Active Directory Cookbook
Active Directory Cookbook By Robbie Allen
September 2003
Pages: 622

| Table of Contents | Index | Sample Chapter | Colophon

Table of Contents

  1. Chapter 1 Getting Started

    1. Approach to the Book

    2. Where to Find the Tools

    3. Getting Familiar with LDIF

    4. Programming Notes

    5. Replaceable Text

    6. Where to Find More Information

  2. Chapter 2 Forests, Domains, and Trusts

    1. Introduction

    2. Creating a Forest

    3. Removing a Forest

    4. Creating a Domain

    5. Removing a Domain

    6. Removing an Orphaned Domain

    7. Finding the Domains in a Forest

    8. Finding the NetBIOS Name of a Domain

    9. Renaming a Domain

    10. Changing the Mode of a Domain

    11. Using ADPrep to Prepare a Domain or Forest for Windows Server 2003

    12. Determining if ADPrep Has Completed

    13. Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003

    14. Raising the Functional Level of a Windows Server 2003 Domain

    15. Raising the Functional Level of a Windows Server 2003 Forest

    16. Creating a Trust Between a Windows NT Domain and an AD Domain

    17. Creating a Transitive Trust Between Two AD Forests

    18. Creating a Shortcut Trust Between Two AD Domains

    19. Creating a Trust to a Kerberos Realm

    20. Viewing the Trusts for a Domain

    21. Verifying a Trust

    22. Resetting a Trust

    23. Removing a Trust

    24. Enabling SID Filtering for a Trust

    25. Finding Duplicate SIDs in a Domain

  3. Chapter 3 Domain Controllers, Global Catalogs, and FSMOs

    1. Introduction

    2. Promoting a Domain Controller

    3. Promoting a Domain Controller from Media

    4. Demoting a Domain Controller

    5. Automating the Promotion or Demotion of a Domain Controller

    6. Troubleshooting Domain Controller Promotion or Demotion Problems

    7. Removing an Unsuccessfully Demoted Domain Controller

    8. Renaming a Domain Controller

    9. Finding the Domain Controllers for a Domain

    10. Finding the Closest Domain Controller

    11. Finding a Domain Controller's Site

    12. Moving a Domain Controller to a Different Site

    13. Finding the Services a Domain Controller Is Advertising

    14. Configuring a Domain Controller to Use an External Time Source

    15. Finding the Number of Logon Attempts Made Against a Domain Controller

    16. Enabling the /3GB Switch to Increase the LSASS Cache

    17. Cleaning Up Distributed Link Tracking Objects

    18. Enabling and Disabling the Global Catalog

    19. Determining if Global Catalog Promotion Is Complete

    20. Finding the Global Catalog Servers in a Forest

    21. Finding the Domain Controllers or Global Catalog Servers in a Site

    22. Finding Domain Controllers and Global Catalogs via DNS

    23. Changing the Preference for a Domain Controller

    24. Disabling the Global Catalog Requirement During a Windows 2000 Domain Login

    25. Disabling the Global Catalog Requirement During a Windows 2003 Domain Login

    26. Finding the FSMO Role Holders

    27. Transferring a FSMO Role

    28. Seizing a FSMO Role

    29. Finding the PDC Emulator FSMO Role Owner via DNS

  4. Chapter 4 Searching and Manipulating Objects

    1. Introduction

    2. Viewing the RootDSE

    3. Viewing the Attributes of an Object

    4. Using LDAP Controls

    5. Using a Fast or Concurrent Bind

    6. Searching for Objects in a Domain

    7. Searching the Global Catalog

    8. Searching for a Large Number of Objects

    9. Searching with an Attribute-Scoped Query

    10. Searching with a Bitwise Filter

    11. Creating an Object

    12. Modifying an Object

    13. Modifying a Bit-Flag Attribute

    14. Dynamically Linking an Auxiliary Class

    15. Creating a Dynamic Object

    16. Refreshing a Dynamic Object

    17. Modifying the Default TTL Settings for Dynamic Objects

    18. Moving an Object to a Different OU or Container

    19. Moving an Object to a Different Domain

    20. Renaming an Object

    21. Deleting an Object

    22. Deleting a Container That Has Child Objects

    23. Viewing the Created and Last Modified Timestamp of an Object

    24. Modifying the Default LDAP Query Policy

    25. Exporting Objects to an LDIF File

    26. Importing Objects Using an LDIF File

    27. Exporting Objects to a CSV File

    28. Importing Objects Using a CSV File

  5. Chapter 5 Organizational Units

    1. Introduction

    2. Creating an OU

    3. Enumerating the OUs in a Domain

    4. Enumerating the Objects in an OU

    5. Deleting the Objects in an OU

    6. Deleting an OU

    7. Moving the Objects in an OU to a Different OU

    8. Moving an OU

    9. Determining How Many Child Objects an OU Has

    10. Delegating Control of an OU

    11. Allowing OUs to Be Created Within Containers

    12. Linking a GPO to an OU

  6. Chapter 6 Users

    1. Introduction

    2. Creating a User

    3. Creating a Large Number of Users

    4. Creating an inetOrgPerson User

    5. Modifying an Attribute for Several Users at Once

    6. Moving a User

    7. Renaming a User

    8. Copying a User

    9. Unlocking a User

    10. Finding Locked Out Users

    11. Troubleshooting Account Lockout Problems

    12. Viewing the Account Lockout and Password Policies

    13. Enabling and Disabling a User

    14. Finding Disabled Users

    15. Viewing a User's Group Membership

    16. Changing a User's Primary Group

    17. Transferring a User's Group Membership to Another User

    18. Setting a User's Password

    19. Setting a User's Password via LDAP

    20. Setting a User's Password via Kerberos

    21. Preventing a User from Changing His Password

    22. Requiring a User to Change Her Password at Next Logon

    23. Preventing a User's Password from Expiring

    24. Finding Users Whose Passwords Are About to Expire

    25. Setting a User's Account Options (userAccountControl)

    26. Setting a User's Account to Expire in the Future

    27. Finding Users Whose AccountsAre About to Expire

    28. Determining a User's Last Logon Time

    29. Finding Users Who Have Not Logged On Recently

    30. Setting a User's Profile Attributes

    31. Viewing a User's Managed Objects

    32. Modifying the Default Display Name Used When Creating Users in ADUC

    33. Creating a UPN Suffix for a Forest

  7. Chapter 7 Groups

    1. Introduction

    2. Creating a Group

    3. Viewing the Direct Members of a Group

    4. Viewing the Nested Members of a Group

    5. Adding and Removing Members of a Group

    6. Moving a Group

    7. Changing the Scope or Type of a Group

    8. Delegating Control for Managing Membership of a Group

    9. Resolving a Primary Group ID

    10. Enabling Universal Group Membership Caching

  8. Chapter 8 Computers

    1. Introduction

    2. Creating a Computer

    3. Creating a Computer for a Specific User or Group

    4. Joining a Computer to a Domain

    5. Moving a Computer

    6. Renaming a Computer

    7. Testing the Secure Channel for a Computer

    8. Resetting a Computer

    9. Finding Inactive or Unused Computers

    10. Changing the Maximum Number of Computers a User Can Join to the Domain

    11. Finding Computers with a Particular OS

    12. Binding to the Default Container for Computers

    13. Changing the Default Container for Computers

  9. Chapter 9 Group Policy Objects (GPOs)

    1. Introduction

    2. Finding the GPOs in a Domain

    3. Creating a GPO

    4. Copying a GPO

    5. Deleting a GPO

    6. Viewing the Settings of a GPO

    7. Modifying the Settings of a GPO

    8. Importing Settings into a GPO

    9. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO

    10. Installing Applications with a GPO

    11. Disabling the User or Computer Settings in a GPO

    12. Listing the Links for GPO

    13. Creating a GPO Link to an OU

    14. Blocking Inheritance of GPOs on an OU

    15. Applying a Security Filter to a GPO

    16. Creating a WMI Filter

    17. Applying a WMI Filter to a GPO

    18. Backing Up a GPO

    19. Restoring a GPO

    20. Simulating the RSoP

    21. Viewing the RSoP

    22. Refreshing GPO Settings on a Computer

    23. Restoring a Default GPO

  10. Chapter 10 Schema

    1. Introduction

    2. Registering the Active Directory Schema MMC Snap-in

    3. Enabling Schema Updates

    4. Generating an OID to Use for a New Class or Attribute

    5. Generating a GUID to Use for a New Class or Attribute

    6. Extending the Schema

    7. Documenting Schema Extensions

    8. Adding a New Attribute

    9. Viewing an Attribute

    10. Adding a New Class

    11. Viewing a Class

    12. Indexing an Attribute

    13. Modifying the Attributes That Are Copied When Duplicating a User

    14. Modifying the Attributes Included with Ambiguous Name Resolution

    15. Adding or Removing an Attribute in the Global Catalog

    16. Finding the Nonreplicated and Constructed Attributes

    17. Finding the Linked Attributes

    18. Finding the Structural, Auxiliary, Abstract, and 88 Classes

    19. Finding the Mandatory and Optional Attributes of a Class

    20. Modifying the Default Security of a Class

    21. Deactivating Classes and Attributes

    22. Redefining Classes and Attributes

    23. Reloading the Schema Cache

  11. Chapter 11 Site Topology

    1. Introduction

    2. Creating a Site

    3. Listing the Sites

    4. Deleting a Site

    5. Creating a Subnet

    6. Listing the Subnets

    7. Finding Missing Subnets

    8. Creating a Site Link

    9. Finding the Site Links for a Site

    10. Modifying the Sites That Are Part of a Site Link

    11. Modifying the Cost for a Site Link

    12. Disabling Site Link Transitivity or Site Link Schedules

    13. Creating a Site Link Bridge

    14. Finding the Bridgehead Servers for a Site

    15. Setting a Preferred Bridgehead Server for a Site

    16. Listing the Servers

    17. Moving a Domain Controller to a Different Site

    18. Configuring a Domain Controller to Cover Multiple Sites

    19. Viewing the Site Coverage for a Domain Controller

    20. Disabling Automatic Site Coverage for a Domain Controller

    21. Finding the Site for a Client

    22. Forcing a Host to a Particular Site

    23. Creating a Connection Object

    24. Listing the Connection Objects for a Server

    25. Load-Balancing Connection Objects

    26. Finding the ISTG for a Site

    27. Transferring the ISTG to Another Server

    28. Triggering the KCC

    29. Determining if the KCC Is Completing Successfully

    30. Disabling the KCC for a Site

    31. Changing the Interval at Which the KCC Runs

  12. Chapter 12 Replication

    1. Introduction

    2. Determining if Two Domain Controllers Are in Sync

    3. Viewing the Replication Status of Several Domain Controllers

    4. Viewing Unreplicated Changes Between Two Domain Controllers

    5. Forcing Replication from One Domain Controller to Another

    6. Changing the Intra-Site Replication Interval

    7. Changing the Inter-Site Replication Interval

    8. Disabling Inter-Site Compression of Replication Traffic

    9. Checking for Potential Replication Problems

    10. Enabling Enhanced Logging of Replication Events

    11. Enabling Strict or Loose Replication Consistency

    12. Finding Conflict Objects

    13. Viewing Object Metadata

  13. Chapter 13 Domain Name System (DNS)

    1. Introduction

    2. Creating a Forward Lookup Zone

    3. Creating a Reverse Lookup Zone

    4. Viewing a Server's Zones

    5. Converting a Zone to an AD-Integrated Zone

    6. Moving AD-Integrated Zones into an Application Partition

    7. Delegating Control of a Zone

    8. Creating and Deleting Resource Records

    9. Querying Resource Records

    10. Modifying the DNS Server Configuration

    11. Scavenging Old Resource Records

    12. Clearing the DNS Cache

    13. Verifying That a Domain Controller Can Register Its Resource Records

    14. Registering a Domain Controller's Resource Records

    15. Preventing a Domain Controller from Dynamically Registering All Resource Records

    16. Preventing a Domain Controller from Dynamically Registering Certain Resource Records

    17. Deregistering a Domain Controller's Resource Records

    18. Allowing Computers to Use a Different Domain Suffix from Their AD Domain

  14. Chapter 14 Security and Authentication

    1. Introduction

    2. Enabling SSL/TLS

    3. Encrypting LDAP Traffic with SSL, TLS, or Signing

    4. Enabling Anonymous LDAP Access

    5. Restricting Hosts from Performing LDAP Queries

    6. Using the Delegation of Control Wizard

    7. Customizing the Delegation of Control Wizard

    8. Viewing the ACL for an Object

    9. Customizing the ACL Editor

    10. Viewing the Effective Permissions on an Object

    11. Changing the ACL of an Object

    12. Changing the Default ACL for an Object Class in the Schema

    13. Comparing the ACL of an Object to the Default Defined in the Schema

    14. Resetting an Object's ACL to the Default Defined in the Schema

    15. Preventing the LM Hash of a Password from Being Stored

    16. Enabling List Object Access Mode

    17. Modifying the ACL on Administrator Accounts

    18. Viewing and Purging Your Kerberos Tickets

    19. Forcing Kerberos to Use TCP

    20. Modifying Kerberos Settings

  15. Chapter 15 Logging, Monitoring, and Quotas

    1. Introduction

    2. Enabling Extended dcpromo Logging

    3. Enabling Diagnostics Logging

    4. Enabling NetLogon Logging

    5. Enabling GPO Client Logging

    6. Enabling Kerberos Logging

    7. Enabling DNS Server Debug Logging

    8. Viewing DNS Server Performance Statistics

    9. Enabling Inefficient and Expensive LDAP Query Logging

    10. Using the STATS Control to View LDAP Query Statistics

    11. Using Perfmon to Monitor AD

    12. Using Perfmon Trace Logs to Monitor AD

    13. Enabling Auditing of Directory Access

    14. Creating a Quota

    15. Finding the Quotas Assigned to a Security Principal

    16. Changing How Tombstone Objects Count Against Quota Usage

    17. Setting the Default Quota for All Security Principals in a Partition

    18. Finding the Quota Usage for a Security Principal

  16. Chapter 16 Backup, Recovery, DIT Maintenance, and Deleted Objects

    1. Introduction

    2. Backing Up Active Directory

    3. Restarting a Domain Controller in Directory Services Restore Mode

    4. Resetting the Directory Service Restore Mode Administrator Password

    5. Performing a Nonauthoritative Restore

    6. Performing an Authoritative Restore of an Object or Subtree

    7. Performing a Complete Authoritative Restore

    8. Checking the DIT File's Integrity

    9. Moving the DIT Files

    10. Repairing or Recovering the DIT

    11. Performing an Online Defrag Manually

    12. Determining How Much Whitespace Is in the DIT

    13. Performing an Offline Defrag to Reclaim Space

    14. Changing the Garbage Collection Interval

    15. Logging the Number of Expired Tombstone Objects

    16. Determining the Size of the Active Directory Database

    17. Searching for Deleted Objects

    18. Restoring a Deleted Object

    19. Modifying the Tombstone Lifetime for a Domain

  17. Chapter 17 Application Partitions

    1. Introduction

    2. Creating and Deleting an Application Partition

    3. Finding the Application Partitions in a Forest

    4. Adding or Removing a Replica Server for an Application Partition

    5. Finding the Replica Servers for an Application Partition

    6. Finding the Application Partitions Hosted by a Server

    7. Verifying Application Partitions Are Instantiated on a Server Correctly

    8. Setting the Replication Notification Delay for an Application Partition

    9. Setting the Reference Domain for an Application Partition

    10. Delegating Control of Managing an Application Partition

  18. Chapter 18 Interoperability and Integration

    1. Introduction

    2. Accessing AD from a Non-Windows Platform

    3. Programming with .NET

    4. Programming with DSML

    5. Programming with Perl

    6. Programming with Java

    7. Programming with Python

    8. Integrating with MIT Kerberos

    9. Integrating with Samba

    10. Integrating with Apache

    11. Replacing NIS

    12. Using BIND for DNS

    13. Authorizing a Microsoft DHCP Server

    14. Using VMWare for Testing AD

  1. Appendix A Tool List

  2. Colophon

Return to Active Directory Cookbook