| Section | Page |
| --- | --- |
| List of Tables | xii |
| Dedications | xiii |
| Acknowledgments | xiv |
| Introduction | xv |
| PART I Windows Server 2003 Active Directory Overview | |
| 1 Active Directory Concepts | 3 |
| The Evolution of Microsoft Directory Services | 3 |
| LAN Manager for OS/2 and MS-DOS | 4 |
| Windows NT and SAM | 4 |
| Windows 2000 and Active Directory | 6 |
| Windows Server 2003 Domains and Active Directory | 7 |
| Active Directory Open Standards | 8 |
| X.500 Hierarchies | 8 |
| Lightweight Directory Access Protocol (LDAP) | 10 |
| Key Features and Benefits of Active Directory | 12 |
| Centralized Directory | 12 |
| Single Sign-On | 12 |
| Delegated Administration | 12 |
| Common Management Interface | 13 |
| Integrated Security | 13 |
| Scalability | 13 |
| What's New in Windows Server 2003 Active Directory | 14 |
| Active Directory Users And Computers Improvements | 14 |
| Levels of Functionality | 14 |
| Domain Rename | 15 |
| Application Directory Partitions | 15 |
| Additional Domain Controller Installed from Backup Media | 15 |
| Deactivation of Schema Objects | 16 |
| Disabling Compression of Replication Traffic Between Different Sites | 16 |
| Global Catalog Not Required for Logon | 16 |
| Group Membership Replication Improvements | 16 |
| Object Picker UI Improvements | 17 |
| Lingering Object Removal Mechanism | 17 |
| inetOrgPerson Support | 17 |
| Summary | 17 |
| 2 Active Directory Components | 19 |
| Active Directory Physical Structure | 19 |
| The Directory Data Store | 19 |
| Domain Controllers | 20 |
| Global Catalog Servers | 20 |
| Operations Masters | 23 |
| Transferring Operations Master Roles | 25 |
| The Schema | 26 |
| Active Directory Logical Structure | 31 |
| Active Directory Partitions | 32 |
| Domains | 36 |
| Domain Trees | 37 |
| Forests | 38 |
| Trusts | 39 |
| Sites | 43 |
| Organizational Units | 46 |
| Summary | 48 |
| 3 Active Directory and Domain Name System | 49 |
| DNS Overview | 49 |
| Hierarchical Namespace | 50 |
| Distributed Database | 51 |
| Name Resolution Process | 51 |
| Resource Records | 52 |
| DNS Domains, Zones, and Servers | 54 |
| DNS and Windows Server 2003 Active Directory | 61 |
| DNS Locator Service | 61 |
| Active Directory Integrated Zones | 66 |
| DNS Enhancements | 69 |
| Summary | 75 |
| 4 Active Directory Replication and Sites | 77 |
| Active Directory Replication Model | 77 |
| Replication Enhancements in Windows Server 2003 Active Directory | 79 |
| Intrasite and Intersite Replication | 80 |
| Intrasite Replication | 81 |
| Intersite Replication | 82 |
| Replication Latency | 83 |
| Urgent Replication | 83 |
| Replication Topology Generation | 84 |
| Knowledge Consistency Checker | 84 |
| Connection Objects | 85 |
| Intrasite Replication Topology | 86 |
| Global Catalog Replication | 91 |
| Intersite Replication Topology | 93 |
| Replication Process | 95 |
| Update Types | 96 |
| Replicating Changes | 96 |
| Configuring Intersite Replication | 102 |
| Creating Additional Sites | 103 |
| Site Links | 103 |
| Site Link Bridges | 105 |
| Replication Transport Protocols | 106 |
| Configuring Bridgehead Servers | 107 |
| Monitoring and Troubleshooting Replication | 108 |
| Summary | 110 |
| PART II Implementing Windows Server 2003 Active Directory | |
| 5 Designing the Active Directory Structure | 113 |
| Designing the Forest Structure | 113 |
| Forests and Active Directory Design | 114 |
| Single or Multiple Forests | 116 |
| Defining Forest Ownership | 119 |
| Forest Change Control Policies | 120 |
| Designing the Domain Structure | 121 |
| Domains and Active Directory Design | 121 |
| Determining the Number of Domains | 121 |
| Designing the Forest Root Domain | 124 |
| Designing Domain Hierarchies | 125 |
| Domain Trees and Trusts | 128 |
| Changing the Domain Hierarchy | 129 |
| Defining Domain Ownership | 130 |
| Designing the DNS Infrastructure | 131 |
| Examining the Existing DNS Infrastructure | 131 |
| Namespace Design | 132 |
| Designing the Organizational Unit Structure | 143 |
| Organizational Units and Active Directory Design | 143 |
| Designing an OU Structure | 144 |
| Creating an OU Design | 146 |
| Designing the Site Topology | 149 |
| Sites and Active Directory Design | 149 |
| Networking Infrastructure and Site Design | 150 |
| Creating a Site Design | 150 |
| Designing Server Locations | 153 |
| Summary | 158 |
| 6 Installing Active Directory | 159 |
| Prerequisites for Installing Active Directory | 159 |
| Hard Disk | 160 |
| Network Connectivity | 160 |
| DNS | 161 |
| Administrative Permissions | 163 |
| Active Directory Installation Options | 163 |
| Configure Your Server Wizard | 163 |
| Active Directory Installation Wizard (Dcpromo.exe) | 164 |
| Unattended Installation | 165 |
| Using the Configure Your Server Wizard | 165 |
| Using the Active Directory Installation Wizard | 167 |
| Operating System Compatibility | 168 |
| Domain and Domain Controller Types | 169 |
| Naming the Domain | 171 |
| File Locations | 172 |
| Verify or Install a DNS Server | 173 |
| Selecting Default Permissions for User and Group Objects | 175 |
| Completing the Installation | 176 |
| Performing an Unattended Installation | 178 |
| Installing Active Directory from Restored Backup Files | 179 |
| Removing Active Directory | 180 |
| Removing Additional Domain Controllers | 182 |
| Removing the Last Domain Controller | 183 |
| Unattended Removal of Active Directory | 184 |
| Summary | 184 |
| 7 Migrating to Active Directory | 185 |
| Migration Paths | 186 |
| The Domain Upgrade Migration Path | 187 |
| The Domain Restructure Migration Path | 189 |
| The Upgrade-Then-Restructure Migration Path | 191 |
| Determining Your Migration Path | 192 |
| Migration Path Decision Criteria | 192 |
| Choosing the Domain Upgrade Path | 193 |
| Choosing the Domain Restructure Path | 195 |
| Choosing the Upgrade-Then-Restructure Path | 197 |
| Preparing for Migration to Active Directory | 198 |
| Planning the Migration | 198 |
| Testing the Migration Plan | 204 |
| Conducting a Pilot Migration | 204 |
| Upgrading the Domain | 205 |
| Upgrading from Windows NT Server 4 | 205 |
| Upgrading from Windows 2000 Server | 213 |
| Restructuring the Domain | 215 |
| Creating the Pristine Forest | 217 |
| Migrating Account Domains | 222 |
| Migrating Resource Domains | 226 |
| Upgrading Then Restructuring | 231 |
| Configuring Interforest Trusts | 232 |
| Summary | 236 |
| PART III Administering Windows Server 2003 Active Directory | |
| 8 Active Directory Security | 239 |
| Active Directory Security Basics | 239 |
| Security Principals | 240 |
| Access Control Lists | 240 |
| Access Tokens | 241 |
| Authentication | 241 |
| Authorization | 242 |
| Kerberos Security | 242 |
| Introduction to Kerberos | 243 |
| Kerberos Authentication | 245 |
| Delegation of Authentication | 251 |
| Configuring Kerberos in Windows Server 2003 | 253 |
| Integration with Public Key Infrastructure | 254 |
| Integration with Smart Cards | 257 |
| Interoperability with Other Kerberos Systems | 258 |
| NTLM Security | 260 |
| Summary | 260 |
| 9 Delegating the Administration of Active Directory | 261 |
| Active Directory Object Permissions | 261 |
| Standard Permissions | 262 |
| Special Permissions | 264 |
| Permissions Inheritance | 268 |
| Effective Permissions | 270 |
| Ownership of Active Directory Objects | 273 |
| Auditing the Use of Administrative Permissions | 274 |
| Delegating Administrative Tasks | 276 |
| Customized Tools for Delegated Administration | 280 |
| Customizing the Microsoft Management Console | 280 |
| Creating a Taskpad for Administration | 281 |
| Planning for the Delegation of Administration | 282 |
| Summary | 283 |
| 10 Managing Active Directory Objects | 285 |
| Managing Users | 285 |
| User Objects | 285 |
| inetOrgPerson Objects | 290 |
| Contact Accounts | 291 |
| Managing Groups | 292 |
| Group Types | 292 |
| Group Scope | 293 |
| Creating a Security Group Design | 296 |
| Managing Computers | 299 |
| Managing Printer Objects | 301 |
| Publishing Printers in Active Directory | 301 |
| Managing Published Shared Folders | 304 |
| Windows Server 2003 Active Directory Administration Enhancements | 305 |
| Summary | 306 |
| 11 Introduction to Group Policies | 307 |
| Group Policy Overview | 308 |
| Implementing Group Policies | 311 |
| Creating GPOs | 312 |
| Administering Group Policy Objects | 313 |
| Group Policy Inheritance and Application | 314 |
| Modifying the Default Application of Group Policies | 316 |
| Group Policy Processing | 321 |
| Delegating Administration of GPOs | 326 |
| Implementing Group Policies Between Domains and Forests | 327 |
| Group Policy Management Tools | 328 |
| RSoP Tool | 328 |
| GPResult | 329 |
| GPUpdate | 330 |
| Group Policy Management Console | 330 |
| Group Policy Design | 332 |
| Summary | 333 |
| 12 Using Group Policies to Manage Software | 335 |
| Windows Installer Technology | 336 |
| Creating a .msi File | 336 |
| Deploying Software Using Group Policies | 337 |
| Deploying Applications | 338 |
| Using Group Policies to Distribute Non-Windows Installer Applications | 341 |
| Configuring Software Package Properties | 343 |
| Setting the Default Software Installation Properties | 345 |
| Installing Customized Software Packages | 345 |
| Updating an Existing Software Package | 347 |
| Managing Software Categories | 349 |
| Configuring File Extension Activation | 350 |
| Removing Software Using Group Policies | 351 |
| Using Group Policies to Configure Windows Installer | 352 |
| Planning for Software Distribution Using Group Policies | 354 |
| Limitations to Using Group Policies to Manage Software | 357 |
| Summary | 359 |
| 13 Using Group Policies to Manage Computers | 361 |
| Desktop Management Using Group Policies | 362 |
| Managing User Data and Profile Settings | 364 |
| Managing User Profiles | 364 |
| Folder Redirection | 368 |
| Configuring Security Settings with Group Policies | 372 |
| Configuring Domain-Level Security Policies | 372 |
| Configuring Other Security Settings | 377 |
| Software Restriction Policies | 379 |
| Security Templates | 382 |
| Administrative Templates | 385 |
| Using Scripts to Manage the User Environment | 389 |
| Summary | 391 |
| PART IV Maintaining Windows Server 2003 Active Directory | |
| 14 Monitoring and Maintaining Active Directory | 395 |
| Monitoring Active Directory | 395 |
| Why Monitor Active Directory? | 396 |
| How to Monitor Active Directory | 398 |
| What to Monitor | 410 |
| Active Directory Database Maintenance | 411 |
| Garbage Collection | 411 |
| Online Defragmentation | 413 |
| Offline Defragmentation of the Active Directory Database | 414 |
| Managing the Active Directory Database Using Ntdsutil | 415 |
| Summary | 417 |
| 15 Disaster Recovery | 419 |
| Planning for a Disaster | 419 |
| Active Directory Data Storage | 420 |
| Backing Up Active Directory | 423 |
| Restoring Active Directory | 424 |
| Restoring Active Directory by Creating a New Domain Controller | 425 |
| Performing a Nonauthoritative Restore | 429 |
| Performing an Authoritative Restore | 431 |
| Restoring Sysvol Information | 433 |
| Restoring Operations Masters and Global Catalog Servers | 435 |
| Summary | 440 |
| Index | 441 |