Active Directory, Second Edition

Book Description

When Microsoft introduced Windows 2000, the most important change was the inclusion of Active Directory. Though it brings many benefits, it remains a major headache for network and system administrators to design, implement, and support. The first edition of this book, O'Reilly's best-selling Windows 2000 Active Directory, eased their pain considerably. Now titled Active Directory, 2nd Edition, this book provides system and network administrators, IT professionals, technical project managers, and programmers with a clear, detailed look at Active Directory for both Windows 2000 and Windows Server 2003. The upgraded Active Directory that ships with Windows Server 2003 has over 100 new and enhanced features, and once again O'Reilly has the answers to puzzling questions. While Microsoft's documentation serves as an important reference, Active Directory, 2nd Edition is a guide to help the curious (and weary) understand the big picture. In addition to the technical details for implementing Active Directory, several new and significantly enhanced chapters describe the numerous features that have been updated or added in Windows Server 2003, along with coverage of the new programmatic interfaces that are available to manage it. After reading the book you will be familiar with the Lightweight Directory Access Protocol (LDAP), multi-master replication, Domain Name System (DNS), Group Policy, and the Active Directory Schema, among many other topics. Authors Robbie Allen and Alistair G. Lowe-Norris are experienced veterans with real-world experience. Robbie is a Senior Systems Architect in the Advanced Services Technology Group at Cisco Systems. He was instrumental in the deployment and automation of Active Directory, DNS and DHCP at Cisco, and is now working on network automation tools. Alistair is an enterprise program manager for Microsoft U.K. and previously worked for Leicester University as the project manager and technical lead of the Rapid Deployment Program for Windows 2000. Active Directory, 2nd Edition will guide you through the maze of concepts, design issues and scripting options, enabling you to get the most out of your deployment.

Table of Contents

  1. Active Directory, 2nd Edition
    1. Preface
      1. Intended Audience
      2. Contents of the Book
      3. Conventions in This Book
      4. How to Contact Us
      5. Acknowledgments
        1. For the First Edition (Alistair)
        2. For the Second Edition (Robbie)
    2. I. Active Directory Basics
      1. 1. A Brief Introduction
        1. Evolution of the Microsoft NOS
          1. Brief History of Directories
        2. Windows NT Versus Active Directory
        3. Windows 2000 Versus Windows Server 2003
        4. Summary
      2. 2. Active Directory Fundamentals
        1. How Objects Are Stored and Identified
          1. Uniquely Identifying Objects
            1. ADsPaths
            2. Examples
        2. Building Blocks
          1. Domains and Domain Trees
          2. Forests
          3. Organizational Units
          4. Global Catalog
          5. Flexible Single Master of Operations (FSMO)
          6. Windows 2000 Domain Mode
          7. Windows Server 2003 Functional Levels
          8. Groups
            1. Groups in Windows NT
            2. Group availability in various functional levels
            3. Group nesting in different functional levels
            4. Group membership across domain boundaries
            5. Converting groups
            6. Wrap-up
        3. Summary
      3. 3. Naming Contexts and Application Partitions
        1. Domain Naming Context
        2. Configuration Naming Context
        3. Schema Naming Context
        4. Application Partitions
          1. Storing Dynamic Data
        5. Summary
      4. 4. Active Directory Schema
        1. Structure of the Schema
          1. X.500 and the OID Namespace
        2. Attributes (attributeSchema Objects)
          1. Dissecting an Example Attribute
        3. Attribute Syntax
        4. Classes (classSchema Objects)
          1. Object Class Category and Inheritance
          2. Dissecting an Example Class
            1. How inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClass
            2. Viewing the user class with the Active Directory Schema snap-in
          3. Dynamically Linked Auxiliary Classes
        5. Summary
      5. 5. Site Topology and Replication
        1. Site Topology
          1. Site and Replication Management Tools
          2. Why Have Active Directory Sites?
          3. The First Site
        2. Data Replication
          1. A Background to Metadata—Data That Governs the Replication Process
            1. The High-Watermark Vector and originating/replicated updates
            2. High-Watermark Vector table
            3. Up-To-Date Vector
            4. Up-To-Date Vector table
            5. Recap
          2. How an Object’s Metadata Is Modified During Replication
            1. Step 1—Initial creation of a user on Server A
            2. Step 2—Replication of the originating write to Server B
            3. Step 3—Password change for the user on Server B
            4. Step 4—Password change replication to Server A
          3. The Replication of a Naming Context Between Two Servers
            1. Step 1—Replication with a partner is initiated
            2. Step 2—The partner works out what updates to send
            3. Step 3—The partner sends the updates to the initiating server
            4. Step 4—The initiating server processes the updates
            5. Step 5—The initiating server checks whether it is up to date
            6. Recap
          4. How Replication Conflicts Are Reconciled
            1. Conflict due to identical property change
            2. Conflict due to a move of an object under a now deleted parent
            3. Conflict due to creation of objects with names that conflict
            4. Replicating the conflict resolution
        3. Summary
      6. 6. Active Directory and DNS
        1. DNS Fundamentals
          1. Zones
          2. Resource Records
          3. DDNS
        2. DC Locator
        3. Resource Records Used by Active Directory
        4. Delegation Options
          1. Not Delegating the AD DNS Zones
            1. Political factors
            2. Initial setup and configuration
            3. Support and maintenance
            4. Integration issues
          2. Delegating the AD DNS Zones
            1. Political factors
            2. Initial setup and configuration
            3. Support and maintenance
            4. Integration issues
          3. DNS for Standalone AD
        5. Active Directory Integrated DNS
          1. Replication Impact
        6. Using Application Partitions for DNS
        7. Summary
      7. 7. Profiles and Group Policy Primer
        1. A Profile Primer
          1. The Default User and All User Folders
          2. Logging On Locally to the Workstation
          3. Logging On to the Domain
          4. Cached Profile Deletion
          5. A Server-Based Default User Profile
        2. Capabilities of GPOs
          1. Software Installation Settings (Computer and User)
          2. Windows Settings (Computer)
          3. Administrative Templates (Computer)
            1. Windows components
            2. Windows settings (user)
            3. Administrative templates (user)
          4. Windows Components
        3. Summary
    3. II. Designing an Active Directory Infrastructure
      1. 8. Designing the Namespace
        1. The Complexities of a Design
        2. Where to Start
        3. Overview of the Design Process
        4. Domain Namespace Design
          1. Objectives
            1. Represent the structure of your business
            2. Minimize the number of domains
          2. Step 1—Decide on the Number of Domains
            1. Isolated replication
            2. Unique domain policy
            3. In-place upgrade of current domain
            4. Final notes
          3. Step 2—Design and Name the Tree Structure
            1. Choose the forest root domain
            2. Design the namespace naming scheme
            3. Create additional trees
            4. Create additional forests
            5. Arrange subdomain hierarchy
          4. Step 3—Design the Workstation and Server Naming Scheme
        5. Design of the Internal Domain Structure
          1. Step 4—Design the Hierarchy of Organizational Units
            1. Recreating the business model
            2. Delegating full administration
            3. Delegating other rights
          2. Step 5—Design of Users and Groups
            1. Naming and placing users
            2. Naming and placing groups
            3. Creating proper security group designs
          3. Step 6—Global Catalog Design
          4. Including and Excluding Attributes
          5. Step 7—Design the Application Partition Structure
        6. Other Design Considerations
        7. Design Examples
          1. TwoSiteCorp
            1. Step 1—Set the number of domains
            2. Step 2—Design and name the tree structure
            3. Step 3—Design the workstation and server naming scheme
            4. Step 4—Design the hierarchy of Organizational Units
            5. Step 5—Design the users and groups
            6. Step 6—Design the Global Catalog
            7. Step 7—Design the application partition structure
            8. Recap
          2. RetailCorp
            1. Step 1—Identify the number of domains
            2. Step 2—Design and name the tree structure
            3. Step 3—Design the workstation and server naming scheme
            4. Step 4—Design the hierarchy of Organizational Units
            5. Step 5—Design the users and groups
            6. Step 6—Design the Global Catalog
            7. Step 7—Design the application partition structure
            8. Recap
          3. PetroCorp
            1. Step 1—Set the number of domains
            2. Step 2—Design and name the tree structure
            3. Step 3—Design the workstation and server naming scheme
            4. Step 4—Design the hierarchy of Organizational Units
            5. Step 5—Design the users and groups
            6. Step 6—Design the Global Catalog
            7. Step 7—Design the application partition structure
            8. Recap
        8. Designing for the Real World
          1. Identify the Number of Domains
          2. Design to Help Business Plans and Budget Proposals
          3. Recognizing Nirvana’s Problems
        9. Summary
      2. 9. Creating a Site Topology
        1. Intrasite and Intersite Topologies
          1. The KCC
          2. Automatic Intrasite Topology Generation by the KCC
            1. Two servers
            2. Three servers
            3. Four servers
            4. Eight servers
            5. Now what?
          3. Site Links—The Basic Building Blocks of Intersite Topologies
            1. Cost
            2. Schedule
            3. Transport
            4. When the KCC becomes involved
            5. Having the KCC compound your mistakes
          4. Site Link Bridges—The Second Building Blocks of Intersite Topologies
        2. Designing Sites and Links for Replication
          1. Step 1—Gather Background Data for Your Network
          2. Step 2—Design the Sites
          3. Step 3—Design the Domain Controller Locations
            1. Where to put DCs
            2. How many DCs to have
            3. Reasons for putting a server in more than one site
          4. Step 4—Plan Intrasite Replication
          5. Step 5—Decide How You Will Use the KCC to Your Advantage
          6. Step 6—Create Site Links for Low-Cost, Well-Connected Links
          7. Step 7—Create Site Links for Medium-Cost Links
          8. Step 8—Create Site Links for High-Cost Links
          9. Step 9—Create Site Link Bridges
          10. Step 10—Design the Replication Schedule
        3. Examples
          1. TwoSiteCorp
          2. RetailCorp
          3. PetroCorp
        4. Summary
      3. 10. Designing Organization-Wide Group Policies
        1. How GPOs Work
          1. How GPOs Are Stored in Active Directory
          2. How GPOs Are Used in Active Directory
          3. Prioritizing the Application of Multiple Policies
          4. Standard GPO Inheritance Rules in Organizational Units
          5. Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
            1. Summary
          6. When Policies Apply
          7. Local Group Policy Objects
          8. How Existing Windows NT 4.0 System Policies Affect GPO Processing
          9. When to Use Windows NT System Policies
          10. Combating Slowdown Due to GPOs
            1. Limiting the number of GPOs that apply
            2. Block Inheritance and No Override
            3. Disabling parts of GPOs
            4. Limiting cross-domain linking
            5. Limiting GPO application across WAN links
            6. Use simple queries in WMI filters
          11. The Power of Access Control Lists on Group Policy Objects
          12. Loopback Merge Mode and Loopback Replace Mode
          13. WMI Filtering in Windows Server 2003
          14. How GPOs Work Across RAS and Slow Links
          15. Summary of Policy Options
        2. Managing Group Policies
          1. Using the Group Policy Object Editor
          2. Using the Group Policy Management Console (GPMC)
          3. Scripting Group Policies
        3. Using GPOs to Help Design the Organizational Unit Structure
          1. Identifying Areas of Policy
          2. How GPOs Influenced a Real Organizational Unit Design
            1. The merits of collapsing the Organizational Unit structure
            2. A bridge too far
            3. Loopback mode
          3. Guidelines for Designing GPOs
          4. Designing Delegation and Change Control
            1. The importance of change-control procedures
            2. Designing the delegation of GPO administration
            3. Creating customized GPOEs for administrators
        4. Debugging Group Policies
          1. Using the RSoP
          2. Enabling Extra Logging
        5. Summary
      4. 11. Active Directory Security: Permissions and Auditing
        1. Using the GUI to Examine Permissions
          1. Reverting to the Default Permissions
          2. Viewing the Effective Permissions for a User or Group
          3. Using the Delegation of Control Wizard
        2. Using the GUI to Examine Auditing
        3. Designing Permission Schemes
          1. The Five Golden Rules of Permissions Design
            1. Rule 1—Apply permissions to groups whenever possible
            2. Rule 2—Design group permissions so that you have minimum duplication
            3. Rule 3—Manage Advanced permissions only when absolutely necessary
            4. Rule 4—Allow inheritance; do not orphan branches of the domain tree unless you have to
            5. Rule 5—Keep a log of unusual changes
          2. How to Plan Permissions
          3. Bringing Order Out of Chaos
        4. Designing Auditing Schemes
        5. Real-World Examples
          1. Hiding Specific Personal Details for All Users in an Organizational Unit from a Group
          2. Hiding Specific Personal Details for Some Users in an Organizational Unit from a Group
            1. The less elegant restricting inheritance solution
            2. The more elegant rearrange-the-tree solution
          3. A More Complex Hiding Problem
            1. The less elegant restricting inheritance solution
            2. The more elegant rearrange-the-tree solution
          4. Allowing Only a Specific Group of Users to Access a New Published Resource
          5. Restricting Users in an Organizational Unit from Viewing Properties of Users Outside That Organizational Unit
        6. Summary
      5. 12. Designing and Implementing Schema Extensions
        1. Nominating Responsible People in Your Organization
        2. Thinking of Changing the Schema
          1. Designing the Data
          2. To Change or Not to Change
          3. The Global Picture
        3. Creating Schema Extensions
          1. Running the Schema Manager MMC for the First Time
          2. The Schema Cache
          3. The Schema FSMO
          4. Using LDIF to Extend the Schema
          5. Checks the System Makes When You Modify the Schema
          6. Making Classes and Attributes Defunct
        4. Wreaking Havoc with Your Schema
        5. Summary
      6. 13. Backup, Recovery, and Maintenance
        1. Backing Up Active Directory
          1. Using the NT Backup Utility
        2. Restoring a Domain Controller
          1. Restore from Replication
            1. Manually removing a domain controller from Active Directory
          2. Restore from Backup
        3. Restoring Active Directory
          1. Nonauthoritative Restore
          2. Partial Authoritative Restore
          3. Complete Authoritative Restore
        4. FSMO Recovery
        5. DIT Maintenance
          1. Checking the Integrity of the DIT
          2. Reclaiming Space
          3. Changing the DS Restore Mode Admin Password
        6. Summary
      7. 14. Upgrading to Windows Server 2003
        1. New Features in Windows Server 2003
        2. Differences With Windows 2000
        3. Functional Levels Explained
          1. How to Raise the Functional Level
        4. Preparing for ADPrep
          1. ForestPrep
          2. DomainPrep
        5. Upgrade Process
          1. Inventory Domain Controllers
          2. Inventory Clients
          3. Trial Run
          4. Prepare the Forest and Domains
            1. Exchange 2000
            2. SFU 2.0
          5. Upgrade Domain Controllers
        6. Post-Upgrade Tasks
          1. Monitor
          2. Raise Functional Levels
          3. Tweak Settings
          4. Start Implementing New Features
        7. Summary
      8. 15. Migrating from Windows NT
        1. The Principles of Upgrading Windows NT Domains
          1. Preparing for a Domain Upgrade
          2. Forests and the Forest Root Domain
          3. Windows NT Domain Upgrades
            1. Solution 1—Migration to a new forest root domain
            2. Solution 2—Migration with one domain as the domain-tree root
            3. Solution 3—Migration to separate domain trees in a forest
          4. A Solution-Independent Migration Process
          5. Consolidating Domains After the Move
            1. Windows 2003 Interim and Windows 2003 functional levels and groups
            2. Computers
            3. Users
            4. Member servers and removing domains
        2. Summary
      9. 16. Integrating Microsoft Exchange
        1. Quick Word about Exchange Server 2003
        2. Preparing Active Directory for Exchange 2000
          1. Forestprep
          2. Domainprep
          3. Running Forestprep and Domainprep
          4. Other Considerations
        3. Exchange 5.5 and the Active Directory Connector
          1. Configuring the ADC
          2. Mail-Enabling Objects via the GUI
          3. Why Bidirectional Replication May Not Solve Your Problems
        4. Summary
      10. 17. Interoperability, Integration, and Future Direction
        1. Microsoft’s Directory Strategy
          1. Active Directory Application Mode
          2. Microsoft Metadirectory Services
          3. Active Directory’s Role
        2. Interoperating with Other Directories
          1. Getting Data from One Directory to Another
          2. Using Common Tools Across Directories
          3. Porting Scripts to Work Across Directories
          4. Making Searches Across Directories Seamless
        3. Integrating Applications and Services
          1. The Application Integration Challenge
            1. Challenges for application vendors
            2. Challenges for Active Directory administrators
            3. AD/AM to the rescue
          2. Integrating Unix
            1. Kerberos and LDAP support
            2. Migrating from NIS
            3. Integrating with NFS
            4. Synchronizing passwords
        4. Summary
    4. III. Scripting Active Directory with ADSI, ADO, and WMI
      1. 18. Scripting with ADSI
        1. What Are All These Buzzwords?
          1. ActiveX
          2. Windows Scripting Host (WSH)
          3. Active Server Pages (ASPs)
          4. Active Directory Service Interfaces (ADSI)
          5. ActiveX Data Objects (ADO)
          6. Windows Management Instrumentation (WMI)
          7. .NET and .NET Framework
        2. Writing and Running Scripts
          1. A Brief Primer on COM and WSH
          2. How to Write Scripts
          3. WSH 2.0 Versus 5.6
        3. ADSI
          1. Objects and Interfaces
          2. Namespaces, ProgIDs, and ADsPaths
          3. Retrieving Objects
        4. Simple Manipulation of ADSI Objects
          1. Creating the OU
          2. Creating the Users
          3. Tearing Down What Was Created
        5. Further Information
        6. Summary
      2. 19. IADs and the Property Cache
        1. The IADs Properties
          1. Using IADs::Get and IADs::Put
          2. The Property Cache
          3. Be Careful
          4. More Complexities of Property Access: IADs::GetEx and IADs::PutEx
            1. Using IADs::GetEx
            2. Using IADs::PutEx
        2. Manipulating the Property Cache
          1. Property Cache Mechanics
          2. Adding Individual Values
          3. Adding Sets of Values
          4. Walking Through the Property Cache
            1. Approach 1—Using the IADsPropertyList::PropertyCount property method
            2. Approach 2—Using the IADsPropertyList::Next method
            3. Approach 3—Using the IADsPropertyList::Next and IADsPropertyList::Skip methods
          5. Writing the Modifications
          6. Walking the Property Cache—The Solution
          7. Walking the Property Cache Using the Formal Schema Class Definition
        3. Checking for Errors in VBScript
        4. Summary
      3. 20. Using ADO for Searching
        1. The First Search
          1. Step 1—Define the Constants and Variables
          2. Step 2—Establish an ADO Database Connection
          3. Step 3—Open the ADO Connection
          4. Step 4—Execute the Query
          5. Step 5—Navigate Through the Resultset
          6. Step 6—Close the ADO Connection
          7. The Entire Script for a Simple Search
        2. Other Ways of Connecting and Retrieving Results
          1. Searching With SQL
            1. Using the Connection::Execute method
            2. Using the Recordset::Open method
            3. Executing a specific command
            4. The Command object and Recordset::Open
        3. Understanding Search Filters
          1. Items Within a Filter
          2. Connecting Filters
        4. Optimizing Searches
          1. Efficient Searching
          2. Objectclass Versus Objectcategory
          3. Filtering an Existing Resultset
            1. Using a criteria string
            2. Using bookmarks
        5. Advanced Search Function—SearchAD
        6. Summary
      4. 21. Users and Groups
        1. Creating a Simple User Account
        2. Creating a Full-Featured User Account
          1. WinNT Provider
          2. LDAP Provider
        3. Creating Many User Accounts
        4. Modifying Many User Accounts
        5. Account Unlocker Utility
        6. Creating a Group
        7. Adding Members to a Group
          1. Adding Many USER Groups to DRUP Groups
        8. Evaluating Group Membership
        9. Summary
      5. 22. Manipulating Persistent and Dynamic Objects
        1. The Interface Methods and Properties
        2. Creating and Manipulating Shares with ADSI
        3. Enumerating Sessions and Resources
          1. Identifying a Machine’s Sessions
          2. Identifying a Machine’s Resources
          3. A Utility to Show User Sessions
            1. Obtaining the data
            2. Manipulating the data
            3. The sort subprocedure
            4. The duplicate-removal subprocedure
            5. Displaying the data
            6. Room for improvement
        4. Manipulating Print Queues and Print Jobs
          1. Identifying Print Queues in Active Directory
          2. Binding to a Print Queue
          3. IADsPrintQueueOperations and Print Queues
          4. Print Jobs
        5. Summary
      6. 23. Permissions and Auditing
        1. How to Create an ACE Using ADSI
          1. Trustee
          2. AccessMask
          3. AceType
          4. AceFlags
          5. Flags, ObjectType, and InheritedObjectType
        2. A Simple ADSI Example
        3. A Complex ACE Example
        4. Creating Security Descriptors
        5. Listing ACEs to a File for All Objects in an OU and Below
        6. Summary
      7. 24. Extending the Schema and the Active Directory Snap-Ins
        1. Modifying the Schema with ADSI
          1. IADsClass and IADsProperty
          2. Creating the Mycorp-LanguagesSpoken attribute
          3. Creating the FinanceUser class
            1. Creating instances of the new class
          4. Finding the Schema Container and Schema FSMO
          5. Transferring the Schema FSMO Role
          6. Forcing a Reload of the Schema Cache
          7. Finding Which Attributes Are in the GC for an Object
          8. Adding an Attribute to the GC
        2. Customizing the Active Directory Administrative Snap-ins
          1. Display Specifiers
          2. Property Pages
          3. Context Menus
          4. Icons
          5. Display Names
          6. Leaf or Container
          7. Object Creation Wizard
        3. Summary
      8. 25. Using ADSI and ADO from ASP or VB
        1. VBScript Limitations and Solutions
        2. How to Avoid Problems When Using ADSI and ASP
        3. Combining VBScript and HTML
          1. Incorporating Scripts into Active Server Pages
            1. Client-side scripting
            2. Server-side scripting
          2. ActiveX Controls and ASPs
          3. Forms
        4. Binding to Objects Via Authentication
          1. When to Use VBScript’s GetObject Function
          2. When to Use IADsOpenDSObject::OpenDSObject
          3. When to Use IADsContainer::GetObject
          4. Authenticating from Passwords Input Via Forms
          5. A Simple Password Changer
          6. Adding Users to Groups
        5. Incorporating Searches into ASP
          1. ASP Searches Allowing User Navigation of a Resultset
          2. Enhancing the User Navigation ASP
            1. Empty resultsets
            2. Starting from scratch
            3. Filters
            4. Displaying the location of individual records
            5. The enhanced ASP search
            6. Problems with this example
          3. Other Ideas for Expansion
        6. Migrating Your ADSI Scripts from VBScript to VB
          1. Platform Software Development Kit
          2. The Differences Between VB and VBScript
            1. Screen functions
            2. Variables
            3. Loop constructs
          3. Getting Help from VB When Coding in ADSI
          4. A Simple Password Changer in VB
          5. The ModifyUserDetails Program in VB
        7. Summary
      9. 26. Scripting with WMI
        1. Origins of WMI
        2. WMI Architecture
          1. CIMOM and CIM Repository
          2. WMI Providers
        3. Getting Started with WMI Scripting
          1. Referencing an Object
          2. Enumerating Objects of a Particular Class
          3. Searching with WQL
          4. Authentication with WMI
        4. WMI Tools
          1. WMI from a Command line
          2. WMI from the Web
          3. WMI SDK
        5. Manipulating Services
        6. Querying the Event Logs
        7. Querying AD with WMI
        8. Monitoring Trusts
        9. Monitoring Replication
        10. Summary
      10. 27. Manipulating DNS
        1. DNS Provider Overview
          1. Installing the DNS Provider
          2. Managing DNS with the DNS Provider
        2. Manipulating DNS Server Configuration
          1. Listing a DNS Server’s Properties
          2. Configuring a DNS server
          3. Restarting the DNS Service
          4. DNS Server Configuration Check Script
        3. Creating and Manipulating Zones
          1. Creating a Zone
          2. Configuring a Zone
          3. Listing the Zones on a Server
        4. Creating and Manipulating Resource Records
          1. Finding Resource Records in a Zone
          2. Creating Resource Records
        5. Summary
      11. 28. Getting Started with VB.NET and System.DirectoryServices
        1. The .NET Framework
        2. Using VB.NET
        3. Overview of System.DirectoryServices
        4. DirectoryEntry Basics
        5. Searching with DirectorySearcher
        6. Manipulating Objects
        7. Summary
    5. Index
    6. Colophon