Account in AD DS
        2. Stage 2: Attach Server to RODC Account
      6. Install AD DS from Restored Backup Media
        1. Create Installation Media
        2. Install AD DS from Media
      7. Remove a Domain Controller from a Domain
      8. Forcing the Removal of a Windows Server 2008 Domain Controller
      9. Performing Metadata Cleanup
      10. Rename a Domain Controller
    9. 4. Manage Trusts and Functional Levels
      1. Create Forest Trusts
        1. Create a Two-Way Forest Trust
        2. Create a One-way Incoming Forest Trust
        3. Create a One-Way Outgoing Forest Trust
      2. Create External Trusts
        1. Create a Two-Way External Trust
        2. Create a One-Way Incoming Forest Trust
        3. Create a One-Way Outgoing Forest Trust
      3. Create Realm Trusts
      4. Create Shortcut Trusts
      5. Change the Routing Status of a Name Suffix
      6. Enable or Disable an Existing Name Suffix from Routing
      7. Exclude Name Suffixes from Routing to a Local Forest
      8. Configure Authentication Scope for a Trust
      9. Validate Trusts
      10. Remove Trusts
      11. Add a User Principal Name to a Forest
      12. Remove a User Principal Name from a Forest
      13. Configure Domain Functional Levels
      14. Configure Forest Functional Levels
    10. 5. Manage Operations Master Roles and Global Catalog Servers
      1. Enable the Global Catalog Role
        1. Enable the Global Catalog Role by Using the Windows Interface
        2. Enable the Global Catalog Role by Using the Command Line
      2. Disable the Global Catalog Role
        1. Disable the Global Catalog Role by Using the Windows Interface
        2. Disable the Global Catalog Role by Using the Command Line
      3. Verify Global Catalog Server Readiness
        1. Verify Global Catalog Server Readiness by Using LDP
        2. Verify Global Catalog Server Readiness by Using NLTest
      4. Verify Global Catalog DNS Registrations
      5. Determine Global Catalog Servers
        1. Identify All Global Catalog Servers in the Forest
        2. Identify All Global Catalog Servers in a Domain
      6. Identify Operations Master Role Holders
        1. Identify Operations Master Role Holders by Using Dsquery
        2. Identify Operations Master Role Holders by Using Netdom
      7. Validate Domain Controller Advertising
      8. Transfer the Schema Master Role
        1. Transfer the Schema Master Role by Using the Windows Interface
        2. Transfer the Schema Master Role by Using the Command Line
      9. Transfer the Domain Naming Master Role
        1. Transfer the Domain Naming Master Role by Using the Windows Interface
        2. Transfer the Domain Naming Master Role by Using the Command Line
      10. Transfer the RID Master Role
        1. Transfer the RID Master Role by Using the Windows Interface
        2. Transfer the RID Master Role by Using the Command Line
      11. Transfer the PDC Emulator Role
        1. Transfer the PDC Emulator Role by Using the Windows Interface
        2. Transfer the PDC Emulator Role by Using the Command Line
      12. Transfer the Infrastructure Master Role
        1. Transfer the Infrastructure Master Role by Using the Windows Interface
        2. Transfer the Infrastructure Master Role by Using the Command Line
      13. Seize the Schema Master Role
      14. Seize the Domain Naming Master Role
      15. Seize the RID Master Role
      16. Seize the PDC Emulator Role
      17. Seize the Infrastructure Master Role
    11. 6. Manage Sites and Replication
      1. Create Sites
      2. Remove Sites
      3. Enable Universal Group Membership Caching
      4. Disable Universal Group Membership Caching
      5. Configure Site Properties
      6. Create Site Links
      7. Remove Site Links
      8. Configure Site Link Properties
      9. Associate a Site with a Site Link
      10. Create Site Link Bridges
      11. Remove Site Link Bridges
      12. Add a Subnet
      13. Remove a Subnet
      14. Move Domain Controllers Between Sites
      15. Enable a Domain Controller as a Preferred Bridgehead Server
      16. Disable a Domain Controller as a Preferred Bridgehead Server
      17. Create Manual Connection Objects
      18. Remove Connection Objects
      19. Disable KCC for a Site
      20. Enable KCC for a Site
      21. Disable Inbound Replication
      22. Enable Inbound Replication
      23. Disable Outbound Replication
      24. Enable Outbound Replication
      25. Disable the Bridge All Site Links Option
      26. Enable the Bridge All Site Links Option
      27. Verify Replication Is Functioning
      28. Trigger Replication
    12. 7. Manage the Active Directory Domain Services Schema
      1. Install the Active Directory Schema Snap-In
      2. Apply Active Directory Schema Administrative Permissions
      3. View Schema Class and Attribute Definitions
      4. Create Attributes
      5. Deactivate Attributes
      6. Activate Attributes
      7. Index Attributes
      8. Remove Attributes from the Index
      9. Add Attributes to Ambiguous Name Resolution Filter
      10. Remove Attributes from Ambiguous Name Resolution Filter
      11. Add Attributes to Global Catalog Replication
      12. Remove Attributes from Global Catalog Replication
      13. Configure Attributes to Be Copied When Duplicating Users
      14. Configure Attributes Not to Be Copied When Duplicating Users
      15. Configuring Attributes to Be Indexed for Containerized Searches
      16. Configuring Attributes Not to Be Indexed for Containerized Searches
      17. Configure Attribute Range
      18. Create Classes
      19. Deactivate Classes
      20. Activate Classes
      21. Configure Classes to Be Visible in Advanced View
      22. Configure Classes Not to Be Visible in Advanced View
      23. Configure Class Relationships
      24. Configure Class Attributes
    13. 8. Manage Active Directory Domain Services Data
      1. Create User Object
        1. Create User Object by Using the Windows Interface
        2. Create User Object by Using the Command Line
      2. Delete User Object
        1. Delete User Object by Using the Windows Interface
        2. Delete User Object by Using the Command Line
      3. Rename User Object
        1. Rename User Object by Using the Windows Interface
        2. Rename User Object by Using the Command Line
      4. Copy User Object
      5. Move User Object
        1. Move User Object by Using the Windows Interface
        2. Move User Object by Using the Command Line
      6. Add User to Group
        1. Add User to Group by Using the Windows Interface
        2. Add User to Group by Using the Command Line
      7. Disable a User Object
        1. Disable User Object by Using the Windows Interface
        2. Disable a User Object by Using the Command Line
      8. Enable a User Object
        1. Enable User Object by Using the Windows Interface
        2. Enable User Object by Using the Command Line
      9. Reset a User Account Password
        1. Reset a User Account Password by Using the Windows Interface
        2. Reset a User Account Password by Using the Command Line
      10. Modify a User Object’s General Properties
      11. Modify a User Object’s Address Properties
      12. Modify a User Object’s Account Properties
      13. Modify a User’s Logon Hours
      14. Modify the Computers a User Can Log On To
      15. Modify a User Object’s Profile Properties
      16. Modify a User Object’s Telephone Properties
      17. Modify a User Object’s Organization Properties
      18. Modify a User’s Manager
      19. View a User Object’s Direct Reports
      20. Modify a User’s Group Membership
      21. Modify a User Object’s Dial-in Properties
      22. Modify a User Object’s Environment Properties
      23. Modify a User Object’s Sessions Properties
      24. Modify a User Object’s Remote Control Properties
      25. Modify a User Object’s Terminal Services Properties
      26. Modify a User Object’s COM+ Properties
      27. Modify a User Object’s Published Certificates Properties
      28. View the Password Replication Policies Applied to a User Object
      29. Modify a User Object’s Protection from Deletion Properties
      30. Modify a User Object’s Custom Attributes
      31. Create a Group Object
        1. Create Group Object by Using the Windows Interface
        2. Create Group Object by Using the Command Line
      32. Delete a Group Object
        1. Delete a Group Object by Using the Windows Interface
        2. Delete a Group Object by Using the Command Line
      33. Rename a Group Object
        1. Rename a Group Object by Using the Windows Interface
        2. Rename a Group Object by Using the Command Line
      34. Move a Group Object
        1. Move a Group Object by Using the Windows Interface
        2. Move a Group Object by Using the Command Line
      35. Add a Group to a Group
        1. Add a Group to a Group by Using the Windows Interface
        2. Add a Group to a Group by Using the Command Line
      36. Modify a Group Object’s General Properties
      37. Modify a Group Object’s Scope
      38. Modify a Group Object’s Type
      39. Modify a Group Object’s Members
      40. Modify a Group Object’s Managed By Properties
      41. Modify a Group Object’s Protection from Deletion
      42. Modify a Group Object’s Custom Attributes
      43. Create a Computer Object
        1. Create a Computer Object by Using the Windows Interface
        2. Create a Computer Object by Using the Command Line
      44. Delete a Computer Object
        1. Delete a Computer Object by Using the Windows Interface
        2. Delete a Computer Object by Using the Command Line
      45. Move a Computer Object
        1. Move a Computer Object by Using the Windows Interface
        2. Move a Computer Object by Using the Command Line
      46. Add a Computer to a Group
        1. Add a Computer to a Group by Using the Windows Interface
        2. Add a Computer to a Group by Using the Command Line
      47. Disable a Computer Object
        1. Disable a Computer Object by Using the Windows Interface
        2. Disable a Computer Object by Using the Command Line
      48. Enable a Computer Object
        1. Enable a Computer Object by Using the Windows Interface
        2. Enable a Computer Object by Using the Command Line
      49. Modify a Computer Object’s General Properties
      50. View a Computer Object’s Operating System Properties
      51. Modify a Computer Object’s Delegation Properties
      52. View the Password Replication Policies Applied to a Computer Object
      53. Modify a Computer Object’s Location Properties
      54. Modify a Computer Object’s Managed By Properties
      55. Modify a Computer Object’s Protection from Deletion
      56. Modify a Computer Object’s Custom Attributes
      57. Create an Organizational Unit
        1. Create an Organizational Unit by Using the Windows Interface
        2. Create an Organizational Unit by Using the Command Line
      58. Delete an Organizational Unit
        1. Delete an Organizational Unit by Using the Windows Interface
        2. Delete an Organizational Unit by Using the Command Line
      59. Rename an Organizational Unit
        1. Rename an Organizational Unit by Using the Windows Interface
        2. Rename an Organizational Unit by Using the Command Line
      60. Move an Organizational Unit
        1. Move an Organizational Unit by Using the Windows Interface
        2. Move an Organizational Unit Object by Using the Command Line
      61. Modify an Organizational Unit’s General Properties
      62. Modify an Organizational Unit’s Managed By Properties
      63. Modify an Organizational Unit’s COM+ Properties
      64. Modify an Organizational Unit’s Protection from Deletion
      65. Modify an Organizational Unit’s Custom Attributes
    14. 9. Manage Group Policy
      1. Create Group Policy Objects
      2. Delete Group Policy Objects
      3. Create Starter GPOs
      4. Delete Starter GPOs
      5. Create a New Group Policy Object from a Starter GPO
      6. Edit Group Policy Objects and Starter GPOs
      7. Copy Group Policy Objects and Starter GPOs
      8. Comment Group Policy Objects and Starter GPOs
      9. View, Print, and Save a Report for Group Policy Objects
      10. Back Up Group Policy Objects and Starter GPOs
      11. Restore Group Policy Objects and Starter GPOs
      12. Export a Starter GPO
      13. Import a Starter GPO
      14. Search Group Policy Objects
      15. Create a Migration Table
      16. Automatically Populate a Migration Table from a Group Policy Object
      17. Link a Group Policy Object
      18. Remove a Group Policy Object Link
      19. Disable a Group Policy Object Link
      20. Enable a Group Policy Object Link
      21. Enforce a Group Policy Object Link
      22. Remove the Enforcement of a Group Policy Object Link
      23. Block Inheritance of Group Policy Objects
      24. Remove Block Inheritance of Group Policy Objects
      25. Change the Order of Group Policy Object Links
      26. Filter Group Policy Object Scope by Using Security Groups
      27. Disable User Settings in a Group Policy Object
      28. Disable Computer Settings in a Group Policy Object
      29. Create a WMI Filter
      30. Import a WMI Filter
      31. Export a WMI Filter
      32. Copy a WMI Filter
      33. Link a WMI Filter to a Group Policy Object
      34. Determine a Resultant Set of Policy
      35. Simulate a Resultant Set of Policy Using Group Policy Modeling
      36. Delegate Permissions on a Group Policy Object
      37. Modify Delegated Permissions on a Group Policy Object
      38. Remove Delegated Permissions on a Group Policy Object
      39. Delegate Permissions to Link Group Policy Objects
      40. Modify Delegated Permissions to Link Group Policy Objects
      41. Remove Delegated Permissions to Link Group Policy Objects
      42. Delegate Permissions for Generating Group Policy Modeling Data
      43. Modify Delegated Permissions for Generating Group Policy Modeling Data
      44. Remove Delegated Permissions for Generating Group Policy Modeling Data
      45. Delegate Permissions for Generating Group Policy Results
      46. Modify Delegated Permissions for Generating Group Policy Results
      47. Remove Delegated Permissions for Generating Group Policy Results
      48. Delegate Permissions for WMI Filters
      49. Modify Delegated Permissions for WMI Filters
      50. Remove Delegated Permissions for WMI Filters
    15. 10. Manage Password Replication Policies
      1. Add a User, Group, or Computer to the Password Replication Policy
      2. Remove a User, Group, or Computer from the Password Replication Policy
      3. View Cached Credentials on a Read-Only Domain Controller
      4. Review Accounts That Have Been Authenticated on a Read-only Domain Controller
      5. Automatically Move Accounts That Have Been Authenticated by an RODC to the Allowed List
      6. Pre-populate the Password Cache for Read-only Domain Controller
      7. Reset the Credentials That Are Cached on a Read-only Domain Controller
    16. 11. Manage Fine-Grained Password and Account Lockout Policies
      1. Create Password Settings Objects
      2. Delete Password Settings Objects
      3. View Settings Defined in Password Settings Objects
      4. Modify Settings Defined in Password Settings Objects
      5. Apply a Password Settings Object to Users and Security Groups
      6. Modify the Precedence for Password Settings Objects
      7. View the Resultant Password Settings Objects for a User or Group
      8. Create Shadow Groups
    17. 12. Manage Active Directory Domain Services Backup and Recovery
      1. Install the Windows Server Backup Server Feature
      2. Perform an Unscheduled Backup of Critical Volumes of a Domain Controller
        1. Perform an Unscheduled Backup of Critical Volumes of a Domain Controller by Using the Windows Interface
        2. Perform an Unscheduled Backup of Critical Volumes of a Domain Controller by Using the Command Line
      3. Perform an Unscheduled System State Backup of a Domain Controller
      4. Perform an Unscheduled Full Server Backup of a Domain Controller
        1. Perform an Unscheduled Full Server Backup of a Domain Controller by Using the Windows Interface
        2. Perform an Unscheduled Full Server Backup of a Domain Controller by Using the Command Line
      5. Schedule Regular Full Server Backups of a Domain Controller
        1. Schedule Regular Full Server Backups of a Domain Controller by Using the Windows Interface
        2. Schedule Regular Full Server Backups of a Domain Controller by Using the Command Line
      6. Perform a Nonauthoritative Restore of Active Directory Domain Services
      7. Perform an Authoritative Restore of Deleted Active Directory Domain Services Objects
      8. Perform a Full Server Recovery of a Domain Controller
        1. Perform a Full Server Recovery of a Domain Controller by Using the Windows Interface
        2. Perform a Full Server Recovery of a Domain Controller by Using the Command Line
      9. Create a Onetime Active Directory Domain Services Snapshot
      10. Create Scheduled Active Directory Domain Services Snapshots
      11. Expose an Active Directory Domain Services Snapshot as an LDAP Server
      12. Access Data Stored in Active Directory Domain Services Snapshots
        1. Access Data Stored in Active Directory Domain Services Snapshots by Using LDP.exe
        2. Access Data Stored in Active Directory Domain Services Snapshots by Active Directory Users and Computers
    18. 13. Manage Active Directory Domain Services Auditing
      1. Enable the Global Audit Policy
        1. Enable the Global Audit Policy by Using the Windows Interface
        2. Enable the Global Audit Policy by Using the Command Line
      2. Disable the Global Audit Policy
        1. Disable the Global Audit Policy by Using the Windows Interface
        2. Disable the Global Audit Policy by Using the Command Line
      3. Retrieve the State of Directory Service Access Auditing Subcategories
      4. Enable the Directory Service Access Auditing Subcategory
      5. Disable the Directory Service Access Auditing Subcategory
      6. Enable the Directory Service Changes Auditing Subcategory
      7. Disable the Directory Service Changes Auditing Subcategory
      8. Enable the Directory Service Replication Auditing Subcategory
      9. Disable the Directory Service Replication Auditing Subcategory
      10. Enable the Detailed Directory Service Replication Auditing Subcategory
      11. Disable the Detailed Directory Service Replication Auditing Subcategory
      12. Configure Auditing on Object Security Access Control Lists
      13. Exclude an Attribute from Directory Service Auditing