Home > Store

Inside Active Directory: A System Administrator's Guide

Add To My Wish List

Inside Active Directory: A System Administrator's Guide

By Sakari Kouti, Mika Seitsonen
Published Dec 13, 2001 by Addison-Wesley Professional.

Book

Sorry, this book is no longer in print.

Not for Sale

Description

Extras

Sample Content

Updates

More Information

Description

Copyright 2002
Edition: 1st

Book
ISBN-10: 0-201-61621-1
ISBN-13: 978-0-201-61621-7

Detailed and thorough, this administrator's guide provides practical strategies for managing Active Directory, the cornerstone technology within Windows 2000 distributed networks. This book covers design, architecture, topology, deployment, and management issues, and provides thorough instructions for efficiently administering the entire network operating environment.

Inside Active Directory: A System Administrator's Guide begins with an overview and covers Active Directory's core features before moving on to document more advanced, specialized skills. This book provides a solid understanding of Active Directory fundamentals, demonstrating how it is used to store and access data, and how it uses industry standards, such as LDAP and other directory protocols. Numerous diagrams and tables appear throughout the book to help readers better comprehend the sometimes-complex technologies involved in migrating to Windows 2000 from Windows NT or other platforms.

This practical guide documents Active Directory extensively, with detailed coverage of the following:

The big picture - background, building blocks, hierarchies, DNS integration, security, architecture, and other features.

How to efficiently install Active Directory, and how to automate and troubleshoot the process.

Planning and management of OUs, users, and groups.

Security features, including permission architecture and management, as well as permission usage scenarios.

Sites and replication - concepts, planning, management, topologies, processes, and diagnostics.

How to plan and manage domains and forests, and how to perform various LDAP searches.

Group Policy features, including architecture, planning, management, and diagnostics.

A detailed drill-down to the schema, and practical strategies and examples for extending it.

Administration scripts - from concepts and basic techniques to advanced script management of Active Directory, including more than fifty sample scripts.

Anyone working with Active Directory will find this book indispensable. Readers new to Windows network administration will gain a solid grasp of the fundamentals. Administrators experienced in NT, UNIX, Netware, and other systems will learn how to adapt their skills to Active Directory. Experienced Windows 2000 professionals will pick up advanced techniques, and developers will benefit from the architectural explanations.

Inside Active Directory is the most practical and comprehensive resource available for planning, implementing, and managing an Active Directory network.

0201616211B11272001



Extras

Web Resources

Click below for Web Resources related to this title:
Author's Web Site



Sample Content

Online Sample Chapters

Active Directory Schema

Managing OUs, Users, and Groups in Active Directory

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:
koutich03.pdf

koutich08.pdf

Preface.

I. BACKGROUND SKILLS

1. Active Directory: The Big Picture.

Introduction to Active Directory.

A Brief Description.

The First Look at Active Directory.

History.

Active Directory Compared to Windows NT.

Active Directory Compared to NDS.

A Sample Company.

Basic Building Blocks.

Domain Controllers

Domains

Trust Relationships.

Organizational Units and Other Objects.

Groups.

Sites.

Replication.

Global Catalog.

Hierarchies.

Single Domain with No OU Structure.

OU Tree in a Single Domain.

Domain Trees.

Forest of Domain Trees.

DNS Integration.

Locating Computers and Services.

Dynamic DNS Updates.

Security and Policies.

Access Control.

Inheritance.

Delegation of Administration.

Group Policy.

Architecture.

Data Model.

The Schema.

Extending the Schema.

Container and Leaf Objects.

Partitions.

Naming Objects.

The X.500 Standards.

LDAP.

Physical Architecture.

ADSI.

Kerberos Authentication.

Public Key Infrastructure.

Other Features.

Virtual Containers.

Publishing.

Connecting to the Internet.

Active Directory's Current Limitations.

The Next Version of Active Directory.

Conclusion.

2. Installation of Windows 2000 and Active Directory.

Before You Installing Windows 2000.

Decisions That Cannot Be Reversed.

Dual Booting.

Requirements and Recommendations.

Preparation.

Installing Windows 2000.

Starting Installation.

The Setup Program.

The Setup Wizard.

Installing and Configuring a Network.

Finalizing the Setup.

Upgrading Your Operating System.

After You've Installed Windows 2000 Server.

Installing Windows 2000 Professional.

Installing Active Directory.

Requirements and Recommendations.

Creating Domains, Trees, and Forests.

The Installation Process.

After Active Directory Installation.

Automating Installation.

Automating Windows 2000 Installation.

Automating Active Directory Installation.

Troubleshooting Installation.

Incompatible Devices.

Problems with ACPI.

Incorrectly Detected Devices.

Problems with Active Directory Installation.

Recovery Options.

Uninstalling Windows 2000 and Active Directory.

Uninstalling Windows 2000.

Uninstalling Active Directory.

Conclusion.

II. CORE SKILLS.

3. Managing OUs, Users, and Groups.

Active Directory after Installation.

Predefined OUs and Other Containers.

Predefined Users.

Predefined Groups.

Predefined Computers Objects.

Changing the Domain Mode.

Administering OUs.

Features of Ous.

Managing Ous.

Planning Ous.

Administering Users and Contacts.

Creating Users.

Creating Contacts.

Setting User and Contact Properties.

Other Operations to Manage Users and Contacts.

Administering Computer Objects.

Creating Computer Objects.

Setting Computer Object Properties.

Other Operations to Manage Computer Objects.

Administering Groups.

Group Types.

Group Scopes.

Managing Groups.

Planning Groups.

Tips on Tools.

The Users and Computers Snap-In.

Alternative Means to Manage Users and Other Objects.

Conclusion.

4. Securing Active Directory.

Introduction to Windows 2000 Security.

Background for Active Directory Access Control.

Controlling Access.

Security Principals.

Well-Known Security Principals.

Managing Active Directory Permissions.

Permission Concepts.

Anatomy of ACL Editor Dialog Boxes.

Standard and Special Object Permissions.

Permissions for Object Properties.

Permissions in Applications.

Inheritance.

Ownership.

How Permissions Accumulate.

Deny Permissions and the Ordering of Permission Entries.

Permission Performance.

DSACLS.

AdminSDHolder Object

Delegation of Control Wizard.

Common Tasks.

Custom Tasks.

Default Permissions for Objects.

Sources of Default Permissions.

Common Features of Default Permissions.

Pre-Windows 2000 Compatible Access.

Listing Default Permissions.

Where Security Principals Have Permissions.

Changing Default ACLs.

Usage Scenarios for Active Directory Permissions.

General Practices.

Delegation Scenarios (To Make Changes).

User Scenarios (To See Properties).

Auditing Active Directory Access.

Adding Auditing Entries.

Turning On Auditing.

Viewing Audit Records.

Access Control Architecture.

Processes and User Accounts.

SIDs.

Access Tokens.

Security Descriptors.

User Rights.

User Rights Categories.

Fixed Rights.

Active Directory Permissions Instead of Rights.

Applying User Rights.

Conclusion.

5. Sites and Replication.

Concepts of the Physical Structure.

Why Replication.

Nature of Active Directory Replication.

Partitions and Replicas.

Overview of the Replication Process.

Overview of Replication Topologies.

Sites.

Overview of Intrasite and Intersite Replication.

Urgent Replication.

Nonreplicating Properties.

Global catalog.

Overview of Operations Masters.

Managing the Physical Structure.

Active Directory Objects for Sites and Replication.

The Big Pictures of the Objects.

The Sites and Services Snap-In.

Tasks in Managing the Physical Structure.

Using the Default-First-Site-Name Site.

Creating and Managing Subnet Objects.

Creating and Managing Site Objects.

Moving and Managing Server Objects.

Managing NTDS Settings.

Creating and Managing Site Links.

Managing Licensing Computers.

Removing Domain Controllers.

Monitoring and Diagnosing the Physical Structure.

Replication Permissions

Advanced Topics.

Intrasite Replication Topologies.

Intersite Replication Topologies.

Configuring SMTP Replication.

The Replication Process.

Time Synchronization.

Managing Operations Masters.

Conclusion.

6. Domains and Forests.

Domain Controller Placement.

Active Directory Network Traffic.

Determining the Placement of Directory Information.

Designing Domain and Forest.

Single or Multiple Domains and Forests.

Forest Planning Considerations.

Managing Domains and Forests.

Managing Trusts.

Moving Objects In a Forest.

Managing Groups and Permissions in a Forest.

Referrals and Cross-References.

Delegating Domain Installation.

LDAP and Searches.

LDAP Searches.

Search Tools.

Extended LDAP Controls.

LDAP Data Interchange Format.

Conclusion.

7. Group Policy.

Group Policy Concepts.

MMC Group Policy Snap-in.

NT 4 System Policy Compared to Windows 2000 Group Policy.

Group Policy Contents.

Computer versus User.

Software Settings.

Scripts.

Security Settings.

Administrative Templates.

Other Policies.

Group Policy Objects and Links.

Group Policy Objects.

Group Policy Links.

Scope of Group Policies.

Inheritance.

Processing Group Policy.

Processing Basics.

Slow Link Processing.

Loopback Processing.

Determining Effective Group Policies.

Managing Group Policies.

Group Policy Dialog Box.

Creating GPOs.

Editing GPOs.

Managing GPO Links.

Deleting GPOs.

Backing up Group Policy.

Delegating Management of GPOs.

Additional Tools.

Software Management with Group Policy.

Windows Installer.

Creating Windows Installer Packages.

Deploying Software with Group Policy.

Upgrading Applications.

Patching Applications.

Removing Applications.

Troubleshooting Group Policy.

Logging Group Policy Events.

Resource Kit Tools for Group Policy.

Group Policy Scenarios.

Advanced Topics.

Group Policy Synchronization.

Registry-Based Settings for Group Policy Processing.

Client-Side Extensions.

Registry Settings for Group Policy History.

Default permissions for GPOs.

Slow Link Detection Algorithm.

Conclusion.

III. ADVANCED SKILLS.

8. Active Directory Schema.

Overview of the Active Directory Data Model.

Classes, Objects, and Attributes.

Container and Leaf Objects.

Indexing and the Global Catalog.

Schema.

Role of the Schema.

Location of the Schema.

Inspecting the Schema with ADSI Edit.

Inspecting the Schema with the Schema Manager Snap-In.

Dumping the Schema to a Spreadsheet.

Subschema Subentry.

Schema Cache.

Constructed Attributes.

Classes.

Names and Identifiers.

Object Identifiers.

Structure and Containment Rules.

Class Inheritance.

Miscellaneous Characteristics of Classes.

Class Schema Object Property Pages.

Attributes and Syntaxes.

Names and Identifiers.

Syntax and Content Rules.

Searches.

Miscellaneous Characteristics for Attributes.

AttributeSchema Object Property Pages.

Conclusion.

9. Extending the Schema.

When and Why to Modify.

Guidelines.

What Data to Put in Active Directory.

Planning the Modifications.

Creating a Class.

Modifying a Class.

Creating an Attribute.

Modifying an Attribute.

Deactivating Classes and Attributes.

The Modification Process.

Order of Tasks.

The Means to Make Changes.

The Schema Manager Snap-in.

ADSI Edit.

LDIFDE.

CSVDE.

An Installation EXE File.

Some Gotchas in Changing the Schema.

Bringing the Extensions to the User Interface.

Where to Place the Objects.

Managing Permissions.

Creating and Displaying the Objects.

Display Specifiers.

Testing to Change the Displays.

Extending the User Class.

Planning the Extensions.

Implementing the Extensions.

Managing the Attribute Values.

Searching on the New Attributes.

Managing the Attribute Permissions.

Conclusion.

10. Administration Scripts: Concepts.

Getting Started.

The Script Execution Environment.

Launching WSH Scripts.

Controlling WSH Scripts.

Setting up the Development Environment.

VBScript Language.

Dissecting a Sample Script.

The First Sample (Normal).

The Second Sample (Short).

The Third Sample (Very Short).

ADSI Concepts.

Basic ADSI.

Basic COM.

The Property Cache.

ADSI Interfaces.

ADSI Syntaxes.

Additional Techniques.

Ways to Input and Output Information.

Using Executables from Scripts.

Using COM Components.

Using the Win32 API.

Debugging Scripts.

Including Script Lines from Another File.

Conclusion.

11. Administration Scripts: Examples.

ADSI Examples.

User Management.

List the Users of One Container.vbs.

List the Users of One Container to Excel.vbs.

List the Property Cache Contents.vbs.

List User Properties with Get.vbs.

List User Properties with Methods.vbs.

List the Account Options of a User.vbs.

Create a User with Minimum Attributes.vbs.

Create a User with More Attributes.vbs.

Create a User with a Batch File.bat.

Create a Home Folder for a User - ver 1.vbs.

Create a Home Folder for a User - ver 2.vbs.

Read User Information from Excel.xls.

Read User Information from Standard Input.vbs.

Schema Access.

Concepts.

Schema Sample Scripts.

List All Abstract Schema Objects.vbs.

List the Member Attributes of a Given Class.vbs.

List the Member Attributes of a Given Class to Excel.vbs.

Show Property Properties.vbs.

Container or Leaf.vbs.

List All Real Schema Objects.vbs.

List Indexed Attributes.vbs.

List ANR, Nonreplicated and Constructed Attributes.

List Global Catalog Attributes.vbs.

List All classSchemas to Excel.vbs.

List All attributeSchemas to Excel.vbs.

Create an Attribute and a Class.vbs.

Configuration Information.

List the Supported Namespaces.vbs.

List Attribute Display Names.vbs.

List the DC GUIDs.vbs.

List the rootDSE Property Cache.vbs.

List the GPO GUIDs.vbs.

List the Operations Masters.vbs.

List the Operations Masters with ADsFSMO.vbs.

List ADSystemInfo.vbs.

Access Control Lists.

Security Interfaces.

The Access Control List Sample Scripts.

List ACEs—Short.vbs.

List ACEs to Excel—Short.vbs.

List Binary GUIDs.vbs.

List ACEs—Long.vbs.

Add ACEs.vbs.

Add ACEs to a Folder.vbs.

OU, Group and Computer Management.

OU Management.

Group Management.

Create a Computer Object.vbs.

ADSI without Active Directory.

List Services.vbs.

List Users, Groups, and Print Queues.

List Shares.vbs.

Create a Share.vbs.

List WinNT Properties of User Class.vbs.

Create a User in a Workstation.vbs.

Additional Techniques.

Binding with Credentials.

Binding with WKGUIDs.

Binding to the Global Catalog.

List the Users of a Subtree.vbs.

Error Checking.vbs.

Scripts as Command-Line Tools.

Using ADO.

ADO Concepts.

Basic Example.vbs.

Basic Example with SQL.vbs.

Modifying Objects.vbs.

Multipartition Queries.

Additional Settings.

List Objects That Have Blocked ACL Inheritance.vbs.

Conclusion.
Bibliography
Index. 0201616211T11292001

Preface

During the seven years that Windows NT was sold before Windows 2000 shipped, administrators didn't need to learn practically anything new, at least about the core operating system features. User and group management, domains and domain models, and resource management had been the same in all Windows NT versions.

With the introduction of Windows 2000 and Active Directory, that all changed. There is a huge difference in managing Windows networks over the old NT administration model. Therefore, Active Directory will require quite a lot of study on the part of NT professionals.

Despite some administrative wizards in the user interface and the new Microsoft Management Console (MMC) administration interface, implementing and administering Active Directory requires probably more learning, testing, piloting, and planning than Windows NT required.

ABOUT THIS BOOK

This book is an implementer and administrator's guide to Active Directory. Throughout the book, you will learn the workings, architecture, administration, and planning of Active Directory. Depending on your needs, however, you don't have to read this book from cover to cover, as we describe later in this preface.

The following list evaluates the appropriateness of this book for a number of potential audiences.

A current NT professional. You are the target audience for this book. However, you may want to browse relatively fast through the introductory pages that we have in the beginning of many chapters.
A current NetWare or UNIX professional. Prior knowledge of Windows NT is not required to successfully learn from this book. Your earlier networking skills will most likely enable you to pick up each topic quite fast. However, you probably shouldn't skip any introductory topics.
A network operating systems novice. Because we tend to start each chapter with the very basics, at least in theory you can use this book to effectively learn Active Directory. Obviously, you need to invest more time reading than an experienced IT professional. You should also have a test PC that you can use to try out the different tasks and experiments that the book describes.
A current Windows 2000 professional. Even if you are already familiar with Active Directory, we trust that you will learn more than a few things from this book.
A developer. This book is an administrator's guide and not a programmer's guide. However, the book contains more architectural topics than the average book for an administrator, so you may find this book valuable to you in addition to a programmer's guide.

For all target audiences, it is possible that you are not interested in all the advanced topics in this book, so you are free to skip any of them.

We believe that this book has the following strengths.

We present well-thought-out diagrams that help you easily comprehend the various key concepts and other topics related to Active Directory.
At worst, a book just shows screen shots and shortly explains what is already evident from the user interface or the online Help. In contrast, this book contains thorough and accurate information on the topics it covers.
We claim that this book contains very few errors.
Even though this book is not a reference guide, we present many extensive reference tables.
If you install Active Directory on a test PC, you can try out most of the tasks and experiments described in this book, whether they are written to be walkthroughs or not.

We have divided the book into three parts.

Part I: Background Skills (Chapters 1 and 2) gives the big picture of Active Directory so you can successfully plan and implement an Active Directory network. This part also discusses the installation of Windows 2000 and Active Directory.
Part II: Core Skills (Chapters 3 through 7) describes the concepts, planning, and administration of both the physical and the logical structure of Active Directory. The topics presented in this part include user and group management, access control, and Group Policy. Even though Part III covers advanced skills, most chapters in this part discuss related advanced topics.
Part III: Advanced Skills (Chapters 8 through 11) looks at advanced techniques, including the schema and scripting. Along with these topics we also uncover many aspects of Active Directory architecture. You can probably live without the information in these chapters, but by reading them you can greatly deepen your knowledge and understanding of Active Directory and make use of it when implementing and administering Active Directory networks.

We'll now present a short summary of each chapter. Mika wrote Chapter 2 and Chapter 7, and Sakari wrote the remaining chapters.

Chapter 1: Active Directory: The Big Picture

Before going into detail, we give you a general picture of Active Directory. After you learn the concepts introduced in this chapter, you can freely skip some later chapters that you might not be interested in. However, we encourage you to browse through the table of contents of any such chapter to make sure that you are not going to unintentionally miss anything important.

Chapter 2: Installation of Windows 2000 and Active Directory

In this chapter, we explain how to install both Windows 2000 and Active Directory. We also describe the post-installation tasks, as well as how to automate and troubleshoot installation.

Chapter 3: Managing OUs, Users, and Groups

Once you have an Active Directory domain up and running, one obvious task is to create a user account for each user and plan how to enhance user administration by using groups and organizational units (OUs). This chapter looks at managing OUs, users, contacts, groups, and computer objects, and covers some related topics.

Chapter 4: Securing Active Directory

Active Directory has an access control mechanism that enables you to define who can read or modify what information in Active Directory. In this chapter, we explain the concepts and architecture of access control, as well as how to manage permissions in various scenarios.

Chapter 5: Sites and Replication

For Active Directory to work efficiently when your network spans multiple geographic locations, you must plan and implement the physical structure and define it in Active Directory itself. In this chapter, we describe the concepts, management, and advanced topics of the physical structure. Some of the content is also relevant for a company with just one site.

Chapter 6: Domains and Forests

Active Directory has several levels of hierarchies that you can use to implement an effective logical structure for your company network. In this chapter, we discuss whether you should use one or many domains and one or many forests, and how you should plan and manage that logical structure. We also revisit the physical structure, because it somewhat overlaps with the logical structure. In addition, we explain the anatomy of LDAP searches.

Chapter 7: Group Policy

Active Directory has an extensive management architecture called "Group Policy." You can use Group Policy to manage user desktops and server settings, as we describe in this chapter. You learn the architecture, inheritance, and processing of Group Policy in this chapter.

Chapter 8: Active Directory Schema

This chapter examines the Active Directory data model and how it is enforced by the rules of the schema. After reading this chapter, you'll better understand how Active Directory works behind the scenes and you'll also gain knowledge that you can use if you are going to extend the schema.

Chapter 9: Extending the Schema

One of Active Directory's advantages over Windows NT is that you can extend Active Directory schema, either to accommodate directory-enabled applications or for some administrative purpose. In this chapter, we explain the considerations for extensions and describe the process itself.

Chapter 10: Administration Scripts: Concepts

By downloading scripts from the Internet or writing your own scripts and executing them you can greatly enhance and automate administration. In this chapter we explain how to get started with technologies such as Windows Script Host (WSH), VBScript, and Active Directory Service Interfaces (ADSI).

Chapter 11: Administration Scripts: Examples

In this chapter, we present over 50 sample scripts along with their explanations. Outputs of many of the scripts provide some architectural information about Active Directory and you can run those scripts without understanding what they do on each line. Therefore, you can use these scripts not only for various administrative tasks, but also to gain more knowledge about Active Directory. This chapter also introduces some additional scripting concepts, such as ActiveX Data Objects (ADO), between the sample scripts.

0201616211P11272001

Index

' (apostrophe), 717, 894

* (asterisk), 458, 485, 719

\ (backslash), 483

: (colon), 499

, (comma), 718

. (decimal point), 718

. (dot), 452

" (double quotes), 718, 724

= (equal sign), 499

/ (forward slash), 499

- (hyphen), 500

< (less-than sign), 499

+ (plus sign), 499, 719

# (pound sign), 499

; (semicolon), 617

[] (square brackets), 237

_ (underscore), 719

169.254.xx, 87

Abandon operation of LDAP, 52
Abstract schema objects, 801-806. See also Subschema object
Access (Microsoft), 53
Access control. See also ACEs (access control entries); ACLs (access control lists): architecture, 280-296; background for, 206-212; basic description of, 36-37; delegation and, 282-283; impersonation and, 282-283; security principals and, 207-212
Access tokens: basic description of, 175-176, 287-288; universal groups and, 196
Account(s): basic description of, 123; disabling, 163, 172; Group Policies and, 511; options, listing, 784-788; policies, 511; resetting, 172-173
Account Operators group, 129
Account Restrictions property set, 235
Account tab, 144, 149-154, 232
ACEs (access control entries), 36, 214. See also Access control; ACLs (access control lists): adding, 39, 848-856; basic description of, 219, 288-289; contents of, 289-292; fields of, 290-291; Group Policies and, 554; inheritance and, 240, 851; listing, 834-837, 839-846; order of, 850-851; schema and, 617-618
ACL Editor. See also ACLs (access control lists): basic description of, 212; dialog boxes, anatomy of, 215-222; DSSec.Dat and, 237, 239; procedures for using, 213; setting permissions with, 222-251; SIDs and, 286; viewing permissions with, 260
ACLDiag, 250
ACLs (access control lists). See also Access control; ACEs (access control entries); ACL Editor; DACL (discretionary access control list): administration scripts and, 832-856; default, changing, 267
ACPI (Advanced Configuration and Power Interface): installation and, 74, 110; problems with, 110
Active Directory: brief description of, 4-6; building blocks of, 16-26; current limitations of, 61; directory face of, 4; enterprise services face of, 4; first look at, 7-8; history of, 7-8; installation of, 67, 93-105, 109-111; introduction to, 4-16; as a loosely-consistent database, 308-310; NDS and, comparison of, 13-15, 63; next version of, 64-65; requirements/recommendations, 93-94; Restore Mode, 97; three faces of, 5-6; uninstalling, 113, 115-117; what data to put in, 645-646; Windows NT and, comparison of, 11-13; Windows NT face of, 4
ADC (Active Directory Connector), 310
Add ACEs to a Folder.vbs, 854-856
Add ACEs.vbs, 846-854
Add Members to a Group option, 192
Add operation of LDAPv3, 52
Add/Remove applet, 85, 102, 558, 560
Address Book, 9, 425, 635
Address tab, 144
Administration. See also Administration scripts: delegation of, 12, 19, 39, 141, 268, 269-276; duplicate, as a cost of adding additional domains, 437; units of, using multiple domains because of, 434-435
Administration script(s): as command-line tools, 706-708, 884-887; concepts, 697-758; configuration information and, 822-832; debugging, 755-759; development environment for, 712-715; examples of, 761-794, 804-805; execution environment for, 698-703; file types, 703; help files and, 713-714; killing, 710-711; property caches and, 730-750, 767-772; schema and, 801-822; settings, 708-710; testing, 704-705
Administrative groups. See also Groups: in forests, 466-467; predefined, 128-133, 466-467
Administrative templates, 515-519
Administrative view to a forest, 446
Administrator account, 126, 259, 261-263
Administrators group: AdminSDHolder object and, 251; basic description of, 129; ownership and, 243-244
AdminSDHolder object, 251
ADMT (Microsoft Active Directory Migration Tool), 463
ADO (Microsoft ActiveX Data Objects): administration scripts and, 699, 700, 703, 888, 904; ADSI and, 55-56, 888-890; basic description of, 888; Basic Example.vbs, 893-896; Basic Example with SQL.vbs, 896-897; concepts, 888; mechanics, 890-891; using, 888-903
ADsFMO component, 754, 830-831
ADSI (Active Directory Service Interfaces), 54-56, 123, 888-890: without the Active Directory, 862-870; administration scripts and, 700, 713-714; concepts, 721-752; examples, 724-725, 761-763; help files, 713-714; interface, 702-703, 736-839; operations, 724; paths, 725-726; properties and, 735-736; Resource Kit, 754; syntax, 749-753
ADSI Edit, 174, 201-202: basic description of, 488-489; creating new attributes with, 669-670; inspecting schema with, 588-591; renaming objects and, 239
ADSizer (Active Directory Sizer), 420
ADsSecurity component, 754, 830-831
Aggregate object, 596
Aliases (built-in local security groups), 286
Alias objects, 63
Allchin, Jim, 10
ANR (Ambiguous Name Resolution), 226, 635-637, 639, 642, 654, 655, 813
ANSI (American National Standards Institute), 606, 607
Answer files, 106-107
APIPA (Automatic Private Internet Protocol Addressing), 87
APIs (application program interfaces): ADSI (Active Directory Service Interfaces) API, 54-56; GetGPOList API, 538-539; LDAP C API, 425, 490, 702; user rights and, 297; Win32 API, 755
APM (Advanced Power Management), 74
Application(s). See also Software: data, storing, 59; deployment, 508-509; patching, 561; permissions in, 240-243; published versus assigned, 560; removing, 509, 562; self-repairing, 558; upgrading, 561
Application tab, 711
Architecture: access control, 280-296; ADSI and, 54-56; basic description of, 41-58; container objects and, 43-44; data models and, 41-42; LDAP and, 49-52; objects and, 43-47; partitions and, 44-45; physical, 51-54; schema and, 42-43; X.500 standard and, 47-49
Arguments: basic description of, 718-719; command-line arguments (options) in scripts, 754, 805; optional, 719
ASCII (American Standard Code for Information Interchange), 483, 687
ASN.1 (Abstract Syntax Notation One), 606
ASP (Microsoft Active Server Pages), 701, 756
ATTRIB command, 114
Attribute(s). See also Properties: ANR, 813-814; basic description of, 622-631; bit-field, 635; constructed, 599, 813-814; creating, 652-655, 661, 664-666, 669-670, 818-823; deactivating, 656-659; inspecting, 589-590; linked, 627-629; listing, 805-807; mandatory, 42, 582, 583, 612, 803; miscellaneous characteristics for, 637; modifying, 655-656, 664-666; multivalued, 582, 634; names, 591-592; nonreplicated, 813-814; optional, 42, 582, 583, 612, 803; permissions for, 677, 696; planning new, 660; reactivating, 659; schema and, 582-583; searching on new, 694-696; single-valued, 582; syntax, 583; tombstone, 401-402; use of the term, 41; values, managing, 693-694
attributeSchema objects, 585, 622-637, 637-639, 817-818
Attributes tab, 621-622
Auditing: basic description of, 204, 276-280; entries, adding, 276-278; Group Policies and, 512-513; records, viewing, 279-280; turning on, 278-279
Authentication: basic description of, 204; cross-forest, 65; Kerberos and, 56; mutual, 56
Automatic Certificate Request settings, 514

Backup Operators group: basic description of, 129; user rights and, 296
Base: DNs, 494; objects, 469, 479; schema, 582, 584, 635-636
Base64 encoding, 499
BATCH command, 114
Batch files: administration scripts and, 701, 793-794; creating, 687-688; creating users with, 793-794; testing, 687-688
BDCs (backup domain controllers): domain modes and, 133; PDC emulator and, 406, 411; replication and, 25, 310
Binary GUIDs, 837-839. See also GUIDs (globally unique identifiers)
BIND (Berkeley Internet Name Domain), 34, 94
Bindery (of Netware 3), 9, 723
Binding: with credentials, 870-872; early, 721; to the GC, 876-877; late, 721; strings, 726-727; with WKGUIDs, 872-876
Bind operation of LDAPv3, 52
BindView bv-Admin, 463
BIOS (Basic Input/Output System), 74, 83, 109
Bit(s): ACE AccessMask, 290-291; ACE AceType, 292, 293; ACE Flags, 292; connection object, 385; -fields, 290-291, 635; least-significant, 291; site link, 385
Bitwise AND, 485
Bitwise OR, 485
Blackcomb, 65
Boolean values, 483
Bootable CDs, 108-109
BOOTDISK folder, 76
Boot partition, 69
Breakpoints, 759
Bridgehead servers, 315, 371-374
Browser service, 406, 518, 519
Browsers, encryption for, 57
Building Enterprise Active Directory Services--Notes from the Field, 420
Builtin container, 124, 126-130

C (high-level language), 54, 680: administration scripts and, 701, 702; compilers, 701
C++ (high-level language), 54, 680: administration scripts and, 701, 702; compilers, 701
CA Unicenter, 509
Cache: property. See Property cache.; schema. See Schema cache.
CACLS command, 793, 794, 795, 796, 797
"Cairo," 10-11
CAL (client access license), 70
Canonical names, 46
Carriage return/linefeed character pair, 719-720
CAs (certificate authorities), 57-58, 92: Group Policies and, 514; SMTP replication and, 386
Case-sensitivity, 718
Catalog Services, 26
CCM (Change and Configuration Management), 503
CD/CHDIR command, 114
CDO (Collaborative Data Objects), 700
CDs (compact discs), bootable, 108-109
Certificate Export Wizard, 116
Certificates, exporting, 116
Change notification, 320, 384-385
Channels, secure, 457
Characters: ASCII, 483, 687; carriage return/linefeed, 719-720
number of, in passwords, 530: Unicode, 34, 483, 516; unsafe, 499
CHKDSK command, 114
Class(es): ADSI and, 54-46; attributes of, inspecting, 589-590; basic description of, 599-622; categories of, 612; creating, 647-650, 661, 666-669; deactivating, 656-659; derived, 610; extended rights for, 227-229; identifiers, 600, 603; identifiers (CLSIDs), 682, 683, 684, 709; miscellaneous characteristics of, 612-618; modifying, 650-652, 666-669; names, 600, 603; objects of specific, creating/deleting, 229; planning new, 660; reactivating, 659; schema and, 582-583
classSchema objects, 585, 599-622, 815-817
Clean Install option, 80
Client(s): access license (CAL), 70; access tokens, 287; extensions, 512; LDAP referrals to, 469; -server applications, connection points for, 59; -side extensions (CSEs), 504, 538, 571-573, 575; slow link detection and, 576-578; traffic, 420-421, 425
ClonePrincipal tool, 463
CLS command, 114
CLSIDs. See Class(es)--identifiers (CLSIDs)
CMDTOOL.vbs, 885-887
CNs (common names): basic description of, 46; renaming objects and, 239
Collisions, 398-401
COM (Component Object Model), 54-56, 699: basic description of, 728-730; components, using, 753-755; connection points and, 59; files, registering, 559
COM+, 559
Comdex, 10
Command-line: CScript options, 706-708; parameters, 465. See also Arguments; redirection of output, 707, 773, 799-800; tools, 111, 112, 173, 250, 353, 355-356, 458, 462, 498, 550, 762, 794, 884-887
Compare operation of LDAPv3, 52
Compilers, 701
Complete trust areas, 441-443
Components: COM, 755-757; homemade, 753; installation of, 85-87; using, 753-755
Computer(s). See also Computer accounts; Computer objects: licensing, 351-352; locating, 35; managing, 173, 856-858; objects, predefined, 133; registering, 91; renaming, 173-174
Computer accounts: disabling, 172; resetting, 172-173
Computer object(s): administering, 164-174; creating, 166-168; creating with a script, 861-864; deleting, 172; Group Policies and, 507-508; moving, 172; properties, 168-171
Computers container, 124
Concurrency control, 661, 675
Configuration: information, handling, 59, 822-832; partition, 44, 311, 313, 362
Connection object(s): creating/managing, 380-384; explanation of, 326, 327-331, 358-359; properties, 899; replication and, 358-359
Consistency checks, 650
Constant(s): administration scripts and, 718-719; basic description of, 718; definitions, 758; intrinsic, 719; names, 718
Contact(s): administering, 142-164; creating, 148; deleting, 162-163; home pages of, opening, 164; moving, 162; properties, setting, 148-157; renaming, 162; sending e-mail to, 164
Container(s): basic description of, 123-125; classes, 583-585; objects, 43-44, 583-585; predefined, 123-125
Containment rules (of schema classes), 607-610
Context menus, adding scripts to, 693-694
Continuation references in LDAP, 487-488
Control Panel, 85, 558. See also Add/Remove applet
Controls dialog box, 497
Control statements, 719
Convergence of Active Directory information, 309
COPY command, 114
Create a Computer Object.vbs, 859-862
Create a Group.vbs, 858
Create a Home Folder for a User - Ver 1.vbs, 794-796
Create a Home Folder for a User - Ver 2.vbs, 796-797
Create a Share.vbs, 867
Create a User in a Workstation.vbs, 869-870
Create a User with a Batch File.bat, 793-794
Create a User with Minimum Attributes.vbs, 788-790
Create a User with More Attributes.vbs, 790-793
Create Object dialog box, 677-678
Credentials, binding with, 870-872
Cross-reference(s): basic description of, 469-473; external, creating, 470-473; objects, 469-470
CScript, 690, 703-705, 711
CSEs (client-side extensions), 504, 538, 571-573, 575
CSVDE, 202, 662, 663, 674
CTLs (certificate trust lists), 514
Current context, 63

DACL (discretionary access control list), 36, 214, 288-289, 290. See also ACLs (access control lists)
Dampening, propagation, 388
DAP (Directory Access Protocol), 48-49
Data model, 41-42
Data types: administration scripts and, 734-735; handling special, 734-735
Date and time settings, 87. See also time
DB layer, 52-53
DCDiag, 458-459
DCE (Distributed Computing Environment), 452
DCOM, 559
DCPromo, 16-17, 352, 354, 473, 476-477, 586, 673: command, 93, 115
Deactivation, of classes, 656-659
DEAs (directory-enabled applications), 5, 43, 59, 642, 659-662
Debugging: administration scripts, 755-759; with extra output commands, 755-756; mode, 112
Default Domain Controllers Policy, 511
Default permissions. See also Permissions: basic description of, 258-267; listing, 260-265; sources of, 259
DEL/DELETE command, 114
Delegating: basic description of, 19, 39, 269-270; domain controller installation, 476-478; domain installation, 473-478; management of GPOs, 554-557
Delegation (relating to authentication), 282-284
Delegation of Control Wizard, 39, 212: basic description of, 251-258; common tasks completed with, 252-256; custom tasks completed with, 256-258; customizing list of common tasks, 254-256; support tools and, 250
DelegWiz.Inf, 254-256
Delete operation of LDAPv3, 52
Deleted objects, listing, 495-497
Deleting: contacts, 162-163; GPOs, 552-553; groups, 194, 861; objects, 172, 229, 857; OUs, 857; users, 162-163
DEN (directory-enabled networking), 5
Deploying software, with Group Policies, 559-561
Description property, 140
Device Manager, 110
Devices: incompatible, 110; incorrectly detected, 110
DFS (Windows 2000 Distributed File System), 23, 315-316, 341, 559-561
DHCP (Dynamic Host Configuration Protocol): DNS updates and, 35-36; Group Policies and, 538; installation and, 70, 87, 90; RIS and, 520
Dial-in tab, 144, 155-156
DIR command, 114
Directories: history of, 9; information about, determining the placement of, 426-432
Directory-enabled applications (DEAs), 5, 43, 59, 642, 659-662
Directory-enabled networking (DEN), 5
Directory service, 4, 9, 11, 42, 47, 142, 310, 585, 723-724
Directory Services Restore Mode option, 112
DISABLE command, 114
Disk images, duplicating, 107-108
DISKPART command, 114
DISP (Directory Information Shadowing Protocol), 48
Display name property, 147
Display specifiers, 682-685
Distributed Systems Guide, 354-355
Distribution groups, 174. See also Groups
DLLs (Dynamic Link Libraries), 557, 573, 684, 898
DMZ (demilitarized zone), 60-61
DNs (distinguished names), 407, 466: base, 494; basic description of, 45-47; features recommended for, 94; LDAP and, 46, 485, 494; LDIF and, 498, 501
DNS (Domain Name Service). See also Domain names: Group Policies and, 550; host names, 84; host records, 476; installation and, 70, 84-90, 93-105, 110-111, 117; integration, 34-36; namespaces, 17, 31, 32-33; -related tasks, after installation, 102-105; RIS and, 520; root domain, removing, 102; servers, requesting IP addresses from, 35; updates, dynamic, 35-36; virtual containers and, 58; zones, 61
DnsAdmins group, 132
DnsUpdateProxy group, 132
DNS Zones, 34, 60-61, 94, 102-105, 117, 425, 450
Domain(s). See also Domain controllers; Domain names: adding workstations to, 302; basic description of, 17, 62; choosing, 200; cost of additional, 437-438; creating, 94-95; designing, 432-452; forest root, 95, 448-452; installation, delegation of, 473-478; local groups, 21-22; looking at single, 429-430; managing, 452-478; master browser, 406; mode, changing, 133-135; placement of directory information and, 426-432; single, OU trees in, 29-30; single, with no OU structure, 27-28; trees, 30-33; using multiple, 433-438; using single, advantages of, 433-438
Domain Admins group, 131, 243-244, 251, 261-264
Domain Computers group, 131
Domain controller(s). See also Domains: additional, cost of, 437; basic description of, 6, 16-17; choosing, 200; default assignments for, 299-302; installing, 65, 476-478; logon rights and, 298; operations master (OMDCs), 408, 410-411, 413-414, 415; originating, 390; placement of, 419-502; placement of directory information and, 426-432; privileges and, 28; promoting, to be GC servers, 346-347; removing, 352-354; targeting, for Group Policy operations, 547-548; USNs and, 390
Domain Controllers container, 124
Domain Controllers group, 131
Domain Guests group, 131
Domain names. See also Domains: basic description of, 31-32
Domain naming master, 405
Domain Password & Lockout Policies property set, 231
Domains and Trusts snap-in, 454
Domain Users group, 131, 134
DOS (Disk Operating System), 77, 78. See also MS-DOS
DOSNET.INF, 106
Drivers, installation using alternate, 81-83
DSAs (Directory System Agents), 49, 51, 53
DSClient (Directory Service Client), 702
DSP (Directory System Protocol), 48
DSSec.Dat, 237-239, 257, 677
Dual booting, 70-73
Dynamic disks, 92
Dynamic DNS, 35-36
Dynamic updates, enabling, 102-103. See also Updates

ECMAScript, 702
EditPlus, 712, 713, 763
EFS (Encrypting File System), 47, 514. See also Encryption
E-mail: encryption, 57; sending, to groups, 194; sending, to users and contacts, 164; systems, history of, 9
Empty lines, 718
Enable Boot Logging option, 112
ENABLE command, 114
Enable VGA Mode option, 112
Encryption. See also EFS (Encrypting File System): e-mail, 57; installation and, 92; TCP/IP traffic, 57; Web browser traffic, 57
Enterprise Admins group, 98, 131, 259, 261
Error(s): categories, 880; checking, 879-884; levels, 765; mechanics, 879-880
Error Checking.vbs, 879-884
Escape sequences, 483
ESE (Extensible Storage Engine), 52-53
ESENT.DLL, 51
Event(s): Group Policies and, 562-565; logs, 513, 562-565
Excel (Microsoft): ACEs and, 834-837; administration scripts and, 701, 766-767, 797-798, 807-809, 815-818; importing text files into, 595-596; table of default permissions, 260
Exchange (Microsoft), 9, 43, 53, 142, 143, 310, 431, 444, 605, 723
EXIT command, 114
Extended operation of LDAPv3, 52
Extended rights, adding, 293-294
Extensible matching rules, 485
EXTRACT command, 114

FastLane Developers, 701
FastLane Migrator, 463
FAT (file allocation table), 71, 73, 81
FAT32, 71, 81
Fault tolerance, 308
FAZAM 2000 RFV (Reduced Functionality Version) tool, 551, 554, 570
File system(s). See also NTFS (Windows NT File System): DFS (Windows 2000 Distributed File System), 23, 315-316, 341, 559-561; EFS (Encrypting File System), 47, 514; policies, 514; supported by Windows 2000, 72-73
Filters, 200-201, 592, 616, 889, 901-903
Find command, 762
Find dialog box, 488, 695
FindStr command, 762
Firewalls, 60
First name property, 147
FIXBOOT command, 114
FIXMBR command, 71, 114
flatName property, 453
Folder(s): adding ACEs to, 854-856; creating, 794-797; home, 794-797; redirection policies, 520
Foreign security principals, 124, 462
ForeignSecurityPrincipals container, 124, 462
Forest(s). See also Forest root domains: authentication and, 65; changes to, 62; configurations, number of, 440; creating, 94-95; designing, 432-452; managing, 452-478; managing groups and permissions in, 466-469; moving groups in, 464-465; moving objects in, 462-466; permission assignments in, 468-469; planning considerations for, 445-452; predefined administrative groups in, 466-467; testing schema modifications in, 660, 685-690; three faces of, 445-446; trusts, 65, 441-443; using multiple, 433-444; using single, 438-445
Forest root domains, 95, 448-452. See also Forests: empty, 449-450; nonempty, 450-451
FORMAT command, 114
Forwarding addresses, configuring, 102
Forward lookup zones, creating, 102-103
FRS (Windows 2000 File Replication System), 23, 53, 315
FSMOs (flexible single-master operations), 25, 324, 404. See also Operations master(s)
FullArmor.com, 570
Full Control permission, 273
Full name property, 147
Function(s): basic description of, 718-719; conversion, 719

Garbage collector, 402
Gates, Bill, 10
GCs. See Global Catalogs
General Information property set, 231-232, 483
General tab, 144, 170, 195, 232
GetGPOList API, 538-539
GetSID, 286-287
Global Catalogs, 64, 115, 196: attributes and, 814-815; basic description of, 26; binding to, 876-877; indexing and, 585; LDAP searches and, 486; multipartition queries and, 899; number of, 440-441; replication and, 323, 364, 375-378; servers for, placement of, 431-432; servers for, promoting domain controllers to, 346-347
Global groups, 21-22. See also groups
GPC (Group Policy container), 523-524, 567
GPOs (Group Policy Objects): assigning, 40-41, 124; basic description of, 40, 522-528; creating, 548-550; default permissions for, 575-576; delegated, creating MMC consoles for, 555-556; deleting, 552-553; editing, 550-551; listing, 827-828; management of, delegating, 554-557
GPT (Group Policy templates), 524, 525, 567
GPT.INI, 524, 525
Group(s): administering, 174-200; built-in, 128-130, 184; creating, 186-187; deleting, 194, 861; distribution of, 20, 174; filtering Group Policies with, 532-534; global, 21-22; listing, 865; local, 128-130, 184; managing, 121-202, 466-469, 856-859; membership, 64, 188-192, 468-469; moving, 194, 464-465; nesting, 21-22; planning, 194-200; predefined, 127-133; primary, for users, 192-193; properties of, setting, 193-194; renaming, 194; restricted, 513; scope, 21-22, 177-184, 187-188; security, 21, 174; sending e-mail to, 194; strategies for, 197-200; types of, 174-177, 187-188; universal, 196-197; usage, example of, 180-181; in the Users container, 130-133
Group Policies: administrative templates and, 515-519; administration of, delegating, 272-273; advanced topics, 571-578; backing up, 553-554; basic description of, 39-41, 204, 503-578; concepts for, 503-507; CSEs and, 504, 571-573; deploying software with, 559-561; effective, determining, 539-546; event logs and, 513, 562-565; filtering, with groups, 532-534; folder redirection and, 520; forcing, 532; inheritance, 529, 534; links to, 528-529; local, 511-513; loopback processing, 536-537; managing, 546-557; operations for, targeting domain controllers for, 547-548; permissions and, 272-273; preference, 517-518; processing, 534-546; redeploying, 509; registry settings for, 573-575; Resource Kit tools for, 566-571; restricted groups and, 513; RIS and, 520-521; security settings and, 510; slow link detection algorithm and, 576-578; software management with, 557-562; troubleshooting, 562-571; version number for, 524-526; Windows NT 4 system policy and, comparison of, 505-506
Group Policy dialog box, 528-529, 546-548, 551-552
Group Policy Migration tool, 566, 569-570
Group Policy Reference, 570
Group Policy Results tool, 539, 566-567
Group Policy Scenarios tool, 571
Group Policy tab, 522, 525, 549, 553, 555
Group Policy Verification tool, 567-569
Guests group, 129, 259
GUIDGen, 648, 653, 679
GUIDs (globally unique identifiers), 167-168, 407: ACEs and, 292-293, 295; basic description of, 292-293; binary, 837-839; cloning objects between forests and, 444; converting, with regular expressions, 845-846; database, 389, 394-395, 398; Group Policies and, 504, 522, 525, 527; listing, 824-828, 837, 839; replication and, 357-358, 375, 389; schema and, 648, 653, 679-680; server, 389, 395

Hardware: abstraction layer (HAL), 83; compatibility, with Windows 2000 Server, 74-75
HCL (Hardware Compatibility List), 74
Hello.vbs, 704
HELP command, 114
Help files, 713-714
Hierarchies, 27-34
High encryption pack, 92
High-watermark vectors, 394-395
Home: folders, creating, 794-797; pages, opening, 164
HTML (HyperText Markup Language), 757

IADsContainer interface, 741-743
IADsGroup interface, 748-749
IADS interface, 739-742
IADsTools, 754
IADsUser interface, 743-748
IBM (International Business Machines), 8-9
ICANN (Internet Corporation for Assigned Names and Numbers), 61, 605, 607
IDE (integrated development environment), 700
IEAK (Internet Explorer Administration Kit), 517, 521. See also Internet Explorer browser (Microsoft)
IIS (Microsoft Internet Information Server), 85, 86, 93: administration scripts and, 701, 756; ADSI and, 54; debugging and, 756; replication and, 387
Impersonation: basic description of, 56, 282-283; Kerberos and, 56; tokens, 287
InetOrgPerson class, 65
Infinite loops, 710-711
Informational properties of users and contacts, 156-158
Infrastructure master, 25, 229, 324, 334, 407-408, 829. See also Operations masters
Inheritance, 600, 602, 610-612: basic description of, 37-38; blocking, 531-533; Delegation of Control Wizard and, 252; dynamic, 240-243; Group Policies and, 529-534; static, 37-38, 240-243
Installation: Active Directory, 67-68, 93-105, 109-111, 122-135; answer files and, 106-107; automating, 105-109; from CDs, 80; Clean Install option for, 80; configuring forwarding addresses after, 102; creating domains, trees, and forests during, 94-95; creating forward lookup zones after, 102-103; creating reverse lookup zones after, 104; decisions to make before, 68-76, 94-95; defining date and time settings during, 87; disk duplication and, 107-108; domain controller, 65, 476-478; dual booting, 70-73; enabling dynamic updates after, 102-103; EXE files for, schema and, 674-675; finalizing, 89; from networks, 80-81; partitions, selecting, 83; preparation for, 74-76; recovery options and, 111-113; removing DNS root domains after, 102; reversing, 113-117; starting, 76-79; steps to take after, 90-92, 100-101; troubleshooting, 110-113; using alternative drivers, 81-83; verifying, 100-101; Windows 2000 Server, 68-93
InstallShield, 559
Instantiation, of classes, 582
Integers, 483, 485, 486
Integrity, referential, 629
IntelliMirror (Microsoft), 503
Interdomain communications, cost of, 437
Internet: connecting to, 59-61; directories, 9; routers, 60
Internet Explorer browser (Microsoft): Administration Kit (IEAK), 517, 521; debugging and, 756; Group Policies and, 521
IP (Internet Protocol), 35, 605. See also IPSec (IP Security): Group Policies and, 514-515; installation and, 70, 87, 88, 90; replication and, 368, 378, 387
IPSec (IP Security), 387, 514-515. See also IP (Internet Protocol)
IRQ (Interrupt) settings, 110
ISAM (Indexed Sequential Access Method), 53
ISDN (Integrated Services Digital Network), 370
ISM (Intersite Messaging) service, 25, 387
ISO (International Organization for Standardization), 47-49, 605-606
ISTG (inter-site topology generator), 366-367, 370-374, 380-381
ITU (International Telecommunications Union), 47-49, 605-606

JScript, 509

KCC (Knowledge Consistency Checker), 314, 327, 330, 343, 347, 353, 357-365
KDCs (key distribution centers), 56
Kerberos, 56-57, 420, 435, 437-438, 444: Cairo and, 10; Group Policies and, 511, 539; synchronization services and, 25; trusts and, 452
Keyboard settings, 81
Knowledge Base. See Microsoft Knowledge Base
Kouti.com, 260, 714, 759

Language Options dialog box, 81
Language settings, during installation, 81, 84
LAN Manager, 8-9, 512, 732: access tokens and, 287; NET commands and, 202
LANs (local area networks): loose consistency and, 6; replication and, 309, 315, 317; schema and, 655; as sites, 23
Last Known Good Configuration option, 111, 112
Latency, 309, 342
LAYOUT.INF, 106
LDAP (Lightweight Directory Access Protocol): ADSI and, 54; ANR and, 635; Base64 encoding and, 499; basic description of, 6, 49-52; binding strings, 725-726; C API, 425, 490, 702; Cairo and, 11; client traffic, 425; continuation references and, 487-488; controls, extended, 495-497; Data Interchange Format (LDIF), 498-501; data model, 581-585; domain names and, 31; Group Policies and, 564; the history of directories and, 10; NCs and, 308; property lists and, 480-481; referrals, to clients, 469; schema and, 611, 616, 622-626, 645-646, 652; searches, 473-501, 893-894; setting properties for OUs and, 139-140; version 3 operations, 51-52
LDIF (LDAP Data Interchange Format), 498-501. See also LDIFDE (LDIF Directory Exchange)
LDIFDE (LDIF Directory Exchange), 202, 489, 498-499, 598, 660: creating/modifying objects with, 670-674; schema and, 662, 663, 664, 670-674
LDP tool, 490-494
Leaf: classes, 583-585; objects, 43-44, 583-585
Least-significant bit, 291
LGPO (Local GPO), 504, 527-528, 557
Linear regression analysis, 422
Lines: cutting long, 719; including, from another file, 758-759; indenting, 719
Link(s): bridges, 321, 378-380; costs of, 369-371; creating/managing, 348-351; disabling parts of, 551-552; replication topology and, 367-369; tables, 53; WANs as, 23
Linked attributes, 627-629
Linux, 472-473
List ACEs--Long.vbs, 839-846
List ACEs--Short.vbs, 834
List ACEs to Excel - Short.vbs, 834-837
List ADSystemInfo.vbs, 831-833
List All Abstract Schema Objects.vbs, 806
List All attributeSchemas to Excel.vbs, 817-818
List All Real Schema Objects.vbs, 811-812
List Attribute Display Names.vbs, 823-824
List Binary GUIDs.vbs, 837-839
List Indexed Attributes.vbs, 812-813
List Global Catalog Attributes.vbs, 814-815
List Objects That Have Blocked ACL Inheritance.vbs, 901-903
List Services.vbs, 863-865
List Shares.vbs, 865-867
LISTSVC command, 114
List the Account Options of a User.vbs, 784-788
List the DC GUIDs.vbs, 824-826
List the GPO GUIDs.vbs, 827-828
List the Member Attributes of a Given Class to Excel.vbs, 805-807
List the Member Attributes of a Given Class.vbs, 805-806
List the Operations Masters.vbs, 828-830
List the Operations Masters with ADsFSMO.vbs, 830-831
List the Property Cache Contents.vbs, 767-772
List the rootDSE Property Cache.vbs, 826-827
List the Supported Namespaces.vbs, 822-823
List the Users of One Container to Excel.vbs, 766-767
List the Users of One Container.vbs, 764-766
List User Properties with Get.vbs, 772-779
List User Properties with Methods.vbs, 779-784
List WinNT Properties of User Class.vbs, 868-869
Load balancing, 308
Local GPO, 504, 527-528
Local policies, 511-513
LocalSystem account, 211, 282, 283, 284
Location tab, 171
Logging. See also Auditing: events, 562-565; detailed, 564-565
Logoff scripts, 509
Logon. See also Access control; Authentication: GCs and, 64; Group Policies and, 509-510; Information property set, 235; rights, 297-298; smart card, 440, 661; traffic, 420-421
Loopback Adapter (Microsoft), 94
Loopback processing, 536-539
Loops, 710-711
Loose consistency, 6, 308-310
LSA (Local Security Authority), 51, 322

MAKEBOOT command, 76
Managed By property, 140
Managed By tab, 195
Manual refresh, of Group Policies, 536
MAP command, 114
MBR (master boot record), 71
MD/MKDIR command, 114
Member Of tab, 144, 149, 188, 192, 232
Member servers: basic description of, 88; modifying user rights for, 305-306
Members tab, 188, 190-191
Menu(s): adding scripts to, 693-694; definitions, adding, 686-687
Merge mode, 536-537
Metadata replication, 391-394
MicroHouse ImageCast, 108
Microsoft Access, 53
Microsoft Active Directory. See Active Directory
Microsoft Active Directory Migration Tool (ADMT), 463
Microsoft Active Server Pages (ASP), 701, 756
Microsoft ActiveX Data Objects (ADO). See ADO
Microsoft Excel: ACEs and, 832-837; administration scripts and, 701, 766-767, 797-798, 807-809, 815-818; importing text files into, 595-596; table of default permissions, 260
Microsoft Exchange, 53
Microsoft IntelliMirror, 503
Microsoft Internet Explorer browser. See Internet Explorer browser (Microsoft)
Microsoft Internet Information Server (IIS). See IIS (Microsoft Internet Information Server)
Microsoft Knowledge Base, 249, 353, 380, 501, 511
Microsoft Loopback Adapter, 94
Microsoft Management Console (MMC), 504-505, 547-548, 550-551, 555-556
Microsoft Metadirectory Services (MMS), 310
Microsoft Office, 754
Microsoft Platform SDK (Software Development Kit), 617
Microsoft Script Debugger, 85, 86, 756-757
Microsoft Software Installer (MSI), 557, 559
Microsoft System Management Server, 509
Microsoft Visual Basic for Applications (VBA), 701
Microsoft Visual Basic Scripting Edition (VBScript): ADSI and, 54; basic description of, 698, 702, 715-721; COM components and, 753-754; Editor, 713; Group Policies and, 509; schema and, 663; scripts, creating/testing, 688-690; scripts, sample, 716-721
Microsoft Visual Studio Installer, 559
Microsoft Windows Internet Naming Service (WINS), 36, 53, 70, 88
Microsoft Windows NT: Active Directory and, comparison of, 11-13; Cairo and, 10-11; domains, using multiple domains because of, 436; history of, 8-9; properties, listing, 870-871; system policy, 505-506
Microsoft Windows NT Directory Service (NTDS), 257, 327, 330-332, 341-347, 353-354, 380-381, 411, 415
Microsoft Windows NT File System (NTFS). See NTFS (Microsoft Windows NT File System)
Microsoft Windows NT LAN Manager (NTLM), 56, 512
Microsoft Windows 2000 Server: answer files and, 106-107; components, installation of, 85-87; dual booting, 70-73; hardware compatibility with, 74-75; history of, 10-11; installation, 68-76, 80-92, 105-107; Professional, 92-93; requirements/recommendations, 74; Resource Kit, 255, 566-571; server upgrades, 837-90; uninstalling, 113-117
Microsoft Windows Update Corporate Web site, 91
Mixed mode, 133-135, 177-180
MMC (Microsoft Management Console), 593, 504-505, 547-548, 550-551, 555-556
MMC Group Policy extension, 547-548
MMC Group Policy snap-in, 504-505
MMS (Microsoft Metadirectory Services), 310
Modify DN operation of LDAPv3, 52
Modifying Objects.vbs, 897-898
ModifyLDAP.vbs, 344
Modify operation of LDAPv3, 52
MORE command, 114
MoveTree tool: basic description of, 462-466; moving groups and, 464-465; options, 465-466
MS-DOS, 8, 80-81. See also DOS (Disk Operating System)
MSI (Microsoft Software Installer), 557, 559
Multilanguage version, 84
My Network Places, 8, 518

Namespaces, listing, 822-823
Namespace view to a forest, 446
NAT (network address translation), 102
Native mode, 133-135, 181-184
NCs (naming contexts), 308
NDS (Novell Directory Services): Active Directory and, comparison of, 13-15, 63; dynamic inheritance and, 38; the history of directories and, 9; introduction of, 11; partitions and, 62
NetBIOS: Browser service, 518; installation and, 84, 95, 100; names, 36, 59-60, 84, 95; ports, 59-60; trusts and, 453, 455
NET commands, 202
NetDom tool, 173, 454, 456, 458, 464
NetIQ Domain Migration Administrator, 463
Netlogon service, 102
NET TIME, 403-404
NetWare (Novell): Active Directory and, comparison of, 13-15, 63; ADSI and, 54; Catalog Services, 26; the history of directories and, 9
Network(s): installing/configuring, 87-88; installing Windows 2000 Server from, 80-81; operating systems, previous Microsoft, 8-9; traffic, measuring, 420-425
Network Identification tab, 173
Network Monitor, 85, 474
NLTest tool, 173, 454, 456, 458-459
No Override option, 532
Nortel Networks, 11
Northern Telecom. See Nortel Networks
Norton Ghost, 108
Notepad, 54, 109, 510, 545, 687, 704, 713
Notification, change, 320, 384-385
Novell NetWare. See NetWare (Novell)
NTDS (Microsoft Windows NT Directory Service), 257, 327, 330-332, 341-347, 353-354, 380-381, 411, 415
NTDSA.DLL, 51
NTDSUtil tool, 344, 412, 473-475
NTFS (Microsoft Windows NT File System): folder redirection and, 520; Group Policies and, 557; installation and, 68-69, 71-73, 81, 83, 89-90, 93, 97; permissions and, 36-37, 214; SIDs and, 284
NTLM (Microsoft Windows NT LAN Manager), 56, 512
NTRights command, 304-306
NtSecurityDescriptor property, 206-207, 289
Null sessions, 210

Object(s): administering, 164-174; base, 469, 479; basic description of, 4; that block ACL Inheritance.vbs, 901-903; creating, 166-168, 229, 680-681; deleting, 172, 229, 859; displaying, 680-681; extended rights for, 227-229; finding, 200; listing, 495-497, 805, 811-812, 901-903; moving, 172; names, 45-47, 238-239, 626-629; predefined, 133; properties of, setting, 149-157, 168-171; renaming, 238-239; schema and, 582-583, 626-629, 676-690; tables, 52-53; where to place new, 676-690
Object tab, 143
ObjectType field, 292-293, 294
Octet strings, 483
OIDGEN tool, 606-607
OIDs (object identifiers), 485, 486: base, 606-607; basic description of, 603-607; obtaining, 606-607, 660; schema and, 603, 660-661, 691
OLE automation: data types, 749-752; explanation of, 723
OMDCs (operations master domain controllers), 408, 410-411, 413-414, 415
Open Group, 452, 629
Operating System tab, 170
Operations master(s), 26, 324: changing, 829-830; failures, 413-414; listing, 828-831; managing, 404-416; placement of, 408-411; roles, transferring, 411-412
Oracle, 55
Organizational units (OUs), 27-34, 135-142: adding users of, to a Group.vbs, 859; administration scripts and, 856-857, 859; basic description of, 19-20; creating, 138, 857; deleting, 140-141, 857; features of, 136-137; managing, 121-202, 856-857; moving, 140-141; planning, 141-142; predefined, 123-125; properties for, setting, 138-140; renaming, 140-141
Organization tab, 144
Originating updates, 388. See also Updates
Orphan containers, 463
OS/2 (IBM), 8-9
OSI (Open Systems Interconnection) directory services, 48-49
OUs (organizational units). See Organizational units (OUs); OU trees
OU trees. See also Organizational units (OUs): delegating, without blocking, 272; delegating, with possible blocking, 270-271; permissions and, 270-272; roots of, 452; in single domains, 39-40
Ownership, 243-245

Packages: customizable installation, 558; non-MSI, deploying, 560-561; patches for, 509; upgrades for, 509
Parameters, ADO command object, 899-901
Parent domains: basic description of, 30; domain trees and, 30-31
Partition(s): administration scripts and, 896-899; basic description of, 44-45; configuration, 310-311; creating, 62; enterprise, 310-311; installation and, 81, 83; merging, 62; replication and, 310-312, 362-363, 374-375; schema and, 310-311; selecting, 83; topologies of several, 374-375; types, 311; Whistler and, 65
Passfilt.dll, 511
Passprop.exe, 511
Password(s): administrator, 97; age, maximum, 530; creating users and, 145; forcing complex, 511; installation and, 97; minimum number of characters in, 530; policies, 435; resetting, 164
Patches, 509
Paths, to abstract schema objects, retrieving, 803-804
PDC emulator, 406-407. See also PDCs (Primary Domain Controllers)
PDCs (Primary Domain Controllers). See also PDC emulator: installation and, 837; replication and, 25, 310; time convergence and, 403
Permission(s): accumulation of, 245-246; administration scripts and, 852-854; in applications, 240-243; attribute, 677, 696; basic description of, 36-37; concepts, 213-215; cross-object, 274-275; default, 212, 258-267, 575-576; delegation scenarios for, 269-275; denying, 246-249; entries, ordering of, 246-249; in forests, 466-469; general practices using, 268-269; generic, 854-856; handling, with the ACL Editor, 212, 215-229; inheritance and, 214, 240-243, 259; list object, 224-227; managing, 212-251, 466-469, 677-679; object, 214, 222-239; ownership and, 243-245; performance and, 249-250; property, 214, 229-239; property set, 230-236; replication and, 356; security principals and, 265-267; special, 36, 213, 222-229; standard, 36, 213, 222-229; usage scenarios for, 267-276; using, instead of rights, 301-302
Personal Information property set, 232-233
Phantoms, 407, 408, 409
Phone and Mail Options property set, 231
Physical structure. See also Physical architecture: concepts, 308-324; diagnosing, 354-356; managing, 325-356; monitoring, 354-356
Physical architecture, 51-54. See also Physical structure
PINs (personal identification numbers), 58
PKI (public key infrastructure), 47-48, 57-58, 204, 442, 514
Plug and Play, 83
Policies. See Group Policies
PowerQuest: Drive Image, 108; Partition Magic, 69, 115
Pre-Windows 2000 Compatible Access group, 97, 130, 260
Preference, use of the term, 517
Primalscript, 713
Primary access tokens, 287. See also Access tokens
Print Operators group, 129
Print queues, listing, 865
Processes tab, 711
Processing: loopback, 536-539; Group Policies, 534-546; periodic, 535; slow link, 536
Profile tab, 144, 154-155
Propagation dampening, 388
Properties. See also Attributes; Property cache; Property sets: delegating administration of informational, 275-276; informational, 142-144, 164, 791; listing, 772-784, 868-869; mandatory, 41; multivalued, 41, 737-738; nonreplicating, 322-323; optional, 41; significant, 142-144, 164, 791; single-valued, 41, 737-738; syntax of, 41
Property cache: administration scripts and, 730-736, 767-772; contents of, listing, 770-772; interfaces, 669-770; special data types and, 734-735; ways to read and write, 732-733
Property lists, 480-481
Property pages of schema objects, 618-622, 637-639
Property sets, 230-236, 294-296, 677-679
Protocols (listed by name). See also LDAP (Lightweight Directory Access Protocol); SMTP (Simple Mail Transfer Protocol): DAP (Directory Access Protocol), 48-49; DHCP (Dynamic Host Configuration Protocol), 35-36, 70, 87, 90, 520, 538; DISP (Directory Information Shadowing Protocol), 48; DSP (Directory System Protocol), 48; IP (Internet Protocol), 35, 70, 87, 88, 90, 368, 378, 387, 514-515, 605; SNTP (Simple Network Time Protocol), 403; TCP (Transmission Control Protocol), 490; TCP/IP (Transmission Control Protocol/Internet Protocol), 23, 57, 59, 70, 87, 93-94, 97
Public Information property set, 232
Published Certificates tab, 142, 144
Publishing, basic description of, 58-59

QGrep command, 762
Queries, multipartition, 896-899

RAID drivers, 81
RAM (random-access memory). See also Caches: access tokens and, 175; administration scripts and, 700; installation and, 75, 81, 93; loading DLLs in, 51; schema cache and, 597-599
RAS and IAS Servers group, 132
RCP, 59, 287
RCP Server, 287
RDNs (relative distinguished names): basic description of, 46-47; renaming objects and, 238-239; NDS and, 63
RD/RMDIR command, 115
Read User Information from Excel.xls, 797-798
Read User Information from Standard Input.vbs, 799-801
Recovery Console: basic description of, 112-113; FIXMBR command, 71; starting, 113; using, 113
Recovery options: basic description of, 111-113; Safe Mode and, 111-112
RepAdmin command, 355, 391, 398, 416, 746, 768
References: continuation, 487-488; cross-, 469-473
Referential integrity, 629
Referrals, 469-473, 486, 898-899
RegEdit, 562
RegEdt32, 562-565, 662
Regional settings, 84
Registry: administration scripts and, 704-705, 708-710; Group Policies and, 514, 538, 543, 562-565, 571, 573-575; schema and, 662; tattooing, 506
Regular expressions, converting GUIDs with, 845-846
Relationship tab, 620
Remote Administration mode, 85
Remote Install tab, 171
REN/RENAME command, 115
RepAdmin command, 398
Replace mode, 536-537
Replicas. See also Replication: basic description of, 44, 310-312; partial, 364; partitions and, 310-312
Replicated updates, 388
Replication. See also Replicas: Active Directory objects for, 325-331; advanced topics, 357-364; basic description of, 24-26, 307-419; change notification and, 320, 384-385; collisions and, 398-401; connection objects and, 358-359; global catalogs and, 323; Group Policies and, 547; high-watermark vectors and, 394-395; intersite, 319-321, 364-386; intrasite, 319-321, 357-364; latency, 309, 342; managing the physical structure with, 325-356; metadata, 391-394; multimaster, 25, 309; nature of, 308-310; nonreplicating properties and, 322-323; operation masters and, 324, 404-416; partitions and, 310-312, 362-363, 374-375; PDC emulator and, 406-407; permissions and, 356; reasons to use, 308; reciprocal, 384; removing domain controllers and, 352-354; rings, 357-361; scheduled, 320-321; schema and, 662, 675; server objects and, 341-343; single-master, 25, 310; site link bridges and, 321; SMTP, configuring, 386-387; subnet objects and, 339-340; test environments, 332-333; time synchronization and, 402-404; tombstones and, 401-402; topologies, 314-315; traffic, 421-425; transitive nature of, 319; units of, 17, 435-436; up-to-date vectors and, 395-398; urgent, 321-322
Replication Monitor tool, 569
Replicator group, 130
Reverse lookup zones, 104
RFCs (requests for comments): downloading RFC documents, 35; RFC 977, 35; RFCs 1034-1036, 95; RFC 1278, 633; RFC 1487, 10, 49; RFC 1510, 56; RFC 1769, 403; RFC 1777, 10, 49; RFC 1995, 94; RFC 2052, 95; RFC 2078, 104; RFC 2136, 35, 94; RFC 2137, 104; RFC 2251, 10, 49, 488; RFC 2798, 65; RFC 2849, 489, 498, 501, 876; RFCs related to LDAPv3, 50-51
RID MASTER, 405-406
RIDs (relative IDs), 285, 324, 405-406, 413-414
Rights: extending, 227-229; using permissions instead of, 301-302
RIS (Remote Installation Services), 39, 503: creating computer objects and, 166-168; Group Policies and, 520-521, 573
Root domains: basic description of, 30; domain trees and, 30-31; forest, 95, 448-452; removing, 102
RootDSE, 451, 495, 598, 727-728, 826-827
Root object, 479
RPC (remote procedure call), 348, 378, 383: domain controller placement and, 423; replication and, 24

SACLs (system access control lists): basic description of, 36, 288-289; Group Policies and, 512, 513
Safe Mode, 111-112
Safe Mode with Command Prompt option, 112
Safe Mode with Networking option, 112
Schema: administration scripts and, 801-822; ADSI and, 54; basic description of, 42-44, 581-640; cache, 597-599; containment rules, 607-610; content rules, 629-634; disabling modifications to, 661; dumping, to spreadsheets, 594-596; extending, 43, 641-696; GC and, 585; inspecting, 588-594; location of, 585-592; masters, 405, 660-662; modification of, 642-659; number of, 438; objects, 616-617; permissions and, 677-679; physical location of, 586; replication, 675; role of, 585; searches and, 634-637; structure rules, 607-610; sub-, subentries, 596-597; syntax, 622-631; updates, forcing, 662
Schema Admins group, 131, 259, 661
Schema cache: explanation of, 597-598; update of, 228, 598-599, 661, 662, 672; update with a script, 819, 821
Schema container, 586
Schema Manager snap-in, 592-594, 620, 662, 663: basic description of, 664-674; creating/modifying attributes with, 664-666; creating/modifying classes with, 666-669
Schema master, 405
Script(s): adding, to context menus, 693-694; as command-line tools, 706-708, 884-887; concepts, 697-758; configuration information and, 822-832; debugging, 755-759; development environment for, 712-715; editors, 712-713; examples of, 761-794, 804-805; execution environment for, 699-703; file types, 703; Group Policies and, 509-510; help files and, 713-714; killing, 710-711; property caches and, 730-750, 767-772; schema access, 801-822; settings, 708-710; testing, 704-705
Script Debugger (Microsoft), 85, 86, 756-757
Script tab, 709
SCSI (Small Computer Systems Interface), 81
SDCheck, 250
SDDL (Security Descriptor Definition Language), 617-618: default ACLs and, 267; definition of acronyms in, 255; schema and, 613, 617-618
SDs (security descriptors), 36, 288-296
Search(es): with ADO, 891; with LDAP, 52, 473-501, 893-894; multidomain, 486; on new attributes, 694-696; options, as command object parameters, 899-901; schema and, 634-637; specifying values for, 484-486; strings, 893-894; tools, 488-494
Search Options dialog box, 497
Secedit command, 510
Security Configuration and Analysis Snap-in, 510
Security Configuration Toolset, 510
Security tab, 143
Security Templates snap-in, 510-511
Server(s): bridgehead, 315, 371-374; GUIDs, 389, 395; member, 88, 305-306; objects, moving/managing, 341-343; stand-alone, 88
Server Operators group, 129
Service packs, 80
Services, listing, 863-865
Session Manager, 287
Session tickets, 56
SET command, 115
Setup. See also Installation: finalizing, 89; Wizard, 92-93
Setup Manager Wizard, 106-107
Shortcut trusts, 31
ShowInAdvancedViewOnly attribute, 613-616
Show Property Properties.vbs, 809-810
SIDs (security IDs): ACEs and, 288-292; basic description of, 283-287; deleting users and, 162; foreignSecurityPrincipal object and, 462; installation and, 108; MoveTree tool and, 463; RID master and, 405-406
Single sign-on, 204
Site(s). See also Site links: Active Directory objects for, 325-331; administering, 337-338; basic description of, 23; coverage, 318; Default-First-Site-Name, using, 338-339; objects, creating/managing, 340-341; placement of directory information and, 426-432; replication and, 307-419; setting up multiple, 334-337; setting up single, 333-334
Site link(s): bridges, 321, 378-380; costs of, 369-371; creating/managing, 348-351; replication topology and, 367-369; WANs as, 23
Sites and Services snap-in, 331-333
SLDs (second-level domains), 452
Slow link detection algorithm, 576-578
Smart cards, 57, 440, 661
SMARTDRIVE command, 78
SMTP (Simple Mail Transfer Protocol), 326-327, 330, 348-350, 378, 382-383: domain controller placement and, 423; replication and, 24-25, 386-387, 436; schema and, 601
SNTP (Simple Network Time Protocol), 403
Software. See also Applications: deploying, 559-561; managing, 557-562
Spreadsheets, 594-596
SQL (Structured Query Language), 894-895
SQL Server, 52, 55
SRM (security reference monitor), 246
SRV records, 34, 93, 102
Stamps, 391, 398
Stand-alone servers, 88
Statistically unique numbers, 285
Strings: binding, 725-726; octet, 483; search, 893-894
Structure rules (of schema classes), 607-610
Subnet objects, creating/managing, 339-340
Subschema object. See Abstract schema objects
SUPPORT folder, 74
Switchboard, 9
Switches, 78-79
Synchronization services, 25
Syntax: ADSI, 749-752; choices, 629-634; highlighting, 712; rules, 629-634
SYSOC.INF, 85
SYSOCMGR command, 85
SysPrep (System Preparation Tool), 108
System account, 282. See also LocalSystem account
System container, 674
System Management Server (Microsoft), 509
System partition, 69
System Policy, 40, 505-506
SYSTEMROOT command, 115
System services, 513
System State, 553-554
SysVol (System Volume) folder, 68-69

Task Manager, 704, 711, 756, 864
Task Scheduler, 210, 700, 711
TCO (total cost of ownership), 503
TCP (Transmission Control Protocol), 490. See also TCP/IP (Transmission Control Protocol/Internet Protocol)
TCP/IP (Transmission Control Protocol/Internet Protocol). See also TCP (Transmission Control Protocol): connecting to the Internet and, 59; installation and, 70, 87, 93-94, 97; site functions and, 23; traffic encryption, 57
Telephones tab, 144
Templates: administrative, 515-519; basic description of, 204; Group Policy, 524, 525, 567; security, 41, 204, 510-511
Terminal Services, 85, 87, 93, 476
Testing: batch files, 687-688; environments, 332-333; schema modifications, in forests, 660, 685-690; scripts, 688-690
TGT (ticket-granting ticket), 56, 435
Time: convergence hierarchy, 403; GMT/UTC, 390, 485, 689; services, controlling, 403-404; settings during installation, 87; -stamps, 390; strings, generalized, 485; synchronization, 402-404; target, 404
TLDs (top-level domains), 452
Tombstones, 401-402
Topologies: intersite, 64-65, 364-386; intrasite, 357-364; replication, 314-315, 357-386
Transactions, 52
Transitivity, of replication, 319
Tree(s): creating, 94-95; deleting OUs in, 140-141; moving OUs in, 140-141; renaming OUs in, 140-141; root domain, 451
Troubleshooting: Group Policies, 562-571; installation, 110-113
Trust(s): basic description of, 17-18; bidirectional, 18-19, 30, 453, 455, 462; computer, 441-443; creating explicit, 460-462; managing, 452-562; shortcut, 31, 446-447; transitive, 18-19; tree root, 33; trusted domain objects and, 452-454; verifying, 457-459; viewing, 454-457
TrustAttributes property, 454
TrustDirection property, 453
Trustees, defining, 852
TrustPartner property, 453
Trust view to a forest, 446
TXTSETUP.SIF, 106
TYPE command, 115

UDF (Uniqueness Database File), 106
UltraEdit, 713
Unbind operation of LDAPv3, 52
Unicode character set, 34, 483, 516
UNINST.TXT, 117
United Nations, 47
Universal groups, 21-22
University of Michigan, 10
UNIX, 34-35, 192, 629
Unsolicited Notification operation of LDAPv3, 52
Updates. See also USNs (update sequence numbers): DNS, 35-36; dynamic, 35-36, 102-104; forcing, 662; schema, 662; schema cache, 598-599
Upgrades, 89-90, 509
UPNs (user principal names): basic description of, 46-47, 440; domain controller placement and, 431; locating user objects via, 440; smart card logons and, 440; suffixes for, 148, 440
UPS (uninterruptible power supply), 74, 92
Up-to-date vectors, 395-398
U.S. Department of Defense, 605
User(s): accounts, disabling, 163; accounts, options for, listing, 784-788; administering, 142-164; class, extending, 690-696; copying, 160-161; creating, 145-148, 788-794, 869-870; deleting, 162-163; domain modes and, 134; editing multiple, 65; groups, predefined, 468; home pages of, opening, 164; informational properties of, 156-157; information, reading, 797-801; listing, 764-767, 865, 877-878; managing, 121-202, 764-822; moving, 162, 857; objects, properties of, setting, 149-157; predefined, 125-126; primary groups for, setting, 192-193; properties of, listing, 772-784; properties of, setting, 148-157; renaming, 162; sending e-mail to, 164
User interface: bringing schema extensions to, 676-690; creating objects for, 680-681; where to place new objects in, 676-690
User logon name property, 147
User rights: applying, 303-305; assigning, 302; basic description of, 296-306; modifying, for domain controllers, 304-306; normal privileges, 299-300
Users and Computers snap-in, 92, 140, 160, 200-202: auditing and, 280; basic description of, 200-201, 489; changing group types in, 188; CN=Configuration object and, 586; creating groups with, 186-187; creating user objects with, 582; display of editable properties in, 236; installation and, 92; predefined groups in, 130-133; user property pages of, 236-237; viewing default permissions with, 259
Users container, 124, 126-133
U.S. Naval Observatory, 403
USNs (update sequence numbers), 25, 392-395. See also Updates: basic description of, 313-314, 389-391; high-watermark vectors and, 394-395; local, 390; originating, 390; timestamps and, 390; up-to-date vectors and, 395-398; version numbers and, 390
UUIDGen, 648, 653, 679

V.34 modems, 47
Value(s): attribute, managing, 693-694; specifying, for LDAP searches, 484-486; string, 718
Variable(s): administration scripts and, 718; names, 718
VBA (Microsoft Visual Basic for Applications), 701
VBScript (Microsoft): ADSI and, 54; basic description of, 698, 702, 715-721; COM components and, 753-754; Editor, 713; Group Policies and, 509; schema and, 663; scripts, creating/testing, 688-690; scripts, sample, 716-721
Vectors, 394-395
Verbose mode, 489-490
VeriSign, 57
Veritas WinInstall2000, 559
VINES, 9
Virtual containers, 58
Virtual private networks (VPNs), 155
Visual Basic, 680, 701, 702
Visual Studio Installer (Microsoft), 559
VMware, 73
VMware Workstation, 73
VPNs (virtual private networks), 155

WANs (wide-area networks), 23, 436: bandwidth and, 425; domain controller placement and, 427-432; Group Policies and, 547; hierarchies and, 27, 29; installation and, 109; replication and, 24, 308-309, 315, 318, 334, 338, 368, 370; schema and, 654, 655
Web Information property set, 235
Well-known security principals, 209-212
Whistler, 64-65
WhoWhere, 9
Win32 API, 755
Windows Installer, 557-562
Windows NT (Microsoft): Active Directory and, comparison of, 11-13; Cairo and, 10-11; domains, using multiple domains because of, 436; history of, 8-9; properties, listing, 870-871; system policy, 505-506
Windows 2000 Server (Microsoft): answer files and, 106-107; components, installation of, 85-87; dual booting, 70-73; hardware compatibility with, 74-75; history of, 10-11; installation, 68-76, 80-92, 105-107; requirements/recommendations, 74; Resource Kit, 255, 566-571; server upgrades, 837-90; uninstalling, 113-117
Windows.NET Server, 64-65, 231, 347, 539, 643, 655
Windows 2000 Professional, 92-93
Windows Update Corporate Web site, 91
Windows XP, 64, 539, 578
WinEdit, 715
WINNT command, 78-81
WINNT folder, 68-69
WINNT32 command, 78, 80, 81
WINNT32.EXE, 73
WINS (Microsoft Windows Internet Naming Service), 36, 53, 70, 88
WinSock, 59
Wise for Windows Installer, 559
WKGUIDs, 874-878
WMI (Windows Management Instrumentation), 754-755
Workstations, 302, 305-306, 869-870
World Telecommunication Standardization Conference, 48
WScript, 680, 703-705, 711
WSH (Windows Script Host), 202, 509, 699-742
W32Time, 403
W32TM, 403-404

X.500 standard, 10, 44, 47-49, 606, 613, 629
X.509 certificates, 48, 57, 86. See also PKI (public key infrastructure)
XLNT, 703
XML (Extensible Markup Language), 703, 758, 759
XOM (XAPIA X/Open Object Management) syntax, 629

Yahoo!, 9

Zap files, 560-561, 562
Zones. See DNS Zones 

Updates

Submit Errata



More Information



InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Privacy Notice

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
Such marketing is consistent with applicable law and Pearson's legal obligations.
Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

As required by law.
With the consent of the individual (or their parent, if the individual is a minor)
In response to a subpoena, court order or legal process, to the extent permitted or required by law
To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
To investigate or address actual or suspected fraud or other illegal activities
To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020

Email Address

Inside Active Directory: A System Administrator's Guide

Book

Description

Extras

Web Resources

Sample Content

Online Sample Chapters

Downloadable Sample Chapter

Table of Contents

Preface

ABOUT THIS BOOK

Chapter 1: Active Directory: The Big Picture

Chapter 2: Installation of Windows 2000 and Active Directory

Chapter 3: Managing OUs, Users, and Groups

Chapter 4: Securing Active Directory

Chapter 5: Sites and Replication

Chapter 6: Domains and Forests

Chapter 7: Group Policy

Chapter 8: Active Directory Schema

Chapter 9: Extending the Schema

Chapter 10: Administration Scripts: Concepts

Chapter 11: Administration Scripts: Examples

Index

Updates

Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

Overview

Collection and Use of Information

Questions and Inquiries

Online Store

Surveys

Contests and Drawings

Newsletters

Service Announcements

Customer Service

Other Collection and Use of Information

Application and System Logs

Web Analytics

Cookies and Related Technologies

Do Not Track

Security

Children

Marketing

Correcting/Updating Personal Information

Choice/Opt-out

Sale of Personal Information

Supplemental Privacy Statement for California Residents

Sharing and Disclosure

Links

Requests and Contact

Changes to this Privacy Notice

Other Things You Might Like