Inside Active Directory - Sakari Kouti, Mika Seitsonen

Inside Active Directory

A System Administrator's Guide
Book | Softcover
960 pages
2002
Addison Wesley (publisher)
978-0-201-61621-7 (ISBN)
57,65 incl. VAT
  • Title is unfortunately out of print;
    no new edition
A later edition of this item exists
Provides practical strategies for managing Active Directory, the cornerstone technology within Windows 2000 distributed networks. This administrator's guide covers design, architecture, topology, deployment, and management issues, and provides instructions for efficiently administering the entire network operating environment.
Now that Windows 2000's Active Directory is in the marketplace, the true challenges associated with implementing and managing it have become far clearer. Drawing upon extensive real-world experience, this book identifies those challenges -- and presents today's best solutions. The authors begin by introducing key Active Directory concepts and presenting crucial background for successful planning and implementation. Understand the role of TCP/IP, WINS, DHCP, DNS, and LDAP in the Active Directory environment; walk through planning physical and logical structure; then master user and group management, access control, and group policies. Learn how to secure Active Directory; then maximize its performance in far-flung networks through the effective use of replication. Understand the Active Directory data model and schema, gaining insight for extending Active Directory to accommodate custom directory-enabled applications and administration tools. The book also includes two full chapters on automating administration through scripting.

Sakari Kouti, M.S. (Tech), is a senior trainer and consultant for Sovelto, the leading training company in Finland. He started working with networks in 1986 and his articles have appeared in Windows NT Magazine (now Windows and .NET Magazine). Sakari was one of the first MCSEs in the world back in 1994. Mika Seitsonen is a senior trainer at Sovelto. His network experience spans more than ten years, and he was one of the first MCSE: Security on Microsoft Windows Server 2003 certified persons in the world. Mika was awarded MVP—Directory Services in 2004 and holds an M.S. (Tech) from University of Nottingham (U.K.) and Lappeenranta University of Technology (Finland).

Preface.
I. BACKGROUND SKILLS.

1. Active Directory: The Big Picture.


Introduction to Active Directory.



A Brief Description.



The First Look at Active Directory.



History.



Active Directory Compared to Windows NT.



Active Directory Compared to NDS.



A Sample Company.



Basic Building Blocks.



Domain Controllers.



Domains.



Trust Relationships.



Organizational Units and Other Objects.



Groups.



Sites.



Replication.



Global Catalog.



Hierarchies.



Single Domain with No OU Structure.



OU Tree in a Single Domain.



Domain Trees.



Forest of Domain Trees.



DNS Integration.



Locating Computers and Services.



Dynamic DNS Updates.



Security and Policies.



Access Control.



Inheritance.



Delegation of Administration.



Group Policy.



Architecture.



Data Model.



The Schema.



Extending the Schema.



Container and Leaf Objects.



Partitions.



Naming Objects.



The X.500 Standards.



LDAP.



Physical Architecture.



ADSI.



Kerberos Authentication.



Public Key Infrastructure.



Other Features.



Virtual Containers.



Publishing.



Connecting to the Internet.



Active Directory's Current Limitations.



The Next Version of Active Directory.



Conclusion.

2. Installation of Windows 2000 and Active Directory.


Before You Install Windows 2000.



Decisions That Cannot Be Reversed.



Dual Booting.



Requirements and Recommendations.



Preparation.



Installing Windows 2000.



Starting Installation.



The Setup Program.



The Setup Wizard.



Installing and Configuring a Network.



Finalizing the Setup.



Upgrading Your Operating System.



After You've Installed Windows 2000 Server.



Installing Windows 2000 Professional.



Installing Active Directory.



Requirements and Recommendations.



Creating Domains, Trees, and Forests.



The Installation Process.



After Active Directory Installation.



Automating Installation.



Automating Windows 2000 Installation.



Automating Active Directory Installation.



Troubleshooting Installation.



Incompatible Devices.



Problems with ACPI.



Incorrectly Detected Devices.



Problems with Active Directory Installation.



Recovery Options.



Uninstalling Windows 2000 and Active Directory.



Uninstalling Windows 2000.



Uninstalling Active Directory.



Conclusion.

II. CORE SKILLS.

3. Managing OUs, Users, and Groups.


Active Directory after Installation.



Predefined OUs and Other Containers.



Predefined Users.



Predefined Groups.



Predefined Computer Objects.



Changing the Domain Mode.



Administering OUs.



Features of OUs.



Managing OUs.



Planning OUs.



Administering Users and Contacts.



Creating Users.



Creating Contacts.



Setting User and Contact Properties.



Other Operations to Manage Users and Contacts.



Administering Computer Objects.



Creating Computer Objects.



Setting Computer Object Properties.



Other Operations to Manage Computer Objects.



Administering Groups.



Group Types.



Group Scopes.



Managing Groups.



Planning Groups.



Tips on Tools.



The Users and Computers Snap-In.



Alternative Means to Manage Users and Other Objects.



Conclusion.

4. Securing Active Directory.


Introduction to Windows 2000 Security.



Background for Active Directory Access Control.



Controlling Access.



Security Principals.



Well-Known Security Principals.



Managing Active Directory Permissions.



Permission Concepts.



Anatomy of ACL Editor Dialog Boxes.



Standard and Special Object Permissions.



Permissions for Object Properties.



Permissions in Applications.



Inheritance.



Ownership.



How Permissions Accumulate.



Deny Permissions and the Ordering of Permission Entries.



Permission Performance.



DSACLS.



AdminSDHolder Object.



Delegation of Control Wizard.



Common Tasks.



Custom Tasks.



Default Permissions for Objects.



Sources of Default Permissions.



Common Features of Default Permissions.



Pre-Windows 2000 Compatible Access.



Listing Default Permissions.



Where Security Principals Have Permissions.



Changing Default ACLs.



Usage Scenarios for Active Directory Permissions.



General Practices.



Delegation Scenarios (To Make Changes).



User Scenarios (To See Properties).



Auditing Active Directory Access.



Adding Auditing Entries.



Turning On Auditing.



Viewing Audit Records.



Access Control Architecture.



Processes and User Accounts.



SIDs.



Access Tokens.



Security Descriptors.



User Rights.



User Rights Categories.



Fixed Rights.



Active Directory Permissions Instead of Rights.



Applying User Rights.



Conclusion.

5. Sites and Replication.


Concepts of the Physical Structure.



Why Replication.



Nature of Active Directory Replication.



Partitions and Replicas.



Overview of the Replication Process.



Overview of Replication Topologies.



Sites.



Overview of Intrasite and Intersite Replication.



Urgent Replication.



Nonreplicating Properties.



Global Catalog.



Overview of Operations Masters.



Managing the Physical Structure.



Active Directory Objects for Sites and Replication.



The Big Pictures of the Objects.



The Sites and Services Snap-In.



Tasks in Managing the Physical Structure.



Using the Default-First-Site-Name Site.



Creating and Managing Subnet Objects.



Creating and Managing Site Objects.



Moving and Managing Server Objects.



Managing NTDS Settings.



Creating and Managing Site Links.



Managing Licensing Computers.



Removing Domain Controllers.



Monitoring and Diagnosing the Physical Structure.



Replication Permissions.



Advanced Topics.



Intrasite Replication Topologies.



Intersite Replication Topologies.



Configuring SMTP Replication.



The Replication Process.



Time Synchronization.



Managing Operations Masters.



Conclusion.

6. Domains and Forests.


Domain Controller Placement.



Active Directory Network Traffic.



Determining the Placement of Directory Information.



Designing Domain and Forest.



Single or Multiple Domains and Forests.



Forest Planning Considerations.



Managing Domains and Forests.



Managing Trusts.



Moving Objects in a Forest.



Managing Groups and Permissions in a Forest.



Referrals and Cross-References.



Delegating Domain Installation.



LDAP and Searches.



LDAP Searches.



Search Tools.



Extended LDAP Controls.



LDAP Data Interchange Format.



Conclusion.

7. Group Policy.


Group Policy Concepts.



MMC Group Policy Snap-in.



NT 4 System Policy Compared to Windows 2000 Group Policy.



Group Policy Contents.



Computer versus User.



Software Settings.



Scripts.



Security Settings.



Administrative Templates.



Other Policies.



Group Policy Objects and Links.



Group Policy Objects.



Group Policy Links.



Scope of Group Policies.



Inheritance.



Processing Group Policy.



Processing Basics.



Slow Link Processing.



Loopback Processing.



Determining Effective Group Policies.



Managing Group Policies.



Group Policy Dialog Box.



Creating GPOs.



Editing GPOs.



Managing GPO Links.



Deleting GPOs.



Backing up Group Policy.



Delegating Management of GPOs.



Additional Tools.



Software Management with Group Policy.



Windows Installer.



Creating Windows Installer Packages.



Deploying Software with Group Policy.



Upgrading Applications.



Patching Applications.



Removing Applications.



Troubleshooting Group Policy.



Logging Group Policy Events.



Resource Kit Tools for Group Policy.



Group Policy Scenarios.



Advanced Topics.



Group Policy Synchronization.



Registry-Based Settings for Group Policy Processing.



Client-Side Extensions.



Registry Settings for Group Policy History.



Default Permissions for GPOs.



Slow Link Detection Algorithm.



Conclusion.

III. ADVANCED SKILLS.

8. Active Directory Schema.


Overview of the Active Directory Data Model.



Classes, Objects, and Attributes.



Container and Leaf Objects.



Indexing and the Global Catalog.



Schema.



Role of the Schema.



Location of the Schema.



Inspecting the Schema with ADSI Edit.



Inspecting the Schema with the Schema Manager Snap-In.



Dumping the Schema to a Spreadsheet.



Subschema Subentry.



Schema Cache.



Constructed Attributes.



Classes.



Names and Identifiers.



Object Identifiers.



Structure and Containment Rules.



Class Inheritance.



Miscellaneous Characteristics of Classes.



Class Schema Object Property Pages.



Attributes and Syntaxes.



Names and Identifiers.



Syntax and Content Rules.



Searches.



Miscellaneous Characteristics for Attributes.



AttributeSchema Object Property Pages.



Conclusion.

9. Extending the Schema.


When and Why to Modify.



Guidelines.



What Data to Put in Active Directory.



Planning the Modifications.



Creating a Class.



Modifying a Class.



Creating an Attribute.



Modifying an Attribute.



Deactivating Classes and Attributes.



The Modification Process.



Order of Tasks.



The Means to Make Changes.



The Schema Manager Snap-in.



ADSI Edit.



LDIFDE.



CSVDE.



An Installation EXE File.



Some Gotchas in Changing the Schema.



Bringing the Extensions to the User Interface.



Where to Place the Objects.



Managing Permissions.



Creating and Displaying the Objects.



Display Specifiers.



Testing to Change the Displays.



Extending the User Class.



Planning the Extensions.



Implementing the Extensions.



Managing the Attribute Values.



Searching on the New Attributes.



Managing the Attribute Permissions.



Conclusion.

10. Administration Scripts: Concepts.


Getting Started.



The Script Execution Environment.



Launching WSH Scripts.



Controlling WSH Scripts.



Setting up the Development Environment.



VBScript Language.



Dissecting a Sample Script.



The First Sample (Normal).



The Second Sample (Short).



The Third Sample (Very Short).



ADSI Concepts.



Basic ADSI.



Basic COM.



The Property Cache.



ADSI Interfaces.



ADSI Syntaxes.



Additional Techniques.



Ways to Input and Output Information.



Using Executables from Scripts.



Using COM Components.



Using the Win32 API.



Debugging Scripts.



Including Script Lines from Another File.



Conclusion.

11. Administration Scripts: Examples.


ADSI Examples.



User Management.



List the Users of One Container.vbs.



List the Users of One Container to Excel.vbs.



List the Property Cache Contents.vbs.



List User Properties with Get.vbs.



List User Properties with Methods.vbs.



List the Account Options of a User.vbs.



Create a User with Minimum Attributes.vbs.



Create a User with More Attributes.vbs.



Create a User with a Batch File.bat.



Create a Home Folder for a User - ver 1.vbs.



Create a Home Folder for a User - ver 2.vbs.



Read User Information from Excel.xls.



Read User Information from Standard Input.vbs.



Schema Access.



Concepts.



Schema Sample Scripts.



List All Abstract Schema Objects.vbs.



List the Member Attributes of a Given Class.vbs.



List the Member Attributes of a Given Class to Excel.vbs.



Show Property Properties.vbs.



Container or Leaf.vbs.



List All Real Schema Objects.vbs.



List Indexed Attributes.vbs.



List ANR, Nonreplicated and Constructed Attributes.



List Global Catalog Attributes.vbs.



List All classSchemas to Excel.vbs.



List All attributeSchemas to Excel.vbs.



Create an Attribute and a Class.vbs.



Configuration Information.



List the Supported Namespaces.vbs.



List Attribute Display Names.vbs.



List the DC GUIDs.vbs.



List the rootDSE Property Cache.vbs.



List the GPO GUIDs.vbs.



List the Operations Masters.vbs.



List the Operations Masters with ADsFSMO.vbs.



List ADSystemInfo.vbs.



Access Control Lists.



Security Interfaces.



The Access Control List Sample Scripts.



List ACEs—Short.vbs.



List ACEs to Excel—Short.vbs.



List Binary GUIDs.vbs.



List ACEs—Long.vbs.



Add ACEs.vbs.



Add ACEs to a Folder.vbs.



OU, Group and Computer Management.



OU Management.



Group Management.



Create a Computer Object.vbs.



ADSI without Active Directory.



List Services.vbs.



List Users, Groups, and Print Queues.



List Shares.vbs.



Create a Share.vbs.



List WinNT Properties of User Class.vbs.



Create a User in a Workstation.vbs.



Additional Techniques.



Binding with Credentials.



Binding with WKGUIDs.



Binding to the Global Catalog.



List the Users of a Subtree.vbs.



Error Checking.vbs.



Scripts as Command-Line Tools.



Using ADO.



ADO Concepts.



Basic Example.vbs.



Basic Example with SQL.vbs.



Modifying Objects.vbs.



Multipartition Queries.



Additional Settings.



List Objects That Have Blocked ACL Inheritance.vbs.

Conclusion.
Bibliography.
Index.

Publication date (per publisher): 7.1.2002
Place of publication: Boston
Language: English
Dimensions: 188 x 234 mm
Weight: 1429 g
Subject area: Computer Science, Operating Systems / Servers, Windows
Computer Science, Operating Systems / Servers, Windows Server
ISBN-10: 0-201-61621-1 / 0201616211
ISBN-13: 978-0-201-61621-7 / 9780201616217
Condition: New