Active Directory Cookbook
Contents Listing
Foreword
Preface
1. Getting Started
1.1 Where to Find the Tools
1.2 Getting Familiar with LDIF
1.3 Programming Notes
1.4 Replaceable Text
1.5 Where to Find More Information
2. Forests, Domains, and Trusts
2.1 Creating a Forest
2.2 Removing a Forest
2.3 Creating a Domain
2.4 Removing a Domain
2.5 Removing an Orphaned Domain
2.6 Finding the Domains in a Forest
2.7 Finding the NetBIOS Name of a Domain
2.8 Renaming a Domain
2.9 Changing the Mode of a Domain
2.10 Using ADPrep to Prepare a Domain or Forest for Windows Server 2003
2.11 Determining if ADPrep Has Completed
2.12 Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003
2.13 Raising the Functional Level of a Windows Server 2003 Domain
2.14 Raising the Functional Level of a Windows Server 2003 Forest
2.15 Creating a Trust Between a Windows NT Domain and an AD Domain
2.16 Creating a Transitive Trust Between Two AD Forests
2.17 Creating a Shortcut Trust Between Two AD Domains
2.18 Creating a Trust to a Kerberos Realm
2.19 Viewing the Trusts for a Domain
2.20 Verifying a Trust
2.21 Resetting a Trust
2.22 Removing a Trust
2.23 Enabling SID Filtering for a Trust
2.24 Finding Duplicate SIDs in a Domain
3. Domain Controllers, Global Catalogs, and FSMOs
3.1 Promoting a Domain Controller
3.2 Promoting a Domain Controller from Media
3.3 Demoting a Domain Controller
3.4 Automating the Promotion or Demotion of a Domain Controller
3.5 Troubleshooting Domain Controller Promotion or Demotion Problems
3.6 Removing an Unsuccessfully Demoted Domain Controller
3.7 Renaming a Domain Controller
3.8 Finding the Domain Controllers for a Domain
3.9 Finding the Closest Domain Controller
3.10 Finding a Domain Controller's Site
3.11 Moving a Domain Controller to a Different Site
3.12 Finding the Services a Domain Controller Is Advertising
3.13 Configuring a Domain Controller to Use an External Time Source
3.14 Finding the Number of Logon Attempts Made Against a Domain Controller
3.15 Enabling the /3GB Switch to Increase the LSASS Cache
3.16 Cleaning Up Distributed Link Tracking Objects
3.17 Enabling and Disabling the Global Catalog
3.18 Determining if Global Catalog Promotion Is Complete
3.19 Finding the Global Catalog Servers in a Forest
3.20 Finding the Domain Controllers or Global Catalog Servers in a Site
3.21 Finding Domain Controllers and Global Catalogs via DNS
3.22 Changing the Preference for a Domain Controller
3.23 Disabling the Global Catalog Requirement During a Windows 2000 Domain Login
3.24 Disabling the Global Catalog Requirement During a Windows 2003 Domain Login
3.25 Finding the FSMO Role Holders
3.26 Transferring a FSMO Role
3.27 Seizing a FSMO Role
3.28 Finding the PDC Emulator FSMO Role Owner via DNS
4. Searching and Manipulating Objects
4.1 Viewing the RootDSE
4.2 Viewing the Attributes of an Object
4.3 Using LDAP Controls
4.4 Using a Fast or Concurrent Bind
4.5 Searching for Objects in a Domain
4.6 Searching the Global Catalog
4.7 Searching for a Large Number of Objects
4.8 Searching with an Attribute-Scoped Query
4.9 Searching with a Bitwise Filter
4.10 Creating an Object
4.11 Modifying an Object
4.12 Modifying a Bit-Flag Attribute
4.13 Dynamically Linking an Auxiliary Class
4.14 Creating a Dynamic Object
4.15 Refreshing a Dynamic Object
4.16 Modifying the Default TTL Settings for Dynamic Objects
4.17 Moving an Object to a Different OU or Container
4.18 Moving an Object to a Different Domain
4.19 Renaming an Object
4.20 Deleting an Object
4.21 Deleting a Container That Has Child Objects
4.22 Viewing the Created and Last Modified Timestamp of an Object
4.23 Modifying the Default LDAP Query Policy
4.24 Exporting Objects to an LDIF File
4.25 Importing Objects Using an LDIF File
4.26 Exporting Objects to a CSV File
4.27 Importing Objects Using a CSV File
5. Organizational Units
5.1 Creating an OU
5.2 Enumerating the OUs in a Domain
5.3 Enumerating the Objects in an OU
5.4 Deleting the Objects in an OU
5.5 Deleting an OU
5.6 Moving the Objects in an OU to a Different OU
5.7 Moving an OU
5.8 Determining How Many Child Objects an OU Has
5.9 Delegating Control of an OU
5.10 Allowing OUs to Be Created Within Containers
5.11 Linking a GPO to an OU
6. Users
6.1 Creating a User
6.2 Creating a Large Number of Users
6.3 Creating an inetOrgPerson User
6.4 Modifying an Attribute for Several Users at Once
6.5 Moving a User
6.6 Renaming a User
6.7 Copying a User
6.8 Unlocking a User
6.9 Finding Locked Out Users
6.10 Troubleshooting Account Lockout Problems
6.11 Viewing the Account Lockout and Password Policies
6.12 Enabling and Disabling a User
6.13 Finding Disabled Users
6.14 Viewing a User's Group Membership
6.15 Changing a User's Primary Group
6.16 Transferring a User's Group Membership to Another User
6.17 Setting a User's Password
6.18 Setting a User's Password via LDAP
6.19 Setting a User's Password via Kerberos
6.20 Preventing a User from Changing His Password
6.21 Requiring a User to Change Her Password at Next Logon
6.22 Preventing a User's Password from Expiring
6.23 Finding Users Whose Passwords Are About to Expire
6.24 Setting a User's Account Options (userAccountControl)
6.25 Setting a User's Account to Expire in the Future
6.26 Finding Users Whose Accounts Are About to Expire
6.27 Determining a User's Last Logon Time
6.28 Finding Users Who Have Not Logged On Recently
6.29 Setting a User's Profile Attributes
6.30 Viewing a User's Managed Objects
6.31 Modifying the Default Display Name Used When Creating Users in ADUC
6.32 Creating a UPN Suffix for a Forest
7. Groups
7.1 Creating a Group
7.2 Viewing the Direct Members of a Group
7.3 Viewing the Nested Members of a Group
7.4 Adding and Removing Members of a Group
7.5 Moving a Group
7.6 Changing the Scope or Type of a Group
7.7 Delegating Control for Managing Membership of a Group
7.8 Resolving a Primary Group ID
7.9 Enabling Universal Group Membership Caching
8. Computers
8.1 Creating a Computer
8.2 Creating a Computer for a Specific User or Group
8.3 Joining a Computer to a Domain
8.4 Moving a Computer
8.5 Renaming a Computer
8.6 Testing the Secure Channel for a Computer
8.7 Resetting a Computer
8.8 Finding Inactive or Unused Computers
8.9 Changing the Maximum Number of Computers a User Can Join to the Domain
8.10 Finding Computers with a Particular OS
8.11 Binding to the Default Container for Computers
8.12 Changing the Default Container for Computers
9. Group Policy Objects (GPOs)
9.1 Finding the GPOs in a Domain
9.2 Creating a GPO
9.3 Copying a GPO
9.4 Deleting a GPO
9.5 Viewing the Settings of a GPO
9.6 Modifying the Settings of a GPO
9.7 Importing Settings into a GPO
9.8 Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
9.9 Installing Applications with a GPO
9.10 Disabling the User or Computer Settings in a GPO
9.11 Listing the Links for a GPO
9.12 Creating a GPO Link to an OU
9.13 Blocking Inheritance of GPOs on an OU
9.14 Applying a Security Filter to a GPO
9.15 Creating a WMI Filter
9.16 Applying a WMI Filter to a GPO
9.17 Backing Up a GPO
9.18 Restoring a GPO
9.19 Simulating the RSoP
9.20 Viewing the RSoP
9.21 Refreshing GPO Settings on a Computer
9.22 Restoring a Default GPO
10. Schema
10.1 Registering the Active Directory Schema MMC Snap-in
10.2 Enabling Schema Updates
10.3 Generating an OID to Use for a New Class or Attribute
10.4 Generating a GUID to Use for a New Class or Attribute
10.5 Extending the Schema
10.6 Documenting Schema Extensions
10.7 Adding a New Attribute
10.8 Viewing an Attribute
10.9 Adding a New Class
10.10 Viewing a Class
10.11 Indexing an Attribute
10.12 Modifying the Attributes That Are Copied When Duplicating a User
10.13 Modifying the Attributes Included with Ambiguous Name Resolution
10.14 Adding or Removing an Attribute in the Global Catalog
10.15 Finding the Nonreplicated and Constructed Attributes
10.16 Finding the Linked Attributes
10.17 Finding the Structural, Auxiliary, Abstract, and 88 Classes
10.18 Finding the Mandatory and Optional Attributes of a Class
10.19 Modifying the Default Security of a Class
10.20 Deactivating Classes and Attributes
10.21 Redefining Classes and Attributes
10.22 Reloading the Schema Cache
11. Site Topology
11.1 Creating a Site
11.2 Listing the Sites
11.3 Deleting a Site
11.4 Creating a Subnet
11.5 Listing the Subnets
11.6 Finding Missing Subnets
11.7 Creating a Site Link
11.8 Finding the Site Links for a Site
11.9 Modifying the Sites That Are Part of a Site Link
11.10 Modifying the Cost for a Site Link
11.11 Disabling Site Link Transitivity or Site Link Schedules
11.12 Creating a Site Link Bridge
11.13 Finding the Bridgehead Servers for a Site
11.14 Setting a Preferred Bridgehead Server for a Site
11.15 Listing the Servers
11.16 Moving a Domain Controller to a Different Site
11.17 Configuring a Domain Controller to Cover Multiple Sites
11.18 Viewing the Site Coverage for a Domain Controller
11.19 Disabling Automatic Site Coverage for a Domain Controller
11.20 Finding the Site for a Client
11.21 Forcing a Host to a Particular Site
11.22 Creating a Connection Object
11.23 Listing the Connection Objects for a Server
11.24 Load-Balancing Connection Objects
11.25 Finding the ISTG for a Site
11.26 Transferring the ISTG to Another Server
11.27 Triggering the KCC
11.28 Determining if the KCC Is Completing Successfully
11.29 Disabling the KCC for a Site
11.30 Changing the Interval at Which the KCC Runs
12. Replication
12.1 Determining if Two Domain Controllers Are in Sync
12.2 Viewing the Replication Status of Several Domain Controllers
12.3 Viewing Unreplicated Changes Between Two Domain Controllers
12.4 Forcing Replication from One Domain Controller to Another
12.5 Changing the Intra-Site Replication Interval
12.6 Changing the Intersite Replication Interval
12.7 Disabling Inter-Site Compression of Replication Traffic
12.8 Checking for Potential Replication Problems
12.9 Enabling Enhanced Logging of Replication Events
12.10 Enabling Strict or Loose Replication Consistency
12.11 Finding Conflict Objects
12.12 Viewing Object Metadata
13. Domain Name System (DNS)
13.1 Creating a Forward Lookup Zone
13.2 Creating a Reverse Lookup Zone
13.3 Viewing a Server's Zones
13.4 Converting a Zone to an AD-Integrated Zone
13.5 Moving AD-Integrated Zones into an Application Partition
13.6 Delegating Control of a Zone
13.7 Creating and Deleting Resource Records
13.8 Querying Resource Records
13.9 Modifying the DNS Server Configuration
13.10 Scavenging Old Resource Records
13.11 Clearing the DNS Cache
13.12 Verifying That a Domain Controller Can Register Its Resource Records
13.13 Registering a Domain Controller's Resource Records
13.14 Preventing a Domain Controller from Dynamically Registering All Resource Records
13.15 Preventing a Domain Controller from Dynamically Registering Certain Resource Records
13.16 Deregistering a Domain Controller's Resource Records
13.17 Allowing Computers to Use a Different Domain Suffix from Their AD Domain
14. Security and Authentication
14.1 Enabling SSL/TLS
14.2 Encrypting LDAP Traffic with SSL, TLS, or Signing
14.3 Enabling Anonymous LDAP Access
14.4 Restricting Hosts from Performing LDAP Queries
14.5 Using the Delegation of Control Wizard
14.6 Customizing the Delegation of Control Wizard
14.7 Viewing the ACL for an Object
14.8 Customizing the ACL Editor
14.9 Viewing the Effective Permissions on an Object
14.10 Changing the ACL of an Object
14.11 Changing the Default ACL for an Object Class in the Schema
14.12 Comparing the ACL of an Object to the Default Defined in the Schema
14.13 Resetting an Object's ACL to the Default Defined in the Schema
14.14 Preventing the LM Hash of a Password from Being Stored
14.15 Enabling List Object Access Mode
14.16 Modifying the ACL on Administrator Accounts
14.17 Viewing and Purging Your Kerberos Tickets
14.18 Forcing Kerberos to Use TCP
14.19 Modifying Kerberos Settings
15. Logging, Monitoring, and Quotas
15.1 Enabling Extended dcpromo Logging
15.2 Enabling Diagnostics Logging
15.3 Enabling NetLogon Logging
15.4 Enabling GPO Client Logging
15.5 Enabling Kerberos Logging
15.6 Enabling DNS Server Debug Logging
15.7 Viewing DNS Server Performance Statistics
15.8 Enabling Inefficient and Expensive LDAP Query Logging
15.9 Using the STATS Control to View LDAP Query Statistics
15.10 Using Perfmon to Monitor AD
15.11 Using Perfmon Trace Logs to Monitor AD
15.12 Enabling Auditing of Directory Access
15.13 Creating a Quota
15.14 Finding the Quotas Assigned to a Security Principal
15.15 Changing How Tombstone Objects Count Against Quota Usage
15.16 Setting the Default Quota for All Security Principals in a Partition
15.17 Finding the Quota Usage for a Security Principal
16. Backup, Recovery, DIT Maintenance, and Deleted Objects
16.1 Backing Up Active Directory
16.2 Restarting a Domain Controller in Directory Services Restore Mode
16.3 Resetting the Directory Service Restore Mode Administrator Password
16.4 Performing a Nonauthoritative Restore
16.5 Performing an Authoritative Restore of an Object or Subtree
16.6 Performing a Complete Authoritative Restore
16.7 Checking the DIT File's Integrity
16.8 Moving the DIT Files
16.9 Repairing or Recovering the DIT
16.10 Performing an Online Defrag Manually
16.11 Determining How Much Whitespace Is in the DIT
16.12 Performing an Offline Defrag to Reclaim Space
16.13 Changing the Garbage Collection Interval
16.14 Logging the Number of Expired Tombstone Objects
16.15 Determining the Size of the Active Directory Database
16.16 Searching for Deleted Objects
16.17 Restoring a Deleted Object
16.18 Modifying the Tombstone Lifetime for a Domain
17. Application Partitions
17.1 Creating and Deleting an Application Partition
17.2 Finding the Application Partitions in a Forest
17.3 Adding or Removing a Replica Server for an Application Partition
17.4 Finding the Replica Servers for an Application Partition
17.5 Finding the Application Partitions Hosted by a Server
17.6 Verifying Application Partitions Are Instantiated on a Server Correctly
17.7 Setting the Replication Notification Delay for an Application Partition
17.8 Setting the Reference Domain for an Application Partition
17.9 Delegating Control of Managing an Application Partition
18. Interoperability and Integration
18.1 Accessing AD from a Non-Windows Platform
18.2 Programming with .NET
18.3 Programming with DSML
18.4 Programming with Perl
18.5 Programming with Java
18.6 Programming with Python
18.7 Integrating with MIT Kerberos
18.8 Integrating with Samba
18.9 Integrating with Apache
18.10 Replacing NIS
18.11 Using BIND for DNS
18.12 Authorizing a Microsoft DHCP Server
18.13 Using VMware for Testing AD
Appendix: Tool List
Index