Book description
Take the guesswork out of deploying, administering, and automating Active Directory. With hundreds of proven recipes, the updated edition of this popular cookbook provides quick, step-by-step solutions to common (and not so common) problems you might encounter when working with Microsoft’s network directory service.
This fourth edition includes troubleshooting recipes for Windows Server 2012, Windows 8, and Exchange 2013, based on valuable input from Windows administrators. You’ll also find quick solutions for the Lightweight Directory Access Protocol (LDAP), Active Directory Lightweight Directory Services (AD LDS), multi-master replication, DNS, Group Policy, and many other features.
- Manage new AD features, such as the Recycle Bin, Group Managed Service Accounts, and fine-grained password policies
- Work with AD from the command line and use Windows PowerShell to automate tasks
- Remove and create forests, domains, and trusts
- Create groups, modify group scope and type, and manage membership
- Delegate control, view and modify permissions, and handle Kerberos tickets
- Import and export data with LDAP Data Interchange Format (LDIF)
- Synchronize multiple directories and enforce data integrity within a single or multiple stores
- Back up AD, and perform authoritative and non-authoritative restores
Table of contents
- Active Directory Cookbook
- Preface
- 1. Getting Started
- 2. Forests, Domains, and Trusts
- Introduction
- Creating a Forest
- Removing a Forest
- Creating a Domain
- Removing a Domain
- Removing an Orphaned Domain
- Finding the Domains in a Forest
- Finding the NetBIOS Name of a Domain
- Renaming a Domain
- Raising the Domain Functional Level to Windows Server 2012
- Raising the Functional Level of a Windows Server 2008 or 2008 R2 Forest
- Using AdPrep to Prepare a Domain or Forest for Windows Server 2012
- Determining Whether AdPrep Has Completed
- Checking Whether a Windows Domain Controller Can Be Upgraded to Windows Server 2003 or 2008
- Creating an External Trust
- Creating a Transitive Trust Between Two AD Forests
- Creating a Shortcut Trust Between Two AD Domains
- Creating a Trust to a Kerberos Realm
- Viewing the Trusts for a Domain
- Verifying a Trust
- Resetting a Trust
- Removing a Trust
- Enabling SID Filtering for a Trust
- Enabling Quarantine for a Trust
- Managing Selective Authentication for a Trust
- Finding Duplicate SIDs in a Domain
- Adding Additional Fields to Active Directory Users and Computers
- 3. Domain Controllers, Global Catalogs, and FSMOs
- Introduction
- Promoting a Server to a Domain Controller
- Promoting a Server to a Read-Only Domain Controller
- Performing a Two-Stage RODC Installation
- Modifying the Password Replication Policy
- Promoting a Server to a Windows Server 2012 Domain Controller from Media
- Demoting a Domain Controller
- Automating the Promotion or Demotion of a Domain Controller
- Troubleshooting Domain Controller Promotion or Demotion Problems
- Verifying the Promotion of a Domain Controller
- Removing an Unsuccessfully Demoted Domain Controller
- Renaming a Domain Controller
- Finding the Domain Controllers for a Domain
- Finding the Closest Domain Controller
- Finding a Domain Controller’s Site
- Moving a Domain Controller to a Different Site
- Finding the Services a Domain Controller Is Advertising
- Restoring a Deleted Domain Controller in Windows Server 2012
- Resetting the TCP/IP Stack on a Domain Controller
- Configuring a Domain Controller to Use an External Time Source
- Finding the Number of Logon Attempts Made Against a Domain Controller
- Enabling the /3GB Switch to Increase the LSASS Cache
- Enabling and Disabling the Global Catalog
- Determining Whether Global Catalog Promotion Is Complete
- Finding the Global Catalog Servers in a Forest
- Finding the Domain Controllers or Global Catalog Servers in a Site
- Finding Domain Controllers and Global Catalogs via DNS
- Changing the Preference for a Domain Controller
- Disabling the Global Catalog Requirement for User Logon
- Finding the FSMO Role Holders
- Transferring a FSMO Role
- Seizing a FSMO Role
- Finding the PDC Emulator FSMO Role Owner via DNS
- 4. Searching and Manipulating Objects
- Introduction
- Viewing the RootDSE
- Viewing the Attributes of an Object
- Counting Objects in Active Directory
- Using LDAP Controls
- Using a Fast or Concurrent Bind
- Connecting to an Object GUID
- Connecting to a Well-Known GUID
- Searching for Objects in a Domain
- Searching the Global Catalog
- Searching for a Large Number of Objects
- Searching with an Attribute-Scoped Query
- Searching with a Bitwise Filter
- Creating an Object
- Modifying an Object
- Modifying a Bit-Flag Attribute
- Dynamically Linking an Auxiliary Class
- Creating a Dynamic Object
- Refreshing a Dynamic Object
- Modifying the Default TTL Settings for Dynamic Objects
- Moving an Object to a Different OU or Container
- Moving an Object to a Different Domain
- Referencing an External Domain
- Renaming an Object
- Deleting an Object
- Deleting a Container That Has Child Objects
- Viewing the Created and Last-Modified Timestamp of an Object
- Modifying the Default LDAP Query Policy
- Exporting Objects to an LDIF File
- Importing Objects Using an LDIF File
- Exporting Objects to a CSV File
- Importing Objects Using PowerShell and a CSV File
- 5. Organizational Units
- Introduction
- Creating an OU
- Enumerating the OUs in a Domain
- Finding an OU
- Enumerating the Objects in an OU
- Deleting the Objects in an OU
- Deleting an OU
- Moving the Objects in an OU to a Different OU
- Moving an OU
- Renaming an OU
- Modifying an OU
- Determining Approximately How Many Child Objects an OU Has
- Delegating Control of an OU
- Assigning or Removing a Manager for an OU
- Linking a GPO to an OU
- Protecting an OU Against Accidental Deletion
- 6. Users
- Introduction
- Modifying the Default Display Name Used When Creating Users in ADUC or ADAC
- Creating a User
- Creating a Large Number of Users
- Creating an inetOrgPerson User
- Converting a user Object to an inetOrgPerson Object (or Vice Versa)
- Modifying an Attribute for Several Users at Once
- Deleting a User
- Setting a User’s Profile Attributes
- Moving a User
- Redirecting Users to an Alternative OU
- Renaming a User
- Copying a User
- Finding Locked-Out Users
- Unlocking a User
- Troubleshooting Account Lockout Problems
- Viewing the Domain-Wide Account Lockout and Password Policies
- Applying a Fine-Grained Password Policy to a User Object
- Viewing the Fine-Grained Password Policy That Is in Effect for a User Account
- Enabling and Disabling a User
- Finding Disabled Users
- Viewing a User’s Group Membership
- Removing All Group Memberships from a User
- Changing a User’s Primary Group
- Copying a User’s Group Membership to Another User
- Setting a User’s Password
- Preventing a User from Changing a Password
- Requiring a User to Change a Password at Next Logon
- Preventing a User’s Password from Expiring
- Finding Users Whose Passwords Are About to Expire
- Viewing the RODCs That Have Cached a User’s Password
- Setting a User’s Account Options (userAccountControl)
- Setting a User’s Account to Expire
- Determining a User’s Last Logon Time
- Finding Users Who Have Not Logged On Recently
- Viewing and Modifying a User’s Permitted Logon Hours
- Viewing a User’s Managed Objects
- Creating a UPN Suffix for a Forest
- Restoring a Deleted User
- Protecting a User Against Accidental Deletion
- 7. Groups
- Introduction
- Creating a Group
- Viewing the Permissions of a Group
- Viewing the Direct Members of a Group
- Viewing the Nested Members of a Group
- Adding and Removing Members of a Group
- Moving a Group Within a Domain
- Moving a Group to Another Domain
- Changing the Scope or Type of a Group
- Modifying Group Attributes
- Delegating Control for Managing Membership of a Group
- Resolving a Primary Group ID
- Enabling Universal Group Membership Caching
- Restoring a Deleted Group
- Protecting a Group Against Accidental Deletion
- Applying a Fine-Grained Password Policy to a Group Object
- 8. Computer Objects
- Introduction
- Creating a Computer
- Creating a Computer for a Specific User or Group
- Deleting a Computer
- Joining a Computer to a Domain
- Moving a Computer Within the Same Domain
- Moving a Computer to a New Domain
- Renaming a Computer
- Adding or Removing a Computer Account from a Group
- Testing the Secure Channel for a Computer
- Resetting a Computer Account
- Finding Inactive or Unused Computers
- Changing the Maximum Number of Computers a User Can Join to the Domain
- Modifying the Attributes of a computer Object
- Finding Computers with a Particular OS
- Binding to the Default Container for Computers
- Changing the Default Container for Computers
- Listing All the Computer Accounts in a Domain
- Identifying a Computer Role
- Protecting a Computer Against Accidental Deletion
- Viewing the RODCs That Have Cached a Computer’s Password
- 9. Group Policy Objects
- Introduction
- Finding the GPOs in a Domain
- Creating a GPO
- Copying a GPO
- Deleting a GPO
- Viewing the Settings of a GPO
- Modifying the Settings of a GPO
- Importing Settings into a GPO
- Creating a Migration Table
- Creating Custom Group Policy Settings
- Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
- Installing Applications with a GPO
- Disabling the User or Computer Settings in a GPO
- Listing the Links for a GPO
- Creating a GPO Link to an OU
- Blocking Inheritance of GPOs on an OU
- Enforcing the Settings of a GPO Link
- Applying a Security Filter to a GPO
- Delegating Administration of GPOs
- Importing a Security Template
- Creating a WMI Filter
- Applying a WMI Filter to a GPO
- Configuring Loopback Processing for a GPO
- Backing Up a GPO
- Restoring a GPO
- Simulating the RSoP
- Viewing the RSoP
- Refreshing GPO Settings on a Computer
- Restoring a Default GPO
- Creating a Fine-Grained Password Policy
- Editing a Fine-Grained Password Policy
- Viewing the Effective PSO for a User
- 10. Schema
- Introduction
- Registering the Active Directory Schema MMC Snap-in
- Generating an OID to Use for a New Class or Attribute
- Extending the Schema
- Preparing the Schema for an Active Directory Upgrade
- Documenting Schema Extensions
- Adding a New Attribute
- Viewing an Attribute
- Adding a New Class
- Viewing a Class
- Indexing an Attribute
- Modifying the Attributes That Are Copied When Duplicating a User
- Modifying the Attributes Included with ANR
- Modifying the Set of Attributes Stored on a Global Catalog
- Finding Nonreplicated and Constructed Attributes
- Finding the Linked Attributes
- Finding the Structural, Auxiliary, Abstract, and 88 Classes
- Finding the Mandatory and Optional Attributes of a Class
- Modifying the Default Security of a Class
- Managing the Confidentiality Bit
- Adding an Attribute to the Read-Only Filtered Attribute Set (RO-FAS)
- Deactivating Classes and Attributes
- Redefining Classes and Attributes
- Reloading the Schema Cache
- Managing the Schema Master FSMO
- 11. Site Topology
- Introduction
- Creating a Site
- Listing Sites in a Domain
- Renaming a Site
- Deleting a Site
- Delegating Control of a Site
- Configuring Universal Group Caching for a Site
- Creating a Subnet
- Listing the Subnets
- Finding Missing Subnets
- Deleting a Subnet
- Changing a Subnet’s Site Assignment
- Creating a Site Link
- Finding the Site Links for a Site
- Modifying the Sites That Are Part of a Site Link
- Modifying the Cost for a Site Link
- Enabling Change Notification for a Site Link
- Modifying Replication Schedules
- Disabling Site Link Transitivity or Site Link Schedules
- Creating a Site Link Bridge
- Finding the Bridgehead Servers for a Site
- Setting a Preferred Bridgehead Server for a Site
- Listing the Servers
- Moving a Domain Controller to a Different Site
- Configuring a Domain Controller to Cover Multiple Sites
- Viewing the Site Coverage for a Domain Controller
- Disabling Automatic Site Coverage for a Domain Controller
- Finding the Site for a Client
- Forcing a Host into a Particular Site
- Creating a connection Object
- Listing the connection Objects for a Server
- Finding the ISTG for a Site
- Transferring the ISTG to Another Server
- Triggering the KCC
- Determining Whether the KCC Is Completing Successfully
- Disabling the KCC for a Site
- Changing the Interval at Which the KCC Runs
- 12. Replication
- Introduction
- Determining Whether Two Domain Controllers Are in Sync
- Viewing the Replication Status of Several Domain Controllers
- Viewing Unreplicated Changes Between Two Domain Controllers
- Forcing Replication from One Domain Controller to Another
- Enabling and Disabling Replication
- Changing the Intra-Site Replication Notification Interval
- Changing the Inter-Site Replication Interval
- Disabling Inter-Site Compression of Replication Traffic
- Checking for Potential Replication Problems
- Enabling Enhanced Logging of Replication Events
- Enabling Strict or Loose Replication Consistency
- Finding conflict Objects
- Finding Orphaned Objects
- Listing the Replication Partners for a DC
- Viewing Object Metadata
- 13. DNS and DHCP
- Introduction
- Creating a Forward Lookup Zone
- Creating a Reverse Lookup Zone
- Viewing a Server’s Zones
- Converting a Zone to an AD Integrated Zone
- Moving AD Integrated Zones into an Application Partition
- Configuring Zone Transfers
- Configuring Forwarding
- Configuring Conditional Forwarding
- Delegating Control of an Active Directory Integrated Zone
- Creating and Deleting Resource Records
- Querying Resource Records
- Modifying the DNS Server Configuration
- Scavenging Old Resource Records
- Clearing the DNS Cache
- Verifying That a Domain Controller Can Register Its Resource Records
- Enabling DNS Server Debug Logging
- Registering a Domain Controller’s Resource Records
- Deregistering a Domain Controller’s Resource Records
- Preventing a Domain Controller from Dynamically Registering All Resource Records
- Preventing a Domain Controller from Dynamically Registering Certain Resource Records
- Allowing Computers to Use a Domain Suffix That Is Different from Their AD Domain
- Authorizing a DHCP Server
- Restricting DHCP Administrators
- 14. Security and Authentication
- Introduction
- Enabling SSL/TLS
- Securing LDAP Traffic with SSL, TLS, or Signing
- Disabling LDAP Signing
- Enabling Anonymous LDAP Access
- Using the Delegation of Control Wizard
- Customizing the Delegation of Control Wizard
- Revoking Delegated Permissions
- Viewing the ACL for an Object
- Customizing the ACL Editor
- Viewing the Effective Permissions on an Object
- Configuring Permission Inheritance
- Changing the ACL of an Object
- Changing the Default ACL for an Object Class in the Schema
- Comparing the ACL of an Object to the Default Defined in the Schema
- Resetting an Object’s ACL to the Default Defined in the Schema
- Enabling Strong Domain Authentication
- Enabling List Object Access Mode
- Modifying the ACL on Administrator Accounts
- Viewing and Purging Your Kerberos Tickets
- Forcing Kerberos to Use TCP
- Modifying Kerberos Settings
- Viewing Access Tokens
- Creating a Claim Type
- Creating a Resource Property
- Configuring a Central Access Rule
- Creating a Central Access Policy
- Applying a Central Access Policy
- Enabling Domain Controller Support for Claims and Compound Authentication
- Enabling Claims for Devices in a Domain
- 15. Logging, Monitoring, and Quotas
- Introduction
- Enabling Diagnostics Logging
- Enabling NetLogon Logging
- Enabling GPO Client Logging
- Enabling Kerberos Logging
- Viewing DNS Server Performance Statistics
- Monitoring the Windows Time Service
- Enabling Inefficient and Expensive LDAP Query Logging
- Using the STATS Control to View LDAP Query Statistics
- Monitoring the Performance of Active Directory
- Using Perfmon Trace Logs to Monitor Active Directory
- Creating an Administrative Alert
- Emailing an Administrator on a Performance Alert
- Enabling Auditing of Directory Access
- Enabling Auditing of Registry Keys
- Creating a Quota
- Finding the Quotas Assigned to a Security Principal
- Changing How Tombstone Objects Count Against Quota Usage
- Setting the Default Quota for All Security Principals in a Partition
- Finding the Quota Usage for a Security Principal
- 16. Backup, Recovery, DIT Maintenance, and Deleted Objects
- Introduction
- Backing Up the Active Directory Database
- Creating an Active Directory Snapshot
- Mounting an Active Directory Snapshot
- Accessing Active Directory Snapshot Data
- Restarting a Domain Controller in Directory Services Repair Mode
- Resetting the Directory Services Repair Mode Administrator Password
- Performing a Nonauthoritative Restore
- Performing an Authoritative Restore of an Object or Subtree
- Performing a Complete Authoritative Restore
- Checking the DIT File’s Integrity
- Moving the DIT Files
- Repairing or Recovering the DIT
- Performing an Online Defrag Manually
- Performing a Database Recovery
- Creating a Reserve File
- Determining How Much Whitespace Is in the DIT
- Performing an Offline Defrag to Reclaim Space
- Changing the Garbage Collection Interval
- Logging the Number of Expired Tombstone Objects
- Determining the Size of the Active Directory Database
- Searching for Deleted Objects
- Undeleting a Single Object
- Undeleting a Container Object
- Modifying the Tombstone Lifetime for a Domain
- 17. Application Partitions
- Introduction
- Creating and Deleting an Application Partition
- Finding the Application Partitions in a Forest
- Adding or Removing a Replica Server for an Application Partition
- Finding the Replica Servers for an Application Partition
- Finding the Application Partitions Hosted by a Server
- Verifying Application Partitions Are Instantiated Correctly on a Server
- Setting the Replication Notification Delay for an Application Partition
- Setting the Reference Domain for an Application Partition
- Delegating Control of Managing an Application Partition
- 18. Active Directory Lightweight Directory Service
- Introduction
- Installing AD LDS
- Creating a New AD LDS Instance
- Creating a New Replica of an AD LDS Configuration Set
- Stopping and Starting an AD LDS Instance
- Changing the Ports Used by an AD LDS Instance
- Listing the AD LDS Instances Installed on a Computer
- Extending the AD LDS Schema
- Managing AD LDS Application Partitions
- Managing AD LDS Organizational Units
- Managing AD LDS Users
- Changing the Password for an AD LDS User
- Enabling and Disabling an AD LDS User
- Creating AD LDS Groups
- Managing AD LDS Group Memberships
- Viewing and Modifying AD LDS Object Attributes
- Importing Data into an AD LDS Instance
- Configuring Intra-Site Replication
- Forcing AD LDS Replication
- Managing AD LDS Replication Authentication
- Managing AD LDS Permissions
- Enabling Auditing of AD LDS Access
- 19. Active Directory Federation Services
- Introduction
- Installing AD FS Prerequisites
- Installing the AD FS Federation Service
- Configuring an LDAP Attribute Store
- Configuring a Microsoft SQL Server Attribute Store
- Creating Claim Descriptions
- Creating a Relying Party Trust
- Configuring a Claims Provider Trust
- Configuring an Alternate UPN Suffix
- Configuring AD FS 2.x and AD FS 1.x Interoperability
- Configuring Logging for AD FS
- 20. Microsoft Exchange Server 2013
- Introduction
- Exchange Server and Active Directory
- Exchange Server 2013 Architecture
- Finding Exchange Server Cmdlets
- Preparing Active Directory for Exchange
- Installing the First Exchange Server 2013 Server in an Organization
- Creating Unattended Installation Files for Exchange Server
- Installing Exchange Management Tools
- Stopping and Starting Exchange Server
- Mail-Enabling a User
- Mail-Disabling a User
- Mailbox-Enabling a User
- Deleting a User’s Mailbox
- Moving a Mailbox
- Viewing Mailbox Sizes and Message Counts
- Configuring Mailbox Limits
- Creating an Address List
- Creating a Database Availability Group
- Creating a Mailbox Database
- Enabling or Disabling Anti-Malware Scanning
- Enabling Message Tracking
- 21. Microsoft Forefront Identity Manager
- Introduction
- Creating a SQL Server Management Agent
- Creating an Active Directory Management Agent
- Setting Up a Metaverse Object Deletion Rule
- Setting Up a Simple Import Attribute Flow
- Setting Up a Simple Export Attribute Flow to Active Directory
- Defining an Advanced Import Attribute Flow
- Implementing an Advanced Attribute Flow Rules Extension
- Setting Up Advanced Export Attribute Flow in Active Directory
- Configuring a Run Profile to Do an Initial Load of Data from a SQL Server Management Agent
- Loading Initial SQL Server Database Data into FIM 2010 R2 Using a Run Profile
- Configuring a Run Profile to Load the Container Structure from Active Directory
- Loading the Initial Active Directory Container Structure into FIM 2010 R2 Using a Run Profile
- Setting Up a SQL Server Management Agent to Project Objects to the Metaverse
- Writing a Rules Extension to Provision User Objects
- Creating a Run Profile for Provisioning
- Executing the Provisioning Rule
- Creating a Run Profile to Export Objects from the AD MA to Active Directory
- Exporting Objects to Active Directory Using an Export Run Profile
- Creating a Run Profile Script
- Creating a Controlling Script
- Enabling Directory Synchronization from Active Directory to the HR Database
- Configuring a Run Profile to Load the telephoneNumber from Active Directory
- Loading telephoneNumber Changes from AD into FIM Using a Delta Import/Delta Sync Run Profile
- Exporting telephoneNumber Data to a SQL Server Database
- Using a SQL Server MA Export Run Profile to Export the telephoneNumber to a SQL Server Database
- Searching Data in the Connector Space
- Searching Data in the Metaverse
- Deleting Data in the Connector Space and Metaverse
- Extending Object Types to Include a New Attribute
- Previewing Changes to the FIM Configuration
- Committing Changes to Individual Identities Using the Commit Preview Feature
- Passing Data Between Rules Extensions Using Transaction Properties
- Using a Single Rules Extension to Affect Multiple Attribute Flows
- Flowing a Null Value to a Data Source
- Importing and Decoding the accountExpires Attribute
- Exporting and Encoding the accountExpires Attribute
- Index
- About the Authors
- Colophon
- Copyright
Product information
- Title: Active Directory Cookbook, 4th Edition
- Author(s):
- Release date: May 2013
- Publisher(s): O'Reilly Media, Inc.
- ISBN: 9781449361372