Inside Active Directory: A System Administrator's Guide

This book is no longer in print.

Description

  • Copyright 2002
  • Edition: 1st
  • ISBN-10: 0-201-61621-1
  • ISBN-13: 978-0-201-61621-7

Detailed and thorough, this administrator's guide provides practical strategies for managing Active Directory, the cornerstone technology within Windows 2000 distributed networks. This book covers design, architecture, topology, deployment, and management issues, and provides thorough instructions for efficiently administering the entire network operating environment.

Inside Active Directory: A System Administrator's Guide begins with an overview and covers Active Directory's core features before moving on to document more advanced, specialized skills. This book provides a solid understanding of Active Directory fundamentals, demonstrating how it is used to store and access data, and how it uses industry standards, such as LDAP and other directory protocols. Numerous diagrams and tables appear throughout the book to help readers better comprehend the sometimes-complex technologies involved in migrating to Windows 2000 from Windows NT or other platforms.

This practical guide documents Active Directory extensively, with detailed coverage of the following:

  • The big picture - background, building blocks, hierarchies, DNS integration, security, architecture, and other features.
  • How to efficiently install Active Directory, and how to automate and troubleshoot the process.
  • Planning and management of OUs, users, and groups.
  • Security features, including permission architecture and management, as well as permission usage scenarios.
  • Sites and replication - concepts, planning, management, topologies, processes, and diagnostics.
  • How to plan and manage domains and forests, and how to perform various LDAP searches.
  • Group Policy features, including architecture, planning, management, and diagnostics.
  • A detailed drill-down to the schema, and practical strategies and examples for extending it.
  • Administration scripts - from concepts and basic techniques to advanced script management of Active Directory, including more than fifty sample scripts.
Anyone working with Active Directory will find this book indispensable. Readers new to Windows network administration will gain a solid grasp of the fundamentals. Administrators experienced in NT, UNIX, Netware, and other systems will learn how to adapt their skills to Active Directory. Experienced Windows 2000 professionals will pick up advanced techniques, and developers will benefit from the architectural explanations.

Inside Active Directory is the most practical and comprehensive resource available for planning, implementing, and managing an Active Directory network.

    Extras

    Web Resources: Author's Web Site

    Sample Content

    Online sample chapters: Active Directory Schema; Managing OUs, Users, and Groups in Active Directory

    Downloadable sample chapters: koutich03.pdf, koutich08.pdf

    Table of Contents



    Preface.

    I. BACKGROUND SKILLS

    1. Active Directory: The Big Picture.

    Introduction to Active Directory.

    A Brief Description.

    The First Look at Active Directory.

    History.

    Active Directory Compared to Windows NT.

    Active Directory Compared to NDS.

    A Sample Company.

    Basic Building Blocks.

    Domain Controllers.

    Domains.

    Trust Relationships.

    Organizational Units and Other Objects.

    Groups.

    Sites.

    Replication.

    Global Catalog.

    Hierarchies.

    Single Domain with No OU Structure.

    OU Tree in a Single Domain.

    Domain Trees.

    Forest of Domain Trees.

    DNS Integration.

    Locating Computers and Services.

    Dynamic DNS Updates.

    Security and Policies.

    Access Control.

    Inheritance.

    Delegation of Administration.

    Group Policy.

    Architecture.

    Data Model.

    The Schema.

    Extending the Schema.

    Container and Leaf Objects.

    Partitions.

    Naming Objects.

    The X.500 Standards.

    LDAP.

    Physical Architecture.

    ADSI.

    Kerberos Authentication.

    Public Key Infrastructure.

    Other Features.

    Virtual Containers.

    Publishing.

    Connecting to the Internet.

    Active Directory's Current Limitations.

    The Next Version of Active Directory.

    Conclusion.

    2. Installation of Windows 2000 and Active Directory.

    Before You Install Windows 2000.

    Decisions That Cannot Be Reversed.

    Dual Booting.

    Requirements and Recommendations.

    Preparation.

    Installing Windows 2000.

    Starting Installation.

    The Setup Program.

    The Setup Wizard.

    Installing and Configuring a Network.

    Finalizing the Setup.

    Upgrading Your Operating System.

    After You've Installed Windows 2000 Server.

    Installing Windows 2000 Professional.

    Installing Active Directory.

    Requirements and Recommendations.

    Creating Domains, Trees, and Forests.

    The Installation Process.

    After Active Directory Installation.

    Automating Installation.

    Automating Windows 2000 Installation.

    Automating Active Directory Installation.

    Troubleshooting Installation.

    Incompatible Devices.

    Problems with ACPI.

    Incorrectly Detected Devices.

    Problems with Active Directory Installation.

    Recovery Options.

    Uninstalling Windows 2000 and Active Directory.

    Uninstalling Windows 2000.

    Uninstalling Active Directory.

    Conclusion.

    II. CORE SKILLS.

    3. Managing OUs, Users, and Groups.

    Active Directory after Installation.

    Predefined OUs and Other Containers.

    Predefined Users.

    Predefined Groups.

    Predefined Computer Objects.

    Changing the Domain Mode.

    Administering OUs.

    Features of OUs.

    Managing OUs.

    Planning OUs.

    Administering Users and Contacts.

    Creating Users.

    Creating Contacts.

    Setting User and Contact Properties.

    Other Operations to Manage Users and Contacts.

    Administering Computer Objects.

    Creating Computer Objects.

    Setting Computer Object Properties.

    Other Operations to Manage Computer Objects.

    Administering Groups.

    Group Types.

    Group Scopes.

    Managing Groups.

    Planning Groups.

    Tips on Tools.

    The Users and Computers Snap-In.

    Alternative Means to Manage Users and Other Objects.

    Conclusion.

    4. Securing Active Directory.

    Introduction to Windows 2000 Security.

    Background for Active Directory Access Control.

    Controlling Access.

    Security Principals.

    Well-Known Security Principals.

    Managing Active Directory Permissions.

    Permission Concepts.

    Anatomy of ACL Editor Dialog Boxes.

    Standard and Special Object Permissions.

    Permissions for Object Properties.

    Permissions in Applications.

    Inheritance.

    Ownership.

    How Permissions Accumulate.

    Deny Permissions and the Ordering of Permission Entries.

    Permission Performance.

    DSACLS.

    AdminSDHolder Object.

    Delegation of Control Wizard.

    Common Tasks.

    Custom Tasks.

    Default Permissions for Objects.

    Sources of Default Permissions.

    Common Features of Default Permissions.

    Pre-Windows 2000 Compatible Access.

    Listing Default Permissions.

    Where Security Principals Have Permissions.

    Changing Default ACLs.

    Usage Scenarios for Active Directory Permissions.

    General Practices.

    Delegation Scenarios (To Make Changes).

    User Scenarios (To See Properties).

    Auditing Active Directory Access.

    Adding Auditing Entries.

    Turning On Auditing.

    Viewing Audit Records.

    Access Control Architecture.

    Processes and User Accounts.

    SIDs.

    Access Tokens.

    Security Descriptors.

    User Rights.

    User Rights Categories.

    Fixed Rights.

    Active Directory Permissions Instead of Rights.

    Applying User Rights.

    Conclusion.

    5. Sites and Replication.

    Concepts of the Physical Structure.

    Why Replication.

    Nature of Active Directory Replication.

    Partitions and Replicas.

    Overview of the Replication Process.

    Overview of Replication Topologies.

    Sites.

    Overview of Intrasite and Intersite Replication.

    Urgent Replication.

    Nonreplicating Properties.

    Global Catalog.

    Overview of Operations Masters.

    Managing the Physical Structure.

    Active Directory Objects for Sites and Replication.

    The Big Picture of the Objects.

    The Sites and Services Snap-In.

    Tasks in Managing the Physical Structure.

    Using the Default-First-Site-Name Site.

    Creating and Managing Subnet Objects.

    Creating and Managing Site Objects.

    Moving and Managing Server Objects.

    Managing NTDS Settings.

    Creating and Managing Site Links.

    Managing Licensing Computers.

    Removing Domain Controllers.

    Monitoring and Diagnosing the Physical Structure.

    Replication Permissions.

    Advanced Topics.

    Intrasite Replication Topologies.

    Intersite Replication Topologies.

    Configuring SMTP Replication.

    The Replication Process.

    Time Synchronization.

    Managing Operations Masters.

    Conclusion.

    6. Domains and Forests.

    Domain Controller Placement.

    Active Directory Network Traffic.

    Determining the Placement of Directory Information.

    Designing Domain and Forest.

    Single or Multiple Domains and Forests.

    Forest Planning Considerations.

    Managing Domains and Forests.

    Managing Trusts.

    Moving Objects in a Forest.

    Managing Groups and Permissions in a Forest.

    Referrals and Cross-References.

    Delegating Domain Installation.

    LDAP and Searches.

    LDAP Searches.

    Search Tools.

    Extended LDAP Controls.

    LDAP Data Interchange Format.

    Conclusion.

    7. Group Policy.

    Group Policy Concepts.

    MMC Group Policy Snap-in.

    NT 4 System Policy Compared to Windows 2000 Group Policy.

    Group Policy Contents.

    Computer versus User.

    Software Settings.

    Scripts.

    Security Settings.

    Administrative Templates.

    Other Policies.

    Group Policy Objects and Links.

    Group Policy Objects.

    Group Policy Links.

    Scope of Group Policies.

    Inheritance.

    Processing Group Policy.

    Processing Basics.

    Slow Link Processing.

    Loopback Processing.

    Determining Effective Group Policies.

    Managing Group Policies.

    Group Policy Dialog Box.

    Creating GPOs.

    Editing GPOs.

    Managing GPO Links.

    Deleting GPOs.

    Backing up Group Policy.

    Delegating Management of GPOs.

    Additional Tools.

    Software Management with Group Policy.

    Windows Installer.

    Creating Windows Installer Packages.

    Deploying Software with Group Policy.

    Upgrading Applications.

    Patching Applications.

    Removing Applications.

    Troubleshooting Group Policy.

    Logging Group Policy Events.

    Resource Kit Tools for Group Policy.

    Group Policy Scenarios.

    Advanced Topics.

    Group Policy Synchronization.

    Registry-Based Settings for Group Policy Processing.

    Client-Side Extensions.

    Registry Settings for Group Policy History.

    Default Permissions for GPOs.

    Slow Link Detection Algorithm.

    Conclusion.

    III. ADVANCED SKILLS.

    8. Active Directory Schema.

    Overview of the Active Directory Data Model.

    Classes, Objects, and Attributes.

    Container and Leaf Objects.

    Indexing and the Global Catalog.

    Schema.

    Role of the Schema.

    Location of the Schema.

    Inspecting the Schema with ADSI Edit.

    Inspecting the Schema with the Schema Manager Snap-In.

    Dumping the Schema to a Spreadsheet.

    Subschema Subentry.

    Schema Cache.

    Constructed Attributes.

    Classes.

    Names and Identifiers.

    Object Identifiers.

    Structure and Containment Rules.

    Class Inheritance.

    Miscellaneous Characteristics of Classes.

    Class Schema Object Property Pages.

    Attributes and Syntaxes.

    Names and Identifiers.

    Syntax and Content Rules.

    Searches.

    Miscellaneous Characteristics for Attributes.

    AttributeSchema Object Property Pages.

    Conclusion.

    9. Extending the Schema.

    When and Why to Modify.

    Guidelines.

    What Data to Put in Active Directory.

    Planning the Modifications.

    Creating a Class.

    Modifying a Class.

    Creating an Attribute.

    Modifying an Attribute.

    Deactivating Classes and Attributes.

    The Modification Process.

    Order of Tasks.

    The Means to Make Changes.

    The Schema Manager Snap-in.

    ADSI Edit.

    LDIFDE.

    CSVDE.

    An Installation EXE File.

    Some Gotchas in Changing the Schema.

    Bringing the Extensions to the User Interface.

    Where to Place the Objects.

    Managing Permissions.

    Creating and Displaying the Objects.

    Display Specifiers.

    Testing to Change the Displays.

    Extending the User Class.

    Planning the Extensions.

    Implementing the Extensions.

    Managing the Attribute Values.

    Searching on the New Attributes.

    Managing the Attribute Permissions.

    Conclusion.

    10. Administration Scripts: Concepts.

    Getting Started.

    The Script Execution Environment.

    Launching WSH Scripts.

    Controlling WSH Scripts.

    Setting up the Development Environment.

    VBScript Language.

    Dissecting a Sample Script.

    The First Sample (Normal).

    The Second Sample (Short).

    The Third Sample (Very Short).

    ADSI Concepts.

    Basic ADSI.

    Basic COM.

    The Property Cache.

    ADSI Interfaces.

    ADSI Syntaxes.

    Additional Techniques.

    Ways to Input and Output Information.

    Using Executables from Scripts.

    Using COM Components.

    Using the Win32 API.

    Debugging Scripts.

    Including Script Lines from Another File.

    Conclusion.

    11. Administration Scripts: Examples.

    ADSI Examples.

    User Management.

    List the Users of One Container.vbs.

    List the Users of One Container to Excel.vbs.

    List the Property Cache Contents.vbs.

    List User Properties with Get.vbs.

    List User Properties with Methods.vbs.

    List the Account Options of a User.vbs.

    Create a User with Minimum Attributes.vbs.

    Create a User with More Attributes.vbs.

    Create a User with a Batch File.bat.

    Create a Home Folder for a User - ver 1.vbs.

    Create a Home Folder for a User - ver 2.vbs.

    Read User Information from Excel.xls.

    Read User Information from Standard Input.vbs.

    Schema Access.

    Concepts.

    Schema Sample Scripts.

    List All Abstract Schema Objects.vbs.

    List the Member Attributes of a Given Class.vbs.

    List the Member Attributes of a Given Class to Excel.vbs.

    Show Property Properties.vbs.

    Container or Leaf.vbs.

    List All Real Schema Objects.vbs.

    List Indexed Attributes.vbs.

    List ANR, Nonreplicated and Constructed Attributes.

    List Global Catalog Attributes.vbs.

    List All classSchemas to Excel.vbs.

    List All attributeSchemas to Excel.vbs.

    Create an Attribute and a Class.vbs.

    Configuration Information.

    List the Supported Namespaces.vbs.

    List Attribute Display Names.vbs.

    List the DC GUIDs.vbs.

    List the rootDSE Property Cache.vbs.

    List the GPO GUIDs.vbs.

    List the Operations Masters.vbs.

    List the Operations Masters with ADsFSMO.vbs.

    List ADSystemInfo.vbs.

    Access Control Lists.

    Security Interfaces.

    The Access Control List Sample Scripts.

    List ACEs—Short.vbs.

    List ACEs to Excel—Short.vbs.

    List Binary GUIDs.vbs.

    List ACEs—Long.vbs.

    Add ACEs.vbs.

    Add ACEs to a Folder.vbs.

    OU, Group and Computer Management.

    OU Management.

    Group Management.

    Create a Computer Object.vbs.

    ADSI without Active Directory.

    List Services.vbs.

    List Users, Groups, and Print Queues.

    List Shares.vbs.

    Create a Share.vbs.

    List WinNT Properties of User Class.vbs.

    Create a User in a Workstation.vbs.

    Additional Techniques.

    Binding with Credentials.

    Binding with WKGUIDs.

    Binding to the Global Catalog.

    List the Users of a Subtree.vbs.

    Error Checking.vbs.

    Scripts as Command-Line Tools.

    Using ADO.

    ADO Concepts.

    Basic Example.vbs.

    Basic Example with SQL.vbs.

    Modifying Objects.vbs.

    Multipartition Queries.

    Additional Settings.

    List Objects That Have Blocked ACL Inheritance.vbs.

    Conclusion.
    Bibliography.

    Index.

    Preface

    During the seven years that Windows NT was sold before Windows 2000 shipped, administrators hardly needed to learn anything new, at least about the core operating system features. User and group management, domains and domain models, and resource management had been the same in all Windows NT versions.

    With the introduction of Windows 2000 and Active Directory, that all changed. Managing Windows networks is now very different from the old NT administration model. Therefore, Active Directory will require quite a lot of study on the part of NT professionals.

    Despite some administrative wizards in the user interface and the new Microsoft Management Console (MMC) administration interface, implementing and administering Active Directory probably requires more learning, testing, piloting, and planning than Windows NT did.

    ABOUT THIS BOOK

    This book is an implementer and administrator's guide to Active Directory. Throughout the book, you will learn the workings, architecture, administration, and planning of Active Directory. Depending on your needs, however, you don't have to read this book from cover to cover, as we describe later in this preface.

    The following list evaluates the appropriateness of this book for a number of potential audiences.

    • A current NT professional. You are the target audience for this book. However, you may want to browse fairly quickly through the introductory pages at the beginning of many chapters.
    • A current NetWare or UNIX professional. Prior knowledge of Windows NT is not required to successfully learn from this book. Your earlier networking skills will most likely enable you to pick up each topic quite fast. However, you probably shouldn't skip any introductory topics.
    • A network operating systems novice. Because we tend to start each chapter with the very basics, at least in theory you can use this book to effectively learn Active Directory. Obviously, you need to invest more time reading than an experienced IT professional. You should also have a test PC that you can use to try out the different tasks and experiments that the book describes.
    • A current Windows 2000 professional. Even if you are already familiar with Active Directory, we trust that you will learn more than a few things from this book.
    • A developer. This book is an administrator's guide and not a programmer's guide. However, the book contains more architectural topics than the average book for an administrator, so you may find this book valuable to you in addition to a programmer's guide.

    For all target audiences, it is possible that you are not interested in all the advanced topics in this book, so you are free to skip any of them.

    We believe that this book has the following strengths.

    • We present well-thought-out diagrams that help you easily comprehend the various key concepts and other topics related to Active Directory.
    • At worst, a book just shows screen shots and briefly explains what is already evident from the user interface or the online Help. In contrast, this book contains thorough and accurate information on the topics it covers.
    • We claim that this book contains very few errors.
    • Even though this book is not a reference guide, we present many extensive reference tables.
    • If you install Active Directory on a test PC, you can try out most of the tasks and experiments described in this book, whether they are written to be walkthroughs or not.

    We have divided the book into three parts.

    • Part I: Background Skills (Chapters 1 and 2) gives the big picture of Active Directory so you can successfully plan and implement an Active Directory network. This part also discusses the installation of Windows 2000 and Active Directory.
    • Part II: Core Skills (Chapters 3 through 7) describes the concepts, planning, and administration of both the physical and the logical structure of Active Directory. The topics presented in this part include user and group management, access control, and Group Policy. Even though Part III covers advanced skills, most chapters in this part discuss related advanced topics.
    • Part III: Advanced Skills (Chapters 8 through 11) looks at advanced techniques, including the schema and scripting. Along with these topics we also uncover many aspects of Active Directory architecture. You can probably live without the information in these chapters, but by reading them you can greatly deepen your knowledge and understanding of Active Directory and make use of it when implementing and administering Active Directory networks.

    We'll now present a short summary of each chapter. Mika wrote Chapter 2 and Chapter 7, and Sakari wrote the remaining chapters.

    Chapter 1: Active Directory: The Big Picture

    Before going into detail, we give you a general picture of Active Directory. After you learn the concepts introduced in this chapter, you can freely skip some later chapters that you might not be interested in. However, we encourage you to browse through the table of contents of any such chapter to make sure that you are not going to unintentionally miss anything important.

    Chapter 2: Installation of Windows 2000 and Active Directory

    In this chapter, we explain how to install both Windows 2000 and Active Directory. We also describe the post-installation tasks, as well as how to automate and troubleshoot installation.

    Chapter 3: Managing OUs, Users, and Groups

    Once you have an Active Directory domain up and running, one obvious task is to create a user account for each user and plan how to enhance user administration by using groups and organizational units (OUs). This chapter looks at managing OUs, users, contacts, groups, and computer objects, and covers some related topics.

    Chapter 4: Securing Active Directory

    Active Directory has an access control mechanism that enables you to define who can read or modify what information in Active Directory. In this chapter, we explain the concepts and architecture of access control, as well as how to manage permissions in various scenarios.

    Chapter 5: Sites and Replication

    For Active Directory to work efficiently when your network spans multiple geographic locations, you must plan and implement the physical structure and define it in Active Directory itself. In this chapter, we describe the concepts, management, and advanced topics of the physical structure. Some of the content is also relevant for a company with just one site.

    Chapter 6: Domains and Forests

    Active Directory has several levels of hierarchies that you can use to implement an effective logical structure for your company network. In this chapter, we discuss whether you should use one or many domains and one or many forests, and how you should plan and manage that logical structure. We also revisit the physical structure, because it somewhat overlaps with the logical structure. In addition, we explain the anatomy of LDAP searches.

    Chapter 7: Group Policy

    Active Directory has an extensive management architecture called "Group Policy." You can use Group Policy to manage user desktops and server settings, as we describe in this chapter. You learn the architecture, inheritance, and processing of Group Policy in this chapter.

    Chapter 8: Active Directory Schema

    This chapter examines the Active Directory data model and how it is enforced by the rules of the schema. After reading this chapter, you'll better understand how Active Directory works behind the scenes and you'll also gain knowledge that you can use if you are going to extend the schema.

    Chapter 9: Extending the Schema

    One of Active Directory's advantages over Windows NT is that you can extend Active Directory schema, either to accommodate directory-enabled applications or for some administrative purpose. In this chapter, we explain the considerations for extensions and describe the process itself.

    Chapter 10: Administration Scripts: Concepts

    By downloading scripts from the Internet or writing your own scripts and executing them, you can greatly enhance and automate administration. In this chapter we explain how to get started with technologies such as Windows Script Host (WSH), VBScript, and Active Directory Service Interfaces (ADSI).

    Chapter 11: Administration Scripts: Examples

    In this chapter, we present over 50 sample scripts along with their explanations. Outputs of many of the scripts provide some architectural information about Active Directory and you can run those scripts without understanding what they do on each line. Therefore, you can use these scripts not only for various administrative tasks, but also to gain more knowledge about Active Directory. This chapter also introduces some additional scripting concepts, such as ActiveX Data Objects (ADO), between the sample scripts.




    Index

    ' (apostrophe), 717, 894
    * (asterisk), 458, 485, 719
    \ (backslash), 483
    : (colon), 499
    , (comma), 718
    . (decimal point), 718
    . (dot), 452
    " (double quotes), 718, 724
    = (equal sign), 499
    / (forward slash), 499
    - (hyphen), 500
    < (less-than sign), 499
    + (plus sign), 499, 719
    # (pound sign), 499
    ; (semicolon), 617
    [] (square brackets), 237
    _ (underscore), 719
    169.254.xx, 87

    A

    Abandon operation of LDAP, 52
    Abstract schema objects, 801-806. See also Subschema object
    Access (Microsoft), 53
    Access control. See also ACEs (access control entries); ACLs (access control lists)
        architecture, 280-296
        background for, 206-212
        basic description of, 36-37
        delegation and, 282-283
        impersonation and, 282-283
        security principals and, 207-212
    Access tokens
        basic description of, 175-176, 287-288
        universal groups and, 196
    Account(s)
        basic description of, 123
        disabling, 163, 172
        Group Policies and, 511
        options, listing, 784-788
        policies, 511
        resetting, 172-173
    Account Operators group, 129
    Account Restrictions property set, 235
    Account tab, 144, 149-154, 232
    ACEs (access control entries), 36, 214. See also Access control; ACLs (access control lists)
        adding, 39, 848-856
        basic description of, 219, 288-289
        contents of, 289-292
        fields of, 290-291
        Group Policies and, 554
        inheritance and, 240, 851
        listing, 834-837, 839-846
        order of, 850-851
        schema and, 617-618
    ACL Editor. See also ACLs (access control lists)
        basic description of, 212
        dialog boxes, anatomy of, 215-222
        DSSec.Dat and, 237, 239
        procedures for using, 213
        setting permissions with, 222-251
        SIDs and, 286
        viewing permissions with, 260
    ACLDiag, 250
    ACLs (access control lists). See also Access control; ACEs (access control entries); ACL Editor; DACL (discretionary access control list)
        administration scripts and, 832-856
        default, changing, 267
    ACPI (Advanced Configuration and Power Interface)
        installation and, 74, 110
        problems with, 110
    Active Directory
        brief description of, 4-6
        building blocks of, 16-26
        current limitations of, 61
        directory face of, 4
        enterprise services face of, 4
        first look at, 7-8
        history of, 7-8
        installation of, 67, 93-105, 109-111
        introduction to, 4-16
        as a loosely-consistent database, 308-310
        NDS and, comparison of, 13-15, 63
        next version of, 64-65
        requirements/recommendations, 93-94
        Restore Mode, 97
        three faces of, 5-6
        uninstalling, 113, 115-117
        what data to put in, 645-646
        Windows NT and, comparison of, 11-13
        Windows NT face of, 4
    ADC (Active Directory Connector), 310
    Add ACEs to a Folder.vbs, 854-856
    Add ACEs.vbs, 846-854
    Add Members to a Group option, 192
    Add operation of LDAPv3, 52
    Add/Remove applet, 85, 102, 558, 560
    Address Book, 9, 425, 635
    Address tab, 144
    Administration. See also Administration scripts
        delegation of, 12, 19, 39, 141, 268, 269-276
        duplicate, as a cost of adding additional domains, 437
        units of, using multiple domains because of, 434-435
    Administration script(s)
        as command-line tools, 706-708, 884-887
        concepts, 697-758
        configuration information and, 822-832
        debugging, 755-759
        development environment for, 712-715
        examples of, 761-794, 804-805
        execution environment for, 698-703
        file types, 703
        help files and, 713-714
        killing, 710-711
        property caches and, 730-750, 767-772
        schema and, 801-822
        settings, 708-710
        testing, 704-705
    Administrative groups. See also Groups
        in forests, 466-467
        predefined, 128-133, 466-467
    Administrative templates, 515-519
    Administrative view to a forest, 446
    Administrator account, 126, 259, 261-263
    Administrators group
        AdminSDHolder object and, 251
        basic description of, 129
        ownership and, 243-244
    AdminSDHolder object, 251
    ADMT (Microsoft Active Directory Migration Tool), 463
    ADO (Microsoft ActiveX Data Objects)
        administration scripts and, 699, 700, 703, 888, 904
        ADSI and, 55-56, 888-890
        basic description of, 888
        Basic Example.vbs, 893-896
        Basic Example with SQL.vbs, 896-897
        concepts, 888
        mechanics, 890-891
        using, 888-903
    ADsFSMO component, 754, 830-831
    ADSI (Active Directory Service Interfaces), 54-56, 123, 888-890
        without the Active Directory, 862-870
        administration scripts and, 700, 713-714
        concepts, 721-752
        examples, 724-725, 761-763
        help files, 713-714
        interface, 702-703, 736-839
        operations, 724
        paths, 725-726
        properties and, 735-736
        Resource Kit, 754
        syntax, 749-753
    ADSI Edit, 174, 201-202
        basic description of, 488-489
        creating new attributes with, 669-670
        inspecting schema with, 588-591
        renaming objects and, 239
    ADSizer (Active Directory Sizer), 420
    ADsSecurity component, 754, 830-831
    Aggregate object, 596
    Aliases (built-in local security groups), 286
    Alias objects, 63
    Allchin, Jim, 10
    ANR (Ambiguous Name Resolution), 226, 635-637, 639, 642, 654, 655, 813
    ANSI (American National Standards Institute), 606, 607
    Answer files, 106-107
    APIPA (Automatic Private Internet Protocol Addressing), 87
    APIs (application program interfaces)
        ADSI (Active Directory Service Interfaces) API, 54-56
        GetGPOList API, 538-539
        LDAP C API, 425, 490, 702
        user rights and, 297
        Win32 API, 755
    APM (Advanced Power Management), 74
    Application(s). See also Software
        data, storing, 59
        deployment, 508-509
        patching, 561
        permissions in, 240-243
        published versus assigned, 560
        removing, 509, 562
        self-repairing, 558
        upgrading, 561
    Application tab, 711
    Architecture
        access control, 280-296
        ADSI and, 54-56
        basic description of, 41-58
        container objects and, 43-44
        data models and, 41-42
        LDAP and, 49-52
        objects and, 43-47
        partitions and, 44-45
        physical, 51-54
        schema and, 42-43
        X.500 standard and, 47-49
    Arguments
        basic description of, 718-719
        command-line arguments (options) in scripts, 754, 805
        optional, 719
    ASCII (American Standard Code for Information Interchange), 483, 687
    ASN.1 (Abstract Syntax Notation One), 606
    ASP (Microsoft Active Server Pages), 701, 756
    ATTRIB command, 114
    Attribute(s). See also Properties
        ANR, 813-814
        basic description of, 622-631
        bit-field, 635
        constructed, 599, 813-814
        creating, 652-655, 661, 664-666, 669-670, 818-823
        deactivating, 656-659
        inspecting, 589-590
        linked, 627-629
        listing, 805-807
        mandatory, 42, 582, 583, 612, 803
        miscellaneous characteristics for, 637
        modifying, 655-656, 664-666
        multivalued, 582, 634
        names, 591-592
        nonreplicated, 813-814
        optional, 42, 582, 583, 612, 803
        permissions for, 677, 696
        planning new, 660
        reactivating, 659
        schema and, 582-583
        searching on new, 694-696
        single-valued, 582
        syntax, 583
        tombstone, 401-402
        use of the term, 41
        values, managing, 693-694
    attributeSchema objects, 585, 622-637, 637-639, 817-818
    Attributes tab, 621-622
    Auditing
        basic description of, 204, 276-280
        entries, adding, 276-278
        Group Policies and, 512-513
        records, viewing, 279-280
        turning on, 278-279
    Authentication
        basic description of, 204
        cross-forest, 65
        Kerberos and, 56
        mutual, 56
    Automatic Certificate Request settings, 514

    B

    Backup Operators group
        basic description of, 129
        user rights and, 296
    Base
        DNs, 494
    objects, 469, 479
    schema, 582, 584, 635-636
    Base64 encoding, 499
    BATCH command, 114
    Batch files
    administration scripts and, 701, 793-794
    creating, 687-688
    creating users with, 793-794
    testing, 687-688
    BDCs (backup domain controllers)
    domain modes and, 133
    PDC emulator and, 406, 411
    replication and, 25, 310
    Binary GUIDs, 837-839. See also GUIDs (globally unique identifiers)
    BIND (Berkeley Internet Name Domain), 34, 94
    Bindery (of NetWare 3), 9, 723
    Binding
    with credentials, 870-872
    early, 721
    to the GC, 876-877
    late, 721
    strings, 726-727
    with WKGUIDs, 872-876
    Bind operation of LDAPv3, 52
    BindView bv-Admin, 463
    BIOS (Basic Input/Output System), 74, 83, 109
    Bit(s)
    ACE AccessMask, 290-291
    ACE AceType, 292, 293
    ACE Flags, 292
    connection object, 385
    -fields, 290-291, 635
    least-significant, 291
    site link, 385
    Bitwise AND, 485
    Bitwise OR, 485
    Blackcomb, 65
    Boolean values, 483
    Bootable CDs, 108-109
    BOOTDISK folder, 76
    Boot partition, 69
    Breakpoints, 759
    Bridgehead servers, 315, 371-374
    Browser service, 406, 518, 519
    Browsers, encryption for, 57
    Building Enterprise Active Directory Services--Notes from the Field, 420
    Builtin container, 124, 126-130

    C

    C (high-level language), 54, 680
    administration scripts and, 701, 702
    compilers, 701
    C++ (high-level language), 54, 680
    administration scripts and, 701, 702
    compilers, 701
    CA Unicenter, 509
    Cache
    property. See Property cache.
    schema. See Schema cache.
    CACLS command, 793, 794, 795, 796, 797
    "Cairo," 10-11
    CAL (client access license), 70
    Canonical names, 46
    Carriage return/linefeed character pair, 719-720
    CAs (certificate authorities), 57-58, 92
    Group Policies and, 514
    SMTP replication and, 386
    Case-sensitivity, 718
    Catalog Services, 26
    CCM (Change and Configuration Management), 503
    CD/CHDIR command, 114
    CDO (Collaborative Data Objects), 700
    CDs (compact discs), bootable, 108-109
    Certificate Export Wizard, 116
    Certificates, exporting, 116
    Change notification, 320, 384-385
    Channels, secure, 457
    Characters
    ASCII, 483, 687
    carriage return/linefeed, 719-720
    number of, in passwords, 530
    Unicode, 34, 483, 516
    unsafe, 499
    CHKDSK command, 114
    Class(es)
    ADSI and, 54-56
    attributes of, inspecting, 589-590
    basic description of, 599-622
    categories of, 612
    creating, 647-650, 661, 666-669
    deactivating, 656-659
    derived, 610
    extended rights for, 227-229
    identifiers, 600, 603
    identifiers (CLSIDs), 682, 683, 684, 709
    miscellaneous characteristics of, 612-618
    modifying, 650-652, 666-669
    names, 600, 603
    objects of specific, creating/deleting, 229
    planning new, 660
    reactivating, 659
    schema and, 582-583
    classSchema objects, 585, 599-622, 815-817
    Clean Install option, 80
    Client(s)
    access license (CAL), 70
    access tokens, 287
    extensions, 512
    LDAP referrals to, 469
    -server applications, connection points for, 59
    -side extensions (CSEs), 504, 538, 571-573, 575
    slow link detection and, 576-578
    traffic, 420-421, 425
    ClonePrincipal tool, 463
    CLS command, 114
    CLSIDs. See Class(es)--identifiers (CLSIDs)
    CMDTOOL.vbs, 885-887
    CNs (common names)
    basic description of, 46
    renaming objects and, 239
    Collisions, 398-401
    COM (Component Object Model), 54-56, 699
    basic description of, 728-730
    components, using, 753-755
    connection points and, 59
    files, registering, 559
    COM+, 559
    Comdex, 10
    Command-line
    CScript options, 706-708
    parameters, 465. See also Arguments
    redirection of output, 707, 773, 799-800
    tools, 111, 112, 173, 250, 353, 355-356, 458, 462, 498, 550, 762, 794, 884-887
    Compare operation of LDAPv3, 52
    Compilers, 701
    Complete trust areas, 441-443
    Components
    COM, 755-757
    homemade, 753
    installation of, 85-87
    using, 753-755
    Computer(s). See also Computer accounts; Computer objects
    licensing, 351-352
    locating, 35
    managing, 173, 856-858
    objects, predefined, 133
    registering, 91
    renaming, 173-174
    Computer accounts
    disabling, 172
    resetting, 172-173
    Computer object(s)
    administering, 164-174
    creating, 166-168
    creating with a script, 861-864
    deleting, 172
    Group Policies and, 507-508
    moving, 172
    properties, 168-171
    Computers container, 124
    Concurrency control, 661, 675
    Configuration
    information, handling, 59, 822-832
    partition, 44, 311, 313, 362
    Connection object(s)
    creating/managing, 380-384
    explanation of, 326, 327-331, 358-359
    properties, 899
    replication and, 358-359
    Consistency checks, 650
    Constant(s)
    administration scripts and, 718-719
    basic description of, 718
    definitions, 758
    intrinsic, 719
    names, 718
    Contact(s)
    administering, 142-164
    creating, 148
    deleting, 162-163
    home pages of, opening, 164
    moving, 162
    properties, setting, 148-157
    renaming, 162
    sending e-mail to, 164
    Container(s)
    basic description of, 123-125
    classes, 583-585
    objects, 43-44, 583-585
    predefined, 123-125
    Containment rules (of schema classes), 607-610
    Context menus, adding scripts to, 693-694
    Continuation references in LDAP, 487-488
    Control Panel, 85, 558. See also Add/Remove applet
    Controls dialog box, 497
    Control statements, 719
    Convergence of Active Directory information, 309
    COPY command, 114
    Create a Computer Object.vbs, 859-862
    Create a Group.vbs, 858
    Create a Home Folder for a User - Ver 1.vbs, 794-796
    Create a Home Folder for a User - Ver 2.vbs, 796-797
    Create a Share.vbs, 867
    Create a User in a Workstation.vbs, 869-870
    Create a User with a Batch File.bat, 793-794
    Create a User with Minimum Attributes.vbs, 788-790
    Create a User with More Attributes.vbs, 790-793
    Create Object dialog box, 677-678
    Credentials, binding with, 870-872
    Cross-reference(s)
    basic description of, 469-473
    external, creating, 470-473
    objects, 469-470
    CScript, 690, 703-705, 711
    CSEs (client-side extensions), 504, 538, 571-573, 575
    CSVDE, 202, 662, 663, 674
    CTLs (certificate trust lists), 514
    Current context, 63

    D

    DACL (discretionary access control list), 36, 214, 288-289, 290. See also ACLs (access control lists)
    Dampening, propagation, 388
    DAP (Directory Access Protocol), 48-49
    Data model, 41-42
    Data types
    administration scripts and, 734-735
    handling special, 734-735
    Date and time settings, 87. See also time
    DB layer, 52-53
    DCDiag, 458-459
    DCE (Distributed Computing Environment), 452
    DCOM, 559
    DCPromo, 16-17, 352, 354, 473, 476-477, 586, 673
    command, 93, 115
    Deactivation, of classes, 656-659
    DEAs (directory-enabled applications), 5, 43, 59, 642, 659-662
    Debugging
    administration scripts, 755-759
    with extra output commands, 755-756
    mode, 112
    Default Domain Controllers Policy, 511
    Default permissions. See also Permissions
    basic description of, 258-267
    listing, 260-265
    sources of, 259
    DEL/DELETE command, 114
    Delegating
    basic description of, 19, 39, 269-270
    domain controller installation, 476-478
    domain installation, 473-478
    management of GPOs, 554-557
    Delegation (relating to authentication), 282-284
    Delegation of Control Wizard, 39, 212
    basic description of, 251-258
    common tasks completed with, 252-256
    custom tasks completed with, 256-258
    customizing list of common tasks, 254-256
    support tools and, 250
    DelegWiz.Inf, 254-256
    Delete operation of LDAPv3, 52
    Deleted objects, listing, 495-497
    Deleting
    contacts, 162-163
    GPOs, 552-553
    groups, 194, 861
    objects, 172, 229, 857
    OUs, 857
    users, 162-163
    DEN (directory-enabled networking), 5
    Deploying software, with Group Policies, 559-561
    Description property, 140
    Device Manager, 110
    Devices
    incompatible, 110
    incorrectly detected, 110
    DFS (Windows 2000 Distributed File System), 23, 315-316, 341, 559-561
    DHCP (Dynamic Host Configuration Protocol)
    DNS updates and, 35-36
    Group Policies and, 538
    installation and, 70, 87, 90
    RIS and, 520
    Dial-in tab, 144, 155-156
    DIR command, 114
    Directories
    history of, 9
    information about, determining the placement of, 426-432
    Directory-enabled applications (DEAs), 5, 43, 59, 642, 659-662
    Directory-enabled networking (DEN), 5
    Directory service, 4, 9, 11, 42, 47, 142, 310, 585, 723-724
    Directory Services Restore Mode option, 112
    DISABLE command, 114
    Disk images, duplicating, 107-108
    DISKPART command, 114
    DISP (Directory Information Shadowing Protocol), 48
    Display name property, 147
    Display specifiers, 682-685
    Distributed Systems Guide, 354-355
    Distribution groups, 174. See also Groups
    DLLs (Dynamic Link Libraries), 557, 573, 684, 898
    DMZ (demilitarized zone), 60-61
    DNs (distinguished names), 407, 466
    base, 494
    basic description of, 45-47
    features recommended for, 94
    LDAP and, 46, 485, 494
    LDIF and, 498, 501
    DNS (Domain Name Service). See also Domain names
    Group Policies and, 550
    host names, 84
    host records, 476
    installation and, 70, 84-90, 93-105, 110-111, 117
    integration, 34-36
    namespaces, 17, 31, 32-33
    -related tasks, after installation, 102-105
    RIS and, 520
    root domain, removing, 102
    servers, requesting IP addresses from, 35
    updates, dynamic, 35-36
    virtual containers and, 58
    zones, 61
    DnsAdmins group, 132
    DnsUpdateProxy group, 132
    DNS Zones, 34, 60-61, 94, 102-105, 117, 425, 450
    Domain(s). See also Domain controllers; Domain names
    adding workstations to, 302
    basic description of, 17, 62
    choosing, 200
    cost of additional, 437-438
    creating, 94-95
    designing, 432-452
    forest root, 95, 448-452
    installation, delegation of, 473-478
    local groups, 21-22
    looking at single, 429-430
    managing, 452-478
    master browser, 406
    mode, changing, 133-135
    placement of directory information and, 426-432
    single, OU trees in, 29-30
    single, with no OU structure, 27-28
    trees, 30-33
    using multiple, 433-438
    using single, advantages of, 433-438
    Domain Admins group, 131, 243-244, 251, 261-264
    Domain Computers group, 131
    Domain controller(s). See also Domains
    additional, cost of, 437
    basic description of, 6, 16-17
    choosing, 200
    default assignments for, 299-302
    installing, 65, 476-478
    logon rights and, 298
    operations master (OMDCs), 408, 410-411, 413-414, 415
    originating, 390
    placement of, 419-502
    placement of directory information and, 426-432
    privileges and, 28
    promoting, to be GC servers, 346-347
    removing, 352-354
    targeting, for Group Policy operations, 547-548
    USNs and, 390
    Domain Controllers container, 124
    Domain Controllers group, 131
    Domain Guests group, 131
    Domain names. See also Domains
    basic description of, 31-32
    Domain naming master, 405
    Domain Password & Lockout Policies property set, 231
    Domains and Trusts snap-in, 454
    Domain Users group, 131, 134
    DOS (Disk Operating System), 77, 78. See also MS-DOS
    DOSNET.INF, 106
    Drivers, installation using alternate, 81-83
    DSAs (Directory System Agents), 49, 51, 53
    DSClient (Directory Service Client), 702
    DSP (Directory System Protocol), 48
    DSSec.Dat, 237-239, 257, 677
    Dual booting, 70-73
    Dynamic disks, 92
    Dynamic DNS, 35-36
    Dynamic updates, enabling, 102-103. See also Updates

    E

    ECMAScript, 702
    EditPlus, 712, 713, 763
    EFS (Encrypting File System), 47, 514. See also Encryption
    E-mail
    encryption, 57
    sending, to groups, 194
    sending, to users and contacts, 164
    systems, history of, 9
    Empty lines, 718
    Enable Boot Logging option, 112
    ENABLE command, 114
    Enable VGA Mode option, 112
    Encryption. See also EFS (Encrypting File System)
    e-mail, 57
    installation and, 92
    TCP/IP traffic, 57
    Web browser traffic, 57
    Enterprise Admins group, 98, 131, 259, 261
    Error(s)
    categories, 880
    checking, 879-884
    levels, 765
    mechanics, 879-880
    Error Checking.vbs, 879-884
    Escape sequences, 483
    ESE (Extensible Storage Engine), 52-53
    ESENT.DLL, 51
    Event(s)
    Group Policies and, 562-565
    logs, 513, 562-565
    Excel (Microsoft)
    ACEs and, 834-837
    administration scripts and, 701, 766-767, 797-798, 807-809, 815-818
    importing text files into, 595-596
    table of default permissions, 260
    Exchange (Microsoft), 9, 43, 53, 142, 143, 310, 431, 444, 605, 723
    EXIT command, 114
    Extended operation of LDAPv3, 52
    Extended rights, adding, 293-294
    Extensible matching rules, 485
    EXTRACT command, 114

    F

    FastLane Developers, 701
    FastLane Migrator, 463
    FAT (file allocation table), 71, 73, 81
    FAT32, 71, 81
    Fault tolerance, 308
    FAZAM 2000 RFV (Reduced Functionality Version) tool, 551, 554, 570
    File system(s). See also NTFS (Windows NT File System)
    DFS (Windows 2000 Distributed File System), 23, 315-316, 341, 559-561
    EFS (Encrypting File System), 47, 514
    policies, 514
    supported by Windows 2000, 72-73
    Filters, 200-201, 592, 616, 889, 901-903
    Find command, 762
    Find dialog box, 488, 695
    FindStr command, 762
    Firewalls, 60
    First name property, 147
    FIXBOOT command, 114
    FIXMBR command, 71, 114
    flatName property, 453
    Folder(s)
    adding ACEs to, 854-856
    creating, 794-797
    home, 794-797
    redirection policies, 520
    Foreign security principals, 124, 462
    ForeignSecurityPrincipals container, 124, 462
    Forest(s). See also Forest root domains
    authentication and, 65
    changes to, 62
    configurations, number of, 440
    creating, 94-95
    designing, 432-452
    managing, 452-478
    managing groups and permissions in, 466-469
    moving groups in, 464-465
    moving objects in, 462-466
    permission assignments in, 468-469
    planning considerations for, 445-452
    predefined administrative groups in, 466-467
    testing schema modifications in, 660, 685-690
    three faces of, 445-446
    trusts, 65, 441-443
    using multiple, 433-444
    using single, 438-445
    Forest root domains, 95, 448-452. See also Forests
    empty, 449-450
    nonempty, 450-451
    FORMAT command, 114
    Forwarding addresses, configuring, 102
    Forward lookup zones, creating, 102-103
    FRS (Windows 2000 File Replication System), 23, 53, 315
    FSMOs (flexible single-master operations), 25, 324, 404. See also Operations master(s)
    FullArmor.com, 570
    Full Control permission, 273
    Full name property, 147
    Function(s)
    basic description of, 718-719
    conversion, 719

    G

    Garbage collector, 402
    Gates, Bill, 10
    GCs. See Global Catalogs
    General Information property set, 231-232, 483
    General tab, 144, 170, 195, 232
    GetGPOList API, 538-539
    GetSID, 286-287
    Global Catalogs, 64, 115, 196
    attributes and, 814-815
    basic description of, 26
    binding to, 876-877
    indexing and, 585
    LDAP searches and, 486
    multipartition queries and, 899
    number of, 440-441
    replication and, 323, 364, 375-378
    servers for, placement of, 431-432
    servers for, promoting domain controllers to, 346-347
    Global groups, 21-22. See also groups
    GPC (Group Policy container), 523-524, 567
    GPOs (Group Policy Objects)
    assigning, 40-41, 124
    basic description of, 40, 522-528
    creating, 548-550
    default permissions for, 575-576
    delegated, creating MMC consoles for, 555-556
    deleting, 552-553
    editing, 550-551
    listing, 827-828
    management of, delegating, 554-557
    GPT (Group Policy templates), 524, 525, 567
    GPT.INI, 524, 525
    Group(s)
    administering, 174-200
    built-in, 128-130, 184
    creating, 186-187
    deleting, 194, 861
    distribution of, 20, 174
    filtering Group Policies with, 532-534
    global, 21-22
    listing, 865
    local, 128-130, 184
    managing, 121-202, 466-469, 856-859
    membership, 64, 188-192, 468-469
    moving, 194, 464-465
    nesting, 21-22
    planning, 194-200
    predefined, 127-133
    primary, for users, 192-193
    properties of, setting, 193-194
    renaming, 194
    restricted, 513
    scope, 21-22, 177-184, 187-188
    security, 21, 174
    sending e-mail to, 194
    strategies for, 197-200
    types of, 174-177, 187-188
    universal, 196-197
    usage, example of, 180-181
    in the Users container, 130-133
    Group Policies
    administrative templates and, 515-519
    administration of, delegating, 272-273
    advanced topics, 571-578
    backing up, 553-554
    basic description of, 39-41, 204, 503-578
    concepts for, 503-507
    CSEs and, 504, 571-573
    deploying software with, 559-561
    effective, determining, 539-546
    event logs and, 513, 562-565
    filtering, with groups, 532-534
    folder redirection and, 520
    forcing, 532
    inheritance, 529, 534
    links to, 528-529
    local, 511-513
    loopback processing, 536-537
    managing, 546-557
    operations for, targeting domain controllers for, 547-548
    permissions and, 272-273
    preference, 517-518
    processing, 534-546
    redeploying, 509
    registry settings for, 573-575
    Resource Kit tools for, 566-571
    restricted groups and, 513
    RIS and, 520-521
    security settings and, 510
    slow link detection algorithm and, 576-578
    software management with, 557-562
    troubleshooting, 562-571
    version number for, 524-526
    Windows NT 4 system policy and, comparison of, 505-506
    Group Policy dialog box, 528-529, 546-548, 551-552
    Group Policy Migration tool, 566, 569-570
    Group Policy Reference, 570
    Group Policy Results tool, 539, 566-567
    Group Policy Scenarios tool, 571
    Group Policy tab, 522, 525, 549, 553, 555
    Group Policy Verification tool, 567-569
    Guests group, 129, 259
    GUIDGen, 648, 653, 679
    GUIDs (globally unique identifiers), 167-168, 407
    ACEs and, 292-293, 295
    basic description of, 292-293
    binary, 837-839
    cloning objects between forests and, 444
    converting, with regular expressions, 845-846
    database, 389, 394-395, 398
    Group Policies and, 504, 522, 525, 527
    listing, 824-828, 837, 839
    replication and, 357-358, 375, 389
    schema and, 648, 653, 679-680
    server, 389, 395

    H

    Hardware
    abstraction layer (HAL), 83
    compatibility, with Windows 2000 Server, 74-75
    HCL (Hardware Compatibility List), 74
    Hello.vbs, 704
    HELP command, 114
    Help files, 713-714
    Hierarchies, 27-34
    High encryption pack, 92
    High-watermark vectors, 394-395
    Home
    folders, creating, 794-797
    pages, opening, 164
    HTML (HyperText Markup Language), 757

    I

    IADsContainer interface, 741-743
    IADsGroup interface, 748-749
    IADs interface, 739-742
    IADsTools, 754
    IADsUser interface, 743-748
    IBM (International Business Machines), 8-9
    ICANN (Internet Corporation for Assigned Names and Numbers), 61, 605, 607
    IDE (integrated development environment), 700
    IEAK (Internet Explorer Administration Kit), 517, 521. See also Internet Explorer browser (Microsoft)
    IIS (Microsoft Internet Information Server), 85, 86, 93
    administration scripts and, 701, 756
    ADSI and, 54
    debugging and, 756
    replication and, 387
    Impersonation
    basic description of, 56, 282-283
    Kerberos and, 56
    tokens, 287
    InetOrgPerson class, 65
    Infinite loops, 710-711
    Informational properties of users and contacts, 156-158
    Infrastructure master, 25, 229, 324, 334, 407-408, 829. See also Operations masters
    Inheritance, 600, 602, 610-612
    basic description of, 37-38
    blocking, 531-533
    Delegation of Control Wizard and, 252
    dynamic, 240-243
    Group Policies and, 529-534
    static, 37-38, 240-243
    Installation
    Active Directory, 67-68, 93-105, 109-111, 122-135
    answer files and, 106-107
    automating, 105-109
    from CDs, 80
    Clean Install option for, 80
    configuring forwarding addresses after, 102
    creating domains, trees, and forests during, 94-95
    creating forward lookup zones after, 102-103
    creating reverse lookup zones after, 104
    decisions to make before, 68-76, 94-95
    defining date and time settings during, 87
    disk duplication and, 107-108
    domain controller, 65, 476-478
    dual booting, 70-73
    enabling dynamic updates after, 102-103
    EXE files for, schema and, 674-675
    finalizing, 89
    from networks, 80-81
    partitions, selecting, 83
    preparation for, 74-76
    recovery options and, 111-113
    removing DNS root domains after, 102
    reversing, 113-117
    starting, 76-79
    steps to take after, 90-92, 100-101
    troubleshooting, 110-113
    using alternative drivers, 81-83
    verifying, 100-101
    Windows 2000 Server, 68-93
    InstallShield, 559
    Instantiation, of classes, 582
    Integers, 483, 485, 486
    Integrity, referential, 629
    IntelliMirror (Microsoft), 503
    Interdomain communications, cost of, 437
    Internet
    connecting to, 59-61
    directories, 9
    routers, 60
    Internet Explorer browser (Microsoft)
    Administration Kit (IEAK), 517, 521
    debugging and, 756
    Group Policies and, 521
    IP (Internet Protocol), 35, 605. See also IPSec (IP Security)
    Group Policies and, 514-515
    installation and, 70, 87, 88, 90
    replication and, 368, 378, 387
    IPSec (IP Security), 387, 514-515. See also IP (Internet Protocol)
    IRQ (Interrupt) settings, 110
    ISAM (Indexed Sequential Access Method), 53
    ISDN (Integrated Services Digital Network), 370
    ISM (Intersite Messaging) service, 25, 387
    ISO (International Organization for Standardization), 47-49, 605-606
    ISTG (inter-site topology generator), 366-367, 370-374, 380-381
    ITU (International Telecommunications Union), 47-49, 605-606

    J

    JScript, 509

    K

    KCC (Knowledge Consistency Checker), 314, 327, 330, 343, 347, 353, 357-365
    KDCs (key distribution centers), 56
    Kerberos, 56-57, 420, 435, 437-438, 444
    Cairo and, 10
    Group Policies and, 511, 539
    synchronization services and, 25
    trusts and, 452
    Keyboard settings, 81
    Knowledge Base. See Microsoft Knowledge Base
    Kouti.com, 260, 714, 759

    L

    Language Options dialog box, 81
    Language settings, during installation, 81, 84
    LAN Manager, 8-9, 512, 732
    access tokens and, 287
    NET commands and, 202
    LANs (local area networks)
    loose consistency and, 6
    replication and, 309, 315, 317
    schema and, 655
    as sites, 23
    Last Known Good Configuration option, 111, 112
    Latency, 309, 342
    LAYOUT.INF, 106
    LDAP (Lightweight Directory Access Protocol)
    ADSI and, 54
    ANR and, 635
    Base64 encoding and, 499
    basic description of, 6, 49-52
    binding strings, 725-726
    C API, 425, 490, 702
    Cairo and, 11
    client traffic, 425
    continuation references and, 487-488
    controls, extended, 495-497
    Data Interchange Format (LDIF), 498-501
    data model, 581-585
    domain names and, 31
    Group Policies and, 564
    the history of directories and, 10
    NCs and, 308
    property lists and, 480-481
    referrals, to clients, 469
    schema and, 611, 616, 622-626, 645-646, 652
    searches, 473-501, 893-894
    setting properties for OUs and, 139-140
    version 3 operations, 51-52
    LDIF (LDAP Data Interchange Format), 498-501. See also LDIFDE (LDIF Directory Exchange)
    LDIFDE (LDIF Directory Exchange), 202, 489, 498-499, 598, 660
    creating/modifying objects with, 670-674
    schema and, 662, 663, 664, 670-674
    LDP tool, 490-494
    Leaf
    classes, 583-585
    objects, 43-44, 583-585
    Least-significant bit, 291
    LGPO (Local GPO), 504, 527-528, 557
    Linear regression analysis, 422
    Lines
    cutting long, 719
    including, from another file, 758-759
    indenting, 719
    Link(s)
    bridges, 321, 378-380
    costs of, 369-371
    creating/managing, 348-351
    disabling parts of, 551-552
    replication topology and, 367-369
    tables, 53
    WANs as, 23
    Linked attributes, 627-629
    Linux, 472-473
    List ACEs--Long.vbs, 839-846
    List ACEs--Short.vbs, 834
    List ACEs to Excel - Short.vbs, 834-837
    List ADSystemInfo.vbs, 831-833
    List All Abstract Schema Objects.vbs, 806
    List All attributeSchemas to Excel.vbs, 817-818
    List All Real Schema Objects.vbs, 811-812
    List Attribute Display Names.vbs, 823-824
    List Binary GUIDs.vbs, 837-839
    List Indexed Attributes.vbs, 812-813
    List Global Catalog Attributes.vbs, 814-815
    List Objects That Have Blocked ACL Inheritance.vbs, 901-903
    List Services.vbs, 863-865
    List Shares.vbs, 865-867
    LISTSVC command, 114
    List the Account Options of a User.vbs, 784-788
    List the DC GUIDs.vbs, 824-826
    List the GPO GUIDs.vbs, 827-828
    List the Member Attributes of a Given Class to Excel.vbs, 805-807
    List the Member Attributes of a Given Class.vbs, 805-806
    List the Operations Masters.vbs, 828-830
    List the Operations Masters with ADsFSMO.vbs, 830-831
    List the Property Cache Contents.vbs, 767-772
    List the rootDSE Property Cache.vbs, 826-827
    List the Supported Namespaces.vbs, 822-823
    List the Users of One Container to Excel.vbs, 766-767
    List the Users of One Container.vbs, 764-766
    List User Properties with Get.vbs, 772-779
    List User Properties with Methods.vbs, 779-784
    List WinNT Properties of User Class.vbs, 868-869
    Load balancing, 308
    Local GPO, 504, 527-528
    Local policies, 511-513
    LocalSystem account, 211, 282, 283, 284
    Location tab, 171
    Logging. See also Auditing
    events, 562-565
    detailed, 564-565
    Logoff scripts, 509
    Logon. See also Access control; Authentication
    GCs and, 64
    Group Policies and, 509-510
    Information property set, 235
    rights, 297-298
    smart card, 440, 661
    traffic, 420-421
    Loopback Adapter (Microsoft), 94
    Loopback processing, 536-539
    Loops, 710-711
    Loose consistency, 6, 308-310
    LSA (Local Security Authority), 51, 322

    M

    MAKEBOOT command, 76
    Managed By property, 140
    Managed By tab, 195
    Manual refresh, of Group Policies, 536
    MAP command, 114
    MBR (master boot record), 71
    MD/MKDIR command, 114
    Member Of tab, 144, 149, 188, 192, 232
    Member servers
    basic description of, 88
    modifying user rights for, 305-306
    Members tab, 188, 190-191
    Menu(s)
    adding scripts to, 693-694
    definitions, adding, 686-687
    Merge mode, 536-537
    Metadata replication, 391-394
    MicroHouse ImageCast, 108
    Microsoft Access, 53
    Microsoft Active Directory. See Active Directory
    Microsoft Active Directory Migration Tool (ADMT), 463
    Microsoft Active Server Pages (ASP), 701, 756
    Microsoft ActiveX Data Objects (ADO). See ADO
    Microsoft Excel
    ACEs and, 832-837
    administration scripts and, 701, 766-767, 797-798, 807-809, 815-818
    importing text files into, 595-596
    table of default permissions, 260
    Microsoft Exchange, 53
    Microsoft IntelliMirror, 503
    Microsoft Internet Explorer browser. See Internet Explorer browser (Microsoft)
    Microsoft Internet Information Server (IIS). See IIS (Microsoft Internet Information Server)
    Microsoft Knowledge Base, 249, 353, 380, 501, 511
    Microsoft Loopback Adapter, 94
    Microsoft Management Console (MMC), 504-505, 547-548, 550-551, 555-556
    Microsoft Metadirectory Services (MMS), 310
    Microsoft Office, 754
    Microsoft Platform SDK (Software Development Kit), 617
    Microsoft Script Debugger, 85, 86, 756-757
    Microsoft Software Installer (MSI), 557, 559
    Microsoft System Management Server, 509
    Microsoft Visual Basic for Applications (VBA), 701
    Microsoft Visual Basic Scripting Edition (VBScript)
    ADSI and, 54
    basic description of, 698, 702, 715-721
    COM components and, 753-754
    Editor, 713
    Group Policies and, 509
    schema and, 663
    scripts, creating/testing, 688-690
    scripts, sample, 716-721
    Microsoft Visual Studio Installer, 559
    Microsoft Windows Internet Naming Service (WINS), 36, 53, 70, 88
    Microsoft Windows NT
    Active Directory and, comparison of, 11-13
    Cairo and, 10-11
    domains, using multiple domains because of, 436
    history of, 8-9
    properties, listing, 870-871
    system policy, 505-506
    Microsoft Windows NT Directory Service (NTDS), 257, 327, 330-332, 341-347, 353-354, 380-381, 411, 415
    Microsoft Windows NT File System (NTFS). See NTFS (Microsoft Windows NT File System)
    Microsoft Windows NT LAN Manager (NTLM), 56, 512
    Microsoft Windows 2000 Server
    answer files and, 106-107
    components, installation of, 85-87
    dual booting, 70-73
    hardware compatibility with, 74-75
    history of, 10-11
    installation, 68-76, 80-92, 105-107
    Professional, 92-93
    requirements/recommendations, 74
    Resource Kit, 255, 566-571
    server upgrades, 837-90
    uninstalling, 113-117
    Microsoft Windows Update Corporate Web site, 91
    Mixed mode, 133-135, 177-180
    MMC (Microsoft Management Console), 593, 504-505, 547-548, 550-551, 555-556
    MMC Group Policy extension, 547-548
    MMC Group Policy snap-in, 504-505
    MMS (Microsoft Metadirectory Services), 310
    Modify DN operation of LDAPv3, 52
    Modifying Objects.vbs, 897-898
    ModifyLDAP.vbs, 344
    Modify operation of LDAPv3, 52
    MORE command, 114
    MoveTree tool
    basic description of, 462-466
    moving groups and, 464-465
    options, 465-466
    MS-DOS, 8, 80-81. See also DOS (Disk Operating System)
    MSI (Microsoft Software Installer), 557, 559
    Multilanguage version, 84
    My Network Places, 8, 518

    N

    Namespaces, listing, 822-823
    Namespace view to a forest, 446
    NAT (network address translation), 102
    Native mode, 133-135, 181-184
    NCs (naming contexts), 308
    NDS (Novell Directory Services)
    Active Directory and, comparison of, 13-15, 63
    dynamic inheritance and, 38
    the history of directories and, 9
    introduction of, 11
    partitions and, 62
    NetBIOS
    Browser service, 518
    installation and, 84, 95, 100
    names, 36, 59-60, 84, 95
    ports, 59-60
    trusts and, 453, 455
    NET commands, 202
    NetDom tool, 173, 454, 456, 458, 464
    NetIQ Domain Migration Administrator, 463
    Netlogon service, 102
    NET TIME, 403-404
    NetWare (Novell)
    Active Directory and, comparison of, 13-15, 63
    ADSI and, 54
    Catalog Services, 26
    the history of directories and, 9
    Network(s)
    installing/configuring, 87-88
    installing Windows 2000 Server from, 80-81
    operating systems, previous Microsoft, 8-9
    traffic, measuring, 420-425
    Network Identification tab, 173
    Network Monitor, 85, 474
    NLTest tool, 173, 454, 456, 458-459
    No Override option, 532
    Nortel Networks, 11
    Northern Telecom. See Nortel Networks
    Norton Ghost, 108
    Notepad, 54, 109, 510, 545, 687, 704, 713
    Notification, change, 320, 384-385
    Novell NetWare. See NetWare (Novell)
    NTDS (Microsoft Windows NT Directory Service), 257, 327, 330-332, 341-347, 353-354, 380-381, 411, 415
    NTDSA.DLL, 51
    NTDSUtil tool, 344, 412, 473-475
    NTFS (Microsoft Windows NT File System)
    folder redirection and, 520
    Group Policies and, 557
    installation and, 68-69, 71-73, 81, 83, 89-90, 93, 97
    permissions and, 36-37, 214
    SIDs and, 284
    NTLM (Microsoft Windows NT LAN Manager), 56, 512
    NTRights command, 304-306
    NtSecurityDescriptor property, 206-207, 289
    Null sessions, 210

    O

    Object(s)
    administering, 164-174
    base, 469, 479
    basic description of, 4
    that block ACL Inheritance.vbs, 901-903
    creating, 166-168, 229, 680-681
    deleting, 172, 229, 859
    displaying, 680-681
    extended rights for, 227-229
    finding, 200
    listing, 495-497, 805, 811-812, 901-903
    moving, 172
    names, 45-47, 238-239, 626-629
    predefined, 133
    properties of, setting, 149-157, 168-171
    renaming, 238-239
    schema and, 582-583, 626-629, 676-690
    tables, 52-53
    where to place new, 676-690
    Object tab, 143
    ObjectType field, 292-293, 294
    Octet strings, 483
    OIDGEN tool, 606-607
    OIDs (object identifiers), 485, 486
    base, 606-607
    basic description of, 603-607
    obtaining, 606-607, 660
    schema and, 603, 660-661, 691
    OLE automation
    data types, 749-752
    explanation of, 723
    OMDCs (operations master domain controllers), 408, 410-411, 413-414, 415
    Open Group, 452, 629
    Operating System tab, 170
    Operations master(s), 26, 324
    changing, 829-830
    failures, 413-414
    listing, 828-831
    managing, 404-416
    placement of, 408-411
    roles, transferring, 411-412
    Oracle, 55
    Organizational units (OUs), 27-34, 135-142
    adding users of, to a Group.vbs, 859
    administration scripts and, 856-857, 859
    basic description of, 19-20
    creating, 138, 857
    deleting, 140-141, 857
    features of, 136-137
    managing, 121-202, 856-857
    moving, 140-141
    planning, 141-142
    predefined, 123-125
    properties for, setting, 138-140
    renaming, 140-141
    Organization tab, 144
    Originating updates, 388. See also Updates
    Orphan containers, 463
    OS/2 (IBM), 8-9
    OSI (Open Systems Interconnection) directory services, 48-49
    OUs (organizational units). See Organizational units (OUs); OU trees
    OU trees. See also Organizational units (OUs)
    delegating, without blocking, 272
    delegating, with possible blocking, 270-271
    permissions and, 270-272
    roots of, 452
    in single domains, 39-40
    Ownership, 243-245

    P

    Packages
    customizable installation, 558
    non-MSI, deploying, 560-561
    patches for, 509
    upgrades for, 509
    Parameters, ADO command object, 899-901
    Parent domains
    basic description of, 30
    domain trees and, 30-31
    Partition(s)
    administration scripts and, 896-899
    basic description of, 44-45
    configuration, 310-311
    creating, 62
    enterprise, 310-311
    installation and, 81, 83
    merging, 62
    replication and, 310-312, 362-363, 374-375
    schema and, 310-311
    selecting, 83
    topologies of several, 374-375
    types, 311
    Whistler and, 65
    Passfilt.dll, 511
    Passprop.exe, 511
    Password(s)
    administrator, 97
    age, maximum, 530
    creating users and, 145
    forcing complex, 511
    installation and, 97
    minimum number of characters in, 530
    policies, 435
    resetting, 164
    Patches, 509
    Paths, to abstract schema objects, retrieving, 803-804
    PDC emulator, 406-407. See also PDCs (Primary Domain Controllers)
    PDCs (Primary Domain Controllers). See also PDC emulator
    installation and, 837
    replication and, 25, 310
    time convergence and, 403
    Permission(s)
    accumulation of, 245-246
    administration scripts and, 852-854
    in applications, 240-243
    attribute, 677, 696
    basic description of, 36-37
    concepts, 213-215
    cross-object, 274-275
    default, 212, 258-267, 575-576
    delegation scenarios for, 269-275
    denying, 246-249
    entries, ordering of, 246-249
    in forests, 466-469
    general practices using, 268-269
    generic, 854-856
    handling, with the ACL Editor, 212, 215-229
    inheritance and, 214, 240-243, 259
    list object, 224-227
    managing, 212-251, 466-469, 677-679
    object, 214, 222-239
    ownership and, 243-245
    performance and, 249-250
    property, 214, 229-239
    property set, 230-236
    replication and, 356
    security principals and, 265-267
    special, 36, 213, 222-229
    standard, 36, 213, 222-229
    usage scenarios for, 267-276
    using, instead of rights, 301-302
    Personal Information property set, 232-233
    Phantoms, 407, 408, 409
    Phone and Mail Options property set, 231
    Physical structure. See also Physical architecture
    concepts, 308-324
    diagnosing, 354-356
    managing, 325-356
    monitoring, 354-356
    Physical architecture, 51-54. See also Physical structure
    PINs (personal identification numbers), 58
    PKI (public key infrastructure), 47-48, 57-58, 204, 442, 514
    Plug and Play, 83
    Policies. See Group Policies
    PowerQuest
    Drive Image, 108
    Partition Magic, 69, 115
    Pre-Windows 2000 Compatible Access group, 97, 130, 260
    Preference, use of the term, 517
    Primalscript, 713
    Primary access tokens, 287. See also Access tokens
    Print Operators group, 129
    Print queues, listing, 865
    Processes tab, 711
    Processing
    loopback, 536-539
    Group Policies, 534-546
    periodic, 535
    slow link, 536
    Profile tab, 144, 154-155
    Propagation dampening, 388
    Properties. See also Attributes; Property cache; Property sets
    delegating administration of informational, 275-276
    informational, 142-144, 164, 791
    listing, 772-784, 868-869
    mandatory, 41
    multivalued, 41, 737-738
    nonreplicating, 322-323
    optional, 41
    significant, 142-144, 164, 791
    single-valued, 41, 737-738
    syntax of, 41
    Property cache
    administration scripts and, 730-736, 767-772
    contents of, listing, 770-772
    interfaces, 669-770
    special data types and, 734-735
    ways to read and write, 732-733
    Property lists, 480-481
    Property pages of schema objects, 618-622, 637-639
    Property sets, 230-236, 294-296, 677-679
    Protocols (listed by name). See also LDAP (Lightweight Directory Access Protocol); SMTP (Simple Mail Transfer Protocol)
    DAP (Directory Access Protocol), 48-49
    DHCP (Dynamic Host Configuration Protocol), 35-36, 70, 87, 90, 520, 538
    DISP (Directory Information Shadowing Protocol), 48
    DSP (Directory System Protocol), 48
    IP (Internet Protocol), 35, 70, 87, 88, 90, 368, 378, 387, 514-515, 605
    SNTP (Simple Network Time Protocol), 403
    TCP (Transmission Control Protocol), 490
    TCP/IP (Transmission Control Protocol/Internet Protocol), 23, 57, 59, 70, 87, 93-94, 97
    Public Information property set, 232
    Published Certificates tab, 142, 144
    Publishing, basic description of, 58-59

    Q

    QGrep command, 762
    Queries, multipartition, 896-899

    R

    RAID drivers, 81
    RAM (random-access memory). See also Caches
    access tokens and, 175
    administration scripts and, 700
    installation and, 75, 81, 93
    loading DLLs in, 51
    schema cache and, 597-599
    RAS and IAS Servers group, 132
    RCP, 59, 287
    RCP Server, 287
    RDNs (relative distinguished names)
    basic description of, 46-47
    renaming objects and, 238-239
    NDS and, 63
    RD/RMDIR command, 115
    Read User Information from Excel.xls, 797-798
    Read User Information from Standard Input.vbs, 799-801
    Recovery Console
    basic description of, 112-113
    FIXMBR command, 71
    starting, 113
    using, 113
    Recovery options
    basic description of, 111-113
    Safe Mode and, 111-112
    RepAdmin command, 355, 391, 398, 416, 746, 768
    References
    continuation, 487-488
    cross-, 469-473
    Referential integrity, 629
    Referrals, 469-473, 486, 898-899
    RegEdit, 562
    RegEdt32, 562-565, 662
    Regional settings, 84
    Registry
    administration scripts and, 704-705, 708-710
    Group Policies and, 514, 538, 543, 562-565, 571, 573-575
    schema and, 662
    tattooing, 506
    Regular expressions, converting GUIDs with, 845-846
    Relationship tab, 620
    Remote Administration mode, 85
    Remote Install tab, 171
    REN/RENAME command, 115
    RepAdmin command, 398
    Replace mode, 536-537
    Replicas. See also Replication
    basic description of, 44, 310-312
    partial, 364
    partitions and, 310-312
    Replicated updates, 388
    Replication. See also Replicas
    Active Directory objects for, 325-331
    advanced topics, 357-364
    basic description of, 24-26, 307-419
    change notification and, 320, 384-385
    collisions and, 398-401
    connection objects and, 358-359
    global catalogs and, 323
    Group Policies and, 547
    high-watermark vectors and, 394-395
    intersite, 319-321, 364-386
    intrasite, 319-321, 357-364
    latency, 309, 342
    managing the physical structure with, 325-356
    metadata, 391-394
    multimaster, 25, 309
    nature of, 308-310
    nonreplicating properties and, 322-323
    operation masters and, 324, 404-416
    partitions and, 310-312, 362-363, 374-375
    PDC emulator and, 406-407
    permissions and, 356
    reasons to use, 308
    reciprocal, 384
    removing domain controllers and, 352-354
    rings, 357-361
    scheduled, 320-321
    schema and, 662, 675
    server objects and, 341-343
    single-master, 25, 310
    site link bridges and, 321
    SMTP, configuring, 386-387
    subnet objects and, 339-340
    test environments, 332-333
    time synchronization and, 402-404
    tombstones and, 401-402
    topologies, 314-315
    traffic, 421-425
    transitive nature of, 319
    units of, 17, 435-436
    up-to-date vectors and, 395-398
    urgent, 321-322
    Replication Monitor tool, 569
    Replicator group, 130
    Reverse lookup zones, 104
    RFCs (requests for comments)
    downloading RFC documents, 35
    RFC 977, 35
    RFCs 1034-1036, 95
    RFC 1278, 633
    RFC 1487, 10, 49
    RFC 1510, 56
    RFC 1769, 403
    RFC 1777, 10, 49
    RFC 1995, 94
    RFC 2052, 95
    RFC 2078, 104
    RFC 2136, 35, 94
    RFC 2137, 104
    RFC 2251, 10, 49, 488
    RFC 2798, 65
    RFC 2849, 489, 498, 501, 876
    RFCs related to LDAPv3, 50-51
    RID MASTER, 405-406
    RIDs (relative IDs), 285, 324, 405-406, 413-414
    Rights
    extending, 227-229
    using permissions instead of, 301-302
    RIS (Remote Installation Services), 39, 503
    creating computer objects and, 166-168
    Group Policies and, 520-521, 573
    Root domains
    basic description of, 30
    domain trees and, 30-31
    forest, 95, 448-452
    removing, 102
    RootDSE, 451, 495, 598, 727-728, 826-827
    Root object, 479
    RPC (remote procedure call), 348, 378, 383
    domain controller placement and, 423
    replication and, 24

    S

    SACLs (system access control lists)
    basic description of, 36, 288-289
    Group Policies and, 512, 513
    Safe Mode, 111-112
    Safe Mode with Command Prompt option, 112
    Safe Mode with Networking option, 112
    Schema
    administration scripts and, 801-822
    ADSI and, 54
    basic description of, 42-44, 581-640
    cache, 597-599
    containment rules, 607-610
    content rules, 629-634
    disabling modifications to, 661
    dumping, to spreadsheets, 594-596
    extending, 43, 641-696
    GC and, 585
    inspecting, 588-594
    location of, 585-592
    masters, 405, 660-662
    modification of, 642-659
    number of, 438
    objects, 616-617
    permissions and, 677-679
    physical location of, 586
    replication, 675
    role of, 585
    searches and, 634-637
    structure rules, 607-610
    sub-, subentries, 596-597
    syntax, 622-631
    updates, forcing, 662
    Schema Admins group, 131, 259, 661
    Schema cache
    explanation of, 597-598
    update of, 228, 598-599, 661, 662, 672
    update with a script, 819, 821
    Schema container, 586
    Schema Manager snap-in, 592-594, 620, 662, 663
    basic description of, 664-674
    creating/modifying attributes with, 664-666
    creating/modifying classes with, 666-669
    Schema master, 405
    Script(s)
    adding, to context menus, 693-694
    as command-line tools, 706-708, 884-887
    concepts, 697-758
    configuration information and, 822-832
    debugging, 755-759
    development environment for, 712-715
    editors, 712-713
    examples of, 761-794, 804-805
    execution environment for, 699-703
    file types, 703
    Group Policies and, 509-510
    help files and, 713-714
    killing, 710-711
    property caches and, 730-750, 767-772
    schema access, 801-822
    settings, 708-710
    testing, 704-705
    Script Debugger (Microsoft), 85, 86, 756-757
    Script tab, 709
    SCSI (Small Computer Systems Interface), 81
    SDCheck, 250
    SDDL (Security Descriptor Definition Language), 617-618
    default ACLs and, 267
    definition of acronyms in, 255
    schema and, 613, 617-618
    SDs (security descriptors), 36, 288-296
    Search(es)
    with ADO, 891
    with LDAP, 52, 473-501, 893-894
    multidomain, 486
    on new attributes, 694-696
    options, as command object parameters, 899-901
    schema and, 634-637
    specifying values for, 484-486
    strings, 893-894
    tools, 488-494
    Search Options dialog box, 497
    Secedit command, 510
    Security Configuration and Analysis Snap-in, 510
    Security Configuration Toolset, 510
    Security tab, 143
    Security Templates snap-in, 510-511
    Server(s)
    bridgehead, 315, 371-374
    GUIDs, 389, 395
    member, 88, 305-306
    objects, moving/managing, 341-343
    stand-alone, 88
    Server Operators group, 129
    Service packs, 80
    Services, listing, 863-865
    Session Manager, 287
    Session tickets, 56
    SET command, 115
    Setup. See also Installation
    finalizing, 89
    Wizard, 92-93
    Setup Manager Wizard, 106-107
    Shortcut trusts, 31
    ShowInAdvancedViewOnly attribute, 613-616
    Show Property Properties.vbs, 809-810
    SIDs (security IDs)
    ACEs and, 288-292
    basic description of, 283-287
    deleting users and, 162
    foreignSecurityPrincipal object and, 462
    installation and, 108
    MoveTree tool and, 463
    RID master and, 405-406
    Single sign-on, 204
    Site(s). See also Site links
    Active Directory objects for, 325-331
    administering, 337-338
    basic description of, 23
    coverage, 318
    Default-First-Site-Name, using, 338-339
    objects, creating/managing, 340-341
    placement of directory information and, 426-432
    replication and, 307-419
    setting up multiple, 334-337
    setting up single, 333-334
    Site link(s)
    bridges, 321, 378-380
    costs of, 369-371
    creating/managing, 348-351
    replication topology and, 367-369
    WANs as, 23
    Sites and Services snap-in, 331-333
    SLDs (second-level domains), 452
    Slow link detection algorithm, 576-578
    Smart cards, 57, 440, 661
    SMARTDRIVE command, 78
    SMTP (Simple Mail Transfer Protocol), 326-327, 330, 348-350, 378, 382-383
    domain controller placement and, 423
    replication and, 24-25, 386-387, 436
    schema and, 601
    SNTP (Simple Network Time Protocol), 403
    Software. See also Applications
    deploying, 559-561
    managing, 557-562
    Spreadsheets, 594-596
    SQL (Structured Query Language), 894-895
    SQL Server, 52, 55
    SRM (security reference monitor), 246
    SRV records, 34, 93, 102
    Stamps, 391, 398
    Stand-alone servers, 88
    Statistically unique numbers, 285
    Strings
    binding, 725-726
    octet, 483
    search, 893-894
    Structure rules (of schema classes), 607-610
    Subnet objects, creating/managing, 339-340
    Subschema object. See Abstract schema objects
    SUPPORT folder, 74
    Switchboard, 9
    Switches, 78-79
    Synchronization services, 25
    Syntax
    ADSI, 749-752
    choices, 629-634
    highlighting, 712
    rules, 629-634
    SYSOC.INF, 85
    SYSOCMGR command, 85
    SysPrep (System Preparation Tool), 108
    System account, 282. See also LocalSystem account
    System container, 674
    System Management Server (Microsoft), 509
    System partition, 69
    System Policy, 40, 505-506
    SYSTEMROOT command, 115
    System services, 513
    System State, 553-554
    SysVol (System Volume) folder, 68-69

    T

    Task Manager, 704, 711, 756, 864
    Task Scheduler, 210, 700, 711
    TCO (total cost of ownership), 503
    TCP (Transmission Control Protocol), 490. See also TCP/IP (Transmission Control Protocol/Internet Protocol)
    TCP/IP (Transmission Control Protocol/Internet Protocol). See also TCP (Transmission Control Protocol)
    connecting to the Internet and, 59
    installation and, 70, 87, 93-94, 97
    site functions and, 23
    traffic encryption, 57
    Telephones tab, 144
    Templates
    administrative, 515-519
    basic description of, 204
    Group Policy, 524, 525, 567
    security, 41, 204, 510-511
    Terminal Services, 85, 87, 93, 476
    Testing
    batch files, 687-688
    environments, 332-333
    schema modifications, in forests, 660, 685-690
    scripts, 688-690
    TGT (ticket-granting ticket), 56, 435
    Time
    convergence hierarchy, 403
    GMT/UTC, 390, 485, 689
    services, controlling, 403-404
    settings during installation, 87
    -stamps, 390
    strings, generalized, 485
    synchronization, 402-404
    target, 404
    TLDs (top-level domains), 452
    Tombstones, 401-402
    Topologies
    intersite, 64-65, 364-386
    intrasite, 357-364
    replication, 314-315, 357-386
    Transactions, 52
    Transitivity, of replication, 319
    Tree(s)
    creating, 94-95
    deleting OUs in, 140-141
    moving OUs in, 140-141
    renaming OUs in, 140-141
    root domain, 451
    Troubleshooting
    Group Policies, 562-571
    installation, 110-113
    Trust(s)
    basic description of, 17-18
    bidirectional, 18-19, 30, 453, 455, 462
    computer, 441-443
    creating explicit, 460-462
    managing, 452-562
    shortcut, 31, 446-447
    transitive, 18-19
    tree root, 33
    trusted domain objects and, 452-454
    verifying, 457-459
    viewing, 454-457
    TrustAttributes property, 454
    TrustDirection property, 453
    Trustees, defining, 852
    TrustPartner property, 453
    Trust view to a forest, 446
    TXTSETUP.SIF, 106
    TYPE command, 115

    U

    UDF (Uniqueness Database File), 106
    UltraEdit, 713
    Unbind operation of LDAPv3, 52
    Unicode character set, 34, 483, 516
    UNINST.TXT, 117
    United Nations, 47
    Universal groups, 21-22
    University of Michigan, 10
    UNIX, 34-35, 192, 629
    Unsolicited Notification operation of LDAPv3, 52
    Updates. See also USNs (update sequence numbers)
    DNS, 35-36
    dynamic, 35-36, 102-104
    forcing, 662
    schema, 662
    schema cache, 598-599
    Upgrades, 89-90, 509
    UPNs (user principal names)
    basic description of, 46-47, 440
    domain controller placement and, 431
    locating user objects via, 440
    smart card logons and, 440
    suffixes for, 148, 440
    UPS (uninterruptible power supply), 74, 92
    Up-to-date vectors, 395-398
    U.S. Department of Defense, 605
    User(s)
    accounts, disabling, 163
    accounts, options for, listing, 784-788
    administering, 142-164
    class, extending, 690-696
    copying, 160-161
    creating, 145-148, 788-794, 869-870
    deleting, 162-163
    domain modes and, 134
    editing multiple, 65
    groups, predefined, 468
    home pages of, opening, 164
    informational properties of, 156-157
    information, reading, 797-801
    listing, 764-767, 865, 877-878
    managing, 121-202, 764-822
    moving, 162, 857
    objects, properties of, setting, 149-157
    predefined, 125-126
    primary groups for, setting, 192-193
    properties of, listing, 772-784
    properties of, setting, 148-157
    renaming, 162
    sending e-mail to, 164
    User interface
    bringing schema extensions to, 676-690
    creating objects for, 680-681
    where to place new objects in, 676-690
    User logon name property, 147
    User rights
    applying, 303-305
    assigning, 302
    basic description of, 296-306
    modifying, for domain controllers, 304-306
    normal privileges, 299-300
    Users and Computers snap-in, 92, 140, 160, 200-202
    auditing and, 280
    basic description of, 200-201, 489
    changing group types in, 188
    CN=Configuration object and, 586
    creating groups with, 186-187
    creating user objects with, 582
    display of editable properties in, 236
    installation and, 92
    predefined groups in, 130-133
    user property pages of, 236-237
    viewing default permissions with, 259
    Users container, 124, 126-133
    U.S. Naval Observatory, 403
    USNs (update sequence numbers), 25, 392-395. See also Updates
    basic description of, 313-314, 389-391
    high-watermark vectors and, 394-395
    local, 390
    originating, 390
    timestamps and, 390
    up-to-date vectors and, 395-398
    version numbers and, 390
    UUIDGen, 648, 653, 679

    V

    V.34 modems, 47
    Value(s)
    attribute, managing, 693-694
    specifying, for LDAP searches, 484-486
    string, 718
    Variable(s)
    administration scripts and, 718
    names, 718
    VBA (Microsoft Visual Basic for Applications), 701
    VBScript (Microsoft)
    ADSI and, 54
    basic description of, 698, 702, 715-721
    COM components and, 753-754
    Editor, 713
    Group Policies and, 509
    schema and, 663
    scripts, creating/testing, 688-690
    scripts, sample, 716-721
    Vectors, 394-395
    Verbose mode, 489-490
    VeriSign, 57
    Veritas WinInstall2000, 559
    VINES, 9
    Virtual containers, 58
    Virtual private networks (VPNs), 155
    Visual Basic, 680, 701, 702
    Visual Studio Installer (Microsoft), 559
    VMware, 73
    VMware Workstation, 73
    VPNs (virtual private networks), 155

    W

    WANs (wide-area networks), 23, 436
    bandwidth and, 425
    domain controller placement and, 427-432
    Group Policies and, 547
    hierarchies and, 27, 29
    installation and, 109
    replication and, 24, 308-309, 315, 318, 334, 338, 368, 370
    schema and, 654, 655
    Web Information property set, 235
    Well-known security principals, 209-212
    Whistler, 64-65
    WhoWhere, 9
    Win32 API, 755
    Windows Installer, 557-562
    Windows NT (Microsoft)
    Active Directory and, comparison of, 11-13
    Cairo and, 10-11
    domains, using multiple domains because of, 436
    history of, 8-9
    properties, listing, 870-871
    system policy, 505-506
    Windows 2000 Server (Microsoft)
    answer files and, 106-107
    components, installation of, 85-87
    dual booting, 70-73
    hardware compatibility with, 74-75
    history of, 10-11
    installation, 68-76, 80-92, 105-107
    requirements/recommendations, 74
    Resource Kit, 255, 566-571
    server upgrades, 837-90
    uninstalling, 113-117
    Windows.NET Server, 64-65, 231, 347, 539, 643, 655
    Windows 2000 Professional, 92-93
    Windows Update Corporate Web site, 91
    Windows XP, 64, 539, 578
    WinEdit, 715
    WINNT command, 78-81
    WINNT folder, 68-69
    WINNT32 command, 78, 80, 81
    WINNT32.EXE, 73
    WINS (Microsoft Windows Internet Naming Service), 36, 53, 70, 88
    WinSock, 59
    Wise for Windows Installer, 559
    WKGUIDs, 874-878
    WMI (Windows Management Instrumentation), 754-755
    Workstations, 302, 305-306, 869-870
    World Telecommunication Standardization Conference, 48
    WScript, 680, 703-705, 711
    WSH (Windows Script Host), 202, 509, 699-742
    W32Time, 403
    W32TM, 403-404

    X

    X.500 standard, 10, 44, 47-49, 606, 613, 629
    X.509 certificates, 48, 57, 86. See also PKI (public key infrastructure)
    XLNT, 703
    XML (Extensible Markup Language), 703, 758, 759
    XOM (XAPIA X/Open Object Management) syntax, 629

    Y

    Yahoo!, 9

    Z

    Zap files, 560-561, 562
    Zones. See DNS Zones
