This book is based on Windows 2000 Domain & Active Directory, published in March 2001. It has been totally revised and adapted to conform to the Windows .NET Server 2003 environment, and over 100 pages have been added. (From now on, all products of the Windows .NET Server 2003 family will be referred to as Windows .NET for short.) As a result, this book will be useful both for administrators who currently work with Windows 2000 domains and for those who are planning to deploy Active Directory on Windows .NET servers. For an administrator, the new version of Active Directory does not have any new principal features, and all options that are only available on Windows .NET servers are specifically described in the book. Therefore, an administrator can deal with any version of Active Directory domains and compare the working environment's features with those that were on the old platform.
Many books have already been published which cover Active Directory's goals, its advantages and disadvantages, strategies for developing Active Directory in a large corporate network, and other important questions that have not changed with the advent of Windows .NET. (However, this does not mean that the new version of Active Directory is not more mature, effective, and convenient for administrators than the initial version that appeared in Windows 2000!) In this book, the author has tried to take a look at the more practical problems that come up while using Active Directory. Even though the book may not offer an answer to all the problems that might arise, you will at least learn how to approach them.
One probably would not even consider repairing a defective car or a complex electronic device without special additional tools and facilities. Nonetheless, administrators who work with Active Directory often forget that the problems which come up in the process of working with Active Directory are also impossible to eliminate without the help of the appropriate tools and utilities. Most of the tools that you need for working with Active Directory (and that are looked at in this book) are furnished along with the system, and are found in the Windows Support Tools pack. This book is dedicated, to a large extent, to working with exactly these tools. A few tools and scripts from the Windows 2000 Server Resource Kit are also considered, since they work properly in the Windows .NET environment.
In addition, the author would like to turn administrators' attention to methods of programmatic access to Active Directory, and in particular to scripts that use the Active Directory Service Interfaces (ADSI). Scripts can be used to solve many administrative tasks, and you may use already written scripts after a minimal number of modifications to fit your needs. Creating scripts does not require you to be a highly qualified programmer, a fact which the author tried to get across in the last two chapters of the book.
This book is geared towards a relatively experienced reader, one who has already had some experience working with Windows 2000 and is familiar with the basic working methods and components of the system (e.g., with Microsoft Management Console snap-ins). However, information on these topics can easily be found in the Help system.
Below is a summary of each chapter.
Part I: Active Directory Fundamentals and Standards
Chapter 1, "LDAP Basics," covers one of the standards that make up the basis of Active Directory — the Lightweight Directory Access Protocol (LDAP).
Chapter 2, "Active Directory Terminology and Concepts," relates the essential Active Directory concepts. The terms and concepts described in Chapter 1 and in this chapter will be widely used in the rest of this book; therefore, knowing them will affect how the reader understands Active Directory operating mechanisms and the topics described later in the other chapters. New Active Directory features offered by domain controllers running Windows .NET are also reviewed.
Chapter 3, "Domain Name System (DNS) as Main Naming Service," covers Active Directory's requirements for the mandatory DNS service, as well as new DNS features introduced in Windows .NET.
Part II: Deploying Active Directory Domains
In Chapter 4, "Windows .NET DNS Server," the essential operations of installing, configuring, and verifying Windows 2000/.NET DNS Servers are considered. An example of interoperation between Active Directory and a legacy DNS infrastructure is discussed.
Chapter 5, "Installing Active Directory," tells you what you need to pay attention to before and during installation of Active Directory. Certain typical problems that you may encounter when deploying Active Directory forests (on Windows 2000 and Windows .NET domain controllers) are also examined.
Chapter 6, "Configuring and Troubleshooting Active Directory Domains," gives recommendations that you need to consider when deploying and troubleshooting Active Directory domains.
Part III: Administering Active Directory
In Chapter 7, "Domain Manipulation Tools," we will look at all standard snap-ins intended for administering Active Directory. To use them effectively (especially in the new Windows .NET Server 2003 environment), the administrator must be aware of certain features and methods of working with them.
In Chapter 8, "Common Administrative Tasks," we will examine both typical administrative tasks — like working with user and network resources — and tasks specific to Active Directory domains, like delegating administrative control, managing FSMO roles, refreshing group policies, searching and recovering Active Directory, and others.
Part IV: Using System Utilities and Support Tools
The main task of Chapter 9, "General Characteristics and Purpose of System Tools," is to give the administrator an idea of what a certain utility is used for, and to help in choosing the tool to use for a specific task.
Described in Chapter 10, "Diagnosing and Maintaining Domain Controllers," are utilities that allow you to determine the health of a single domain controller and the integrity of the Active Directory database replica stored on it.
Chapter 11, "Verifying Network and Distributed Services," covers the utilities that allow you to diagnose problems that arise due to the fact that Active Directory is a distributed network database, that is, problems of connectivity between domain controllers, authentication, and replication.
Chapter 12, "Manipulating Active Directory Objects," looks at the utilities used for working with Active Directory logical objects: tools for searching the directory for objects of various types and editing their attributes, utilities for exporting and importing objects, and tools used for manipulating workstations, domain controllers, and trust relationships.
In Chapter 13, "Migration and Directory Reorganization Tools," the utilities intended for reorganizing domain trees and migrating objects between forests are examined.
The tools that allow you to view and manage access permissions on Active Directory objects are looked at in Chapter 14, "Security Tools".
Chapter 15, "Group Policy Tools," offers an examination of the utilities that allow you to test Group Policy Objects (GPOs) and determine the resulting security settings defined by group policies.
Part V: Program Access to Active Directory
Chapter 16, "Active Directory Service Interfaces (ADSI)," will acquaint administrators with ways to manage Active Directory programmatically. The difficult thing about working with the documentation on ADSI is that it is tough for a novice to find what he/she needs in the midst of such a huge amount of unfamiliar information. This chapter gives the reader an understanding of the basic concepts, which will be illustrated in the following chapter with examples.
Chapter 17, "Scripting Administrative Tasks," consists almost completely of program examples. It seems to me that the principles of programming with ADSI are easier to master when you have a specially designed example with commentary. After having understood these basic concepts, it will be much easier to work with documentation that describes in detail all of the interfaces and their methods and properties.
Part VI: Appendixes
The Appendixes include "must-see" and simply useful references to web resources; a list of registry keys and directory objects that allow you to "fine tune" Active Directory or manage its internal mechanisms; a table of ADSI interfaces supported by the main system providers and a list of all the functions implemented by the IADsTools ActiveX object, which are useful for developing administrative scripts.
The Glossary will help you find a short description of an unfamiliar term quickly, or to verify your understanding of this term.
The "How to …?" section is set up like a typical FAQ. In this section, you may find the solution you need for a specific problem faster than if you were to simply look through the table of contents or the Index.
For finding references to a certain utility or tool in the Index, use its file name. You can also find references to interfaces, methods, properties, attributes, enumerations, etc., the same way — under their names.
The author can be reached at ATchekmarev@msn.com. The listings included in this book can be found at http://www.alistpublishing.com.
Here are the conventions used in the book:
Names of administrative snap-ins and UI elements (such as menu, commands, pop-up windows, etc.) are in bold, for example, "the Active Directory Users and Computers snap-in" or "the Delegate Control command on the Action menu".
Names of Active Directory object attributes, ADSI interfaces, methods, and properties are shown in italics, for example, objectSid.
Certain important words or new terms are also marked in italics.
If a long command or string displayed on the screen does not fit on one line in the book, the $$ symbol will be used. For example:
createusers LDAP://OU=Staff, DC=w2k, DC=dom cn: "User User01" samAccountName: user-ldap01 password:psw1
This means that the line shown should be considered as one, unbreakable line.
As you can see from the previous example, the mandatory elements of a command line, the command name and the parameters, are in bold in order to be more visible. The other elements of the command are specific to your environment, and you must determine them yourself.