Provides a hands-on explanation, reference, and practical roadmap into distributed directory-based computing with Windows 2000 Server.
David Iseminger is a member of the Windows NT Performance Group at Microsoft Corporation. As a self-taught computer professional, Mr. Iseminger has absorbed countless computer books during his trench-lines education, reading each with an eye toward comparative analysis, a by-product of his double degree in Comparative Literature and English from the University of Washington. David's expertise in operating system performance has been on Windows NT RAS and its remote access competitors, routing, industry-wide and Internet-wide networking protocols, and new Windows NT technology. Part of his ongoing analysis includes market trends in the above areas, and how such trends impact Windows NT.
Windows 2000 Server delivers a hierarchical, extensible, standards-based directory service known as Active Directory. It enables users to store, find, or update data about objects such as users, files, applications or printers in one central location, instead of in multiple directories across the network. Active Directory Services for Microsoft Windows 2000 Technical Reference is the Active Directory bible for the enterprise IT department. It covers the how and the why of this powerful new directory system, and includes hands-on design and deployment information.
Page numbers in italics indicate illustrations.
A
-a parameter, 82
abstract classes, 303
AccessPointDN, 290, 312
access rights Permissions screen, 199, 200
account domains, upgrading from NT, 325
ACEs (access control entries), 149-50
ACLs (access control lists), 149. See also DACLs (discretionary access control lists); SACLs (system access control lists)
Active Directory Connector (ADC), 79, 341-42
Active Directory Domains And Trusts snap-in, 203, 229-32, 229, 266, 268
Active Directory Installation wizard, 193-202, 195, 327
Active Directory Schema snap-in, 203, 232-41, 233
attribute objects, 237-40
class objects, 233-37
loading, 232-33, 233
replicate attributes to Global Catalog, 240-41
Schema Master, 266-67
view object information, 240
Active Directory Sites And Services snap-in, 203, 219-29, 220, 260-61
Active Directory Users And Computers snap-in, 203, 206-19, 207
Add User button, 210
computers, adding, 211-12
Delegation Of Control wizard, 241-46
domain-based FSMO roles, 266, 268-69
Folder Redirection, 389-93
groups, adding, 213-14
managed computers check box, 210
moving objects, 217-19
object selection, 207
OUs adding, 214-15
printers, adding, 215-17
Properties sheet, 390, 391
shared folders, adding, 215-17
shortcut menus, 207
Software Installation and Maintenance, 394-98
user passwords, 209
users adding, 208-10
ADC (Active Directory Connector), 79, 341-42
adding
computers, 211-12
printers, 215-17
shared folders, 215-17
users, 208-10
additional sites, 130-31, 134
Add User button, 210
adminDisplayName, 299, 309
administration, 375-79. See also administrators; management
building blocks, 72-73
centralization, 6-8, 13, 71-72, 379
Change and Configuration Management, 377-79
delegation, 28-29, 73, 241-46
desktops, 261-65
Dfs (distributed file system), 412-24
domains, number required, 136
ease of, 14-15, 25-26, 71-73
IntelliMirror, 30-31, 379-98
multiple forests, 125-27
OUs (organizational units), 140-43, 369
parent/child domain structure, 127-28
remote access, 378
Remote OS Installation, 398-411
self-healing applications, 72
snap-in availability, 203
software, centralized, 379
standardization, 71-72
TCO (total cost of ownership), 376-77
without logging user off, 283-84
administrative boundaries, 45-47
Administrative Tools
Configure Your Server dialog box, 193-94, 194
display name of class used, 299
Distributed File System snap-in, 417-24
installing, 204-5
loading snap-ins, 206
locating, 203
administrators, 4-5
Enterprise Administrators group, 356
local passwords, 200
Schema Administrators group, 356
ADSI (Active Directory Service Interfaces), 15-16, 63, 74-75, 155
schema class creation, 308
Scripting, 351-52
advanced management, 190, 254-70
aliases, 94
APIs (application programming interfaces), 74-75
applications
ADSI, 74-75
APIs, 74-75
assigning vs. publishing, 385-87
automated distribution, 29-31
automatic fixes, 384-87
BDC-dependent, 328
DEAs, 29
directory enabled, 297
installation, 384-87
integration, 74-75
IntelliMirror, 30-31
interface, 14-16
schema, 74, 297
self-healing, 72
Windows Installer, 385
architecture
Global Catalog, 58-64
partitioning, 56-58
replication, 64-68
scalability, 55-70
A records, 106
AS (Authentication Service) Exchange, 159-63, 162
assigning software, 385-86
attribute ID, 309-10
attributes
adding, 235-36
adding to classes, 297-98
attributeSyntax, 289-90
creating, 298
default, 62
indexing, 315
inheritance, 304-5
isSingleValued, 314
multivalued, 314-15
objects, 59, 289
Properties sheet, 238, 239, 241, 241
schema, 61-62, 287-90, 314-16
security, 153-55
Top class, 296
attributeSchema class, 287, 289-96, 308-15
attributeSecurity GUID, 309
attributeSyntax attribute, 289-90, 309-14
auditing, SACL, 150
authentication, 31, 165
cross-link trusts, 45
Exchange Server, 343
Kerberos, 159-70, 162
mutual, 166-67
SSL/TLS, 181
user logons, 157-58
authoritative restore, 253-54, 278
authorization, 159-60
automated software distribution, 29-31
automatic population, 16-17
auxiliaryClass, 299
auxiliary classes, 299, 303-4, 304
B
Backup And Recovery Tools screen, 246-48, 246
backups, 29
Active Directory, 246-53
Dfs, 424
labels, 251
media options, 251
restoring backups, 253-54
scheduling, 251
System State data, 246-53
type selection, 250
upgrading from Windows NT, 326
users, 384
backward compatibility, 29
base directory information tree (DIT), 286, 295-96
base schema, 295-96
BDCs (Backup Domain Controllers)
applications, dependent, 328
mixed mode, 329
resource domain upgrades, 336
rollbacks, 330
RRAS Server, 332
security, 330
upgrading process, 326-28
benefits of Active Directory, 9
binary, reading, 228-29
BIOS, flash upgrade, 406
Boolean, 290, 311
booting
from CD, 187
remote (see Remote OS Installation)
bridgehead servers, 257-61, 258, 259
building blocks, 72-73
C
C programming language, LDAP, 75
cabling, security, 187-88
caching servers, 88
capacity, domain controllers, 146-47
CAs (Certificate Authorities), 173-75, 179-80. See also Microsoft Certificate Server
CaseExactString, 290, 312
CaseIgnoreString, 290, 313
catalogs, 47-52
catalog services, 58. See also Global Catalog
central definition of settings, 378
centralization, 13-14, 77-79
Active Directory Connectors, 79
domain controllers, 77
ease of administration, 71-72
schema, 79
single sign-on, 77, 78
technical specifications, 24-25
Certificate Authorities. See CAs (Certificate Authorities)
certificates. See digital certificates
Certificate Server. See Microsoft Certificate Server
Change and Configuration Management, 377-79
IntelliMirror, 379-98
map of features and benefits, 400
Remote OS Installation, 398-400
Change Mode button, 232
changes, postdeployment. See organizational changes
child domains, 38
classes, 88, 304
abstract, 303
adding attribute objects, 238-40
adding attributes, 235-36
ADSI, 308
assigning LDAP name, 234-35
assigning OIDs, 234-35
attributes, creating, 298
auxiliary, 303-4, 304
creation process, 307-8
deleting, 315-16
inheritance, 304-5
Lost-And-Found, 296
objectClassCategory, 303
parents, 299
schema, 287-88
creating, 297-98
deactivating, 315-16
modifying, 297-98
resurrecting, 316
structural, 303
subclasses, 298
system checks, 305-7
Top, 296
types, 303-4
classSchema objects, 287-89, 291-95, 298, 303-4
Client Installation wizard, 403
ClonePrincipal, 335, 367-68
closed sets, 365-67
Cmd command, 276
cn, 298, 309-10
CNAME (canonical name) RRs, 94
collisions, 66
combination upgrade, 320, 324
command line, 270-84, 271
application menu, 271
clipboard, 272
Colors page, 274-75, 274
command history, 272
customizing, 271-75
Edit Options, 272
fonts, 273
function keys, 276
help, context sensitive, 277
keyboard shortcuts, 275-76
Layout page, 273-74, 273
LDIFDE utility, 282-83, 349-51
management, 190, 270-84
ntdsutil, 277-82
Options page, 272-73, 273
properties sheet, 272-74
runas utility, 283-84
saving settings, 272
screen buffer size, 274
shortcuts, 275-76
syntax, 277
utilities, 277-84
window size, 274
command prompt. See command line
compatibility, backwards, 29
compression, replication, 145
computers
adding to OUs or domains, 211-12
GPOs, 261-65
managed check box, 212
names, 83-85
computing, laws of, 6-9
configuration
namespaces, 287
parameters, 298, 309
Configuration container, 124, 143
connection agreements, 342-44
connections, replication, 145
consistency checks, 305-6
consolidation, 339
containers
access rights, 154-55
Configuration, 124, 143
costs of links, 226
Create New Dfs Root wizard, 418-21, 418-21
Create Or Join Forest screen, 196, 196
Create Time inheritance, 154-55
Create Tree Or Child Domain screen, 195, 196
cross-domain object references, 266
cross-link trusts, 44-45
CS (client/server) Exchange, 159, 161, 166-67, 166
CSPs (cryptographic service providers), 176-77
D
DACLs (discretionary access control lists), 73, 150-52
Database And Log Locations screen, 197, 198
databases, Active Directory. See also zone files
location, 31-36, 197
security, 155
db files. See zone files
DEAs (Directory-Enabled Applications), 29, 297
defaultHidingValue, 300
defaultObjectCategory, 299
defaultSecurityDescriptor, 300
delegation of administration, 73, 143, 241-46
Delegation Of Control wizard, 143, 241-46
DENs (Directory-Enabled Networks), 29-30
deployment, 193-202
description, 300, 309
desktop management, 261-65. See also IntelliMirror; Remote OS Installation
Dfs (distributed file system), 412-24
backups, 424
enabling technologies, 414
File Replication Services, 414
filing structure, 413
implementing, 415-24
limitations, 424
links, 415, 422-23
PKT, 414-15
replica, 415, 423
roots, 416-21, 417
security, 424
snap-in, 417-24
Windows NT 4.0, 414, 416
Windows 2000 Server, 416
DHCP (Dynamic Host Configuration Protocol)
Dynamic DNS, 98
Remote OS Installation, 401, 403, 409
digital certificates, 156, 170-79
authentication, 176-77
CA services, 174-78
certificate services, 174-75
creation, 176, 178
cryptographic service providers, 176-77
expiration, 174
fields, 174
issuance, 176
service operation, 178-79
digital envelopes, 172
digital post office, 172
digital signatures, 172-73
directories
catalog, 52
consolidation, 339
defined, 9-10
distribution, 51-52
non-Active Directory (see migration)
partitions (see partitioning)
replication, 51-52
simple example, 17-18
stores, 31-36, 33-35
Directory-Enabled Applications. See DEAs (Directory-Enabled Applications)
Directory-Enabled Networks. See DENs (Directory-Enabled Networks)
directory information tree. See DIT (directory information tree)
directory services
Administrator Password screen, 200, 200
advanced example, 18-19
applications interface, 14-16
centralization, 13-14
defined, 9-12
DNS, 10-11
enterprise class, 11-17
history, 3-5
multipurpose, 10-12
vs. relational databases, 21
need for, 5
Restore Mode, 200
scalability, 13
security, 14-15
WINS, 10
directory stores, 31-36, 33-35
DirectoryString, 290, 312
DirSync, 340, 348
discretionary access control lists. See DACLs (discretionary access control lists)
Discretionary Control, 142
distinguished names, 60
Distributed File System snap-in, 417-24
distribution, directory, 51-52
distribution list, 347
DIT (directory information tree), 286
attribute listing, 296
base classes, 295-96
DN, 290, 311
DNS (Domain Name Service), 10-11, 81-113
caching, 88-89
components, 87-99
concepts, 84-87
Configure DNS screen, 199, 199
domain controller location, 110-12
domain names, 360-61
domains, 86-87
Dynamic, 98-99
dynamic updates, 103
forwarders, 89-91
FQDN, 84, 86
full zone transfers, 96-97, 97
Global Catalog, 64
illegal characters, 85
incremental zone transfers, 98, 99
installing, 199, 199
integrated, 96, 112-13
iterative queries, 101-3, 102
Microsoft, 112-13
name resolution, 75, 87, 99-100
namespaces, 82-84, 86
New Domain screen, 196, 197
Notify, 98-99
publishing to, 103
recursive queries, 100-101, 101
registered names, 137-39
relative distinguished name, 84, 86
Remote OS Installation, 401
resolvers, 91
reverse name resolution, 87
root, 87
RRs (resource records), 82, 91-96
scalability, 24
secondary servers, 93
servers, 87-91
slaves, 90-91
Unicode characters, 85
Windows 2000, 140
zones, 87-88
DNWithBinary, 290
DNWithOctetString, 291, 312
DNWithString, 291, 314
domain controllers, 31-36, 34-35, 77. See also PDCs (Primary Domain Controllers)
Administrator Password screen, 200, 200
backups, 247
bridgehead servers, 257-59, 258, 259
capacity, 146-47
Configure DNS screen, 199, 199
Create Or Join Forest screen, 196, 196
Create Tree Or Child Domain screen, 195, 196
creating, 193-202
Database And Log Locations screen, 197, 198
Domain Controller Type screen, 194, 194
fault tolerance, 146
FSMO roles, 265-66
Global Catalog, 52, 62, 147-48, 266
KCC, 255-60
KDC, 44, 160-61
locating, 109-12
LSA (Local Security Authority), 155
move to new domain, 334
namespaces, 286-87
NetBIOS Domain Name screen, 197, 197
New Domain screen, 196, 197
partitioning, 56-57, 56
Permissions screen, 199, 200
planning, 146-48
promoting servers to, 32, 193-202
property version numbers, 66
queries, 50
recovery, 65
registration, 103-4
remote, 51
restoring, 253-54
schema, 286-87
security, 153, 205
server type designation, 105
Shared System Volume screen, 198, 198
site links, 147
upgrading from BDCs, 328
user accounts, 146
USNs, 68
Domain Controller Type screen, 194, 194
domain local groups, 121-23
Domain Name Service. See DNS (Domain Name Service)
Domain Naming Master, 69, 265-66, 268
domain partition namespaces, 287
domains, 37-53, 86-87
account, upgrading, 325
Active Directory Domains And Trusts snap-in, 229-32, 229
adding
children, 360
computers, 211-12
effects of, 58
to forests, 357, 362
groups, 213-14
OUs, 214-15
parents, 362
printers, 215-17
shared folders, 215-17
trusts, 230-31
users, 208-10
administrative requirements, 136
administrative rights, 46-47
cataloging, 47-52
changes, organizational, 359-68
child, 38, 360
directory distribution, 51-52
directory partitions, 47-50
DNS, 38-39
forests, 40, 124
General property page, 232, 232
GPOs, 127, 261-65
hierarchy, 38-40
Internet DNS name, 138-39
intranet vs. Internet distinction, 139
management submenu, ntdsutil, 278-79
maps for planning, 130-31, 132-34
merging, 362
MoveTree utility, 364-67
moving, 137, 361
multiple, reasons for, 135
multiple-site, 136, 144
naming, 38, 128, 137-40, 360-61
non-standard characters in names, 140
number of, 135
OUs, 46-47, 140-43
parent/child structure, 128
physical network topology, 130
planning, 119, 127-40
Property sheet, 232, 232
queries, 50
registered DNS names, 137-39
removing, 360
renaming, 362
replication traffic, 136
root, 38, 138-39
security, 152
SIDhistory, 362-64
SMTP links, 136
splitting, 362
stability, 119
structure, 35, 326
switching to native mode, 231-32
TGTs (ticket granting tickets), 135
transitive trust relationships, 230
trees, 39-40, 39, 41, 129, 129, 137
trusts, 40-45, 183-85
upgrading, 321-22, 325-26, 331
Windows 2000 DNS, 140
Windows NT, 137
Domains And Trusts snap-in, 203, 229, 229-32, 266, 268, 330
domainwide FSMO roles, 265
DSA (Directory Service Agent), 155
DsGetDcName(), 110
Dynamic DNS. See DNS (Domain Name Service), Dynamic
dynamic inheritance, 154
dynamic updates, 98, 103-4, 112
E
ease of administration, 14-15, 25-26, 71-73
e-mail distribution lists, 120
encryption
data, 187-88
Kerberos, 168
one-way hash, 163
PKI, 171
RRAS, 187
SSL/TLS, 181-82
engine, 21
Enterprise Administrators group, 124, 130, 356
enterprise class directory services, 11-17
enterprise solutions, 14-17
Entire Directory search, 125
Enumeration, 291, 314
Event Viewer snap-in, 276
Eventvwr command, 276
everyday management, 189-252
Exchange Server, migration from, 21, 340-47
5.5, 341-45
authentication, 343
configuration information, 347
connection agreements, 342-44
custom recipients, 347
deletions, 344
distribution list, 347
e-mail, 346-47
mailboxes, 344, 346
Platinum, 341-42, 345-47
policies, 343
recipient information, 346-47
replication, 342-43, 346
schema, 346-47
Service Pack 1, 341
Sites container, 347
synchronization, 340, 342
Explorer command shortcut, 276
exporting in LDAP format, 349-51
export objects, 282-83
F
failure recovery, 65
fault tolerance
domain controllers, 146
IntelliMirror, 384
root domains, 138
features, 28-31
fiber-optic cabling security, 188
files, ntdsutil submenu, 279
file servers, 412-24
floppy drive security, 186
Folder Redirection
enabling, 389-92
IntelliMirror, 382
forests, 40, 41, 50
add new domains, 357
changes, 356-59
Configuration container, 124
Create Or Join Forest screen, 196, 196
domains, 124
Enterprise Administrators group, 356
merging, 359
MoveTree utility, 364-67
moving
domains, 361
objects, 358
user accounts, 367-68
multiple, 126
number of, 125-27
planning, 119, 124-27
resource sharing, 358
root, upgrading from NT, 325
root domain installation, 359
Schema Administrators group, 356
security principals, 359
transitive trust relationships, 230
upgrade planning, 321
forestwide FSMO roles, 265
forwarders, 89-91, 90
FQDN (fully qualified domain name), 84, 85
FRS (File Replication Services)
Dfs (distributed file system), 414
upgrading from Windows NT, 331-32
FSMO (flexible single-master operation), 68-70
role holders, 68-69
submenu, ntdsutil, 280-81
FSMO roles
categories, 265
domain based, 265-66
locating, 265-66
managing, 265-70
seizing, 270
transferring, 269-70
Full Control, 142
fully qualified domain name. See FQDN (fully qualified domain name)
full zone transfers, 96-97, 97
function of Active Directory, 5
function keys, command line, 276
G
genealogy constraints, 294
GeneralizedTime, 291, 312
Global Catalog, 52, 58-64
ADSI, 63
housing, 62
namespace, 59
naming contexts, 61
objects, 59-60
operation, 62-64
replicate attributes to, 240-41
schema, 61-62
searches, 63-64
servers
domain controllers, 147-48
SRV RRs, 107-8
type designation, 105
universal groups, 122
global groups, 121
governsID, 298-99
GPOs (Group Policy objects), 261-65
boundaries, 127
create new, 395
Folder Redirection, 390-91
software deployment, 394-98
Group Policies, 261-65. See also GPOs (Group Policy objects)
domain trees, 129-30
IntelliMirror, 378, 382
OUs, 143, 371
property page, 263, 395, 395
Software Installation and Maintenance feature, 385
Group Policy snap-in, Folder Redirection, 391-92, 391
groups. See also Group Policies
adding, 213-14
built-in, 123-24
delegating control to, 241-46
domain local, 121-23
e-mail distribution lists, 120
Enterprise Administrators, 124, 130, 356
export objects, 282-83
global, 121, 123
GPOs, 261-65, 390-98
local, 121, 123
maximum number of members, 121
MoveTree utility, 365-67
moving to OUs, 336
naming, 213
native mode, 329
nesting, 121
non-security, 120
planning, 120-24
restructuring, 335-36
Schema Administrators, 124, 356
scope, 213
security, 120
software distribution, 394
stand-alone servers, 206
type selection, 213
universal, 122-23
GUIDs (globally unique identifiers), 105
H
hardware security, physical, 185-88
hierarchical namespaces, 86
history of networks and servers, 3-5
host files, 82
host names, 84
HTTP (Hypertext Transfer Protocol), 72
I
IA5String, 291, 312
lDAPDisplayName, 309-10
images, OS, 410-11
impersonation, 155
importing from LDAP format, 349-51
import objects, 282-83
incremental zone transfers, 98, 99
indexing attributes, 315
information repository, 32
Infrastructure Master, 69, 265-66
inheritance, 73, 304-5
Installation wizard, 193-202, 195, 327, 357
installing
applications, 384-87
DNS, 199, 199
service packs, 384-87
software, 380
updates, 379
Windows 2000 OS, 379, 398-99
Instance-Type attribute, 296
Integer, 291, 311
INTEGER8, 291, 311
IntelliMirror, 30-31, 328, 379-98, 381
assigning vs. publishing, 385-87
benefits of, 378-79
cost/benefits, 388
enabling technologies, 382-83
fault tolerance, 384
Folder Redirection, 382, 389-93
Group Policy, 378, 382
implementing, 388-98
non-Windows 2000 clients, 388
Offline Folders, 383
roaming users, 382
Software Installation and Maintenance, 380, 384-87, 393-98
starting, 381
User Data Management, 380, 383-84, 389-93
User Settings Management, 380, 387-88, 398
Windows Installer, 385
Internet
domains, 139
Protocol, 82
security, 170-81
interoperability, 27-28
Inter-Site Transports folder, 222
intranet domains, 139
IP (Internet Protocol), 82
IP addresses, binary, 228-29
IP subnets, 220-26
isDefunct, 300, 309, 315
isMemberOfPartialReplicaSet, 310
ISO naming registration authority, 301-2
isSingleValued, 309-10, 314
IXFR (incremental zone transfer request), 98
K
KCC (Knowledge Consistency Checker), 226, 256-61
KDC (Key Distribution Center), 44, 159-65, 161
implementation, 168
trusts, 184
Kerberos, 156, 159-70
AS Exchange, 159-63, 162
authenticators, 165
CS Exchange, 159, 161, 166-67, 166
customizing, 169-70
encryption, 168
features, 168-69
implementation, 168
KDCs, 106, 108-9, 159-65
keys, 159-63
realms, 168
standards implemented, 167-68
TGS Exchange, 159, 161, 163-65, 164
TGTs, 161-63
ticket property settings, 169
trusts, 183-85
keyboard shortcuts, command line, 275-76
keys
long-term, 161
Microsoft Certificate Server, 177-78
physical protection, 185
PKI, 171
SSL/TLS, 182
Knowledge Consistency Checker. See KCC (Knowledge Consistency Checker)
L
languages (computer) supported, 28
LAN Manager Replication Service (LMRepl), 331-32
laptops, Remote OS Installation, 406
LDAP (Lightweight Directory Access Protocol), 15-16, 75
domain controllers, 104
lDAPDisplayName, 299
migrating compliant directories, 349-51
SRV RRs, 106-7
standardization, 27, 75-76
LDIF. See LDIFDE utility
LDIFDE utility, 282-83, 349-51
linkID, 309
links, site, 120, 131, 133-34
bridgehead servers, 257-61
configuring, 222-26
cost settings, recommended, 226
domain controllers, 147
parameters, tuning, 372-73
planning, 144
Properties sheet, 224-25
replication, 145-46
schedules, 225
upgrade planning, 321
LMRepl (LAN Manager Replication Service), 331-32
load balancing
Remote OS Installation, 403
secondary servers, 88
load-sharing RRs, 96
local groups, 121, 123
Local Security Authority. See LSA (Local Security Authority)
location of Active Directory Services, 31-36
locator, 109
locator services. See DNS (Domain Name Service)
logons, 157-58
planning, 125
single sign-on, 77, 78
logs, 197-98
long-term key, 161
lookup services, 50
Lost-And-Found class, 296
LSA (Local Security Authority), 155-58
M
mail servers, 94
manageability. See administration, ease of
managed computers check box, 210
Managed PC standard. See PXE (preboot execution environment)
management, 189-284. See also administration
Active Directory Installation wizard, 193-202
advanced, 190, 254-70
change, 376-79
Change and Configuration Management, 377-79
command-line, 190, 270-84
delegating administration, 241-46
Dfs, 423-24
everyday, 189-252
FSMO roles, 265-70
Group Policy, 261-65
MMCs, 190-91
multiple methods for tasks, 193
ntdsutil, 277-82
promoting servers to domain controllers, 193-202
replication strategies, 255-61
services, 219-29, 220
sites, 219-29, 220
snap-ins, 203-41
Windows NT tasks, 192
mAPIID, 309
masters, single, 68-70
mayContain
attributes, 292-93
configuration parameters, 299, 310
systemMayContain, 299
merging forests, 359
Metcalfe, Robert, 7
Metcalfe’s Law, 7
Microsoft, registering OIDs, 302
Microsoft Certificate Server, 173, 175-81
accepting certificate requests, 178
authentication, 176-77
CA status, 179-80
components, 175
creation of digital certificates, 176
CSPs (cryptographic service providers), 176-77
intermediary, 176
issuance, 176
keys, 177-78
policies, 180-81
processing certificate requests, 179-80
server database, 176
server engine, 176
Microsoft Directory Synchronization Service (MSDSS), 340, 348
Microsoft DNS. See DNS (Domain Name Service), Microsoft
Microsoft IntelliMirror. See IntelliMirror
Microsoft Management Consoles. See MMCs (Microsoft Management Consoles)
Microsoft System Management Server (SMS), 377, 388
Microsoft Windows 95/98, 69
Microsoft Windows 2000, 23
directory store, 34
DNS, 140
Microsoft Windows, pre-Windows 2000 naming conventions, 83-84
Microsoft Windows NT
3.1 and 3.5, 319
3.51 SIDs, 364
combination upgrade, 320
compatibility, 29
Dfs (distributed file system), 414, 416
directory store, 31-32, 33
domain controllers, 31-33, 34
domains, 137
PDC Emulator, 69
restructuring, 320-23
structure compared to, 31-36
task, performing with 2000, 192
trust relationships, 43
upgrading from, 319-37
migration, 339-53
ADC (Active Directory Connector), 341-42
ADSI Scripting, 351-52
DirSync, 340, 348
Exchange Server, 340-47
LDAP-compliant directories, 349-51
LDIFDE command-line utility, 349-51
MSDSS, 340
NetWare bindery, 340
Novell NDS tree, 339-40
objects between forests, 358
planning, 339-40
mirroring. See IntelliMirror
mixed mode, 122
advantages, 329-31
upgrading from Windows NT, 327
Mmc command, 276
MMCs (Microsoft Management Consoles), 15, 190-91, 203, 205
command, 276
loading snap-ins, 205-6
snap-ins, 190-91, 203
Domains And Trusts, 229-32, 229
Performance, 276
Schema, 232-41, 233
Sites And Services, 219-29, 220
Users And Computers, 206-19, 207, 241
starting, 205
Moore’s Law, 7-8
MoveTree utility, 364-67
moving objects, 217-19, 365-67
_msdcs subdomains, 104
MSDSS (Microsoft Directory Synchronization Service), 340, 348
multimaster approach, 64
multiple-forest environment, 125
multiple sites replication traffic, 136
Murphy’s Law, 9
mustContain
attributes, 292-93
configuration parameters, 299, 310
systemMustContain, 299
MX (mail exchange) RRs, 94
My Documents property sheets, 392-93, 392-93
N
name resolution
DNS, 75, 87
netBIOS, 75
names, 60
computers, adding, 211
NetBIOS/DNS conflict, 360-61
New Domain screen, 196, 197
underscores, 360-61
namespaces, 58-59, 82-84
configuration, 287
Dfs, 412
DNS (Domain Name Service), 86
domain controllers, 286-87
file servers, 412
flat, 286
hierarchical, 86, 286
pre-Windows 2000, 83-84
schema, 285-87
naming authorities, 301-2
naming contexts, 58, 61
native mode
advantages, 329
BDC-dependent applications, 328
domain local groups, 121-22
Domains And Trusts snap-in, 330
switching, 231-32
back to mixed mode, 331
during upgrading, 329
universal groups, 122-23
NDS (Novell Directory Services), 9, 339-40
NetBIOS, 83
domain controller location, 112
domain names, 360-61
Domain Name screen, 197, 197
name registration, 103
name resolution, 75
Netdom, 335
Netlogon service
dynamic updates, 104
locator, 109
server type designations, 105
NetPC standard. See PXE (preboot execution environment)
net taps, 187-88
NetWare. See Novell
networks
centralization, 4-6, 8
history, 4-5
masks, binary, 228
topology maps, 131, 132-34
traffic, reducing, 66-68
New Domain screen, 196, 197
New Object - Organizational Unit dialog box, 214, 214
New Object - Subnet dialog box, 226, 227, 228-29
New Object - User dialog box, 209, 209
NICs, Remote OS Installation, 404-5
nonauthoritative restore, 253
non-security groups, 120
notebook computers. See laptops, Remote OS Installation
notification, replication, 145
notify set, 98-99
Novell
Directory Services (NDS), 9, 339-40
NetWare bindery migration, 340
NS (name server) RRs, 92-93
ntbackup command, 246
ntds.dit, 32
Ntdsutil, 277-82
authoritative restore, 254, 278
domain management submenu, 278-79
files submenu, 279
FSMO roles submenu, 280-81
IP Deny List submenu, 279-80
ldap policy submenu, 280
main menu, 278
metadata cleanup submenu, 280
q command, 277
roles, 269-70, 280-81
Security Account submenu, 281
semantic database analysis submenu, 281
NTLM protocol, 156
NTSecurityDescriptor, 291, 296, 300, 309-10
NumericString, 291, 313
O
Object-Category attribute, 296
objectClass, 296, 300, 309-10
objectClassCategory, 299, 303
objects, 58-60
attributes, 289
attribute security, 153-55
container security, 154-55
DACLs, 150-52
inheritance security, 154-55
MoveTree utility, 365-67
moving, 365-67
between containers, 217-19
between forests, 358
orphaned, 296
schema, 61-62
schema control of, 287-88
security, 149-50, 153-55
syntax, 289-90, 311-14
ObjectSecurityDescriptor, 291, 311
OctetString, 290-91, 311
Offline Folders, IntelliMirror, 383
OID (object identifier), 291, 313
assigning to objects, 234-35
attribute ID, 309-10
base, 302
governsID, 298-99
interpreting, 301
naming authorities, 301-2
obtaining, 302
OIDGEN utility, 301-2
registering with Microsoft, 302
schema class objects, 300-302
OIDGEN utility, 301-2
oMObjectClass, 309
oMSyntax, 309-14
one-way hash, 163
one-way trusts, 43-44
organizational changes, 355-73
adding domains to forests, 357
adding trees to forests, 357-58
ClonePrincipal, 367-68
domains, 359-68
forests, 356-59
MoveTree, 364-67
OUs, 368-71
sites, 372-73
organizational units. See OUs (organizational units)
originating writes, 66
ORName, 291, 312
orphaned objects, 296
OUs (organizational units), 46-47, 117-19
adding
computers, 211-12
groups, 213-14
printers, 215-17
shared folders, 215-17
users, 208-10
administration, 369-71, 370
changes, organizational, 368-71
control options, 142
creating, 214-15, 369
export objects, 282-83
GPOs, 261-65
Group Policies, 143, 371
MoveTree utility, 364-67
nested, 141
permissions, 371
planning, 140-43
from resource domains, 336-37
security, 369-70
upgrade planning, 321
P
partitioning, 47-50, 49
architecture, 56-58
copies writable, 64
domain partition namespaces, 287
maximum number of objects, 56
scalability, 56-58
Partition Knowledge Table (PKT), 414-15
passwords, 155
administrator account, local, 200
Restore Mode Administrator Password screen, 200, 200
storage, 155
users, 209
PC98 standard. See PXE (preboot execution environment)
PDC Emulator, 69, 265-66
PDCs (Primary Domain Controllers). See also domain controllers
server type designation, 105
SRV RRs, 107
upgrading from Windows NT, 326-28
Perfmon command, 276
Performance snap-in, 276
permissions
ACEs, 150
Delegation Of Control wizard, 245
OUs (organizational units), 371
schema extension, 307
SIDhistory, 362-64
SIDs, 150
Permissions screen, access rights, 199, 200
physical network topology planning, 119-20
PKI (Public Key Infrastructure), 156, 170-81
CAs (Certificate Authorities), 173-75
certificate services, 174-75, 178-79
digital certificates, 173-74
digital envelopes, 172
digital post office, 172
digital signatures, 172-73
elements of, 170
encryption, 171
Microsoft Certificate Server, 173, 175-78
policies, 180-81
Smart Cards, 181
X.509 standard, 174
PKT (Partition Knowledge Table), 414-15
planning
business hierarchies, 129-30
Configuration container, 143
deployment, 117-48
domain controllers, 146-48
domains, 118-19, 127-40
forests, 118-19, 124-27
groups, 120-24
logons, 125
maintenance costs, 118
migration, 339-40
naming domains, 137-40
number of domains, 135
OUs (organizational units), 117-19, 140-43
physical network topology, 119-20
replication management, 136, 145-46
schema class object creation, 300-308
site links, 144
policies. See also Group Policies
certificates, 170
Change and Configuration Management, 377
Exchange Server replication, 343
Microsoft Certificate Server, 180
polling
bridgehead servers, 257-59, 258, 259
replication, 145
possSuperiors, 299
postdeployment changes. See organizational changes
pre-authentication data, 161
preboot execution environment (PXE), 399, 402-6
PresentationAddress, 291, 312
primary campus, 130-31
Primary Connection Agreements, 342
primary servers, 88, 98
PrintableString, 291, 312
printers
adding, 215-17
searches, 31
pristine forest, 333, 335
profiles, roaming users. See roaming
programs, automated distribution, 29-31
propagation dampening, 68
property sheets, 390, 391, 392-93, 392-93
property version numbers, 66
PTR (pointer) RRs, 93
Public Key Infrastructure. See PKI (Public Key Infrastructure)
published software, 386
PXE (preboot execution environment), 399, 402-6
Q
queries, 100-103
security, 155
user, 52
R
rangeLower, 309-10
rangeUpper, 309-10
rDNAttID, 299
ready-to-use feature, 16-17
recovery, domain controller, 65
redirected folders. See Folder Redirection
reducing network traffic, 66-68
relational databases vs. directory services, 21
relationships. See trust relationships
relative distinguished names, 60, 84, 86
remote access, 378
Remote Installation Services (RIS), 401-3, 406
Remote OS Installation, 328, 381, 398-411
benefits of, 378-79
BIOS flash upgrade, 406
client configuration, 403-4
Client Installation wizard, 403
creating images, 410-11
drive, erases during install, 399
enabling technologies, 400-402
establishing network connection, 399
image storage, 410
implementing, 402-11
installing Windows 2000 Professional, 398-99
laptops, 406
NICs, 404-5
options during setup, 404
Preparation wizard, 411
RIS boot floppy, 406
Setup wizard, 407-10
speed of transfer, 403
System Preparation tool, 411
troubleshooting, 404
repairing damaged computers, 399
ReplicaLink, 291, 314
replication, 51-52
bridgehead servers, 257-61, 258, 259
collisions, 66
costs, 226
Dfs, 415, 423
Exchange Server, 342-43
failure recovery, 65
frequency, specifying, 224
Global Catalog server, 147-48
intersite, 145, 256, 256
intrasite, 145, 256, 256
KCC, 256-57
looping, 68
managing, 145-46
multimaster approach, 64
originating writes, 66
planning, 136
propagation dampening, 68
property version numbers, 66
reducing network traffic, 66-68
scalability, 64-68
scheduling, 225
strategies, managing, 255-61
timing, 145
topologies, 66, 255-57
transport mechanisms, 145
USN, 65, 68
volatility, 65
resolvers, 91
resource domains
restructuring, 336-37
upgrading from Windows NT, 325, 328-29
resource records. See RRs (resource records)
Restore Mode, 200
restoring Active Directory backups, 253-54
restructuring, 320-23, 333-37
ClonePrincipal, 335
domain controllers, 334
groups, 335-36
moving users and resources, 334
Netdom, 335
pristine forest, 333, 335
resource domains, 336-37
security principals, 334
SIDhistory, 334-35
steps in, 335
trust relationships, 335-36
users, 335
reverse address resolution, 93-94
reverse name resolution, 87
RID (Relative ID) Master, 70, 265-66
RIS (Remote Installation Services), 401-3, 406
boot floppy, 406
image storage, 408
server implementation, 407-10
unknown client option, 408
roaming, 30-31, 378, 382-84, 387-88, 398
rollbacks, 326, 330
root domains, 38, 87, 138-39
Dfs, 416-21, 417
upgrading from Windows NT, 325
RRAS (Routing and Remote Access Service), 187
Permissions screen, 199, 200
servers, 332
upgrading from Windows NT, 332
RRs (resource records), 82, 91-96
types of, 91-92
zone files, 96-99
runas utility, 283-84
Run command shortcut, 276
S
SACLs (system access control lists), 150
safety checks, 306-7
scalability, 13-14, 50, 55-70
FSMO, 68-70
Global Catalog, 58-64
masters, single, 68-70
namespace, 59
objects, 59-60
partitioning, 56-58
replication, 64-68
schema, 58, 61-62, 285-317
5-minute delay, 316
Active Directory Schema snap-in, 232-41, 233
adding class objects, 233-37
ADSI, 308
applications, 74, 297
attribute objects, 291-95
attributes, 287-90
adding objects, 238-40
creating, 298, 307, 314-15
deactivating, 315-16
isSingleValued, 314
resurrecting, 316
base, 295-96
cache, 316-17
centralization with, 79
classes, 287-89
creation, 297-98, 300-308
deactivating, 315-16
inheritance, 304-5
modification, 297-98, 307-8
objects, 288-89, 291-95, 300-308
OIDs, 300-302
permissions, 307
process, 307-8
resurrecting, 316
system checks, 305-7
types, 303-4
configuration parameters, 298, 309
control of objects, 287-88
creating attribute objects, 237
defined, 285
domain controllers, 286-87
Exchange Server, 346-47
extending, 285, 297-317
genealogy constraints, 288-89, 294
Lost-And-Found class, 296
mandatory class attributes, 288
Master, 70
Master FSMO role, 265-67, 307
mayContain attributes, 288-89
mustContain attributes, 288-89
namespaces, 285-87
objectClassCategory, 303
object interactions, 291-95
OIDs, 300-302
optional class attributes, 288
snap-ins, 308
subclasses, 298
superclasses, 288
syntax objects, 290-91, 294
templates, 285
Top class, 296
unlocking, 307
view class object information, 240
warning, 233
Schema Administrators group, 124, 356
schemaIDGUID, 309-10
Schema Master, 70, 265-67
Schema snap-in. See Active Directory Schema snap-in
scope, groups, 213
scripts, 351-52
searches of Global Catalog, 63-64
searchFlags, 309-10
secondary servers, 88, 89, 93
secondary sites, 130-31, 133
security, 14-15, 26-27, 73-74, 149-88
access priorities, 153
access tokens, 151
ACEs, 149-50
administration delegation, 28-29
AS Exchange, 159-63
attributes, 153-55
authentication, 157-58
authorization, 159-60
backwards compatibility, 156
BDCs, 330
cabling, 187-88
Create Time inheritance, 154-55
CS Exchange, 159, 161, 166-67
DACLs, 73, 150-53
database, 155
defaultSecurityDescriptor, 299
delegation, 73
denying access, 153
descriptors, 149-50
Dfs, 424
Digital Certificates, 156
domain controllers, 153
domain trusts, 183-85, 184
dynamic inheritance, 154
fiber-optic cable, 188
fine-grained permissions, 152
floppy drives, 186
groups, 120
identifiers (see SIDs (security identifiers))
information implementation, 151-52
infrastructure, 156-83
inheritance, 73, 154-55
Internet, 170-81
KDC (Key Distribution Center), 159-65
Kerberos, 156, 159-70
logons, 157-58
LSA (Local Security Authority), 155, 157-58
Microsoft Certificate Server, 173-81
MoveTree utility, 364-67
multiple domains, 135
ntdsutil submenu, 281
NTLM, 156
nTSecurityDescriptor, 300
objects, 149-50, 153-55
OUs (organizational units), 140
passwords, 155
physical, 185-88
PKI deployment, 156, 170-81
Pre-authentication data, 161
primitives, 149-51
principals, 150, 334
cloning, 367-68
moving between forests, 359
SIDhistory, 362-64
private key protection, 185
protocols, 151-52
RRAS, 187, 332
SACL, 150
SAM, 152
SIDs (security identifiers), 149-51
single sign-on, 77, 78
SSL/TLS, 156, 181-83
static inheritance, 154
taps, net, 187-88
TGS Exchange, 159, 161, 163-65
TGTs, 161-63
time stamps, 163
tokens, 150-51
trusts, 183-85, 184
upgrading from Windows NT, 328
Winlogon, 157
self-healing applications, 72
servers
caching, 88
Dfs Root, 420
DNS, 87-91, 113
file, 412-24
forwarders, 89-91
history, 4-5
mail, 94
physical security, 186-87
primary, 88
RIS, 401-10
RRAS, 332
secondary, 88, 89
SRV (service) RRs, 95
type designations, 105
service packs, 384-87
services, directory. See directory services
settings, user, 387-88
Settings property page, 392, 393
Shared System Volume screen, 198, 198
shares
creating, 389
folders, adding, 215-17
shortcut keys, command line, 275-76
Sid, 291, 314
SIDhistory, 362-64
ClonePrincipal, 367-68
restructuring, 334-35
SIDs (security identifiers), 69-70, 149-51
security tokens, 150-51
Sid, 291, 314
SIDhistory, 362-64
single sign-on, 77, 78
site plan, 119-20, 144
sites
changes, 372-73
configuring links, 222-26
creation, 220-26
GPOs, 261-65
Inter-Site Transports folder, 222
links (see links, site)
New Object - Subnet dialog box, 226, 227, 228-29
subnets, assigning, 226-27
Sites And Services snap-in, 203, 219-29, 220, 260-61
slaves, 90
Smart Cards, 170, 181
SMS (Microsoft System Management Server), 377, 388
SMTP links, 136
snap-ins, 190-91, 203
Active Directory Connector Management, 341-42
Active Directory Domains And Trusts, 203, 229-32, 229
Active Directory Schema, 203, 232-41, 233, 308
Active Directory Sites And Services, 203, 219-29, 220
Active Directory Users And Computers, 203, 206-19, 207, 241
Folder Redirection, 389-93
Software Installation and Maintenance, 394-98
Administrative Tools, 203
availability to administrators, 203
Distributed file system, 417-24
Event Viewer, 276
Exchange Server Platinum, 347
Group Policy Editor, 391-92
loading to MMC, 205-6
Performance, 276
Right-click, 191
shortcut menus, 191, 191
SOA (start of authority) RRs, 92-93, 98, 99
software
assigning vs. publishing, 385-87
automated distribution, 29-31
central administration, 379
distribution point, 393-94
Installation and Maintenance feature, 384-87, 393-98
Installation sheet, 397, 397
specifications, technical, 24-28
SRV (service) RRs, 95, 103-9
SSL Exchange Server authentication, 343
SSL/TLS (Secure Sockets Layer/Transport Layer Security), 156, 174, 181-83
Stand-alone servers group management, 206
standardization, 72, 75-76
standards supported, 27-28
Start menu shortcut key, 276
static inheritance, 154
structural classes, 303
subclasses, creating, 298
subClassOf, 299
subdomains, 87, 104
subnet masks, 228
subnets
assigning to sites, 226-27
binary addresses, 228
IP addresses, 228
New Object - Subnet dialog box, 226, 227, 228-29
superclasses, 288
synchronization. See also replication
Exchange Server, 340, 342
user files, 383-84
syntax
attributeSyntax, 309-14
naming conventions, 289-90
objects, 290-91, 294
system access control lists (SACLs), 150
systemAuxiliaryClass, 299
system checks, 305-7
systemFlags, 309
System Information snap-in, 276
System Management Server (SMS), 377, 388
systemMayContain, 299
systemMustContain, 299
systemOnly, 300, 309
systemPossSuperiors, 299
System Preparation tool, 411
System State data
backups, 246-53
components, 247
System Tools Backup, 246
T
taps, net, 187-88
target customers for Active Directory, 5-6
Target property page, 392, 392
Task Manager command shortcut, 276
Task Manager shortcut key, 276
tasks, delegating control of, 241-46
TCO (total cost of ownership), 376-77
technical specifications, 24-28
centralization, 24-25
ease of administration, 25-26
interoperability, 27-28
security, 26-27
standards supported, 27-28
templates
abstract classes, 303
classSchema objects, 288
schema, 285
TGS (Ticket Granting Service) Exchange, 159, 161, 163-65, 164
TGT (ticket granting ticket), 135, 161-63, 184
Time to Live. See TTL (Time to Live)
Top class, 296
topology, network, 66
total cost of ownership (TCO), 376-77
transitive trusts, 40, 42-43
transport, 222
trees, 39-40, 39
adding to forests, 357-58
MoveTree utility, 364-67
registered DNS names, 137
removing, 360
structure for upgrades, 326
troubleshooting Remote OS Installation, 404
trust relationships, 40-45
Active Directory Domains And Trusts snap-in, 229-32, 229
adding, 230-31, 230
creation, 42
cross-link trusts, 44-45
explicit, 358
number per domain, 41
one-way trusts, 43-44
restructuring, 335-36
transitive trusts, 40, 42-43
two-way trusts, 43
upgrades from Windows NT, 324
TTL (Time to Live), 89
U
UDP (User Datagram Protocol), 168
underscores, 360-61
Unicode characters, 85
universal groups, 122-23
unscalables, 117
UPDATE messages, 98
Update Sequence Numbers (USNs), 51, 65, 68
updating. See replication
upgrading from Microsoft Windows NT, 319-37. See also migration
account domains, 325
Active Directory Installation wizard, 327
backups, 326
BDCs, 326-28
desktop OSs, 324
domain order, 325
domain structure, 325-26
first services domain to do, 325
forest root, 325
FRS (File Replication Service), 331-32
LMRepl, 331-32
mixed mode, 327, 329-31
native mode, switching to, 329
options, 320-23
PDCs, 326-28
process for, 324-30
production environment, 322-23
resource domains, 325
restructuring, 320-23, 333-37
vs. restructuring, 321-23
rollbacks, 326, 330
RRAS, 332
servers, 324
UPNs (user principal names), 125
user accounts
domain controllers, 146
export objects, 282-83
MoveTree utility, 364-67
moving between forests, 367-68
SID history, 362-64
upgrades from Windows NT, 324
User class, subclasses from, 298
User Datagram Protocol (UDP), 168
User Data Management, 380, 383-84, 389-93
user principal names (UPNs), 125
users
access tokens, 151
adding, 208-10
backups, 384
delegating control to, 241-46
GPOs, 261-65
local information, 387
passwords, 209
restructuring, 335
roaming, 30-31, 378, 382-84, 387-88, 398
Settings Management, 380, 387-88
temporary information, 387
vital information, 387
Users And Computers snap-in. See Active Directory Users And Computers snap-in
User Settings Management, 380, 387-88, 398
USNs (Update Sequence Numbers), 51, 65, 68
UTCTime, 291, 313
utilities, command line, 277-84
V
VBScript, 351-52
VERITAS Software Corporation, 29
volatility, 65
volumes, Shared System Volume screen, 198, 198
W
Web browsers, managing ADS from, 72
web sites
DirSync, 348
MSDSS, 340
Windows 95/98. See Microsoft Windows 95/98
Windows 2000. See Microsoft Windows 2000
Windows Explorer command shortcut, 276
Windows Installer, 385
Windows logo key commands, 276
Windows NT. See Microsoft Windows NT
Windows 2000 Resource Kit
ClonePrincipal, 367-68
MoveTree utility, 364
Winlogon, 157
Winmsd command, 276
WINS-R (WINS reverse) RRs, 95
WINS (Windows Internet Naming Service), 81, 83
name registration, 103
RRs, 94
servers, 75
Winver command, 276
workstations, installing, 398-406
writes, originating, 66
WSH (Windows Scripting Host) schema class creation, 308
X
X.25, 8
X.500 standard, 76
X.509 standard, 174
Z
ZAW (Zero Administration for Windows), 377
Zero Administration for Windows. See ZAW (Zero Administration for Windows)
zone files, 87-88, 96-99
RRs (resource records), 91
transfers, 96-98
Active Directory emulates the Windows 2000 domain model, or vice versa, if you'd like to look at it that way. Either way, Windows 2000 domains and Active Directory are dependent on one another and even defined by each other's characteristics. The close and indivisible relationship between Windows 2000 domains and Active Directory services requires an explanation of the Windows 2000 domain model and how it interacts with Active Directory services. Therefore, this chapter begins with an explanation of the Windows 2000 domain model and examines why that model is so different from the Windows NT domain model.
Windows 2000 Domains
Windows NT 4 domain models didn't scale well. There are other ways of stating this fact that would sugarcoat the truth, but the simple fact of the matter is that the Windows NT 4 domain model, with its one-way nontransitive trusts, required lots of administrative overhead in large-enterprise implementations. This is no longer the case with Windows 2000 and its domain model, largely because of the new approach to trusts, but also because the entire domain concept has been revamped to align with industry standards such as Lightweight Directory Access Protocol (LDAP) and Domain Name System (DNS).
The Domain Hierarchy
In Windows 2000 networks, domains are organized in a hierarchy. With this new hierarchical approach to domains, the concepts of forests and trees were created. These new concepts, along with the existing concept of domains, help organizations more effectively manage the Windows 2000 network structure.
Domains
The atomic unit of the Windows 2000 domain model hasn't changed; it is still the domain. A domain is an administrative boundary, and in Windows 2000, a domain represents a namespace (which is discussed in Chapter 4) that corresponds to a DNS domain. See Chapter 6, "Active Directory Services and DNS," for more information about how Active Directory Services and DNS interact.
The first domain created in a Windows 2000 deployment is called the root domain, and as its name suggests, it is the root of all other domains that are created in the domain tree. (Domain trees are explained in the next section.) Since Windows 2000 domain structures are married to DNS domain hierarchies, the structure of Windows 2000 domains is similar to the familiar structure of DNS domain hierarchies. Root domains are domains such as microsoft.com or iseminger.com; they are the roots of their DNS hierarchies and the roots of the Windows 2000 domain structure.
Domains subsequently created in a given Windows 2000 domain hierarchy become child domains of the root domain. For example, if msdn is a child domain of microsoft.com, the msdn domain becomes msdn.microsoft.com.
As you can see, Windows 2000 requires that domains be either a root domain or a child domain in a domain hierarchy. Windows 2000 also requires that domain names be unique within a given parent domain; for example, you cannot have two domains called msdn that are direct child domains of the root domain microsoft.com. However, you can have two domains called msdn in the overall domain hierarchy. For example, you could have msdn.microsoft.com as well as msdn.devprods.microsoft.com; the microsoft.com namespace has only one child domain called msdn, and the devprods.microsoft.com namespace also has only one child domain called msdn.
The idea behind domains is one of logical partitioning. Most organizations large enough to require more than one Windows 2000 domain have a logical structure that divides responsibilities or work focus. By dividing an organization into multiple units (sometimes called divisions in corporate America), the management of the organization is made easier. In effect, the organization is being partitioned to provide a more logical structure and perhaps to divide work among different sections of the organization. To look at this another way, when logical business units (divisions) are gathered collectively under the umbrella of one larger entity (perhaps a corporation), these logically different divisions create a larger entity. Although work within the different divisions might be separate and very different, the divisions collectively form a larger but logically complete entity. This concept also applies to the collection of Windows 2000 domains into one larger, contiguous namespace entity known as a tree.
Trees
Trees-sometimes called domain trees-are collections of Windows 2000 domains that form a contiguous namespace. A domain tree is formed as soon as a child domain is created and associated with a given root domain. For a technical definition, a tree is a contiguous DNS naming hierarchy; for a conceptual figure, a domain tree looks like an inverted tree (with the root domain at the top), with the branches (child domains) sprouting out below.
The creation of a domain tree enables organizations to create a logical structure of domains within their organization and to have that structure comply with and mirror the DNS namespace. For example, David Iseminger and Company could have a DNS domain called micromingers.iseminger.com and could have various logical divisions within the company, such as sales, accounting, manufacturing, and so on. In such a situation, the domain tree might look like the domain tree in Figure 3-1.
This organization of logical divisions within the company works great for companies that have one DNS domain, but the issue of companies that might have more than one "company" in their larger enterprise must be addressed. That issue is addressed through the use of Windows 2000 forests.
Forests
Some organizations might have multiple root domains, such as iseminger.com and microsoft.com, yet the organization itself is a single entity (such as the fictional David Iseminger and Company in this example). In such cases, these multiple domain trees can form a noncontiguous namespace called a forest. A forest is one or more contiguous domain tree hierarchies that form a given enterprise. Logically, this also means that an organization that has only a single domain in its domain tree is also considered a forest. This distinction becomes more important later in this chapter when we discuss the way that Active Directory interacts with Windows 2000 domains and forests.
The forest model enables organizations that don't form a contiguous namespace to maintain organization-wide continuity in their aggregated domain structure. For example, if David Iseminger and Company (iseminger.com) were able to scrape together enough pennies to purchase another company called Microsoft that had its own directory structure, the domain structures of the two entities could be combined into a forest. There are three main advantages of having a single forest. First, trust relationships are more easily managed (enabling users in one domain tree to gain access to resources in the other tree). Second, the Global Catalog incorporates object information for the entire forest, which makes searches of the entire enterprise possible. Third, the Active Directory schema applies to the entire forest. (See Chapter 10 for technical information about the schema.) Figure 3-2 illustrates the combining of the iseminger.com and Microsoft domain structures, with a line between their root domains indicating the Kerberos trust that exists between them and establishes the forest. (The Kerberos protocol is explained in detail in Chapter 8.)
Although a forest can comprise multiple domain trees, it represents one enterprise. The creation of the forest enables all member domains to share information (through the availability of the Global Catalog). You might be wondering how domain trees within a forest establish relationships that enable the entire enterprise (represented by the forest) to function as a unit. Good question; the answer is best provided by an explanation of trust relationships.
Trust Relationships
Perhaps the most important difference between Windows NT 4 domains and Windows 2000 domains is the application and configuration of trust relationships between domains in the same organization. Rather than establishing a mesh of one-way trusts (as in Windows NT 4), Windows 2000 implements transitive trusts that flow up and down the (new) domain tree structure. This model simplifies Windows network administration, as I will demonstrate by providing a numerical example. The following two equations (bear with me; the equations are more for illustration than pain-inducing memorization) exemplify the management overhead introduced with each approach; the equations represent the number of trust relationships required by each domain trust approach, where n represents the number of domains...
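The naming rules in the Domains section (a child's parent is implied by its DNS name; names must be unique only under a given parent), the tree and forest definitions, and the transitive trust model described here can be checked against a small model. The following is an added example, not code from the book: the domain names are the chapter's own (iseminger.com, microsoft.com and their children), while the Forest class, the way it records one trust link per parent-child pair and one per additional tree root, and the n(n-1) count used for a complete mesh of NT 4 one-way trusts are this example's assumptions (the chapter's own equations are cut off on this page). The trust_path function shows the security-relevant consequence of transitivity: a domain in one tree can be reached from any domain in the other tree by following the parent-child and tree-root links, so a separate domain does not isolate a division from the rest of the forest.

```python
# Added example (not from the book): a model of the Windows 2000 domain
# hierarchy rules stated in this chapter. Domain names are the chapter's own
# examples; the Forest class, its trust-link bookkeeping and the NT 4 trust
# count formula are this example's assumptions, not the book's equations.
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Set


def parent_of(domain: str) -> Optional[str]:
    """DNS parent of a name ('msdn.microsoft.com' -> 'microsoft.com'); None for a single label."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


class Forest:
    """One or more domain trees joined by a transitive trust between their root domains."""

    def __init__(self) -> None:
        self.domains: Set[str] = set()
        self.roots: List[str] = []                 # one root domain per tree; roots[0] is the forest root
        self.trusts: Set[FrozenSet[str]] = set()   # two-way transitive trusts, as unordered pairs

    def add_root(self, name: str) -> None:
        """Start a new tree. A later tree is joined to the forest by a trust with the forest root."""
        name = name.lower()
        if name in self.domains:
            raise ValueError(f"{name} already exists")
        if self.roots:
            self.trusts.add(frozenset({self.roots[0], name}))
        self.roots.append(name)
        self.domains.add(name)

    def add_child(self, name: str) -> None:
        """Create a child domain; its parent is implied by the DNS name and must already exist.
        Names need only be unique under a given parent, so msdn.microsoft.com and
        msdn.devprods.microsoft.com can coexist."""
        name = name.lower()
        parent = parent_of(name)
        if parent not in self.domains:
            raise ValueError(f"parent {parent!r} of {name} is not in this forest")
        if name in self.domains:
            raise ValueError(f"{parent} already has a child domain named {name}")
        self.domains.add(name)
        self.trusts.add(frozenset({parent, name}))

    def tree_root(self, name: str) -> str:
        """Walk up the contiguous DNS namespace to the root domain of the tree containing name."""
        current: Optional[str] = name.lower()
        if current not in self.domains:
            raise KeyError(name)
        while current is not None and current not in self.roots:
            current = parent_of(current)
        if current is None:
            raise KeyError(name)
        return current

    def same_tree(self, a: str, b: str) -> bool:
        """True when both domains share one contiguous namespace (the same tree)."""
        return self.tree_root(a) == self.tree_root(b)

    def trust_path(self, a: str, b: str) -> List[str]:
        """Domains a trust referral crosses from a to b, following explicit links only (BFS).
        Because every link is transitive, any two domains in the forest are connected."""
        a, b = a.lower(), b.lower()
        if a not in self.domains or b not in self.domains:
            raise KeyError("both domains must be in the forest")
        neighbours: Dict[str, Set[str]] = {d: set() for d in self.domains}
        for link in self.trusts:
            x, y = tuple(link)
            neighbours[x].add(y)
            neighbours[y].add(x)
        prev: Dict[str, Optional[str]] = {a: None}
        queue = deque([a])
        while queue:
            cur = queue.popleft()
            if cur == b:
                break
            for nxt in sorted(neighbours[cur]):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        path: List[str] = []
        node: Optional[str] = b
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]

    def explicit_trust_count(self) -> int:
        """Trusts an administrator actually maintains: one per parent-child link, one per extra tree."""
        return len(self.trusts)


def nt4_complete_trust_count(n: int) -> int:
    """One-way, nontransitive trusts for n Windows NT 4 domains to all trust one another (assumed formula)."""
    return n * (n - 1)


def build_example_forest() -> Forest:
    """The chapter's scenario: the iseminger.com tree joined with an acquired microsoft.com tree."""
    forest = Forest()
    forest.add_root("iseminger.com")
    forest.add_child("micromingers.iseminger.com")
    forest.add_child("sales.micromingers.iseminger.com")
    forest.add_root("microsoft.com")
    forest.add_child("msdn.microsoft.com")
    forest.add_child("devprods.microsoft.com")
    forest.add_child("msdn.devprods.microsoft.com")   # a second "msdn", legal under a different parent
    return forest


if __name__ == "__main__":
    f = build_example_forest()
    print(f.trust_path("sales.micromingers.iseminger.com", "msdn.devprods.microsoft.com"))
    print(f.explicit_trust_count(), "explicit trusts vs.",
          nt4_complete_trust_count(len(f.domains)), "one-way trusts under NT 4")
```

Running the block prints the five-hop referral chain from sales.micromingers.iseminger.com up to iseminger.com, across the tree-root trust to microsoft.com and down to msdn.devprods.microsoft.com, and compares the six explicit trusts the seven-domain forest needs with the 42 one-way trusts a complete NT 4 mesh of the same size would require.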
© 1997-2009 Barnesandnoble.com llc
