Active Directory
Preface
1. Intended Audience
2. Contents of the Book
3. Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
4. Acknowledgments
For the Fourth and Fifth Editions (Brian)
For the Third Edition (Joe)
For the Second Edition (Robbie)
For the First Edition (Alistair)
1. A Brief Introduction
1.1. Evolution of the Microsoft NOS
A Brief History of Directories
1.2. Summary
2. Active Directory Fundamentals
2.1. How Objects Are Stored and Identified
Uniquely Identifying Objects
Distinguished names
Examples
2.2. Building Blocks
Domains and Domain Trees
Forests
Organizational Units
The Global Catalog
Flexible Single Master Operator (FSMO) Roles
Time Synchronization in Active Directory
Domain and Forest Functional Levels
Windows 2000 domain mode
Groups
Group membership across domain boundaries
Converting groups
2.3. Summary
3. Active Directory Management Tools
3.1. Management Tools
Active Directory Administrative Center
PowerShell History
Global Search
Multiple-domain support
Extensibility
Active Directory Users and Computers
Advanced Features
Saved Queries
Controlling drag-and-drop moves
Taskpads
ADSI Edit
LDP
3.2. Customizing the Active Directory Administrative Snap-ins
Display Specifiers
Property Pages
Context Menus
Icons
Display Names
Object Creation Wizard
3.3. Active Directory PowerShell Module
3.4. Best Practices Analyzer
3.5. Active Directory-Based Machine Activation
3.6. Summary
4. Naming Contexts and Application Partitions
4.1. Domain Naming Context
4.2. Configuration Naming Context
4.3. Schema Naming Context
4.4. Application Partitions
Storing Dynamic Data
4.5. Summary
5. Active Directory Schema
5.1. Structure of the Schema
X.500 and the OID Namespace
5.2. Attributes (attributeSchema Objects)
Dissecting an Example Active Directory Attribute
5.3. Attribute Properties
Attribute Syntax
systemFlags
Constructed attributes
Category 1 objects
schemaFlagsEx
searchFlags
Indexed attributes
Ambiguous name resolution
Preserving attributes in a tombstone
The subtree index
The tuple index
Confidentiality
Attribute change auditing
The filtered attribute set
Property Sets and attributeSecurityGUID
Linked Attributes
MAPI IDs
5.4. Classes (classSchema Objects)
Object Class Category and Inheritance
Dissecting an Example Active Directory Class
How inheritance affects mustContain, mayContain, possSuperiors, and auxiliaryClass
Viewing the user class with the Active Directory Schema snap-in
Dynamically Linked Auxiliary Classes
5.5. Summary
6. Site Topology and Active Directory Replication
6.1. Site Topology
Site and Replication Management Tools
Subnets
Managing subnets
Troubleshooting subnet data problems
Sites
Managing sites
Site Links
Managing site links
Site Link Bridges
Connection Objects
Knowledge Consistency Checker
6.2. How Replication Works
A Background to Metadata
Update sequence numbers (USNs) and highestCommittedUSN
Originating updates versus replicated updates
DSA GUIDs and invocation IDs
High-watermark vector (direct up-to-dateness vector)
Up-to-dateness vector
Recap
How an Object’s Metadata Is Modified During Replication
Step 1: Initial creation of a user on Server A
Step 2: Replication of the originating write to DC B
Step 3: Password change for the user on DC B
Step 4: Password-change replication to DC A
The Replication of a Naming Context Between Two Servers
Step 1: Replication with a partner is initiated
Step 2: The partner works out what updates to send
Step 3: The partner sends the updates to the initiating server
Step 4: The initiating server processes the updates
Step 5: The initiating server checks whether it is up to date
Recap
How Replication Conflicts Are Reconciled
Conflict due to identical attribute change
Conflict due to a move or creation of an object under a now-deleted parent
Conflict due to creation of objects with names that conflict
Replicating the conflict resolution
6.3. Common Replication Problems
Lingering Objects
USN Rollback
6.4. Summary
7. Searching Active Directory
7.1. The Directory Information Tree
Database Structure
Hidden table
Data table
Link table
Security descriptor table
7.2. Searching the Database
Filter Operators
Connecting Filter Components
Search Bases
Modifying Behavior with LDAP Controls
7.3. Attribute Data Types
Dates and Times
Bit Masks
The In-Chain Matching Rule
7.4. Optimizing Searches
Efficient Searching
Using the stats control
objectClass Versus objectCategory
7.5. Summary
8. Active Directory and DNS
8.1. DNS Fundamentals
Zones
Resource Records
Client Lookup Process
Dynamic DNS
Global Names Zones
8.2. DNSSEC
How Does DNSSEC Work?
Resource records
Lookup process
Configuring DNSSEC for Active Directory DNS
8.3. DC Locator
8.4. Resource Records Used by Active Directory
Overriding SRV Record Registration
8.5. Delegation Options
Not Delegating the AD DNS Zones
Political factors
Initial setup and configuration
Support and maintenance
Integration issues
Delegating the AD DNS Zones
Political factors
Initial setup and configuration
Support and maintenance
Integration issues
8.6. Active Directory-Integrated DNS
Replication Impact
Background Zone Loading
8.7. Using Application Partitions for DNS
8.8. Aging and Scavenging
Configuring Scavenging
Setting zone-specific options
Enabling scavenging on the DNS server
8.9. Managing DNS with Windows PowerShell
8.10. Summary
9. Domain Controllers
9.1. Building Domain Controllers
Deploying with Server Manager
Using DCPromo on Earlier Versions of Windows
Automating the DC Build Process
9.2. Virtualization
When to Virtualize
Impact of Virtualization
USN rollback
RID pool reuse
System clock changes
Virtualization Safe Restore
Cloning Domain Controllers
The DC cloning process
Cloning a domain controller
9.3. Read-Only Domain Controllers
Prerequisites
Password Replication Policies
Managing the password replication policy
Managing the loss of an RODC
The Client Logon Process
Populating the password cache
RODCs and Write Requests
User password changes
Computer account password changes
The lastLogonTimeStamp attribute
Last-logon statistics
Logon success/failure information
NetLogon secure channel updates
Replication connection objects
DNS updates
The W32Time Service
Application Compatibility
RODC Placement Considerations
Administrator Role Separation
Promoting an RODC
Prestaging RODC domain controller accounts
9.4. Summary
10. Authentication and Security Protocols
10.1. Kerberos
User Logon
Service Access
Service principal names
Service tickets
Application Access
Logon and Service Access Summary
Delegation and Protocol Transition
Delegation
Protocol Transition
10.2. Authentication Mechanism Assurance
10.3. Managed Service Accounts
Preparing for Group Managed Service Accounts
Using Group Managed Service Accounts
10.4. Summary
11. Group Policy Primer
11.1. Capabilities of Group Policy Objects
Group Policy Storage
ADM or ADMX files
How GPOs are stored in Active Directory
Group Policy replication
11.2. How Group Policies Work
GPOs and Active Directory
Prioritizing the Application of Multiple Policies
Standard GPO Inheritance Rules in Organizational Units
Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
Summary
When Policies Apply
Group Policy Refresh Frequency
Combating Slowdown Due to Group Policy
Limiting the number of GPOs that apply
Limiting cross-domain linking
Limiting use of site policies
Use simple queries in WMI filters
Security Filtering and Group Policy Objects
Loopback Merge Mode and Loopback Replace Mode
Summarizing Group Policy Application
WMI Filtering
Group Policy
11.3. Managing Group Policies
Using the Group Policy Management Console
Using the Group Policy Management Editor
Group Policy Preferences
Deploying group policy preferences
Item-Level Targeting
Running Scripts with Group Policy
Group Policy Modeling
Delegation and Change Control
The importance of change-control procedures
Designing the delegation of GPO administration
Using Starter GPOs
Group Policy Backup and Restore
Scripting Group Policy
11.4. Troubleshooting Group Policy
Group Policy Infrastructure Status
Group Policy Results Wizard
Forcing Group Policy Updates
Enabling Extra Logging
Group Policy Logging in Windows 2000, Windows XP, and Windows Server 2003
Group Policy Logging in Windows Vista/Windows Server 2008 and Newer
Group Policy Diagnostic Best Practices Analyzer
Third-Party Troubleshooting Tools
11.5. Summary
12. Fine-Grained Password Policies
12.1. Understanding Password Settings Objects
12.2. Scenarios for Fine-Grained Password Policies
Defining Password Settings Objects
Defining PSO precedence
12.3. Creating Password Settings Objects
PSO Quick Start
Building a PSO from Scratch
Creating a PSO with the Active Directory Administrative Center
Creating a PSO with PSOMgr
12.4. Managing Password Settings Objects
Strategies for Controlling PSO Application
Applying PSOs to groups
Applying PSOs to users
Mixing group application and user application
Managing PSO Application
Applying a PSO with ADAC
Applying a PSO with ADSI Edit
Applying a PSO with ADUC
Applying a PSO with PSOMgr
Viewing the effective PSO
12.5. Delegating Management of PSOs
12.6. Summary
13. Designing the Active Directory Structure
13.1. The Complexities of a Design
13.2. Where to Start
13.3. Overview of the Design Process
13.4. Domain Namespace Design
Objectives
Represent the structure of your business
Step 1: Decide on the Number of Domains
Isolated replication
Unique domain policy
Final notes
Step 2: Design and Name the Tree Structure
Choose the forest root domain
Design the namespace naming scheme
Create additional trees
Create additional forests
Arrange the subdomain hierarchy
13.5. Design of the Internal Domain Structure
Step 3: Design the Hierarchy of Organizational Units
Recreating the business model
Delegating full administration
Delegating other rights
Step 4: Design the Workstation and Server Naming Conventions
Step 5: Plan for Users and Groups
Naming and placing users
Naming and placing groups
13.6. Other Design Considerations
13.7. Design Examples
Tailspin Toys
Step 1: Decide on the number of domains
Step 2: Design and name the tree structure
Step 3: Design the hierarchy of organizational units
Step 4: Design the workstation and server naming conventions
Step 5: Plan for users and groups
Contoso College
Step 1: Decide on the number of domains
Step 2: Design and name the tree structure
Step 3: Design the hierarchy of organizational units
Step 4: Design the workstation and server naming conventions
Step 5: Plan for users and groups
Fabrikam
Step 1: Decide on number of domains
Step 2: Design and name the tree structure
Step 3: Design the hierarchy of organizational units
Step 4: Design the workstation and server naming conventions
Step 5: Plan for users and groups
13.8. Recognizing Nirvana’s Problems
13.9. Summary
14. Creating a Site Topology
14.1. Intrasite and Intersite Topologies
The KCC
Automatic Intrasite Topology Generation by the KCC
Two servers
Three servers
Four servers
Eight servers
Now what?
Site Links: The Basic Building Blocks of Intersite Topologies
Cost
Schedule
Transport
When the ISTG becomes involved
Site Link Bridges: The Second Building Blocks of Intersite Topologies
14.2. Designing Sites and Links for Replication
Step 1: Gather Background Data for Your Network
Step 2: Plan the Domain Controller Locations
Where to put domain controllers
How many domain controllers to have
Placing a domain controller in more than one site
Step 3: Design the Sites
Step 4: Create Site Links
Step 5: Create Site Link Bridges
14.3. Design Examples
Tailspin Toys
Step 1: Gather background data for your network
Step 2: Plan the domain controller locations
Step 3: Design the sites
Step 4: Create site links
Contoso College
Step 1: Gather background data for your network
Step 2: Plan the domain controller locations
Step 3: Design the sites
Step 4: Create site links
Fabrikam
Step 1: Gather background data for your network
Step 2: Plan the domain controller locations
Step 3: Design the sites
Step 4: Create site links
14.4. Additional Resources
14.5. Summary
15. Planning for Group Policy
15.1. Using GPOs to Help Design the Organizational Unit Structure
Identifying Areas of Policy
Guidelines for Designing GPOs
15.2. Design Examples
Tailspin Toys
Contoso College
Fabrikam
15.3. Summary
16. Active Directory Security: Permissions and Auditing
16.1. Permission Basics
Permission ACEs
Property Sets, Validated Writes, and Extended Rights
Inherited Versus Explicit Permissions
Default Security Descriptors
Permission Lockdown
The Confidentiality Bit
Protecting Objects from Accidental Deletion
16.2. Using the GUI to Examine Permissions
Reverting to the Default Permissions
Viewing the Effective Permissions for a User or Group
Using the Delegation of Control Wizard
16.3. Using the GUI to Examine Auditing
16.4. Designing Permissions Schemes
The Five Golden Rules of Permissions Design
Rule 1: Apply permissions to groups whenever possible
Rule 2: Design group permissions so that you have minimal duplication
Rule 3: Manage advanced permissions only when absolutely necessary
Rule 4: Allow inheritance; do not protect sections of the domain tree from inheritance
Rule 5: Keep a log of changes
How to Plan Permissions
Bringing Order out of Chaos
16.5. Designing Auditing Schemes
Implementing Auditing
Tracking Last Interactive Logon Information
16.6. Real-World Active Directory Delegation Examples
Hiding Specific Personal Details for All Users in an Organizational Unit from a Group
Allowing Only a Specific Group of Users to Access a New Published Resource
Restricting Everyone but HR from Viewing National/Regional ID Numbers with the Confidential Bit
16.7. The AdminSDHolder Process
16.8. Dynamic Access Control
Configuring Active Directory for DAC
Configuring claim types
Configuring central access policies
Kerberos policies
Using DAC on the File Server
Compound expressions with groups
Using claims in your ACLs
Auditing
16.9. Summary
17. Designing and Implementing Schema Extensions
17.1. Nominating Responsible People in Your Organization
17.2. Thinking of Changing the Schema
Designing the Data
To Change or Not to Change
The Global Picture
17.3. Creating Schema Extensions
Running the AD Schema Management MMC Snap-in for the First Time
The Schema Cache
The Schema Master FSMO
Using LDIF to Extend the Schema
Checks the System Makes When You Modify the Schema
Making Classes and Attributes Defunct
Mitigating a Schema Conflict
17.4. Summary
18. Backup, Recovery, and Maintenance
18.1. Backing Up Active Directory
Using the NT Backup Utility
Using Windows Server Backup
18.2. Restoring a Domain Controller
Restore from Replication
Manually removing a domain controller from Active Directory
Restore from Backup
Install from Media
Creating and using IFM media on Windows Server 2003
Creating and using IFM media on Windows Server 2008 and newer
18.3. Restoring Active Directory
Nonauthoritative Restore
Restoring with NT Backup
Restoring with Windows Server Backup
Partial Authoritative Restore
Complete Authoritative Restore
18.4. Working with Snapshots
18.5. Active Directory Recycle Bin
Deleted Object Lifecycle
Enabling the Recycle Bin
Undeleting Objects
Using ADAC
Using PowerShell
18.6. FSMO Recovery
18.7. Restartable Directory Service
18.8. DIT Maintenance
Checking the Integrity of the DIT
Reclaiming Space
Changing the DS Restore Mode Admin Password
18.9. Summary
19. Upgrading Active Directory
19.1. Active Directory Versions
Windows Server 2003
New features
Differences in functionality
Windows Server 2008
New features
Differences in functionality
Windows Server 2008 R2
New features
Differences in functionality
Windows Server 2012
New features
Differences in functionality
19.2. Functional Levels
Raising the Functional Level
Functional Level Rollback
19.3. Beginning the Upgrade
19.4. Known Issues
19.5. Summary
20. Active Directory Lightweight Directory Services
20.1. Common Uses for AD LDS
20.2. AD LDS Terms
20.3. Differences Between AD and AD LDS
Standalone Application Service
Configurable LDAP Ports
No SRV Records
No Global Catalog
Top-Level Application Partition Object Classes
Group and User Scope
FSMOs
Schema
Service Account
Configuration/Schema Partition Names
Default Directory Security
User Principal Names
Authentication
Users in the Configuration Partition
New and Updated Tools
20.4. AD LDS Installation
Installing the Server Role
Installing a New AD LDS Instance
Installing an AD LDS Replica
Enabling the Recycle Bin
20.5. Tools
ADAM Install
ADAM Sync
ADAM Uninstall
AD Schema Analyzer
AD Schema MMC Snap-in
ADSI Edit
dsdbutil
dsmgmt
ldifde
LDP
repadmin
20.6. The AD LDS Schema
Default Security Descriptors
Bindable Objects and Bindable Proxy Objects
20.7. Using AD LDS
Creating Application Partitions
Creating Containers
Creating Users
Creating User Proxies
Special considerations
Renaming Users
Creating Groups
Adding Members to Groups
Removing Members from Groups
Deleting Objects
Deleting Application Partitions
Controlling Access to Objects and Attributes
20.8. Summary
21. Active Directory Federation Services
21.1. Introduction to Federated Identity
How It Works
SAML
WS-Federation
21.2. Understanding ADFS Components
The Configuration Database
Federation Servers
Federation Server Proxies
ADFS Topologies
Single federation server
Single federation server and federation proxy
Load-balanced ADFS servers
Geographically redundant ADFS servers
21.3. Deploying ADFS
Federation Servers
Certificates
Configuring ADFS
Service configuration
Federation Server Proxies
21.4. Relying Party Trusts
21.5. Claims Rules and the Claims Pipeline
The Pipeline
Creating and Sending Claims Through the Pipeline
21.6. Customizing ADFS
Forms-Based Logon Pages
Attribute Stores
21.7. Troubleshooting ADFS
Event Logs
Fiddler
21.8. Summary
A. Programming the Directory with the .NET Framework
A.1. Choosing a .NET Programming Language
A.2. Choosing a Development Tool
.NET IDE Options
.NET Development Without an IDE
A.3. .NET Framework Versions
Which .NET Framework Comes with Which OS?
Directory Programming Features by .NET Framework Release
Assemblies Versus Namespaces
Summary of Namespaces, Assemblies, and Framework Versions
A.4. Directory Services Programming Landscape
System.DirectoryServices Overview
Other nice things in System.DirectoryServices
System.DirectoryServices summary
System.DirectoryServices.ActiveDirectory Overview
Why use System.DirectoryServices.ActiveDirectory?
System.DirectoryServices.ActiveDirectory summary
System.DirectoryServices.Protocols Overview
Why use System.DirectoryServices.Protocols?
System.DirectoryServices.Protocols summary
System.DirectoryServices.AccountManagement Overview
Why use System.DirectoryServices.AccountManagement?
System.DirectoryServices.AccountManagement summary
A.5. .NET Directory Services Programming by Example
Connecting to the Directory
Searching the Directory
Basics of Modifying the Directory
Basic add example
Basic remove examples
Moving and renaming objects
Modifying existing objects
Managing Users
Managing users with System.DirectoryServices.AccountManagement
Overriding SSL Server Certificate Verification with SDS.P
A.6. Summary
Index
About the Authors
Colophon
Copyright