Table of content | Active Directory Cookbook, 3rd Edition



•	Table of Contents
•	Index
•	Reviews
•	Examples
•	Reader Reviews
•	Errata

;

Active Directory Cookbook

By Robbie Allen

Publisher

: O'Reilly

Pub Date

: September 2003

ISBN

: 0-596-00464-8

Pages

: 622

Foreword

Preface

Who Should Read This Book?

What's in This Book?

Conventions Used in This Book

We'd Like Your Feedback!

Acknowledgments

Chapter 1. Getting Started

Approach to the Book

Recipe 1.1. Where to Find the Tools

Recipe 1.2. Getting Familiar with LDIF

Recipe 1.3. Programming Notes

Recipe 1.4. Replaceable Text

Recipe 1.5. Where to Find More Information

Chapter 2. Forests, Domains, and Trusts

Introduction

Recipe 2.1. Creating a Forest

Recipe 2.2. Removing a Forest

Recipe 2.3. Creating a Domain

Recipe 2.4. Removing a Domain

Recipe 2.5. Removing an Orphaned Domain

Recipe 2.6. Finding the Domains in a Forest

Recipe 2.7. Finding the NetBIOS Name of a Domain

Recipe 2.8. Renaming a Domain

Recipe 2.9. Changing the Mode of a Domain

Recipe 2.10. Using ADPrep to Prepare a Domain or Forest for Windows Server 2003

Recipe 2.11. Determining if ADPrep Has Completed

Recipe 2.12. Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003

Recipe 2.13. Raising the Functional Level of a Windows Server 2003 Domain

Recipe 2.14. Raising the Functional Level of a Windows Server 2003 Forest

Recipe 2.15. Creating a Trust Between a Windows NT Domain and an AD Domain

Recipe 2.16. Creating a Transitive Trust Between Two AD Forests

Recipe 2.17. Creating a Shortcut Trust Between Two AD Domains

Recipe 2.18. Creating a Trust to a Kerberos Realm

Recipe 2.19. Viewing the Trusts for a Domain

Recipe 2.20. Verifying a Trust

Recipe 2.21. Resetting a Trust

Recipe 2.22. Removing a Trust

Recipe 2.23. Enabling SID Filtering for a Trust

Recipe 2.24. Finding Duplicate SIDs in a Domain

Chapter 3. Domain Controllers, Global Catalogs, and FSMOs

Introduction

Recipe 3.1. Promoting a Domain Controller

Recipe 3.2. Promoting a Domain Controller from Media

Recipe 3.3. Demoting a Domain Controller

Recipe 3.4. Automating the Promotion or Demotion of a Domain Controller

Recipe 3.5. Troubleshooting Domain Controller Promotion or Demotion Problems

Recipe 3.6. Removing an Unsuccessfully Demoted Domain Controller

Recipe 3.7. Renaming a Domain Controller

Recipe 3.8. Finding the Domain Controllers for a Domain

Recipe 3.9. Finding the Closest Domain Controller

Recipe 3.10. Finding a Domain Controller's Site

Recipe 3.11. Moving a Domain Controller to a Different Site

Recipe 3.12. Finding the Services a Domain Controller Is Advertising

Recipe 3.13. Configuring a Domain Controller to Use an External Time Source

Recipe 3.14. Finding the Number of Logon Attempts Made Against a Domain Controller

Recipe 3.15. Enabling the /3GB Switch to Increase the LSASS Cache

Recipe 3.16. Cleaning Up Distributed Link Tracking Objects

Recipe 3.17. Enabling and Disabling the Global Catalog

Recipe 3.18. Determining if Global Catalog Promotion Is Complete

Recipe 3.19. Finding the Global Catalog Servers in a Forest

Recipe 3.20. Finding the Domain Controllers or Global Catalog Servers in a Site

Recipe 3.21. Finding Domain Controllers and Global Catalogs via DNS

Recipe 3.22. Changing the Preference for a Domain Controller

Recipe 3.23. Disabling the Global Catalog Requirement During a Windows 2000 Domain Login

Recipe 3.24. Disabling the Global Catalog Requirement During a Windows 2003 Domain Login

Recipe 3.25. Finding the FSMO Role Holders

Recipe 3.26. Transferring a FSMO Role

Recipe 3.27. Seizing a FSMO Role

Recipe 3.28. Finding the PDC Emulator FSMO Role Owner via DNS

Chapter 4. Searching and Manipulating Objects

Introduction

Recipe 4.1. Viewing the RootDSE

Recipe 4.2. Viewing the Attributes of an Object

Recipe 4.3. Using LDAP Controls

Recipe 4.4. Using a Fast or Concurrent Bind

Recipe 4.5. Searching for Objects in a Domain

Recipe 4.6. Searching the Global Catalog

Recipe 4.7. Searching for a Large Number of Objects

Recipe 4.8. Searching with an Attribute-Scoped Query

Recipe 4.9. Searching with a Bitwise Filter

Recipe 4.10. Creating an Object

Recipe 4.11. Modifying an Object

Recipe 4.12. Modifying a Bit-Flag Attribute

Recipe 4.13. Dynamically Linking an Auxiliary Class

Recipe 4.14. Creating a Dynamic Object

Recipe 4.15. Refreshing a Dynamic Object

Recipe 4.16. Modifying the Default TTL Settings for Dynamic Objects

Recipe 4.17. Moving an Object to a Different OU or Container

Recipe 4.18. Moving an Object to a Different Domain

Recipe 4.19. Renaming an Object

Recipe 4.20. Deleting an Object

Recipe 4.21. Deleting a Container That Has Child Objects

Recipe 4.22. Viewing the Created and Last Modified Timestamp of an Object

Recipe 4.23. Modifying the Default LDAP Query Policy

Recipe 4.24. Exporting Objects to an LDIF File

Recipe 4.25. Importing Objects Using an LDIF File

Recipe 4.26. Exporting Objects to a CSV File

Recipe 4.27. Importing Objects Using a CSV File

Chapter 5. Organizational Units

Introduction

Recipe 5.1. Creating an OU

Recipe 5.2. Enumerating the OUs in a Domain

Recipe 5.3. Enumerating the Objects in an OU

Recipe 5.4. Deleting the Objects in an OU

Recipe 5.5. Deleting an OU

Recipe 5.6. Moving the Objects in an OU to a Different OU

Recipe 5.7. Moving an OU

Recipe 5.8. Determining How Many Child Objects an OU Has

Recipe 5.9. Delegating Control of an OU

Recipe 5.10. Allowing OUs to Be Created Within Containers

Recipe 5.11. Linking a GPO to an OU

Chapter 6. Users

Introduction

Recipe 6.1. Creating a User

Recipe 6.2. Creating a Large Number of Users

Recipe 6.3. Creating an inetOrgPerson User

Recipe 6.4. Modifying an Attribute for Several Users at Once

Recipe 6.5. Moving a User

Recipe 6.6. Renaming a User

Recipe 6.7. Copying a User

Recipe 6.8. Unlocking a User

Recipe 6.9. Finding Locked Out Users

Recipe 6.10. Troubleshooting Account Lockout Problems

Recipe 6.11. Viewing the Account Lockout and Password Policies

Recipe 6.12. Enabling and Disabling a User

Recipe 6.13. Finding Disabled Users

Recipe 6.14. Viewing a User's Group Membership

Recipe 6.15. Changing a User's Primary Group

Recipe 6.16. Transferring a User's Group Membership to Another User

Recipe 6.17. Setting a User's Password

Recipe 6.18. Setting a User's Password via LDAP

Recipe 6.19. Setting a User's Password via Kerberos

Recipe 6.20. Preventing a User from Changing His Password

Recipe 6.21. Requiring a User to Change Her Password at Next Logon

Recipe 6.22. Preventing a User's Password from Expiring

Recipe 6.23. Finding Users Whose Passwords Are About to Expire

Recipe 6.24. Setting a User's Account Options (userAccountControl)

Recipe 6.25. Setting a User's Account to Expire in the Future

Recipe 6.26. Finding Users Whose AccountsAre About to Expire

Recipe 6.27. Determining a User's Last Logon Time

Recipe 6.28. Finding Users Who Have Not Logged On Recently

Recipe 6.29. Setting a User's Profile Attributes

Recipe 6.30. Viewing a User's Managed Objects

Recipe 6.31. Modifying the Default Display Name Used When Creating Users in ADUC

Recipe 6.32. Creating a UPN Suffix for a Forest

Chapter 7. Groups

Introduction

Recipe 7.1. Creating a Group

Recipe 7.2. Viewing the Direct Members of a Group

Recipe 7.3. Viewing the Nested Members of a Group

Recipe 7.4. Adding and Removing Members of a Group

Recipe 7.5. Moving a Group

Recipe 7.6. Changing the Scope or Type of a Group

Recipe 7.7. Delegating Control for Managing Membership of a Group

Recipe 7.8. Resolving a Primary Group ID

Recipe 7.9. Enabling Universal Group Membership Caching

Chapter 8. Computers

Introduction

Recipe 8.1. Creating a Computer

Recipe 8.2. Creating a Computer for a Specific User or Group

Recipe 8.3. Joining a Computer to a Domain

Recipe 8.4. Moving a Computer

Recipe 8.5. Renaming a Computer

Recipe 8.6. Testing the Secure Channel for a Computer

Recipe 8.7. Resetting a Computer

Recipe 8.8. Finding Inactive or Unused Computers

Recipe 8.9. Changing the Maximum Number of Computers a User Can Join to the Domain

Recipe 8.10. Finding Computers with a Particular OS

Recipe 8.11. Binding to the Default Container for Computers

Recipe 8.12. Changing the Default Container for Computers

Chapter 9. Group Policy Objects (GPOs)

Introduction

Recipe 9.1. Finding the GPOs in a Domain

Recipe 9.2. Creating a GPO

Recipe 9.3. Copying a GPO

Recipe 9.4. Deleting a GPO

Recipe 9.5. Viewing the Settings of a GPO

Recipe 9.6. Modifying the Settings of a GPO

Recipe 9.7. Importing Settings into a GPO

Recipe 9.8. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO

Recipe 9.9. Installing Applications with a GPO

Recipe 9.10. Disabling the User or Computer Settings in a GPO

Recipe 9.11. Listing the Links for GPO

Recipe 9.12. Creating a GPO Link to an OU

Recipe 9.13. Blocking Inheritance of GPOs on an OU

Recipe 9.14. Applying a Security Filter to a GPO

Recipe 9.15. Creating a WMI Filter

Recipe 9.16. Applying a WMI Filter to a GPO

Recipe 9.17. Backing Up a GPO

Recipe 9.18. Restoring a GPO

Recipe 9.19. Simulating the RSoP

Recipe 9.20. Viewing the RSoP

Recipe 9.21. Refreshing GPO Settings on a Computer

Recipe 9.22. Restoring a Default GPO

Chapter 10. Schema

Introduction

Recipe 10.1. Registering the Active Directory Schema MMC Snap-in

Recipe 10.2. Enabling Schema Updates

Recipe 10.3. Generating an OID to Use for a New Class or Attribute

Recipe 10.4. Generating a GUID to Use for a New Class or Attribute

Recipe 10.5. Extending the Schema

Recipe 10.6. Documenting Schema Extensions

Recipe 10.7. Adding a New Attribute

Recipe 10.8. Viewing an Attribute

Recipe 10.9. Adding a New Class

Recipe 10.10. Viewing a Class

Recipe 10.11. Indexing an Attribute

Recipe 10.12. Modifying the Attributes That Are Copied When Duplicating a User

Recipe 10.13. Modifying the Attributes Included with Ambiguous Name Resolution

Recipe 10.14. Adding or Removing an Attribute in the Global Catalog

Recipe 10.15. Finding the Nonreplicated and Constructed Attributes

Recipe 10.16. Finding the Linked Attributes

Recipe 10.17. Finding the Structural, Auxiliary, Abstract, and 88 Classes

Recipe 10.18. Finding the Mandatory and Optional Attributes of a Class

Recipe 10.19. Modifying the Default Security of a Class

Recipe 10.20. Deactivating Classes and Attributes

Recipe 10.21. Redefining Classes and Attributes

Recipe 10.22. Reloading the Schema Cache

Chapter 11. Site Topology

Introduction

Recipe 11.1. Creating a Site

Recipe 11.2. Listing the Sites

Recipe 11.3. Deleting a Site

Recipe 11.4. Creating a Subnet

Recipe 11.5. Listing the Subnets

Recipe 11.6. Finding Missing Subnets

Recipe 11.7. Creating a Site Link

Recipe 11.8. Finding the Site Links for a Site

Recipe 11.9. Modifying the Sites That Are Part of a Site Link

Recipe 11.10. Modifying the Cost for a Site Link

Recipe 11.11. Disabling Site Link Transitivity or Site Link Schedules

Recipe 11.12. Creating a Site Link Bridge

Recipe 11.13. Finding the Bridgehead Servers for a Site

Recipe 11.14. Setting a Preferred Bridgehead Server for a Site

Recipe 11.15. Listing the Servers

Recipe 11.16. Moving a Domain Controller to a Different Site

Recipe 11.17. Configuring a Domain Controller to Cover Multiple Sites

Recipe 11.18. Viewing the Site Coverage for a Domain Controller

Recipe 11.19. Disabling Automatic Site Coverage for a Domain Controller

Recipe 11.20. Finding the Site for a Client

Recipe 11.21. Forcing a Host to a Particular Site

Recipe 11.22. Creating a Connection Object

Recipe 11.23. Listing the Connection Objects for a Server

Recipe 11.24. Load-Balancing Connection Objects

Recipe 11.25. Finding the ISTG for a Site

Recipe 11.26. Transferring the ISTG to Another Server

Recipe 11.27. Triggering the KCC

Recipe 11.28. Determining if the KCC Is Completing Successfully

Recipe 11.29. Disabling the KCC for a Site

Recipe 11.30. Changing the Interval at Which the KCC Runs

Chapter 12. Replication

Introduction

Recipe 12.1. Determining if Two Domain Controllers Are in Sync

Recipe 12.2. Viewing the Replication Status of Several Domain Controllers

Recipe 12.3. Viewing Unreplicated Changes Between Two Domain Controllers

Recipe 12.4. Forcing Replication from One Domain Controller to Another

Recipe 12.5. Changing the Intra-Site Replication Interval

Recipe 12.6. Changing the Inter-Site Replication Interval

Recipe 12.7. Disabling Inter-Site Compression of Replication Traffic

Recipe 12.8. Checking for Potential Replication Problems

Recipe 12.9. Enabling Enhanced Logging of Replication Events

Recipe 12.10. Enabling Strict or Loose Replication Consistency

Recipe 12.11. Finding Conflict Objects

Recipe 12.12. Viewing Object Metadata

Chapter 13. Domain Name System (DNS)

Introduction

Recipe 13.1. Creating a Forward Lookup Zone

Recipe 13.2. Creating a Reverse Lookup Zone

Recipe 13.3. Viewing a Server's Zones

Recipe 13.4. Converting a Zone to an AD-Integrated Zone

Recipe 13.5. Moving AD-Integrated Zones into an Application Partition

Recipe 13.6. Delegating Control of a Zone

Recipe 13.7. Creating and Deleting Resource Records

Recipe 13.8. Querying Resource Records

Recipe 13.9. Modifying the DNS Server Configuration

Recipe 13.10. Scavenging Old Resource Records

Recipe 13.11. Clearing the DNS Cache

Recipe 13.12. Verifying That a Domain Controller Can Register Its Resource Records

Recipe 13.13. Registering a Domain Controller's Resource Records

Recipe 13.14. Preventing a Domain Controller from Dynamically Registering All Resource Records

Recipe 13.15. Preventing a Domain Controller from Dynamically Registering Certain Resource Records

Recipe 13.16. Deregistering a Domain Controller's Resource Records

Recipe 13.17. Allowing Computers to Use a Different Domain Suffix from Their AD Domain

Chapter 14. Security and Authentication

Introduction

Recipe 14.1. Enabling SSL/TLS

Recipe 14.2. Encrypting LDAP Traffic with SSL, TLS, or Signing

Recipe 14.3. Enabling Anonymous LDAP Access

Recipe 14.4. Restricting Hosts from Performing LDAP Queries

Recipe 14.5. Using the Delegation of Control Wizard

Recipe 14.6. Customizing the Delegation of Control Wizard

Recipe 14.7. Viewing the ACL for an Object

Recipe 14.8. Customizing the ACL Editor

Recipe 14.9. Viewing the Effective Permissions on an Object

Recipe 14.10. Changing the ACL of an Object

Recipe 14.11. Changing the Default ACL for an Object Class in the Schema

Recipe 14.12. Comparing the ACL of an Object to the Default Defined in the Schema

Recipe 14.13. Resetting an Object's ACL to the Default Defined in the Schema

Recipe 14.14. Preventing the LM Hash of a Password from Being Stored

Recipe 14.15. Enabling List Object Access Mode

Recipe 14.16. Modifying the ACL on Administrator Accounts

Recipe 14.17. Viewing and Purging Your Kerberos Tickets

Recipe 14.18. Forcing Kerberos to Use TCP

Recipe 14.19. Modifying Kerberos Settings

Chapter 15. Logging, Monitoring, and Quotas

Introduction

Recipe 15.1. Enabling Extended dcpromo Logging

Recipe 15.2. Enabling Diagnostics Logging

Recipe 15.3. Enabling NetLogon Logging

Recipe 15.4. Enabling GPO Client Logging

Recipe 15.5. Enabling Kerberos Logging

Recipe 15.6. Enabling DNS Server Debug Logging

Recipe 15.7. Viewing DNS Server Performance Statistics

Recipe 15.8. Enabling Inefficient and Expensive LDAP Query Logging

Recipe 15.9. Using the STATS Control to View LDAP Query Statistics

Recipe 15.10. Using Perfmon to Monitor AD

Recipe 15.11. Using Perfmon Trace Logs to Monitor AD

Recipe 15.12. Enabling Auditing of Directory Access

Recipe 15.13. Creating a Quota

Recipe 15.14. Finding the Quotas Assigned to a Security Principal

Recipe 15.15. Changing How Tombstone Objects Count Against Quota Usage

Recipe 15.16. Setting the Default Quota for All Security Principals in a Partition

Recipe 15.17. Finding the Quota Usage for a Security Principal

Chapter 16. Backup, Recovery, DIT Maintenance, and Deleted Objects

Introduction

Recipe 16.1. Backing Up Active Directory

Recipe 16.2. Restarting a Domain Controller in Directory Services Restore Mode

Recipe 16.3. Resetting the Directory Service Restore Mode Administrator Password

Recipe 16.4. Performing a Nonauthoritative Restore

Recipe 16.5. Performing an Authoritative Restore of an Object or Subtree

Recipe 16.6. Performing a Complete Authoritative Restore

Recipe 16.7. Checking the DIT File's Integrity

Recipe 16.8. Moving the DIT Files

Recipe 16.9. Repairing or Recovering the DIT

Recipe 16.10. Performing an Online Defrag Manually

Recipe 16.11. Determining How Much Whitespace Is in the DIT

Recipe 16.12. Performing an Offline Defrag to Reclaim Space

Recipe 16.13. Changing the Garbage Collection Interval

Recipe 16.14. Logging the Number of Expired Tombstone Objects

Recipe 16.15. Determining the Size of the Active Directory Database

Recipe 16.16. Searching for Deleted Objects

Recipe 16.17. Restoring a Deleted Object

Recipe 16.18. Modifying the Tombstone Lifetime for a Domain

Chapter 17. Application Partitions

Introduction

Recipe 17.1. Creating and Deleting an Application Partition

Recipe 17.2. Finding the Application Partitions in a Forest

Recipe 17.3. Adding or Removing a Replica Server for an Application Partition

Recipe 17.4. Finding the Replica Servers for an Application Partition

Recipe 17.5. Finding the Application Partitions Hosted by a Server

Recipe 17.6. Verifying Application Partitions Are Instantiated on a Server Correctly

Recipe 17.7. Setting the Replication Notification Delay for an Application Partition

Recipe 17.8. Setting the Reference Domain for an Application Partition

Recipe 17.9. Delegating Control of Managing an Application Partition

Chapter 18. Interoperability and Integration

Introduction

Recipe 18.1. Accessing AD from a Non-Windows Platform

Recipe 18.2. Programming with .NET

Recipe 18.3. Programming with DSML

Recipe 18.4. Programming with Perl

Recipe 18.5. Programming with Java

Recipe 18.6. Programming with Python

Recipe 18.7. Integrating with MIT Kerberos

Recipe 18.8. Integrating with Samba

Recipe 18.9. Integrating with Apache

Recipe 18.10. Replacing NIS

Recipe 18.11. Using BIND for DNS

Recipe 18.12. Authorizing a Microsoft DHCP Server

Recipe 18.13. Using VMWare for Testing AD

Appendix A. Tool List

ACL Diagnostics Command (acldiag.exe)

Active Directory Domains and Trusts Snap-in (domain.msc)

Active Directory Installation Wizard (dcpromo.exe)

Active Directory Load Balancer Command (adlb.exe)

Active Directory Schema Snap-in (schmmgmt.msc)

Active Directory Sites and Services (dssite.msc)

Active Directory Users and Computers Snap-in (dsa.msc)

AD Prep Utility (adprep.exe)

ADSI Edit (adsiedit.msc)

Audit Policy Command (auditpol.exe)

Backup Wizard (ntbackup.exe)

CSVDE Command (csvde.exe)

Default Domain Controller Security Policy Snap-in (dcpol.msc)

Default Domain Security Policy Snap-in (dompol.msc)

Default Group Policy Restore Command (dcgpofix.exe)

DNS Snap-in (dnsmgmt.msc)

DNSCmd Command (dnscmd.exe)

Domain Controller Diagnosis Command (dcdiag.exe)

DS ACL Command (dsacls.exe)

DS Add Command (dsadd.exe)

DS Get Command (dsget.exe)

DS Modify Command (dsmodify.exe)

DS Move Command (dsmove.exe)

DS Query Command (dsquery.exe)

DS Remove Command (dsrm.exe)

Enumprop Command (enumprop.exe)

Group Policy Management Console (gpmc.msc)

Group Policy Object Editor (gpedit.msc)

Group Policy Verification Tool (gpotool.exe)

Group Policy Results Command (gpresult.exe)

Group Policy Refresh Command (gpupdate.exe)

IP Configuration (ipconfig.exe)

Kerberos List (klist.exe)

Kerberos Tray (kerbtray.exe)

LDIFDE Command (ldifde.exe)

LDP (ldp.exe)

Move Tree Command (movetree.exe)

Netdom Command (netdom.exe)

Network Connectivity Tester (netdiag.exe)

NLTest Command (nltest.exe)

Nslookup Command (nslookup.exe)

NTDS Util Command (ntdsutil.exe)

OID Generator Command (oidgen.exe)

Redirect Default Computers Command (redircmp.exe)

Redirect Default Users Command (redirusr.exe)

Reg Command (reg.exe)

Registry Editor (regedit.exe)

Rename Domain Command (rendom.exe)

Replication Diagnostics Command (repadmin.exe)

Replication Monitor (replmon.exe)

Resultant Set of Policy Snap-in (rsop.msc)

SecEdit Command (secedit.exe)

Time Service (w32tm.exe)

Unlock (unlock.exe)

UUID Generator Command (uuidgen.exe)

WinNT32 Command (winnt32.exe)

Colophon

Index