www.it-ebooks.info
Active Directory
Other Microsoft .NET resources from O’Reilly
Related titles
Active Directory Cookbook
Learning Windows 2003
Windows Server Hacks
Windows Server 2003 Network Administration
Windows Server 2008: The Definitive Guide
.NET Books Resource Center
dotnet.oreilly.com is a complete catalog of O’Reilly’s books on .NET and related technologies, including sample chapters and code examples.
ONDotnet.com provides independent coverage of fundamental, interoperable, and emerging Microsoft .NET programming and web services technologies.
Conferences
O’Reilly & Associates bring diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in documenting the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events.
Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or simply flip to the page you need. Try it today with a free trial.
FOURTH EDITION
Active Directory
Brian Desmond, Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris
Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo
Active Directory, Fourth Edition
by Brian Desmond, Joe Richards, Robbie Allen, and Alistair G. Lowe-Norris
Copyright © 2009 O’Reilly Media. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (). For more information, contact our corporate/institutional sales department: (800) 998-9938 or
Editors: John Osborn and Laurel Ruma
Production Editor: Loranah Dimant
Production Services: Appingo, Inc.
Indexer: Ellen Troutman Zaig
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Jessamyn Read
Printing History:
January 2000: First Edition.
April 2003: Second Edition.
January 2006: Third Edition.
November 2008: Fourth Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of
O’Reilly Media, Inc. Active Directory, the image of domestic cats, and related trade dress are trademarks
of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a
trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
ISBN: 978-0-596-52059-5
[C]
1226607098
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part I. Active Directory Basics

1. A Brief Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Evolution of the Microsoft NOS 4
Brief History of Directories 4
Windows NT Versus Active Directory 5
Windows 2000 Versus Windows Server 2003 10
Windows Server 2003 Versus Windows Server 2003 R2 12
Windows Server 2003 R2 Versus Windows Server 2008 14
Summary 15
2. Active Directory Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
How Objects Are Stored and Identified 17
Uniquely Identifying Objects 18
Building Blocks 20
Domains and Domain Trees 20
Forests 22
Organizational Units 24
Global Catalog 25
Flexible Single Master Operator (FSMO) 25
Time Synchronization in Active Directory 33
Domain and Forest Functional Levels 35
Groups 38
Summary 42
3. Naming Contexts and Application Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Domain Naming Context 46
Configuration Naming Context 47
Schema Naming Context 48
v
Application Partitions 49
Storing Dynamic Data 51
Summary 52

4. Active Directory Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Structure of the Schema 54
X.500 and the OID Namespace 55
Attributes (attributeSchema Objects) 59
Dissecting an Example Active Directory Attribute 59
Attribute Properties 61
Attribute Syntax 61
System Flags 63
Schema FlagsEx 65
Search Flags 65
Property Sets and attributeSecurityGUID 73
Linked Attributes 74
Classes (classSchema Objects) 74
Object Class Category and Inheritance 74
Dissecting an Example Active Directory Class 78
Dynamically Linked Auxiliary Classes 82
Summary 84
5. Site Topology and Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Site Topology 85
Subnets 86
Sites 87
Site Links 89
Site Link Bridges 91
Connection Objects 92
Knowledge Consistency Checker (KCC) 92
Site and Replication Management Tools 93
How Replication Works 94
A Background to Metadata 94
How an Object’s Metadata Is Modified During Replication 101
The Replication of a Naming Context Between Two Servers 106

How Replication Conflicts Are Reconciled 112
Summary 115
6. Active Directory and DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
DNS Fundamentals 118
Zones 118
Resource Records 118
DDNS 119
Global Names Zone 120
DC Locator 122
Resource Records Used by Active Directory 123
Overriding SRV Record Registration 126
Delegation Options 127
Not Delegating the AD DNS Zones 127
Delegating the AD DNS Zones 129
DNS for Standalone AD 130
Active Directory Integrated DNS 132
Replication Impact 135
Background Zone Loading 135
Using Application Partitions for DNS 136
Aging and Scavenging 137
Configuring Scavenging 137
Summary 140
7. Read-Only Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Prerequisites 142
Password Replication Policies 143
Managing the Password Replication Policy 145
Managing RODC Theft 148
The Client Logon Process 149

Populating the Password Cache 154
RODCs and Write Requests 155
User Password Changes 155
Computer Account Password Changes 156
The lastLogonTimeStamp Attribute 156
Last-Logon Statistics 157
Logon Success/Fail Information 157
NetLogon Secure Channel Updates 157
Replication Connection Objects 157
DNS Updates 157
The W32Time Service 160
Application Compatibility 162
RODC Placement Considerations 163
RODCs and Replication 164
Administrator Role Separation 164
Summary 167
8. Group Policy Primer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Capabilities of GPOs 170
Group Policy Storage 172
How Group Policies Work 176
GPOs and Active Directory 176
Prioritizing the Application of Multiple Policies 178
Standard GPO Inheritance Rules in Organizational Units 181
Blocking Inheritance and Overriding the Block in Organizational Unit GPOs 182
When Policies Apply 184
Combating Slowdown Due to Group Policy 186
Security Filtering and Group Policy Objects 188

Loopback Merge Mode and Loopback Replace Mode 189
WMI Filtering 193
Summary of Policy Options 193
Managing Group Policies 195
Using the Group Policy Management Console (GPMC) 196
Group Policy Modeling 197
Delegation and Change Control 198
Using Starter GPOs 202
Group Policy Backup and Restore 203
Scripting Group Policies 205
Troubleshooting Group Policy 206
Group Policy Results Wizard 206
Forcing Group Policy Updates 209
Enabling Extra Logging 209
Group Policy Diagnostic Best Practices Analyzer 210
Third-Party Troubleshooting Tools 210
Summary 210
9. Fine-Grained Password Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Understanding Password Setting Objects 211
Scenarios for Fine-Grained Password Policies 212
Defining Password Setting Objects 212
Creating Password Setting Objects 214
PSO Quick Start 214
Building a PSO from Scratch 214
Managing Password Settings Objects 220
Strategies for Controlling PSO Application 220
Managing PSO Application 221
Delegating Management of PSOs 224
Summary 225
Part II. Designing an Active Directory Infrastructure
10. Designing the Namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
The Complexities of a Design 230
Where to Start 231
Overview of the Design Process 232
Domain Namespace Design 233
Objectives 233
Step 1: Decide on the Number of Domains 234
Step 2: Design and Name the Tree Structure 237
Step 3: Design the Workstation and Server-Naming Scheme 241
Design of the Internal Domain Structure 243
Step 4: Design the Hierarchy of Organizational Units 243
Step 5: Design the Users and Groups 248
Step 6: Design the Application Partition Structure 251
Other Design Considerations 252
Design Examples 253
TwoSiteCorp 253
RetailCorp 256
PetroCorp 257
Designing for the Real World 263
Identify the Number of Domains 263
Design to Help Business Plans and Budget Proposals 264
Recognizing Nirvana’s Problems 266
Summary 267
11. Creating a Site Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Intrasite and Intersite Topologies 269
The KCC 270
Automatic Intrasite Topology Generation by the KCC 271
Site Links: The Basic Building Blocks of Intersite Topologies 275

Site Link Bridges: The Second Building Blocks of Intersite Topologies 278
Designing Sites and Links for Replication 279
Step 1: Gather Background Data for Your Network 279
Step 2: Design the Sites 279
Step 3: Plan the Domain Controller Locations 280
Step 4: Decide How You Will Use the KCC to Your Advantage 282
Step 5: Create Site Links 282
Step 6: Create Site Link Bridges 283
Examples 284
TwoSiteCorp 284
RetailCorp 284
PetroCorp 284
Additional Resources 288
Summary 289
12. Designing Organization-Wide Group Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Using GPOs to Help Design the Organizational Unit Structure 291
Identifying Areas of Policy 292
How GPOs Influenced a Real Organizational Unit Design 293
Guidelines for Designing GPOs 299
Summary 302
13. Active Directory Security: Permissions and Auditing . . . . . . . . . . . . . . . . . . . . . . . . 303
Permission Basics 304
Permission ACE 305
Property Sets, Validated Writes, and Extended Rights 306
Inherited Versus Explicit Permissions 307
Default Security Descriptors 308
Permission Lockdown 309
Confidentiality Bit 310

Protecting Objects from Accidental Deletion 312
Using the GUI to Examine Permissions 313
Reverting to the Default Permissions 318
Viewing the Effective Permissions for a User or Group 319
Using the Delegation of Control Wizard 320
Using the GUI to Examine Auditing 323
Designing Permission Schemes 324
The Five Golden Rules of Permissions Design 324
How to Plan Permissions 333
Bringing Order Out of Chaos 335
Designing Auditing Schemes 337
Implementing Auditing under Windows Server 2008 338
Tracking Last Interactive Logon Information 341
Real-World Examples 343
Hiding Specific Personal Details for All Users in an Organizational Unit from a Group 343
Allowing Only a Specific Group of Users to Access a New Published Resource 345
Restricting Everyone but HR from Viewing Social Security Numbers with Confidential Access Capability 345
Summary 346
14. Designing and Implementing Schema Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Nominating Responsible People in Your Organization 348
Thinking of Changing the Schema 349
Designing the Data 349
To Change or Not to Change 350
The Global Picture 352
Creating Schema Extensions 353

Running the Schema Manager MMC for the First Time 354
The Schema Cache 355
The Schema Master FSMO 356
Using LDIF to Extend the Schema 357
Checks the System Makes When You Modify the Schema 359
Making Classes and Attributes Defunct 360
Summary 361
15. Backup, Recovery, and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Backing Up Active Directory 363
Using the NT Backup Utility 365
Using Windows Server Backup 366
Restoring a Domain Controller 370
Restore from Replication 371
Restore from Backup 374
Install from Media 375
Restoring Active Directory 378
Non-Authoritative Restore 379
Partial Authoritative Restore 384
Complete Authoritative Restore 386
Working with Snapshots 387
FSMO Recovery 389
Restartable Directory Service 391
DIT Maintenance 393
Checking the Integrity of the DIT 394
Reclaiming Space 396
Changing the DS Restore Mode Admin Password 398
Summary 399
16. Upgrading to Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
New Features in Windows Server 2003 402
Differences with Windows 2000 405

Functional Levels Explained 407
How to Raise the Functional Level 408
Preparing for ADPrep 410
ForestPrep 411
DomainPrep 412
Upgrade Process 414
Inventory Domain Controllers 414
Inventory Clients 415
Trial Run 415
Prepare the Forest and Domains 416
Tweak Settings 417
Upgrade Domain Controllers 418
Post-Upgrade Tasks 418
Monitor 418
Raise Functional Levels 419
Start Implementing New Features 420
Summary 420
17. Upgrading to Windows Server 2003 R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
New Active Directory Features in Windows Server 2003 Service Pack 1 422
Differences with Windows Server 2003 423
New Active Directory Features in Windows Server 2003 R2 424
Preparing for ADPrep 424
ForestPrep 425
Service Pack 1 Upgrade Process 426
R2 Upgrade Process 427
Prepare the Forest 427
Upgrade Domain Controllers 427
Summary 428

18. Upgrading to Windows Server 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
New Features in Windows Server 2008 429
Differences with Windows Server 2003 431
Preparing for ADPrep 432
ForestPrep 433
RODCPrep 434
DomainPrep 435
Windows Server 2008 Upgrade Process 435
Summary 436
19. Integrating Microsoft Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
A Quick Word about Exchange/AD Interaction 437
Preparing Active Directory for Exchange 438
Setup Prerequisites 438
PrepareLegacyExchangePermissions 439
PrepareSchema 440
PrepareAD 442
PrepareDomain 443
Active Directory Site Design and Domain Controller Placement 443
Other Considerations 447
Mail-Enabling Objects 448
Using the Exchange Management Console 449
Using PowerShell 455
Summary 455
20. Active Directory Lightweight Directory Service (a.k.a. ADAM) . . . . . . . . . . . . . . . . . 457
ADAM Terms 458
Differences Between AD and ADAM V1.0 459
Standalone Application Service 459
Configurable LDAP Ports 460

No SRV Records 460
No Global Catalog 462
Top-Level Application Partition Object Classes 463
Group and User Scope 463
FSMOs 463
Schema 465
Service Account 465
Configuration/Schema Partition Names 465
Default Directory Security 466
User Principal Names 466
Authentication 466
ADAM R2 Updates 467
Users in the Configuration Partition 467
Password Reset/Change Chaining to Windows 467
Virtual List View (VLV) Searching 467
Confidentiality Bit 468
New and Updated Tools 468
Installation 468
Authentication 468
R2 ADAM for R2 Server Only 468
Active Directory Lightweight Directory Services Updates 468
GUI Tools 469
Availability on Server Core 469
Support for Install from Media 469
Support for Snapshots and the Database Mounting Tool 469
Support for Enhanced Auditing Features 469
AD LDS Installation 469
Installing Components 470
Installing a New ADAM Instance 470
Installing an ADAM Replica 478

Tools 482
ADAM ADSIEDIT 483
ADAM Schema Management 483
ADAM Install 483
ADAMSync 483
ADAM Uninstall 483
AD Schema Analyzer 483
CSVDE 484
DSACLS 484
DSDBUTIL 484
DSDiag 484
DSMgmt 484
LDIFDE 484
LDP 485
RepAdmin 485
ADAM Schema 485
Virtual List View (VLV) Index Support 486
Default Security Descriptors 487
Bindable Objects and Bindable Proxy Objects 487
Using ADAM 488
Creating Application Partitions 488
Creating Containers 489
Creating Users 490
Creating User Proxies 491
Renaming Users 492
Creating Groups 493
Adding Members to Groups 494
Removing Members from Groups 495

Deleting Objects 495
Deleting Application Partitions 496
Summary 497
Part III. Scripting Active Directory with ADSI, ADO, and WMI
21. Scripting with ADSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
What Are All These Buzzwords? 501
ActiveX 501
Windows Scripting Host (WSH) 502
Active Server Pages (ASPs) 502
Active Directory Service Interface (ADSI) 502
ActiveX Data Objects (ADO) 504
Windows Management Instrumentation (WMI) 504
.NET and .NET Framework 504
Writing and Running Scripts 505
A Brief Primer on COM and WSH 505
How to Write Scripts 506
WSH File Formats 507
ADSI 508
Objects and Interfaces 508
Namespaces, ProgIDs, and ADsPath 510
Retrieving Objects 512
Simple Manipulation of ADSI Objects 516
Creating the OU 517
Creating the Users 518
Tearing Down What Was Created 519
Summary 520
22. IADs and the Property Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
The IADs Properties 521

Using IADs::Get and IADs::Put 522
The Property Cache 524
Be Careful 524
More Complexities of Property Access: IADs::GetEx and IADs::PutEx 526
Manipulating the Property Cache 529
Property Cache Mechanics 530
Adding Individual Values 530
Adding Sets of Values 532
Walking Through the Property Cache 533
Writing the Modifications 537
Walking the Property Cache: The Solution 539
Walking the Property Cache Using the Formal Schema Class Definition 542
Checking for Errors in VBScript 545
Summary 547
23. Using ADO for Searching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
The First Search 550
Step 1: Define the Constants and Variables 550
Step 2: Establish an ADO Database Connection 550
Step 3: Open the ADO Connection 551
Step 4: Execute the Query 551
Step 5: Navigate Through the Resultset 553
Step 6: Close the ADO Connection 554
The Entire Script for a Simple Search 554
Understanding Search Filters 555
Items Within a Filter 555
Connecting Filters 556
Optimizing Searches 558
Efficient Searching 558

ObjectClass Versus ObjectCategory 559
Advanced Search Function: SearchAD 561
Summary 565
24. Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Creating a Simple User Account 567
Creating a Full-Featured User Account 568
LDAP Provider 570
Creating Many User Accounts 575
Modifying Many User Accounts 578
Account Unlocker Utility 579
Creating a Group 582
Adding Members to a Group 583
Adding Many USER Groups to Groups 584
Evaluating Group Membership 585
Summary 586
25. Permissions and Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
How to Create an ACE Using ADSI 587
Trustee 591
AccessMask 592
AceType 595
AceFlags 596
Flags, ObjectType, and InheritedObjectType 597
A Simple ADSI Example 599
Discussion 600
A Complex ADSI Example 600
Discussion 603
Making Your Own ACEs 605
Creating Security Descriptors 606
Listing the Security Descriptor of an Object 610
Summary 618

26. Extending the Schema and the Active Directory Snap-ins . . . . . . . . . . . . . . . . . . . . 619
Modifying the Schema with ADSI 619
IADsClass and IADsProperty 619
Creating the Mycorp-LanguagesSpoken Attribute 620
Creating the FinanceUser class 621
Finding the Schema Container and Schema FSMO 624
Transferring the Schema FSMO Role 625
Forcing a Reload of the Schema Cache 626
Adding an Attribute to the Partial Attribute Set 627
Customizing the Active Directory Administrative Snap-ins 628
Display Specifiers 628
Property Pages 629
Context Menus 630
Icons 632
Display Names 632
Leaf or Container 633
Object Creation Wizard 633
Summary 634
27. Scripting with WMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Origins of WMI 636
WMI Architecture 636
CIMOM and CIM Repository 637
WMI Providers 637
Getting Started with WMI Scripting 638
Referencing an Object 638
Enumerating Objects of a Particular Class 639
Searching with WQL 640
Authentication with WMI 641

WMI Tools 642
WMI from a Command Line 642
WMI from the Web 642
WMI SDK 643
Scriptomatic Version 2.0; WMI Scripting Tool 643
Manipulating Services 643
Querying the Event Logs 646
Monitoring Trusts 649
Monitoring Replication 652
Summary 654
28. Scripting DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
DNS Provider Overview 655
Installing the DNS Provider 656
Managing DNS with the DNS Provider 656
Manipulating DNS Server Configuration 657
Listing a DNS Server’s Properties 659
Configuring a DNS server 660
Restarting the DNS Service 661
DNS Server Configuration Check Script 661
Creating and Manipulating Zones 663
Creating a Zone 665
Configuring a Zone 666
Listing the Zones on a Server 667
Creating and Manipulating Resource Records 667
Finding Resource Records in a Zone 670
Creating Resource Records 671
Summary 672
29. Programming the Directory with the .NET Framework . . . . . . . . . . . . . . . . . . . . . . 673

Why .NET? 673
Choosing a .NET Programming Language 674
Choosing a Development Tool 674
.NET IDE Options 675
.NET Development Without an IDE 675
.NET Framework Versions 675
Which .NET Framework Comes with Which OS? 676
Directory Programming Features by .NET Framework Release 677
Assemblies Versus Namespaces 677
Summary of Namespaces, Assemblies, and Framework Versions 678
Directory Services Programming Landscape 678
System.DirectoryServices Overview 679
System.DirectoryServices.ActiveDirectory Overview 682
System.DirectoryServices.Protocols Overview 683
System.DirectoryServices.AccountManagement Overview 684
.NET Directory Services Programming by Example 686
Connecting to the Directory 687
Searching the Directory 691
Basics of Modifying the Directory 693
Managing Users 696
Overriding SSL Server Certificate Verification with SDS.P 698
Summary 700
30. PowerShell Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Exploring the PowerShell 701
Variables and Objects 701
Working with Quotes 702
Profiles 703
Working with the Pipeline 703
The $_ Expression 703
Pipeline by Example 704

Cmdlets 704
The Cmdlet Naming Scheme 705
Cmdlet Parameters 706
Working with Built-in Cmdlets 706
Managing the Environment 710
Formatting Output 711
Processing and Filtering Output 712
Importing Information 713
Exporting Information 715
Building PowerShell Scripts 716
Arguments 717
Functions 718
Error Handling 719
Flow Control 719
Using WMI 724
Summary 726
31. Scripting Active Directory with PowerShell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Becoming Familiar with .NET 727
DirectoryEntry 727
DirectorySearcher 728
Domain 728
Forest 729
DirectoryContext 729
DomainController 729
GlobalCatalog 730
ApplicationPartition 730
Understanding Client-Side Processing 730
Building the Lab Build Script 732

Setup 732
Creating Organizational Units 734
Creating User Accounts 735
Creating Computer Accounts 737
Creating Groups 737
Putting It All Together 738
Working with Forests and Domains 743
Gathering Forest Information 743
Gathering Domain Information 745
Understanding Group Policy 747
Group Policy Refresh Cmdlet 747
GPMC Cmdlets 748
Quest Cmdlets 750
Summary 753
32. Scripting Basic Exchange 2003 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Notes on Managing Exchange 755
Exchange Management Tools 756
Mail-Enabling Versus Mailbox-Enabling 756
Exchange Delegation 757
Mail-Enabling a User 759
Mail-Disabling a User 761
Creating and Mail-Enabling a Contact 761
Mail-Disabling a Contact 762
Mail-Enabling a Group (Distribution List) 763
Mail-Disabling a Group 764
Mailbox-Enabling a User 764
Mailbox-Disabling a User (Mailbox Deletion) 766
Purging a Disconnected Mailbox 767

Reconnecting a Disconnected Mailbox 768
Moving a Mailbox 769
Enumerating Disconnected Mailboxes 770
Viewing Mailbox Sizes and Message Counts 771
Viewing All Store Details of All Mailboxes on a Server 772
Dumping All Store Details of All Mailboxes on All Servers in Exchange Org 773
Summary 774
33. Scripting Basic Exchange 2007 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 777
Exchange Scripting Notes 777
The Departure of the Recipient Update Service 778
Mail-Enabling Versus Mailbox-Enabling 779
Exchange Cmdlet Primer 779
Managing Users 780
Mailbox-Enabling a User 780
Mailbox-Disabling a User 781
Mail-Enabling a User 781
Mail-Disabling a User 782
Viewing Mailbox Properties 782
Moving a User Mailbox 784
Provisioning Mailboxes Out-of-Band 785
Managing Groups 786
Mail-Enabling a Group 786
Mail-Disabling a Group 786
Managing Group Membership 787
Displaying Group Properties 788
Summary 789
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
Preface

Active Directory is a common repository for information about objects that reside on
the network, such as users, groups, computers, printers, applications, and files. The
default Active Directory schema supports numerous attributes for each object class that
can be used to store a variety of information. Access Control Lists (ACLs) are also stored
with each object, which allows you to maintain permissions for who can access and
manage the object. Having a single source for this information makes it more accessible
and easier to manage; however, to accomplish this requires a significant amount of
knowledge on such topics as LDAP, Kerberos, DNS, multimaster replication, group
policies, and data partitioning, to name a few. This book will be your guide through
this maze of technologies, showing you how to deploy a scalable and reliable Active
Directory infrastructure.
Windows 2000 Active Directory has proven itself to be very solid in terms of features
and reliability, but after several years of real-world deployments, there was much room
for improvement. When Microsoft released Windows Server 2003, they focused on
security, manageability, and scalability enhancements. Windows Server 2003 R2 takes
this evolution further and combines Windows Server 2003 Service Pack 1 with some
feature packs, which makes Windows Server even more secure, manageable, and scalable and also adds considerable new functionality, such as a stand-alone LDAP server
service and increased Unix system integration functions right in the box.
Windows Server 2008 introduces some highly sought-after features to Active Directory.
At the top of the list for many administrators will be such features as read-only domain
controllers, support for Server Core, and fine-grained password policies. The list of new
features and major enhancements is lengthy, and we have taken the time to cover them
all in this book.
This book is a major update to the very successful third edition. All of the existing
chapters have been brought up to date with Windows Server 2008 changes, as well as
updates in concepts and approaches to managing Active Directory and script updates.
There are eight new chapters (Chapters 7, 9, 18, 19, 29, 30, 31, and 33) to explain
features or concepts not covered in the third edition. These chapters include in-depth
coverage of read-only domain controllers, fine-grained password policies, Windows PowerShell, and Exchange 2007. We also cover programming Active Directory with .NET. While we have made updates to every chapter in this book, it is worthwhile
to highlight the major enhancements to Chapters 8, 13, and 15 that cover significant
Windows Server 2008 Active Directory changes.
This book describes Active Directory in depth, but not in the traditional way of going
through the graphical user interface screen by screen. Instead, the book sets out to tell
administrators how to design, manage, and maintain a small, medium, or enterprise
Active Directory infrastructure. To this end, the book is split up into three parts.
Part I introduces in general terms much of how Active Directory works, giving you a
thorough grounding in its concepts. Some of the topics include Active Directory replication, the schema, application partitions, group policies, interaction with DNS, domain controllers, and password policies.
In Part II, we describe in copious detail the issues around properly designing the
directory infrastructure. Topics include in-depth looks at designing the namespace,
creating a site topology, designing group policies, auditing, permissions, backup and
recovery, Active Directory Lightweight Directory Services, upgrading Active Directory,
and Microsoft Exchange.
Part III is all about managing Active Directory via automation with Active Directory
Service Interface (ADSI), ActiveX Data Objects (ADO), Windows Management Instrumentation (WMI), PowerShell, and .NET. This section covers how to create and
manipulate users, groups, printers, and other objects that you may need in your
everyday management of Active Directory. It also describes in depth how you can utilize
the strengths of WMI, Windows PowerShell, and the .NET namespace
System.DirectoryServices to manage Active Directory programmatically via those
interfaces.
If you’re looking for in-depth coverage of how to use the MMC snap-ins or Resource
Kit tools, look elsewhere. However, if you want a book that lays bare the design and
management of an enterprise or departmental Active Directory, you need not look any further.
Intended Audience
This book is intended for all Active Directory administrators, whether you manage a
single server or a global multinational with thousands of servers. Even if you have a
previous edition, you will find this fourth edition to be full of updates and corrections
and a worthy addition to your “good” bookshelf: the bookshelf next to your PC with
the books you really read that are all dog-eared with soda drink spills and pizza grease
on them. To get the most out of the book, you will probably find it useful to have a
server running Windows Server 2008 available so that you can check out various items
as we point them out.
If you have no experience with VBScript, the scripting language we use in Part III, don’t
worry. The syntax is straightforward, and you should have no difficulty grasping the
principles of scripting with ADSI, ADO, and WMI. Likewise, the syntax we use in Part
III to cover .NET is straightforward, and for those looking to learn PowerShell, Chapter 30 provides a jumpstart to the PowerShell language.
Contents of the Book
This book is split into three parts.
Part 1, Active Directory Basics
Chapter 1, A Brief Introduction
Reviews the evolution of the Microsoft NOS and some of the major features and
benefits of Active Directory.
Chapter 2, Active Directory Fundamentals
Provides a high-level look at how objects are stored in Active Directory and explains
some of the internal structures and concepts that it relies on.
Chapter 3, Naming Contexts and Application Partitions
Reviews the predefined Naming Contexts within Active Directory, what is contained within each, and the purpose of Application Partitions.
Chapter 4, Active Directory Schema
Gives you information on how the blueprint for each object and each object’s attributes are stored in Active Directory.
Chapter 5, Site Topology and Replication
Details how the actual replication process for data takes place between domain
controllers.
Chapter 6, Active Directory and DNS
Describes the importance of the Domain Name System (DNS) and what it is used
for within Active Directory.
Chapter 7, Read-Only Domain Controllers
Describes the deployment and operation of Read-Only Domain Controllers
(RODCs).
Chapter 8, Group Policy Primer
Gives you a detailed introduction to the capabilities of Group Policy Objects and
how to manage them.
Chapter 9, Fine-Grained Password Policies
Comprehensive coverage of how to design, implement, and manage fine-grained
password policies.