Book description
Those of you who run networks on Windows 2000 know the benefits of using Active Directory for managing user information and permissions. You also know what a bear it can be. The newer version included with Windows Server 2003 has over 100 new and updated features to simplify deployment, but once it's in place many system administrators still find Active Directory challenging. If you're among those looking for practical hands-on support, help is here with our new Active Directory Cookbook for Windows Server 2003 & Windows 2000, a unique problem-solving guide that offers quick answers for both versions of the directory. The book contains hundreds of step-by-step solutions for both common and uncommon problems that you might encounter with Active Directory on a daily basis, including recipes to deal with the Lightweight Directory Access Protocol (LDAP), multi-master replication, Domain Name System (DNS), Group Policy, the Active Directory Schema, and many other features. Author Robbie Allen, a Senior Systems Architect at Cisco Systems and co-author of our Active Directory tutorial, based this collection of troubleshooting recipes on his own experience, along with input from Windows administrators throughout the industry. Each recipe includes a discussion to explain how and why the solution works, so you can adapt the problem-solving techniques to similar situations. If your company is considering an upgrade from Windows NT or 2000 to Windows Server 2003, the Active Directory Cookbook for Windows Server 2003 & Windows 2000 will help reduce the time and trouble it takes to configure and deploy Active Directory for your network. This Cookbook is also a perfect companion to Active Directory, the tutorial that experts hail as the best source for understanding Microsoft's network directory service.
While Active Directory provides the big picture, Active Directory Cookbook for Windows Server 2003 & Windows 2000 gives you the quick solutions you need to cope with day-to-day dilemmas. Together, these books supply the knowledge and tools so you can get the most out of Active Directory to manage users, groups, computers, domains, organizational units, and security policies on your network.
Table of contents
- Active Directory Cookbook
- Foreword
- Preface
- 1. Getting Started
- 2. Forests, Domains, and Trusts
- Introduction
- 2.1. Creating a Forest
- 2.2. Removing a Forest
- 2.3. Creating a Domain
- 2.4. Removing a Domain
- 2.5. Removing an Orphaned Domain
- 2.6. Finding the Domains in a Forest
- 2.7. Finding the NetBIOS Name of a Domain
- 2.8. Renaming a Domain
- 2.9. Changing the Mode of a Domain
- 2.10. Using ADPrep to Prepare a Domain or Forest for Windows Server 2003
- 2.11. Determining if ADPrep Has Completed
- 2.12. Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003
- 2.13. Raising the Functional Level of a Windows Server 2003 Domain
- 2.14. Raising the Functional Level of a Windows Server 2003 Forest
- 2.15. Creating a Trust Between a Windows NT Domain and an AD Domain
- 2.16. Creating a Transitive Trust Between Two AD Forests
- 2.17. Creating a Shortcut Trust Between Two AD Domains
- 2.18. Creating a Trust to a Kerberos Realm
- 2.19. Viewing the Trusts for a Domain
- 2.20. Verifying a Trust
- 2.21. Resetting a Trust
- 2.22. Removing a Trust
- 2.23. Enabling SID Filtering for a Trust
- 2.24. Finding Duplicate SIDs in a Domain
- 3. Domain Controllers, Global Catalogs, and FSMOs
- Introduction
- 3.1. Promoting a Domain Controller
- 3.2. Promoting a Domain Controller from Media
- 3.3. Demoting a Domain Controller
- 3.4. Automating the Promotion or Demotion of a Domain Controller
- 3.5. Troubleshooting Domain Controller Promotion or Demotion Problems
- 3.6. Removing an Unsuccessfully Demoted Domain Controller
- 3.7. Renaming a Domain Controller
- 3.8. Finding the Domain Controllers for a Domain
- 3.9. Finding the Closest Domain Controller
- 3.10. Finding a Domain Controller’s Site
- 3.11. Moving a Domain Controller to a Different Site
- 3.12. Finding the Services a Domain Controller Is Advertising
- 3.13. Configuring a Domain Controller to Use an External Time Source
- 3.14. Finding the Number of Logon Attempts Made Against a Domain Controller
- 3.15. Enabling the /3GB Switch to Increase the LSASS Cache
- 3.16. Cleaning Up Distributed Link Tracking Objects
- 3.17. Enabling and Disabling the Global Catalog
- 3.18. Determining if Global Catalog Promotion Is Complete
- 3.19. Finding the Global Catalog Servers in a Forest
- 3.20. Finding the Domain Controllers or Global Catalog Servers in a Site
- 3.21. Finding Domain Controllers and Global Catalogs via DNS
- 3.22. Changing the Preference for a Domain Controller
- 3.23. Disabling the Global Catalog Requirement During a Windows 2000 Domain Login
- 3.24. Disabling the Global Catalog Requirement During a Windows 2003 Domain Login
- 3.25. Finding the FSMO Role Holders
- 3.26. Transferring a FSMO Role
- 3.27. Seizing a FSMO Role
- 3.28. Finding the PDC Emulator FSMO Role Owner via DNS
- 4. Searching and Manipulating Objects
- Introduction
- 4.1. Viewing the RootDSE
- 4.2. Viewing the Attributes of an Object
- 4.3. Using LDAP Controls
- 4.4. Using a Fast or Concurrent Bind
- 4.5. Searching for Objects in a Domain
- 4.6. Searching the Global Catalog
- 4.7. Searching for a Large Number of Objects
- 4.8. Searching with an Attribute-Scoped Query
- 4.9. Searching with a Bitwise Filter
- 4.10. Creating an Object
- 4.11. Modifying an Object
- 4.12. Modifying a Bit-Flag Attribute
- 4.13. Dynamically Linking an Auxiliary Class
- 4.14. Creating a Dynamic Object
- 4.15. Refreshing a Dynamic Object
- 4.16. Modifying the Default TTL Settings for Dynamic Objects
- 4.17. Moving an Object to a Different OU or Container
- 4.18. Moving an Object to a Different Domain
- 4.19. Renaming an Object
- 4.20. Deleting an Object
- 4.21. Deleting a Container That Has Child Objects
- 4.22. Viewing the Created and Last Modified Timestamp of an Object
- 4.23. Modifying the Default LDAP Query Policy
- 4.24. Exporting Objects to an LDIF File
- 4.25. Importing Objects Using an LDIF File
- 4.26. Exporting Objects to a CSV File
- 4.27. Importing Objects Using a CSV File
- 5. Organizational Units
- Introduction
- 5.1. Creating an OU
- 5.2. Enumerating the OUs in a Domain
- 5.3. Enumerating the Objects in an OU
- 5.4. Deleting the Objects in an OU
- 5.5. Deleting an OU
- 5.6. Moving the Objects in an OU to a Different OU
- 5.7. Moving an OU
- 5.8. Determining How Many Child Objects an OU Has
- 5.9. Delegating Control of an OU
- 5.10. Allowing OUs to Be Created Within Containers
- 5.11. Linking a GPO to an OU
- 6. Users
- Introduction
- 6.1. Creating a User
- 6.2. Creating a Large Number of Users
- 6.3. Creating an inetOrgPerson User
- 6.4. Modifying an Attribute for Several Users at Once
- 6.5. Moving a User
- 6.6. Renaming a User
- 6.7. Copying a User
- 6.8. Unlocking a User
- 6.9. Finding Locked Out Users
- 6.10. Troubleshooting Account Lockout Problems
- 6.11. Viewing the Account Lockout and Password Policies
- 6.12. Enabling and Disabling a User
- 6.13. Finding Disabled Users
- 6.14. Viewing a User’s Group Membership
- 6.15. Changing a User’s Primary Group
- 6.16. Transferring a User’s Group Membership to Another User
- 6.17. Setting a User’s Password
- 6.18. Setting a User’s Password via LDAP
- 6.19. Setting a User’s Password via Kerberos
- 6.20. Preventing a User from Changing His Password
- 6.21. Requiring a User to Change Her Password at Next Logon
- 6.22. Preventing a User’s Password from Expiring
- 6.23. Finding Users Whose Passwords Are About to Expire
- 6.24. Setting a User’s Account Options (userAccountControl)
- 6.25. Setting a User’s Account to Expire in the Future
- 6.26. Finding Users Whose Accounts Are About to Expire
- 6.27. Determining a User’s Last Logon Time
- 6.28. Finding Users Who Have Not Logged On Recently
- 6.29. Setting a User’s Profile Attributes
- 6.30. Viewing a User’s Managed Objects
- 6.31. Modifying the Default Display Name Used When Creating Users in ADUC
- 6.32. Creating a UPN Suffix for a Forest
- 7. Groups
- Introduction
- 7.1. Creating a Group
- 7.2. Viewing the Direct Members of a Group
- 7.3. Viewing the Nested Members of a Group
- 7.4. Adding and Removing Members of a Group
- 7.5. Moving a Group
- 7.6. Changing the Scope or Type of a Group
- 7.7. Delegating Control for Managing Membership of a Group
- 7.8. Resolving a Primary Group ID
- 7.9. Enabling Universal Group Membership Caching
- 8. Computers
- Introduction
- 8.1. Creating a Computer
- 8.2. Creating a Computer for a Specific User or Group
- 8.3. Joining a Computer to a Domain
- 8.4. Moving a Computer
- 8.5. Renaming a Computer
- 8.6. Testing the Secure Channel for a Computer
- 8.7. Resetting a Computer
- 8.8. Finding Inactive or Unused Computers
- 8.9. Changing the Maximum Number of Computers a User Can Join to the Domain
- 8.10. Finding Computers with a Particular OS
- 8.11. Binding to the Default Container for Computers
- 8.12. Changing the Default Container for Computers
- 9. Group Policy Objects (GPOs)
- Introduction
- 9.1. Finding the GPOs in a Domain
- 9.2. Creating a GPO
- 9.3. Copying a GPO
- 9.4. Deleting a GPO
- 9.5. Viewing the Settings of a GPO
- 9.6. Modifying the Settings of a GPO
- 9.7. Importing Settings into a GPO
- 9.8. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
- 9.9. Installing Applications with a GPO
- 9.10. Disabling the User or Computer Settings in a GPO
- 9.11. Listing the Links for GPO
- 9.12. Creating a GPO Link to an OU
- 9.13. Blocking Inheritance of GPOs on an OU
- 9.14. Applying a Security Filter to a GPO
- 9.15. Creating a WMI Filter
- 9.16. Applying a WMI Filter to a GPO
- 9.17. Backing Up a GPO
- 9.18. Restoring a GPO
- 9.19. Simulating the RSoP
- 9.20. Viewing the RSoP
- 9.21. Refreshing GPO Settings on a Computer
- 9.22. Restoring a Default GPO
- 10. Schema
- Introduction
- 10.1. Registering the Active Directory Schema MMC Snap-in
- 10.2. Enabling Schema Updates
- 10.3. Generating an OID to Use for a New Class or Attribute
- 10.4. Generating a GUID to Use for a New Class or Attribute
- 10.5. Extending the Schema
- 10.6. Documenting Schema Extensions
- 10.7. Adding a New Attribute
- 10.8. Viewing an Attribute
- 10.9. Adding a New Class
- 10.10. Viewing a Class
- 10.11. Indexing an Attribute
- 10.12. Modifying the Attributes That Are Copied When Duplicating a User
- 10.13. Modifying the Attributes Included with Ambiguous Name Resolution
- 10.14. Adding or Removing an Attribute in the Global Catalog
- 10.15. Finding the Nonreplicated and Constructed Attributes
- 10.16. Finding the Linked Attributes
- 10.17. Finding the Structural, Auxiliary, Abstract, and 88 Classes
- 10.18. Finding the Mandatory and Optional Attributes of a Class
- 10.19. Modifying the Default Security of a Class
- 10.20. Deactivating Classes and Attributes
- 10.21. Redefining Classes and Attributes
- 10.22. Reloading the Schema Cache
- 11. Site Topology
- Introduction
- 11.1. Creating a Site
- 11.2. Listing the Sites
- 11.3. Deleting a Site
- 11.4. Creating a Subnet
- 11.5. Listing the Subnets
- 11.6. Finding Missing Subnets
- 11.7. Creating a Site Link
- 11.8. Finding the Site Links for a Site
- 11.9. Modifying the Sites That Are Part of a Site Link
- 11.10. Modifying the Cost for a Site Link
- 11.11. Disabling Site Link Transitivity or Site Link Schedules
- 11.12. Creating a Site Link Bridge
- 11.13. Finding the Bridgehead Servers for a Site
- 11.14. Setting a Preferred Bridgehead Server for a Site
- 11.15. Listing the Servers
- 11.16. Moving a Domain Controller to a Different Site
- 11.17. Configuring a Domain Controller to Cover Multiple Sites
- 11.18. Viewing the Site Coverage for a Domain Controller
- 11.19. Disabling Automatic Site Coverage for a Domain Controller
- 11.20. Finding the Site for a Client
- 11.21. Forcing a Host to a Particular Site
- 11.22. Creating a Connection Object
- 11.23. Listing the Connection Objects for a Server
- 11.24. Load-Balancing Connection Objects
- 11.25. Finding the ISTG for a Site
- 11.26. Transferring the ISTG to Another Server
- 11.27. Triggering the KCC
- 11.28. Determining if the KCC Is Completing Successfully
- 11.29. Disabling the KCC for a Site
- 11.30. Changing the Interval at Which the KCC Runs
- 12. Replication
- Introduction
- 12.1. Determining if Two Domain Controllers Are in Sync
- 12.2. Viewing the Replication Status of Several Domain Controllers
- 12.3. Viewing Unreplicated Changes Between Two Domain Controllers
- 12.4. Forcing Replication from One Domain Controller to Another
- 12.5. Changing the Intra-Site Replication Interval
- 12.6. Changing the Inter-Site Replication Interval
- 12.7. Disabling Inter-Site Compression of Replication Traffic
- 12.8. Checking for Potential Replication Problems
- 12.9. Enabling Enhanced Logging of Replication Events
- 12.10. Enabling Strict or Loose Replication Consistency
- 12.11. Finding Conflict Objects
- 12.12. Viewing Object Metadata
- 13. Domain Name System (DNS)
- Introduction
- 13.1. Creating a Forward Lookup Zone
- 13.2. Creating a Reverse Lookup Zone
- 13.3. Viewing a Server’s Zones
- 13.4. Converting a Zone to an AD-Integrated Zone
- 13.5. Moving AD-Integrated Zones into an Application Partition
- 13.6. Delegating Control of a Zone
- 13.7. Creating and Deleting Resource Records
- 13.8. Querying Resource Records
- 13.9. Modifying the DNS Server Configuration
- 13.10. Scavenging Old Resource Records
- 13.11. Clearing the DNS Cache
- 13.12. Verifying That a Domain Controller Can Register Its Resource Records
- 13.13. Registering a Domain Controller’s Resource Records
- 13.14. Preventing a Domain Controller from Dynamically Registering All Resource Records
- 13.15. Preventing a Domain Controller from Dynamically Registering Certain Resource Records
- 13.16. Deregistering a Domain Controller’s Resource Records
- 13.17. Allowing Computers to Use a Different Domain Suffix from Their AD Domain
- 14. Security and Authentication
- Introduction
- 14.1. Enabling SSL/TLS
- 14.2. Encrypting LDAP Traffic with SSL, TLS, or Signing
- 14.3. Enabling Anonymous LDAP Access
- 14.4. Restricting Hosts from Performing LDAP Queries
- 14.5. Using the Delegation of Control Wizard
- 14.6. Customizing the Delegation of Control Wizard
- 14.7. Viewing the ACL for an Object
- 14.8. Customizing the ACL Editor
- 14.9. Viewing the Effective Permissions on an Object
- 14.10. Changing the ACL of an Object
- 14.11. Changing the Default ACL for an Object Class in the Schema
- 14.12. Comparing the ACL of an Object to the Default Defined in the Schema
- 14.13. Resetting an Object’s ACL to the Default Defined in the Schema
- 14.14. Preventing the LM Hash of a Password from Being Stored
- 14.15. Enabling List Object Access Mode
- 14.16. Modifying the ACL on Administrator Accounts
- 14.17. Viewing and Purging Your Kerberos Tickets
- 14.18. Forcing Kerberos to Use TCP
- 14.19. Modifying Kerberos Settings
- 15. Logging, Monitoring, and Quotas
- Introduction
- 15.1. Enabling Extended dcpromo Logging
- 15.2. Enabling Diagnostics Logging
- 15.3. Enabling NetLogon Logging
- 15.4. Enabling GPO Client Logging
- 15.5. Enabling Kerberos Logging
- 15.6. Enabling DNS Server Debug Logging
- 15.7. Viewing DNS Server Performance Statistics
- 15.8. Enabling Inefficient and Expensive LDAP Query Logging
- 15.9. Using the STATS Control to View LDAP Query Statistics
- 15.10. Using Perfmon to Monitor AD
- 15.11. Using Perfmon Trace Logs to Monitor AD
- 15.12. Enabling Auditing of Directory Access
- 15.13. Creating a Quota
- 15.14. Finding the Quotas Assigned to a Security Principal
- 15.15. Changing How Tombstone Objects Count Against Quota Usage
- 15.16. Setting the Default Quota for All Security Principals in a Partition
- 15.17. Finding the Quota Usage for a Security Principal
- 16. Backup, Recovery, DIT Maintenance, and Deleted Objects
- Introduction
- 16.1. Backing Up Active Directory
- 16.2. Restarting a Domain Controller in Directory Services Restore Mode
- 16.3. Resetting the Directory Service Restore Mode Administrator Password
- 16.4. Performing a Nonauthoritative Restore
- 16.5. Performing an Authoritative Restore of an Object or Subtree
- 16.6. Performing a Complete Authoritative Restore
- 16.7. Checking the DIT File’s Integrity
- 16.8. Moving the DIT Files
- 16.9. Repairing or Recovering the DIT
- 16.10. Performing an Online Defrag Manually
- 16.11. Determining How Much Whitespace Is in the DIT
- 16.12. Performing an Offline Defrag to Reclaim Space
- 16.13. Changing the Garbage Collection Interval
- 16.14. Logging the Number of Expired Tombstone Objects
- 16.15. Determining the Size of the Active Directory Database
- 16.16. Searching for Deleted Objects
- 16.17. Restoring a Deleted Object
- 16.18. Modifying the Tombstone Lifetime for a Domain
- 17. Application Partitions
- Introduction
- 17.1. Creating and Deleting an Application Partition
- 17.2. Finding the Application Partitions in a Forest
- 17.3. Adding or Removing a Replica Server for an Application Partition
- 17.4. Finding the Replica Servers for an Application Partition
- 17.5. Finding the Application Partitions Hosted by a Server
- 17.6. Verifying Application Partitions Are Instantiated on a Server Correctly
- 17.7. Setting the Replication Notification Delay for an Application Partition
- 17.8. Setting the Reference Domain for an Application Partition
- 17.9. Delegating Control of Managing an Application Partition
- 18. Interoperability and Integration
- Introduction
- 18.1. Accessing AD from a Non-Windows Platform
- 18.2. Programming with .NET
- 18.3. Programming with DSML
- 18.4. Programming with Perl
- 18.5. Programming with Java
- 18.6. Programming with Python
- 18.7. Integrating with MIT Kerberos
- 18.8. Integrating with Samba
- 18.9. Integrating with Apache
- 18.10. Replacing NIS
- 18.11. Using BIND for DNS
- 18.12. Authorizing a Microsoft DHCP Server
- 18.13. Using VMWare for Testing AD
- A. Tool List
- ACL Diagnostics Command (acldiag.exe)
- Active Directory Domains and Trusts Snap-in (domain.msc)
- Active Directory Installation Wizard (dcpromo.exe)
- Active Directory Load Balancer Command (adlb.exe)
- Active Directory Schema Snap-in (schmmgmt.msc)
- Active Directory Sites and Services (dssite.msc)
- Active Directory Users and Computers Snap-in (dsa.msc)
- AD Prep Utility (adprep.exe)
- ADSI Edit (adsiedit.msc)
- Audit Policy Command (auditpol.exe)
- Backup Wizard (ntbackup.exe)
- CSVDE Command (csvde.exe)
- Default Domain Controller Security Policy Snap-in (dcpol.msc)
- Default Domain Security Policy Snap-in (dompol.msc)
- Default Group Policy Restore Command (dcgpofix.exe)
- DNS Snap-in (dnsmgmt.msc)
- DNSCmd Command (dnscmd.exe)
- Domain Controller Diagnosis Command (dcdiag.exe)
- DS ACL Command (dsacls.exe)
- DS Add Command (dsadd.exe)
- DS Get Command (dsget.exe)
- DS Modify Command (dsmodify.exe)
- DS Move Command (dsmove.exe)
- DS Query Command (dsquery.exe)
- DS Remove Command (dsrm.exe)
- Enumprop Command (enumprop.exe)
- Group Policy Management Console (gpmc.msc)
- Group Policy Object Editor (gpedit.msc)
- Group Policy Verification Tool (gpotool.exe)
- Group Policy Results Command (gpresult.exe)
- Group Policy Refresh Command (gpupdate.exe)
- IP Configuration (ipconfig.exe)
- Kerberos List (klist.exe)
- Kerberos Tray (kerbtray.exe)
- LDIFDE Command (ldifde.exe)
- LDP (ldp.exe)
- Move Tree Command (movetree.exe)
- Netdom Command (netdom.exe)
- Network Connectivity Tester (netdiag.exe)
- NLTest Command (nltest.exe)
- Nslookup Command (nslookup.exe)
- NTDS Util Command (ntdsutil.exe)
- OID Generator Command (oidgen.exe)
- Redirect Default Computers Command (redircmp.exe)
- Redirect Default Users Command (redirusr.exe)
- Reg Command (reg.exe)
- Registry Editor (regedit.exe)
- Rename Domain Command (rendom.exe)
- Replication Diagnostics Command (repadmin.exe)
- Replication Monitor (replmon.exe)
- Resultant Set of Policy Snap-in (rsop.msc)
- SecEdit Command (secedit.exe)
- Time Service (w32tm.exe)
- Unlock (unlock.exe)
- UUID Generator Command (uuidgen.exe)
- WinNT32 Command (winnt32.exe)
- Index
- Colophon
Product information
- Title: Active Directory Cookbook
- Author(s):
- Release date: September 2003
- Publisher(s): O'Reilly Media, Inc.
- ISBN: 9780596004644