Active DirectoryWhen Microsoft introduced Windows 2000, the most important change was the inclusion of Active Directory. With many great benefits, it continues to be a huge headache for network and system administrators to design, implement and support. The first edition of this book, O'Reilly's best-selling Windows 2000 Active Directory, eased their pain considerably. Now titled Active Directory, 2nd Edition, this book provides system and network administrators, IT professionals, technical project managers, and programmers with a clear, detailed look at Active Directory for both Windows 2000 and Windows Server 2003. The upgraded Active Directory that ships with Windows Server 2003 has over 100 new and enhanced features and once again, O'Reilly has the answers to puzzling questions. While Microsoft's documentation serves as an important reference, Active Directory, 2nd Edition is a guide to help the curious (and weary) understand the big picture. In addition to the technical details for implementing Active Directory, several new and significantly enhanced chapters describe the numerous features that have been updated or added in Windows Server 2003 along with coverage of new programmatic interfaces that are available to manage it. After reading the book you will be familiar with the Lightweight Directory Access Protocol (LDAP), multi-master replication, Domain Name System (DNS), Group Policy, and the Active Directory Schema, among many other topics. Authors Robbie Allen and Alistair G. Lowe-Norris are experienced veterans with real-world experience. Robbie is a Senior Systems Architect in the Advanced Services Technology Group at Cisco Systems. He was instrumental in the deployment and automation of Active Directory, DNS and DHCP at Cisco, and is now working on network automation tools. Alistair is an enterprise program manager for Microsoft U.K. and previously worked for Leicester University as the project manager and technical lead of the Rapid Deployment Program for Windows 2000. Active Directory, 2nd Edition will guide you through the maze of concepts, design issues and scripting options enabling you to get the most out of your deployment. |
Contents
Preface | xi |
Active Directory Basics | 1 |
A Brief Introduction | 3 |
Evolution of the Microsoft NOS | 4 |
Windows NT Versus Active Directory | 5 |
Windows 2000 Versus Windows Server 2003 | 9 |
Active Directory Fundamentals | 13 |
Building Blocks | 16 |
Preparing Active Directory for Exchange 2000 | 344 |
Exchange 55 and the Active Directory Connector | 347 |
Interoperability Integration and Future Direction | 362 |
Interoperating with Other Directories | 366 |
Integrating Applications and Services | 367 |
Scripting Active Directory with ADSI ADO and WMI | 377 |
Scripting with ADSI | 379 |
Writing and Running Scripts | 383 |
Naming Contexts and Application Partitions | 32 |
Domain Naming Context | 33 |
Configuration Naming Context | 34 |
Schema Naming Context | 35 |
Application Partitions | 36 |
Active Directory Schema | 39 |
Attributes attributeSchema Objects | 43 |
Attribute Syntax | 48 |
Classes classSchema Objects | 49 |
Site Topology and Replication | 60 |
Data Replication | 63 |
Active Directory and DNS | 79 |
DC Locator | 81 |
Resource Records Used by Active Directory | 83 |
Delegation Options | 86 |
Active Directory Integrated DNS | 91 |
Using Application Partitions for DNS | 93 |
Profiles and Group Policy Primer | 95 |
A Profile Primer | 97 |
Capabilities of GPOs | 102 |
Summary | 119 |
Designing an Active Directory Infrastructure | 121 |
Designing the Namespace | 123 |
The Complexities of a Design | 124 |
Where to Start | 126 |
Design of the Internal Domain Structure | 136 |
Other Design Considerations | 147 |
Design Examples | 148 |
Designing for the Real World | 157 |
Creating a Site Topology | 163 |
Designing Sites and Links for Replication | 175 |
Examples | 181 |
Designing OrganizationWide Group Policies | 187 |
Managing Group Policies | 212 |
Debugging Group Policies | 233 |
Active Directory Security Permissions and Auditing | 239 |
Using the GUI to Examine Permissions | 241 |
Using the GUI to Examine Auditing | 250 |
Designing Permission Schemes | 251 |
Designing Auditing Schemes | 262 |
RealWorld Examples | 264 |
Designing and Implementing Schema Extensions | 271 |
Nominating Responsible People in Your Organization | 272 |
Thinking of Changing the Schema | 273 |
Creating Schema Extensions | 277 |
Wreaking Havoc with Your Schema | 286 |
Backup Recovery and Maintenance | 289 |
Restoring a Domain Controller | 292 |
Restoring Active Directory | 297 |
FSMO Recovery | 303 |
DIT Maintenance | 306 |
Upgrading to Windows Server 2003 | 311 |
New Features in Windows Server 2003 | 312 |
Differences With Windows 2000 | 314 |
Functional Levels Explained | 316 |
Preparing for ADPrep | 319 |
Upgrade Process | 323 |
PostUpgrade Tasks | 327 |
Migrating from Windows NT | 331 |
Integrating Microsoft Exchange | 343 |
ADSI | 386 |
Simple Manipulation of ADSI Objects | 396 |
Further Information | 399 |
IADs and the Property Cache | 401 |
Manipulating the Property Cache | 411 |
Checking for Errors in VBScript | 427 |
Using ADO for Searching | 430 |
The First Search | 431 |
Other Ways of Connecting and Retrieving Results | 436 |
Understanding Search Filters | 439 |
Optimizing Searches | 442 |
Advanced Search Function SearchAD | 447 |
Users and Groups | 452 |
Creating a FullFeatured User Account | 453 |
Creating Many User Accounts | 461 |
Modifying Many User Accounts | 464 |
Account Unlocker Utility | 466 |
Creating a Group | 471 |
Adding Members to a Group | 472 |
Evaluating Group Membership | 474 |
Manipulating Persistent and Dynamic Objects | 476 |
Creating and Manipulating Shares with ADSIART III | 477 |
Enumerating Sessions and Resources | 479 |
Manipulating Print Queues and Print Jobs | 491 |
Permissions and Auditing | 501 |
How to Create an ACE Using ADSI | 502 |
A Simple ADSI Example | 511 |
A Complex ACE Example | 513 |
Creating Security Descriptors | 517 |
Listing ACEs to a File for All Objects in an OU and Below | 522 |
Extending the Schema and the Active Directory SnapIns | 532 |
Customizing the Active Directory Administrative Snapins | 542 |
Using ADSI and ADO from ASP or VB | 551 |
VBScript Limitations and Solutions | 552 |
How to Avoid Problems When Using ADSI and ASP | 553 |
Binding to Objects Via Authentication | 559 |
Incorporating Searches into ASP | 569 |
Migrating Your ADSI Scripts from VBScript to VB | 582 |
Scripting with WMI | 591 |
Origins of WMI | 592 |
Getting Started with WMI Scripting | 594 |
WMI Tools | 597 |
Manipulating Services | 599 |
Querying the Event Logs | 601 |
Querying AD with WMI | 604 |
Monitoring Trusts | 607 |
Monitoring Replication | 609 |
Manipulating DNS | 612 |
Manipulating DNS Server Configuration | 614 |
Creating and Manipulating Zones | 620 |
Creating and Manipulating Resource Records | 623 |
Getting Started with VBNET and SystemDirectoryServices | 629 |
Using VBNET | 630 |
Overview of SystemDirectoryServices | 632 |
DirectoryEntry Basics | 633 |
Searching with DirectorySearcher | 639 |
Manipulating Objects | 640 |
| 645 | |
Common terms and phrases
2003 Active Directory Active Direc Active Directory administrators ADSI ADsPath allows application partition apply attribute auditing authenticate backup changes chapter client Configuration connection Const container create database dc-mycorp,dc=com default delete Directory Services DNS server domain controllers entry Event Log example Exchange existing Figure filter FSMO role functional level Global Catalog Group Policy IADS inherited installed interface LDAP logon manage Microsoft modify mycorp.com namespace native mode NET Framework objectclass objUser options Organizational Unit password permissions property cache property method query replication resource records restore resultset retrieve root domain schema script Security Descriptor security groups Server 2003 Active snap-in specify SRV records string strOutput tree ts.WriteLine updates upgrade user accounts user object username vbCrLf VBScript vbTab Windows NT Windows Server 2003 WScript.Echo zone