Table of Contents

  1. Chapter 1 Getting Started

    1. Approach to the Book

    2. Where to Find the Tools

    3. Getting Familiar with LDIF

    4. Replaceable Text

    5. Where to Find More Information

  2. Chapter 2 Forests, Domains, and Trusts

    1. Introduction

    2. Creating a Forest

    3. Removing a Forest

    4. Creating a Domain

    5. Removing a Domain

    6. Removing an Orphaned Domain

    7. Finding the Domains in a Forest

    8. Finding the NetBIOS Name of a Domain

    9. Renaming a Domain

    10. Raising the Domain Functional Level to Windows Server 2012

    11. Raising the Functional Level of a Windows Server 2008 or 2008 R2 Forest

    12. Using AdPrep to Prepare a Domain or Forest for Windows Server 2012

    13. Determining Whether AdPrep Has Completed

    14. Checking Whether a Windows Domain Controller Can Be Upgraded to Windows Server 2003 or 2008

    15. Creating an External Trust

    16. Creating a Transitive Trust Between Two AD Forests

    17. Creating a Shortcut Trust Between Two AD Domains

    18. Creating a Trust to a Kerberos Realm

    19. Viewing the Trusts for a Domain

    20. Verifying a Trust

    21. Resetting a Trust

    22. Removing a Trust

    23. Enabling SID Filtering for a Trust

    24. Enabling Quarantine for a Trust

    25. Managing Selective Authentication for a Trust

    26. Finding Duplicate SIDs in a Domain

    27. Adding Additional Fields to Active Directory Users and Computers

  3. Chapter 3 Domain Controllers, Global Catalogs, and FSMOs

    1. Introduction

    2. Promoting a Server to a Domain Controller

    3. Promoting a Server to a Read-Only Domain Controller

    4. Performing a Two-Stage RODC Installation

    5. Modifying the Password Replication Policy

    6. Promoting a Server to a Windows Server 2012 Domain Controller from Media

    7. Demoting a Domain Controller

    8. Automating the Promotion or Demotion of a Domain Controller

    9. Troubleshooting Domain Controller Promotion or Demotion Problems

    10. Verifying the Promotion of a Domain Controller

    11. Removing an Unsuccessfully Demoted Domain Controller

    12. Renaming a Domain Controller

    13. Finding the Domain Controllers for a Domain

    14. Finding the Closest Domain Controller

    15. Finding a Domain Controller’s Site

    16. Moving a Domain Controller to a Different Site

    17. Finding the Services a Domain Controller Is Advertising

    18. Restoring a Deleted Domain Controller in Windows Server 2012

    19. Resetting the TCP/IP Stack on a Domain Controller

    20. Configuring a Domain Controller to Use an External Time Source

    21. Finding the Number of Logon Attempts Made Against a Domain Controller

    22. Enabling the /3GB Switch to Increase the LSASS Cache

    23. Enabling and Disabling the Global Catalog

    24. Determining Whether Global Catalog Promotion Is Complete

    25. Finding the Global Catalog Servers in a Forest

    26. Finding the Domain Controllers or Global Catalog Servers in a Site

    27. Finding Domain Controllers and Global Catalogs via DNS

    28. Changing the Preference for a Domain Controller

    29. Disabling the Global Catalog Requirement for User Logon

    30. Finding the FSMO Role Holders

    31. Transferring a FSMO Role

    32. Seizing a FSMO Role

    33. Finding the PDC Emulator FSMO Role Owner via DNS

  4. Chapter 4 Searching and Manipulating Objects

    1. Introduction

    2. Viewing the RootDSE

    3. Viewing the Attributes of an Object

    4. Counting Objects in Active Directory

    5. Using LDAP Controls

    6. Using a Fast or Concurrent Bind

    7. Connecting to an Object GUID

    8. Connecting to a Well-Known GUID

    9. Searching for Objects in a Domain

    10. Searching the Global Catalog

    11. Searching for a Large Number of Objects

    12. Searching with an Attribute-Scoped Query

    13. Searching with a Bitwise Filter

    14. Creating an Object

    15. Modifying an Object

    16. Modifying a Bit-Flag Attribute

    17. Dynamically Linking an Auxiliary Class

    18. Creating a Dynamic Object

    19. Refreshing a Dynamic Object

    20. Modifying the Default TTL Settings for Dynamic Objects

    21. Moving an Object to a Different OU or Container

    22. Moving an Object to a Different Domain

    23. Referencing an External Domain

    24. Renaming an Object

    25. Deleting an Object

    26. Deleting a Container That Has Child Objects

    27. Viewing the Created and Last-Modified Timestamp of an Object

    28. Modifying the Default LDAP Query Policy

    29. Exporting Objects to an LDIF File

    30. Importing Objects Using an LDIF File

    31. Exporting Objects to a CSV File

    32. Importing Objects Using PowerShell and a CSV File

  5. Chapter 5 Organizational Units

    1. Introduction

    2. Creating an OU

    3. Enumerating the OUs in a Domain

    4. Finding an OU

    5. Enumerating the Objects in an OU

    6. Deleting the Objects in an OU

    7. Deleting an OU

    8. Moving the Objects in an OU to a Different OU

    9. Moving an OU

    10. Renaming an OU

    11. Modifying an OU

    12. Determining Approximately How Many Child Objects an OU Has

    13. Delegating Control of an OU

    14. Assigning or Removing a Manager for an OU

    15. Linking a GPO to an OU

    16. Protecting an OU Against Accidental Deletion

  6. Chapter 6 Users

    1. Introduction

    2. Modifying the Default Display Name Used When Creating Users in ADUC or ADAC

    3. Creating a User

    4. Creating a Large Number of Users

    5. Creating an inetOrgPerson User

    6. Converting a user Object to an inetOrgPerson Object (or Vice Versa)

    7. Modifying an Attribute for Several Users at Once

    8. Deleting a User

    9. Setting a User’s Profile Attributes

    10. Moving a User

    11. Redirecting Users to an Alternative OU

    12. Renaming a User

    13. Copying a User

    14. Finding Locked-Out Users

    15. Unlocking a User

    16. Troubleshooting Account Lockout Problems

    17. Viewing the Domain-Wide Account Lockout and Password Policies

    18. Applying a Fine-Grained Password Policy to a User Object

    19. Viewing the Fine-Grained Password Policy That Is in Effect for a User Account

    20. Enabling and Disabling a User

    21. Finding Disabled Users

    22. Viewing a User’s Group Membership

    23. Removing All Group Memberships from a User

    24. Changing a User’s Primary Group

    25. Copying a User’s Group Membership to Another User

    26. Setting a User’s Password

    27. Preventing a User from Changing a Password

    28. Requiring a User to Change a Password at Next Logon

    29. Preventing a User’s Password from Expiring

    30. Finding Users Whose Passwords Are About to Expire

    31. Viewing the RODCs That Have Cached a User’s Password

    32. Setting a User’s Account Options (userAccountControl)

    33. Setting a User’s Account to Expire

    34. Determining a User’s Last Logon Time

    35. Finding Users Who Have Not Logged On Recently

    36. Viewing and Modifying a User’s Permitted Logon Hours

    37. Viewing a User’s Managed Objects

    38. Creating a UPN Suffix for a Forest

    39. Restoring a Deleted User

    40. Protecting a User Against Accidental Deletion

  7. Chapter 7 Groups

    1. Introduction

    2. Creating a Group

    3. Viewing the Permissions of a Group

    4. Viewing the Direct Members of a Group

    5. Viewing the Nested Members of a Group

    6. Adding and Removing Members of a Group

    7. Moving a Group Within a Domain

    8. Moving a Group to Another Domain

    9. Changing the Scope or Type of a Group

    10. Modifying Group Attributes

    11. Delegating Control for Managing Membership of a Group

    12. Resolving a Primary Group ID

    13. Enabling Universal Group Membership Caching

    14. Restoring a Deleted Group

    15. Protecting a Group Against Accidental Deletion

    16. Applying a Fine-Grained Password Policy to a Group Object

  8. Chapter 8 Computer Objects

    1. Introduction

    2. Creating a Computer

    3. Creating a Computer for a Specific User or Group

    4. Deleting a Computer

    5. Joining a Computer to a Domain

    6. Moving a Computer Within the Same Domain

    7. Moving a Computer to a New Domain

    8. Renaming a Computer

    9. Adding or Removing a Computer Account from a Group

    10. Testing the Secure Channel for a Computer

    11. Resetting a Computer Account

    12. Finding Inactive or Unused Computers

    13. Changing the Maximum Number of Computers a User Can Join to the Domain

    14. Modifying the Attributes of a computer Object

    15. Finding Computers with a Particular OS

    16. Binding to the Default Container for Computers

    17. Changing the Default Container for Computers

    18. Listing All the Computer Accounts in a Domain

    19. Identifying a Computer Role

    20. Protecting a Computer Against Accidental Deletion

    21. Viewing the RODCs That Have Cached a Computer’s Password

  9. Chapter 9 Group Policy Objects

    1. Introduction

    2. Finding the GPOs in a Domain

    3. Creating a GPO

    4. Copying a GPO

    5. Deleting a GPO

    6. Viewing the Settings of a GPO

    7. Modifying the Settings of a GPO

    8. Importing Settings into a GPO

    9. Creating a Migration Table

    10. Creating Custom Group Policy Settings

    11. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO

    12. Installing Applications with a GPO

    13. Disabling the User or Computer Settings in a GPO

    14. Listing the Links for a GPO

    15. Creating a GPO Link to an OU

    16. Blocking Inheritance of GPOs on an OU

    17. Enforcing the Settings of a GPO Link

    18. Applying a Security Filter to a GPO

    19. Delegating Administration of GPOs

    20. Importing a Security Template

    21. Creating a WMI Filter

    22. Applying a WMI Filter to a GPO

    23. Configuring Loopback Processing for a GPO

    24. Backing Up a GPO

    25. Restoring a GPO

    26. Simulating the RSoP

    27. Viewing the RSoP

    28. Refreshing GPO Settings on a Computer

    29. Restoring a Default GPO

    30. Creating a Fine-Grained Password Policy

    31. Editing a Fine-Grained Password Policy

    32. Viewing the Effective PSO for a User

  10. Chapter 10 Schema

    1. Introduction

    2. Registering the Active Directory Schema MMC Snap-in

    3. Generating an OID to Use for a New Class or Attribute

    4. Extending the Schema

    5. Preparing the Schema for an Active Directory Upgrade

    6. Documenting Schema Extensions

    7. Adding a New Attribute

    8. Viewing an Attribute

    9. Adding a New Class

    10. Viewing a Class

    11. Indexing an Attribute

    12. Modifying the Attributes That Are Copied When Duplicating a User

    13. Modifying the Attributes Included with ANR

    14. Modifying the Set of Attributes Stored on a Global Catalog

    15. Finding Nonreplicated and Constructed Attributes

    16. Finding the Linked Attributes

    17. Finding the Structural, Auxiliary, Abstract, and 88 Classes

    18. Finding the Mandatory and Optional Attributes of a Class

    19. Modifying the Default Security of a Class

    20. Managing the Confidentiality Bit

    21. Adding an Attribute to the Read-Only Filtered Attribute Set (RO-FAS)

    22. Deactivating Classes and Attributes

    23. Redefining Classes and Attributes

    24. Reloading the Schema Cache

    25. Managing the Schema Master FSMO

  11. Chapter 11 Site Topology

    1. Introduction

    2. Creating a Site

    3. Listing Sites in a Domain

    4. Renaming a Site

    5. Deleting a Site

    6. Delegating Control of a Site

    7. Configuring Universal Group Caching for a Site

    8. Creating a Subnet

    9. Listing the Subnets

    10. Finding Missing Subnets

    11. Deleting a Subnet

    12. Changing a Subnet’s Site Assignment

    13. Creating a Site Link

    14. Finding the Site Links for a Site

    15. Modifying the Sites That Are Part of a Site Link

    16. Modifying the Cost for a Site Link

    17. Enabling Change Notification for a Site Link

    18. Modifying Replication Schedules

    19. Disabling Site Link Transitivity or Site Link Schedules

    20. Creating a Site Link Bridge

    21. Finding the Bridgehead Servers for a Site

    22. Setting a Preferred Bridgehead Server for a Site

    23. Listing the Servers

    24. Moving a Domain Controller to a Different Site

    25. Configuring a Domain Controller to Cover Multiple Sites

    26. Viewing the Site Coverage for a Domain Controller

    27. Disabling Automatic Site Coverage for a Domain Controller

    28. Finding the Site for a Client

    29. Forcing a Host into a Particular Site

    30. Creating a connection Object

    31. Listing the connection Objects for a Server

    32. Finding the ISTG for a Site

    33. Transferring the ISTG to Another Server

    34. Triggering the KCC

    35. Determining Whether the KCC Is Completing Successfully

    36. Disabling the KCC for a Site

    37. Changing the Interval at Which the KCC Runs

  12. Chapter 12 Replication

    1. Introduction

    2. Determining Whether Two Domain Controllers Are in Sync

    3. Viewing the Replication Status of Several Domain Controllers

    4. Viewing Unreplicated Changes Between Two Domain Controllers

    5. Forcing Replication from One Domain Controller to Another

    6. Enabling and Disabling Replication

    7. Changing the Intra-Site Replication Notification Interval

    8. Changing the Inter-Site Replication Interval

    9. Disabling Inter-Site Compression of Replication Traffic

    10. Checking for Potential Replication Problems

    11. Enabling Enhanced Logging of Replication Events

    12. Enabling Strict or Loose Replication Consistency

    13. Finding conflict Objects

    14. Finding Orphaned Objects

    15. Listing the Replication Partners for a DC

    16. Viewing Object Metadata

  13. Chapter 13 DNS and DHCP

    1. Introduction

    2. Creating a Forward Lookup Zone

    3. Creating a Reverse Lookup Zone

    4. Viewing a Server’s Zones

    5. Converting a Zone to an AD Integrated Zone

    6. Moving AD Integrated Zones into an Application Partition

    7. Configuring Zone Transfers

    8. Configuring Forwarding

    9. Configuring Conditional Forwarding

    10. Delegating Control of an Active Directory Integrated Zone

    11. Creating and Deleting Resource Records

    12. Querying Resource Records

    13. Modifying the DNS Server Configuration

    14. Scavenging Old Resource Records

    15. Clearing the DNS Cache

    16. Verifying That a Domain Controller Can Register Its Resource Records

    17. Enabling DNS Server Debug Logging

    18. Registering a Domain Controller’s Resource Records

    19. Deregistering a Domain Controller’s Resource Records

    20. Preventing a Domain Controller from Dynamically Registering All Resource Records

    21. Preventing a Domain Controller from Dynamically Registering Certain Resource Records

    22. Allowing Computers to Use a Domain Suffix That Is Different from Their AD Domain

    23. Authorizing a DHCP Server

    24. Restricting DHCP Administrators

  14. Chapter 14 Security and Authentication

    1. Introduction

    2. Enabling SSL/TLS

    3. Securing LDAP Traffic with SSL, TLS, or Signing

    4. Disabling LDAP Signing

    5. Enabling Anonymous LDAP Access

    6. Using the Delegation of Control Wizard

    7. Customizing the Delegation of Control Wizard

    8. Revoking Delegated Permissions

    9. Viewing the ACL for an Object

    10. Customizing the ACL Editor

    11. Viewing the Effective Permissions on an Object

    12. Configuring Permission Inheritance

    13. Changing the ACL of an Object

    14. Changing the Default ACL for an Object Class in the Schema

    15. Comparing the ACL of an Object to the Default Defined in the Schema

    16. Resetting an Object’s ACL to the Default Defined in the Schema

    17. Enabling Strong Domain Authentication

    18. Enabling List Object Access Mode

    19. Modifying the ACL on Administrator Accounts

    20. Viewing and Purging Your Kerberos Tickets

    21. Forcing Kerberos to Use TCP

    22. Modifying Kerberos Settings

    23. Viewing Access Tokens

    24. Creating a Claim Type

    25. Creating a Resource Property

    26. Configuring a Central Access Rule

    27. Creating a Central Access Policy

    28. Applying a Central Access Policy

    29. Enabling Domain Controller Support for Claims and Compound Authentication

    30. Enabling Claims for Devices in a Domain

  15. Chapter 15 Logging, Monitoring, and Quotas

    1. Introduction

    2. Enabling Diagnostics Logging

    3. Enabling NetLogon Logging

    4. Enabling GPO Client Logging

    5. Enabling Kerberos Logging

    6. Viewing DNS Server Performance Statistics

    7. Monitoring the Windows Time Service

    8. Enabling Inefficient and Expensive LDAP Query Logging

    9. Using the STATS Control to View LDAP Query Statistics

    10. Monitoring the Performance of Active Directory

    11. Using Perfmon Trace Logs to Monitor Active Directory

    12. Creating an Administrative Alert

    13. Emailing an Administrator on a Performance Alert

    14. Enabling Auditing of Directory Access

    15. Enabling Auditing of Registry Keys

    16. Creating a Quota

    17. Finding the Quotas Assigned to a Security Principal

    18. Changing How Tombstone Objects Count Against Quota Usage

    19. Setting the Default Quota for All Security Principals in a Partition

    20. Finding the Quota Usage for a Security Principal

  16. Chapter 16 Backup, Recovery, DIT Maintenance, and Deleted Objects

    1. Introduction

    2. Backing Up the Active Directory Database

    3. Creating an Active Directory Snapshot

    4. Mounting an Active Directory Snapshot

    5. Accessing Active Directory Snapshot Data

    6. Restarting a Domain Controller in Directory Services Repair Mode

    7. Resetting the Directory Services Repair Mode Administrator Password

    8. Performing a Nonauthoritative Restore

    9. Performing an Authoritative Restore of an Object or Subtree

    10. Performing a Complete Authoritative Restore

    11. Checking the DIT File’s Integrity

    12. Moving the DIT Files

    13. Repairing or Recovering the DIT

    14. Performing an Online Defrag Manually

    15. Performing a Database Recovery

    16. Creating a Reserve File

    17. Determining How Much Whitespace Is in the DIT

    18. Performing an Offline Defrag to Reclaim Space

    19. Changing the Garbage Collection Interval

    20. Logging the Number of Expired Tombstone Objects

    21. Determining the Size of the Active Directory Database

    22. Searching for Deleted Objects

    23. Undeleting a Single Object

    24. Undeleting a Container Object

    25. Modifying the Tombstone Lifetime for a Domain

  17. Chapter 17 Application Partitions

    1. Introduction

    2. Creating and Deleting an Application Partition

    3. Finding the Application Partitions in a Forest

    4. Adding or Removing a Replica Server for an Application Partition

    5. Finding the Replica Servers for an Application Partition

    6. Finding the Application Partitions Hosted by a Server

    7. Verifying Application Partitions Are Instantiated Correctly on a Server

    8. Setting the Replication Notification Delay for an Application Partition

    9. Setting the Reference Domain for an Application Partition

    10. Delegating Control of Managing an Application Partition

  18. Chapter 18 Active Directory Lightweight Directory Services

    1. Introduction

    2. Installing AD LDS

    3. Creating a New AD LDS Instance

    4. Creating a New Replica of an AD LDS Configuration Set

    5. Stopping and Starting an AD LDS Instance

    6. Changing the Ports Used by an AD LDS Instance

    7. Listing the AD LDS Instances Installed on a Computer

    8. Extending the AD LDS Schema

    9. Managing AD LDS Application Partitions

    10. Managing AD LDS Organizational Units

    11. Managing AD LDS Users

    12. Changing the Password for an AD LDS User

    13. Enabling and Disabling an AD LDS User

    14. Creating AD LDS Groups

    15. Managing AD LDS Group Memberships

    16. Viewing and Modifying AD LDS Object Attributes

    17. Importing Data into an AD LDS Instance

    18. Configuring Intra-Site Replication

    19. Forcing AD LDS Replication

    20. Managing AD LDS Replication Authentication

    21. Managing AD LDS Permissions

    22. Enabling Auditing of AD LDS Access

  19. Chapter 19 Active Directory Federation Services

    1. Introduction

    2. Installing AD FS Prerequisites

    3. Installing the AD FS Federation Service

    4. Configuring an LDAP Attribute Store

    5. Configuring a Microsoft SQL Server Attribute Store

    6. Creating Claim Descriptions

    7. Creating a Relying Party Trust

    8. Configuring a Claims Provider Trust

    9. Configuring an Alternate UPN Suffix

    10. Configuring AD FS 2.x and AD FS 1.x Interoperability

    11. Configuring Logging for AD FS

  20. Chapter 20 Microsoft Exchange Server 2013

    1. Introduction

    2. Exchange Server and Active Directory

    3. Exchange Server 2013 Architecture

    4. Finding Exchange Server Cmdlets

    5. Preparing Active Directory for Exchange

    6. Installing the First Exchange Server 2013 Server in an Organization

    7. Creating Unattended Installation Files for Exchange Server

    8. Installing Exchange Management Tools

    9. Stopping and Starting Exchange Server

    10. Mail-Enabling a User

    11. Mail-Disabling a User

    12. Mailbox-Enabling a User

    13. Deleting a User’s Mailbox

    14. Moving a Mailbox

    15. Viewing Mailbox Sizes and Message Counts

    16. Configuring Mailbox Limits

    17. Creating an Address List

    18. Creating a Database Availability Group

    19. Creating a Mailbox Database

    20. Enabling or Disabling Anti-Malware Scanning

    21. Enabling Message Tracking

  21. Chapter 21 Microsoft Forefront Identity Manager

    1. Introduction

    2. Creating a SQL Server Management Agent

    3. Creating an Active Directory Management Agent

    4. Setting Up a Metaverse Object Deletion Rule

    5. Setting Up a Simple Import Attribute Flow

    6. Setting Up a Simple Export Attribute Flow to Active Directory

    7. Defining an Advanced Import Attribute Flow

    8. Implementing an Advanced Attribute Flow Rules Extension

    9. Setting Up Advanced Export Attribute Flow in Active Directory

    10. Configuring a Run Profile to Do an Initial Load of Data from a SQL Server Management Agent

    11. Loading Initial SQL Server Database Data into FIM 2010 R2 Using a Run Profile

    12. Configuring a Run Profile to Load the Container Structure from Active Directory

    13. Loading the Initial Active Directory Container Structure into FIM 2010 R2 Using a Run Profile

    14. Setting Up a SQL Server Management Agent to Project Objects to the Metaverse

    15. Writing a Rules Extension to Provision User Objects

    16. Creating a Run Profile for Provisioning

    17. Executing the Provisioning Rule

    18. Creating a Run Profile to Export Objects from the AD MA to Active Directory

    19. Exporting Objects to Active Directory Using an Export Run Profile

    20. Creating a Run Profile Script

    21. Creating a Controlling Script

    22. Enabling Directory Synchronization from Active Directory to the HR Database

    23. Configuring a Run Profile to Load the telephoneNumber from Active Directory

    24. Loading telephoneNumber Changes from AD into FIM Using a Delta Import/Delta Sync Run Profile

    25. Exporting telephoneNumber Data to a SQL Server Database

    26. Using a SQL Server MA Export Run Profile to Export the telephoneNumber to a SQL Server Database

    27. Searching Data in the Connector Space

    28. Searching Data in the Metaverse

    29. Deleting Data in the Connector Space and Metaverse

    30. Extending Object Types to Include a New Attribute

    31. Previewing Changes to the FIM Configuration

    32. Committing Changes to Individual Identities Using the Commit Preview Feature

    33. Passing Data Between Rules Extensions Using Transaction Properties

    34. Using a Single Rules Extension to Affect Multiple Attribute Flows

    35. Flowing a Null Value to a Data Source

    36. Importing and Decoding the accountExpires Attribute

    37. Exporting and Encoding the accountExpires Attribute

  22. Colophon