
active directory 4th edition


DOCUMENT INFORMATION

Basic information

Title: Active Directory
School: O'Reilly Media
Field: Information Technology
Type: Book
Year published: 2003
Format:
Pages: 860
Size: 11,42 MB



Active Directory


Other Microsoft .NET resources from O’Reilly

Related titles: Active Directory Cookbook, Learning Windows 2003, Windows Server Hacks, Windows Server 2003 Network Administration, Windows Server 2008: The Definitive Guide

.NET Books Resource Center

dotnet.oreilly.com is a complete catalog of O’Reilly’s books on .NET and related technologies, including sample chapters and code examples.

ONDotnet.com provides independent coverage of fundamental, interoperable, and emerging Microsoft .NET programming and web services technologies.

Conferences: O’Reilly & Associates bring diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in documenting the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events.

Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or simply flip to the page you need. Try it today with a free trial.


FOURTH EDITION

Active Directory

Brian Desmond, Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris


Active Directory, Fourth Edition

by Brian Desmond, Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris

Copyright © 2009 O’Reilly Media. All rights reserved.

Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Editors: John Osborn and Laurel Ruma

Production Editor: Loranah Dimant

Production Services: Appingo, Inc.

Indexer: Ellen Troutman Zaig

Cover Designer: Karen Montgomery

Interior Designer: David Futato

Illustrator: Jessamyn Read

Printing History:

January 2000: First Edition

April 2003: Second Edition

January 2006: Third Edition

November 2008: Fourth Edition

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Active Directory, the image of domestic cats, and related trade dress are trademarks of O’Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 978-0-596-52059-5

[C]


Table of Contents

Preface xxi

Part I Active Directory Basics

1 A Brief Introduction 3

Windows Server 2003 Versus Windows Server 2003 R2 12

Windows Server 2003 R2 Versus Windows Server 2008 14

2 Active Directory Fundamentals 17

Time Synchronization in Active Directory 33

3 Naming Contexts and Application Partitions 43


Application Partitions 49

4 Active Directory Schema 53

Dissecting an Example Active Directory Attribute 59

Dissecting an Example Active Directory Class 78

How an Object’s Metadata Is Modified During Replication 101

The Replication of a Naming Context Between Two Servers 106

How Replication Conflicts Are Reconciled 112


Global Names Zone 120

Resource Records Used by Active Directory 123

7 Read-Only Domain Controllers 141

Managing the Password Replication Policy 145

8 Group Policy Primer 169


GPOs and Active Directory 176

Prioritizing the Application of Multiple Policies 178

Standard GPO Inheritance Rules in Organizational Units 181

Blocking Inheritance and Overriding the Block in Organizational Unit

Security Filtering and Group Policy Objects 188

Loopback Merge Mode and Loopback Replace Mode 189

Using the Group Policy Management Console (GPMC) 196

Group Policy Diagnostic Best Practices Analyzer 210

9 Fine-Grained Password Policies 211

Scenarios for Fine-Grained Password Policies 212

Strategies for Controlling PSO Application 220


Part II Designing an Active Directory Infrastructure

10 Designing the Namespace 229

Step 1: Decide on the Number of Domains 234

Step 2: Design and Name the Tree Structure 237

Step 3: Design the Workstation and Server-Naming Scheme 241

Step 4: Design the Hierarchy of Organizational Units 243

Step 6: Design the Application Partition Structure 251

Design to Help Business Plans and Budget Proposals 264

11 Creating a Site Topology 269

Automatic Intrasite Topology Generation by the KCC 271

Site Links: The Basic Building Blocks of Intersite Topologies 275

Site Link Bridges: The Second Building Blocks of Intersite Topologies 278

Designing Sites and Links for Replication 279

Step 1: Gather Background Data for Your Network 279

Step 3: Plan the Domain Controller Locations 280

Step 4: Decide How You Will Use the KCC to Your Advantage 282


PetroCorp 284

12 Designing Organization-Wide Group Policies 291

Using GPOs to Help Design the Organizational Unit Structure 291

How GPOs Influenced a Real Organizational Unit Design 293

13 Active Directory Security: Permissions and Auditing 303

Property Sets, Validated Writes, and Extended Rights 306

Protecting Objects from Accidental Deletion 312

Viewing the Effective Permissions for a User or Group 319

The Five Golden Rules of Permissions Design 324

Implementing Auditing under Windows Server 2008 338

Tracking Last Interactive Logon Information 341

Restricting Everyone but HR from Viewing Social Security Numbers

14 Designing and Implementing Schema Extensions 347

Nominating Responsible People in Your Organization 348


Thinking of Changing the Schema 349

Running the Schema Manager MMC for the First Time 354

Checks the System Makes When You Modify the Schema 359

15 Backup, Recovery, and Maintenance 363

16 Upgrading to Windows Server 2003 401


Inventory Domain Controllers 414

17 Upgrading to Windows Server 2003 R2 421

New Active Directory Features in Windows Server 2003 Service Pack 1 422

New Active Directory Features in Windows Server 2003 R2 424

18 Upgrading to Windows Server 2008 429

19 Integrating Microsoft Exchange 437

A Quick Word about Exchange/AD Interaction 437


Top-Level Application Partition Object Classes 463

Password Reset/Change Chaining to Windows 467

Active Directory Lightweight Directory Services Updates 468

Support for Snapshots and the Database Mounting Tool 469


ADAM Schema Management 483

Bindable Objects and Bindable Proxy Objects 487

Part III Scripting Active Directory with ADSI, ADO, and WMI

21 Scripting with ADSI 501

Active Directory Service Interface (ADSI) 502

Windows Management Instrumentation (WMI) 504


A Brief Primer on COM and WSH 505

22 IADs and the Property Cache 521

More Complexities of Property Access: IADs::GetEx and IADs::PutEx 526

Walking the Property Cache: The Solution 539

Walking the Property Cache Using the Formal Schema Class Definition 542

23 Using ADO for Searching 549

Step 1: Define the Constants and Variables 550

Step 2: Establish an ADO Database Connection 550


Efficient Searching 558

24 Users and Groups 567

25 Permissions and Auditing 587

Flags, ObjectType, and InheritedObjectType 597

Listing the Security Descriptor of an Object 610

26 Extending the Schema and the Active Directory Snap-ins 619

Creating the Mycorp-LanguagesSpoken Attribute 620

Finding the Schema Container and Schema FSMO 624

Adding an Attribute to the Partial Attribute Set 627


Customizing the Active Directory Administrative Snap-ins 628


Listing the Zones on a Server 667

Creating and Manipulating Resource Records 667

29 Programming the Directory with the .NET Framework 673

Which .NET Framework Comes with Which OS? 676

Directory Programming Features by .NET Framework Release 677

Summary of Namespaces, Assemblies, and Framework Versions 678

System.DirectoryServices.ActiveDirectory Overview 682

System.DirectoryServices.Protocols Overview 683

System.DirectoryServices.AccountManagement Overview 684

.NET Directory Services Programming by Example 686

Overriding SSL Server Certificate Verification with SDS.P 698

30 PowerShell Basics 701


31 Scripting Active Directory with PowerShell 727

32 Scripting Basic Exchange 2003 Tasks 755


Mailbox-Disabling a User (Mailbox Deletion) 766

Viewing All Store Details of All Mailboxes on a Server 772

Dumping All Store Details of All Mailboxes on All Servers in Exchange Org 773

33 Scripting Basic Exchange 2007 Tasks 777

The Departure of the Recipient Update Service 778

Index 791


Active Directory is a common repository for information about objects that reside on the network, such as users, groups, computers, printers, applications, and files. The default Active Directory schema supports numerous attributes for each object class that can be used to store a variety of information. Access Control Lists (ACLs) are also stored with each object, which allows you to maintain permissions for who can access and manage the object. Having a single source for this information makes it more accessible and easier to manage; however, to accomplish this requires a significant amount of knowledge on such topics as LDAP, Kerberos, DNS, multimaster replication, group policies, and data partitioning, to name a few. This book will be your guide through this maze of technologies, showing you how to deploy a scalable and reliable Active Directory infrastructure.

Windows 2000 Active Directory has proven itself to be very solid in terms of features and reliability, but after several years of real-world deployments, there was much room for improvement. When Microsoft released Windows Server 2003, they focused on security, manageability, and scalability enhancements. Windows Server 2003 R2 takes this evolution further and combines Windows Server 2003 Service Pack 1 with some feature packs, which makes Windows Server even more secure, manageable, and scalable and also adds considerable new functionality, such as a stand-alone LDAP server service and increased Unix system integration functions right in the box.

Windows Server 2008 introduces some highly sought-after features to Active Directory. At the top of the list for many administrators will be such features as read-only domain controllers, support for Server Core, and fine-grained password policies. The list of new features and major enhancements is lengthy, and we have taken the time to cover them all in this book.

This book is a major update to the very successful third edition. All of the existing chapters have been brought up to date with Windows Server 2008 changes, as well as updates in concepts and approaches to managing Active Directory and script updates. There are eight new chapters (Chapters 7, 9, 18, 19, 29, 30, 31, and 33) to explain features or concepts not covered in the third edition. These chapters include in-depth coverage of read-only domain controllers, fine-grained password policies, Windows PowerShell, and Exchange 2007. We also cover programming Active Directory with .NET. While we have made updates to every chapter in this book, it is worthwhile to highlight the major enhancements to Chapters 8, 13, and 15 that cover significant Windows Server 2008 Active Directory changes.

This book describes Active Directory in depth, but not in the traditional way of going through the graphical user interface screen by screen. Instead, the book sets out to tell administrators how to design, manage, and maintain a small, medium, or enterprise Active Directory infrastructure. To this end, the book is split up into three parts.

Part I introduces in general terms much of how Active Directory works, giving you a thorough grounding in its concepts. Some of the topics include Active Directory replication, the schema, application partitions, group policies, interaction with DNS, domain controllers, and password policies.

In Part II, we describe in copious detail the issues around properly designing the directory infrastructure. Topics include in-depth looks at designing the namespace, creating a site topology, designing group policies, auditing, permissions, backup and recovery, Active Directory Lightweight Directory Services, upgrading Active Directory, and Microsoft Exchange.

Part III is all about managing Active Directory via automation with Active Directory Service Interface (ADSI), ActiveX Data Objects (ADO), Windows Management Instrumentation (WMI), PowerShell, and .NET. This section covers how to create and manipulate users, groups, printers, and other objects that you may need in your everyday management of Active Directory. It also describes in depth how you can utilize the strengths of WMI, Windows PowerShell, and the .NET namespace System.DirectoryServices to manage Active Directory programmatically via those interfaces.

If you’re looking for in-depth coverage of how to use the MMC snap-ins or Resource Kit tools, look elsewhere. However, if you want a book that lays bare the design and management of an enterprise or departmental Active Directory, you need not look any further.

Intended Audience

This book is intended for all Active Directory administrators, whether you manage a single server or a global multinational with thousands of servers. Even if you have a previous edition, you will find this fourth edition to be full of updates and corrections and a worthy addition to your “good” bookshelf: the bookshelf next to your PC with the books you really read that are all dog-eared with soda drink spills and pizza grease on them. To get the most out of the book, you will probably find it useful to have a server running Windows Server 2008 available so that you can check out various items as we point them out.


If you have no experience with VBScript, the scripting language we use in Part III, don’t worry. The syntax is straightforward, and you should have no difficulty grasping the principles of scripting with ADSI, ADO, and WMI. Likewise, the syntax we use in Part III to cover .NET is straightforward, and for those looking to learn PowerShell, Chapter 30 provides a jumpstart to the PowerShell language.

Contents of the Book

This book is split into three parts.

Part 1, Active Directory Basics

Chapter 1, A Brief Introduction

Reviews the evolution of the Microsoft NOS and some of the major features and benefits of Active Directory.

Chapter 2, Active Directory Fundamentals

Provides a high-level look at how objects are stored in Active Directory and explains some of the internal structures and concepts that it relies on.

Chapter 3, Naming Contexts and Application Partitions

Reviews the predefined Naming Contexts within Active Directory, what is contained within each, and the purpose of Application Partitions.

Chapter 4, Active Directory Schema

Gives you information on how the blueprint for each object and each object’s attributes are stored in Active Directory.

Chapter 5, Site Topology and Replication

Details how the actual replication process for data takes place between domain controllers.

Chapter 6, Active Directory and DNS

Describes the importance of the Domain Name System (DNS) and what it is used for within Active Directory.

Chapter 7, Read-Only Domain Controllers

Describes the deployment and operation of Read-Only Domain Controllers (RODCs).

Chapter 8, Group Policy Primer

Gives you a detailed introduction to the capabilities of Group Policy Objects and how to manage them.

Chapter 9, Fine-Grained Password Policies

Comprehensive coverage of how to design, implement, and manage fine-grained password policies.


Part 2, Designing an Active Directory Infrastructure

Chapter 10, Designing the Namespace

Introduces the steps and techniques involved in properly preparing a design that reduces the number of domains and increases administrative control through the use of Organizational Units.

Chapter 11, Creating a Site Topology

Shows you how to design a representation of your physical infrastructure within Active Directory to gain very fine-grained control over intrasite and intersite replication.

Chapter 12, Designing Organization-Wide Group Policies

Explains how Group Policy Objects function in Active Directory and how you can properly design an Active Directory structure to make the most effective use of these functions.

Chapter 13, Active Directory Security: Permissions and Auditing

Describes how you can design effective security for all areas of your Active Directory, in terms of both access to objects and their properties; includes information on how to design effective security access logging in any areas you choose.

Chapter 14, Designing and Implementing Schema Extensions

Covers procedures for extending the classes and attributes in the Active Directory schema.

Chapter 15, Backup, Recovery, and Maintenance

Describes how you can back up and restore Active Directory down to the object level or the entire directory.

Chapter 16, Upgrading to Windows Server 2003

Outlines how you can upgrade your existing Active Directory infrastructure to Windows Server 2003.

Chapter 17, Upgrading to Windows Server 2003 R2

Outlines the process to upgrade your existing Active Directory to Windows Server 2003 R2.

Chapter 18, Upgrading to Windows Server 2008

Outlines the process to upgrade your existing Active Directory to Windows Server 2008.

Chapter 19, Integrating Microsoft Exchange

Covers some of the important Active Directory-related issues when implementing Microsoft Exchange.

Chapter 20, Active Directory Lightweight Directory Service (a.k.a. ADAM)

Introduces Active Directory Lightweight Directory Service (AD LDS, formerly ADAM).


Part 3, Scripting Active Directory with ADSI, ADO, and WMI

Chapter 21, Scripting with ADSI

Introduces ADSI scripting by leading you through a series of step-by-step examples.

Chapter 22, IADs and the Property Cache

Delves into the concept of the property cache used extensively by ADSI and shows you how to properly manipulate any attribute of any object within it.

Chapter 23, Using ADO for Searching

Demonstrates how to make use of a technology normally reserved for databases and now extended to allow rapid searching for objects in Active Directory.

Chapter 24, Users and Groups

Gives you the lowdown on how to rapidly create users and groups, giving them whatever attributes you desire.

Chapter 25, Permissions and Auditing

Describes how each object contains its own list of permissions and auditing entries that governs how it can be accessed and how access is logged. The chapter then details how you can create and manipulate permission and auditing entries as you choose. It closes with a complete script to enumerate the entire security descriptor for any Active Directory object including proper constant names for all values, perfect for anyone looking to script Active Directory delegation and wanting to know what values should be set.

Chapter 26, Extending the Schema and the Active Directory Snap-ins

Covers creation of new classes and attributes programmatically in the schema, and modification of the existing Active Directory snap-ins to perform additional customized functions.

Chapter 27, Scripting with WMI

Gives a quick overview of WMI and goes through several examples for managing a system, including services, the registry, and the event log. Accessing AD with WMI is also covered, along with the TrustMon and Replication WMI Providers.

Chapter 28, Scripting DNS

Describes how to manipulate DNS server configuration, zones, and resource records with the WMI DNS Provider.

Chapter 29, Programming the Directory with the .NET Framework

Starts off by providing some background information on the .NET Framework and then dives into several examples using the System.DirectoryServices namespaces with VB.NET.

Chapter 30, PowerShell Basics

Provides a jumpstart to Windows PowerShell and a quick reference for PowerShell scripting concepts.


Chapter 31, Scripting Active Directory with PowerShell

Describes how to manage and manipulate Active Directory using Windows PowerShell.

Chapter 32, Scripting Basic Exchange 2003 Tasks

Tackles common Active Directory-related user and group management tasks for Microsoft Exchange 2000/2003.

Chapter 33, Scripting Basic Exchange 2007 Tasks

Tackles common Active Directory-related tasks for Microsoft Exchange 2007 using Windows PowerShell.

Conventions Used in This Book

The following typographical conventions are used in this book:

Constant width

Indicates command-line elements, computer output, and code examples.

Constant width italic

Indicates variables in examples and registry keys.

Constant width bold

Indicates user input.

Italic

Introduces new terms and indicates URLs, commands, file extensions, filenames, directory or folder names, and UNC pathnames.

Indicates a tip, suggestion, or general note. For example, we’ll tell you if you need to use a particular version or if an operation requires certain privileges.

Indicates a warning or caution. For example, we’ll tell you if Active Directory does not behave as you’d expect or if a particular operation has a negative impact on performance.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Active Directory, Fourth Edition, by Brian Desmond, Robbie Allen, Joe Richards, and Alistair G. Lowe-Norris. Copyright 2009 O’Reilly Media, Inc., 9780596520595.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.

Safari® Books Online

When you see a Safari® Books Online icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.

Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

How to Contact Us

We have tested and verified the information in this book to the best of our ability, but you might find that features have changed (or even that we have made mistakes!). Please let us know about any errors you find, as well as your suggestions for future editions, by writing to:

O’Reilly Media, Inc.

1005 Gravenstein Highway North


For the Fourth Edition (Brian)

I wouldn’t be here if it weren’t for the fine folks at O’Reilly who decided to entrust this project to me. Special thanks to my editor Laurel Ruma who made this a very smooth running adventure. Joe, Robbie, and Alistair have of course provided an excellent foundation, which made this project so much easier. I would not have been able to get this done in the time I did without their hard work.

There are numerous individuals whose contributions to the depth and accuracy of the content in this edition are irreplaceable. Without their help, this book would not be what it is:

• PowerShell guru Brandon Shell and .NET expert Joe Kaplan contributed the fine content in this book on these important topics.

• Technical reviewers Joe Richards, Michael B. Smith, and Guido Grillenmeier, thank you for the comments, corrections, and invaluable feedback. Guido, thank you for voluntarily taking the time out of your day and vacation to provide your expertise.

• Special thanks to Eric Kotz, unofficial reviewer. Your feedback from the perspective of an Active Directory beginner brought clarity to the chapters you read.

• Thank you to Microsoft experts James McColl, Siddharth Bhai, Dmitri Gavrilov, Eric Fleischman, and Stephanie Cheung for your help with the details that made this book what it is!

• Darren Mar-Elia (C-GPO), your feedback on the Group Policy chapters was instrumental.

• Dean Wells, your crucial assistance in decrypting English phraseology is priceless, and of course thanks for your help in consistently transforming complex technical content to plain English.

• Susan Bradley, Small Business Server Diva, your contributions were critical.

• Jorge de Almeida Pinto (Princess), thank you for the last minute contributions to our list of new Active Directory features in Windows Server 2008.

• James Manning and Ted Kolvoord, thank you for the last minute reviews of the PowerShell chapters!

John Tanner, thanks for all your help behind the scenes making this project successful. Matt Wagner at Fresh Books, your assistance and expertise in handling the business end of this project was key.

Patrick Sheren and Scott Weyandt, thank you for the opportunity you gave me just four years ago. I would not be where I am today if it weren’t for the three years we spent working together. And yes, you too, Kurt.


To the special people in my life who are always trying to get me to explain what I do all day, you have provided the impetus for this project.

To my readers, I had a lot of fun on this project, and I hope you have as much fun reading this book as I had writing it.

For the Third Edition (Joe)

I want to thank Robbie Allen for my introduction into the world of book writing and for putting up with my often-grumpy responses to silly issues we encountered on this project. Truly, I wouldn’t have worked on this book had it not been for Robbie; if I did not say it before, I am happy I had the opportunity to have this experience—thank you. Thanks to Alistair for the first edition. I recall being involved with the decision to migrate a company of 200k+ users to Windows 2000 and realizing that I knew nothing about Active Directory (AD) other than it was supposed to be “super-cool” and fixed everything that was broken in NT. “The Cat Book,” the only book on AD around at the time, prepared me with the essential concepts and ideas to get started. After five years, I am happy to be able to give back some of what I have learned to that very same book.

Thanks to the folks who had the onerous task of finding the mistakes. I was lucky to have very knowledgeable reviewers who spent a lot of time reading every word (old and new) and bluntly telling me the issues. To Hunter Colman and Stuart Fuller: you guys were afraid you wouldn’t add value. You were completely wrong; you added a lot of value. To Lee Flight: thanks for reviewing another edition of this book; your comments were invaluable. To Laura Hunter: I will never look at a comma the same way again; you helped the structure and flow immensely. To Ulf B. Simon-Weidner: your comments and ideas were a great help. Finally, thanks to Dean Wells, a great source of information, fear, and humorous English phrases. Dean couldn’t review everything but he happily helped me out when I asked. He spent at least 90 minutes on the phone one night just discussing changes that needed to be made to a few pages of Chapter 5. All of these guys (and gal) are extremely knowledgeable, opinionated, and professional. It was an honor having them tell me what was screwed up. Thanks to my friend Vern Rottman for being an “unofficial” reviewer and running interference for me when I worked with him.

Thanks to the Microsoft Directory Service Developers: because of you, we have a “super-cool” DS. P.S. AD/AM rocks. Thanks to Dmitri Gavrilov for going above and beyond by responding to my unsolicited emails. Thanks to Stuart Kwan (of the Ottawa Kwan Clan) for being one of the most insanely energetic speakers and, at the same time, actually listening to what we thought was wrong and working to get corrections. I am thrilled that someday I will be able to run DCs without IE loaded. May your energizer battery never run out of juice. Thanks to Brett Shirley for telling me to correct stuff in Chapter 13 and writing the most brilliant parts of REPADMIN and being a killer JET Blue (ESE) dev. Thanks to Eric Fleischman for answering all the random AD questions from myself as well as everyone else at all hours of the day and night. Your answers, comments, thoughts, and insight into the actual questions themselves are all greatly appreciated.

Thanks to the activedir.org listserv crowd. Hands down, that list is the best Active Directory (and often Exchange) resource outside of Microsoft. It has helped me a lot.

Thanks to my family, great people I love without bound. Yes, Dawn, even you.

And last but not least, thanks to my guardian angel, Di. She put up with a lot of griping from me, as well as the loss of my companionship for most of the summer as I sat in the corner typing away. Through it all, she always had a smile on her face and was willing to burn a grilled cheese sandwich for me as needed. She never once reminded me that I said I would tile the kitchen floor this summer. I’ll start tiling next week, only three months late…

For the Second Edition (Robbie)

I would like to thank the people at O’Reilly for giving me the opportunity to work on this book. Special thanks goes to Robert Denn, who was a great editor to work with.

I would like to thank Alistair Lowe-Norris for providing such a solid foundation in the first edition. While there was a lot of new material to include, much of the information in the first edition was still pertinent and useful. He deserves a lot of credit since the first edition was done before Windows 2000 had even been released to the public, and there was virtually no information on Active Directory available.

Thanks to Alistair, Mitch Tulloch, and Paul Turcotte for providing very insightful feedback during the review process. Their comments rounded out the rough edges in the book.

And no acknowledgments section would be complete without recognition to my significant other, Janet. She was supportive during the many late nights and weekends I spent writing. I appreciate everything she does for me.

For the First Edition (Alistair)

Many people have encouraged me in the writing of this book, principally Vicky Launders, my partner, friend, and fountain of useful information, who has been a pinnacle of understanding during all the late nights and early mornings. Without you my life would not be complete.

My parents, Pauline and Peter Norris, also have encouraged me at every step of the way; many thanks to you both.

For keeping me sane, my thanks go to my good friend Keith Cooper, a natural polymath, superb scientist, and original skeptic; to Steve Joint for keeping my enthusiasm for Microsoft in check; to Dave and Sue Peace for "Tuesdays," and the ability to look interested in what I was saying and how the book was going no matter how uninterested they must have felt; and to Mike Felmeri for his interest in this book and his eagerness to read an early draft.

I had a lot of help from my colleagues at Leicester University. To Lee Flight, a true networking guru without peer, many thanks for all the discussions, arguments, suggestions, and solutions. I'll remember forever how one morning very early you took the first draft of my 11-chapter book and spread it all over the floor to produce the 21 chapters that now constitute the book. It's so much better for it. Chris Heaton gave many years of dedicated and enjoyable teamwork; you have my thanks. Brian Kerr, who came onto the fast-moving train at high speed, managed to hold on tight through all the twists and turns along the way, and then finally took over the helm. Thanks to Paul Crow for his remarkable work on the Windows 2000 client rollout and GPOs at Leicester. And thanks to Phil Beesley, Carl Nelson, Paul Youngman, and Peter Burnham for all the discussions and arguments along the way. A special thank you goes to Wendy Ferguson for our chats over the past few years.

To the Cormyr crew: Paul Burke, for his in-depth knowledge across all aspects of technology and databases in particular, who really is without peer, and thanks for being so eager to read the book that you were daft enough to take it on your honeymoon; Simon Williams for discussions on enterprise infrastructure consulting and practices, how you can't get the staff these days, and everything else under the sun that came up; Richard Lang for acting as a sounding board for the most complex parts of replication internals, as I struggled to make sense of what was going on; Jason Norton for his constant ability to cheer me up; Mark Newell for his gadgets and Ian Harcombe for his wit, two of the best analyst programmers that I've ever met; and finally, Paul "Vaguely" Buxton for simply being himself. Many thanks to you all.

To Allan Kelly, another analyst programmer par excellence, for various discussions that he probably doesn't remember but that helped in a number of ways.

At Microsoft: Walter Dickson for his insightful ability to get right to the root of any problem, his constant accessibility via email and phone, and his desire to make sure that any job is done to the best of its ability; Bob Wells for his personal enthusiasm and interest in what I was doing; Daniel Turner for his help, enthusiasm, and key role in getting Leicester University involved in the Windows 2000 RDP; Oliver Bell for actually getting Leicester University accepted on the Windows 2000 RDP and taking a chance by allocating free consultancy time to the project; Brad Tipp, whose enthusiasm and ability galvanized me into action at the U.K. Professional Developers Conference in 1997; Julius Davies for various discussions and, among other things, telling me how the auditing and permissions aspects of Active Directory had all changed just after I finished the chapter; Karl Noakes, Steve Douglas, Jonathan Phillips, Stuart Hudman, Stuart Okin, Nick McGrath, and Alan Bennett for various discussions.


To Tony Lees, director of Avantek Computer Ltd., for being attentive, thoughtful, and the best all-round salesman I have ever met—many thanks for taking the time to get Leicester University onto the Windows 2000 RDP.

Thanks to Amit D Chaudhary and Cricket Liu for reviewing parts of the book

I also would like to thank everyone at O'Reilly, especially my editor Robert Denn for his encouragement, patience, and keen desire to get this book crafted properly.


PART I

Active Directory Basics


CHAPTER 1

A Brief Introduction

Active Directory (AD) is Microsoft's network operating system (NOS), built on top of Windows 2000, Windows Server 2003, and now Windows Server 2008. It enables administrators to manage enterprise-wide information efficiently from a central repository that can be globally distributed. Once information about users and groups, computers and printers, and applications and services has been added to Active Directory, it can be made available for use throughout the entire enterprise to as many or as few people as you like. The structure of the information can match the structure of your organization, and your users can query Active Directory to find the location of a printer or the email address of a colleague. With Organizational Units, you can delegate control and management of the data however you see fit. If you are like most organizations, you may have a significant amount of data (e.g., thousands of employees or computers). It may seem intimidating if you are faced with importing all of this data into Active Directory and managing it, but fortunately, Microsoft has some very robust yet easy-to-use Application Programming Interfaces (APIs) to help facilitate programmatic data management.
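The two lookups just mentioned (a colleague's email address, a printer's location) are ordinary LDAP searches. The following Windows PowerShell script is an added example, not code from the book; it uses the System.DirectoryServices classes the .NET Framework ships with and assumes a hypothetical domain corp.example.com and a caller with default read rights. The one thing worth copying from it is the escaping step: a value typed by a user must be escaped per RFC 4515 before it is spliced into a filter, otherwise characters such as `)` and `*` change what the filter matches.

```powershell
# Added example (not from the book): LDAP searches against Active Directory
# via System.DirectoryServices. Assumptions: domain corp.example.com, caller is
# a domain member. Adjust $SearchBase for your own forest.
Set-StrictMode -Version Latest
Add-Type -AssemblyName System.DirectoryServices

# Escape a value before embedding it in an LDAP filter (RFC 4515, section 3).
# Backslash must be handled first so the other escapes are not double-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

function Find-DirectoryEntry {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string[]]$Properties,
        [string]$SearchBase = 'LDAP://DC=corp,DC=example,DC=com'   # assumption
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Properties)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 500     # paged results; the default 1,000-entry MaxPageSize otherwise truncates
    try {
        foreach ($result in $searcher.FindAll()) {
            $row = [ordered]@{ path = $result.Path }
            foreach ($p in $Properties) {
                # Each property is a collection (multi-valued attributes); flatten for display.
                $row[$p] = @($result.Properties[$p]) -join '; '
            }
            [pscustomobject]$row
        }
    } finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

# 1. A colleague's email address, looked up by a display name a user typed in.
#    The name is constructed input for the example.
$name = ConvertTo-LdapFilterValue -Value 'Jane Doe'
Find-DirectoryEntry -Filter "(&(objectCategory=person)(objectClass=user)(displayName=$name))" `
                    -Properties 'mail', 'telephoneNumber'

# 2. Where published printers live: printQueue objects carry the location attribute.
Find-DirectoryEntry -Filter '(objectCategory=printQueue)' `
                    -Properties 'printerName', 'location', 'serverName'
```

The `objectCategory=person` clause alongside `objectClass=user` is deliberate: `objectCategory` is single-valued and indexed, so the filter is cheap for the domain controller to evaluate and excludes computer accounts, which are also of class user.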

This book is a comprehensive introduction to Active Directory with a broad scope. In Part I, we cover many of the basic concepts of Active Directory to give you a good grounding in some of the fundamentals that every administrator should understand.

In Part II, we focus on various design issues and methodologies, to enable you to map your organization's business requirements into your Active Directory infrastructure. Getting the design right the first time around is critical to a successful implementation, but it can be extremely difficult if you have no experience deploying Active Directory.

In Part III, we cover in detail the management of Active Directory programmatically through scripts based on Active Directory Service Interface (ADSI), ActiveX Data Objects (ADO), Windows Management Instrumentation (WMI), the .NET Framework, and Windows PowerShell. No matter how good your design is, unless you can automate your environment, problems will creep in, causing decreased uniformity and reliability.


Before moving on to some of the basic components within Active Directory, we will take a moment to review how Microsoft came to the point of implementing a Lightweight Directory Access Protocol (LDAP)-based directory service to support its NOS environment.

Evolution of the Microsoft NOS

Network operating system, or "NOS," is the term used to describe a networked environment in which various types of resources, such as user, group, and computer accounts, are stored in a central repository that is controlled by administrators and accessible to end users. Typically, a NOS environment is comprised of one or more servers that provide NOS services, such as authentication, authorization, and account manipulation, and multiple end users that access those services.

Microsoft's first integrated NOS environment became available in 1993 with the release of Windows NT 3.1, which combined many features of the LAN Manager protocols and of the OS/2 operating system. The NT NOS slowly evolved over the following years until Active Directory was first released in beta form in 1997.

Under Windows NT, the "domain" concept was introduced, providing a way to group resources based on administrative and security boundaries. NT domains are flat structures limited to about 40,000 objects (users, groups, and computers). For large organizations, this limitation imposed superficial boundaries on the design of the domain structure. Often, domains were geographically limited as well because the replication of data between domain controllers (i.e., servers providing the NOS services to end users) performed poorly over high-latency or low-bandwidth links. Another significant problem with the NT NOS was delegation of administration, which typically tended to be an all-or-nothing matter at the domain level.

Microsoft was well aware of these limitations and needed to re-architect its NOS model into something that would be much more scalable and flexible. For that reason, they looked to LDAP-based directory services as a possible solution.

Brief History of Directories

In general terms, a directory service is a repository of network, application, or NOS information that is useful to multiple applications or users. Under this definition, the Windows NT NOS is a type of directory service. In fact, there are many different types of directories, including Internet white pages, email systems, and even the Domain Name System (DNS). Although each of these systems has characteristics of a directory service, X.500 and the Lightweight Directory Access Protocol (LDAP) define the standards for how a true directory service is implemented and accessed.

In 1988, the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO) teamed up to develop a series of standards around directory services, which has come to be known as X.500. While X.500 proved to be a good model for structuring a directory and provided a lot of functionality around advanced operations and security, it was difficult to implement clients that could utilize it. One reason is that X.500 is based on the OSI (Open System Interconnection) protocol stack instead of TCP/IP, which had become the standard for the Internet. The X.500 Directory Access Protocol (DAP) was very complex and implemented many features most clients never needed. This prevented large-scale adoption. It is for this reason that a group headed by the University of Michigan started work on a "lightweight" X.500 access protocol that would make X.500 easier to utilize.

The first version of the Lightweight Directory Access Protocol (LDAP) was released in 1993 as Request for Comments (RFC) 1487,* but due to the absence of many features provided by X.500, it never really took off. It wasn't until LDAPv2 was released in 1995 as RFC 1777 that LDAP started to gain popularity. Prior to LDAPv2, the primary use of LDAP was as a gateway between X.500 servers. Simplified clients would interface with the LDAP gateway, which would translate the requests and submit them to the X.500 server. The University of Michigan team thought that if LDAP could provide most of the functionality necessary to most clients, they could remove the middleman (the gateway) and develop an LDAP-enabled directory server. This directory server could use many of the concepts from X.500, including the data model, but would leave out all the overhead resulting from the numerous features it implemented. Thus, the first LDAP directory server was released in late 1995 by the University of Michigan team, and it turned into the basis for many future directory servers.

In 1997, the last major update to the LDAP specification, LDAPv3, was described in RFC 2251. It provided several new features and made LDAP robust enough and extensible enough to be suitable for most vendors to implement. Since then, companies such as Netscape, Sun, Novell, IBM, the OpenLDAP Foundation, and Microsoft have developed LDAP-based directory servers. RFC 3377 was later released, listing all of the major LDAP RFCs; it and RFC 2251 have since been superseded by the RFC 4510 series (2006), which is the current LDAPv3 specification. For a Microsoft whitepaper on their LDAPv3 implementation and conformance, see http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx.

Windows NT Versus Active Directory

As we mentioned earlier, Windows NT and Active Directory both provide directory services to clients. Although both share some common concepts, such as Security Identifiers (SIDs) to identify security principals, they are very different from a feature, scalability, and functionality point of view. Table 1-1 contains a comparison of features between Windows NT and Active Directory.

* You can look up the text of this RFC at http://www.ietf.org/rfc.html.


Table 1-1. A comparison between Windows NT and Active Directory

Windows NT: Single-master replication is used, from the Primary Domain Controller (PDC) master to the Backup Domain Controller (BDC) subordinates.
Active Directory: Multimaster replication is used between all domain controllers.

Windows NT: Domain is the smallest unit of partitioning.
Active Directory: Naming Contexts are the smallest units of partitioning.

Windows NT: System policies can be used locally on machines or set at the domain level.
Active Directory: Group policies can be managed centrally and used by clients throughout the forest based on domain, site, or Organizational Unit (OU) criteria.

Windows NT: Data cannot be stored hierarchically within a domain.
Active Directory: Data can be stored in a hierarchical manner using OUs.

Windows NT: Domain is the smallest unit of security delegation and administration.
Active Directory: A property of an object is the smallest unit of security delegation/administration.

Windows NT: Domain is a policy, replication, and security boundary.
Active Directory: Domain is a policy and replication boundary. Forest is the security boundary.

Windows NT: NetBIOS and WINS are used for name resolution.
Active Directory: DNS is used for name resolution. WINS may be required for applications or legacy clients.

Windows NT: Object is the smallest unit of replication.
Active Directory: Attribute is the smallest unit of replication. In Windows Server 2003 Active Directory and above, some attributes replicate on a per-value basis (such as the member attribute of group objects).

Windows NT: Maximum recommended database size for the Security Accounts Manager (SAM) is 40 MB.
Active Directory: Recommended maximum database size for Active Directory is 16 TB.

Windows NT: Maximum effective number of users is 40,000 (if you accept the recommended 40 MB maximum).
Active Directory: The maximum number of objects per forest is in the tens of millions. Microsoft has tested to 1 billion users; for more information see http://technet.microsoft.com/en-us/library/cc756101.aspx.

Windows NT: Four domain models (single, single-master, multimaster, complete-trust) are required to solve per-domain admin-boundary and user-limit problems.
Active Directory: No domain models required as the complete-trust model is implemented. One-way trusts with external domains, forests, and UNIX Kerberos realms can be implemented manually.

Windows NT: Schema is not extensible.
Active Directory: Schema is fully extensible.

Windows NT: Data can only be accessed through a Microsoft API.
Active Directory: Data can be accessed through a Microsoft API or through LDAP, which is the standard protocol used by directories, applications, and clients that want to access directory data. Allows for cross-platform data access and management.
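The table's claim that a single property is the smallest unit of delegation is concrete: an access control entry (ACE) on an OU can grant write access to exactly one attribute, inherited only by objects of one class. The Windows PowerShell script below is an added example, not code from the book, showing how such an ACE is built with System.DirectoryServices. It assumes a hypothetical OU, OU=Staff,DC=corp,DC=example,DC=com, a hypothetical group CORP\HelpDesk, and a caller allowed to modify the OU's security descriptor; the schemaIDGUID lookups are real, since AD keys ACEs by GUID rather than by attribute or class name.

```powershell
# Added example (not from the book): delegate WriteProperty on one attribute
# (telephoneNumber) for user objects beneath one OU. Assumptions: the OU path,
# the trustee group, and sufficient rights on the OU are all hypothetical.
Set-StrictMode -Version Latest
Add-Type -AssemblyName System.DirectoryServices

$OuPath    = 'LDAP://OU=Staff,DC=corp,DC=example,DC=com'   # assumption
$Trustee   = 'CORP\HelpDesk'                                 # assumption
$Attribute = 'telephoneNumber'
$ObjClass  = 'user'

# Resolve an attribute or class name to its schemaIDGUID in the schema naming
# context. ACEs scoped to a property or class must use this GUID.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")
    $filter   = "(lDAPDisplayName=$LdapDisplayName)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, $filter, @('schemaIDGUID'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No schema object with lDAPDisplayName $LdapDisplayName" }
    # schemaIDGUID is stored as a 16-byte octet string; the leading comma keeps
    # the byte array as a single constructor argument.
    New-Object System.Guid -ArgumentList (,[byte[]]$hit.Properties['schemaidguid'][0])
}

function Grant-AttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuPath,
        [Parameter(Mandatory)][string]$Trustee,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][string]$ObjClass
    )
    $attrGuid  = Get-SchemaIdGuid -LdapDisplayName $Attribute
    $classGuid = Get-SchemaIdGuid -LdapDisplayName $ObjClass
    $identity  = New-Object System.Security.Principal.NTAccount($Trustee)

    # Allow WriteProperty on exactly $Attribute, applied to descendant objects
    # of class $ObjClass only (not to the OU itself, not to other classes).
    $aceArgs = @(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid
    )
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs

    $ou = New-Object System.DirectoryServices.DirectoryEntry($OuPath)
    try {
        $ou.ObjectSecurity.AddAccessRule($ace)
        $ou.CommitChanges()          # writes the updated nTSecurityDescriptor
    } finally {
        $ou.Dispose()
    }
}

Grant-AttributeWrite -OuPath $OuPath -Trustee $Trustee -Attribute $Attribute -ObjClass $ObjClass

# Verify: show the ACEs on the OU that name the trustee. ObjectType should be
# the telephoneNumber GUID and InheritedObjectType the user class GUID.
$ou = New-Object System.DirectoryServices.DirectoryEntry($OuPath)
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $Trustee } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
$ou.Dispose()
```

The check at the end matters as much as the grant: a WriteProperty ACE whose ObjectType is the all-zeros GUID grants write to every attribute, which is the NT-style all-or-nothing delegation the table contrasts against, so confirm the GUIDs on the resulting entry rather than trusting that the call did what was intended.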

First, Windows NT Primary Domain Controllers and Backup Domain Controllers have been replaced by Active Directory Domain Controllers. It is possible under Active Directory to promote member servers to Domain Controllers (DCs) and demote DCs to ordinary member servers, all without needing a reinstallation of the operating system; this was not the case under Windows NT. If you want to make a member server a DC, you can promote it using the dcpromo.exe wizard. Dcpromo asks you a number of questions, such as whether you are creating the first domain in a domain tree or joining
