• Table of Contents

  Page V

• + Preface

  Page XIII

  • Intended Audience

    Page XIV

  • + Contents of the Book

    Page XV

    • Part I, Active Directory Basics

      Page XV

    • Part II, Designing an Active Directory Infrastructure

      Page XV

    • Part III, Scripting Active Directory with ADSI, ADO, and WMI

      Page XVI

  • Conventions Used in This Book

    Page XVIII

  • Using Code Examples

    Page XVIII

  • How to Contact Us

    Page XIX

  • Safari Enabled

    Page XIX

  • + Acknowledgments

    Page XIX

    • For the Third Edition (Joe)

      Page XIX

    • For the Second Edition (Robbie)

      Page XXI

    • For the First Edition (Alistair)

      Page XXI

• Part I

  Page 1

• + A Brief Introduction

  Page 3

  • + Evolution of the Microsoft NOS

    Page 4

    • Brief History of Directories

      Page 4

  • Windows NT Versus Active Directory

    Page 5

  • Windows 2000 Versus Windows Server 2003

    Page 10

  • Windows Server 2003 Versus Windows Server 2003 R2

    Page 13

  • Summary

    Page 14

• + Active Directory Fundamentals

  Page 15

  • + How Objects Are Stored and Identified

    Page 15

    • + Uniquely Identifying Objects

      Page 16

      • ADsPaths

        Page 17

      • Examples

        Page 18

  • + Building Blocks

    Page 18

    • Domains and Domain Trees

      Page 19

    • Forests

      Page 20

    • Organizational Units

      Page 22

    • Global Catalog

      Page 23

    • Flexible Single Master of Operations (FSMO)

      Page 23

    • Windows 2000 Domain Mode

      Page 28

    • Windows Server 2003 Functional Levels

      Page 29

    • + Groups

      Page 30

      • Groups in Windows NT

        Page 32

      • Group availability in various functional levels

        Page 32

      • Group nesting in different functional levels

        Page 33

      • Group membership across domain boundaries

        Page 34

      • Converting groups

        Page 35

      • Wrap-up

        Page 35

  • Summary

    Page 36

• + Naming Contexts and Application Partitions

  Page 37

  • Domain Naming Context

    Page 38

  • Configuration Naming Context

    Page 39

  • Schema Naming Context

    Page 40

  • + Application Partitions

    Page 41

    • Storing Dynamic Data

      Page 42

  • Summary

    Page 43

• + Active Directory Schema

  Page 44

  • + Structure of the Schema

    Page 44

    • X.500 and the OID Namespace

      Page 45

  • + Attributes (attributeSchema Objects)

    Page 50

    • Dissecting an Example Active Directory Attribute

      Page 53

  • + Attribute Properties

    Page 54

    • Attribute Syntax

      Page 55

    • + System Flags

      Page 57

      • Constructed attributes

        Page 57

      • Category 1 objects

        Page 58

    • + Search Flags

      Page 58

      • Indexed attributes

        Page 58

      • ANR

        Page 59

      • Preserve attribute in tombstone

        Page 60

      • Tuple index

        Page 61

      • Confidential

        Page 61

    • Property Sets and attributeSecurityGUID

      Page 63

    • Linked Attributes

      Page 63

  • + Classes (classSchema Objects)

    Page 64

    • Object Class Category and Inheritance

      Page 66

    • + Dissecting an Example Active Directory Class

      Page 69

      • How inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClass

        Page 73

      • Viewing the user class with the Active Directory Schema snap-in

        Page 74

    • Dynamically Linked Auxiliary Classes

      Page 75

  • Summary

    Page 77

• + Site Topology and Replication

  Page 78

  • + Site Topology

    Page 78

    • Subnets

      Page 79

    • Sites

      Page 79

    • Site Links

      Page 81

    • Connection Objects

      Page 82

    • Knowledge Consistency Checker (KCC)

      Page 82

    • Site and Replication Management Tools

      Page 83

  • + Data Replication

    Page 84

    • + A Background to Metadata (Data That Governs the Replication Process)

      Page 84

      • Update Sequence Numbers (USN) and highestCommittedUSN

        Page 84

      • Originating updates versus replicated updates

        Page 85

      • DSA GUID and Invocation ID

        Page 86

      • High-watermark vector (direct up-to-dateness vector)

        Page 86

      • Up-to-dateness vector

        Page 87

      • Recap

        Page 87

    • + How an Object’s Metadata Is Modified During Replication

      Page 88

      • Step 1: Initial creation of a user on Server A

        Page 88

      • Step 2: Replication of the originating write to Server B

        Page 90

      • Step 3: Password change for the user on Server B

        Page 90

      • Step 4: Password change replication to Server A

        Page 90

    • + The Replication of a Naming Context Between Two Servers

      Page 91

      • Step 1: Replication with a partner is initiated

        Page 92

      • Step 2: The partner works out what updates to send

        Page 93

      • Step 3: The partner sends the updates to the initiating server

        Page 95

      • Step 4: The initiating server processes the updates

        Page 96

      • Step 5: The initiating server checks whether it is up to date

        Page 96

      • Recap

        Page 97

    • + How Replication Conflicts Are Reconciled

      Page 97

      • Conflict due to identical property change

        Page 98

      • Conflict due to a move or creation of an object under a now-deleted parent

        Page 98

      • Conflict due to creation of objects with names that conflict

        Page 98

      • Replicating the conflict resolution

        Page 99

  • Summary

    Page 99

• + Active Directory and DNS

  Page 101

  • + DNS Fundamentals

    Page 101

    • Zones

      Page 102

    • Resource Records

      Page 102

    • DDNS

      Page 103

  • DC Locator

    Page 103

  • + Resource Records Used by Active Directory

    Page 105

    • Overriding SRV Record Registration

      Page 109

  • + Delegation Options

    Page 109

    • + Not Delegating the AD DNS Zones

      Page 109

      • Political factors

        Page 110

      • Initial setup and configuration

        Page 110

      • Support and maintenance

        Page 110

      • Integration issues

        Page 110

    • + Delegating the AD DNS Zones

      Page 111

      • Political factors

        Page 111

      • Initial setup and configuration

        Page 111

      • Support and maintenance

        Page 112

      • Integration issues

        Page 112

    • DNS for Standalone AD

      Page 112

  • + Active Directory Integrated DNS

    Page 114

    • Replication Impact

      Page 117

  • Using Application Partitions for DNS

    Page 117

  • Summary

    Page 118

• + Profiles and Group Policy Primer

  Page 119

  • + A Profile Primer

    Page 121

    • The Default User and All User Folders

      Page 122

    • Logging On Locally to the Workstation

      Page 124

    • Logging On to the Domain

      Page 124

    • Cached Profile Deletion

      Page 125

    • A Server-Based Default User Profile

      Page 125

  • + Capabilities of GPOs

    Page 126

    • Group Policy Refresh Frequency

      Page 128

    • Software Installation Settings (Computer and User)

      Page 128

    • Windows Settings (Computer)

      Page 130

    • + Administrative Templates (Computer)

      Page 134

      • Windows components

        Page 134

      • Windows settings (user)

        Page 139

      • Administrative templates (user)

        Page 140

    • Windows Components

      Page 143

  • Additional Resources

    Page 145

  • Summary

    Page 146

• Part II

  Page 147

• + Designing the Namespace

  Page 149

  • The Complexities of a Design

    Page 150

  • Where to Start

    Page 151

  • Overview of the Design Process

    Page 152

  • + Domain Namespace Design

    Page 153

    • + Objectives

      Page 153

      • Represent the structure of your business

        Page 153

      • Minimize the number of domains

        Page 154

    • + Step 1: Decide on the Number of Domains

      Page 154

      • Isolated replication

        Page 155

      • Unique domain policy

        Page 156

      • In-place upgrade of current domain

        Page 156

      • Final notes

        Page 157

    • + Step 2: Design and Name the Tree Structure

      Page 157

      • Choose the forest root domain

        Page 157

      • Design the namespace naming scheme

        Page 158

      • Create additional trees

        Page 159

      • Create additional forests

        Page 160

      • Arrange subdomain hierarchy

        Page 161

    • Step 3: Design the Workstation and Server-Naming Scheme

      Page 162

  • + Design of the Internal Domain Structure

    Page 164

    • + Step 4: Design the Hierarchy of Organizational Units

      Page 164

      • Recreating the business model

        Page 166

      • Delegating full administration

        Page 166

      • Delegating other rights

        Page 168

    • + Step 5: Design the Users and Groups

      Page 169

      • Naming and placing users

        Page 169

      • Naming and placing groups

        Page 170

      • Creating proper security group designs

        Page 171

    • + Step 6: Design the Global Catalog

      Page 172

      • Including and excluding attributes

        Page 173

    • Step 7: Design the Application Partition Structure

      Page 174

  • Other Design Considerations

    Page 175

  • + Design Examples

    Page 176

    • + TwoSiteCorp

      Page 177

      • Step 1: Set the number of domains

        Page 177

      • Step 2: Design and name the tree structure

        Page 177

      • Step 3: Design the workstation and server-naming scheme

        Page 177

      • Step 4: Design the hierarchy of Organizational Units

        Page 178

      • Step 5: Design the users and groups

        Page 179

      • Step 6: Design the Global Catalog

        Page 179

      • Step 7: Design the application partition structure

        Page 179

      • Recap

        Page 179

    • + RetailCorp

      Page 179

      • Step 1: Identify the number of domains

        Page 180

      • Step 2: Design and name the tree structure

        Page 180

      • Step 3: Design the workstation and server-naming scheme

        Page 180

      • Step 4: Design the hierarchy of Organizational Units

        Page 180

      • Step 5: Design the users and groups

        Page 180

      • Step 6: Design the Global Catalog

        Page 180

      • Step 7: Design the application partition structure

        Page 181

      • Recap

        Page 181

    • + PetroCorp

      Page 181

      • Step 1: Set the number of domains

        Page 182

      • Step 2: Design and name the tree structure

        Page 183

      • Step 3: Design the workstation and server-naming scheme

        Page 184

      • Step 4: Design the hierarchy of Organizational Units

        Page 185

      • Step 5: Design the users and groups

        Page 186

      • Step 6: Design the Global Catalog

        Page 186

      • Step 7: Design the application partition structure

        Page 187

      • Recap

        Page 187

  • + Designing for the Real World

    Page 187

    • Identify the Number of Domains

      Page 188

    • Design to Help Business Plans and Budget Proposals

      Page 188

    • Recognizing Nirvana’s Problems

      Page 191

  • Summary

    Page 191

• + Creating a Site Topology

  Page 193

  • + Intrasite and Intersite Topologies

    Page 193

    • The KCC

      Page 194

    • + Automatic Intrasite Topology Generation by the KCC

      Page 195

      • Two servers

        Page 196

      • Three servers

        Page 196

      • Four servers

        Page 197

      • Eight servers

        Page 198

      • Now what?

        Page 199

    • + Site Links: The Basic Building Blocks of Intersite Topologies

      Page 200

      • Cost

        Page 202

      • Schedule

        Page 202

      • Transport

        Page 202

      • When the KCC becomes involved

        Page 203

      • Having the KCC compound your mistakes

        Page 203

    • Site Link Bridges: The Second Building Blocks of Intersite Topologies

      Page 204

  • + Designing Sites and Links for Replication

    Page 206

    • Step 1: Gather Background Data for Your Network

      Page 206

    • Step 2: Design the Sites

      Page 207

    • + Step 3: Design the Domain Controller Locations

      Page 207

      • Where to put DCs

        Page 207

      • How many DCs to have

        Page 208

      • Reasons for putting a server in more than one site

        Page 209

    • Step 4: Plan Intrasite Replication

      Page 210

    • Step 5: Decide How You Will Use the KCC to Your Advantage

      Page 210

    • Step 6: Create Site Links for Low-Cost, Well-Connected Links

      Page 211

    • Step 7: Create Site Links for Medium-Cost Links

      Page 211

    • Step 8: Create Site Links for High-Cost Links

      Page 212

    • Step 9: Create Site Link Bridges

      Page 212

    • Step 10: Design the Replication Schedule

      Page 212

  • + Examples

    Page 212

    • TwoSiteCorp

      Page 212

    • RetailCorp

      Page 213

    • PetroCorp

      Page 213

  • Additional Resources

    Page 217

  • Summary

    Page 217

• + Designing Organization-Wide Group Policies

  Page 219

  • + How GPOs Work

    Page 219

    • How GPOs Are Stored in Active Directory

      Page 219

    • How GPOs Are Used in Active Directory

      Page 221

    • Prioritizing the Application of Multiple Policies

      Page 223

    • Standard GPO Inheritance Rules in Organizational Units

      Page 225

    • + Blocking Inheritance and Overriding the Block in Organizational Unit GPOs

      Page 225

      • Summary

        Page 227

    • When Policies Apply

      Page 227

    • Local Group Policy Objects

      Page 227

    • How Existing Windows NT 4.0 System Policies Affect GPO Processing

      Page 228

    • When to Use Windows NT System Policies

      Page 229

    • + Combating Slowdown Due to GPOs

      Page 230

      • Limiting the number of GPOs that apply

        Page 230

      • Block Inheritance and No Override

        Page 231

      • Disabling parts of GPOs

        Page 232

      • Limiting cross-domain linking

        Page 233

      • Limiting GPO application across WAN links

        Page 233

      • Use simple queries in WMI filters

        Page 233

    • The Power of Access Control Lists on Group Policy Objects

      Page 234

    • Loopback Merge Mode and Loopback Replace Mode

      Page 235

    • WMI Filtering in Windows Server 2003

      Page 238

    • How GPOs Work Across RAS and Slow Links

      Page 239

    • Summary of Policy Options

      Page 241

  • + Managing Group Policies

    Page 243

    • Using the Group Policy Object Editor

      Page 244

    • Using the Group Policy Management Console (GPMC)

      Page 247

    • Scripting Group Policies

      Page 249

  • + Using GPOs to Help Design the Organizational Unit Structure

    Page 250

    • Identifying Areas of Policy

      Page 251

    • + How GPOs Influenced a Real Organizational Unit Design

      Page 252

      • The merits of collapsing the Organizational Unit structure

        Page 254

      • A bridge too far

        Page 257

      • Loopback mode

        Page 258

    • Guidelines for Designing GPOs

      Page 258

    • + Designing Delegation and Change Control

      Page 261

      • The importance of change-control procedures

        Page 261

      • Designing the delegation of GPO administration

        Page 262

      • Creating customized GPOEs for administrators

        Page 264

  • + Debugging Group Policies

    Page 265

    • Using the RSoP

      Page 265

    • Enabling Extra Logging

      Page 268

  • Summary

    Page 269

• + Active Directory Security: Permissions and Auditing

  Page 270

  • + Permission Basics

    Page 271

    • Permission ACE

      Page 272

    • Property Sets, Validated Writes, and Extended Rights

      Page 273

    • Inherited Versus Explicit Permissions

      Page 274

    • Default Security Descriptors

      Page 274

    • Permission Lockdown

      Page 275

    • Confidentiality Bit

      Page 277

  • + Using the GUI to Examine Permissions

    Page 279

    • Reverting to the Default Permissions

      Page 283

    • Viewing the Effective Permissions for a User or Group

      Page 284

    • Using the Delegation of Control Wizard

      Page 285

  • Using the GUI to Examine Auditing

    Page 288

  • + Designing Permission Schemes

    Page 289

    • + The Five Golden Rules of Permissions Design

      Page 289

      • Rule 1: Apply permissions to groups whenever possible

        Page 290

      • Rule 2: Design group permissions so that you have minimum duplication

        Page 293

      • Rule 3: Manage Advanced permissions only when absolutely necessary

        Page 294

      • Rule 4: Allow inheritance; do not protect sections of the domain tree from inheritance

        Page 295

      • Rule 5: Keep a log of unusual changes

        Page 297

    • How to Plan Permissions

      Page 297

    • Bringing Order out of Chaos

      Page 299

  • Designing Auditing Schemes

    Page 301

  • + Real-World Examples

    Page 302

    • Hiding Specific Personal Details for All Users in an Organizational Unit from a Group

      Page 303

    • Allowing Only a Specific Group of Users to Access a New Published Resource

      Page 305

    • Restricting Everyone but HR from Viewing Social Security Numbers with Confidential Access Capability

      Page 305

  • Summary

    Page 306

• + Designing and Implementing Schema Extensions

  Page 307

  • Nominating Responsible People in Your Organization

    Page 308

  • + Thinking of Changing the Schema

    Page 309

    • Designing the Data

      Page 309

    • To Change or Not to Change

      Page 310

    • The Global Picture

      Page 312

  • + Creating Schema Extensions

    Page 314

    • Running the Schema Manager MMC for the First Time

      Page 314

    • The Schema Cache

      Page 314

    • The Schema FSMO

      Page 316

    • Using LDIF to Extend the Schema

      Page 318

    • Checks the System Makes When You Modify the Schema

      Page 320

    • Making Classes and Attributes Defunct

      Page 321

  • Summary

    Page 322

• + Backup, Recovery, and Maintenance

  Page 323

  • + Backing Up Active Directory

    Page 323

    • Using the NT Backup Utility

      Page 325

  • + Restoring a Domain Controller

    Page 327

    • + Restore from Replication

      Page 328

      • Manually removing a domain controller from Active Directory

        Page 329

    • Restore from Backup

      Page 331

  • + Restoring Active Directory

    Page 332

    • Non-Authoritative Restore

      Page 332

    • Partial Authoritative Restore

      Page 335

    • Complete Authoritative Restore

      Page 337

  • FSMO Recovery

    Page 338

  • + DIT Maintenance

    Page 341

    • Checking the Integrity of the DIT

      Page 342

    • Reclaiming Space

      Page 343

    • Changing the DS Restore Mode Admin Password

      Page 345

  • Summary

    Page 346

• + Upgrading to Windows Server 2003

  Page 347

  • New Features in Windows Server 2003

    Page 348

  • Differences with Windows 2000

    Page 351

  • + Functional Levels Explained

    Page 353

    • How to Raise the Functional Level

      Page 354

  • + Preparing for ADPrep

    Page 356

    • ForestPrep

      Page 357

    • DomainPrep

      Page 358

  • + Upgrade Process

    Page 360

    • Inventory Domain Controllers

      Page 360

    • Inventory Clients

      Page 361

    • Trial Run

      Page 362

    • + Prepare the Forest and Domains

      Page 362

      • Exchange 2000

        Page 363

      • SFU 2.0

        Page 363

    • Upgrade Domain Controllers

      Page 363

  • + Post-Upgrade Tasks

    Page 364

    • Monitor

      Page 364

    • Raise Functional Levels

      Page 365

    • Tweak Settings

      Page 366

    • Start Implementing New Features

      Page 366

  • Summary

    Page 366

• + Upgrading to Windows Server 2003 R2

  Page 368

  • New Active Directory Features in Windows Server 2003 Service Pack 1

    Page 369

  • Differences with Windows Server 2003

    Page 370

  • New Active Directory Features in Windows Server 2003 R2

    Page 371

  • + Preparing for ADPrep

    Page 371

    • ForestPrep

      Page 372

  • Service Pack 1 Upgrade Process

    Page 373

  • + R2 Upgrade Process

    Page 374

    • Prepare the Forest

      Page 374

    • Upgrade Domain Controllers

      Page 374

  • Summary

    Page 375

• + Migrating from Windows NT

  Page 376

  • + The Principles of Upgrading Windows NT Domains

    Page 376

    • Preparing for a Domain Upgrade

      Page 377

    • Forests and the Forest Root Domain

      Page 378

    • + Windows NT Domain Upgrades

      Page 378

      • Solution 1: Migration to a new forest root domain

        Page 379

      • Solution 2: Migration with one domain as the domain-tree root

        Page 379

      • Solution 3: Migration to separate domain trees in a forest

        Page 379

    • A Solution-Independent Migration Process

      Page 380

    • + Consolidating Domains After the Move

      Page 382

      • Windows 2003 Interim and Windows 2003 functional levels and groups

        Page 382

      • Computers

        Page 382

      • Users

        Page 384

      • Member servers and removing domains

        Page 385

  • Summary

    Page 385

• + Integrating Microsoft Exchange

  Page 386

  • A Quick Word About Exchange/AD Interaction

    Page 386

  • + Preparing Active Directory for Exchange

    Page 387

    • Forestprep

      Page 387

    • Domainprep

      Page 388

    • Running Forestprep and Domainprep

      Page 388

    • Active Directory Site Design and Domain Controller Placement

      Page 389

    • Other Considerations

      Page 390

  • + Exchange 5.5 and the Active Directory Connector

    Page 392

    • Configuring the ADC

      Page 394

    • Mailbox-Enabling Objects via the GUI

      Page 402

    • Why Bidirectional Replication May Not Solve Your Problems

      Page 406

  • Summary

    Page 407

• + Active Directory Application Mode (ADAM)

  Page 408

  • ADAM Terms

    Page 409

  • + Differences Between AD and ADAM V1.0

    Page 410

    • Standalone Application Service

      Page 410

    • Configurable LDAP Ports

      Page 411

    • No SRV Records

      Page 411

    • No Global Catalog

      Page 413

    • Top-Level Application Partition Object Classes

      Page 414

    • Group and User Scope

      Page 414

    • FSMOs

      Page 414

    • Schema

      Page 415

    • Service Account

      Page 415

    • Configuration/Schema Partition Names

      Page 415

    • Default Directory Security

      Page 415

    • User Principal Names

      Page 417

    • Authentication

      Page 417

  • + ADAM R2 Updates

    Page 418

    • Users in the Configuration Partition

      Page 418

    • Password Reset/Change Chaining to Windows

      Page 419

    • Virtual List View (VLV) Searching

      Page 419

    • Confidentiality Bit

      Page 419

    • New and Updated Tools

      Page 419

    • Installation

      Page 419

    • Authentication

      Page 420

    • R2 ADAM for R2 Server Only

      Page 420

  • + ADAM R2 Installation

    Page 420

    • Installing Components

      Page 420

    • Installing a New ADAM Instance

      Page 421

    • Installing an ADAM Replica

      Page 429

  • + Tools

    Page 434

    • ADAM ADSIEDIT

      Page 434

    • ADAM Schema Management

      Page 434

    • ADAM Install

      Page 435

    • ADAMSync

      Page 435

    • ADAM Uninstall

      Page 435

    • AD Schema Analyzer

      Page 435

    • CSVDE

      Page 435

    • DSACLS

      Page 436

    • DSDBUTIL

      Page 436

    • DSDiag

      Page 436

    • DSMgmt

      Page 436

    • LDIFDE

      Page 436

    • LDP

      Page 437

    • RepAdmin

      Page 437

  • + ADAM Schema

    Page 437

    • Virtual List View (VLV) Index Support

      Page 437

    • Default Security Descriptors

      Page 439

    • Bindable Objects and Bindable Proxy Objects

      Page 439

  • + Using ADAM

    Page 440

    • Creating Application Partitions

      Page 440

    • Creating Containers

      Page 441

    • Creating Users

      Page 442

    • + Creating User Proxies

      Page 443

      • Special considerations

        Page 444

    • Renaming Users

      Page 445

    • Creating Groups

      Page 446

    • Adding Members to Groups

      Page 446

    • Removing Members from Groups

      Page 447

    • Deleting Objects

      Page 448

    • Deleting Application Partitions

      Page 449

  • Summary

    Page 449

• + Interoperability, Integration, and Future Direction

  Page 451

  • + Microsoft’s Directory Strategy

    Page 451

    • Active Directory Application Mode

      Page 452

    • Microsoft Identity Integration Server

      Page 452

    • Active Directory’s Role

      Page 454

  • + Interoperating with Other Directories

    Page 454

    • Getting Data from One Directory to Another

      Page 454

    • Using Common Tools Across Directories

      Page 455

    • Porting Scripts to Work Across Directories

      Page 455

    • Making Searches Across Directories Seamless

      Page 455

  • + Integrating Applications and Services

    Page 456

    • + The Application Integration Challenge

      Page 456

      • Challenges for application vendors

        Page 456

      • Challenges for Active Directory administrators

        Page 459

      • ADAM to the rescue

        Page 461

    • + Integrating Unix

      Page 462

      • Kerberos and LDAP support

        Page 463

      • Migrating from NIS

        Page 463

      • Integrating with NFS

        Page 463

      • Synchronizing passwords

        Page 464

      • Third-party integration tools

        Page 464

  • Summary

    Page 465

• Part III

  Page 467

• + Scripting with ADSI

  Page 469

  • + What Are All These Buzzwords?

    Page 469

    • ActiveX

      Page 469

    • Windows Scripting Host (WSH)

      Page 470

    • Active Server Pages (ASPs)

      Page 470

    • Active Directory Service Interfaces (ADSI)

      Page 471

    • ActiveX Data Objects (ADO)

      Page 472

    • Windows Management Instrumentation (WMI)

      Page 472

    • .NET and .NET Framework

      Page 473

  • + Writing and Running Scripts

    Page 473

    • A Brief Primer on COM and WSH

      Page 473

    • How to Write Scripts

      Page 474

    • WSH 2.0 Versus 5.6

      Page 475

  • + ADSI

    Page 476

    • Objects and Interfaces

      Page 477

    • Namespaces, ProgIDs, and ADsPaths

      Page 478

    • Retrieving Objects

      Page 480

  • + Simple Manipulation of ADSI Objects

    Page 485

    • Creating the OU

      Page 486

    • Creating the Users

      Page 487

    • Tearing Down What Was Created

      Page 488

  • Further Information

    Page 489

  • Summary

    Page 490

• + IADs and the Property Cache

  Page 491

  • + The IADs Properties

    Page 491

    • Using IADs::Get and IADs::Put

      Page 493

    • The Property Cache

      Page 495

    • Be Careful

      Page 496

    • + More Complexities of Property Access: IADs::GetEx and IADs::PutEx

      Page 497

      • Using IADs::GetEx

        Page 498

      • Using IADs::PutEx

        Page 499

  • + Manipulating the Property Cache

    Page 501

    • Property Cache Mechanics

      Page 501

    • Adding Individual Values

      Page 502

    • Adding Sets of Values

      Page 504

    • + Walking Through the Property Cache

      Page 505

      • Approach 1: Using the IADsPropertyList::PropertyCount property method

        Page 507

      • Approach 2: Using the IADsPropertyList::Next method

        Page 508

      • Approach 3: Using the IADsPropertyList::Next and IADsPropertyList::Skip methods

        Page 509

    • Writing the Modifications

      Page 509

    • Walking the Property Cache: The Solution

      Page 511

    • Walking the Property Cache Using the Formal Schema Class Definition

      Page 514

  • Checking for Errors in VBScript

    Page 517

  • Summary

    Page 519

• + Using ADO for Searching

  Page 520

  • + The First Search

    Page 521

    • Step 1: Define the Constants and Variables

      Page 521

    • Step 2: Establish an ADO Database Connection

      Page 521

    • Step 3: Open the ADO Connection

      Page 522

    • Step 4: Execute the Query

      Page 523

    • Step 5: Navigate Through the Resultset

      Page 524

    • Step 6: Close the ADO Connection

      Page 525

    • The Entire Script for a Simple Search

      Page 525

  • + Other Ways of Connecting and Retrieving Results

    Page 526

    • + Searching with SQL

      Page 527

      • Using the Connection::Execute method

        Page 527

      • Using the Recordset::Open method

        Page 527

      • Executing a specific command

        Page 528

      • The Command object and Recordset::Open

        Page 528

  • + Understanding Search Filters

    Page 529

    • Items Within a Filter

      Page 530

    • Connecting Filters

      Page 531

  • + Optimizing Searches

    Page 532

    • Efficient Searching

      Page 532

    • Objectclass Versus Objectcategory

      Page 534

    • + Filtering an Existing Resultset

      Page 536

      • Using a criteria string

        Page 538

      • Using bookmarks

        Page 538

  • Advanced Search Function: SearchAD

    Page 539

  • Summary

    Page 543

• + Users and Groups

  Page 545

  • Creating a Simple User Account

    Page 545

  • + Creating a Full-Featured User Account

    Page 546

    • WinNT Provider

      Page 548

    • LDAP Provider

      Page 550

  • Creating Many User Accounts

    Page 555

  • Modifying Many User Accounts

    Page 558

  • Account Unlocker Utility

    Page 560

  • Creating a Group

    Page 565

  • + Adding Members to a Group

    Page 566

    • Adding Many USER Groups to DRUP Groups

      Page 566

  • Evaluating Group Membership

    Page 568

  • Summary

    Page 569

• + Basic Exchange Tasks

  Page 570

  • Notes on Managing Exchange

    Page 570

  • Exchange Management Tools

    Page 571

  • Mail-Enabling Versus Mailbox-Enabling

    Page 571

  • Exchange Delegation

    Page 572

  • Mail-Enabling a User

    Page 574

  • Mail-Disabling a User

    Page 576

  • Creating and Mail-Enabling a Contact

    Page 577

  • Mail-Disabling a Contact

    Page 578

  • Mail-Enabling a Group (Distribution List)

    Page 578

  • Mail-Disabling a Group

    Page 579

  • Mailbox-Enabling a User

    Page 580

  • Mailbox-Disabling a User (Mailbox Deletion)

    Page 582

  • Purging a Disconnected Mailbox

    Page 582

  • Reconnecting a Disconnected Mailbox

    Page 583

  • Moving a Mailbox

    Page 584

  • Enumerating Disconnected Mailboxes

    Page 586

  • Viewing Mailbox Sizes and Message Counts

    Page 586

  • Viewing All Store Details of All Mailboxes on a Server

    Page 587

  • Dumping All Store Details of All Mailboxes on All Servers in Exchange Org

    Page 588

  • Summary

    Page 590

• + Shares and Print Queues

  Page 591

  • The Interface Methods and Properties

    Page 591

  • Creating and Manipulating Shares with ADSI

    Page 593

  • + Enumerating Sessions and Resources

    Page 595

    • Identifying a Machine’s Sessions

      Page 595

    • Identifying a Machine’s Resources

      Page 597

    • + A Utility to Show User Sessions

      Page 597

      • Obtaining the data

        Page 598

      • Manipulating the data

        Page 599

      • The sort subprocedure

        Page 600

      • The duplicate-removal subprocedure

        Page 600

      • Displaying the data

        Page 601

      • Room for improvement

        Page 606

  • + Manipulating Print Queues and Print Jobs

    Page 606

    • Identifying Print Queues in Active Directory

      Page 607

    • Binding to a Print Queue

      Page 609

    • IADsPrintQueueOperations and Print Queues

      Page 611

    • Print Jobs

      Page 613

  • Summary

    Page 615

• + Permissions and Auditing

  Page 616

  • + How to Create an ACE Using ADSI

    Page 616

    • Trustee

      Page 620

    • AccessMask

      Page 621

    • AceType

      Page 624

    • AceFlags

      Page 625

    • Flags, ObjectType, and InheritedObjectType

      Page 626

  • + A Simple ADSI Example

    Page 628

    • Discussion

      Page 629

  • + A Complex ADSI Example

    Page 630

    • + Discussion

      Page 633

      • Unlock account

        Page 634

      • Set/clear “User Must Change Password On Next Logon” flag

        Page 635

      • Reset Password

        Page 635

    • + Making Your Own ACEs

      Page 635

      • Delegate member attribute on groups

        Page 636

      • Delegate ability to view Confidential Attribute

        Page 636

      • How to implement other delegations

        Page 636

  • Creating Security Descriptors

    Page 636

  • Listing the Security Descriptor of an Object

    Page 642

  • Summary

    Page 651

• + Extending the Schema and the Active Directory Snap-ins

  Page 652

  • + Modifying the Schema with ADSI

    Page 652

    • IADsClass and IADsProperty

      Page 652

    • Creating the Mycorp-LanguagesSpoken Attribute

      Page 653

    • + Creating the FinanceUser class

      Page 655

      • Creating instances of the new class

        Page 656

    • Finding the Schema Container and Schema FSMO

      Page 658

    • Transferring the Schema FSMO Role

      Page 659

    • Forcing a Reload of the Schema Cache

      Page 660

    • Finding Which Attributes Are in the GC for an Object

      Page 661

    • Adding an Attribute to the GC

      Page 662

  • + Customizing the Active Directory Administrative Snap-ins

    Page 663

    • Display Specifiers

      Page 665

    • Property Pages

      Page 666

    • Context Menus

      Page 667

    • Icons

      Page 668

    • Display Names

      Page 669

    • Leaf or Container

      Page 669

    • Object Creation Wizard

      Page 670

  • Summary

    Page 670

• + Using ADSI and ADO from ASP or VB

  Page 672

  • VBScript Limitations and Solutions

    Page 673

  • How to Avoid Problems When Using ADSI and ASP

    Page 674

  • + Combining VBScript and HTML

    Page 674

    • + Incorporating Scripts into Active Server Pages

      Page 675

      • Client-side scripting

        Page 675

      • Server-side scripting

        Page 676

    • ActiveX Controls and ASPs

      Page 677

    • Forms

      Page 679

  • + Binding to Objects via Authentication

    Page 680

    • When to Use VBScript’s GetObject Function

      Page 680

    • When to Use IADsOpenDSObject::OpenDSObject

      Page 681

    • When to Use IADsContainer::GetObject

      Page 683

    • Authenticating from Passwords Input via Forms

      Page 684

    • A Simple Password Changer

      Page 685

    • Adding Users to Groups

      Page 688

  • + Incorporating Searches into ASP

    Page 691

    • ASP Searches Allowing User Navigation of a Resultset

      Page 693

    • + Enhancing the User Navigation ASP

      Page 697

      • Empty resultsets

        Page 697

      • Starting from scratch

        Page 698

      • Filters

        Page 698

      • Displaying the location of individual records

        Page 699

      • The enhanced ASP search

        Page 700

      • Problems with this example

        Page 702

    • Other Ideas for Expansion

      Page 703

  • + Migrating Your ADSI Scripts from VBScript to VB

    Page 704

    • Platform Software Development Kit

      Page 704

    • + The Differences Between VB and VBScript

      Page 705

      • Screen functions

        Page 706

      • Variables

        Page 706

      • Loop constructs

        Page 707

    • Getting Help from VB When Coding in ADSI

      Page 707

    • A Simple Password Changer in VB

      Page 708

    • The ModifyUserDetails Program in VB

      Page 710

  • Summary

    Page 712

• + Scripting with WMI

  Page 713

  • Origins of WMI

    Page 714

  • + WMI Architecture

    Page 714

    • CIMOM and CIM Repository

      Page 715

    • WMI Providers

      Page 715

  • + Getting Started with WMI Scripting

    Page 716

    • Referencing an Object

      Page 716

    • Enumerating Objects of a Particular Class

      Page 717

    • Searching with WQL

      Page 718

    • Authentication with WMI

      Page 719

  • + WMI Tools

    Page 719

    • WMI from a Command Line

      Page 720

    • WMI from the Web

      Page 720

    • WMI SDK

      Page 721

    • Scriptomatic Version 2.0; WMI Scripting Tool

      Page 721

  • Manipulating Services

    Page 721

  • Querying the Event Logs

    Page 724

  • Querying AD with WMI

    Page 727

  • Monitoring Trusts

    Page 729

  • Monitoring Replication

    Page 732

  • Summary

    Page 734

• + Manipulating DNS

  Page 735

  • + DNS Provider Overview

    Page 735

    • Installing the DNS Provider

      Page 736

    • Managing DNS with the DNS Provider

      Page 736

  • + Manipulating DNS Server Configuration

    Page 737

    • Listing a DNS Server’s Properties

      Page 739

    • Configuring a DNS server

      Page 740

    • Restarting the DNS Service

      Page 741

    • DNS Server Configuration Check Script

      Page 741

  • + Creating and Manipulating Zones

    Page 743

    • Creating a Zone

      Page 745

    • Configuring a Zone

      Page 746

    • Listing the Zones on a Server

      Page 747

  • + Creating and Manipulating Resource Records

    Page 747

    • Finding Resource Records in a Zone

      Page 750

    • Creating Resource Records

      Page 751

  • Summary

    Page 752

• + Getting Started with VB.NET and System.Directory Services

  Page 753

  • The .NET Framework

    Page 753

  • Using VB.NET

    Page 754

  • Overview of System.DirectoryServices

    Page 755

  • DirectoryEntry Basics

    Page 757

  • Searching with DirectorySearcher

    Page 763

  • Manipulating Objects

    Page 764

  • Summary

    Page 767

• Index

  Page 769

Working with Microsoft's network directory service for the first time can be a headache for system and network administrators, IT professionals, technical project managers, and programmers alike. This authoritative guide is meant to relieve that pain. Instead of going through the graphical user interface screen by screen, O'Reilly's bestselling Active Directory tells you how to design, manage, and maintain a small, medium, or enterprise Active Directory infrastructure.

Fully updated to cover Active Directory for Windows Server 2003 SP1 and R2, this third edition is full of important updates and corrections. It's perfect for all Active Directory administrators, whether you manage a single server or a global multinational with thousands of servers.

Active Directory, 3rd Edition is divided into three parts. Part I introduces much of how Active Directory works, giving you a thorough grounding in its concepts. Some of the topics include Active Directory replication, the schema, application partitions, group policies, and interaction with DNS. Part II details the issues around properly designing the directory infrastructure. Topics include designing the namespace, creating a site topology, designing group policies for locking down client settings, auditing, permissions, backup and recovery, and a look at Microsoft's future direction with Directory Services. Part III covers how to create and manipulate users, groups, printers, and other objects that you may need in your everyday management of Active Directory.

If you want a book that lays bare the design and management of an enterprise or departmental Active Directory, then look no further. Active Directory, 3rd Edition will quickly earn its place among the books you don't want to be without.