Foreword
I've been waiting for "The Year of the Directory" for 15 years, basically since "The Year of the
LAN," which, if I recall correctly, occurred in 1983, 1984, 1985, and briefly again in 1988. But
as I write this in 2003, there are very few enterprise networks that are not running a directory of
one sort or another. While I was patiently waiting at the front door, the directory slipped in the
back. I must have been napping on the couch.
The Year of the Directory never came, nor will it ever. Just as with TV, fax, LANs, cell phones,
and the Internet, we've experienced another sea change in communications and information
technology. But no one can point to the time when the change "happened." Ocean tides have a
well-defined schedule, but watershed technology changes are more like global warming. "Look,
Honey! The waves come right up to the front porch!" The IT industry has simply evolved over
time to assimilate yet another new technology, making our ability to communicate and compute
more seamless, more pervasive, and more affordable.
And that's sort of the point of directories: to make it possible for us to build larger, more
sophisticated networks that don't collapse under the weight of their own complexity. The first
commercial NOS with an integrated directory, Banyan's VINES, was a startling success in this
regard. At a time when most enterprise IT executives were just dimly aware that workgroup
LANs had utterly subverted their minicomputer and mainframe-based strategies, a relatively few
prescient CIOs had seen the future, building centrally managed, global PC networks based on
Banyan's distributed and replicated directory, StreetTalk.
I loved VINES and StreetTalk because they made it possible to operate distributed enterprise
networks with extremely low administrative costs. The VINES NOS provided competent file,
print, and communications on industry-standard server hardware. The StreetTalk directory
service added secure, distributed naming and authentication across the entire network. VINES
also came bundled with a directory-integrated email system that was a model of simplicity and
scalability. VINES administrators enjoyed all this with a low level of administrative overhead
that we can only appreciate in retrospect. Bringing up a new VINES server running both the
directory and email service amounted to loading the OS (27 floppies worth!), configuring the
NIC, and giving the server a name. Troubleshooting tools were mostly nonexistent because there
were mostly no troubles to shoot. And when there was a problem that we couldn't sort out using
the primitive tools we had, waving a dead chicken over the suspect server usually took care of it.
StreetTalk made VINES as close to a "set it and forget it" network as the industry has ever seen,
which is just what directories are supposed to do.
Banyan's 10-year lead in the enterprise network market evaporated in about 5 years, due to many
factors: inept marketing, the introduction of a competitive directory from Novell (NDS, now
called eDirectory), and ISV support that could only be described as hostile. Banyan's demise as a
NOS company was as ugly as it was inevitable.
The NOS directory market is now left to Novell's eDirectory and Microsoft's Active Directory.
eDirectory does well in many situations, but for building enterprise-scale, Windows-based
networks, Active Directory's dominance seems inevitable.
Now I'll admit to being a big fan of Microsoft's Active Directory. Active Directory is a
wonderfully sophisticated piece of software that performs well, scales up and scales out, and
does an outstanding job of integrating computers running earlier Windows operating systems
such as Windows NT 4.0 and Windows 98. I doubt that Microsoft has ever produced a piece of
software as reliable as Active Directory, particularly in its 1.0 version. I'd be really surprised if
there's an enterprise that can't implement Active Directory successfully.
But all that sophistication and performance requires a substantial amount of care and feeding.
Running a VINES network was like driving a 60s vintage VW Beetle: push, pull, left, right, and
the Bug did pretty much what you expected. Managing an Active Directory enterprise is more
like piloting a Lear jet. If you don't know how to use all those knobs and dials properly, you've
got a good chance of leaving a smoking crater in the ground.
A competent Active Directory administrator must have at least a passing understanding of a
handful of different technologies, including DNS, WINS, Kerberos, LDAP, and the Windows
operating system itself. And he must be able to perform more than a hundred different tasks
using more than 30 different utilities. Even if you've read the books and taken the classes,
becoming a skilled Active Directory administrator requires detailed knowledge of the ins and
outs of Active Directory. Although Active Directory simplifies the management of a large
network substantially, much of the administrative overhead has simply shifted to Active
Directory itself.
That's where the Active Directory Cookbook comes in. Robbie Allen has produced an
outstanding reference that spells out how to perform the hundred-plus tasks that an administrator
is likely to perform during the Active Directory lifecycle. The Active Directory Cookbook is
essentially a book of checklists for the professional Active Directory pilot. Each administrative
task includes background information, step-by-step instructions, and references to more detailed
information on Microsoft's web site. If you need to do something with Active Directory, Robbie
shows you how to do it with a minimum of fuss and bother.
I've known Robbie for several years, both as a first-string speaker for NetPro's Directory Experts
Conference and as a frequent contributor to Tony Murray's activedir.org mailing list. Robbie
brings a rare combination of skills and knowledge to the table. He has the rare ability to blend an
in-depth knowledge of how Active Directory actually works, hands-on understanding of what an
administrator needs to do (and not do!) to successfully deploy and run a large Active Directory
installation, and a Unix administrator's inbred desire to automate everything with scripts. So not
only does Robbie deliver a "how-to" for every Active Directory administrative task you're likely
to perform, he shows you how to automate it using a combination of VB Script, Perl, batch files,
and command-line utilities.
And that's what really excites me about this book. A catalog of step-by-step instructions for
common Active Directory administrative tasks would be useful by itself. But by providing a
programmatic solution for most of these tasks, Robbie has laid the groundwork for automating
most of your day-to-day Active Directory management tasks. And that brings you a step closer to
what you ultimately want: a network with the performance and sophistication of Windows and
Active Directory, and the simplicity of administration we haven't had since VINES and
StreetTalk. That would be a mighty powerful combination.
—Gil Kirkpatrick, CTO, NetPro[1]
[1] Gil Kirkpatrick is the Chief Technology Officer at NetPro and the founder of the Directory Experts
Conference. With a strategic combination of software solutions, conferences, and web resources, NetPro is
revolutionizing the way companies manage their directories and driving the availability and performance of
the world's networks. NetPro delivers the only comprehensive suite of solutions designed to manage network
directory services for 24 x 7 availability throughout the directory lifecycle ().
Preface
In 1998 when I first became involved with the Microsoft Windows 2000 Joint Development
Program (JDP), there was very little data available on Active Directory. In the following months
and even after the initial release of Windows 2000, there were very few books or white papers to
help early adopters of Active Directory get started. And some of the information that had been
published was often inaccurate or misleading. Many early deployers had to learn by trial and
error. As time passed, more and more informative books were published, which helped fill the
information gap.
By the end of the second year of its release, there was an explosion of information on Active
Directory. Not only were there over 50 books published, but Microsoft also cleaned up their
documentation on MSDN () and their AD web site
(). Now those sites have numerous white papers, many of which
could serve as mini booklets. Other web sites have popped up as well that contain a great deal of
information on Active Directory. With Windows Server 2003, Microsoft has taken their level of
documentation a step higher. Extensive information on Active Directory is available directly
from any Windows Server 2003 computer in the form of the Help and Support Center (available
from the Start Menu). So with all this data available on Active Directory in the form of published
books, white papers, web sites, and even from within the operating system, why would you want
to purchase this one?
In the summer of 2002, I was thumbing through the Perl Cookbook from O'Reilly, looking for
help with an automation script I was writing for Active Directory. It just so happened that there
was a recipe that addressed the specific task I was trying to perform. In Cookbook parlance, a
recipe provides instructions on how to solve a particular problem. I thought that since Active
Directory is such a task-oriented environment, the Cookbook approach might be a very good
format. After a little research, I found there were books (often multiple) on nearly every facet of
Active Directory, including introductory books, design guides, books that focused on migration,
programming books, and reference books. The one type of book I didn't see was a task-oriented
"how-to" book, which is exactly what the Cookbook format provides.
Based on my own experience, hours of research, and years of hanging out on Active Directory
newsgroups and mailing lists, I've compiled over 325 recipes that should answer the majority of
"How do I do X" questions one could pose about Active Directory. And just as in the Perl
community where the Perl Cookbook was a great addition that sells well even today, I believe
the Active Directory Cookbook will also be a great addition to any Active Directory library.
Who Should Read This Book?
As with many of the books in the Cookbook series, the Active Directory Cookbook can be useful
to anyone who has to deploy, administer, or automate Active Directory. This book can serve as a
great reference for those who have to work with Active Directory on a day-to-day basis. And
because of all the programming samples, this book can be really beneficial to programmers who
want to get a jumpstart on performing certain tasks in an application. For those without much
programming background, the VBScript and Perl solutions are straightforward and should be
pretty easy to follow and expand on.
The companion to this book, Active Directory, Second Edition from O'Reilly, is a great choice
for those wanting a thorough description of the core concepts behind Active Directory, how to
design an Active Directory infrastructure, and how to automate that infrastructure using Active
Directory Service Interfaces (ADSI) and Windows Management Instrumentation (WMI). Active
Directory, Second Edition does not describe how to accomplish every possible task within
Active Directory; that is the purpose of this book. These two books, along with the supplemental
information described in Recipe 1.5, should be sufficient to answer most questions you have
about Active Directory.
What's in This Book?
This book consists of 18 chapters. Here is a brief overview of each chapter:
• Chapter 1 sets the stage for the book by covering where you can find the tools used in
the book, VBScript and Perl issues to consider, and where to find additional information.
• Chapter 2 covers how to create and remove forests and domains, update the domain
mode or functional levels, create different types of trusts, and other administrative trust
tasks.
• Chapter 3 covers promoting and demoting domain controllers, finding domain
controllers, enabling the global catalog, and finding and managing Flexible Single Master
Operations (FSMO) roles.
• Chapter 4 covers the basics of searching Active Directory; creating, modifying, and
deleting objects; using LDAP controls; and importing and exporting data using LDAP
Data Interchange Format (LDIF) and comma-separated variable (CSV) files.
• Chapter 5 covers creating, moving, and deleting Organizational Units, and managing the
objects contained within them.
• Chapter 6 covers all aspects of managing user objects, including creating, renaming,
moving, resetting passwords, unlocking, modifying the profile attributes, and locating
users that match certain criteria (e.g., password is about to expire).
• Chapter 7 covers how to create groups, modify group scope and type, and manage
membership.
• Chapter 8 covers creating computers, joining computers to a domain, resetting computers,
and locating computers that match certain criteria (e.g., have been inactive for a number
of weeks).
• Chapter 9 covers how to create, modify, link, copy, import, back up, restore, and delete
GPOs using the Group Policy Management Console and scripting interface.
• Chapter 10 covers basic schema administration tasks, such as generating object
identifiers (OIDs) and schemaIDGUIDs, how to use LDIF to extend the schema, and how
to locate attributes or classes that match certain criteria (e.g., all attributes that are
indexed).
• Chapter 11 covers how to manage sites, subnets, site links, and connection objects.
• Chapter 12 covers how to trigger and disable the Knowledge Consistency Checker
(KCC), how to query metadata, force replication, and determine what changes have yet to
replicate between domain controllers.
• Chapter 13 covers creating zones and resource records, modifying DNS server
configuration, querying DNS, and customizing the resource records a domain controller
dynamically registers.
• Chapter 14 covers how to delegate control, view and modify permissions, view effective
permissions, and manage Kerberos tickets.
• Chapter 15 covers how to enable auditing, diagnostics, DNS, NetLogon, Kerberos, and
GPO logging, obtain LDAP query statistics, and manage quotas.
• Chapter 16 covers how to back up Active Directory, perform authoritative and
nonauthoritative restores, check DIT file integrity, perform online and offline defrags,
and search for deleted objects.
• Chapter 17 covers creating and managing application partitions.
• Chapter 18 covers how to integrate Active Directory with various applications, services,
and programming languages.
Conventions Used in This Book
The following typographical conventions are used in this book:
Constant width
Indicates command-line elements, computer output, and code examples.
Constant width italic
Indicates placeholders (for which you substitute an actual name) in examples and in
registry keys.
Constant width bold
Indicates user input.
Italic
Introduces new terms and example URLs, commands, file extensions, filenames,
directory or folder names, and UNC pathnames.
Indicates a tip, suggestion, or general note. For example, I'll tell you if you
need to use a particular version or if an operation requires certain
privileges.
Indicates a warning or caution. For example, I'll tell you if Active Directory
does not behave as you'd expect or if a particular operation has a negative
impact on performance.
We'd Like Your Feedback!
We at O'Reilly have tested and verified the information in this book to the best of our ability, but
mistakes and oversights do occur. Please let us know about errors you may find, as well as your
suggestions for future editions, by writing to:
O'Reilly & Associates, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the U.S. or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)
We have a web page for the book, where we list errata, examples, or any additional information.
You can access this page at:
Examples can also be found at the author's web site:
To comment or ask technical questions about this book, send email to:
For more information about our books, conferences, software, Resource Centers, and the
O'Reilly Network, see our web site at:
Acknowledgments
The people at O'Reilly were a joy to work with. I would like to thank Robert Denn for helping
me get this book off the ground. I am especially grateful for Andy Oram's insightful and thought-
provoking feedback.
I was very fortunate to have an all-star group of technical reviewers. If there was ever a need to
assemble a panel of the top Active Directory experts, you would be hard pressed to find a more
knowledgeable group of guys. Here they are in alphabetical order:
Rick Kingslan () is a Senior Systems Engineer and Microsoft Windows Server
MVP. If you've ever posted a question to an Active Directory newsgroup or discussion forum,
odds are Rick participated in the thread. His uncanny ability to provide useful feedback on just
about any Active Directory problem helped ensure I covered all the angles with each recipe.
Gil Kirkpatrick () is the Executive Vice President & CTO of NetPro
(). Gil is also the author of Active Directory Programming from
MacMillan. His extensive knowledge of the underpinnings of Active Directory helped clarify
several issues I did not address adequately the first time through.
Tony Murray () is the maintainer of the www.ActiveDir.org web site and
mailing list, which is one of the premier Active Directory discussion forums. The myriad of
questions posed to the list served as inspiration for this book. Tony's comments and suggestions
throughout the book helped tremendously.
Todd Myrick () has a unique perspective on Active Directory from his
experience inside the government. Todd contributed several "outside the box" ideas to the book
that only a creative person, such as he, could have done.
Joe Richards () is the creator of the web site, which contains many must-have Active Directory
tools, such as adfind, unlock, and much more. Joe is one of the most experienced Active Directory
administrators and programmers I've met. He's had to do most of the tasks in this book at one
point or another, so his contributions were significant.
Kevin Sullivan () is the Project Manager for Enterprise Directory Management at Aelita. Kevin
has as much experience with Active Directory as anyone you'll find. He is a frequent contributor
to Active Directory discussion forums, and he provided numerous suggestions and clarifications
throughout the book.
Last, but certainly not least, I would like to thank my wife Janet. Her love, support, and bright
smile are constant reminders of how lucky I am. Did I mention she cooks, too!
Chapter 1. Getting Started
Approach to the Book
Recipe 1.1. Where to Find the Tools
Recipe 1.2. Getting Familiar with LDIF
Recipe 1.3. Programming Notes
Recipe 1.4. Replaceable Text
Recipe 1.5. Where to Find More Information
Approach to the Book
If you are familiar with the O'Reilly Cookbook format that can be seen in other popular books,
such as the Perl Cookbook, Java Cookbook, and DNS and BIND Cookbook, then the layout of
this book will not be anything new to you. The book is composed of 18 chapters, each containing
10-30 recipes for performing a specific Active Directory task. Within each recipe are four
sections: problem, solution, discussion, and see also. The problem section briefly describes the
task the recipe focuses on. The solution section contains step-by-step instructions on how to
accomplish the task. The discussion section contains detailed information about the problem or
solution. The see also section contains references to additional sources of information that can be
useful if you still need more information after reading the discussion. The see also section may
reference other recipes, MS Knowledge Base (MS KB) () articles,
or documentation from the Microsoft Developers Network (MSDN) ().
At Least Three Ways to Do It!
When I first began developing the content for the book, I struggled with how to capture the fact
that you can do things multiple ways with Active Directory. You may be familiar with the
famous Perl motto: There Is More Than One Way To Do It; well with Active Directory, there are
often At Least Three Ways To Do It. You can perform a task with a graphical user interface
(GUI), such as ADSI Edit, LDP, or the Active Directory Users and Computers snap-in; you can
use a command-line interface (CLI), such as the ds utilities (i.e., dsadd, dsmod, dsrm, dsquery,
dsget), nltest, netdom, or ldifde; and, finally, you can perform the same task using a scripting
language, such as VBScript or Perl.
Since people prefer different methods, and no one method is necessarily better than another, I
decided to write solutions to the recipes using one of each. That means instead of just a single
solution per recipe, I include up to three solutions using GUI, CLI, and programmatic examples.
That said, some recipes cannot be accomplished with one of the three methods or it is very
difficult to do so. In that case, only the applicable methods are covered.
In the GUI and CLI solutions, I use standard tools that are readily accessible. There are other
tools that I could have used, which would have made some of the tasks easier to accomplish, but
I wanted to make this book as useful as possible without requiring you to hunt down the tools I
use.
I also took this approach with the programmatic solutions; I use VBScript for the programming
language, primarily because it is widely used among Windows administrators and is the most
straightforward from a code perspective when using Active Directory Service Interface (ADSI)
and Windows Script Host (WSH). For those familiar with other languages, such as Visual Basic,
Perl and JScript, it is very easy to convert code from VBScript.
The downside to using VBScript is that it does not have all of the facilities necessary to
accomplish some complicated tasks. It is for this reason that I use Perl in a few recipes that
required a complicated programmatic solution. For those of you who wish that all of the
solutions were written with Perl instead of VBScript, you are in luck. On the book's web site, I've
posted companion Perl solutions for every recipe that had a VBScript solution; you can download
the code there.
Windows 2000 Versus Windows Server 2003
Another challenge with writing this book is there are now two versions of Active Directory. The
initial version was released with Windows 2000 and recently, Microsoft released Windows
Server 2003, which provides a lot of updates and new features. Since Windows Server 2003
Active Directory is the latest and greatest version, and includes a lot of new tools that aren't
present in Windows 2000, I've decided to go with the approach of making everything work under
Windows Server 2003 Active Directory first, and Windows 2000 second. In fact, the majority of
the solutions will work with Windows 2000 unchanged. For the recipes or solutions that are
specific to a particular version, I include a note mentioning the version it is targeted for. Most
GUI and programmatic solutions will work with either version unchanged, but Microsoft
introduced several new CLIs with Windows Server 2003, most of which cannot be run on the
Windows 2000 operating system. Typically, you can still use these newer tools on a Windows
XP or Windows Server 2003 computer to manage Windows 2000 Active Directory.
Recipe 1.1 Where to Find the Tools
For the GUI and CLI solutions to mean much to you, you need access to the tools that are used in
the examples. For this reason, in the majority of cases and unless otherwise noted, I only used
tools that are part of the default operating system or available in the Resource Kit or Support
Tools. The Windows 2000 Server Resource Kit and Windows Server 2003 Resource Kit are
invaluable sources of information, along with providing numerous tools that aid administrators in
their daily tasks. More information on the Resource Kits can be found on Microsoft's web site.
The Windows 2000 Support Tools, which are called
the Windows Support Tools in Windows Server 2003, contain many "must have" tools for
people that work with Active Directory. The Microsoft installer (MSI) for the Windows Support
Tools can be found on a Windows 2000 Server or Windows Server 2003 CD in the