Active Directory - The Eye


Active Directory For Dummies, 2nd Edition
by Steve Clines and Marcia Loughry


Active Directory For Dummies, 2nd Edition

Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com

Copyright 2008 by Wiley Publishing, Inc., Indianapolis, Indiana

Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Active Directory is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2008932078

ISBN: 978-0-470-28720-0

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

About the Authors

Steve Clines, MCSE, MCT, has worked as an IT architect and engineer at EDS for over 18 years. He has worked on deployments of more than 100,000 seats for both Active Directory and Microsoft Exchange Server. Steve is the author of MCSE Designing a Windows 2000 Directory Services Infrastructure For Dummies, which is a study guide for the 70-219 MCP exam. He also maintains the Confessions of an IT Geek blog at http://itgeek.steveco.net.

Marcia Loughry, MCSE and MCP I, is a Senior Infrastructure Specialist with a large IT firm in Dallas, Texas. She is president of the Plano, Texas BackOffice User Group (PBUG) and a member of Women in Technology International. Marcia received her MCSE in NT 3.51 in 1997 and completed requirements for the NT 4.0 track in 1998.

Marcia has extensive experience working with Windows NT 3.51 and 4.0 in enterprises of all sizes. She is assigned to some of her firm’s largest customers in designing NT solutions and integrating UNIX and NetWare environments with NT.

Dedication

Steve Clines: I am dedicating this book to two people who are no longer with us. First is my mom Glenda. She is the one who really taught me about writing and how to see a project to its completion. The second person is my nephew Boomer. You have reminded me of how precious life really is and how we are to live each day with the joy that you did. You are both missed.

Marcia Loughry: This book is dedicated to my family — my son, Chris, my parents, my sister, Karen — just because I love ‘em all! Thanks for the love, laughter, and support.

Authors’ Acknowledgements

Steve Clines: I have many people to thank for their support. Foremost is my wife, Tracie, who has been my constant support. I couldn’t have done this without you. Also, thank you to my family and friends who have been a great source of continual encouragement to me.

Thank you to Marcia Loughry for getting me started down this road and giving me a great starting point for doing this edition. Also, thanks to all the great folks at Wiley Publishing for giving me this opportunity and being really easy to work with.

Lastly, thanks to my Lord and Savior. I can’t do anything without you – Phil. 4:13.

Marcia Loughry: Special thanks to literary agent Lisa Swayne, of the Swayne Agency, for finding me, taking me on, and introducing me to the fun people at Wiley Publishing.

Many, many thanks to the fine folks at Wiley Publishing: Joyce Pepple, who got me excited about this project; Jodi Jensen, who suffered and planned with me and generally kept me in line; Bill Barton, who didn’t strangle me over my consistent use of passive voice; and the rest of the Wiley team who made the book and CD possible.

And finally, heartfelt thanks to Jackie, Mary, Sherri, Michelle, Anne, Clifton, Sam, Steve, Kent, Sylvana, Nate, Clay, and all the other friends who make every day so fun.

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
  Sr. Project Editor: Christopher Morris
  Acquisitions Editor: Kyle Looper
  Copy Editor: Brian Walls
  Technical Editor: John Mueller
  Editorial Manager: Kevin Kirschner
  Editorial Assistant: Amanda Foxworth
  Sr. Editorial Assistant: Cherie Case
  Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services
  Project Coordinator: Katherine Key
  Layout and Graphics: Stacie Brooks, Reuben W. Davis, Laura Pence, Ronald Terry
  Proofreaders: Caitie Kelly, Bonnie Mikkelson, Amanda Steiner
  Indexer: Rebecca Salerno

Publishing and Editorial for Technology Dummies
  Richard Swadley, Vice President and Executive Group Publisher
  Andy Cummings, Vice President and Publisher
  Mary Bednarek, Executive Acquisitions Director
  Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
  Diane Graves Steele, Vice President and Publisher
  Joyce Pepple, Acquisitions Director

Composition Services
  Gerry Fahey, Vice President of Production Services
  Debbie Stailey, Director of Composition Services

Contents at a Glance

Introduction

Part I: Getting Started
  Chapter 1: Understanding Active Directory
  Chapter 2: Analyzing Requirements for Active Directory
  Chapter 3: Designing an Active Directory Implementation Plan

Part II: Planning and Deploying with Active Directory Domain Services
  Chapter 4: Playing the Name Game
  Chapter 5: Creating a Logical Structure
  Chapter 6: Getting Physical
  Chapter 7: Ready to Deploy!

Part III: New Active Directory Features
  Chapter 8: AD LDS: Active Directory on a Diet
  Chapter 9: Federating Active Directory
  Chapter 10: AD Certificate Services and Rights Management Services

Part IV: Managing Active Directory
  Chapter 11: Managing Users, Groups, and Other Objects
  Chapter 12: Managing Active Directory Replication
  Chapter 13: Schema-ing!
  Chapter 14: Managing Security with Active Directory Domain Services
  Chapter 15: Maintaining Active Directory

Part V: The Part of Tens
  Chapter 16: The Ten Most Important Active Directory Design Points
  Chapter 17: Ten Cool Web Sites for Active Directory Info
  Chapter 18: Ten Troubleshooting Tips for Active Directory

Part VI: Appendixes
  Appendix A: Windows 2008 AD Command Line Tools
  Appendix B: Glossary

Index

Table of Contents

Introduction
  This Book Is for You
  How This Book Is Organized
    Part I: Getting Started
    Part II: Planning and Deploying with Active Directory Domain Services
    Part III: New Active Directory Features
    Part IV: Managing Active Directory
    Part V: The Part of Tens
    Part VI: Appendixes
  Icons Used in This Book

Part I: Getting Started

Chapter 1: Understanding Active Directory
  What Is Active Directory?
    Active Directory is an umbrella
    Active Directory is an information store
    Active Directory has a structure (Or hierarchy)
    Active Directory can be customized
  Getting Hip to Active Directory Lingo
    The building blocks of Active Directory
    The Active Directory schema
    Domain Controllers and the global catalog
    The DNS namespace
  Because It’s Good for You: The Benefits of Active Directory

Chapter 2: Analyzing Requirements for Active Directory
  Why Gather Information?
  Gathering Business Information
    Surveying the business environment
    Determining business goals
  Gathering Technical Information
    Surveying the technical environment
    Determining technical goals
  Best Practices

Chapter 3: Designing an Active Directory Implementation Plan
  Why You Need an Implementation Plan
  Building the Active Directory Planning Team
  Creating Active Directory Planning Documents
    Business and technical assessments
    Vision Statement
