| Section | Page | Length (pages) |
|---|---|---|
| Foreword | xvii | |
| Preface | xxi | |
| | 1 | 12 |
| | 2 | 2 |
| Getting Familiar with LDIF | 4 | 1 |
| | 5 | 4 |
| | 9 | 1 |
| Where to Find More Information | 10 | 3 |
| Forests, Domains, and Trusts | 13 | 40 |
| | 17 | 1 |
| | 18 | 1 |
| | 19 | 1 |
| | 20 | 2 |
| Removing an Orphaned Domain | 22 | 1 |
| Finding the Domains in a Forest | 23 | 2 |
| Finding the NetBIOS Name of a Domain | 25 | 1 |
| | 26 | 1 |
| Changing the Mode of a Domain | 27 | 2 |
| Using ADPrep to Prepare a Domain or Forest for Windows Server 2003 | 29 | 1 |
| Determining if ADPrep Has Completed | 30 | 2 |
| Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003 | 32 | 1 |
| Raising the Functional Level of a Windows Server 2003 Domain | 33 | 2 |
| Raising the Functional Level of a Windows Server 2003 Forest | 35 | 3 |
| Creating a Trust Between a Windows NT Domain and an AD Domain | 38 | 1 |
| Creating a Transitive Trust Between Two AD Forests | 39 | 2 |
| Creating a Shortcut Trust Between Two AD Domains | 41 | 1 |
| Creating a Trust to a Kerberos Realm | 42 | 2 |
| Viewing the Trusts for a Domain | 44 | 2 |
| | 46 | 2 |
| | 48 | 2 |
| | 50 | 1 |
| Enabling SID Filtering for a Trust | 51 | 1 |
| Finding Duplicate SIDs in a Domain | 51 | 2 |
| Domain Controllers, Global Catalogs, and FSMOs | 53 | 41 |
| Promoting a Domain Controller | 55 | 1 |
| Promoting a Domain Controller from Media | 55 | 2 |
| Demoting a Domain Controller | 57 | 1 |
| Automating the Promotion or Demotion of a Domain Controller | 58 | 1 |
| Troubleshooting Domain Controller Promotion or Demotion Problems | 59 | 1 |
| Removing an Unsuccessfully Demoted Domain Controller | 60 | 3 |
| Renaming a Domain Controller | 63 | 1 |
| Finding the Domain Controllers for a Domain | 64 | 1 |
| Finding the Closest Domain Controller | 65 | 2 |
| Finding a Domain Controller's Site | 67 | 1 |
| Moving a Domain Controller to a Different Site | 68 | 3 |
| Finding the Services a Domain Controller Is Advertising | 71 | 1 |
| Configuring a Domain Controller to Use an External Time Source | 72 | 1 |
| Finding the Number of Logon Attempts Made Against a Domain Controller | 73 | 1 |
| Enabling the /3GB Switch to Increase the LSASS Cache | 74 | 1 |
| Cleaning Up Distributed Link Tracking Objects | 75 | 1 |
| Enabling and Disabling the Global Catalog | 76 | 2 |
| Determining if Global Catalog Promotion Is Complete | 78 | 1 |
| Finding the Global Catalog Servers in a Forest | 79 | 1 |
| Finding the Domain Controllers or Global Catalog Servers in a Site | 80 | 2 |
| Finding Domain Controllers and Global Catalogs via DNS | 82 | 1 |
| Changing the Preference for a Domain Controller | 83 | 2 |
| Disabling the Global Catalog Requirement During a Windows 2000 Domain Login | 85 | 1 |
| Disabling the Global Catalog Requirement During a Windows 2003 Domain Login | 86 | 1 |
| Finding the FSMO Role Holders | 87 | 2 |
| | 89 | 2 |
| | 91 | 1 |
| Finding the PDC Emulator FSMO Role Owner via DNS | 92 | 2 |
| Searching and Manipulating Objects | 94 | 52 |
| | 95 | 3 |
| Viewing the Attributes of an Object | 98 | 3 |
| | 101 | 3 |
| Using a Fast or Concurrent Bind | 104 | 1 |
| Searching for Objects in a Domain | 105 | 3 |
| Searching the Global Catalog | 108 | 2 |
| Searching for a Large Number of Objects | 110 | 2 |
| Searching with an Attribute-Scoped Query | 112 | 2 |
| Searching with a Bitwise Filter | 114 | 2 |
| | 116 | 2 |
| | 118 | 3 |
| Modifying a Bit-Flag Attribute | 121 | 2 |
| Dynamically Linking an Auxiliary Class | 123 | 2 |
| Creating a Dynamic Object | 125 | 1 |
| Refreshing a Dynamic Object | 126 | 2 |
| Modifying the Default TTL Settings for Dynamic Objects | 128 | 2 |
| Moving an Object to a Different OU or Container | 130 | 2 |
| Moving an Object to a Different Domain | 132 | 1 |
| | 133 | 2 |
| | 135 | 1 |
| Deleting a Container That Has Child Objects | 136 | 1 |
| Viewing the Created and Last Modified Timestamp of an Object | 137 | 2 |
| Modifying the Default LDAP Query Policy | 139 | 2 |
| Exporting Objects to an LDIF File | 141 | 1 |
| Importing Objects Using an LDIF File | 142 | 2 |
| Exporting Objects to a CSV File | 144 | 1 |
| Importing Objects Using a CSV File | 144 | 2 |
| | 146 | 17 |
| | 147 | 1 |
| Enumerating the OUs in a Domain | 148 | 2 |
| Enumerating the Objects in an OU | 150 | 1 |
| Deleting the Objects in an OU | 151 | 1 |
| | 152 | 2 |
| Moving the Objects in an OU to a Different OU | 154 | 1 |
| | 155 | 1 |
| Determining How Many Child Objects an OU Has | 156 | 2 |
| Delegating Control of an OU | 158 | 1 |
| Allowing OUs to Be Created Within Containers | 159 | 1 |
| | 160 | 3 |
| | 163 | 54 |
| | 164 | 2 |
| Creating a Large Number of Users | 166 | 1 |
| Creating an inetOrgPerson User | 167 | 2 |
| Modifying an Attribute for Several Users at Once | 169 | 2 |
| | 171 | 1 |
| | 172 | 1 |
| | 173 | 2 |
| | 175 | 1 |
| | 176 | 1 |
| Troubleshooting Account Lockout Problems | 177 | 2 |
| Viewing the Account Lockout and Password Policies | 179 | 3 |
| Enabling and Disabling a User | 182 | 2 |
| | 184 | 1 |
| Viewing a User's Group Membership | 185 | 2 |
| Changing a User's Primary Group | 187 | 2 |
| Transferring a User's Group Membership to Another User | 189 | 2 |
| Setting a User's Password | 191 | 1 |
| Setting a User's Password via LDAP | 192 | 1 |
| Setting a User's Password via Kerberos | 193 | 1 |
| Preventing a User from Changing His Password | 193 | 2 |
| Requiring a User to Change Her Password at Next Logon | 195 | 1 |
| Preventing a User's Password from Expiring | 196 | 1 |
| Finding Users Whose Passwords Are About to Expire | 197 | 4 |
| Setting a User's Account Options (userAccountControl) | 201 | 2 |
| Setting a User's Account to Expire in the Future | 203 | 2 |
| Finding Users Whose Accounts Are About to Expire | 205 | 2 |
| Determining a User's Last Logon Time | 207 | 2 |
| Finding Users Who Have Not Logged On Recently | 209 | 2 |
| Setting a User's Profile Attributes | 211 | 1 |
| Viewing a User's Managed Objects | 212 | 1 |
| Modifying the Default Display Name Used When Creating Users in ADUC | 213 | 2 |
| Creating a UPN Suffix for a Forest | 215 | 2 |
| | 217 | 16 |
| | 218 | 2 |
| Viewing the Direct Members of a Group | 220 | 1 |
| Viewing the Nested Members of a Group | 221 | 1 |
| Adding and Removing Members of a Group | 222 | 2 |
| | 224 | 1 |
| Changing the Scope or Type of a Group | 225 | 1 |
| Delegating Control for Managing Membership of a Group | 226 | 2 |
| Resolving a Primary Group ID | 228 | 3 |
| Enabling Universal Group Membership Caching | 231 | 2 |
| | 233 | 28 |
| | 234 | 2 |
| Creating a Computer for a Specific User or Group | 236 | 5 |
| Joining a Computer to a Domain | 241 | 3 |
| | 244 | 1 |
| | 245 | 2 |
| Testing the Secure Channel for a Computer | 247 | 1 |
| | 248 | 1 |
| Finding Inactive or Unused Computers | 249 | 4 |
| Changing the Maximum Number of Computers a User Can Join to the Domain | 253 | 1 |
| Finding Computers with a Particular OS | 254 | 2 |
| Binding to the Default Container for Computers | 256 | 2 |
| Changing the Default Container for Computers | 258 | 3 |
| Group Policy Objects (GPOs) | 261 | 40 |
| Finding the GPOs in a Domain | 263 | 1 |
| | 264 | 1 |
| | 265 | 3 |
| | 268 | 1 |
| Viewing the Settings of a GPO | 269 | 3 |
| Modifying the Settings of a GPO | 272 | 1 |
| Importing Settings into a GPO | 272 | 3 |
| Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO | 275 | 1 |
| Installing Applications with a GPO | 276 | 1 |
| Disabling the User or Computer Settings in a GPO | 277 | 2 |
| Listing the Links for a GPO | 279 | 2 |
| Creating a GPO Link to an OU | 281 | 2 |
| Blocking Inheritance of GPOs on an OU | 283 | 2 |
| Applying a Security Filter to a GPO | 285 | 3 |
| | 288 | 1 |
| Applying a WMI Filter to a GPO | 289 | 2 |
| | 291 | 3 |
| | 294 | 2 |
| | 296 | 1 |
| | 297 | 2 |
| Refreshing GPO Settings on a Computer | 299 | 1 |
| | 299 | 2 |
| | 301 | 39 |
| Registering the Active Directory Schema MMC Snap-in | 303 | 1 |
| | 304 | 2 |
| Generating an OID to Use for a New Class or Attribute | 306 | 1 |
| Generating a GUID to Use for a New Class or Attribute | 307 | 1 |
| | 308 | 1 |
| Documenting Schema Extensions | 309 | 1 |
| | 310 | 3 |
| | 313 | 2 |
| | 315 | 2 |
| | 317 | 1 |
| | 318 | 2 |
| Modifying the Attributes That Are Copied When Duplicating a User | 320 | 2 |
| Modifying the Attributes Included with Ambiguous Name Resolution | 322 | 2 |
| Adding or Removing an Attribute in the Global Catalog | 324 | 2 |
| Finding the Nonreplicated and Constructed Attributes | 326 | 3 |
| Finding the Linked Attributes | 329 | 1 |
| Finding the Structural, Auxiliary, Abstract, and 88 Classes | 330 | 2 |
| Finding the Mandatory and Optional Attributes of a Class | 332 | 2 |
| Modifying the Default Security of a Class | 334 | 1 |
| Deactivating Classes and Attributes | 335 | 1 |
| Redefining Classes and Attributes | 336 | 1 |
| Reloading the Schema Cache | 337 | 3 |
| | 340 | 44 |
| | 343 | 2 |
| | 345 | 1 |
| | 346 | 1 |
| | 347 | 2 |
| | 349 | 1 |
| | 350 | 2 |
| | 352 | 1 |
| Finding the Site Links for a Site | 353 | 2 |
| Modifying the Sites That Are Part of a Site Link | 355 | 1 |
| Modifying the Cost for a Site Link | 356 | 1 |
| Disabling Site Link Transitivity or Site Link Schedules | 357 | 2 |
| Creating a Site Link Bridge | 359 | 2 |
| Finding the Bridgehead Servers for a Site | 361 | 1 |
| Setting a Preferred Bridgehead Server for a Site | 362 | 2 |
| | 364 | 1 |
| Moving a Domain Controller to a Different Site | 365 | 1 |
| Configuring a Domain Controller to Cover Multiple Sites | 366 | 2 |
| Viewing the Site Coverage for a Domain Controller | 368 | 1 |
| Disabling Automatic Site Coverage for a Domain Controller | 368 | 1 |
| Finding the Site for a Client | 369 | 1 |
| Forcing a Host to a Particular Site | 370 | 2 |
| Creating a Connection Object | 372 | 1 |
| Listing the Connection Objects for a Server | 373 | 1 |
| Load-Balancing Connection Objects | 374 | 1 |
| Finding the ISTG for a Site | 375 | 1 |
| Transferring the ISTG to Another Server | 376 | 2 |
| | 378 | 1 |
| Determining if the KCC Is Completing Successfully | 379 | 1 |
| Disabling the KCC for a Site | 380 | 2 |
| Changing the Interval at Which the KCC Runs | 382 | 2 |
| | 384 | 18 |
| Determining if Two Domain Controllers Are in Sync | 384 | 2 |
| Viewing the Replication Status of Several Domain Controllers | 386 | 1 |
| Viewing Unreplicated Changes Between Two Domain Controllers | 386 | 4 |
| Forcing Replication from One Domain Controller to Another | 390 | 1 |
| Changing the Intra-Site Replication Interval | 391 | 2 |
| Changing the Intersite Replication Interval | 393 | 1 |
| Disabling Inter-Site Compression of Replication Traffic | 394 | 1 |
| Checking for Potential Replication Problems | 395 | 1 |
| Enabling Enhanced Logging of Replication Events | 395 | 1 |
| Enabling Strict or Loose Replication Consistency | 396 | 1 |
| | 397 | 2 |
| | 399 | 3 |
| | 402 | 30 |
| Creating a Forward Lookup Zone | 404 | 1 |
| Creating a Reverse Lookup Zone | 405 | 1 |
| | 406 | 2 |
| Converting a Zone to an AD-Integrated Zone | 408 | 1 |
| Moving AD-Integrated Zones into an Application Partition | 409 | 2 |
| Delegating Control of a Zone | 411 | 2 |
| Creating and Deleting Resource Records | 413 | 2 |
| Querying Resource Records | 415 | 2 |
| Modifying the DNS Server Configuration | 417 | 1 |
| Scavenging Old Resource Records | 418 | 2 |
| | 420 | 2 |
| Verifying That a Domain Controller Can Register Its Resource Records | 422 | 1 |
| Registering a Domain Controller's Resource Records | 423 | 1 |
| Preventing a Domain Controller from Dynamically Registering All Resource Records | 424 | 2 |
| Preventing a Domain Controller from Dynamically Registering Certain Resource Records | 426 | 3 |
| Deregistering a Domain Controller's Resource Records | 429 | 1 |
| Allowing Computers to Use a Different Domain Suffix from Their AD Domain | 429 | 3 |
| Security and Authentication | 432 | 26 |
| | 433 | 1 |
| Encrypting LDAP Traffic with SSL, TLS, or Signing | 434 | 2 |
| Enabling Anonymous LDAP Access | 436 | 2 |
| Restricting Hosts from Performing LDAP Queries | 438 | 1 |
| Using the Delegation of Control Wizard | 439 | 1 |
| Customizing the Delegation of Control Wizard | 440 | 3 |
| Viewing the ACL for an Object | 443 | 1 |
| Customizing the ACL Editor | 444 | 1 |
| Viewing the Effective Permissions on an Object | 445 | 1 |
| Changing the ACL of an Object | 446 | 1 |
| Changing the Default ACL for an Object Class in the Schema | 447 | 1 |
| Comparing the ACL of an Object to the Default Defined in the Schema | 448 | 1 |
| Resetting an Object's ACL to the Default Defined in the Schema | 448 | 1 |
| Preventing the LM Hash of a Password from Being Stored | 449 | 1 |
| Enabling List Object Access Mode | 450 | 2 |
| Modifying the ACL on Administrator Accounts | 452 | 1 |
| Viewing and Purging Your Kerberos Tickets | 453 | 2 |
| Forcing Kerberos to Use TCP | 455 | 1 |
| Modifying Kerberos Settings | 456 | 2 |
| Logging, Monitoring, and Quotas | 458 | 33 |
| Enabling Extended dcpromo Logging | 459 | 2 |
| Enabling Diagnostics Logging | 461 | 2 |
| Enabling NetLogon Logging | 463 | 1 |
| Enabling GPO Client Logging | 464 | 1 |
| Enabling Kerberos Logging | 465 | 2 |
| Enabling DNS Server Debug Logging | 467 | 2 |
| Viewing DNS Server Performance Statistics | 469 | 3 |
| Enabling Inefficient and Expensive LDAP Query Logging | 472 | 2 |
| Using the STATS Control to View LDAP Query Statistics | 474 | 2 |
| Using Perfmon to Monitor AD | 476 | 2 |
| Using Perfmon Trace Logs to Monitor AD | 478 | 3 |
| Enabling Auditing of Directory Access | 481 | 1 |
| | 482 | 2 |
| Finding the Quotas Assigned to a Security Principal | 484 | 1 |
| Changing How Tombstone Objects Count Against Quota Usage | 485 | 2 |
| Setting the Default Quota for All Security Principals in a Partition | 487 | 1 |
| Finding the Quota Usage for a Security Principal | 488 | 3 |
| Backup, Recovery, DIT Maintenance, and Deleted Objects | 491 | 26 |
| Backing Up Active Directory | 493 | 1 |
| Restarting a Domain Controller in Directory Services Restore Mode | 494 | 2 |
| Resetting the Directory Service Restore Mode Administrator Password | 496 | 1 |
| Performing a Nonauthoritative Restore | 497 | 1 |
| Performing an Authoritative Restore of an Object or Subtree | 498 | 2 |
| Performing a Complete Authoritative Restore | 500 | 1 |
| Checking the DIT File's Integrity | 501 | 1 |
| | 502 | 1 |
| Repairing or Recovering the DIT | 502 | 1 |
| Performing an Online Defrag Manually | 503 | 2 |
| Determining How Much Whitespace Is in the DIT | 505 | 1 |
| Performing an Offline Defrag to Reclaim Space | 506 | 2 |
| Changing the Garbage Collection Interval | 508 | 1 |
| Logging the Number of Expired Tombstone Objects | 509 | 2 |
| Determining the Size of the Active Directory Database | 511 | 1 |
| Searching for Deleted Objects | 512 | 1 |
| Restoring a Deleted Object | 513 | 2 |
| Modifying the Tombstone Lifetime for a Domain | 515 | 2 |
| | 517 | 22 |
| Creating and Deleting an Application Partition | 518 | 3 |
| Finding the Application Partitions in a Forest | 521 | 2 |
| Adding or Removing a Replica Server for an Application Partition | 523 | 2 |
| Finding the Replica Servers for an Application Partition | 525 | 2 |
| Finding the Application Partitions Hosted by a Server | 527 | 2 |
| Verifying Application Partitions Are Instantiated on a Server Correctly | 529 | 1 |
| Setting the Replication Notification Delay for an Application Partition | 530 | 2 |
| Setting the Reference Domain for an Application Partition | 532 | 2 |
| Delegating Control of Managing an Application Partition | 534 | 5 |
| Interoperability and Integration | 539 | 18 |
| Accessing AD from a Non-Windows Platform | 539 | 1 |
| | 540 | 2 |
| | 542 | 1 |
| | 543 | 1 |
| | 544 | 2 |
| | 546 | 1 |
| Integrating with MIT Kerberos | 547 | 1 |
| | 548 | 1 |
| | 549 | 1 |
| | 550 | 1 |
| | 551 | 1 |
| Authorizing a Microsoft DHCP Server | 552 | 1 |
| Using VMware for Testing AD | 553 | 4 |
| Appendix: Tool List | 557 | 18 |
| Index | 575 | |