book

Active Directory, 5th Edition

by Brian Desmond, Joe Richards, Robbie Allen, Alistair G. Lowe-Norris

May 2013

Intermediate to advanced

735 pages

22h 5m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
1. Intended Audience2. Contents of the Book3. Conventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact Us4. AcknowledgmentsFor the Fourth and Fifth Editions (Brian)For the Third Edition (Joe)For the Second Edition (Robbie)For the First Edition (Alistair)Content UpdatesMay 15, 2013
1. A Brief Introduction
1.1. Evolution of the Microsoft NOSA Brief History of Directories1.2. Summary
2. Active Directory Fundamentals
2.1. How Objects Are Stored and IdentifiedUniquely Identifying ObjectsDistinguished namesExamples2.2. Building BlocksDomains and Domain TreesForestsOrganizational UnitsThe Global CatalogFlexible Single Master Operator (FSMO) RolesTime Synchronization in Active DirectoryDomain and Forest Functional LevelsWindows 2000 domain modeGroupsGroup membership across domain boundariesConverting groups2.3. Summary
3. Active Directory Management Tools
3.1. Management ToolsActive Directory Administrative CenterPowerShell HistoryGlobal SearchMultiple-domain supportExtensibilityActive Directory Users and ComputersAdvanced FeaturesSaved QueriesControlling drag-and-drop movesTaskpadsADSI EditLDP3.2. Customizing the Active Directory Administrative Snap-insDisplay SpecifiersProperty PagesContext MenusIconsDisplay NamesObject Creation Wizard3.3. Active Directory PowerShell Module3.4. Best Practices Analyzer3.5. Active Directory-Based Machine Activation3.6. Summary
4. Naming Contexts and Application Partitions
4.1. Domain Naming Context4.2. Configuration Naming Context4.3. Schema Naming Context4.4. Application PartitionsStoring Dynamic Data4.5. Summary
5. Active Directory Schema
5.1. Structure of the SchemaX.500 and the OID Namespace5.2. Attributes (attributeSchema Objects)Dissecting an Example Active Directory Attribute5.3. Attribute PropertiesAttribute SyntaxsystemFlagsConstructed attributesCategory 1 objectsschemaFlagsExsearchFlagsIndexed attributesAmbiguous name resolutionPreserving attributes in a tombstoneThe subtree indexThe tuple indexConfidentialityAttribute change auditingThe filtered attribute setProperty Sets and attributeSecurityGUIDLinked AttributesMAPI IDs5.4. Classes (classSchema Objects)Object Class Category and InheritanceDissecting an Example Active Directory ClassHow inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClassViewing the user class with the Active Directory Schema snap-inDynamically Linked Auxiliary Classes5.5. Summary
6. Site Topology and Active Directory Replication
6.1. Site TopologySite and Replication Management ToolsSubnetsManaging subnetsTroubleshooting subnet data problemsSitesManaging sitesSite LinksManaging site linksSite Link BridgesConnection ObjectsKnowledge Consistency Checker6.2. How Replication WorksA Background to MetadataUpdate sequence numbers (USNs) and highestCommittedUSNOriginating updates versus replicated updatesDSA GUIDs and invocation IDsHigh-watermark vector (direct up-to-dateness vector)Up-to-dateness vectorRecapHow an Object’s Metadata Is Modified During ReplicationStep 1: Initial creation of a user on Server AStep 2: Replication of the originating write to DC BStep 3: Password change for the user on DC BStep 4: Password-change replication to DC AThe Replication of a Naming Context Between Two ServersStep 1: Replication with a partner is initiatedStep 2: The partner works out what updates to sendStep 3: The partner sends the updates to the initiating serverStep 4: The initiating server processes the updatesStep 5: The initiating server checks whether it is up to dateRecapHow Replication Conflicts Are ReconciledConflict due to identical attribute changeConflict due to a move or creation of an object under a now-deleted parentConflict due to creation of objects with names that conflictReplicating the conflict resolution6.3. Common Replication ProblemsLingering ObjectsUSN Rollback6.4. Summary
7. Searching Active Directory
7.1. The Directory Information TreeDatabase StructureHidden tableData tableLink tableSecurity descriptor table7.2. Searching the DatabaseFilter OperatorsConnecting Filter ComponentsSearch BasesModifying Behavior with LDAP Controls7.3. Attribute Data TypesDates and TimesBit MasksThe In-Chain Matching Rule7.4. Optimizing SearchesEfficient SearchingUsing the stats controlobjectClass Versus objectCategory7.5. Summary
8. Active Directory and DNS
8.1. DNS FundamentalsZonesResource RecordsClient Lookup ProcessDynamic DNSGlobal Names Zones8.2. DNSSECHow Does DNSSEC Work?Resource recordsLookup processConfiguring DNSSEC for Active Directory DNS8.3. DC Locator8.4. Resource Records Used by Active DirectoryOverriding SRV Record Registration8.5. Delegation OptionsNot Delegating the AD DNS ZonesPolitical factorsInitial setup and configurationSupport and maintenanceIntegration issuesDelegating the AD DNS ZonesPolitical factorsInitial setup and configurationSupport and maintenanceIntegration issues8.6. Active Directory-Integrated DNSReplication ImpactBackground Zone Loading8.7. Using Application Partitions for DNS8.8. Aging and ScavengingConfiguring ScavengingSetting zone-specific optionsEnabling scavenging on the DNS server8.9. Managing DNS with Windows PowerShell8.10. Summary
9. Domain Controllers
9.1. Building Domain ControllersDeploying with Server ManagerUsing DCPromo on Earlier Versions of WindowsAutomating the DC Build Process9.2. VirtualizationWhen to VirtualizeImpact of VirtualizationUSN rollbackRID pool reuseSystem clock changesVirtualization Safe RestoreCloning Domain ControllersThe DC cloning processCloning a domain controller9.3. Read-Only Domain ControllersPrerequisitesPassword Replication PoliciesManaging the password replication policyManaging the loss of an RODCThe Client Logon ProcessPopulating the password cacheRODCs and Write RequestsUser password changesComputer account password changesThe lastLogonTimeStampAttributeLast-logon statisticsLogon success/failure informationNetLogon secure channel updatesReplication connection objectsDNS updatesThe W32Time ServiceApplication CompatibilityRODC Placement ConsiderationsAdministrator Role SeparationPromoting an RODCPrestaging RODC domain controller accounts9.4. Summary

10. Authentication and Security Protocols
10.1. KerberosUser LogonService AccessService principal namesService ticketsApplication AccessLogon and Service Access SummaryDelegation and Protocol TransitionDelegationProtocol Transition10.2. Authentication Mechanism Assurance10.3. Managed Service AccountsPreparing for Group Managed Service AccountsUsing Group Managed Service Accounts10.4. Summary
11. Group Policy Primer
11.1. Capabilities of Group Policy ObjectsGroup Policy StorageADM or ADMX filesHow GPOs are stored in Active DirectoryGroup Policy replication11.2. How Group Policies WorkGPOs and Active DirectoryPrioritizing the Application of Multiple PoliciesStandard GPO Inheritance Rules in Organizational UnitsBlocking Inheritance and Overriding the Block in Organizational Unit GPOsSummaryWhen Policies ApplyGroup Policy Refresh FrequencyCombating Slowdown Due to Group PolicyLimiting the number of GPOs that applyLimiting cross-domain linkingLimiting use of site policiesUse simple queries in WMI filtersSecurity Filtering and Group Policy ObjectsLoopback Merge Mode and Loopback Replace ModeSummarizing Group Policy ApplicationWMI FilteringGroup Policy11.3. Managing Group PoliciesUsing the Group Policy Management ConsoleUsing the Group Policy Management EditorGroup Policy PreferencesDeploying group policy preferencesItem-Level TargetingRunning Scripts with Group PolicyGroup Policy ModelingDelegation and Change ControlThe importance of change-control proceduresDesigning the delegation of GPO administrationUsing Starter GPOsGroup Policy Backup and RestoreScripting Group Policy11.4. Troubleshooting Group PolicyGroup Policy Infrastructure StatusGroup Policy Results WizardForcing Group Policy UpdatesEnabling Extra LoggingGroup Policy Logging in Windows 2000, Windows XP, and Windows Server 2003Group Policy Logging in Windows Vista/Windows Server 2008 and NewerGroup Policy Diagnostic Best Practices AnalyzerThird-Party Troubleshooting Tools11.5. Summary
12. Fine-Grained Password Policies
12.1. Understanding Password Settings Objects12.2. Scenarios for Fine-Grained Password PoliciesDefining Password Settings ObjectsDefining PSO precedence12.3. Creating Password Settings ObjectsPSO Quick StartBuilding a PSO from ScratchCreating a PSO with the Active Directory Administrative CenterCreating a PSO with PSOMgr12.4. Managing Password Settings ObjectsStrategies for Controlling PSO ApplicationApplying PSOs to groupsApplying PSOs to usersMixing group application and user applicationManaging PSO ApplicationApplying a PSO with ADACApplying a PSO with ADSI EditApplying a PSO with ADUCApplying a PSO with PSOMgrViewing the effective PSO12.5. Delegating Management of PSOs12.6. Summary
13. Designing the Active Directory Structure
13.1. The Complexities of a Design13.2. Where to Start13.3. Overview of the Design Process13.4. Domain Namespace DesignObjectivesRepresent the structure of your businessStep 1: Decide on the Number of DomainsIsolated replicationUnique domain policyFinal notesStep 2: Design and Name the Tree StructureChoose the forest root domainDesign the namespace naming schemeCreate additional treesCreate additional forestsArrange the subdomain hierarchy13.5. Design of the Internal Domain StructureStep 3: Design the Hierarchy of Organizational UnitsRecreating the business modelDelegating full administrationDelegating other rightsStep 4: Design the Workstation and Server Naming ConventionsStep 5: Plan for Users and GroupsNaming and placing usersNaming and placing groups13.6. Other Design Considerations13.7. Design ExamplesTailspin ToysStep 1: Decide on the number of domainsStep 2: Design and name the tree structureStep 3: Design the hierarchy of organizational unitsStep 4: Design the workstation and server naming conventionsStep 5: Plan for users and groupsContoso CollegeStep 1: Decide on the number of domainsStep 2: Design and name the tree structureStep 3: Design the hierarchy of organizational unitsStep 4: Design the workstation and server naming conventionsStep 5: Plan for users and groupsFabrikamStep 1: Decide on number of domainsStep 2: Design and name the tree structureStep 3: Design the hierarchy of organizational unitsStep 4: Design the workstation and server naming conventionsStep 5: Plan for users and groups13.8. Recognizing Nirvana’s Problems13.9. Summary
14. Creating a Site Topology
14.1. Intrasite and Intersite TopologiesThe KCCAutomatic Intrasite Topology Generation by the KCCTwo serversThree serversFour serversEight serversNow what?Site Links: The Basic Building Blocks of Intersite TopologiesCostScheduleTransportWhen the ISTG becomes involvedSite Link Bridges: The Second Building Blocks of Intersite Topologies14.2. Designing Sites and Links for ReplicationStep 1: Gather Background Data for Your NetworkStep 2: Plan the Domain Controller LocationsWhere to put domain controllersHow many domain controllers to havePlacing a domain controller in more than one siteStep 3: Design the SitesStep 4: Create Site LinksStep 5: Create Site Link Bridges14.3. Design ExamplesTailspin ToysStep 1: Gather background data for your networkStep 2: Plan the domain controller locationsStep 3: Design the sitesStep 4: Create site linksContoso CollegeStep 1: Gather background data for your networkStep 2: Plan the domain controller locationsStep 3: Design the sitesStep 4: Create site linksFabrikamStep 1: Gather background data for your networkStep 2: Plan the domain controller locationsStep 3: Design the sitesStep 4: Create site links14.4. Additional Resources14.5. Summary
15. Planning for Group Policy
15.1. Using GPOs to Help Design the Organizational Unit StructureIdentifying Areas of PolicyGuidelines for Designing GPOs15.2. Design ExamplesTailspin ToysContoso CollegeFabrikam15.3. Summary
16. Active Directory Security: Permissions and Auditing
16.1. Permission BasicsPermission ACEsProperty Sets, Validated Writes, and Extended RightsInherited Versus Explicit PermissionsDefault Security DescriptorsPermission LockdownThe Confidentiality BitProtecting Objects from Accidental Deletion16.2. Using the GUI to Examine PermissionsReverting to the Default PermissionsViewing the Effective Permissions for a User or GroupUsing the Delegation of Control Wizard16.3. Using the GUI to Examine Auditing16.4. Designing Permissions SchemesThe Five Golden Rules of Permissions DesignRule 1: Apply permissions to groups whenever possibleRule 2: Design group permissions so that you have minimal duplicationRule 3: Manage advanced permissions only when absolutely necessaryRule 4: Allow inheritance; do not protect sections of the domain tree from inheritanceRule 5: Keep a log of changesHow to Plan PermissionsBringing Order out of Chaos16.5. Designing Auditing SchemesImplementing AuditingTracking Last Interactive Logon Information16.6. Real-World Active Directory Delegation ExamplesHiding Specific Personal Details for All Users in an Organizational Unit from a GroupAllowing Only a Specific Group of Users to Access a New Published ResourceRestricting Everyone but HR from Viewing National/Regional ID Numbers with the Confidential Bit16.7. The AdminSDHolder Process16.8. Dynamic Access ControlConfiguring Active Directory for DACConfiguring claim typesConfiguring central access policiesKerberos policiesUsing DAC on the File ServerCompound expressions with groupsUsing claims in your ACLsAuditing16.9. Summary
17. Designing and Implementing Schema Extensions
17.1. Nominating Responsible People in Your Organization17.2. Thinking of Changing the SchemaDesigning the DataTo Change or Not to ChangeThe Global Picture17.3. Creating Schema ExtensionsRunning the AD Schema Management MMC Snap-in for the First TimeThe Schema CacheThe Schema Master FSMOUsing LDIF to Extend the SchemaChecks the System Makes When You Modify the SchemaMaking Classes and Attributes DefunctMitigating a Schema Conflict17.4. Summary
18. Backup, Recovery, and Maintenance
18.1. Backing Up Active DirectoryUsing the NT Backup UtilityUsing Windows Server Backup18.2. Restoring a Domain ControllerRestore from ReplicationManually removing a domain controller from Active DirectoryRestore from BackupInstall from MediaCreating and using IFM media on Windows Server 2003Creating and using IFM media on Windows Server 2008 and newer18.3. Restoring Active DirectoryNonauthoritative RestoreRestoring with NT BackupRestoring with Windows Server BackupPartial Authoritative RestoreComplete Authoritative Restore18.4. Working with Snapshots18.5. Active Directory Recycle BinDeleted Object LifecycleEnabling the Recycle BinUndeleting ObjectsUsing ADACUsing PowerShell18.6. FSMO Recovery18.7. Restartable Directory Service18.8. DIT MaintenanceChecking the Integrity of the DITReclaiming SpaceChanging the DS Restore Mode Admin Password18.9. Summary
19. Upgrading Active Directory
19.1. Active Directory VersionsWindows Server 2003New featuresDifferences in functionalityWindows Server 2008New featuresDifferences in functionalityWindows Server 2008 R2New featuresDifferences in functionalityWindows Server 2012New featuresDifferences in functionality19.2. Functional LevelsRaising the Functional LevelFunctional Level Rollback19.3. Beginning the Upgrade19.4. Known Issues19.5. Summary
20. Active Directory Lightweight Directory Services
20.1. Common Uses for AD LDS20.2. AD LDS Terms20.3. Differences Between AD and AD LDSStandalone Application ServiceConfigurable LDAP PortsNo SRV RecordsNo Global CatalogTop-Level Application Partition Object ClassesGroup and User ScopeFSMOsSchemaService AccountConfiguration/Schema Partition NamesDefault Directory SecurityUser Principal NamesAuthenticationUsers in the Configuration PartitionNew and Updated Tools20.4. AD LDS InstallationInstalling the Server RoleInstalling a New AD LDS InstanceInstalling an AD LDS ReplicaEnabling the Recycle Bin20.5. ToolsADAM InstallADAM SyncADAM UninstallAD Schema AnalyzerAD Schema MMC Snap-inADSI EditdsdbutildsmgmtldifdeLDPrepadmin20.6. The AD LDS SchemaDefault Security DescriptorsBindable Objects and Bindable Proxy Objects20.7. Using AD LDSCreating Application PartitionsCreating ContainersCreating UsersCreating User ProxiesSpecial considerationsRenaming UsersCreating GroupsAdding Members to GroupsRemoving Members from GroupsDeleting ObjectsDeleting Application PartitionsControlling Access to Objects and Attributes20.8. Summary
21. Active Directory Federation Services
21.1. Introduction to Federated IdentityHow It WorksSAMLWS-Federation21.2. Understanding ADFS ComponentsThe Configuration DatabaseFederation ServersFederation Server ProxiesADFS TopologiesSingle federation serverSingle federation server and federation proxyLoad-balanced ADFS serversGeographically redundant ADFS servers21.3. Deploying ADFSFederation ServersCertificatesConfiguring ADFSService configurationFederation Server Proxies21.4. Relying Party Trusts21.5. Claims Rules and the Claims PipelineThe PipelineCreating and Sending Claims Through the Pipeline21.6. Customizing ADFSForms-Based Logon PagesAttribute Stores21.7. Troubleshooting ADFSEvent LogsFiddler21.8. Summary
A. Programming the Directory with the .NET Framework
A.1. Choosing a .NET Programming LanguageA.2. Choosing a Development Tool.NET IDE Options.NET Development Without an IDEA.3. .NET Framework VersionsWhich .NET Framework Comes with Which OS?Directory Programming Features by .NET Framework ReleaseAssemblies Versus NamespacesSummary of Namespaces, Assemblies, and Framework VersionsA.4. Directory Services Programming LandscapeSystem.DirectoryServices OverviewOther nice things in System.DirectoryServicesSystem.DirectoryServices summarySystem.DirectoryServices.ActiveDirectory OverviewWhy use System.DirectoryServices.ActiveDirectory?System.DirectoryServices.ActiveDirectory summarySystem.DirectoryServices.Protocols OverviewWhy use System.DirectoryServices.Protocols?System.DirectoryServices.Protocols summarySystem.DirectoryServices.AccountManagement OverviewWhy use System.DirectoryServices.AccountManagement?System.DirectoryServices.AccountManagement summaryA.5. .NET Directory Services Programming by ExampleConnecting to the DirectorySearching the DirectoryBasics of Modifying the DirectoryBasic add exampleBasic remove examplesMoving and renaming objectsModifying existing objectsManaging UsersManaging users with System.DirectoryServices.AccountManagementOverriding SSL Server Certificate Verification with SDS.PA.6. Summary
Index
About the Authors
Colophon
Copyright

Content preview from Active Directory, 5th Edition

Chapter 8. Active Directory and DNS

One of the big advantages of Active Directory over its predecessor, Windows NT, is its reliance on the Domain Name System (DNS) as opposed to the Windows Internet Naming Service (WINS) for name resolution. DNS is the ubiquitous, standards-based naming service used on the Internet. WINS, on the other hand, never garnered industry support and has become a candidate for elimination on many enterprise networks.

The good news is that with Active Directory, the dependencies on WINS have been eliminated, but the potentially bad news is that Active Directory has many dependencies on the DNS infrastructure. This is only potentially because it depends on the flexibility of your DNS environment. Often, the groups that manage DNS and Active Directory within an organization are different, and getting the two teams to agree on implementation can be difficult due to political turf battles or technology clashes.

Warning

Although Active Directory doesn’t need WINS, or more accurately, NetBIOS name resolution, other systems and technologies may require it. Many administrators are quick to try to remove WINS from their environment, but generally speaking, the administrative cost of maintaining a WINS infrastructure is substantially smaller than the cost involved in executing a project to remove WINS.

The intent of this chapter is to provide you with a good understanding of how Active Directory uses DNS and to review some of the options for setting it up within your ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781449361211Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Active Directory, 5th Edition

by Brian Desmond, Joe Richards, Robbie Allen, Alistair G. Lowe-Norris