Active Directory Services for Windows Server 2003 Technical Reference
Get the focused, in-depth technical expertise you need to implement and optimize your Microsoft directory services infrastructure. As two Active Directory experts guide you through advanced design and deployment issues for the Windows Server 2003 environment, you'll develop a thorough understanding of the underlying concepts, architectural components, and real-world functionality of Active Directory directory service. Whether you're upgrading from Microsoft Windows NT 4.0 or later, or performing a clean installation, you'll learn the best ways to exploit Active Directory capabilities for your organization - and deliver new levels of network performance and productivity. Get the technical drill-down you need to:
* Install, upgrade, or migrate to Active Directory
* Learn essential design considerations for DNS
* Design Active Directory structure - forests, domains, sites, and OUs
* Manage Active Directory objects, including users and groups
* Optimize domain controller data replication
* Use group policies to deploy software and manage desktops
* Implement authentication, Kerberos, and other security features and tools
* Monitor Active Directory replication and domain controller performance, and manage the Active Directory database
* Perform critical maintenance and plan for disaster recovery
FEATURES:
* Includes complete coverage of Active Directory concepts - components, replication, security, installation, administration, and more
* Shows how to use Active Directory with Windows .NET Server, the integrated server foundation built for a fast-changing market
* Comes directly from the company that developed both Active Directory and Windows .NET Server - Microsoft
CONTENTS:
List of Tables xii
Dedications xiii
Acknowledgments xiv
Introduction xv
PART I Windows Server 2003 Active Directory Overview
1 Active Directory Concepts 3
The Evolution of Microsoft Directory Services 3
LAN Manager for OS/2 and MS-DOS 4
Windows NT and SAM 4
Windows 2000 and Active Directory 6
Windows Server 2003 Domains and Active Directory 7
Active Directory Open Standards 8
X.500 Hierarchies 8
Lightweight Directory Access Protocol (LDAP) 10
Key Features and Benefits of Active Directory 12
Centralized Directory 12
Single Sign-On 12
Delegated Administration 12
Common Management Interface 13
Integrated Security 13
Scalability 13
What's New in Windows Server 2003 Active Directory 14
Active Directory Users And Computers Improvements 14
Levels of Functionality 14
Domain Rename 15
Application Directory Partitions 15
Additional Domain Controller Installed from Backup Media 15
Deactivation of Schema Objects 16
Disabling Compression of Replication Traffic Between Different Sites 16
Global Catalog Not Required for Logon 16
Group Membership Replication Improvements 16
Object Picker UI Improvements 17
Lingering Object Removal Mechanism 17
inetOrgPerson Support 17
Summary 17
2 Active Directory Components 19
Active Directory Physical Structure 19
The Directory Data Store 19
Domain Controllers 20
Global Catalog Servers 20
Operations Masters 23
Transferring Operations Master Roles 25
The Schema 26
Active Directory Logical Structure 31
Active Directory Partitions 32
Domains 36
Domain Trees 37
Forests 38
Trusts 39
Sites 43
Organizational Units 46
Summary 48
3 Active Directory and Domain Name System 49
DNS Overview 49
Hierarchical Namespace 50
Distributed Database 51
Name Resolution Process 51
Resource Records 52
DNS Domains, Zones, and Servers 54
DNS and Windows Server 2003 Active Directory 61
DNS Locator Service 61
Active Directory Integrated Zones 66
DNS Enhancements 69
Summary 75
4 Active Directory Replication and Sites 77
Active Directory Replication Model 77
Replication Enhancements in Windows Server 2003 Active Directory 79
Intrasite and Intersite Replication 80
Intrasite Replication 81
Intersite Replication 82
Replication Latency 83
Urgent Replication 83
Replication Topology Generation 84
Knowledge Consistency Checker 84
Connection Objects 85
Intrasite Replication Topology 86
Global Catalog Replication 91
Intersite Replication Topology 93
Replication Process 95
Update Types 96
Replicating Changes 96
Configuring Intersite Replication 102
Creating Additional Sites 103
Site Links 103
Site Link Bridges 105
Replication Transport Protocols 106
Configuring Bridgehead Servers 107
Monitoring and Troubleshooting Replication 108
Summary 110
PART II IMPLEMENTING WINDOWS SERVER 2003 ACTIVE DIRECTORY
5 Designing the Active Directory Structure 113
Designing the Forest Structure 113
Forests and Active Directory Design 114
Single or Multiple Forests 116
Defining Forest Ownership 119
Forest Change Control Policies 120
Designing the Domain Structure 121
Domains and Active Directory Design 121
Determining the Number of Domains 121
Designing the Forest Root Domain 124
Designing Domain Hierarchies 125
Domain Trees and Trusts 128
Changing the Domain Hierarchy 129
Defining Domain Ownership 130
Designing the DNS Infrastructure 131
Examining the Existing DNS Infrastructure 131
Namespace Design 132
Designing the Organizational Unit Structure 143
Organizational Units and Active Directory Design 143
Designing an OU Structure 144
Creating an OU Design 146
Designing the Site Topology 149
Sites and Active Directory Design 149
Networking Infrastructure and Site Design 150
Creating a Site Design 150
Designing Server Locations 153
Summary 158
6 Installing Active Directory 159
Prerequisites for Installing Active Directory 159
Hard Disk 160
Network Connectivity 160
DNS 161
Administrative Permissions 163
Active Directory Installation Options 163
Configure Your Server Wizard 163
Active Directory Installation Wizard (Dcpromo.exe) 164
Unattended Installation 165
Using the Configure Your Server Wizard 165
Using the Active Directory Installation Wizard 167
Operating System Compatibility 168
Domain and Domain Controller Types 169
Naming the Domain 171
File Locations 172
Verify or Install a DNS Server 173
Selecting Default Permissions for User and Group Objects 175
Completing the Installation 176
Performing an Unattended Installation 178
Installing Active Directory from Restored Backup Files 179
Removing Active Directory 180
Removing Additional Domain Controllers 182
Removing the Last Domain Controller 183
Unattended Removal of Active Directory 184
Summary 184
7 Migrating to Active Directory 185
Migration Paths 186
The Domain Upgrade Migration Path 187
The Domain Restructure Migration Path 189
The Upgrade-Then-Restructure Migration Path 191
Determining Your Migration Path 192
Migration Path Decision Criteria 192
Choosing the Domain Upgrade Path 193
Choosing the Domain Restructure Path 195
Choosing the Upgrade-Then-Restructure Path 197
Preparing for Migration to Active Directory 198
Planning the Migration 198
Testing the Migration Plan 204
Conducting a Pilot Migration 204
Upgrading the Domain 205
Upgrading from Windows NT Server 4 205
Upgrading from Windows 2000 Server 213
Restructuring the Domain 215
Creating the Pristine Forest 217
Migrating Account Domains 222
Migrating Resource Domains 226
Upgrading then Restructuring 231
Configuring Interforest Trusts 232
Summary 236
PART III Administering Windows Server 2003 Active Directory
8 Active Directory Security 239
Active Directory Security Basics 239
Security Principals 240
Access Control Lists 240
Access Tokens 241
Authentication 241
Authorization 242
Kerberos Security 242
Introduction to Kerberos 243
Kerberos Authentication 245
Delegation of Authentication 251
Configuring Kerberos in Windows Server 2003 253
Integration with Public Key Infrastructure 254
Integration with Smart Cards 257
Interoperability with Other Kerberos Systems 258
NTLM Security 260
Summary 260
9 Delegating the Administration of Active Directory 261
Active Directory Object Permissions 261
Standard Permissions 262
Special Permissions 264
Permissions Inheritance 268
Effective Permissions 270
Ownership of Active Directory Objects 273
Auditing the Use of Administrative Permissions 274
Delegating Administrative Tasks 276
Customized Tools for Delegated Administration 280
Customizing the Microsoft Management Console 280
Creating a Taskpad for Administration 281
Planning for the Delegation of Administration 282
Summary 283
10 Managing Active Directory Objects 285
Managing Users 285
User Objects 285
inetOrgPerson Objects 290
Contact Accounts 291
Managing Groups 292
Group Types 292
Group Scope 293
Creating a Security Group Design 296
Managing Computers 299
Managing Printer Objects 301
Publishing Printers in Active Directory 301
Managing Published Shared Folders 304
Windows Server 2003 Active Directory Administration Enhancements 305
Summary 306
11 Introduction to Group Policies 307
Group Policy Overview 308
Implementing Group Policies 311
Creating GPOs 312
Administering Group Policy Objects 313
Group Policy Inheritance and Application 314
Modifying the Default Application of Group Policies 316
Group Policy Processing 321
Delegating Administration of GPOs 326
Implementing Group Policies Between Domains and Forests 327
Group Policy Management Tools 328
RSoP Tool 328
GPResult 329
GPUpdate 330
Group Policy Management Console 330
Group Policy Design 332
Summary 333
12 Using Group Policies to Manage Software 335
Windows Installer Technology 336
Creating a .msi file 336
Deploying Software Using Group Policies 337
Deploying Applications 338
Using Group Policies to Distribute Non-Windows Installer Applications 341
Configuring Software Package Properties 343
Setting the Default Software Installation Properties 345
Installing Customized Software Packages 345
Updating an Existing Software Package 347
Managing Software Categories 349
Configuring File Extension Activation 350
Removing Software Using Group Policies 351
Using Group Policies to Configure Windows Installer 352
Planning for Software Distribution Using Group Policies 354
Limitations to Using Group Policies to Manage Software 357
Summary 359
13 Using Group Policies to Manage Computers 361
Desktop Management Using Group Policies 362
Managing User Data and Profile Settings 364
Managing User Profiles 364
Folder Redirection 368
Configuring Security Settings with Group Policies 372
Configuring Domain-Level Security Policies 372
Configuring Other Security Settings 377
Software Restriction Policies 379
Security Templates 382
Administrative Templates 385
Using Scripts to Manage the User Environment 389
Summary 391
PART IV Maintaining Windows Server 2003 Active Directory
14 Monitoring and Maintaining Active Directory 395
Monitoring Active Directory 395
Why Monitor Active Directory? 396
How to Monitor Active Directory 398
What to Monitor 410
Active Directory Database Maintenance 411
Garbage Collection 411
Online Defragmentation 413
Offline Defragmentation of the Active Directory Database 414
Managing the Active Directory Database Using Ntdsutil 415
Summary 417
15 Disaster Recovery 419
Planning for a Disaster 419
Active Directory Data Storage 420
Backing Up Active Directory 423
Restoring Active Directory 424
Restoring Active Directory by Creating a New Domain Controller 425
Performing a Nonauthoritative Restore 429
Performing an Authoritative Restore 431
Restoring Sysvol Information 433
Restoring Operations Masters and Global Catalog Servers 435
Summary 440
INDEX 441