Active Directory
Fourth Edition

Brian Desmond, Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris

Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo

Active Directory, Fourth Edition
by Brian Desmond, Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris

Copyright © 2009 O'Reilly Media. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use.
Online editions are also available for most titles (http://safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Editors: John Osborn and Laurel Ruma
Production Editor: Loranah Dimant
Production Services: Appingo, Inc.
Indexer: Ellen Troutman Zaig
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Jessamyn Read

Printing History:
January 2000: First Edition.
April 2003: Second Edition.
January 2006: Third Edition.
November 2008: Fourth Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Active Directory, the image of domestic cats, and related trade dress are trademarks of O'Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 978-0-596-52059-5


Table of Contents

Preface

Part I. Active Directory Basics

1. A Brief Introduction
    Evolution of the Microsoft NOS
    Brief History of Directories
    Windows NT Versus Active Directory
    Windows 2000 Versus Windows Server 2003
    Windows Server 2003 Versus Windows Server 2003 R2
    Windows Server 2003 R2 Versus Windows Server 2008
    Summary

2. Active Directory Fundamentals
    How Objects Are Stored and Identified
    Uniquely Identifying Objects
    Building Blocks
    Domains and Domain Trees
    Forests
    Organizational Units
    Global Catalog
    Flexible Single Master Operator (FSMO)
    Time Synchronization in Active Directory
    Domain and Forest Functional Levels
    Groups
    Summary

3. Naming Contexts and Application Partitions
    Domain Naming Context
    Configuration Naming Context
    Schema Naming Context
    Application Partitions
    Storing Dynamic Data
    Summary

4. Active Directory Schema
    Structure of the Schema
    X.500 and the OID Namespace
    Attributes (attributeSchema Objects)
    Dissecting an Example Active Directory Attribute
    Attribute Properties
    Attribute Syntax
    System Flags
    Schema FlagsEx
    Search Flags
    Property Sets and attributeSecurityGUID
    Linked Attributes
    Classes (classSchema Objects)
    Object Class Category and Inheritance
    Dissecting an Example Active Directory Class
    Dynamically Linked Auxiliary Classes
    Summary

5. Site Topology and Replication
    Site Topology
    Subnets
    Sites
    Site Links
    Site Link Bridges
    Connection Objects
    Knowledge Consistency Checker (KCC)
    Site and Replication Management Tools
    How Replication Works
    A Background to Metadata
    How an Object's Metadata Is Modified During Replication
    The Replication of a Naming Context Between Two Servers
    How Replication Conflicts Are Reconciled
    Summary

6. Active Directory and DNS
    DNS Fundamentals
    Zones
    Resource Records
    DDNS
    Global Names Zone
    DC Locator
    Resource Records Used by Active Directory
    Overriding SRV Record Registration
    Delegation Options
    Not Delegating the AD DNS Zones
    Delegating the AD DNS Zones
    DNS for Standalone AD
    Active Directory Integrated DNS
    Replication Impact
    Background Zone Loading
    Using Application Partitions for DNS
    Aging and Scavenging
    Configuring Scavenging
    Summary

7. Read-Only Domain Controllers
    Prerequisites
    Password Replication Policies
    Managing the Password Replication Policy
    Managing RODC Theft
    The Client Logon Process
    Populating the Password Cache
    RODCs and Write Requests
    User Password Changes
    Computer Account Password Changes
    The lastLogonTimeStamp Attribute
    Last-Logon Statistics
    Logon Success/Fail Information
    NetLogon Secure Channel Updates
    Replication Connection Objects
    DNS Updates
    The W32Time Service
    Application Compatibility
    RODC Placement Considerations
    RODCs and Replication
    Administrator Role Separation
    Summary

8. Group Policy Primer
    Capabilities of GPOs
    Group Policy Storage
    How Group Policies Work
    GPOs and Active Directory
    Prioritizing the Application of Multiple Policies
    Standard GPO Inheritance Rules in Organizational Units
    Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
    When Policies Apply
    Combating Slowdown Due to Group Policy
    Security Filtering and Group Policy Objects
    Loopback Merge Mode and Loopback Replace Mode
    WMI Filtering
    Summary of Policy Options
    Managing Group Policies
    Using the Group Policy Management Console (GPMC)
    Group Policy Modeling
    Delegation and Change Control
    Using Starter GPOs
    Group Policy Backup and Restore
    Scripting Group Policies
    Troubleshooting Group Policy
    Group Policy Results Wizard
    Forcing Group Policy Updates
    Enabling Extra Logging
    Group Policy Diagnostic Best Practices Analyzer
    Third-Party Troubleshooting Tools
    Summary

9. Fine-Grained Password Policies
    Understanding Password Setting Objects
    Scenarios for Fine-Grained Password Policies
    Defining Password Setting Objects
    Creating Password Setting Objects
    PSO Quick Start
    Building a PSO from Scratch
    Managing Password Settings Objects
    Strategies for Controlling PSO Application
    Managing PSO Application
    Delegating Management of PSOs
    Summary

[...]

19. Integrating Microsoft Exchange
    Preparing Active Directory for Exchange Setup
    Prerequisites
    PrepareLegacyExchangePermissions
    PrepareSchema
    PrepareAD
    PrepareDomain
    Active Directory Site Design and Domain Controller Placement
    Other Considerations
    Mail-Enabling Objects
    Using the Exchange Management Console
    Using PowerShell
    Summary

20. Active Directory Lightweight Directory ...

Part III. Scripting Active Directory with ADSI, ADO, and WMI

21. Scripting with ADSI
    What Are All These Buzzwords?
    ActiveX
    Windows Scripting Host (WSH)
    Active Server Pages (ASPs)
    Active Directory Service Interface (ADSI)
    ActiveX Data Objects (ADO)
    Windows Management Instrumentation (WMI)
    .NET and ...

[...]

(later chapter on .NET directory services programming; chapter number and title not shown on this page)
    ... Versions
    Directory Services Programming Landscape
    System.DirectoryServices Overview
    System.DirectoryServices.ActiveDirectory Overview
    System.DirectoryServices.Protocols Overview
    System.DirectoryServices.AccountManagement Overview
    .NET Directory Services Programming by Example
    Connecting to the Directory
    Searching the Directory
    Basics of Modifying the Directory
    Managing Users
    Overriding SSL Server Certificate ...


Preface (excerpt)

... language.

Contents of the Book

This book is split into three parts.

... creating a site topology, designing group policies, auditing, permissions, backup and recovery, Active Directory Lightweight Directory Services, upgrading Active Directory, and Microsoft Exchange.

Part III is all about managing Active Directory via automation with Active Directory Service Interface (ADSI), ActiveX Data Objects (ADO), Windows Management Instrumentation (WMI), PowerShell, and .NET. This ...

Part 1, Active Directory Basics

Chapter 1, A Brief Introduction
Reviews the evolution of the Microsoft NOS and some of the major features and benefits of Active Directory.

Chapter 2, Active Directory Fundamentals
Provides a high-level look at how objects are stored in Active Directory and explains some of the internal structures and concepts ...

Chapter 3, Naming Contexts and Application Partitions
... within Active Directory, what is contained within each, and the purpose of Application Partitions.

Chapter 4, Active Directory Schema
Gives you information on how the blueprint for each object and each object's attributes are stored in Active Directory.

Chapter 5, Site Topology and Replication
Details how the actual replication process for data takes place between domain controllers.

Chapter 6, Active Directory ...

... Organization-Wide Group Policies
Explains how Group Policy Objects function in Active Directory and how you can properly design an Active Directory structure to make the most effective use of these functions.

Chapter 13, Active Directory Security: Permissions and Auditing
Describes how you can design effective security for all areas of your Active Directory, in terms of both access to objects and their properties; ...

... Covers procedures for extending the classes and attributes in the Active Directory schema.

Chapter 15, Backup, Recovery, and Maintenance
Describes how you can back up and restore Active Directory down to the object level or the entire directory.

Chapter 16, Upgrading to Windows Server 2003
Outlines how you can upgrade your existing Active Directory infrastructure to Windows Server 2003.

Chapter 17, Upgrading ...
... existing Active Directory to Windows Server 2003 R2.

Chapter 18, Upgrading to Windows Server 2008
Outlines the process to upgrade your existing Active Directory to Windows Server 2008.

Chapter 19, Integrating Microsoft Exchange
Covers some of the important Active Directory-related issues when implementing Microsoft Exchange.

Chapter 20, Active Directory Lightweight Directory Service (a.k.a. ADAM)
Introduces Active ...

... descriptor for any Active Directory object including proper constant names for all values, perfect for anyone looking to script Active Directory delegation and wanting to know what values should be set.

Chapter 26, Extending the Schema and the Active Directory Snap-ins
Covers creation of new classes and attributes programmatically in the schema, and modification of the existing Active Directory snap-ins ...