Active Directory is a common repository for information about objects that reside on the network, such as users, groups, computers, printers, applications, and files. The default Active Directory schema supports numerous attributes for each object class that can be used to store a variety of information. Access control lists (ACLs) are also stored with each object, which allows you to maintain permissions for who can access and manage the object. Having a single source for this information makes it more accessible and easier to manage; however, accomplishing this requires a significant amount of knowledge on such topics as the Lightweight Directory Access Protocol (LDAP), Kerberos, the Domain Name System (DNS), multimaster replication, group policies, and data partitioning, to name a few. This book will be your guide through this maze of technologies, showing you how to deploy a scalable and reliable Active Directory infrastructure.

This book is a major update to the very successful fourth edition. All of the existing chapters have been brought up to date through Windows Server 2012, in addition to updates in concepts and approaches to managing Active Directory and script updates. There are five new chapters (Chapter 3, Chapter 7, Chapter 10, Chapter 19, and Chapter 21) to explain features or concepts not covered in previous editions. These chapters include in-depth coverage of management tools, LDAP query syntax, Kerberos, Active Directory Federation Services (ADFS), and more.

This book describes Active Directory in depth, but not in the traditional way of going through the graphical user interface screen by screen. Instead, the book sets out to tell administrators how to design, manage, and maintain a small, medium, or enterprise Active Directory infrastructure.

We begin in general terms with how Active Directory works, giving you a thorough grounding in its concepts. Some of the topics include Active Directory replication, the schema, application partitions, group policies, interaction with DNS, domain controllers, password policies, Kerberos, and LDAP.

Next, we describe in copious detail the issues around properly designing the directory infrastructure. Topics include in-depth looks at designing the namespace, creating a site topology, designing group policies, auditing, permissions, Dynamic Access Control (DAC), backup and recovery, Active Directory Lightweight Directory Services (AD LDS, formerly ADAM), upgrading Active Directory, and ADFS.

If you’re simply looking for in-depth coverage of how to use the Microsoft Management Console (MMC) snap-ins or Resource Kit tools, look elsewhere. However, if you want a book that lays bare the design and management of an enterprise or departmental Active Directory, you need not look any further.

1. Intended Audience

This book is intended for all Active Directory administrators, whether you manage a single server or a global multinational with thousands of servers. Even if you have a previous edition, you will find this fifth edition to be full of updates and corrections and a worthy addition to your “good” bookshelf: the bookshelf next to your PC with the books you really read that are all dog-eared with soda drink spills and pizza grease on them. To get the most out of the book, you will probably find it useful to have a server running Windows Server 2012 available so that you can check out various items as we point them out.

2. Contents of the Book

Chapter 1, A Brief Introduction

Reviews the evolution of the Microsoft network operating system (NOS)and some of the major features and benefits of Active Directory.

Chapter 2, Active Directory Fundamentals

Provides a high-level look at how objects are stored in Active Directory and explains some of the internal structures and concepts that it relies on.

Chapter 3, Active Directory Management Tools

Demonstrates how to use the various MMC snap-ins and management tools that are commonly used by Active Directory administrators.

Chapter 4, Naming Contexts and Application Partitions

Reviews the predefined naming contexts within Active Directory, what is contained within each, and the purpose of application partitions.

Chapter 5, Active Directory Schema

Describes how the blueprint for each object and each object’s attributes are stored in Active Directory.

Chapter 6, Site Topology and Active Directory Replication

Details how the actual replication process for data takes place between domain controllers.

Chapter 7, Searching Active Directory

Explains the LDAP query syntax used for gathering data from Active Directory.

Chapter 8, Active Directory and DNS

Describes the importance of the Domain Name System and what it is used for within Active Directory.

Chapter 9, Domain Controllers

Describes the deployment and operation of writable and read-only domain controllers (RODCs) as well as the impacts of hardware virtualization on Active Directory.

Chapter 10, Authentication and Security Protocols

Describes the Kerberos security protocol that is fundamental to Active Directory, as well as managed service accounts.

Chapter 11, Group Policy Primer

Provides a detailed introduction to the capabilities of group policy objects and how to manage them.

Chapter 12, Fine-Grained Password Policies

Gives comprehensive coverage of how to design, implement, and manage fine-grained password policies.

Chapter 13, Designing the Active Directory Structure

Introduces the steps and techniques involved in properly preparing a design that reduces the number of domains and increases administrative control through the use of organizational unit(s).

Chapter 14, Creating a Site Topology

Shows you how to design a representation of your physical infrastructure within Active Directory to gain very fine-grained control over intrasite and intersite replication.

Chapter 15, Planning for Group Policy

Explains how group policy objects function in Active Directory and how you can properly design an Active Directory structure to make the most effective use of these functions.

Chapter 16, Active Directory Security: Permissions and Auditing

Describes how you can design effective security for all areas of your Active Directory infrastructure, both in terms of access to objects and their properties; includes information on how to design effective security access logging in any areas you choose. This chapter also covers Dynamic Access Control.

Chapter 17, Designing and Implementing Schema Extensions

Covers procedures for extending the classes and attributes in the Active Directory schema.

Chapter 18, Backup, Recovery, and Maintenance

Describes how you can back up and restore Active Directory, from the entire directory down to the object level.

Chapter 19, Upgrading Active Directory

Discusses the features introduced in each version of Active Directory, followed by an outline of how you can upgrade your existing Active Directory infrastructure to Windows Server 2012.

Chapter 20, Active Directory Lightweight Directory Services

Introduces Active Directory Lightweight Directory Services.

Chapter 21, Active Directory Federation Services

Introduces Active Directory Federation Services.

Appendix A

Starts off by providing some background information on the .NET Framework and then dives into several examples using the System.DirectoryServices namespaces with VB.NET.

3. Conventions Used in This Book

The following typographical conventions are used in this book:

Constant width

Indicates command-line input, computer output, registry keys and values, objects, methods, namespaces, and code examples.

Constant width italic

Indicates text that should be replaced with user-supplied values.

Constant width bold

Indicates user input.


Introduces new terms and indicates URLs, commands, command-line utilities and switches, file extensions, filenames, directory or folder names, and UNC pathnames.


Indicates a tip, suggestion, or general note. For example, we’ll tell you if you need to use a particular version or if an operation requires certain privileges.


Indicates a warning or caution. For example, we’ll tell you if Active Directory does not behave as you’d expect or if a particular operation has a negative impact on performance.

Using Code Examples

This book is here to help you get your job done. In general, if this book includes code examples, you may use the code in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Active Directory by Brian Desmond, Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris (O’Reilly). Copyright 2013 Brian Desmond, Joe Richards, Robbie Allen, and Alistair Lowe-Norris, 978-1-449-32002-7.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at .

Safari® Books Online


Safari Books Online ( is an on-demand digital library that delivers expert content in both book and video form from the world’s leading authors in technology and business.

Technology professionals, software developers, web designers, and business and creative professionals use Safari Books Online as their primary resource for research, problem solving, learning, and certification training.

Safari Books Online offers a range of product mixes and pricing programs for organizations, government agencies, and individuals. Subscribers have access to thousands of books, training videos, and prepublication manuscripts in one fully searchable database from publishers like O’Reilly Media, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, Course Technology, and dozens more. For more information about Safari Books Online, please visit us online.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.

1005 Gravenstein Highway North

Sebastopol, CA 95472

800-998-9938 (in the United States or Canada)

707-829-0515 (international or local)

707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at

To comment or ask technical questions about this book, send email to .

For more information about our books, courses, conferences, and news, see our website at

Find us on Facebook:

Follow us on Twitter:

Watch us on YouTube:

4. Acknowledgments

For the Fourth and Fifth Editions (Brian)

I wouldn’t be here if it weren’t for the fine folks at O’Reilly who decided to entrust this project to me. Special thanks to editors Rachel Roumeliotis and Laurel Ruma, who made this a very smooth-running adventure. Joe, Robbie, and Alistair have of course provided an excellent foundation, which made this project so much easier. I would not have been able to get this done in the time I did without their hard work.

There are numerous individuals whose contributions to the depth and accuracy of the content in these latest editions are irreplaceable. Without their help, this book would not be what it is:

  • .NET expert Joe Kaplan contributed the fine content in this book on this important topic.

  • Technical reviewers Joe Richards, Mark Parris, Mark Morowczynski, Michael B. Smith, and Guido Grillenmeier, thank you for the comments, corrections, and invaluable feedback. Mark Morowczynski and Guido Grillenmeier, thank you for voluntarily taking the time out of your days and vacations to provide your expertise.

  • Special thanks to Eric Kotz. Your feedback from the perspective of an Active Directory beginner brought clarity to the chapters you reviewed.

  • Thank you to Microsoft experts Mark Morowczynski, Dean Wells, James McColl, Siddharth Bhai, Dmitri Gavrilov, Eric Fleischman, and Stephanie Cheung for your help with the details that made this book what it is!

  • Darren Mar-Elia (C-GPO), your feedback on the Group Policy chapters was instrumental.

  • Dean Wells, your crucial assistance in decrypting English phraseology is priceless, and of course thanks for your help in consistently transforming complex technical content to plain English.

  • Susan Bradley, Small Business Server Diva, your contributions were critical.

  • Jorge de Almeida Pinto (Princess), thank you for the last-minute contributions to our list of new Active Directory features in Windows Server 2008.

John Tanner, thanks for all your help behind the scenes, making the Fourth Edition successful. Matt Wagner at Fresh Books, your assistance and expertise in handling the business end of this project were key.

Patrick Sheren and Scott Weyandt, thank you for the opportunity you gave me. I would not be where I am today if it weren’t for the years we spent working together. And yes, you too, Kurt.

To the special people in my life who are always trying to get me to explain what I do all day, you have provided the impetus for this project. Thank you for putting up with the hours I spent in my home office working on it.

To my readers, I had a lot of fun on this project, and I hope you have as much fun reading this book as I had writing it.

For the Third Edition (Joe)

I want to thank Robbie Allen for my introduction into the world of book writing and for putting up with my often-grumpy responses to silly issues we encountered on this project. Truly, I wouldn’t have worked on this book had it not been for Robbie; if I did not say it before, I am happy I had the opportunity to have this experience—thank you.

Thanks to Alistair for the first edition. I recall being involved with the decision to migrate a company of 200k+ users to Windows 2000 and realizing that I knew nothing about Active Directory (AD) other than it was supposed to be “super-cool” and fixed everything that was broken in NT. “The Cat Book,” the only book on AD around at the time, prepared me with the essential concepts and ideas to get started. After five years, I am happy to be able to give back some of what I have learned to that very same book.

Thanks to the folks who had the onerous task of finding the mistakes. I was lucky to have very knowledgeable reviewers who spent a lot of time reading every word (old and new) and bluntly telling me the issues. To Hunter Colman and Stuart Fuller: you guys were afraid you wouldn’t add value. You were completely wrong; you added a lot of value. To Lee Flight: thanks for reviewing another edition of this book; your comments were invaluable. To Laura Hunter: I will never look at a comma the same way again; you helped the structure and flow immensely. To Ulf B. Simon-Weidner: your comments and ideas were a great help. Finally, thanks to Dean Wells, a great source of information, fear, and humorous English phrases. Dean couldn’t review everything but he happily helped me out when I asked. He spent at least 90 minutes on the phone one night just discussing changes that needed to be made to a few pages of Chapter 5. All of these guys (and the gal) are extremely knowledgeable, opinionated, and professional. It was an honor having them tell me what was screwed up. Thanks to my friend Vern Rottmann for being an “unofficial” reviewer and running interference for me when I worked with him.

Thanks to the Microsoft Directory Service Developers: because of you, we have a “super-cool” DS. P.S.: AD/AM rocks. Thanks to Dmitri Gavrilov for going above and beyond by responding to my unsolicited emails. Thanks to Stuart Kwan (of the Ottawa Kwan Clan) for being one of the most insanely energetic speakers and, at the same time, actually listening to what we thought was wrong and working to get corrections. I am thrilled that someday I will be able to run DCs without IE loaded. May your energizer battery never run out of juice. Thanks to Brett Shirley for telling me to correct stuff in Chapter 13 and writing the most brilliant parts of REPADMIN and being a killer JET Blue (ESE) dev. Thanks to Eric Fleischman for answering all the random AD questions from myself as well as everyone else at all hours of the day and night. Your answers, comments, thoughts, and insight into the actual questions themselves are all greatly appreciated.

Thanks to the listserv crowd. Hands down, that list is the best Active Directory (and often Exchange) resource outside of Microsoft. It has helped me a lot.

And last but not least, thanks to my family, great people I love without bound.

For the Second Edition (Robbie)

I would like to thank the people at O’Reilly for giving me the opportunity to work on this book. Special thanks goes to Robert Denn, who was a great editor to work with.

I would like to thank Alistair Lowe-Norris for providing such a solid foundation in the first edition. While there was a lot of new material to include, much of the information in the first edition was still pertinent and useful. He deserves a lot of credit since the first edition was done before Windows 2000 had even been released to the public, and there was virtually no information on Active Directory available.

Thanks to Alistair, Mitch Tulloch, and Paul Turcotte for providing very insightful feedback during the review process. Their comments rounded out the rough edges in the book.

And no acknowledgments section would be complete without recognition to my significant other, Janet. She was supportive during the many late nights and weekends I spent writing. I appreciate everything she does for me.

For the First Edition (Alistair)

Many people have encouraged me in the writing of this book, principally Vicky Launders, my partner, friend, and fountain of useful information, who has been a pinnacle of understanding during all the late nights and early mornings. Without you my life would not be complete.

My parents, Pauline and Peter Norris, also have encouraged me at every step of the way; many thanks to you both.

For keeping me sane, my thanks go to my good friend Keith Cooper, a natural polymath, superb scientist, and original skeptic; to Steve Joint for keeping my enthusiasm for Microsoft in check; to Dave and Sue Peace for “Tuesdays,” and the ability to look interested in what I was saying and how the book was going no matter how uninterested they must have felt; and to Mike Felmeri for his interest in this book and his eagerness to read an early draft.

I had a lot of help from my colleagues at Leicester University. To Lee Flight, a true networking guru without peer, many thanks for all the discussions, arguments, suggestions, and solutions. I’ll remember forever how one morning very early you took the first draft of my 11-chapter book and spread it all over the floor to produce the 21 chapters that now constitute the book. It’s so much better for it. Chris Heaton gave many years of dedicated and enjoyable teamwork; you have my thanks. Brian Kerr, who came onto the fast-moving train at high speed, managed to hold on tight through all the twists and turns along the way, and then finally took over the helm. Thanks to Paul Crow for his remarkable work on the Windows 2000 client rollout and GPOs at Leicester. And thanks to Phil Beesley, Carl Nelson, Paul Youngman, and Peter Burnham for all the discussions and arguments along the way. A special thank you goes to Wendy Ferguson for our chats over the past few years.

To the Cormyr crew: Paul Burke, for his in-depth knowledge across all aspects of technology and databases in particular, who really is without peer, and thanks for being so eager to read the book that you were daft enough to take it on your honeymoon; Simon Williams for discussions on enterprise infrastructure consulting and practices, how you can’t get the staff these days, and everything else under the sun that came up; Richard Lang for acting as a sounding board for the most complex parts of replication internals, as I struggled to make sense of what was going on; Jason Norton for his constant ability to cheer me up; Mark Newell for his gadgets and Ian Harcombe for his wit, two of the best analyst programmers that I’ve ever met; and finally, Paul “Vaguely” Buxton for simply being himself. Many thanks to you all.

To Allan Kelly, another analyst programmer par excellence, for various discussions that he probably doesn’t remember but that helped in a number of ways.

At Microsoft: Walter Dickson for his insightful ability to get right to the root of any problem, his constant accessibility via email and phone, and his desire to make sure that any job is done to the best of its ability; Bob Wells for his personal enthusiasm and interest in what I was doing; Daniel Turner for his help, enthusiasm, and key role in getting Leicester University involved in the Windows 2000 RDP; Oliver Bell for actually getting Leicester University accepted on the Windows 2000 RDP and taking a chance by allocating free consultancy time to the project; Brad Tipp, whose enthusiasm and ability galvanized me into action at the UK Professional Developers Conference in 1997; Julius Davies for various discussions and, among other things, telling me how the auditing and permissions aspects of Active Directory had all changed just after I finished the chapter; and Karl Noakes, Steve Douglas, Jonathan Phillips, Stuart Hudman, Stuart Okin, Nick McGrath, and Alan Bennett for various discussions.

To Tony Lees, director of Avantek Computer Ltd., for being attentive, thoughtful, and the best all-round salesman I have ever met—many thanks for taking the time to get Leicester University onto the Windows 2000 RDP.

Thanks to Amit D. Chaudhary and Cricket Liu for reviewing parts of the book.

I also would like to thank everyone at O’Reilly: especially my editor Robert Denn, for his encouragement, patience, and keen desire to get this book crafted properly.

Content Updates

May 15, 2013

Fixed three incorrect figures in Chapter 9: Figures 9-1, 9-10, and 9-11.

Get Active Directory, 5th Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.