Inside Active Directory
A book by Sakari Kouti and Mika Seitsonen

Index (1st Edition, AD2000)

' (apostrophe), 717, 894

* (asterisk), 458, 485, 719

\ (backslash), 483

: (colon), 499

, (comma), 718

. (decimal point), 718

. (dot), 452

" (double quotes), 718, 724

= (equal sign), 499

/ (forward slash), 499

- (hyphen), 500

< (less-than sign), 499

+ (plus sign), 499, 719

# (pound sign), 499

; (semicolon), 617

[] (square brackets), 237

_ (underscore), 719

169.254.xx, 87

Abandon operation of LDAP, 52

Abstract schema objects, 801–806. See also Subschema object

Access (Microsoft), 53

Access control. See also ACEs (access control entries); ACLs (access control
lists)

architecture, 280–296

background for, 206–212

basic description of, 36–37

delegation and, 282–283

impersonation and, 282–283

security principals and, 207–212

Access tokens

basic description of, 175–176, 287–288

universal groups and, 196

Account(s)

basic description of, 123

disabling, 163, 172

Group Policies and, 511

options, listing, 784–788

policies, 511

resetting, 172–173

Account Operators group, 129

Account Restrictions property set, 235

Account tab, 144, 149–154, 232

ACEs (access control entries), 36, 214. See also Access control; ACLs (access
control lists)

adding, 39, 848–856

basic description of, 219, 288–289

contents of, 289–292

fields of, 290–291

Group Policies and, 554

inheritance and, 240, 851

listing, 834–837, 839–846

order of, 850–851

schema and, 617–618

ACL Editor. See also ACLs (access control lists)

basic description of, 212

dialog boxes, anatomy of, 215–222

DSSec.Dat and, 237, 239

procedures for using, 213

setting permissions with, 222–251

SIDs and, 286

viewing permissions with, 260

ACLDiag, 250

ACLs (access control lists). See also Access control; ACEs (access control
entries); ACL Editor; DACL (discretionary access control list)

administration scripts and, 832–856

default, changing, 267

ACPI (Advanced Configuration and Power Interface)

installation and, 74, 110

problems with, 110

Active Directory

brief description of, 4–6

building blocks of, 16–26

current limitations of, 61

directory face of, 4

enterprise services face of, 4

first look at, 7–8

history of, 7–8

installation of, 67, 93–105, 109–111

introduction to, 4–16

as a loosely-consistent database, 308–310

NDS and, comparison of, 13–15, 63

next version of, 64–65

requirements/recommendations, 93–94

Restore Mode, 97

three faces of, 5–6

uninstalling, 113, 115–117

what data to put in, 645–646

Windows NT and, comparison of, 11–13

Windows NT face of, 4

ADC (Active Directory Connector), 310

Add ACEs to a Folder.vbs, 854–856

Add ACEs.vbs, 846–854

Add Members to a Group option, 192

Add operation of LDAPv3, 52

Add/Remove applet, 85, 102, 558, 560

Address Book, 9, 425, 635

Address tab, 144

Administration. See also Administration scripts

delegation of, 12, 19, 39, 141, 268, 269–276

duplicate, as a cost of adding additional domains, 437

units of, using multiple domains because of, 434–435

Administration script(s)

as command-line tools, 706–708, 884–887

concepts, 697–758

configuration information and, 822–832

debugging, 755–759

development environment for, 712–715

examples of, 761–794, 804–805

execution environment for, 698–703

file types, 703

help files and, 713–714

killing, 710–711

property caches and, 730–750, 767–772

schema and, 801–822

settings, 708–710

testing, 704–705

Administrative groups. See also Groups

in forests, 466–467

predefined, 128–133, 466–467

Administrative templates, 515–519

Administrative view to a forest, 446

Administrator account, 126, 259, 261–263

Administrators group

AdminSDHolder object and, 251

basic description of, 129

ownership and, 243–244

AdminSDHolder object, 251

ADMT (Microsoft Active Directory Migration Tool), 463

ADO (Microsoft ActiveX Data Objects)

administration scripts and, 699, 700, 703, 888, 904

ADSI and, 55–56, 888–890

basic description of, 888

Basic Example.vbs, 893–896

Basic Example with SQL.vbs, 896–897

concepts, 888

mechanics, 890–891

using, 888–903

ADsFMO component, 754, 830–831

ADSI (Active Directory Service Interfaces), 54–56, 123, 888–890

without the Active Directory, 862–870

administration scripts and, 700, 713–714

concepts, 721–752

examples, 724–725, 761–763

help files, 713–714

interface, 702–703, 736–839

operations, 724

paths, 725–726

properties and, 735–736

Resource Kit, 754

syntax, 749–753

ADSI Edit, 174, 201–202

basic description of, 488–489

creating new attributes with, 669–670

inspecting schema with, 588–591

renaming objects and, 239

ADSizer (Active Directory Sizer), 420

ADsSecurity component, 754, 830–831

Aggregate object, 596

Aliases (built-in local security groups), 286

Alias objects, 63

Allchin, Jim, 10

ANR (Ambiguous Name Resolution), 226, 635–637, 639, 642, 654, 655, 813

ANSI (American National Standards Institute), 606, 607

Answer files, 106–107

APIPA (Automatic Private Internet Protocol Addressing), 87

APIs (application program interfaces)

ADSI (Active Directory Service Interfaces) API, 54–56

GetGPOList API, 538–539

LDAP C API, 425, 490, 702

user rights and, 297

Win32 API, 755

APM (Advanced Power Management), 74

Application(s). See also Software

data, storing, 59

deployment, 508–509

patching, 561

permissions in, 240–243

published versus assigned, 560

removing, 509, 562

self-repairing, 558

upgrading, 561

Application tab, 711

Architecture

access control, 280–296

ADSI and, 54–56

basic description of, 41–58

container objects and, 43–44

data models and, 41–42

LDAP and, 49–52

objects and, 43–47

partitions and, 44–45

physical, 51–54

schema and, 42–43

X.500 standard and, 47–49

Arguments

basic description of, 718–719

command-line arguments (options) in scripts, 754, 805

optional, 719

ASCII (American Standard Code for Information Interchange), 483, 687

ASN.1 (Abstract Syntax Notation One), 606

ASP (Microsoft Active Server Pages), 701, 756

ATTRIB command, 114

Attribute(s). See also Properties

ANR, 813–814

basic description of, 622–631

bit-field, 635

constructed, 599, 813–814

creating, 652–655, 661, 664–666, 669–670, 818–823

deactivating, 656–659

inspecting, 589–590

linked, 627–629

listing, 805–807

mandatory, 42, 582, 583, 612, 803

miscellaneous characteristics for, 637

modifying, 655–656, 664–666

multivalued, 582, 634

names, 591–592

nonreplicated, 813–814

optional, 42, 582, 583, 612, 803

permissions for, 677, 696

planning new, 660

reactivating, 659

schema and, 582–583

searching on new, 694–696

single-valued, 582

syntax, 583

tombstone, 401–402

use of the term, 41

values, managing, 693–694

attributeSchema objects, 585, 622–637, 637–639, 817–818

Attributes tab, 621–622

Auditing

basic description of, 204, 276–280

entries, adding, 276–278

Group Policies and, 512–513

records, viewing, 279–280

turning on, 278–279

Authentication

basic description of, 204

cross-forest, 65

Kerberos and, 56

mutual, 56

Automatic Certificate Request settings, 514

Backup Operators group

basic description of, 129

user rights and, 296

Base

DNs, 494

objects, 469, 479

schema, 582, 584, 635–636

Base64 encoding, 499

BATCH command, 114

Batch files

administration scripts and, 701, 793–794

creating, 687–688

creating users with, 793–794

testing, 687–688

BDCs (backup domain controllers)

domain modes and, 133

PDC emulator and, 406, 411

replication and, 25, 310

Binary GUIDs, 837–839. See also GUIDs (globally unique identifiers)

BIND (Berkeley Internet Name Domain), 34, 94

Bindery (of Netware 3), 9, 723

Binding

with credentials, 870–872

early, 721

to the GC, 876–877

late, 721

strings, 726–727

with WKGUIDs, 872–876

Bind operation of LDAPv3, 52

BindView bv-Admin, 463

BIOS (Basic Input/Output System), 74, 83, 109

Bit(s)

ACE AccessMask, 290–291

ACE AceType, 292, 293

ACE Flags, 292

connection object, 385

-fields, 290–291, 635

least-significant, 291

site link, 385

Bitwise AND, 485

Bitwise OR, 485

Blackcomb, 65

Boolean values, 483

Bootable CDs, 108–109

BOOTDISK folder, 76

Boot partition, 69

Breakpoints, 759

Bridgehead servers, 315, 371–374

Browser service, 406, 518, 519

Browsers, encryption for, 57

Building Enterprise Active Directory Services—Notes from the Field, 420

Builtin container, 124, 126–130

C (high-level language), 54, 680

administration scripts and, 701, 702

compilers, 701

C++ (high-level language), 54, 680

administration scripts and, 701, 702

compilers, 701

CA Unicenter, 509

Cache

property. See Property cache.

schema. See Schema cache.

CACLS command, 793, 794, 795, 796, 797

“Cairo,” 10–11

CAL (client access license), 70

Canonical names, 46

Carriage return/linefeed character pair, 719–720

CAs (certificate authorities), 57–58, 92

Group Policies and, 514

SMTP replication and, 386

Case-sensitivity, 718

Catalog Services, 26

CCM (Change and Configuration Management), 503

CD/CHDIR command, 114

CDO (Collaborative Data Objects), 700

CDs (compact discs), bootable, 108–109

Certificate Export Wizard, 116

Certificates, exporting, 116

Change notification, 320, 384–385

Channels, secure, 457

Characters

ASCII, 483, 687

carriage return/linefeed, 719–720

number of, in passwords, 530

Unicode, 34, 483, 516

unsafe, 499

CHKDSK command, 114

Class(es)

ADSI and, 54–46

attributes of, inspecting, 589–590

basic description of, 599–622

categories of, 612

creating, 647–650, 661, 666–669

deactivating, 656–659

derived, 610

extended rights for, 227–229

identifiers, 600, 603

identifiers (CLSIDs), 682, 683, 684, 709

miscellaneous characteristics of, 612–618

modifying, 650–652, 666–669

names, 600, 603

objects of specific, creating/deleting, 229

planning new, 660

reactivating, 659

schema and, 582–583

classSchema objects, 585, 599–622, 815–817

Clean Install option, 80

Client(s)

access license (CAL), 70

access tokens, 287

extensions, 512

LDAP referrals to, 469

-server applications, connection points for, 59

-side extensions (CSEs), 504, 538, 571–573, 575

slow link detection and, 576–578

traffic, 420–421, 425

ClonePrincipal tool, 463

CLS command, 114

CLSIDs. See Class(es)—identifiers (CLSIDs)

CMDTOOL.vbs, 885–887

CNs (common names)

basic description of, 46

renaming objects and, 239

Collisions, 398–401

COM (Component Object Model), 54–56, 699

basic description of, 728–730

components, using, 753–755

connection points and, 59

files, registering, 559

COM+, 559

Comdex, 10

Command-line

CScript options, 706–708

parameters, 465. See also Arguments

redirection of output, 707, 773, 799–800

tools, 111, 112, 173, 250, 353, 355–356, 458, 462, 498, 550, 762, 794,
884–887

Compare operation of LDAPv3, 52

Compilers, 701

Complete trust areas, 441–443

Components

COM, 755–757

homemade, 753

installation of, 85–87

using, 753–755

Computer(s). See also Computer accounts; Computer objects

licensing, 351–352

locating, 35

managing, 173, 856–858

objects, predefined, 133

registering, 91

renaming, 173–174

Computer accounts

disabling, 172

resetting, 172–173

Computer object(s)

administering, 164–174

creating, 166–168

creating with a script, 861–864

deleting, 172

Group Policies and, 507–508

moving, 172

properties, 168–171

Computers container, 124

Concurrency control, 661, 675

Configuration

information, handling, 59, 822–832

partition, 44, 311, 313, 362

Connection object(s)

creating/managing, 380–384

explanation of, 326, 327–331, 358–359

properties, 899

replication and, 358–359

Consistency checks, 650

Constant(s)

administration scripts and, 718–719

basic description of, 718

definitions, 758

intrinsic, 719

names, 718

Contact(s)

administering, 142–164

creating, 148

deleting, 162–163

home pages of, opening, 164

moving, 162

properties, setting, 148–157

renaming, 162

sending e-mail to, 164

Container(s)

basic description of, 123–125

classes, 583–585

objects, 43–44, 583–585

predefined, 123–125

Containment rules (of schema classes), 607–610

Context menus, adding scripts to, 693–694

Continuation references in LDAP, 487–488

Control Panel, 85, 558. See also Add/Remove applet

Controls dialog box, 497

Control statements, 719

Convergence of Active Directory information, 309

COPY command, 114

Create a Computer Object.vbs, 859–862

Create a Group.vbs, 858

Create a Home Folder for a User - Ver 1.vbs, 794–796

Create a Home Folder for a User - Ver 2.vbs, 796–797

Create a Share.vbs, 867

Create a User in a Workstation.vbs, 869–870

Create a User with a Batch File.bat, 793–794

Create a User with Minimum Attributes.vbs, 788–790

Create a User with More Attributes.vbs, 790–793

Create Object dialog box, 677–678

Credentials, binding with, 870–872

Cross-reference(s)

basic description of, 469–473

external, creating, 470–473

objects, 469–470

CScript, 690, 703–705, 711

CSEs (client-side extensions), 504, 538, 571–573, 575

CSVDE, 202, 662, 663, 674

CTLs (certificate trust lists), 514

Current context, 63

DACL (discretionary access control list), 36, 214, 288–289, 290. See also ACLs
(access control lists)

Dampening, propagation, 388

DAP (Directory Access Protocol), 48–49

Data model, 41–42

Data types

administration scripts and, 734–735

handling special, 734–735

Date and time settings, 87. See also time

DB layer, 52–53

DCDiag, 458–459

DCE (Distributed Computing Environment), 452

DCOM, 559

DCPromo, 16–17, 352, 354, 473, 476–477, 586, 673

command, 93, 115

Deactivation, of classes, 656–659

DEAs (directory-enabled applications), 5, 43, 59, 642, 659–662

Debugging

administration scripts, 755–759

with extra output commands, 755–756

mode, 112

Default Domain Controllers Policy, 511

Default permissions. See also Permissions

basic description of, 258–267

listing, 260–265

sources of, 259

DEL/DELETE command, 114

Delegating

basic description of, 19, 39, 269–270

domain controller installation, 476–478

domain installation, 473–478

management of GPOs, 554–557

Delegation (relating to authentication), 282–284

Delegation of Control Wizard, 39, 212

basic description of, 251–258

common tasks completed with, 252–256

custom tasks completed with, 256–258

customizing list of common tasks, 254–256

support tools and, 250

DelegWiz.Inf, 254–256

Delete operation of LDAPv3, 52

Deleted objects, listing, 495–497

Deleting

contacts, 162–163

GPOs, 552–553

groups, 194, 861

objects, 172, 229, 857

OUs, 857

users, 162–163

DEN (directory-enabled networking), 5

Deploying software, with Group Policies, 559–561

Description property, 140

Device Manager, 110

Devices

incompatible, 110

incorrectly detected, 110

DFS (Windows 2000 Distributed File System), 23, 315–316, 341, 559–561

DHCP (Dynamic Host Configuration Protocol)

DNS updates and, 35–36

Group Policies and, 538

installation and, 70, 87, 90

RIS and, 520

Dial-in tab, 144, 155–156

DIR command, 114

Directories

history of, 9

information about, determining the placement of, 426–432

Directory-enabled applications (DEAs), 5, 43, 59, 642, 659–662

Directory-enabled networking (DEN), 5

Directory service, 4, 9, 11, 42, 47, 142, 310, 585, 723–724

Directory Services Restore Mode option, 112

DISABLE command, 114

Disk images, duplicating, 107–108

DISKPART command, 114

DISP (Directory Information Shadowing Protocol), 48

Display name property, 147

Display specifiers, 682–685

Distributed Systems Guide, 354–355

Distribution groups, 174. See also Groups

DLLs (Dynamic Link Libraries), 557, 573, 684, 898

DMZ (demilitarized zone), 60–61

DNs (distinguished names), 407, 466

base, 494

basic description of, 45–47

features recommended for, 94

LDAP and, 46, 485, 494

LDIF and, 498, 501

DNS (Domain Name Service). See also Domain names

Group Policies and, 550

host names, 84

host records, 476

installation and, 70, 84–90, 93–105, 110–111, 117

integration, 34–36

namespaces, 17, 31, 32–33

-related tasks, after installation, 102–105

RIS and, 520

root domain, removing, 102

servers, requesting IP addresses from, 35

updates, dynamic, 35–36

virtual containers and, 58

zones, 61

DnsAdmins group, 132

DnsUpdateProxy group, 132

DNS Zones, 34, 60–61, 94, 102–105, 117, 425, 450

Domain(s). See also Domain controllers; Domain names

adding workstations to, 302

basic description of, 17, 62

choosing, 200

cost of additional, 437–438

creating, 94–95

designing, 432–452

forest root, 95, 448–452

installation, delegation of, 473–478

local groups, 21–22

looking at single, 429–430

managing, 452–478

master browser, 406

mode, changing, 133–135

placement of directory information and, 426–432

single, OU trees in, 29–30

single, with no OU structure, 27–28

trees, 30–33

using multiple, 433–438

using single, advantages of, 433–438

Domain Admins group, 131, 243–244, 251, 261–264

Domain Computers group, 131

Domain controller(s). See also Domains

additional, cost of, 437

basic description of, 6, 16–17

choosing, 200

default assignments for, 299–302

installing, 65, 476–478

logon rights and, 298

operations master (OMDCs), 408, 410–411, 413–414, 415

originating, 390

placement of, 419–502

placement of directory information and, 426–432

privileges and, 28

promoting, to be GC servers, 346–347

removing, 352–354

targeting, for Group Policy operations, 547–548

USNs and, 390

Domain Controllers container, 124

Domain Controllers group, 131

Domain Guests group, 131

Domain names. See also Domains

basic description of, 31–32

Domain naming master, 405

Domain Password & Lockout Policies property set, 231

Domains and Trusts snap-in, 454

Domain Users group, 131, 134

DOS (Disk Operating System), 77, 78. See also MS-DOS

DOSNET.INF, 106

Drivers, installation using alternate, 81–83

DSAs (Directory System Agents), 49, 51, 53

DSClient (Directory Service Client), 702

DSP (Directory System Protocol), 48

DSSec.Dat, 237–239, 257, 677

Dual booting, 70–73

Dynamic disks, 92

Dynamic DNS, 35–36

Dynamic updates, enabling, 102–103. See also Updates

ECMAScript, 702

EditPlus, 712, 713, 763

EFS (Encrypting File System), 47, 514. See also Encryption

E-mail

encryption, 57

sending, to groups, 194

sending, to users and contacts, 164

systems, history of, 9

Empty lines, 718

Enable Boot Logging option, 112

ENABLE command, 114

Enable VGA Mode option, 112

Encryption. See also EFS (Encrypting File System)

e-mail, 57

installation and, 92

TCP/IP traffic, 57

Web browser traffic, 57

Enterprise Admins group, 98, 131, 259, 261

Error(s)

categories, 880

checking, 879–884

levels, 765

mechanics, 879–880

Error Checking.vbs, 879–884

Escape sequences, 483

ESE (Extensible Storage Engine), 52–53

ESENT.DLL, 51

Event(s)

Group Policies and, 562–565

logs, 513, 562–565

Excel (Microsoft)

ACEs and, 834–837

administration scripts and, 701, 766–767, 797–798, 807–809, 815–818

importing text files into, 595–596

table of default permissions, 260

Exchange (Microsoft), 9, 43, 53, 142, 143, 310, 431, 444, 605, 723

EXIT command, 114

Extended operation of LDAPv3, 52

Extended rights, adding, 293–294

Extensible matching rules, 485

EXTRACT command, 114

FastLane Developers, 701

FastLane Migrator, 463

FAT (file allocation table), 71, 73, 81

FAT32, 71, 81

Fault tolerance, 308

FAZAM 2000 RFV (Reduced Functionality Version) tool, 551, 554, 570

File system(s). See also NTFS (Windows NT File System)

DFS (Windows 2000 Distributed File System), 23, 315–316, 341, 559–561

EFS (Encrypting File System), 47, 514

policies, 514

supported by Windows 2000, 72–73

Filters, 200–201, 592, 616, 889, 901–903

Find command, 762

Find dialog box, 488, 695

FindStr command, 762

Firewalls, 60

First name property, 147

FIXBOOT command, 114

FIXMBR command, 71, 114

flatName property, 453

Folder(s)

adding ACEs to, 854–856

creating, 794–797

home, 794–797

redirection policies, 520

Foreign security principals, 124, 462

ForeignSecurityPrincipals container, 124, 462

Forest(s). See also Forest root domains

authentication and, 65

changes to, 62

configurations, number of, 440

creating, 94–95

designing, 432–452

managing, 452–478

managing groups and permissions in, 466–469

moving groups in, 464–465

moving objects in, 462–466

permission assignments in, 468–469

planning considerations for, 445–452

predefined administrative groups in, 466–467

testing schema modifications in, 660, 685–690

three faces of, 445–446

trusts, 65, 441–443

using multiple, 433–444

using single, 438–445

Forest root domains, 95, 448–452. See also Forests

empty, 449–450

nonempty, 450–451

FORMAT command, 114

Forwarding addresses, configuring, 102

Forward lookup zones, creating, 102–103

FRS (Windows 2000 File Replication System), 23, 53, 315

FSMOs (flexible single-master operations), 25, 324, 404. See also Operations
master(s)

FullArmor.com, 570

Full Control permission, 273

Full name property, 147

Function(s)

basic description of, 718–719

conversion, 719

Garbage collector, 402

Gates, Bill, 10

GCs. See Global Catalogs

General Information property set, 231–232, 483

General tab, 144, 170, 195, 232

GetGPOList API, 538–539

GetSID, 286–287

Global Catalogs, 64, 115, 196

attributes and, 814–815

basic description of, 26

binding to, 876–877

indexing and, 585

LDAP searches and, 486

multipartition queries and, 899

number of, 440–441

replication and, 323, 364, 375–378

servers for, placement of, 431–432

servers for, promoting domain controllers to, 346–347

Global groups, 21–22. See also groups

GPC (Group Policy container), 523–524, 567

GPOs (Group Policy Objects)

assigning, 40–41, 124

basic description of, 40, 522–528

creating, 548–550

default permissions for, 575–576

delegated, creating MMC consoles for, 555–556

deleting, 552–553

editing, 550–551

listing, 827–828

management of, delegating, 554–557

GPT (Group Policy templates), 524, 525, 567

GPT.INI, 524, 525

Group(s)

administering, 174–200

built-in, 128–130, 184

creating, 186–187

deleting, 194, 861

distribution of, 20, 174

filtering Group Policies with, 532–534

global, 21–22

listing, 865

local, 128–130, 184

managing, 121–202, 466–469, 856–859

membership, 64, 188–192, 468–469

moving, 194, 464–465

nesting, 21–22

planning, 194–200

predefined, 127–133

primary, for users, 192–193

properties of, setting, 193–194

renaming, 194

restricted, 513

scope, 21–22, 177–184, 187–188

security, 21, 174

sending e-mail to, 194

strategies for, 197–200

types of, 174–177, 187–188

universal, 196–197

usage, example of, 180–181

in the Users container, 130–133

Group Policies

administrative templates and, 515–519

administration of, delegating, 272–273

advanced topics, 571–578

backing up, 553–554

basic description of, 39–41, 204, 503–578

concepts for, 503–507

CSEs and, 504, 571–573

deploying software with, 559–561

effective, determining, 539–546

event logs and, 513, 562–565

filtering, with groups, 532–534

folder redirection and, 520

forcing, 532

inheritance, 529, 534

links to, 528–529

local, 511–513

loopback processing, 536–537

managing, 546–557

operations for, targeting domain controllers for, 547–548

permissions and, 272–273

preference, 517–518

processing, 534–546

redeploying, 509

registry settings for, 573–575

Resource Kit tools for, 566–571

restricted groups and, 513

RIS and, 520–521

security settings and, 510

slow link detection algorithm and, 576–578

software management with, 557–562

troubleshooting, 562–571

version number for, 524–526

Windows NT 4 system policy and, comparison of, 505–506

Group Policy dialog box, 528–529, 546–548, 551–552

Group Policy Migration tool, 566, 569–570

Group Policy Reference, 570

Group Policy Results tool, 539, 566–567

Group Policy Scenarios tool, 571

Group Policy tab, 522, 525, 549, 553, 555

Group Policy Verification tool, 567–569

Guests group, 129, 259

GUIDGen, 648, 653, 679

GUIDs (globally unique identifiers), 167–168, 407

ACEs and, 292–293, 295

basic description of, 292–293

binary, 837–839

cloning objects between forests and, 444

converting, with regular expressions, 845–846

database, 389, 394–395, 398

Group Policies and, 504, 522, 525, 527

listing, 824–828, 837, 839

replication and, 357–358, 375, 389

schema and, 648, 653, 679–680

server, 389, 395

Hardware

abstraction layer (HAL), 83

compatibility, with Windows 2000 Server, 74–75

HCL (Hardware Compatibility List), 74

Hello.vbs, 704

HELP command, 114

Help files, 713–714

Hierarchies, 27–34

High encryption pack, 92

High-watermark vectors, 394–395

Home

folders, creating, 794–797

pages, opening, 164

HTML (HyperText Markup Language), 757

IADsContainer interface, 741–743

IADsGroup interface, 748–749

IADS interface, 739–742

IADsTools, 754

IADsUser interface, 743–748

IBM (International Business Machines), 8–9

ICANN (Internet Corporation for Assigned Names and Numbers), 61, 605, 607

IDE (integrated development environment), 700

IEAK (Internet Explorer Administration Kit), 517, 521. See also Internet Explorer
browser (Microsoft)

IIS (Microsoft Internet Information Server), 85, 86, 93

administration scripts and, 701, 756

ADSI and, 54

debugging and, 756

replication and, 387

Impersonation

basic description of, 56, 282–283

Kerberos and, 56

tokens, 287

InetOrgPerson class, 65

Infinite loops, 710–711

Informational properties of users and contacts,
156–158

Infrastructure master, 25, 229, 324, 334, 407–408, 829. See also Operations
masters

Inheritance, 600, 602, 610–612

basic description of, 37–38

blocking, 531–533

Delegation of Control Wizard and, 252

dynamic, 240–243

Group Policies and, 529–534

static, 37–38, 240–243

Installation

Active Directory, 67–68, 93–105, 109–111, 122–135

answer files and, 106–107

automating, 105–109

from CDs, 80

Clean Install option for, 80

configuring forwarding addresses after, 102

creating domains, trees, and forests during, 94–95

creating forward lookup zones after, 102–103

creating reverse lookup zones after, 104

decisions to make before, 68–76, 94–95

defining date and time settings during, 87

disk duplication and, 107–108

domain controller, 65, 476–478

dual booting, 70–73

enabling dynamic updates after, 102–103

EXE files for, schema and, 674–675

finalizing, 89

from networks, 80–81

partitions, selecting, 83

preparation for, 74–76

recovery options and, 111–113

removing DNS root domains after, 102

reversing, 113–117

starting, 76–79

steps to take after, 90–92, 100–101

troubleshooting, 110–113

using alternative drivers, 81–83

verifying, 100–101

Windows 2000 Server, 68–93

InstallShield, 559

Instantiation, of classes, 582

Integers, 483, 485, 486

Integrity, referential, 629

IntelliMirror (Microsoft), 503

Interdomain communications, cost of, 437

Internet

connecting to, 59–61

directories, 9

routers, 60

Internet Explorer browser (Microsoft)

Administration Kit (IEAK), 517, 521

debugging and, 756

Group Policies and, 521

IP (Internet Protocol), 35, 605. See also IPSec (IP Security)

Group Policies and, 514–515

installation and, 70, 87, 88, 90

replication and, 368, 378, 387

IPSec (IP Security), 387, 514–515. See also IP (Internet Protocol)

IRQ (Interrupt) settings, 110

ISAM (Indexed Sequential Access Method), 53

ISDN (Integrated Services Digital Network), 370

ISM (Intersite Messaging) service, 25, 387

ISO (International Organization for Standardization), 47–49, 605–606

ISTG (inter-site topology generator), 366–367, 370–374, 380–381

ITU (International Telecommunications Union), 47–49, 605–606

JScript, 509

KCC (Knowledge Consistency Checker), 314, 327, 330, 343, 347, 353, 357–365

KDCs (key distribution centers), 56

Kerberos, 56–57, 420, 435, 437–438, 444

Cairo and, 10

Group Policies and, 511, 539

synchronization services and, 25

trusts and, 452

Keyboard settings, 81

Knowledge Base. See Microsoft Knowledge Base

Kouti.com, 260, 714, 759

Language Options dialog box, 81

Language settings, during installation, 81, 84

LAN Manager, 8–9, 512, 732

access tokens and, 287

NET commands and, 202

LANs (local area networks)

loose consistency and, 6

replication and, 309, 315, 317

schema and, 655

as sites, 23

Last Known Good Configuration option, 111, 112

Latency, 309, 342

LAYOUT.INF, 106

LDAP (Lightweight Directory Access Protocol)

ADSI and, 54

ANR and, 635

Base64 encoding and, 499

basic description of, 6, 49–52

binding strings, 725–726

C API, 425, 490, 702

Cairo and, 11

client traffic, 425

continuation references and, 487–488

controls, extended, 495–497

Data Interchange Format (LDIF), 498–501

data model, 581–585

domain names and, 31

Group Policies and, 564

the history of directories and, 10

NCs and, 308

property lists and, 480–481

referrals, to clients, 469

schema and, 611, 616, 622–626, 645–646, 652

searches, 473–501, 893–894

setting properties for OUs and, 139–140

version 3 operations, 51–52

LDIF (LDAP Data Interchange Format), 498–501. See also LDIFDE (LDIF Directory
Exchange)

LDIFDE (LDIF Directory Exchange), 202, 489, 498–499, 598, 660

creating/modifying objects with, 670–674

schema and, 662, 663, 664, 670–674

LDP tool, 490–494

Leaf

classes, 583–585

objects, 43–44, 583–585

Least-significant bit, 291

LGPO (Local GPO), 504, 527–528, 557

Linear regression analysis, 422

Lines

cutting long, 719

including, from another file, 758–759

indenting, 719

Link(s)

bridges, 321, 378–380

costs of, 369–371

creating/managing, 348–351

disabling parts of, 551–552

replication topology and, 367–369

tables, 53

WANs as, 23

Linked attributes, 627–629

Linux, 472–473

List ACEs—Long.vbs, 839–846

List ACEs—Short.vbs, 834

List ACEs to Excel - Short.vbs, 834–837

List ADSystemInfo.vbs, 831–833

List All Abstract Schema Objects.vbs, 806

List All attributeSchemas to Excel.vbs, 817–818

List All Real Schema Objects.vbs, 811–812

List Attribute Display Names.vbs, 823–824

List Binary GUIDs.vbs, 837–839

List Indexed Attributes.vbs, 812–813

List Global Catalog Attributes.vbs, 814–815

List Objects That Have Blocked ACL Inheritance.vbs, 901–903

List Services.vbs, 863–865

List Shares.vbs, 865–867

LISTSVC command, 114

List the Account Options of a User.vbs, 784–788

List the DC GUIDs.vbs, 824–826

List the GPO GUIDs.vbs, 827–828

List the Member Attributes of a Given Class to Excel.vbs, 805–807

List the Member Attributes of a Given Class.vbs, 805–806

List the Operations Masters.vbs, 828–830

List the Operations Masters with ADsFSMO.vbs, 830–831

List the Property Cache Contents.vbs, 767–772

List the rootDSE Property Cache.vbs, 826–827

List the Supported Namespaces.vbs, 822–823

List the Users of One Container to Excel.vbs, 766–767

List the Users of One Container.vbs, 764–766

List User Properties with Get.vbs, 772–779

List User Properties with Methods.vbs, 779–784

List WinNT Properties of User Class.vbs, 868–869

Load balancing, 308

Local GPO, 504, 527–528

Local policies, 511–513

LocalSystem account, 211, 282, 283, 284

Location tab, 171

Logging. See also Auditing

events, 562–565

detailed, 564–565

Logoff scripts, 509

Logon. See also Access control; Authentication

GCs and, 64

Group Policies and, 509–510

Information property set, 235

rights, 297–298

smart card, 440, 661

traffic, 420–421

Loopback Adapter (Microsoft), 94

Loopback processing, 536–539

Loops, 710–711

Loose consistency, 6, 308–310

LSA (Local Security Authority), 51, 322

MAKEBOOT command, 76

Managed By property, 140

Managed By tab, 195

Manual refresh, of Group Policies, 536

MAP command, 114

MBR (master boot record), 71

MD/MKDIR command, 114

Member Of tab, 144, 149, 188, 192, 232

Member servers

basic description of, 88

modifying user rights for, 305–306

Members tab, 188, 190–191

Menu(s)

adding scripts to, 693–694

definitions, adding, 686–687

Merge mode, 536–537

Metadata replication, 391–394

MicroHouse ImageCast, 108

Microsoft Access, 53

Microsoft Active Directory. See Active Directory

Microsoft Active Directory Migration Tool (ADMT), 463

Microsoft Active Server Pages (ASP), 701, 756

Microsoft ActiveX Data Objects (ADO). See ADO

Microsoft Excel

ACEs and, 832–837

administration scripts and, 701, 766–767, 797–798, 807–809, 815–818

importing text files into, 595–596

table of default permissions, 260

Microsoft Exchange, 53

Microsoft IntelliMirror, 503

Microsoft Internet Explorer browser. See Internet Explorer browser (Microsoft)

Microsoft Internet Information Server (IIS). See IIS (Microsoft Internet
Information Server)

Microsoft Knowledge Base, 249, 353, 380, 501, 511

Microsoft Loopback Adapter, 94

Microsoft Management Console (MMC), 504–505, 547–548, 550–551, 555–556

Microsoft Metadirectory Services (MMS), 310

Microsoft Office, 754

Microsoft Platform SDK (Software Development Kit), 617

Microsoft Script Debugger, 85, 86, 756–757

Microsoft Software Installer (MSI), 557, 559

Microsoft System Management Server, 509

Microsoft Visual Basic for Applications (VBA), 701

Microsoft Visual Basic Scripting Edition (VBScript)

ADSI and, 54

basic description of, 698, 702, 715–721

COM components and, 753–754

Editor, 713

Group Policies and, 509

schema and, 663

scripts, creating/testing, 688–690

scripts, sample, 716–721

Microsoft Visual Studio Installer, 559

Microsoft Windows Internet Naming Service (WINS), 36, 53, 70, 88

Microsoft Windows NT

Active Directory and, comparison of, 11–13

Cairo and, 10–11

domains, using multiple domains because of, 436

history of, 8–9

properties, listing, 870–871

system policy, 505–506

Microsoft Windows NT Directory Service (NTDS), 257, 327, 330–332, 341–347,
353–354, 380–381, 411, 415

Microsoft Windows NT File System (NTFS). See NTFS (Microsoft Windows NT File
System)

Microsoft Windows NT LAN Manager (NTLM), 56, 512

Microsoft Windows 2000 Server

answer files and, 106–107

components, installation of, 85–87

dual booting, 70–73

hardware compatibility with, 74–75

history of, 10–11

installation, 68–76, 80–92, 105–107

Professional, 92–93

requirements/recommendations, 74

Resource Kit, 255, 566–571

server upgrades, 837–90

uninstalling, 113–117

Microsoft Windows Update Corporate Web site, 91

Mixed mode, 133–135, 177–180

MMC (Microsoft Management Console), 593, 504–505, 547–548, 550–551,
555–556

MMC Group Policy extension, 547–548

MMC Group Policy snap-in, 504–505

MMS (Microsoft Metadirectory Services), 310

Modify DN operation of LDAPv3, 52

Modifying Objects.vbs, 897–898

ModifyLDAP.vbs, 344

Modify operation of LDAPv3, 52

MORE command, 114

MoveTree tool

basic description of, 462–466

moving groups and, 464–465

options, 465–466

MS-DOS, 8, 80–81. See also DOS (Disk Operating System)

MSI (Microsoft Software Installer), 557, 559

Multilanguage version, 84

My Network Places, 8, 518

Namespaces, listing, 822–823

Namespace view to a forest, 446

NAT (network address translation), 102

Native mode, 133–135, 181–184

NCs (naming contexts), 308

NDS (Novell Directory Services)

Active Directory and, comparison of, 13–15, 63

dynamic inheritance and, 38

the history of directories and, 9

introduction of, 11

partitions and, 62

NetBIOS

Browser service, 518

installation and, 84, 95, 100

names, 36, 59–60, 84, 95

ports, 59–60

trusts and, 453, 455

NET commands, 202

NetDom tool, 173, 454, 456, 458, 464

NetIQ Domain Migration Administrator, 463

Netlogon service, 102

NET TIME, 403–404

NetWare (Novell)

Active Directory and, comparison of, 13–15, 63

ADSI and, 54

Catalog Services, 26

the history of directories and, 9

Network(s)

installing/configuring, 87–88

installing Windows 2000 Server from, 80–81

operating systems, previous Microsoft, 8–9

traffic, measuring, 420–425

Network Identification tab, 173

Network Monitor, 85, 474

NLTest tool, 173, 454, 456, 458–459

No Override option, 532

Nortel Networks, 11

Northern Telecom. See Nortel Networks

Norton Ghost, 108

Notepad, 54, 109, 510, 545, 687, 704, 713

Notification, change, 320, 384–385

Novell NetWare. See NetWare (Novell)

NTDS (Microsoft Windows NT Directory Service), 257, 327, 330–332, 341–347,
353–354, 380–381, 411, 415

NTDSA.DLL, 51

NTDSUtil tool, 344, 412, 473–475

NTFS (Microsoft Windows NT File System)

folder redirection and, 520

Group Policies and, 557

installation and, 68–69, 71–73, 81, 83, 89–90, 93, 97

permissions and, 36–37, 214

SIDs and, 284

NTLM (Microsoft Windows NT LAN Manager), 56, 512

NTRights command, 304–306

NtSecurityDescriptor property, 206–207, 289

Null sessions, 210

Object(s)

administering, 164–174

base, 469, 479

basic description of, 4

that block ACL Inheritance.vbs, 901–903

creating, 166–168, 229, 680–681

deleting, 172, 229, 859

displaying, 680–681

extended rights for, 227–229

finding, 200

listing, 495–497, 805, 811–812, 901–903

moving, 172

names, 45–47, 238–239, 626–629

predefined, 133

properties of, setting, 149–157, 168–171

renaming, 238–239

schema and, 582–583, 626–629, 676–690

tables, 52–53

where to place new, 676–690

Object tab, 143

ObjectType field, 292–293, 294

Octet strings, 483

OIDGEN tool, 606–607

OIDs (object identifiers), 485, 486

base, 606–607

basic description of, 603–607

obtaining, 606–607, 660

schema and, 603, 660–661, 691

OLE automation

data types, 749–752

explanation of, 723

OMDCs (operations master domain controllers), 408, 410–411, 413–414, 415

Open Group, 452, 629

Operating System tab, 170

Operations master(s), 26, 324

changing, 829–830

failures, 413–414

listing, 828–831

managing, 404–416

placement of, 408–411

roles, transferring, 411–412

Oracle, 55

Organizational units (OUs), 27–34, 135–142

adding users of, to a Group.vbs, 859

administration scripts and, 856–857, 859

basic description of, 19–20

creating, 138, 857

deleting, 140–141, 857

features of, 136–137

managing, 121–202, 856–857

moving, 140–141

planning, 141–142

predefined, 123–125

properties for, setting, 138–140

renaming, 140–141

Organization tab, 144

Originating updates, 388. See also Updates

Orphan containers, 463

OS/2 (IBM), 8–9

OSI (Open Systems Interconnection) directory services, 48–49

OUs (organizational units). See Organizational units (OUs); OU trees

OU trees. See also Organizational units (OUs)

delegating, without blocking, 272

delegating, with possible blocking, 270–271

permissions and, 270–272

roots of, 452

in single domains, 39–40

Ownership, 243–245

Packages

customizable installation, 558

non-MSI, deploying, 560–561

patches for, 509

upgrades for, 509

Parameters, ADO command object, 899–901

Parent domains

basic description of, 30

domain trees and, 30–31

Partition(s)

administration scripts and, 896–899

basic description of, 44–45

configuration, 310–311

creating, 62

enterprise, 310–311

installation and, 81, 83

merging, 62

replication and, 310–312, 362–363, 374–375

schema and, 310–311

selecting, 83

topologies of several, 374–375

types, 311

Whistler and, 65

Passfilt.dll, 511

Passprop.exe, 511

Password(s)

administrator, 97

age, maximum, 530

creating users and, 145

forcing complex, 511

installation and, 97

minimum number of characters in, 530

policies, 435

resetting, 164

Patches, 509

Paths, to abstract schema objects, retrieving, 803–804

PDC emulator, 406–407. See also PDCs (Primary Domain Controllers)

PDCs (Primary Domain Controllers). See also PDC emulator

installation and, 837

replication and, 25, 310

time convergence and, 403

Permission(s)

accumulation of, 245–246

administration scripts and, 852–854

in applications, 240–243

attribute, 677, 696

basic description of, 36–37

concepts, 213–215

cross-object, 274–275

default, 212, 258–267, 575–576

delegation scenarios for, 269–275

denying, 246–249

entries, ordering of, 246–249

in forests, 466–469

general practices using, 268–269

generic, 854–856

handling, with the ACL Editor, 212, 215–229

inheritance and, 214, 240–243, 259

list object, 224–227

managing, 212–251, 466–469, 677–679

object, 214, 222–239

ownership and, 243–245

performance and, 249–250

property, 214, 229–239

property set, 230–236

replication and, 356

security principals and, 265–267

special, 36, 213, 222–229

standard, 36, 213, 222–229

usage scenarios for, 267–276

using, instead of rights, 301–302

Personal Information property set, 232–233

Phantoms, 407, 408, 409

Phone and Mail Options property set, 231

Physical structure. See also Physical architecture

concepts, 308–324

diagnosing, 354–356

managing, 325–356

monitoring, 354–356

Physical architecture, 51–54. See also Physical structure

PINs (personal identification numbers), 58

PKI (public key infrastructure), 47–48, 57–58, 204, 442, 514

Plug and Play, 83

Policies. See Group Policies

PowerQuest

Drive Image, 108

Partition Magic, 69, 115

Pre-Windows 2000 Compatible Access group, 97, 130, 260

Preference, use of the term, 517

Primalscript, 713

Primary access tokens, 287. See also Access tokens

Print Operators group, 129

Print queues, listing, 865

Processes tab, 711

Processing

loopback, 536–539

Group Policies, 534–546

periodic, 535

slow link, 536

Profile tab, 144, 154–155

Propagation dampening, 388

Properties. See also Attributes; Property cache; Property sets

delegating administration of informational, 275–276

informational, 142–144, 164, 791

listing, 772–784, 868–869

mandatory, 41

multivalued, 41, 737–738

nonreplicating, 322–323

optional, 41

significant, 142–144, 164, 791

single-valued, 41, 737–738

syntax of, 41

Property cache

administration scripts and, 730–736, 767–772

contents of, listing, 770–772

interfaces, 669–770

special data types and, 734–735

ways to read and write, 732–733

Property lists, 480–481

Property pages of schema objects, 618–622, 637–639

Property sets, 230–236, 294–296, 677–679

Protocols (listed by name). See also LDAP (Lightweight Directory Access Protocol); SMTP (Simple Mail Transfer Protocol)

DAP (Directory Access Protocol), 48–49

DHCP (Dynamic Host Configuration Protocol), 35–36, 70, 87, 90, 520, 538

DISP (Directory Information Shadowing Protocol), 48

DSP (Directory System Protocol), 48

IP (Internet Protocol), 35, 70, 87, 88, 90, 368, 378, 387, 514–515, 605

SNTP (Simple Network Time Protocol), 403

TCP (Transmission Control Protocol), 490

TCP/IP (Transmission Control Protocol/Internet Protocol), 23, 57, 59, 70, 87,
93–94, 97

Public Information property set, 232

Published Certificates tab, 142, 144

Publishing, basic description of, 58–59

QGrep command, 762

Queries, multipartition, 896–899

RAID drivers, 81

RAM (random-access memory). See also Caches

access tokens and, 175

administration scripts and, 700

installation and, 75, 81, 93

loading DLLs in, 51

schema cache and, 597–599

RAS and IAS Servers group, 132

RCP, 59, 287

RCP Server, 287

RDNs (relative distinguished names)

basic description of, 46–47

renaming objects and, 238–239

NDS and, 63

RD/RMDIR command, 115

Read User Information from Excel.xls, 797–798

Read User Information from Standard Input.vbs, 799–801

Recovery Console

basic description of, 112–113

FIXMBR command, 71

starting, 113

using, 113

Recovery options

basic description of, 111–113

Safe Mode and, 111–112

RepAdmin command, 355, 391, 398, 416, 746, 768

References

continuation, 487–488

cross-, 469–473

Referential integrity, 629

Referrals, 469–473, 486, 898–899

RegEdit, 562

RegEdt32, 562–565, 662

Regional settings, 84

Registry

administration scripts and, 704–705, 708–710

Group Policies and, 514, 538, 543, 562–565, 571, 573–575

schema and, 662

tattooing, 506

Regular expressions, converting GUIDs with, 845–846

Relationship tab, 620

Remote Administration mode, 85

Remote Install tab, 171

REN/RENAME command, 115

RepAdmin command, 398

Replace mode, 536–537

Replicas. See also Replication

basic description of, 44, 310–312

partial, 364

partitions and, 310–312

Replicated updates, 388

Replication. See also Replicas

Active Directory objects for, 325–331

advanced topics, 357–364

basic description of, 24–26, 307–419

change notification and, 320, 384–385

collisions and, 398–401

connection objects and, 358–359

global catalogs and, 323

Group Policies and, 547

high-watermark vectors and, 394–395

intersite, 319–321, 364–386

intrasite, 319–321, 357–364

latency, 309, 342

managing the physical structure with, 325–356

metadata, 391–394

multimaster, 25, 309

nature of, 308–310

nonreplicating properties and, 322–323

operation masters and, 324, 404–416

partitions and, 310–312, 362–363, 374–375

PDC emulator and, 406–407

permissions and, 356

reasons to use, 308

reciprocal, 384

removing domain controllers and, 352–354

rings, 357–361

scheduled, 320–321

schema and, 662, 675

server objects and, 341–343

single-master, 25, 310

site link bridges and, 321

SMTP, configuring, 386–387

subnet objects and, 339–340

test environments, 332–333

time synchronization and, 402–404

tombstones and, 401–402

topologies, 314–315

traffic, 421–425

transitive nature of, 319

units of, 17, 435–436

up-to-date vectors and, 395–398

urgent, 321–322

Replication Monitor tool, 569

Replicator group, 130

Reverse lookup zones, 104

RFCs (requests for comments)

downloading RFC documents, 35

RFC 977, 35

RFCs 1034–1036, 95

RFC 1278, 633

RFC 1487, 10, 49

RFC 1510, 56

RFC 1769, 403

RFC 1777, 10, 49

RFC 1995, 94

RFC 2052, 95

RFC 2078, 104

RFC 2136, 35, 94

RFC 2137, 104

RFC 2251, 10, 49, 488

RFC 2798, 65

RFC 2849, 489, 498, 501, 876

RFCs related to LDAPv3, 50–51

RID MASTER, 405–406

RIDs (relative IDs), 285, 324, 405–406, 413–414

Rights

extending, 227–229

using permissions instead of, 301–302

RIS (Remote Installation Services), 39, 503

creating computer objects and, 166–168

Group Policies and, 520–521, 573

Root domains

basic description of, 30

domain trees and, 30–31

forest, 95, 448–452

removing, 102

RootDSE, 451, 495, 598, 727–728, 826–827

Root object, 479

RPC (remote procedure call), 348, 378, 383

domain controller placement and, 423

replication and, 24

SACLs (system access control lists)

basic description of, 36, 288–289

Group Policies and, 512, 513

Safe Mode, 111–112

Safe Mode with Command Prompt option, 112

Safe Mode with Networking option, 112

Schema

administration scripts and, 801–822

ADSI and, 54

basic description of, 42–44, 581–640

cache, 597–599

containment rules, 607–610

content rules, 629–634

disabling modifications to, 661

dumping, to spreadsheets, 594–596

extending, 43, 641–696

GC and, 585

inspecting, 588–594

location of, 585–592

masters, 405, 660–662

modification of, 642–659

number of, 438

objects, 616–617

permissions and, 677–679

physical location of, 586

replication, 675

role of, 585

searches and, 634–637

structure rules, 607–610

sub-, subentries, 596–597

syntax, 622–631

updates, forcing, 662

Schema Admins group, 131, 259, 661

Schema cache

explanation of, 597–598

update of, 228, 598–599, 661, 662, 672

update with a script, 819, 821

Schema container, 586

Schema Manager snap-in, 592–594, 620, 662, 663

basic description of, 664–674

creating/modifying attributes with, 664–666

creating/modifying classes with, 666–669

Schema master, 405

Script(s)

adding, to context menus, 693–694

as command-line tools, 706–708, 884–887

concepts, 697–758

configuration information and, 822–832

debugging, 755–759

development environment for, 712–715

editors, 712–713

examples of, 761–794, 804–805

execution environment for, 699–703

file types, 703

Group Policies and, 509–510

help files and, 713–714

killing, 710–711

property caches and, 730–750, 767–772

schema access, 801–822

settings, 708–710

testing, 704–705

Script Debugger (Microsoft), 85, 86, 756–757

Script tab, 709

SCSI (Small Computer Systems Interface), 81

SDCheck, 250

SDDL (Security Descriptor Definition Language), 617–618

default ACLs and, 267

definition of acronyms in, 255

schema and, 613, 617–618

SDs (security descriptors), 36, 288–296

Search(es)

with ADO, 891

with LDAP, 52, 473–501, 893–894

multidomain, 486

on new attributes, 694–696

options, as command object parameters, 899–901

schema and, 634–637

specifying values for, 484–486

strings, 893–894

tools, 488–494

Search Options dialog box, 497

Secedit command, 510

Security Configuration and Analysis Snap-in, 510

Security Configuration Toolset, 510

Security tab, 143

Security Templates snap-in, 510–511

Server(s)

bridgehead, 315, 371–374

GUIDs, 389, 395

member, 88, 305–306

objects, moving/managing, 341–343

stand-alone, 88

Server Operators group, 129

Service packs, 80

Services, listing, 863–865

Session Manager, 287

Session tickets, 56

SET command, 115

Setup. See also Installation

finalizing, 89

Wizard, 92–93

Setup Manager Wizard, 106–107

Shortcut trusts, 31

ShowInAdvancedViewOnly attribute, 613–616

Show Property Properties.vbs, 809–810

SIDs (security IDs)

ACEs and, 288–292

basic description of, 283–287

deleting users and, 162

foreignSecurityPrincipal object and, 462

installation and, 108

MoveTree tool and, 463

RID master and, 405–406

Single sign-on, 204

Site(s). See also Site links

Active Directory objects for, 325–331

administering, 337–338

basic description of, 23

coverage, 318

Default-First-Site-Name, using, 338–339

objects, creating/managing, 340–341

placement of directory information and, 426–432

replication and, 307–419

setting up multiple, 334–337

setting up single, 333–334

Site link(s)

bridges, 321, 378–380

costs of, 369–371

creating/managing, 348–351

replication topology and, 367–369

WANs as, 23

Sites and Services snap-in, 331–333

SLDs (second-level domains), 452

Slow link detection algorithm, 576–578

Smart cards, 57, 440, 661

SMARTDRIVE command, 78

SMTP (Simple Mail Transfer Protocol), 326–327, 330, 348–350, 378, 382–383

domain controller placement and, 423

replication and, 24–25, 386–387, 436

schema and, 601

SNTP (Simple Network Time Protocol), 403

Software. See also Applications

deploying, 559–561

managing, 557–562

Spreadsheets, 594–596

SQL (Structured Query Language), 894–895

SQL Server, 52, 55

SRM (security reference monitor), 246

SRV records, 34, 93, 102

Stamps, 391, 398

Stand-alone servers, 88

Statistically unique numbers, 285

Strings

binding, 725–726

octet, 483

search, 893–894

Structure rules (of schema classes), 607–610

Subnet objects, creating/managing, 339–340

Subschema object. See Abstract schema objects

SUPPORT folder, 74

Switchboard, 9

Switches, 78–79

Synchronization services, 25

Syntax

ADSI, 749–752

choices, 629–634

highlighting, 712

rules, 629–634

SYSOC.INF, 85

SYSOCMGR command, 85

SysPrep (System Preparation Tool), 108

System account, 282. See also LocalSystem account

System container, 674

System Management Server (Microsoft), 509

System partition, 69

System Policy, 40, 505–506

SYSTEMROOT command, 115

System services, 513

System State, 553–554

SysVol (System Volume) folder, 68–69

Task Manager, 704, 711, 756, 864

Task Scheduler, 210, 700, 711

TCO (total cost of ownership), 503

TCP (Transmission Control Protocol), 490. See also TCP/IP (Transmission Control Protocol/Internet Protocol)

TCP/IP (Transmission Control Protocol/Internet Protocol). See also TCP
(Transmission Control Protocol)

connecting to the Internet and, 59

installation and, 70, 87, 93–94, 97

site functions and, 23

traffic encryption, 57

Telephones tab, 144

Templates

administrative, 515–519

basic description of, 204

Group Policy, 524, 525, 567

security, 41, 204, 510–511

Terminal Services, 85, 87, 93, 476

Testing

batch files, 687–688

environments, 332–333

schema modifications, in forests, 660, 685–690

scripts, 688–690

TGT (ticket-granting ticket), 56, 435

Time

convergence hierarchy, 403

GMT/UTC, 390, 485, 689

services, controlling, 403–404

settings during installation, 87

-stamps, 390

strings, generalized, 485

synchronization, 402–404

target, 404

TLDs (top-level domains), 452

Tombstones, 401–402

Topologies

intersite, 64–65, 364–386

intrasite, 357–364

replication, 314–315, 357–386

Transactions, 52

Transitivity, of replication, 319

Tree(s)

creating, 94–95

deleting OUs in, 140–141

moving OUs in, 140–141

renaming OUs in, 140–141

root domain, 451

Troubleshooting

Group Policies, 562–571

installation, 110–113

Trust(s)

basic description of, 17–18

bidirectional, 18–19, 30, 453, 455, 462

computer, 441–443

creating explicit, 460–462

managing, 452–562

shortcut, 31, 446–447

transitive, 18–19

tree root, 33

trusted domain objects and, 452–454

verifying, 457–459

viewing, 454–457

TrustAttributes property, 454

TrustDirection property, 453

Trustees, defining, 852

TrustPartner property, 453

Trust view to a forest, 446

TXTSETUP.SIF, 106

TYPE command, 115

UDF (Uniqueness Database File), 106

UltraEdit, 713

Unbind operation of LDAPv3, 52

Unicode character set, 34, 483, 516

UNINST.TXT, 117

United Nations, 47

Universal groups, 21–22

University of Michigan, 10

UNIX, 34–35, 192, 629

Unsolicited Notification operation of LDAPv3, 52

Updates. See also USNs (update sequence numbers)

DNS, 35–36

dynamic, 35–36, 102–104

forcing, 662

schema, 662

schema cache, 598–599

Upgrades, 89–90, 509

UPNs (user principal names)

basic description of, 46–47, 440

domain controller placement and, 431

locating user objects via, 440

smart card logons and, 440

suffixes for, 148, 440

UPS (uninterruptible power supply), 74, 92

Up-to-date vectors, 395–398

U.S. Department of Defense, 605

User(s)

accounts, disabling, 163

accounts, options for, listing, 784–788

administering, 142–164

class, extending, 690–696

copying, 160–161

creating, 145–148, 788–794, 869–870

deleting, 162–163

domain modes and, 134

editing multiple, 65

groups, predefined, 468

home pages of, opening, 164

informational properties of, 156–157

information, reading, 797–801

listing, 764–767, 865, 877–878

managing, 121–202, 764–822

moving, 162, 857

objects, properties of, setting, 149–157

predefined, 125–126

primary groups for, setting, 192–193

properties of, listing, 772–784

properties of, setting, 148–157

renaming, 162

sending e-mail to, 164

User interface

bringing schema extensions to, 676–690

creating objects for, 680–681

where to place new objects in, 676–690

User logon name property, 147

User rights

applying, 303–305

assigning, 302

User rights (cont.)

basic description of, 296–306

modifying, for domain controllers, 304–306

normal privileges, 299–300

Users and Computers snap-in, 92, 140, 160, 200–202

auditing and, 280

basic description of, 200–201, 489

changing group types in, 188

CN=Configuration object and, 586

creating groups with, 186–187

creating user objects with, 582

display of editable properties in, 236

installation and, 92

predefined groups in, 130–133

user property pages of, 236–237

viewing default permissions with, 259

Users container, 124, 126–133

U.S. Naval Observatory, 403

USNs (update sequence numbers), 25, 392–395. See also Updates

basic description of, 313–314, 389–391

high-watermark vectors and, 394–395

local, 390

originating, 390

timestamps and, 390

up-to-date vectors and, 395–398

version numbers and, 390

UUIDGen, 648, 653, 679

V.34 modems, 47

Value(s)

attribute, managing, 693–694

specifying, for LDAP searches, 484–486

string, 718

Variable(s)

administration scripts and, 718

names, 718

VBA (Microsoft Visual Basic for Applications), 701

VBScript (Microsoft)

ADSI and, 54

basic description of, 698, 702, 715–721

COM components and, 753–754

Editor, 713

Group Policies and, 509

schema and, 663

scripts, creating/testing, 688–690

scripts, sample, 716–721

Vectors, 394–395

Verbose mode, 489–490

VeriSign, 57

Veritas WinInstall2000, 559

VINES, 9

Virtual containers, 58

Virtual private networks (VPNs), 155

Visual Basic, 680, 701, 702

Visual Studio Installer (Microsoft), 559

VMware, 73

VMware Workstation, 73

VPNs (virtual private networks), 155

WANs (wide-area networks), 23, 436

bandwidth and, 425

domain controller placement and, 427–432

Group Policies and, 547

hierarchies and, 27, 29

installation and, 109

replication and, 24, 308–309, 315, 318, 334, 338, 368, 370

schema and, 654, 655

Web Information property set, 235

Well-known security principals, 209–212

Whistler, 64–65

WhoWhere, 9

Win32 API, 755

Windows Installer, 557–562

Windows NT (Microsoft)

Active Directory and, comparison of, 11–13

Cairo and, 10–11

domains, using multiple domains because of, 436

history of, 8–9

properties, listing, 870–871

system policy, 505–506

Windows 2000 Server (Microsoft)

answer files and, 106–107

components, installation of, 85–87

dual booting, 70–73

hardware compatibility with, 74–75

history of, 10–11

installation, 68–76, 80–92, 105–107

requirements/recommendations, 74

Resource Kit, 255, 566–571

server upgrades, 837–90

uninstalling, 113–117

Windows.NET Server, 64–65, 231, 347, 539, 643, 655

Windows 2000 Professional, 92–93

Windows Update Corporate Web site, 91

Windows XP, 64, 539, 578

WinEdit, 715

WINNT command, 78–81

WINNT folder, 68–69

WINNT32 command, 78, 80, 81

WINNT32.EXE, 73

WINS (Microsoft Windows Internet Naming Service), 36, 53, 70, 88

WinSock, 59

Wise for Windows Installer, 559

WKGUIDs, 874–878

WMI (Windows Management Instrumentation), 754–755

Workstations, 302, 305–306, 869–870

World Telecommunication Standardization Conference, 48

WScript, 680, 703–705, 711

WSH (Windows Script Host), 202, 509, 699–742

W32Time, 403

W32TM, 403–404

X.500 standard, 10, 44, 47–49, 606, 613, 629

X.509 certificates, 48, 57, 86. See also PKI (public key infrastructure)

XLNT, 703

XML (Extensible Markup Language), 703, 758, 759

XOM (XAPIA X/Open Object Management) syntax, 629

Yahoo!, 9

Zap files, 560–561, 562

Zones. See DNS Zones

Last modified 07/22/07

Inside Active DirectoryA book by Sakari Kouti and Mika Seitsonen

Index (1st Edition, AD2000)

Inside Active Directory
A book by Sakari Kouti and Mika Seitsonen