Table of Contents

Preface

1. Getting Started
   1.1 Where to Find the Tools
   1.2 Getting Familiar with LDIF
   1.3 Programming Notes
   1.4 Replaceable Text
   1.5 Where to Find More Information

2. Forests, Domains, and Trusts
   2.1 Creating a Forest
   2.2 Removing a Forest
   2.3 Creating a Domain
   2.4 Removing a Domain
   2.5 Removing an Orphaned Domain
   2.6 Finding the Domains in a Forest
   2.7 Finding the NetBIOS Name of a Domain
   2.8 Renaming a Domain
   2.9 Raising the Domain Functional Level to Windows 2000 Native Mode
   2.10 Raising the Functional Level of a Windows Server 2003 Domain
   2.11 Raising the Functional Level of a Windows Server 2003 Forest
   2.12 Using AdPrep to Prepare a Domain or Forest for Windows Server 2003
   2.13 Determining Whether AdPrep Has Completed
   2.14 Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003
   2.15 Creating an External Trust
   2.16 Creating a Transitive Trust Between Two AD Forests
   2.17 Creating a Shortcut Trust Between Two AD Domains
   2.18 Creating a Trust to a Kerberos Realm
   2.19 Viewing the Trusts for a Domain
   2.20 Verifying a Trust
   2.21 Resetting a Trust
   2.22 Removing a Trust
   2.23 Enabling SID Filtering for a Trust
   2.24 Enabling Quarantine for a Trust
   2.25 Managing Selective Authentication for a Trust
   2.26 Finding Duplicate SIDs in a Domain
   2.27 Adding Additional Fields to Active Directory Users and Computers

3. Domain Controllers, Global Catalogs, and FSMOs
   3.1 Promoting a Domain Controller
   3.2 Promoting a Domain Controller from Media
   3.3 Verifying the Promotion of a Domain Controller
   3.4 Demoting a Domain Controller
   3.5 Automating the Promotion or Demotion of a Domain Controller
   3.6 Troubleshooting Domain Controller Promotion or Demotion Problems
   3.7 Removing an Unsuccessfully Demoted Domain Controller
   3.8 Renaming a Domain Controller
   3.9 Creating an NT 4.0 BDC Object
   3.10 Finding the Domain Controllers for a Domain
   3.11 Finding the Closest Domain Controller
   3.12 Finding a Domain Controller's Site
   3.13 Moving a Domain Controller to a Different Site
   3.14 Finding the Services a Domain Controller Is Advertising
   3.15 Restoring a Deleted Domain Controller
   3.16 Resetting the TCP/IP Stack on a Domain Controller
   3.17 Configuring a Domain Controller to Use an External Time Source
   3.18 Finding the Number of Logon Attempts Made Against a Domain Controller
   3.19 Enabling the /3GB Switch to Increase the LSASS Cache
   3.20 Enabling the /PAE Switch to Increase the Amount of Addressable RAM
   3.21 Cleaning Up Distributed Link Tracking Objects
   3.22 Enabling and Disabling the Global Catalog
   3.23 Determining Whether Global Catalog Promotion Is Complete
   3.24 Finding the Global Catalog Servers in a Forest
   3.25 Finding the Domain Controllers or Global Catalog Servers in a Site
   3.26 Finding Domain Controllers and Global Catalogs via DNS
   3.27 Changing the Preference for a Domain Controller
   3.28 Disabling the Global Catalog Requirement During a Windows 2000 or Windows Server 2003 Domain Login
   3.29 Enabling Universal Group Caching in Windows Server 2003
   3.30 Finding the FSMO Role Holders
   3.31 Transferring a FSMO Role
   3.32 Seizing a FSMO Role
   3.33 Finding the PDC Emulator FSMO Role Owner via DNS
   3.34 Finding the PDC Emulator FSMO Role Owner via WINS

4. Searching and Manipulating Objects
   4.1 Viewing the RootDSE
   4.2 Viewing the Attributes of an Object
   4.3 Counting Objects in Active Directory
   4.4 Using LDAP Controls
   4.5 Using a Fast or Concurrent Bind
   4.6 Connecting to an Object GUID
   4.7 Connecting to a Well-Known GUID
   4.8 Searching for Objects in a Domain
   4.9 Searching the Global Catalog
   4.10 Searching for a Large Number of Objects
   4.11 Searching with an Attribute-Scoped Query
   4.12 Searching with a Bitwise Filter
   4.13 Creating an Object
   4.14 Modifying an Object
   4.15 Modifying a Bit Flag Attribute
   4.16 Dynamically Linking an Auxiliary Class
   4.17 Creating a Dynamic Object
   4.18 Refreshing a Dynamic Object
   4.19 Modifying the Default TTL Settings for Dynamic Objects
   4.20 Moving an Object to a Different OU or Container
   4.21 Moving an Object to a Different Domain
   4.22 Referencing an External Domain
   4.23 Renaming an Object
   4.24 Deleting an Object
   4.25 Deleting a Container That Has Child Objects
   4.26 Viewing the Created and Last Modified Timestamp of an Object
   4.27 Modifying the Default LDAP Query Policy
   4.28 Exporting Objects to an LDIF File
   4.29 Importing Objects Using an LDIF File
   4.30 Exporting Objects to a CSV File
   4.31 Importing Objects Using a CSV File

5. Organizational Units
   5.1 Creating an OU
   5.2 Enumerating the OUs in a Domain
   5.3 Finding an OU
   5.4 Enumerating the Objects in an OU
   5.5 Deleting the Objects in an OU
   5.6 Deleting an OU
   5.7 Moving the Objects in an OU to a Different OU
   5.8 Moving an OU
   5.9 Renaming an OU
   5.10 Modifying an OU
   5.11 Determining Approximately How Many Child Objects an OU Has
   5.12 Delegating Control of an OU
   5.13 Assigning or Removing a Manager for an OU
   5.14 Allowing OUs to Be Created Within Containers
   5.15 Linking a GPO to an OU

6. Users
   6.1 Modifying the Default Display Name Used When Creating Users in ADUC
   6.2 Creating a User
   6.3 Creating a Large Number of Users
   6.4 Creating an inetOrgPerson User
   6.5 Converting a user Object to an inetOrgPerson Object (or Vice Versa)
   6.6 Modifying an Attribute for Several Users at Once
   6.7 Setting a User's Profile Attributes
   6.8 Moving a User
   6.9 Redirecting Users to an Alternative OU
   6.10 Renaming a User
   6.11 Copying a User
   6.12 Finding Locked Out Users
   6.13 Unlocking a User
   6.14 Troubleshooting Account Lockout Problems
   6.15 Viewing the Account Lockout and Password Policies
   6.16 Enabling and Disabling a User
   6.17 Finding Disabled Users
   6.18 Viewing a User's Group Membership
   6.19 Removing All Group Memberships from a User
   6.20 Changing a User's Primary Group
   6.21 Transferring a User's Group Membership to Another User
   6.22 Setting a User's Password
   6.23 Setting a User's Password via LDAP
   6.24 Setting a User's Password from Unix
   6.25 Preventing a User from Changing Her Password
   6.26 Requiring a User to Change His Password at Next Logon
   6.27 Preventing a User's Password from Expiring
   6.28 Finding Users Whose Passwords Are About to Expire
   6.29 Setting a User's Account Options (userAccountControl)
   6.30 Setting a User's Account to Expire
   6.31 Finding Users Whose Accounts Are About to Expire
   6.32 Determining a User's Last Logon Time
   6.33 Finding Users Who Have Not Logged On Recently
   6.34 Viewing a User's Permitted Logon Hours
   6.35 Viewing a User's Managed Objects
   6.36 Creating a UPN Suffix for a Forest

7. Groups
   7.1 Creating a Group
   7.2 Viewing the Permissions of a Group
   7.3 Viewing the Direct Members of a Group
   7.4 Viewing the Nested Members of a Group
   7.5 Adding and Removing Members of a Group
   7.6 Moving a Group Within a Domain
   7.7 Moving a Group to Another Domain
   7.8 Changing the Scope or Type of a Group
   7.9 Modifying Group Attributes
   7.10 Creating a Dynamic Group
   7.11 Delegating Control for Managing Membership of a Group
   7.12 Resolving a Primary Group ID
   7.13 Enabling Universal Group Membership Caching
   7.14 Restoring a Deleted Group

8. Computers
   8.1 Creating a Computer
   8.2 Creating a Computer for a Specific User or Group
   8.3 Joining a Computer to a Domain
   8.4 Moving a Computer Within the Same Domain
   8.5 Moving a Computer to a New Domain
   8.6 Renaming a Computer
   8.7 Adding or Removing a Computer Account from a Group
   8.8 Testing the Secure Channel for a Computer
   8.9 Resetting a Computer Account
   8.10 Finding Inactive or Unused Computers
   8.11 Changing the Maximum Number of Computers a User Can Join to the Domain
   8.12 Modifying the Attributes of a Computer Object
   8.13 Finding Computers with a Particular OS
   8.14 Binding to the Default Container for Computers
   8.15 Changing the Default Container for Computers
   8.16 Listing All the Computer Accounts in a Domain
   8.17 Identifying a Computer Role

9. Printers and Shared Folders
   9.1 Installing the Print Server Role
   9.2 Creating a Printer Filter
   9.3 Managing Printer Drivers
   9.4 Deploying Printers Through Group Policy
   9.5 Publishing Printers in Active Directory
   9.6 Installing the File Server Resource Manager
   9.7 Managing Disk Quota Templates
   9.8 Managing Disk Quotas
   9.9 Managing Auto-Quotas
   9.10 Modifying Quota Settings
   9.11 Defining File Groups
   9.12 Managing File-Screen Templates
   9.13 Managing File Screens
   9.14 Managing File-Screen Exceptions
   9.15 Configuring File Server Reporting
   9.16 Managing File Server Options

10. Group Policy Objects
   10.1 Finding the GPOs in a Domain
   10.2 Creating a GPO
   10.3 Copying a GPO
   10.4 Deleting a GPO
   10.5 Viewing the Settings of a GPO
   10.6 Modifying the Settings of a GPO
   10.7 Importing Settings into a GPO
   10.8 Creating a Migration Table
   10.9 Creating Custom Group Policy Settings
   10.10 Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
   10.11 Installing Applications with a GPO
   10.12 Disabling the User or Computer Settings in a GPO
   10.13 Listing the Links for a GPO
   10.14 Creating a GPO Link to an OU
   10.15 Blocking Inheritance of GPOs on an OU
   10.16 Enforcing the Settings of a GPO Link
   10.17 Applying a Security Filter to a GPO
   10.18 Delegating Administration of GPOs
   10.19 Importing a Security Template
   10.20 Creating a WMI Filter
   10.21 Applying a WMI Filter to a GPO
   10.22 Configuring Loopback Processing for a GPO
   10.23 Backing Up a GPO
   10.24 Restoring a GPO
   10.25 Simulating the RSoP
   10.26 Viewing the RSoP
   10.27 Refreshing GPO Settings on a Computer
   10.28 Restoring a Default GPO

11. Schema
   11.1 Registering the Active Directory Schema MMC Snap-in
   11.2 Enabling Schema Updates
   11.3 Generating an OID to Use for a New Class or Attribute
   11.4 Generating a GUID to Use for a New Class or Attribute
   11.5 Extending the Schema
   11.6 Preparing the Schema for Upgrade
   11.7 Documenting Schema Extensions
   11.8 Adding a New Attribute
   11.9 Viewing an Attribute
   11.10 Adding a New Class
   11.11 Viewing a Class
   11.12 Indexing an Attribute
   11.13 Modifying the Attributes That Are Copied When Duplicating a User
   11.14 Adding Custom Information to ADUC
   11.15 Modifying the Attributes Included with ANR
   11.16 Modifying the Set of Attributes Stored on a Global Catalog
   11.17 Finding the Nonreplicated and Constructed Attributes
   11.18 Finding the Linked Attributes
   11.19 Finding the Structural, Auxiliary, Abstract, and 88 Classes
   11.20 Finding the Mandatory and Optional Attributes of a Class
   11.21 Modifying the Default Security of a Class
   11.22 Managing the Confidentiality Bit
   11.23 Deactivating Classes and Attributes
   11.24 Redefining Classes and Attributes
   11.25 Reloading the Schema Cache
   11.26 Managing the Schema Master FSMO

12. Site Topology
   12.1 Creating a Site
   12.2 Listing the Sites
   12.3 Renaming a Site
   12.4 Deleting a Site
   12.5 Delegating Control of a Site
   12.6 Configuring Universal Group Caching for a Site
   12.7 Creating a Subnet
   12.8 Listing the Subnets
   12.9 Finding Missing Subnets
   12.10 Deleting a Subnet
   12.11 Changing a Subnet's Site Assignment
   12.12 Creating a Site Link
   12.13 Finding the Site Links for a Site
   12.14 Modifying the Sites That Are Part of a Site Link
   12.15 Modifying the Cost for a Site Link
   12.16 Enabling Change Notification for a Site Link
   12.17 Modifying Replication Schedules
   12.18 Disabling Site Link Transitivity or Site Link Schedules
   12.19 Creating a Site Link Bridge
   12.20 Finding the Bridgehead Servers for a Site
   12.21 Setting a Preferred Bridgehead Server for a Site
   12.22 Listing the Servers
   12.23 Moving a Domain Controller to a Different Site
   12.24 Configuring a Domain Controller to Cover Multiple Sites
   12.25 Viewing the Site Coverage for a Domain Controller
   12.26 Disabling Automatic Site Coverage for a Domain Controller
   12.27 Finding the Site for a Client
   12.28 Forcing a Host into a Particular Site
   12.29 Creating a Connection Object
   12.30 Listing the Connection Objects for a Server
   12.31 Load-Balancing Connection Objects
   12.32 Finding the ISTG for a Site
   12.33 Transferring the ISTG to Another Server
   12.34 Triggering the KCC
   12.35 Determining Whether the KCC Is Completing Successfully
   12.36 Disabling the KCC for a Site
   12.37 Changing the Interval at Which the KCC Runs

13. Replication
   13.1 Determining Whether Two Domain Controllers Are in Sync
   13.2 Viewing the Replication Status of Several Domain Controllers
   13.3 Viewing Unreplicated Changes Between Two Domain Controllers
   13.4 Forcing Replication from One Domain Controller to Another
   13.5 Enabling and Disabling Replication
   13.6 Changing the Intra-Site Replication Interval
   13.7 Changing the Intra-Site Notification Delay
   13.8 Changing the Inter-Site Replication Interval
   13.9 Disabling Inter-Site Compression of Replication Traffic
   13.10 Checking for Potential Replication Problems
   13.11 Enabling Enhanced Logging of Replication Events
   13.12 Enabling Strict or Loose Replication Consistency
   13.13 Finding Conflict Objects
   13.14 Finding Orphaned Objects
   13.15 Listing the Replication Partners for a DC
   13.16 Viewing Object Metadata

14. DNS and DHCP
   14.1 Creating a Forward Lookup Zone
   14.2 Creating a Reverse Lookup Zone
   14.3 Viewing a Server's Zones
   14.4 Converting a Zone to an AD-Integrated Zone
   14.5 Moving AD-Integrated Zones into an Application Partition
   14.6 Configuring Zone Transfers
   14.7 Configuring Forwarding
   14.8 Delegating Control of a Zone
   14.9 Creating and Deleting Resource Records
   14.10 Querying Resource Records
   14.11 Modifying the DNS Server Configuration
   14.12 Scavenging Old Resource Records
   14.13 Clearing the DNS Cache
   14.14 Verifying That a Domain Controller Can Register Its Resource Records
   14.15 Enabling DNS Server Debug Logging
   14.16 Registering a Domain Controller's Resource Records
   14.17 Deregistering a Domain Controller's Resource Records
   14.18 Preventing a Domain Controller from Dynamically Registering All Resource Records
   14.19 Preventing a Domain Controller from Dynamically Registering Certain Resource Records
   14.20 Allowing Computers to Use a Different Domain Suffix from Their AD Domain
   14.21 Authorizing a DHCP Server
   14.22 Locating Unauthorized DHCP Servers
   14.23 Restricting DHCP Administrators

15. Security and Authentication
   15.1 Enabling SSL/TLS
   15.2 Encrypting LDAP Traffic with SSL, TLS, or Signing
   15.3 Disabling LDAP Signing or Encryption
   15.4 Enabling Anonymous LDAP Access
   15.5 Restricting Hosts from Performing LDAP Queries
   15.6 Restricting Anonymous Access to Active Directory
   15.7 Using the Delegation of Control Wizard
   15.8 Customizing the Delegation of Control Wizard
   15.9 Revoking Delegated Permissions
   15.10 Viewing the ACL for an Object
   15.11 Customizing the ACL Editor
   15.12 Viewing the Effective Permissions on an Object
   15.13 Configuring Permission Inheritance
   15.14 Changing the ACL of an Object
   15.15 Changing the Default ACL for an Object Class in the Schema
   15.16 Comparing the ACL of an Object to the Default Defined in the Schema
   15.17 Resetting an Object's ACL to the Default Defined in the Schema
   15.18 Preventing the LM Hash of a Password from Being Stored
   15.19 Enabling Strong Domain Authentication
   15.20 Enabling List Object Access Mode
   15.21 Modifying the ACL on Administrator Accounts
   15.22 Viewing and Purging Your Kerberos Tickets
   15.23 Forcing Kerberos to Use TCP
   15.24 Modifying Kerberos Settings
   15.25 Viewing Access Tokens

16. Logging, Monitoring, and Quotas
   16.1 Enabling Extended dcpromo Logging
   16.2 Enabling Diagnostics Logging
   16.3 Enabling NetLogon Logging
   16.4 Enabling GPO Client Logging
   16.5 Enabling Kerberos Logging
   16.6 Viewing DNS Server Performance Statistics
   16.7 Monitoring the File Replication Service
   16.8 Monitoring the Windows Time Service
   16.9 Enabling Inefficient and Expensive LDAP Query Logging
   16.10 Using the STATS Control to View LDAP Query Statistics
   16.11 Using Perfmon to Monitor AD
   16.12 Using Perfmon Trace Logs to Monitor AD
   16.13 Creating an Administrative Alert
   16.14 Emailing an Administrator on a Performance Alert
   16.15 Enabling Auditing of Directory Access
   16.16 Enabling Auditing of Registry Keys
   16.17 Creating a Quota
   16.18 Finding the Quotas Assigned to a Security Principal
   16.19 Changing How Tombstone Objects Count Against Quota Usage
   16.20 Setting the Default Quota for All Security Principals in a Partition
   16.21 Finding the Quota Usage for a Security Principal

17. Backup, Recovery, DIT Maintenance, and Deleted Objects
   17.1 Backing Up Active Directory
   17.2 Restarting a Domain Controller in Directory Services Restore Mode
   17.3 Resetting the Directory Service Restore Mode Administrator Password
   17.4 Performing a Nonauthoritative Restore
   17.5 Performing an Authoritative Restore of an Object or Subtree
   17.6 Performing a Complete Authoritative Restore
   17.7 Checking the DIT File's Integrity
   17.8 Moving the DIT Files
   17.9 Repairing or Recovering the DIT
   17.10 Performing an Online Defrag Manually
   17.11 Performing a Database Recovery
   17.12 Creating a Reserve File
   17.13 Determining How Much Whitespace Is in the DIT
   17.14 Performing an Offline Defrag to Reclaim Space
   17.15 Changing the Garbage Collection Interval
   17.16 Logging the Number of Expired Tombstone Objects
   17.17 Determining the Size of the Active Directory Database
   17.18 Searching for Deleted Objects
   17.19 Undeleting a Single Object
   17.20 Undeleting a Container Object
   17.21 Modifying the Tombstone Lifetime for a Domain

18. Application Partitions
   18.1 Creating and Deleting an Application Partition
   18.2 Finding the Application Partitions in a Forest
   18.3 Adding or Removing a Replica Server for an Application Partition
   18.4 Finding the Replica Servers for an Application Partition
   18.5 Finding the Application Partitions Hosted by a Server
   18.6 Verifying Application Partitions Are Instantiated on a Server Correctly
   18.7 Setting the Replication Notification Delay for an Application Partition
   18.8 Setting the Reference Domain for an Application Partition
   18.9 Delegating Control of Managing an Application Partition

19. Active Directory Application Mode
   19.1 Installing ADAM
   19.2 Creating a New ADAM Instance
   19.3 Creating a New Replica of an ADAM Configuration Set
   19.4 Stopping and Starting an ADAM Instance
   19.5 Changing the Ports Used by an ADAM Instance
   19.6 Listing the ADAM Instances Installed on a Computer
   19.7 Extending the ADAM Schema
   19.8 Managing ADAM Application Partitions
   19.9 Managing ADAM Organizational Units
   19.10 Managing ADAM Users
   19.11 Changing the Password for an ADAM User
   19.12 Enabling and Disabling an ADAM User
   19.13 Managing ADAM Groups
   19.14 Managing ADAM Group Memberships
   19.15 Viewing and Modifying ADAM Object Attributes
   19.16 Importing Data into an ADAM Instance
   19.17 Configuring Intrasite Replication
   19.18 Forcing ADAM Replication
   19.19 Managing ADAM Permissions

20. Interoperability and Integration
   20.1 Accessing AD from a Non-Windows Platform
   20.2 Programming with .NET
   20.3 Programming with DSML
   20.4 Programming with Perl
   20.5 Programming with Java
   20.6 Programming with Python
   20.7 Integrating with MIT Kerberos
   20.8 Integrating with Samba
   20.9 Integrating with Apache
   20.10 Integrating with Novell Netware
   20.11 Integrating with Macintosh
   20.12 Replacing the Network Information Service
   20.13 Using BIND for DNS
   20.14 Integrating Down-level Windows Clients
   20.15 Using VMWare for Testing AD
   20.16 Using Virtual Server in an Active Directory Environment

21. Active Directory Federation Services
   21.1 Installing ADFS Prerequisites
   21.2 Installing the Federation Service
   21.3 Configuring an Active Directory Account Store
   21.4 Configuring an ADAM Account Store
   21.5 Configuring an Account Partner
   21.6 Configuring a Resource Partner
   21.7 Creating a Claim Type
   21.8 Configuring an Application
   21.9 Configuring a Forest Trust
   21.10 Configuring an Alternate UPN Suffix
   21.11 Configuring the ADFS Web Agent
   21.12 Enabling Logging for the ADFS Web Agent

22. Exchange Server 2003
   22.1 Preparing Active Directory for Exchange
   22.2 Installing the First Exchange Server
   22.3 Installing Additional Exchange Servers
   22.4 Installing an Exchange Service Pack
   22.5 Creating Unattended Installation Files for Exchange and Exchange Service Pack Installations
   22.6 Installing Exchange Management Tools
   22.7 Delegating Exchange for the First Time
   22.8 Stopping and Starting Exchange Server
   22.9 Mail-Enabling a User
   22.10 Mail-Disabling a User
   22.11 Mailbox-Enabling a User
   22.12 Deleting a User's Mailbox
   22.13 Purging a Deleted Mailbox
   22.14 Reconnecting a Deleted Mailbox
   22.15 Enumerating Disconnected Mailboxes
   22.16 Moving a Mailbox
   22.17 Viewing Mailbox Sizes and Message Counts
   22.18 Configuring Mailbox Limits
   22.19 Mail-Enabling a Contact
   22.20 Mail-Disabling a Contact
   22.21 Creating a Mail-Enabled Distribution List
   22.22 Creating a Query-Based Distribution List
   22.23 Creating an Address List
   22.24 Creating a Recipient Policy
   22.25 Creating a Storage Group
   22.26 Creating a Mailbox Store
   22.27 Moving the Exchange Transaction Logs
   22.28 Listing Domain Controllers and Global Catalog Servers Used by an Exchange Server
   22.29 Mounting and Dismounting Mailbox Stores
   22.30 Enabling Message Tracking

23. Microsoft Identity Integration Server
   23.1 Creating the HR Database MA
   23.2 Creating an Active Directory MA
   23.3 Setting Up a Metaverse Object Deletion Rule
   23.4 Setting Up Simple Import Attribute Flow - HR Database MA
   23.5 Setting Up a Simple Export Attribute Flow to AD
   23.6 Defining an Advanced Import Attribute Flow - HR Database MA
   23.7 Implementing an Advanced Attribute Flow Rules Extension - HR Database MA
   23.8 Setting Up Advanced Export Attribute Flow in Active Directory
   23.9 Configuring a Run Profile to Do an Initial Load of Data from the HR Database MA
   23.10 Loading Initial HR Database Data into MIIS Using a Run Profile
   23.11 Configuring a Run Profile to Load the Container Structure from AD
   23.12 Loading the Initial AD Container Structure into MIIS Using a Run Profile
   23.13 Setting Up the HR Database MA to Project Objects to the Metaverse
   23.14 Writing a Rules Extension to Provision User Objects to the ADMA from Objects in the HR Database MA
   23.15 Creating a Run Profile for Provisioning
   23.16 Executing the Provisioning Rule
   23.17 Creating a Run Profile to Export Objects from the ADMA to Active Directory
   23.18 Exporting Objects to AD Using an Export Run Profile
   23.19 Testing Provisioning and De-Provisioning of User Accounts in AD
   23.20 Creating a Run Profile Script
   23.21 Creating a Controlling Script
   23.22 Enabling Directory Synchronization from AD to the HR Database
   23.23 Configuring a Run Profile to Load the telephoneNumber from AD
   23.24 Loading telephoneNumber Changes from AD into MIIS Using a Delta Import and Delta Synchronization Run Profile
   23.25 Exporting telephoneNumber Data to the HR Database
   23.26 Using the HR Database MA Export Run Profile to Export the Telephone Number to the HR Database
   23.27 Searching Data in the Connector Space
   23.28 Searching Data in the Metaverse
   23.29 Deleting Data in the Connector Space and Metaverse

Index


