Tables of Contents for Active Directory Cookbook

ISBN.nu

search for books and compare prices

Chapter/Section Title

Page #

Page Count

Foreword

xvii

Preface

xxi

Getting Started

Where to Find the Tools

Getting Familiar with LDIF

Programming Notes

Replaceable Text

Where to Find More Information

Forests, Domains, and Trusts

Creating a Forest

Removing a Forest

Creating a Domain

Removing a Domain

Removing an Orphaned Domain

Finding the Domains in a Forest

Finding the NetBIOS Name of a Domain

Renaming a Domain

Changing the Mode of a Domain

Using ADPrep to Prepare a Domain or Forest for Windows Server 2003

Determining if ADPrep Has Completed

Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003

Raising the Functional Level of a Windows Server 2003 Domain

Raising the Functional Level of a Windows Server 2003 Forest

Creating a Trust Between a Windows NT Domain and an AD Domain

Creating a Transitive Trust Between Two AD Forests

Creating a Shortcut Trust Between Two AD Domains

Creating a Trust to a Kerberos Realm

Viewing the Trusts for a Domain

Verifying a Trust

Resetting a Trust

Removing a Trust

Enabling SID Filtering for a Trust

Finding Duplicate SIDs in a Domain

Domain Controllers, Global Catalogs, and FSMOs

Promoting a Domain Controller

Promoting a Domain Controller from Media

Demoting a Domain Controller

Automating the Promotion or Demotion of a Domain Controller

Troubleshooting Domain Controller Promotion or Demotion Problems

Removing an Unsuccessfully Demoted Domain Controller

Renaming a Domain Controller

Finding the Domain Controllers for a Domain

Finding the Closest Domain Controller

Finding a Domain Controller's Site

Moving a Domain Controller to a Different Site

Finding the Services a Domain Controller Is Advertising

Configuring a Domain Controller to Use an External Time Source

Finding the Number of Logon Attempts Made Against a Domain Controller

Enabling the /3GB Switch to Increase the LSASS Cache

Cleaning Up Distributed Link Tracking Objects

Enabling and Disabling the Global Catalog

Determining if Global Catalog Promotion Is Complete

Finding the Global Catalog Servers in a Forest

Finding the Domain Controllers or Global Catalog Servers in a Site

Finding Domain Controllers and Global Catalogs via DNS

Changing the Preference for a Domain Controller

Disabling the Global Catalog Requirement During a Windows 2000 Domain Login

Disabling the Global Catalog Requirement During a Windows 2003 Domain Login

Finding the FSMO Role Holders

Transferring a FSMO Role

Seizing a FSMO Role

Finding the PDC Emulator FSMO Role Owner via DNS

Searching and Manipulating Objects

Viewing the RootDSE

Viewing the Attributes of an Object

Using LDAP Controls

101

Using a Fast or Concurrent Bind

104

Searching for Objects in a Domain

105

Searching the Global Catalog

108

Searching for a Large Number of Objects

110

Searching with an Attribute-Scoped Query

112

Searching with a Bitwise Filter

114

Creating an Object

116

Modifying an Object

118

Modifying a Bit-Flag Attribute

121

Dynamically Linking an Auxiliary Class

123

Creating a Dynamic Object

125

Refreshing a Dynamic Object

126

Modifying the Default TTL Settings for Dynamic Objects

128

Moving an Object to a Different OU or Container

130

Moving an Object to a Different Domain

132

Renaming an Object

133

Deleting an Object

135

Deleting a Container That Has Child Objects

136

Viewing the Created and Last Modified Timestamp of an Object

137

Modifying the Default LDAP Query Policy

139

Exporting Objects to an LDIF File

141

Importing Objects Using an LDIF File

142

Exporting Objects to a CSV File

144

Importing Objects Using a CSV File

144

Organizational Units

146

Creating an OU

147

Enumerating the OUs in a Domain

148

Enumerating the Objects in an OU

150

Deleting the Objects in an OU

151

Deleting an OU

152

Moving the Objects in an OU to a Different OU

154

Moving an OU

155

Determining How Many Child Objects an OU Has

156

Delegating Control of an OU

158

Allowing OUs to Be Created Within Containers

159

Linking a GPO to an OU

160

Users

163

Creating a User

164

Creating a Large Number of Users

166

Creating an inetOrgPerson User

167

Modifying an Attribute for Several Users at Once

169

Moving a User

171

Renaming a User

172

Copying a User

173

Unlocking a User

175

Finding Locked Out Users

176

Troubleshooting Account Lockout Problems

177

Viewing the Account Lockout and Password Policies

179

Enabling and Disabling a User

182

Finding Disabled Users

184

Viewing a User's Group Membership

185

Changing a User's Primary Group

187

Transferring a User's Group Membership to Another User

189

Setting a User's Password

191

Setting a User's Password via LDAP

192

Setting a User's Password via Kerberos

193

Preventing a User from Changing His Password

193

Requiring a User to Change Her Password at Next Logon

195

Preventing a User's Password from Expiring

196

Finding Users Whose Passwords Are About to Expire

197

Setting a User's Account Options (userAccountControl)

201

Setting a User's Account to Expire in the Future

203

Finding Users Whose Accounts Are About to Expire

205

Determining a User's Last Logon Time

207

Finding Users Who Have Not Logged On Recently

209

Setting a User's Profile Attributes

211

Viewing a User's Managed Objects

212

Modifying the Default Display Name Used When Creating Users in ADUC

213

Creating a UPN Suffix for a Forest

215

Groups

217

Creating a Group

218

Viewing the Direct Members of a Group

220

Viewing the Nested Members of a Group

221

Adding and Removing Members of a Group

222

Moving a Group

224

Changing the Scope or Type of a Group

225

Delegating Control for Managing Membership of a Group

226

Resolving a Primary Group ID

228

Enabling Universal Group Membership Caching

231

Computers

233

Creating a Computer

234

Creating a Computer for a Specific User or Group

236

Joining a Computer to a Domain

241

Moving a Computer

244

Renaming a Computer

245

Testing the Secure Channel for a Computer

247

Resetting a Computer

248

Finding Inactive or Unused Computers

249

Changing the Maximum Number of Computers a User Can Join to the Domain

253

Finding Computers with a Particular OS

254

Binding to the Default Container for Computers

256

Changing the Default Container for Computers

258

Group Policy Objects (GPOs)

261

Finding the GPOs in a Domain

263

Creating a GPO

264

Copying a GPO

265

Deleting a GPO

268

Viewing the Settings of a GPO

269

Modifying the Settings of a GPO

272

Importing Settings into a GPO

272

Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO

275

Installing Applications with a GPO

276

Disabling the User or Computer Settings in a GPO

277

Listing the Links for GPO

279

Creating a GPO Link to an OU

281

Blocking Inheritance of GPOs on an OU

283

Applying a Security Filter to a GPO

285

Creating a WMI Filter

288

Applying a WMI Filter to a GPO

289

Backing Up a GPO

291

Restoring a GPO

294

Simulating the RSoP

296

Viewing the RSoP

297

Refreshing GPO Settings on a Computer

299

Restoring a Default GPO

299

Schema

301

Registering the Active Directory Schema MMC Snap-in

303

Enabling Schema Updates

304

Generating an OID to Use for a New Class or Attribute

306

Generating a GUID to Use for a New Class or Attribute

307

Extending the Schema

308

Documenting Schema Extensions

309

Adding a New Attribute

310

Viewing an Attribute

313

Adding a New Class

315

Viewing a Class

317

Indexing an Attribute

318

Modifying the Attributes That Are Copied When Duplicating a User

320

Modifying the Attributes Included with Ambiguous Name Resolution

322

Adding or Removing an Attribute in the Global Catalog

324

Finding the Nonreplicated and Constructed Attributes

326

Finding the Linked Attributes

329

Finding the Structural, Auxiliary, Abstract, and 88 Classes

330

Finding the Mandatory and Optional Attributes of a Class

332

Modifying the Default Security of a Class

334

Deactivating Classes and Attributes

335

Redefining Classes and Attributes

336

Reloading the Schema Cache

337

Site Topology

340

Creating a Site

343

Listing the Sites

345

Deleting a Site

346

Creating a Subnet

347

Listing the Subnets

349

Finding Missing Subnets

350

Creating a Site Link

352

Finding the Site Links for a Site

353

Modifying the Sites That Are Part of a Site Link

355

Modifying the Cost for a Site Link

356

Disabling Site Link Transitivity or Site Link Schedules

357

Creating a Site Link Bridge

359

Finding the Bridgehead Servers for a Site

361

Setting a Preferred Bridgehead Server for a Site

362

Listing the Servers

364

Moving a Domain Controller to a Different Site

365

Configuring a Domain Controller to Cover Multiple Sites

366

Viewing the Site Coverage for a Domain Controller

368

Disabling Automatic Site Coverage for a Domain Controller

368

Finding the Site for a Client

369

Forcing a Host to a Particular Site

370

Creating a Connection Object

372

Listing the Connection Objects for a Server

373

Load-Balancing Connection Objects

374

Finding the ISTG for a Site

375

Transferring the ISTG to Another Server

376

Triggering the KCC

378

Determining if the KCC Is Completing Successfully

379

Disabling the KCC for a Site

380

Changing the Interval at Which the KCC Runs

382

Replication

384

Determining if Two Domain Controllers Are in Sync

384

Viewing the Replication Status of Several Domain Controllers

386

Viewing Unreplicated Changes Between Two Domain Controllers

386

Forcing Replication from One Domain Controller to Another

390

Changing the Intra-Site Replication Interval

391

Changing the Intersite Replication Interval

393

Disabling Inter-Site Compression of Replication Traffic

394

Checking for Potential Replication Problems

395

Enabling Enhanced Logging of Replication Events

395

Enabling Strict or Loose Replication Consistency

396

Finding Conflict Objects

397

Viewing Object Metadata

399

Domain Name System (DNS)

402

Creating a Forward Lookup Zone

404

Creating a Reverse Lookup Zone

405

Viewing a Server's Zones

406

Converting a Zone to an AD-Integrated Zone

408

Moving AD-Integrated Zones into an Application Partition

409

Delegating Control of a Zone

411

Creating and Deleting Resource Records

413

Querying Resource Records

415

Modifying the DNS Server Configuration

417

Scavenging Old Resource Records

418

Clearing the DNS Cache

420

Verifying That a Domain Controller Can Register Its Resource Records

422

Registering a Domain Controller's Resource Records

423

Preventing a Domain Controller from Dynamically Registering All Resource Records

424

Preventing a Domain Controller from Dynamically Registering Certain Resource Records

426

Deregistering a Domain Controller's Resource Records

429

Allowing Computers to Use a Different Domain Suffix from Their AD Domain

429

Security and Authentication

432

Enabling SSL/TLS

433

Encrypting LDAP Traffic with SSL, TLS, or Signing

434

Enabling Anonymous LDAP Access

436

Restricting Hosts from Performing LDAP Queries

438

Using the Delegation of Control Wizard

439

Customizing the Delegation of Control Wizard

440

Viewing the ACL for an Object

443

Customizing the ACL Editor

444

Viewing the Effective Permissions on an Object

445

Changing the ACL of an Object

446

Changing the Default ACL for an Object Class in the Schema

447

Comparing the ACL of an Object to the Default Defined in the Schema

448

Resetting an Object's ACL to the Default Defined in the Schema

448

Preventing the LM Hash of a Password from Being Stored

449

Enabling List Object Access Mode

450

Modifying the ACL on Administrator Accounts

452

Viewing and Purging Your Kerberos Tickets

453

Forcing Kerberos to Use TCP

455

Modifying Kerberos Settings

456

Logging, Monitoring, and Quotas

458

Enabling Extended dcpromo Logging

459

Enabling Diagnostics Logging

461

Enabling NetLogon Logging

463

Enabling GPO Client Logging

464

Enabling Kerberos Logging

465

Enabling DNS Server Debug Logging

467

Viewing DNS Server Performance Statistics

469

Enabling Inefficient and Expensive LDAP Query Logging

472

Using the STATS Control to View LDAP Query Statistics

474

Using Perfmon to Monitor AD

476

Using Perfmon Trace Logs to Monitor AD

478

Enabling Auditing of Directory Access

481

Creating a Quota

482

Finding the Quotas Assigned to a Security Principal

484

Changing How Tombstone Objects Count Against Quota Usage

485

Setting the Default Quota for All Security Principals in a Partition

487

Finding the Quota Usage for a Security Principal

488

Backup, Recovery, DIT Maintenance, and Deleted Objects

491

Backing Up Active Directory

493

Restarting a Domain Controller in Directory Services Restore Mode

494

Resetting the Directory Service Restore Mode Administrator Password

496

Performing a Nonauthoritative Restore

497

Performing an Authoritative Restore of an Object or Subtree

498

Performing a Complete Authoritative Restore

500

Checking the DIT File's Integrity

501

Moving the DIT Files

502

Repairing or Recovering the DIT

502

Performing an Online Defrag Manually

503

Determining How Much Whitespace Is in the DIT

505

Performing an Offline Defrag to Reclaim Space

506

Changing the Garbage Collection Interval

508

Logging the Number of Expired Tombstone Objects

509

Determining the Size of the Active Directory Database

511

Searching for Deleted Objects

512

Restoring a Deleted Object

513

Modifying the Tombstone Lifetime for a Domain

515

Application Partitions

517

Creating and Deleting an Application Partition

518

Finding the Application Partitions in a Forest

521

Adding or Removing a Replica Server for an Application Partition

523

Finding the Replica Servers for an Application Partition

525

Finding the Application Partitions Hosted by a Server

527

Verifying Application Partitions Are Instantiated on a Server Correctly

529

Setting the Replication Notification Delay for an Application Partition

530

Setting the Reference Domain for an Application Partition

532

Delegating Control of Managing an Application Partition

534

Interoperability and Integration

539

Accessing AD from a Non-Windows Platform

539

Programming with .NET

540

Programming with DSML

542

Programming with Perl

543

Programming with Java

544

Programming with Python

546

Integrating with MIT Kerberos

547

Integrating with Samba

548

Integrating with Apache

549

Replacing NIS

550

Using BIND for DNS

551

Authorizing a Microsoft DHCP Server

552

Using VMWare for Testing AD

553

Appendix: Tool List

557

Index

575