Active Directory Cookbook 9781449361426

Take the guesswork out of deploying, administering, and automating Active Directory. With hundreds of proven recipes, th


Language: English. Year: 2013.


Table of contents:
Cover
Jacket
Title Page
Special Upgrade Offer
Preface
Who Should Read This Book?
What’s in This Book?
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
Acknowledgments
Chapter 1. Getting Started
Approach to the Book
Where to Find the Tools
Getting Familiar with LDIF
Replaceable Text
Where to Find More Information
Chapter 2. Forests, Domains, and Trusts
Introduction
Creating a Forest
Removing a Forest
Creating a Domain
Removing a Domain
Removing an Orphaned Domain
Finding the Domains in a Forest
Finding the NetBIOS Name of a Domain
Renaming a Domain
Raising the Domain Functional Level to Windows Server 2012
Raising the Functional Level of a Windows Server 2008 or 2008 R2 Forest
Using AdPrep to Prepare a Domain or Forest for Windows Server 2012
Determining Whether AdPrep Has Completed
Checking Whether a Windows Domain Controller Can Be Upgraded to Windows Server 2003 or 2008
Creating an External Trust
Creating a Transitive Trust Between Two AD Forests
Creating a Shortcut Trust Between Two AD Domains
Creating a Trust to a Kerberos Realm
Viewing the Trusts for a Domain
Verifying a Trust
Resetting a Trust
Removing a Trust
Enabling SID Filtering for a Trust
Enabling Quarantine for a Trust
Managing Selective Authentication for a Trust
Finding Duplicate SIDs in a Domain
Adding Additional Fields to Active Directory Users and Computers
Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
Introduction
Promoting a Server to a Domain Controller
Promoting a Server to a Read-Only Domain Controller
Performing a Two-Stage RODC Installation
Modifying the Password Replication Policy
Promoting a Server to a Windows Server 2012 Domain Controller from Media
Demoting a Domain Controller
Automating the Promotion or Demotion of a Domain Controller
Troubleshooting Domain Controller Promotion or Demotion Problems
Verifying the Promotion of a Domain Controller
Removing an Unsuccessfully Demoted Domain Controller
Renaming a Domain Controller
Finding the Domain Controllers for a Domain
Finding the Closest Domain Controller
Finding a Domain Controller’s Site
Moving a Domain Controller to a Different Site
Finding the Services a Domain Controller Is Advertising
Restoring a Deleted Domain Controller in Windows Server 2012
Resetting the TCP/IP Stack on a Domain Controller
Configuring a Domain Controller to Use an External Time Source
Finding the Number of Logon Attempts Made Against a Domain Controller
Enabling the /3GB Switch to Increase the LSASS Cache
Enabling and Disabling the Global Catalog
Determining Whether Global Catalog Promotion Is Complete
Finding the Global Catalog Servers in a Forest
Finding the Domain Controllers or Global Catalog Servers in a Site
Finding Domain Controllers and Global Catalogs via DNS
Changing the Preference for a Domain Controller
Disabling the Global Catalog Requirement for User Logon
Finding the FSMO Role Holders
Transferring a FSMO Role
Seizing a FSMO Role
Finding the PDC Emulator FSMO Role Owner via DNS
Chapter 4. Searching and Manipulating Objects
Introduction
Viewing the RootDSE
Viewing the Attributes of an Object
Counting Objects in Active Directory
Using LDAP Controls
Using a Fast or Concurrent Bind
Connecting to an Object GUID
Connecting to a Well-Known GUID
Searching for Objects in a Domain
Searching the Global Catalog
Searching for a Large Number of Objects
Searching with an Attribute-Scoped Query
Searching with a Bitwise Filter
Creating an Object
Modifying an Object
Modifying a Bit-Flag Attribute
Dynamically Linking an Auxiliary Class
Creating a Dynamic Object
Refreshing a Dynamic Object
Modifying the Default TTL Settings for Dynamic Objects
Moving an Object to a Different OU or Container
Moving an Object to a Different Domain
Referencing an External Domain
Renaming an Object
Deleting an Object
Deleting a Container That Has Child Objects
Viewing the Created and Last-Modified Timestamp of an Object
Modifying the Default LDAP Query Policy
Exporting Objects to an LDIF File
Importing Objects Using an LDIF File
Exporting Objects to a CSV File
Importing Objects Using PowerShell and a CSV File
Chapter 5. Organizational Units
Introduction
Creating an OU
Enumerating the OUs in a Domain
Finding an OU
Enumerating the Objects in an OU
Deleting the Objects in an OU
Deleting an OU
Moving the Objects in an OU to a Different OU
Moving an OU
Renaming an OU
Modifying an OU
Determining Approximately How Many Child Objects an OU Has
Delegating Control of an OU
Assigning or Removing a Manager for an OU
Linking a GPO to an OU
Protecting an OU Against Accidental Deletion
Chapter 6. Users
Introduction
Modifying the Default Display Name Used When Creating Users in ADUC or ADAC
Creating a User
Creating a Large Number of Users
Creating an inetOrgPerson User
Converting a user Object to an inetOrgPerson Object (or Vice Versa)
Modifying an Attribute for Several Users at Once
Deleting a User
Setting a User’s Profile Attributes
Moving a User
Redirecting Users to an Alternative OU
Renaming a User
Copying a User
Finding Locked-Out Users
Unlocking a User
Troubleshooting Account Lockout Problems
Viewing the Domain-Wide Account Lockout and Password Policies
Applying a Fine-Grained Password Policy to a User Object
Viewing the Fine-Grained Password Policy That Is in Effect for a User Account
Enabling and Disabling a User
Finding Disabled Users
Viewing a User’s Group Membership
Removing All Group Memberships from a User
Changing a User’s Primary Group
Copying a User’s Group Membership to Another User
Setting a User’s Password
Preventing a User from Changing a Password
Requiring a User to Change a Password at Next Logon
Preventing a User’s Password from Expiring
Finding Users Whose Passwords Are About to Expire
Viewing the RODCs That Have Cached a User’s Password
Setting a User’s Account Options (userAccountControl)
Setting a User’s Account to Expire
Determining a User’s Last Logon Time
Finding Users Who Have Not Logged On Recently
Viewing and Modifying a User’s Permitted Logon Hours
Viewing a User’s Managed Objects
Creating a UPN Suffix for a Forest
Restoring a Deleted User
Protecting a User Against Accidental Deletion
Chapter 7. Groups
Introduction
Creating a Group
Viewing the Permissions of a Group
Viewing the Direct Members of a Group
Viewing the Nested Members of a Group
Adding and Removing Members of a Group
Moving a Group Within a Domain
Moving a Group to Another Domain
Changing the Scope or Type of a Group
Modifying Group Attributes
Delegating Control for Managing Membership of a Group
Resolving a Primary Group ID
Enabling Universal Group Membership Caching
Restoring a Deleted Group
Protecting a Group Against Accidental Deletion
Applying a Fine-Grained Password Policy to a Group Object
Chapter 8. Computer Objects
Introduction
Creating a Computer
Creating a Computer for a Specific User or Group
Deleting a Computer
Joining a Computer to a Domain
Moving a Computer Within the Same Domain
Moving a Computer to a New Domain
Renaming a Computer
Adding or Removing a Computer Account from a Group
Testing the Secure Channel for a Computer
Resetting a Computer Account
Finding Inactive or Unused Computers
Changing the Maximum Number of Computers a User Can Join to the Domain
Modifying the Attributes of a computer Object
Finding Computers with a Particular OS
Binding to the Default Container for Computers
Changing the Default Container for Computers
Listing All the Computer Accounts in a Domain
Identifying a Computer Role
Protecting a Computer Against Accidental Deletion
Viewing the RODCs That Have Cached a Computer’s Password
Chapter 9. Group Policy Objects
Introduction
Finding the GPOs in a Domain
Creating a GPO
Copying a GPO
Deleting a GPO
Viewing the Settings of a GPO
Modifying the Settings of a GPO
Importing Settings into a GPO
Creating a Migration Table
Creating Custom Group Policy Settings
Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
Installing Applications with a GPO
Disabling the User or Computer Settings in a GPO
Listing the Links for a GPO
Creating a GPO Link to an OU
Blocking Inheritance of GPOs on an OU
Enforcing the Settings of a GPO Link
Applying a Security Filter to a GPO
Delegating Administration of GPOs
Importing a Security Template
Creating a WMI Filter
Applying a WMI Filter to a GPO
Configuring Loopback Processing for a GPO
Backing Up a GPO
Restoring a GPO
Simulating the RSoP
Viewing the RSoP
Refreshing GPO Settings on a Computer
Restoring a Default GPO
Creating a Fine-Grained Password Policy
Editing a Fine-Grained Password Policy
Viewing the Effective PSO for a User
Chapter 10. Schema
Introduction
Registering the Active Directory Schema MMC Snap-in
Generating an OID to Use for a New Class or Attribute
Extending the Schema
Preparing the Schema for an Active Directory Upgrade
Documenting Schema Extensions
Adding a New Attribute
Viewing an Attribute
Adding a New Class
Viewing a Class
Indexing an Attribute
Modifying the Attributes That Are Copied When Duplicating a User
Modifying the Attributes Included with ANR
Modifying the Set of Attributes Stored on a Global Catalog
Finding Nonreplicated and Constructed Attributes
Finding the Linked Attributes
Finding the Structural, Auxiliary, Abstract, and 88 Classes
Finding the Mandatory and Optional Attributes of a Class
Modifying the Default Security of a Class
Managing the Confidentiality Bit
Adding an Attribute to the Read-Only Filtered Attribute Set (RO-FAS)
Deactivating Classes and Attributes
Redefining Classes and Attributes
Reloading the Schema Cache
Managing the Schema Master FSMO
Chapter 11. Site Topology
Introduction
Creating a Site
Listing Sites in a Domain
Renaming a Site
Deleting a Site
Delegating Control of a Site
Configuring Universal Group Caching for a Site
Creating a Subnet
Listing the Subnets
Finding Missing Subnets
Deleting a Subnet
Changing a Subnet’s Site Assignment
Creating a Site Link
Finding the Site Links for a Site
Modifying the Sites That Are Part of a Site Link
Modifying the Cost for a Site Link
Enabling Change Notification for a Site Link
Modifying Replication Schedules
Disabling Site Link Transitivity or Site Link Schedules
Creating a Site Link Bridge
Finding the Bridgehead Servers for a Site
Setting a Preferred Bridgehead Server for a Site
Listing the Servers
Moving a Domain Controller to a Different Site
Configuring a Domain Controller to Cover Multiple Sites
Viewing the Site Coverage for a Domain Controller
Disabling Automatic Site Coverage for a Domain Controller
Finding the Site for a Client
Forcing a Host into a Particular Site
Creating a connection Object
Listing the connection Objects for a Server
Finding the ISTG for a Site
Transferring the ISTG to Another Server
Triggering the KCC
Determining Whether the KCC Is Completing Successfully
Disabling the KCC for a Site
Changing the Interval at Which the KCC Runs
Chapter 12. Replication
Introduction
Determining Whether Two Domain Controllers Are in Sync
Viewing the Replication Status of Several Domain Controllers
Viewing Unreplicated Changes Between Two Domain Controllers
Forcing Replication from One Domain Controller to Another
Enabling and Disabling Replication
Changing the Intra-Site Replication Notification Interval
Changing the Inter-Site Replication Interval
Disabling Inter-Site Compression of Replication Traffic
Checking for Potential Replication Problems
Enabling Enhanced Logging of Replication Events
Enabling Strict or Loose Replication Consistency
Finding conflict Objects
Finding Orphaned Objects
Listing the Replication Partners for a DC
Viewing Object Metadata
Chapter 13. DNS and DHCP
Introduction
Creating a Forward Lookup Zone
Creating a Reverse Lookup Zone
Viewing a Server’s Zones
Converting a Zone to an AD Integrated Zone
Moving AD Integrated Zones into an Application Partition
Configuring Zone Transfers
Configuring Forwarding
Configuring Conditional Forwarding
Delegating Control of an Active Directory Integrated Zone
Creating and Deleting Resource Records
Querying Resource Records
Modifying the DNS Server Configuration
Scavenging Old Resource Records
Clearing the DNS Cache
Verifying That a Domain Controller Can Register Its Resource Records
Enabling DNS Server Debug Logging
Registering a Domain Controller’s Resource Records
Deregistering a Domain Controller’s Resource Records
Preventing a Domain Controller from Dynamically Registering All Resource Records
Preventing a Domain Controller from Dynamically Registering Certain Resource Records
Allowing Computers to Use a Domain Suffix That Is Different from Their AD Domain
Authorizing a DHCP Server
Restricting DHCP Administrators
Chapter 14. Security and Authentication
Introduction
Enabling SSL/TLS
Securing LDAP Traffic with SSL, TLS, or Signing
Disabling LDAP Signing
Enabling Anonymous LDAP Access
Using the Delegation of Control Wizard
Customizing the Delegation of Control Wizard
Revoking Delegated Permissions
Viewing the ACL for an Object
Customizing the ACL Editor
Viewing the Effective Permissions on an Object
Configuring Permission Inheritance
Changing the ACL of an Object
Changing the Default ACL for an Object Class in the Schema
Comparing the ACL of an Object to the Default Defined in the Schema
Resetting an Object’s ACL to the Default Defined in the Schema
Enabling Strong Domain Authentication
Enabling List Object Access Mode
Modifying the ACL on Administrator Accounts
Viewing and Purging Your Kerberos Tickets
Forcing Kerberos to Use TCP
Modifying Kerberos Settings
Viewing Access Tokens
Creating a Claim Type
Creating a Resource Property
Configuring a Central Access Rule
Creating a Central Access Policy
Applying a Central Access Policy
Enabling Domain Controller Support for Claims and Compound Authentication
Enabling Claims for Devices in a Domain
Chapter 15. Logging, Monitoring, and Quotas
Introduction
Enabling Diagnostics Logging
Enabling NetLogon Logging
Enabling GPO Client Logging
Enabling Kerberos Logging
Viewing DNS Server Performance Statistics
Monitoring the Windows Time Service
Enabling Inefficient and Expensive LDAP Query Logging
Using the STATS Control to View LDAP Query Statistics
Monitoring the Performance of Active Directory
Using Perfmon Trace Logs to Monitor Active Directory
Creating an Administrative Alert
Emailing an Administrator on a Performance Alert
Enabling Auditing of Directory Access
Enabling Auditing of Registry Keys
Creating a Quota
Finding the Quotas Assigned to a Security Principal
Changing How Tombstone Objects Count Against Quota Usage
Setting the Default Quota for All Security Principals in a Partition
Finding the Quota Usage for a Security Principal
Chapter 16. Backup, Recovery, DIT Maintenance, and Deleted Objects
Introduction
Backing Up the Active Directory Database
Creating an Active Directory Snapshot
Mounting an Active Directory Snapshot
Accessing Active Directory Snapshot Data
Restarting a Domain Controller in Directory Services Repair Mode
Resetting the Directory Services Repair Mode Administrator Password
Performing a Nonauthoritative Restore
Performing an Authoritative Restore of an Object or Subtree
Performing a Complete Authoritative Restore
Checking the DIT File’s Integrity
Moving the DIT Files
Repairing or Recovering the DIT
Performing an Online Defrag Manually
Performing a Database Recovery
Creating a Reserve File
Determining How Much Whitespace Is in the DIT
Performing an Offline Defrag to Reclaim Space
Changing the Garbage Collection Interval
Logging the Number of Expired Tombstone Objects
Determining the Size of the Active Directory Database
Searching for Deleted Objects
Undeleting a Single Object
Undeleting a Container Object
Modifying the Tombstone Lifetime for a Domain
Chapter 17. Application Partitions
Introduction
Creating and Deleting an Application Partition
Finding the Application Partitions in a Forest
Adding or Removing a Replica Server for an Application Partition
Finding the Replica Servers for an Application Partition
Finding the Application Partitions Hosted by a Server
Verifying Application Partitions Are Instantiated Correctly on a Server
Setting the Replication Notification Delay for an Application Partition
Setting the Reference Domain for an Application Partition
Delegating Control of Managing an Application Partition
Chapter 18. Active Directory Lightweight Directory Service
Introduction
Installing AD LDS
Creating a New AD LDS Instance
Creating a New Replica of an AD LDS Configuration Set
Stopping and Starting an AD LDS Instance
Changing the Ports Used by an AD LDS Instance
Listing the AD LDS Instances Installed on a Computer
Extending the AD LDS Schema
Managing AD LDS Application Partitions
Managing AD LDS Organizational Units
Managing AD LDS Users
Changing the Password for an AD LDS User
Enabling and Disabling an AD LDS User
Creating AD LDS Groups
Managing AD LDS Group Memberships
Viewing and Modifying AD LDS Object Attributes
Importing Data into an AD LDS Instance
Configuring Intra-Site Replication
Forcing AD LDS Replication
Managing AD LDS Replication Authentication
Managing AD LDS Permissions
Enabling Auditing of AD LDS Access
Chapter 19. Active Directory Federation Services
Introduction
Installing AD FS Prerequisites
Installing the AD FS Federation Service
Configuring an LDAP Attribute Store
Configuring a Microsoft SQL Server Attribute Store
Creating Claim Descriptions
Creating a Relying Party Trust
Configuring a Claims Provider Trust
Configuring an Alternate UPN Suffix
Configuring AD FS 2.x and AD FS 1.x Interoperability
Configuring Logging for AD FS
Chapter 20. Microsoft Exchange Server 2013
Introduction
Exchange Server and Active Directory
Exchange Server 2013 Architecture
Finding Exchange Server Cmdlets
Preparing Active Directory for Exchange
Installing the First Exchange Server 2013 Server in an Organization
Creating Unattended Installation Files for Exchange Server
Installing Exchange Management Tools
Stopping and Starting Exchange Server
Mail-Enabling a User
Mail-Disabling a User
Mailbox-Enabling a User
Deleting a User’s Mailbox
Moving a Mailbox
Viewing Mailbox Sizes and Message Counts
Configuring Mailbox Limits
Creating an Address List
Creating a Database Availability Group
Creating a Mailbox Database
Enabling or Disabling Anti-Malware Scanning
Enabling Message Tracking
Chapter 21. Microsoft Forefront Identity Manager
Introduction
Creating a SQL Server Management Agent
Creating an Active Directory Management Agent
Setting Up a Metaverse Object Deletion Rule
Setting Up a Simple Import Attribute Flow
Setting Up a Simple Export Attribute Flow to Active Directory
Defining an Advanced Import Attribute Flow
Implementing an Advanced Attribute Flow Rules Extension
Setting Up Advanced Export Attribute Flow in Active Directory
Configuring a Run Profile to Do an Initial Load of Data from a SQL Server Management Agent
Loading Initial SQL Server Database Data into FIM 2010 R2 Using a Run Profile
Configuring a Run Profile to Load the Container Structure from Active Directory
Loading the Initial Active Directory Container Structure into FIM 2010 R2 Using a Run Profile
Setting Up a SQL Server Management Agent to Project Objects to the Metaverse
Writing a Rules Extension to Provision User Objects
Creating a Run Profile for Provisioning
Executing the Provisioning Rule
Creating a Run Profile to Export Objects from the AD MA to Active Directory
Exporting Objects to Active Directory Using an Export Run Profile
Creating a Run Profile Script
Creating a Controlling Script
Enabling Directory Synchronization from Active Directory to the HR Database
Configuring a Run Profile to Load the telephoneNumber from Active Directory
Loading telephoneNumber Changes from AD into FIM Using a Delta Import/Delta Sync Run Profile
Exporting telephoneNumber Data to a SQL Server Database
Using a SQL Server MA Export Run Profile to Export the telephoneNumber to a SQL Server Database
Searching Data in the Connector Space
Searching Data in the Metaverse
Deleting Data in the Connector Space and Metaverse
Extending Object Types to Include a New Attribute
Previewing Changes to the FIM Configuration
Committing Changes to Individual Identities Using the Commit Preview Feature
Passing Data Between Rules Extensions Using Transaction Properties
Using a Single Rules Extension to Affect Multiple Attribute Flows
Flowing a Null Value to a Data Source
Importing and Decoding the accountExpires Attribute
Exporting and Encoding the accountExpires Attribute
Index
Special Upgrade Offer