Active Directory Cookbook Document

Discussion in 'Accounting - Auditing' started by Thúy Viết Bài, 5/12/13.

  1. Thúy Viết Bài

    Copyright
    Foreword
    Preface
    Who Should Read This Book?
    What's in This Book?
    Conventions Used in This Book
    We'd Like Your Feedback!
    Acknowledgments

    Chapter 1. Getting Started

    Approach to the Book
    Recipe 1.1. Where to Find the Tools
    Recipe 1.2. Getting Familiar with LDIF
    Recipe 1.3. Programming Notes
    Recipe 1.4. Replaceable Text
    Recipe 1.5. Where to Find More Information

    Chapter 2. Forests, Domains, and Trusts
    Introduction
    Recipe 2.1. Creating a Forest
    Recipe 2.2. Removing a Forest
    Recipe 2.3. Creating a Domain
    Recipe 2.4. Removing a Domain
    Recipe 2.5. Removing an Orphaned Domain
    Recipe 2.6. Finding the Domains in a Forest
    Recipe 2.7. Finding the NetBIOS Name of a Domain
    Recipe 2.8. Renaming a Domain
    Recipe 2.9. Changing the Mode of a Domain
    Recipe 2.10. Using ADPrep to Prepare a Domain or Forest for Windows Server 2003
    Recipe 2.11. Determining if ADPrep Has Completed
    Recipe 2.12. Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003
    Recipe 2.13. Raising the Functional Level of a Windows Server 2003 Domain
    Recipe 2.14. Raising the Functional Level of a Windows Server 2003 Forest
    Recipe 2.15. Creating a Trust Between a Windows NT Domain and an AD Domain
    Recipe 2.16. Creating a Transitive Trust Between Two AD Forests
    Recipe 2.17. Creating a Shortcut Trust Between Two AD Domains
    Recipe 2.18. Creating a Trust to a Kerberos Realm
    Recipe 2.19. Viewing the Trusts for a Domain
    Recipe 2.20. Verifying a Trust
    Recipe 2.21. Resetting a Trust
    Recipe 2.22. Removing a Trust
    Recipe 2.23. Enabling SID Filtering for a Trust
    Recipe 2.24. Finding Duplicate SIDs in a Domain

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Introduction
    Recipe 3.1. Promoting a Domain Controller
    Recipe 3.2. Promoting a Domain Controller from Media
    Recipe 3.3. Demoting a Domain Controller
    Recipe 3.4. Automating the Promotion or Demotion of a Domain Controller
    Recipe 3.5. Troubleshooting Domain Controller Promotion or Demotion Problems
    Recipe 3.6. Removing an Unsuccessfully Demoted Domain Controller
    Recipe 3.7. Renaming a Domain Controller
    Recipe 3.8. Finding the Domain Controllers for a Domain
    Recipe 3.9. Finding the Closest Domain Controller
    Recipe 3.10. Finding a Domain Controller's Site
    Recipe 3.11. Moving a Domain Controller to a Different Site
    Recipe 3.12. Finding the Services a Domain Controller Is Advertising
    Recipe 3.13. Configuring a Domain Controller to Use an External Time Source
    Recipe 3.14. Finding the Number of Logon Attempts Made Against a Domain Controller
    Recipe 3.15. Enabling the /3GB Switch to Increase the LSASS Cache
    Recipe 3.16. Cleaning Up Distributed Link Tracking Objects
    Recipe 3.17. Enabling and Disabling the Global Catalog
    Recipe 3.18. Determining if Global Catalog Promotion Is Complete
    Recipe 3.19. Finding the Global Catalog Servers in a Forest
    Recipe 3.20. Finding the Domain Controllers or Global Catalog Servers in a Site
    Recipe 3.21. Finding Domain Controllers and Global Catalogs via DNS
    Recipe 3.22. Changing the Preference for a Domain Controller
    Recipe 3.23. Disabling the Global Catalog Requirement During a Windows 2000 Domain Login
    Recipe 3.24. Disabling the Global Catalog Requirement During a Windows 2003 Domain Login
    Recipe 3.25. Finding the FSMO Role Holders
    Recipe 3.26. Transferring a FSMO Role
    Recipe 3.27. Seizing a FSMO Role
    Recipe 3.28. Finding the PDC Emulator FSMO Role Owner via DNS

    Chapter 4. Searching and Manipulating Objects
    Introduction
    Recipe 4.1. Viewing the RootDSE
    Recipe 4.2. Viewing the Attributes of an Object
    Recipe 4.3. Using LDAP Controls
    Recipe 4.4. Using a Fast or Concurrent Bind
    Recipe 4.5. Searching for Objects in a Domain
    Recipe 4.6. Searching the Global Catalog
    Recipe 4.7. Searching for a Large Number of Objects
    Recipe 4.8. Searching with an Attribute-Scoped Query
    Recipe 4.9. Searching with a Bitwise Filter
    Recipe 4.10. Creating an Object
    Recipe 4.11. Modifying an Object
    Recipe 4.12. Modifying a Bit-Flag Attribute
    Recipe 4.13. Dynamically Linking an Auxiliary Class
    Recipe 4.14. Creating a Dynamic Object
    Recipe 4.15. Refreshing a Dynamic Object
    Recipe 4.16. Modifying the Default TTL Settings for Dynamic Objects
    Recipe 4.17. Moving an Object to a Different OU or Container
    Recipe 4.18. Moving an Object to a Different Domain
    Recipe 4.19. Renaming an Object
    Recipe 4.20. Deleting an Object
    Recipe 4.21. Deleting a Container That Has Child Objects
    Recipe 4.22. Viewing the Created and Last Modified Timestamp of an Object
    Recipe 4.23. Modifying the Default LDAP Query Policy
    Recipe 4.24. Exporting Objects to an LDIF File
    Recipe 4.25. Importing Objects Using an LDIF File
    Recipe 4.26. Exporting Objects to a CSV File
    Recipe 4.27. Importing Objects Using a CSV File

    Chapter 5. Organizational Units
    Introduction
    Recipe 5.1. Creating an OU
    Recipe 5.2. Enumerating the OUs in a Domain
    Recipe 5.3. Enumerating the Objects in an OU
    Recipe 5.4. Deleting the Objects in an OU
    Recipe 5.5. Deleting an OU
    Recipe 5.6. Moving the Objects in an OU to a Different OU
    Recipe 5.7. Moving an OU
    Recipe 5.8. Determining How Many Child Objects an OU Has
    Recipe 5.9. Delegating Control of an OU
    Recipe 5.10. Allowing OUs to Be Created Within Containers
    Recipe 5.11. Linking a GPO to an OU

    Chapter 6. Users
    Introduction
    Recipe 6.1. Creating a User
    Recipe 6.2. Creating a Large Number of Users
    Recipe 6.3. Creating an inetOrgPerson User
    Recipe 6.4. Modifying an Attribute for Several Users at Once
    Recipe 6.5. Moving a User
    Recipe 6.6. Renaming a User
    Recipe 6.7. Copying a User
    Recipe 6.8. Unlocking a User
    Recipe 6.9. Finding Locked Out Users
    Recipe 6.10. Troubleshooting Account Lockout Problems
    Recipe 6.11. Viewing the Account Lockout and Password Policies
    Recipe 6.12. Enabling and Disabling a User
    Recipe 6.13. Finding Disabled Users
    Recipe 6.14. Viewing a User's Group Membership
    Recipe 6.15. Changing a User's Primary Group
    Recipe 6.16. Transferring a User's Group Membership to Another User
    Recipe 6.17. Setting a User's Password
    Recipe 6.18. Setting a User's Password via LDAP
    Recipe 6.19. Setting a User's Password via Kerberos
    Recipe 6.20. Preventing a User from Changing His Password
    Recipe 6.21. Requiring a User to Change Her Password at Next Logon
    Recipe 6.22. Preventing a User's Password from Expiring
    Recipe 6.23. Finding Users Whose Passwords Are About to Expire
    Recipe 6.24. Setting a User's Account Options (userAccountControl)
    Recipe 6.25. Setting a User's Account to Expire in the Future
    Recipe 6.26. Finding Users Whose Accounts Are About to Expire
    Recipe 6.27. Determining a User's Last Logon Time
    Recipe 6.28. Finding Users Who Have Not Logged On Recently
    Recipe 6.29. Setting a User's Profile Attributes
    Recipe 6.30. Viewing a User's Managed Objects
    Recipe 6.31. Modifying the Default Display Name Used When Creating Users in ADUC
    Recipe 6.32. Creating a UPN Suffix for a Forest

    Chapter 7. Groups
    Introduction
    Recipe 7.1. Creating a Group
    Recipe 7.2. Viewing the Direct Members of a Group
    Recipe 7.3. Viewing the Nested Members of a Group
    Recipe 7.4. Adding and Removing Members of a Group
    Recipe 7.5. Moving a Group
    Recipe 7.6. Changing the Scope or Type of a Group
    Recipe 7.7. Delegating Control for Managing Membership of a Group
    Recipe 7.8. Resolving a Primary Group ID
    Recipe 7.9. Enabling Universal Group Membership Caching

    Chapter 8. Computers
    Introduction
    Recipe 8.1. Creating a Computer
    Recipe 8.2. Creating a Computer for a Specific User or Group
    Recipe 8.3. Joining a Computer to a Domain
    Recipe 8.4. Moving a Computer
    Recipe 8.5. Renaming a Computer
    Recipe 8.6. Testing the Secure Channel for a Computer
    Recipe 8.7. Resetting a Computer
    Recipe 8.8. Finding Inactive or Unused Computers
    Recipe 8.9. Changing the Maximum Number of Computers a User Can Join to the Domain
    Recipe 8.10. Finding Computers with a Particular OS
    Recipe 8.11. Binding to the Default Container for Computers
    Recipe 8.12. Changing the Default Container for Computers

    Chapter 9. Group Policy Objects (GPOs)
    Introduction
    Recipe 9.1. Finding the GPOs in a Domain
    Recipe 9.2. Creating a GPO
    Recipe 9.3. Copying a GPO
    Recipe 9.4. Deleting a GPO
    Recipe 9.5. Viewing the Settings of a GPO
    Recipe 9.6. Modifying the Settings of a GPO
    Recipe 9.7. Importing Settings into a GPO
    Recipe 9.8. Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
    Recipe 9.9. Installing Applications with a GPO
    Recipe 9.10. Disabling the User or Computer Settings in a GPO
    Recipe 9.11. Listing the Links for GPO
    Recipe 9.12. Creating a GPO Link to an OU
    Recipe 9.13. Blocking Inheritance of GPOs on an OU
    Recipe 9.14. Applying a Security Filter to a GPO
    Recipe 9.15. Creating a WMI Filter
    Recipe 9.16. Applying a WMI Filter to a GPO
    Recipe 9.17. Backing Up a GPO
    Recipe 9.18. Restoring a GPO
    Recipe 9.19. Simulating the RSoP
    Recipe 9.20. Viewing the RSoP
    Recipe 9.21. Refreshing GPO Settings on a Computer
    Recipe 9.22. Restoring a Default GPO

    Chapter 10. Schema
    Introduction
    Recipe 10.1. Registering the Active Directory Schema MMC Snap-in
    Recipe 10.2. Enabling Schema Updates
    Recipe 10.3. Generating an OID to Use for a New Class or Attribute
    Recipe 10.4. Generating a GUID to Use for a New Class or Attribute
    Recipe 10.5. Extending the Schema
    Recipe 10.6. Documenting Schema Extensions
    Recipe 10.7. Adding a New Attribute
    Recipe 10.8. Viewing an Attribute
    Recipe 10.9. Adding a New Class
    Recipe 10.10. Viewing a Class
    Recipe 10.11. Indexing an Attribute
    Recipe 10.12. Modifying the Attributes That Are Copied When Duplicating a User
    Recipe 10.13. Modifying the Attributes Included with Ambiguous Name Resolution
    Recipe 10.14. Adding or Removing an Attribute in the Global Catalog
    Recipe 10.15. Finding the Nonreplicated and Constructed Attributes
    Recipe 10.16. Finding the Linked Attributes
    Recipe 10.17. Finding the Structural, Auxiliary, Abstract, and 88 Classes
    Recipe 10.18. Finding the Mandatory and Optional Attributes of a Class
    Recipe 10.19. Modifying the Default Security of a Class
    Recipe 10.20. Deactivating Classes and Attributes
    Recipe 10.21. Redefining Classes and Attributes
    Recipe 10.22. Reloading the Schema Cache

    Chapter 11. Site Topology
    Introduction
    Recipe 11.1. Creating a Site
    Recipe 11.2. Listing the Sites
    Recipe 11.3. Deleting a Site
    Recipe 11.4. Creating a Subnet
    Recipe 11.5. Listing the Subnets
    Recipe 11.6. Finding Missing Subnets
    Recipe 11.7. Creating a Site Link
    Recipe 11.8. Finding the Site Links for a Site
    Recipe 11.9. Modifying the Sites That Are Part of a Site Link
    Recipe 11.10. Modifying the Cost for a Site Link
    Recipe 11.11. Disabling Site Link Transitivity or Site Link Schedules
    Recipe 11.12. Creating a Site Link Bridge
    Recipe 11.13. Finding the Bridgehead Servers for a Site
    Recipe 11.14. Setting a Preferred Bridgehead Server for a Site
    Recipe 11.15. Listing the Servers
    Recipe 11.16. Moving a Domain Controller to a Different Site
    Recipe 11.17. Configuring a Domain Controller to Cover Multiple Sites
    Recipe 11.18. Viewing the Site Coverage for a Domain Controller
    Recipe 11.19. Disabling Automatic Site Coverage for a Domain Controller
    Recipe 11.20. Finding the Site for a Client
    Recipe 11.21. Forcing a Host to a Particular Site
    Recipe 11.22. Creating a Connection Object
    Recipe 11.23. Listing the Connection Objects for a Server
    Recipe 11.24. Load-Balancing Connection Objects
    Recipe 11.25. Finding the ISTG for a Site
    Recipe 11.26. Transferring the ISTG to Another Server
    Recipe 11.27. Triggering the KCC
    Recipe 11.28. Determining if the KCC Is Completing Successfully
    Recipe 11.29. Disabling the KCC for a Site
    Recipe 11.30. Changing the Interval at Which the KCC Runs

    Chapter 12. Replication
    Introduction
    Recipe 12.1. Determining if Two Domain Controllers Are in Sync
    Recipe 12.2. Viewing the Replication Status of Several Domain Controllers
    Recipe 12.3. Viewing Unreplicated Changes Between Two Domain Controllers
    Recipe 12.4. Forcing Replication from One Domain Controller to Another
    Recipe 12.5. Changing the Intra-Site Replication Interval
    Recipe 12.6. Changing the Inter-Site Replication Interval
    Recipe 12.7. Disabling Inter-Site Compression of Replication Traffic
    Recipe 12.8. Checking for Potential Replication Problems
    Recipe 12.9. Enabling Enhanced Logging of Replication Events
    Recipe 12.10. Enabling Strict or Loose Replication Consistency
    Recipe 12.11. Finding Conflict Objects
    Recipe 12.12. Viewing Object Metadata

    Chapter 13. Domain Name System (DNS)
    Introduction
    Recipe 13.1. Creating a Forward Lookup Zone
    Recipe 13.2. Creating a Reverse Lookup Zone
    Recipe 13.3. Viewing a Server's Zones
    Recipe 13.4. Converting a Zone to an AD-Integrated Zone
    Recipe 13.5. Moving AD-Integrated Zones into an Application Partition
    Recipe 13.6. Delegating Control of a Zone
    Recipe 13.7. Creating and Deleting Resource Records
    Recipe 13.8. Querying Resource Records
    Recipe 13.9. Modifying the DNS Server Configuration
    Recipe 13.10. Scavenging Old Resource Records
    Recipe 13.11. Clearing the DNS Cache
    Recipe 13.12. Verifying That a Domain Controller Can Register Its Resource Records
    Recipe 13.13. Registering a Domain Controller's Resource Records
    Recipe 13.14. Preventing a Domain Controller from Dynamically Registering All Resource Records
    Recipe 13.15. Preventing a Domain Controller from Dynamically Registering Certain Resource Records
    Recipe 13.16. Deregistering a Domain Controller's Resource Records
    Recipe 13.17. Allowing Computers to Use a Different Domain Suffix from Their AD Domain

    Chapter 14. Security and Authentication
    Introduction
    Recipe 14.1. Enabling SSL/TLS
    Recipe 14.2. Encrypting LDAP Traffic with SSL, TLS, or Signing
    Recipe 14.3. Enabling Anonymous LDAP Access
    Recipe 14.4. Restricting Hosts from Performing LDAP Queries
    Recipe 14.5. Using the Delegation of Control Wizard
    Recipe 14.6. Customizing the Delegation of Control Wizard
    Recipe 14.7. Viewing the ACL for an Object
    Recipe 14.8. Customizing the ACL Editor
    Recipe 14.9. Viewing the Effective Permissions on an Object
    Recipe 14.10. Changing the ACL of an Object
    Recipe 14.11. Changing the Default ACL for an Object Class in the Schema
    Recipe 14.12. Comparing the ACL of an Object to the Default Defined in the Schema
    Recipe 14.13. Resetting an Object's ACL to the Default Defined in the Schema
    Recipe 14.14. Preventing the LM Hash of a Password from Being Stored
    Recipe 14.15. Enabling List Object Access Mode
    Recipe 14.16. Modifying the ACL on Administrator Accounts
    Recipe 14.17. Viewing and Purging Your Kerberos Tickets
    Recipe 14.18. Forcing Kerberos to Use TCP
    Recipe 14.19. Modifying Kerberos Settings

    Chapter 15. Logging, Monitoring, and Quotas
    Introduction
    Recipe 15.1. Enabling Extended dcpromo Logging
    Recipe 15.2. Enabling Diagnostics Logging
    Recipe 15.3. Enabling NetLogon Logging
    Recipe 15.4. Enabling GPO Client Logging
    Recipe 15.5. Enabling Kerberos Logging
    Recipe 15.6. Enabling DNS Server Debug Logging
    Recipe 15.7. Viewing DNS Server Performance Statistics
    Recipe 15.8. Enabling Inefficient and Expensive LDAP Query Logging
    Recipe 15.9. Using the STATS Control to View LDAP Query Statistics
    Recipe 15.10. Using Perfmon to Monitor AD
    Recipe 15.11. Using Perfmon Trace Logs to Monitor AD
    Recipe 15.12. Enabling Auditing of Directory Access
    Recipe 15.13. Creating a Quota
    Recipe 15.14. Finding the Quotas Assigned to a Security Principal
    Recipe 15.15. Changing How Tombstone Objects Count Against Quota Usage
    Recipe 15.16. Setting the Default Quota for All Security Principals in a Partition
    Recipe 15.17. Finding the Quota Usage for a Security Principal

    Chapter 16. Backup, Recovery, DIT Maintenance, and Deleted Objects
    Introduction
    Recipe 16.1. Backing Up Active Directory
    Recipe 16.2. Restarting a Domain Controller in Directory Services Restore Mode
    Recipe 16.3. Resetting the Directory Service Restore Mode Administrator Password
    Recipe 16.4. Performing a Nonauthoritative Restore
    Recipe 16.5. Performing an Authoritative Restore of an Object or Subtree
    Recipe 16.6. Performing a Complete Authoritative Restore
    Recipe 16.7. Checking the DIT File's Integrity
    Recipe 16.8. Moving the DIT Files
    Recipe 16.9. Repairing or Recovering the DIT
    Recipe 16.10. Performing an Online Defrag Manually
    Recipe 16.11. Determining How Much Whitespace Is in the DIT
    Recipe 16.12. Performing an Offline Defrag to Reclaim Space
    Recipe 16.13. Changing the Garbage Collection Interval
    Recipe 16.14. Logging the Number of Expired Tombstone Objects
    Recipe 16.15. Determining the Size of the Active Directory Database
    Recipe 16.16. Searching for Deleted Objects
    Recipe 16.17. Restoring a Deleted Object
    Recipe 16.18. Modifying the Tombstone Lifetime for a Domain

    Chapter 17. Application Partitions
    Introduction
    Recipe 17.1. Creating and Deleting an Application Partition
    Recipe 17.2. Finding the Application Partitions in a Forest
    Recipe 17.3. Adding or Removing a Replica Server for an Application Partition
    Recipe 17.4. Finding the Replica Servers for an Application Partition
    Recipe 17.5. Finding the Application Partitions Hosted by a Server
    Recipe 17.6. Verifying Application Partitions Are Instantiated on a Server Correctly
    Recipe 17.7. Setting the Replication Notification Delay for an Application Partition
    Recipe 17.8. Setting the Reference Domain for an Application Partition
    Recipe 17.9. Delegating Control of Managing an Application Partition

    Chapter 18. Interoperability and Integration
    Introduction
    Recipe 18.1. Accessing AD from a Non-Windows Platform
    Recipe 18.2. Programming with .NET
    Recipe 18.3. Programming with DSML
    Recipe 18.4. Programming with Perl
    Recipe 18.5. Programming with Java
    Recipe 18.6. Programming with Python
    Recipe 18.7. Integrating with MIT Kerberos
    Recipe 18.8. Integrating with Samba
    Recipe 18.9. Integrating with Apache
    Recipe 18.10. Replacing NIS
    Recipe 18.11. Using BIND for DNS
    Recipe 18.12. Authorizing a Microsoft DHCP Server
    Recipe 18.13. Using VMWare for Testing AD

    Appendix A. Tool List
    ACL Diagnostics Command (acldiag.exe)
    Active Directory Domains and Trusts Snap-in (domain.msc)
    Active Directory Installation Wizard (dcpromo.exe)
    Active Directory Load Balancer Command (adlb.exe)
    Active Directory Schema Snap-in (schmmgmt.msc)
    Active Directory Sites and Services (dssite.msc)
    Active Directory Users and Computers Snap-in (dsa.msc)
    AD Prep Utility (adprep.exe)
    ADSI Edit (adsiedit.msc)
    Audit Policy Command (auditpol.exe)
    Backup Wizard (ntbackup.exe)
    CSVDE Command (csvde.exe)
    Default Domain Controller Security Policy Snap-in (dcpol.msc)
    Default Domain Security Policy Snap-in (dompol.msc)
    Default Group Policy Restore Command (dcgpofix.exe)
    DNS Snap-in (dnsmgmt.msc)
    DNSCmd Command (dnscmd.exe)
    Domain Controller Diagnosis Command (dcdiag.exe)
    DS ACL Command (dsacls.exe)
    DS Add Command (dsadd.exe)
    DS Get Command (dsget.exe)
    DS Modify Command (dsmodify.exe)
    DS Move Command (dsmove.exe)
    DS Query Command (dsquery.exe)
    DS Remove Command (dsrm.exe)
    Enumprop Command (enumprop.exe)
    Group Policy Management Console (gpmc.msc)
    Group Policy Object Editor (gpedit.msc)
    Group Policy Verification Tool (gpotool.exe)
    Group Policy Results Command (gpresult.exe)
    Group Policy Refresh Command (gpupdate.exe)
    IP Configuration (ipconfig.exe)
    Kerberos List (klist.exe)
    Kerberos Tray (kerbtray.exe)
    LDIFDE Command (ldifde.exe)
    LDP (ldp.exe)
    Move Tree Command (movetree.exe)
    Netdom Command (netdom.exe)
    Network Connectivity Tester (netdiag.exe)
    NLTest Command (nltest.exe)
    Nslookup Command (nslookup.exe)
    NTDS Util Command (ntdsutil.exe)
    OID Generator Command (oidgen.exe)
    Redirect Default Computers Command (redircmp.exe)
    Redirect Default Users Command (redirusr.exe)
    Reg Command (reg.exe)
    Registry Editor (regedit.exe)
    Rename Domain Command (rendom.exe)
    Replication Diagnostics Command (repadmin.exe)
    Replication Monitor (replmon.exe)
    Resultant Set of Policy Snap-in (rsop.msc)
    SecEdit Command (secedit.exe)
    Time Service (w32tm.exe)
    Unlock (unlock.exe)
    UUID Generator Command (uuidgen.exe)
    WinNT32 Command (winnt32.exe)

    Colophon
    Index
     
