Sunday, April 13, 2014

Active Directory Cookbook, 3rd Edition (PDF)


FREE DOWNLOAD LINK FOR "Active Directory Cookbook, 3rd Edition (PDF)": http://123doc.vn/document/1045372-tai-lieu-active-directory-cookbook-3rd-edition-pdf.htm


Table of Contents

Preface xvii

1. Getting Started 1
1.1 Approach to the Book 1
1.2 Where to Find the Tools 3
1.3 Getting Familiar with LDIF 5
1.4 Programming Notes 7
1.5 Replaceable Text 10
1.6 Where to Find More Information 11

2. Forests, Domains, and Trusts 15
2.1 Creating a Forest 21
2.2 Removing a Forest 22
2.3 Creating a Domain 24
2.4 Removing a Domain 25
2.5 Removing an Orphaned Domain 27
2.6 Finding the Domains in a Forest 28
2.7 Finding the NetBIOS Name of a Domain 30
2.8 Renaming a Domain 32
2.9 Raising the Domain Mode to Windows 2000 Native Mode 33
2.10 Viewing and Raising the Functional Level of a Windows Server 2003 or 2008 Domain 36
2.11 Raising the Functional Level of a Windows Server 2003 or 2008 Forest 39
2.12 Using AdPrep to Prepare a Domain or Forest for Windows Server 2003 or 2008 42
2.13 Determining Whether AdPrep Has Completed 44
2.14 Checking If a Windows Domain Controller Can Be Upgraded to Windows Server 2003 or 2008 47
2.15 Creating an External Trust 48
2.16 Creating a Transitive Trust Between Two AD Forests 50
2.17 Creating a Shortcut Trust Between Two AD Domains 52
2.18 Creating a Trust to a Kerberos Realm 53
2.19 Viewing the Trusts for a Domain 55
2.20 Verifying a Trust 58
2.21 Resetting a Trust 60
2.22 Removing a Trust 62
2.23 Enabling SID Filtering for a Trust 64
2.24 Enabling Quarantine for a Trust 66
2.25 Managing Selective Authentication for a Trust 66
2.26 Finding Duplicate SIDs in a Domain 69
2.27 Adding Additional Fields to Active Directory Users and Computers 70

3. Domain Controllers, Global Catalogs, and FSMOs 73
3.1 Promoting a Domain Controller 76
3.2 Promoting a Read-Only Domain Controller 77
3.3 Performing a Two-Stage RODC Installation 78
3.4 Modifying the Password Replication Policy 80
3.5 Promoting a Windows Server 2003 Domain Controller from Media 82
3.6 Promoting a Windows Server 2008 Domain Controller from Media 84
3.7 Demoting a Domain Controller 86
3.8 Automating the Promotion or Demotion of a Domain Controller 87
3.9 Troubleshooting Domain Controller Promotion or Demotion Problems 88
3.10 Verifying the Promotion of a Domain Controller 89
3.11 Removing an Unsuccessfully Demoted Domain Controller 90
3.12 Renaming a Domain Controller 93
3.13 Finding the Domain Controllers for a Domain 95
3.14 Finding the Closest Domain Controller 96
3.15 Finding a Domain Controller’s Site 98
3.16 Moving a Domain Controller to a Different Site 101
3.17 Finding the Services a Domain Controller Is Advertising 104
3.18 Restoring a Deleted Domain Controller 105
3.19 Resetting the TCP/IP Stack on a Domain Controller 106
3.20 Configuring a Domain Controller to Use an External Time Source 107
3.21 Finding the Number of Logon Attempts Made Against a Domain Controller 110
3.22 Enabling the /3GB Switch to Increase the LSASS Cache 110
3.23 Cleaning Up Distributed Link Tracking Objects 112
3.24 Enabling and Disabling the Global Catalog 113
3.25 Determining Whether Global Catalog Promotion Is Complete 115
3.26 Finding the Global Catalog Servers in a Forest 117
3.27 Finding the Domain Controllers or Global Catalog Servers in a Site 119
3.28 Finding Domain Controllers and Global Catalogs via DNS 121
3.29 Changing the Preference for a Domain Controller 122
3.30 Disabling the Global Catalog Requirement During a Domain Login 124
3.31 Disabling the Global Catalog Requirement for Windows Server 2003 or Windows Server 2008 125
3.32 Finding the FSMO Role Holders 126
3.33 Transferring a FSMO Role 129
3.34 Seizing a FSMO Role 131
3.35 Finding the PDC Emulator FSMO Role Owner via DNS 132
3.36 Finding the PDC Emulator FSMO Role Owner via WINS 133

4. Searching and Manipulating Objects 135
4.1 Viewing the RootDSE 136
4.2 Viewing the Attributes of an Object 140
4.3 Counting Objects in Active Directory 145
4.4 Using LDAP Controls 147
4.5 Using a Fast or Concurrent Bind 150
4.6 Connecting to an Object GUID 152
4.7 Connecting to a Well-Known GUID 153
4.8 Searching for Objects in a Domain 155
4.9 Searching the Global Catalog 158
4.10 Searching for a Large Number of Objects 161
4.11 Searching with an Attribute-Scoped Query 164
4.12 Searching with a Bitwise Filter 166
4.13 Creating an Object 170
4.14 Modifying an Object 173
4.15 Modifying a Bit Flag Attribute 177
4.16 Dynamically Linking an Auxiliary Class 180
4.17 Creating a Dynamic Object 182
4.18 Refreshing a Dynamic Object 184
4.19 Modifying the Default TTL Settings for Dynamic Objects 186
4.20 Moving an Object to a Different OU or Container 188
4.21 Moving an Object to a Different Domain 191
4.22 Referencing an External Domain 193
4.23 Renaming an Object 195
4.24 Deleting an Object 197
4.25 Deleting a Container That Has Child Objects 200
4.26 Viewing the Created and Last Modified Timestamp of an Object 202
4.27 Modifying the Default LDAP Query Policy 203
4.28 Exporting Objects to an LDIF File 206
4.29 Importing Objects Using an LDIF File 207
4.30 Exporting Objects to a CSV File 208
4.31 Importing Objects Using a CSV File 209

5. Organizational Units 211
5.1 Creating an OU 212
5.2 Enumerating the OUs in a Domain 214
5.3 Finding an OU 216
5.4 Enumerating the Objects in an OU 218
5.5 Deleting the Objects in an OU 221
5.6 Deleting an OU 222
5.7 Moving the Objects in an OU to a Different OU 223
5.8 Moving an OU 226
5.9 Renaming an OU 227
5.10 Modifying an OU 229
5.11 Determining Approximately How Many Child Objects an OU Has 231
5.12 Delegating Control of an OU 233
5.13 Assigning or Removing a Manager for an OU 234
5.14 Linking a GPO to an OU 235
5.15 Protecting an OU Against Accidental Deletion 238

6. Users 241
6.1 Modifying the Default Display Name Used When Creating Users in ADUC 244
6.2 Creating a User 245
6.3 Creating a Large Number of Users 248
6.4 Creating an inetOrgPerson User 250
6.5 Converting a user Object to an inetOrgPerson Object (or Vice Versa) 253
6.6 Modifying an Attribute for Several Users at Once 255
6.7 Deleting a User 256
6.8 Setting a User’s Profile Attributes 258
6.9 Moving a User 260
6.10 Redirecting Users to an Alternative OU 261
6.11 Renaming a User 263
6.12 Copying a User 265
6.13 Finding Locked-Out Users 267
6.14 Unlocking a User 268
6.15 Troubleshooting Account Lockout Problems 270
6.16 Viewing the Domain-Wide Account Lockout and Password Policies 271
6.17 Applying a Fine-Grained Password Policy to a User Object 275
6.18 Viewing the Fine-Grained Password Policy That Is in Effect for a User Account 276
6.19 Enabling and Disabling a User 278
6.20 Finding Disabled Users 279
6.21 Viewing a User’s Group Membership 281
6.22 Removing All Group Memberships from a User 284
6.23 Changing a User’s Primary Group 285
6.24 Copying a User’s Group Membership to Another User 287
6.25 Setting a User’s Password 290
6.26 Preventing a User from Changing a Password 291
6.27 Requiring a User to Change a Password at Next Logon 293
6.28 Preventing a User’s Password from Expiring 294
6.29 Finding Users Whose Passwords Are About to Expire 296
6.30 Viewing the RODCs That Have Cached a User’s Password 297
6.31 Setting a User’s Account Options (userAccountControl) 299
6.32 Setting a User’s Account to Expire 302
6.33 Determining a User’s Last Logon Time 303
6.34 Finding Users Who Have Not Logged On Recently 306
6.35 Viewing and Modifying a User’s Permitted Logon Hours 307
6.36 Viewing a User’s Managed Objects 309
6.37 Creating a UPN Suffix for a Forest 311
6.38 Restoring a Deleted User 312
6.39 Protecting a User Against Accidental Deletion 313

7. Groups 315
7.1 Creating a Group 316
7.2 Viewing the Permissions of a Group 319
7.3 Viewing the Direct Members of a Group 322
7.4 Viewing the Nested Members of a Group 324
7.5 Adding and Removing Members of a Group 326
7.6 Moving a Group Within a Domain 328
7.7 Moving a Group to Another Domain 330
7.8 Changing the Scope or Type of a Group 332
7.9 Modifying Group Attributes 334
7.10 Creating a Dynamic Group 337
7.11 Delegating Control for Managing Membership of a Group 339
7.12 Resolving a Primary Group ID 342
7.13 Enabling Universal Group Membership Caching 344
7.14 Restoring a Deleted Group 347
7.15 Protecting a Group Against Accidental Deletion 348
7.16 Applying a Fine-Grained Password Policy to a Group Object 349

8. Computer Objects 351
8.1 The Anatomy of a computer Object 351
8.2 Creating a Computer 352
8.3 Creating a Computer for a Specific User or Group 354
8.4 Deleting a Computer 360
8.5 Joining a Computer to a Domain 361
8.6 Moving a Computer Within the Same Domain 364
8.7 Moving a Computer to a New Domain 365
8.8 Renaming a Computer 367
8.9 Adding or Removing a Computer Account from a Group 370
8.10 Testing the Secure Channel for a Computer 371
8.11 Resetting a Computer Account 372
8.12 Finding Inactive or Unused Computers 374
8.13 Changing the Maximum Number of Computers a User Can Join to the Domain 375
8.14 Modifying the Attributes of a computer Object 377
8.15 Finding Computers with a Particular OS 379
8.16 Binding to the Default Container for Computers 382
8.17 Changing the Default Container for Computers 385
8.18 Listing All the Computer Accounts in a Domain 387
8.19 Identifying a Computer Role 388
8.20 Protecting a Computer Against Accidental Deletion 390
8.21 Viewing the RODCs That Have Cached a Computer’s Password 391

9. Group Policy Objects 393
9.1 Finding the GPOs in a Domain 396
9.2 Creating a GPO 397
9.3 Copying a GPO 399
9.4 Deleting a GPO 402
9.5 Viewing the Settings of a GPO 403
9.6 Modifying the Settings of a GPO 406
9.7 Importing Settings into a GPO 407
9.8 Creating a Migration Table 410
9.9 Creating Custom Group Policy Settings 412
9.10 Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO 415
9.11 Installing Applications with a GPO 416
9.12 Disabling the User or Computer Settings in a GPO 417
9.13 Listing the Links for a GPO 419
9.14 Creating a GPO Link to an OU 422
9.15 Blocking Inheritance of GPOs on an OU 424
9.16 Enforcing the Settings of a GPO Link 426
9.17 Applying a Security Filter to a GPO 428
9.18 Delegating Administration of GPOs 431
9.19 Importing a Security Template 433
9.20 Creating a WMI Filter 434
9.21 Applying a WMI Filter to a GPO 436
9.22 Configuring Loopback Processing for a GPO 438
9.23 Backing Up a GPO 439
9.24 Restoring a GPO 442
9.25 Simulating the RSoP 445
9.26 Viewing the RSoP 446
9.27 Refreshing GPO Settings on a Computer 447
9.28 Restoring a Default GPO 448
9.29 Creating a Fine-Grained Password Policy 449
9.30 Editing a Fine-Grained Password Policy 452
9.31 Viewing the Effective PSO for a User 454

10. Schema 457
10.1 Registering the Active Directory Schema MMC Snap-in 459
10.2 Enabling Schema Updates 460
10.3 Generating an OID to Use for a New Class or Attribute 462
10.4 Extending the Schema 463
10.5 Preparing the Schema for an Active Directory Upgrade 464
10.6 Documenting Schema Extensions 465
10.7 Adding a New Attribute 466
10.8 Viewing an Attribute 470
10.9 Adding a New Class 473
10.10 Viewing a Class 475
10.11 Indexing an Attribute 476
10.12 Modifying the Attributes That Are Copied When Duplicating a User 479
10.13 Adding Custom Information to ADUC 481
10.14 Modifying the Attributes Included with ANR 483
10.15 Modifying the Set of Attributes Stored on a Global Catalog 486
10.16 Finding Nonreplicated and Constructed Attributes 489
10.17 Finding the Linked Attributes 492
10.18 Finding the Structural, Auxiliary, Abstract, and 88 Classes 494
10.19 Finding the Mandatory and Optional Attributes of a Class 497
10.20 Modifying the Default Security of a Class 499
10.21 Managing the Confidentiality Bit 501
10.22 Adding an Attribute to the Read-Only Filtered Attribute Set (RO-FAS) 503
10.23 Deactivating Classes and Attributes 505
10.24 Redefining Classes and Attributes 507
10.25 Reloading the Schema Cache 507
10.26 Managing the Schema Master FSMO 509

11. Site Topology 513
11.1 Creating a Site 517
11.2 Listing Sites in a Forest 519
11.3 Renaming a Site 521
11.4 Deleting a Site 522
11.5 Delegating Control of a Site 523
11.6 Configuring Universal Group Caching for a Site 526
11.7 Creating a Subnet 528
11.8 Listing the Subnets 530
11.9 Finding Missing Subnets 531
11.10 Deleting a Subnet 534
11.11 Changing a Subnet’s Site Assignment 535
11.12 Creating a Site Link 537
11.13 Finding the Site Links for a Site 539
11.14 Modifying the Sites That Are Part of a Site Link 541
11.15 Modifying the Cost for a Site Link 543
11.16 Enabling Change Notification for a Site Link 545
11.17 Modifying Replication Schedules 547
11.18 Disabling Site Link Transitivity or Site Link Schedules 549
11.19 Creating a Site Link Bridge 551
11.20 Finding the Bridgehead Servers for a Site 553
11.21 Setting a Preferred Bridgehead Server for a Site 554
11.22 Listing the Servers 556
11.23 Moving a Domain Controller to a Different Site 558
11.24 Configuring a Domain Controller to Cover Multiple Sites 560
11.25 Viewing the Site Coverage for a Domain Controller 561
11.26 Disabling Automatic Site Coverage for a Domain Controller 562
11.27 Finding the Site for a Client 563
11.28 Forcing a Host into a Particular Site 564
11.29 Creating a Connection Object 565
11.30 Listing the connection Objects for a Server 566
11.31 Load-Balancing connection Objects 568
11.32 Finding the ISTG for a Site 568
11.33 Transferring the ISTG to Another Server 570
11.34 Triggering the KCC 572
11.35 Determining Whether the KCC Is Completing Successfully 573
11.36 Disabling the KCC for a Site 574
11.37 Changing the Interval at Which the KCC Runs 577

12. Replication 579
12.1 Determining Whether Two Domain Controllers Are in Sync 579
12.2 Viewing the Replication Status of Several Domain Controllers 582
12.3 Viewing Unreplicated Changes Between Two Domain Controllers 583
12.4 Forcing Replication from One Domain Controller to Another 586
12.5 Enabling and Disabling Replication 588
12.6 Changing the Intra-Site Replication Interval 589
12.7 Changing the Intra-Site Notification Delay 590
12.8 Changing the Inter-Site Replication Interval 593
12.9 Disabling Inter-Site Compression of Replication Traffic 595
12.10 Checking for Potential Replication Problems 597
12.11 Enabling Enhanced Logging of Replication Events 597
12.12 Enabling Strict or Loose Replication Consistency 597
12.13 Finding Conflict Objects 599
12.14 Finding Orphaned Objects 602
12.15 Listing the Replication Partners for a DC 604
12.16 Viewing Object Metadata 605

13. DNS and DHCP 609
13.1 Creating a Forward Lookup Zone 611
13.2 Creating a Reverse Lookup Zone 613
13.3 Viewing a Server’s Zones 614
13.4 Converting a Zone to an AD-Integrated Zone 617
13.5 Moving AD-Integrated Zones into an Application Partition 618
13.6 Configuring Zone Transfers 620
13.7 Configuring Forwarding 622
13.8 Delegating Control of an Active Directory Integrated Zone 625
13.9 Creating and Deleting Resource Records 627
13.10 Querying Resource Records 630
13.11 Modifying the DNS Server Configuration 631
13.12 Scavenging Old Resource Records 633
13.13 Clearing the DNS Cache 635
13.14 Verifying That a Domain Controller Can Register Its Resource Records 637
13.15 Enabling DNS Server Debug Logging 639
13.16 Registering a Domain Controller’s Resource Records 642
13.17 Deregistering a Domain Controller’s Resource Records 642
13.18 Preventing a Domain Controller from Dynamically Registering All Resource Records 643
13.19 Preventing a Domain Controller from Dynamically Registering Certain Resource Records 645
13.20 Allowing Computers to Use a Different Domain Suffix Than Their AD Domain 649
13.21 Authorizing a DHCP Server 651
13.22 Locating Unauthorized DHCP Servers 654
13.23 Restricting DHCP Administrators 655

14. Security and Authentication 659
14.1 Enabling SSL/TLS 660
14.2 Encrypting LDAP Traffic with SSL, TLS, or Signing 662
14.3 Disabling LDAP Signing or Encryption 664
14.4 Enabling Anonymous LDAP Access 665
14.5 Restricting Anonymous Access to Active Directory 667
14.6 Using the Delegation of Control Wizard 669
14.7 Customizing the Delegation of Control Wizard 671
14.8 Revoking Delegated Permissions 673
14.9 Viewing the ACL for an Object 674
14.10 Customizing the ACL Editor 676
14.11 Viewing the Effective Permissions on an Object 677
14.12 Configuring Permission Inheritance 678
14.13 Changing the ACL of an Object 680
14.14 Changing the Default ACL for an Object Class in the Schema 681
14.15 Comparing the ACL of an Object to the Default Defined in the Schema 682
14.16 Resetting an Object’s ACL to the Default Defined in the Schema 683
14.17 Preventing the LM Hash of a Password from Being Stored 684
14.18 Enabling Strong Domain Authentication 685
14.19 Enabling List Object Access Mode 686
14.20 Modifying the ACL on Administrator Accounts 688
14.21 Viewing and Purging Your Kerberos Tickets 689
14.22 Forcing Kerberos to Use TCP 691
14.23 Modifying Kerberos Settings 692
14.24 Viewing Access Tokens 693

15. Logging, Monitoring, and Quotas 695
15.1 Enabling Extended dcpromo Logging 697
15.2 Enabling Diagnostics Logging 698
15.3 Enabling NetLogon Logging 700
15.4 Enabling GPO Client Logging 701
15.5 Enabling Kerberos Logging 704
15.6 Viewing DNS Server Performance Statistics 705
15.7 Monitoring the File Replication Service 708
15.8 Monitoring the Windows Time Service 709
15.9 Enabling Inefficient and Expensive LDAP Query Logging 710
15.10 Using the STATS Control to View LDAP Query Statistics 712
15.11 Monitoring the Performance of AD 715
15.12 Using Perfmon Trace Logs to Monitor AD 717
15.13 Creating an Administrative Alert 720
15.14 Emailing an Administrator on a Performance Alert 721
15.15 Enabling Auditing of Directory Access 723
15.16 Enabling Auditing of Registry Keys 726
15.17 Creating a Quota 727
