Table of Contents

  1. Chapter 1 Getting Started

    1. Approach to the Book

    2. Where to Find the Tools

    3. Getting Familiar with LDIF

    4. Programming Notes

    5. Replaceable Text

    6. Where to Find More Information

  2. Chapter 2 Forests, Domains, and Trusts

    1. Introduction

    2. Creating a Forest

    3. Removing a Forest

    4. Creating a Domain

    5. Removing a Domain

    6. Removing an Orphaned Domain

    7. Finding the Domains in a Forest

    8. Finding the NetBIOS Name of a Domain

    9. Renaming a Domain

    10. Raising the Domain Mode to Windows 2000 Native Mode

    11. Viewing and Raising the Functional Level of a Windows Server 2003 or 2008 Domain

    12. Raising the Functional Level of a Windows Server 2003 or 2008 Forest

    13. Using AdPrep to Prepare a Domain or Forest for Windows Server 2003 or 2008

    14. Determining Whether AdPrep Has Completed

    15. Checking If a Windows Domain Controller Can Be Upgraded to Windows Server 2003 or 2008

    16. Creating an External Trust

    17. Creating a Transitive Trust Between Two AD Forests

    18. Creating a Shortcut Trust Between Two AD Domains

    19. Creating a Trust to a Kerberos Realm

    20. Viewing the Trusts for a Domain

    21. Verifying a Trust

    22. Resetting a Trust

    23. Removing a Trust

    24. Enabling SID Filtering for a Trust

    25. Enabling Quarantine for a Trust

    26. Managing Selective Authentication for a Trust

    27. Finding Duplicate SIDs in a Domain

    28. Adding Additional Fields to Active Directory Users and Computers

  3. Chapter 3 Domain Controllers, Global Catalogs, and FSMOs

    1. Introduction

    2. Promoting a Domain Controller

    3. Promoting a Read-Only Domain Controller

    4. Performing a Two-Stage RODC Installation

    5. Modifying the Password Replication Policy

    6. Promoting a Windows Server 2003 Domain Controller from Media

    7. Promoting a Windows Server 2008 Domain Controller from Media

    8. Demoting a Domain Controller

    9. Automating the Promotion or Demotion of a Domain Controller

    10. Troubleshooting Domain Controller Promotion or Demotion Problems

    11. Verifying the Promotion of a Domain Controller

    12. Removing an Unsuccessfully Demoted Domain Controller

    13. Renaming a Domain Controller

    14. Finding the Domain Controllers for a Domain

    15. Finding the Closest Domain Controller

    16. Finding a Domain Controller’s Site

    17. Moving a Domain Controller to a Different Site

    18. Finding the Services a Domain Controller Is Advertising

    19. Restoring a Deleted Domain Controller

    20. Resetting the TCP/IP Stack on a Domain Controller

    21. Configuring a Domain Controller to Use an External Time Source

    22. Finding the Number of Logon Attempts Made Against a Domain Controller

    23. Enabling the /3GB Switch to Increase the LSASS Cache

    24. Cleaning Up Distributed Link Tracking Objects

    25. Enabling and Disabling the Global Catalog

    26. Determining Whether Global Catalog Promotion Is Complete

    27. Finding the Global Catalog Servers in a Forest

    28. Finding the Domain Controllers or Global Catalog Servers in a Site

    29. Finding Domain Controllers and Global Catalogs via DNS

    30. Changing the Preference for a Domain Controller

    31. Disabling the Global Catalog Requirement During a Domain Login

    32. Disabling the Global Catalog Requirement for Windows Server 2003 or Windows Server 2008

    33. Finding the FSMO Role Holders

    34. Transferring a FSMO Role

    35. Seizing a FSMO Role

    36. Finding the PDC Emulator FSMO Role Owner via DNS

    37. Finding the PDC Emulator FSMO Role Owner via WINS

  4. Chapter 4 Searching and Manipulating Objects

    1. Introduction

    2. Viewing the RootDSE

    3. Viewing the Attributes of an Object

    4. Counting Objects in Active Directory

    5. Using LDAP Controls

    6. Using a Fast or Concurrent Bind

    7. Connecting to an Object GUID

    8. Connecting to a Well-Known GUID

    9. Searching for Objects in a Domain

    10. Searching the Global Catalog

    11. Searching for a Large Number of Objects

    12. Searching with an Attribute-Scoped Query

    13. Searching with a Bitwise Filter

    14. Creating an Object

    15. Modifying an Object

    16. Modifying a Bit Flag Attribute

    17. Dynamically Linking an Auxiliary Class

    18. Creating a Dynamic Object

    19. Refreshing a Dynamic Object

    20. Modifying the Default TTL Settings for Dynamic Objects

    21. Moving an Object to a Different OU or Container

    22. Moving an Object to a Different Domain

    23. Referencing an External Domain

    24. Renaming an Object

    25. Deleting an Object

    26. Deleting a Container That Has Child Objects

    27. Viewing the Created and Last Modified Timestamp of an Object

    28. Modifying the Default LDAP Query Policy

    29. Exporting Objects to an LDIF File

    30. Importing Objects Using an LDIF File

    31. Exporting Objects to a CSV File

    32. Importing Objects Using a CSV File

  5. Chapter 5 Organizational Units

    1. Introduction

    2. Creating an OU

    3. Enumerating the OUs in a Domain

    4. Finding an OU

    5. Enumerating the Objects in an OU

    6. Deleting the Objects in an OU

    7. Deleting an OU

    8. Moving the Objects in an OU to a Different OU

    9. Moving an OU

    10. Renaming an OU

    11. Modifying an OU

    12. Determining Approximately How Many Child Objects an OU Has

    13. Delegating Control of an OU

    14. Assigning or Removing a Manager for an OU

    15. Linking a GPO to an OU

    16. Protecting an OU Against Accidental Deletion

  6. Chapter 6 Users

    1. Introduction

    2. Modifying the Default Display Name Used When Creating Users in ADUC

    3. Creating a User

    4. Creating a Large Number of Users

    5. Creating an inetOrgPerson User

    6. Converting a user Object to an inetOrgPerson Object (or Vice Versa)

    7. Modifying an Attribute for Several Users at Once

    8. Deleting a User

    9. Setting a User’s Profile Attributes

    10. Moving a User

    11. Redirecting Users to an Alternative OU

    12. Renaming a User

    13. Copying a User

    14. Finding Locked-Out Users

    15. Unlocking a User

    16. Troubleshooting Account Lockout Problems

    17. Viewing the Domain-Wide Account Lockout and Password Policies

    18. Applying a Fine-Grained Password Policy to a User Object

    19. Viewing the Fine-Grained Password Policy That Is in Effect for a User Account

    20. Enabling and Disabling a User

    21. Finding Disabled Users

    22. Viewing a User’s Group Membership

    23. Removing All Group Memberships from a User

    24. Changing a User’s Primary Group

    25. Copying a User’s Group Membership to Another User

    26. Setting a User’s Password

    27. Preventing a User from Changing a Password

    28. Requiring a User to Change a Password at Next Logon

    29. Preventing a User’s Password from Expiring

    30. Finding Users Whose Passwords Are About to Expire

    31. Viewing the RODCs That Have Cached a User’s Password

    32. Setting a User’s Account Options (userAccountControl)

    33. Setting a User’s Account to Expire

    34. Determining a User’s Last Logon Time

    35. Finding Users Who Have Not Logged On Recently

    36. Viewing and Modifying a User’s Permitted Logon Hours

    37. Viewing a User’s Managed Objects

    38. Creating a UPN Suffix for a Forest

    39. Restoring a Deleted User

    40. Protecting a User Against Accidental Deletion

  7. Chapter 7 Groups

    1. Introduction

    2. Creating a Group

    3. Viewing the Permissions of a Group

    4. Viewing the Direct Members of a Group

    5. Viewing the Nested Members of a Group

    6. Adding and Removing Members of a Group

    7. Moving a Group Within a Domain

    8. Moving a Group to Another Domain

    9. Changing the Scope or Type of a Group

    10. Modifying Group Attributes

    11. Creating a Dynamic Group

    12. Delegating Control for Managing Membership of a Group

    13. Resolving a Primary Group ID

    14. Enabling Universal Group Membership Caching

    15. Restoring a Deleted Group

    16. Protecting a Group Against Accidental Deletion

    17. Applying a Fine-Grained Password Policy to a Group Object

  8. Chapter 8 Computer Objects

    1. Introduction

    2. The Anatomy of a computer Object

    3. Creating a Computer

    4. Creating a Computer for a Specific User or Group

    5. Deleting a Computer

    6. Joining a Computer to a Domain

    7. Moving a Computer Within the Same Domain

    8. Moving a Computer to a New Domain

    9. Renaming a Computer

    10. Adding or Removing a Computer Account from a Group

    11. Testing the Secure Channel for a Computer

    12. Resetting a Computer Account

    13. Finding Inactive or Unused Computers

    14. Changing the Maximum Number of Computers a User Can Join to the Domain

    15. Modifying the Attributes of a computer Object

    16. Finding Computers with a Particular OS

    17. Binding to the Default Container for Computers

    18. Changing the Default Container for Computers

    19. Listing All the Computer Accounts in a Domain

    20. Identifying a Computer Role

    21. Protecting a Computer Against Accidental Deletion

    22. Viewing the RODCs That Have Cached a Computer’s Password

  9. Chapter 9 Group Policy Objects

    1. Introduction

    2. Finding the GPOs in a Domain

    3. Creating a GPO

    4. Copying a GPO

    5. Deleting a GPO

    6. Viewing the Settings of a GPO

    7. Modifying the Settings of a GPO

    8. Importing Settings into a GPO

    9. Creating a Migration Table

    10. Creating Custom Group Policy Settings

    11. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO

    12. Installing Applications with a GPO

    13. Disabling the User or Computer Settings in a GPO

    14. Listing the Links for a GPO

    15. Creating a GPO Link to an OU

    16. Blocking Inheritance of GPOs on an OU

    17. Enforcing the Settings of a GPO Link

    18. Applying a Security Filter to a GPO

    19. Delegating Administration of GPOs

    20. Importing a Security Template

    21. Creating a WMI Filter

    22. Applying a WMI Filter to a GPO

    23. Configuring Loopback Processing for a GPO

    24. Backing Up a GPO

    25. Restoring a GPO

    26. Simulating the RSoP

    27. Viewing the RSoP

    28. Refreshing GPO Settings on a Computer

    29. Restoring a Default GPO

    30. Creating a Fine-Grained Password Policy

    31. Editing a Fine-Grained Password Policy

    32. Viewing the Effective PSO for a User

  10. Chapter 10 Schema

    1. Introduction

    2. Registering the Active Directory Schema MMC Snap-in

    3. Enabling Schema Updates

    4. Generating an OID to Use for a New Class or Attribute

    5. Extending the Schema

    6. Preparing the Schema for an Active Directory Upgrade

    7. Documenting Schema Extensions

    8. Adding a New Attribute

    9. Viewing an Attribute

    10. Adding a New Class

    11. Viewing a Class

    12. Indexing an Attribute

    13. Modifying the Attributes That Are Copied When Duplicating a User

    14. Adding Custom Information to ADUC

    15. Modifying the Attributes Included with ANR

    16. Modifying the Set of Attributes Stored on a Global Catalog

    17. Finding Nonreplicated and Constructed Attributes

    18. Finding the Linked Attributes

    19. Finding the Structural, Auxiliary, Abstract, and 88 Classes

    20. Finding the Mandatory and Optional Attributes of a Class

    21. Modifying the Default Security of a Class

    22. Managing the Confidentiality Bit

    23. Adding an Attribute to the Read-Only Filtered Attribute Set (RO-FAS)

    24. Deactivating Classes and Attributes

    25. Redefining Classes and Attributes

    26. Reloading the Schema Cache

    27. Managing the Schema Master FSMO

  11. Chapter 11 Site Topology

    1. Introduction

    2. Creating a Site

    3. Listing Sites in a Forest

    4. Renaming a Site

    5. Deleting a Site

    6. Delegating Control of a Site

    7. Configuring Universal Group Caching for a Site

    8. Creating a Subnet

    9. Listing the Subnets

    10. Finding Missing Subnets

    11. Deleting a Subnet

    12. Changing a Subnet’s Site Assignment

    13. Creating a Site Link

    14. Finding the Site Links for a Site

    15. Modifying the Sites That Are Part of a Site Link

    16. Modifying the Cost for a Site Link

    17. Enabling Change Notification for a Site Link

    18. Modifying Replication Schedules

    19. Disabling Site Link Transitivity or Site Link Schedules

    20. Creating a Site Link Bridge

    21. Finding the Bridgehead Servers for a Site

    22. Setting a Preferred Bridgehead Server for a Site

    23. Listing the Servers

    24. Moving a Domain Controller to a Different Site

    25. Configuring a Domain Controller to Cover Multiple Sites

    26. Viewing the Site Coverage for a Domain Controller

    27. Disabling Automatic Site Coverage for a Domain Controller

    28. Finding the Site for a Client

    29. Forcing a Host into a Particular Site

    30. Creating a Connection Object

    31. Listing the connection Objects for a Server

    32. Load-Balancing connection Objects

    33. Finding the ISTG for a Site

    34. Transferring the ISTG to Another Server

    35. Triggering the KCC

    36. Determining Whether the KCC Is Completing Successfully

    37. Disabling the KCC for a Site

    38. Changing the Interval at Which the KCC Runs

  12. Chapter 12 Replication

    1. Introduction

    2. Determining Whether Two Domain Controllers Are in Sync

    3. Viewing the Replication Status of Several Domain Controllers

    4. Viewing Unreplicated Changes Between Two Domain Controllers

    5. Forcing Replication from One Domain Controller to Another

    6. Enabling and Disabling Replication

    7. Changing the Intra-Site Replication Interval

    8. Changing the Intra-Site Notification Delay

    9. Changing the Inter-Site Replication Interval

    10. Disabling Inter-Site Compression of Replication Traffic

    11. Checking for Potential Replication Problems

    12. Enabling Enhanced Logging of Replication Events

    13. Enabling Strict or Loose Replication Consistency

    14. Finding Conflict Objects

    15. Finding Orphaned Objects

    16. Listing the Replication Partners for a DC

    17. Viewing Object Metadata

  13. Chapter 13 DNS and DHCP

    1. Introduction

    2. Creating a Forward Lookup Zone

    3. Creating a Reverse Lookup Zone

    4. Viewing a Server’s Zones

    5. Converting a Zone to an AD-Integrated Zone

    6. Moving AD-Integrated Zones into an Application Partition

    7. Configuring Zone Transfers

    8. Configuring Forwarding

    9. Delegating Control of an Active Directory Integrated Zone

    10. Creating and Deleting Resource Records

    11. Querying Resource Records

    12. Modifying the DNS Server Configuration

    13. Scavenging Old Resource Records

    14. Clearing the DNS Cache

    15. Verifying That a Domain Controller Can Register Its Resource Records

    16. Enabling DNS Server Debug Logging

    17. Registering a Domain Controller’s Resource Records

    18. Deregistering a Domain Controller’s Resource Records

    19. Preventing a Domain Controller from Dynamically Registering All Resource Records

    20. Preventing a Domain Controller from Dynamically Registering Certain Resource Records

    21. Allowing Computers to Use a Different Domain Suffix Than Their AD Domain

    22. Authorizing a DHCP Server

    23. Locating Unauthorized DHCP Servers

    24. Restricting DHCP Administrators

  14. Chapter 14 Security and Authentication

    1. Introduction

    2. Enabling SSL/TLS

    3. Encrypting LDAP Traffic with SSL, TLS, or Signing

    4. Disabling LDAP Signing or Encryption

    5. Enabling Anonymous LDAP Access

    6. Restricting Anonymous Access to Active Directory

    7. Using the Delegation of Control Wizard

    8. Customizing the Delegation of Control Wizard

    9. Revoking Delegated Permissions

    10. Viewing the ACL for an Object

    11. Customizing the ACL Editor

    12. Viewing the Effective Permissions on an Object

    13. Configuring Permission Inheritance

    14. Changing the ACL of an Object

    15. Changing the Default ACL for an Object Class in the Schema

    16. Comparing the ACL of an Object to the Default Defined in the Schema

    17. Resetting an Object’s ACL to the Default Defined in the Schema

    18. Preventing the LM Hash of a Password from Being Stored

    19. Enabling Strong Domain Authentication

    20. Enabling List Object Access Mode

    21. Modifying the ACL on Administrator Accounts

    22. Viewing and Purging Your Kerberos Tickets

    23. Forcing Kerberos to Use TCP

    24. Modifying Kerberos Settings

    25. Viewing Access Tokens

  15. Chapter 15 Logging, Monitoring, and Quotas

    1. Introduction

    2. Enabling Extended dcpromo Logging

    3. Enabling Diagnostics Logging

    4. Enabling NetLogon Logging

    5. Enabling GPO Client Logging

    6. Enabling Kerberos Logging

    7. Viewing DNS Server Performance Statistics

    8. Monitoring the File Replication Service

    9. Monitoring the Windows Time Service

    10. Enabling Inefficient and Expensive LDAP Query Logging

    11. Using the STATS Control to View LDAP Query Statistics

    12. Monitoring the Performance of AD

    13. Using Perfmon Trace Logs to Monitor AD

    14. Creating an Administrative Alert

    15. Emailing an Administrator on a Performance Alert

    16. Enabling Auditing of Directory Access

    17. Enabling Auditing of Registry Keys

    18. Creating a Quota

    19. Finding the Quotas Assigned to a Security Principal

    20. Changing How Tombstone Objects Count Against Quota Usage

    21. Setting the Default Quota for All Security Principals in a Partition

    22. Finding the Quota Usage for a Security Principal

  16. Chapter 16 Backup, Recovery, DIT Maintenance, and Deleted Objects

    1. Introduction

    2. Backing Up Active Directory in Windows 2000 and Windows Server 2003

    3. Backing Up Active Directory in Windows Server 2008

    4. Creating an Active Directory Snapshot

    5. Mounting an Active Directory Snapshot

    6. Accessing Active Directory Snapshot Data

    7. Restarting a Domain Controller in Directory Services Restore Mode

    8. Resetting the Directory Service Restore Mode Administrator Password

    9. Performing a Nonauthoritative Restore

    10. Performing an Authoritative Restore of an Object or Subtree

    11. Performing a Complete Authoritative Restore

    12. Checking the DIT File’s Integrity

    13. Moving the DIT Files

    14. Repairing or Recovering the DIT

    15. Performing an Online Defrag Manually

    16. Performing a Database Recovery

    17. Creating a Reserve File

    18. Determining How Much Whitespace Is in the DIT

    19. Performing an Offline Defrag to Reclaim Space

    20. Changing the Garbage Collection Interval

    21. Logging the Number of Expired Tombstone Objects

    22. Determining the Size of the Active Directory Database

    23. Searching for Deleted Objects

    24. Undeleting a Single Object

    25. Undeleting a Container Object

    26. Modifying the Tombstone Lifetime for a Domain

  17. Chapter 17 Application Partitions

    1. Introduction

    2. Creating and Deleting an Application Partition

    3. Finding the Application Partitions in a Forest

    4. Adding or Removing a Replica Server for an Application Partition

    5. Finding the Replica Servers for an Application Partition

    6. Finding the Application Partitions Hosted by a Server

    7. Verifying Application Partitions Are Instantiated on a Server Correctly

    8. Setting the Replication Notification Delay for an Application Partition

    9. Setting the Reference Domain for an Application Partition

    10. Delegating Control of Managing an Application Partition

  18. Chapter 18 Active Directory Application Mode and Active Directory Lightweight Directory Service

    1. Introduction

    2. Installing ADAM/AD LDS

    3. Creating a New ADAM/AD LDS Instance

    4. Creating a New Replica of an ADAM/AD LDS Configuration Set

    5. Stopping and Starting an ADAM/AD LDS Instance

    6. Changing the Ports Used by an ADAM/AD LDS Instance

    7. Listing the ADAM Instances Installed on a Computer

    8. Extending the ADAM/AD LDS Schema

    9. Managing ADAM/AD LDS Application Partitions

    10. Managing ADAM/AD LDS Organizational Units

    11. Managing ADAM Users

    12. Changing the Password for an ADAM or AD LDS User

    13. Enabling and Disabling an ADAM User

    14. Creating ADAM or AD LDS Groups

    15. Managing ADAM or AD LDS Group Memberships

    16. Viewing and Modifying ADAM Object Attributes

    17. Importing Data into an ADAM or AD LDS Instance

    18. Configuring Intra-site Replication

    19. Forcing ADAM/AD LDS Replication

    20. Managing AD LDS Replication Authentication

    21. Managing ADAM/AD LDS Permissions

    22. Enabling Auditing of AD LDS Access

  19. Chapter 19 Active Directory Federation Services

    1. Introduction

    2. Installing AD FS Prerequisites for Windows Server 2003 R2

    3. Installing AD FS Prerequisites for Windows Server 2008

    4. Installing the Federation Service in Windows Server 2003 R2

    5. Installing the Federation Service on Windows Server 2008

    6. Configuring an Active Directory Account Store

    7. Configuring an ADAM or AD LDS Account Store

    8. Creating Organizational Claims

    9. Creating an Account Partner

    10. Configuring a Resource Partner

    11. Configuring an Application

    12. Configuring a Forest Trust

    13. Configuring an Alternate UPN Suffix

    14. Configuring the AD FS Web Agent

    15. Enabling Logging for the AD FS Web Agent

  20. Chapter 20 Microsoft Exchange Server 2007 and Exchange Server 2003

    1. Introduction

    2. Exchange Server and Active Directory

    3. Exchange Server 2007 Architecture

    4. Exchange Administration Tools

    5. Preparing Active Directory for Exchange

    6. Installing the First Exchange Server in an Organization

    7. Creating Unattended Installation Files for Exchange Server

    8. Installing Exchange Management Tools

    9. Stopping and Starting Exchange Server

    10. Mail-Enabling a User

    11. Mail-Disabling a User

    12. Mailbox-Enabling a User

    13. Deleting a User’s Mailbox

    14. Moving a Mailbox

    15. Viewing Mailbox Sizes and Message Counts

    16. Configuring Mailbox Limits

    17. Creating an Address List

    18. Creating a Storage Group

    19. Creating a Mailbox Store

    20. Installing Anti-Spam Agents on the Hub Transport Servers

    21. Enabling Message Tracking

    22. Summary

  21. Chapter 21 Microsoft Identity Lifecycle Manager

    1. Introduction

    2. Creating the HR Database MA

    3. Creating an Active Directory MA

    4. Setting Up a Metaverse Object Deletion Rule

    5. Setting Up Simple Import Attribute Flow—HR Database MA

    6. Setting Up a Simple Export Attribute Flow to AD

    7. Defining an Advanced Import Attribute Flow—HR Database MA

    8. Implementing an Advanced Attribute Flow Rules Extension—HR Database MA

    9. Setting Up Advanced Export Attribute Flow in Active Directory

    10. Configuring a Run Profile to Do an Initial Load of Data from the HR Database MA

    11. Loading Initial HR Database Data into ILM Using a Run Profile

    12. Configuring a Run Profile to Load the Container Structure from AD

    13. Loading the Initial AD Container Structure into ILM Using a Run Profile

    14. Setting Up the HR Database MA to Project Objects to the Metaverse

    15. Writing a Rules Extension to Provision User Objects

    16. Creating a Run Profile for Provisioning

    17. Executing the Provisioning Rule

    18. Creating a Run Profile to Export Objects from the ADMA to Active Directory

    19. Exporting Objects to AD Using an Export Run Profile

    20. Testing Provisioning and Deprovisioning of User Accounts in AD

    21. Creating a Run Profile Script

    22. Creating a Controlling Script

    23. Enabling Directory Synchronization from AD to the HR Database

    24. Configuring a Run Profile to Load the telephoneNumber from AD

    25. Loading telephoneNumber Changes from AD into ILM Using a Delta Import and Delta Synchronization Run Profile

    26. Exporting telephoneNumber Data to the HR Database

    27. Using the HR Database MA Export Run Profile to Export the Telephone Number to the HR Database

    28. Searching Data in the Connector Space

    29. Searching Data in the Metaverse

    30. Deleting Data in the Connector Space and Metaverse

    31. Extending Object Types to Include a New Attribute

    32. Previewing Changes to the ILM Configuration

    33. Committing Changes to Individual Identities Using the Commit Preview Feature

    34. Passing Data Between Rules Extensions Using Transaction Properties

    35. Using a Single Rules Extension to Affect Multiple Attribute Flows

    36. Flowing a Null Value to a Data Source

    37. Contributing a UTCCodedTime Attribute in Active Directory

    38. Importing and Decoding the accountExpires Attribute

    39. Exporting and Encoding the accountExpires Attribute

  Colophon