Chapter 1 Getting Started
Approach to the Book
Where to Find the Tools
Getting Familiar with LDIF
Programming Notes
Replaceable Text
Where to Find More Information
Chapter 2 Forests, Domains, and Trusts
Introduction
Creating a Forest
Removing a Forest
Creating a Domain
Removing a Domain
Removing an Orphaned Domain
Finding the Domains in a Forest
Finding the NetBIOS Name of a Domain
Renaming a Domain
Changing the Mode of a Domain
Using ADPrep to Prepare a Domain or Forest for Windows Server 2003
Determining if ADPrep Has Completed
Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003
Raising the Functional Level of a Windows Server 2003 Domain
Raising the Functional Level of a Windows Server 2003 Forest
Creating a Trust Between a Windows NT Domain and an AD Domain
Creating a Transitive Trust Between Two AD Forests
Creating a Shortcut Trust Between Two AD Domains
Creating a Trust to a Kerberos Realm
Viewing the Trusts for a Domain
Verifying a Trust
Resetting a Trust
Removing a Trust
Enabling SID Filtering for a Trust
Finding Duplicate SIDs in a Domain
Chapter 3 Domain Controllers, Global Catalogs, and FSMOs
Introduction
Promoting a Domain Controller
Promoting a Domain Controller from Media
Demoting a Domain Controller
Automating the Promotion or Demotion of a Domain Controller
Troubleshooting Domain Controller Promotion or Demotion Problems
Removing an Unsuccessfully Demoted Domain Controller
Renaming a Domain Controller
Finding the Domain Controllers for a Domain
Finding the Closest Domain Controller
Finding a Domain Controller’s Site
Moving a Domain Controller to a Different Site
Finding the Services a Domain Controller Is Advertising
Configuring a Domain Controller to Use an External Time Source
Finding the Number of Logon Attempts Made Against a Domain Controller
Enabling the /3GB Switch to Increase the LSASS Cache
Cleaning Up Distributed Link Tracking Objects
Enabling and Disabling the Global Catalog
Determining if Global Catalog Promotion Is Complete
Finding the Global Catalog Servers in a Forest
Finding the Domain Controllers or Global Catalog Servers in a Site
Finding Domain Controllers and Global Catalogs via DNS
Changing the Preference for a Domain Controller
Disabling the Global Catalog Requirement During a Windows 2000 Domain Login
Disabling the Global Catalog Requirement During a Windows 2003 Domain Login
Finding the FSMO Role Holders
Transferring a FSMO Role
Seizing a FSMO Role
Finding the PDC Emulator FSMO Role Owner via DNS
Chapter 4 Searching and Manipulating Objects
Introduction
Viewing the RootDSE
Viewing the Attributes of an Object
Using LDAP Controls
Using a Fast or Concurrent Bind
Searching for Objects in a Domain
Searching the Global Catalog
Searching for a Large Number of Objects
Searching with an Attribute-Scoped Query
Searching with a Bitwise Filter
Creating an Object
Modifying an Object
Modifying a Bit-Flag Attribute
Dynamically Linking an Auxiliary Class
Creating a Dynamic Object
Refreshing a Dynamic Object
Modifying the Default TTL Settings for Dynamic Objects
Moving an Object to a Different OU or Container
Moving an Object to a Different Domain
Renaming an Object
Deleting an Object
Deleting a Container That Has Child Objects
Viewing the Created and Last Modified Timestamp of an Object
Modifying the Default LDAP Query Policy
Exporting Objects to an LDIF File
Importing Objects Using an LDIF File
Exporting Objects to a CSV File
Importing Objects Using a CSV File
Chapter 5 Organizational Units
Introduction
Creating an OU
Enumerating the OUs in a Domain
Enumerating the Objects in an OU
Deleting the Objects in an OU
Deleting an OU
Moving the Objects in an OU to a Different OU
Moving an OU
Determining How Many Child Objects an OU Has
Delegating Control of an OU
Allowing OUs to Be Created Within Containers
Linking a GPO to an OU
Chapter 6 Users
Introduction
Creating a User
Creating a Large Number of Users
Creating an inetOrgPerson User
Modifying an Attribute for Several Users at Once
Moving a User
Renaming a User
Copying a User
Unlocking a User
Finding Locked Out Users
Troubleshooting Account Lockout Problems
Viewing the Account Lockout and Password Policies
Enabling and Disabling a User
Finding Disabled Users
Viewing a User’s Group Membership
Changing a User’s Primary Group
Transferring a User’s Group Membership to Another User
Setting a User’s Password
Setting a User’s Password via LDAP
Setting a User’s Password via Kerberos
Preventing a User from Changing His Password
Requiring a User to Change Her Password at Next Logon
Preventing a User’s Password from Expiring
Finding Users Whose Passwords Are About to Expire
Setting a User’s Account Options (userAccountControl)
Setting a User’s Account to Expire in the Future
Finding Users Whose Accounts Are About to Expire
Determining a User’s Last Logon Time
Finding Users Who Have Not Logged On Recently
Setting a User’s Profile Attributes
Viewing a User’s Managed Objects
Modifying the Default Display Name Used When Creating Users in ADUC
Creating a UPN Suffix for a Forest
Chapter 7 Groups
Introduction
Creating a Group
Viewing the Direct Members of a Group
Viewing the Nested Members of a Group
Adding and Removing Members of a Group
Moving a Group
Changing the Scope or Type of a Group
Delegating Control for Managing Membership of a Group
Resolving a Primary Group ID
Enabling Universal Group Membership Caching
Chapter 8 Computers
Introduction
Creating a Computer
Creating a Computer for a Specific User or Group
Joining a Computer to a Domain
Moving a Computer
Renaming a Computer
Testing the Secure Channel for a Computer
Resetting a Computer
Finding Inactive or Unused Computers
Changing the Maximum Number of Computers a User Can Join to the Domain
Finding Computers with a Particular OS
Binding to the Default Container for Computers
Changing the Default Container for Computers
Chapter 9 Group Policy Objects (GPOs)
Introduction
Finding the GPOs in a Domain
Creating a GPO
Copying a GPO
Deleting a GPO
Viewing the Settings of a GPO
Modifying the Settings of a GPO
Importing Settings into a GPO
Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
Installing Applications with a GPO
Disabling the User or Computer Settings in a GPO
Listing the Links for a GPO
Creating a GPO Link to an OU
Blocking Inheritance of GPOs on an OU
Applying a Security Filter to a GPO
Creating a WMI Filter
Applying a WMI Filter to a GPO
Backing Up a GPO
Restoring a GPO
Simulating the RSoP
Viewing the RSoP
Refreshing GPO Settings on a Computer
Restoring a Default GPO
Chapter 10 Schema
Introduction
Registering the Active Directory Schema MMC Snap-in
Enabling Schema Updates
Generating an OID to Use for a New Class or Attribute
Generating a GUID to Use for a New Class or Attribute
Extending the Schema
Documenting Schema Extensions
Adding a New Attribute
Viewing an Attribute
Adding a New Class
Viewing a Class
Indexing an Attribute
Modifying the Attributes That Are Copied When Duplicating a User
Modifying the Attributes Included with Ambiguous Name Resolution
Adding or Removing an Attribute in the Global Catalog
Finding the Nonreplicated and Constructed Attributes
Finding the Linked Attributes
Finding the Structural, Auxiliary, Abstract, and 88 Classes
Finding the Mandatory and Optional Attributes of a Class
Modifying the Default Security of a Class
Deactivating Classes and Attributes
Redefining Classes and Attributes
Reloading the Schema Cache
Chapter 11 Site Topology
Introduction
Creating a Site
Listing the Sites
Deleting a Site
Creating a Subnet
Listing the Subnets
Finding Missing Subnets
Creating a Site Link
Finding the Site Links for a Site
Modifying the Sites That Are Part of a Site Link
Modifying the Cost for a Site Link
Disabling Site Link Transitivity or Site Link Schedules
Creating a Site Link Bridge
Finding the Bridgehead Servers for a Site
Setting a Preferred Bridgehead Server for a Site
Listing the Servers
Moving a Domain Controller to a Different Site
Configuring a Domain Controller to Cover Multiple Sites
Viewing the Site Coverage for a Domain Controller
Disabling Automatic Site Coverage for a Domain Controller
Finding the Site for a Client
Forcing a Host to a Particular Site
Creating a Connection Object
Listing the Connection Objects for a Server
Load-Balancing Connection Objects
Finding the ISTG for a Site
Transferring the ISTG to Another Server
Triggering the KCC
Determining if the KCC Is Completing Successfully
Disabling the KCC for a Site
Changing the Interval at Which the KCC Runs
Chapter 12 Replication
Introduction
Determining if Two Domain Controllers Are in Sync
Viewing the Replication Status of Several Domain Controllers
Viewing Unreplicated Changes Between Two Domain Controllers
Forcing Replication from One Domain Controller to Another
Changing the Intra-Site Replication Interval
Changing the Inter-Site Replication Interval
Disabling Inter-Site Compression of Replication Traffic
Checking for Potential Replication Problems
Enabling Enhanced Logging of Replication Events
Enabling Strict or Loose Replication Consistency
Finding Conflict Objects
Viewing Object Metadata
Chapter 13 Domain Name System (DNS)
Introduction
Creating a Forward Lookup Zone
Creating a Reverse Lookup Zone
Viewing a Server’s Zones
Converting a Zone to an AD-Integrated Zone
Moving AD-Integrated Zones into an Application Partition
Delegating Control of a Zone
Creating and Deleting Resource Records
Querying Resource Records
Modifying the DNS Server Configuration
Scavenging Old Resource Records
Clearing the DNS Cache
Verifying That a Domain Controller Can Register Its Resource Records
Registering a Domain Controller’s Resource Records
Preventing a Domain Controller from Dynamically Registering All Resource Records
Preventing a Domain Controller from Dynamically Registering Certain Resource Records
Deregistering a Domain Controller’s Resource Records
Allowing Computers to Use a Different Domain Suffix from Their AD Domain
Chapter 14 Security and Authentication
Introduction
Enabling SSL/TLS
Encrypting LDAP Traffic with SSL, TLS, or Signing
Enabling Anonymous LDAP Access
Restricting Hosts from Performing LDAP Queries
Using the Delegation of Control Wizard
Customizing the Delegation of Control Wizard
Viewing the ACL for an Object
Customizing the ACL Editor
Viewing the Effective Permissions on an Object
Changing the ACL of an Object
Changing the Default ACL for an Object Class in the Schema
Comparing the ACL of an Object to the Default Defined in the Schema
Resetting an Object’s ACL to the Default Defined in the Schema
Preventing the LM Hash of a Password from Being Stored
Enabling List Object Access Mode
Modifying the ACL on Administrator Accounts
Viewing and Purging Your Kerberos Tickets
Forcing Kerberos to Use TCP
Modifying Kerberos Settings
Chapter 15 Logging, Monitoring, and Quotas
Introduction
Enabling Extended dcpromo Logging
Enabling Diagnostics Logging
Enabling NetLogon Logging
Enabling GPO Client Logging
Enabling Kerberos Logging
Enabling DNS Server Debug Logging
Viewing DNS Server Performance Statistics
Enabling Inefficient and Expensive LDAP Query Logging
Using the STATS Control to View LDAP Query Statistics
Using Perfmon to Monitor AD
Using Perfmon Trace Logs to Monitor AD
Enabling Auditing of Directory Access
Creating a Quota
Finding the Quotas Assigned to a Security Principal
Changing How Tombstone Objects Count Against Quota Usage
Setting the Default Quota for All Security Principals in a Partition
Finding the Quota Usage for a Security Principal
Chapter 16 Backup, Recovery, DIT Maintenance, and Deleted Objects
Introduction
Backing Up Active Directory
Restarting a Domain Controller in Directory Services Restore Mode
Resetting the Directory Service Restore Mode Administrator Password
Performing a Nonauthoritative Restore
Performing an Authoritative Restore of an Object or Subtree
Performing a Complete Authoritative Restore
Checking the DIT File’s Integrity
Moving the DIT Files
Repairing or Recovering the DIT
Performing an Online Defrag Manually
Determining How Much Whitespace Is in the DIT
Performing an Offline Defrag to Reclaim Space
Changing the Garbage Collection Interval
Logging the Number of Expired Tombstone Objects
Determining the Size of the Active Directory Database
Searching for Deleted Objects
Restoring a Deleted Object
Modifying the Tombstone Lifetime for a Domain
Chapter 17 Application Partitions
Introduction
Creating and Deleting an Application Partition
Finding the Application Partitions in a Forest
Adding or Removing a Replica Server for an Application Partition
Finding the Replica Servers for an Application Partition
Finding the Application Partitions Hosted by a Server
Verifying Application Partitions Are Instantiated on a Server Correctly
Setting the Replication Notification Delay for an Application Partition
Setting the Reference Domain for an Application Partition
Delegating Control of Managing an Application Partition
Chapter 18 Interoperability and Integration
Introduction
Accessing AD from a Non-Windows Platform
Programming with .NET
Programming with DSML
Programming with Perl
Programming with Java
Programming with Python
Integrating with MIT Kerberos
Integrating with Samba
Integrating with Apache
Replacing NIS
Using BIND for DNS
Authorizing a Microsoft DHCP Server
Using VMware for Testing AD
Appendix Tool List
Colophon