WIXLIB

ActiveDirectory William R. StanekAuthor and Series EditorAdministrator’sPocket Consultant

PUBLISHED BYMicrosoft PressA Division of Microsoft CorporationOne Microsoft WayRedmond, Washington 98052-6399Copyright 2009 by William StanekAll rights reserved. No part of the contents of this book may be reproduced or transmitted in anyform or by any means without the written permission of the publisher.Library of Congress Control Number: 2008940460Printed and bound in the United States of America.1 2 3 4 5 6 7 8 9 QWE 4 3 2 1 0 9Distributed in Canada by H.B. Fenn and Company Ltd.A CIP catalogue record for this book is available from the British Library.Microsoft Press books are available through booksellers and distributors worldwide. For furtherinformation about international editions, contact your local Microsoft Corporation office or contactMicrosoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.Microsoft, Microsoft Press, Active Directory, Internet Explorer, MS, Windows, Windows NT,Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks ortrademarks of the Microsoft group of companies. Other product and company names mentionedherein may be the trademarks of their respective owners.The example companies, organizations, products, domain names, e-mail addresses, logos,people, places, and events depicted herein are fictitious. No association with any real company,organization, product, domain name, e-mail address, logo, person, place, or event is intended orshould be inferred.This book expresses the author’s views and opinions. The information contained in this book isprovided without any express, statutory, or implied warranties. Neither the authors, MicrosoftCorporation, nor its resellers, or distributors will be held liable for any damages caused or allegedto be caused either directly or indirectly by this book.Acquisitions Editor: Martin DelReDevelopmental Editor: Karen SzallProject Editor: Maria GargiuloEditorial Production: ICC Macmillan, Inc.Technical Reviewer: Randy Muller; Technical Review services provided by ContentMaster, a member of CM Group, Ltd.Cover: Tom Draper DesignBody Part No. X15-25190

Contents at a GlanceIntroductionxvPART IIMPLEMENTING ACTIVE DIRECTORYCHAPTER 1Overview of Active DirectoryCHAPTER 2Installing New Forests, Domain Trees,and Child Domains29CHAPTER 3Deploying Writable Domain Controllers73CHAPTER 4Deploying Read-Only Domain ControllersPART IIMANAGING ACTIVE DIRECTORY INFRASTRUCTURECHAPTER 5Configuring, Maintaining, and TroubleshootingGlobal Catalog Servers139CHAPTER 6Configuring, Maintaining, and TroubleshootingOperations Masters167Managing Active Directory Sites, Subnets,and Replication189CHAPTER 73105PART IIIMAINTAINING AND RECOVERING ACTIVE DIRECTORYCHAPTER 8Managing Trusts and Authentication227CHAPTER 9Maintaining and Recovering Active Directory259APPENDIX AActive Directory Utilities Reference295Index321

ContentsIntroductionxvPART IIMPLEMENTING ACTIVE DIRECTORYChapter 1Overview of Active Directory3Understanding Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Introducing Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Active Directory Domains5DNS Domains6Domain Controllers8Active Directory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Active Directory Schema12Active Directory Components14Managing Active Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Chapter 2Working with Active Directory23Active Directory Administration Tools23Installing New Forests, Domain Trees,and Child Domains29Preparing for Active Directory Installation . . . . . . . . . . . . . . . . . . . 29Working with Directory Containers and Partitions30Establishing or Modifying Your DirectoryInfrastructure31Establishing Functional Levels36Deploying Windows Server 200840Creating Forests, Domain Trees, and Child Domains . . . . . . . . . . . 41Installing the AD DS Binaries41Creating New Forests42What do you think of this book? We want to hear from you!Microsoft is interested in hearing your feedback so we can continually improve ourbooks and learning resources for you. To participate in a brief online survey, please visit:microsoft.com/learning/booksurveyv

Chapter 3Creating New Domain Trees59Creating New Child Domains66Deploying Writable Domain Controllers73Preparing to Deploy or Decommission Domain Controllers . . . . 73Adding Writable Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . 74Installing Additional Writable Domain Controllers75Adding Writable Domain Controllers UsingReplication76Adding Writable Domain Controllers UsingInstallation Media83Adding Writable Domain Controllers UsingAnswer Files or the Command Line85Decommissioning Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . 88Preparing to Remove Domain Controllers88Removing Additional Domain Controllers90Removing the Last Domain Controller94Removing Domain Controllers Using AnswerFiles or the Command Line95Forcing the Removal of Domain Controllers . . . . . . . . . . . . . . . . . . 97Restarting a Domain Controller in DirectoryServices Restore Mode97Performing Forced Removal of Domain Controllers99Cleaning Up Metadata in the Active Directory ForestChapter 4Deploying Read-Only Domain Controllers102105Preparing to Deploy Read-Only Domain Controllers . . . . . . . . . 106Adding RODCs to Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Adding RODCs Using Replication109Adding RODCs Using Answer Files or theCommand Line115Using Staged Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119viContentsStage 1: Creating the RODC Account andPreparing for Installation120Stage 2: Attaching the RODC and FinalizingInstallation121

Performing Staged Installations Using theCommand Line or Answer Files123Decommissioning RODCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Setting Password Replication Policy . . . . . . . . . . . . . . . . . . . . . . . . 127Password Replication Policy Essentials127Allowing and Denying Accounts130Managing Credentials on RODCs132Identifying Allowed or Denied Accounts133Resetting Credentials134Delegating Administrative Permissions135PART IIMANAGING ACTIVE DIRECTORYINFRASTRUCTUREChapter 5Configuring, Maintaining, and TroubleshootingGlobal Catalog Servers139Working with Global Catalog Servers. . . . . . . . . . . . . . . . . . . . . . . 140Deploying Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . . . . 141Adding Global Catalog Servers141Monitoring and Verifying Global Catalog Promotion143Identifying Global Catalog Servers149Restoring Global Catalog Servers150Removing Global Catalog Servers151Controlling SRV Record Registration152Managing and Maintaining Universal GroupMembership Caching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152Universal Group Membership Caching Essentials152Enabling Universal Group Membership Caching153Monitoring and Troubleshooting UniversalGroup Membership Caching155Managing and Maintaining Replication Attributes . . . . . . . . . . . 158Understanding Global Catalog Search andthe Partial Attribute Set158Designating Replication Attributes159Monitoring and Troubleshooting ReplicationAttributes163Contentsvii

Managing and Maintaining Name Suffixes . . . . . . . . . . . . . . . . . . 163Chapter 6Configuring User Principal Name Suffixes164Configuring Name Suffix Routing165Configuring, Maintaining, and TroubleshootingOperations Masters167Operations Master Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167Introducing Operations Masters168Identifying Operations Masters169Planning for Operations Masters169Changing Operations Masters170Working with Operations Masters . . . . . . . . . . . . . . . . . . . . . . . . . 171Managing Domain Naming Masters172Managing Infrastructure Masters173Managing PDC Emulators175Managing Relative ID Masters177Managing Schema Masters180Maintaining Operations Masters . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Preparing Standby Operations MastersChapter 7181Decommissioning Operations Masters183Reducing Operations Master Workload183Seizing Operations Master Roles185Troubleshooting Operations Masters187Managing Active Directory Sites, Subnets,and Replication189Implementing Sites and Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . 189Working with Sites190Setting Site Boundaries190Replication Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191The Replication ModelviiiContents191Replication with Multiple Sites192SYSVOL Replication193Essential Services for Replication193

Intrasite Versus Intersite Replication . . . . . . . . . . . . . . . . . . . . . . . . 194Intrasite Replication194Intersite Replication195Developing Your Site Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197Mapping Your Network Structure197Designing Your Sites198Designing Your Intersite Replication Topology198Configuring Sites and Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200Creating Sites200Creating Subnets202Adding Domain Controllers to Sites203Ensuring Clients Find Domain Controllers205Configuring Site Links and Intersite Replication . . . . . . . . . . . . . . 206Understanding Site Links206Creating Site Links208Configuring Link Replication Schedules210Bridging Sites212Locating and Designating Bridgehead Servers213Locating ISTGs216Optimizing Site Link Configurations217Monitoring, Verifying, and Troubleshooting Replication . . . . . . 218Monitoring Replication218Troubleshooting Replication219Generating Replication Topology222Verifying and Forcing Replication222PART IIIMAINTAINING AND RECOVERING ACTIVEDIRECTORYChapter 8Managing Trusts and Authentication227Active Directory Authentication and Trusts. . . . . . . . . . . . . . . . . . 227Trust Essentials227Authentication Essentials229Authentication Across Domain Boundaries232Authentication Across Forest Boundaries232Contentsix

Working with Domain and Forest Trusts . . . . . . . . . . . . . . . . . . . . 233Examining Trusts234Establishing Trusts236Creating External Trusts240Creating Shortcut Trusts244Creating Forest Trusts247Creating Realm Trusts251Removing Manually Created Trusts253Verifying and Troubleshooting Trusts254Configuring Selective Authentication . . . . . . . . . . . . . . . . . . . . . . . 255Chapter 9Enabling or Disabling Selective Authenticationfor External Trusts256Enabling or Disabling Selective Authenticationfor Forest Trusts256Granting the Allowed To Authenticate Permission257Maintaining and Recovering Active Directory259Protecting Objects from Accidental Deletion . . . . . . . . . . . . . . . . 259Starting and Stopping Active Directory Domain Services . . . . . 260Setting the Functional Level of Domains and Forests . . . . . . . . . 261Configuring Deleted Item Retention . . . . . . . . . . . . . . . . . . . . . . . 262Configuring the Windows Time Service . . . . . . . . . . . . . . . . . . . . . 263Understanding Windows Time264Working with W32tm265Checking the Windows Time Configuration266Configuring an Authoritative Time Source268Troubleshooting Windows Time Services269Configuring Windows Time Settings in Group Policy269Backing Up and Recovering Active Directory . . . . . . . . . . . . . . . . 277xContentsActive Directory Backup and Recovery Essentials278Backing Up and Restoring the System State280Performing a Nonauthoritative Restore ofActive Directory281Performing an Authoritative Restore of ActiveDirectory282