CHAPTER 1 WHAT IS A DIRECTORY SERVICE? 1
A Directory 2
Objects 3
Attributes 3
The Way Things Were 3
Advantages of a Directory Service 5
Example 1 6
Without a Directory Service 6
With a Directory Service 6
Example 2 6
Without a Directory Service 6
With a Directory Service 6
The Building Blocks of a Directory Service 7
Example 3 7
Without a Directory Service 7
With a Directory Service 7
Why Has It Not Been Done Sooner? 9
Banyan Systems Street Talk 9
Novell Directory Services (NDS) 9
What about Now? 10
Microsoft's Active Directory Service 10
Let's Get Technical 11
Chapter Summary 12
CHAPTER 2 ALL ROADS LEAD TO X.500 13
One Standard for All 14
The History of X.500 14
How It All Began 15
X.500: The Service, the Myth, the Legend 17
What Is a Hierarchical Structure? 18
Application Relationships 21
Container and Noncontainer Objects 22
Client Access Protocols: DAP and LDAP 24
Directory Access Protocol (DAP) 24
LDAP 26
The Innards of LDAP 28
How Does LDAP Really Work? 29
DSAs, DUAs, and DITs, Okay? 29
LDAP and Active Directory 30
Chapter Summary 31
Review Questions 31
Real-World Project 35
CHAPTER 3 THE FUNDAMENTALS OF ACTIVE DIRECTORY 37
Active Directory Strengths 38
The Way It Was 38
Simplified Administration 39
Security 40
Scalability 40
Extensibility 40
Open Standard Support 40
Interoperability 41
The Nitty Gritty on Addressing 41
Objects 41
Groups 42
Organizational Units 42
Domains 42
Trees 43
Sites 44
Forest 44
Global Catalog 46
Schema 46
Naming Conventions 46
Active Directory Services Interface 48
Chapter Summary 48
Review Questions 49
Real-World Project 53
CHAPTER 4 TCP/IP, WINS, AND DHCP 65
TCP/IP 67
A Bit of History 67
The Four Layers of TCP/IP 68
Transport Layer 70
TCP/IP Addressing Scheme 72
Application Layer 72
Assigning the TCP/IP Address 76
TCP/IP Utilities 76
Testing Your Configuration 77
DHCP 78
How DHCP Works 78
Step One: DHCPDISCOVER 80
Step Two: DHCPOFFER 81
Step Three: DHCPREQUEST 81
Step Four: DHCPACK 81
What If Something Goes Wrong 81
Automatic Private Addressing 81
Renewing and Releasing the Lease 82
Backing Up the DHCP Database 82
Restoring the DHCP Database 83
WINS 83
How Does WINS Work? 83
WINS Name Registration Process 84
Renewing Your Registration 85
When the Client Is Done with the IP Address 86
Looking for Somebody on the Network 86
WINS Proxy Agent 86
Configuring WINS with the WINS Snap-In 87
Chapter Summary 88
Review Questions 90
Real-World Projects 93
CHAPTER 5 DEVELOPING A DOMAIN NAME SERVICE (DNS) NAMESPACE STRATEGY 99
What Existed before DNS? 100
Why Do We Use Uniform Resource Locators? 101
What Is DNS? 101
How Does DNS Function? 102
The Root and Top Levels 102
DNS Naming Conventions 104
Zones 104
Name Servers 105
Types of Name Servers 105
Name Resolution 106
Recursive 107
Iterative 108
Caching 108
Forward and Reverse Lookup Zones 109
DNS Database Files 109
Start of Authority (SOA) 110
The Mail Exchange Record 112
The Host Record (A) 112
The Name Server (NS) Record 112
The CNAME Record 113
Other Important Files for DNS 113
Dynamic DNS! 114
DHCP and DDNS 115
The Internals of DDNS 116
Planning Your DNS Implementation 118
What's in a Name? 118
The Root of Your Name 120
Are You In or Are You Out? 121
Two Distinct Namespaces 122
Single Namespace Implementation 123
Server Implementation 124
Creating Your Zones and Handling Replication 126
Chapter Summary 127
Review Questions 127
Real-World Projects 132
CHAPTER 6 DESIGNING AN ACTIVE DIRECTORY DOMAIN 137
Domains 139
Organizational Units 140
Designing an Organizational Unit Structure 142
Strategy 143
The Number of Levels 144
Domains or Organizational Units 145
Security 146
Security Identifier 147
Security Descriptor 147
Groups 148
International Company 149
Implementing a Domain Structure 149
Nationwide Company 151
A Small Company 152
Delegation of Administration 153
Centralized Administration Model 154
Distributed Administration Model 154
Combination 154
Common Organizational Unit Models 155
Geographic Model 155
Object Model 156
Cost Center Model 157
Project Model 157
Division or Business Unit Model 158
Administration Model 158
Hybrid Model 159
Chapter Summary 160
Review Questions 165
Real-World Projects 168
CHAPTER 7 DESIGNING A MULTIPLE DOMAIN STRUCTURE 173
Review of Single Domain Options 174
The Need for a Larger Tree 175
What Is a Domain Tree? 176
Transitive Trusts 177
Empty Root Domains 178
Forests 179
To Forest or Not to Forest? 179
Shortcut Trusts 180
Forest Points to Remember 181
Multiple Forests 181
Design Considerations for Domain Architecture 183
The Root 183
The First Level 183
The Second Level 184
Scenario Review 192
Scenario One 192
Scenario Two 193
Scenario Three 193
Scenario Four 194
Scenario Five 194
Chapter Summary 194
Review Questions 196
Real-World Projects 200
CHAPTER 8 GROUP POLICY IMPLEMENTATION 205
The User 206
Groups 206
Groups of NT 4 207
Types of Groups 207
Mixed Mode: The Slow Integration Process 209
Windows 2000 Security Groups in “Native Mode” 210
Domain Local Groups 210
Global Groups within Windows 2000 211
Universal Groups 211
Group Conversions 212
Illustrating Local, Global, and Universal Groups 212
Groups and the Global Catalog 214
Planning Your Group Strategy 215
Group Placement 215
Name that Group 216
Delegate Administrative Control 216
Scenario One 218
Implementation Options Reviewed 218
Scenario Two 219
Group Policies 219
Profiles vs. Policies 220
System Policies of NT 4 221
GPOs, GPCs, and GPTs 222
How Group Policies Are Applied 225
The Default Application of Policy 226
Overriding and Blocking of Inheritance 226
Filtering Group Policies 228
Inner Workings of a Group Policy 229
Planning: The Key to Global Policies 233
Method of Group Policy Application 233
How Many Policies for the GPO? 235
Organizing Your Organizational Units 236
Minimize Block Policy and Override Features 237
Are You Counting Time, or Making Your Time Count? 238
Chapter Summary 238
Review Questions 239
Real-World Projects 244
CHAPTER 9 ACTIVE DIRECTORY REPLICATION 249
Multi-Master vs. Single-Master Replication 250
Replication or Synchronization? 252
LDAP Data Interchange Format (LDIF) 253
Comma Separated Variable Import/Export Utility (CSVDE.EXE) 253
Into the Heart of Replication 254
Automatic and Manual Topologies 256
Active Directory Architecture 257
Extensible Storage Engine (ESE) 258
From the Top, Down 258
Database Layer 259
The Directory Service Agent 259
Update Requests 260
Deleted Objects: Where Do They Go? 260
From Origination to Replication 261
Sequence Numbers: The Nightmare Begins 261
Preventing Unnecessary Replication 264
Up-To-Date Vector (UTD Vector) 264
High Watermark Vector 266
Collisions: They Will Occur 266
Replication Partitions 268
Special Masters 269
Inter- and Intra-Site Replication 270
Intra-Site Replication 271
Inter-Site Replication 272
Manual Modifications 273
Monitoring Your Replication Traffic 274
Network Monitor 274
Performance Monitor 275
Chapter Summary 277
Review Questions 279
Real-World Projects 283
CHAPTER 10 MANAGING SITE BOUNDARIES 285
Active Directory Sites 287
Logon Traffic 287
Distributed File System (DFS) Topology 288
File Replication Service (FRS) 288
Replication Traffic 288
Site Aware Applications 289
Replication Latency 290
Replication Efficiency 290
Replication Cost 290
The Different Types of Replication 291
Intra-Site Replication 291
Inter-Site Replication 293
Seeing If Active Directory Sites Are Necessary 294
Placing the Domain Controllers (DC) 295
Connectivity 296
Available Bandwidth 297
Replication Traffic 298
Transport 299
Site Links 299
Member Sites 300
Cost 300
Frequency 300
Schedule 300
Site Link Bridges 301
Planning Inter-Site Replication Topology 302
Transports 303
Bridgehead Servers 304
Inter-Site Topology Generator 304
Least-Cost Spanning Tree 305
Placing Servers in Sites 305
Placing the Global Catalog (GC) Server 306
Placing the Operation Masters 307
Chapter Summary 310
Review Questions 313
Real-World Projects 316
CHAPTER 11 DESIGNING YOUR ACTIVE DIRECTORY INFRASTRUCTURE 323
A Functional Team 324
What Will the Team Handle? 325
What Roles Will the Team Members Play? 326
The Vision and the Scope 328
Vision 329
Scope 329
The Vision/Scope Document 329
Address Your Risks 330
Your Current Physical Infrastructure 330
Hardware and Software 331
Network Details 332
The Users within the Organization 333
Design Your Naming Strategy 334
Design Your Directory Service Infrastructure 334
The Goal 334
Design Your Domain (or Multiple Domain) Strategy 335
Design a Group Policy 337
Design Your Site Topology 337
Designing Your Schema 338
Planning for Growth 338
Delegation of Authority 339
Chapter Summary 341
Review Questions 343
Real-World Projects 348
CHAPTER 12 ACTIVE DIRECTORY SECURITY FEATURES 353
Kerberos 354
A Kerberos Transaction 355
Kerberos Vocabulary 356
Kerberos and Transitive Trusts 357
File Access Permissions 360
NT 4 Permissions 360
File Permissions under Windows 2000 363
Encrypting File System (EFS) 368
How Does EFS Work? 369
Security Policies 370
Password Policy 371
Account Lockout Policy 371
Audit Policy 372
User Rights Assignment 373
Security Options 374
Smart Cards 374
How Do Smart Cards Work? 375
IP Security (IPSec) 376
The IPSec Monitor 377
Active Directory Design and Security 378
Chapter Summary 379
Review Questions 381
Real-World Projects 384
CHAPTER 13 MONITORING, OPTIMIZING, AND TROUBLESHOOTING ACTIVE DIRECTORY 387
Performance Console 388
Performance Console and Replication 389
Task Manager 390
Network Monitor 390
Replication Monitor 391
NTDSUTIL 393
SECEDIT 394
NETDOM 395
DNSCMD 396
DSASTAT 396
Miscellaneous Tools 396
NETSVC 396
MOVETREE 397
The Right Tool for the Job 397
Advanced Startup Options 397
Recovery Console 399
Backup and Restore Active Directory 400
Active Directory Restoration 402
Chapter Summary 402
Review Questions 405
Real-World Projects 409
CHAPTER 14 SCHEMA: DESIGN AND MODIFICATION 413
What Is the Schema? 414
Objects 416
Object Classes 416
Attributes 417
Syntax 418
Object Identifiers (OIDs) 419
Object Classes and Attributes Defined in the Schema 419
Before Modifying the Schema 421
Static 422
Low-Latency 422
Transient 422
Modifying the Schema 422
Installing Software Applications 423
Scripting 423
Using the Active Directory Schema Manager 423
Who Can Modify the Schema? 424
Modifying a Class 425
Items in the Schema that Can Be Modified 425
Creating a New Class 426
Modifying an Attribute 427
Creating a New Attribute 428
Deactivating a Class or an Attribute 429
Indexing an Attribute 429
Replicating an Attribute to the Global Catalog 429
Once the Modification Is Made 430
System Checks on the Schema 430
Time Interval Before Changes Take Effect 431
Schema Replication 432
Chapter Summary 433
Review Questions 436
Real-World Projects 440
CHAPTER 15 DEPLOYING WINDOWS 2000 ACTIVE DIRECTORY 443
Evaluating the Organization 445
The Planning Team 445
The Vision and the Scope 447
Managing Risks 449
The Administrative Delegation Model 450
Physical Locations 453
The Current Business Practices 454
The Security Requirements 455
Future Growth of the Company 456
Existing Network Connections 457
Designing an Active Directory Structure 458
Delegation of Administrative Authority 458
Group Policies 459
The Domain Structure 460
Schema Policy 461
Site Topology 462
The Naming Strategy 462
Chapter Summary 463
Review Questions 466
Real-World Projects 470
CHAPTER 16 MIGRATING FROM WINDOWS NT 4 TO ACTIVE DIRECTORY 473
The Different Planning Phases of Migration 474
Designing the Active Directory Structure 475
Choose a Migration Path 475
Develop a Domain Upgrade or a Restructure Strategy 476
Plan the Deployment of the Migration Strategy 476
The Migration Path 477
Defining the Existing Domain Arrangement 477
What Will Be Achieved from the Migration? 481
The Active Directory Design 482
Evaluating the Migration Paths 482
The Domain Upgrade Strategy 485
How Many Forests Are in the Design? 486
What Is the Site Topology of the Design? 487
What Are the Security and Administration Plans in the Design? 489
The Current Operating System 490
The Recovery Plan 491
Domain Upgrade Order 492
Upgrading Domain Controllers 493
Mixed Mode or Native Mode? 494
Post-Upgrade Tasks 495
Restructuring Domains 497
Inter-Forest Restructuring 497
Intra-Forest Restructuring 501
Domain Restructure Tools 503
Chapter Summary 503
Review Questions 506
Real-World Projects 510
CHAPTER 17 ACTIVE DIRECTORY AND EXCHANGE SERVERS 513
Replication vs. Synchronization Revisited 514
The Active Directory Connector 515
Installing the Active Directory Connector 516
Connection Agreements with the ADC 517
Creating Connection Agreements 519
Putting Active Directory Connector to Work 530
Manage Your Objects Centrally 531
Troubleshoot Your Connector 533
Do You Need the ADC? 535
Planning Your ADC 535
Some Questions You Need to Resolve 536
A Review of the Scenario Models 538
Final Issues 541
Exchange 2000 541
Chapter Summary 542
Review Questions 543
Real-World Projects 547
CHAPTER 18 SAMPLE TEST 551
CHAPTER 19 ANSWER KEY 577
APPENDIX A ANSWERS TO REVIEW QUESTIONS 595
APPENDIX B RFCS FOR TCP/IP FOR WINDOWS 2000 629
APPENDIX C EXAM OBJECTIVES 631
GLOSSARY 635
INDEX 649