Active Directory™ Services for Microsoft® Windows® 2000 Technical Reference
Author David Iseminger
Pages 480
Disk N/A
Level Int/Adv
Published 01/12/2000
ISBN 9780735606241
ISBN-10 0-7356-0624-2
Price(USD) $49.99
Index


Page numbers in italics indicate illustrations.

A
–a parameter, 82
abstract classes, 303
AccessPointDN, 290, 312
access rights Permissions screen, 199, 200
account domains, upgrading from NT, 325
ACEs (access control entries), 149–50
ACLs (access control lists), 149. See also DACLs (discretionary access control lists); SACLs (system access control lists)
Active Directory Connector (ADC), 79, 341–42
Active Directory Domains And Trusts snap-in, 203, 229–32, 229, 266, 268
Active Directory Installation wizard, 193–202, 195, 327
Active Directory Schema snap-in, 203, 232–41, 233
    attribute objects, 237–40
    class objects, 233–37
    loading, 232–33, 233
    replicate attributes to Global Catalog, 240–41
    Schema Master, 266–67
    view object information, 240
Active Directory Sites And Services snap-in, 203, 219–29, 220, 260–61
Active Directory Users And Computers snap-in, 203, 206–19, 207
    Add User button, 210
    computers, adding, 211–12
    Delegation Of Control wizard, 241–46
    domain-based FSMO roles, 266, 268–69
    Folder Redirection, 389–93
    groups, adding, 213–14
    managed computers check box, 210
    moving objects, 217–19
    object selection, 207
    OUs adding, 214–15
    printers, adding, 215–17
    Properties sheet, 390, 391
    shared folders, adding, 215–17
    shortcut menus, 207
    Software Installation and Maintenance, 394–98
    user passwords, 209
    users adding, 208–10
ADC (Active Directory Connector), 79, 341–42
adding
    computers, 211–12
    printers, 215–17
    shared folders, 215–17
    users, 208–10
additional sites, 130–31, 134
Add User button, 210
adminDisplayName, 299, 309
administration, 375–79. See also administrators; management
    building blocks, 72–73
    centralization, 6–8, 13, 71–72, 379
    Change and Configuration Management, 377–79
    delegation, 28–29, 73, 241–46
    desktops, 261–65
    Dfs (distributed file system), 412–24
    domains, number required, 136
    ease of, 14–15, 25–26, 71–73
    IntelliMirror, 30–31, 379–98
    multiple forests, 125–27
    OUs (organizational units), 140–43, 369
    parent/child domain structure, 127–28
    remote access, 378
    Remote OS Installation, 398–411
    self-healing applications, 72
    snap-in availability, 203
    software, centralized, 379
    standardization, 71–72
    TCO (total cost of ownership), 376–77
    without logging user off, 283–84
administrative boundaries, 45–47
Administrative Tools
    Configure Your Server dialog box, 193–94, 194
    display name of class used, 299
    Distributed File System snap-in, 417–24
    installing, 204–5
    loading snap-ins, 206
    locating, 203
administrators, 4–5
    Enterprise Administrators group, 356
    local passwords, 200
    Schema Administrators group, 356
ADSI (Active Directory Service Interfaces), 15–16, 63, 74–75, 155
    schema class creation, 308
    Scripting, 351–52
advanced management, 190, 254–70
aliases, 94
APIs (application programming interfaces), 74–75
applications
    ADSI, 74–75
    APIs, 74–75
    assigning vs. publishing, 385–87
    automated distribution, 29–31
    automatic fixes, 384–87
    BDC-dependent, 328
    DEAs, 29
    directory enabled, 297
    installation, 384–87
    integration, 74–75
    IntelliMirror, 30–31
    interface, 14–16
    schema, 74, 297
    self-healing, 72
    Windows Installer, 385
architecture
    Global Catalog, 58–64
    partitioning, 56–58
    replication, 64–68
    scalability, 55–70
A records, 106
AS (Authentication Service) Exchange, 159–63, 162
assigning software, 385–86
attribute ID, 309–10
attributes
    adding, 235–36
    adding to classes, 297–98
    attributeSyntax, 289–90
    creating, 298
    default, 62
    indexing, 315
    inheritance, 304–5
    isSingleValued, 314
    multivalued, 314–15
    objects, 59, 289
    Properties sheet, 238, 239, 241, 241
    schema, 61–62, 287–90, 314–16
    security, 153–55
    Top class, 296
attributeSchema class, 287, 289–96, 308–15
attributeSecurity GUID, 309
attributeSyntax attribute, 289–90, 309–14
auditing, SACL, 150
authentication, 31, 165
    cross-link trusts, 45
    Exchange Server, 343
    Kerberos, 159–70, 162
    mutual, 166–67
    SSL/TLS, 181
    user logons, 157–58
authoritative restore, 253–54, 278
authorization, 159–60
automated software distribution, 29–31
automatic population, 16–17
auxiliaryClass, 299
auxiliary classes, 299, 303–4, 304

B
Backup And Recovery Tools screen, 246–48, 246
backups, 29
    Active Directory, 246–53
    Dfs, 424
    labels, 251
    media options, 251
    restoring backups, 253–54
    scheduling, 251
    System State data, 246–53
    type selection, 250
    upgrading from Windows NT, 326
    users, 384
backward compatibility, 29
base directory information tree (DIT), 286, 295–96
base schema, 295–96
BDCs (Backup Domain Controllers)
    applications, dependent, 328
    mixed mode, 329
    resource domain upgrades, 336
    rollbacks, 330
    RRAS Server, 332
    security, 330
    upgrading process, 326–28
benefits of Active Directory, 9
binary, reading, 228–29
BIOS, flash upgrade, 406
Boolean, 290, 311
booting
    from CD, 187
    remote (see Remote OS Installation)
bridgehead servers, 257–61, 258, 259
building blocks, 72–73

C
C programming language, LDAP, 75
cabling, security, 187–88
caching servers, 88
capacity, domain controllers, 146–47
CAs (Certificate Authorities), 173–75, 179–80. See also Microsoft Certificate Server
CaseExactString, 290, 312
CaseIgnoreString, 290, 313
catalogs, 47–52
catalog services, 58. See also Global Catalog
central definition of settings, 378
centralization, 13–14, 77–79
    Active Directory Connectors, 79
    domain controllers, 77
    ease of administration, 71–72
    schema, 79
    single sign-on, 77, 78
    technical specifications, 24–25
Certificate Authorities. See CAs (Certificate Authorities)
certificates. See digital certificates
Certificate Server. See Microsoft Certificate Server
Change and Configuration Management, 377–79
    IntelliMirror, 379–98
    map of features and benefits, 400
    Remote OS Installation, 398–400
Change Mode button, 232
changes, postdeployment. See organizational changes
child domains, 38
classes, 88, 304
    abstract, 303
    adding attribute objects, 238–40
    adding attributes, 235–36
    ADSI, 308
    assigning LDAP name, 234–35
    assigning OIDs, 234–35
    attributes, creating, 298
    auxiliary, 303–4, 304
    creation process, 307–8
    deleting, 315–16
    inheritance, 304–5
    Lost-And-Found, 296
    objectClassCategory, 303
    parents, 299
    schema, 287–88
        creating, 297–98
        deactivating, 315–16
        modifying, 297–98
        resurrecting, 316
    structural, 303
    subclasses, 298
    system checks, 305–7
    Top, 296
    types, 303–4
classSchema objects, 287–89, 291–95, 298, 303–4
Client Installation wizard, 403
ClonePrincipal, 335, 367–68
closed sets, 365–67
Cmd command, 276
cn, 298, 309–10
CNAME (canonical name) RRs, 94
collisions, 66
combination upgrade, 320, 324
command line, 270–84, 271
    application menu, 271
    clipboard, 272
    Colors page, 274–75, 274
    command history, 272
    customizing, 271–75
    Edit Options, 272
    fonts, 273
    function keys, 276
    help, context sensitive, 277
    keyboard shortcuts, 275–76
    Layout page, 273–74, 273
    LDIFDE utility, 282–83, 349–51
    management, 190, 270–84
    ntdsutil, 277–82
    Options page, 272–73, 273
    properties sheet, 272–74
    runas utility, 283–84
    saving settings, 272
    screen buffer size, 274
    shortcuts, 275–76
    syntax, 277
    utilities, 277–84
    window size, 274
command prompt. See command line
compatibility, backwards, 29
compression, replication, 145
computers
    adding to OUs or domains, 211–12
    GPOs, 261–65
    managed check box, 212
    names, 83–85
computing, laws of, 6–9
configuration
    namespaces, 287
    parameters, 298, 309
Configuration container, 124, 143
connection agreements, 342–44
connections, replication, 145
consistency checks, 305–6
consolidation, 339
containers
    access rights, 154–55
    Configuration, 124, 143
costs of links, 226
Create New Dfs Root wizard, 418–21, 418–21
Create Or Join Forest screen, 196, 196
Create Time inheritance, 154–55
Create Tree Or Child Domain screen, 195, 196
cross-domain object references, 266
cross-link trusts, 44–45
CS (client/server) Exchange, 159, 161, 166–67, 166
CSPs (cryptographic service providers), 176–77

D
DACLs (discretionary access control lists), 73, 150–52
Database And Log Locations screen, 197, 198
databases, Active Directory. See also zone files
    location, 31–36, 197
    security, 155
db files. See zone files
DEAs (Directory-Enabled Applications), 29, 297
defaultHidingValue, 300
defaultObjectCategory, 299
defaultSecurityDescriptor, 300
delegation of administration, 73, 143, 241–46
Delegation Of Control wizard, 143, 241–46
DENs (Directory-Enabled Networks), 29–30
deployment, 193–202
description, 300, 309
desktop management, 261–65. See also IntelliMirror; Remote OS Installation
Dfs (distributed file system), 412–24
    backups, 424
    enabling technologies, 414
    File Replication Services, 414
    filing structure, 413
    implementing, 415–24
    limitations, 424
    links, 415, 422–23
    PKT, 414–15
    replica, 415, 423
    roots, 416–21, 417
    security, 424
    snap-in, 417–24
    Windows NT 4.0, 414, 416
    Windows 2000 Server, 416
DHCP (Dynamic Host Configuration Protocol)
    Dynamic DNS, 98
    Remote OS Installation, 401, 403, 409
digital certificates, 156, 170–79
    authentication, 176–77
    CA services, 174–78
    certificate services, 174–75
    creation, 176, 178
    cryptographic service providers, 176–77
    expiration, 174
    fields, 174
    issuance, 176
    service operation, 178–79
digital envelopes, 172
digital post office, 172
digital signatures, 172–73
directories
    catalog, 52
    consolidation, 339
    defined, 9–10
    distribution, 51–52
    non–Active Directory (see migration)
    partitions (see partitioning)
    replication, 51–52
    simple example, 17–18
    stores, 31–36, 33–35
Directory-Enabled Applications. See DEAs (Directory-Enabled Applications)
Directory-Enabled Networks. See DENs (Directory-Enabled Networks)
directory information tree. See DIT (directory information tree)
directory services
    Administrator Password screen, 200, 200
    advanced example, 18–19
    applications interface, 14–16
    centralization, 13–14
    defined, 9–12
    DNS, 10–11
    enterprise class, 11–17
    history, 3–5
    multipurpose, 10–12
    vs. relational databases, 21
    need for, 5
    Restore Mode, 200
    scalability, 13
    security, 14–15
    WINS, 10
directory stores, 31–36, 33–35
DirectoryString, 290, 312
DirSync, 340, 348
discretionary access control lists. See DACLs (discretionary access control lists)
Discretionary Control, 142
distinguished names, 60
Distributed File System snap-in, 417–24
distribution, directory, 51–52
distribution list, 347
DIT (directory information tree), 286
    attribute listing, 296
    base classes, 295–96
DN, 290, 311
DNS (Domain Name Service), 10–11, 81–113
    caching, 88–89
    components, 87–99
    concepts, 84–87
    Configure DNS screen, 199, 199
    domain controller location, 110–12
    domain names, 360–61
    domains, 86–87
    Dynamic, 98–99
    dynamic updates, 103
    forwarders, 89–91
    FQDN, 84, 86
    full zone transfers, 96–97, 97
    Global Catalog, 64
    illegal characters, 85
    incremental zone transfers, 98, 99
    installing, 199, 199
    integrated, 96, 112–13
    iterative queries, 101–3, 102
    Microsoft, 112–13
    name resolution, 75, 87, 99–100
    namespaces, 82–84, 86
    New Domain screen, 196, 197
    Notify, 98–99
    publishing to, 103
    recursive queries, 100–101, 101
    registered names, 137–39
    relative distinguished name, 84, 86
    Remote OS Installation, 401
    resolvers, 91
    reverse name resolution, 87
    root, 87
    RRs (resource records), 82, 91–96
    scalability, 24
    secondary servers, 93
    servers, 87–91
    slaves, 90–91
    Unicode characters, 85
    Windows 2000, 140
    zones, 87–88
DNWithBinary, 290
DNWithOctetString, 291, 312
DNWithString, 291, 314
domain controllers, 31–36, 34–35, 77. See also PDCs (Primary Domain Controllers)
    Administrator Password screen, 200, 200
    backups, 247
    bridgehead servers, 257–59, 258, 259
    capacity, 146–47
    Configure DNS screen, 199, 199
    Create Or Join Forest screen, 196, 196
    Create Tree Or Child Domain screen, 195, 196
    creating, 193–202
    Database And Log Locations screen, 197, 198
    Domain Controller Type screen, 194, 194
    fault tolerance, 146
    FSMO roles, 265–66
    Global Catalog, 52, 62, 147–48, 266
    KCC, 255–60
    KDC, 44, 160–61
    locating, 109–12
    LSA (Local Security Authority), 155
    move to new domain, 334
    namespaces, 286–87
    NetBIOS Domain Name screen, 197, 197
    New Domain screen, 196, 197
    partitioning, 56–57, 56
    Permissions screen, 199, 200
    planning, 146–48
    promoting servers to, 32, 193–202
    property version numbers, 66
    queries, 50
    recovery, 65
    registration, 103–4
    remote, 51
    restoring, 253–54
    schema, 286–87
    security, 153, 205
    server type designation, 105
    Shared System Volume screen, 198, 198
    site links, 147
    upgrading from BDCs, 328
    user accounts, 146
    USNs, 68
Domain Controller Type screen, 194, 194
domain local groups, 121–23
Domain Name Service. See DNS (Domain Name Service)
Domain Naming Master, 69, 265–66, 268
domain partition namespaces, 287
domains, 37–53, 86–87
    account, upgrading, 325
    Active Directory Domains And Trusts snap-in, 229–32, 229
    adding
        children, 360
        computers, 211–12
        effects of, 58
        to forests, 357, 362
        groups, 213–14
        OUs, 214–15
        parents, 362
        printers, 215–17
        shared folders, 215–17
        trusts, 230–31
        users, 208–10
    administrative requirements, 136
    administrative rights, 46–47
    cataloging, 47–52
    changes, organizational, 359–68
    child, 38, 360
    directory distribution, 51–52
    directory partitions, 47–50
    DNS, 38–39
    forests, 40, 124
    General property page, 232, 232
    GPOs, 127, 261–65
    hierarchy, 38–40
    Internet DNS name, 138–39
    intranet vs. Internet distinction, 139
    management submenu, ntdsutil, 278–79
    maps for planning, 130–31, 132–34
    merging, 362
    MoveTree utility, 364–67
    moving, 137, 361
    multiple, reasons for, 135
    multiple-site, 136, 144
    naming, 38, 128, 137–40, 360–61
    non-standard characters in names, 140
    number of, 135
    OUs, 46–47, 140–43
    parent/child structure, 128
    physical network topology, 130
    planning, 119, 127–40
    Property sheet, 232, 232
    queries, 50
    registered DNS names, 137–39
    removing, 360
    renaming, 362
    replication traffic, 136
    root, 38, 138–39
    security, 152
    SIDhistory, 362–64
    SMTP links, 136
    splitting, 362
    stability, 119
    structure, 35, 326
    switching to native mode, 231–32
    TGTs (ticket granting tickets), 135
    transitive trust relationships, 230
    trees, 39–40, 39, 41, 129, 129, 137
    trusts, 40–45, 183–85
    upgrading, 321–22, 325–26, 331
    Windows 2000 DNS, 140
    Windows NT, 137
Domains And Trusts snap-in, 203, 229, 229–32, 266, 268, 330
domainwide FSMO roles, 265
DSA (Directory Service Agent), 155
DsGetDcName(), 110
Dynamic DNS. See DNS (Domain Name Service), Dynamic
dynamic inheritance, 154
dynamic updates, 98, 103–4, 112

E
ease of administration, 14–15, 25–26, 71–73
e-mail distribution lists, 120
encryption
    data, 187–88
    Kerberos, 168
    one-way hash, 163
    PKI, 171
    RRAS, 187
    SSL/TLS, 181–82
engine, 21
Enterprise Administrators group, 124, 130, 356
enterprise class directory services, 11–17
enterprise solutions, 14–17
Entire Directory search, 125
Enumeration, 291, 314
Event Viewer snap-in, 276
Eventvwr command, 276
everyday management, 189–252
Exchange Server, migration from, 21, 340–47
    5.5, 341–45
    authentication, 343
    configuration information, 347
    connection agreements, 342–44
    custom recipients, 347
    deletions, 344
    distribution list, 347
    e-mail, 346–47
    mailboxes, 344, 346
    Platinum, 341–42, 345–47
    policies, 343
    recipient information, 346–47
    replication, 342–43, 346
    schema, 346–47
    Service Pack 1, 341
    Sites container, 347
    synchronization, 340, 342
Explorer command shortcut, 276
exporting in LDAP format, 349–51
export objects, 282–83

F
failure recovery, 65
fault tolerance
    domain controllers, 146
    IntelliMirror, 384
    root domains, 138
features, 28–31
fiber-optic cabling security, 188
files, ntdsutil submenu, 279
file servers, 412–24
floppy drive security, 186
Folder Redirection
    enabling, 389–92
    IntelliMirror, 382
forests, 40, 41, 50
    add new domains, 357
    changes, 356–59
    Configuration container, 124
    Create Or Join Forest screen, 196, 196
    domains, 124
    Enterprise Administrators group, 356
    merging, 359
    MoveTree utility, 364–67
    moving
        domains, 361
        objects, 358
        user accounts, 367–68
    multiple, 126
    number of, 125–27
    planning, 119, 124–27
    resource sharing, 358
    root, upgrading from NT, 325
    root domain installation, 359
    Schema Administrators group, 356
    security principals, 359
    transitive trust relationships, 230
    upgrade planning, 321
forestwide FSMO roles, 265
forwarders, 89–91, 90
FQDN (fully qualified domain name), 84, 85
FRS (File Replication Services)
    Dfs (distributed file system), 414
    upgrading from Windows NT, 331–32
FSMO (flexible single–master operation), 68–70
    role holders, 68–69
    submenu, ntdsutil, 280–81
FSMO roles
    categories, 265
    domain based, 265–66
    locating, 265–66
    managing, 265–70
    seizing, 270
    transferring, 269–70
Full Control, 142
fully qualified domain name. See FQDN (fully qualified domain name)
full zone transfers, 96–97, 97
function of Active Directory, 5
function keys, command line, 276

G
genealogy constraints, 294
GeneralizedTime, 291, 312
Global Catalog, 52, 58–64
    ADSI, 63
    housing, 62
    namespace, 59
    naming contexts, 61
    objects, 59–60
    operation, 62–64
    replicate attributes to, 240–41
    schema, 61–62
    searches, 63–64
    servers
        domain controllers, 147–48
        SRV RRs, 107–8
        type designation, 105
    universal groups, 122
global groups, 121
governsID, 298–99
GPOs (Group Policy objects), 261–65
    boundaries, 127
    create new, 395
    Folder Redirection, 390–91
    software deployment, 394–98
Group Policies, 261–65. See also GPOs (Group Policy objects)
    domain trees, 129–30
    IntelliMirror, 378, 382
    OUs, 143, 371
    property page, 263, 395, 395
    Software Installation and Maintenance feature, 385
Group Policy snap-in, Folder Redirection, 391–92, 391
groups. See also Group Policies
    adding, 213–14
    built-in, 123–24
    delegating control to, 241–46
    domain local, 121–23
    e-mail distribution lists, 120
    Enterprise Administrators, 124, 130, 356
    export objects, 282–83
    global, 121, 123
    GPOs, 261–65, 390–98
    local, 121, 123
    maximum number of members, 121
    MoveTree utility, 365–67
    moving to OUs, 336
    naming, 213
    native mode, 329
    nesting, 121
    non–security, 120
    planning, 120–24
    restructuring, 335–36
    Schema Administrators, 124, 356
    scope, 213
    security, 120
    software distribution, 394
    stand-alone servers, 206
    type selection, 213
    universal, 122–23
GUIDs (globally unique identifiers), 105

Last Updated: Friday, July 6, 2001