Inside Active Directory: A System Administrator's Guide - Softcover

About the Author

Sakari Kouti, M.S. (Tech), is a senior trainer and consultant for Sovelto, the leading training company in Finland. He started working with networks in 1986 and his articles have appeared in Windows NT Magazine (now Windows and .NET Magazine). Sakari was one of the first MCSEs in the world back in 1994.

Mika Seitsonen is a senior trainer at Sovelto. His network experience spans more than ten years, and he was one of the first MCSE: Security on Microsoft Windows Server 2003 certified persons in the world. Mika was awarded MVP—Directory Services in 2004 and holds an M.S. (Tech) from University of Nottingham (U.K.) and Lappeenranta University of Technology (Finland).

Excerpt. © Reprinted by permission. All rights reserved.

During the seven years that Windows NT was sold before Active Directory shipped as part of Windows 2000 (and consequently, as part of Windows Server 2003), administrators didn’t need to learn practically anything new, at least about the core operating system features. User and group management, domains and domain models, and resource management had been the same in all Windows NT versions.

With the introduction of Active Directory, that all changed. There is a huge difference in managing Windows networks over the old NT administration model. Therefore, Active Directory will require quite a lot of study on the part of NT professionals.

Despite some administrative wizards in the user interface and the new Microsoft Management Console (MMC) administration interface, implementing and administering Active Directory requires probably more learning, testing, piloting, and planning than Windows NT required.

About This Book

This book is an implementer’s and administrator’s guide to Active Directory. Throughout the book, you will learn the workings, architecture, administration, and planning of Active Directory. Depending on your needs, however, you don’t have to read this book from cover to cover, as we describe later in this preface.

The first version of Active Directory was included in Windows 2000 (AD2000, as we call it), and the second version is included in Windows Server 2003 (AD2003, as we call it). The first edition of this book covered AD2000, and this second edition covers primarily AD2003, but secondarily also AD2000.

The following list evaluates the appropriateness of this book for a number of potential audiences.

• A current NT professional. You are the target audience for this book. However, you may want to browse relatively quickly through any introductory pages that we have in the beginning of many chapters.
• A current NetWare or UNIX professional. Prior knowledge of Windows NT is not required to successfully learn from this book. Your earlier networking skills will most likely enable you to pick up each topic quite readily. However, you probably shouldn’t skip any introductory topics.
• A network operating systems novice. Because we tend to start each chapter with the very basics, at least in theory you can use this book to effectively learn Active Directory. Obviously, you need to invest more time reading than an experienced IT professional. You should also have a test PC that you can use to try out the different tasks and experiments that the book describes.
• A current Windows 2000/Windows Server 2003 professional. Even if you are already familiar with Active Directory, we trust that you will learn more than a few things from this book.
• A developer. This book is an administrator’s guide and not a programmer’s guide. However, the book contains more architectural topics than the average book for an administrator, so you may find this book valuable to you in addition to a programmer’s guide.

For all target audiences, it is possible that you are not interested in all the advanced topics in this book, so you are free to skip any of them.

We believe that this book has the following strengths.

• We present well-thought-out diagrams that help you easily comprehend the various key concepts and other topics related to Active Directory.
• At worst, a book just shows screen shots and shortly explains what is already evident from the user interface or the online Help. In contrast, this book contains thorough and accurate information on the topics it covers.
• We claim that this book contains very few errors.
• Even though this book is not a reference guide, we present many extensive reference tables.
• If you install Active Directory on a test PC, you can try out most of the tasks and experiments described in this book, whether they are written to be walkthroughs or not.

We have divided the book into three parts.

• Part I: Background Skills (Chapters 1 and 2) gives the big picture of Active Directory so you can successfully plan and implement an Active Directory network. This part also discusses the installation of Active Directory.
• Part II: Core Skills (Chapters 3 through 7) describes the concepts, planning, and administration of both the physical and the logical structure of Active Directory. The topics presented in this part include user and group management, access control, and Group Policy. Even though Part III covers advanced skills, most chapters in this part discuss related advanced topics.
• Part III: Advanced Skills (Chapters 8 through 11) looks at advanced techniques, including the schema and scripting. Along with these topics, we also uncover many aspects of Active Directory architecture. You can probably live without the information in these chapters, but by reading them, you can greatly deepen your knowledge and understanding of Active Directory and make use of it when implementing and administering Active Directory networks.

We’ll now present a short summary of each chapter. Mika wrote Chapter 2 and Chapter 7, and Sakari wrote the remaining chapters.

Chapter 1: Active Directory: The Big Picture

Before going into detail, we give you a general picture of Active Directory. After you learn the concepts introduced in this chapter, you can skip freely some later chapters that you might not be interested in. However, we encourage you to browse through the table of contents of any such chapter to make sure that you are not going to unintentionally miss anything important.

Chapter 2: Active Directory Installation

In this chapter, we explain how to install Active Directory. We also describe the post-installation tasks, as well as how to automate and troubleshoot installation.

Chapter 3: Managing OUs, Users, and Groups

Once you have an Active Directory domain up and running, one obvious task is to create a user account for each user and plan how to enhance user administration by using groups and organizational units (OUs). This chapter looks at managing OUs, users, contacts, groups, and computer objects, and covers some related topics.

Chapter 4: Securing Active Directory

Active Directory has an access control mechanism that enables you to define who can read or modify what information in Active Directory. In this chapter, we explain the concepts and architecture of access control, as well as how to manage permissions in various scenarios.

Chapter 5: Sites and Replication

For Active Directory to work efficiently when your network spans multiple geographic locations, you must plan and implement the physical structure and define it in Active Directory itself. In this chapter, we describe the concepts, management, and advanced topics of the physical structure. Some of the content is also relevant for a company with just one site.

Chapter 6: Domains and Forests

Active Directory has several levels of hierarchies that you can use to implement an effective logical structure for your company network. In this chapter, we discuss whether you should use one or many domains and one or many forests, and how you should plan and manage that logical structure. We also revisit the physical structure, because it somewhat overlaps with the logical structure. In addition, we explain the anatomy of LDAP searches.

Chapter 7: Group Policy

Active Directory has an extensive management architecture called “Group Policy.” You can use Group Policy to manage various aspects of Active Directory objects—for example, user desktop and server security settings. Some of the largest changes to Active Directory day-to-day management come in the form of Group Policy tools. In addition to these tools, you learn the architecture, inheritance, and processing of Group Policy in this chapter.

Chapter 8: Active Directory Schema

This chapter examines the Active Directory data model and how it is enforced by the rules of the schema. After reading this chapter, you’ll better understand how Active Directory works behind the scenes, and you’ll also gain knowledge that you can use if you are going to extend the schema.

Chapter 9: Extending the Schema

One of Active Directory’s advantages over Windows NT is that you can extend the Active Directory schema, either to accommodate directory-enabled applications or for some administrative purpose. In this chapter, we explain the considerations for extensions and describe the process itself.

Chapter 10: Administration Scripts: Concepts

By downloading scripts from the Internet or writing your own scripts and executing them, you can greatly enhance and automate administration. In this chapter, we explain how to get started with technologies such as Windows Script Host (WSH), VBScript, and Active Directory Service Interfaces (ADSI).

Chapter 11: Administration Scripts: Examples

In this chapter, we present over 50 sample scripts along with their explanations. Outputs of many of the scripts provide some architectural information about Active Directory, and you can run those scripts without understanding what they do on each line. Therefore, you can use these scripts not only for various administrative tasks, but also to gain more knowledge about Active Directory. This chapter also introduces some additional scripting concepts, such as ActiveX Data Objects (ADO), between the sample scripts

0321228480P08022004