Managing Enterprise Active Directory Services - Robbie Allen, Richard Puckett

Book | Softcover
600 pages
2002
Addison-Wesley Educational Publishers Inc (publisher)
978-0-672-32125-2 (ISBN)
65,15 incl. VAT
  • Title is unfortunately out of print;
    no new edition
Programmatically manage and monitor Active Directory, a key element in Windows 2000.
Active Directory, a key element of Windows 2000, is a centralized system that automates management of user data and resources and is intended to be a consolidation point for centrally managing and reducing the number of directories that companies have. Due to its complexity, managing Active Directory requires careful maintenance and monitoring. In Managing Enterprise Active Directory Services, the authors draw from their own experiences with Active Directory programming interfaces and management concepts to provide readers with an authoritative reference that will enable them to manage Active Directory services more efficiently.

Robbie Allen is a Systems Architect and Programmer for the Enterprise Management (EMAN) group within Cisco Systems' Information Technology department. Robbie is the lead architect for Cisco's Active Directory design and deployment and was a technical lead for the automation and deployment of Cisco's DNS and DHCP infrastructure. He is the co-author of Managing Enterprise Active Directory Services. Richard Puckett is a technical lead and developer inside Cisco Systems' Enterprise Management (EMAN) group, and is the author of Windows NT: Automated Deployment and Customization (MTP, 1-57870-045-0) and co-author of Managing Enterprise Active Directory Services (AW, 0-672-32125-4). He is the principal developer of Cisco's Active Directory migration utility ("Immigrant"), which successfully migrated over 55,000 systems worldwide into Cisco's production Active Directory. Richard has spoken at conferences such as DECUS and Networld+Interop on a wide range of issues, such as Windows Automation, Security, and Directory Services. He is currently the Messaging and Information Security technical lead within EMAN.

Introduction.
I. ACTIVE DIRECTORY MANAGEMENT BASICS.

1. Active Directory Overview.


Directory Services and Active Directory.



Active Directory Benefits.



Unified Directory.



Fewer Sign-Ons.



Standards-Based.



Extensible Schema.



Scalable.



Multimaster Replication.



Granular Security Model.



Group Policy.



Active Directory Challenges.



Political Challenges.



Complexity Issues.



User Migration Challenges.



Application Directory Migration Challenges.



Troubleshooting Challenges.



First Version Issues.



Summary.

2. Active Directory Management.


Management Focus.



Getting Down to Basics.



Management Philosophy.



Management Applications-Build Versus Buy.



Data-Inject Versus Enter.



Servers-Centralized Versus Distributed.



Administration-Centralized Versus Distributed.



Summary.

II. ACTIVE DIRECTORY MANAGEMENT INTERFACES.

3. Lightweight Directory Access Protocol (LDAP).


Overview.



LDAP as a Protocol.



LDAP as an API.



What LDAP Is Not.



LDAP's Role in Active Directory.



APIs.



C/C++.



Perl.



Visual Basic.



Java.



Tools.



LDAP Browser.



Active Directory Administration Tool (LDP).



LDIF Directory Exchange (LDIFDE).



Programming Basics.



Information and Naming Models.



Connecting, Binding, and Unbinding.



RootDSE.



Search Filters.



Searching.



Ambiguous Name Resolution.



Add, Modify, and Delete.



LDIF.



Advanced Features.



Controls.



Referrals.



Change Notification and DirSync.



Looking Ahead.



VLV Support.



XML/DSML Support.



Additional Resources.



Books.



Web Sites.



RFCs.



Microsoft Documentation.

4. Active Directory Service Interfaces (ADSI).


Overview.



Why ADSI?



COM Architecture.



ADSI or LDAP?



APIs.



C/C++.



Visual Basic and VBScript.



Perl.



Java.



Tools.



ADSI Edit.



ADsVW.



DsBrowse.



ADQI.



DsSrch.



Programming Basics.



IADs Class.



Connecting and Binding.



Property Cache.



Enumeration.



Searching.



Add, Modify, and Delete Objects.



Advanced Topics.



Object Security.



Advanced Binding Methods.



Looking Ahead.



Write Capability with ADO.



Attribute Scoped Query (ASQ).



ADSI or WMI?



Additional Resources.



Books.



Web Sites.



Microsoft Documentation.

5. Windows Management Instrumentation (WMI).


Overview.



WBEM/CIM.



WMI.



WMI Architecture.



WMI's Role in Active Directory.



APIs.



C/C++.



Visual Basic/VBScript/JScript/Perl.



Tools.



WMI Object Browser.



WMI CIM Studio.



WMI Control.



wbemdump.



Basics.



Namespace.



Monikers.



Enumeration.



Searching.



Event Notification.



Looking Ahead.



New Providers.



DNS Provider.



Cross-Platform Client Access.



Universal Management Interface.



Additional Resources.



Books.



Web Sites.



Microsoft Documentation.

III. ACTIVE DIRECTORY MANAGEMENT COMPONENTS.

6. Windows NT Migration.


Migrating to Windows 2000.



A Word About Migrations.



The Dark Side of Migrations.



Possible Migration Issues.



Effective Migration Planning.



Seven Rules for a Successful Active Directory Implementation.



Some Final Words About Migrations to Windows 2000.



Client Migrations.



Managing Client Trust Relationships.



NetJoinDomain API.



Migrating User-Specific Settings.



Windows 2000 Profile Migration.



Additional Resources.



Books.



Web Sites.



Microsoft Documentation.

7. Directory Operations.


Overview.



Forests.



Trees.



Domains.



Trusts.



Naming Contexts.



Organizational Units.



Flexible Single Master of Operations (FSMO) Roles.



Tools.



netdom.



nltest.



netdiag.



dcdiag.



ntdsutil.



Active Directory MMC Snap-Ins.



Managing Domains.



Domain Objects.



Domain Controller Objects.



Managing Trusts.



Trust Objects.



Using netdom to Manage Trusts.



Managing Organizational Units (OUs).



OU Objects.



Programmatically Manipulating OUs.



Managing FSMOs.



Locating the FSMOs.



Transferring Roles.



Monitoring and Troubleshooting.



Server Promotion.



Server Demotion.



Domain Controller Services.



FSMO Availability.



Secure Channels.



File Management.



Restores.



Summary.



Additional Resources.



Books.



RFCs.



Microsoft Documentation.

8. Domain Name System (DNS).


Overview.



Microsoft DNS Server.



AD-Integrated Zones.



Tools.



DnsCmd.



DNS MMC Snap-In.



nslookup.



ipconfig.



Programmatically Managing DNS.



Programmatic Interfaces into DNS.



Querying DNS.



Resource Record Manipulation.



Zone and Server Configuration.



Monitoring and Troubleshooting.



DNS Service.



Resource Record Registration.



DNS Log.



Event Log.



Performance Monitor.



DnsCmd Statistics.



Summary.



Additional Resources.



Books.



RFCs.



Web Sites.



Microsoft Documentation.

9. Site Topology and Replication.


Overview.



Site Topology Management Issues.



Replication Management Issues.



Tools.



DsaStat.



Replication Diagnostics Tool (RepAdmin).



Replication Monitor (ReplMon).



Sites and Services MMC Snap-In.



Programmatically Managing Site Topology.



Site Objects.



Subnet Objects.



Site Link Objects.



Server Objects.



Programmatically Managing Replication.



Replication APIs.



Connection Objects.



Triggering the KCC.



Disabling the KCC.



Object Metadata.



Forcing Replication.



Viewing Replication Partners Information.



Monitoring and Troubleshooting.



Using RepAdmin.



Using Replication Monitor (ReplMon).



Event Log.



Performance Monitor.



Summary.



Additional Resources.



Books.



Web Sites.



Microsoft Documentation.

10. Schema.


Overview.



Schema Container and FSMO.



Classes.



Attributes.



Abstract Schema.



Tools.



Schema Mgmt MMC Snap-In.



LDIFDE.



Oidgen.



Uuidgen.



SchemaDoc.



Programmatically Managing the Schema.



Locating the Schema Container.



Finding the Schema FSMO.



Transferring the Schema FSMO.



Updating the Registry to Allow Schema Updates.



Querying the Abstract Schema with ADSI.



Querying the Abstract Schema with Perl.



Deleting Schema Objects.



Importing Schema Extensions Through LDIF Files.



Extending the Schema.



Extensions for Existing Versus New Objects.



Naming Convention.



Obtaining Object Identifiers.



Obtaining Globally Unique Identifiers.



Schema Extension Questionnaire.



Dealing with Vendors.



Steps to Extend the Schema.



Understanding the Schema Cache.



Programmatically Extending the Schema with LDIF Files.



Tracking Schema Extensions.



Summary.



Additional Resources.



Books.



RFCs.



Web Sites.



Microsoft Documentation.

11. Accounts (Users, Groups, Computers, and Printers).


Overview.



Business Logic.



Account Consistency and Ownership.



MetaDirectory.



Users.



Groups.



Computers.



Printers.



Managing Users, Groups, Computers, and Printers.



User Objects.



Group Objects.



Computer Objects.



Printer Objects.



Summary.



Additional Resources.



Books.



RFCs.



Web Sites.



Microsoft Documentation.

12. Security.


Overview.



Kerberos...Under the Hood.



Key Distribution Centers.



Three Message Exchanges.



Authentication Service Exchange (KRB_AS_REQ/REP).



Ticket-Granting Service Exchange (KRB_TGS_REQ/REP).



Client/Server Authentication Exchange (KRB_AP_REQ/REP).



Purging the Kerberos Ticket Cache.



Auditing for Security.



How Auditing Works.



Audit Policy Components.



Configuring the Audit Policy.



Some Parting Audit Recommendations.



Event Management.



Security Descriptor Definition Language (SDDL).



Microsoft's New Security Descriptor Management APIs.



Anatomy of an SDDL.



Advanced SDDL Functions.



Schema and Rights GUIDs in the Active Directory.



Identifying GUIDs.



Common-Sense Security Recommendations.



Active Directory Recommendations.



Domain Controller Recommendations.



Summary.



Additional Resources.



Books.



RFCs.



Web Sites.



Microsoft Documentation.

13. Group Policy Objects (GPOs).


Overview.



Client-Side Extensions (CSEs) for Group Policy.



Tools.



GPOTOOL.



GPRESULT.



GPO API-Based Management.



GetAppliedGPOList.



GetGPOList.



Adding and Deleting Policy Links.



Summary.



Additional Resources.



Books.



Microsoft Documentation.

IV. APPENDIXES.

Appendix A. Active Directory References.


Finding More Information.



Active Directory Library.



Introduction/General.



Planning, Migration, and Deployment.



Programming.



Active Directory Toolbox.



Resource Kits.



Microsoft Platform Software Development Kit (SDK).



Active Directory Web.



Active Directory.



Microsoft.



Visual Basic/VBScript.



Perl.



Active Directory Application Vendors.



Aelita.



BindView.



FastLane.



Full Armor.



NetIQ.



NetPro.

Appendix B. Indexed, GC, and ANR Attributes.
Appendix C. LDAP Controls.
Appendix D. Group Policy Settings.
Index.

Publication date (per publisher) 8.5.2002
Place of publication New Jersey
Language English
Dimensions 187 x 232 mm
Weight 973 g
Subject area Computer Science Operating Systems / Servers Windows
Computer Science Further Topics Hardware
ISBN-10 0-672-32125-4 / 0672321254
ISBN-13 978-0-672-32125-2 / 9780672321252
Condition New