| Section | Page |
|---|---|
| Acknowledgments | x |
| Introduction | xi |
| PART I UNDERSTANDING ACTIVE DIRECTORY SERVICES | |
| CHAPTER 1 Understanding Directory Services | 3 |
| Network History and the Need for Directory Services | 3 |
| The Growth of Networks | 4 |
| The Expansion of the Enterprise Network | 4 |
| Administration Needs in the Small Company | 5 |
| The Laws of Computing | 6 |
| Metcalfe’s Law | 7 |
| Moore’s Law | 7 |
| Murphy’s Law | 9 |
| The Directory Defined | 9 |
| What Is a Directory? | 10 |
| What Is a Directory Service? | 10 |
| The Enterprise Directory Service Shopping List | 12 |
| Enterprise Directory Service Requirements | 13 |
| How Active Directory Services Meets Enterprise Directory Service Requirements | 14 |
| Real-Life Directory Examples | 17 |
| The Simple Directory Example | 17 |
| The Advanced Directory Service Example | 18 |
| Directory Service vs. Relational Database | 21 |
| Conclusion | 21 |
| CHAPTER 2 Active Directory Services as a Directory Service Implementation | 23 |
| Active Directory Technical Specifications | 24 |
| Centralization and Scalability | 24 |
| Ease of Administration | 25 |
| Security | 26 |
| Interoperability and Standardization | 27 |
| Active Directory Features | 28 |
| Administration Delegation | 28 |
| Automated Software Distribution | 29 |
| Backup Services | 29 |
| Backward Compatibility | 29 |
| DEA Platform | 29 |
| DEN Platform | 29 |
| IntelliMirror | 30 |
| Printer Search Capabilities | 31 |
| Required Authentication Mechanism | 31 |
| Where Is Active Directory Services? | 31 |
| Departure from the Windows NT 4 Approach | 32 |
| Conclusion | 36 |
| CHAPTER 3 Windows 2000 Domains and Active Directory Services | 37 |
| Windows 2000 Domains | 37 |
| The Domain Hierarchy | 38 |
| Administrative Boundaries | 45 |
| Active Directory Services Interaction | 47 |
| Emulating the Domain Hierarchy | 47 |
| Cataloging the Domain (the Directory Partition) | 47 |
| Cataloging the Enterprise (the Global Catalog) | 52 |
| Conclusions | 52 |
| CHAPTER 4 Active Directory Services Scalability Architecture | 55 |
| The Importance of Scalability | 55 |
| Partitioning Approach | 56 |
| Catalog Services (the Global Catalog) | 58 |
| Namespace | 59 |
| Object | 59 |
| Naming Context | 61 |
| Schema | 61 |
| How the Global Catalog Operates | 62 |
| Replication | 64 |
| Replication Process Overview | 65 |
| Failure Recovery | 65 |
| Resolving Collisions | 66 |
| Reducing Network Traffic | 66 |
| FSMO Roles | 68 |
| Conclusion | 70 |
| CHAPTER 5 More Active Directory Services Architecture | 71 |
| Achieving Ease of Administration | 71 |
| Easing Administration with Centralization | 72 |
| Easing Administration with Standards Compliance | 72 |
| Administration Building Blocks | 72 |
| Achieving Security | 73 |
| Achieving Application Integration | 74 |
| Schema Extensibility | 74 |
| Application Interfaces | 74 |
| Achieving Standardization and Openness | 75 |
| Achieving Centralization | 77 |
| Centralized Administrative Interface | 77 |
| Single Sign-on | 77 |
| Active Directory Connectors | 79 |
| Extensible Schema | 79 |
| CHAPTER 6 Active Directory Services and DNS | 81 |
| Understanding DNS | 82 |
| Computer Names, Host Names, FQDNs, and Relative Distinguished Names | 83 |
| DNS Concepts | 84 |
| DNS Components | 87 |
| DNS Name-Resolution Operations | 99 |
| Recursive Queries | 100 |
| Iterative Queries | 101 |
| How Active Directory Services Uses DNS | 103 |
| Domain Controller Registration | 103 |
| SRV Resource Record Registration | 104 |
| Locating a Domain Controller | 109 |
| Integrating DNS with Active Directory Services | 112 |
| PART II DEPLOYING ACTIVE DIRECTORY SERVICES | |
| CHAPTER 7 Planning an Active Directory Services Deployment | 117 |
| Overview of Planning Decisions | 118 |
| Components of Your Active Directory Services Plan | 118 |
| Understanding Windows 2000 Groups | 120 |
| Noteworthy Built-In Windows 2000 Groups | 123 |
| Active Directory Services Planning Recommendations | 124 |
| Planning the Forest | 124 |
| Planning Domains | 127 |
| Planning Organizational Units | 140 |
| Planning Sites: Getting Tight with the Network | 143 |
| Conclusions | 148 |
| CHAPTER 8 Active Directory Services and Security | 149 |
| Windows 2000 Security | 149 |
| Windows 2000 Security Primitives | 149 |
| Security Implementation vs. Security Protocols | 151 |
| Active Directory Security | 152 |
| Object and Attribute Security | 153 |
| Directory Database Security | 155 |
| Understanding the Windows 2000 Security Infrastructure | 156 |
| Logon, Authentication, and Authorization | 157 |
| Understanding the Kerberos Protocol | 159 |
| Understanding Public Key Infrastructure | 170 |
| Understanding SSL/TLS | 181 |
| Security and Active Directory Deployments | 183 |
| Security and Domain Trusts | 183 |
| Physical Security | 185 |
| CHAPTER 9 Managing Active Directory Services | 189 |
| Everyday Management | 190 |
| Mapping Windows NT Tasks to Windows 2000 Interfaces | 192 |
| Promoting Windows 2000 Servers to Domain Controllers | 193 |
| Using Active Directory Services Snap-Ins | 203 |
| Delegating Administration | 241 |
| Performing Active Directory Services Backups and Restores | 246 |
| Advanced Management | 254 |
| Managing Replication Strategies | 255 |
| Windows 2000 Group Policy | 261 |
| Managing FSMO Roles | 265 |
| Command-Line Management | 270 |
| Getting the Most out of the Command Line | 271 |
| Active Directory Services Command-Line Utilities | 277 |
| Conclusion | 284 |
| CHAPTER 10 Working with the Active Directory Services Schema | 285 |
| Understanding the Schema | 285 |
| The Schema Namespace | 286 |
| Content and Structure Enforcement | 287 |
| Object Interaction Clarified | 291 |
| The Base Schema | 295 |
| Base DIT Class Listing | 295 |
| Base DIT Class Hierarchy | 295 |
| Base DIT Attribute Listing | 296 |
| Extending the Schema | 297 |
| classSchema Configuration Parameters | 298 |
| Creating New Schema Class Objects | 300 |
| attributeSchema Object Configuration Parameters | 308 |
| Creating New Schema Attribute Objects | 314 |
| Deactivating Classes and Attributes | 315 |
| Resurrecting Classes and Attributes | 316 |
| The Schema Cache | 316 |
| Conclusion | 317 |
| CHAPTER 11 Upgrading to Active Directory Services | 319 |
| Understanding Your Upgrade Options | 320 |
| Upgrade or Restructure: Choosing the Right Path | 321 |
| Upgrading from a Windows NT Environment | 324 |
| The Upgrade Process | 324 |
| Upgrading Additional Domains | 331 |
| Transitioning LAN Manager Replication to File Replication Services (FRS) | 331 |
| Transitioning Routing and Remote Access Service (RRAS) Servers | 332 |
| Restructuring a Windows NT Environment | 333 |
| Understanding Restructuring | 333 |
| Transitioning Resource Domains into OUs | 336 |
| Conclusion | 337 |
| CHAPTER 12 Migrating to Active Directory Services | 339 |
| Migrating from Novell NDS | 340 |
| Migrating from Exchange Server | 340 |
| Active Directory Services and Exchange Server 5.5 | 341 |
| Authentication Methods and Their Security | 343 |
| Integration of Exchange Server Platinum and Active Directory Services | 345 |
| Migrating from Other Directory Services | 348 |
| DirSync | 348 |
| The LDIFDE Command-Line Utility | 349 |
| ADSI Scripting | 351 |
| Conclusions | 352 |
| CHAPTER 13 Making Postdeployment Organizational Changes | 355 |
| Making Forest Changes | 356 |
| What You Can Change | 357 |
| What You Cannot Change | 359 |
| Making Domain Changes | 359 |
| What You Can Change | 360 |
| What You Cannot Change | 361 |
| Understanding SIDhistory | 362 |
| Using MoveTree | 364 |
| Using ClonePrincipal | 367 |
| Making OU Changes | 368 |
| What You Can Change | 368 |
| What You Cannot Do with OUs | 371 |
| Making Site Changes | 372 |
| What You Can Do with Sites | 372 |
| Conclusions | 373 |
| CHAPTER 14 Administratively Leveraging Active Directory Services | 375 |
| Managing Change | 376 |
| What Change and Configuration Management Enables | 377 |
| Using IntelliMirror | 379 |
| Technologies That Enable IntelliMirror | 382 |
| User Data Management | 383 |
| Software Installation and Maintenance | 384 |
| User Settings Management | 387 |
| Implementing IntelliMirror | 388 |
| Life Without IntelliMirror | 398 |
| Using Remote OS Installation | 398 |
| Technologies That Enable Remote OS Installation | 400 |
| Implementing Remote OS Installation | 402 |
| Living Without Remote OS Installation | 411 |
| Using Distributed File System | 412 |
| Technologies That Enable Dfs | 414 |
| Dfs Technical Details | 414 |
| Implementing Dfs | 415 |
| Conclusions | 424 |
| PART III APPENDIXES | |
| APPENDIX A Windows 2000 DIT Classes | 429 |
| APPENDIX B Base DIT Class Hierarchy | 431 |
| APPENDIX C Windows 2000 Base DIT attributeSchema Objects | 435 |
| Index | 445 |