Organize your network resources by learning how to design, manage, and maintain Active Directory. Updated to cover Windows Server 2012, the fifth edition of this bestselling guide gives you a thorough grounding in Microsoft's network directory service by explaining concepts in an easy-to-understand…
Active Directory: Designing, Deploying, and Running Active Directory
✍ Scribed by Brian Desmond, Joe Richards, Robbie Allen, Alistair G. Lowe-Norris
- Publisher
- O'Reilly Media
- Year
- 2013
- Tongue
- English
- Leaves
- 738
- Edition
- 5
- Category
- Library
✦ Synopsis
You'll negotiate a maze of technologies for deploying a scalable and reliable AD infrastructure, with new chapters on management tools, searching the AD database, authentication and security protocols, and Active Directory Federation Services (ADFS). Real-world scenarios let you apply what you've learned, whether you're a network administrator for a small business or a multinational enterprise.
- Upgrade Active Directory to Windows Server 2012
- Learn the fundamentals, such as how AD stores objects
- Use the AD Administrative Center and other management tools
- Learn to administer AD with Windows PowerShell
- Search and gather AD data, using the LDAP query syntax
- Understand how Group Policy functions
- Tackle designing a new Active Directory forest
- Examine the Kerberos security protocol
- Learn AD Federation Services
- Get a detailed look at the AD replication process
- Explore AD Lightweight Directory Services
✦ Table of Contents
Copyright
Table of Contents
Preface
Intended Audience
Contents of the Book
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
Acknowledgments
For the Fourth and Fifth Editions (Brian)
For the Third Edition (Joe)
For the Second Edition (Robbie)
For the First Edition (Alistair)
Chapter 1. A Brief Introduction
Evolution of the Microsoft NOS
A Brief History of Directories
Summary
Chapter 2. Active Directory Fundamentals
How Objects Are Stored and Identified
Uniquely Identifying Objects
Building Blocks
Domains and Domain Trees
Forests
Organizational Units
The Global Catalog
Flexible Single Master Operator (FSMO) Roles
Time Synchronization in Active Directory
Domain and Forest Functional Levels
Groups
Summary
Chapter 3. Active Directory Management Tools
Management Tools
Active Directory Administrative Center
Active Directory Users and Computers
ADSI Edit
LDP
Customizing the Active Directory Administrative Snap-ins
Display Specifiers
Property Pages
Context Menus
Icons
Display Names
Object Creation Wizard
Active Directory PowerShell Module
Best Practices Analyzer
Active Directory-Based Machine Activation
Summary
Chapter 4. Naming Contexts and Application Partitions
Domain Naming Context
Configuration Naming Context
Schema Naming Context
Application Partitions
Storing Dynamic Data
Summary
Chapter 5. Active Directory Schema
Structure of the Schema
X.500 and the OID Namespace
Attributes (attributeSchema Objects)
Dissecting an Example Active Directory Attribute
Attribute Properties
Attribute Syntax
systemFlags
schemaFlagsEx
searchFlags
Property Sets and attributeSecurityGUID
Linked Attributes
MAPI IDs
Classes (classSchema Objects)
Object Class Category and Inheritance
Dissecting an Example Active Directory Class
Dynamically Linked Auxiliary Classes
Summary
Chapter 6. Site Topology and Active Directory Replication
Site Topology
Site and Replication Management Tools
Subnets
Sites
Site Links
Site Link Bridges
Connection Objects
Knowledge Consistency Checker
How Replication Works
A Background to Metadata
How an Object’s Metadata Is Modified During Replication
The Replication of a Naming Context Between Two Servers
How Replication Conflicts Are Reconciled
Common Replication Problems
Lingering Objects
USN Rollback
Summary
Chapter 7. Searching Active Directory
The Directory Information Tree
Database Structure
Searching the Database
Filter Operators
Connecting Filter Components
Search Bases
Modifying Behavior with LDAP Controls
Attribute Data Types
Dates and Times
Bit Masks
The In-Chain Matching Rule
Optimizing Searches
Efficient Searching
objectClass Versus objectCategory
Summary
Chapter 8. Active Directory and DNS
DNS Fundamentals
Zones
Resource Records
Client Lookup Process
Dynamic DNS
Global Names Zones
DNSSEC
How Does DNSSEC Work?
Configuring DNSSEC for Active Directory DNS
DC Locator
Resource Records Used by Active Directory
Overriding SRV Record Registration
Delegation Options
Not Delegating the AD DNS Zones
Delegating the AD DNS Zones
Active Directory-Integrated DNS
Replication Impact
Background Zone Loading
Using Application Partitions for DNS
Aging and Scavenging
Configuring Scavenging
Managing DNS with Windows PowerShell
Summary
Chapter 9. Domain Controllers
Building Domain Controllers
Deploying with Server Manager
Using DCPromo on Earlier Versions of Windows
Automating the DC Build Process
Virtualization
When to Virtualize
Impact of Virtualization
Virtualization Safe Restore
Cloning Domain Controllers
Read-Only Domain Controllers
Prerequisites
Password Replication Policies
The Client Logon Process
RODCs and Write Requests
The W32Time Service
Application Compatibility
RODC Placement Considerations
Administrator Role Separation
Promoting an RODC
Summary
Chapter 10. Authentication and Security Protocols
Kerberos
User Logon
Service Access
Application Access
Logon and Service Access Summary
Delegation and Protocol Transition
Authentication Mechanism Assurance
Managed Service Accounts
Preparing for Group Managed Service Accounts
Using Group Managed Service Accounts
Summary
Chapter 11. Group Policy Primer
Capabilities of Group Policy Objects
Group Policy Storage
How Group Policies Work
GPOs and Active Directory
Prioritizing the Application of Multiple Policies
Standard GPO Inheritance Rules in Organizational Units
Blocking Inheritance and Overriding the Block in Organizational Unit GPOs
When Policies Apply
Combating Slowdown Due to Group Policy
Security Filtering and Group Policy Objects
Loopback Merge Mode and Loopback Replace Mode
Summarizing Group Policy Application
WMI Filtering
Group Policy
Managing Group Policies
Using the Group Policy Management Console
Using the Group Policy Management Editor
Group Policy Preferences
Running Scripts with Group Policy
Group Policy Modeling
Delegation and Change Control
Using Starter GPOs
Group Policy Backup and Restore
Scripting Group Policy
Troubleshooting Group Policy
Group Policy Infrastructure Status
Group Policy Results Wizard
Forcing Group Policy Updates
Enabling Extra Logging
Group Policy Diagnostic Best Practices Analyzer
Third-Party Troubleshooting Tools
Summary
Chapter 12. Fine-Grained Password Policies
Understanding Password Settings Objects
Scenarios for Fine-Grained Password Policies
Defining Password Settings Objects
Creating Password Settings Objects
PSO Quick Start
Building a PSO from Scratch
Managing Password Settings Objects
Strategies for Controlling PSO Application
Managing PSO Application
Delegating Management of PSOs
Summary
Chapter 13. Designing the Active Directory Structure
The Complexities of a Design
Where to Start
Overview of the Design Process
Domain Namespace Design
Objectives
Step 1: Decide on the Number of Domains
Step 2: Design and Name the Tree Structure
Design of the Internal Domain Structure
Step 3: Design the Hierarchy of Organizational Units
Step 4: Design the Workstation and Server Naming Conventions
Step 5: Plan for Users and Groups
Other Design Considerations
Design Examples
Tailspin Toys
Contoso College
Fabrikam
Recognizing Nirvana’s Problems
Summary
Chapter 14. Creating a Site Topology
Intrasite and Intersite Topologies
The KCC
Automatic Intrasite Topology Generation by the KCC
Site Links: The Basic Building Blocks of Intersite Topologies
Site Link Bridges: The Second Building Blocks of Intersite Topologies
Designing Sites and Links for Replication
Step 1: Gather Background Data for Your Network
Step 2: Plan the Domain Controller Locations
Step 3: Design the Sites
Step 4: Create Site Links
Step 5: Create Site Link Bridges
Design Examples
Tailspin Toys
Contoso College
Fabrikam
Additional Resources
Summary
Chapter 15. Planning for Group Policy
Using GPOs to Help Design the Organizational Unit Structure
Identifying Areas of Policy
Guidelines for Designing GPOs
Design Examples
Tailspin Toys
Contoso College
Fabrikam
Summary
Chapter 16. Active Directory Security: Permissions and Auditing
Permission Basics
Permission ACEs
Property Sets, Validated Writes, and Extended Rights
Inherited Versus Explicit Permissions
Default Security Descriptors
Permission Lockdown
The Confidentiality Bit
Protecting Objects from Accidental Deletion
Using the GUI to Examine Permissions
Reverting to the Default Permissions
Viewing the Effective Permissions for a User or Group
Using the Delegation of Control Wizard
Using the GUI to Examine Auditing
Designing Permissions Schemes
The Five Golden Rules of Permissions Design
How to Plan Permissions
Bringing Order out of Chaos
Designing Auditing Schemes
Implementing Auditing
Tracking Last Interactive Logon Information
Real-World Active Directory Delegation Examples
Hiding Specific Personal Details for All Users in an Organizational Unit from a Group
Allowing Only a Specific Group of Users to Access a New Published Resource
Restricting Everyone but HR from Viewing National/Regional ID Numbers with the Confidential Bit
The AdminSDHolder Process
Dynamic Access Control
Configuring Active Directory for DAC
Using DAC on the File Server
Summary
Chapter 17. Designing and Implementing Schema Extensions
Nominating Responsible People in Your Organization
Thinking of Changing the Schema
Designing the Data
To Change or Not to Change
The Global Picture
Creating Schema Extensions
Running the AD Schema Management MMC Snap-in for the First Time
The Schema Cache
The Schema Master FSMO
Using LDIF to Extend the Schema
Checks the System Makes When You Modify the Schema
Making Classes and Attributes Defunct
Mitigating a Schema Conflict
Summary
Chapter 18. Backup, Recovery, and Maintenance
Backing Up Active Directory
Using the NT Backup Utility
Using Windows Server Backup
Restoring a Domain Controller
Restore from Replication
Restore from Backup
Install from Media
Restoring Active Directory
Nonauthoritative Restore
Partial Authoritative Restore
Complete Authoritative Restore
Working with Snapshots
Active Directory Recycle Bin
Deleted Object Lifecycle
Enabling the Recycle Bin
Undeleting Objects
FSMO Recovery
Restartable Directory Service
DIT Maintenance
Checking the Integrity of the DIT
Reclaiming Space
Changing the DS Restore Mode Admin Password
Summary
Chapter 19. Upgrading Active Directory
Active Directory Versions
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Functional Levels
Raising the Functional Level
Functional Level Rollback
Beginning the Upgrade
Known Issues
Summary
Chapter 20. Active Directory Lightweight Directory Services
Common Uses for AD LDS
AD LDS Terms
Differences Between AD and AD LDS
Standalone Application Service
Configurable LDAP Ports
No SRV Records
No Global Catalog
Top-Level Application Partition Object Classes
Group and User Scope
FSMOs
Schema
Service Account
Configuration/Schema Partition Names
Default Directory Security
User Principal Names
Authentication
Users in the Configuration Partition
New and Updated Tools
AD LDS Installation
Installing the Server Role
Installing a New AD LDS Instance
Installing an AD LDS Replica
Enabling the Recycle Bin
Tools
ADAM Install
ADAM Sync
ADAM Uninstall
AD Schema Analyzer
AD Schema MMC Snap-in
ADSI Edit
dsdbutil
dsmgmt
ldifde
LDP
repadmin
The AD LDS Schema
Default Security Descriptors
Bindable Objects and Bindable Proxy Objects
Using AD LDS
Creating Application Partitions
Creating Containers
Creating Users
Creating User Proxies
Renaming Users
Creating Groups
Adding Members to Groups
Removing Members from Groups
Deleting Objects
Deleting Application Partitions
Controlling Access to Objects and Attributes
Summary
Chapter 21. Active Directory Federation Services
Introduction to Federated Identity
How It Works
SAML
WS-Federation
Understanding ADFS Components
The Configuration Database
Federation Servers
Federation Server Proxies
ADFS Topologies
Deploying ADFS
Federation Servers
Federation Server Proxies
Relying Party Trusts
Claims Rules and the Claims Pipeline
The Pipeline
Creating and Sending Claims Through the Pipeline
Customizing ADFS
Forms-Based Logon Pages
Attribute Stores
Troubleshooting ADFS
Event Logs
Fiddler
Summary
Appendix A. Programming the Directory with the .NET Framework
Choosing a .NET Programming Language
Choosing a Development Tool
.NET IDE Options
.NET Development Without an IDE
.NET Framework Versions
Which .NET Framework Comes with Which OS?
Directory Programming Features by .NET Framework Release
Assemblies Versus Namespaces
Summary of Namespaces, Assemblies, and Framework Versions
Directory Services Programming Landscape
System.DirectoryServices Overview
System.DirectoryServices.ActiveDirectory Overview
System.DirectoryServices.Protocols Overview
System.DirectoryServices.AccountManagement Overview
.NET Directory Services Programming by Example
Connecting to the Directory
Searching the Directory
Basics of Modifying the Directory
Managing Users
Overriding SSL Server Certificate Verification with SDS.P
Summary
Index
About the Authors