Active Directory ™ Bible 4762-3 FM.f.qc 10/25/00 4:31 PM Page i 4762-3 FM.f.qc 10/25/00 4:31 PM Page ii Active Directory ™ Bible Curt Simmons IDG Books Worldwide, Inc. An International Data Group Company Foster City, CA ✦ Chicago, IL ✦ Indianapolis, IN ✦ New York, NY 4762-3 FM.f.qc 10/25/00 4:31 PM Page iii Active Directory ™ Bible Published by IDG Books Worldwide, Inc. An International Data Group Company 919 E. Hillsdale Blvd., Suite 400 Foster City, CA 94404 www.idgbooks.com (IDG Books Worldwide Web site) Copyright © 2001 IDG Books Worldwide, Inc. All rights reserved. No part of this book, including interior design, cover design, and icons, may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording, or otherwise) without the prior written permission of the publisher. ISBN: 0-7645-4762-3 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 1B/RU/RR/QQ/FC Distributed in the United States by IDG Books Worldwide, Inc. Distributed by CDG Books Canada Inc. for Canada; by Transworld Publishers Limited in the United Kingdom; by IDG Norge Books for Norway; by IDG Sweden Books for Sweden; by IDG Books Australia Publishing Corporation Pty. Ltd. for Australia and New Zealand; by TransQuest Publishers Pte Ltd. for Singapore, Malaysia, Thailand, Indonesia, and Hong Kong; by Gotop Information Inc. for Taiwan; by ICG Muse, Inc. for Japan; by Intersoft for South Africa; by Eyrolles for France; by International Thomson Publishing for Germany, Austria, and Switzerland; by Distribuidora Cuspide for Argentina; by LR International for Brazil; by Galileo Libros for Chile; by Ediciones ZETA S.C.R. Ltda. for Peru; by WS Computer Publishing Corporation, Inc., for the Philippines; by Contemporanea de Ediciones for Venezuela; by Express Computer Distributors for the Caribbean and West Indies; by Micronesia Media Distributor, Inc. for Micronesia; by Chips Computadoras S.A. de C.V. for Mexico; by Editorial Norma de Panama S.A. for Panama; by American Bookshops for Finland. For general information on IDG Books Worldwide’s books in the U.S., please call our Consumer Customer Service department at 800-762-2974. For reseller information, including discounts and premium sales, please call our Reseller Customer Service department at 800-434-3422. For information on where to purchase IDG Books Worldwide’s books outside the U.S., please contact our International Sales department at 317-572-3993 or fax 317-572-4002. For consumer information on foreign language translations, please contact our Customer Service department at 800-434-3422, fax 317-572-4002, or e-mail rights@idgbooks.com. For information on licensing foreign or domestic rights, please phone +1-650-653-7098. For sales inquiries and special prices for bulk quantities, please contact our Order Services department at 800-434-3422 or write to the address above. For information on using IDG Books Worldwide’s books in the classroom or for ordering examination copies, please contact our Educational Sales department at 800-434-2086 or fax 317-572-4005. For press review copies, author interviews, or other publicity information, please contact our Public Relations department at 650-653-7000 or fax 650-653-7500. For authorization to photocopy items for corporate, personal, or educational use, please contact Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, or fax 978-750-4470. Library of Congress Cataloging-in-Publication Data Simmons, Curt, 1968- Active directory bible / Curt Simmons. p. cm. ISBN 0-7645-4762-3 (alk. paper) 1. Directory services (Computer network technology) 2. Microsoft Windows (Computer file) I. Title. TK5105.595 .S55 2000 005.7'1369 dc21 00-046159 CIP LIMIT OF LIABILITY/DISCLAIMER OF W ARRANTY: THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK. THE PUBLISHER AND AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THERE ARE NO WARRANTIES WHICH EXTEND BEYOND THE DESCRIPTIONS CONTAINED IN THIS PARAGRAPH. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ACCURACY AND COMPLETENESS OF THE INFORMATION PROVIDED HEREIN AND THE OPINIONS STATED HEREIN ARE NOT GUARANTEED OR WARRANTED TO PRODUCE ANY PARTICULAR RESULTS, AND THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY INDIVIDUAL. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES. Trademarks: All brand names and product names used in this book are trade names, service marks, trademarks, or registered trademarks of their respective owners. IDG Books Worldwide is not associated with any product or vendor mentioned in this book. is a registered trademark or trademark under exclusive license to IDG Books Worldwide, Inc. from International Data Group, Inc. in the United States and/or other countries. 4762-3 FM.f.qc 10/25/00 4:31 PM Page iv Eleventh Annual Computer Press Awards 1995 Tenth Annual Computer Press Awards 1994 Eighth Annual Computer Press Awards 1992 Ninth Annual Computer Press Awards 1993 IDG is the world’s leading IT media, research and exposition company. Founded in 1964, IDG had 1997 revenues of $2.05 billion and has more than 9,000 employees worldwide. IDG offers the widest range of media options that reach IT buyers in 75 countries representing 95% of worldwide IT spending. IDG’s diverse product and services portfolio spans six key areas including print publishing, online publishing, expositions and conferences, market research, education and training, and global marketing services. More than 90 million people read one or more of IDG’s 290 magazines and newspapers, including IDG’s leading global brands — Computerworld, PC World, Network World, Macworld and the Channel World family of publications. IDG Books Worldwide is one of the fastest-growing computer book publishers in the world, with more than 700 titles in 36 languages. The “ For Dummies ® ” series alone has more than 50 million copies in print. IDG offers online users the largest network of technology-specific Web sites around the world through IDG.net (http://www.idg.net), which comprises more than 225 targeted Web sites in 55 countries worldwide. International Data Corporation (IDC) is the world’s largest provider of information technology data, analysis and consulting, with research centers in over 41 countries and more than 400 research analysts worldwide. IDG World Expo is a leading producer of more than 168 globally branded conferences and expositions in 35 countries including E3 (Electronic Entertainment Expo), Macworld Expo, ComNet, Windows World Expo, ICE (Internet Commerce Expo), Agenda, DEMO, and Spotlight. IDG’s training subsidiary, ExecuTrain, is the world’s largest computer training company, with more than 230 locations worldwide and 785 training courses. IDG Marketing Services helps industry-leading IT companies build international brand recognition by developing global integrated marketing programs via IDG’s print, online and exposition products worldwide. Further information about the company can be found at www.idg.com. 1/26/00 Welcome to the world of IDG Books Worldwide. IDG Books Worldwide, Inc., is a subsidiary of International Data Group, the world’s largest publisher of computer-related information and the leading global provider of information services on information technology. IDG was founded more than 30 years ago by Patrick J. McGovern and now employs more than 9,000 people worldwide. IDG publishes more than 290 computer publications in over 75 countries. More than 90 million people read one or more IDG publications each month. Launched in 1990, IDG Books Worldwide is today the #1 publisher of best-selling computer books in the United States. We are proud to have received eight awards from the Computer Press Association in recognition of editorial excellence and three from Computer Currents’ First Annual Readers’ Choice Awards. Our best- selling For Dummies ® series has more than 50 million copies in print with translations in 31 languages. IDG Books Worldwide, through a joint venture with IDG’s Hi-Tech Beijing, became the first U.S. publisher to publish a computer book in the People’s Republic of China. In record time, IDG Books Worldwide has become the first choice for millions of readers around the world who want to learn how to better manage their businesses. Our mission is simple: Every one of our books is designed to bring extra value and skill-building instructions to the reader. Our books are written by experts who understand and care about our readers. The knowledge base of our editorial staff comes from years of experience in publishing, education, and journalism — experience we use to produce books to carry us into the new millennium. In short, we care about books, so we attract the best people. We devote special attention to details such as audience, interior design, use of icons, and illustrations. And because we use an efficient process of authoring, editing, and desktop publishing our books electronically, we can spend more time ensuring superior content and less time on the technicalities of making books. You can count on our commitment to deliver high-quality books at competitive prices on topics you want to read about. At IDG Books Worldwide, we continue in the IDG tradition of delivering quality for more than 30 years. You’ll find no better book on a subject than one from IDG Books Worldwide. John Kilcullen Chairman and CEO IDG Books Worldwide, Inc. 4762-3 FM.f.qc 10/25/00 4:31 PM Page v Credits Acquisitions Editor Judy Brief Project Editor Amanda Munz Technical Editor Jim Kelly Copy Editor Kevin Kent Project Coordinator Marcos Vergara Graphics and Production Specialists Bob Bihlmayer Jude Levinson Michael Lewis Victor Pérez-Varela Ramses Ramirez Quality Control Technician Dina F Quan Permissions Editor Carmen Krikorian Media Development Specialists Brock Bigard Angela D. Denny Media Development Coordinator Marisa Pearman Illustrators Gabriele McCann Shelley Norris Karl Brandt Proofreading and Indexing York Production Services Cover Illustration Lawrence Huck 4762-3 FM.f.qc 10/25/00 4:31 PM Page vi About the Author Curt Simmons, MCSE, MCT, CTT, is a freelance author and technical trainer focus- ing on Microsoft operating systems and networking solutions. Curt is the author of almost a dozen high-level technical books on Microsoft products, including Master Active Directory Visually and MCSE Windows 2000 Server For Dummies. He has been working closely with Windows 2000 and the Active Directory since Beta 1. Curt lives with his wife and daughter in a small town outside of Dallas, Texas. You can reach him at curt_simmons@hotmail.com or at http://curtsimmons.hypermart.net. 4762-3 FM.f.qc 10/25/00 4:31 PM Page vii 4762-3 FM.f.qc 10/25/00 4:31 PM Page viii Preface T he Active Directory Bible is your comprehensive resource for planning, installing, configuring, and managing the Microsoft Active Directory. The Active Directory, which is the core networking technology in Windows 2000, provides advanced direc- tory service features that makes your network—regardless of its size—easier to manage and use. Welcome to the World of Active Directory You have heard plenty of things about the Active Directory. Some say the Active Directory is the best product Microsoft has ever produced—some say the Active Directory is still a baby that has a lot of maturing to do. No matter your position, we can all agree that the Active Directory is Microsoft’s flagship product at the moment and that the Active Directory is here to stay. The Active Directory is the foundational networking component in Windows 2000. The Active Directory completely revamps Microsoft networking from the days of NT and brings Windows networking to a hierarchical, directory service model. This model modernizes NT and paves the way for the future. With the Active Directory, you have more manageability, more support for network resources, standardized naming, and excellent query capabilities. In short, the Active Directory opens an entire new world for Windows. Before I get too carried away with the details (which you can jump into in Chap- ter 1) and before I sound like I’m singing Microsoft’s praises, let me just answer two questions I am asked quite frequently. The first is simply, “Do you like the Active Directory?” The answer is—yes, I do. Quite a bit, actually. The second question is, “Is the Active Directory perfect?” I usually smile and shake my head because you already know the answer. No—the Active Directory is not perfect, and there are some serious design issues Microsoft will need to address in the future. But in Microsoft’s defense, I will say that the first release of the Active Directory is awfully good—and when you see the potential a live directory service can bring to a network, I think you will agree. If you are reading this book, you are likely one of two people. First, you’re a newcomer to Windows 2000. Perhaps you have joined the ranks of the technical professionals in search of a better career, and you know that Windows 2000 is a wise move. If that is you—you have come to right place. This book is all you need to learn all about the Active Directory and the technologies that make it tick. 4762-3 FM.f.qc 10/25/00 4:31 PM Page ix x Preface Second, you may be a systems administrator—someone who has a place in design- ing an Active Directory implementation and in keeping everything running after it is in place. You have a lot of work to do, and you need a resource that helps you meet your goals quickly. You have come to the right place as well. The Active Directory Bible is a comprehensive look at this new directory service. You’ll learn how to plan, install, configure, manage, and integrate other technolo- gies with the Active Directory with this book. How to Read This Book (Don’t Skip This Part!) By now, I have read more than a few Active Directory books, white papers, and other Microsoft documentation. One of my biggest complaints with these resources is the problem with organization. The Active Directory is often difficult to explain because you need to know about points A, B, and C at the same time before understanding D. Likewise, you can’t explain C without A, and you can’t understand B without know- ing about D you get the picture. The problem is that the Active Directory is built on a number of components that all play an equal role, so structuring a book or document so that it makes sense is not easy. I have worked very hard on this book to present a logical, chapter-by-chapter approach to the Active Directory. If you are already familiar with the Active Directory, you can turn straight to the chapter you need and get started. If you are new to the Active Directory, read each chapter in order. I have tried to make the book as sequential as possible so all of this will be easier to understand. Along the way, you’ll find many useful step-by-step instructions and sidebars to give you additional explanations. Be sure to read these as you learn all about Active Directory. A Little about This Book’s Structure This book is divided into four parts. The following sections give you an overview of what you will find in each part. Part I: Planning an Active Directory Deployment In Part I, you learn about the Active Directory technology and conceptual framework, and then you jump right into Active Directory planning. The planning process is extremely important, and this part teaches you all about the Active Directory names- pace, constructing forests and trees, developing an OU plan, upgrading and migrating to the Active Directory, and planning Active Directory sites and replication. 4762-3 FM.f.qc 10/25/00 4:31 PM Page x [...]... Part I: Planning an Active Directory Deployment 1 Chapter 1: Introduction to Active Directory Technology and Deployment Planning 3 Chapter 2: The Active Directory Namespace 19 Chapter 3: Planning an Active Directory Structure 35 Chapter 4: Upgrading and Migrating to the Active Directory 61 Chapter 5: Planning Active Directory Sites ... xiii Part I: Planning an Active Directory Deployment 1 Chapter 1: Introduction to Active Directory Technology and Deployment Planning 3 What Is a Directory? 3 What Is a Directory Service? 4 What Does the Active Directory Do? 4 Active Directory Logical Structure ... Active Directory 61 Upgrading to the Active Directory Upgrading NT to 2000 Getting ready to upgrade the PDC to 2000 Using the Active Directory Sizer Considering domain consolidation Migrating to the Active Directory 61 62 63 64 65 77 Chapter 5: Planning Active Directory. .. the Active Directory What Is a Directory? You’ve heard all the marketing hoopla You’ve heard the competitor’s complaints However, with all the excitement (and lack of excitement), I think I can safely say that the Active Directory is a permanent part of Windows 2000 (and beyond) ✦ ✦ ✦ ✦ In This Chapter Exploring directory services Examining the Active Directory s features Understanding the Active Directory s... group to ensure that changes are processed appropriately The Active Directory Schema I’ve mentioned the Active Directory schema in Table 1-1 The Active Directory schema is a complete collection, or schematic, of Active Directory objects and attributes and the classes to which objects belong The schema determines what can be stored in the Active Directory, where it belongs in the database, and what attributes... Enter directory services The goal of directory services is to bring order to both big and small networks Directory services provide a streamlined approach to network and resource discovery With a directory, users can perform search queries and find network information quickly and easily The Active Directory is Microsoft’s answer to the directory services needs of today’s networks What Does the Active Directory. .. Directory Do? The Active Directory is a directory service — it provides a number of different services relating to the organized storage of network resources The following points highlight some of the Active Directory s features: 4762-3 ch01.f.qc 10/25/00 2:41 PM Page 5 Chapter 1 ✦ Introduction to Active Directory Technology and Deployment Planning ✦ Organized Approach — The Active Directory brings... The Active Directory solves this problem because it is built on a hierarchy where information can be managed at different levels Active Directory Logical Structure To begin the exploration of the Active Directory, I want to take a look at its logical structure In order to effectively plan, implement, and administer the Active Directory, this logical structure will need to become second nature The Active. .. you cannot implement the Active Directory without DNS, and all Active Directory names are DNS names The Active Directory is also a fully compliant LDAP directory service To understand why this is important, you need to understand a few things about LDAP LDAP is based on the Directory Access Protocol (DAP), which was an implementation of X.500 networks X.500 is a very broad directory service that is... Resources 191 Chapter 11: Implementing Active Directory Security Features 211 Part III: Active Directory Management 233 Chapter 12: Maintaining the Active Directory 235 Chapter 13: Managing Active Directory Replication 259 Chapter 14: Active Directory Schema 285 Part IV: Integrating Supporting . viii Preface T he Active Directory Bible is your comprehensive resource for planning, installing, configuring, and managing the Microsoft Active Directory. The Active Directory, which. Active Directory ™ Bible 4762-3 FM.f.qc 10/25/00 4:31 PM Page i 4762-3 FM.f.qc 10/25/00 4:31 PM Page ii Active Directory ™ Bible Curt Simmons IDG