Foreword

I've been waiting for "The Year of the Directory" for 15 years, basically since "The Year of the LAN," which, if I recall correctly, occurred in 1983, 1984, 1985, and briefly again in 1988. But as I write this in 2003, there are very few enterprise networks that are not running a directory of one sort or another. While I was patiently waiting at the front door, the directory slipped in the back. I must have been napping on the couch.

The Year of the Directory never came, nor will it ever. Just as with TV, fax, LANs, cell phones, and the Internet, we've experienced another sea change in communications and information technology. But no one can point to the time when the change "happened." Ocean tides have a well-defined schedule, but watershed technology changes are more like global warming. "Look, Honey! The waves come right up to the front porch!" The IT industry has simply evolved over time to assimilate yet another new technology, making our ability to communicate and compute more seamless, more pervasive, and more affordable.

And that's sort of the point of directories: to make it possible for us to build larger, more sophisticated networks that don't collapse under the weight of their own complexity. The first commercial NOS with an integrated directory, Banyan's VINES, was a startling success in this regard. At a time when most enterprise IT executives were just dimly aware that workgroup LANs had utterly subverted their minicomputer and mainframe-based strategies, a relatively few prescient CIOs had seen the future, building centrally managed, global PC networks based on Banyan's distributed and replicated directory, StreetTalk.

I loved VINES and StreetTalk because they made it possible to operate distributed enterprise networks with extremely low administrative costs. The VINES NOS provided competent file, print, and communications on industry-standard server hardware. The StreetTalk directory service added secure, distributed naming and authentication across the entire network. VINES also came bundled with a directory-integrated email system that was a model of simplicity and scalability. VINES administrators enjoyed all this with a low level of administrative overhead that we can only appreciate in retrospect. Bringing up a new VINES server running both the directory and email service amounted to loading the OS (27 floppies worth!), configuring the NIC, and giving the server a name. Troubleshooting tools were mostly nonexistent because there were mostly no troubles to shoot. And when there was a problem that we couldn't sort out using the primitive tools we had, waving a dead chicken over the suspect server usually took care of it. StreetTalk made VINES as close to a "set it and forget it" network as the industry has ever seen, which is just what directories are supposed to do.

Banyan's 10-year lead in the enterprise network market evaporated in about 5 years, due to many factors: inept marketing, the introduction of a competitive directory from Novell (NDS, now called eDirectory), and ISV support that could only be described as hostile. Banyan's demise as a NOS company was as ugly as it was inevitable.

The NOS directory market is now left to Novell's eDirectory and Microsoft's Active Directory. eDirectory does well in many situations, but for building enterprise-scale, Windows-based networks, Active Directory's dominance seems inevitable. Now I'll admit to being a big fan of Microsoft's Active Directory. Active Directory is a wonderfully sophisticated piece of software that performs well, scales up and scales out, and does an outstanding job of integrating computers running earlier Windows operating systems such as Windows NT 4.0 and Windows 98. I doubt that Microsoft has ever produced a piece of software as reliable as Active Directory, particularly in its 1.0 version. I'd be really surprised if there's an enterprise that can't implement Active Directory successfully.

But all that sophistication and performance requires a substantial amount of care and feeding. Running a VINES network was like driving a 60s vintage VW Beetle: push, pull, left, right, and the Bug did pretty much what you expected. Managing an Active Directory enterprise is more like piloting a Lear jet. If you don't know how to use all those knobs and dials properly, you've got a good chance of leaving a smoking crater in the ground. A competent Active Directory administrator must have at least a passing understanding of a handful of different technologies, including DNS, WINS, Kerberos, LDAP, and the Windows operating system itself. And he must be able to perform more than a hundred different tasks using more than 30 different utilities. Even if you've read the books and taken the classes, becoming a skilled Active Directory administrator requires detailed knowledge of the ins and outs of Active Directory. Although Active Directory simplifies the management of a large network substantially, much of the administrative overhead has simply shifted to Active Directory itself.

That's where the Active Directory Cookbook comes in. Robbie Allen has produced an outstanding reference that spells out how to perform the hundred-plus tasks that an administrator is likely to perform during the Active Directory lifecycle. The Active Directory Cookbook is essentially a book of checklists for the professional Active Directory pilot. Each administrative task includes background information, step-by-step instructions, and references to more detailed information on Microsoft's web site. If you need to do something with Active Directory, Robbie shows you how to do it with a minimum of fuss and bother.

I've known Robbie for several years, both as a first-string speaker for NetPro's Directory Experts Conference and as a frequent contributor to Tony Murray's activedir.org mailing list. Robbie brings a rare combination of skills and knowledge to the table. He has the rare ability to blend an in-depth knowledge of how Active Directory actually works, hands-on understanding of what an administrator needs to do (and not do!) to successfully deploy and run a large Active Directory installation, and a Unix administrator's inbred desire to automate everything with scripts. So not only does Robbie deliver a "how-to" for every Active Directory administrative task you're likely to perform, he shows you how to automate it using a combination of VBScript, Perl, batch files, and command-line utilities.

And that's what really excites me about this book. A catalog of step-by-step instructions for common Active Directory administrative tasks would be useful by itself. But by providing a programmatic solution for most of these tasks, Robbie has laid the groundwork for automating most of your day-to-day Active Directory management tasks. And that brings you a step closer to what you ultimately want: a network with the performance and sophistication of Windows and Active Directory, and the simplicity of administration we haven't had since VINES and StreetTalk. That would be a mighty powerful combination.

—Gil Kirkpatrick
CTO, NetPro [1]

[1] Gil Kirkpatrick is the Chief Technology Officer at NetPro and the founder of the Directory Experts Conference. With a strategic combination of software solutions, conferences, and web resources, NetPro is revolutionizing the way companies manage their directories and driving the availability and performance of the world's networks. NetPro delivers the only comprehensive suite of solutions designed to manage network directory services for 24 x 7 availability throughout the directory lifecycle (http://www.netpro.com).

Preface

In 1998 when I first became involved with the Microsoft Windows 2000 Joint Development Program (JDP), there was very little data available on Active Directory.
In the following months and even after the initial release of Windows 2000, there were very few books or white papers to help early adopters of Active Directory get started. And some of the information that had been published was often inaccurate or misleading. Many early deployers had to learn by trial and error.

As time passed, more and more informative books were published, which helped fill the information gap. By the end of the second year of its release, there was an explosion of information on Active Directory. Not only were there over 50 books published, but Microsoft also cleaned up their documentation on MSDN (http://msdn.microsoft.com) and their AD web site (http://www.microsoft.com/ad/). Now those sites have numerous white papers, many of which could serve as mini booklets. Other web sites have popped up as well that contain a great deal of information on Active Directory. With Windows Server 2003, Microsoft has taken their level of documentation a step higher. Extensive information on Active Directory is available directly from any Windows Server 2003 computer in the form of the Help and Support Center (available from the Start Menu).

So with all this data available on Active Directory in the form of published books, white papers, web sites, and even from within the operating system, why would you want to purchase this one? In the summer of 2002, I was thumbing through the Perl Cookbook from O'Reilly, looking for help with an automation script I was writing for Active Directory. It just so happened that there was a recipe that addressed the specific task I was trying to perform. In Cookbook parlance, a recipe provides instructions on how to solve a particular problem. I thought that since Active Directory is such a task-oriented environment, the Cookbook approach might be a very good format. After a little research, I found there were books (often multiple) on nearly every facet of Active Directory, including introductory books, design guides, books that focused on migration, programming books, and reference books. The one type of book I didn't see was a task-oriented "how-to" book, which is exactly what the Cookbook format provides.

Based on my own experience, hours of research, and years of hanging out on Active Directory newsgroups and mailing lists, I've compiled over 325 recipes that should answer the majority of "How do I do X" questions one could pose about Active Directory. And just as in the Perl community where the Perl Cookbook was a great addition that sells well even today, I believe the Active Directory Cookbook will also be a great addition to any Active Directory library.

Who Should Read This Book?

As with many of the books in the Cookbook series, the Active Directory Cookbook can be useful to anyone who has to deploy, administer, or automate Active Directory. This book can serve as a great reference for those who have to work with Active Directory on a day-to-day basis. And because of all the programming samples, this book can be really beneficial to programmers who want to get a jumpstart on performing certain tasks in an application. For those without much programming background, the VBScript and Perl solutions are straightforward and should be pretty easy to follow and expand on.

The companion to this book, Active Directory, Second Edition from O'Reilly, is a great choice for those wanting a thorough description of the core concepts behind Active Directory, how to design an Active Directory infrastructure, and how to automate that infrastructure using Active Directory Service Interfaces (ADSI) and Windows Management Instrumentation (WMI). Active Directory, Second Edition does not describe how to accomplish every possible task within Active Directory; that is the purpose of this book.
These two books, along with the supplemental information described in Recipe 1.5, should be sufficient to answer most questions you have about Active Directory.

What's in This Book?

This book consists of 18 chapters. Here is a brief overview of each chapter:

• Chapter 1 sets the stage for the book by covering where you can find the tools used in the book, VBScript and Perl issues to consider, and where to find additional information.
• Chapter 2 covers how to create and remove forests and domains, update the domain mode or functional levels, create different types of trusts, and other administrative trust tasks.
• Chapter 3 covers promoting and demoting domain controllers, finding domain controllers, enabling the global catalog, and finding and managing Flexible Single Master Operations (FSMO) roles.
• Chapter 4 covers the basics of searching Active Directory; creating, modifying, and deleting objects; using LDAP controls; and importing and exporting data using LDAP Data Interchange Format (LDIF) and comma-separated variable (CSV) files.
• Chapter 5 covers creating, moving, and deleting Organizational Units, and managing the objects contained within them.
• Chapter 6 covers all aspects of managing user objects, including creating, renaming, moving, resetting passwords, unlocking, modifying the profile attributes, and locating users that have certain criteria (e.g., password is about to expire).
• Chapter 7 covers how to create groups, modify group scope and type, and manage membership.
• Chapter 8 covers creating computers, joining computers to a domain, resetting computers, and locating computers that match certain criteria (e.g., have been inactive for a number of weeks).
• Chapter 9 covers how to create, modify, link, copy, import, back up, restore, and delete GPOs using the Group Policy Management Console and scripting interface.
• Chapter 10 covers basic schema administration tasks, such as generating object identifiers (OIDs) and schemaIDGUIDs, how to use LDIF to extend the schema, and how to locate attributes or classes that match certain criteria (e.g., all attributes that are indexed).
• Chapter 11 covers how to manage sites, subnets, site links, and connection objects.
• Chapter 12 covers how to trigger and disable the Knowledge Consistency Checker (KCC), how to query metadata, force replication, and determine what changes have yet to replicate between domain controllers.
• Chapter 13 covers creating zones and resource records, modifying DNS server configuration, querying DNS, and customizing the resource records a domain controller dynamically registers.
• Chapter 14 covers how to delegate control, view and modify permissions, view effective permissions, and manage Kerberos tickets.
• Chapter 15 covers how to enable auditing, diagnostics, DNS, NetLogon, Kerberos and GPO logging, obtain LDAP query statistics, and manage quotas.
• Chapter 16 covers how to back up Active Directory, perform authoritative and nonauthoritative restores, check DIT file integrity, perform online and offline defrags, and search for deleted objects.
• Chapter 17 covers creating and managing application partitions.
• Chapter 18 covers how to integrate Active Directory with various applications, services, and programming languages.

Conventions Used in This Book

The following typographical conventions are used in this book:

Constant width
    Indicates command-line elements, computer output, and code examples.

Constant width italic
    Indicates placeholders (for which you substitute an actual name) in examples and in registry keys.

Constant width bold
    Indicates user input.

Italic
    Introduces new terms and example URLs, commands, file extensions, filenames, directory or folder names, and UNC pathnames.

Indicates a tip, suggestion, or general note.
For example, I'll tell you if you need to use a particular version or if an operation requires certain privileges.

Indicates a warning or caution. For example, I'll tell you if Active Directory does not behave as you'd expect or if a particular operation has a negative impact on performance.

We'd Like Your Feedback!

We at O'Reilly have tested and verified the information in this book to the best of our ability, but mistakes and oversights do occur. Please let us know about errors you may find, as well as your suggestions for future editions, by writing to:

O'Reilly & Associates, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the U.S. or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)

We have a web page for the book, where we list errata, examples, or any additional information. You can access this page at:

http://www.oreilly.com/catalog/activedckbk

Examples can also be found at the author's web site:

http://www.rallenhome.com/books/adcookbook/code.html

To comment or ask technical questions about this book, send email to:

bookquestions@oreilly.com

For more information about our books, conferences, software, Resource Centers, and the O'Reilly Network, see our web site at:

http://www.oreilly.com

Acknowledgments

The people at O'Reilly were a joy to work with. I would like to thank Robert Denn for helping me get this book off the ground. I am especially grateful for Andy Oram's insightful and thought-provoking feedback.

I was very fortunate to have an all-star group of technical reviewers. If there was ever a need to assemble a panel of the top Active Directory experts, you would be hard pressed to find a more knowledgeable group of guys. Here they are in alphabetical order:

Rick Kingslan (rkingsla@cox.net) is a Senior Systems Engineer and Microsoft Windows Server MVP. If you've ever posted a question to an Active Directory newsgroup or discussion forum, odds are Rick participated in the thread.
His uncanny ability to provide useful feedback on just about any Active Directory problem helped ensure I covered all the angles with each recipe.

Gil Kirkpatrick (gilk@netpro.com) is the Executive Vice President & CTO of NetPro (http://www.netpro.com/). Gil is also the author of Active Directory Programming from MacMillan. His extensive knowledge of the underpinnings of Active Directory helped clarify several issues I did not address adequately the first time through.

Tony Murray (tony@activedir.org) is the maintainer of the www.ActiveDir.org web site and mailing list, which is one of the premier Active Directory discussion forums. The myriad of questions posed to the list served as inspiration for this book. Tony's comments and suggestions throughout the book helped tremendously.

Todd Myrick (myrickt@mail.nih.gov) has a unique perspective on Active Directory from his experience inside the government. Todd contributed several "outside the box" ideas to the book that only a creative person, such as he, could have done.

Joe Richards (joe@joeware.net) is the creator of the http://www.joeware.net/ web site, which contains many must-have Active Directory tools, such as adfind, unlock, and much more. Joe is one of the most experienced Active Directory administrators and programmers I've met. He's had to do most of the tasks in this book at one point or another, so his contributions were significant.

Kevin Sullivan (ksullivan@aelita.com) is the Project Manager for Enterprise Directory Management at Aelita. Kevin has as much experience with Active Directory as anyone you'll find. He is a frequent contributor to Active Directory discussion forums, and he provided numerous suggestions and clarifications throughout the book.

Last, but certainly not least, I would like to thank my wife Janet. Her love, support, and bright smile are constant reminders of how lucky I am. Did I mention she cooks, too!

Chapter 1. Getting Started

Approach to the Book
Recipe 1.1. Where to Find the Tools
Recipe 1.2. Getting Familiar with LDIF
Recipe 1.3. Programming Notes
Recipe 1.4. Replaceable Text
Recipe 1.5. Where to Find More Information

Approach to the Book

If you are familiar with the O'Reilly Cookbook format that can be seen in other popular books, such as the Perl Cookbook, Java Cookbook, and DNS and BIND Cookbook, then the layout of this book will not be anything new to you. The book is composed of 18 chapters, each containing 10-30 recipes for performing a specific Active Directory task. Within each recipe are four sections: problem, solution, discussion, and see also. The problem section briefly describes the task the recipe focuses on. The solution section contains step-by-step instructions on how to accomplish the task. The discussion section contains detailed information about the problem or solution. The see also section contains references to additional sources of information that can be useful if you still need more information after reading the discussion. The see also section may reference other recipes, MS Knowledge Base (MS KB) (http://support.microsoft.com/) articles, or documentation from the Microsoft Developers Network (MSDN) (http://msdn.microsoft.com).

At Least Three Ways to Do It!

When I first began developing the content for the book, I struggled with how to capture the fact that you can do things multiple ways with Active Directory. You may be familiar with the famous Perl motto: There Is More Than One Way To Do It; well with Active Directory, there are often At Least Three Ways To Do It. You can perform a task with a graphical user interface (GUI), such as ADSI Edit, LDP, or the Active Directory Users and Computers snap-in; you can use a command-line interface (CLI), such as the ds utilities (i.e., dsadd, dsmod, dsrm, dsquery, dsget), nltest, netdom, or ldifde; and, finally, you can perform the same task using a scripting language, such as VBScript or Perl.
Since people prefer different methods, and no one method is necessarily better than another, I decided to write solutions to the recipes using one of each. That means instead of just a single solution per recipe, I include up to three solutions using GUI, CLI, and programmatic examples. That said, some recipes cannot be accomplished with one of the three methods or it is very difficult to do so. In that case, only the applicable methods are covered.

In the GUI and CLI solutions, I use standard tools that are readily accessible. There are other tools that I could have used, which would have made some of the tasks easier to accomplish, but I wanted to make this book as useful as possible without requiring you to hunt down the tools I use. I also took this approach with the programmatic solutions; I use VBScript for the programming language, primarily because it is widely used among Windows administrators and is the most straightforward from a code perspective when using Active Directory Service Interface (ADSI) and Windows Script Host (WSH). For those familiar with other languages, such as Visual Basic, Perl and JScript, it is very easy to convert code from VBScript. The downside to using VBScript is that it does not have all of the facilities necessary to accomplish some complicated tasks. It is for this reason that I use Perl in a few recipes that required a complicated programmatic solution.

For those of you who wish that all of the solutions were written with Perl instead of VBScript, you are in luck. On the book's web site, I've posted companion Perl solutions for every recipe that had a VBScript solution. Go to http://www.rallenhome.com/books/adcookbook/code.html to download the code.

Windows 2000 Versus Windows Server 2003

Another challenge with writing this book is there are now two versions of Active Directory. The initial version was released with Windows 2000 and recently, Microsoft released Windows Server 2003, which provides a lot of updates and new features. Since Windows Server 2003 Active Directory is the latest and greatest version, and includes a lot of new tools that aren't present in Windows 2000, I've decided to go with the approach of making everything work under Windows Server 2003 Active Directory first, and Windows 2000 second. In fact, the majority of the solutions will work with Windows 2000 unchanged. For the recipes or solutions that are specific to a particular version, I include a note mentioning the version it is targeted for.

Most GUI and programmatic solutions will work with either version unchanged, but Microsoft introduced several new CLIs with Windows Server 2003, most of which cannot be run on the Windows 2000 operating system. Typically, you can still use these newer tools on a Windows XP or Windows Server 2003 computer to manage Windows 2000 Active Directory.

Recipe 1.1 Where to Find the Tools

For the GUI and CLI solutions to mean much to you, you need access to the tools that are used in the examples. For this reason, in the majority of cases and unless otherwise noted, I only used tools that are part of the default operating system or available in the Resource Kit or Support Tools.

The Windows 2000 Server Resource Kit and Windows Server 2003 Resource Kit are invaluable sources of information, along with providing numerous tools that aid administrators in their daily tasks. More information on the Resource Kits can be found at the following web site: http://www.microsoft.com/windows/reskits/.

The Windows 2000 Support Tools, which is called the Windows Support Tools in Windows Server 2003, contain many "must have" tools for people that work with Active Directory. The Microsoft installer (MSI) for the Windows Support Tools can be found on a Windows 2000 Server or Windows Server 2003 CD in the .