Index
Active Directory
A Note Regarding Supplemental Files
Preface
Intended Audience
Contents of the Book
Part 1, Active Directory Basics
Part 2, Designing an Active Directory Infrastructure
Part 3, Scripting Active Directory with ADSI, ADO, and WMI
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
Acknowledgments
For the Fourth Edition (Brian)
For the Third Edition (Joe)
For the Second Edition (Robbie)
For the First Edition (Alistair)
I. Active Directory Basics
1. A Brief Introduction
Evolution of the Microsoft NOS
Brief History of Directories
Windows NT Versus Active Directory
Windows 2000 Versus Windows Server 2003
Windows Server 2003 Versus Windows Server 2003 R2
Windows Server 2003 R2 Versus Windows Server 2008
Summary
2. Active Directory Fundamentals
How Objects Are Stored and Identified
Uniquely Identifying Objects
Distinguished names
Examples
Building Blocks
Domains and Domain Trees
Forests
Organizational Units
Global Catalog
Flexible Single Master Operator (FSMO)
Time Synchronization in Active Directory
Domain and Forest Functional Levels
Windows 2000 Domain Mode
Groups
Groups in Windows NT
Group nesting in different functional levels
Group membership across domain boundaries
Converting groups
Wrap-up
Summary
3. Naming Contexts and Application Partitions
Domain Naming Context
Configuration Naming Context
Schema Naming Context
Application Partitions
Storing Dynamic Data
Summary
4. Active Directory Schema
Structure of the Schema
X.500 and the OID Namespace
Attributes (attributeSchema Objects)
Dissecting an Example Active Directory Attribute
Attribute Properties
Attribute Syntax
System Flags
Constructed attributes
Category 1 objects
Schema FlagsEx
Search Flags
Indexed attributes
Ambiguous Name Resolution
Preserve attribute in tombstone
Tuple index
Confidential
Attribute change auditing
Filtered attribute set
Property Sets and attributeSecurityGUID
Linked Attributes
Classes (classSchema Objects)
Object Class Category and Inheritance
Dissecting an Example Active Directory Class
How inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClass
Viewing the user class with the Active Directory Schema snap-in
Dynamically Linked Auxiliary Classes
Summary
5. Site Topology and Replication
Site Topology
Subnets
Sites
Site Links
Site Link Bridges
Connection Objects
Knowledge Consistency Checker (KCC)
Site and Replication Management Tools
How Replication Works
A Background to Metadata
Update Sequence Numbers (USN) and highestCommittedUSN
Originating updates versus replicated updates
DSA GUID and Invocation ID
High-watermark vector (direct up-to-dateness vector)
Up-to-dateness vector
Recap
How an Object’s Metadata Is Modified During Replication
Step 1: Initial creation of a user on Server A
Step 2: Replication of the originating write to DC B
Step 3: Password change for the user on DC B
Step 4: Password-change replication to DC A
The Replication of a Naming Context Between Two Servers
Step 1: Replication with a partner is initiated
Step 2: The partner works out what updates to send
Step 3: The partner sends the updates to the initiating server
Step 4: The initiating server processes the updates
Step 5: The initiating server checks whether it is up-to-date
Recap
How Replication Conflicts Are Reconciled
Conflict due to identical attribute change
Conflict due to a move or creation of an object under a now-deleted parent
Conflict due to creation of objects with names that conflict
Replicating the conflict resolution
Summary
6. Active Directory and DNS
DNS Fundamentals
Zones
Resource Records
DDNS
Global Names Zone
DC Locator Resource Records Used by Active Directory
Overriding SRV Record Registration
Delegation Options
Not Delegating the AD DNS Zones
Political factors
Initial setup and configuration
Support and maintenance
Integration issues
Delegating the AD DNS Zones
Political factors
Initial setup and configuration
Support and maintenance
Integration issues
DNS for Standalone AD
Active Directory Integrated DNS
Replication Impact
Background Zone Loading
Using Application Partitions for DNS
Aging and Scavenging
Configuring Scavenging
Setting zone-specific options
Enabling scavenging on the DNS server
Summary
7. Read-Only Domain Controllers
Prerequisites
Password Replication Policies
Managing the Password Replication Policy
Managing RODC Theft
The Client Logon Process
Populating the Password Cache
RODCs and Write Requests
User Password Changes
Computer Account Password Changes
The lastLogonTimeStamp Attribute
Last-Logon Statistics
Logon Success/Fail Information
NetLogon Secure Channel Updates
Replication Connection Objects
DNS Updates
The W32Time Service
Application Compatibility
RODC Placement Considerations
RODCs and Replication
Administrator Role Separation
Summary
8. Group Policy Primer
Capabilities of GPOs
Group Policy Storage
ADM or ADMX files
How GPOs are stored in Active Directory
Group Policy replication
How Group Policies Work
GPOs and Active Directory
Prioritizing the Application of Multiple Policies
Standard GPO Inheritance Rules in Organizational Units
Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
Summary
When Policies Apply
Group Policy refresh frequency
Combating Slowdown Due to Group Policy
Limiting the number of GPOs that apply
Limiting cross-domain linking
Limiting use of site policies
Use simple queries in WMI filters
Security Filtering and Group Policy Objects
Loopback Merge Mode and Loopback Replace Mode
WMI Filtering
Summary of Policy Options
Managing Group Policies
Using the Group Policy Management Console (GPMC)
Group Policy Modeling
Delegation and Change Control
The importance of change-control procedures
Designing the delegation of GPO administration
Using Starter GPOs
Group Policy Backup and Restore
Scripting Group Policies
Troubleshooting Group Policy
Group Policy Results Wizard
Forcing Group Policy Updates
Enabling Extra Logging
Group Policy Diagnostic Best Practices Analyzer
Third-Party Troubleshooting Tools
Summary
9. Fine-Grained Password Policies
Understanding Password Setting Objects
Scenarios for Fine-Grained Password Policies
Defining Password Setting Objects
Defining PSO precedence
Creating Password Setting Objects
PSO Quick Start
Building a PSO from Scratch
Creating a PSO with ADSI edit
Creating a PSO with PSOMgr
Managing Password Settings Objects
Strategies for Controlling PSO Application
Applying PSOs to groups
Applying PSOs to users
Mixing group application and user application
Managing PSO Application
Applying a PSO with ADSI Edit
Applying a PSO with Active Directory users and computers
Applying a PSO with PSOMgr
Viewing the effective PSO
Delegating Management of PSOs
Summary
II. Designing an Active Directory Infrastructure
10. Designing the Namespace
The Complexities of a Design
Where to Start
Overview of the Design Process
Domain Namespace Design
Objectives
Represent the structure of your business
Step 1: Decide on the Number of Domains
Isolated replication
Unique domain policy
In-place upgrade of current domain
Final notes
Step 2: Design and Name the Tree Structure
Choose the forest root domain
Design the namespace naming scheme
Create additional trees
Create additional forests
Arrange subdomain hierarchy
Step 3: Design the Workstation and Server-Naming Scheme
Design of the Internal Domain Structure
Step 4: Design the Hierarchy of Organizational Units
Recreating the business model
Delegating full administration
Delegating other rights
Step 5: Design the Users and Groups
Naming and placing users
Naming and placing groups
Creating proper security group designs
Step 6: Design the Application Partition Structure
Other Design Considerations
Design Examples
TwoSiteCorp
Step 1: Set the number of domains
Step 2: Design and name the tree structure
Step 3: Design the workstation- and server-naming scheme
Step 4: Design the hierarchy of Organizational Units
Step 5: Design the users and groups
Step 6: Design the application partition structure
Recap
RetailCorp
Step 1: Identify the number of domains
Step 2: Design and name the tree structure
Step 3: Design the workstation- and server-naming scheme
Step 4: Design the hierarchy of Organizational Units
Step 5: Design the users and groups
Step 6: Design the application partition structure
Recap
PetroCorp
Step 1: Set the number of domains
Step 2: Design and name the tree structure
Step 3: Design the workstation- and server-naming scheme
Step 4: Design the hierarchy of Organizational Units
Step 5: Design the users and groups
Step 6: Design the application partition structure
Recap
Designing for the Real World
Identify the Number of Domains
Design to Help Business Plans and Budget Proposals
Recognizing Nirvana’s Problems
Summary
11. Creating a Site Topology
Intrasite and Intersite Topologies
The KCC
Automatic Intrasite Topology Generation by the KCC
Two servers
Three servers
Four servers
Eight servers
Now what?
Site Links: The Basic Building Blocks of Intersite Topologies
Cost
Schedule
Transport
When the ISTG becomes involved
Site Link Bridges: The Second Building Blocks of Intersite Topologies
Designing Sites and Links for Replication
Step 1: Gather Background Data for Your Network
Step 2: Design the Sites
Step 3: Plan the Domain Controller Locations
Where to put domain controllers
How many domain controllers to have
Placing a domain controller in more than one site
Step 4: Decide How You Will Use the KCC to Your Advantage
Step 5: Create Site Links
Step 6: Create Site Link Bridges
Examples
TwoSiteCorp
RetailCorp
PetroCorp
Additional Resources
Summary
12. Designing Organization-Wide Group Policies
Using GPOs to Help Design the Organizational Unit Structure
Identifying Areas of Policy
How GPOs Influenced a Real Organizational Unit Design
The merits of collapsing the Organizational Unit structure
A bridge too far
Loopback mode
Guidelines for Designing GPOs
Summary
13. Active Directory Security: Permissions and Auditing
Permission Basics
Permission ACE
Property Sets, Validated Writes, and Extended Rights
Inherited Versus Explicit Permissions
Default Security Descriptors
Permission Lockdown
Confidentiality Bit
Protecting Objects from Accidental Deletion
Using the GUI to Examine Permissions
Reverting to the Default Permissions
Viewing the Effective Permissions for a User or Group
Using the Delegation of Control Wizard
Using the GUI to Examine Auditing
Designing Permission Schemes
The Five Golden Rules of Permissions Design
Rule 1: Apply permissions to groups whenever possible
Rule 2: Design group permissions so that you have minimum duplication
Rule 3: Manage Advanced permissions only when absolutely necessary
Rule 4: Allow inheritance; do not protect sections of the domain tree from inheritance
Rule 5: Keep a log of unusual changes
How to Plan Permissions
Bringing Order Out of Chaos
Designing Auditing Schemes
Implementing Auditing under Windows Server 2008
Tracking Last Interactive Logon Information
Real-World Examples
Hiding Specific Personal Details for All Users in an Organizational Unit from a Group
Allowing Only a Specific Group of Users to Access a New Published Resource
Restricting Everyone but HR from Viewing Social Security Numbers with Confidential Access Capability
Summary
14. Designing and Implementing Schema Extensions
Nominating Responsible People in Your Organization
Thinking of Changing the Schema
Designing the Data
To Change or Not to Change
The Global Picture
Creating Schema Extensions
Running the Schema Manager MMC for the First Time
The Schema Cache
The Schema Master FSMO
Using LDIF to Extend the Schema
Checks the System Makes When You Modify the Schema
Making Classes and Attributes Defunct
Summary
15. Backup, Recovery, and Maintenance
Backing Up Active Directory
Using the NT Backup Utility
Using Windows Server Backup
Restoring a Domain Controller
Restore from Replication
Manually removing a domain controller from Active Directory
Restore from Backup
Install from Media
Creating and using IFM media on Windows Server 2003
Creating and using IFM media on Windows Server 2008
Restoring Active Directory
Non-Authoritative Restore
Restoring with NT Backup
Restoring with Windows Server Backup
Partial Authoritative Restore
Complete Authoritative Restore
Working with Snapshots
FSMO Recovery
Restartable Directory Service
DIT Maintenance
Checking the Integrity of the DIT
Reclaiming Space
Changing the DS Restore Mode Admin Password
Summary
16. Upgrading to Windows Server 2003
New Features in Windows Server 2003
Differences with Windows 2000
Functional Levels Explained
How to Raise the Functional Level
Preparing for ADPrep
ForestPrep
DomainPrep
GPPrep
Upgrade Process
Inventory Domain Controllers
Inventory Clients
Trial Run
Prepare the Forest and Domains
Exchange 2000
SFU 2.0
Tweak Settings
Upgrade Domain Controllers
Post-Upgrade Tasks
Monitor
Raise Functional Levels
Start Implementing New Features
Summary
17. Upgrading to Windows Server 2003 R2
New Active Directory Features in Windows Server 2003 Service Pack 1
Differences with Windows Server 2003
New Active Directory Features in Windows Server 2003 R2
Preparing for ADPrep
ForestPrep
Service Pack 1 Upgrade Process
R2 Upgrade Process
Prepare the Forest
Upgrade Domain Controllers
Summary
18. Upgrading to Windows Server 2008
New Features in Windows Server 2008
Differences with Windows Server 2003
Preparing for ADPrep
ForestPrep
RODCPrep
DomainPrep
GPPrep
Windows Server 2008 Upgrade Process
Summary
19. Integrating Microsoft Exchange
A Quick Word about Exchange/AD Interaction
Preparing Active Directory for Exchange
Setup Prerequisites
PrepareLegacyExchangePermissions
PrepareSchema
PrepareAD
PrepareDomain
Active Directory Site Design and Domain Controller Placement
Site topology
Domain controller impact
Other Considerations
Mail-Enabling Objects
Using the Exchange Management Console
Mailbox-enabling a user
Linked mailboxes
Mail-enabling a group
Using PowerShell
Summary
20. Active Directory Lightweight Directory Service (a.k.a. ADAM)
ADAM Terms
Differences Between AD and ADAM V1.0
Standalone Application Service
Configurable LDAP Ports
No SRV Records
No Global Catalog
Top-Level Application Partition Object Classes
Group and User Scope
FSMOs
Schema
Service Account
Configuration/Schema Partition Names
Default Directory Security
User Principal Names
Authentication
ADAM R2 Updates
Users in the Configuration Partition
Password Reset/Change Chaining to Windows
Virtual List View (VLV) Searching
Confidentiality Bit
New and Updated Tools
Installation
Authentication
R2 ADAM for R2 Server Only
Active Directory Lightweight Directory Services Updates
GUI Tools Availability on Server Core
Support for Install from Media
Support for Snapshots and the Database Mounting Tool
Support for Enhanced Auditing Features
AD LDS Installation
Installing Components
Installing a New ADAM Instance
Installing an ADAM Replica
Tools
ADAM ADSIEDIT
ADAM Schema Management
ADAM Install
ADAMSync
ADAM Uninstall
AD Schema Analyzer
CSVDE
DSACLS
DSDBUTIL
DSDiag
DSMgmt
LDIFDE
LDP
RepAdmin
ADAM Schema
Virtual List View (VLV) Index Support
Default Security Descriptors
Bindable Objects and Bindable Proxy Objects
Using ADAM
Creating Application Partitions
Creating Containers
Creating Users
Creating User Proxies
Special considerations
Renaming Users
Creating Groups
Adding Members to Groups
Removing Members from Groups
Deleting Objects
Deleting Application Partitions
Summary
III. Scripting Active Directory with ADSI, ADO, and WMI
21. Scripting with ADSI
What Are All These Buzzwords?
ActiveX
Windows Scripting Host (WSH)
Active Server Pages (ASPs)
Active Directory Service Interface (ADSI)
ActiveX Data Objects (ADO)
Windows Management Instrumentation (WMI)
.NET and .NET Framework
Writing and Running Scripts
A Brief Primer on COM and WSH
How to Write Scripts
WSH File Formats
ADSI
Objects and Interfaces
Namespaces, ProgIDs, and ADsPath
Retrieving Objects
Simple Manipulation of ADSI Objects
Creating the OU
Creating the Users
Tearing Down What Was Created
Summary
22. IADs and the Property Cache
The IADs Properties
Using IADs::Get and IADs::Put
The Property Cache
Be Careful
More Complexities of Property Access: IADs::GetEx and IADs::PutEx
Using IADs::GetEx
Using IADs::PutEx
Manipulating the Property Cache
Property Cache Mechanics
Adding Individual Values
Adding Sets of Values
Walking Through the Property Cache
Approach 1: Using the IADsPropertyList::PropertyCount property method
Approach 2: Using the IADsPropertyList::Next method
Approach 3: Using the IADsPropertyList::Next and IADsPropertyList::Skip methods
Writing the Modifications
Walking the Property Cache: The Solution
Walking the Property Cache Using the Formal Schema Class Definition
Checking for Errors in VBScript
Summary
23. Using ADO for Searching
The First Search
Step 1: Define the Constants and Variables
Step 2: Establish an ADO Database Connection
Step 3: Open the ADO Connection
Step 4: Execute the Query
Step 5: Navigate Through the Resultset
Step 6: Close the ADO Connection
The Entire Script for a Simple Search
Understanding Search Filters
Items Within a Filter
Connecting Filters
Optimizing Searches
Efficient Searching
ObjectClass Versus ObjectCategory
Advanced Search Function: SearchAD
Summary
24. Users and Groups
Creating a Simple User Account
Creating a Full-Featured User Account
LDAP Provider
Creating Many User Accounts
Modifying Many User Accounts
Account Unlocker Utility
Creating a Group
Adding Members to a Group
Adding Many USER Groups to Groups
Evaluating Group Membership
Summary
25. Permissions and Auditing
How to Create an ACE Using ADSI
Trustee
AccessMask
AceType
AceFlags
Flags, ObjectType, and InheritedObjectType
A Simple ADSI Example
Discussion
A Complex ADSI Example
Discussion
Unlock account
Set/clear “User Must Change Password On Next Logon” flag
Reset Password
Making Your Own ACEs
Delegate member attribute on groups
Delegate ability to view Confidential Attribute
How to implement other delegations
Creating Security Descriptors
Listing the Security Descriptor of an Object
Summary
26. Extending the Schema and the Active Directory Snap-ins
Modifying the Schema with ADSI
IADsClass and IADsProperty
Creating the Mycorp-LanguagesSpoken Attribute
Creating the FinanceUser class
Creating instances of the new class
Finding the Schema Container and Schema FSMO
Transferring the Schema FSMO Role
Forcing a Reload of the Schema Cache
Adding an Attribute to the Partial Attribute Set
Customizing the Active Directory Administrative Snap-ins
Display Specifiers
Property Pages
Context Menus
Icons
Display Names
Leaf or Container
Object Creation Wizard
Summary
27. Scripting with WMI
Origins of WMI
WMI Architecture
CIMOM and CIM Repository
WMI Providers
Getting Started with WMI Scripting
Referencing an Object
Enumerating Objects of a Particular Class
Searching with WQL
Authentication with WMI
WMI Tools
WMI from a Command Line
WMI from the Web
WMI SDK
Scriptomatic Version 2.0; WMI Scripting Tool
Manipulating Services
Querying the Event Logs
Monitoring Trusts
Monitoring Replication
Summary
28. Scripting DNS
DNS Provider Overview
Installing the DNS Provider
Managing DNS with the DNS Provider
Manipulating DNS Server Configuration
Listing a DNS Server’s Properties
Configuring a DNS server
Restarting the DNS Service
DNS Server Configuration Check Script
Creating and Manipulating Zones
Creating a Zone
Configuring a Zone
Listing the Zones on a Server
Creating and Manipulating Resource Records
Finding Resource Records in a Zone
Creating Resource Records
Summary
29. Programming the Directory with the .NET Framework
Why .NET?
Choosing a .NET Programming Language
Choosing a Development Tool
.NET IDE Options
.NET Development Without an IDE
.NET Framework Versions
Which .NET Framework Comes with Which OS?
Directory Programming Features by .NET Framework Release
Assemblies Versus Namespaces
Summary of Namespaces, Assemblies, and Framework Versions
Directory Services Programming Landscape
System.DirectoryServices Overview
Other nice things in System.DirectoryServices
System.DirectoryServices Summary
System.DirectoryServices.ActiveDirectory Overview
Why use System.DirectoryServices.ActiveDirectory?
System.DirectoryServices.ActiveDirectory summary
System.DirectoryServices.Protocols Overview
Why use System.DirectoryServices.Protocols?
System.DirectoryServices.Protocols summary
System.DirectoryServices.AccountManagement Overview
Why use System.DirectoryServices.AccountManagement?
System.DirectoryServices.AccountManagement summary
.NET Directory Services Programming by Example
Connecting to the Directory
Searching the Directory
Basics of Modifying the Directory
Basic add example
Basic remove examples
Moving and renaming objects
Modifying existing objects
Managing Users
Managing users with System.DirectoryServices.AccountManagement
Overriding SSL Server Certificate Verification with SDS.P
Summary
30. PowerShell Basics
Exploring the PowerShell
Variables and Objects
Working with Quotes
Profiles
Working with the Pipeline
The $_ Expression
Pipeline by Example
Cmdlets
The Cmdlet Naming Scheme
Cmdlet Parameters
Working with Built-in Cmdlets
Get-Help
Get-Command
Get-Member
Managing the Environment
Set-Location
Set-ExecutionPolicy
Get-PSSnapin
Add-PSSnapin
Formatting Output
Format-List
Format-Table
Out-Null
Processing and Filtering Output
Foreach-Object
Where-Object
Importing Information
Get-Content
Import-Csv
Import-CliXml
Exporting Information
Export-Csv
Export-CliXml
Out-File
Building PowerShell Scripts
Arguments
Functions
Error Handling
Flow Control
Conditional Statements
Loops
Using WMI
Summary
31. Scripting Active Directory with PowerShell
Becoming Familiar with .NET
DirectoryEntry
DirectorySearcher
Domain
Forest
DirectoryContext
DomainController
GlobalCatalog
ApplicationPartition
Understanding Client-Side Processing
Building the Lab Build Script
Setup
Creating Organizational Units
Creating User Accounts
Creating Computer Accounts
Creating Groups
Adding group members
Putting It All Together
Working with Forests and Domains
Gathering Forest Information
Gathering Domain Information
Understanding Group Policy
Group Policy Refresh Cmdlet
GPMC Cmdlets
Quest Cmdlets
Summary
32. Scripting Basic Exchange 2003 Tasks
Notes on Managing Exchange
Exchange Management Tools
Mail-Enabling Versus Mailbox-Enabling
Exchange Delegation
Mail-Enabling a User
Mail-Disabling a User
Creating and Mail-Enabling a Contact
Mail-Disabling a Contact
Mail-Enabling a Group (Distribution List)
Mail-Disabling a Group
Mailbox-Enabling a User
Mailbox-Disabling a User (Mailbox Deletion)
Purging a Disconnected Mailbox
Reconnecting a Disconnected Mailbox
Moving a Mailbox
Enumerating Disconnected Mailboxes
Viewing Mailbox Sizes and Message Counts
Viewing All Store Details of All Mailboxes on a Server
Dumping All Store Details of All Mailboxes on All Servers in Exchange Org
Summary
33. Scripting Basic Exchange 2007 Tasks
Exchange Scripting Notes
The Departure of the Recipient Update Service
Mail-Enabling Versus Mailbox-Enabling
Exchange Cmdlet Primer
Managing Users
Mailbox-Enabling a User
Mailbox-Disabling a User
Mail-Enabling a User
Mail-Disabling a User
Viewing Mailbox Properties
Moving a User Mailbox
Provisioning Mailboxes Out-of-Band
Managing Groups
Mail-Enabling a Group
Mail-Disabling a Group
Managing Group Membership
Displaying Group Properties
Summary
Index
About the Authors
Colophon