Active Directory Cookbook
Active Directory Cookbook, Second Edition By Robbie Allen, Laura E. Hunter
June 2006
Pages: 991

| Table of Contents | Index | Sample Chapter | Colophon

Table of Contents

  1. Chapter 1 Getting Started

    1. Approach to the Book

    2. Where to Find the Tools

    3. Getting Familiar with LDIF

    4. Programming Notes

    5. Replaceable Text

    6. Where to Find More Information

  2. Chapter 2 Forests, Domains, and Trusts

    1. Introduction

    2. Creating a Forest

    3. Removing a Forest

    4. Creating a Domain

    5. Removing a Domain

    6. Removing an Orphaned Domain

    7. Finding the Domains in a Forest

    8. Finding the NetBIOS Name of a Domain

    9. Renaming a Domain

    10. Raising the Domain Functional Level to Windows 2000 Native Mode

    11. Raising the Functional Level of a Windows Server 2003 Domain

    12. Raising the Functional Level of a Windows Server 2003 Forest

    13. Using AdPrep to Prepare a Domain or Forest for Windows Server 2003

    14. Determining WhetherAdPrep Has Completed

    15. Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003

    16. Creating an External Trust

    17. Creating a Transitive Trust Between Two AD Forests

    18. Creating a Shortcut Trust Between Two AD Domains

    19. Creating a Trust to a Kerberos Realm

    20. Viewing the Trusts for a Domain

    21. Verifying a Trust

    22. Resetting a Trust

    23. Removing a Trust

    24. Enabling SID Filtering for a Trust

    25. Enabling Quarantine for a Trust

    26. Managing Selective Authentication for a Trust

    27. Finding Duplicate SIDs in a Domain

    28. Adding Additional Fields to Active Directory Users and Computers

  3. Chapter 3 Domain Controllers, Global Catalogs, and FSMOs

    1. Introduction

    2. Promoting a Domain Controller

    3. Promoting a Domain Controller from Media

    4. Verifying the Promotion of a Domain Controller

    5. Demoting a Domain Controller

    6. Automating the Promotion or Demotion of a Domain Controller

    7. Troubleshooting Domain Controller Promotion or Demotion Problems

    8. Removing an Unsuccessfully Demoted Domain Controller

    9. Renaming a Domain Controller

    10. Creating an NT 4.0 BDC Object

    11. Finding the Domain Controllers for a Domain

    12. Finding the Closest Domain Controller

    13. Finding a Domain Controller's Site

    14. Moving a Domain Controller to a Different Site

    15. Finding the Services a Domain Controller Is Advertising

    16. Restoring a Deleted Domain Controller

    17. Resetting the TCP/IP Stack on a Domain Controller

    18. Configuring a Domain Controller to Use an External Time Source

    19. Finding the Number of Logon Attempts Made Against a Domain Controller

    20. Enabling the /3GB Switch to Increase the LSASS Cache

    21. Enabling the /PAE switch to Increase the Amount of Addressable RAM

    22. Cleaning Up Distributed Link Tracking Objects

    23. Enabling and Disabling the Global Catalog

    24. Determining Whether Global Catalog Promotion Is Complete

    25. Finding the Global Catalog Servers in a Forest

    26. Finding the Domain Controllers or Global Catalog Servers in a Site

    27. Finding Domain Controllers and Global Catalogs via DNS

    28. Changing the Preference for a Domain Controller

    29. Disabling the Global Catalog Requirement During a Windows 2000 or Windows Server 2003 Domain Login

    30. Enabling Universal Group Caching in Windows Server 2003

    31. Finding the FSMO Role Holders

    32. Transferring a FSMO Role

    33. Seizing a FSMO Role

    34. Finding the PDC Emulator FSMO Role Owner via DNS

    35. Finding the PDC Emulator FSMO Role Owner via WINS

  4. Chapter 4 Searching and Manipulating Objects

    1. Introduction

    2. Viewing the RootDSE

    3. Viewing the Attributes of an Object

    4. Counting Objects in Active Directory

    5. Using LDAP Controls

    6. Using a Fast or Concurrent Bind

    7. Connecting to an Object GUID

    8. Connecting to a Well-Known GUID

    9. Searching for Objects in a Domain

    10. Searching the Global Catalog

    11. Searching for a Large Number of Objects

    12. Searching with an Attribute-Scoped Query

    13. Searching with a Bitwise Filter

    14. Creating an Object

    15. Modifying an Object

    16. Modifying a Bit Flag Attribute

    17. Dynamically Linking an Auxiliary Class

    18. Creating a Dynamic Object

    19. Refreshing a Dynamic Object

    20. Modifying the Default TTL Settings for Dynamic Objects.

    21. Moving an Object to a Different OU or Container

    22. Moving an Object to a Different Domain

    23. Referencing an External Domain

    24. Renaming an Object

    25. Deleting an Object

    26. Deleting a Container That Has Child Objects

    27. Viewing the Created and Last Modified Timestamp of an Object

    28. Modifying the Default LDAP Query Policy

    29. Exporting Objects to an LDIF File

    30. Importing Objects Using an LDIF File

    31. Exporting Objects to a CSV File

    32. Importing Objects Using a CSV File

  5. Chapter 5 Organizational Units

    1. Introduction

    2. Creating an OU

    3. Enumerating the OUs in a Domain

    4. Finding an OU

    5. Enumerating the Objects in an OU

    6. Deleting the Objects in an OU

    7. Deleting an OU

    8. Moving the Objects in an OU to a Different OU

    9. Moving an OU

    10. Renaming an OU

    11. Modifying an OU

    12. Determining Approximately How Many Child Objects an OU Has

    13. Delegating Control of an OU

    14. Assigning or Removing a Manager for an OU

    15. Allowing OUs to Be Created Within Containers

    16. Linking a GPO to an OU

  6. Chapter 6 Users

    1. Introduction

    2. Modifying the Default Display Name Used When Creating Users in ADUC

    3. Creating a User

    4. Creating a Large Number of Users

    5. Creating an inetOrgPerson User

    6. Converting a user Object to an inetOrgPerson Object (or Vice Versa)

    7. Modifying an Attribute for Several Users at Once

    8. Setting a User's Profile Attributes

    9. Moving a User

    10. Redirecting Users to an Alternative OU

    11. Renaming a User

    12. Copying a User

    13. Finding Locked Out Users

    14. Unlocking a User

    15. Troubleshooting Account Lockout Problems

    16. Viewing the Account Lockout and Password Policies

    17. Enabling and Disabling a User

    18. Finding Disabled Users

    19. Viewing a User's Group Membership

    20. Removing All Group Memberships from a User

    21. Changing a User's Primary Group

    22. Transferring a User's Group Membership to Another User

    23. Setting a User's Password

    24. Setting a User's Password via LDAP

    25. Setting a User's Password from Unix

    26. Preventing a User from Changing Her Password

    27. Requiring a User to Change His Password at Next Logon

    28. Preventing a User's Password from Expiring

    29. Finding Users Whose Passwords Are About to Expire

    30. Setting a User's Account Options (userAccountControl)

    31. Setting a User's Account to Expire

    32. Finding Users Whose Accounts Are About to Expire

    33. Determining a User's Last Logon Time

    34. Finding Users Who Have Not Logged On Recently

    35. Viewing a User's Permitted Logon Hours

    36. Viewing a User's Managed Objects

    37. Creating a UPN Suffix for a Forest

  7. Chapter 7 Groups

    1. Introduction

    2. Creating a Group

    3. Viewing the Permissions of a Group

    4. Viewing the Direct Members of a Group

    5. Viewing the Nested Members of a Group

    6. Adding and Removing Members of a Group

    7. Moving a Group Within a Domain

    8. Moving a Group to Another Domain

    9. Changing the Scope or Type of a Group

    10. Modifying Group Attributes

    11. Creating a Dynamic Group

    12. Delegating Control for Managing Membership of a Group

    13. Resolving a Primary Group ID

    14. Enabling Universal Group Membership Caching

    15. Restoring a Deleted Group

  8. Chapter 8 Computers

    1. Introduction

    2. Creating a Computer

    3. Creating a Computer for a Specific User or Group

    4. Joining a Computer to a Domain

    5. Moving a Computer Within the Same Domain

    6. Moving a Computer to a New Domain

    7. Renaming a Computer

    8. Add or Remove a Computer Account from a Group

    9. Testing the Secure Channel for a Computer

    10. Resetting a Computer Account

    11. Finding Inactive or Unused Computers

    12. Changing the Maximum Number of Computers a User Can Join to the Domain

    13. Modifying the Attributes of a Computer Object

    14. Finding Computers with a Particular OS

    15. Binding to the Default Container for Computers

    16. Changing the Default Container for Computers

    17. Listing All the Computer Accounts in a Domain

    18. Identifying a Computer Role

  9. Chapter 9 Printers and Shared Folders

    1. Introduction

    2. Installing the Print Server Role

    3. Creating a Printer Filter

    4. Managing Printer Drivers

    5. Deploying Printers Through Group Policy

    6. Publishing Printers in Active Directory

    7. Installing the File Server Resource Manager

    8. Managing Disk Quota Templates

    9. Managing Disk Quotas

    10. Managing Auto-Quotas

    11. Modifying Quota Settings

    12. Defining File Groups

    13. Managing File-Screen Templates

    14. Managing File Screens

    15. Managing File-Screen Exceptions

    16. Configuring File Server Reporting

    17. Managing File Server Options

  10. Chapter 10 Group Policy Objects

    1. Introduction

    2. Finding the GPOs in a Domain

    3. Creating a GPO

    4. Copying a GPO

    5. Deleting a GPO

    6. Viewing the Settings of a GPO

    7. Modifying the Settings of a GPO

    8. Importing Settings into a GPO

    9. Creating a Migration Table

    10. Creating Custom Group Policy Settings

    11. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO

    12. Installing Applications with a GPO

    13. Disabling the User or Computer Settings in a GPO

    14. Listing the Links for a GPO

    15. Creating a GPO Link to an OU

    16. Blocking Inheritance of GPOs on an OU

    17. Enforcing the Settings of a GPO Link

    18. Applying a Security Filter to a GPO

    19. Delegating Administration of GPOs

    20. Importing a Security Template

    21. Creating a WMI Filter

    22. Applying a WMI Filter to a GPO

    23. Configuring Loopback Processing for a GPO

    24. Backing Up a GPO

    25. Restoring a GPO

    26. Simulating the RSoP

    27. Viewing the RSoP

    28. Refreshing GPO Settings on a Computer

    29. Restoring a Default GPO

  11. Chapter 11 Schema

    1. Introduction

    2. Registering the Active Directory Schema MMC Snap-in

    3. Enabling Schema Updates

    4. Generating an OID to Use for a New Class or Attribute

    5. Generating a GUID to Use for a New Class or Attribute

    6. Extending the Schema

    7. Preparing the Schema for Upgrade

    8. Documenting Schema Extensions

    9. Adding a New Attribute

    10. Viewing an Attribute

    11. Adding a New Class

    12. Viewing a Class

    13. Indexing an Attribute

    14. Modifying the Attributes That Are Copied When Duplicating a User

    15. Adding Custom Information to ADUC

    16. Modifying the Attributes Included with ANR

    17. Modifying the Set of Attributes Stored on a Global Catalog

    18. Finding the Nonreplicated and Constructed Attributes

    19. Finding the Linked Attributes

    20. Finding the Structural, Auxiliary, Abstract, and 88 Classes

    21. Finding the Mandatory and Optional Attributes of a Class

    22. Modifying the Default Security of a Class

    23. Managing the Confidentiality Bit

    24. Deactivating Classes and Attributes

    25. Redefining Classes and Attributes

    26. Reloading the Schema Cache

    27. Managing the Schema Master FSMO

  12. Chapter 12 Site Topology

    1. Introduction

    2. Creating a Site

    3. Listing the Sites

    4. Renaming a Site

    5. Deleting a Site

    6. Delegating Control of a Site

    7. Configuring Universal Group Caching for a Site

    8. Creating a Subnet

    9. Listing the Subnets

    10. Finding Missing Subnets

    11. Deleting a Subnet

    12. Changing a Subnet's Site Assignment

    13. Creating a Site Link

    14. Finding the Site Links for a Site

    15. Modifying the Sites That Are Part of a Site Link

    16. Modifying the Cost for a Site Link

    17. Enabling Change Notification for a Site Link

    18. Modifying Replication Schedules

    19. Disabling Site Link Transitivity or Site Link Schedules

    20. Creating a Site Link Bridge

    21. Finding the Bridgehead Servers for a Site

    22. Setting a Preferred Bridgehead Server for a Site

    23. Listing the Servers

    24. Moving a Domain Controller to a Different Site

    25. Configuring a Domain Controller to Cover Multiple Sites

    26. Viewing the Site Coverage for a Domain Controller

    27. Disabling Automatic Site Coverage for a Domain Controller

    28. Finding the Site for a Client

    29. Forcing a Host into a Particular Site

    30. Creating a Connection Object

    31. Listing the Connection Objects for a Server

    32. Load-Balancing Connection Objects

    33. Finding the ISTG for a Site

    34. Transferring the ISTG to Another Server

    35. Triggering the KCC

    36. Determining Whether the KCC Is Completing Successfully

    37. Disabling the KCC for a Site

    38. Changing the Interval at Which the KCC Runs

  13. Chapter 13 Replication

    1. Introduction

    2. Determining Whether Two Domain Controllers Are in Sync

    3. Viewing the Replication Status of Several Domain Controllers

    4. Viewing Unreplicated Changes Between Two Domain Controllers

    5. Forcing Replication from One Domain Controller to Another

    6. Enabling and Disabling Replication

    7. Changing the Intra-Site Replication Interval

    8. Changing the Intra-Site Notification Delay

    9. Changing the Inter-Site Replication Interval

    10. Disabling Inter-Site Compression of Replication Traffic

    11. Checking for Potential Replication Problems

    12. Enabling Enhanced Logging of Replication Events

    13. Enabling Strict or Loose Replication Consistency

    14. Finding Conflict Objects

    15. Finding Orphaned Objects

    16. Listing the Replication Partners for a DC

    17. Viewing Object Metadata

  14. Chapter 14 DNS and DHCP

    1. Introduction

    2. Creating a Forward Lookup Zone

    3. Creating a Reverse Lookup Zone

    4. Viewing a Server's Zones

    5. Converting a Zone to an AD-Integrated Zone

    6. Moving AD-Integrated Zones into an Application Partition

    7. Configuring Zone Transfers

    8. Configuring Forwarding

    9. Delegating Control of a Zone

    10. Creating and Deleting Resource Records

    11. Querying Resource Records

    12. Modifying the DNS Server Configuration

    13. Scavenging Old Resource Records

    14. Clearing the DNS Cache

    15. Verifying That a Domain Controller Can Register Its Resource Records

    16. Enabling DNS Server Debug Logging

    17. Registering a Domain Controller's Resource Records

    18. Deregistering a Domain Controller's Resource Records

    19. Preventing a Domain Controller from Dynamically Registering All Resource Records

    20. Preventing a Domain Controller from Dynamically Registering Certain Resource Records

    21. Allowing Computers to Use a Different Domain Suffix from Their AD Domain

    22. Authorizing a DHCP Server

    23. Locating Unauthorized DHCP Servers

    24. Restricting DHCP Administrators

  15. Chapter 15 Security and Authentication

    1. Introduction

    2. Enabling SSL/TLS

    3. Encrypting LDAP Traffic with SSL, TLS, or Signing

    4. Disabling LDAP Signing or Encryption

    5. Enabling Anonymous LDAP Access

    6. Restricting Hosts from Performing LDAP Queries

    7. Restricting Anonymous Access to Active Directory

    8. Using the Delegation of Control Wizard

    9. Customizing the Delegation of Control Wizard

    10. Revoking Delegated Permissions

    11. Viewing the ACL for an Object

    12. Customizing the ACL Editor

    13. Viewing the Effective Permissions on an Object

    14. Configuring Permission Inheritance

    15. Changing the ACL of an Object

    16. Changing the Default ACL for an Object Class in the Schema

    17. Comparing the ACL of an Object to the Default Defined in the Schema

    18. Resetting an Object's ACL to the Default Defined in the Schema

    19. Preventing the LM Hash of a Password from Being Stored

    20. Enabling Strong Domain Authentication

    21. Enabling List Object Access Mode

    22. Modifying the ACL on Administrator Accounts

    23. Viewing and Purging Your Kerberos Tickets

    24. Forcing Kerberos to Use TCP

    25. Modifying Kerberos Settings

    26. Viewing Access Tokens

  16. Chapter 16 Logging, Monitoring, and Quotas

    1. Introduction

    2. Enabling Extended dcpromo Logging

    3. Enabling Diagnostics Logging

    4. Enabling NetLogon Logging

    5. Enabling GPO Client Logging

    6. Enabling Kerberos Logging

    7. Viewing DNS Server Performance Statistics

    8. Monitoring the File Replication Service

    9. Monitoring the Windows Time Service

    10. Enabling Inefficient and Expensive LDAP Query Logging

    11. Using the STATS Control to View LDAP Query Statistics

    12. Using Perfmon to Monitor AD

    13. Using Perfmon Trace Logs to Monitor AD

    14. Creating an Administrative Alert

    15. Emailing an Administrator on a Performance Alert

    16. Enabling Auditing of Directory Access

    17. Enabling Auditing of Registry Keys

    18. Creating a Quota

    19. Finding the Quotas Assigned to a Security Principal

    20. Changing How Tombstone Objects Count Against Quota Usage

    21. Setting the Default Quota for All Security Principals in a Partition

    22. Finding the Quota Usage for a Security Principal

  17. Chapter 17 Backup, Recovery, DIT Maintenance, and Deleted Objects

    1. Introduction

    2. Backing Up Active Directory

    3. Restarting a Domain Controller in Directory Services Restore Mode

    4. Resetting the Directory Service Restore Mode Administrator Password

    5. Performing a Nonauthoritative Restore

    6. Performing an Authoritative Restore of an Object or Subtree

    7. Performing a Complete Authoritative Restore

    8. Checking the DIT File's Integrity

    9. Moving the DIT Files

    10. Repairing or Recovering the DIT

    11. Performing an Online Defrag Manually

    12. Performing a Database Recovery

    13. Creating a Reserve File

    14. Determining How Much Whitespace Is in the DIT

    15. Performing an Offline Defrag to Reclaim Space

    16. Changing the Garbage Collection Interval

    17. Logging the Number of Expired Tombstone Objects

    18. Determining the Size of the Active Directory Database

    19. Searching for Deleted Objects

    20. Undeleting a Single Object

    21. Undeleting a Container Object

    22. Modifying the Tombstone Lifetime for a Domain

  18. Chapter 18 Application Partitions

    1. Introduction

    2. Creating and Deleting an Application Partition

    3. Finding the Application Partitions in a Forest

    4. Adding or Removing a Replica Server for an Application Partition

    5. Finding the Replica Servers for an Application Partition

    6. Finding the Application Partitions Hosted by a Server

    7. Verifying Application Partitions Are Instantiated on a Server Correctly

    8. Setting the Replication Notification Delay for an Application Partition

    9. Setting the Reference Domain for an Application Partition

    10. Delegating Control of Managing an Application Partition

  19. Chapter 19 Active Directory Application Mode

    1. Introduction

    2. Installing ADAM

    3. Creating a New ADAM Instance

    4. Creating a New Replica of an ADAM Configuration Set

    5. Stopping and Starting an ADAM Instance

    6. Changing the Ports Used by an ADAM Instance

    7. Listing the ADAM Instances Installed on a Computer

    8. Extending the ADAM Schema

    9. Managing ADAM Application Partitions

    10. Managing ADAM Organizational Units

    11. Managing ADAM Users

    12. Changing the Password for an ADAM User

    13. Enabling and Disabling an ADAM User

    14. Managing ADAM Groups

    15. Managing ADAM Group Memberships

    16. Viewing and Modifying ADAM Object Attributes

    17. Importing Data into an ADAM Instance

    18. Configuring Intrasite Replication

    19. Forcing ADAM Replication

    20. Managing ADAM Permissions

  20. Chapter 20 Interoperability and Integration

    1. Introduction

    2. Accessing AD from a Non-Windows Platform

    3. Programming with .NET

    4. Programming with DSML

    5. Programming with Perl

    6. Programming with Java

    7. Programming with Python

    8. Integrating with MIT Kerberos

    9. Integrating with Samba

    10. Integrating with Apache

    11. Integrating with Novell Netware

    12. Integrating with Macintosh

    13. Replacing the Network Information Service

    14. Using BIND for DNS

    15. Integrating Down-level Windows Clients

    16. Using VMWare for Testing AD

    17. Using Virtual Server in an Active Directory Environment

  21. Chapter 21 Active Directory Federation Services

    1. Introduction

    2. Installing ADFS Prerequisites

    3. Installing the Federation Service

    4. Configuring an Active Directory Account Store

    5. Configuring an ADAM Account Store

    6. Configuring an Account Partner

    7. Configuring a Resource Partner

    8. Creating a Claim Type

    9. Configuring an Application

    10. Configuring a Forest Trust

    11. Configuring an Alternate UPN Suffix

    12. Configuring the ADFS Web Agent

    13. Enabling Logging for the ADFS Web Agent

  22. Chapter 22 Exchange Server 2003

    1. Introduction

    2. Preparing Active Directory for Exchange

    3. Installing the First Exchange Server

    4. Installing Additional Exchange Servers

    5. Installing an Exchange Service Pack

    6. Creating Unattended Installation Files for Exchange and Exchange Service Pack Installations

    7. Installing Exchange Management Tools

    8. Delegating Exchange for the First Time

    9. Stopping and Starting Exchange Server

    10. Mail-Enabling a User

    11. Mail-Disabling a User

    12. Mailbox-Enabling a User

    13. Deleting a User's Mailbox

    14. Purging a Deleted Mailbox

    15. Reconnecting a Deleted Mailbox

    16. Enumerating Disconnected Mailboxes

    17. Moving a Mailbox

    18. Viewing Mailbox Sizes and Message Counts

    19. Configuring Mailbox Limits

    20. Mail-Enabling a Contact

    21. Mail-Disabling a Contact

    22. Creating a Mail-Enabled Distribution List

    23. Creating a Query-Based Distribution List

    24. Creating an Address List

    25. Creating a Recipient Policy

    26. Creating a Storage Group

    27. Creating a Mailbox Store

    28. Moving the Exchange Transaction Logs

    29. Listing Domain Controllers and Global Catalog Servers Used by an Exchange Server

    30. Mounting and Dismounting Mailbox Stores

    31. Enabling Message Tracking

  23. Chapter 23 Microsoft Identity Integration Server

    1. Introduction

    2. Creating the HR Database MA

    3. Creating an Active Directory MA

    4. Setting Up a Metaverse Object Deletion Rule

    5. Setting Up Simple Import Attribute Flow—HR Database MA

    6. Setting Up a Simple Export Attribute Flow to AD

    7. Defining an Advanced Import Attribute Flow—HR Database MA

    8. Implementing an Advanced Attribute Flow Rules Extension—HR Database MA

    9. Setting Up Advanced Export Attribute Flow in Active Directory

    10. Configuring a Run Profile to Do an Initial Load of Data from the HR Database MA

    11. Loading Initial HR Database Data into MIIS Using a Run Profile

    12. Configuring a Run Profile to Load the Container Structure from AD

    13. Loading the Initial AD Container Structure into MIIS Using a Run Profile

    14. Setting Up the HR Database MA to Project Objects to the Metaverse

    15. Writing a Rules Extension to Provision User Objects to the ADMA from Objects in the HR Database MA

    16. Creating a Run Profile for Provisioning

    17. Executing the Provisioning Rule

    18. Creating a Run Profile to Export Objects from the ADMA to Active Directory

    19. Exporting Objects to AD Using an Export Run Profile

    20. Testing Provisioning and De-Provisioning of User Accounts in AD

    21. Creating a Run Profile Script

    22. Creating a Controlling Script

    23. Enabling Directory Synchronization from AD to the HR Database

    24. Configuring a Run Profile to Load the telephoneNumber from AD

    25. Loading telephoneNumber Changes from AD into MIIS Using a Delta Import and Delta Synchronization Run Profile

    26. Exporting telephoneNumber Data to the HR Database

    27. Using the HR Database MA Export Run Profile to Export the Telephone Number to the HR Database

    28. Searching Data in the Connector Space

    29. Searching Data in the Metaverse

    30. Deleting Data in the Connector Space and Metaverse

  1. Colophon

Return to Active Directory Cookbook