Smart Index of the Inside Active Directory Book
Inside Active Directory, ISBN 0321228480, publisher Addison-Wesley
Authors Sakari Kouti and Mika Seitsonen
Even with a good printed index at the end of a book, it is often difficult to track all the sections where a given topic is discussed or mentioned. Our Smart Index of the 2nd Edition (AD2003) solves this problem. It contains essentially all the text of the entire book, except:
Note that each word is independent, so any phrase such as "global catalog" is not maintained, and "catalog" and "global" appear independently in the list. Also, any punctuation is considered a word delimiter, so "HKEY_LOCAL_MACHINE" is actually three words: "HKEY", "LOCAL", and "MACHINE".
You can search for any word using your browser's Find feature. This way you can find all the locations where objectGuid, for example, is mentioned in the book.
Chapter 1
Active Directory: The Big Picture
500 2000 2003 access active ad2000 ad2003 address architecture authentication basic big blocks brief building built catalog chapters comparison concepts container containers control controllers data dcs definitions delegation depth differences directory directory’s discuss dns domain domains dynamic explanation fits forests frame gc global group groups hierarchies history include including infrastructure inheritance interest introduce introduction kerberos key ldap leaf lightweight limitations major model name naming nds noninclusive novell novell’s nt object objects organizational ou ous overview partitions picture pki policy presentation programmatic protocol provides public publishing read reference relationships replication schema server services sites system topic topics trees trust units updates windows virtual
Introduction to Active Directory
access according account active adds administrators anyone anything application computer configuration contact database directory distributed domain entities find folders group helps manage models network nt objects optimized permissions printers provide providing purpose qualify rather relational relatively replaces represented resources scalable server service services shared simple sql static store storing ultimate user users wealth windows
A Brief Description
20 2000 2003 access according accordingly accounts act active addition additionally address administration administrators affect affects afterward allow allowance allows anything application applications applied appropriate approval area aspect aspects assisting attributes available book build building call card categories characterize check choose client code codes com companies company computing concept configuration configure configured connection consequently consider consistency consistent contains content continents control controller controllers controlling controls copied creating criteria customers data date deas definitions delegate delegated den describe design desired desktop desktops device devices directory dispersed distributed doing domain done door during effective efficient else employees enable enabled enforces enterprise environment extranets face faces falls fault faxing file finally find fit foundations general geographically globally granular group guaranteed having head help hierarchical hierarchies high highly identical important including informational infrastructure inside interesting intranets itself jack’s key lan large ldap levels likely lives local located location log logon loose lower main maintain manage management managing minute minutes model modify month name necessary needs network networking networks nt objects offer office offices open optimization organization out part partitions parts password perhaps periodically permissions permitted piece place point points policies possibly postal printers programmed protocol provide provides proximity publish put reach read reads reference refreshed relatively relevant remaining reside resources restrictions result rpc rules s satellite scalability scalable search searches secure security server servers services settings significant sized smart somewhere specific specified specify sql standards static still store storing structure system take talk tasks technical technologies terms time tolerance try typed types understand useful user users users’ various ways verified very while view windows winsock within work write
The First Look at Active Directory
2000 2003 active adjacent administrator administrator’s among available basic browse browsing contact contacts contain contents copying directory directory’s enable exactly explained file folder folders group groups interface left meant my navigation network newer objects open opens others ou pane part places practice screen search sees server she shot show similar small structure time tree typically user user’s users versions view views windows xp
History
2000 2003 active development directories directory explore history including latest line long look microsoft microsoft’s network nos operating previous products review server systems vendors windows
Previous Microsoft Network Operating Systems
51 1988 1989 1990 1993 1994 1995 1996 1997 1998 2000 2003 1980s agreed became before beginning brought cooperation develop developed developer developing development disk dos early efforts encouraged ended especially finally focused gain gradually had hadn’t huge ibm integrated interfaces jointly june lan launch major manager march microsoft microsoft’s momentum ms name net network nos nt operating os owner pack packs parallel plus popular presentation product programming published released separate server service shipped simultaneously since sole started subsequent success system truly understandably until user version versions while windows work years
The History of Directories
40 500 1487 1777 1988 1992 1993 1995 1996 1997 1998 2000 2003 2251 1980s accessing account active ad2000 ad2003 address allows announced anything banyan before being bigfoot bindery book call catalogs chronology com comments commercial companies computer concentrate contact contain currently databases developers directories directory discuss era examples exchange existed finalized foremost groupwise had history ibm important including indicates international internet iplanet kind kinds lan ldap ldapv1 ldapv2 ldapv3 listed log long lotus mail major manager michigan microsoft milestones nds netscape netware network notable notes now novell nt offered open operating organization others outside owned paper part passwords popular practically product products protocol published purposes real released request rfc rfcs selling server services shipped short software standard standards started store storing streettalk support switchboard system systems telephone university user usernames users verisign version versions whitepages whowhere windows vines yahoo
The History of Windows 2000
500 1990 1991 1993 1996 1997 1998 1999 2000 2003 1990s accompanied active actually advantage allchin among anticipated appointed banyan before began behind benefit beta bill born build burden cairo cairo’s carries choice chronology class code comdex complex computers concept consequently considered consolidate contain couldn’t course current currently definition demonstrated designation develop development did directory distributed domain early enterprise era evolved feature file fingertips forthcoming fresh future gates got guy had he illustrates imagine incorporating industry intensive internet intranet introduced introduces jim joining kerberos keynote launch launched ldap lead least lighter long longer made main maker marketing maturing microsoft microsoft’s models mostly music name named nds needed needs networks nortel northern novell nt nt’s object officer often old oriented originally parallel part passed peaks personal phase picture planned planning platform point preview product professor project public published reasons refer renamed resource rigidity roots run security separate series server service services seven ship shipped show simply specific speech started streettalk successor suitable system teams technologies technology telecom testing themes things time too trade trademark tv twin type understand until wasn’t version versions windows vision years
The History of Windows Server 2003
1993 2000 2001 2002 2003 1990s active actually ad2000 ad2003 adoption again ago anytime approach aspect attended b back balance before beginning brought c causing changed circles code coding company computing concept conferences confusion consider contains corresponding creates current decision default delays deliver deployment derided describes design development didn’t directory dropped dropping during easier easy effort efforts enhance enhanced entire events everything excellent extra fall fast fix focus former functionality gain general get giving guidance hacker had half heat iis improvements increased integral intense internet itself largest late launched lead little made maintain manifested market massive materialized maturation maturity mentioned mere microsoft microsoft’s millennium missed momentum months name necessary net newer none now occurred off often ongoing operating par paragraph participant policy practices press previous product product’s proliferation promote reason reengineering referred regard regarding remarkable respect retrospect sd3 secure security server shipped side similar since situation slightly slow software soon sponsors stance strictly substantially succeeded system taking time times took training turnaround turning understandably users various weaknesses version versions very whistler windows workstation wouldn’t xp year years
AD2003 Compared to AD2000
ad2000 ad2003 afterward assume better briefly changed decisions describe design environment exhaustive goal goals large manageability minimize monitoring pretty principles scalability security skills skip structure valid
Deployment
20 2000 2003 active ad2000 ad2003 admt admtv2 along available backup cd computer contents controller controllers database directory disk domain domains enables enhancements forest functional groups hours includes initial install installing interforest interim intraforest large latest level levels load locations media migrate migrating migration mixed mode modes native nt objects others passwords provided provides r regardless remote replicated replication require rising save server target tool user users version windows
Domain Management
accounts active add administration among application applications attribute authorization azman basic command commands computer computers contains controllers default delete determined directory domain drag drop ds dsadd dynamically easier editing effective enable enables enhancements filter group group’s groups include inheritance lastlogon lastlogontimestamp ldap line logged manager members membership modify moving msc multiple nonreplicating normal objects parent partition permissions principals queries query quotas read replicated restoring role saving security showing snap tracking types user users windows
Replication
0 20 200 2003 access act active ad2000 ad2003 added addition affected algorithm algorithms application area attribute automatically b balancing beneficial branch bridgehead c catalog chunk communicate compress compression control controller controllers cpu data depending directory domain domains drawbacks efficient eliminated especially excellent existed fast finally find forest generator gives global group hardware having hub improved improvement improvements independently inter intersite istg kept large latency least limitation linked links little load lost lvr management maximum member members membership microsoft’s minutes modern modified much multivalued needed network off office out partition partitions percent performance place problem problems progress protocol query ratio reached replica replicated replication reside rpc s scenario scopes server servers since site sites smtp specify still store testing thousands together topology trade value values wan wide windows within worse writing
Global Catalog
ad2000 ad2003 added again applications attribute caches caching catalog cause connection constant contact controller domain during eight exchange find forest full gc gigabytes global group groups having hours large logged logon logons meaning member membership modified mostly much needed network normally occurred out part partial pas processing reduced relieves replicated replication schema server servers subsequently sync turn universal updates user values words
Forest Management
60 access active ad2003 always among application applications attributes authentication b back backups benefits better brought caution com command computers control controller controllers days dc default deleted detection directory dns domain domains during enables enabling except exchange external feature filtering foreign forest forests great green happen her id integrated jill kerberos lan ldp limit lingering log manager name netbios netdom nt ntlm object objects occur offline old older once online operation owners panel partitions principal process really reappears recommended reinstall removal remove rename repadmin replicate restore restoring restructure root routine routing sanao security selective server she sid snap still suffix temporarily tool trust trusts unfortunately upn user users ways whereas windows workstation zone zones
Security
115 145 1510 2000 2003 2829 2830 128mb 16mb ability access account accounts acl active admin affect allows anonymous attacks attribute auditing authenticate authentication center changed channel characters clears clients communications compatibility compatible complex compliance computer computers connections constrained constructed contains controller controllers correct dcpromo decrypting default delegated delegation digest directory distribution domain editor effective efficient encrypted enhanced everyone feature group her inherited items kdc kerberos key keys layer ldap least level local locate log logged logon long makes man maximum md5 member middle network numbering numbers old option password passwords period permission permissions policy pre privileged rather reduce resources rfc run running sasl secure security selected server servers service services settings seven signed signing size smb sp4 system tab thirty time timestamp tls traffic transport update user version whereas windows vulnerability
Group Policy
32 4gb actual addition analyzing application apply aspects backup combined comes console disk download editor effect enables enhanced except filters free gpmc gpo gpos group inheritance installing instrumentation interface least limit manage management microsoft’s multiple objects performed permissions policies policy sample scope scriptable scripts separately settings simulating site snap space specify traditional user web windows wmi workstations
Directory Database
40 2000 active contain database defaults defragmentation directory enables entries gain identical inheritance instance lot manual objects offline once online percent perform permission reduce schema server single sis size storage storing trigger upgrade windows
Schema
2798 active ad2003 affected attribute attributeid attributes automatically auxiliary class classes consequently converted data deactivated default defines defunct directory dynamic dynamically easier elapsed freely identifiers inetorgperson interoperability ldapdisplayname linked listed live makes migrating names normal object objects passwords predetermined product products rather removed reuse rfc schema store storing temporary time ttl unicodepwd user userpassword valid versa whole vice
Active Directory Compared to Windows NT
0 10 32 70 200 1kb 4kb account active add administration always amount applies attribute authentication base bdc bdcs bidirectional cases changed classes compatibility compressed container controller data database delegation developed direction directory distribution domain downward engine ese except explain extensible familiar feature folders free global group groups hierarchy intransitive ip item jet kerberos latest least link local master mean member members multimaster multiple needed needs nesting netbios nt ntlm object objects once operator organizational ou part pdc policies policy present privileges properties refer registry reinstalling relationships replicate replicated replicates replication s sam schema scope scopes security server servers settings single sites skip special storage supported system tcp technical time times transitive trust type types units universal user wan version versions versus whole windows within workstations yes
Active Directory Compared to NDS
active ad2003 add administration administrative advantage alias allows appears apply aspects attribute basis better big boundary canonical cases catalog changing close column compared comparison competitive cons context continually country covers criteria current delegation despite developed differences difficult directory disadvantage distracting distribution domain domains drawbacks easier edirectory effective equivalence except exist extensible familiar feature forest forests formerly free functionality gateway get global group groups help hierarchy host impossible included indicates ins invisible ip knowledge ldap learn legacy linked listed local locality mainly mentioned merely merge merged minus minutes mmc mostly much multimaster multiple n names naming native nds needed neither nesting netware newer newest numbers nwadmin object objects once opinion organization ou our ous partition partitions permissions plus policies policy privileges pros purpose rarely rdn relate relative replicas replication result schema scope scopes security sense separate sequence server servers services shipping sign since site skip small snap somewhat special split starting still support synchronized tcp time tool tree trees trusts type typeless types universal update users wan various version versions versus whole visibility visible within works worse writing yes z
A Sample Company
book chapters com company corporation corporations demonstrational depending dns domain domains name needs our present registered sample sanao slightly throughout
Basic Building Blocks
active addition administration basic beginning blocks briefly building catalog controller controllers dc directory domain domains explain global groups help independent installing introduce kinds knows located logical mostly object objects organizational organize physical relationships replicated sections servers sites stands structure trust units
Domain Controllers
2000 2003 active belongs computer controller dcpromo directory domain during exactly install installation itself join joined member option perform promote right running server utility windows workstation
Domains
account active acts add administrative administrators admins affect basic blocks boundary building choose com contain control controller controllers directory dns domain domains domainwide except groups hasn’t include items kerberos locations lockout maintained name namespace nt object operators organization outcome part password permissions physical policy preferably reached replicated replication reside rights sales sanao security server settings therefore things time trusts unit user various whole windows words yet
Trust Relationships
15 30 4a 4b 4c access accounts across active actually administration advantage allow architecture arrangement arrows b benefit bidirectional c centralized circles comparable complete complex connect connected consequently contain contained course created define direct directory domain domains draw emphasize enable equal establish everything explicitly far fewer finally forest formula functionality go goes greatly group groups having headed her him intransitive keep large led likely lines look made makes maximum members minimum model models n necessary needed needs neither nor normal nt often organization pair paper permission permissions proper reason reduce relationships required resource resources rotated sense separate six smaller streamline structure symbolized symmetrical tier tiers totally trans transitive tree triangles trust trusted trusts turn unlike user users ways while windows words works
Organizational Units and Other Objects
30 access active addition administration administrative administrator administrators assign automatically below better choice computer computers contains contents control correspond covering created creates criterion delegate delegation directory dispersed domains during easier especially file files finance folder folders forgotten geographically group grouping groupings human implemented impractical include including installation level local locations logical marketing match modify nds network object objects order organizational ou ous passwords perhaps permission permissions physical policies printer printers properties purposes put read reset resources security shared software specific specifying stick store structure system time top tree types unfortunately units useful user users various write zones
Groups
able access across active addition additionally administration allow anything application applications approach assign assigned assigning assignments attached avoid b become being boundaries c capable catalog combinations company computers contains control correspond d defined defines depending described determines dictates directly directory distribution domain domains door doors easier easiest easily efficient energy entire everything facilitates feature file follow free freely function giving global go greatly group grouping groups help illustrates indicates individual large leads least let limitations line local logons lose mail managed management member members membership memberships multiple nds nest nesting normally now nt nt’s object old operating others parts path penalty permission permissions point purposes put quickly read recommended related remaining replication represents resource resources save scope scopes security selection servers shouldn’t sites slower something sound strategy system take thicker time track traffic type types universal usage user users valid various versa while vice windows workstations
Sites
2000 active addition administrator administrators affect applications areas assign aware clients closest communicate communications compress connections connectivity controllers cost costs cycles data decide decisions define determines dfs directed directory distributed domain efficiently enabled fast file find folders frs functions good group help her intelligent intersite intrasite ip knowledge knows lan lans link links listed locate locations logon mainly makes multiple network offered optimization option parameter physical policies printer printers processor purposes queries replicate replicated replicating replication requests route router routing save search send server servers service she site sites slow subnet subnets system sysvol tcp technically techniques typically uncompressed understand unless user users wan wants vendor why windows world
Replication
15 30 2000 2003 accessing accounts achieves across active add adding addition address administrator admins advantage against allowed alternatively always among application appropriate arranging authentication automated average b backup bad balancing base bdcs behind benefit bit builds c call care chain changed choose clock clocks communicate compresses configuration connections consequences contains controller controllers copying creation current d data database date default delays describing determine difficult direct directory disastrous domain domains domainwide down emulator ensures enterprise entire environments equal especially explained failure fall fashion fault feasible fix flexible forest forestwide fsmos functions get good had having held hop hops hour hours identifier implies indexed indexes infrastructure initiate inside intersite interval intrasite introductory j keep kept kerberos link links load local locally locked logged long made mail mainly making marked master masters mean meaning messaging minimum minutes much multimaster name naming nds needed network nine nonreplicating normal novell nt numbers objects off once operation operations option organization out part particular partitions pdc periodically piece place placed primary procedure properties property protocol provides proximity reasons relative rely remember remote replicate replicated replicates replicating replication requires reside respectively rid ring roles rpc schema seconds sequence server servers service setup shortcut shortcuts simultaneously single site sites situation situations smtp sometimes stands stay successful synchronization synchronized take takes tell ten things third time tolerance tolerant too topology total tracks turn under units unless unlike until update user users usns waited wan warning version windows within words work workstation workstations
Global Catalog
0 70 138 151 863 across active ad2000 additionally administrators alternatively appropriate avoid back basic better box catalog collect complete consuming contact contains contrast controller controllers copy costly data day define designate directory distinguished domain domains dramatically easy efficiency efficient enterprise entire explain forest global helps host included increase large least leave likely link links locally locate location makes mechanism name names needed netware network normal normally object occurs once operations out part path performed perhaps permissions possibility printers process properties property query raises read replicate replicated replication requested resources result search searched searches separate server services site sites slow sometimes soon specifies steps subject tie time together transfer travel user user’s users wan whole workstation
Hierarchies
active administration administrator appropriate better build centralized choose company concepts considerations decentralized depending directory discuss domain enterprise follows forest forests further guess hierarchy introduce introduced kind large largest model models multidomain multiple network ou sections simple simplest single situations size small smallest structure summarize topic tree trees whereas
Single Domain with No OU Structure
accounts active actually addition addresses administration administrative administrator administrators allow always amount applications apply applying appropriate assign assigned automatically basis call centralized chances changed companies company company’s container controller controllers couple currently data database depends directory disallow disks domain domains enough entire environments fax folders form format fortunately frequency group groups had hand handle hard helps her hierarchy his host improvement internal keyboard less limited links local locally locations log london long model nt numbers ou ous perform predefined printers privileges properties put remote replicate replicated replication represented resources right rights server services share similar simplest single site sites size small still store storing structure suitable talk tasks time tree triangles unfortunately user users wan whole via windows
OU Tree in a Single Domain
51 2000 achieve active administration administrator administrators amount assign basis capabilities complete compressed control controllers copy created currently decentralize deeper delegate directory domain domains double draw elect entire evaluate explained feels file forest get goal good group had handle he hierarchy inside larger level limited links logical longer master migrate model models modify multiple my naming necessary network nice nt object objects obviously open otherwise ou our ous part place places policies previous rather reason reasons remaining replicated replication represent resource resulting run separate server single sites specific structure therefore thing top tree tree’s triangle unit unless users wan versions windows xp
Domain Trees
administrative administrators agree authentication automatically b base become becomes below better bidirectional big business catalog child choice common consider continents contrast controller controllers decentralization directly disks distant domain domains domainwide established everything everywhere explained extra family folders forest form format get global group groups grows happy hard hierarchy higher implementing impractical independent inside large level likely locations lockout long lower maintain memberships model nds needs object often operators organization organize others ou ous parent parents password path permissions place policies possibly privileges put relationships replicate resource root schema separate server share shortcut similarly someone speed stated step structures subdomain subsequent top totally toward transitive tree trust trusts unidirectional units user whereas via
Domain Names
active add addition arrangement belong child child’s com company company’s computer contiguous controllers dc difficult directory dns domain domains eastcost forest get largecust ldap level maintain match member name names namespace normally our parent’s part preceding prepending rd recommended registered root sales sample sanao sanaoint servers surprisingly therefore tree trees workstations ws1
Forest of Domain Trees
10 11 access address administration administrative admins assignments beginning below bottom branch business call catalog child com common contains contiguous control controller course described difference differences dns domain domains drawn ending enterprise equal forest forestwide fourth gives global group groups had illustrates impression includes incorrectly independent intertree layout level look looks lower main model name names namespace namespaces naming normal now objects our par perform permissions placing point previous problem rather remember represent right root sanao sanaoint schema scope search search’s seem shown sides single slight specifically starting subject subsection subtree term time top transitive tree trees triangle triangles trust trusts units unless view
Multiple Forests
10 2003 access acquisitions ad2000 ad2003 addition among authentication benefits com company compared cooperation decentralized divisions domain domains enables explained external extra filtering foreign forest forests forestwide functional green her illustrate illustrates independent jill kerberos level limit log mergers methods model models multiple name nature nt ntlm offer older organization owners perhaps process requires root routing sanao selective server she sid single suffix totally trees trust trusts upn user ways whereas windows work workstation
DNS Integration
2000 able active addition allows authenticated basic benefit berkeley best bind broader character characters choice chooses client close common companies computers configuration consequently continue controller dash depend directory dns domain domains dynamic easier ensure feature file foremost former fulfill hardly implementation included infrastructure installed internet interoperability intranets life locate locating location main master members much multimaster name naming naturally needed network offers option organization perform possibility primary product purposes records related relationship replication requirements running runs secure selection serve server servers service services single srv standard stick store storing support supports system systems therefore traditional unicode unix updates various version windows wise work z zone
Locating Computers and Services
14 15 168 192 able active address addresses along among answer anyone asks best choose closest com communicate computer controller corresponds dc1 desired directory dns domain find involve ip job log looks name needs offer particular priority process queries query querying rather request return sanao secondarily server server’s service site something specific tell therefore user weight workstation
Dynamic DNS Updates
2000 2136 active adding address administrator applications automatically boots comments companies computer computers configuration configure configured contain controllers defined dhcp directory dns documents domain download dynamic editing eliminate eventually find forced form happen host http ietf internet ip legacy machines manually meaning name names naming necessary netbios nt obsolete org organizations original protocol read records register registers registration relieves request resolution retrieved rfc rfc server service services site sites standard startup statically supports until updates web versions windows wins workstation www
Security and Policies
2000 access active anyone authenticated base computing control directory discretionary file files ntfs part password protected subject system trusted username wants windows
Access Control
12 13 2000 access aces active actually allow assign attached computer contains control dacl dacls define deny descriptor descriptors detailed differences directory discretionary enables enough entries explained fax figures fine fit full go groups individual inetorgpersons inheritance inside interface known latter level major maps model name necessary nt ntfs object objects old ones options ou ous owner permission permissions principals properties read remaining sacl sd sds security show similar someone special standard system third tune user user’s users very window windows write
Inheritance
2003 above access accessed aces active add advantage affects allow apply applying appropriate assigned beneath carry check child children choose completely cons container control controllers copied copies copy copying couple database descriptor directly directory disk domain dynamic exactly flag identical immediate improvements indicates inheritable inheritance inherited inheriting instance locally machines nds needs nt ntfs object objects old once opposite ou parent permission permissions power processing processor pros receive recognize replace replicated save saved security server significant single space specify static storage store take takes technology thousand tree type walk whole windows won’t word
Delegation of Administration
12 13 access addresses administration administrators assigns beginning boxes control delegate delegation dialog edit else especially figures helps interface intimidating learning less mail manage nothing object objects ou ous part permissions postal process property shown tree ultimately user users wizard
Group Policy
14 10000000000 10gb ad2000 ad2003 administrators affect affects application applies apply appropriate assign assigned assuming automated avoid billion blocked blocking burden bytes centrally chain choice chosen compared computer computers console contain contains contents correctly criteria data define desktop despite determine directly disable discussion disk documents domain domains dynamically enable enforce environment farther feature files filter filters folder folders follows force forced fortunately free freespace get gigabyte giving gpo gpos group groups hundreds includes individual inheritance installation language least level located locations logicaldisk logoff logon lower manage management manually menu my name nearer network nor normal nt object objects optional ou ous overrides part permissions policies policy precedence preceding predefined profile query read redirection registry remaining remote replaces resides result rights ris scripts secure security server servers services settings shutdown simultaneously site sites somewhat space startup store system takes tedious templates tool typical unless upper user users users’ win32 wmi working workstation workstations wql yet
Architecture
500 access active architecture covered data directory infrastructure introduces issues kerberos key ldap model naming object physical programmatic public related schema
Data Model
1 4 11 14 15 23 26 59 60 70 142 191 207 250 257 863 2000 abc account active actually ad2000 administrative again always attribute basic belong belonging box class classes computer computers corresponding criteria data database decent defines directly directory enter entities examples faster fortunately having homephone implementation indexed integer logon mandatory match model multivalued name network object objects often optional otherhomephone out pm present printer printqueue properties property relationship represented resources respectively script search searching seem single sn snap stores string supports surname syntaxes time tool total type underlying unless user userprincipalname users value valued values
The Schema
500 active addition adds among attribute attributes auxiliary badpwdcount catalog chain class classes come contain content defines dictate directory discussed facsimiletelephonenumber finally gets global governs homedirectory indexed indicates inherit inheritance inherits little mailrecipient mandatory names object optional organizationalperson person relationships replicated rules schema securityprincipal services sn specifies standard states strange structure surname syntaxes telephonenumber title user wonder words
Extending the Schema
2000 able active add adding administration administrators admins agree allows application applications areas attributes australian base belong canadians careful centralized chose class classes common creating default defined described directory disastrous enabled enterprise exchange extend find forest fortunately global group guarding human implications inheritance install installations irreversible itself least management mechanisms messaging microsoft network objects organization out planning preceding prevent purposes query reinstalling require resource resources restrictions schema security sometimes store supports testing usersalaryinformation whole
Container and Leaf Objects
56 67 86 124 500 active actually ad2000 addition base call class classes classstore contact contain container country defines directory directory’s files folders hood interface leaf locality normally ntfrssubscriptions objects obvious organization organizationalunit others refer referring rest schema seems specific standard total type types under user words
Partitions
16 2003 active ad2003 addition among application attributes boundaries catalog child classes com combination computer computers configuration contain contains context controller controllers copies copy correspond corresponding default designated directory dns domain domaindnszones domains exist forest forest’s forestdnszones form global groups hold holds independent least leftmost listed logical manage manager mentioned naming nc objects ous part partial partition partitions partly principals relevance replica replicas replicated replication reside resides rightmost sales sample sanao schema security server servers services sites snap sometimes structure together tree type unit users whereas windows zone
Naming Objects
2000 2003 access account active actually address administrators almost alternative among attribute attributes bottom brief brown c canonical cd classes cn com commas common component components computer computers container country dc define depending directory discussion distinguished dn domain domain’s downlevel easy enter examples exists file format formats fortunately go graphical group groups gui identifies include included ins inside jack jackb kit l ldap learn least left locality location locator log logon long looks mail mandatory microsoft mmc mostly name names naming needs none nt o object object’s objects optional organization organizational ou our package page’s parent path place places prefix prefixes principal rdn relative relieves remember require required resides resource right sales sam sample sanao sensitive separately separators server shipping sibling significant similar slashes snap sold sometimes specifies stands support survive syntax syntaxes system therefore time top tree trees turn type types typing uniform unique unit upn upns url user username users utilities web versions while windows windowsserver2003 words www
The X 500 Standards
10 12 34 88 93 96 500 501 509 511 518 519 520 521 525 530 583 584 585 586 1988 1993 1997 2000 2001 9594 abstract access active administration adopted agents appeared approves area aspects attribute authentication away bad best binding certificate ch classes clients collaboratively commission communication communications complex concepts concerns conference conformance conforms considered dap data define definition derived designated developed device difference directory disp distributed dsas dsp electrotechnical examples four framework frameworks full functional good had hasn’t held http iec implementation implements including int intensive interconnection international iso itu key ldap letters lightweight made makes management mentioned microsoft model models modem name namespace nations network networks object often open operation operational organization organizations osi overview particularly parts pics prepared previously procedures proforma protocol protocols public publishes reasons recommendation recommendations referred refers replication reputation reputations resource run sector selected series servers service services shadowing similarly slow specifications standard standardization standards stands statement streamlining stripped subset system systems t taking telecommunication telecommunications telephone top traditionally transport types union united unnecessary v version versions viable widely world www years
LDAP
40 977 1487 1777 1986 1993 1995 1997 2000 2251 access active actual administrative ads almost announced areas articles authenticated average back cake carry clients companies compared complex connect controllers current dap day defines directories directory discussions distribute domain dramatically emphasize era finally generate historical includes including inside internet ip iso junk late ldap ldapv2 ldapv3 light lighter lightweight made methods microcomputers microsoft millions modify netscape network news nntp nowadays novell obsolete organization osi pc piece place popular practice products protocol published query rather read rfc running runs search servers services shouldn’t simplified since slower standard status still support supported taken takes talk tcp technologies tens too traffic wanted various version widely windows words worry write writing year yet
LDAPv3 Specifications
10 12 53 56 80 96 389 500 1823 1995 1997 1998 1999 2000 2001 2002 2003 2004 2164 2247 2251 2252 2253 2254 2255 2256 2589 2596 2696 2713 2714 2739 2798 2820 2829 2830 2849 2891 2926 2927 3045 3062 3112 3296 3377 3384 3671 3672 3673 3674 3687 3698 3703 3712 3727 access active actually address application asn attribute attributes authentication being browse browsing calendar carry category class clients codes collective communicate component control controller conversion corba core data date default definition definitions developed directories directory discovery distinguished dns domain domains done dse dynamic extended extension extensions family feature filters finally format general get half idea included includes indicated inetorgperson informational interchange interest interface internet introduced ip java kind language layer ldap ldap’s ldapv2 ldapv3 ldif lightweight lookups manipulation mapping matching methods mime mixer modify module named names normal object objects ones operation operational organization paged password perhaps policy port printer profile program protocol published quickly recommended references remaining replication representation representing requirements results rfc rfcs root rules schema schemas search security server services side simple six slp sorting specification specifications standards status storing string subentries subordinate summary support supports syntax tables tcp technical templates things ties title tm together track transport url user utf v3 vcard web vendor version work yet
LDAPv3 Operations
11 555 1234 2251 abandon abandons actually add adding adds advisory allows anonymously answer anything application applies ask asynchronously attribute attributes authenticates become bind choice client compare compares condition connects criteria dap defines delete deletes described description designated directory distinguished dn else error event exact exactly exclusion extended extending extraordinary former fulfilling functionality genuine included indicates insufficient jack’s latter ldap ldapv3 lightened location message modifications modify move moves name normal notification object objects operation operations opposite perhaps permissions phone prevent previous provide read renames request requests response restrictions retrieves rfc say search selected send sends server session situation specify subtree synchronously terminates unbind unnecessary unsolicited waits value values ways while won’t yes
Physical Architecture
17 500 2000 2003 above access active actual agent among application applied atomic attribute authority call clients column completes component components contain containers contains context controller corresponds corruption created creates customer data database db decent directory disk dit dll domain drawn dsa engine ese esent excel exchange exe executed extensible feature file files flat form frs full functionality functions generally handles hierarchical hierarchy implements indexed interfaces isam jet large layer ldap level link lives loaded local log logical logs lsass manager meaningful method microsoft model modified modifies modify mostly namespace needed normal nt ntds ntdsa object objects obviously offers operation others ous perhaps permanent physical place previously process product protects protocol ram read relationships requested reside row searched security selection sequential server similar spreadsheet sql storage subsystem succeeds system tables takes technique technology tens think tracking transaction transactions tree typical whenever while windows wins words written
ADSI
18 2000 2003 abstract access account active activex administering administration administrator ado adsi affects allows among api applications array attributes authentication besides binary built c center cn com command component components computer container controllers corresponding creating criteria cscript data database dc default deleting description descriptions directories directory distribution domain echo enter eventually exist file filename filter folder general get getobject groups guest idea illustrates implemented included includes including interact interface interfaces internet key krbtgt ldap level line lines look low manage management manipulates member microsoft microsoft’s model mytests name names netware notepad nt objchild objcontainer object objects operations oracle output press principle program programmatically programmers programming prompt protocol provider providers queries quotes reading real recommends resources sample sanao save saved script scripts search searching server servers service shares simple simultaneous source sql strategic technology things top turn type user users utilities vbs vbscript vbtab windows winnt workstations world write writing wscript xp
Kerberos Authentication
19 1510 accessing account acquires active advantages authenticating authentication b c caches center check client client’s clients communicating computers connections connects contact contacts controller controllers correct credentials data directory distribution domain downlevel enough especially external faster file fixed forest fulfill gets granting her illustrates impersonate impersonation issues kdc kerberos key lan logs makes manager member mentioning method mutual needs nt ntlm offers operating order primary request returns rfc running server servers service session she speeds starts still supports talking tgt ticket tickets trust user user’s users validity wants version windows workstation workstations worth
Public Key Infrastructure
509 2000 2003 access accounts active assigned authenticate authentication authenticode authority available browser business buy ca card cards certificate certificates choose commercial credit customers described digitally directory dramatically drivers editable edition efs encrypting encryption enterprise extranet file files gain https identification included increases infrastructure introduces ip ipsec key keys logon mail memory network pairs partners password personal pin pki place private processor public purposes referred resources secure security server services signed smart store support system tcp technology templates traditional traffic user username users users’ web verisign version very windows words yourself
Other Features
active adds connecting considerations containers covered current delve directories directory external far haven’t internet introductory limitations mention network publish say services special too we’ll virtual words
Virtual Containers
active common container copy creating cross define directory dn dns external foreign happen holding ldap look name object part point reference server starting things virtual
Publishing
2003 acceleration active adam address administrators advertise allow alternatively application applications attribute automatically available beforehand centralized choose class client com company computer configuration connect connection consistent controllers covered created data database dea developing differently directory domain elsewhere enabled exact exists explained extending file find flexibility folder freely happens help interest interesting internet introduced isa items itself job large little making mentioned microsoft mode name object objects often option partition partitions pays phone point points previous print printer provide provided publish publishing put reason reference replica replicated rpc schema security separate server servers service services settings shared something standard static storage store storing structure suitable suited system technology term themselves time user user’s users whenever windows winsock
Connecting to the Internet
20 137 139 2000 accessible accessing active addresses administrators assigned authority being choice com communications company comprehend computer confusing connect context control controllers corp corporation crackers database delegated demilitarized directory displayed dmz dns domain easily else employees external externally filtering firewall firewalls forest gateway get hackers highly host http icann implement incoming inner install interested internal internally internet ip issues level local logical made mail medium much name names netbios network networks nt numbers org organization outgoing outside pick placed ports practice presence pretty protection protocols provider public recommended register registered registration remember resources router safe sanao sanaoint send separate server servers service services sized small something sort still tcp top traffic unless users ways web windows visible visit world www zone zones
Active Directory’s Current Limitations
active address appear concepts directory directory’s expected full indicates introduced limitations mentioned nothing perfect picture real serves shortcomings summary versions world years
No Forest Changes
2003 active ad2000 ad2003 addition afterward again allow always boundaries child choices concept constantly control controller controllers current demote development differentiate difficulty directory domain domains eliminate eliminating enables except fact feature forest forests freely functional future higher installation join laboriously level levels limitations local location locations member merge move nds novell objects offers older partition partitions place prohibits promote relieved remote remove removed removing rename replicate replication research right running server somewhat split things tied time transparent under versions windows
Domain Nature
active administrative anything boundaries boundary choose claim coincide consider criteria directory dns domain easily fortunately independent match namespace nds often part partition partitions planning policy replication security shouldn’t structure things time unit units
Other Limitations
20 30 able active advantages allow application avoid better branch common compared controller databases directory directory’s domain domains extra flexibility focus folders gives group hand having headquarters host main mentioned multiple nds object objects office offices ou ous partitions parts permissions place placing preceding previously put replicas replicate say sections server servers shortcomings small thing unnecessarily useful user users various
Some Differences from NDS
active alias always around capability command concept consider context creating current cx depends directly directory distinguished extensive filename folder great line location mention missing move name nds necessary non object objects obviously parent path point possibilities rdn refer relative search shared shortcoming somefile somefolder support techniques tree unlike upns user workstation
The Next Version of Active Directory
2 2003 2004 2005 2007 active adam ads application around automated blackcomb client code console contain copy currently deployment directory downloaded dsml expected expects feature future gpmc group identity iifp include integration management manager march microsoft mode named netware pack packs part policy product r2 release resource rights rms separately server service services shadow sharepoint ship software sp2 sus system update version windows writing wsrm wss
Conclusion
active base concepts directory elements explains exploring forms installation introduced knowledge now offers process running server soon understanding
Chapter 2
Active Directory Installation
10 100 255 2000 2003 8gb access according across actions active actually ad2003 add address administering administration administrative administrator adminpak advanced afterward again alias aliases alone along alternatively always analyzing automated automating available aware backup basically better book briefly brings browse c cd center changed changing character chm client com come command common complex component components computer concept configuration connection consider console content controller controllers copied cover date decided decisions default demoting depending described design designs desktop desktops directory disable disabled discuss discusses disk display divided dns docs documentation doing domain domains double down drive during easily easy edition enable enables enforced enhanced enough enterprise environment evaluation event everyone examples exe explorer f10 f11 far feature files finally find folder forest formatted functional functionality further generally get good gpedit group gui had help hit http i386 ie ieesc image implementing implies include included includes including install installation installed installing internet introduced introduces ip issue keyword lab language least levels license licensing line local locate location long lonsanao1 look looking management managing mask media member microsoft mixed mmc mode modes msc msi mstsc name native now nt ntfs numerous ok online open operating options order pack part partition parts password permissions person phase phases policy preferences presents pressing primary problems process proddoc promote promoting prompt properties provides purpose raises rdtoggle reaching read reasons recovery regional reinstall related remote remotely removable remove renaming reports restart restarting retail right role root run running sample sanao scenarios search seat sections security separated server servers service services settings setup setuptxt seven share shift shutdown shutting since site skilled snap stand standard static structure studying subfolder subnet success suggests support supported switch system system’s system32 systems take taken techinfo technique technologically templates terminal test thing time tip tips toolbar topics tracker tracking trusted under uninstall uninstalling users value values web verifying version windir windows windows2000 windowsserver2003 wish wmi wmic volume workgroup worth www xp zone
Domain and Forest Functional Levels
1510 2000 2003 2589 5585 access accounts acl act active ad ad2000 ad2003 added adding addition admin affect algorithm allow alternatives application applications assign assigned attribute attributes authentication authorization auxiliary available back backup backward balancing basic become becomes bridgehead caching capabilities catalog cd changed changing class classes coexist com command communications compatible compliance complicated component computer computername computers concept connected connection constrained constructed contacts contains controller controllers conversion conversions correct creating cross dc dcs deactivating decrypting default defunct delegated delegation deny directory displayed distribution dns domain domains domainwide domren down drag drop ds dynamic dynamically dynamicobject easier editor effective efficient enables encrypted enforced enhancements enough es especially exe exist forest forests full functional functionality further fwlink gc generator global go group groups hand having health her highest history http important improved improvements improves including individual inetorgperson inheritance installation installed instance instances integrated inter interact interface interim introduced introduces introducing irrespective istg kdc kerberos key keys large lastlogontimestamp ldap less level levels limit line linked linkid listed live load local locate log logging logon longer lvr makes managed management manager managing media member members membership mgmt microsoft mixed mode modes monitoring moving msft multiple narrowed native nesting netdom network networks nt numbering numbers object objects old operations option order ordinary originating ou parent partial partition partitions partners pas password passwords pdc period permissions picker place plus policies policy prevents previously primarily principals prior properties provided providers providing queries query quota quotas raise raised rather records redefinitions reliable remote removes rename renaming rendom replicated replication require requirement requirements resources restore reversed rfc role roles roll root run running saved scalability schema scope search security selected selection selective server servers services setup show sid signed since site six specific step still stops storage storing stub subclass support supported supports synchronization system system32 takes tasks term time timestamp topology tracking traffic transitive trust trusted trusting trusts ttl types unicodepwd universal unsuccessful until update updates upgrade upgraded upgrading user userpassword users value valueadd warning versa version versions whole vice windir windows within wmi words workstations zones
Installing Active Directory
2000 2003 access active administrative administrator alone alternatively checked command completely computer configure controller dcpromo demote directory display displayed domain important installation installed installing logon logs manage member nt onto page promoted right role roles separate server setup stand started time tip uninstall window windows
Requirements and Recommendations
0 20 1995 2000 2003 2136 239924 10mb 2000’s 2003’s 200mb 2gb 42mb 4gb 500mb 50mb ability across active activedirectory ad ad2003 adapter addition address adequate administrative administrators admins adsizer advanced allow alternatively apps around article asp available base bind cable catalog com come comes complete component computer config configure configured connection considerably controller controllers database datacenter dc default define depending detect dhcp directory disabling disconnected disk dit dns domain domains download dynamic dynamically edition editor effort enterprise environment estimate file files find folder forest formatted gc get global group hardware hierarchy hosting http illustrates incremental install installable installation instructions internet ip itself kb kit knowledge known laptop least local location log loopback manually media member microsoft minimum needs netlogon network ntds ntfs objects operating order org partition permissions planning problem protocol recommendation recommended records reduces register registers replicated required requirement requirements resource rfc running sense server servers service settings situation sizer space srv stack standard standards status sum supplement support supports system system32 sysvol takes taking tcp techinfo technology tip transaction transfers update updated users version windir windows windows2000 virtual wizard volume won’t working www xp zone
Creating Domains Trees and Forests
2000 active command consequences dcpromo decisions directory during especially far initiated installation installing involved mentioned reaching starts steps windows wizard
Before Installation
0 1034 1035 1036 2000 2003 2052 accommodate acquired active ad2003 adam addition application applications arise authority available becomes before book child choose com companies company company’s conflict conform connected connection controller controllers currently dc dcs decide deploying deployment designing directory dns domain domains ensure entire essential ever exists extranet fault firewalls forest forests form forms frd http identity implemented include install installing integrated internet internet’s join joined kind kit knowledge known latest learning least locate microsoft mode name namespace naming network notice options order organization provide proxy recommend recommends records registering registration represents requiring rfcs root rule rules scenario scheme security separate server servers services smallest solution standards strong suitable thorough thumb tightly tolerance tree trust unique uniqueness users while windows windowsserver2003 wise www
The Installation Process
15 64 155 2000 2003 $ ^` ‘ accepted access accessing account acls active actual add added addition address administrator administrators admins allowed allows along among analysis anonymous appears applications applies appropriate ask attacks attribute authenticated authentication automatically before behind belong book builtin bytes c careful center channels character characters check checks choose clicked client clients clock com com’ command common company compatible complete completed computer computer’s computers configuration configure configured configures confirm consider consists contact contain continue controller controllers copy created creates creating creation credentials data database decide default defaults define defined depending detail detailed determine diagnostics differ directory disk disks display displayed displays distributed distribution distsys dit dns documentation domain domains drive dsgch02 dsrm during dynamic en enable enabling ensures entered enterprise especially events everyone existence exists external extra f8 file files flowchart folder forest formatted found generates goes grants group groups guide handles having http hyphens implications improperly improved include included increases initial install installation installed installing interface intersite ip ismserv kdc kerberos key keys kit labels length less let lets letters likelihood limit link local localgroup locate located location locator log logon lsa manages maximum members membership message messages messaging methods microsoft mode moved mspx mutual name net netbios netlogon network nobody notes nt ntds ntdsutil ntfs null numbers object objects obviously ok omitted operating operation optimize option options order our part1 partition password perform performance periods permission permissions physical place policies policy position pre preferred prepare pressing previous privileges process progress promoting promotion properly protocol ras reached read receiving records reducing registers registry removal remove replicated replication reset reskit resource resources restarted restore results review role root rpc rpclocator running runs sample sanao scenarios scenes screen secure security sending separate separated sequence server servers service services session setpwd settings shared shown significantly similarly sites snap source sp2 space spaces srv stack started starting starts startup static step steps stop storage store stores structure successful suffixed suggests summary supports synchronizes system system32 systemroot systems sysvol take taken tcp temporarily tickets time tip tracked tracking tree trksvr twice type unicode unique uniqueness unless update updated us user user’s users utility w32time valid value various weaken verified verifies version very whereas while window windows winnt within wizard volume volumes work www you’ve yourself zero
Installing Additional Domain Controllers
2003 accessories accommodate accomplished active ad ad2000 ad2003 addition adv advanced alternate alternatively amount asked authentication automatically backed backup bandwidth basis before behavior being boot branch bulk catalog cd check checking clicking close com command complete configure connecting connection considerably consists contacted controller controllers copy created database date dc dcpromo deleted deliver delivered dialog did directories directory disk displayed dns domain during dvd except facilitate facilitating fault file files follows gc global good had idea increase install installation installed installing introduces it’s least link links locate location low main media menu metadata necessary network normal normally ntbackup office ongoing online onto option order parameter permission permissions phases placing process programs promote promoting promotion protected reason recent records reduce registration registry remote removable replicate replicated replication required restore restored result run running save searches server servers shipped shown slow sometimes source starting state steps still store surfing synchronized system sysvol take technique tip tolerance tool topology transfer transferred typing unreliable unselect update user wan windows wish wizard
After Active Directory Installation
23 56 2000 2003 308592 accomplished active adds administrator article being briefly cn command complete computer configuration consequently controller correctly created csv csvde dc dcphelp dcpromo dcpromohelp debug determine directory display displayspecifiers dispspec domain english everything exe flash forest further gui import installation instructions interrupt kb locales log logs mui name non now objects prevent process prompt restart runs seeing server specifier steps supported system32 systemroot takes time tip unsuccessful users went windir windows
Verifying the Installation
2000 2003 access active added addition address administrative alternative analyze appended applies builtin check checking client command completed computer computers config containers controller controllers copy created csv database dcphelp dcpromo dcpromoui dcpromoui001 debug default defaults directory display displayed dit dns domain domains during dynamic elsewhere ensure errors file files folder foreignsecurityprincipals forest gc group ins install installation installed installing ip items line linked local located location locations log menu mmc msc name net netlogon newer ntds older order ou parameter place policies policy present promoted promotion prompt properties provided records refreshing removed repadmin replicating replication replsum resolver resource respectively restarting run saved secpol security sequence server servers service services settings shared shortcuts showreps site sites snap specifiers srv states still stop successful successfully support sure system system32 systemroot sysvol testing thereafter times tip trusts try under unfortunately updates users verify version whereas windir windows within volume xp you’re yourserver
Ensuring Compatibility with Earlier Clients
95 2002 2003 ability active affect affects aforementioned always attacks authenticate box care ce channel channels check checked client clients communications computer computers configuration controller controllers data default define defined devices digitally directory disabled disabling domain encrypt enough group improvements including increases inheritance lan leave local machines man manager member members microsoft middle net network nt older options overwriting pack pc pocket policies policy previous prior reduce relationships remove requirement requirements resources running samba secure security server servers service services settings sign signing since smb take time tip trust unchecking under upgrade ways version versions windows workgroups vulnerability
Configuring Time Service
123 2000 2003 active ad2000 alternative c clock clocks commands computer config configure controllers correct dc directory domain edu ending external find firewall forest get hierarchy http including isc isi lowermost manual manualpeerlist members necessary net network ntp open order org pdc port professional protocol public resync resynchronize root server service source starting stop syncfromflags synchronize synchronized time timekeeper tip udp update w32time w32tm windows working workstation www
DNS-Related Tasks
2003 active allen allow basic book catalog clients com cornerstone cricket directory discussion dns dnswinsvr get http including larson learn liu matt network o’reilly order oreilly robbie running scope server servers service steps thorough tip walk windows working www
Removing the DNS Root Domain and Configuring a Forwarding Address
2000 2003 active add address administrative answer assumed circumstances clients company computer conditional configuration configure configuring connect connected consequently created defined delete depending directory dns domain double enable enables entire external f5 feature finer firewall forests forward forwarder forwarders forwarding forwards go grade help icon important installation internet introduces ip isp itself lookup name nat network online order possibly pressing properties queries rather record records refresh remove replicated resolution restart result root server servers service snap started starting stub support tab tip translation useful versions windows wizard zone zones
Creating a Forward Lookup Zone and Enabling Dynamic Updates
10 2000 2003 active add administrative allows automatically available box check checked com command components computer configure context control controller decided default directory dns doing domain double dynamic enter field file finally finish forest forward good icon install installation ipconfig isn’t latter let line lookup managing manually menu name net netlogon networking nonsecure now order panel perform previous primary programs provide reasons record register registerdns remove replicated replication restart right root running sanao scope secure selecting server servers service services similar snap specify step steps stop store system32 transfers type unless updates very windir windows wizard zone zones
Creating a Reverse Lookup Zone and Enabling Dynamic Updates
10 100 active address allows available box c can't check checked command computer computers configure context controller corresponding default diagnostics directory dns doing domain double dynamic enter error field finally find finish good icon id interactive ip ipconfig isn’t line lookup managing menu mode monitoring name network nonsecure now nslookup octets ok once order out perform pointer previous primary provide ptr reasons record register registerdns replication request resides reverse right running scope seconds secure server service snap specify step steps store subnet test thing timed timeout too tool try twice type unknown unless updates work you’ll zone zones
Storing DNS Zones in Active Directory
2078 2137 active allow before checked configure configuring defined directory dns dynamic field include install installation installing integrated let perform permissions properties records replicated rfcs secure selecting service support tasks updates within wizard zone zones
Application Partitions
323 act active ad2000 ad2003 aka api application applications architecture automatically availability catalog child com command configuration configure configuring contain container containers containing context contexts controller controllers created creating dc default depth differently directory discuss diverse dns domain domaindnszones domains domainwide dynamic ensure especially fixes forest forestdnszones forestwide geographically global greater guids h had ils important install integrated internet introduced introduces ip latency let located locating locator manage managing msdcs name naming ndncs nearest network networks non nor objects order ou partition partitions principals problem problems program records referred replicate replicated replicating replication requires root running schema secondary security separate server servers service sometimes subdomain system tapi tapi3directory tapicfg telephony topology within yourdomain zone
Managing DNS Replication
10 active application appropriate checking consequently controllers created creation default define directory displayed displays dns domain ensure event forestdnszones log option partition partitions recorded replicated replication store zone zones
Managing Functional Levels
11 2000 2003 absence active ad2000 ad2003 administration administrator admins adsi assuming attribute attributes automatically bdcs behaves behavior changing check checking class cn com computers configuration consider container controller controllers created crossrefcontainer dc default directory displayed displays domain domaindns domains dropped edit ensures enterprise exist exists forest functional functionality implications increased indicates install installed installing interim ldp level levels location lonsanao1 making member mixed mode msds name native newly nt ntds ntdsdsa ntmixeddomain object option order out partitions perform product raise raised raises raising represented reverse root rootdse running sanao security server servers settings similarly since site sites still storage stores support system tip trusts type users value values verify version view windows windows workstation
Installing Additional Tools
active adsiedit book cd com console depth directory discuss download downloading exe exploring extensively gpmc group http install installation installing kit least management microsoft msc msi obvious package packages policy promotion repadmin reskits resource support suptools surface tool under valuable worth www
Changing Folder Locations
18545 accomplish active become changing com command compact complicated computer contain controllers created database default defragmentation defragments detailed directory domain file files folder folders fwlink go guide http installed instructions large linkid location log microsoft mode move moving necessary ntds ntdsutil objects online operations order rather reduce reinstalling related removed restore services size starting subsequently systemroot sysvol takes tip
Other Post-installation Tasks
accounts active ad alternatively best changing chapters computer computers containers controllers created default directory discuss document domain download during follow guide installation installations installed master microsoft off operation ous practice read redirect roles securing security services settings site tasks transfer turning unnecessary user users web
Automating Active Directory Installation
2000 2003 223757 active alternatively answer article assume autoconfigdns automate automated c cab cabinet cd chm com command confirmgc contains contents controller createorjoin databasepath dcinstall dcpromo default deploy differences directory dnsonnetwork documents domain domainnetbiosname editor examples far file files folder forest further hw92 include inside install installation installed kb let’s lines logpath london media mentioned modify newdomain newdomaindnsname notepad ntds operating order preceding previously r7rg read reasonably rebootonsuccess ref replicaornewdomain root safemodeadminpassword sample sanao say server settings setup simple sitename slightly subsequently support switch system systemroot sysvol sysvolpath template tip tree treeorchild txt windows yes
Problems with Active Directory Installation
10 100 389 2003 active address alternatively bind box button c check checking clicking cmd com command common computing dcdiag deeper default delve diagnostics dig directory dns dnslint dnstool domain download edu enter especially filters find follows hostname htm html http inability include index internet isc ldap line location lonsanao1 looks menu name netdiag now nslookup open operation org out output parent pl port press pressing priority problems prompt properties queries query quotes records recursive related replies resolution response right run sanao selecting server service simple snap sort srv support sw svr tcp test testing tip tool try type utilities utility uwdomains washington weight version windows www
Recovery Options
2000 2003 access accessing bios blank bottom briefly diagnostics discuss f8 finished further goes help important includes logo menu message missed online options pressing recovery reference screen sections server shown startup technical timing windows
Startup Options
17 95 98 2000 2003 access active administer administration administrator always appended available back base basic boot cable card cases caused causes command computer configuration consequently controller controllers corrupted creates cure debug debugging default defined devices directory displays dns domain driver drivers during enable enables everyone familiar file files functionality good includes incorrect installation installed introduced keyboard known loaded loading log logging lost made mass minimal missing mode monitor mouse named necessary network networking newly ntbtlog option options password pcmcia presents preventing previous problems prompt properly purpose registry restore restoring restricted retain roll safe saved sending serial server service services settings shutdown since solve started starting starts startup state stop storage successful successfully support system systemroot tab tip txt useful various version vga while video windows working xp
Directory Services Restore Mode
2003 active backup computer data database defragment directory fulfills functionality help keywords mode necessary ntdsutil online portion recover restore restoring running server services situations state system tip windows
Recovery Console
10 2000 2003 able access active administrator administrators allowallpaths arc around attrib attributes autochk automatically available batch before boot bootcfg booted booting cab cabinet cd chdir checks chkdsk clears cls cmdcons com command commander commands compressed computer configures console contains contents copies copy creates current damaged default del delete deletes devices dir directories directory disable disabled disables disabling disk diskpart displays dots drive driver drivers during enable enabled enables environment equivalent erd exe executes existed exit exits expand extracted extracts fat fat32 file files fixboot fixmbr folder folders format formats forward functionality group hard help hidden http ini installation installations intel interface kind letters line listsvc local location logon long looked management managing map mappings marks mbr md media mkdir name nt ntfs old onto operation operations options original parameter parameters partition partitions party password paths physical platform policy products purpose purposes quotation rd rebuild recovery related removable removes ren rename renames repairs replacing report requests requires resetting restarts restricted restrictions results rmdir root scan screen sector server service services sets setup similar single source sources space spaces specified starts startup status support supports sysinternals system systemroot third time type utility variables various versions wildcards windows volume work works writes www
Installing and Starting the Recovery Console
2000 2003 810562 6mb 8mb alternatively anytime appears article available boot c cd cmdcons command computer console contains disk disks dos download drivers enter erd files floppy included install installation installed installing introduced kb latest load longer menu ms necessary nt operating option order partition pressing process r recovery repair screen server setup space startup supported system takes traditional try update windows winnt32 you’ve
Using the Recovery Console
10 2000 2003 account administrative administrator administrator’s allow ask automatic commands computer configuration configuring console country default directory disabled disk english exit finish hard installation installations keyboard layout listed local logon mode options password passwords policies prior process recommend recovery registry repair reset restart restore s scans security server services settings starts time tip type typing u windows
Automated System Recovery
2003 application asr associated attempts automated backup cd components computer configuration data disk disks enables f2 fail floppy introduced operating order press recovery restore restoring server services setup starting state store system windows xp
Uninstalling Active Directory
12 2000 2003 216498 able access active actual ad added administrator admins alone along application appropriate article asked attributes available become becomes before center certificate certificates classes clean command complete computer computers connection consequences continues controller controllers couldn’t created credentials cryptographic data dcpromo decrypted define defined delegated delete deleted demote demoted demoting demotion developer directory disable dns domain domains easier encrypted ensure enter enterprise exist exists experimenting export exported exporting extinct failures finally forced forceremoval forest forward further gc going group handled happen help ignores inconsistent install instructions introduces isn’t kb keys keywords local log longer lookup major master member metadata much necessary network nor objects online operations order otherwise pack partitions password permissions private problem question really records reinstall relevant remain removal remove removed removing replica requirements restarting roles root schema search server service services situation situations software srv stand subdomains support sure technique things tip transferring uninstall uninstallation uninstalling unrecoverable updates upon user users warning windows wizard zone
Automating Active Directory Uninstallation
8992 63trg active administrator administratorpassword answer answered automated c command dcinstall dcpromo dcuninst differs directory file here’s installation islastdcindomain obviously password questions rebootonsuccess sample somewhat txt ud uninstalling username yes
Conclusion
2000 2003 active aspects begins content controller core directory domain exploration explore groups learned least management network now ous promote ready running server small users various windows
Chapter 3
Managing OUs Users and Groups
23 35 59 active ad2000 ad2003 administration alias aliases alternative alternatively appear applications behind book class classes computers contacts contain contents corresponding cover covers creating csvde custom describe directory discuss discussion domain dsadd eight enables explore finally focuses folders follows further groups help include inetorgpersons install installation kit ldifde listed locate manage managing mention message microsoft msmq nine normally object objects organizational ou ous outside part populate printers proceed queue queues queuing recipient reside resource right scenes scope scripting shared snap topic tree units users visible
Active Directory after Installation
account accounts active administrative argue authenticate button clicking com computer computers containers contains controller created directory domain dsa enter forest group groups installed installing msc newly nt object objects often ou place predefined press promoting referred root run sanao selecting server snap something sometimes tip type upgrade user users windows
Predefined OUs and Other Containers
20 2000 accordingly active administering administration adsi advanced affects always anything assign assigned authenticated back below built builtin cds classes column come comparable computer computers contact container containers contents controllers cookbooks corresponding creating default delegate delete described describes directory discuss disk doing domain domains edit explained external extra files flags folder folders foreign foreignsecurityprincipals forest gpo group groups hood ies in’s includes inetorgperson issue keep known level likely likewise little local member members move music neither nor nt object objects ou ous outside placeholders placing point policy predefined principals printer protection purpose putting redirect redirecting rename represent reside root security servers settings shared shelf shouldn’t snap system therefore things together tool turned types under unless user users why windows visible workstations xp yes yourself
Why These Containers
2000 account accounts active add addition apis brought built builtin chosen command commands computer computers container containers controller controllers created default directory discouraged domain downlevel during ease explanation fact form group groups intentionally internally joins local localgroup long manager member migrated migration net netdom nt objects odd old ou ous precreated predefined process run seem separately separation server support switch tool upgrade user users whenever why windows workstation xp
Redirecting the Users and Computers Containers to OUs
2003 324949 advantage allow apply article base com commands computers container containers created dc default delete domain during employees flags functional group groups hand http knowledge level microsoft moved much normal old ones ou ous perform policies predefined protection redircmp redirect redirection redirusr rename sanao server system therefore users windows workstations www
Predefined Users
2000 access account account’s accounts active ad2000 ad2003 adding addition administrative administrator allow allows always anonymous anyone anywhere application automatically besides box browsers careful catch center chose clients compatible component confusing connect connector controller controllers correct crack decrypt default delete denied depending derived description dialog directory disabled discussion distribution domain domains door enable enabled encrypt everyone extra forest granted group groups guess guest he hidden hurdle iis iiswam installed internet intruder intruder’s iusr iwam jack jack’s kdc kdc’s kerberos key knows krbtgt large license likely log logged logon manager member minimal name names network never objects offers optional outofprocesspool part password path periodically permissions personnel potential pre predefined present principal prompted protection really recognize rename renamed renaming resources server servername servers service services small someone spn stands switches symmetric terminal tgts think thinks time trying tsinternetuser type typical user users walks ways web wide widest windows workgroup workstation
Predefined Groups
ability accepts account active adding addition administer administrative administrator administrators admins among anyone anything applies apply appropriate assign assigned associated built builtin categories container containers controlled controllers corresponding database delete difference difficult direct directory dns domain drives easier easy else exact existed far files fixed folders follows foreign format get global group groups guests had hard he him illustrated includes individual individually items jack jill keys least life local locally log making meaning member members mostly names needs network nt objects often operators package partial permission permissions policy predefined primary printers privileges purpose put registry relationship relationships required reside resources rest right rights security servers settings shown specific sticking story suitable system that’s time turn types user users windows won’t workstations worrying True
Predefined Built-in Local Security Groups
44 47 2000 2003 297938 331951 abilities able access account accounts active ad2000 administrator administrators admins adminsdholder alerts allowed almost always anonymous appears application apply article attribute authenticated authorization back backup base being builders built builtin child compatible complete computer configuration configure connection console constructed container contains control controller controllers corresponding decisions default delete describe describes descriptive desktop detail directory domain domains down drives enterprise everyone except exhaustive file files flags folders forest formatting four full global group groups guest guests hard ignore including incoming inetorgperson inetorgpersons installed interactive ip iusr iwam knowledge known latter license licensing local locally log logged logon logs manage managing member members memberships microsoft modify monitor monitoring move name network none nt object object’s objects operating operators organization otherwise ou perform performance permission permissions pre predefined present principal print printer printers properties protection question read refers remote remotely rename replicator restore rights root running sanaobostonusers sanaousers security selected separate server servername servers service services settings share shares shut similar sp4 specific starting stop subtree system systems tables tcp terminal tggau therefore time tokengroupsglobalanduniversal tool total trust trusts universal user users windows visible workstation workstations
Predefined Groups in the Users Container
2000 2003 access account ad2000 ad2003 addition administer administrator administrators admins allows anonymous appears apply appropriate assign authenticated authority become behalf built cert certificate certificates child client clients computer computers configuration container control controlled controller controllers controls created creating creator default described describes description dhcp discuss discussed discussion dns dnsadmins dnsupdateproxy domain domains dynamically enable enterprise everyone forest full functional global gpo gpos group group’s groups guest guests hierarchy ias iis illustrate illustrates include included install internet joined known let level listed local located logon maintaining manage member members membership memberships missing modify mostly name native necessary needs network none objects operating options ou owners part permission permissions placing policies policy practically predefined principals problem process property publish publishers ras read real record records register remaining remote resolved resource restrictions reveals rights root routing rras running saw schema security seen server servers service services settings similarly sites system tables therefore tightened type typically universal user usercertificate users wants various whole windows won’t worker workstation workstations wpg write True
Predefined Computer Objects
beginning computer container controller controllers domain object point
Administering OUs
active behaves better circle directory disk domain drop efficient files folders form groups illustrates image inside it’s keep natural object objects off organizational organize ou ous out part rather referred represents root similarly store structure think tree triangle units uppermost users ways whole
Features of OUs
2000 2003 able access active administration administrators’ assign bad benefits besides big box brown browse browsing button child clicking command continue control convenient copy correspond couldn’t created database define delegate dialog difference difficult directory dll doing domain domains dsfolder easier enable entire extra file folder forest form found get good group hand he hiding illustrates independent inside jack level logical look lower manage matter microsoft my nds network object objects offer operation opinion ou ous outcome partition partitioning performs permissions person places policy primarily printer production properties providing purely put register regsvr32 related resource result sales sanao search searching security selecting selects server show sibling siblings single stick structure supported system32 target tell thing tip totally track tree turn unfortunately unit units upper user users users’ wanted various via windows visibility words work workstation xp True
Managing OUs
2003 administrative assigning center chapters checking com creating delegating deleting discussed domain encourage focus follows group harm help includes irreversible item items management managing moving ou ous partition permissions policy properties read renaming resultant rsop server sets support tasks try windows
Creating OUs
64 best character characters choose computers creating descriptive disk distinguished domain easy enough enter folder follow gurmukhi had harder key launch least life maximum name names nds now nwadmin object organizational ou ou’s parent press punctuation put right short snap software steps string theory trick type unfortunately unicode unit users
Setting OU Properties
24 24 24 40 104 123 128 840 abbreviation ad2000 add addition address advanced affects appear base behind beings box c catalog characters choices choosing city clicking co code common computers contact contains country country’s countrycode created description dialog discussed distinguished dn domains enter faster fields former gc get global human include included indexed indexing indicate informational integer iso kit l latter ldap line locality makes managed managedby manager manager’s matter maximum multiple name names none numeric object ou ou’s parentheses part permissions postal postalcode properties property provide province purely reading region related resource right scenes schema scripting searches security sites snap st state states street string syntax tab tabs takes turned unicode united us user users utilities windows works zip
Moving Renaming and Deleting OUs in a Tree
above accept assigned b being c changed choose circumstances clicking command contains ctrl cut delete deleted deleting described destination discussed domain drag easily enter f2 find forest further group hand inherit inherited inside insufficient key keyboard keys line location longer mouse move moved movetree name object objects ok once ones opens optimal original ou ou’s ous pane paste permissions planning policies press pressing previously proceed prompted rearrange rename result right selecting shift sibling similarly snap support too tool tree type
Planning OUs
2000 according administer administration administrative administrators aforesaid application aspects assignment boston bullet company confuse controlling corporate deep delegation department disk division divisions domain domains easy employees entities exist folder geographical geography group including isn’t keep learned level limit locations logical london mainly match mind necessarily object organization organizational organized others ou ous partitions physical planned planning policy practical previous principles printers production publishing purely purpose related reorganize reorganizing replication right sales scenarios similar specific stands structure suggests top tree trees type types typical typically unit units users windows visibility
Administering Users, InetOrgPersons, and Contacts
2000 able access account accounts active actually ad2003 add addition address administration advanced appear application applications applies apply aspect assign being beings book box brought card category certificates chapters collection column com common comp computers contact contacts contain container contains control copy corresponding corresponds couple course cover creating date de define delegate delete dial dialog dictates directory discussed discussion distinguish distribution eight employee enabled entry environment examples except exchange expiration fax faxing folder function functions general group had home human identical include inetorgperson inetorgpersons informational install introduced introduces item items latter left little location log logon mail makes manage management meant member memberships mentioned menu move much name nature natures network never object objects official organization ou outside page password path permissions person personnel placeholder please point policies policy practically primary principal production profile properties published question reason refer related remote rename requirement resources right screen sections security services sessions shots shown significant smart snap software store subset summarize tab tabs tasks telephones tend terminal terms test third title traditional try turn turning twice type types typically user user’s users web whose view visible
Creating Users
10 20 24 64 256 2000 access accesses account accounts active actual addition address administrative administrator alone alternatively base becomes brown call can’t canonical capability cases catalog cause changing characters choose cn command common compatibility computer computers configuration consequently creation default describes description despite device directory display displayname displays distinguished domain enforces enter european everyday except experience explain explicit fewer firstname folder forest forests full furthermore generation givenname global graphical handle hasn’t he her his iii independent indexed informational initial initially initials jack jb joined jr knows label lastname latter ldap legitimately length line local log logon logs machine mail maximum middle mobile modify name names needs network normal nt object object’s often old ou page part password performing permissions pre prevent principle privileges problems profile properties property purely qualifier rdn regard relate require required rights rule rules safer sam samaccountname schema selected server settings she shown situations sn snap specify sr stand strings suggests summary supported surname tasks third throughout time treats tree trust unicode unique useful user user’s userprincipalname users utilities various warning windows within wizard workgroup workstation ä
UPN Suffixes
active actual add administrative administrator appears box brown button choose clicks com consist contains corp default define dialog directory domain domains enables enter enterprise fixed forest jack left line logon name names once pane part parts properties right root sales sanao selects snap started suffix suffixes trusts upn uppermost user users
Creating InetOrgPersons
2798 311555 active actually ad2003 administrators affects along appear applications article authentication base before brought class com computers context defaulthidingvalue defined definition directory easier forest http identical includes inetorgperson interoperate knowledge menu method microsoft migrate modify needed network object objects practically products projected property purpose recommends represent rfc scenarios schema services snap standard test therefore tool type unless usage user users www True
Creating Contacts
11 address applications becomes book common company computers contact contains creating creation entry full informational log logon mail name names network object ou page password person properties represents saw settings shown significant snap specify therefore tree user users wizard working
Setting User, InetOrgPerson, and Contact Properties
30 50 138 150 165 207 257 account ad2000 addition address administering always behind contact context count counts covered creating define dial discussion easier exact explanatory express fortunately general groups help informational interface major member mention mentioned names numbers object objects organization our places precise profile properties provides required say scenes self sensitive settings significant simply tab tabs telephones user users windows
Significant Properties of a User Object: The Account Tab
0 0 0 0 10 11 12 20 24 24 30 256 2000 2003 abcdef able acceptable access account accountexpires accounts active address adjustments administrator administrator’s affects ahead allowed allows am amount anymore appear appears assign assigned associated attack attacks attempts authentication away back becomes being belgium binary bit boston boxes bpactlck brown calculated card causes cbc changing character characters check checks clear com command compatible computer computers configuration consequently contents control controller correction corresponding current data date daylight days default define defining delegated delegation delete denial des described description despite determined dictionary digest directory disabled discussed document domain during eight empty enable encrypt encrypted encryption enters except exempt expires explanatory expose firewall folder force forwarded freeze functional gmt going good granting group having he his hmac hour hours http human iis impersonation implementation implementations includes increments indicate initial interactive internally irreversible jack jackb kerberos key label ldap learn least length level line local locked lockouttime log logon logonhours logs long longer looks machine macintosh mail maximum md5 meaning microsoft minimum month mspx name names net netbios never normally nt object often old online option options out pass password passwordreq passwords periodically periods permissions pm policies policy practice pre preauthentication prepared prevent principal prodtechnol profile properties property pwdlastset rc4 regardless relieves represents require required reversible rsa rsadsi rule sam samaccountname saving schema security selecting self sensitive server service sets settings she shown significant sitting six smart snap someone soon special specified standard still store stores string syntax tab taken technet technologies temporary ten tgt tgts thorough throughout ticket tickets time times too tries trusted twice type types unicode unlocks until usable useful user user’s useraccountcontrol userprincipalname users userworkstations utc vanish wants weekdays windows windowsserver2003 visible won’t workstation workstations wrong www xp year yes zone
Significant Properties of a User Object: The Profile Tab
11 13 2000 $ able account active actually administrators alternative anydomaincontroller applications assign back bat brown browse characters connect connects contain contents control convention creates d default define defines description directory documents dollar downlevel downloaded drive edit environment exists field fields folder four full gives group handy he his home homedirectory homedrive homepath inherited invisible it’s jack jack’s jackb ldap letter local logon logs machine makes maps my name naming netlogon network newer nt object off old once path permission permissions policy pre private prof profile profilepath properties property providing read relative remove roaming saving script scriptpath server services shared sharename sign significant snap specifies store tab tab’s time unc unicode uniform unlimited uploaded user user’s username users value variable variables whereas whichever windows workstation xp
Significant Properties of a User Object: The Dial-in Tab
14 apply book communication connections define defines dial managing network outside private properties provided reference scope screen settings shot significant tab therefore user virtual vpn
Informational Properties of Users and Contacts
12 24 24 24 40 43 64 89 93 128 256 840 2048 acceptable active ad2000 address advantage affect anything appear applications authorization base blank box boxes brown c categories categorized characters checking choose city cn co code color comments common company computer consequently consist consistency consistently consisting contact containing country countrycode covered creation criteria deals default department described describes description detail determining dialog dictate direct directory directreports display displayname dn document edit enter entered entries especially except facsimiletelephonenumber favorite fax field fields file fill fixed format four free ftp gc general givenname group groups guidelines hair her his home homephone http ideally important include index indicates info informational initial initials integer interested ip ipphone jack jack’s jb jill keep l label ldap leave little locality locked logged mail management manager mentioned middle mind mobile multiple name network notes numbers o objects offer office operations options organization otherfacsimiletelephonenumber otherhomephone otheripphone othermobile otherpager others othertelephone otherwise ou p page pager permissions personal phone physicaldeliveryofficename postal postalcode postofficebox previously primary properties property provide province public query read recipes region rein reports requirements result rules screen search securing shots show shown simply sn snap something st state stated states street streetaddress stringent surname syntax tab tabs take telephone telephonenumber telephones tell therefore title together total treats tree unfortunately united unless url us user user’s users values web very wizard written wwwhomepage zip
Editing Multiple Users
15 2003 computers description edit enables feature inetorgperson multiple object objects possibly properties server simultaneously snap time types typically user users version windows
Other Operations to Manage Users, InetOrgPersons, and Contacts
account clicking contacts context copy created delete disable full home inetorgpersons key mail manipulate menu mouse move open operations packed page password perform possibly press properties ready rename reset right send shortcut users ways
Copying Users and InetOrgPersons
13 20 33 account accountexpires add adsi anticipate assistant attributes behave brevity c categories category city clicking co code codepage company computers copied copy copying country countrycode default defined department description division done edit employeetype enables explain facsimiletelephonenumber fax hand homedirector