Inside Active Directory
A book by Sakari Kouti and Mika Seitsonen

Index (1st Edition, AD2000)

' (apostrophe), 717, 894

* (asterisk), 458, 485, 719

\ (backslash), 483

: (colon), 499

, (comma), 718

. (decimal point), 718

. (dot), 452

" (double quotes), 718, 724

= (equal sign), 499

/ (forward slash), 499

- (hyphen), 500

< (less-than sign), 499

+ (plus sign), 499, 719

# (pound sign), 499

; (semicolon), 617

[] (square brackets), 237

_ (underscore), 719

169.254.xx, 87

A

Abandon operation of LDAP, 52

Abstract schema objects, 801–806. See also Subschema object

Access (Microsoft), 53

Access control. See also ACEs (access control entries); ACLs (access control
        lists)

    architecture, 280–296

    background for, 206–212

    basic description of, 36–37

    delegation and, 282–283

    impersonation and, 282–283

    security principals and, 207–212

Access tokens

    basic description of, 175–176, 287–288

    universal groups and, 196

Account(s)

    basic description of, 123

    disabling, 163, 172

    Group Policies and, 511

    options, listing, 784–788

    policies, 511

    resetting, 172–173

Account Operators group, 129

Account Restrictions property set, 235

Account tab, 144, 149–154, 232

ACEs (access control entries), 36, 214. See also Access control; ACLs (access
        control lists)

    adding, 39, 848–856

    basic description of, 219, 288–289

    contents of, 289–292

    fields of, 290–291

    Group Policies and, 554

    inheritance and, 240, 851

    listing, 834–837, 839–846

    order of, 850–851

    schema and, 617–618

ACL Editor. See also ACLs (access control lists)

    basic description of, 212

    dialog boxes, anatomy of, 215–222

    DSSec.Dat and, 237, 239

    procedures for using, 213

    setting permissions with, 222–251

    SIDs and, 286

    viewing permissions with, 260

ACLDiag, 250

ACLs (access control lists). See also Access control; ACEs (access control
        entries); ACL Editor; DACL (discretionary access control list)

    administration scripts and, 832–856

    default, changing, 267

ACPI (Advanced Configuration and Power Interface)

    installation and, 74, 110

    problems with, 110

Active Directory

    brief description of, 4–6

    building blocks of, 16–26

    current limitations of, 61

    directory face of, 4

    enterprise services face of, 4

    first look at, 7–8

    history of, 7–8

    installation of, 67, 93–105, 109–111

    introduction to, 4–16

    as a loosely-consistent database, 308–310

    NDS and, comparison of, 13–15, 63

    next version of, 64–65

    requirements/recommendations, 93–94

    Restore Mode, 97

    three faces of, 5–6

    uninstalling, 113, 115–117

    what data to put in, 645–646

    Windows NT and, comparison of, 11–13

    Windows NT face of, 4

ADC (Active Directory Connector), 310

Add ACEs to a Folder.vbs, 854–856

Add ACEs.vbs, 846–854

Add Members to a Group option, 192

Add operation of LDAPv3, 52

Add/Remove applet, 85, 102, 558, 560

Address Book, 9, 425, 635

Address tab, 144

Administration. See also Administration scripts

    delegation of, 12, 19, 39, 141, 268, 269–276

    duplicate, as a cost of adding additional domains, 437

    units of, using multiple domains because of, 434–435

Administration script(s)

    as command-line tools, 706–708, 884–887

    concepts, 697–758

    configuration information and, 822–832

    debugging, 755–759

    development environment for, 712–715

    examples of, 761–794, 804–805

    execution environment for, 698–703

    file types, 703

    help files and, 713–714

    killing, 710–711

    property caches and, 730–750, 767–772

    schema and, 801–822

    settings, 708–710

    testing, 704–705

Administrative groups. See also Groups

    in forests, 466–467

    predefined, 128–133, 466–467

Administrative templates, 515–519

Administrative view to a forest, 446

Administrator account, 126, 259, 261–263

Administrators group

    AdminSDHolder object and, 251

    basic description of, 129

    ownership and, 243–244

AdminSDHolder object, 251

ADMT (Microsoft Active Directory Migration Tool), 463

ADO (Microsoft ActiveX Data Objects)

    administration scripts and, 699, 700, 703, 888, 904

    ADSI and, 55–56, 888–890

    basic description of, 888

    Basic Example.vbs, 893–896

    Basic Example with SQL.vbs, 896–897

    concepts, 888

    mechanics, 890–891

    using, 888–903

ADsFSMO component, 754, 830–831

ADSI (Active Directory Service Interfaces), 54–56, 123, 888–890

    without the Active Directory, 862–870

    administration scripts and, 700, 713–714

    concepts, 721–752

    examples, 724–725, 761–763

    help files, 713–714

    interface, 702–703, 736–839

    operations, 724

    paths, 725–726

    properties and, 735–736

    Resource Kit, 754

    syntax, 749–753

ADSI Edit, 174, 201–202

    basic description of, 488–489

    creating new attributes with, 669–670

    inspecting schema with, 588–591

    renaming objects and, 239

ADSizer (Active Directory Sizer), 420

ADsSecurity component, 754, 830–831

Aggregate object, 596

Aliases (built-in local security groups), 286

Alias objects, 63

Allchin, Jim, 10

ANR (Ambiguous Name Resolution), 226, 635–637, 639, 642, 654, 655, 813

ANSI (American National Standards Institute), 606, 607

Answer files, 106–107

APIPA (Automatic Private Internet Protocol Addressing), 87

APIs (application program interfaces)

    ADSI (Active Directory Service Interfaces) API, 54–56

    GetGPOList API, 538–539

    LDAP C API, 425, 490, 702

    user rights and, 297

    Win32 API, 755

APM (Advanced Power Management), 74

Application(s). See also Software

    data, storing, 59

    deployment, 508–509

    patching, 561

    permissions in, 240–243

    published versus assigned, 560

    removing, 509, 562

    self-repairing, 558

    upgrading, 561

Application tab, 711

Architecture

    access control, 280–296

    ADSI and, 54–56

    basic description of, 41–58

    container objects and, 43–44

    data models and, 41–42

    LDAP and, 49–52

    objects and, 43–47

    partitions and, 44–45

    physical, 51–54

    schema and, 42–43

    X.500 standard and, 47–49

Arguments

    basic description of, 718–719

    command-line arguments (options) in scripts, 754, 805

    optional, 719

ASCII (American Standard Code for Information Interchange), 483, 687

ASN.1 (Abstract Syntax Notation One), 606

ASP (Microsoft Active Server Pages), 701, 756

ATTRIB command, 114

Attribute(s). See also Properties

    ANR, 813–814

    basic description of, 622–631

    bit-field, 635

    constructed, 599, 813–814

    creating, 652–655, 661, 664–666, 669–670, 818–823

    deactivating, 656–659

    inspecting, 589–590

    linked, 627–629

    listing, 805–807

    mandatory, 42, 582, 583, 612, 803

    miscellaneous characteristics for, 637

    modifying, 655–656, 664–666

    multivalued, 582, 634

    names, 591–592

    nonreplicated, 813–814

    optional, 42, 582, 583, 612, 803

    permissions for, 677, 696

    planning new, 660

    reactivating, 659

    schema and, 582–583

    searching on new, 694–696

    single-valued, 582

    syntax, 583

    tombstone, 401–402

    use of the term, 41

    values, managing, 693–694

attributeSchema objects, 585, 622–637, 637–639, 817–818

Attributes tab, 621–622

Auditing

    basic description of, 204, 276–280

    entries, adding, 276–278

    Group Policies and, 512–513

    records, viewing, 279–280

    turning on, 278–279

Authentication

    basic description of, 204

    cross-forest, 65

    Kerberos and, 56

    mutual, 56

Automatic Certificate Request settings, 514

B

Backup Operators group

    basic description of, 129

    user rights and, 296

Base

    DNs, 494

    objects, 469, 479

    schema, 582, 584, 635–636

Base64 encoding, 499

BATCH command, 114

Batch files

    administration scripts and, 701, 793–794

    creating, 687–688

    creating users with, 793–794

    testing, 687–688

BDCs (backup domain controllers)

    domain modes and, 133

    PDC emulator and, 406, 411

    replication and, 25, 310

Binary GUIDs, 837–839. See also GUIDs (globally unique identifiers)

BIND (Berkeley Internet Name Domain), 34, 94

Bindery (of NetWare 3), 9, 723

Binding

    with credentials, 870–872

    early, 721

    to the GC, 876–877

    late, 721

    strings, 726–727

    with WKGUIDs, 872–876

Bind operation of LDAPv3, 52

BindView bv-Admin, 463

BIOS (Basic Input/Output System), 74, 83, 109

Bit(s)

    ACE AccessMask, 290–291

    ACE AceType, 292, 293

    ACE Flags, 292

    connection object, 385

    -fields, 290–291, 635

    least-significant, 291

    site link, 385

Bitwise AND, 485

Bitwise OR, 485

Blackcomb, 65

Boolean values, 483

Bootable CDs, 108–109

BOOTDISK folder, 76

Boot partition, 69

Breakpoints, 759

Bridgehead servers, 315, 371–374

Browser service, 406, 518, 519

Browsers, encryption for, 57

Building Enterprise Active Directory Services—Notes from the Field, 420

Builtin container, 124, 126–130

C

C (high-level language), 54, 680

    administration scripts and, 701, 702

    compilers, 701

C++ (high-level language), 54, 680

    administration scripts and, 701, 702

    compilers, 701

CA Unicenter, 509

Cache

    property. See Property cache.

    schema. See Schema cache.

CACLS command, 793–797

“Cairo,” 10–11

CAL (client access license), 70

Canonical names, 46

Carriage return/linefeed character pair, 719–720

CAs (certificate authorities), 57–58, 92

    Group Policies and, 514

    SMTP replication and, 386

Case-sensitivity, 718

Catalog Services, 26

CCM (Change and Configuration Management), 503

CD/CHDIR command, 114

CDO (Collaborative Data Objects), 700

CDs (compact discs), bootable, 108–109

Certificate Export Wizard, 116

Certificates, exporting, 116

Change notification, 320, 384–385

Channels, secure, 457

Characters

    ASCII, 483, 687

    carriage return/linefeed, 719–720

    number of, in passwords, 530

    Unicode, 34, 483, 516

    unsafe, 499

CHKDSK command, 114

Class(es)

    ADSI and, 54–56

    attributes of, inspecting, 589–590

    basic description of, 599–622

    categories of, 612

    creating, 647–650, 661, 666–669

    deactivating, 656–659

    derived, 610

    extended rights for, 227–229

    identifiers, 600, 603

    identifiers (CLSIDs), 682, 683, 684, 709

    miscellaneous characteristics of, 612–618

    modifying, 650–652, 666–669

    names, 600, 603

    objects of specific, creating/deleting, 229

    planning new, 660

    reactivating, 659

    schema and, 582–583

classSchema objects, 585, 599–622, 815–817

Clean Install option, 80

Client(s)

    access license (CAL), 70

    access tokens, 287

    extensions, 512

    LDAP referrals to, 469

    -server applications, connection points for, 59

    -side extensions (CSEs), 504, 538, 571–573, 575

    slow link detection and, 576–578

    traffic, 420–421, 425

ClonePrincipal tool, 463

CLS command, 114

CLSIDs. See Class(es)—identifiers (CLSIDs)

CMDTOOL.vbs, 885–887

CNs (common names)

    basic description of, 46

    renaming objects and, 239

Collisions, 398–401

COM (Component Object Model), 54–56, 699

    basic description of, 728–730

    components, using, 753–755

    connection points and, 59

    files, registering, 559

COM+, 559

Comdex, 10

Command-line

    CScript options, 706–708

    parameters, 465. See also Arguments

    redirection of output, 707, 773, 799–800

    tools, 111, 112, 173, 250, 353, 355–356, 458, 462, 498, 550, 762, 794,
        884–887

Compare operation of LDAPv3, 52

Compilers, 701

Complete trust areas, 441–443

Components

    COM, 755–757

    homemade, 753

    installation of, 85–87

    using, 753–755

Computer(s). See also Computer accounts; Computer objects

    licensing, 351–352

    locating, 35

    managing, 173, 856–858

    objects, predefined, 133

    registering, 91

    renaming, 173–174

Computer accounts

    disabling, 172

    resetting, 172–173

Computer object(s)

    administering, 164–174

    creating, 166–168

    creating with a script, 861–864

    deleting, 172

    Group Policies and, 507–508

    moving, 172

    properties, 168–171

Computers container, 124

Concurrency control, 661, 675

Configuration

    information, handling, 59, 822–832

    partition, 44, 311, 313, 362

Connection object(s)

    creating/managing, 380–384

    explanation of, 326, 327–331, 358–359

    properties, 899

    replication and, 358–359

Consistency checks, 650

Constant(s)

    administration scripts and, 718–719

    basic description of, 718

    definitions, 758

    intrinsic, 719

    names, 718

Contact(s)

    administering, 142–164

    creating, 148

    deleting, 162–163

    home pages of, opening, 164

    moving, 162

    properties, setting, 148–157

    renaming, 162

    sending e-mail to, 164

Container(s)

    basic description of, 123–125

    classes, 583–585

    objects, 43–44, 583–585

    predefined, 123–125

Containment rules (of schema classes), 607–610

Context menus, adding scripts to, 693–694

Continuation references in LDAP, 487–488

Control Panel, 85, 558. See also Add/Remove applet

Controls dialog box, 497

Control statements, 719

Convergence of Active Directory information, 309

COPY command, 114

Create a Computer Object.vbs, 859–862

Create a Group.vbs, 858

Create a Home Folder for a User - Ver 1.vbs, 794–796

Create a Home Folder for a User - Ver 2.vbs, 796–797

Create a Share.vbs, 867

Create a User in a Workstation.vbs, 869–870

Create a User with a Batch File.bat, 793–794

Create a User with Minimum Attributes.vbs, 788–790

Create a User with More Attributes.vbs, 790–793

Create Object dialog box, 677–678

Credentials, binding with, 870–872

Cross-reference(s)

    basic description of, 469–473

    external, creating, 470–473

    objects, 469–470

CScript, 690, 703–705, 711

CSEs (client-side extensions), 504, 538, 571–573, 575

CSVDE, 202, 662, 663, 674

CTLs (certificate trust lists), 514

Current context, 63

D

DACL (discretionary access control list), 36, 214, 288–289, 290. See also ACLs
    (access control lists)

Dampening, propagation, 388

DAP (Directory Access Protocol), 48–49

Data model, 41–42

Data types

    administration scripts and, 734–735

    handling special, 734–735

Date and time settings, 87. See also Time

DB layer, 52–53

DCDiag, 458–459

DCE (Distributed Computing Environment), 452

DCOM, 559

DCPromo, 16–17, 352, 354, 473, 476–477, 586, 673

    command, 93, 115

Deactivation, of classes, 656–659

DEAs (directory-enabled applications), 5, 43, 59, 642, 659–662

Debugging

    administration scripts, 755–759

    with extra output commands, 755–756

    mode, 112

Default Domain Controllers Policy, 511

Default permissions. See also Permissions

    basic description of, 258–267

    listing, 260–265

    sources of, 259

DEL/DELETE command, 114

Delegating

    basic description of, 19, 39, 269–270

    domain controller installation, 476–478

    domain installation, 473–478

    management of GPOs, 554–557

Delegation (relating to authentication), 282–284

Delegation of Control Wizard, 39, 212

    basic description of, 251–258

    common tasks completed with, 252–256

    custom tasks completed with, 256–258

    customizing list of common tasks, 254–256

    support tools and, 250

DelegWiz.Inf, 254–256

Delete operation of LDAPv3, 52

Deleted objects, listing, 495–497

Deleting

    contacts, 162–163

    GPOs, 552–553

    groups, 194, 861

    objects, 172, 229, 857

    OUs, 857

    users, 162–163

DEN (directory-enabled networking), 5

Deploying software, with Group Policies, 559–561

Description property, 140

Device Manager, 110

Devices

    incompatible, 110

    incorrectly detected, 110

DFS (Windows 2000 Distributed File System), 23, 315–316, 341, 559–561

DHCP (Dynamic Host Configuration Protocol)

    DNS updates and, 35–36

    Group Policies and, 538

    installation and, 70, 87, 90

    RIS and, 520

Dial-in tab, 144, 155–156

DIR command, 114

Directories

    history of, 9

    information about, determining the placement of, 426–432

Directory-enabled applications (DEAs), 5, 43, 59, 642, 659–662

Directory-enabled networking (DEN), 5

Directory service, 4, 9, 11, 42, 47, 142, 310, 585, 723–724

Directory Services Restore Mode option, 112

DISABLE command, 114

Disk images, duplicating, 107–108

DISKPART command, 114

DISP (Directory Information Shadowing Protocol), 48

Display name property, 147

Display specifiers, 682–685

Distributed Systems Guide, 354–355

Distribution groups, 174. See also Groups

DLLs (Dynamic Link Libraries), 557, 573, 684, 898

DMZ (demilitarized zone), 60–61

DNs (distinguished names), 407, 466

    base, 494

    basic description of, 45–47

    features recommended for, 94

    LDAP and, 46, 485, 494

    LDIF and, 498, 501

DNS (Domain Name System). See also Domain names

    Group Policies and, 550

    host names, 84

    host records, 476

    installation and, 70, 84–90, 93–105, 110–111, 117

    integration, 34–36

    namespaces, 17, 31, 32–33

    -related tasks, after installation, 102–105

    RIS and, 520

    root domain, removing, 102

    servers, requesting IP addresses from, 35

    updates, dynamic, 35–36

    virtual containers and, 58

    zones, 61

DnsAdmins group, 132

DnsUpdateProxy group, 132

DNS Zones, 34, 60–61, 94, 102–105, 117, 425, 450

Domain(s). See also Domain controllers; Domain names

    adding workstations to, 302

    basic description of, 17, 62

    choosing, 200

    cost of additional, 437–438

    creating, 94–95

    designing, 432–452

    forest root, 95, 448–452

    installation, delegation of, 473–478

    local groups, 21–22

    looking at single, 429–430

    managing, 452–478

    master browser, 406

    mode, changing, 133–135

    placement of directory information and, 426–432

    single, OU trees in, 29–30

    single, with no OU structure, 27–28

    trees, 30–33

    using multiple, 433–438

    using single, advantages of, 433–438

Domain Admins group, 131, 243–244, 251, 261–264

Domain Computers group, 131

Domain controller(s). See also Domains

    additional, cost of, 437

    basic description of, 6, 16–17

    choosing, 200

    default assignments for, 299–302

    installing, 65, 476–478

    logon rights and, 298

    operations master (OMDCs), 408, 410–411, 413–414, 415

    originating, 390

    placement of, 419–502

    placement of directory information and, 426–432

    privileges and, 28

    promoting, to be GC servers, 346–347

    removing, 352–354

    targeting, for Group Policy operations, 547–548

    USNs and, 390

Domain Controllers container, 124

Domain Controllers group, 131

Domain Guests group, 131

Domain names. See also Domains

    basic description of, 31–32

Domain naming master, 405

Domain Password & Lockout Policies property set, 231

Domains and Trusts snap-in, 454

Domain Users group, 131, 134

DOS (Disk Operating System), 77, 78. See also MS-DOS

DOSNET.INF, 106

Drivers, installation using alternate, 81–83

DSAs (Directory System Agents), 49, 51, 53

DSClient (Directory Service Client), 702

DSP (Directory System Protocol), 48

DSSec.Dat, 237–239, 257, 677

Dual booting, 70–73

Dynamic disks, 92

Dynamic DNS, 35–36

Dynamic updates, enabling, 102–103. See also Updates

E

ECMAScript, 702

EditPlus, 712, 713, 763

EFS (Encrypting File System), 47, 514. See also Encryption

E-mail

    encryption, 57

    sending, to groups, 194

    sending, to users and contacts, 164

    systems, history of, 9

Empty lines, 718

Enable Boot Logging option, 112

ENABLE command, 114

Enable VGA Mode option, 112

Encryption. See also EFS (Encrypting File System)

    e-mail, 57

    installation and, 92

    TCP/IP traffic, 57

    Web browser traffic, 57

Enterprise Admins group, 98, 131, 259, 261

Error(s)

    categories, 880

    checking, 879–884

    levels, 765

    mechanics, 879–880

Error Checking.vbs, 879–884

Escape sequences, 483

ESE (Extensible Storage Engine), 52–53

ESENT.DLL, 51

Event(s)

    Group Policies and, 562–565

    logs, 513, 562–565

Excel (Microsoft)

    ACEs and, 834–837

    administration scripts and, 701, 766–767, 797–798, 807–809, 815–818

    importing text files into, 595–596

    table of default permissions, 260

Exchange (Microsoft), 9, 43, 53, 142, 143, 310, 431, 444, 605, 723

EXIT command, 114

Extended operation of LDAPv3, 52

Extended rights, adding, 293–294

Extensible matching rules, 485

EXTRACT command, 114

F

FastLane Developers, 701

FastLane Migrator, 463

FAT (file allocation table), 71, 73, 81

FAT32, 71, 81

Fault tolerance, 308

FAZAM 2000 RFV (Reduced Functionality Version) tool, 551, 554, 570

File system(s). See also NTFS (Windows NT File System)

    DFS (Windows 2000 Distributed File System), 23, 315–316, 341, 559–561

    EFS (Encrypting File System), 47, 514

    policies, 514

    supported by Windows 2000, 72–73

Filters, 200–201, 592, 616, 889, 901–903

Find command, 762

Find dialog box, 488, 695

FindStr command, 762

Firewalls, 60

First name property, 147

FIXBOOT command, 114

FIXMBR command, 71, 114

flatName property, 453

Folder(s)

    adding ACEs to, 854–856

    creating, 794–797

    home, 794–797

    redirection policies, 520

Foreign security principals, 124, 462

ForeignSecurityPrincipals container, 124, 462

Forest(s). See also Forest root domains

    authentication and, 65

    changes to, 62

    configurations, number of, 440

    creating, 94–95

    designing, 432–452

    managing, 452–478

    managing groups and permissions in, 466–469

    moving groups in, 464–465

    moving objects in, 462–466

    permission assignments in, 468–469

    planning considerations for, 445–452

    predefined administrative groups in, 466–467

    testing schema modifications in, 660, 685–690

    three faces of, 445–446

    trusts, 65, 441–443

    using multiple, 433–444

    using single, 438–445

Forest root domains, 95, 448–452. See also Forests

    empty, 449–450

    nonempty, 450–451

FORMAT command, 114

Forwarding addresses, configuring, 102

Forward lookup zones, creating, 102–103

FRS (Windows 2000 File Replication Service), 23, 53, 315

FSMOs (flexible single-master operations), 25, 324, 404. See also Operations
    master(s)

FullArmor.com, 570

Full Control permission, 273

Full name property, 147

Function(s)

    basic description of, 718–719

    conversion, 719

G

Garbage collector, 402

Gates, Bill, 10

GCs. See Global Catalogs

General Information property set, 231–232, 483

General tab, 144, 170, 195, 232

GetGPOList API, 538–539

GetSID, 286–287

Global Catalogs, 64, 115, 196

    attributes and, 814–815

    basic description of, 26

    binding to, 876–877

    indexing and, 585

    LDAP searches and, 486

    multipartition queries and, 899

    number of, 440–441

    replication and, 323, 364, 375–378

    servers for, placement of, 431–432

    servers for, promoting domain controllers to, 346–347

Global groups, 21–22. See also Groups

GPC (Group Policy container), 523–524, 567

GPOs (Group Policy Objects)

    assigning, 40–41, 124

    basic description of, 40, 522–528

    creating, 548–550

    default permissions for, 575–576

    delegated, creating MMC consoles for, 555–556

    deleting, 552–553

    editing, 550–551

    listing, 827–828

    management of, delegating, 554–557

GPT (Group Policy templates), 524, 525, 567

GPT.INI, 524, 525

Group(s)

    administering, 174–200

    built-in, 128–130, 184

    creating, 186–187

    deleting, 194, 861

    distribution of, 20, 174

    filtering Group Policies with, 532–534

    global, 21–22

    listing, 865

    local, 128–130, 184

    managing, 121–202, 466–469, 856–859

    membership, 64, 188–192, 468–469

    moving, 194, 464–465

    nesting, 21–22

    planning, 194–200

    predefined, 127–133

    primary, for users, 192–193

    properties of, setting, 193–194

    renaming, 194

    restricted, 513

    scope, 21–22, 177–184, 187–188

    security, 21, 174

    sending e-mail to, 194

    strategies for, 197–200

    types of, 174–177, 187–188

    universal, 196–197

    usage, example of, 180–181

    in the Users container, 130–133

Group Policies

    administrative templates and, 515–519

    administration of, delegating, 272–273

    advanced topics, 571–578

    backing up, 553–554

    basic description of, 39–41, 204, 503–578

    concepts for, 503–507

    CSEs and, 504, 571–573

    deploying software with, 559–561

    effective, determining, 539–546

    event logs and, 513, 562–565

    filtering, with groups, 532–534

    folder redirection and, 520

    forcing, 532

    inheritance, 529, 534

    links to, 528–529

    local, 511–513

    loopback processing, 536–537

    managing, 546–557

    operations for, targeting domain controllers for, 547–548

    permissions and, 272–273

    preference, 517–518

    processing, 534–546

    redeploying, 509

    registry settings for, 573–575

    Resource Kit tools for, 566–571

    restricted groups and, 513

    RIS and, 520–521

    security settings and, 510

    slow link detection algorithm and, 576–578

    software management with, 557–562

    troubleshooting, 562–571

    version number for, 524–526

    Windows NT 4 system policy and, comparison of, 505–506

Group Policy dialog box, 528–529, 546–548, 551–552

Group Policy Migration tool, 566, 569–570

Group Policy Reference, 570

Group Policy Results tool, 539, 566–567

Group Policy Scenarios tool, 571

Group Policy tab, 522, 525, 549, 553, 555

Group Policy Verification tool, 567–569

Guests group, 129, 259

GUIDGen, 648, 653, 679

GUIDs (globally unique identifiers), 167–168, 407

    ACEs and, 292–293, 295

    basic description of, 292–293

    binary, 837–839

    cloning objects between forests and, 444

    converting, with regular expressions, 845–846

    database, 389, 394–395, 398

    Group Policies and, 504, 522, 525, 527

    listing, 824–828, 837, 839

    replication and, 357–358, 375, 389

    schema and, 648, 653, 679–680

    server, 389, 395

H

Hardware

    abstraction layer (HAL), 83

    compatibility, with Windows 2000 Server, 74–75

HCL (Hardware Compatibility List), 74

Hello.vbs, 704

HELP command, 114

Help files, 713–714

Hierarchies, 27–34

High encryption pack, 92

High-watermark vectors, 394–395

Home

    folders, creating, 794–797

    pages, opening, 164

HTML (HyperText Markup Language), 757

I

IADsContainer interface, 741–743

IADsGroup interface, 748–749

IADS interface, 739–742

IADsTools, 754

IADsUser interface, 743–748

IBM (International Business Machines), 8–9

ICANN (Internet Corporation for Assigned Names and Numbers), 61, 605, 607

IDE (integrated development environment), 700

IEAK (Internet Explorer Administration Kit), 517, 521. See also Internet Explorer
    browser (Microsoft)

IIS (Microsoft Internet Information Server), 85, 86, 93

    administration scripts and, 701, 756

    ADSI and, 54

    debugging and, 756

    replication and, 387

Impersonation

    basic description of, 56, 282–283

    Kerberos and, 56

    tokens, 287

InetOrgPerson class, 65

Infinite loops, 710–711

Informational properties of users and contacts, 156–158

Infrastructure master, 25, 229, 324, 334, 407–408, 829. See also Operations
    masters

Inheritance, 600, 602, 610–612

    basic description of, 37–38

    blocking, 531–533

    Delegation of Control Wizard and, 252

    dynamic, 240–243

    Group Policies and, 529–534

    static, 37–38, 240–243

Installation

    Active Directory, 67–68, 93–105, 109–111, 122–135

    answer files and, 106–107

    automating, 105–109

    from CDs, 80

    Clean Install option for, 80

    configuring forwarding addresses after, 102

    creating domains, trees, and forests during, 94–95

    creating forward lookup zones after, 102–103

    creating reverse lookup zones after, 104

    decisions to make before, 68–76, 94–95

    defining date and time settings during, 87

    disk duplication and, 107–108

    domain controller, 65, 476–478

    dual booting, 70–73

    enabling dynamic updates after, 102–103

    EXE files for, schema and, 674–675

    finalizing, 89

    from networks, 80–81

    partitions, selecting, 83

    preparation for, 74–76

    recovery options and, 111–113

    removing DNS root domains after, 102

    reversing, 113–117

    starting, 76–79

    steps to take after, 90–92, 100–101

    troubleshooting, 110–113

    using alternative drivers, 81–83

    verifying, 100–101

    Windows 2000 Server, 68–93

InstallShield, 559

Instantiation, of classes, 582

Integers, 483, 485, 486

Integrity, referential, 629

IntelliMirror (Microsoft), 503

Interdomain communications, cost of, 437

Internet

    connecting to, 59–61

    directories, 9

    routers, 60

Internet Explorer browser (Microsoft)

    Administration Kit (IEAK), 517, 521

    debugging and, 756

    Group Policies and, 521

IP (Internet Protocol), 35, 605. See also IPSec (IP Security)

    Group Policies and, 514–515

    installation and, 70, 87, 88, 90

    replication and, 368, 378, 387

IPSec (IP Security), 387, 514–515. See also IP (Internet Protocol)

IRQ (interrupt request) settings, 110

ISAM (Indexed Sequential Access Method), 53

ISDN (Integrated Services Digital Network), 370

ISM (Intersite Messaging) service, 25, 387

ISO (International Organization for Standardization), 47–49, 605–606

ISTG (inter-site topology generator), 366–367, 370–374, 380–381

ITU (International Telecommunication Union), 47–49, 605–606

J

JScript, 509

K

KCC (Knowledge Consistency Checker), 314, 327, 330, 343, 347, 353, 357–365

KDCs (key distribution centers), 56

Kerberos, 56–57, 420, 435, 437–438, 444

    Cairo and, 10

    Group Policies and, 511, 539

    synchronization services and, 25

    trusts and, 452

Keyboard settings, 81

Knowledge Base. See Microsoft Knowledge Base

Kouti.com, 260, 714, 759

L

Language Options dialog box, 81

Language settings, during installation, 81, 84

LAN Manager, 8–9, 512, 732

    access tokens and, 287

    NET commands and, 202

LANs (local area networks)

    loose consistency and, 6

    replication and, 309, 315, 317

    schema and, 655

    as sites, 23

Last Known Good Configuration option, 111, 112

Latency, 309, 342

LAYOUT.INF, 106

LDAP (Lightweight Directory Access Protocol)

    ADSI and, 54

    ANR and, 635

    Base64 encoding and, 499

    basic description of, 6, 49–52

    binding strings, 725–726

    C API, 425, 490, 702

    Cairo and, 11

    client traffic, 425

    continuation references and, 487–488

    controls, extended, 495–497

    Data Interchange Format (LDIF), 498–501

    data model, 581–585

    domain names and, 31

    Group Policies and, 564

    the history of directories and, 10

    NCs and, 308

    property lists and, 480–481

    referrals, to clients, 469

    schema and, 611, 616, 622–626, 645–646, 652

    searches, 473–501, 893–894

    setting properties for OUs and, 139–140

    version 3 operations, 51–52

LDIF (LDAP Data Interchange Format), 498–501. See also LDIFDE (LDIF Directory
    Exchange)

LDIFDE (LDIF Directory Exchange), 202, 489, 498–499, 598, 660

    creating/modifying objects with, 670–674

    schema and, 662, 663, 664, 670–674

LDP tool, 490–494

Leaf

    classes, 583–585

    objects, 43–44, 583–585

Least-significant bit, 291

LGPO (Local GPO), 504, 527–528, 557

Linear regression analysis, 422

Lines

    cutting long, 719

    including, from another file, 758–759

    indenting, 719

Link(s)

    bridges, 321, 378–380

    costs of, 369–371

    creating/managing, 348–351

    disabling parts of, 551–552

    replication topology and, 367–369

    tables, 53

    WANs as, 23

Linked attributes, 627–629

Linux, 472–473

List ACEs—Long.vbs, 839–846

List ACEs—Short.vbs, 834

List ACEs to Excel - Short.vbs, 834–837

List ADSystemInfo.vbs, 831–833

List All Abstract Schema Objects.vbs, 806

List All attributeSchemas to Excel.vbs, 817–818

List All Real Schema Objects.vbs, 811–812

List Attribute Display Names.vbs, 823–824

List Binary GUIDs.vbs, 837–839

List Global Catalog Attributes.vbs, 814–815

List Indexed Attributes.vbs, 812–813

List Objects That Have Blocked ACL Inheritance.vbs, 901–903

List Services.vbs, 863–865

List Shares.vbs, 865–867

LISTSVC command, 114

List the Account Options of a User.vbs, 784–788

List the DC GUIDs.vbs, 824–826

List the GPO GUIDs.vbs, 827–828

List the Member Attributes of a Given Class to Excel.vbs, 805–807

List the Member Attributes of a Given Class.vbs, 805–806

List the Operations Masters.vbs, 828–830

List the Operations Masters with ADsFSMO.vbs, 830–831

List the Property Cache Contents.vbs, 767–772

List the rootDSE Property Cache.vbs, 826–827

List the Supported Namespaces.vbs, 822–823

List the Users of One Container to Excel.vbs, 766–767

List the Users of One Container.vbs, 764–766

List User Properties with Get.vbs, 772–779

List User Properties with Methods.vbs, 779–784

List WinNT Properties of User Class.vbs, 868–869

Load balancing, 308

Local GPO, 504, 527–528

Local policies, 511–513

LocalSystem account, 211, 282, 283, 284

Location tab, 171

Logging. See also Auditing

    detailed, 564–565

    events, 562–565

Logoff scripts, 509

Logon. See also Access control; Authentication

    GCs and, 64

    Group Policies and, 509–510

    Information property set, 235

    rights, 297–298

    smart card, 440, 661

    traffic, 420–421

Loopback Adapter (Microsoft), 94

Loopback processing, 536–539

Loops, 710–711

Loose consistency, 6, 308–310

LSA (Local Security Authority), 51, 322

M

MAKEBOOT command, 76

Managed By property, 140

Managed By tab, 195

Manual refresh, of Group Policies, 536

MAP command, 114

MBR (master boot record), 71

MD/MKDIR command, 114

Member Of tab, 144, 149, 188, 192, 232

Member servers

    basic description of, 88

    modifying user rights for, 305–306

Members tab, 188, 190–191

Menu(s)

    adding scripts to, 693–694

    definitions, adding, 686–687

Merge mode, 536–537

Metadata replication, 391–394

MicroHouse ImageCast, 108

Microsoft Access, 53

Microsoft Active Directory. See Active Directory

Microsoft Active Directory Migration Tool (ADMT), 463

Microsoft Active Server Pages (ASP), 701, 756

Microsoft ActiveX Data Objects (ADO). See ADO

Microsoft Excel

    ACEs and, 832–837

    administration scripts and, 701, 766–767, 797–798, 807–809, 815–818

    importing text files into, 595–596

    table of default permissions, 260

Microsoft Exchange, 53

Microsoft IntelliMirror, 503

Microsoft Internet Explorer browser. See Internet Explorer browser (Microsoft)

Microsoft Internet Information Server (IIS). See IIS (Microsoft Internet
    Information Server)

Microsoft Knowledge Base, 249, 353, 380, 501, 511

Microsoft Loopback Adapter, 94

Microsoft Management Console (MMC), 504–505, 547–548, 550–551, 555–556

Microsoft Metadirectory Services (MMS), 310

Microsoft Office, 754

Microsoft Platform SDK (Software Development Kit), 617

Microsoft Script Debugger, 85, 86, 756–757

Microsoft Software Installer (MSI), 557, 559

Microsoft System Management Server, 509

Microsoft Visual Basic for Applications (VBA), 701

Microsoft Visual Basic Scripting Edition (VBScript)

    ADSI and, 54

    basic description of, 698, 702, 715–721

    COM components and, 753–754

    Editor, 713

    Group Policies and, 509

    schema and, 663

    scripts, creating/testing, 688–690

    scripts, sample, 716–721

Microsoft Visual Studio Installer, 559

Microsoft Windows Internet Naming Service (WINS), 36, 53, 70, 88

Microsoft Windows NT

    Active Directory and, comparison of, 11–13

    Cairo and, 10–11

    domains, using multiple domains because of, 436

    history of, 8–9

    properties, listing, 870–871

    system policy, 505–506

Microsoft Windows NT Directory Service (NTDS), 257, 327, 330–332, 341–347,
    353–354, 380–381, 411, 415

Microsoft Windows NT File System (NTFS). See NTFS (Microsoft Windows NT File
    System)

Microsoft Windows NT LAN Manager (NTLM), 56, 512

Microsoft Windows 2000 Server

    answer files and, 106–107

    components, installation of, 85–87

    dual booting, 70–73

    hardware compatibility with, 74–75

    history of, 10–11

    installation, 68–76, 80–92, 105–107

    Professional, 92–93

    requirements/recommendations, 74

    Resource Kit, 255, 566–571

    server upgrades, 837–90

    uninstalling, 113–117

Microsoft Windows Update Corporate Web site, 91

Mixed mode, 133–135, 177–180

MMC (Microsoft Management Console), 504–505, 547–548, 550–551, 555–556, 593

MMC Group Policy extension, 547–548

MMC Group Policy snap-in, 504–505

MMS (Microsoft Metadirectory Services), 310

Modify DN operation of LDAPv3, 52

Modifying Objects.vbs, 897–898

ModifyLDAP.vbs, 344

Modify operation of LDAPv3, 52

MORE command, 114

MoveTree tool

    basic description of, 462–466

    moving groups and, 464–465

    options, 465–466

MS-DOS, 8, 80–81. See also DOS (Disk Operating System)

MSI (Microsoft Software Installer), 557, 559

Multilanguage version, 84

My Network Places, 8, 518

N

Namespaces, listing, 822–823

Namespace view to a forest, 446

NAT (network address translation), 102

Native mode, 133–135, 181–184

NCs (naming contexts), 308

NDS (Novell Directory Services)

    Active Directory and, comparison of, 13–15, 63

    dynamic inheritance and, 38

    the history of directories and, 9

    introduction of, 11

    partitions and, 62

NetBIOS

    Browser service, 518

    installation and, 84, 95, 100

    names, 36, 59–60, 84, 95

    ports, 59–60

    trusts and, 453, 455

NET commands, 202

NetDom tool, 173, 454, 456, 458, 464

NetIQ Domain Migration Administrator, 463

Netlogon service, 102

NET TIME, 403–404

NetWare (Novell)

    Active Directory and, comparison of, 13–15, 63

    ADSI and, 54

    Catalog Services, 26

    the history of directories and, 9

Network(s)

    installing/configuring, 87–88

    installing Windows 2000 Server from, 80–81

    operating systems, previous Microsoft, 8–9

    traffic, measuring, 420–425

Network Identification tab, 173

Network Monitor, 85, 474

NLTest tool, 173, 454, 456, 458–459

No Override option, 532

Nortel Networks, 11

Northern Telecom. See Nortel Networks

Norton Ghost, 108

Notepad, 54, 109, 510, 545, 687, 704, 713

Notification, change, 320, 384–385

Novell NetWare. See NetWare (Novell)

NTDS (Microsoft Windows NT Directory Service), 257, 327, 330–332, 341–347,
    353–354, 380–381, 411, 415

NTDSA.DLL, 51

NTDSUtil tool, 344, 412, 473–475

NTFS (Microsoft Windows NT File System)

    folder redirection and, 520

    Group Policies and, 557

    installation and, 68–69, 71–73, 81, 83, 89–90, 93, 97

    permissions and, 36–37, 214

    SIDs and, 284

NTLM (Microsoft Windows NT LAN Manager), 56, 512

NTRights command, 304–306

NtSecurityDescriptor property, 206–207, 289

Null sessions, 210

O

Object(s)

    administering, 164–174

    base, 469, 479

    basic description of, 4

    that block ACL Inheritance.vbs, 901–903

    creating, 166–168, 229, 680–681

    deleting, 172, 229, 859

    displaying, 680–681

    extended rights for, 227–229

    finding, 200

    listing, 495–497, 805, 811–812, 901–903

    moving, 172

    names, 45–47, 238–239, 626–629

    predefined, 133

    properties of, setting, 149–157, 168–171

    renaming, 238–239

    schema and, 582–583, 626–629, 676–690

    tables, 52–53

    where to place new, 676–690

Object tab, 143

ObjectType field, 292–293, 294

Octet strings, 483

OIDGEN tool, 606–607

OIDs (object identifiers), 485, 486

    base, 606–607

    basic description of, 603–607

    obtaining, 606–607, 660

    schema and, 603, 660–661, 691

OLE automation

    data types, 749–752

    explanation of, 723

OMDCs (operations master domain controllers), 408, 410–411, 413–414, 415

Open Group, 452, 629

Operating System tab, 170

Operations master(s), 26, 324

    changing, 829–830

    failures, 413–414

    listing, 828–831

    managing, 404–416

    placement of, 408–411

    roles, transferring, 411–412

Oracle, 55

Organizational units (OUs), 27–34, 135–142

    adding users of, to a Group.vbs, 859

    administration scripts and, 856–857, 859

    basic description of, 19–20

    creating, 138, 857

    deleting, 140–141, 857

    features of, 136–137

    managing, 121–202, 856–857

    moving, 140–141

    planning, 141–142

    predefined, 123–125

    properties for, setting, 138–140

    renaming, 140–141

Organization tab, 144

Originating updates, 388. See also Updates

Orphan containers, 463

OS/2 (IBM), 8–9

OSI (Open Systems Interconnection) directory services, 48–49

OUs (organizational units). See Organizational units (OUs); OU trees

OU trees. See also Organizational units (OUs)

    delegating, without blocking, 272

    delegating, with possible blocking, 270–271

    permissions and, 270–272

    roots of, 452

    in single domains, 39–40

Ownership, 243–245

P

Packages

    customizable installation, 558

    non-MSI, deploying, 560–561

    patches for, 509

    upgrades for, 509

Parameters, ADO command object, 899–901

Parent domains

    basic description of, 30

    domain trees and, 30–31

Partition(s)

    administration scripts and, 896–899

    basic description of, 44–45

    configuration, 310–311

    creating, 62

    enterprise, 310–311

    installation and, 81, 83

    merging, 62

    replication and, 310–312, 362–363, 374–375

    schema and, 310–311

    selecting, 83

    topologies of several, 374–375

    types, 311

    Whistler and, 65

Passfilt.dll, 511

Passprop.exe, 511

Password(s)

    administrator, 97

    age, maximum, 530

    creating users and, 145

    forcing complex, 511

    installation and, 97

    minimum number of characters in, 530

    policies, 435

    resetting, 164

Patches, 509

Paths, to abstract schema objects, retrieving, 803–804

PDC emulator, 406–407. See also PDCs (Primary Domain Controllers)

PDCs (Primary Domain Controllers). See also PDC emulator

    installation and, 837

    replication and, 25, 310

    time convergence and, 403

Permission(s)

    accumulation of, 245–246

    administration scripts and, 852–854

    in applications, 240–243

    attribute, 677, 696

    basic description of, 36–37

    concepts, 213–215

    cross-object, 274–275

    default, 212, 258–267, 575–576

    delegation scenarios for, 269–275

    denying, 246–249

    entries, ordering of, 246–249

    in forests, 466–469

    general practices using, 268–269

    generic, 854–856

    handling, with the ACL Editor, 212, 215–229

    inheritance and, 214, 240–243, 259

    list object, 224–227

    managing, 212–251, 466–469, 677–679

    object, 214, 222–239

    ownership and, 243–245

    performance and, 249–250

    property, 214, 229–239

    property set, 230–236

    replication and, 356

    security principals and, 265–267

    special, 36, 213, 222–229

    standard, 36, 213, 222–229

    usage scenarios for, 267–276

    using, instead of rights, 301–302

Personal Information property set, 232–233

Phantoms, 407, 408, 409

Phone and Mail Options property set, 231

Physical structure. See also Physical architecture

    concepts, 308–324

    diagnosing, 354–356

    managing, 325–356

    monitoring, 354–356

Physical architecture, 51–54. See also Physical structure

PINs (personal identification numbers), 58

PKI (public key infrastructure), 47–48, 57–58, 204, 442, 514

Plug and Play, 83

Policies. See Group Policies

PowerQuest

    Drive Image, 108

    Partition Magic, 69, 115

Pre-Windows 2000 Compatible Access group, 97, 130, 260

Preference, use of the term, 517

Primalscript, 713

Primary access tokens, 287. See also Access tokens

Print Operators group, 129

Print queues, listing, 865

Processes tab, 711

Processing

    loopback, 536–539

    Group Policies, 534–546

    periodic, 535

    slow link, 536

Profile tab, 144, 154–155

Propagation dampening, 388

Properties. See also Attributes; Property cache; Property sets

    delegating administration of informational, 275–276

    informational, 142–144, 164, 791

    listing, 772–784, 868–869

    mandatory, 41

    multivalued, 41, 737–738

    nonreplicating, 322–323

    optional, 41

    significant, 142–144, 164, 791

    single-valued, 41, 737–738

    syntax of, 41

Property cache

    administration scripts and, 730–736, 767–772

    contents of, listing, 770–772

    interfaces, 669–770

    special data types and, 734–735

    ways to read and write, 732–733

Property lists, 480–481

Property pages of schema objects, 618–622, 637–639

Property sets, 230–236, 294–296, 677–679

Protocols (listed by name). See also LDAP (Lightweight Directory Access Protocol); SMTP (Simple Mail Transfer Protocol)

    DAP (Directory Access Protocol), 48–49

    DHCP (Dynamic Host Configuration Protocol), 35–36, 70, 87, 90, 520, 538

    DISP (Directory Information Shadowing Protocol), 48

    DSP (Directory System Protocol), 48

    IP (Internet Protocol), 35, 70, 87, 88, 90, 368, 378, 387, 514–515, 605

    SNTP (Simple Network Time Protocol), 403

    TCP (Transmission Control Protocol), 490

    TCP/IP (Transmission Control Protocol/Internet Protocol), 23, 57, 59, 70, 87,
        93–94, 97

Public Information property set, 232

Published Certificates tab, 142, 144

Publishing, basic description of, 58–59

Q

QGrep command, 762

Queries, multipartition, 896–899

R

RAID drivers, 81

RAM (random-access memory). See also Caches

    access tokens and, 175

    administration scripts and, 700

    installation and, 75, 81, 93

    loading DLLs in, 51

    schema cache and, 597–599

RAS and IAS Servers group, 132

RPC, 59, 287. See also RPC (remote procedure call)

RPC Server, 287

RDNs (relative distinguished names)

    basic description of, 46–47

    renaming objects and, 238–239

    NDS and, 63

RD/RMDIR command, 115

Read User Information from Excel.xls, 797–798

Read User Information from Standard Input.vbs, 799–801

Recovery Console

    basic description of, 112–113

    FIXMBR command, 71

    starting, 113

    using, 113

Recovery options

    basic description of, 111–113

    Safe Mode and, 111–112

References

    continuation, 487–488

    cross-, 469–473

Referential integrity, 629

Referrals, 469–473, 486, 898–899

RegEdit, 562

RegEdt32, 562–565, 662

Regional settings, 84

Registry

    administration scripts and, 704–705, 708–710

    Group Policies and, 514, 538, 543, 562–565, 571, 573–575

    schema and, 662

    tattooing, 506

Regular expressions, converting GUIDs with, 845–846

Relationship tab, 620

Remote Administration mode, 85

Remote Install tab, 171

REN/RENAME command, 115

RepAdmin command, 355, 391, 398, 416, 746, 768

Replace mode, 536–537

Replicas. See also Replication

    basic description of, 44, 310–312

    partial, 364

    partitions and, 310–312

Replicated updates, 388

Replication. See also Replicas

    Active Directory objects for, 325–331

    advanced topics, 357–364

    basic description of, 24–26, 307–419

    change notification and, 320, 384–385

    collisions and, 398–401

    connection objects and, 358–359

    global catalogs and, 323

    Group Policies and, 547

    high-watermark vectors and, 394–395

    intersite, 319–321, 364–386

    intrasite, 319–321, 357–364

    latency, 309, 342

    managing the physical structure with, 325–356

    metadata, 391–394

    multimaster, 25, 309

    nature of, 308–310

    nonreplicating properties and, 322–323

    operations masters and, 324, 404–416

    partitions and, 310–312, 362–363, 374–375

    PDC emulator and, 406–407

    permissions and, 356

    reasons to use, 308

    reciprocal, 384

    removing domain controllers and, 352–354

    rings, 357–361

    scheduled, 320–321

    schema and, 662, 675

    server objects and, 341–343

    single-master, 25, 310

    site link bridges and, 321

    SMTP, configuring, 386–387

    subnet objects and, 339–340

    test environments, 332–333

    time synchronization and, 402–404

    tombstones and, 401–402

    topologies, 314–315

    traffic, 421–425

    transitive nature of, 319

    units of, 17, 435–436

    up-to-date vectors and, 395–398

    urgent, 321–322

Replication Monitor tool, 569

Replicator group, 130

Reverse lookup zones, 104

RFCs (requests for comments)

    downloading RFC documents, 35

    RFC 977, 35

    RFCs 1034–1036, 95

    RFC 1278, 633

    RFC 1487, 10, 49

    RFC 1510, 56

    RFC 1769, 403

    RFC 1777, 10, 49

    RFC 1995, 94

    RFC 2052, 95

    RFC 2078, 104

    RFC 2136, 35, 94

    RFC 2137, 104

    RFC 2251, 10, 49, 488

    RFC 2798, 65

    RFC 2849, 489, 498, 501, 876

    RFCs related to LDAPv3, 50–51

RID master, 405–406

RIDs (relative IDs), 285, 324, 405–406, 413–414

Rights

    extending, 227–229

    using permissions instead of, 301–302

RIS (Remote Installation Services), 39, 503

    creating computer objects and, 166–168

    Group Policies and, 520–521, 573

Root domains

    basic description of, 30

    domain trees and, 30–31

    forest, 95, 448–452

    removing, 102

RootDSE, 451, 495, 598, 727–728, 826–827

Root object, 479

RPC (remote procedure call), 348, 378, 383

    domain controller placement and, 423

    replication and, 24

S

SACLs (system access control lists)

    basic description of, 36, 288–289

    Group Policies and, 512, 513

Safe Mode, 111–112

Safe Mode with Command Prompt option, 112

Safe Mode with Networking option, 112

Schema

    administration scripts and, 801–822

    ADSI and, 54

    basic description of, 42–44, 581–640

    cache, 597–599

    containment rules, 607–610

    content rules, 629–634

    disabling modifications to, 661

    dumping, to spreadsheets, 594–596

    extending, 43, 641–696

    GC and, 585

    inspecting, 588–594

    location of, 585–592

    masters, 405, 660–662

    modification of, 642–659

    number of, 438

    objects, 616–617

    permissions and, 677–679

    physical location of, 586

    replication, 675

    role of, 585

    searches and, 634–637

    structure rules, 607–610

    sub-, subentries, 596–597

    syntax, 622–631

    updates, forcing, 662

Schema Admins group, 131, 259, 661

Schema cache

    explanation of, 597–598

    update of, 228, 598–599, 661, 662, 672

    update with a script, 819, 821

Schema container, 586

Schema Manager snap-in, 592–594, 620, 662, 663

    basic description of, 664–674

    creating/modifying attributes with, 664–666

    creating/modifying classes with, 666–669

Schema master, 405

Script(s)

    adding, to context menus, 693–694

    as command-line tools, 706–708, 884–887

    concepts, 697–758

    configuration information and, 822–832

    debugging, 755–759

    development environment for, 712–715

    editors, 712–713

    examples of, 761–794, 804–805

    execution environment for, 699–703

    file types, 703

    Group Policies and, 509–510

    help files and, 713–714

    killing, 710–711

    property caches and, 730–750, 767–772

    schema access, 801–822

    settings, 708–710

    testing, 704–705

Script Debugger (Microsoft), 85, 86, 756–757

Script tab, 709

SCSI (Small Computer Systems Interface), 81

SDCheck, 250

SDDL (Security Descriptor Definition Language), 617–618

    default ACLs and, 267

    definition of acronyms in, 255

    schema and, 613, 617–618

SDs (security descriptors), 36, 288–296

Search(es)

    with ADO, 891

    with LDAP, 52, 473–501, 893–894

    multidomain, 486

    on new attributes, 694–696

    options, as command object parameters, 899–901

    schema and, 634–637

    specifying values for, 484–486

    strings, 893–894

    tools, 488–494

Search Options dialog box, 497

Secedit command, 510

Security Configuration and Analysis Snap-in, 510

Security Configuration Toolset, 510

Security tab, 143

Security Templates snap-in, 510–511

Server(s)

    bridgehead, 315, 371–374

    GUIDs, 389, 395

    member, 88, 305–306

    objects, moving/managing, 341–343

    stand-alone, 88

Server Operators group, 129

Service packs, 80

Services, listing, 863–865

Session Manager, 287

Session tickets, 56

SET command, 115

Setup. See also Installation

    finalizing, 89

    Wizard, 92–93

Setup Manager Wizard, 106–107

Shortcut trusts, 31

ShowInAdvancedViewOnly attribute, 613–616

Show Property Properties.vbs, 809–810

SIDs (security IDs)

    ACEs and, 288–292

    basic description of, 283–287

    deleting users and, 162

    foreignSecurityPrincipal object and, 462

    installation and, 108

    MoveTree tool and, 463

    RID master and, 405–406

Single sign-on, 204

Site(s). See also Site links

    Active Directory objects for, 325–331

    administering, 337–338

    basic description of, 23

    coverage, 318

    Default-First-Site-Name, using, 338–339

    objects, creating/managing, 340–341

    placement of directory information and, 426–432

    replication and, 307–419

    setting up multiple, 334–337

    setting up single, 333–334

Site link(s)

    bridges, 321, 378–380

    costs of, 369–371

    creating/managing, 348–351

    replication topology and, 367–369

    WANs as, 23

Sites and Services snap-in, 331–333

SLDs (second-level domains), 452

Slow link detection algorithm, 576–578

Smart cards, 57, 440, 661

SMARTDRIVE command, 78

SMTP (Simple Mail Transfer Protocol), 326–327, 330, 348–350, 378, 382–383

    domain controller placement and, 423

    replication and, 24–25, 386–387, 436

    schema and, 601

SNTP (Simple Network Time Protocol), 403

Software. See also Applications

    deploying, 559–561

    managing, 557–562

Spreadsheets, 594–596

SQL (Structured Query Language), 894–895

SQL Server, 52, 55

SRM (security reference monitor), 246

SRV records, 34, 93, 102

Stamps, 391, 398

Stand-alone servers, 88

Statistically unique numbers, 285

Strings

    binding, 725–726

    octet, 483

    search, 893–894

Structure rules (of schema classes), 607–610

Subnet objects, creating/managing, 339–340

Subschema object. See Abstract schema objects

SUPPORT folder, 74

Switchboard, 9

Switches, 78–79

Synchronization services, 25

Syntax

    ADSI, 749–752

    choices, 629–634

    highlighting, 712

    rules, 629–634

SYSOC.INF, 85

SYSOCMGR command, 85

SysPrep (System Preparation Tool), 108

System account, 282. See also LocalSystem account

System container, 674

System Management Server (Microsoft), 509

System partition, 69

System Policy, 40, 505–506

SYSTEMROOT command, 115

System services, 513

System State, 553–554

SysVol (System Volume) folder, 68–69

T

Task Manager, 704, 711, 756, 864

Task Scheduler, 210, 700, 711

TCO (total cost of ownership), 503

TCP (Transmission Control Protocol), 490. See also TCP/IP (Transmission Control Protocol/Internet Protocol)

TCP/IP (Transmission Control Protocol/Internet Protocol). See also TCP (Transmission Control Protocol)

    connecting to the Internet and, 59

    installation and, 70, 87, 93–94, 97

    site functions and, 23

    traffic encryption, 57

Telephones tab, 144

Templates

    administrative, 515–519

    basic description of, 204

    Group Policy, 524, 525, 567

    security, 41, 204, 510–511

Terminal Services, 85, 87, 93, 476

Testing

    batch files, 687–688

    environments, 332–333

    schema modifications, in forests, 660, 685–690

    scripts, 688–690

TGT (ticket-granting ticket), 56, 435

Time

    convergence hierarchy, 403

    GMT/UTC, 390, 485, 689

    services, controlling, 403–404

    settings during installation, 87

    -stamps, 390

    strings, generalized, 485

    synchronization, 402–404

    target, 404

TLDs (top-level domains), 452

Tombstones, 401–402

Topologies

    intersite, 64–65, 364–386

    intrasite, 357–364

    replication, 314–315, 357–386

Transactions, 52

Transitivity, of replication, 319

Tree(s)

    creating, 94–95

    deleting OUs in, 140–141

    moving OUs in, 140–141

    renaming OUs in, 140–141

    root domain, 451

Troubleshooting

    Group Policies, 562–571

    installation, 110–113

Trust(s)

    basic description of, 17–18

    bidirectional, 18–19, 30, 453, 455, 462

    computer, 441–443

    creating explicit, 460–462

    managing, 452–462

    shortcut, 31, 446–447

    transitive, 18–19

    tree root, 33

    trusted domain objects and, 452–454

    verifying, 457–459

    viewing, 454–457

TrustAttributes property, 454

TrustDirection property, 453

Trustees, defining, 852

TrustPartner property, 453

Trust view to a forest, 446

TXTSETUP.SIF, 106

TYPE command, 115

U

UDF (Uniqueness Database File), 106

UltraEdit, 713

Unbind operation of LDAPv3, 52

Unicode character set, 34, 483, 516

UNINST.TXT, 117

United Nations, 47

Universal groups, 21–22

University of Michigan, 10

UNIX, 34–35, 192, 629

Unsolicited Notification operation of LDAPv3, 52

Updates. See also USNs (update sequence numbers)

    DNS, 35–36

    dynamic, 35–36, 102–104

    forcing, 662

    schema, 662

    schema cache, 598–599

Upgrades, 89–90, 509

UPNs (user principal names)

    basic description of, 46–47, 440

    domain controller placement and, 431

    locating user objects via, 440

    smart card logons and, 440

    suffixes for, 148, 440

UPS (uninterruptible power supply), 74, 92

Up-to-date vectors, 395–398

U.S. Department of Defense, 605

User(s)

    accounts, disabling, 163

    accounts, options for, listing, 784–788

    administering, 142–164

    class, extending, 690–696

    copying, 160–161

    creating, 145–148, 788–794, 869–870

    deleting, 162–163

    domain modes and, 134

    editing multiple, 65

    groups, predefined, 468

    home pages of, opening, 164

    informational properties of, 156–157

    information, reading, 797–801

    listing, 764–767, 865, 877–878

    managing, 121–202, 764–822

    moving, 162, 857

    objects, properties of, setting, 149–157

    predefined, 125–126

    primary groups for, setting, 192–193

    properties of, listing, 772–784

    properties of, setting, 148–157

    renaming, 162

    sending e-mail to, 164

User interface

    bringing schema extensions to, 676–690

    creating objects for, 680–681

    where to place new objects in, 676–690

User logon name property, 147

User rights

    applying, 303–305

    assigning, 302

    basic description of, 296–306

    modifying, for domain controllers, 304–306

    normal privileges, 299–300

Users and Computers snap-in, 92, 140, 160, 200–202

    auditing and, 280

    basic description of, 200–201, 489

    changing group types in, 188

    CN=Configuration object and, 586

    creating groups with, 186–187

    creating user objects with, 582

    display of editable properties in, 236

    installation and, 92

    predefined groups in, 130–133

    user property pages of, 236–237

    viewing default permissions with, 259

Users container, 124, 126–133

U.S. Naval Observatory, 403

USNs (update sequence numbers), 25, 392–395. See also Updates

    basic description of, 313–314, 389–391

    high-watermark vectors and, 394–395

    local, 390

    originating, 390

    timestamps and, 390

    up-to-date vectors and, 395–398

    version numbers and, 390

UUIDGen, 648, 653, 679

V

V.34 modems, 47

Value(s)

    attribute, managing, 693–694

    specifying, for LDAP searches, 484–486

    string, 718

Variable(s)

    administration scripts and, 718

    names, 718

VBA (Microsoft Visual Basic for Applications), 701

VBScript (Microsoft)

    ADSI and, 54

    basic description of, 698, 702, 715–721

    COM components and, 753–754

    Editor, 713

    Group Policies and, 509

    schema and, 663

    scripts, creating/testing, 688–690

    scripts, sample, 716–721

Vectors, 394–395

Verbose mode, 489–490

VeriSign, 57

Veritas WinInstall2000, 559

VINES, 9

Virtual containers, 58

Virtual private networks (VPNs), 155

Visual Basic, 680, 701, 702

Visual Studio Installer (Microsoft), 559

VMware, 73

VMware Workstation, 73

VPNs (virtual private networks), 155

W

WANs (wide-area networks), 23, 436

    bandwidth and, 425

    domain controller placement and, 427–432

    Group Policies and, 547

    hierarchies and, 27, 29

    installation and, 109

    replication and, 24, 308–309, 315, 318, 334, 338, 368, 370

    schema and, 654, 655

Web Information property set, 235

Well-known security principals, 209–212

Whistler, 64–65

WhoWhere, 9

Win32 API, 755

Windows Installer, 557–562

Windows NT (Microsoft)

    Active Directory and, comparison of, 11–13

    Cairo and, 10–11

    domains, using multiple domains because of, 436

    history of, 8–9

    properties, listing, 870–871

    system policy, 505–506

Windows 2000 Server (Microsoft)

    answer files and, 106–107

    components, installation of, 85–87

    dual booting, 70–73

    hardware compatibility with, 74–75

    history of, 10–11

    installation, 68–76, 80–92, 105–107

    requirements/recommendations, 74

    Resource Kit, 255, 566–571

    server upgrades, 837–90

    uninstalling, 113–117

Windows .NET Server, 64–65, 231, 347, 539, 643, 655

Windows 2000 Professional, 92–93

Windows Update Corporate Web site, 91

Windows XP, 64, 539, 578

WinEdit, 715

WINNT command, 78–81

WINNT folder, 68–69

WINNT32 command, 78, 80, 81

WINNT32.EXE, 73

WINS (Microsoft Windows Internet Naming Service), 36, 53, 70, 88

WinSock, 59

Wise for Windows Installer, 559

WKGUIDs, 874–878

WMI (Windows Management Instrumentation), 754–755

Workstations, 302, 305–306, 869–870

World Telecommunication Standardization Conference, 48

WScript, 680, 703–705, 711

WSH (Windows Script Host), 202, 509, 699–742

W32Time, 403

W32TM, 403–404

X

X.500 standard, 10, 44, 47–49, 606, 613, 629

X.509 certificates, 48, 57, 86. See also PKI (public key infrastructure)

XLNT, 703

XML (Extensible Markup Language), 703, 758, 759

XOM (XAPIA X/Open Object Management) syntax, 629

Y

Yahoo!, 9

Z

Zap files, 560–561, 562

Zones. See DNS Zones

Last modified 07/22/07