Active Directory Cookbook

Larger Cover

By Robbie Allen

Publisher: O'Reilly Media

Released: September 2003

Pages: 624

Those of you who run networks on Windows 2000 know the benefits of using Active Directory for managing user information and permissions. You also know what a bear it can be. The newer version included with Windows Server 2003 has over 100 new and updated features to simplify deployment, but once it's in place many system administrators still find Active Directory challenging. If you're among those looking for practical hands-on support, help is here with our new Active Directory Cookbook for Windows Server 2003 & Windows 2000, a unique problem-solving guide that offers quick answers for both versions of the directory.

The book contains hundreds of step-by-step solutions for both common and uncommon problems that you might encounter with Active Directory on a daily basis--including recipes to deal with the Lightweight Directory Access Protocol (LDAP), multi-master replication, Domain Name System (DNS), Group Policy, the Active Directory Schema, and many other features. Author Robbie Allen, a Senior Systems Architect at Cisco Systems and co-author of our Active Directory tutorial, based this collection of troubleshooting recipes on his own experience, along with input from Windows administrators throughout the industry. Each recipe includes a discussion to explain how and why the solution works, so you can adapt the problem-solving techniques to similar situations.

If your company is considering an upgrade from Windows NT or 2000 to Windows Server 2003, the Active Directory Cookbook for Windows Server 2003 & Windows 2000 will help reduce the time and trouble it takes to configure and deploy Active Directory for your network.

This Cookbook is also a perfect companion to Active Directory, the tutorial that experts hail as the best source for understanding Microsoft's network directory service. While Active Directory provides the big picture, Active Directory Cookbook for Windows Server 2003 & Windows 2000 gives you the quick solutions you need to cope with day-to-day dilemmas. Together, these books supply the knowledge and tools so you can get the most out of Active Directory to manage users, groups, computers, domains, organizational units, and security policies on your network.

Chapter 1 Getting Started
1. Approach to the Book
2. Where to Find the Tools
3. Getting Familiar with LDIF
4. Programming Notes
5. Replaceable Text
6. Where to Find More Information
Chapter 2 Forests, Domains, and Trusts
1. Introduction
2. Creating a Forest
3. Removing a Forest
4. Creating a Domain
5. Removing a Domain
6. Removing an Orphaned Domain
7. Finding the Domains in a Forest
8. Finding the NetBIOS Name of a Domain
9. Renaming a Domain
10. Changing the Mode of a Domain
11. Using ADPrep to Prepare a Domain or Forest for Windows Server 2003
12. Determining if ADPrep Has Completed
13. Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003
14. Raising the Functional Level of a Windows Server 2003 Domain
15. Raising the Functional Level of a Windows Server 2003 Forest
16. Creating a Trust Between a Windows NT Domain and an AD Domain
17. Creating a Transitive Trust Between Two AD Forests
18. Creating a Shortcut Trust Between Two AD Domains
19. Creating a Trust to a Kerberos Realm
20. Viewing the Trusts for a Domain
21. Verifying a Trust
22. Resetting a Trust
23. Removing a Trust
24. Enabling SID Filtering for a Trust
25. Finding Duplicate SIDs in a Domain
Chapter 3 Domain Controllers, Global Catalogs, and FSMOs
1. Introduction
2. Promoting a Domain Controller
3. Promoting a Domain Controller from Media
4. Demoting a Domain Controller
5. Automating the Promotion or Demotion of a Domain Controller
6. Troubleshooting Domain Controller Promotion or Demotion Problems
7. Removing an Unsuccessfully Demoted Domain Controller
8. Renaming a Domain Controller
9. Finding the Domain Controllers for a Domain
10. Finding the Closest Domain Controller
11. Finding a Domain Controller’s Site
12. Moving a Domain Controller to a Different Site
13. Finding the Services a Domain Controller Is Advertising
14. Configuring a Domain Controller to Use an External Time Source
15. Finding the Number of Logon Attempts Made Against a Domain Controller
16. Enabling the /3GB Switch to Increase the LSASS Cache
17. Cleaning Up Distributed Link Tracking Objects
18. Enabling and Disabling the Global Catalog
19. Determining if Global Catalog Promotion Is Complete
20. Finding the Global Catalog Servers in a Forest
21. Finding the Domain Controllers or Global Catalog Servers in a Site
22. Finding Domain Controllers and Global Catalogs via DNS
23. Changing the Preference for a Domain Controller
24. Disabling the Global Catalog Requirement During a Windows 2000 Domain Login
25. Disabling the Global Catalog Requirement During a Windows 2003 Domain Login
26. Finding the FSMO Role Holders
27. Transferring a FSMO Role
28. Seizing a FSMO Role
29. Finding the PDC Emulator FSMO Role Owner via DNS
Chapter 4 Searching and Manipulating Objects
1. Introduction
2. Viewing the RootDSE
3. Viewing the Attributes of an Object
4. Using LDAP Controls
5. Using a Fast or Concurrent Bind
6. Searching for Objects in a Domain
7. Searching the Global Catalog
8. Searching for a Large Number of Objects
9. Searching with an Attribute-Scoped Query
10. Searching with a Bitwise Filter
11. Creating an Object
12. Modifying an Object
13. Modifying a Bit-Flag Attribute
14. Dynamically Linking an Auxiliary Class
15. Creating a Dynamic Object
16. Refreshing a Dynamic Object
17. Modifying the Default TTL Settings for Dynamic Objects
18. Moving an Object to a Different OU or Container
19. Moving an Object to a Different Domain
20. Renaming an Object
21. Deleting an Object
22. Deleting a Container That Has Child Objects
23. Viewing the Created and Last Modified Timestamp of an Object
24. Modifying the Default LDAP Query Policy
25. Exporting Objects to an LDIF File
26. Importing Objects Using an LDIF File
27. Exporting Objects to a CSV File
28. Importing Objects Using a CSV File
Chapter 5 Organizational Units
1. Introduction
2. Creating an OU
3. Enumerating the OUs in a Domain
4. Enumerating the Objects in an OU
5. Deleting the Objects in an OU
6. Deleting an OU
7. Moving the Objects in an OU to a Different OU
8. Moving an OU
9. Determining How Many Child Objects an OU Has
10. Delegating Control of an OU
11. Allowing OUs to Be Created Within Containers
12. Linking a GPO to an OU
Chapter 6 Users
1. Introduction
2. Creating a User
3. Creating a Large Number of Users
4. Creating an inetOrgPerson User
5. Modifying an Attribute for Several Users at Once
6. Moving a User
7. Renaming a User
8. Copying a User
9. Unlocking a User
10. Finding Locked Out Users
11. Troubleshooting Account Lockout Problems
12. Viewing the Account Lockout and Password Policies
13. Enabling and Disabling a User
14. Finding Disabled Users
15. Viewing a User’s Group Membership
16. Changing a User’s Primary Group
17. Transferring a User’s Group Membership to Another User
18. Setting a User’s Password
19. Setting a User’s Password via LDAP
20. Setting a User’s Password via Kerberos
21. Preventing a User from Changing His Password
22. Requiring a User to Change Her Password at Next Logon
23. Preventing a User’s Password from Expiring
24. Finding Users Whose Passwords Are About to Expire
25. Setting a User’s Account Options (userAccountControl)
26. Setting a User’s Account to Expire in the Future
27. Finding Users Whose AccountsAre About to Expire
28. Determining a User’s Last Logon Time
29. Finding Users Who Have Not Logged On Recently
30. Setting a User’s Profile Attributes
31. Viewing a User’s Managed Objects
32. Modifying the Default Display Name Used When Creating Users in ADUC
33. Creating a UPN Suffix for a Forest
Chapter 7 Groups
1. Introduction
2. Creating a Group
3. Viewing the Direct Members of a Group
4. Viewing the Nested Members of a Group
5. Adding and Removing Members of a Group
6. Moving a Group
7. Changing the Scope or Type of a Group
8. Delegating Control for Managing Membership of a Group
9. Resolving a Primary Group ID
10. Enabling Universal Group Membership Caching
Chapter 8 Computers
1. Introduction
2. Creating a Computer
3. Creating a Computer for a Specific User or Group
4. Joining a Computer to a Domain
5. Moving a Computer
6. Renaming a Computer
7. Testing the Secure Channel for a Computer
8. Resetting a Computer
9. Finding Inactive or Unused Computers
10. Changing the Maximum Number of Computers a User Can Join to the Domain
11. Finding Computers with a Particular OS
12. Binding to the Default Container for Computers
13. Changing the Default Container for Computers
Chapter 9 Group Policy Objects (GPOs)
1. Introduction
2. Finding the GPOs in a Domain
3. Creating a GPO
4. Copying a GPO
5. Deleting a GPO
6. Viewing the Settings of a GPO
7. Modifying the Settings of a GPO
8. Importing Settings into a GPO
9. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
10. Installing Applications with a GPO
11. Disabling the User or Computer Settings in a GPO
12. Listing the Links for GPO
13. Creating a GPO Link to an OU
14. Blocking Inheritance of GPOs on an OU
15. Applying a Security Filter to a GPO
16. Creating a WMI Filter
17. Applying a WMI Filter to a GPO
18. Backing Up a GPO
19. Restoring a GPO
20. Simulating the RSoP
21. Viewing the RSoP
22. Refreshing GPO Settings on a Computer
23. Restoring a Default GPO
Chapter 10 Schema
1. Introduction
2. Registering the Active Directory Schema MMC Snap-in
3. Enabling Schema Updates
4. Generating an OID to Use for a New Class or Attribute
5. Generating a GUID to Use for a New Class or Attribute
6. Extending the Schema
7. Documenting Schema Extensions
8. Adding a New Attribute
9. Viewing an Attribute
10. Adding a New Class
11. Viewing a Class
12. Indexing an Attribute
13. Modifying the Attributes That Are Copied When Duplicating a User
14. Modifying the Attributes Included with Ambiguous Name Resolution
15. Adding or Removing an Attribute in the Global Catalog
16. Finding the Nonreplicated and Constructed Attributes
17. Finding the Linked Attributes
18. Finding the Structural, Auxiliary, Abstract, and 88 Classes
19. Finding the Mandatory and Optional Attributes of a Class
20. Modifying the Default Security of a Class
21. Deactivating Classes and Attributes
22. Redefining Classes and Attributes
23. Reloading the Schema Cache
Chapter 11 Site Topology
1. Introduction
2. Creating a Site
3. Listing the Sites
4. Deleting a Site
5. Creating a Subnet
6. Listing the Subnets
7. Finding Missing Subnets
8. Creating a Site Link
9. Finding the Site Links for a Site
10. Modifying the Sites That Are Part of a Site Link
11. Modifying the Cost for a Site Link
12. Disabling Site Link Transitivity or Site Link Schedules
13. Creating a Site Link Bridge
14. Finding the Bridgehead Servers for a Site
15. Setting a Preferred Bridgehead Server for a Site
16. Listing the Servers
17. Moving a Domain Controller to a Different Site
18. Configuring a Domain Controller to Cover Multiple Sites
19. Viewing the Site Coverage for a Domain Controller
20. Disabling Automatic Site Coverage for a Domain Controller
21. Finding the Site for a Client
22. Forcing a Host to a Particular Site
23. Creating a Connection Object
24. Listing the Connection Objects for a Server
25. Load-Balancing Connection Objects
26. Finding the ISTG for a Site
27. Transferring the ISTG to Another Server
28. Triggering the KCC
29. Determining if the KCC Is Completing Successfully
30. Disabling the KCC for a Site
31. Changing the Interval at Which the KCC Runs
Chapter 12 Replication
1. Introduction
2. Determining if Two Domain Controllers Are in Sync
3. Viewing the Replication Status of Several Domain Controllers
4. Viewing Unreplicated Changes Between Two Domain Controllers
5. Forcing Replication from One Domain Controller to Another
6. Changing the Intra-Site Replication Interval
7. Changing the Inter-Site Replication Interval
8. Disabling Inter-Site Compression of Replication Traffic
9. Checking for Potential Replication Problems
10. Enabling Enhanced Logging of Replication Events
11. Enabling Strict or Loose Replication Consistency
12. Finding Conflict Objects
13. Viewing Object Metadata
Chapter 13 Domain Name System (DNS)
1. Introduction
2. Creating a Forward Lookup Zone
3. Creating a Reverse Lookup Zone
4. Viewing a Server’s Zones
5. Converting a Zone to an AD-Integrated Zone
6. Moving AD-Integrated Zones into an Application Partition
7. Delegating Control of a Zone
8. Creating and Deleting Resource Records
9. Querying Resource Records
10. Modifying the DNS Server Configuration
11. Scavenging Old Resource Records
12. Clearing the DNS Cache
13. Verifying That a Domain Controller Can Register Its Resource Records
14. Registering a Domain Controller’s Resource Records
15. Preventing a Domain Controller from Dynamically Registering All Resource Records
16. Preventing a Domain Controller from Dynamically Registering Certain Resource Records
17. Deregistering a Domain Controller’s Resource Records
18. Allowing Computers to Use a Different Domain Suffix from Their AD Domain
Chapter 14 Security and Authentication
1. Introduction
2. Enabling SSL/TLS
3. Encrypting LDAP Traffic with SSL, TLS, or Signing
4. Enabling Anonymous LDAP Access
5. Restricting Hosts from Performing LDAP Queries
6. Using the Delegation of Control Wizard
7. Customizing the Delegation of Control Wizard
8. Viewing the ACL for an Object
9. Customizing the ACL Editor
10. Viewing the Effective Permissions on an Object
11. Changing the ACL of an Object
12. Changing the Default ACL for an Object Class in the Schema
13. Comparing the ACL of an Object to the Default Defined in the Schema
14. Resetting an Object’s ACL to the Default Defined in the Schema
15. Preventing the LM Hash of a Password from Being Stored
16. Enabling List Object Access Mode
17. Modifying the ACL on Administrator Accounts
18. Viewing and Purging Your Kerberos Tickets
19. Forcing Kerberos to Use TCP
20. Modifying Kerberos Settings
Chapter 15 Logging, Monitoring, and Quotas
1. Introduction
2. Enabling Extended dcpromo Logging
3. Enabling Diagnostics Logging
4. Enabling NetLogon Logging
5. Enabling GPO Client Logging
6. Enabling Kerberos Logging
7. Enabling DNS Server Debug Logging
8. Viewing DNS Server Performance Statistics
9. Enabling Inefficient and Expensive LDAP Query Logging
10. Using the STATS Control to View LDAP Query Statistics
11. Using Perfmon to Monitor AD
12. Using Perfmon Trace Logs to Monitor AD
13. Enabling Auditing of Directory Access
14. Creating a Quota
15. Finding the Quotas Assigned to a Security Principal
16. Changing How Tombstone Objects Count Against Quota Usage
17. Setting the Default Quota for All Security Principals in a Partition
18. Finding the Quota Usage for a Security Principal
Chapter 16 Backup, Recovery, DIT Maintenance, and Deleted Objects
1. Introduction
2. Backing Up Active Directory
3. Restarting a Domain Controller in Directory Services Restore Mode
4. Resetting the Directory Service Restore Mode Administrator Password
5. Performing a Nonauthoritative Restore
6. Performing an Authoritative Restore of an Object or Subtree
7. Performing a Complete Authoritative Restore
8. Checking the DIT File’s Integrity
9. Moving the DIT Files
10. Repairing or Recovering the DIT
11. Performing an Online Defrag Manually
12. Determining How Much Whitespace Is in the DIT
13. Performing an Offline Defrag to Reclaim Space
14. Changing the Garbage Collection Interval
15. Logging the Number of Expired Tombstone Objects
16. Determining the Size of the Active Directory Database
17. Searching for Deleted Objects
18. Restoring a Deleted Object
19. Modifying the Tombstone Lifetime for a Domain
Chapter 17 Application Partitions
1. Introduction
2. Creating and Deleting an Application Partition
3. Finding the Application Partitions in a Forest
4. Adding or Removing a Replica Server for an Application Partition
5. Finding the Replica Servers for an Application Partition
6. Finding the Application Partitions Hosted by a Server
7. Verifying Application Partitions Are Instantiated on a Server Correctly
8. Setting the Replication Notification Delay for an Application Partition
9. Setting the Reference Domain for an Application Partition
10. Delegating Control of Managing an Application Partition
Chapter 18 Interoperability and Integration
1. Introduction
2. Accessing AD from a Non-Windows Platform
3. Programming with .NET
4. Programming with DSML
5. Programming with Perl
6. Programming with Java
7. Programming with Python
8. Integrating with MIT Kerberos
9. Integrating with Samba
10. Integrating with Apache
11. Replacing NIS
12. Using BIND for DNS
13. Authorizing a Microsoft DHCP Server
14. Using VMWare for Testing AD

Appendix Tool List
Colophon

Title:

Active Directory Cookbook

By:

Robbie Allen

Publisher:

O'Reilly Media

Formats:

Print
Safari Books Online

Print:

September 2003

Pages:

624

Print ISBN:

978-0-596-00464-4

| ISBN 10:

0-596-00464-8

Colophon

Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects. The animal on the cover of Active Directory Cookbook for Windows Server 2003 & Windows 2000 is a bluefin tuna (Thunnus thynnus), also known as a horse mackerel. It inhabits both the Atlantic and Pacific Oceans in temperate and subtropical waters. The body of a bluefin tuna is a metallic, deep blue on top, while the undersides and belly are silvery white. The first dorsal fin is yellow or blue; the second is redor brown. The rear fin and finlets are yellow, edged with black. The central caudal keel is black.

The bluefin tuna is one of the largest and fastest species of marine fish. An adult can weigh as much as 1,500 pounds (680 kilograms), and can swim up to speeds of 55 miles per hour (88.5 kilometers per hour). A bluefin tuna can swim across the Atlantic Ocean in 40 days. Recent pop-up satellite tracking has revealed that the bluefin tuna can dive to depths greater than 3,000 feet in a matter of minutes and still maintain a body temperature of 77 degrees Fahrenheit (25 degrees Celsius), even in near-freezing water.

Commercial fishing has reduced the stock of bluefin tuna to the extent that a single fish, once caught, can be worth up to $40,000 (U.S.). However, the situation is reversible, and the numbers of tuna could increase if the guidelines of the International Commission for the Conservation of Atlantic Tuna (ICCAT), an intergovernmental fishing organization that oversees tuna, are followed. Matt Hutchinson was the production editor for Active Directory Cookbook for Windows Server 2003 & Windows 2000. Genevieve d'Entremont, Marlowe Shaeffer, and Darren Kelly provided quality control. Octal Publishing, Inc. provided production services.

Ellie Volckhausen designed the cover of this book, based on a series design by Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Emma Colby produced the cover layout with QuarkXPress 4.1 using Adobe's ITC Garamond font.

David Futato designedthe interior layout. This book was converted by Julie Hawks to FrameMaker 5.5.6 with a format conversion tool created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano and Jessamyn Read using Macromedia FreeHand 9 and Adobe Photoshop 6. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Reg Aubry.

Description

Table of Contents

Product Details

About the Author

Colophon

Recommended for You

Chapter 1 Getting Started

Approach to the Book

Where to Find the Tools

Getting Familiar with LDIF

Programming Notes

Replaceable Text

Where to Find More Information

Chapter 2 Forests, Domains, and Trusts

Introduction

Creating a Forest

Removing a Forest

Creating a Domain

Removing a Domain

Removing an Orphaned Domain

Finding the Domains in a Forest

Finding the NetBIOS Name of a Domain

Renaming a Domain

Changing the Mode of a Domain

Using ADPrep to Prepare a Domain or Forest for Windows Server 2003

Determining if ADPrep Has Completed

Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003

Raising the Functional Level of a Windows Server 2003 Domain

Raising the Functional Level of a Windows Server 2003 Forest

Creating a Trust Between a Windows NT Domain and an AD Domain

Creating a Transitive Trust Between Two AD Forests

Creating a Shortcut Trust Between Two AD Domains

Creating a Trust to a Kerberos Realm

Viewing the Trusts for a Domain

Verifying a Trust

Resetting a Trust

Removing a Trust

Enabling SID Filtering for a Trust

Finding Duplicate SIDs in a Domain

Chapter 3 Domain Controllers, Global Catalogs, and FSMOs

Introduction

Promoting a Domain Controller

Promoting a Domain Controller from Media

Demoting a Domain Controller

Automating the Promotion or Demotion of a Domain Controller

Troubleshooting Domain Controller Promotion or Demotion Problems

Removing an Unsuccessfully Demoted Domain Controller

Renaming a Domain Controller

Finding the Domain Controllers for a Domain

Finding the Closest Domain Controller

Finding a Domain Controller’s Site

Moving a Domain Controller to a Different Site

Finding the Services a Domain Controller Is Advertising

Configuring a Domain Controller to Use an External Time Source

Finding the Number of Logon Attempts Made Against a Domain Controller

Enabling the /3GB Switch to Increase the LSASS Cache

Cleaning Up Distributed Link Tracking Objects

Enabling and Disabling the Global Catalog

Determining if Global Catalog Promotion Is Complete

Finding the Global Catalog Servers in a Forest

Finding the Domain Controllers or Global Catalog Servers in a Site

Finding Domain Controllers and Global Catalogs via DNS

Changing the Preference for a Domain Controller

Disabling the Global Catalog Requirement During a Windows 2000 Domain Login

Disabling the Global Catalog Requirement During a Windows 2003 Domain Login

Finding the FSMO Role Holders

Transferring a FSMO Role

Seizing a FSMO Role

Finding the PDC Emulator FSMO Role Owner via DNS

Chapter 4 Searching and Manipulating Objects

Introduction

Viewing the RootDSE

Viewing the Attributes of an Object

Using LDAP Controls

Using a Fast or Concurrent Bind

Searching for Objects in a Domain

Searching the Global Catalog

Searching for a Large Number of Objects

Searching with an Attribute-Scoped Query

Searching with a Bitwise Filter

Creating an Object

Modifying an Object

Modifying a Bit-Flag Attribute

Dynamically Linking an Auxiliary Class

Creating a Dynamic Object

Refreshing a Dynamic Object