Active Directory, Fifth Edition
by Brian Desmond, Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris

Copyright © 2013 Brian Desmond, Joe Richards, Robbie Allen, Alistair Lowe-Norris. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://my.safaribooksonline.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Editor: Rachel Roumeliotis
Production Editor: Rachel Steely
Copyeditor: Jasmine Kwityn
Proofreader: Rachel Head
Indexer: Bob Pfahler
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrators: Robert Romano and Rebecca Demarest

April 2013: Fifth Edition

Revision History for the Fifth Edition:
2013-04-10: First release

See http://oreilly.com/catalog/errata.csp?isbn=9781449320027 for release details.

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Active Directory, the image of domestic cats, and related trade dress are trademarks of O’Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc., was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 978-1-449-32002-7
[LSI]

Table of Contents

Preface

1. A Brief Introduction
    Evolution of the Microsoft NOS
    A Brief History of Directories
    Summary

2. Active Directory Fundamentals
    How Objects Are Stored and Identified
    Uniquely Identifying Objects
    Building Blocks
    Domains and Domain Trees
    Forests
    Organizational Units
    The Global Catalog
    Flexible Single Master Operator (FSMO) Roles
    Time Synchronization in Active Directory
    Domain and Forest Functional Levels
    Groups
    Summary

3. Active Directory Management Tools
    Management Tools
    Active Directory Administrative Center
    Active Directory Users and Computers
    ADSI Edit
    LDP
    Customizing the Active Directory Administrative Snap-ins
    Display Specifiers
    Property Pages
    Context Menus
    Icons
    Display Names
    Object Creation Wizard
    Active Directory PowerShell Module
    Best Practices Analyzer
    Active Directory-Based Machine Activation
    Summary

4. Naming Contexts and Application Partitions
    Domain Naming Context
    Configuration Naming Context
    Schema Naming Context
    Application Partitions
    Storing Dynamic Data
    Summary

5. Active Directory Schema
    Structure of the Schema
    X.500 and the OID Namespace
    Attributes (attributeSchema Objects)
    Dissecting an Example Active Directory Attribute
    Attribute Properties
    Attribute Syntax
    systemFlags
    schemaFlagsEx
    searchFlags
    Property Sets and attributeSecurityGUID
    Linked Attributes
    MAPI IDs
    Classes (classSchema Objects)
    Object Class Category and Inheritance
    Dissecting an Example Active Directory Class
    Dynamically Linked Auxiliary Classes
    Summary

6. Site Topology and Active Directory Replication
    Site Topology
    Site and Replication Management Tools
    Subnets
    Sites
    Site Links
    Site Link Bridges
    Connection Objects
    Knowledge Consistency Checker
    How Replication Works
    A Background to Metadata
    How an Object’s Metadata Is Modified During Replication
    The Replication of a Naming Context Between Two Servers
    How Replication Conflicts Are Reconciled
    Common Replication Problems
    Lingering Objects
    USN Rollback
    Summary

7. Searching Active Directory
    The Directory Information Tree
    Database Structure
    Searching the Database
    Filter Operators
    Connecting Filter Components
    Search Bases
    Modifying Behavior with LDAP Controls
    Attribute Data Types
    Dates and Times
    Bit Masks
    The In-Chain Matching Rule
    Optimizing Searches
    Efficient Searching
    objectClass Versus objectCategory
    Summary

8. Active Directory and DNS
    DNS Fundamentals
    Zones
    Resource Records
    Client Lookup Process
    Dynamic DNS
    Global Names Zones
    DNSSEC
    How Does DNSSEC Work?
    Configuring DNSSEC for Active Directory DNS
    DC Locator
    Resource Records Used by Active Directory
    Overriding SRV Record Registration
    Delegation Options
    Not Delegating the AD DNS Zones
    Delegating the AD DNS Zones
    Active Directory-Integrated DNS
    Replication Impact
    Background Zone Loading
    Using Application Partitions for DNS
    Aging and Scavenging
    Configuring Scavenging
    Managing DNS with Windows PowerShell
    Summary

9. Domain Controllers
    Building Domain Controllers
    Deploying with Server Manager
    Using DCPromo on Earlier Versions of Windows
    Automating the DC Build Process
    Virtualization
    When to Virtualize
    Impact of Virtualization
    Virtualization Safe Restore
    Cloning Domain Controllers
    Read-Only Domain Controllers
    Prerequisites
    Password Replication Policies
    The Client Logon Process
    RODCs and Write Requests
    The W32Time Service
    Application Compatibility
    RODC Placement Considerations
    Administrator Role Separation
    Promoting an RODC
    Summary

10. Authentication and Security Protocols
    Kerberos
    User Logon
    Service Access
    Application Access
    Logon and Service Access Summary
    Delegation and Protocol Transition
    Authentication Mechanism Assurance
    Managed Service Accounts
    Preparing for Group Managed Service Accounts
    Using Group Managed Service Accounts
    Summary

11. Group Policy Primer
    Capabilities of Group Policy Objects
    Group Policy Storage
    How Group Policies Work
    GPOs and Active Directory
    Prioritizing the Application of Multiple Policies
    Standard GPO Inheritance Rules in Organizational Units
    Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
    When Policies Apply
    Combating Slowdown Due to Group Policy
    Security Filtering and Group Policy Objects
    Loopback Merge Mode and Loopback Replace Mode
    Summarizing Group Policy Application
    WMI Filtering
    Group Policy
    Managing Group Policies
    Using the Group Policy Management Console
    Using the Group Policy Management Editor
    Group Policy Preferences
    Running Scripts with Group Policy
    Group Policy Modeling
    Delegation and Change Control
    Using Starter GPOs
    Group Policy Backup and Restore
    Scripting Group Policy
    Troubleshooting Group Policy
    Group Policy Infrastructure Status
    Group Policy Results Wizard
    Forcing Group Policy Updates
    Enabling Extra Logging
    Group Policy Diagnostic Best Practices Analyzer
    Third-Party Troubleshooting Tools
    Summary

12. Fine-Grained Password Policies
    Understanding Password Settings Objects
    Scenarios for Fine-Grained Password Policies
    Defining Password Settings Objects
    Creating Password Settings Objects
    PSO Quick Start
    Building a PSO from Scratch
    Managing Password Settings Objects
    Strategies for Controlling PSO Application
    Managing PSO Application
    Delegating Management of PSOs
    Summary

13. Designing the Active Directory Structure
    The Complexities of a Design
    Where to Start
    Overview of the Design Process
    Domain Namespace Design
    Objectives
    Step 1: Decide on the Number of Domains
    Step 2: Design and Name the Tree Structure
    Design of the Internal Domain Structure
    Step 3: Design the Hierarchy of Organizational Units
    Step 4: Design the Workstation and Server Naming Conventions
    Step 5: Plan for Users and Groups
    Other Design Considerations
    Design Examples
    Tailspin Toys
    Contoso College
    Fabrikam
    Recognizing Nirvana’s Problems
    Summary

14. Creating a Site Topology
    Intrasite and Intersite Topologies
    The KCC
    Automatic Intrasite Topology Generation by the KCC
    Site Links: The Basic Building Blocks of Intersite Topologies
    Site Link Bridges: The Second Building Blocks of Intersite Topologies
    Designing Sites and Links for Replication

[...]

    ... Up Active Directory
    Using the NT Backup Utility
    Using Windows Server Backup
    Restoring a Domain Controller
    Restore from Replication
    Restore from Backup
    Install from Media
    Restoring Active Directory
    Nonauthoritative Restore
    Partial Authoritative Restore
    Complete Authoritative Restore
    Working with Snapshots
    Active Directory ...

[...]

Preface (excerpts)

... approaches to managing Active Directory and script updates. There are five new chapters (Chapter 3, Chapter 7, Chapter 10, Chapter 19, and Chapter 21) to explain features or concepts not covered in previous editions. These chapters include in-depth coverage of management tools, LDAP query syntax, Kerberos, Active Directory Federation Services (ADFS), and more. This book describes Active Directory in depth, ...

[...]

We begin in general terms with how Active Directory works, giving you a thorough grounding in its concepts. Some of the topics include Active Directory ...

[...]

... bare the design and management of an enterprise or departmental Active Directory, you need not look any further.

Intended Audience

This book is intended for all Active Directory administrators, whether you manage a single server or a global multinational with thousands of servers. Even if you have a previous edition, you will find this fifth edition to be full of updates and corrections and a worthy addition ...

[...]

... the major features and benefits of Active Directory.

Chapter 2, Active Directory Fundamentals
Provides a high-level look at how objects are stored in Active Directory and explains some of the internal structures and concepts that it relies on.

Chapter 3, Active Directory Management Tools
Demonstrates how to use the various MMC snap-ins and management tools that are commonly used by Active Directory administrators ...

[...]

... Partitions
Reviews the predefined naming contexts within Active Directory, what is contained within each, and the purpose of application partitions.

Chapter 5, Active Directory Schema
Describes how the blueprint for each object and each object’s attributes are stored in Active Directory.

Chapter 6, Site Topology and Active Directory Replication
Details how the actual replication process for data takes place between domain controllers.

Chapter 7, Searching Active Directory
Explains the LDAP query syntax used for gathering data from Active Directory.

Chapter 8, Active Directory and DNS
Describes the importance of the Domain Name System and what it is used for within Active Directory.

Chapter 9, Domain Controllers
Describes the deployment and operation of writable ...

[...]

... Planning for Group Policy
Explains how group policy objects function in Active Directory and how you can properly design an Active Directory structure to make the most effective use of these functions.

Chapter 16, Active Directory Security: Permissions and Auditing
Describes how you can design effective security for all areas of your Active Directory infrastructure, both in terms of access to objects and their ...

[...]

... and attributes in the Active Directory schema.

Chapter 18, Backup, Recovery, and Maintenance
Describes how you can back up and restore Active Directory, from the entire directory down to the object level.

Chapter 19, Upgrading Active Directory
Discusses the features introduced in each version of Active Directory, followed by an outline of how you can upgrade your existing Active Directory infrastructure ...

[...]

... Windows Server 2012.

Chapter 20, Active Directory Lightweight Directory Services
Introduces Active Directory Lightweight Directory Services.

Chapter 21, Active Directory Federation Services
Introduces Active Directory Federation Services.

Appendix A
Starts off by providing some background information on the .NET Framework and then dives into several examples using the System.DirectoryServices namespaces ...

[...]

Chapter 1, Summary (excerpt)

... need to know to successfully support Active Directory as well as to design an effective Active Directory implementation.

CHAPTER 2
Active Directory Fundamentals

This chapter aims to bring you up to speed on the basic concepts and terminology used with Active Directory. It is important to understand each feature of Active Directory before embarking on a design, ...