Active Directory Cookbook

Third Edition, January 2009
ISBN 978-0-596-52110-3
1087 pages
EUR 49.00

Table of contents
Chapter 1: Getting Started
Content preview
If you are familiar with the O’Reilly Cookbook format, which can be seen in other popular books such as the Perl Cookbook, Java Cookbook, and DNS and BIND Cookbook, then the layout of this book will be familiar to you. The book is composed of 21 chapters, each containing 10 to 30 recipes for performing a specific Active Directory task. Within each recipe are four sections: “Problem,” “Solution,” “Discussion,” and “See Also.” The “Problem” section briefly describes the task that the recipe focuses on. The “Solution” section contains step-by-step instructions on how to accomplish the task. The “Discussion” section contains detailed information about the problem or solution. The “See Also” section contains references to additional sources of information that can be useful if you still need more information after reading the discussion. The “See Also” section may reference other recipes, MS Knowledge Base (http://support.microsoft.com) articles, or documentation from the Microsoft Developers Network (MSDN; http://msdn.microsoft.com).
When we first began developing the content for the book, we struggled with how to capture the fact that you can do things multiple ways with Active Directory. You may be familiar with the famous computer science motto: TIMTOWTDI, or There Is More Than One Way To Do It. With Active Directory, there are often At Least Three Ways To Do It! You can perform a task with a graphical user interface (GUI), such as ADSI Edit, LDP, or the Active Directory Users and Computers snap-in; you can use a command-line interface (CLI), such as the ds utilities (i.e., dsadd, dsmod, dsrm, dsquery, dsget), nltest, netdom, or ldifde, or freeware tools such as adfind and admod from http://www.joeware.net; and, finally, you can perform the same task using a scripting language, such as VBScript, Perl, or PowerShell. Since people prefer different methods, and no single method is necessarily better than another, we decided to write solutions to the recipes using one of each. That means instead of just a single solution per recipe, we include up to three solutions using GUI, CLI, and programmatic examples; in some cases you’ll find more than one option for a given solution, as in the case where there is more than one command-line utility to perform a particular task. However, in cases where one of the methods cannot be used or would be too difficult to use to accomplish a given recipe, only the applicable methods are covered.
End of content preview. The rest of this section is not viewable here.
Approach to the Book
Where to Find the Tools
Content preview
For the GUI and CLI solutions to mean much to you, you need access to the tools that are used in the examples. The Windows 2000 Server Resource Kit and Windows Server 2003 Resource Kit are invaluable sources of information, along with providing numerous tools that aid administrators in daily tasks. More information on the Resource Kits can be found at http://technet.microsoft.com/en-us/windowsserver/bb633748.aspx. The Windows 2000 Support Tools package, which in Windows Server 2003 is called the Windows Support Tools package, contains many essential tools for people that work with Active Directory. The Microsoft installer (MSI) for the Windows Support Tools can be found on a Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 CD in the \support\tools directory. You can also use the Tool Finder feature available on the ActiveDir website, located at http://www.activedir.org/TF/Default.aspx. In Windows Server 2008, the notion of Resource Kit and Support Tool utilities has been abandoned in favor of including only fully supported utilities packaged with the Active Directory binaries. Almost all of the Support Tools from Windows Server 2003 are included within the Windows Server 2008 standard distribution.
You’ll also find a number of references to third-party command-line tools such as adfind, admod, oldcmp, findexpacc, and memberof. These tools were developed by Directory Services MVP joe Richards, and he has made them available for free download from his website at http://www.joeware.net/freetools. While these tools are not native to the Windows operating system, they have become an invaluable addition to many Active Directory system administrators’ toolkits, and we include them here to showcase their capabilities.
Once you have the tools at your disposal, there are a couple other issues to be aware of while trying to apply the solutions in your environment, which we’ll now describe.
A best practice for managing Active Directory is to create separate administrator accounts that you grant elevated privileges, instead of letting administrators use their normal user account that they use to access other Network Operating System (NOS) resources. This is beneficial because an administrator who wants to use elevated privileges has to log on with his administrative account explicitly instead of having the rights implicitly, which could lead to accidental changes in Active Directory. Assuming you employ this method, then you must provide alternate credentials when using tools to administer Active Directory unless you log on to a machine, such as a domain controller, with the administrative credentials.
End of content preview. The rest of this section is not viewable here.
Getting Familiar with LDIF
Content preview
Even with the new utilities available with Windows Server 2003 and Windows Server 2008, native support for modifying data within Active Directory using a command-line tool is relatively weak. The dsmod tool can modify attributes on a limited set of object classes, but it does not allow you to modify every object type.
One reason for the lack of native command-line tools to do this is that the command line is not well suited for manipulating numerous attributes of an object simultaneously. If you want to specify more than just one or two values that need to be modified, a single command could get quite long. It would be easier to use a GUI editor, such as ADSI Edit, to do the task instead.
The LDAP Data Interchange Format (LDIF) was designed to address this issue. Defined in RFC 2849 (http://www.rfc-editor.org), LDIF allows you to represent directory additions, modifications, and deletions in a text-based file, which you can import into a directory using an LDIF-capable tool.
The ldifde utility has been available since Windows 2000, and it allows you to import and export Active Directory content in LDIF format. LDIF files are composed of blocks of entries. An entry can add, modify, or delete an object. The first line of an entry is the distinguished name. The second line contains a changetype, which can be add, modify, or delete. If it is an object addition, the rest of the entry contains the attributes that should be initially set on the object (one per line). For object deletions, you do not need to specify any other attributes. And for object modifications, you need to specify at least three more lines. The first should contain the type of modification you want to perform on the object. This can be add (to set a previously unset attribute or to add a new value to a multivalued attribute), replace (to replace an existing value), or delete (to remove a value). The modification type should be followed by a colon and the attribute you want to perform the modification on. The next line should contain the name of the attribute followed by a colon, and the value for the attribute. For example, to replace the last name attribute with the value Smith, you’d use the following LDIF:
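As an added example (not code from the book), here is a small Python parser for the LDIF change records described above: it reads the dn and changetype lines, collects the attributes of an add entry, and walks the add/replace/delete blocks of a modify entry, rejecting a block that is not closed by the "-" separator ldifde expects. The sample LDIF is constructed for illustration.

```python
"""Parse LDIF change records (RFC 2849) of the kind ldifde imports.

Added example, not from the Active Directory Cookbook; SAMPLE_LDIF is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ChangeRecord:
    dn: str
    changetype: str
    attributes: dict = field(default_factory=dict)    # add: attr -> [values]
    modifications: list = field(default_factory=list)  # modify: (op, attr, [values])


def _split_line(line):
    """Split 'attr: value' into (attr, value); base64 ('::') values are left encoded."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"malformed LDIF line: {line!r}")
    return name.strip(), value.strip()


def _entry_lines(block):
    """Fold continuation lines (leading single space) into the previous line."""
    lines = []
    for raw in block.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _parse_modify(body):
    """Parse repeated blocks of '<op>: <attr>', value lines, and a closing '-'."""
    mods, i = [], 0
    while i < len(body):
        op, attr = _split_line(body[i])
        op = op.lower()
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modification type {op!r}")
        values, i = [], i + 1
        while i < len(body) and body[i] != "-":
            name, value = _split_line(body[i])
            if name.lower() != attr.lower():
                raise ValueError(f"value for {name!r} inside the {attr!r} block")
            values.append(value)
            i += 1
        if i == len(body):
            # Every modification block must end with '-' or the import is rejected.
            raise ValueError(f"modification of {attr!r} is not terminated by '-'")
        i += 1  # skip the '-' separator
        if op == "add" and not values:
            raise ValueError(f"add of {attr!r} needs at least one value")
        mods.append((op, attr, values))
    return mods


def parse_ldif(text):
    """Return a ChangeRecord for every blank-line-separated entry in text."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = _entry_lines(block)
        if not lines:
            continue
        name, dn = _split_line(lines[0])  # first line is the distinguished name
        if name.lower() != "dn":
            raise ValueError("entry must start with a dn line")
        name, changetype = _split_line(lines[1])  # second line is the changetype
        if name.lower() != "changetype":
            raise ValueError("second line must be a changetype")
        rec = ChangeRecord(dn=dn, changetype=changetype.lower())
        body = lines[2:]
        if rec.changetype == "add":
            for line in body:
                attr, value = _split_line(line)
                rec.attributes.setdefault(attr, []).append(value)
        elif rec.changetype == "delete":
            if body:
                raise ValueError("delete entries take no attribute lines")
        elif rec.changetype == "modify":
            rec.modifications = _parse_modify(body)
        else:
            raise ValueError(f"unsupported changetype {rec.changetype!r}")
        records.append(rec)
    return records


# Constructed sample: replace one user's surname, then delete a stale computer object.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=Sales,dc=adatum,dc=com
changetype: modify
replace: sn
sn: Smith
-

dn: cn=oldpc,cn=Computers,dc=adatum,dc=com
changetype: delete
"""
```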
End of content preview. The rest of this section is not viewable here.
Programming Notes
Content preview
In the VBScript solutions, our intention was to provide the answer in as few lines of code as necessary. Since this book is not a pure programming book, we did not want to provide a detailed explanation of how to use ADSI or WMI. If you are looking for that, we recommend Active Directory, Fourth Edition, by Brian Desmond et al.
The intent of the VBScript code is to provide you the basics for how a task can be automated and let you run with it. Most examples only take some minor tweaking to make them do something useful for you.
Just as with the GUI and CLI solutions, there are some important issues to be aware of when looking at the VBScript solutions.
We mentioned earlier that in the GUI and CLI examples we do not provide instructions for targeting a specific domain controller to perform a task. Instead, we rely on serverless binds in most cases. The same applies to the scripted solutions. A serverless bind for the RootDSE looks like the following in VBScript:
set objRootDSE = GetObject("LDAP://RootDSE")
That code will query the RootDSE for a domain controller in the domain of the currently logged-on user. You can target a specific domain instead by simply specifying the domain name in the ADsPath:
set objRootDSE = GetObject("LDAP://apac.adatum.com/RootDSE")
And similarly, you can target a specific domain controller by including the server name in the ADsPath:
set objRootDSE = GetObject("LDAP://dc1/RootDSE")
So depending on how your environment is set up and what forest you want to query, you may or may not need to specify a domain or server name in the code.
Just as you might need to run the GUI and CLI tools with alternate credentials, you may also need to run your scripts and programs with alternate credentials. One way is to use the runas method described earlier when invoking the script. A better option would be to use the Scheduled Tasks service to run the script under credentials you specify when creating the task. And yet another option is to hardcode the credentials in the script. Obviously, this is not very appealing in some scenarios because credentials can change over time, and as a security best practice you do not want the username and password contained in a script to be easily viewable by others. Nevertheless, it is a necessary evil, especially when developing against multiple forests, and we’ll describe how it can be done with ADSI and ADO. As an alternative, you can configure a script to prompt you for the username and password during the actual running of the script.
End of content preview. The rest of this section is not viewable here.
Replaceable Text
Content preview
This book is filled with examples. Every recipe consists of one or more examples that show how to accomplish a task. Most CLI- and VBScript-based solutions use parameters that are based on the domain, forest, OU, user, etc., that is being added, modified, queried, and so on. Instead of using fictitious names, in most cases we use replaceable text. This text should be easily recognizable because it is in italics and surrounded by angle brackets (<>). Instead of describing what each replaceable element represents every time we use it, we’ve included a list of some of the commonly used ones here:
<DomainDN>
Distinguished name of domain (e.g., dc=amer,dc=adatum,dc=com)
<ForestRootDN>
Distinguished name of the forest root domain (e.g., dc=adatum,dc=com)
<DomainDNSName>
Fully qualified DNS name of domain (e.g., amer.adatum.com)
<ForestDNSName>
Fully qualified DNS name of forest root domain (e.g., adatum.com)
<DomainControllerName>
Single-label or fully qualified DNS hostname of domain controller (e.g., dc01.adatum.com)
<UserDN>
Distinguished name of user (e.g., cn=administrator,cn=users,dc=adatum,dc=com)
<GroupDN>
Distinguished name of group (e.g., cn=DomainAdmins,cn=users,dc=adatum,dc=com)
<ComputerName>
Single-label DNS hostname of computer (e.g., adatum-xp)
End of content preview. The rest of this section is not viewable here.
Where to Find More Information
Content preview
While it is our hope that this book provides you with enough information to perform most of the tasks you need to do to maintain your Active Directory environment, it is not realistic to think every possible task has been covered. In fact, working on this book has made us realize just how much Active Directory administrators need to know.
Now that Active Directory has been around for a number of years, a significant user base has been built, which has led to other great resources of information. This section contains some of the useful sources of information that we use on a regular basis.
If you have any questions about the complete syntax or usage information for any of the command-line tools we use, you should first take a look at the help information for the tools. The vast majority of CLI tools provide syntax information by simply passing /? as a parameter. For example:
> dsquery /?
The Microsoft Support website is a great source of information and is home of the Microsoft Knowledge Base (MS KB) articles. Throughout the book, we include references to pertinent MS KB articles where you can find more information on the topic. You can find the complete text for a KB article by searching on the KB number at the following website: http://support.microsoft.com/default.aspx. You can also append the KB article number to the end of this URL to go directly to the article: http://support.microsoft.com/kb/<ArticleNumber>.
MSDN contains a ton of information on Active Directory and the programmatic interfaces to Active Directory, such as ADSI and LDAP. We sometimes reference MSDN pages in recipes. Unfortunately, there is no easy way to reference the exact page we’re talking about unless we provided the URL or navigation to the page, which would more than likely change by the time the book was printed. Instead we provide the title of the page, which you can use to search on via the following site: http://msdn.microsoft.com/library.
Microsoft Active Directory Home Page (
End of content preview. The rest of this section is not viewable here.
Chapter 2: Forests, Domains, and Trusts
Content preview
To the layperson, the title of this chapter may seem like a hodgepodge of unrelated terms. For the seasoned Active Directory administrator, however, these terms represent the most fundamental and, perhaps, most important concepts within Active Directory. In simple terms, a forest is a collection of data partitions and domains; a domain is a hierarchy of objects that is replicated between one or more domain controllers; a trust is an agreement between two domains or forests to allow security principals (i.e., users, groups, and computers) from one domain to access resources in the other.
Active Directory domains are named using the Domain Name Service (DNS) namespace. You can group domains that are part of the same contiguous DNS namespace within the same domain tree. For example, the marketing.adatum.com, sales.adatum.com, and adatum.com domains are part of the adatum.com domain tree. A single domain tree is sufficient for most implementations, but one example in which multiple domain trees might be necessary is with large conglomerate corporations. Conglomerates are made up of multiple individual companies in which each company typically wants to maintain its own identity and, therefore, its own namespace. If you need to support noncontiguous namespaces within a single forest, you will need to create multiple domain trees. For example, adatum.com and treyresearch.com can form two domain trees within the same forest.
Assuming that each company within the conglomerate wants its Active Directory domain name to be based on its company name, you have two choices for setting up this type of environment. You could either make each company’s domain(s) a domain tree within a single forest, or you could implement multiple forests. One of the biggest differences between the two options is that all the domains within the forest trust each other, whereas separate forests, by default, do not have any trust relationships set up between them. Without trust relationships, users from one forest cannot access resources located in the other forest. In our conglomerate scenario, if you want users in each company to be able to access resources within their own domain, as well as the domains belonging to other companies in the organization, using separate domain trees can create an easier approach than separate forests. However, it’s important to keep in mind when designing your network that forests form the
End of content preview. The rest of this section is not viewable here.
Introduction
Creating a Forest
Content preview
You want to create a new forest by creating a new forest root domain.

Using a graphical user interface

On a Windows 2000 domain controller:
  1. Run dcpromo from a command line or by clicking on Start→Run.
  2. Select “Domain controller for a new domain” and click Next.
  3. Select “Create a new domain tree” and click Next.
  4. Select “Create a new forest of domain trees” and click Next.
  5. Follow the rest of the configuration steps to complete the wizard.
On a Windows Server 2003 domain controller:
  1. Run dcpromo from a command line or by clicking on Start→Run.
  2. Select “Domain controller for a new domain” and click Next.
  3. Select “Domain in a new forest” and click Next.
  4. Follow the rest of the configuration steps to complete the wizard.
On a Windows Server 2008 domain controller:
  1. Open the Server Manager utility. In the lefthand pane, click on Roles.
  2. In the righthand pane, click Add role.
  3. Click Next. Place a checkmark next to Active Directory Domain Services.
  4. Click Next twice and then Install.
  5. Click “Close this wizard” and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
  6. Click Next twice to continue. Click the “Create a new domain in a new forest” radio button and click Next.
  7. Follow the rest of the configuration steps to complete the wizard.

Using a command-line interface

dcpromo can also be run in unattended mode; this is particularly useful when promoting domain controllers that are running on Server Core. See for more details.
The act of creating a forest consists of creating a forest root domain. To do this, you need to use dcpromo to promote a Windows 2000 or Windows Server 2003 server to be a domain controller for a new domain. The dcpromo program has a wizard interface that requires you to answer several questions about the forest and domain you want to promote the server into. After dcpromo finishes, you will be asked to reboot the computer to complete the promotion process.
End of content preview. The rest of this section is not viewable here.
Removing a Forest
Content preview
You want to tear down a forest and decommission any domains contained within it because you no longer need it.
To remove a forest, you need to demote (using dcpromo) all the domain controllers in the forest. When you run dcpromo on an existing domain controller, you will be given the option to demote the machine to a member server. After that is completed and depending on how your environment is configured, you may need to remove WINS and DNS entries that were associated with the domain controllers and domains, unless they were automatically removed via WINS deregistration and dynamic DNS (DDNS) during demotion. The following commands can help determine if all entries have been removed:
> netsh wins server \\<WINSServerName> show name <DomainNetBiosName> 1b
> netsh wins server \\<WINSServerName> show name <DomainNetBiosName> 1c
> nslookup <DomainControllerDNSName>
> nslookup -type=SRV _ldap._tcp.gc._msdcs.<ForestDNSName>
> nslookup <ForestDNSName>
You should run the first two commands for every domain in the forest if the forest contained more than one.
The method described in this solution is the graceful way to tear down a forest. You can also use a brute force method to remove a forest by simply reinstalling the operating system on all domain controllers in the forest. This method is not recommended except in lab or test environments. The brute force method is not a clean way to do it because the domain controllers are unaware the forest is being removed and may generate errors until they are rebuilt. You’ll also need to make sure any DNS resource records for the domain controllers are removed from your DNS servers since the domain controllers will not dynamically remove them like they do during the demotion process.
You will also want to remove any trusts that have been established for the forest (see for more details). For more information on how to demote a domain controller, see .
To fully remove an Active Directory forest in Windows Server 2008, you will also need to remove the Active Directory Domain Services role that has been installed on any Windows Server 2008 domain controllers. This will remove the actual system files associated with the AD DS server role. You may also need to remove any associated infrastructure roles from the servers in question, such as the DNS server role or the WINS server role. If you need to forcibly remove a single domain from an AD forest, you can also use the
End of content preview. The rest of this section is not viewable here.
Creating a Domain
Content preview
You want to create a new domain that may be part of an existing domain tree or the root of a new domain tree.

Using a graphical user interface

Run dcpromo from a command line or Start→Run. (On a Windows Server 2008 server, add the Active Directory Domain Services role prior to running dcpromo.)
On a Windows 2000 server, select “Domain controller for a new domain” and then you can select one of the following:
  • Create a new domain tree→Place this new domain tree in an existing forest
  • Create a new child domain in an existing domain tree
On a Windows Server 2003 server, select “Domain controller for a new domain” and then you can select one of the following:
  • Domain in a new forest
  • Child domain in an existing domain tree
  • Domain tree in an existing forest
On a Windows Server 2008 server, place a checkmark next to “Use advanced mode installation.” You can then select one of the following:
  • Existing forest
    • Create a new domain in an existing forest
    • Create a new domain tree root instead of a new child domain
  • Create a new domain in a new forest

Using a command-line interface

dcpromo can also be run in unattended mode. See for more details.
The two options dcpromo offers to create a new domain allow you a great deal of flexibility in creating an Active Directory infrastructure that maps to your organization’s business requirements. You can add a new domain to an existing domain tree, or else create a new domain tree entirely. If you want to create a new domain that is a child domain of a parent domain (i.e., contained within the same contiguous namespace), then you are creating a domain in an existing domain tree. If you are creating the first domain in a forest or a domain that is outside the namespace of the forest root, then you are creating a domain in a new domain tree. For example, if you have already created the treyresearch.com domain and then you install the first DC in the amer.treyresearch.com
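The child-domain versus new-domain-tree distinction drawn in the Introduction and again here comes down to contiguous DNS namespaces. As an added example (not code from the book), the following Python groups a forest's domains into domain trees and, for a proposed new domain name, reports which of the Windows Server 2003 dcpromo options listed above applies; the forest layout in FOREST is constructed, and dcpromo option labels are quoted from the recipe.

```python
"""Group forest domains into domain trees and classify a proposed new domain.

Added example, not from the Active Directory Cookbook. FOREST is a constructed
layout: the adatum.com tree with two child domains plus a treyresearch.com tree.
"""


def dns_to_dn(dns_name):
    """amer.adatum.com -> dc=amer,dc=adatum,dc=com (the <DomainDN> form)."""
    labels = [label for label in dns_name.lower().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def parent_domain(dns_name):
    """Immediate DNS parent (sales.adatum.com -> adatum.com); '' for a single label."""
    _head, sep, tail = dns_name.lower().partition(".")
    return tail if sep else ""


def domain_trees(domains):
    """Map each tree root to the domains in its contiguous namespace.

    A domain is a tree root when no other forest domain is one of its DNS ancestors.
    """
    names = {d.lower() for d in domains}
    roots = {}
    # Ancestors have fewer labels, so process short names first.
    for name in sorted(names, key=lambda n: n.count(".")):
        ancestor = parent_domain(name)
        while ancestor and ancestor not in names:
            ancestor = parent_domain(ancestor)
        if ancestor:
            root = next(r for r, members in roots.items() if ancestor in members)
            roots[root].append(name)
        else:
            roots[name] = [name]
    return roots


def classify_new_domain(forest_domains, new_domain):
    """Return the dcpromo option that creates new_domain in the given forest."""
    new_domain = new_domain.lower()
    names = {d.lower() for d in forest_domains}
    if new_domain in names:
        raise ValueError(f"{new_domain} already exists in the forest")
    if not names:
        return "Domain in a new forest"
    parent = parent_domain(new_domain)
    if parent in names:
        return "Child domain in an existing domain tree"
    # A name nested under an existing domain without its direct parent would not
    # form a contiguous tree; flag it instead of guessing.
    ancestor = parent_domain(parent)
    while ancestor:
        if ancestor in names:
            raise ValueError(f"{parent} must exist before {new_domain} can be a child")
        ancestor = parent_domain(ancestor)
    return "Domain tree in an existing forest"


# Constructed forest layout used for the checks below.
FOREST = ["adatum.com", "marketing.adatum.com", "sales.adatum.com", "treyresearch.com"]
```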
End of content preview. The rest of this section is not viewable here.
Removing a Domain
Content preview
You want to remove a domain from a forest. You may need to remove a domain during test scenarios or if you are collapsing or reducing the number of domains in a forest.
Removing a domain consists of demoting each domain controller in the domain, which is accomplished by running dcpromo on the domain controllers and following the steps to remove them. For the last domain controller in the domain, be sure to select “This server is the last domain controller in the domain” in the dcpromo wizard so that the objects associated with the domain get removed. If you do not select this option for the last domain controller in the domain, take a look at for how to remove an orphaned domain.
If the domain you want to remove has child domains, you must remove these child domains before proceeding.
After all domain controllers have been demoted, depending on how your environment is configured you may need to remove any WINS and DNS entries that were associated with the domain controllers and domain and that were not automatically removed via WINS deregistration and DDNS during the demotion process. The following commands can help determine if all entries have been removed:
> netsh wins server \\<WINSServerName> show name <DomainNetBiosName> 1b
> netsh wins server \\<WINSServerName> show name <DomainNetBiosName> 1c
> nslookup <DomainControllerName>
> nslookup -type=SRV _ldap._tcp.dc._msdcs.<DomainDNSName>
> nslookup <DomainDNSName>
You will also want to remove any trusts that have been established for the domain (see for more details). For more information on how to demote a domain controller, see .
The “brute force” method for removing a forest as described in for is not a good method for removing a domain. Doing so will leave all of the domain controller and server objects, along with the domain object and associated domain naming context hanging around in the forest. If you used that approach, you would eventually see numerous replication and file replication service errors in the event log caused by failed replication events from the nonexistent domain. You would need to remove the metadata associated with the removed domain using
End of content preview. The rest of this section is not viewable here.
Removing an Orphaned Domain
Content preview
You want to completely remove a domain that was orphaned because the domain was forcibly removed, or the last domain controller in the domain failed or was otherwise decommissioned improperly.

Using a command-line interface

The following ntdsutil commands would forcibly remove the emea.adatum.com domain from the adatum.com forest. Replace <DomainControllerName> with the hostname of the Domain Naming Master Flexible Single Master Operation (FSMO; pronounced fiz-mo) for the forest:
> ntdsutil "meta clean" "s o t" conn "con to server <DomainControllerName>" q q
metadata cleanup: "s o t" "list domains"
Found 4 domain(s)
0 - DC=adatum,DC=com
1 - DC=amer,DC=adatum,DC=com
2 - DC=emea,DC=adatum,DC=com
3 - DC=apac,DC=adatum,DC=com
select operation target: sel domain 2
No current site
Domain - DC=emea,DC=adatum,DC=com
No current server
No current Naming Context
select operation target: q
metadata cleanup: remove sel domain
You will receive a prompt asking you to confirm the forcible removal of the domain; click Yes. You will then receive a message indicating whether the removal was .
Removing an orphaned domain consists of removing the domain object for the domain (e.g., dc=emea,dc=adatum,dc=com), all of its child objects, and the associated crossRef object in the Partitions container. You need to target the Domain Naming FSMO when using ntdsutil because that server is responsible for creation and removal of domains.
Before you can use ntdsutil to remove an orphaned domain, you must first forcibly remove any domain controllers in that domain that were not gracefully demoted. (Forcibly removing individual domain controllers will be discussed in .) You must also remove the DomainDNSZones application partition associated with the orphaned domain, if this was not gracefully removed. (Forcibly removing the DomainDNSZones application partition will be discussed in Chapters and .)
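The two prerequisites above can be checked before you open ntdsutil. The following PowerShell is an added example written for this page, not code from the book: it lists the NTDS Settings objects that still claim to hold the orphaned domain's naming context (each of these is a domain controller you still have to remove with metadata cleanup) and the crossRef objects for the domain and its DomainDnsZones partition that still sit in the Partitions container. It uses only ADSI and System.DirectoryServices, assumes it runs on a forest member with read access to the Configuration partition, and the emea.adatum.com DN is the book's sample domain.

```powershell
# Added example: pre-flight check before "metadata cleanup ... remove selected domain".
# Assumes: run on a domain-joined host as a user who can read the Configuration NC.

function Get-DomainNcHosts {
    # Returns the DCs whose NTDS Settings object still references the domain NC.
    param([Parameter(Mandatory=$true)][string]$DomainDN)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configDN = [string]$rootDse.configurationNamingContext
    $sites    = [ADSI]"LDAP://CN=Sites,$configDN"

    # Each DC has an nTDSDSA object ("CN=NTDS Settings") under its server object.
    # msDS-HasDomainNCs (2003+) names the domain NC it holds; hasMasterNCs is the
    # Windows 2000 attribute and also lists the configuration and schema NCs.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($sites)
    $searcher.Filter = "(&(objectClass=nTDSDSA)(|(msDS-HasDomainNCs=$DomainDN)(hasMasterNCs=$DomainDN)))"
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $ntdsDn = [string]$result.Properties["distinguishedname"][0]
        # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        $parts = $ntdsDn -split ","
        New-Object PSObject -Property @{
            Server = $parts[1] -replace "^CN="
            Site   = $parts[3] -replace "^CN="
            NtdsDn = $ntdsDn
        }
    }
}

function Get-DomainCrossRefs {
    # Returns the crossRef objects for the domain NC and its DomainDnsZones partition.
    param([Parameter(Mandatory=$true)][string]$DomainDN)

    $rootDse    = [ADSI]"LDAP://RootDSE"
    $partitions = [ADSI]("LDAP://CN=Partitions," + [string]$rootDse.configurationNamingContext)
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions)
    $searcher.Filter = "(&(objectCategory=crossRef)(|(nCName=$DomainDN)(nCName=DC=DomainDnsZones,$DomainDN)))"
    $searcher.SearchScope = "OneLevel"
    [void]$searcher.PropertiesToLoad.AddRange(@("nCName", "dnsRoot", "distinguishedName"))

    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            NCName   = [string]$result.Properties["ncname"][0]
            DnsRoot  = [string]$result.Properties["dnsroot"][0]
            CrossRef = [string]$result.Properties["distinguishedname"][0]
        }
    }
}

# Sample domain from the recipe above
$orphan = "DC=emea,DC=adatum,DC=com"

$dcs = @(Get-DomainNcHosts -DomainDN $orphan)
if ($dcs.Count -gt 0) {
    Write-Warning "$($dcs.Count) DC object(s) still reference $orphan; remove each with 'remove selected server' first:"
    $dcs | Format-Table Server, Site, NtdsDn -AutoSize
} else {
    "No NTDS Settings objects reference $orphan."
}

$refs = @(Get-DomainCrossRefs -DomainDN $orphan)
if ($refs.Count -gt 0) {
    "crossRef objects still present for $orphan (remove DomainDnsZones before the domain):"
    $refs | Format-Table NCName, DnsRoot, CrossRef -AutoSize
} else {
    "No crossRef objects for $orphan remain in the Partitions container."
}
```

Run it again after the ntdsutil session: both lists should be empty, and the replication errors described in the previous recipe should stop once the change has replicated.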
In the solution, shortcut parameters were used to reduce the amount of typing necessary. If each parameter were typed out fully, the commands would look as follows:
Finding the Domains in a Forest
Content preview
You want a list of all domains in an Active Directory forest.

Using a graphical user interface

Open the Active Directory Domains and Trusts snap-in (domain.msc). The list of the domains in the default forest can be browsed in the left pane.

Using a command-line interface

You can retrieve this information using ntdsutil, adfind, or dsquery, as shown here:
> ntdsutil "p m" "sel op tar" c "co t s <DomainControllerName>" q "l d" q q q
> dsquery * -filter "objectcategory=domainDNS" -scope subtree
> adfind -root -f "objectcategory=domainDNS" -dn
The dsquery and adfind examples will not return every domain in a forest that contains multiple domain trees (for example, a single forest containing the domain trees adatum.com and treyresearch.com), because both search only the tree beneath the domain they are rooted in. The AdFind syntax can be modified to work in this scenario by replacing the -root switch with the -gcb switch, which runs the query against the global catalog with an empty base DN and therefore covers every domain tree in the forest.

Using VBScript

' This code gets the list of the domains contained in the
' forest that the user running the script is logged into.

strForestRoot = "<ForestRootDN>" ' i.e., dc=adatum, dc=com
strADsPath = "<LDAP://" & strForestRoot & ">;"
strFilter = "(objectCategory=domainDNS);"
strAttrs = "dnsRoot;"
strScope = "SubTree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    For Each root in objRS.Fields("dnsRoot").Value
        WScript.Echo(root)
    Next
    objRS.MoveNext
wend

Using PowerShell

The following commands assume that the Quest AD cmdlets are installed:
connect-QADservice -UseGlobalCatalog
get-QADobject -searchRoot '<ForestRootDN>' -searchScope 'subTree' -ldapFilter 'objectClass=domainDNS'

Using a graphical user interface

If you want to view the domains for a forest other than the one you are logged into, right-click on “Active Directory Domains and Trusts” in the left pane and select “Connect to Domain Controller.” Enter the forest name you want to browse in the Domain field. In the left pane, expand the forest root domain to see any subdomains.
Finding the NetBIOS Name of a Domain
Content preview
You want to find the NetBIOS name of a domain. Although Microsoft has moved to using DNS for its primary means of name resolution, the NetBIOS name of a domain is still important, especially with down-level clients that are still based on NetBIOS instead of DNS for name resolution.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. Right-click the domain you want to view in the left pane and select Properties.
The NetBIOS name will be shown in the “Domain name (pre-Windows 2000)” field.
You can also retrieve this information using LDP, as follows:
  1. Open LDP and from the menu, select Connection→Connect.
  2. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  3. For Port, enter 389.
  4. Click OK.
  5. From the menu select Connection→Bind.
  6. Click OK to bind as the currently logged-on user, or else click “Bind with credentials” and enter a username and password.
  7. Click OK.
  8. From the menu, select Browse→Search.
  9. For BaseDN, type the distinguished name of the Partitions container (e.g., cn=partitions,cn=configuration,dc=adatum,dc=com).
  10. For Scope, select Subtree.
  11. For Filter, enter:
    (&(objectcategory=crossref)(dnsRoot=<DomainDNSName>)(netbiosname=*))
  12. Click Run.

Using a command-line interface

To find the NetBIOS name of a Windows domain, use the following command:
> dsquery * cn=partitions,cn=configuration,<ForestRootDN> -filter "(&(objectcategory=crossref)(dnsroot=<DomainDNSName>)(netbiosname=*))" -attr netbiosname
Or you can use the AdFind utility as follows:
> adfind -partitions -f "(&(objectcategory=crossref)(dnsroot=<DomainDNSName>)(netbiosname=*))" cn netbiosname

Using VBScript

' This code prints the NetBIOS name for the specified domain
' ------ SCRIPT CONFIGURATION -----
strDomain = "<DomainDNSName>" ' e.g. amer.adatum.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strADsPath = "<LDAP://" & strDomain & "/cn=Partitions," & _
            objRootDSE.Get("configurationNamingContext") & ">;"
strFilter = "(&(objectclass=Crossref)" & _
             "(dnsRoot=" & strDomain & ")(netBIOSName=*));"
strAttrs = "netbiosname;"
strScope = "Onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
WScript.Echo "NetBIOS name for " & strDomain & " is " & objRS.Fields(0).Value
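The crossRef objects in the Partitions container answer both of the last two recipes at once: one per naming context, with dnsRoot, nETBIOSName and nCName, and independent of how many domain trees the forest has. The following PowerShell is an added example for this page, not code from the book or a vendor cmdlet: it enumerates the domain crossRefs by testing the systemFlags bit that marks domain naming contexts, and then looks up the NetBIOS name of one domain from that list. It assumes it runs on a forest member as any authenticated user (the Partitions container is world-readable by default); amer.adatum.com is the book's sample child domain.

```powershell
# Added example: enumerate forest domains from the Partitions container.
# Domain crossRefs carry systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN); the schema,
# configuration and application-partition crossRefs do not, so the LDAP
# bitwise-AND matching rule (1.2.840.113556.1.4.803) selects domains only.

function Get-ForestDomains {
    param([string]$ForestRootDN)   # defaults to the forest the host belongs to

    if (-not $ForestRootDN) {
        $ForestRootDN = [string]([ADSI]"LDAP://RootDSE").rootDomainNamingContext
    }
    $partitions = [ADSI]"LDAP://CN=Partitions,CN=Configuration,$ForestRootDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
    $searcher.Filter = "(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))"
    $searcher.SearchScope = "OneLevel"
    [void]$searcher.PropertiesToLoad.AddRange(@("dnsRoot", "nETBIOSName", "nCName", "trustParent"))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        New-Object PSObject -Property @{
            DnsRoot     = [string]$props["dnsroot"][0]
            NetBIOSName = [string]$props["netbiosname"][0]
            DomainDN    = [string]$props["ncname"][0]
            # trustParent points at the parent domain's crossRef; it is absent on
            # the root of every domain tree, which is how you spot a second tree.
            IsTreeRoot  = ($props["trustparent"].Count -eq 0)
        }
    }
}

function Get-DomainNetBIOSName {
    param([Parameter(Mandatory=$true)][string]$DomainDNSName)

    $match = Get-ForestDomains | Where-Object { $_.DnsRoot -eq $DomainDNSName }
    if (-not $match) {
        throw "No domain crossRef with dnsRoot '$DomainDNSName' exists in this forest"
    }
    $match.NetBIOSName
}

Get-ForestDomains | Sort-Object DnsRoot |
    Format-Table DnsRoot, NetBIOSName, IsTreeRoot, DomainDN -AutoSize

Get-DomainNetBIOSName -DomainDNSName "amer.adatum.com"
```

Because the query is rooted in the Configuration partition rather than in a domain, it returns every tree in the forest without the -gcb workaround the adfind note above needs.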
Renaming a Domain
Content preview
You want to rename a domain, for example due to organizational changes; legal restrictions; or because of a merger, acquisition, or divestiture. Renaming a domain is a very involved process and should be done only when absolutely necessary. Changing the name of a domain can have an impact on everything from DNS, replication, and GPOs to DFS and Certificate Services. A domain rename also requires rebooting all domain controllers, member servers, and client computers in the domain!
Under Windows 2000, there is no supported process to rename a domain. There is one workaround for mixed-mode domains in which you revert the domain and any of its child domains back to Windows NT domains. This can be done by demoting all Windows 2000 domain controllers and leaving the Windows NT domain controllers in place, or simply by rebuilding all of the 2000 DCs. You could then reintroduce Windows 2000 domain controllers and use the new domain name when setting up Active Directory. The process is not very clean and probably won’t be suitable for most situations, but you can find out more about it in MS KB 292541.
A domain rename procedure is supported if a forest is running all Windows Server 2003 domain controllers and is at the Windows Server 2003 forest functional level. Microsoft provides a rename tool (rendom.exe) and a detailed white paper describing the process at http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx.
Although the domain rename procedure is greatly simplified in Windows Server 2003 and Windows Server 2008, we highly recommend reading the entire white paper before attempting the procedure, as well as attempting the procedure in a test lab before performing it against a production environment.
The domain rename process can accommodate very complex changes to your domain model. You can perform the following types of renames:
  • Rename a domain to a new name without repositioning it in the domain tree.
Raising the Domain Mode to Windows 2000 Native Mode
Content preview
You want to change the mode of a Windows 2000 Active Directory domain from mixed mode to native mode. You typically want to do this as soon as possible after installing a Windows 2000 domain to take advantage of features that aren’t available with mixed-mode domains. (For more information on the features available at the different levels, see http://technet2.microsoft.com/WindowsServer/en/Library/b3674c9b-fab9-4c1e-a8f6-7871264712711033.mspx.)

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. Browse to the domain you want to change in the left pane.
  3. Right-click on the domain and select Properties. The current mode will be listed in the Domain Operation Mode box.
  4. To change the mode, click the Change Mode button at the bottom.

Using a command-line interface

To change the mode to native mode, create an LDIF file called change_domain_mode.ldf with the following contents:
dn: <DomainDN>
changetype: modify
replace: ntMixedDomain
ntMixedDomain: 0
-
Then run ldifde to import the change.
> ldifde -i -f change_domain_mode.ldf
Alternately, you can use the admod utility to update your domain to native mode using the following syntax:
> admod -b dc=adatum,dc=com "ntMixedDomain::0"

Using VBScript

' This code changes the mode of the specified domain to native
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. amer.adatum.com
' ------ END CONFIGURATION ---------

set objDomain = GetObject("LDAP://" & strDomain)
if objDomain.Get("nTMixedDomain") > 0 Then
   Wscript.Echo "Changing mode to native ... "
   objDomain.Put "nTMixedDomain", 0
   objDomain.SetInfo
else
   Wscript.Echo "Already a native mode domain"
end if

Using PowerShell

You can modify the nTMixedDomain attribute using the Quest PowerShell cmdlets or the native ADSI methods, as follows:
connect-QADservice -UseGlobalCatalog
set-QADObject -identity '<DomainDN>' -objectAttributes @{ntMixedDomain=0}

$objDom = [ADSI] "LDAP://<DomainDN>"
$objDom.put("ntMixedDomain", "0")
$objDom.SetInfo()
Viewing and Raising the Functional Level of a Windows Server 2003 or 2008 Domain
Content preview
You want to raise the functional level of a Windows Server 2003 or Windows Server 2008 domain. You should raise the functional level of a domain as soon as possible after installing a new Windows Server 2003 domain or upgrading from Windows 2000 to take advantage of the new features and enhancements.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. In the left pane, browse to the domain you want to raise, right-click it, and select Raise Domain Functional Level.
  3. From this screen, you can view the current domain functional level. To raise it, select the new functional level and click OK.
After a few seconds you should see a message stating whether the operation was successful.

Using a command-line interface

To retrieve the current functional level using DSQuery, use the following command:
> dsquery * <DomainDN> -scope base -attr msDS-Behavior-Version
DSQuery will return the following output in a Windows 2000 functional-level domain:
> msDS-Behavior-Version
> 0
Or you can use the AdFind utility as follows:
> adfind -s Base -b <DomainDN> msDS-Behavior-Version
AdFind will return the following output in a Windows 2000 functional-level domain:
> AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
>
> Using server: dc1.adatum.com:389
> Directory: Windows Server 2003
>
> dn:dc=adatum,dc=com
>> msDS-Behavior-Version: 0
>
>
> 1 Objects returned
To change the functional level to Windows Server 2003, create an LDIF file called raise_domain_func_level.ldf with the following contents:
dn: <DomainDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-
To raise the domain functional level to Windows Server 2008, use a value of '3' for msDS-Behavior-Version.
Next, run ldifde to import the change:
> ldifde -i -f raise_domain_func_level.ldf
Alternatively, you can use the admod utility to raise the domain functional level using the following syntax, with the output that follows:
Raising the Functional Level of a Windows Server 2003 or 2008 Forest
Content preview
You want to raise the functional level of a Windows Server 2003 or Windows Server 2008 forest. You should raise the functional level of a forest as soon as possible after installing a new Windows Server 2003/2008 forest or when upgrading from a downlevel forest in order to take advantage of the new features and enhancements available in Windows Server 2003 and Windows Server 2008.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. In the left pane, right-click on Active Directory Domains and Trusts and select Raise Forest Functional Level.
  3. Select Windows Server 2003 or Windows Server 2008 Functional Level and click OK.
After a few seconds, you should see a message stating whether the operation was successful.

Using a command-line interface

To retrieve the current forest functional level, use the following command:
> dsquery * cn=Partitions,cn=Configuration,<ForestRootDN> -scope base -attr msDS-Behavior-Version
> adfind -partitions -s base msDS-Behavior-Version
>
> AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
>
> Using server: TEST-DC1.test.loc:389
> Directory: Windows Server 2003
> Base DN: CN=Partitions,CN=Configuration,DC=test,DC=loc
>
> dn:CN=Partitions,CN=Configuration,DC=test,DC=loc
> msDS-Behavior-Version: 2
>
>
> 1 Objects returned
To change the functional level to Windows Server 2003, create an LDIF file called raise_forest_func_level.ldf with the following contents:
dn: cn=partitions,cn=configuration,<ForestRootDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-
To raise the forest functional level to Windows Server 2008, use a value of '3' for msDS-Behavior-Version.
Next, run ldifde to import the change:
> ldifde -i -f raise_forest_func_level.ldf
Or else you can use the admod utility as follows:
> admod -b cn=Partitions,cn=Configuration,<ForestRootDN> "msDS-Behavior-Version::2"
or:
> admod -b cn=Partitions,cn=Configuration,<ForestRootDN> "msDS-Behavior-Version::3"
This will display results similar to the following:
> AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007
>
> DN Count: 1
> Using server: dc1.adatum.com
> Modifying specified objects...
> DN: cn=Partitions,cn=Configuration,dc=adatum,dc=com...
>
> The command completed successfully
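The LDIF and admod solutions in this recipe and the previous one write msDS-Behavior-Version blind, and the level value is a plain integer, so it is easy to write the wrong one. The following PowerShell is an added example for this page, not code from the book: it reads the domain, forest and DC levels from RootDSE, maps the numbers to names, and raises either level only after checking that the target is a known value and not lower than the current one. It assumes a Windows Server 2003 or later domain controller (RootDSE exposes the *Functionality attributes from 2003 on), the ADSI interfaces used by the PowerShell solution above, and an account allowed to write the attribute (Domain Admins for the domain, Enterprise Admins for the forest). The numeric values for Windows 2000 through Windows Server 2008 R2 are the ones Microsoft documents for the attribute; only 0, 2 and 3 appear in the book's text.

```powershell
# Added example: inspect and raise functional levels with guard rails.

# Meaning of msDS-Behavior-Version values (RootDSE reports the same numbering)
$FunctionalLevelNames = @{
    0 = "Windows 2000"
    1 = "Windows Server 2003 interim"
    2 = "Windows Server 2003"
    3 = "Windows Server 2008"
    4 = "Windows Server 2008 R2"
}

function Get-FunctionalLevels {
    param([string]$Server)   # optional DC to bind to; default lets the locator pick one

    $prefix  = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse = [ADSI]"${prefix}RootDSE"
    $levels  = @{}
    foreach ($attr in "domainFunctionality", "forestFunctionality", "domainControllerFunctionality") {
        $value = [int][string]$rootDse.$attr
        $levels[$attr] = "$value ($($FunctionalLevelNames[$value]))"
    }
    New-Object PSObject -Property $levels
}

function Set-FunctionalLevel {
    param(
        [Parameter(Mandatory=$true)][ValidateSet("Domain", "Forest")][string]$Scope,
        [Parameter(Mandatory=$true)][int]$Level,
        [string]$Server
    )
    if (-not $FunctionalLevelNames.ContainsKey($Level)) {
        throw "Unknown functional level $Level"
    }
    $prefix  = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $rootDse = [ADSI]"${prefix}RootDSE"

    # The domain level lives on the domain head, the forest level on the
    # Partitions container, exactly as in the LDIF files above.
    $dn = if ($Scope -eq "Domain") {
        [string]$rootDse.defaultNamingContext
    } else {
        "CN=Partitions," + [string]$rootDse.configurationNamingContext
    }
    $target  = [ADSI]"${prefix}$dn"
    $current = [int][string]$target.'msDS-Behavior-Version'

    # Raising is one-way on Windows Server 2003/2008: refuse to go backwards.
    if ($Level -lt $current) {
        throw "$Scope is already at level $current ($($FunctionalLevelNames[$current])); lowering to $Level is not supported"
    }
    if ($Level -eq $current) {
        return "$Scope already at level $Level ($($FunctionalLevelNames[$Level]))"
    }

    $target.Put("msDS-Behavior-Version", $Level)
    # The DC rejects the write (SetInfo throws) if any DC in scope, or for the
    # forest any domain, is still below the requested level.
    $target.SetInfo()
    "$Scope raised from $current to $Level ($($FunctionalLevelNames[$Level]))"
}

Get-FunctionalLevels | Format-List
# Set-FunctionalLevel -Scope Domain -Level 3     # Windows Server 2008, as in the LDIF above
# Set-FunctionalLevel -Scope Forest -Level 2     # Windows Server 2003
```

Run Get-FunctionalLevels first against a DC in every domain: the forest raise fails until each domain reports the level you are about to request.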
Using AdPrep to Prepare a Domain or Forest for Windows Server 2003 or 2008
Content preview
You want to upgrade your existing Active Directory domain controllers to Windows Server 2003 or Windows Server 2008. Before doing this, you must run the AdPrep tool, which extends the schema and adds several objects in Active Directory that are necessary for new features and enhancements.
To prepare a Windows 2000 domain or forest for a Windows Server 2003 upgrade, you will first run the following command on the Schema FSMO with the credentials of an account that is in both the Enterprise Admins and Schema Admins groups:
> adprep /forestprep
After the updates from /forestprep have replicated throughout the forest (see ), run the following command on the Infrastructure FSMO in each domain with the credentials of an account in the Domain Admins group:
> adprep /domainprep
If the updates from /forestprep have not replicated to at least the Infrastructure FSMO servers in each domain, an error will be returned when running /domainprep. To debug any problems you encounter, check out the AdPrep logfiles located at %SystemRoot%\System32\Debug\Adprep\Logs.
AdPrep can be found in the \i386 directory on the Windows Server 2003 or Windows Server 2008 CD. The tool relies on several files in that directory, so you cannot simply copy that file out to a server and run it. You must either run it from a CD or from a location where the entire directory has been copied.
To prepare to add the first Windows Server 2003 R2 domain controller to an existing domain, you will need to run the version of AdPrep contained on Disc 2 of the R2 media. The R2 preparation also includes a third AdPrep switch that will update permissions on existing Group Policy Objects (GPOs) to allow for updated functionality in the Group Policy Management Console (GPMC):
> adprep /domainprep /gpprep
The Windows Server 2008 preparation, in addition to /forestprep, /domainprep, and /domainprep /gpprep, also includes /rodcprep to allow for the installation of Read-Only Domain Controllers (RODCs), which we will discuss in .
Determining Whether AdPrep Has Completed
Content preview
You want to determine whether the AdPrep process, described in , has successfully prepared a domain or forest for Windows Server 2003 or Windows Server 2008. After AdPrep has completed, you will then be ready to start promoting Windows Server 2003 or Windows Server 2008 domain controllers.
To determine whether adprep /forestprep has completed for a Windows Server 2003 upgrade, check for the existence of the following object where <ForestRootDN> is the distinguished name of the forest root domain:
cn=Windows2003Update,cn=ForestUpdates,cn=Configuration,<ForestRootDN>
To determine whether adprep /forestprep has completed for a Windows Server 2008 upgrade, check for the existence of the following object, where <ForestRootDN> is the distinguished name of the forest root domain:
cn=ActiveDirectoryUpdate,cn=ForestUpdates,cn=Configuration,<ForestRootDN>
To determine whether adprep /domainprep has completed for a Windows Server 2003 upgrade, check for the existence of the following object where <DomainDN> is the distinguished name of the domain:
cn=Windows2003Update,cn=DomainUpdates,cn=System,<DomainDN>
To determine whether adprep /domainprep has completed for a Windows Server 2008 upgrade, check for the existence of the following object where <DomainDN> is the distinguished name of the domain:
cn=ActiveDirectoryUpdate,cn=DomainUpdates,cn=System,<DomainDN>
As described in , the AdPrep utility is used to prepare an Active Directory forest for the upgrade to Windows Server 2003 or Windows Server 2008. One of the nice features of AdPrep is that it stores its progress in Active Directory. For /domainprep, a container with a distinguished name of cn=DomainUpdates,cn=System,<DomainDN> is created that has child containers cn=Operations and cn=Windows2003Update for Windows Server 2003 domainprep operations. After AdPrep completes a task, such as extending the schema, it creates an object under the cn=Operations container to signify its completion. Each object has a GUID for its name, which represents some internal operation for AdPrep.
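The four marker objects listed above can be tested from a script before you start promoting new domain controllers. The following PowerShell is an added example for this page, not code from the book: it builds the marker DN for a given scope and Windows version, tests whether the object exists, and lists the per-operation GUID objects under cn=Operations with their creation time so you can see how far a partial run got. It assumes it runs on a forest member as a user who can read the Configuration partition and the domain's System container (any authenticated user by default); the marker and container names are the ones given in the recipe.

```powershell
# Added example: check AdPrep progress markers.

function Get-AdPrepContainer {
    # DN of the ForestUpdates or DomainUpdates container for the requested scope.
    param(
        [Parameter(Mandatory=$true)][ValidateSet("Forest", "Domain")][string]$Scope,
        [string]$DomainDN
    )
    $rootDse = [ADSI]"LDAP://RootDSE"
    if ($Scope -eq "Forest") {
        "CN=ForestUpdates,CN=Configuration," + [string]$rootDse.rootDomainNamingContext
    } else {
        if (-not $DomainDN) { $DomainDN = [string]$rootDse.defaultNamingContext }
        "CN=DomainUpdates,CN=System,$DomainDN"
    }
}

function Test-AdPrepCompleted {
    param(
        [Parameter(Mandatory=$true)][ValidateSet("Forest", "Domain")][string]$Scope,
        [Parameter(Mandatory=$true)][ValidateSet("2003", "2008")][string]$Version,
        [string]$DomainDN
    )
    # Windows2003Update marks a Windows Server 2003 run, ActiveDirectoryUpdate a 2008 run.
    $marker = if ($Version -eq "2003") { "Windows2003Update" } else { "ActiveDirectoryUpdate" }
    $dn = "CN=$marker," + (Get-AdPrepContainer -Scope $Scope -DomainDN $DomainDN)
    New-Object PSObject -Property @{
        Scope     = $Scope
        Version   = $Version
        Marker    = $dn
        Completed = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")
    }
}

function Get-AdPrepOperations {
    # Lists the GUID-named objects AdPrep leaves under cn=Operations, oldest first.
    param(
        [Parameter(Mandatory=$true)][ValidateSet("Forest", "Domain")][string]$Scope,
        [string]$DomainDN
    )
    $ops = [ADSI]("LDAP://CN=Operations," + (Get-AdPrepContainer -Scope $Scope -DomainDN $DomainDN))
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ops)
    $searcher.Filter = "(objectClass=*)"
    $searcher.SearchScope = "OneLevel"
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "whenCreated"))
    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Operation = [string]$result.Properties["cn"][0]   # GUID of an internal AdPrep step
            Created   = $result.Properties["whencreated"][0]
        }
    }
}

foreach ($version in "2003", "2008") {
    Test-AdPrepCompleted -Scope Forest -Version $version
    Test-AdPrepCompleted -Scope Domain -Version $version
}
Get-AdPrepOperations -Scope Domain | Sort-Object Created | Format-Table Created, Operation -AutoSize
```

Because the markers replicate like any other object, run the check against a DC in the domain you are about to upgrade rather than against the FSMO where adprep ran; a "Completed = False" there is the replication lag the previous recipe warns about.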
Checking If a Windows Domain Controller Can Be Upgraded to Windows Server 2003 or 2008
Content preview
You want to determine whether a domain controller is ready to be upgraded to Windows Server 2003 or Windows Server 2008.

Using a graphical user interface

Windows Server 2003
Insert a Windows Server 2003 CD into the Windows 2000 domain controller or map a drive to the files contained on the CD. Run the following command from the \i386 directory:
> winnt32 /checkupgradeonly
Windows Server 2008
Download and run the Microsoft Assessment and Planning Solution Accelerator from the Microsoft website, which will generate upgrade readiness reports to help your organization prepare for an upgrade to Windows Vista and Windows Server 2008.

Using a command-line interface

To produce a compatibility report from the command line, you first need to create a text file containing the following information:
[Unattended]
Win9xUpgrade = Yes

[Win9xUpg]
ReportOnly = Yes
SaveReportTo = "\\server1\upgradereports\"
Save this file as unattend.txt, and then run the following from the command line:
> winnt32 /checkupgradeonly /unattend:c:\unattend.txt
The /checkupgradeonly switch simulates the initial steps for upgrading a server to Windows Server 2003. It verifies, among other things, that AdPrep has completed and checks any installed applications against a known list of compatible and noncompatible applications with the new operating system.
Windows Server 2008 has eliminated the /checkupgradeonly switch in the Windows Server 2008 installation media, instead opting to provide a free inventory and analysis tool in the form of the MS Assessment and Planning (MAP) tools.
for determining whether AdPrep has completed, MS KB 331161 (List of Fixes to Use on Windows 2000 Domain Controllers Before You Run the adprep /forestprep Command), and the Assessment and Planning Tools Solution Accelerator (http://technet.microsoft.com/en-us/library/bb977556.aspx)
Creating an External Trust
Content preview
You want to create a one-way or two-way nontransitive trust from an AD domain to a Windows NT domain, or to a domain within an untrusted Active Directory forest.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. In the left pane, right-click the domain you want to add a trust for and select Properties.
  3. Click on the Trusts tab.
  4. Click the New Trust button.
  5. After the New Trust Wizard opens, click Next.
  6. Type the NetBIOS name of the NT domain or the DNS name of the AD domain, and click Next.
  7. Assuming the domain name was resolvable via its NetBIOS name or FQDN, the next screen will ask for the Direction of Trust. Select Two-way, One-way incoming, or One-way outgoing, and click Next.
  8. You will be given the option to create only one side of the trust, or to create both sides of the trust simultaneously. (The latter assumes you have administrative credentials in both domains.)
  9. If you selected Two-way or One-way outgoing, you’ll need to select the scope of authentication, which can be either Domain-wide or Selective, and click Next.
  10. Enter and retype the trust password and click Next.
  11. Click Next twice to finish.

Using a command-line interface

> netdom trust <TrustingDomainName> /d:<TrustedDomainName> /add
For example, to create a trust from the NT4 domain ADATUM_NT4 to the AD domain ADATUM, use the following command:
> netdom trust ADATUM_NT4 /d:ADATUM /add
         /UserD:ADATUM\administrator /PasswordD:*
         /UserO:ADATUM_NT4\administrator /PasswordO:*
You can make the trust bidirectional, i.e., two-way, by adding a /TwoWay switch to the example.

Using PowerShell

The following code will create an outbound external trust between the local domain and a remote domain named treyresearch.net. This code will need to be mirrored on the opposite side of the trust in order for the trust to be fully functional:
$localDom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$strRemoteDom  = 'treyresearch.net'
$strRemoteUser = 'administrator'
# Sample value; in practice prompt for the password rather than keeping it in the script
$strRemotePass = 'P@ssw0rd'
# Bind to the remote domain with its own administrator credentials
$remoteCon = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $strRemoteDom, $strRemoteUser, $strRemotePass)
$remoteDom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($remoteCon)
# Creates only the local side; the remote side must create the matching 'Inbound' trust
$trustDirection = 'Outbound'
$localDom.CreateTrustRelationship($remoteDom, $trustDirection)
Creating a Transitive Trust Between Two AD Forests
Content preview
This recipe requires at least the Windows Server 2003 forest functional level in both forests.
You want to create a transitive trust between two AD forests. This causes all domains in both forests to trust each other without the need for additional trusts.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. In the left pane, right-click the forest root domain and select Properties.
  3. Click on the Trusts tab.
  4. Click the New Trust button.
  5. After the New Trust Wizard opens, click Next.
  6. Type the DNS name of the AD forest and click Next.
  7. Select Forest trust and click Next.
  8. Complete the wizard by stepping through the rest of the configuration screens.

Using a command-line interface

> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD
         [/UserD:<Forest2AdminUser> /PasswordD:*]
         [/UserO:<Forest1AdminUser> /PasswordO:*]
For example, to create a two-way forest trust from the AD forest adatum.com to the AD forest othercorp.com, use the following command:
> netdom trust adatum.com /Domain:othercorp.com /Twoway /Transitive /ADD
         /UserD:administrator@othercorp.com /PasswordD:*
         /UserO:administrator@adatum.com /PasswordO:*

Using PowerShell

The following code will create a two-way transitive trust between the local forest and a remote forest named treyresearch.net. This code will need to be mirrored on the opposite side of the trust in order for the trust to be fully functional:
$localFor = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$strRemoteFor  = 'treyresearch.net'
$strRemoteUser = 'administrator'
# Sample value; in practice prompt for the password rather than keeping it in the script
$strRemotePass = 'P@ssw0rd'
# Bind to the remote forest with its own administrator credentials
$remoteCon = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $strRemoteFor, $strRemoteUser, $strRemotePass)
# The remote Forest object is what CreateTrustRelationship needs as its partner
$remoteFor = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCon)
$trustDirection = 'Bidirectional'
$localFor.CreateTrustRelationship($remoteFor, $trustDirection)
A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. illustrates how this would look.
Creating a Shortcut Trust Between Two AD Domains
Content preview
You want to create a shortcut trust between two AD domains that are in the same forest or in two different forests. Shortcut trusts can make the authentication process more efficient between two domains in a forest.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. In the left pane, right-click the domain you want to add a trust for, and select Properties.
  3. Click on the Trusts tab.
  4. Click the New Trust button.
  5. After the New Trust Wizard opens, click Next.
  6. Type the DNS name of the AD domain and click Next.
  7. Assuming the AD domain was resolvable via DNS, the next screen will ask for the Direction of Trust. Select Two-way and click Next.
  8. For the Outgoing Trust Properties, select all resources to be authenticated and click Next.
  9. Enter and retype the trust password and click Next.
  10. Click Next twice.

Using a command-line interface

> netdom trust <Domain1DNSName> /Domain:<Domain2DNSName> /Twoway /ADD
         [/UserD:<Domain2AdminUser> /PasswordD:*]
         [/UserO:<Domain1AdminUser> /PasswordO:*]
To create a shortcut trust from the emea.adatum.com domain to the apac.adatum.com domain, use the following netdom command:
> netdom trust emea.adatum.com /Domain:apac.adatum.com /Twoway /ADD
         /UserD:administrator@apac.adatum.com /PasswordD:*
         /UserO:administrator@emea.adatum.com /PasswordO:*
Consider the forest shown in . It has five domains in a single domain tree. For authentication requests for Domain 3 to be processed by Domain 5, the request must traverse the path from Domain 3 to Domain 2 to Domain 1 to Domain 4 to Domain 5. If you create a shortcut trust between Domain 3 and Domain 5, the authentication path is just a single hop from Domain 3 to Domain 5. To create a shortcut trust, you must be a member of the Domain Admins group in both domains, or a member of the Enterprise Admins group.
Figure : Shortcut trust
Creating a Trust to a Kerberos Realm
Content preview
You want to create a trust to a Kerberos realm.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. In the left pane, right-click the domain you want to add a trust for and select Properties.
  3. Click on the Trusts tab.
  4. Click the New Trust button.
  5. After the New Trust Wizard opens, click Next.
  6. Type the name of the Kerberos realm.
  7. Select the radio button beside Realm Trust and click Next.
  8. Select either Transitive or Nontransitive and click Next.
  9. Select Two-way, One-way incoming, or One-way outgoing and click Next.
  10. Enter and retype the trust password and click Next.
  11. Click Next and click Finish.

Using a command-line interface

> netdom trust <ADDomainDNSName> /Domain:<KerberosRealmDNSName>
         /Realm /ADD /PasswordT:<TrustPassword>
         [/UserO:<ADDomainAdminUser> /PasswordO:*]
The <TrustPassword> has to match what was set on the Kerberos side. To create a realm trust from the adatum.com domain to the Kerberos realm called kerb.adatum.com, use the following command:
> netdom trust adatum.com /Domain:kerb.adatum.com
         /Realm /ADD /PasswordT:MyKerbRealmPassword
         /UserO:administrator@adatum.com /PasswordO:*
You can create a Kerberos realm trust between an Active Directory domain and a non-Windows Kerberos v5 realm. A realm trust can be used to allow clients from the non-Windows Kerberos realm to access resources in Active Directory, and vice versa. See for more information on MIT Kerberos interoperability with Active Directory.
, MS KB 260123 (Information on the Transitivity of a Kerberos Realm Trust), and MS KB 266080 (Answers to Frequently Asked Kerberos Questions)
Viewing the Trusts for a Domain
Content preview
You want to view the trusts that have been configured for a domain.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. In the left pane, right-click the domain you want to view and select Properties.
  3. Click on the Trusts tab.

Using a command-line interface

To enumerate domain trusts using the netdom utility, use the following syntax:
> netdom query trust /Domain:<DomainDNSName>
You can also use nltest, available from the Windows Support Tools, as follows:
> nltest /domain_trusts /All_Trusts

Using VBScript

' Enumerates the trusts of the local computer's domain through the
' Trustmon WMI provider (root\MicrosoftActiveDirectory).
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\MicrosoftActiveDirectory")

Set trustList = objWMIService.ExecQuery _
    ("Select * from Microsoft_DomainTrustStatus")

For each trust in trustList
    Wscript.Echo "Trusted domain: " & trust.TrustedDomain
    Wscript.Echo "Trust direction: " & trust.TrustDirection
    Wscript.Echo "(1: inbound, 2: outbound, 3: two-way)"
    Wscript.Echo "Trust type: " & trust.TrustType
    Wscript.Echo "(1: downlevel, 2: uplevel, 3: realm, 4: DCE)"
    ' TrustAttributes is a bit mask with the TRUST_ATTRIBUTE_* values
    Wscript.Echo "Trust attributes: " & trust.TrustAttributes
    Wscript.Echo "(1: nontransitive, 2: up-level clients only,"
    Wscript.Echo " 4: quarantined (SID filtering), 8: forest transitive)"
    Wscript.Echo "Trusted domain controller name: " & trust.TrustedDCName
Next
If the adatum.com domain is configured with a two-way external trust with the barcelona.corp domain, running this script from dc1.adatum.com would produce the following output:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Trusted domain: barcelona.corp
Trust direction: 3
(1: inbound, 2: outbound, 3: two-way)
Trust type: 2
(1: downlevel, 2: uplevel, 3: realm, 4: DCE)
Trust attributes: 4
(1: nontransitive, 2: up-level clients only,
 4: tree parent, 8: tree root)
Trusted domain controller name: \\dc1.barcelona.corp

Using PowerShell

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dom.GetAllTrustRelationships() | format-list *
End of content preview. The remaining content of this section is not viewable here.
Verifying a Trust
Content preview
You want to verify that a trust is working correctly. This is the first diagnostic step to take if users notify you that authentication to a remote domain appears to be failing.

Using a graphical user interface

For the Windows 2000 version of the Active Directory Domains and Trusts snap-in (domain.msc):
  1. In the left pane, right-click on the trusting domain and select Properties.
  2. Click the Trusts tab.
  3. Click the domain that is associated with the trust you want to verify.
  4. Click the Edit button.
  5. Click the Verify button.
For the Windows Server 2003 and Windows Server 2008 version of the Active Directory Domains and Trusts snap-in:
  1. In the left pane, right-click on the trusting domain and select Properties.
  2. Click the Trusts tab.
  3. Click the domain that is associated with the trust you want to verify.
  4. Click the Properties button.
  5. Click the Validate button.

Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Verify /verbose
    [/UserO:<TrustingDomainUser> /PasswordO:*]
    [/UserD:<TrustedDomainUser> /PasswordD:*]

Using VBScript

' The following code lists all of the trusts for the
' specified domain using the Trustmon WMI Provider.
' The Trustmon WMI Provider is supported on Windows Server 2003 and 2008.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. amer.adatum.com
' ------ END CONFIGURATION ---------

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next

' This code shows how to search specifically for trusts
' that have failed, which can be accomplished using a WQL query that
' contains the query: TrustIsOk = False
' ------ SCRIPT CONFIGURATION ------
strDomain = "
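The following PowerShell script is an added example and not part of the book or its authors' code. It serves both the "Viewing the Trusts for a Domain" and "Verifying a Trust" recipes: it reads the same Microsoft_DomainTrustStatus class the VBScript solutions query, decodes direction and type into readable values, reports the TrustIsOK verdict, and pushes the `TrustIsOk = False` condition into the WQL query as the truncated second script sets out to do. The live query assumes a Windows Server 2003 or 2008 domain controller with the Trustmon provider; the sample objects at the end are constructed so the report logic can be exercised without a domain. The function names and the `oldlab.example` trust are assumptions, not names from the book.

```powershell
# Added example, not from the book: a trust health report built on the same
# Trustmon class (Microsoft_DomainTrustStatus) the recipe's VBScript queries.
# Value legends below are the ones printed by the recipe's script.

$DirectionNames = @{ 1 = 'inbound'; 2 = 'outbound'; 3 = 'two-way' }
$TypeNames      = @{ 1 = 'downlevel'; 2 = 'uplevel'; 3 = 'realm'; 4 = 'DCE' }

function ConvertTo-TrustHealth {
    # Turns one Microsoft_DomainTrustStatus instance (or a look-alike object)
    # into a row with readable values and a pass/fail verdict.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Trust)
    process {
        [pscustomobject]@{
            TrustedDomain = $Trust.TrustedDomain
            Direction     = $DirectionNames[[int]$Trust.TrustDirection]   # cast: WMI hands back uint32
            Type          = $TypeNames[[int]$Trust.TrustType]
            Transitive    = (([int]$Trust.TrustAttributes -band 1) -eq 0)  # attribute bit 1 = nontransitive
            TrustedDC     = $Trust.TrustedDCName
            Healthy       = [bool]$Trust.TrustIsOK
            Status        = $Trust.TrustStatusString
        }
    }
}

function Get-TrustHealth {
    # Live query against a DC. -FailedOnly applies "TrustIsOk = False" inside WQL,
    # so only broken trusts come back from the provider.
    param([string]$ComputerName = '.', [switch]$FailedOnly)
    $query = 'SELECT * FROM Microsoft_DomainTrustStatus'
    if ($FailedOnly) { $query += ' WHERE TrustIsOk = False' }
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftActiveDirectory' -Query $query |
        ConvertTo-TrustHealth
}

# Constructed sample: the healthy barcelona.corp trust from the recipe's output
# plus a hypothetical broken trust to a decommissioned domain (status values made up).
$sample = @(
    [pscustomobject]@{ TrustedDomain = 'barcelona.corp'; TrustDirection = 3; TrustType = 2
                       TrustAttributes = 4; TrustedDCName = '\\dc1.barcelona.corp'
                       TrustIsOK = $true; TrustStatus = 0; TrustStatusString = 'OK' }
    [pscustomobject]@{ TrustedDomain = 'oldlab.example'; TrustDirection = 2; TrustType = 2
                       TrustAttributes = 1; TrustedDCName = $null
                       TrustIsOK = $false; TrustStatus = 1355
                       TrustStatusString = 'The specified domain either does not exist or could not be contacted.' }
)

$sample | ConvertTo-TrustHealth | Format-Table -AutoSize
# The same "failed only" filter applied client-side to the sample:
$sample | ConvertTo-TrustHealth | Where-Object { -not $_.Healthy }
```

On a real DC, `Get-TrustHealth -FailedOnly` is the one-liner equivalent of the recipe's second script; running it without the switch gives the full inventory, which is the place to start when a user reports that authentication to a remote domain is failing.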
End of content preview. The remaining content of this section is not viewable here.
Resetting a Trust
Content preview
You want to reset a trust password. If you’ve determined a trust is broken, you need to reset it, which will allow users to authenticate across it again.

Using a graphical user interface

Follow the same directions as . The option to reset the trust will only be presented if the Verify/Validate did not succeed. In Windows Server 2003, if the trust validation process fails, you will be prompted to reset the trust password.

Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Reset /verbose
    [/UserO:<TrustingDomainUser> /PasswordO:*]
    [/UserD:<TrustedDomainUser> /PasswordD:*]

Using VBScript

' This code resets the specified trust.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm you want to reset the trust for.
strTrustName = "<TrustToCheck>"
' Set to the DNS name of the source or trusting domain.
strDomain = "<TrustingDomain>"
' ------ END CONFIGURATION ---------

' Enable SC_RESET during trust enumerations
set objTrustProv = GetObject("winmgmts:\\" & strDomain & _
               "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustCheckLevel = 3 ' Enumerate with SC_RESET
objTrustProv.Put_

' Query the trust and print status information
set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * " _
                       & " from Microsoft_DomainTrustStatus " _
                       & " where TrustedDomain = '" & strTrustName & "'" )
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next
End of content preview. The remaining content of this section is not viewable here.
Removing a Trust
Content preview
You want to remove a trust. This is commonly done when the remote domain has been decommissioned or access to it is no longer required.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. In the left pane, right-click on the trusting domain and select Properties.
  3. Click the Trusts tab.
  4. Click on the domain that is associated with the trust you want to remove.
  5. Click the Remove button.
  6. Click OK.

Using a command-line interface

To remove a trust relationship using the netdom utility, use the following syntax:
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
To remove a trust using a combination of AdFind and AdMod, issue the following two commands:
> adfind -b cn=<Trusted Domain>,cn=system,<Domain DN> -dsq | admod -rm
> adfind -b cn=<TrustName>$,cn=users,<Domain DN> -dsq | admod -rm
Both of these commands first use AdFind to return the object that needs to be deleted, then use the | operator to send that object to AdMod to perform the actual deletion.

Using VBScript

' This code deletes a trust in the specified domain.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm trust you want to delete.
strTrustName = "<TrustName>"
' Set to the DNS name of the source or trusting domain
strDomain = "<DomainDNSName>"
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
' Delete the trustedDomain object from the System container
set objTrust = GetObject("LDAP://cn=System," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrust.Delete "trustedDomain", "cn=" & strTrustName
' Delete the matching trust account (<TrustName>$) from the Users container
set objTrustUser = GetObject("LDAP://cn=Users," & _
                             objRootDSE.Get("defaultNamingContext") )
objTrustUser.Delete "trustedDomain", "cn=" & strTrustName & "$"
WScript.Echo "Successfully deleted trust for " & strTrustName

Using PowerShell

The following code will remove an external trust relationship configured between the local domain and the
End of content preview. The remaining content of this section is not viewable here.
Enabling SID Filtering for a Trust
Content preview
You want to enable Security Identifier (SID) filtering for a trust. By enabling SID filtering, you can keep a hacker from spoofing an SID across a trust.

Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /EnableSIDHistory:No
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]

Using PowerShell

The following PowerShell code retrieves the current SID Filtering setting on an external trust configured between the local domain and the remote treyresearch.net domain:
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dom.GetSidFilteringStatus('treyresearch.net')
The following code enables SID Filtering on a trust configured between the local domain and the remote treyresearch.net domain:
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dom.SetSidFilteringStatus('treyresearch.net', $true)
A security vulnerability exists with the use of SID history, which is described in detail in MS KB 289243. An administrator in a trusted domain can modify the SID history for a user, which could grant her elevated privileges in the trusting domain. The risk of this exploit is relatively low due to the complexity of forging an SID, but nevertheless, you should be aware of it. To prevent this from happening you can enable SID Filtering for a trust. When SID filtering is enabled, the only SIDs that are used as part of a user’s token are from those domains in the trust path of the trusted domain—so if the trusted domain is adatum.com, which has a child domain called emea.adatum.com, SID filtering would accept SIDs from both the adatum.com domain and its child domain emea. SIDs that are not a part of the trusted domain’s trust path are not included, so an SID from the barcelona.corp would be stripped from the user’s access token. SID filtering makes things more secure, but prevents the use of SID history and can cause problems with transitive trusts and domain migrations. For example, if we migrated a user from
End of content preview. The remaining content of this section is not viewable here.
Enabling Quarantine for a Trust
Content preview
You want to enable Quarantine for a trust. By enabling Quarantine, you can greatly restrict the acceptable domain SIDs in a trust relationship.

Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Quarantine:Yes
   [/UserO:<TrustingDomainUser> /PasswordO:*]
   [/UserD:<TrustedDomainUser> /PasswordD:*]
A security vulnerability exists with the use of SID history, which is described in detail in MS KB 289243. An administrator in a trusted domain can modify the SID history for a user, which could grant him elevated privileges in the trusting domain. The risk of this exploit is relatively low due to the complexity in forging an SID, but nevertheless, you should be aware of it. You can put in strong restrictions in order to minimize the risk of privilege elevation by enabling Quarantine for a trust. When Quarantine is enabled, the only SIDs that are used as part of a user’s token are from those domains in the trusted domain itself. So if the trusted domain is adatum.com, which has a child domain called emea.adatum.com, Quarantine will only accept SIDs from adatum.com itself. Even domain SIDs that are a part of the trusted domain’s trust path are not included, so an SID from emea.adatum.com would be stripped from the user’s access token. Enabling Quarantine for a trust effectively removes the transitivity of a forest trust relationship, restricting the trust relationship to only the domain that you specified when you created the trust. (This causes a forest trust to emulate the default behavior of an external trust instead.)
You can disable Quarantine on a trust relationship by running the netdom command again and specifying the /Quarantine:No switch.
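The two discussions above (SID filtering and Quarantine) describe the same mechanism with two different accept lists. The following PowerShell script is an added example, not code from the book, that models the difference on a constructed token: under SID filtering the accept list is the trusted domain's trust path (adatum.com and emea.adatum.com in the book's scenario), under Quarantine it is the trusted domain alone. The S-1-5-21 domain prefixes, the account RIDs and the function names are constructed for the illustration; well-known SIDs without a domain part are simply passed through here, which is a simplification of what the real filter does with them.

```powershell
# Added example, not from the book: which SIDs survive in a user's token when it
# crosses a trust with SID filtering versus Quarantine enabled.
# Domain SIDs and token contents are constructed for illustration.

# Which domain owns which S-1-5-21 prefix (constructed values).
$DomainBySid = @{
    'S-1-5-21-1111-2222-3333' = 'adatum.com'       # the trusted domain
    'S-1-5-21-4444-5555-6666' = 'emea.adatum.com'  # child domain, in the trusted domain's trust path
    'S-1-5-21-7777-8888-9999' = 'barcelona.corp'   # not in the trust path at all
}

function Get-DomainPrefix {
    # Splits an account SID into its domain identifier; returns $null for
    # well-known SIDs such as S-1-1-0 (Everyone) that carry no domain part.
    param([string]$Sid)
    if ($Sid -match '^(S-1-5-21-\d+-\d+-\d+)-\d+$') { return $Matches[1] }
    return $null
}

function Select-AcceptedSid {
    [CmdletBinding()]
    param(
        [string[]]$TokenSids,
        [string]$TrustedDomain,
        [string[]]$TrustPath,    # the trusted domain plus every domain in its trust path
        [ValidateSet('SidFiltering', 'Quarantine')][string]$Mode
    )
    # SID filtering accepts the whole trust path of the trusted domain;
    # Quarantine accepts the trusted domain alone.
    $accepted = if ($Mode -eq 'Quarantine') { @($TrustedDomain) } else { $TrustPath }

    foreach ($sid in $TokenSids) {
        $prefix = Get-DomainPrefix $sid
        if ($null -eq $prefix) {
            # Simplification: well-known SIDs are passed through unchanged in this model.
            $sid
            continue
        }
        $owner = $DomainBySid[$prefix]
        if ($owner -and ($accepted -contains $owner)) {
            $sid
        } else {
            Write-Verbose "stripped $sid (owner: $owner)"
        }
    }
}

# Constructed token: the user's own SID, a group from the child domain,
# a barcelona.corp SID carried in sIDHistory, and the Everyone well-known SID.
$token = @(
    'S-1-5-21-1111-2222-3333-1105',
    'S-1-5-21-4444-5555-6666-1201',
    'S-1-5-21-7777-8888-9999-512',
    'S-1-1-0'
)
$path = @('adatum.com', 'emea.adatum.com')

'--- SID filtering: adatum.com and emea.adatum.com SIDs kept, barcelona.corp stripped'
Select-AcceptedSid -TokenSids $token -TrustedDomain 'adatum.com' -TrustPath $path -Mode SidFiltering -Verbose
'--- Quarantine: only adatum.com SIDs kept'
Select-AcceptedSid -TokenSids $token -TrustedDomain 'adatum.com' -TrustPath $path -Mode Quarantine -Verbose
```

The verbose stream lists every SID that was stripped and why, which is the information you want when a migrated user loses access after SID filtering or Quarantine is enabled: the SID history entries that used to grant it are exactly the ones the filter removes.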
End of content preview. The remaining content of this section is not viewable here.
Managing Selective Authentication for a Trust
Content preview
You want to enable or disable Selective Authentication for a trust. By enabling Selective Authentication, you can control which computers in a trusting domain users in a trusted domain can access. Disabling Selective Authentication will allow users in the trusted domain to authenticate to any computer in the trusting domain.

Using a graphical user interface

To enable Selective Authentication:
  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. To enable selective authentication for a forest trust, right-click on the forest root domain and select Properties. To enable selective authentication for an external trust, right-click on the domain you wish to configure and select Properties.
  3. On the Trusts tab, right-click on the trust that you wish to administer, and select Properties.
  4. On the Authentication tab, click Selective Authentication.
  5. Click OK to finish.
To disable Selective Authentication:
  1. Open the Active Directory Domains and Trusts snap-in.
  2. To enable forest-wide authentication for a forest trust, right-click on the forest root domain and select Properties. To enable domain-wide authentication for an external trust, right-click on the domain you wish to configure and select Properties.
  3. On the Trusts tab, right-click on the trust that you wish to administer, and select Properties.
  4. In the case of a forest trust, on the Authentication tab click Forest-Wide Authentication. For an external trust, on the Authentication tab click Domain-Wide Authentication.
  5. Click OK to finish.
To grant permissions on individual computers in the trusted domain:
  1. Open the Active Directory Users and Computers snap-in (dsa.msc).
  2. Right-click on the computer object that you wish to grant permissions on, and select Properties.
  3. On the Security tab, select the user or group that you want to authorize, and select the Allow checkbox next to the Allowed to Authenticate permission.
End of content preview. The remaining content of this section is not viewable here.
Finding Duplicate SIDs in a Domain
Content preview
You want to find any duplicate SIDs in a domain. Generally, you should never be able to find duplicate SIDs in a domain, but it is possible in some situations, such as when the relative identifier (RID) FSMO role owner has to be seized or you are migrating users from Windows NT domains.

Using a command-line interface

To find duplicate SIDs, run the following command, replacing <DomainControllerName> with a domain controller or domain name:
> ntdsutil "sec acc man" "co to se <DomainControllerName>" "check dup sid" q q
The following message will be returned:
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
The dupsid.log file will be in the directory where you started ntdsutil.
If you want to delete any objects that have duplicate SIDs, you can use the following command:
> ntdsutil "sec acc man" "co to se <DomainControllerName>" "clean dup sid" q q
Like the check command, the clean command will generate a message like the following upon completion:
Duplicate SID cleanup completed successfully. Check dupsid.log for any duplicate
All security principals in Active Directory have an SID, which is used to uniquely identify the object in the Windows security system. There are two parts of an SID: the domain identifier and the RID. Domain controllers are allocated an RID pool from the RID FSMO for the domain. When a new security principal (user, group, or computer) is created, the domain controller takes an RID from its pool to generate an SID for the account.
In some rare circumstances, such as when the RID master role is seized, overlapping RID pools can be allocated, which can ultimately lead to duplicate SIDs. Having duplicate SIDs is a potentially hazardous problem because a user, group, or computer could gain access to sensitive data they were never intended to have access to.
MS KB 315062 (How to Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows 2000) and MS KB 816099 (How to Find and Clean Up Duplicate Security Identifiers with Ntdsutil in Windows Server 2003)
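The discussion above explains that an SID is a domain identifier plus an RID, and that duplicate SIDs come from overlapping RID pools. The following PowerShell script is an added example, not code from the book, showing both halves of that reasoning: it decodes the `rIDAllocationPool` attribute that every DC's RID Set object carries (first RID in the low 32 bits, last RID in the high 32 bits), reports DC pairs whose pools overlap, and groups a set of principals by SID to find duplicates the way ntdsutil's check would. All DC names, pool ranges and SIDs are constructed; the function names are assumptions.

```powershell
# Added example, not from the book: decodes rIDAllocationPool values, looks
# for overlapping RID pools between DCs, and checks a set of principals for
# duplicate SIDs. All pool values, DC names and SIDs below are constructed.
# Live values come from each DC's "CN=RID Set" object under its computer
# account (attribute rIDAllocationPool, an IADsLargeInteger with HighPart/LowPart).

$Mask32 = [int64][uint32]::MaxValue   # 0xFFFFFFFF as a positive 64-bit value

function ConvertFrom-RidPool {
    # rIDAllocationPool packs the first RID of the pool into the low 32 bits
    # and the last RID into the high 32 bits.
    param([Parameter(Mandatory = $true)][int64]$Pool)
    [pscustomobject]@{
        FirstRid = $Pool -band $Mask32
        LastRid  = ($Pool -shr 32) -band $Mask32
    }
}

function New-RidPool {
    # Inverse of ConvertFrom-RidPool; used here only to build sample values.
    param([int64]$FirstRid, [int64]$LastRid)
    ($LastRid -shl 32) -bor $FirstRid
}

function Find-OverlappingRidPool {
    # $Pools maps a DC name to its rIDAllocationPool value. Two pools that
    # share any RID can hand out the same SID twice.
    param([hashtable]$Pools)
    $names = @($Pools.Keys | Sort-Object)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            $a = ConvertFrom-RidPool $Pools[$names[$i]]
            $b = ConvertFrom-RidPool $Pools[$names[$j]]
            if ($a.FirstRid -le $b.LastRid -and $b.FirstRid -le $a.LastRid) {
                [pscustomobject]@{
                    DC1 = $names[$i]; Pool1 = "$($a.FirstRid)-$($a.LastRid)"
                    DC2 = $names[$j]; Pool2 = "$($b.FirstRid)-$($b.LastRid)"
                }
            }
        }
    }
}

function Find-DuplicateSid {
    # $Principals: objects carrying DistinguishedName and ObjectSid (string form).
    param($Principals)
    $Principals | Group-Object -Property ObjectSid | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Sid     = $_.Name
            Rid     = ($_.Name -split '-')[-1]
            Objects = (($_.Group | ForEach-Object { $_.DistinguishedName }) -join '; ')
        }
    }
}

# Constructed pools: DC3's pool overlaps both DC1 and DC2, the kind of state
# a seized RID master can leave behind.
$pools = @{
    'DC1' = New-RidPool 1100 1599
    'DC2' = New-RidPool 1600 2099
    'DC3' = New-RidPool 1500 1999
}
Find-OverlappingRidPool -Pools $pools | Format-Table -AutoSize

# Constructed principals: two objects ended up with the same SID (RID 1510).
$principals = @(
    [pscustomobject]@{ DistinguishedName = 'CN=alice,CN=Users,DC=adatum,DC=com';      ObjectSid = 'S-1-5-21-1111-2222-3333-1510' }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-backup,CN=Users,DC=adatum,DC=com'; ObjectSid = 'S-1-5-21-1111-2222-3333-1510' }
    [pscustomobject]@{ DistinguishedName = 'CN=bob,CN=Users,DC=adatum,DC=com';        ObjectSid = 'S-1-5-21-1111-2222-3333-1511' }
)
Find-DuplicateSid -Principals $principals | Format-List
```

Checking pools for overlap is worth doing right after a RID master seizure, before any duplicate SIDs have been minted; the duplicate-SID grouping is the check to run afterwards, and its output tells you which objects ntdsutil's cleanup would touch.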
End of content preview. The remaining content of this section is not viewable here.
Adding Additional Fields to Active Directory Users and Computers
Content preview
You want to add to the list of attributes that you can search and sort records by within the ADUC MMC snap-in (dsa.msc).

Using a graphical user interface

In this example, we will add the operating system service-pack-level attributes of computer objects to ADUC to allow you to search and sort by these fields:
  1. Open ADSI Edit from the Windows Support Tools.
  2. If an entry for the Configuration NC is not already displayed, do the following:
  3. Right-click on ADSI Edit in the right pane and click “Connect to…”.
  4. Under “Select a well-known naming context,” select Configuration. Click Advanced if you need to specify alternate credentials, then click OK to create the connection.
  5. In the left pane, click on CN=DisplaySpecifiers, then CN=409. Right-click on the container and select Properties.
If you are using a locale other than US English, specify the appropriate locale identifier (LCID) in place of CN=409, using the reference listed at http://www.microsoft.com/globaldev/reference/lcid-all.mspx.
  6. Right-click on cn=computerDisplay and select Properties.
  7. Double-click on attributeDisplayNames. Type operatingSystemServicePack, Operating System Service Pack, and click Add.
  8. Click Apply, followed by OK.

Using a command-line interface

First create an LDIF file containing the following information, and save it as modify_display_specifiers.ldif:
dn: cn=computer-display,cn=409,cn=DisplaySpecifiers,cn=Configuration,<ForestRootDN>
changetype: modify
add: attributeDisplayNames
attributeDisplayNames: operatingSystemServicePack,Operating System Service Pack
-
Then run the following command:
> ldifde -v -i -f modify_display_specifiers.ldif
You can also modify this information using a combination of AdFind and AdMod, as follows:
> adfind -config -rb cn=computer-display,cn=409,cn=DisplaySpecifiers | admod "attributeDisplayNames:+:operatingSystemServicePack,Operating System Service Pack"

Using VBScript

' The following script will append a new value to the
' US English display specifiers
'---------- SCRIPT CONFIGURATION ------------------
  Const ADS_PROPERTY_APPEND = 3
  strForestRoot = "
End of content preview. The remaining content of this section is not viewable here.
Chapter 3: Domain Controllers, Global Catalogs, and FSMOs
Content preview
Domain controllers are servers that host an Active Directory domain and provide authentication and directory services to clients. A domain controller (DC) can only be authoritative (i.e., it can only process authentication requests) for a single domain, but it can store partial read-only copies of objects in other domains in the forest if it is enabled as a global catalog server. All domain controllers in a forest also host a copy of the Configuration and Schema Naming Contexts, which are replicated to all domain controllers in a forest.
In Windows 2000 and Windows Server 2003, Active Directory domain controllers are fully multimaster in nature, meaning that updates to the directory (with a few exceptions, which we’ll discuss next) can originate on any domain controller in a forest. However, some tasks are sufficiently sensitive in nature that they cannot be distributed to all DCs, due to the potential of significant issues arising from more than one DC performing the same update simultaneously. For example, if two different domain controllers made conflicting updates to the schema, the impact could be severe and could result in data loss or an unusable directory. For this reason, Active Directory mandates the use of Flexible Single Master Operations (FSMO, pronounced “fiz-mo”) roles. For each FSMO role, there is only one domain controller that acts as the role owner and performs the tasks associated with the role. These roles are termed “single master” because only a single DC can hold a role at any one time, but “flexible” because a single physical server can host multiple FSMOs, and a FSMO role can be transferred from one DC to another, largely without repercussion. In each Active Directory forest there are two FSMO roles that are unique across an entire forest, and three FSMO roles that appear within each domain. So in the case of a forest containing three domains, there would be two forest-wide FSMO role-holders and nine domain-wide FSMO role-holders, three for each of the three domains. See for more information on FSMO roles.
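The FSMO arithmetic above (two forest-wide roles plus three per domain) is easy to check against a live forest. The following PowerShell script is an added example, not code from the book, that walks the forest with the .NET System.DirectoryServices.ActiveDirectory classes, lists every role holder, verifies the expected count, and shows which DCs concentrate roles. It assumes a domain-joined machine, a domain account that can read the forest, and PowerShell 3.0 or later; the function name is an assumption.

```powershell
# Added example, not from the book: enumerates every FSMO role holder in the
# forest through System.DirectoryServices.ActiveDirectory and checks the count
# against the "2 forest-wide + 3 per domain" rule.

function Get-FsmoRoleHolder {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # The two forest-wide roles exist once per forest.
    [pscustomobject]@{ Scope = 'forest'; Name = $forest.Name; Role = 'Schema';       Holder = $forest.SchemaRoleOwner.Name }
    [pscustomobject]@{ Scope = 'forest'; Name = $forest.Name; Role = 'DomainNaming'; Holder = $forest.NamingRoleOwner.Name }

    # The three domain-wide roles exist once in every domain of the forest.
    foreach ($domain in $forest.Domains) {
        [pscustomobject]@{ Scope = 'domain'; Name = $domain.Name; Role = 'PDC';            Holder = $domain.PdcRoleOwner.Name }
        [pscustomobject]@{ Scope = 'domain'; Name = $domain.Name; Role = 'RID';            Holder = $domain.RidRoleOwner.Name }
        [pscustomobject]@{ Scope = 'domain'; Name = $domain.Name; Role = 'Infrastructure'; Holder = $domain.InfrastructureRoleOwner.Name }
    }
}

$roles = @(Get-FsmoRoleHolder)
$roles | Format-Table -AutoSize

# Count check from the text: a forest with N domains has 2 + 3N role holders.
$domainCount = @($roles | Where-Object { $_.Scope -eq 'domain' } | ForEach-Object { $_.Name } | Sort-Object -Unique).Count
'{0} domain(s): {1} role holders, expected {2}' -f $domainCount, $roles.Count, (2 + 3 * $domainCount)

# Which DCs concentrate roles: each one is the single point of failure for the roles it holds.
$roles | Group-Object -Property Holder | Sort-Object Count -Descending |
    Select-Object @{ n = 'DC'; e = { $_.Name } }, Count,
                  @{ n = 'Roles'; e = { ($_.Group | ForEach-Object { $_.Role }) -join ', ' } }
```

Keeping this output with your DC inventory makes a role seizure decision faster: you know in advance which roles move together when a given DC is lost.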
End of content preview. The remaining content of this section is not viewable here.
Promoting a Domain Controller
Inhaltsvorschau
You want to promote a server to a domain controller. You may need to promote a domain controller to initially create a domain in an Active Directory forest, or to add additional domain controllers to a domain for load balancing and fault tolerance.
On a Windows Server 2003 computer, run dcpromo.exe from a command line or via Start→Run and answer the questions according to the forest and domain you want to promote the server into.
On a Windows Server 2008 computer, click Start→Server Manager, and then use the Server Manager MMC to add the Active Directory Domain Services binaries to the server, after which you will be prompted to launch dcpromo.exe. (If you launch dcpromo.exe prior to adding the AD DS binaries, the dcpromo.exe wizard will appear to pause before launching as the binaries are installed in the background.)
Promoting a server to a domain controller is the process where the server becomes authoritative for an Active Directory domain. When you run the dcpromo program, a wizard interface walks you through a series of screens that collects information about the forest and domain to promote the server into. There are several options for promoting a server to domain controller status:
  • Promoting into a new forest (see )
  • Promoting into a new domain tree or child domain (see )
  • Promoting into an existing domain
Windows Server 2008 introduces the new Server Manager MMC, which provides a single graphical point of administration for most server administration tasks, such as adding and removing server roles and features. In Windows Server 2008, the Active Directory Domain Services binaries need to be explicitly added to the server before dcpromo can be run; this can be done automatically by dcpromo or by using the Server Manager console to add the AD DS server role.
Additionally, Windows Server 2008 introduces the servermanagercmd.exe command-line tool, which is the equivalent to the Server Manager MMC. To add the Active Directory Domain Services role via the
End of content preview. The remaining content of this section is not viewable here.
Promoting a Read-Only Domain Controller
Content preview
You want to promote a new RODC in a Windows Server 2008 domain.
This recipe requires that at least one writable Windows Server 2008 domain controller be present in the domain.
  1. First, add the Active Directory Domain Services role using Server Manager. Once the role has been added, run dcpromo from a command line or from the Run line on the start menu.
  2. Click Next twice to begin the dcpromo wizard. After the dcpromo wizard starts, select Existing Forest→Add a Domain Controller to an existing domain and click Next.
  3. In the Network Credentials screen, enter the name of the domain to which you are adding the DC, and specify valid network credentials for the domain if necessary. Click Next.
  4. In the Select a Domain screen, select the domain to which you wish to add the DC and then click Next.
  5. In the Select a Site screen, select the site that the new DC should belong to and then click Next.
  6. In the Additional Domain Controller Options screen, place a checkmark next to Read-Only Domain Controller. Click Next.
  7. On the Location for Database, Log Files, and SYSVOL screen, modify the default location of the Active Directory database files, log files, and SYSVOL share if necessary, or else just click Next.
  8. On the Directory Services Restore Mode screen, enter and confirm a recovery password for Active Directory and then click Next.
  9. Click Next to begin the promotion; restart the server when prompted.
In order to add a Read-Only Domain Controller to an Active Directory domain, the domain must be running at the Windows Server 2003 domain functional mode or better, and there must be at least one writable Windows Server 2008 domain controller available, since a 2008 RODC will only accept replication traffic from a 2008 writable DC.
To further customize the behavior of an RODC installation, you can select the Advanced installation option, which will allow you to install an RODC using IFM media, as well as customizing the Password Replication Policy. The installation of an RODC can also be automated using an
End of content preview. The remaining content of this section is not viewable here.
Performing a Two-Stage RODC Installation
Content preview
You want to perform a two-stage promotion of an RODC in a Windows Server 2008 domain.
This recipe requires that at least one writable Windows Server 2008 domain controller be present in the domain.
The first stage of the two-stage installation process is performed from a writable Windows Server 2008 domain controller, using the steps listed below.
The server designated to be configured as an RODC must be joined to a workgroup prior to the start of this process; if the computer is joined to the 2008 domain as a member server, these steps will fail. The server must also be configured with the same name that you will specify in the steps below.
  1. Open Active Directory Users and Computers.
  2. Right-click on the Domain Controllers OU and click “Pre-create Read-Only Domain Controller account…”. Click Next twice.
  3. The Network Credentials screen appears. Click Next to create the RODC using the credentials of the currently logged-on user, or click the Alternate Credentials radio button and click Set.
  4. Click Next. The Computer Name screen appears. Enter the name of the RODC computer account and click Next.
  5. The Select a Site screen appears. Select the site that the RODC should reside in and click Next. The Additional Domain Controller Options screen appears. Place a checkmark next to DNS server and/or Global catalog if desired, then click Next.
  6. The Delegation of RODC Installation and Administration screen appears. Click Set and enter the name of users or groups who should have local administrator rights to the RODC. Click Next twice.
  7. Click Finish.
The second stage of the RODC installation will be completed from the console of the server that is to be configured as an RODC, using the following steps:
  1. First, add the Active Directory Domain Services role using Server Manager. Once the role has been added, run dcpromo from a command line or from the Run line on the start menu.
  2. Click Next twice to begin the dcpromo wizard. After the
End of content preview. The remaining content of this section is not viewable here.
Modifying the Password Replication Policy
Content preview
You wish to modify the Password Replication Policy on a Read-Only Domain Controller to control which user and computer passwords can and cannot be cached on a particular RODC.

Using a graphical user interface

  1. Open Active Directory Users and Computers.
  2. Click View→Advanced Features.
  3. Browse to the Domain Controllers OU.
  4. Right-click on the RODC’s computer account and click Properties.
  5. Click on the Password Replication Policy tab.
  6. To add a user or group to the Password Replication Policy for this RODC, click Add.
  7. To allow the user or users’ passwords to be cached on this RODC, click Allow passwords for the account to replicate to this RODC. To prevent the user or users’ passwords from being cached on this RODC, click Deny passwords for this account from replicating to this RODC. Click OK.
  8. To remove a user or group from the Password Replication Policy from the RODC, highlight the user or group and click Remove. Click Yes to confirm.

Using a command-line interface

To add a user or group to the “Allowed to Cache” list, use the following syntax:
admod -b <DN of RODC> msDS-RevealOnDemandGroup:+:<DN of User/Group>
To remove a user or group from the “Allowed to Cache” list, use the following syntax:
admod -b <DN of RODC> msDS-RevealOnDemandGroup:-:<DN of User/Group>
To add a user or group to the “Denied to Cache” list, use the following syntax:
admod -b <DN of RODC> msDS-NeverRevealGroup:+:<DN of User/Group>

Using VBScript

To add a user or group to the “Allowed” or “Denied” list, use the following syntax:
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

Set objRODC = GetObject("LDAP://<RODC DN>")
' Append to msDS-RevealOnDemandGroup ("Allowed") or msDS-NeverRevealGroup
' ("Denied"); use ADS_PROPERTY_DELETE instead to remove an entry.
objRODC.PutEx ADS_PROPERTY_APPEND, "msDS-RevealOnDemandGroup", _
    Array("<DN of User/group>")
objRODC.SetInfo
A separate Password Replication Policy can be maintained individually on each Read-Only Domain Controller; this is implemented by the addition of several attributes on each RODC that control which users’ passwords can and cannot be cached on the RODC in question. As a best practice it is advisable to manage these attributes using security groups rather than individual users or computers, as this makes for a much more simplified management model. By default, the following domain groups are added to the Password Replication Policy of each RODC in the domain:
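As an added example that is not part of the book, the following PowerShell function wraps the same two attributes the admod and VBScript solutions write (msDS-RevealOnDemandGroup for the Allowed list, msDS-NeverRevealGroup for the Denied list) behind one command that supports -WhatIf, skips no-op changes, and warns when a principal being added to the Allowed list is still on the Denied list, since a Denied entry takes precedence. The function name and the distinguished names in the commented call are placeholders; the caller needs write access to the RODC computer object.

```powershell
# Added example, not from the book: adds or removes a principal on an RODC's
# Password Replication Policy through ADSI, using the same two attributes the
# admod and VBScript solutions write.

$ADS_PROPERTY_APPEND = 3
$ADS_PROPERTY_DELETE = 4

function Set-RodcPasswordReplication {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$RodcDN,
        [Parameter(Mandatory = $true)][string]$PrincipalDN,
        [Parameter(Mandatory = $true)][ValidateSet('Allowed', 'Denied')][string]$List,
        [Parameter(Mandatory = $true)][ValidateSet('Add', 'Remove')][string]$Action
    )
    # "Allowed to Cache" = msDS-RevealOnDemandGroup, "Denied to Cache" = msDS-NeverRevealGroup
    $attribute = if ($List -eq 'Allowed') { 'msDS-RevealOnDemandGroup' } else { 'msDS-NeverRevealGroup' }
    $operation = if ($Action -eq 'Add') { $ADS_PROPERTY_APPEND } else { $ADS_PROPERTY_DELETE }

    $rodc = [ADSI]"LDAP://$RodcDN"
    $current = @($rodc.Properties[$attribute])

    if ($Action -eq 'Add' -and ($current -contains $PrincipalDN)) {
        Write-Verbose "$PrincipalDN is already on the $List list of $RodcDN"
        return
    }
    if ($Action -eq 'Remove' -and -not ($current -contains $PrincipalDN)) {
        Write-Verbose "$PrincipalDN is not on the $List list of $RodcDN"
        return
    }
    # A Denied entry takes precedence over an Allowed entry, so adding to the
    # Allowed list changes nothing while the same principal is still denied.
    if ($Action -eq 'Add' -and $List -eq 'Allowed') {
        $denied = @($rodc.Properties['msDS-NeverRevealGroup'])
        if ($denied -contains $PrincipalDN) {
            Write-Warning "$PrincipalDN is also on the Denied list; remove it there or the Allowed entry has no effect."
        }
    }

    if ($PSCmdlet.ShouldProcess($RodcDN, "$Action $PrincipalDN on the $List list ($attribute)")) {
        $rodc.PutEx($operation, $attribute, @($PrincipalDN))
        $rodc.SetInfo()
    }
}

# Preview first, then run again without -WhatIf (placeholder DNs):
# Set-RodcPasswordReplication -RodcDN 'CN=RODC1,OU=Domain Controllers,DC=adatum,DC=com' `
#     -PrincipalDN 'CN=Branch Users,OU=Groups,DC=adatum,DC=com' -List Allowed -Action Add -WhatIf
```

Managing the lists through groups, as the discussion recommends, keeps the number of direct edits to the RODC object small; the -WhatIf preview is the habit that stops a typo in a DN from landing on the wrong list.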
End of content preview. The remaining content of this section is not viewable here.
Promoting a Windows Server 2003 Domain Controller from Media
Content preview
This recipe requires that the server being promoted is running Windows Server 2003.
You want to promote a new domain controller using a backup from another domain controller as the initial source of the Active Directory database instead of replicating the entire NTDS.DIT file over the network.
  1. You first need to back up the system state of an existing domain controller in the domain the new server will go in. This can be accomplished by running the MS Backup utility found at Start→Programs→Accessories→System Tools→Backup.
  2. Once you have a good backup, you then need to restore it to the new server, which can also be done using MS Backup. You should restore the files to an alternate location, not to their original location.
  3. Next, run dcpromo with the /adv switch from a command line or by clicking Start→Run, as follows:
    dcpromo /adv
  4. After the dcpromo wizard starts, select Additional Domain Controller for an existing domain and click Next.
  5. Under Copy Domain Information, select “From these restored backup files.” Browse to the files that you restored in Step 2, and then click Next.
  6. Enter credentials of a user in the Domain Admins group in the domain you are promoting the domain controller into and click Next.
  7. Choose the folders in which to store the Active Directory database and logfiles and click Next.
  8. Choose the folder in which to store SYSVOL and click Next.
  9. Enter a Restore Mode password and click Next.
  10. Click Next to start the promotion.
The ability to promote a domain controller using the System State backup of another domain controller was introduced in Windows Server 2003. With Windows 2000, a new domain controller had to replicate the entire NTDS.DIT Active Directory database file over a network connection object by object from an existing domain controller. For organizations with a sizable Active Directory DIT file and/or very poor network connectivity to a remote site, replicating the full contents over the network presented challenges. Under these conditions, the promotion process could take a prohibitively long time to complete. With the “Install from Media” option, the initial domain controller promotion process can be substantially quicker. After you’ve done the initial installation from media (i.e., backup tape or CD/DVD), the new domain controller will replicate any changes that have been made to the Active Directory database since the backup media was created.
Promoting a Windows Server 2008 Domain Controller
You want to promote a new domain controller using a backup from another domain controller as the initial source of the Active Directory database instead of replicating the entire NTDS.DIT file over the network.
  1. You first need to create an IFM backup of an existing Windows Server 2008 domain controller in the domain the new server will go in. This can be accomplished using the ntdsutil utility.
  2. Next, add the Active Directory Domain Services role using Server Manager. Once the role has been added, run dcpromo with the /adv switch from a command line, or place a checkmark next to Use Advanced Options on the first screen of the dcpromo wizard.
  3. Click Next twice to begin the dcpromo wizard. After the dcpromo wizard starts, select Existing Forest→Add a Domain Controller to an existing domain and click Next.
  4. In the Network Credentials screen, enter the name of the domain to which you are adding the DC, and specify valid network credentials for the domain if necessary. Click Next.
  5. In the Select a Domain screen, select the domain to which you wish to add the DC and then click Next.
  6. In the Select a Site screen, select the site that the new DC should belong to and then click Next.
  7. In the Additional Domain Controller Options screen, select one or all of the following configuration options for the new DC: DNS Server, Global Catalog, and Read-Only Domain Controller. Click Next.
  8. On the Install from Media screen, select the “Replicate data from media at the following location” radio button, and browse to the location of the IFM backup that you created in step 1. Click Next.
  9. On the Source Domain Controller screen, select the existing DC that you want this new DC to replicate information from, or select the “Let the wizard choose an appropriate domain controller” radio button. Click Next.
  10. On the Location for Database, Log Files, and SYSVOL screen, modify the default location of the Active Directory database files, logfiles, and SYSVOL share if necessary, or else just click Next.
Demoting a Domain Controller
You want to demote a domain controller from a domain. If you want to decommission a domain controller for whatever reason, you’ll need to follow these demotion steps.

Using a graphical user interface

  1. Run the dcpromo command from a command line or Start→Run.
  2. Click Next.
  3. If the server is the last domain controller in the domain, check the box beside “This server is the last domain controller in the domain.”
  4. Click Next.
  5. Type and confirm the password for the local Administrator account.
  6. Click Next twice to begin the demotion.
Before demoting a domain controller, you first need to ensure that all of the FSMO roles have been transferred to other servers; otherwise, they will be transferred to random domain controllers that may not be optimal for your installation. (Managing FSMO role holders is discussed in .) Also, if the DC is a global catalog server or running a service such as DNS, WINS, DHCP, etc., ensure that you have sufficient GCs and other infrastructure servers elsewhere in your forest that can handle the increased load.
It is important to demote a domain controller before decommissioning or rebuilding it so that its associated objects in Active Directory are removed, its DNS locator resource records are dynamically removed, and replication with the other domain controllers is not interrupted. If a domain controller does not successfully demote, or if you do not get the chance to demote it because of some type of hardware failure, see for removing a domain from Active Directory, and for instructions on manually removing a domain controller from Active Directory.
, , for removing an unsuccessfully demoted domain controller, for disabling the global catalog, , for transferring FSMO roles, and MS KB 238369 (How to Promote and Demote Domain Controllers in Windows 2000)
Automating the Promotion or Demotion of a Domain Controller
You want to automate the installation or removal of a domain controller. You can make the promotion process part of your standard build process by incorporating the necessary configuration lines in your answer file(s).
You can automate the promotion of a domain controller by using the unattended process when building the server or by manually running dcpromo after the system has been built. Pass an answer file containing the necessary lines to promote the server to dcpromo by specifying an /answer switch. Here is an example:
> dcpromo /answer:<path_to_answer_file>
If you want to run dcpromo as part of an unattended setup, you need to add a [GUIRunOnce] section in your unattended setup file that calls the dcpromo process.
You can promote a domain controller only after setup has completed and someone logs in for the first time. That is why it is necessary to use a [GUIRunOnce] section, which sets the RunOnce registry key to kick off dcpromo on the first user logon, either at the console or via Terminal Services. Here is an example:
[GUIRunOnce]
"dcpromo /answer:%systemroot%\system32\$winnt$.inf"
The dcpromo answer section starts with [DCInstall]. Here is an example answer file for adding a domain controller to an existing domain in the adatum.com forest:
[DCINSTALL]
UserName=administrator
Password=AdatumAdminPassword
UserDomain=adatum.com
DatabasePath=%systemroot%\ntds
LogPath=%systemroot%\ntds
SYSVOLPath=%systemroot%\sysvol
SafeModeAdminPassword=DSrestoreModePassword
CriticalReplicationOnly=no
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=adatum.com
RebootOnSuccess=yes
CreateOrJoin=Join
For a complete list of Windows Server 2008 unattended installation settings, enter dcpromo /?:Promotion at the command line, or reference Windows Help and Support or the Microsoft Technet site. For a complete list of Windows Server 2003 [DCInstall] settings, see the ref.chm help file in \support\tools\deploy.cab that can be found on the Windows Server 2003 CD. For Windows 2000, the settings can be found in the
Troubleshooting Domain Controller Promotion or Demotion Problems
You are having problems promoting or demoting a domain controller and you want to troubleshoot it.
The best source of information about the status of promotion or demotion problems are the Dcpromo.log and Dcpromoui.log files contained in the %SystemRoot%\Debug folder on the server. The Dcpromo.log captures the input entered into dcpromo and logs the information that is displayed as dcpromo progresses. The Dcpromoui.log file is much more detailed and captures discrete actions that occur during dcpromo processing, including any user input. A sample dcpromoui.log file might look something like this:
dcpromoui D38.A65 0000 opening log file C:\WINDOWS\debug\dcpromoui.log
dcpromoui D38.A65 0001 C:\WINDOWS\system32\dcpromo.exe
dcpromoui D38.A65 0002 file timestamp 11/19/2005 07:02:35.000
dcpromoui D38.A65 0003 local time 11/19/2005 07:03:45.406
dcpromoui D38.A65 0004 running Windows NT 5.2 build 3718 (BuildLab:3718.dnsrv.021114-1947) i386
...
dcpromoui D38.A65 00E3 Enter ControlSubclasser::UnhookWindowProc
dcpromoui D38.A65 00E4 exitCode = 0
dcpromoui D38.A65 00E5 closing log
Additionally, the Windows Server 2003 and Windows Server 2008 versions of dcdiag contain two new tests that can aid in troubleshooting promotion problems. The dcpromo test reports anything it finds that could impede the promotion process. The RegisterInDNS test checks if the server can register records in DNS. Here is an example of running both commands to test against the adatum.com domain:
> dcdiag /test:dcpromo /DnsDomain:adatum.com /ReplicaDC /test:RegisterInDNS
In most cases, the level of detail provided by Dcpromoui.log should be sufficient to pinpoint any problems, but you can increase logging if necessary. To enable the highest level of logging available, set the following registry value to FF0003: HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug. You can confirm that this mask took effect by running dcpromo again, checking the Dcpromoui.log, and searching for “logging mask.” For more information on the various logging settings, see MS KB 221254.
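As an added example (not code from the book), a small Python parser for the Dcpromoui.log record format shown above: it pulls out the exitCode, whether the log was closed, the active logging mask, and any sequence numbers missing from the copy you were given. Both sample logs are constructed, and the exact layout of the "logging mask" line is an assumption.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# One Dcpromoui.log record, as the page's sample shows it:
#   dcpromoui <pid>.<tid> <hex sequence> <message>
RECORD_RE = re.compile(
    r"^dcpromoui\s+(?P<pid>[0-9A-Fa-f]+)\.(?P<tid>[0-9A-Fa-f]+)\s+"
    r"(?P<seq>[0-9A-Fa-f]{4})\s+(?P<msg>.*)$"
)
EXIT_RE = re.compile(r"exitCode\s*=\s*(-?\d+)")
# The page only says to search for "logging mask"; the layout of that line is
# assumed here, so the match is loose: the first hex run after the words.
MASK_RE = re.compile(r"logging mask\W*(?:0x)?([0-9A-Fa-f]+)", re.IGNORECASE)


class Record(NamedTuple):
    pid: str
    tid: str
    seq: int
    msg: str


def parse_dcpromoui(text: str) -> List[Record]:
    """Parse Dcpromoui.log text. A line without the dcpromoui prefix is a
    wrapped continuation of the previous record (see the BuildLab line)."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(m["pid"], m["tid"], int(m["seq"], 16), m["msg"]))
        elif records:
            last = records[-1]
            records[-1] = last._replace(msg=last.msg + " " + line)
    return records


def missing_sequences(records: List[Record]) -> List[int]:
    """Sequence numbers absent between the first and last record seen.
    A gap means records are missing, e.g. someone sent a truncated log."""
    seen = {r.seq for r in records}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def summarize(text: str) -> Dict[str, object]:
    """The facts a troubleshooter checks first: did dcpromo finish (exitCode
    and 'closing log'), which logging mask was active, is the log complete."""
    records = parse_dcpromoui(text)
    exit_code: Optional[int] = None
    mask: Optional[str] = None
    closed = False
    for r in records:
        m = EXIT_RE.search(r.msg)
        if m:
            exit_code = int(m.group(1))
        m = MASK_RE.search(r.msg)
        if m:
            mask = m.group(1).upper()
        if r.msg.lower().startswith("closing log"):
            closed = True
    return {
        "records": len(records),
        "exit_code": exit_code,
        "closed": closed,
        "logging_mask": mask,
        "missing_sequences": missing_sequences(records),
        "success": closed and exit_code == 0,
    }


# Constructed sample logs (not real dcpromo output). The first mirrors the
# page's excerpt; the second models a failed promotion and a log copy with
# records missing.
GOOD_LOG = r"""
dcpromoui D38.A65 0000 opening log file C:\WINDOWS\debug\dcpromoui.log
dcpromoui D38.A65 0001 C:\WINDOWS\system32\dcpromo.exe
dcpromoui D38.A65 0002 file timestamp 11/19/2005 07:02:35.000
dcpromoui D38.A65 0003 local time 11/19/2005 07:03:45.406
dcpromoui D38.A65 0004 running Windows NT 5.2 build 3718
(BuildLab:3718.dnsrv.021114-1947) i386
dcpromoui D38.A65 0005 logging mask = 0xFF0003
dcpromoui D38.A65 0006 Enter ControlSubclasser::UnhookWindowProc
dcpromoui D38.A65 0007 exitCode = 0
dcpromoui D38.A65 0008 closing log
"""

FAILED_LOG = r"""
dcpromoui 1A2.3B4 0000 opening log file C:\WINDOWS\debug\dcpromoui.log
dcpromoui 1A2.3B4 0001 C:\WINDOWS\system32\dcpromo.exe
dcpromoui 1A2.3B4 0002 local time 11/20/2005 09:12:01.118
dcpromoui 1A2.3B4 0006 exitCode = 1
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("failed", FAILED_LOG)):
        print(name, summarize(log))
```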
Verifying the Promotion of a Domain Controller
You want to verify that a domain controller has been successfully promoted within an Active Directory domain.

Using a command-line interface

> netdiag /test:dns
> netdiag /test:member
> netdiag /test:dsgetdc
> dcdiag /test:replications
> dcdiag /s:<DCName> /test:knowsofroleholders
> dcdiag /s:<DCName> /test:fsmocheck
The netdiag.exe utility is not available on Windows Server 2008 domain controllers.
Once you’ve installed a domain controller using the dcpromo process, there are several steps that you can take to ensure that the promotion process has completed successfully. In Windows 2000 and Windows Server 2003, dcdiag and netdiag are two utilities that come with the Windows Support tools. In Windows Server 2008, dcdiag.exe has been built directly into the AD DS binaries; netdiag.exe is no longer supported. Regardless of the version of the server operating system, dcdiag and netdiag can perform a number of diagnostic tests, including the following:
  • Verify that all necessary DNS records have been registered and are present on the DNS server.
  • Check the domain membership for the newly promoted computer.
  • Confirm that the new DC can communicate with other DCs in the domain.
  • Confirm that the new DC is replicating with other DCs.
  • Verify that the new DC can communicate with all of the FSMO role holders.
In addition, you can verify a successful domain controller promotion by verifying that it is responding on TCP ports 389 and 3268, running dcdiag /replsum, confirming that the SYSVOL directory has been shared, as well as checking the Directory Service log in the Event Viewer for any errors or warnings.
MS KB 839880 (How to Troubleshoot RPC Endpoint Mapper Errors), MS KB 250842 (Troubleshooting Group Policy Application Problems), and MS KB 321708 (How to Use the Network Diagnostics Tool [Netdiag.exe] in Windows 2000)
Removing an Unsuccessfully Demoted Domain Controller
You want to manually remove a domain controller from Active Directory if the dcpromo process was unsuccessful or you are unable to bring a domain controller back online after a hardware or software failure.
The first step in the removal process is to run the following ntdsutil command, where <DomainControllerName> is a domain controller in the same domain as the one you want to forcibly remove.
The following ntdsutil syntax applies to Windows 2000 and to Windows Server 2003 installations without Service Pack 1 installed. Windows Server 2003 Service Pack 1 and Windows Server 2008 greatly simplify the syntax involved; we will cover the new syntax later.
> ntdsutil "meta clean" conn "co to ser <DomainControllerName>" q "s o t" "l d"
Found 2 domain(s)
0 - DC=adatum,DC=com
1 - DC=emea,DC=adatum,DC=com
Select the domain of the domain controller you want to remove. In this case, we’ll select the emea.adatum.com domain:
select operation target: sel domain 1
Now, list the sites and select the site the domain controller is in (use 1 for MySite1):
select operation target: list sites
Found 4 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adatum,DC=com
1 - CN=MySite1,CN=Sites,CN=Configuration,DC=adatum,DC=com
2 - CN=MySite2,CN=Sites,CN=Configuration,DC=adatum,DC=com
3 - CN=MySite3,CN=Sites,CN=Configuration,DC=adatum,DC=com
select operation target: sel site 1
Next, select the server you want to remove; in this case, we’re choosing 0 for DC5:
select operation target: list servers for domain in site
Found 2 server(s)
0 - CN=DC5,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=adatum,DC=com
1 - CN=DC9,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=adatum,DC=com
select operation target: sel server 0
Type quit to get back to the metadata cleanup menu:
select operation target: quit
metadata cleanup:
Finally, remove the server:
metadata cleanup: remove selected server
If successful, a message will state that the removal was complete. However, if you receive an error message, check to see if the server’s
Renaming a Domain Controller
You want to rename a domain controller.

Windows 2000 Active Directory

To rename a domain controller, you must first demote it to a member server. You can then rename it and then promote it back to a domain controller.

Windows Server 2003 Active Directory

Your first step in renaming a Windows Server 2003 domain controller is as follows, where <NewName> is a fully qualified domain name (FQDN):
> netdom computername <CurrentName> /Add:<NewName>
The new name will be automatically replicated throughout Active Directory and DNS. Once you’ve verified that the new name has replicated (which may take some time depending on your replication topology), you can designate it as the domain controller’s primary name as follows, and then reboot the domain controller:
> netdom computername <CurrentName> /MakePrimary:<NewName>
See for information on verifying Active Directory .
Once you’re satisfied that your clients are accessing the domain controller using its new name, you can remove the old computer name using the following syntax:
> netdom computername <NewName> /remove:<OldName>
To use the domain controller rename functionality, you must be running at the Windows Server 2003 or Windows Server 2008 domain functional level.
There is no supported means to rename a Windows 2000 domain controller, which is why the only way you can approximate the process is by demoting the server before performing the rename, and then promoting the server to DC status using the new name. Before you demote the domain controller, you should transfer any FSMO roles it holds to other servers in your domain or forest. You can allow dcpromo to transfer the roles during the demotion process, but you should check afterward to verify which server(s) the role(s) were transferred to ensure that they are placed appropriately for your environment. Likewise, if the domain controller is a global catalog server, ensure that another global catalog server is available to take its place.
Finding the Domain Controllers for a Domain
You want to find the domain controllers in a domain.

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in (dsa.msc).
  2. Right-click on the target domain and select Find.
  3. In the Find drop-down box, select “Computers.”
  4. In the Role drop-down box, select “Domain controller.”
  5. Click Find Now. The list of domain controllers for the domain will be present in the right pane.

Using a command-line interface

> adfind -h domain.com -default -s base -asq msds-masteredby -dn

Using VBScript

' This code displays the
' domain controllers for the specified domain.
' ------ SCRIPT CONFIGURATION -----
strDomain = "<DomainDNSName>" ' e.g. emea.adatum.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
strMasteredBy = objDomain.GetEx("masteredBy")
for each strNTDSDN in strMasteredBy
   set objNTDS = GetObject("LDAP://" & strNTDSDN)
   set objServer = GetObject(objNTDS.Parent)
   Wscript.echo objServer.Get("dNSHostName")
next

Using PowerShell

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dom.FindAllDomainControllers()
There are several ways to get a list of domain controllers for a domain. The GUI solution simply uses the built-in “Find” functionality of the Active Directory Users & Computers MMC. The CLI and VBScript solutions take a slightly different approach by looking at the masteredBy attribute on the domain object (e.g., dc=emea,dc=adatum,dc=com) of the domain. The masteredBy attribute contains a list of distinguished names of the nTDSDSA objects of all the domain controllers for that domain. The server object of the domain controller, which is the parent object of the nTDSDSA object, has a distinguishedName attribute that contains the distinguished name of the server.
And for yet another solution, see to find out how to query DNS to get the list of domain controllers for a domain.
for finding domain controllers via DNS
Finding the Closest Domain Controller
You want to find the closest domain controller for a particular domain.

Using a command-line interface

The following command finds the closest domain controller in the specified domain (<DomainDNSName>); that is, a domain controller that is located in the same site or in the closest site if a local DC is not available. By default, it will return the closest DC for the computer nltest is being run from, but you can optionally use the /server option to target a remote host. If you are interested in finding a DC within a particular site regardless of whether it is the closest DC to you, you can also optionally specify the /site option to find a domain controller that belongs to a particular site:
> nltest /dsgetdc:<DomainDNSName> [/site:<SiteName>] [/server:<ClientName>]

Using VBScript

The IADsTools functionality is not supported under Windows Vista or Windows Server 2008.
' This code finds the closest domain controller in the domain
' that the computer running the script is in.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. emea.adatum.com
' ------ END CONFIGURATION --------

set objIadsTools = CreateObject("IADsTools.DCFunctions")
objIadsTools.DsGetDcName( Cstr(strDomain) )
Wscript.Echo "DC: " & objIadsTools.DCName
Wscript.Echo "DC Site: " & objIadsTools.DCSiteName
Wscript.Echo "Client Site: " & objIadsTools.ClientSiteName

Using PowerShell

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dom.FindDomainController()
The DC locator process, as described in MS KB 314861 and MS KB 247811, defines how clients find the closest domain controller. The process uses the site topology stored in Active Directory to calculate the site a particular client is in. After the client site has been identified, it is a matter of finding a domain controller that is either a member of that same site or that is covering for that site.
The Microsoft DsGetDcName Directory Services API method implements the DC Locator process, but unfortunately cannot be used directly from a scripting language, such as VBScript. The
Finding a Domain Controller’s Site
You need to determine the site of which a domain controller is a member.

Using a graphical user interface

  1. Open LDP and from the menu, select Connection→Connect.
  2. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  3. For Port, enter 389.
  4. Click OK.
  5. From the menu select Connection→Bind.
  6. Enter credentials of a domain user.
  7. Click OK.
  8. From the menu, select Browse→Search.
  9. For BaseDN, type the distinguished name of the Sites container (for example, cn=sites,cn=configuration,dc=adatum,dc=com).
  10. For Scope, select Subtree.
  11. For Filter, enter:
    (&(objectcategory=server)(dnsHostName=<DomainControllerName>))
  12. Click Run.

Using a command-line interface

To retrieve the site for a particular DC, use the following command syntax:
> nltest /dsgetsite /server:<DomainControllerName>
The nltest /dsgetsite command is a wrapper around the DsGetSiteName method.
You can also use the AdFind utility as follows, which reads the serverName attribute of the RootDSE (the distinguished name of the DC’s server object, which includes its site):
adfind -h <Domain FQDN> -rootdse servername
For example, to find the site containing the server dc1 in the adatum.com domain, you would run the following command and see this output:
> adfind -config -rb cn=sites -f "(&(objectcategory=server)(cn=dc1))" distinguishedName

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc1.adatum.com:389
Directory: Windows Server 2003
Base DN: cn=sites,CN=Configuration,DC=adatum,DC=com

dn:CN=dc1,CN=Servers,CN=Raleigh,CN=Sites,CN=Configuration,DC=adatum,DC=com
>distinguishedName: CN=dc1,CN=Servers,CN=Raleigh,CN=Sites,CN=Configuration,DC=adatum,DC=com

1 Objects returned
You can also specify the FQDN of the DC in question by using (&(objectcategory=server)(dnsHostName=dc1.adatum.com)).

Using VBScript

' This code prints the
' site the specified domain controller is in
' ------ SCRIPT CONFIGURATION -----
strDC = "<DomainControllerName>" ' e.g. dc1.adatum.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
set objNTDS = GetObject("LDAP://" & objRootDSE.Get("dsServiceName"))
set objSite = GetObject(GetObject(GetObject(objNTDS.Parent).Parent).Parent)
WScript.Echo objSite.Get("cn")
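An added example (not from the book) that does in Python what the masteredBy script in the previous recipe and the dsServiceName script above do with GetObject(...).Parent: it splits a DN into RDNs, honouring RFC 4514 backslash escapes so a comma inside a site name does not break the walk, and then steps from the nTDSDSA object to the server and site names. The sample DNs are constructed.

```python
from string import hexdigits
from typing import List, Tuple

# Constructed sample of what masteredBy on a domain object might hold. Each
# value is the DN of an nTDSDSA object; its parent is the server object and
# that object's grandparent is the site, exactly the chain the VBScript
# follows with .Parent. The third entry has an escaped comma in the site name.
SAMPLE_MASTERED_BY = [
    "CN=NTDS Settings,CN=dc1,CN=Servers,CN=Raleigh,CN=Sites,CN=Configuration,DC=adatum,DC=com",
    "CN=NTDS Settings,CN=dc2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adatum,DC=com",
    "CN=NTDS Settings,CN=dc3,CN=Servers,CN=New York\\, NY,CN=Sites,CN=Configuration,DC=adatum,DC=com",
]


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs. Backslash escapes per RFC 4514
    (a single escaped character such as \\, or a hex pair such as \\2C) are
    decoded, so an escaped comma inside a value never splits the DN."""
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in hexdigits for h in pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    out: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((attr.strip().upper(), value.strip()))
    return out


def _ntds_chain(dn: str) -> Tuple[str, str]:
    """From an nTDSDSA DN return (server name, site name), after checking the
    CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,... shape."""
    rdns = split_dn(dn)
    ok = (len(rdns) >= 5
          and rdns[0][0] == "CN" and rdns[0][1].lower() == "ntds settings"
          and rdns[2][0] == "CN" and rdns[2][1].lower() == "servers"
          and rdns[4][0] == "CN" and rdns[4][1].lower() == "sites")
    if not ok:
        raise ValueError(f"not an nTDSDSA DN: {dn!r}")
    return rdns[1][1], rdns[3][1]


def server_from_ntds_dn(dn: str) -> str:
    """Equivalent of GetObject(objNTDS.Parent) in the masteredBy script."""
    return _ntds_chain(dn)[0]


def site_from_ntds_dn(dn: str) -> str:
    """Equivalent of the three .Parent hops in the dsServiceName script."""
    return _ntds_chain(dn)[1]


def site_from_server_dn(dn: str) -> str:
    """Site for a server object DN, as returned by the RootDSE serverName
    attribute or the adfind search in this recipe."""
    rdns = split_dn(dn)
    if len(rdns) < 4 or rdns[1][1].lower() != "servers" or rdns[3][1].lower() != "sites":
        raise ValueError(f"not a server object DN: {dn!r}")
    return rdns[2][1]


def domain_controllers(mastered_by: List[str]) -> List[Tuple[str, str]]:
    """(server, site) for every DC listed in a domain's masteredBy attribute."""
    return [_ntds_chain(dn) for dn in mastered_by]


if __name__ == "__main__":
    for server, site in domain_controllers(SAMPLE_MASTERED_BY):
        print(f"{server}: {site}")
```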
Moving a Domain Controller to a Different Site
You want to move a domain controller to a different site.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).
  2. In the left pane, expand the site that contains the domain controller.
  3. Expand the Servers container.
  4. Right-click on the domain controller you want to move and select Move.
  5. In the Move Server box, select the site to which the domain controller will be moved and click OK.

Using a command-line interface

When using DSMove, you must specify the DN of the object you want to move. In this case, it needs to be the distinguished name of the server object for the domain controller. The value for the -newparent option is the distinguished name of the Servers container you want to move the domain controller to:
> dsmove "<ServerDN>" -newparent "<NewServersContainerDN>"
For example, the following command would move dc2 from the Default-First-Site-Name site to the Raleigh site:
> dsmove "cn=dc2,cn=servers,cn=Default-First-Site-Name,cn=sites,cn=configuration,dc=adatum,dc=com" -newparent "cn=servers,cn=Raleigh,cn=sites,cn=configuration,dc=adatum,dc=com"
You can also move an object using AdMod, as follows:
> admod -b cn=<ServerName>,cn=servers,cn=<OldSite>,cn=sites,cn=configuration,<ForestRootDN> -move cn=servers,cn=<NewSite>,cn=sites,cn=configuration,<ForestRootDN>

Using VBScript

' This code moves a domain controller to a different site
' ------ SCRIPT CONFIGURATION ------
strDCName      = "<DomainControllerName>" ' e.g. dc2
strCurrentSite = "<CurrentSiteName>"      ' e.g. Default-First-Site-Name
strNewSite     = "<NewSiteName>"          ' e.g. Raleigh
' ------ END CONFIGURATION ---------

strConfigDN = GetObject("LDAP://RootDSE").Get("configurationNamingContext")
strServerDN = "LDAP://cn=" & strDCName & ",cn=servers,cn=" & _
                      strCurrentSite & ",cn=sites," & strConfigDN
strNewParentDN = "LDAP://cn=servers,cn=" & strNewSite & ",cn=sites," & _
                         strConfigDN

set objCont = GetObject(strNewParentDN)
objCont.MoveHere strServerDN, "cn=" & strDCName
WScript.Echo "Successfully moved " & strDCName & " to " & strNewSite
Finding the Services a Domain Controller Is Advertising
You want to find the services that a domain controller is advertising.
The following command will display the list of services a domain controller is advertising:
> dcdiag /v /s:<DomainControllerName> /test:advertising
Running this command on a typical domain controller will produce the following output:
Starting test: Advertising
   The DC dc1 is advertising itself as a DC and having a DS.
   The DC dc1 is advertising as an LDAP server
   The DC dc1 is advertising as having a writable directory
   The DC dc1 is advertising as a Key Distribution Center
   The DC dc1 is advertising as a time server
   The DS dc1 is advertising as a GC.
You can also use nltest to get similar information:
> nltest /server:<DomainControllerName> /dsgetdc:<DomainName>
Running this command on a domain controller in the adatum.com domain will produce the following output:
           DC: \\dc1.adatum.com
      Address: \\10.0.0.1
     Dom Guid: ac0e4884-cf79-4c9d-8cd9-817e3bfdab54
     Dom Name: adatum.com
  Forest Name: adatum.com
 Dc Site Name: Raleigh
Our Site Name: Raleigh
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
In the previous example, GTIMESERV denotes a DC that is a master time server. WRITABLE denotes a DC that holds a writable copy of the Active Directory database. Prior to Windows Server 2008, only NT 4.0 BDCs would not possess this flag; in 2008 Read-Only Domain Controllers will also lack the WRITABLE flag.
The dcdiag /test:advertising command is a wrapper around the DsGetDcName method. DsGetDcName returns a structure called DOMAIN_CONTROLLER_INFO that contains the list of services a domain controller provides. The table below lists the possible values returned from this call.
Table: DOMAIN_CONTROLLER_INFO flags
Value          Description
DS_DS_FLAG     Directory server for the domain
DS_GC_FLAG     Global catalog server for the forest
DS_KDC_FLAG    Kerberos Key Distribution Center for the domain
DS_PDC_FLAG    Primary domain controller of the domain
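As an added example (not the book’s code), a Python parser for the nltest /dsgetdc output shown earlier in this recipe: it maps each token on the Flags line to its DOMAIN_CONTROLLER_INFO constant and bit value, and then checks that a DC advertises what you expect, for instance that WRITABLE is absent on an RODC or that a DC claimed as closest really is in the client’s site. The pairing of nltest tokens with constants and the two sample outputs are constructed.

```python
import re
from typing import Dict, List, Tuple

# DsGetDcName DOMAIN_CONTROLLER_INFO.Flags bits from the Win32 API, keyed by
# the token nltest /dsgetdc prints for each one. The token names come from
# the sample output on this page; their pairing with constants is assumed.
NLTEST_FLAGS: Dict[str, Tuple[str, int]] = {
    "PDC":        ("DS_PDC_FLAG",            0x00000001),
    "GC":         ("DS_GC_FLAG",             0x00000004),
    "LDAP":       ("DS_LDAP_FLAG",           0x00000008),
    "DS":         ("DS_DS_FLAG",             0x00000010),
    "KDC":        ("DS_KDC_FLAG",            0x00000020),
    "TIMESERV":   ("DS_TIMESERV_FLAG",       0x00000040),
    "CLOSE_SITE": ("DS_CLOSEST_FLAG",        0x00000080),
    "WRITABLE":   ("DS_WRITABLE_FLAG",       0x00000100),
    "GTIMESERV":  ("DS_GOOD_TIMESERV_FLAG",  0x00000200),
    "DNS_DC":     ("DS_DNS_CONTROLLER_FLAG", 0x20000000),
    "DNS_DOMAIN": ("DS_DNS_DOMAIN_FLAG",     0x40000000),
    "DNS_FOREST": ("DS_DNS_FOREST_FLAG",     0x80000000),
}

KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")   # "Dc Site Name: Raleigh"
TOKENS_RE = re.compile(r"^[A-Z_ ]+$")                      # wrapped Flags line


def parse_dsgetdc(text: str) -> Dict[str, str]:
    """Turn nltest /dsgetdc output into a dict keyed like 'dc_site_name'.
    The Flags line may wrap; an all-caps line right after it is appended."""
    info: Dict[str, str] = {}
    last = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            last = m.group(1).strip().lower().replace(" ", "_")
            info[last] = m.group(2).strip()
        elif last == "flags" and TOKENS_RE.match(line):
            info[last] = (info[last] + " " + line).strip()
    return info


def flags_value(tokens: List[str]) -> int:
    """Reassemble the numeric Flags value from the nltest tokens; tokens
    this table does not know (newer OS versions add some) are ignored."""
    return sum(NLTEST_FLAGS[t][1] for t in tokens if t in NLTEST_FLAGS)


def decode_flags(value: int) -> List[str]:
    """Numeric Flags value back to DS_*_FLAG names, lowest bit first."""
    by_bit = sorted(NLTEST_FLAGS.values(), key=lambda nb: nb[1])
    return [name for name, bit in by_bit if value & bit]


def check_dc(info: Dict[str, str], expect_gc: bool = False) -> List[str]:
    """Findings a post-promotion check would raise for this nltest output."""
    tokens = set(info.get("flags", "").split())
    findings: List[str] = []
    for needed in ("DS", "LDAP", "KDC"):
        if needed not in tokens:
            findings.append(f"not advertising {needed} ({NLTEST_FLAGS[needed][0]})")
    if "WRITABLE" not in tokens:
        findings.append("no WRITABLE flag: read-only copy of the directory (RODC or NT 4.0 BDC)")
    if expect_gc and "GC" not in tokens:
        findings.append("not advertising as a global catalog")
    if info.get("dc_site_name") != info.get("our_site_name"):
        findings.append(f"DC is in site {info.get('dc_site_name')}, "
                        f"client is in site {info.get('our_site_name')}")
    return findings


# Constructed samples: the first mirrors the page's writable DC in Raleigh,
# the second models an RODC in another site answering a Raleigh client.
SAMPLE_WRITABLE = r"""
           DC: \\dc1.adatum.com
      Address: \\10.0.0.1
     Dom Guid: ac0e4884-cf79-4c9d-8cd9-817e3bfdab54
     Dom Name: adatum.com
  Forest Name: adatum.com
 Dc Site Name: Raleigh
Our Site Name: Raleigh
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE
The command completed successfully
"""

SAMPLE_RODC = r"""
           DC: \\rodc1.adatum.com
      Address: \\10.0.5.1
     Dom Name: adatum.com
  Forest Name: adatum.com
 Dc Site Name: Branch
Our Site Name: Raleigh
        Flags: GC DS LDAP KDC TIMESERV DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WRITABLE, SAMPLE_RODC):
        info = parse_dsgetdc(sample)
        print(info["dc"], hex(flags_value(info["flags"].split())), check_dc(info, expect_gc=True))
```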
Restoring a Deleted Domain Controller
You want to restore the computer account of a domain controller that has been accidentally deleted.

Using a graphical user interface

  1. Reboot a domain controller that is currently functioning correctly into Directory Services Restore Mode.
  2. Perform a System State restore.
  3. Before rebooting the server, perform the steps listed in the following section.

Using a command-line interface

To restore the computer account, use the following sequence of commands in Windows 2000 or Windows Server 2003:
> ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore subtree <ComputerDN>
authoritative restore: quit
ntdsutil: exit
In Windows Server 2008, you must enter the following command before accessing the authoritative restore menu:
ntdsutil: activate instance ntds
Restart the domain controller after running these commands.
When you restore a deleted object within Active Directory, you have the option of performing an authoritative or a nonauthoritative restore. In both cases, any changes that have been made to the AD database subsequent to the time that the backup was taken will be replicated back to the restored DC. With an authoritative restore, the version number of the object(s) being restored is incremented so that the restored objects will “win” in the case of any replication collisions. In a case where you want to restore an object that has been inadvertently deleted, you need to perform an authoritative restore to prevent the deletion from repropagating to the restored domain controller. You can mark an entire restore as authoritative, or any subtree of your AD environment down to a single object (in this case, the computer object for the DC that was deleted).
for more on recovering and restoring Active Directory and MS KB 216993 (Useful Shelf Life of a System-State Backup of Active Directory)
Resetting the TCP/IP Stack on a Domain Controller
You want to uninstall and reinstall the TCP/IP protocol on a domain controller as part of a disaster recovery or troubleshooting operation.

Using a command-line interface

> netsh int ip reset <Log_File_Name>
Beginning in Windows 2000, the TCP/IP protocol has been installed as the default network protocol for Windows server and client products. In Windows 2000 in particular, uninstalling TCP/IP was a fairly laborious process involving numerous registry changes. This was greatly improved in Windows Server 2003 with the addition of the reset commands within netsh. Resetting the TCP/IP stack using netsh will remove all configuration information, including the default gateway and any configured DNS and WINS servers. This procedure might be necessary during a disaster recovery situation where you’re restoring System State data to a server with a dissimilar hardware configuration, for example, as the restore process might corrupt the TCP/IP stack on the destination computer.

Using a command-line interface

In addition to resetting the TCP/IP stack, you can also reset Winsock using the following command:
> netsh winsock reset
Use this command with care, though, as resetting Winsock can cause network applications such as antivirus scanners to malfunction and require reinstallation.
MS KB 317518 (How to Reset “Internet Protocol” [TCP/IP] in Windows Server 2003), MS KB 325356 (How to Remove and Reinstall TCP/IP on a Windows Server 2003 Domain Controller), and MS KB 299451 (How to Remove and Reinstall TCP/IP on a Windows 2000 Domain Controller)
End of content preview. The rest of this section is not viewable here.
Configuring a Domain Controller to Use an External
Content preview
You want to set the reliable time source for a domain controller.

Using the Registry

To configure your Windows Server 2003 or Windows Server 2008 PDC Emulator to sync to an external time provider, set the following Registry keys:
[HKLM\System\CurrentControlSet\Services\W32Time\Parameters\]
Type: REG_SZ - "NTP"

[HKLM\System\CurrentControlSet\Services\W32Time\Config\]
AnnounceFlags: REG_DWORD - 10

[HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\]
Enabled: REG_DWORD - 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\]
NtpServer: REG_SZ - <Peer1>,0x1,<Peer2>,0x1,<Peer3>,0x1
<Peers> in this case refers to a comma-separated list of FQDNs of external time servers. Each DNS name must be followed by ,0x1 for the rest of these settings to take effect.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\]
SpecialPollInterval: REG_DWORD - <TimeBetweenPollsInSeconds>

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\]
MaxPosPhaseCorrection: REG_DWORD - <MaximumForwardOffsetInSeconds>

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\]
MaxNegPhaseCorrection: REG_DWORD - <MaximumBackwardOffsetInSeconds>
Once you have made these changes to the Registry, stop and restart the W32time service by issuing the following commands:
> net stop w32time
> net start w32time

Using VBScript

' This code configures a reliable
' time source on a domain controller
' ------ SCRIPT CONFIGURATION ------
strPDC = "<DomainControllerName>"       ' e.g. dc01.adatum.com
strTimeServer = "<TimeServerNameOrIP>"  ' e.g. ntp01.adatum.com
' ------ END CONFIGURATION --------

strTimeServerReg = "SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
Const HKLM = &H80000002
' Connect to the remote registry through the StdRegProv WMI class
set objReg = GetObject("winmgmts:\\" & strPDC & "\root\default:StdRegProv")
objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer
WScript.Echo "Current Value: " & strCurrentServer
objReg.SetStringValue HKLM, strTimeServerReg, "ntpserver", strTimeServer
objReg.SetStringValue HKLM, strTimeServerReg, "type", "NTP"
strCurrentServer = ""
objReg.GetStringValue HKLM, strTimeServerReg, "ntpserver", strCurrentServer
WScript.Echo "New Value: " & strCurrentServer

' Restart Time Service
set objService = GetObject("winmgmts://" & strPDC & _
                           "/root/cimv2:Win32_Service='W32Time'")
WScript.Echo "Stopping " & objService.Name
objService.StopService()

WScript.Sleep 2000 ' Sleep for 2 seconds to give service time to stop

WScript.Echo "Starting " & objService.Name
objService.StartService()
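As an added check that is not part of the book, the following PowerShell reads the W32Time values this recipe sets back from a domain controller through the same StdRegProv WMI class the VBScript uses and reports every deviation, including a peer entry that lacks the ,0x1 flag. Test-W32TimeConfig and Get-NtpPeerFindings are assumed names; <DomainControllerName> is a placeholder.

```powershell
# Added example, not from the book. Function names are assumptions;
# <DomainControllerName> is a placeholder for the PDC Emulator to check.

# Pure check of the NtpServer value: every peer name must be followed by a
# ,0x1 flag. Accepts the comma-separated form shown in this recipe as well
# as the space-separated "peer,0x1 peer,0x1" form.
function Get-NtpPeerFindings {
    param([string]$PeerList)
    if (-not $PeerList) { return ,@('NtpServer (peer list) is empty') }
    $findings = @()
    $tokens = @($PeerList -split '[\s,]+' | Where-Object { $_ })
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        if ($tokens[$i] -match '^0x[0-9a-fA-F]+$') { continue }     # this token is a flag
        $next = if ($i + 1 -lt $tokens.Count) { $tokens[$i + 1] } else { '' }
        if ($next -notmatch '^0x[0-9a-fA-F]+$') {
            $findings += "peer $($tokens[$i]) has no ,0x1 flag"
        } elseif (([int]$next -band 1) -eq 0) {
            $findings += "peer $($tokens[$i]) uses flag $next; SpecialPollInterval needs bit 0x1"
        }
    }
    return ,$findings
}

# Reads the values this recipe sets from a DC through the StdRegProv WMI class
# (the same class the VBScript solution uses) and reports every deviation.
function Test-W32TimeConfig {
    param([Parameter(Mandatory)][string]$ComputerName)

    $HKLM = [uint32]2147483648          # HKEY_LOCAL_MACHINE, &H80000002 in the VBScript
    $base = 'SYSTEM\CurrentControlSet\Services\W32Time'
    $reg  = [wmiclass]"\\$ComputerName\root\default:StdRegProv"

    $type  = $reg.GetStringValue($HKLM, "$base\Parameters", 'Type').sValue
    $peers = $reg.GetStringValue($HKLM, "$base\Parameters", 'NtpServer').sValue
    $flags = $reg.GetDWORDValue($HKLM, "$base\Config", 'AnnounceFlags').uValue
    $srv   = $reg.GetDWORDValue($HKLM, "$base\TimeProviders\NtpServer", 'Enabled').uValue
    $poll  = $reg.GetDWORDValue($HKLM, "$base\TimeProviders\NtpClient", 'SpecialPollInterval').uValue

    $findings = @()
    if ($type -ne 'NTP') { $findings += "Type is '$type', expected NTP" }
    if ($flags -ne 10)   { $findings += "AnnounceFlags is $flags, this recipe sets 10" }
    if ($srv -ne 1)      { $findings += 'NtpServer time provider is not enabled' }
    if (-not $poll)      { $findings += 'SpecialPollInterval is not set' }
    $findings += Get-NtpPeerFindings -PeerList $peers

    [pscustomobject]@{
        ComputerName = $ComputerName
        Type         = $type
        Peers        = $peers
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: Test-W32TimeConfig -ComputerName '<DomainControllerName>'
```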
End of content preview. The rest of this section is not viewable here.
Finding the Number of Logon Attempts Made Against
Content preview
You want to find the number of logon requests a domain controller has processed.
The following query returns the number of logon requests processed:
> nltest /server:<DomainControllerName> /LOGON_QUERY
This will produce output similar to the following:
Number of attempted logons: 1054
The nltest /LOGON_QUERY command is a wrapper around the I_NetLogonControl2 method, and can be useful to determine how many logon requests are being processed by a server. Viewing the results of the command over a period of time and comparing them against another DC in the same domain can also tell you if one domain controller is being used significantly more or less than the others.
MSDN: I_NetLogonControl2
End of content preview. The rest of this section is not viewable here.
Enabling the /3GB Switch to Increase the LSASS Cache
Content preview
You have installed more than 1 GB of memory on your 32-bit domain controllers and want to enable the /3GB switch so that the LSASS process can use more memory.

Using a command-line interface

In Windows Server 2003, run the following command:
> bootcfg /raw "/3GB" /A /ID <BootID>
If you do not know the Boot ID of the partition you wish to modify, simply run bootcfg from a command prompt without any switches.
In Windows Server 2008, use the following command:
> bcdedit /set IncreaseUserVA 3072
Alternatively, you can edit the boot.ini file on a Windows Server 2003 domain controller to contain the /3GB switch:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003" /3GB
Restart the computer.
Note that the boot.ini file is not present on Windows Server 2008 computers.
On Windows Server 2003, you can edit the boot.ini file by opening the System applet in the Control Panel. Click the Startup and Recovery tab and click the Edit button, or else use the built-in msconfig utility.
On Windows 2000, the process involves a few more steps. You need to open an Explorer window, select Tools→Folder Options, and click the View tab. Uncheck “Hide protected operating system files (Recommended),” and check “Show hidden files and folders.” Now browse to the root of your operating system partition (e.g., C:\) and edit the boot.ini file with a text editor.
When computers are referred to as 32- or 64-bit computers, it means they support memory addresses that are 32 or 64 bits long. This is the total available memory (virtual and real) that can be addressed by the system. Since the days of Windows NT, Microsoft has split memory allocation in half by giving applications up to 2 GB and the Windows kernel 2 GB of memory to use (32 bits of address space = 2^32 = 4 GB). In many cases, administrators would rather allocate more memory to applications than to the kernel. For this reason, Microsoft developed the
End of content preview. The rest of this section is not viewable here.
Cleaning Up Distributed Link Tracking Objects
Content preview
You want to make sure the Distributed Link Tracking (DLT) service is disabled and all DLT objects are removed from Active Directory. The Distributed Link Tracking Server service is used to track links to files on NTFS partitions. If a file that has a shortcut to it is renamed or moved, Windows uses the DLT service to find the file when the shortcut is opened. Most organizations are unaware this service even exists, yet it can populate thousands of objects in Active Directory. Unless you are actively using the functionality of the DLT service, it is recommended that you disable it.
If you upgrade a Windows 2000 domain controller to Windows Server 2003, the DLT Server service is stopped and set to disabled. A new install of Windows Server 2003 also has the service stopped and set to disabled. But the DLT Server service on Windows 2000 domain controllers is enabled by default. Unless you need it, you should stop the service and disable it on all of your domain controllers.
Next, remove any DLT objects (linkTrackVolEntry and linkTrackOMTEntry) from Active Directory. Since there can be hundreds of thousands of DLT objects, you will probably want to stagger the deletion of those objects. (This is not so much because of the delete operation itself, but because the scavenging process that occurs afterward can be quite memory-intensive.) The script in MS KB 315229 (dltpurge.vbs) can delete DLT objects over a period of time instead of all at once. Here is an example of running the dltpurge.vbs script against the dc1 domain controller in the adatum.com domain:
> cscript dltpurge.vbs -s dc1 -d dc=adatum,dc=com
Once you’ve run the DLT Purge process and the AD tombstone and garbage collection process has completed, it’s also recommended that you perform an offline defragmentation of the Active Directory database if you are low on disk space and need to reduce the size of the AD database file (NTDS.DIT).
DLT consists of a client and server service. The server service runs on domain controllers and the client service can run on any Windows 2000 or later machine. The server service stores data in Active Directory in the form of
End of content preview. The rest of this section is not viewable here.
Enabling and Disabling the Global Catalog
Content preview
You want to enable or disable the global catalog (GC) on a particular server.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).
  2. Browse to the nTDSDSA object (NTDS Settings) underneath the server object for the domain controller you want to enable or disable the global catalog for.
  3. Right-click on NTDS Settings and select Properties.
  4. Under the General tab, check (to enable) or uncheck (to disable) the box beside Global Catalog.
  5. Click OK.

Using a command-line interface

In the following command, <ServerObjectDN> should be the server object DN, not the DN of the nTDSDSA object:
> dsmod server "<ServerObjectDN>" -isgc yes|no
For example, the following command will enable the global catalog on dc1 in the Raleigh site:
> dsmod server "cn=DC1,cn=servers,cn=Raleigh,cn=sites,cn=configuration,dc=adatum,dc=com" -isgc yes
You can also use AdMod with the following syntax to enable the GC by setting bit 1 of the options attribute; to disable it, clear the bit with options::{{.:CLR:1}}:
> adfind -b "cn=NTDS Settings,cn=dc1,cn=Servers,cn=Raleigh,cn=Sites,cn=Configuration,dc=adatum,dc=com" options -adcsv | admod options::{{.:SET:1}}
See for information on safely modifying bitwise operators.

Using VBScript

' This code enables or disables the GC for the specified DC
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>" ' e.g. dc01.adatum.com
strGCEnable = 1                  ' 1 = enable, 0 = disable
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
' dSServiceName holds the DN of this DC's own nTDSDSA (NTDS Settings) object
set objNTDS = GetObject("LDAP://" & strDC & "/" & _
                        objRootDSE.Get("dSServiceName"))
objNTDS.Put "options", strGCEnable
objNTDS.SetInfo

Using PowerShell

$dcname = "<DomainControllerName>"
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer',$dcname)
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
$dc.EnableGlobalCatalog()
The first domain controller promoted into a forest is also made a global catalog (GC) server by default. If you want additional servers to have the global catalog, you have to enable it manually. In a single-domain environment, the global catalog server incurs no memory or bandwidth overhead beyond that of a domain controller, so you could conceivably configure each DC in a single-domain forest as a GC without any ill effects. In a multidomain environment, however, each global catalog server will require additional disk space to store a partial replica of other domains in the forest, and will require additional network bandwidth to replicate with other GCs. For more details on DC and GC placement planning, see
End of content preview. The rest of this section is not viewable here.
Determining Whether Global Catalog Promotion Is Complete
Content preview
You want to determine whether a domain controller is a global catalog server. After you initially enable the global catalog on a domain controller, it can take some time for all of the read-only naming contexts to replicate to it, depending on the number of domains, the volume of directory data, and the underlying network topology.
Query the isGlobalCatalogReady attribute on the RootDSE for the domain controller. A TRUE value means the server is a global catalog and a FALSE value indicates it is not.
For more information on how to query the RootDSE, see .
You can also check the Directory Services Event Log in the Event Viewer MMC for the presence of Event ID 1119, whose text reads as follows:
"This Windows Domain Controller is now a Global Catalog Server"

Using the Registry

To confirm that GC promotion has completed, check the value of the following Registry key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\
Global Catalog Promotion Complete: REG_DWORD - "1" if complete, "0" if not.

Using a command-line interface

To confirm that a domain controller in the adatum.com domain is functioning as a global catalog server, use nltest with the following syntax:
> nltest /dsgetdc:adatum.com
If the DC in question is functioning as a GC, you’ll see output similar to the following:
C:\>nltest /dsgetdc:adatum.com
           DC: \\dc1.adatum.com
      Address: \\10.0.0.1
     Dom Guid: ac0e4884-cf79-4c9d-8cd9-817e3bfdab54
     Dom Name: adatum.com
  Forest Name: adatum.com
 Dc Site Name: Raleigh
Our Site Name: Raleigh
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully

Using PowerShell

$dcname = "<DomainControllerName>"
$username = "<Username>"
$pass = "<Password>"
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer',$dcname,$username,$pass)
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
$dc.IsGlobalCatalog()
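The three indicators this recipe describes (the RootDSE attribute, the NTDS registry value and event 1119) combined into one PowerShell check, as an added example that is not part of the book; Get-GcPromotionStatus and Resolve-GcStatus are assumed names and <DomainControllerName> is a placeholder.

```powershell
# Added example, not from the book. Function names are assumptions;
# <DomainControllerName> is a placeholder.

# Pure decision logic over the indicators this recipe describes.
function Resolve-GcStatus {
    param([bool]$RootDseReady, [int]$RegistryComplete)
    if ($RootDseReady -and $RegistryComplete -eq 1) { return 'Complete' }
    if (-not $RootDseReady -and $RegistryComplete -ne 1) { return 'NotReady' }
    # The two disagree (for example the registry still says 1 right after the GC
    # was disabled again); do not trust either one alone.
    return 'Inconsistent'
}

function Get-GcPromotionStatus {
    param([Parameter(Mandatory)][string]$DomainController)

    # 1. isGlobalCatalogReady on the RootDSE, read over LDAP
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    $ready   = "$($rootDse.isGlobalCatalogReady)" -eq 'TRUE'

    # 2. The NTDS registry value, read remotely through StdRegProv
    $HKLM    = [uint32]2147483648        # HKEY_LOCAL_MACHINE
    $reg     = [wmiclass]"\\$DomainController\root\default:StdRegProv"
    $regDone = [int]$reg.GetDWORDValue($HKLM,
                   'SYSTEM\CurrentControlSet\Services\NTDS\Parameters',
                   'Global Catalog Promotion Complete').uValue

    # 3. Most recent event 1119 in the Directory Service log, if one exists
    $evt  = Get-WinEvent -ComputerName $DomainController -MaxEvents 1 -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119 }
    $last = if ($evt) { $evt.TimeCreated } else { $null }

    [pscustomobject]@{
        DomainController = $DomainController
        RootDseReady     = $ready
        RegistryComplete = $regDone
        LastEvent1119    = $last
        Status           = Resolve-GcStatus -RootDseReady $ready -RegistryComplete $regDone
    }
}

# Usage: Get-GcPromotionStatus -DomainController '<DomainControllerName>'
```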
End of content preview. The rest of this section is not viewable here.
Finding the Global Catalog Servers in a Forest
Content preview
You want a list of the global catalog servers in a forest.

Using a graphical user interface

  1. Open LDP and from the menu select Connection→Connect.
  2. For Server, enter the name of a DC.
  3. For Port, enter 389.
  4. Click OK.
  5. From the menu select Connection→Bind.
  6. Enter the credentials of a domain user.
  7. Click OK.
  8. From the menu select Browse→Search.
  9. For BaseDN, type the DN of the Sites container, for example, cn=sites,cn=configuration,dc=adatum,dc=com.
  10. For Scope, select Subtree.
  11. For Filter, enter (&(objectcategory=ntdsdsa)(options=1)).
  12. Click Run.

Using a command-line interface

To enumerate all GCs in a forest using DSQuery, use the following syntax:
> dsquery server -forest -isgc
You can also use AdFind as follows:
> adfind -sites -f "(&(objectcategory=ntdsdsa)(options:AND:=1))" -bit -dn

Using VBScript

' This code prints the global catalog servers for the specified forest.
' ------ SCRIPT CONFIGURATION -----
strForestName = "<ForestDNSName>" ' e.g. rallencorp.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strForestName & "/" & "RootDSE")
strADsPath = "<LDAP://" & objRootDSE.Get("configurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=ntdsdsa)(options=1));"
strAttrs   = "distinguishedname;"
strScope   = "SubTree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
while not objRS.EOF
    set objNTDS = GetObject("LDAP://" & objRS.Fields(0).Value)
    set objServer = GetObject( objNTDS.Parent )
    WScript.Echo objServer.Get("dNSHostName")
    objRS.MoveNext
wend

Using PowerShell

To find all global catalogs in the current domain, use the following syntax:
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dom.FindAllDomainControllers() | where { $_.IsGlobalCatalog() -eq $true }
To find all global catalogs in the forest, use the following:
$for = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$for.FindAllGlobalCatalogs()
End of content preview. The rest of this section is not viewable here.
Finding the Domain Controllers or Global Catalog Servers in a Site
Content preview
You want a list of the domain controllers or global catalog servers in a specific site.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).
  2. In the right pane, expand the site that contains the domain controller.
  3. For the list of domain controllers, expand the Servers container.
  4. To find the global catalog servers, expand each domain controller, right-click on NTDS Settings, and select Properties.
  5. Global catalog servers will have the box beside Global Catalog checked.

Using a command-line interface

The following query finds all domain controllers in the specified site:
> adfind -sites -rb cn=<SiteName> -f (objectcategory=ntdsdsa)
To find only the global catalog servers in a site, use the same command with the -bit option enabled to perform a bitwise search for a 1 in the options attribute:
> adfind -sites -rb cn=<SiteName> -f "(&(objectcategory=ntdsdsa)(options:AND:=1))" -bit

Using VBScript

' This code prints the domain controllers in a site and then
' prints the global catalog servers in the site
' ------ SCRIPT CONFIGURATION -----
strSite = "<SiteName>" ' e.g. Default-First-Site-Name
strForest = "<ForestDNSName>" ' e.g. rallencorp.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strForest & "/RootDSE")
strADsPath = "<LDAP://cn=servers,cn=" & strSite & ",cn=sites," & _
              objRootDSE.Get("configurationNamingContext") & ">;"
strFilter  = "(objectcategory=ntdsdsa);"
strAttrs   = "distinguishedName;"
strScope   = "SubTree"

WScript.Echo "Domain controllers in " & strSite & ":"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
while not objRS.EOF
    set objNTDS = GetObject("LDAP://" & objRS.Fields(0).Value)
    set objServer = GetObject( objNTDS.Parent )
    WScript.Echo " " & objServer.Get("dNSHostName")
    objRS.MoveNext
wend

' Global Catalog filter
strFilter = "(&(objectcategory=ntdsdsa)(options=1));"
WScript.Echo ""
WScript.Echo "Global Catalogs in " & strSite & ":"
set objRS = objConn.Execute(strADsPath & strFilter & strAttrs & strScope)
objRS.MoveFirst
while not objRS.EOF
    set objNTDS = GetObject("LDAP://" & objRS.Fields(0).Value)
    set objServer = GetObject( objNTDS.Parent )
    WScript.Echo " " & objServer.Get("dNSHostName")
    objRS.MoveNext
wend
End of content preview. The rest of this section is not viewable here.
Finding Domain Controllers and Global Catalogs via DNS
Content preview
You want to find domain controllers or global catalogs using DNS lookups.
Domain controllers and global catalog servers are represented in DNS as SRV records. You can query SRV records using nslookup by setting type=SRV, as in the following session:
> nslookup
Default Server: dns01.adatum.com
Address: 10.1.2.3

> set type=SRV
You then need to issue the following query to retrieve all domain controllers for the specified domain:
> _ldap._tcp.<DomainDNSName>
You can issue a similar query to retrieve global catalogs, but since they are forest-wide, the query is based on the forest name:
> _gc._tcp.<ForestDNSName>
An alternate query to find Global Catalogs via nslookup would be to query for _gc._msdcs.<ForestDNSName>.
You can even find the domain controllers or global catalogs that are in a particular site or that cover a particular site by querying the following:
> _ldap._tcp.<SiteName>._sites.<DomainDNSName>

> _gc._tcp.<SiteName>._sites.<ForestDNSName>
See for more information on site coverage.
One of the benefits of Active Directory over its predecessor Windows NT is that it relies on DNS for name resolution, which is the standard for name resolution on the Internet and on most TCP/IP-based networks. Active Directory uses DNS to locate servers that serve a particular function, such as a domain controller for a domain, global catalog server, PDC Emulator, or KDC. It also uses the site topology information stored in Active Directory to populate site-specific records for domain controllers.
The DC locator process relies on this information in DNS to direct clients to the most optimal server when logging in. Reliance on DNS makes it easy to troubleshoot problems related to clients finding domain controllers. If you know the site a client is in, you can make a few DNS queries to determine which domain controller they should be using to authenticate.
The resource records that a domain controller registers in DNS can be restricted, if you have a lag site configured, for example, so querying DNS may return only a subset of the actual domain controllers that are available. See Recipes and for more information.
End of content preview. The rest of this section is not viewable here.
Changing the Preference for a Domain Controller
Content preview
You want a particular domain controller to be used less frequently for client requests or not at all. This may be necessary if a particular domain controller is overloaded, perhaps due to numerous application requests.
You can modify the Priority or Weight fields in SRV resource records by modifying the registry on the domain controller. Open regedit or regedt32 on the domain controller and browse to the following key: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. To configure the priority, add a REG_DWORD with the name LdapSrvPriority. To configure the weight, add a REG_DWORD with the name LdapSrvWeight.
After you make the change, the %SystemRoot%\System32\Config\netlogon.dns file should be updated and the DDNS updates sent to the DNS server within an hour. You can also restart the NetLogon service to expedite the process.
Each domain controller registers several SRV records that clients use as part of the DC locator process to find the closest domain controller. Two fields of the SRV record let clients determine which server to use when multiple possibilities are returned. The Priority field is used to dictate if a specific server or set of servers should always be contacted over others unless otherwise unavailable. A server with a higher priority (i.e., lower Priority field value) will always be contacted before a server with a lower priority. For example, if DC1 has an SRV priority of 5 and DC2 has an SRV priority of 10, DC1 will always be used unless it is unavailable.
The Weight field, on the other hand, determines the percentage of time clients should use a particular server. You can easily calculate the percentage by dividing the weight by the sum of all weights for servers with the same priority. If servers DC1, DC2, and DC3 have weights of 1, 2, and 3, respectively, then DC1 will be contacted one out of six times, or 1/6 (1 / (3 + 2 + 1)); DC2 will be contacted two out of every six times, or 1/3 (2 / (3 + 2 + 1)); and DC3 will be contacted three out of every six times, or 1/2 (3 / (3 + 2 + 1)). Here is an example of how the SRV records look with these weights:
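The two preceding recipes (locating DCs and GCs through their SRV records, and the Priority/Weight selection rule) worked through in PowerShell, as an added example that is not from the book: Get-SrvSelectionShare computes the share of client selections each target receives from a set of SRV records, and Get-DcSrvRecord fetches the records with Resolve-DnsName (available on Windows 8/Server 2012 and later). Function names are assumptions and the sample records are constructed.

```powershell
# Added example, not from the book. Function names are assumptions.

# Computes, for a set of SRV records, the fraction of client selections each
# target should receive. Only the lowest Priority value is used while those
# targets answer; targets with a higher Priority value get a share of 0 (fallback).
function Get-SrvSelectionShare {
    param([Parameter(Mandatory)][object[]]$Records)   # objects with NameTarget, Priority, Weight
    $best      = ($Records | Measure-Object -Property Priority -Minimum).Minimum
    $preferred = @($Records | Where-Object { $_.Priority -eq $best })
    $sum       = ($preferred | Measure-Object -Property Weight -Sum).Sum
    foreach ($r in ($Records | Sort-Object Priority, NameTarget)) {
        $share = if ($r.Priority -ne $best) { 0.0 }
                 elseif ($sum -eq 0) { 1.0 / $preferred.Count }   # RFC 2782: all weights 0 means equal chance
                 else { $r.Weight / $sum }
        [pscustomobject]@{
            NameTarget = $r.NameTarget
            Priority   = $r.Priority
            Weight     = $r.Weight
            Share      = [math]::Round($share, 4)
        }
    }
}

# Queries the locator records for a domain (or one site in it). Resolve-DnsName
# returns SRV records with NameTarget, Priority, Weight and Port properties and
# may append A records for the targets, which are filtered out here.
function Get-DcSrvRecord {
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,
        [string]$SiteName,
        [switch]$GlobalCatalog     # _gc._tcp (forest-wide) instead of _ldap._tcp
    )
    $service = if ($GlobalCatalog) { '_gc._tcp' } else { '_ldap._tcp' }
    $name = if ($SiteName) { "$service.$SiteName._sites.$DomainDnsName" }
            else { "$service.$DomainDnsName" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port
}

# Constructed sample matching the discussion: DC1/DC2/DC3 at Priority 0 with
# Weights 1, 2 and 3, plus a lag-site DC pushed back with LdapSrvPriority = 200.
$sample = @(
    [pscustomobject]@{ NameTarget = 'dc1.adatum.com';  Priority = 0;   Weight = 1 }
    [pscustomobject]@{ NameTarget = 'dc2.adatum.com';  Priority = 0;   Weight = 2 }
    [pscustomobject]@{ NameTarget = 'dc3.adatum.com';  Priority = 0;   Weight = 3 }
    [pscustomobject]@{ NameTarget = 'lag1.adatum.com'; Priority = 200; Weight = 100 }
)
Get-SrvSelectionShare -Records $sample | Format-Table -AutoSize

# Live use against the records a site's clients actually receive:
# Get-SrvSelectionShare -Records (Get-DcSrvRecord -DomainDnsName 'adatum.com' -SiteName 'Raleigh')
```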
End of content preview. The rest of this section is not viewable here.
Disabling the Global Catalog Requirement During
Content preview
You want to disable the requirement for a global catalog server to be reachable when a user logs into a Windows 2000, Windows Server 2003, or Windows Server 2008 domain.

Using a graphical user interface

  1. Open the Registry Editor (regedit).
  2. In the left pane, expand HKEY_LOCAL_MACHINE→SYSTEM→CurrentControlSet→Control.
  3. Right-click on LSA and select New→Key.
  4. Enter IgnoreGCFailures for the key name and hit Enter.
  5. Restart the server.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures /ve

> shutdown /r

Using VBScript

' This code enables the IgnoreGCFailures registry setting and reboots
strLSA = "HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures\"
Set objWSHShell = WScript.CreateObject("WScript.Shell")
' A trailing backslash makes RegWrite create a key rather than a value
objWSHShell.RegWrite strLSA, ""
WScript.Echo "Successfully created key"
WScript.Echo "Rebooting server . . . "
objWSHShell.Run "rundll32 shell32.dll,SHExitWindowsEx 2"
Beginning with Windows 2000 native mode, a global catalog server must be contacted for every login attempt; otherwise, the login will fail (unless there is no network connectivity, which would result in a user being logged on with cached credentials). This is necessary to process all universal security groups a user may be a member of. When a client attempts to authenticate with a domain controller, that domain controller contacts a global catalog server behind the scenes to enumerate the user’s universal groups. (See for more details.) If you have domain controllers in remote sites and they are not enabled as global catalog servers, you may run into a situation where users cannot log in if the network connection to the network with the closest global catalog server fails.
The only option you have available with Windows 2000 is to have the domain controllers ignore GC lookup failures ( provides a different solution for Windows Server 2003 and Windows Server 2008).
You can do this by adding an IgnoreGCFailures registry key under HKLM\SYSTEM\CurrentControlSet\Control\LSA
End of content preview. The rest of this section is not viewable here.
Disabling the Global Catalog Requirement for Windows Server 2003 or Windows Server 2008
Content preview
You want to disable the requirement for a global catalog server to be reachable when a user logs into a Windows 2003 or Windows Server 2008 domain.
This recipe requires a minimum of Windows Server 2003 forest functional level.
See for information on enabling universal group caching, which can reduce the need to contact a global catalog server during logon for universal group expansion.
End of content preview. The rest of this section is not viewable here.
Finding the FSMO Role Holders
Content preview
You want to find the domain controllers that are acting as one of the FSMO roles.

Using a graphical user interface

For the Schema Master:
  1. Open the Active Directory Schema snap-in.
  2. Right-click on Active Directory Schema in the left pane and select Operations Master.
For the Domain Naming Master:
  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).
  2. Right-click on Active Directory Domains and Trusts in the left pane and select Operations Master.
For the PDC Emulator, RID Master, and Infrastructure Master:
  1. Open the Active Directory Users and Computers snap-in (dsa.msc).
  2. Make sure you’ve targeted the correct domain.
  3. Right-click on Active Directory Users and Computers in the left pane and select Operations Master.
  4. There are individual tabs for the PDC, RID, and Infrastructure roles.

Using a command-line interface

In the following command, you can leave out the /Domain:<DomainDNSName> option to query the domain you are currently logged into:
> netdom query fsmo /Domain:<DomainDNSName>
To query the owner of an individual FSMO role, you can use the dsquery server command shown here, where <Role> can be schema, name, infr, pdc, or rid:
> dsquery server -hasfsmo <Role>
You can also obtain fsmo information using AdFind, as follows:
> adfind -sc fsmo

Using VBScript

' This code prints the FSMO role
' owners for the specified domain.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. emea.rallencorp.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")
strSchemaDN = objRootDSE.Get("schemaNamingContext")
strConfigDN = objRootDSE.Get("configurationNamingContext")

' PDC Emulator
set objPDCFsmo = GetObject("LDAP://" & strDomainDN)
WScript.Echo "PDC Emulator: " & objPDCFsmo.fsmoroleowner

' RID Master
set objRIDFsmo = GetObject("LDAP://cn=RID Manager$,cn=system," & strDomainDN)
WScript.Echo "RID Master: " & objRIDFsmo.fsmoroleowner

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
WScript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' Infrastructure Master
set objInfraFsmo = GetObject("LDAP://cn=Infrastructure," & strDomainDN)
WScript.Echo "Infrastructure Master: " & objInfraFsmo.fsmoroleowner

' Domain Naming Master
set objDNFsmo = GetObject("LDAP://cn=Partitions," & strConfigDN)
WScript.Echo "Domain Naming Master: " & objDNFsmo.fsmoroleowner
End of content preview. The rest of this section is not viewable here.
Transferring a FSMO Role
Content preview
You want to transfer a FSMO role to a different domain controller. This may be necessary if you need to take a current FSMO role holder down for maintenance.

Using a graphical user interface

  1. Use the same directions as described in for viewing a specific FSMO, except target (i.e., right-click and select Connect to Domain Controller) the domain controller you want to transfer the FSMO to before selecting Operations Master.
  2. Click the Change button.
  3. Click OK twice.
  4. You should then see a message stating whether the transfer was successful.

Using a command-line interface

The following would transfer the PDC Emulator role to <NewRoleOwner> (see to see about transferring the other roles):
> ntdsutil roles conn "co t s <NewRoleOwner>" q "transfer PDC" q q

Using VBScript

' This code transfers the PDC Emulator role to the specified owner.
' See the discussion to see about
' transferring the other roles.
' ------ SCRIPT CONFIGURATION ------
strNewOwner = "<NewRoleOwner>" ' e.g. dc2.rallencorp.com
' ------ END CONFIGURATION ---------

Set objRootDSE = GetObject("LDAP://" & strNewOwner & "/RootDSE")
Set domainNC = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
domainSID = domainNC.objectSid
' Writing the domain SID to the becomePDC operational attribute on the new
' owner's RootDSE asks that DC to take the role
objRootDSE.Put "becomePDC", domainSID
objRootDSE.SetInfo

Using PowerShell

The following code will transfer the PDC Emulator role to another DC:
$dom = [ADSI]""
$domainSID = $dom.objectSID.Value
$dcDSE = [ADSI]"LDAP://<DC>/rootDSE"
$role = "becomePdc"
$dcDSE.Put($role,$domainSID)
$dcDSE.SetInfo()
The following will transfer the RID Master role to another DC; the same syntax, with becomeSchemaMaster, becomeDomainMaster, or becomeInfrastructureMaster as the operational attribute, can be used for all FSMO role holders except for the PDC Emulator:
$dcDSE = [ADSI]"LDAP://<DC>/rootDSE"
$role = "becomeRidMaster"
$dcDSE.Put($role,1)
$dcDSE.SetInfo()
The first domain controller in a new forest is assigned the two forest-wide FSMO roles (schema and domain naming). The first domain controller in a new domain gets the other three domain-wide roles. It is very likely you’ll need to move the roles around to different domain controllers at some point. Also, when you need to decommission a domain controller that is currently a FSMO role owner (either permanently or for a significant period of time), you’ll want to transfer the role beforehand.
End of content preview. The rest of this section is not viewable here.
Seizing a FSMO Role
Content preview
You need to seize a FSMO role because the current role holder is down and will not be restored.

Using a command-line interface

The following would seize the PDC Emulator role to <NewRoleOwner>:
> ntdsutil roles conn "co t s <NewRoleOwner>" q "seize PDC" q q
Any of the other roles can be seized as well using ntdsutil by replacing "seize PDC" in the previous solution with one of the following:
  • "seize domain naming master"
  • "seize infrastructure master"
  • "seize RID master"
  • "seize schema master"

Using VBScript

Seizing a FSMO role is typically not something you would want to do programmatically, but you could. All you need to do is set the fSMORoleOwner attribute for the object that represents the FSMO role (as described in ) with the distinguished name of nTDSDSA object of the new role owner. However, this can be an extremely dangerous operation in the case of the RID Master FSMO, since it maintains extensive information that needs to be gracefully moved from one DC to another to avoid corruption of the AD database. In the case of the RID master, you should use ntdsutil to transfer or seize the role whenever possible.
Seizing a FSMO role should not be done lightly. The general recommendation is to seize a FSMO role only when you cannot possibly bring the previous role holder back online. One reason that seizing a role is problematic is that you could possibly lose data. For example, let’s say that you extended the schema and immediately after it was extended the Schema FSMO went down. If you could not bring that server back online, those extensions may not have replicated before the server went down. You would need to determine if any of the schema extensions replicated and, if not, re-extend the schema. Other issues can result from losing the RID FSMO, where duplicate RID pools may be allocated. See for more information.
for finding FSMO role holders, for transferring a FSMO role, MS KB 223787 (Flexible Single Master Operation Transfer and Seizure Process), and MS KB 255504 (Using Ntdsutil.exe to Seize or Transfer FSMO Roles to a Domain Controller)
Finding the PDC Emulator FSMO Role Owner via DNS
You want to find the PDC Emulator for a domain using DNS.

Using a command-line interface

> nslookup -type=SRV _ldap._tcp.pdc._msdcs.<DomainDNSName>
The PDC Emulator FSMO role is the only FSMO role that is stored in DNS. Like many of the other Active Directory-related DNS records, the PDC record is stored as an SRV record under _ldap._tcp.pdc._msdcs.<DomainDNSName> where <DomainDNSName> is the domain the PDC is in. This allows your Active Directory clients to use normal DNS name resolution to locate the PDC Emulator for their domain.
for finding domain controllers via DNS
Finding the PDC Emulator FSMO Role Owner via WINS
You want to find the PDC Emulator for a domain using WINS.

Using a command-line interface

> netsh wins server \\<WINS server> show name netbiosname 1b
In addition to registering a record with DNS, the PDC Emulator FSMO role will also register a record with a WINS server if it is configured to point to one. The PDC Emulator will register a record called "<DomainName> 1b"; this record corresponds to the Domain Master Browser record for the Browser service. Since the PDC Emulator will always be the domain master browser, this allows any downlevel clients to locate the PDC Emulator using NetBIOS name resolution.
for finding the PDC Emulator via DNS
Chapter 4: Searching and Manipulating Objects
Active Directory is based on the Lightweight Directory Access Protocol (LDAP) and supports the LDAP version 3 specification defined in RFC 2251. And while many of the AD tools and interfaces, such as ADSI, abstract and streamline LDAP operations to make things easier, any good AD administrator or developer must have a thorough understanding of LDAP to fully utilize Active Directory. This chapter will cover some of the LDAP-related tasks you may need to perform when working with Active Directory, along with other tasks related to searching and manipulating objects within the directory.
The Active Directory schema is composed of a hierarchy of classes that define the types of objects that can be created within Active Directory, as well as the different attributes that they can possess. These classes support inheritance, which enables developers to reuse existing class definitions for more than one type of object; for example, the description attribute is available with every type of AD object, but the attribute itself is only defined once within the schema. At the top of the inheritance tree is the top class, from which every class in the schema is derived. contains a list of some of the attributes that are available from the top class, and subsequently are defined on every object that is created in Active Directory.
Table: Common attributes of objects

  Attribute     Description
  cn            RDN attribute for most object classes, also referred to as the common name.
  whenCreated   Timestamp when the object was created. See for more information.
  description   Multivalued attribute that can be used as a generic field for storing a description of the object. Although this attribute is multivalued, objects such as users and groups can only have one value populated due to legacy support requirements.
  displayName   Name of the object displayed in administrative interfaces.
Viewing the RootDSE
You want to view attributes of the RootDSE, which can be useful for discovering basic information about a forest, domain, or domain controller without hardcoding the name of a particular naming context into a query.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools. (LDP is installed by default on a Windows Server 2008 domain controller.)
  2. From the menu, select Connection→Connect.
  3. For Server, enter a domain controller or domain name, or leave it blank to do a serverless bind.
  4. For Port, enter 389.
  5. Click OK.
  6. The contents of the RootDSE will be shown in the right pane.

Using a command-line interface

To display the RootDSE of a domain controller using AdFind, use the following syntax:
> adfind -rootdse
You’ll see results similar to the following (truncated for readability):
>currentTime: 20051130204431.0Z
>subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=contoso,DC=com
>dsServiceName: CN=NTDS Settings,CN=2K3-SP1-R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
>namingContexts: DC=contoso,DC=com
>namingContexts: CN=Configuration,DC=contoso,DC=com
>namingContexts: CN=Schema,CN=Configuration,DC=contoso,DC=com
>namingContexts: DC=DomainDnsZones,DC=contoso,DC=com
>namingContexts: DC=ForestDnsZones,DC=contoso,DC=com
>defaultNamingContext: DC=contoso,DC=com
>schemaNamingContext: CN=Schema,CN=Configuration,DC=contoso,DC=com
>configurationNamingContext: CN=Configuration,DC=contoso,DC=com
>rootDomainNamingContext: DC=contoso,DC=com
>serverName: CN=2K3-SP1-R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
>supportedCapabilities: 1.2.840.113556.1.4.800
>supportedCapabilities: 1.2.840.113556.1.4.1670
>supportedCapabilities: 1.2.840.113556.1.4.1791
>isSynchronized: TRUE
>isGlobalCatalogReady: TRUE
>domainFunctionality: 0
>forestFunctionality: 0
>domainControllerFunctionality: 2

Using VBScript

' This code prints the
' attributes of the RootDSE
set objRootDSE = GetObject("LDAP://RootDSE")
objRootDSE.GetInfo
for i = 0 to objRootDSE.PropertyCount - 1
    set strProp = objRootDSE.Item(i)
    WScript.Echo strProp.Name & " "
    for each strPropval in strProp.Values
       WScript.Echo " " & strPropval.CaseIgnoreString
    next
next
Viewing the Attributes of an Object
You want to view one or more attributes of an object.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools or from the Windows Server 2008 command prompt.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name or IP address of a domain controller or domain that contains the object.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user who can view the object (if necessary).
  8. Click OK.
  9. From the menu, select View→Tree.
  10. For BaseDN, type the DN of the object you want to view.
  11. For Scope, select Base.
  12. Click OK.

Using a command-line interface

To obtain a list of attributes for a particular object using DSQuery, use the following syntax:
> dsquery * "<ObjectDN>" -scope base -attr *
For Windows 2000, use this command:
> enumprop "LDAP://<ObjectDN>"
To query for an object using AdFind, use the following syntax:
> adfind -b <Parent Container DN> -f cn=<Object CN> -tdcgt
For example, querying for the administrator user object produces the following output:
C:\>adfind -b dc=contoso,dc=com -f cn=administrator -tdc -tdcgt

AdFind V01.27.00cpp Joe Richards (joe@joeware.net) November 2005

Using server: 2k3-sp1-r2.contoso.com:389
Directory: Windows Server 2003

dn:CN=Administrator,CN=Users,DC=contoso,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: Administrator
>description: Built-in account for administering the computer/domain
>distinguishedName: CN=Administrator,CN=Users,DC=contoso,DC=com
>instanceType: 4
>whenCreated: 05/26/2008-12:13:15 Eastern Daylight Time
>whenChanged: 05/26/2008-12:13:15 Eastern Daylight Time
>uSNCreated: 8194
>memberOf: CN=Group Policy Creator Owners,CN=Users,DC=contoso,DC=com
>memberOf: CN=Domain Admins,CN=Users,DC=contoso,DC=com
>memberOf: CN=Enterprise Admins,CN=Users,DC=contoso,DC=com
>memberOf: CN=Schema Admins,CN=Users,DC=contoso,DC=com
>memberOf: CN=Administrators,CN=Builtin,DC=contoso,DC=com
>uSNChanged: 13905
>name: Administrator
>objectGUID: {A5C30B01-535C-4BCF-83C1-ABA5D445B9F6}
>userAccountControl: 66048
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 05/26/2008-23:09:03 Eastern Daylight Time
>pwdLastSet: 5/17/2008-18:09:27 Eastern Daylight Time
>primaryGroupID: 513
>objectSid: S-1-5-21-751427308-4037830757-4109730475-500
>adminCount: 1
>accountExpires: 00/00/0000-00:00:00
>logonCount: 7
>sAMAccountName: Administrator
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=contoso,DC=com
>isCriticalSystemObject: TRUE

1 Objects returned
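The AdFind listings shown in this recipe and in the RootDSE recipe share one format: an optional dn: line followed by ">attribute: value" lines, with multivalued attributes repeated once per value. The parser below is an added example, not code from the book or from AdFind; its two sample inputs are constructed by trimming the output shown above, and the helper functions (rid, group_names) are illustrative names of my own.

```python
"""Parse the attribute listing that AdFind prints (">attribute: value" lines).

Added example, not code from the book: a small parser for the output shown in
the RootDSE and object-attribute recipes, plus helpers that pull out the values
an administrator usually wants from it (naming contexts, group membership, RID).
"""
from collections import defaultdict

# Constructed samples, trimmed from the adfind output shown in the recipes above.
ROOTDSE_OUTPUT = """\
AdFind V01.27.00cpp Joe Richards (joe@joeware.net) November 2005

Using server: 2k3-sp1-r2.contoso.com:389
Directory: Windows Server 2003

>currentTime: 20051130204431.0Z
>namingContexts: DC=contoso,DC=com
>namingContexts: CN=Configuration,DC=contoso,DC=com
>namingContexts: CN=Schema,CN=Configuration,DC=contoso,DC=com
>namingContexts: DC=DomainDnsZones,DC=contoso,DC=com
>namingContexts: DC=ForestDnsZones,DC=contoso,DC=com
>defaultNamingContext: DC=contoso,DC=com
>isGlobalCatalogReady: TRUE
>domainFunctionality: 0
"""

USER_OUTPUT = """\
dn:CN=Administrator,CN=Users,DC=contoso,DC=com
>objectClass: top
>objectClass: user
>cn: Administrator
>memberOf: CN=Domain Admins,CN=Users,DC=contoso,DC=com
>memberOf: CN=Enterprise Admins,CN=Users,DC=contoso,DC=com
>memberOf: CN=Administrators,CN=Builtin,DC=contoso,DC=com
>userAccountControl: 66048
>objectSid: S-1-5-21-751427308-4037830757-4109730475-500
>adminCount: 1

1 Objects returned
"""


def parse_adfind(text):
    """Return one dict per object, mapping attribute name -> list of values.

    A 'dn:' line opens a new record; attribute lines begin with '>'. Repeated
    attributes (namingContexts, memberOf, objectClass) accumulate as lists.
    RootDSE output has no dn: line, so its attributes land in a record without
    a 'dn' key. Banner, 'Using server:' and 'N Objects returned' lines are skipped.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current = defaultdict(list)
            current["dn"].append(line[3:].strip())
            records.append(current)
        elif line.startswith(">"):
            if current is None:          # RootDSE: attributes without a dn line
                current = defaultdict(list)
                records.append(current)
            attr, _, value = line[1:].partition(":")   # first colon ends the name
            current[attr.strip()].append(value.strip())
        # any other line is AdFind banner or footer text
    return [dict(r) for r in records]


def rid(sid):
    """Relative identifier: the last sub-authority of an objectSid string.
    Well-known RIDs such as 500 (built-in Administrator) survive a rename."""
    return int(sid.rsplit("-", 1)[1])


def group_names(record):
    """CN of each group listed in memberOf, e.g. 'Domain Admins'."""
    return [dn.split(",")[0].split("=", 1)[1] for dn in record.get("memberOf", [])]


if __name__ == "__main__":
    rootdse = parse_adfind(ROOTDSE_OUTPUT)[0]
    print("naming contexts:", rootdse["namingContexts"])
    user = parse_adfind(USER_OUTPUT)[0]
    print(user["dn"][0], "RID", rid(user["objectSid"][0]), "groups", group_names(user))
```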
Counting Objects in Active Directory
You want to retrieve the number of directory objects that meet the result of an LDAP query.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name or IP address of a domain controller or domain that contains the object.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user who can view the object (if necessary).
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. Enter the base DN, scope, and the LDAP filter of the objects that you’re looking for.
  11. Click on Options and remove the checkmark next to Display Results. This will display the number of objects returned by the query without displaying the details of the items that are returned.
  12. Click OK and then click Run to perform the query.

Using a command-line interface

To retrieve a count of objects that match a particular query, use the following syntax:
> adfind -b <Search Base> -s <Scope> -f <Search Filter> -c
For example, retrieving the number of user objects in the adatum.com domain would use the following syntax:
> adfind -default -f "(&(objectclass=user)(objectcategory=person))" -c

AdFind V01.27.00cpp Joe Richards (joe@joeware.net) November 2005

Using server: 2k3-sp1-r2.adatum.com:389
Directory: Windows Server 2003
Base DN: DC=adatum,DC=com

5 Objects returned

Using VBScript

' This code lists the number of objects
' returned based on the specified criteria.
' ------ SCRIPT CONFIGURATION ------
strBase    = "<LDAP://<BaseDN>>;" ' BaseDN should be the search base
strFilter  = "<Filter>;"           ' Valid LDAP search filter
strAttrs   = "<AttrList>;"         ' Comma-separated list
strScope   = "<Scope>"             ' Should be one of Subtree, Onelevel, or Base
' ------ END CONFIGURATION ---------

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
Wscript.Echo(objRS.RecordCount & " objects returned.")
Using LDAP Controls
You want to use an LDAP control as part of an LDAP operation.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Options→Controls.
  3. For the Windows Server 2003 version of LDP, select the control you want to use under Load Predefined. The control should automatically be added to the list of Active Controls.
    For the Windows 2000 version of LDP, you’ll need to type the object identifier (OID) of the control under Object Identifier.
  4. Enter the value for the control under Value.
  5. Select whether the control is server- or client-side under Control Type.
  6. Check the box beside Critical if the control is critical.
  7. Click the Check-in button.
  8. Click OK.
  9. At this point, you will need to invoke the LDAP operation (e.g., Search) that will use the control. In the dialog box for any operation, be sure that the “Extended” option is checked before initiating the operation.

Using a command-line interface

The AdFind and AdMod utilities will enable a number of LDAP controls, either by default or through the use of various command-line switches. For example, the -showdel switch will invoke the Show Deleted Objects LDAP control, and -stats will invoke the Show Stats control.

Using VBScript

None of the ADSI automation interfaces directly expose LDAP controls. That means they cannot be utilized from VBScript. On the other hand, many of the controls, such as paged searching or deleting a subtree, are wrapped within their own ADSI methods that can be used within VBScript.
Any LDAP-based API, such as the Perl Net::LDAP modules, can be used to set controls as part of LDAP operations.

Using PowerShell

You can leverage LDAP controls within the current version of PowerShell by setting various properties on a DirectorySearcher object, such as the Tombstone property to return deleted objects, the ReferralChasing property, etc. For example, the following code will search for deleted objects that have an
Using a Fast or Concurrent Bind
You want to perform an LDAP bind using a concurrent bind, also known as a fast bind. Concurrent binds are typically used in situations where you need to authenticate a lot of users, and those users either do not need to directly access the directory or else the directory access is done with another account.
This capability was added in Windows Server 2003.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a DC.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Options→Connection Options.
  7. Under Option Name: select LDAP_OPT_FAST_CONCURRENT_BIND.
  8. Click the Set button.
  9. From the menu, select Connection→Bind.
  10. Enter credentials of a user.
  11. Click OK.
Unlike simple binding, concurrent binding does not generate a security token or determine a user’s group memberships during the authentication process. It only determines whether the authenticating user has a valid, enabled account and password, which makes it much faster than a typical bind. It is usually used programmatically, by applications that authenticate users against AD, to improve the speed of authentication; it’s not something that you’ll typically do on the fly. Concurrent binding is implemented as a session option that is set after you establish a connection to a domain controller, but before any bind attempts are made. After the option has been set, any bind attempt made with the connection will be a concurrent bind.
There are a couple of caveats when using concurrent binds. First, you cannot enable signing or encryption, which means that all data for concurrent binds will be sent over the network in clear text. Second, because the user’s security token is not generated, access to the directory is done anonymously and access restrictions are based on the ANONYMOUS LOGON principal.
It is worth mentioning that there is another type of bind—a fast bind—which has been available since Windows 2000, but it is completely different from the procedure just described. This fast bind is implemented within ADSI, and simply means that when you fast bind to an object, the
Connecting to an Object GUID
You want to bind to a container using its Globally Unique Identifier (GUID).

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, enter the GUID of the object that you’re searching for in the following format:
    <GUID=758A39F4A44A0C48A16016457C1AE9E9>
  11. For Scope, select the appropriate scope.
  12. For Filter, enter an LDAP filter.
  13. Click Run.

Using a command-line interface

> adfind -b "<GUID=ObjectGUID>"

Using VBScript

' This code illustrates how to bind to an object GUID.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. apac.adatum.com
strGUID = "<GUID>"            ' e.g. "aa312825768811d1aded00c04fd8d5cd"
                              ' for the default Computers container
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objContainer = GetObject("LDAP://<GUID=" & _
                             strGUID & "," & _
                             objRootDSE.Get("defaultNamingContext") & ">" )
WScript.Echo objContainer.Get("distinguishedName")

Using PowerShell

$obj = [System.DirectoryServices.DirectoryEntry] "LDAP://<GUID=<ObjectGUID>>"
Each object in Active Directory has a GUID associated with it, stored in the objectGUID attribute. The GUID is for most purposes a unique identifier that retains its value even if an object is updated, renamed, or moved. This makes the GUID the preferable means of binding to an object, rather than hardcoding a reference to an object name that might change or by using a potentially complex LDAP query.
For a more in-depth discussion of the objectGUID attribute, see “GUIDs, or Having Unique in the Name Doesn’t Make It So” (http://blog.joeware.net/2005/06/19/42/), MSDN: IADs.GUID, MSDN: Using objectGUID to Bind to an Object, and
Connecting to a Well-Known GUID
You want to connect to LDAP using one of the well-known GUIDs in Active Directory.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a domain user.
  8. Click OK.
  9. From the menu, select View→Tree.
  10. For the DN, enter:
    <WKGUID=<WKGUID>,<DomainDN>>
    where <WKGUID> is the well-known GUID that you want to connect to, and <DomainDN> is the distinguished name of a domain.
  11. Click OK. In the lefthand menu, you can now browse the container corresponding to the well-known GUID that you specified.

Using a command-line interface

To enumerate the well-known GUIDs in the Domain NC, use the following syntax:
> adfind -default -s base wellknownObjects
To display the WKGUIDs in the Configuration NC, replace -default with -config in the previous syntax.
To connect to a well-known GUID in the Domain NC using AdFind, use the following syntax:
> adfind -b "<WKGUID=<WKGUID>,<DomainDN>>" -s base -dn
Because of additional security settings attached to the Deleted Objects container, if you specify this GUID you must also use the -showdel switch in adfind.

Using VBScript

' This code illustrates how to bind to the default Computers container.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. apac.adatum.com
strWKGUID = "<WKGUID>"        ' e.g. "aa312825768811d1aded00c04fd8d5cd"
                              ' for the default Computers container
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objCompContainer = GetObject("LDAP://<WKGUID=" & _
                             strWKGUID & "," & _
                             objRootDSE.Get("defaultNamingContext") & ">" )
WScript.Echo objCompContainer.Get("distinguishedName")

Using PowerShell

$obj = [ADSI] "LDAP://<WKGUID=<Well-Known GUID>,<Domain DN>>"
The domain NC in Active Directory contains a number of well-known GUIDs that correspond to containers that exist in every AD implementation. These GUIDs are stored as
Searching for Objects in a Domain
You want to find objects in a domain that match certain criteria.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the base distinguished name where the search will start. (You can leave this blank if you wish to connect to the domain NC as the base DN.)
  11. For Scope, select the appropriate scope.
  12. For Filter, enter an LDAP filter.
  13. Click Run.

Using a command-line interface

To run a query using the built-in DSQuery tool, use the following syntax:
> dsquery * <BaseDN> -scope <Scope> -filter "<Filter>" -attr "<AttrList>"
To retrieve the SAM account name for all user objects within the adatum.com domain, for example, use the following syntax:
> dsquery * dc=adatum,dc=com -filter "(&(objectclass=user)(objectcategory=person))" -attr sAMAccountName
To run a query using adfind, use the following syntax:
> adfind -b <BaseDN> -s <Scope> -f <Filter> <Attributes>
Querying for the SAM account names of user objects with adfind takes the following form:
> adfind -b dc=adatum,dc=com -f "(&(objectclass=user)(objectcategory=person))" sAMAccountName
Both DSQuery and AdFind assume a default search scope of subtree; you only need to specify the search scope if you want to use a different one.

Using VBScript

' This code searches
' for objects based on the specified criteria.
' ------ SCRIPT CONFIGURATION ------
strBase   = "<LDAP://<BaseDN>>;"   ' BaseDN should be the search base
strFilter = "<Filter>;"            ' Valid LDAP search filter
strAttrs  = "<AttrList>;"          ' Comma-separated list
strScope  = "<Scope>"              ' Should be one of Subtree, Onelevel, or Base
' ------ END CONFIGURATION --------

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
If Not objRS.EOF Then objRS.MoveFirst   ' MoveFirst fails on an empty result set
While Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend
WScript.Echo("Search complete!")
Searching the Global Catalog
You want to perform a forest-wide search using the global catalog.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a global catalog server.
  4. For Port, enter 3268.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter the credentials of a user.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the base distinguished name of where to start the search.
  11. For Scope, select the appropriate scope.
  12. For Filter, enter an LDAP filter.
  13. Click Run.

Using a command-line interface

To query the global catalog using DSQuery, use the following syntax:
> dsquery * <BaseDN> -gc -scope <Scope> -filter "<Filter>" -attr "<AttrList>"
To run a query using AdFind, use the following syntax:
> adfind -gc -b <BaseDN> -s <Scope> -f <Filter> <Attributes>

Using VBScript

' This code searches the global catalog
' ------ SCRIPT CONFIGURATION ------
strBase    = "<GC://<BaseDN>>;"    ' GC: provider, so the search spans the forest
strFilter  = "<Filter>;"
strAttrs   = "<AttrList>;"
strScope   = "<Scope>"
' ------ END CONFIGURATION ---------

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
If Not objRS.EOF Then objRS.MoveFirst   ' MoveFirst fails on an empty result set
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

Using PowerShell

To query the global catalog using the Quest AD cmdlets, use the following syntax to create the global catalog connection, and then use get-QADObject as described in previous recipes:
get-QADService -UseGlobalCatalog
To query the global catalog using the DirectorySearcher class, use the following syntax:
$strCategory = "computer"
$objGC = [System.DirectoryServices.DirectoryEntry] "GC://<DomainDN>"
$objGCSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objGCSearcher.SearchRoot = $objGC
# the same searcher object carries the filter and runs the query
$objGCSearcher.Filter = "(objectCategory=$strCategory)"
$colResults = $objGCSearcher.FindAll()
The global catalog facilitates forest-wide searches. When you perform a normal LDAP search over port 389, you are searching against a particular partition within Active Directory, whether that is the Domain naming context, Configuration naming context, Schema naming context, or an application partition. If you have multiple domains in your forest, this type of search will not search against all domains but only the domain that you specify.
Searching for a Large Number of Objects
Your search is returning exactly 1,000 objects, which is only a subset of the objects you expected, and you want it to return all matching objects.
You might notice that searches with large numbers of matches stop displaying after 1,000. By default, domain controllers return a maximum of 1,000 entries from a search unless paging is enabled. This is done to prevent queries from consuming excessive resources on domain controllers by retrieving the results all at once instead of in pages or batches. The following examples are variations of , which will show how to enable paging and return all matching entries.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter the credentials of a user.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the base distinguished name of where the search will start. (You can leave this blank if you wish to connect to the domain NC as the base DN.)
  11. For Scope, select the appropriate scope.
  12. For Filter, enter an LDAP filter.
  13. Click Options to customize the options for this query.
  14. For Timeout(s), enter a value such as 10.
  15. For Page size, enter the number of objects to be returned with each page (e.g., 1,000).
  16. Under Search Call Type, select Paged.
  17. Click OK and then Run to perform the query. A page of results (i.e., 1,000 entries) will be displayed each time you click Run until all results have been returned.

Using a command-line interface

> dsquery * <BaseDN> -limit 0 -scope <Scope> -filter "<Filter>" -attr "<AttrList>"

Using VBScript

' This code enables paged searching
' ------ SCRIPT CONFIGURATION ------
strBase   = "<LDAP://<BaseDN>>;"
strFilter = "<Filter>;"
strAttrs  = "<AttrList>;"
strScope  = "<Scope>"
' ------ END CONFIGURATION ---------

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objComm = CreateObject("ADODB.Command")
objComm.ActiveConnection = objConn
objComm.Properties("Page Size") = 1000   ' ask the DC for results in pages of 1,000
objComm.CommandText = strBase & strFilter & strAttrs & strScope
set objRS = objComm.Execute
If Not objRS.EOF Then objRS.MoveFirst   ' MoveFirst fails on an empty result set
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend
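The paging exchange this recipe relies on, as an added example that is not code from the book: a stand-in for a domain controller that enforces a MaxPageSize of 1,000, and a client that walks the full result set with the paged-results control's cookie, which is what the ADO "Page Size" property and dsquery -limit 0 arrange for you. The cookie here is just an offset; on a real DC it is opaque, so only the loop structure carries over.

```python
"""Simulate the LDAP paged-results control against a 1,000-entry server limit.

Added example, not from the book. A real DC returns an opaque cookie; this
stand-in uses the offset as the cookie so the loop can be run offline.
"""

MAX_PAGE_SIZE = 1000  # default MaxPageSize in the LDAP policy of a domain controller

# Constructed directory: 2,345 user DNs, more than one unpaged search can return
DIRECTORY = [f"CN=user{i:04d},OU=People,DC=contoso,DC=com" for i in range(2345)]


def server_search(entries, page_size=None, cookie=b""):
    """Server side. Return (entries_for_this_response, next_cookie).

    Without the control (page_size is None) the DC truncates the result at
    MaxPageSize, which is the 'exactly 1,000 objects' symptom in the recipe.
    With the control it returns at most page_size entries (capped at
    MaxPageSize) and a cookie; an empty cookie means the set is exhausted.
    """
    if page_size is None:
        return entries[:MAX_PAGE_SIZE], b""
    page_size = min(page_size, MAX_PAGE_SIZE)       # the DC caps the requested size
    start = int(cookie) if cookie else 0
    page = entries[start:start + page_size]
    end = start + len(page)
    next_cookie = str(end).encode() if end < len(entries) else b""
    return page, next_cookie


def unpaged_search(entries):
    """A plain search: whatever the DC hands back in its single response."""
    results, _ = server_search(entries)
    return results


def paged_search(entries, page_size=1000):
    """Client side: re-issue the search with the returned cookie until it is empty.
    Returns (all_results, number_of_round_trips)."""
    results, pages, cookie = [], 0, b""
    while True:
        page, cookie = server_search(entries, page_size, cookie)
        results.extend(page)
        pages += 1
        if not cookie:                                # last page delivered
            return results, pages


if __name__ == "__main__":
    print("unpaged:", len(unpaged_search(DIRECTORY)), "entries")
    found, trips = paged_search(DIRECTORY)
    print("paged:", len(found), "entries in", trips, "round trips")
```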
Searching with an Attribute-Scoped Query
This recipe requires the Windows Server 2003 forest functional level or better.
You want to perform a search using an individual value within a multivalued attribute as part of the search criteria. An attribute-scoped query can do this in a single query, instead of the previous method, which required multiple queries.

Using a graphical user interface

  1. Follow the steps in to enable an LDAP control.
  2. Select the Attribute Scoped Query control (you can select controls by name with the Windows Server 2003 and Windows Server 2008 version of LDP). For the Windows 2000 version of LDP, add a control with an OID of 1.2.840.113556.1.4.1504.
  3. For Value, enter the multivalued attribute name (e.g., member).
  4. Click the “Check in” button.
  5. Click OK.
  6. From the menu, select Browse→Search.
  7. For BaseDN, type the DN of the object that contains the multivalued attributes.
  8. For Scope, select Base.
  9. For Filter, enter an LDAP filter to match against the objects that are part of the multivalued DN attribute.
  10. Click Run.
Attribute-scoped queries can only be performed using a Base scope.

Using a command-line interface

AdFind allows attribute-scoped queries by using the -asq switch; for example:
> adfind -b cn=somegroup,cn=users,dc=domain,dc=group -asq member -f objectclass=user samaccountname

Using VBScript

You cannot use attribute-scoped queries with ADSI, ADO, and VBScript. In an ADO search, you can use the ADSI Flags property as part of a Connection object to set the search preference, but there is no way to set the attribute that should be matched, which must be included as part of the LDAP control.

Using PowerShell

The Quest AD cmdlets will allow you to perform an attribute-scoped query as follows:
Get-QADObject -SearchRoot <ObjectDN> -AttributeScopeQuery '<Attribute>'
You can also use the native ADSI methods in PowerShell:
$group  = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://CN=Domain Admins,CN=Users,<DomainDN>")
$source = New-Object System.DirectoryServices.DirectorySearcher

$source.SearchRoot  = $group
$source.SearchScope = [System.DirectoryServices.SearchScope]::Base
$source.Filter      = "(objectClass=*)"

$source.PropertiesToLoad.Add("member")
$source.PropertiesToLoad.Add("sAMAccountName")

$source.AttributeScopeQuery = "member"

$results = $source.FindAll()
End of preview. The rest of this section is not shown here.
Searching with a Bitwise Filter
You want to search against an attribute that contains a bit flag, which requires you to use a bitwise filter to perform the search.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the base distinguished name of where the search will start. (You can leave this blank if you wish to connect to the domain NC as the base DN.)
  11. For Scope, select the appropriate scope.
  12. For the Filter, enter the bitwise expression, such as the following, which will find all universal groups:
    (&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=8))
  13. Click Run.

Using a command-line interface

The following query finds universal groups in the adatum.com domain by using a bitwise AND filter:
> dsquery * dc=adatum,dc=com -scope subtree -attr "name" -filter "(&(objectclass=group)(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=8))"
The following query finds disabled user accounts in the adatum.com domain by using a bitwise AND filter:
> dsquery * dc=adatum,dc=com -attr name -scope subtree -filter "(&(objectclass=user)(objectcategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"
You can also perform queries that use bitwise filters using AdFind. The following will find all disabled user accounts in the adatum.com domain:
> adfind -default -bit -f useraccountcontrol:AND:=2
Similarly, the following will return all universal groups in the adatum.com domain using a bitwise filter:
> adfind -default -bit -f groupType:AND:=8

Using VBScript

' The following query finds all disabled user accounts in the
' adatum.com domain
strBase   = "<LDAP://dc=adatum,dc=com>;"
strFilter = "(&(objectclass=user)(objectcategory=person)" & _
            "(useraccountcontrol:1.2.840.113556.1.4.803:=2));"
strAttrs  = "name;"
strScope  = "subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend
End of preview. The rest of this section is not shown here.
Creating an Object
You want to create an object.
In each solution below, an example of adding a user object is shown. Modify the examples as needed to include whatever class and attributes you need to create.

Using a graphical user interface

  1. Open ADSI Edit from the Windows Support Tools in Windows 2000 and Windows Server 2003. (ADSI Edit is a native MMC snap-in in Windows Server 2008.)
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU you want to add the object to. Once you’ve found the parent container, right-click on it and select New→Object.
  4. Under Select a Class, select user.
  5. For the cn, enter jsmith and click Next.
  6. For sAMAccountName, enter jsmith and click Next.
  7. Click the More Attributes button to enter additional attributes.
  8. Click Finish.
You can also create an object using LDP as follows:
  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. Click Browse→Add Child. For DN, enter the Distinguished Name of the object that you want to create.
  10. Under Attribute and Values, enter the name of any attribute that you want to populate along with its associated value, and then click Enter. Repeat this until you’ve added all of the required attributes for the type of object you are creating, as well as any optional attributes that you want to populate.
  11. Click Run to create the object.

Using a command-line interface

End of preview. The rest of this section is not shown here.
Modifying an Object
You want to modify one or more attributes of an object.
The following examples set the last name (sn) attribute for the jsmith user object.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU that contains the object you want to modify. Once you’ve found the object, right-click on it and select Properties.
  4. Right-click the sn attribute and select Edit.
  5. Enter Smith and click OK.
  6. Click Apply, followed by OK.
You can also modify an object using LDP as follows:
  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. Click Browse→Modify. For DN, enter the Distinguished Name of the object that you want to modify.
  10. Under Attribute and Values, enter the name of any attribute that you want to modify along with its associated value, and then click Enter. Repeat this until you’ve added all of the attributes that you want to modify.
  11. Click Run to modify the object.

Using a command-line interface

Create an LDIF file called modify_object.ldf with the following contents:
dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: modify
replace: givenName
givenName: Jim
-
Then run the following command:
> ldifde -v -i -f modify_object.ldf
To modify an object using AdMod, you’ll use the following general syntax:
> admod -b <ObjectDN> <attribute>:<operation>:<value>
For example, you can add a description to a user object using the following syntax:
End of preview. The rest of this section is not shown here.
Modifying a Bit Flag Attribute
You want to safely modify an attribute that contains a bit flag, without blindly overwriting its existing contents.

Using VBScript

' This code safely modifies a bit flag attribute
' ------ SCRIPT CONFIGURATION ------
strObject = "<ObjectDN>" ' e.g. cn=jsmith,cn=users,dc=adatum,dc=com
strAttr = "<AttrName>" ' e.g. adatum-UserProperties
boolEnableBit = <TRUEorFALSE> ' e.g. FALSE
intBit = <BitValue> ' e.g. 16
' ------ END CONFIGURATION --------

set objObject = GetObject("LDAP://" & strObject)
intBitsOrig = objObject.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnableBit)

if intBitsOrig <> intBitsCalc then
   objObject.Put strAttr, intBitsCalc
   objObject.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & intBitsOrig & ")"
end if

Function CalcBit(intValue, intBit, boolEnable)

   CalcBit = intValue

   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if intValue And intBit then
         CalcBit = intValue Xor intBit
      end if
   end if

End Function

Using PowerShell

To set the userAccountControl bit value using a logical OR operation, use the following syntax:
$objUser = [ADSI] "LDAP://cn=testuser,cn=users,dc=adatum,dc=com"
# Read the current value as an integer and OR in the bit (2 = ACCOUNTDISABLE),
# so every other bit already set on the account is preserved
$newUAC = [int]$objUser.userAccountControl.Value -bor 2
$objUser.Put("userAccountControl", $newUAC)
$objUser.SetInfo()
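The bitwise search recipe above and this one rest on the same arithmetic: the 1.2.840.113556.1.4.803 rule matches when every asserted bit is set, 1.2.840.113556.1.4.804 when any is, and a safe update changes only the chosen bit. The Python script below is an added example, not code from the book; it emulates both matching rules (plus AdFind's AND/OR aliases) against constructed sample entries and implements CalcBit's set/clear step, using the flag values quoted in the recipes.

```python
"""Emulate Active Directory's two bitwise LDAP matching rules and the
'set or clear one bit without clobbering the rest' step of CalcBit.
Constructed sample data; no directory connection is needed."""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all asserted bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any asserted bit set

# AdFind's -bit switch accepts these aliases in place of the OIDs.
_RULE_ALIASES = {"AND": LDAP_MATCHING_RULE_BIT_AND, "OR": LDAP_MATCHING_RULE_BIT_OR}

# Flag values quoted in the recipes.
UF_ACCOUNTDISABLE = 0x2      # userAccountControl: account is disabled
GROUP_TYPE_UNIVERSAL = 0x8   # groupType: universal group

_ASSERTION_RE = re.compile(
    r"^\(?(?P<attr>[A-Za-z][\w-]*):(?P<rule>[\d.]+|AND|OR):=(?P<value>-?\d+)\)?$",
    re.IGNORECASE,
)


def parse_bitwise_assertion(assertion):
    """Split 'attr:RULE:=value' into (attr_lower, rule_oid, int_value).

    RULE is a matching-rule OID or the AdFind alias AND/OR. Anything else,
    including the plain equality assertions that surround these in a full
    filter such as (&(objectCategory=group)(groupType:...:=8)), is rejected."""
    m = _ASSERTION_RE.match(assertion.strip())
    if not m:
        raise ValueError(f"not a bitwise assertion: {assertion!r}")
    rule = _RULE_ALIASES.get(m.group("rule").upper(), m.group("rule"))
    if rule not in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
        raise ValueError(f"unsupported matching rule: {m.group('rule')}")
    return m.group("attr").lower(), rule, int(m.group("value"))


def bitwise_match(entry, assertion):
    """Evaluate one bitwise assertion against an entry (dict attr -> int).

    AND requires every bit of the asserted value to be set in the attribute,
    OR at least one. A missing attribute never matches, as on the server.
    Values are reduced to 32 bits because AD stores these flags as signed
    32-bit integers (a security group's groupType reads back negative)."""
    attr, rule, mask = parse_bitwise_assertion(assertion)
    lowered = {k.lower(): v for k, v in entry.items()}
    if attr not in lowered:
        return False
    value = lowered[attr] & 0xFFFFFFFF
    mask &= 0xFFFFFFFF
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (value & mask) == mask
    return (value & mask) != 0


def search(entries, assertion):
    """Return the names of all entries matching one bitwise assertion."""
    return [e["name"] for e in entries if bitwise_match(e, assertion)]


def calc_bit(value, bit, enable):
    """Return value with 'bit' set (enable=True) or cleared (enable=False),
    leaving every other bit untouched. Same result as the recipe's CalcBit;
    '& ~bit' replaces its test-then-Xor and is a no-op if the bit is clear."""
    return value | bit if enable else value & ~bit


# Constructed sample entries mirroring the recipes' targets (not real data).
SAMPLE_ENTRIES = [
    {"name": "jsmith", "userAccountControl": 0x200},          # normal, enabled
    {"name": "oldsvc", "userAccountControl": 0x200 | 0x2},    # normal, disabled
    {"name": "Domain Admins", "groupType": -2147483646},      # global security group
    {"name": "AllStaff", "groupType": -2147483640},           # universal security group
    {"name": "Newsletter", "groupType": 0x8},                 # universal distribution group
]

if __name__ == "__main__":
    print("disabled:", search(SAMPLE_ENTRIES, "useraccountcontrol:1.2.840.113556.1.4.803:=2"))
    print("universal:", search(SAMPLE_ENTRIES, "groupType:AND:=8"))
    uac = SAMPLE_ENTRIES[0]["userAccountControl"]
    print("disable jsmith:", hex(calc_bit(uac, UF_ACCOUNTDISABLE, True)))
```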
described how to search against attributes that contain a bit flag, which is used to encode various settings about an object in a single attribute. As a quick recap, you need to use a logical OR operation to match any bits being searched against, and a logical AND to match a specific set of bits. If you want to set an attribute that is a bit flag, you need to take special precautions to ensure you don’t overwrite an existing bit. Let’s consider an example. Adatum wants to secretly store some politically incorrect information about their users, such as whether the user is really old or has big feet. They don’t want to create attributes such as
End of preview. The rest of this section is not shown here.
Dynamically Linking an Auxiliary Class
This recipe requires Windows Server 2003 or better forest functional level.
You want to dynamically link an auxiliary class to an existing object instance.
In each solution below, an example of adding the custom adatum-SalesUser auxiliary class to the jsmith user object will be described.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU that contains the object you want to modify. Once you’ve found the object, right-click on it and select Properties.
  4. Right-click the sn attribute and select Edit.
  5. Click the More Attributes button to enter additional attributes.
  6. Edit the values for the objectClass attribute.
  7. For “Value to add,” enter adatum-SalesUser.
  8. Click Add.
  9. Click OK twice.

Using a command-line interface

Create an LDIF file called dynamically_link_class.ldf with the following contents:
dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: modify
add: objectClass
objectClass: adatum-SalesUser
-
Then run the following command:
> ldifde -v -i -f dynamically_link_class.ldf
Alternatively, you can use AdMod as follows:
> admod -b <ObjectDN> objectClass:+:<Dynamic Object Class>

Using VBScript

const ADS_PROPERTY_APPEND = 3
set objUser = GetObject("LDAP://cn=jsmith,cn=users,dc=adatum,dc=com")
objUser.PutEx ADS_PROPERTY_APPEND,"objectClass",Array("adatum-SalesUser")
objUser.SetInfo

Using PowerShell

set-variable -name ADS_PROPERTY_APPEND -value 3 -option constant
$objUser = [ADSI] "LDAP://cn=testuser,cn=users,dc=adatum,dc=com"
# Append the auxiliary class to the existing objectClass values
$objUser.PutEx($ADS_PROPERTY_APPEND, "objectClass", @("adatum-SalesUser"))
$objUser.SetInfo()
Dynamically linking an auxiliary class to an object is an easy way to use new attributes without modifying the existing object class definition in the schema. In Windows 2000, auxiliary classes could only be statically linked in the schema. Beginning with Windows Server 2003, you can dynamically link them by appending the auxiliary class name to the
End of preview. The rest of this section is not shown here.
Creating a Dynamic Object
This recipe requires the Windows Server 2003 or better forest functional level.
You want to create an object that is automatically deleted after a period of time unless it is refreshed.

Using a graphical user interface

  1. Open LDP. Click Connection→Connect and click OK.
  2. Click Connection→Bind. Enter the appropriate user credentials, or just click OK.
  3. Click View→Tree. Enter the DN of the parent container of the object you want to create, then click OK.
  4. Click Browse→Add Child. The Add window appears.
  5. In the DN text box, enter the DN of the new object.
  6. In the Attribute text box, enter objectClass. In the Values: text box, enter the object class of the object you are creating, such as 'user'. Click Enter. In the Values: text box, enter dynamicObject and click Enter.
  7. In the Attribute text box, enter entryTTL. In the Values: text box, enter the TTL of the object you are creating, such as '3600'. Click Enter.
  8. Enter any other attributes and values that you wish to populate in the Attribute and Values: text boxes.
  9. Click Run.

Using a command-line interface

Create an LDIF file called create_dynamic_object.ldf with the following contents:
dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: add
objectClass: user
objectClass: dynamicObject
entryTTL: 1800
sAMAccountName: jsmith
Then run the following command:
> ldifde -v -i -f create_dynamic_object.ldf

Using VBScript

' This code creates a
' dynamic user object with a TTL of 30 minutes (1800 secs)
set objUsersCont = GetObject("LDAP://cn=users,dc=adatum,dc=com")
set objUser = objUsersCont.Create("user", "CN=jsmith")
objUser.Put "objectClass", "dynamicObject"
objUser.Put "entryTTL", 1800
objUser.Put "sAMAccountName", "jsmith" ' mandatory attribute
objUser.SetInfo

Using PowerShell

$parentOU = [System.DirectoryServices.DirectoryEntry] "LDAP://ou=adatumUsers,dc=adatum,dc=com"
# Create takes the RDN of the new object, including the "CN=" prefix
$objUser = $parentOU.Create("user", "CN=TestUser1")
$objUser.Put("sAMAccountName", "testuser1")   # mandatory attribute
$objUser.Put("description", "New Vista Workstation")
$objUser.Put("objectClass", "dynamicObject")
$objUser.Put("entryTTL", 1800)                # TTL in seconds (30 minutes)
$objUser.SetInfo()
End of preview. The rest of this section is not shown here.
Refreshing a Dynamic Object
This recipe requires the Windows Server 2003 or Windows Server 2008 forest functional level.
You want to refresh a dynamic object to keep it from expiring and getting deleted from Active Directory.
In each solution below, an example of adding a user object is used. Modify the examples as needed to refresh whatever object is needed.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave it blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user who can modify the object.
  8. Click OK.
  9. Select Browse→Modify.
  10. For DN, enter the DN of the dynamic object you want to refresh.
  11. For Attribute, enter entryTTL.
  12. For Values, enter the new time to live (TTL) for the object in seconds.
  13. Under Operation, select Replace.
  14. Click Enter.
  15. Click Run.

Using a command-line interface

Create an LDIF file called refresh_dynamic_object.ldf with the following contents:
dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: modify
replace: entryTTL
entryTTL: 1800
-
Then run the following command:
> ldifde -v -i -f refresh_dynamic_object.ldf
You can also use AdMod with the following syntax:
> admod -b <ObjectDN> entryTTL::<TTL in Seconds>

Using VBScript

set objUser = GetObject("LDAP://cn=jsmith,cn=users,dc=adatum,dc=com")
objUser.Put "entryTTL", "1800"
objUser.SetInfo

Using PowerShell

To refresh a dynamic object using the Quest AD cmdlets, use the following syntax:
set-QADObject -Identity <ObjectDN> @{entryTTL=1800}
To modify an object using ADSI, use the following:
$objDyn = [System.DirectoryServices.DirectoryEntry] "LDAP://<ObjectDN>"
$objDyn.put("entryTTL","1800")
$objDyn.SetInfo()
Dynamic objects expire after their TTL becomes 0. You can determine when a dynamic object will expire by looking at the current value of an object’s entryTTL attribute or by querying msDS-Entry-Time-To-Die, which contains the seconds remaining until expiration. If you’ve created a dynamic object and need to refresh it so that it will not get deleted, you must reset the
End of preview. The rest of this section is not shown here.
Modifying the Default TTL Settings for Dynamic Objects
You want to modify the minimum and default TTLs for dynamic objects.
In each solution below, we’ll show how to set the DynamicObjectDefaultTTL setting to 172800. Modifying the DynamicObjectMinTTL can be done in the same manner.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the Configuration naming context is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context for your forest. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the following path under the Configuration naming context: Services→Windows NT→Directory Service.
  4. Right-click cn=Directory Service and select Properties.
  5. Edit the msDS-Other-Settings attribute.
  6. Click on DynamicObjectDefaultTTL= <xxxxx> and click Remove.
  7. The attribute/value pair should have been populated in the “Value to add” field.
  8. Edit the number part of the value to be 172800.
  9. Click Add.
  10. Click OK twice.

Using a command-line interface

The following ntdsutil command connects to <DomainControllerName>, displays the current values for the dynamic object TTL settings, sets the DynamicObjectDefaultTTL to 172800, commits the change, and displays the results:
> ntdsutil "config settings" connections "connect to server <DomainControllerName>" q "show values" "set DynamicObjectDefaultTTL to 172800" "commit changes" "show values" q q

Using VBScript

' This code modifies the
' default TTL setting for dynamic objects in a forest
' ------ SCRIPT CONFIGURATION ------
strNewValue = 172800

' Use DynamicObjectMinTTL here to set the minimum TTL instead
strTTLSetting = "DynamicObjectDefaultTTL"
' ------ END CONFIGURATION --------

const ADS_PROPERTY_APPEND = 3
const ADS_PROPERTY_DELETE = 4

set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject("LDAP://CN=Directory Service,CN=Windows NT," & _
                      "CN=Services,CN=Configuration," & _
                      objRootDSE.Get("rootDomainNamingContext"))
' Remove the existing Setting=Value pair before appending the new one
for each strVal in objDS.Get("msDS-Other-Settings")
   Set objRegEx = New RegExp
   objRegEx.Pattern = strTTLSetting & "="
   objRegEx.IgnoreCase = True
   Set colMatches = objRegEx.Execute(strVal)
   For Each objMatch in colMatches
      Wscript.Echo "Deleting " & strVal
      objDS.PutEx ADS_PROPERTY_DELETE, "msDS-Other-Settings", Array(strVal)
      objDS.SetInfo
   Next
Next

Wscript.Echo "Setting " & strTTLSetting & "=" & strNewValue
objDS.PutEx ADS_PROPERTY_APPEND, _
            "msDS-Other-Settings", _
            Array(strTTLSetting & "=" & strNewValue)
objDS.SetInfo
End of preview. The rest of this section is not shown here.
Moving an Object to a Different OU or Container
You want to move an object to a different container or OU.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU containing the object. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU that contains the object you want to modify. Once you’ve found the object, right-click on it and select Move.
  4. Browse to the new parent of the object, select it, and click OK.
You can also move most objects within the Active Directory Users and Computers MMC snap-in (dsa.msc) by navigating to the object in question, right-clicking on it, and selecting Move. In Windows Server 2003 and later, you can also drag-and-drop the object to its new location.

Using a command-line interface

To move an object to a new parent container within the same domain, you can use either dsmove or admod, as follows:
> dsmove "<ObjectDN>" -newparent "<NewParentDN>"
Or:
> admod -b <ObjectDN> -move <NewParentDN>

Using VBScript

' This code moves an object from one location to another in the same domain.
' ------ SCRIPT CONFIGURATION ------
strNewParentDN = "LDAP://<NewParentDN>"
strObjectDN    = "LDAP://cn=jsmith,<OldParentDN>"
strObjectRDN   = "cn=jsmith"
' ------ END CONFIGURATION --------

set objCont = GetObject(strNewParentDN)
objCont.MoveHere strObjectDN, strObjectRDN

Using PowerShell

To move an Active Directory object using the Quest AD cmdlets, use the following syntax:
move-QADObject -identity <ObjectDN> -newparent <NewParentDN>
To use the .NET methods, use the following syntax:
$obj = [ADSI] "LDAP://<Object DN>"
$newParent = [ADSI] "LDAP://<New Parent DN>"
$obj.psbase.MoveTo($newParent)

Using a graphical user interface

If the parent container of the object you want to move has a lot of objects in it, you may want to add a new connection entry for the DN of the object you want to move. This may save you time searching through the list of objects in the container. You can do this by right clicking ADSI Edit and selecting “Connect to…”. Under Connection Point, select Distinguished Name and enter the DN of the object you want to move.
End of preview. The rest of this section is not shown here.
Moving an Object to a Different Domain
You want to move an object to a different domain.

Using a graphical user interface

To migrate user, computer, group, or OU objects between domains in the same forest, use the following steps:
  1. Open the Active Directory Migration Tool (ADMT) MMC snap-in.
  2. Right-click on the Active Directory Migration Tool folder, and select one of the following:
    • User Account Migration Wizard
    • Group Account Migration Wizard
    • Computer Migration Wizard

Using a command-line interface

To migrate objects from the command line using the ADMT utility, use the following syntax:
> ADMT [ USER | GROUP | COMPUTER | SECURITY | SERVICE | REPORT | KEY | PASSWORD | CONFIG | TASK ] <Options>
For example, to migrate a computer object, you would use the following syntax:
> ADMT COMPUTER /N <ComputerName> /SD:<Source Domain> /TD:<Target Domain> /TO:<Target OU>
To move an object using the movetree Resource Kit utility, use the following syntax:
> movetree /start /s SourceDC /d TargetDC /sdn SourceDN /ddn TargetDN
In the following example, the cn=jsmith object in the amer.adatum.com domain will be moved to the emea.adatum.com domain:
> movetree /start /s dc-amer1 /d dc-emea1 /sdn cn=jsmith,cn=users,dc=amer,dc=adatum,dc=com /ddn cn=jsmith,cn=users,dc=emea,dc=adatum,dc=com
Movetree should only be used to migrate object types such as contact objects that cannot currently be migrated by ADMT. In all other cases, Microsoft recommends using ADMT to move objects between domains.

Using VBScript

set objObject = GetObject("LDAP://TargetDC/TargetParentDN")
objObject.MoveHere "LDAP://SourceDC/SourceDN", vbNullString
In the following example, the cn=jsmith object in the amer.adatum.com domain will be moved to the emea.adatum.com domain:
' Bind to the target parent container in emea via a DC of that domain
set objObject = GetObject( _
   "LDAP://dc-emea1/cn=users,dc=emea,dc=adatum,dc=com")
' Move the source object from amer, keeping its current RDN
objObject.MoveHere _
   "LDAP://dc-amer1/cn=jsmith,cn=users,dc=amer,dc=adatum,dc=com", _
   vbNullString
You can move objects between domains assuming you follow a few guidelines:
End of preview. The rest of this section is not shown here.
Referencing an External Domain
You need to create a reference to an external Active Directory domain.

Using a graphical user interface

  1. Open ADSI Edit from the Windows Support Tools.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
  3. Right-click on the top-level node and open a connection to the Configuration NC.
  4. Right-click on the Partitions container and select New→Object. Click Next.
  5. Right-click on crossRef and click Next.
  6. For the cn attribute, enter the FQDN of the external domain, othercorp.com for example. Click Next.
  7. For the nCName attribute, enter the DN of the external domain, such as dc=othercorp,dc=com. Click Next.
  8. For the dnsRoot attribute, enter the DNS name of a server that can respond to LDAP queries about the domain in question, such as dc1.othercorp.com.
  9. Click Next and then Finish to create the crossRef object.

Using a command-line interface

Create an LDIF file called create_crossref.ldf with the following contents:
dn: cn=othercorp.com,cn=partitions,cn=configuration,dc=adatum,dc=com
changetype: add
objectClass: crossRef
cn: othercorp.com
nCName: dc=othercorp,dc=com
dnsRoot: dc1.othercorp.com
Then run the following command:
> ldifde -v -i -f create_crossref.ldf
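The .ldf files in this and the preceding recipes (modify_object.ldf, dynamically_link_class.ldf, create_dynamic_object.ldf, refresh_dynamic_object.ldf, create_crossref.ldf) all follow the RFC 2849 change-record format that ldifde -i reads. The Python helper below is an added example, not from the book; it generates such records from data and applies the rule hand-written files most often miss: a value that is not a safe ASCII string (non-ASCII, leading space, colon or "<", control characters, trailing space) must be written base64-encoded after a double colon. The DNs and attribute names used are the recipes' own.

```python
"""Build LDIF change records of the kind these recipes feed to ldifde -i.

Implements the RFC 2849 rules that matter for Active Directory imports:
one record per DN, a 'changetype' line, every modify operation closed
with '-', and values that are not SAFE-STRINGs base64-encoded after '::'."""
import base64


def is_safe_string(value):
    """True if the value may be written verbatim as 'attr: value' (RFC 2849)."""
    if value == "":
        return True
    if any(ord(c) > 126 or ord(c) < 32 for c in value):
        return False  # non-ASCII or control character (NUL, CR, LF, TAB ...)
    return value[0] not in " :<" and value[-1] != " "


def ldif_line(attr, value):
    """Render one 'attr: value' or, where needed, 'attr:: base64' line.
    bytes are always base64-encoded (binary attributes such as SIDs)."""
    if isinstance(value, bytes):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    value = str(value)
    if is_safe_string(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def _as_list(values):
    return list(values) if isinstance(values, (list, tuple)) else [values]


def ldif_add(dn, attributes):
    """'changetype: add' record. attributes maps attr -> value or list of
    values; dict insertion order is kept so objectClass can lead, as in the
    recipes' create_dynamic_object.ldf and create_crossref.ldf."""
    lines = [ldif_line("dn", dn), "changetype: add"]
    for attr, values in attributes.items():
        lines.extend(ldif_line(attr, v) for v in _as_list(values))
    return "\n".join(lines) + "\n"


def ldif_modify(dn, changes):
    """'changetype: modify' record. changes is a list of (op, attr, values)
    with op in add / replace / delete; a delete with no values removes the
    whole attribute. Each operation block ends with '-' as RFC 2849 requires."""
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modify operation: {op!r}")
        lines.append(f"{op}: {attr}")
        lines.extend(ldif_line(attr, v) for v in _as_list(values))
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # modify_object.ldf, generated from data instead of typed by hand
    print(ldif_modify("cn=jsmith,cn=users,dc=adatum,dc=com",
                      [("replace", "givenName", "Jim")]))
    # create_crossref.ldf
    print(ldif_add("cn=othercorp.com,cn=partitions,cn=configuration,dc=adatum,dc=com",
                   {"objectClass": "crossRef", "cn": "othercorp.com",
                    "nCName": "dc=othercorp,dc=com", "dnsRoot": "dc1.othercorp.com"}))
```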
You can also create a crossRef using AdMod as follows:
> admod -config -rb cn=othercorp.com,cn=partitions objectClass::crossRef cn::othercorp.com nCName::dc=othercorp,dc=com dnsRoot::dc1.othercorp.com -add

Using VBScript

set objPartitions = _
   GetObject("LDAP://cn=partitions,cn=configuration,dc=adatum,dc=com")
set objCrossRef = objPartitions.Create("crossRef", "CN=othercorp.com")
objCrossRef.Put "cn", "othercorp.com" ' mandatory attribute
objCrossRef.Put "nCName", "dc=othercorp,dc=com" ' mandatory attribute
objCrossRef.Put "dnsRoot", "dc1.othercorp.com" ' mandatory attribute
objCrossRef.SetInfo
End of preview. The rest of this section is not shown here.
Renaming an Object
You want to rename an object and keep it in its current container or OU.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU that contains the object you want to rename. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU that contains the object you want to modify. Once you’ve found the object, right-click on it and select Rename.
  4. Enter the new name and click OK.
You can also rename a leaf object by using LDP as follows:
  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank for a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. Click Browse→Modify RDN. For Old DN, enter the Distinguished Name of the object that you want to rename. For New DN, enter the object’s new name.
  10. Click Run to rename the object.

Using a command-line interface

To rename an object using the built-in DSMove utility, use the following syntax:
> dsmove "<ObjectDN>" -newname "<NewName>"
To use AdMod, use the following:
> admod -b "<ObjectDN>" -rename "<NewName>"

Using VBScript

' This code renames an object and leaves it in the same location.
' ------ SCRIPT CONFIGURATION ------
strCurrentParentDN = "<CurrentParentDN>"
strObjectOldName = "cn=<OldName>"
strObjectNewName = "cn=<NewName>"
' ------ END CONFIGURATION --------

set objCont = GetObject("LDAP://" & strCurrentParentDN)
objCont.MoveHere "LDAP://" & strObjectOldName & "," & _
                 strCurrentParentDN, strObjectNewName

Using PowerShell

To rename an object using the Quest AD cmdlets, use the following syntax:
Rename-QADObject -Identity '<ObjectDN>' -NewName '<new value of the name attribute>'
End of preview. The rest of this section is not shown here.
Deleting an Object
You want to delete an individual object.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU that contains the object you want to delete. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the object you want to delete.
  4. Right-click on the object and select Delete.
  5. Click Yes to confirm.
You can also delete an object using LDP, as follows:
  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank for a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. Click Browse→Delete. For DN, enter the Distinguished Name of the object that you want to delete.
  10. Click Run to delete the object.

Using a command-line interface

You can delete an object using the built-in dsrm utility, as well as AdMod. For dsrm, use the following syntax:
> dsrm "<ObjectDN>"
For AdMod, enter the following:
> admod -b "<ObjectDN>" -del

Using VBScript

strObjectDN = "<ObjectDN>"
set objUser = GetObject("LDAP://" & strObjectDN)
objUser.DeleteObject(0)

Using PowerShell

To delete an object using the Quest AD cmdlets, use the following syntax:
remove-QADObject -identity <Object DN>
To delete an object using the .NET methods, use the following:
$obj = [ADSI] "LDAP://<Object DN>"
$obj.DeleteObject(0)
This recipe covers deleting individual objects. If you want to delete a container or OU and all the objects in it, take a look at .

Using a graphical user interface

If the parent container of the object you want to delete has a lot of objects in it, you may want to add a new connection entry for the DN of the object you want to delete. This can save you time searching through the list of objects in the container and could help avoid accidental deletions. You can do this by right-clicking ADSI Edit and selecting “Connect to…”. Under Connection Point, select Distinguished Name and enter the DN of the object you want to delete.
End of preview. The rest of this section is not shown here.
Deleting a Container That Has Child Objects
You want to delete a container or organizational unit and all child objects contained within.

Using a graphical user interface

Open ADSI Edit and follow the same steps as in . The only difference is that you’ll be prompted to confirm twice instead of once before the deletion occurs.

Using a command-line interface

You can delete a container and its child objects using the built-in dsrm utility, as well as AdMod. For dsrm, use the following syntax:
> dsrm "<ObjectDN>" -subtree
For AdMod, enter the following:
> admod -b "<ObjectDN>" -del -treedelete

Using VBScript

The same code from will also delete containers and objects contained within them.

Using PowerShell

To delete an object using the Quest AD cmdlets, use the following syntax:
remove-QADObject -identity <Object DN> -DeleteTree
To delete an object using the .NET methods, use the following:
$obj = [System.DirectoryServices.DirectoryEntry] "LDAP://<Object DN>"

$obj.psbase.DeleteTree()
As you can see from the solutions, there is not much difference between deleting a leaf node versus deleting a container that has child objects. However, there is a distinction in what is happening in the background.
Deleting an object that has no children can be done with a simple LDAP delete operation. On the other hand, to delete a container and its children, the tree-delete LDAP control has to be used. If you were to do the deletion from an LDAP-based tool like LDP (the Active Directory Administration Tool), you would first need to enable the Subtree Delete control, which has an OID of 1.2.840.113556.1.4.805. LDP provides another option to do a Recursive Delete from the client side. That will essentially iterate through all the objects in the container, deleting them one by one. The Subtree Delete is much more efficient, especially when dealing with large containers.
As with the other operations we’ve discussed in this chapter (create, rename, move, etc.), the user performing the delete operation needs to have the necessary permissions to delete the object or objects in question. Active Directory permissions are discussed more extensively in .
Viewing the Created and Last Modified Timestamp
You want to determine when an object was either created or last updated.

Using a graphical user interface

  1. Follow the steps in .
  2. Ensure that createTimestamp and modifyTimestamp are included in the list of attributes to be returned by looking at Attributes under Options→Search.

Using a command-line interface

You can view the created and modified timestamps using the built-in DSQuery utility, as well as AdFind. For DSQuery, use the following syntax:
> dsquery * "<ObjectDN>" -attr name createTimestamp modifyTimestamp
For AdFind, use the following:
> adfind -default -rb cn=Users -f "cn=Joe Smith" createTimestamp modifyTimestamp

Using VBScript

' This code prints the created and last modified timestamp
' for the specified object.
' ------ SCRIPT CONFIGURATION ------
strObjectDN = "<ObjectDN>"
' ------ END CONFIGURATION --------

set objEntry = GetObject("LDAP://" & strObjectDN)
Wscript.Echo "Object Name: " & objEntry.Get("name")
Wscript.Echo " Created: " & objEntry.Get("createTimestamp")
Wscript.Echo " Changed: " & objEntry.Get("modifyTimestamp")

Using PowerShell

The following code uses first the Quest AD cmdlets, followed by the .NET methods:
$obj1 = get-QADObject 'cn=administrator,cn=users,dc=adatum,dc=com'
$obj1.DirectoryEntry.whenChanged

$obj2 = [System.DirectoryServices.DirectoryEntry] "LDAP://<ObjectDN>"
$obj2.whenCreated
When an object is created or modified in Active Directory, the createTimestamp and modifyTimestamp attributes get set with the current time. The createTimestamp attribute is replicated between domain controllers, so assuming the latest modification of the object in question has replicated to all domain controllers, they will all contain the timestamp when the object was created. whenChanged and modifyTimestamp are not replicated, which means that their values will be local to an individual domain controller. Additionally, modifyTimestamp is a constructed attribute.
for viewing the attributes of an object and for a more detailed description of the Active Directory replication process
Modifying the Default LDAP Query Policy
You want to view or modify the default LDAP query policy of a forest. The query policy contains settings that restrict search behavior, such as the maximum number of entries that can be returned from a search.

Using a graphical user interface

  1. Open ADSI Edit.
  2. In the Configuration partition, browse to Services→Windows NT→Directory Service→Query Policies.
  3. In the left pane, click on the Query Policies container, then right-click on the Default Query Policy object in the right pane, and select Properties.
  4. Double-click on the lDAPAdminLimits attribute.
  5. Click on the attribute you want to modify and click Remove.
  6. Modify the value in the “Value to add” box and click Add.
  7. Click OK twice.

Using a command-line interface

To view the current settings, use the following command:
> ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q "show values"
To change the MaxPageSize value to 2000, you can do the following:
> ntdsutil "ldap pol" conn "con to server <DomainControllerName>" q
ldap policy: set MaxPageSize to 2000
ldap policy: Commit Changes

Using VBScript

' This code modifies a setting of the default
' query policy for a forest
' ------ SCRIPT CONFIGURATION ------
pol_attr  = "MaxPageSize" ' Set to the name of the setting you want to modify
new_value = 1000          ' Set to the value of the setting you want to modify
' ------ END CONFIGURATION ---------
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

set rootDSE = GetObject("LDAP://RootDSE")
set ldapPol = GetObject("LDAP://cn=Default Query Policy,cn=Query-Policies," & _
                "cn=Directory Service,cn=Windows NT,cn=Services," & _
                rootDSE.Get("configurationNamingContext") )
' Anchor the pattern at the start of the value so only the setting named in
' pol_attr matches, not another setting whose name merely contains it
set regex = new regexp
regex.IgnoreCase = true
regex.Pattern = "^" & pol_attr & "="
for Each prop In ldapPol.GetEx("lDAPAdminLimits")
   if regex.Test(prop) then
      if prop = pol_attr & "=" & new_value then
         WScript.Echo pol_attr & " already equal to " & new_value
      else
         ' Append the new value first, then remove the old one, so the
         ' setting is never absent from the policy between the two writes
         ldapPol.PutEx ADS_PROPERTY_APPEND, "lDAPAdminLimits", _
                    Array( pol_attr & "=" & new_value )
         ldapPol.SetInfo
         ldapPol.PutEx ADS_PROPERTY_DELETE, "lDAPAdminLimits", Array(prop)
         ldapPol.SetInfo
         WScript.Echo "Set " & pol_attr & " to " & new_value
      end if
      Exit For
   end if
next
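The same append-then-delete logic as a Python function, added here as an example rather than taken from the book: it parses the multi-valued lDAPAdminLimits values and works out which value to append and which to delete, matching the setting name exactly (case-insensitively) instead of with an unanchored pattern; SAMPLE_LIMITS is a constructed list of values.

```python
"""Plan a change to the lDAPAdminLimits values of the Default Query Policy
(added example; mirrors the append-then-delete sequence of the VBScript above)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample of what reading lDAPAdminLimits returns: 'Name=Value' strings.
SAMPLE_LIMITS = ["MaxPageSize=1000", "MaxQueryDuration=120", "MaxConnections=5000"]


def parse_admin_limits(values: List[str]) -> Dict[str, int]:
    """Turn the 'Name=Value' strings into a dict; a malformed entry is an error, not ignored."""
    limits: Dict[str, int] = {}
    for entry in values:
        name, sep, number = entry.partition("=")
        if not sep or not number.strip().isdigit():
            raise ValueError(f"malformed lDAPAdminLimits entry: {entry!r}")
        limits[name.strip()] = int(number)
    return limits


def plan_limit_change(values: List[str], name: str,
                      new_value: int) -> Tuple[Optional[str], Optional[str], str]:
    """Return (value_to_append, value_to_delete, message).

    The setting name is compared case-insensitively against the whole stored name, so a
    typo or partial name cannot hit a different limit. A name that is not present yields
    no change rather than appending an entry the domain controller does not recognize."""
    for current in values:
        cur_name, _, cur_value = current.partition("=")
        if cur_name.strip().lower() != name.strip().lower():
            continue
        if cur_value.strip() == str(new_value):
            return None, None, f"{cur_name} already equal to {new_value}"
        # Append the new value first and delete the old one second, as the VBScript
        # does, so the limit is never missing from the policy between the two writes.
        return f"{cur_name}={new_value}", current, f"Set {cur_name} to {new_value}"
    return None, None, f"{name} is not a limit in this policy; nothing changed"
```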
Exporting Objects to an LDIF File
You want to export objects to an LDAP Data Interchange Format (LDIF) file.

Using a graphical user interface

None of the standard Microsoft tools support exporting LDIF from a GUI.

Using a command-line interface

> ldifde -f output.ldf -l <AttrList> -p <Scope> -r "<Filter>" -d "<BaseDN>"

Using VBScript

There are no COM or VBScript-based interfaces to LDIF. With Perl you can use the Net::LDAP::LDIF module, which supports reading and writing LDIF files.
The LDIF specification defined in RFC 2849 describes a well-defined file-based format for representing directory entries. The format is intended to be both human and machine parseable, which adds to its usefulness. LDIF is the de facto standard for importing and exporting a large number of objects in a directory and is supported by virtually every directory vendor, including Microsoft.

Using a command-line interface

The -f switch specifies the name of the file to use to save the entries to, -s is the DC to query, -l is the comma-separated list of attributes to include, -p is the search scope, -r is the search filter, and -d is the base DN. If you encounter any problems using ldifde, the -v switch enables verbose mode and can help identify problems.
for importing objects using LDIF, RFC 2849 (The LDAP Data Interchange Format [LDIF]—Technical Specification), and MS KB 237677 (Using LDIFDE to Import and Export Directory Objects to Active Directory)
Importing Objects Using an LDIF File
You want to import objects into Active Directory using an LDIF file. The file could contain object additions, modifications, and deletions.

Using a command-line interface

To import objects using the ldifde utility, you must first create an LDIF file with the objects to add, modify, or delete. Here is an example LDIF file that adds a user, modifies the user twice, and then deletes the user:
dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: add
objectClass: user
samaccountname: jsmith
sn: JSmith

dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: modify
add: givenName
givenName: Jim
-
replace: sn
sn: Smith
-

dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: delete
Once you’ve created the LDIF file, you just need to run the ldifde command to import the new objects:
> ldifde -i -f input.ldf
For more information on the LDIF format, check RFC 2849.

Using a command-line interface

To import with ldifde, simply specify the -i switch to turn on import mode and -f <filename> for the file. It can also be beneficial to use the -v switch to turn on verbose mode to get more information in case of errors. The Windows Server 2003 version of ldifde also includes the -j switch that will create a logfile for troubleshooting purposes.
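Before handing a change file to ldifde -i it helps to see exactly which DNs it will add, modify and delete. The following Python parser is an added example, not code from the book: it reads RFC 2849 change records (including folded lines and base64 values) and uses the jsmith file above as constructed sample input.

```python
"""Parse an RFC 2849 LDIF change file into records for review before 'ldifde -i'."""
import base64
from typing import Dict, List, Tuple

# Constructed sample input: the add/modify/delete records shown above.
SAMPLE_LDIF = """\
dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: add
objectClass: user
samaccountname: jsmith
sn: JSmith

dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: modify
add: givenName
givenName: Jim
-
replace: sn
sn: Smith
-

dn: cn=jsmith,cn=users,dc=adatum,dc=com
changetype: delete
"""

MODIFY_OPS = ("add", "delete", "replace")


def _unfold(text: str) -> List[str]:
    """Join folded lines (a leading space continues the previous line); drop '#' comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_attr(line: str) -> Tuple[str, str]:
    """Split 'name: value' (or 'name:: base64value') into (name, decoded value)."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if value.startswith(":"):
        return name.strip(), base64.b64decode(value[1:].strip()).decode("utf-8")
    return name.strip(), value.strip()


def _parse_record(lines: List[str]) -> Dict:
    name, dn = _split_attr(lines[0])
    if name.lower() != "dn":
        raise ValueError(f"record must start with 'dn:', got {lines[0]!r}")
    body = lines[1:]
    changetype = "add"  # RFC 2849: a record without a changetype is an add
    if body and body[0].lower().startswith("changetype:"):
        changetype = _split_attr(body[0])[1].lower()
        body = body[1:]
    record: Dict = {"dn": dn, "changetype": changetype}
    if changetype == "add":
        attrs: Dict[str, List[str]] = {}
        for line in body:
            attr, value = _split_attr(line)
            attrs.setdefault(attr, []).append(value)
        record["attributes"] = attrs
    elif changetype == "modify":
        changes: List[Dict] = []
        current: Dict = {}
        for line in body:
            if line == "-":  # ends one add/delete/replace operation
                if current:
                    changes.append(current)
                current = {}
                continue
            attr, value = _split_attr(line)
            if not current:
                if attr.lower() not in MODIFY_OPS:
                    raise ValueError(f"expected add/delete/replace, got {attr!r}")
                current = {"op": attr.lower(), "attribute": value, "values": []}
            else:
                current["values"].append(value)
        if current:  # tolerate a missing trailing '-'
            changes.append(current)
        record["changes"] = changes
    elif changetype == "delete":
        if body:
            raise ValueError(f"delete record for {dn} must not carry attributes")
    else:
        raise ValueError(f"unsupported changetype {changetype!r} for {dn}")
    return record


def parse_ldif_changes(text: str) -> List[Dict]:
    """Split the file into blank-line-separated records and parse each one."""
    records: List[Dict] = []
    current: List[str] = []
    for line in _unfold(text) + [""]:  # sentinel blank line flushes the last record
        if line.strip():
            current.append(line)
        elif current:
            records.append(_parse_record(current))
            current = []
    return records
```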
for information on LDIF, RFC 2849 (The LDAP Data Interchange Format [LDIF]—Technical Specification), and MS KB 237677 (Using LDIFDE to Import and Export Directory Objects to Active Directory)
Exporting Objects to a CSV File
You want to export objects to a comma-separated variable (CSV) file. The CSV file can then be opened and manipulated from a spreadsheet application or with a text editor.

Using a command-line interface

You can export objects to a CSV file using the built-in csvde utility, as well as AdFind. For csvde, use the following syntax:
> csvde -f output.csv -l <AttrList> -p <Scope> -r "<Filter>" -d "<BaseDN>"
You can also export information to a CSV file using adfind:
> adfind -b <SearchBase> -f <Filter> -csv <Attr1> <Attr2> <Attr3>

Using PowerShell

You can export objects to a CSV file in PowerShell using the Quest AD cmdlets or the native ADSI methods, as follows:
get-QADObject -identity <ObjectDN> -IncludeProperty <Property1>,<Property2>,... |
    Select <Property1>,<Property2>,... | export-csv adobjects.csv

$obj = [ADSI]"LDAP://<Object DN>"
# First line of the file: the member names of the object, "|"-separated
$record = ""
foreach ($property in ($obj | get-member)) { $record += $property.name + "|" }
$record | out-file -force adobjects.csv
# Second line: the corresponding values, in the same order
$record = ""
foreach ($property in ($obj | get-member)) { $record += $obj.($property.name) + "|" }
$record | out-file -append adobjects.csv
Once you have a CSV file containing entries, you can use a spreadsheet application such as Excel to view, sort, and manipulate the data.

Using a command-line interface

The parameters used by csvde are nearly identical to those used by ldifde. The -f switch specifies the name of the file to use to save the entries to, -s is the DC to query, -l is the comma-separated list of attributes to include, -p is the search scope (base, onelevel, or subtree), -r is the search filter, and -d is the base DN. If you encounter any issues, the -v switch enables verbose mode and can help identify problems.
AdFind offers a number of additional switches to customize the behavior of CSV file output, including:
-csv xxx
CSV output. xxx is an optional string that specifies value to use for empty attributes.
-csvdelim x
Delimiter to use for separating attributes in CSV output. The default is (,).
Importing Objects Using a CSV File
You want to import objects into Active Directory using a CSV file.

Using a command-line interface

To import objects using the csvde utility, you must first create a CSV file containing the objects to add. The first line of the file should contain a comma-separated list of attributes you want to set, with DN being the first attribute. Here is an example:
DN,objectClass,cn,sn,userAccountControl,sAMAccountName,userPrincipalName
The rest of the lines should contain entries to add. If you want to leave one of the attributes unset, then leave the value blank (followed by a comma). Here is a sample CSV file that would add two user objects:
DN,objectClass,sn,userAccountControl,sAMAccountName,userPrincipalName
"cn=jim,cn=users,dc=adatum,dc=com",user,Smith,512,jim,jim@adatum.com
"cn=john,cn=users,dc=adatum,dc=com",user,,512,john,john@adatum.com
Once you’ve created the CSV file, you just need to run csvde to import the new objects:
> csvde -i -f input.csv
The major difference between csvde and ldifde is that you can only use csvde to import objects; unlike ldifde, you can’t use it to modify existing objects. Note that each line of the CSV import file, except the header, should contain entries to add objects. You cannot modify attributes of an object or delete objects using csvde; however, you can accomplish this using admod. If you have a spreadsheet containing objects you want to import, first save it as a CSV file and use csvde to import it.

Using a command-line interface

To import with csvde, simply specify the -i switch to turn on import mode and -f <filename> for the file. It can also be beneficial to use the -v switch to turn on verbose mode to get more information in case of errors.
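As an added example (not code from the book), the following Python writes a csvde import file in the layout described above (DN as the first column, a blank field for an unset attribute) and pre-flights one before import: it checks the header, field counts and duplicate DNs and, since every row creates an account, flags userAccountControl values that carry PASSWD_NOTREQD (0x20) or DONT_EXPIRE_PASSWD (0x10000). The two-user file above is the constructed sample.

```python
"""Write and pre-flight a csvde import file (added example, not code from the book)."""
import csv
import io
from typing import Dict, List, Sequence

# userAccountControl bits (ADS_USER_FLAG values) worth a second look in a bulk import.
# 512 (NORMAL_ACCOUNT), the value in the sample rows, carries neither of them.
RISKY_UAC_BITS = {"PASSWD_NOTREQD": 0x0020, "DONT_EXPIRE_PASSWD": 0x10000}

# Constructed sample: the two-user file shown above, as records and as csvde text.
SAMPLE_ATTRS = ["DN", "objectClass", "sn", "userAccountControl",
                "sAMAccountName", "userPrincipalName"]
SAMPLE_ENTRIES = [
    {"DN": "cn=jim,cn=users,dc=adatum,dc=com", "objectClass": "user", "sn": "Smith",
     "userAccountControl": "512", "sAMAccountName": "jim",
     "userPrincipalName": "jim@adatum.com"},
    {"DN": "cn=john,cn=users,dc=adatum,dc=com", "objectClass": "user",  # sn left unset
     "userAccountControl": "512", "sAMAccountName": "john",
     "userPrincipalName": "john@adatum.com"},
]
SAMPLE_CSV = (
    "DN,objectClass,sn,userAccountControl,sAMAccountName,userPrincipalName\n"
    '"cn=jim,cn=users,dc=adatum,dc=com",user,Smith,512,jim,jim@adatum.com\n'
    '"cn=john,cn=users,dc=adatum,dc=com",user,,512,john,john@adatum.com\n'
)


def build_csvde_file(attributes: Sequence[str], entries: Sequence[Dict[str, str]]) -> str:
    """Serialize entries in csvde's import layout: header row first, DN as the first
    column, and an attribute missing from an entry written as an empty field."""
    if not attributes or attributes[0].upper() != "DN":
        raise ValueError("the first header column must be DN")
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")  # QUOTE_MINIMAL quotes the comma-laden DNs
    writer.writerow(attributes)
    for entry in entries:
        writer.writerow([entry.get(attr, "") for attr in attributes])
    return buf.getvalue()


def preflight_csvde_file(text: str) -> List[str]:
    """Return findings to review before 'csvde -i'; an empty list means nothing was flagged."""
    findings: List[str] = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header or header[0].upper() != "DN":
        return ["header missing or DN is not the first column"]
    col = {name.lower(): i for i, name in enumerate(header)}
    seen_dns = set()
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(header):
            findings.append(f"line {lineno}: {len(row)} fields but header has {len(header)}")
            continue
        dn = row[0].strip()
        if not dn:
            findings.append(f"line {lineno}: empty DN")
        elif dn.lower() in seen_dns:
            findings.append(f"line {lineno}: duplicate DN {dn}")
        seen_dns.add(dn.lower())
        if "useraccountcontrol" in col and row[col["useraccountcontrol"]]:
            raw = row[col["useraccountcontrol"]]
            if not raw.isdigit():
                findings.append(f"line {lineno}: userAccountControl {raw!r} is not numeric")
                continue
            for label, bit in RISKY_UAC_BITS.items():
                if int(raw) & bit:
                    findings.append(f"line {lineno}: {dn} sets {label} ({raw})")
    return findings
```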
for exporting objects in CSV format and MS KB 327620 (How to Use Csvde to Import Contacts and User Objects into Active Directory)
Chapter 5: Organizational Units
An LDAP directory such as Active Directory stores data in a hierarchy of containers and leaf nodes called the directory information tree (DIT). Leaf nodes are end points in the tree, while containers can store other containers and leaf nodes. In Active Directory, the two most common types of containers are organizational units (OUs) and container objects. The container objects are generic containers that do not have any special properties about them other than the fact that they can contain objects. Organizational units, on the other hand, have some special properties, such as the ability to link a Group Policy Object (GPO) to an OU. In most cases when designing a hierarchy of objects in Active Directory, especially users and computers, you should use OUs instead of containers. There is nothing you can do with a container that you can’t do with an OU, but the reverse is certainly not the case.
Organizational units can be created as a child of a domain object or another OU; by default, OUs cannot be added as a child of a container object. (See for more on how to work around this.) OUs themselves are represented in Active Directory by organizationalUnit objects. contains a list of some interesting attributes that are available on organizationalUnit objects.
Table: Attributes of organizationalUnit objects

Attribute                        Description
description                      Textual description of the OU.
gPLink                           List of GPOs that have been linked to the OU.
gpOptions                        Contains 1 if GPO inheritance is blocked and 0 otherwise.
msDS-Approx-Immed-Subordinates   Approximate number of direct child objects in the OU. See for more information.
managedBy                        DN of user or group that is in charge of managing the OU.
ou                               Relative distinguished name of the OU.
modifyTimestamp                  Timestamp of when the OU was last modified.
createTimestamp                  Timestamp of when the OU was created.
Creating an OU
You want to create an OU.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on the Active Directory Users and Computers label in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the new OU, right-click on it, and select New→Organizational Unit.
  4. Enter the name of the OU and click OK.
  5. To enter a description for the new OU, right-click on the OU in the left pane and select Properties.
  6. Click OK after you are done.

Using a command-line interface

You can create a new OU using the built-in DSAdd utility, as well as AdMod. To create an OU using DSAdd, use the following syntax:
> dsadd ou "<OrgUnitDN>" -desc "<Description>"
To create an OU with AdMod, use the following syntax:
> admod -b <OrgUnitDN> objectclass::organizationalUnit description::"<Description>" -add
For example, creating the Finance OU with the description of “Finance OU” in the adatum.com domain would look like this:
> admod -b ou=Finance,dc=adatum,dc=com objectclass::organizationalUnit description::"Finance OU" -add



AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007

DN Count: 1
Using server: 2k3-sp1-r2.adatum.com
Adding specified objects...
  DN: ou=Finance,dc=adatum,dc=com...

The command completed successfully

Using VBScript

' This code creates an OU
' ------ SCRIPT CONFIGURATION ------
strOrgUnit       = "<OUName>" '      e.g. Tools
strOrgUnitParent = "<ParentDN>" '    e.g. ou=Engineering,dc=adatum,dc=com
strOrgUnitDescr  = "<Description>" ' e.g. Tools Users
' ------ END CONFIGURATION ---------

set objDomain = GetObject("LDAP://" & strOrgUnitParent)
set objOU = objDomain.Create("organizationalUnit", "OU=" & strOrgUnit)
objOU.Put "description", strOrgUnitDescr
objOU.SetInfo
WScript.Echo "Successfully created " & objOU.Name

Using PowerShell

To create an organizational unit using the Quest AD cmdlets, use the following syntax:
new-QADObject -parentcontainer '<Parent Container DN
Enumerating the OUs in a Domain
You want to enumerate all containers and OUs in a domain, which effectively displays the structure of the domain.

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, you can browse the directory structure.

Using a command-line interface

The following command will enumerate all OUs in the domain of the user running the command using the built-in DSQuery utility:
> dsquery ou domainroot
You can also retrieve this information with AdFind, using the following syntax:
> adfind -default -f "objectcategory=organizationalUnit" -dn
This adfind syntax can be shortened as follows:
> adfind -default -sc oudmp
Output from the adfind command will resemble the following:
> adfind -default -f "objectcategory=organizationalUnit" -dn

AdFind V01.27.00cpp Joe Richards (joe@joeware.net) November 2005

Using server: dc1.adatum.com:389
Directory: Windows Server 2003
Base DN: DC=adatum,DC=com

dn:OU=Domain Controllers,DC=adatum,DC=com
dn:OU=Finance,DC=adatum,DC=com
dn:OU=FinanceTemps,OU=Finance,DC=adatum,DC=com

3 Objects returned

Using VBScript

' This code recursively displays all container and organizationalUnit
' objects under a specified base. Using "" for the second parameter means
' that there will be no indention for the first level of objects displayed.
Call DisplayOUs("LDAP://<DomainDN>", "")

' DisplayOUs takes the ADsPath of the object to display
' child objects for and the number of spaces (indention) to
' use when printing the first parameter
Function DisplayOUs( strADsPath, strSpace)
   set objObject = GetObject(strADsPath)
   Wscript.Echo strSpace & strADsPath
   ' Only descend into containers and OUs; leaf objects are skipped
   objObject.Filter = Array("container","organizationalUnit")
   for each objChildObject in objObject
      Call DisplayOUs(objChildObject.ADsPath, strSpace & " ")
   next
End Function

Using PowerShell

Finding an OU
You want to find a specific OU within an Active Directory domain.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on the Active Directory Users and Computers label in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. Right-click on the domain node and select Find.
  4. In the Find drop-down box, select Organizational Unit. In the Named: text box, enter the name of the OU.
  5. Click Find Now.

Using a command-line interface

> adfind -default -f "ou=<OU Name>"

Using VBScript

Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

strBase = "<LDAP://<DomainDN>>"
strOUName = "Finance"
' Filter for OUs whose name matches strOUName
strFilter = "(&(objectCategory=organizationalUnit)" & _
  "(name=" & strOUName & "))"
strAttributes = "distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
  strName = objRecordSet.Fields("distinguishedName").Value
  Wscript.Echo "Distinguished Name: " & strName
  objRecordSet.MoveNext
Wend

objConnection.Close

Using PowerShell

To find a specific OU using the Quest AD cmdlets, use the following syntax:
get-QADObject -SearchRoot <Base Search DN> -LdapFilter '(ou=<OU Name>)'
To find a specific OU using System.DirectoryServices, use the following:
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(ou=<OU Name>)"
$objSearcher.FindAll()
In a heavily nested environment, you may need to locate an OU based on its name when you don’t necessarily know its location. By using the ADUC GUI or a command-line tool with a search scope of
Enumerating the Objects in an OU
You want to enumerate all the objects in an OU.
The following solutions will enumerate all the objects directly under an OU. Look at for more on how to display all objects under an OU regardless of the number of objects involved.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the OU you want to view.
  4. The contents of the OU will be displayed in the right pane.

Using a command-line interface

To list the contents of an OU using the built-in DSQuery utility, use the following syntax:
> dsquery * "<OU DN>" -limit 0 -scope onelevel
You can also use AdFind, as follows:
> adfind -b "<OU DN>" -s one -dn

Using VBScript

set objOU = GetObject("LDAP://<OU DN>")
for each objChildObject in objOU
    Wscript.Echo objChildObject.ADSPath
next

Using PowerShell

To enumerate the contents of an OU using the Quest AD cmdlets, use the following syntax:
get-QADObject -searchRoot <OU DN>
To perform the same task using System.DirectoryServices, use the following:
([ADSI]"LDAP://<OU DN>").psbase.Children

Using a graphical user interface

By default, ADUC will display only 2,000 objects. To view more than 2,000 objects, select View→Filter Options. Then modify the maximum number of items displayed per folder.

Using a command-line interface

Using -limit 0, all objects under the OU will be displayed. If -limit is not specified, 100 will be shown by default. You can also specify your own number if you want to only display a limited number of objects.
The -scope onelevel or -s one (for AdFind) option causes only direct child objects of the OU to be displayed. Displaying all objects regardless of depth is referred to as the subtree scope, which is the default search scope for AdFind and DSQuery. If you want to return all objects regardless of depth, including the OU being searched, simply omit the
Deleting the Objects in an OU
You want to delete all child objects in an OU, but not the OU itself.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to and select the OU that contains the objects you want to delete.
  4. Highlight all the objects in the right pane and press the Delete key on your keyboard.
  5. Press F5 to refresh the contents of the OU. If objects still exist, repeat the previous step.

Using a command-line interface

To delete all objects within an OU, but not the OU itself, you need to use the -subtree and -exclude options with the dsrm command:
> dsrm "<OrgUnitDN>" -subtree -exclude
You can also perform this task by piping the results of an adfind query into admod, as follows:
> adfind -default -rb ou=<OU Name> -s one -dsq | admod -unsafe -del

Using VBScript

' This code deletes the objects in an OU, but not the OU itself
set objOU = GetObject("LDAP://<OrgUnitDN>")
for each objChildObject in objOU
    Wscript.Echo "Deleting " & objChildObject.ADSPath
    objChildObject.DeleteObject(0)
next

Using PowerShell

To delete the child objects within an OU using the Quest cmdlets, use the following:
get-QADObject -searchRoot <OU DN> | remove-QADObject -force
To use the System.DirectoryServices methods, use this syntax:
$objOU = [ADSI] "LDAP://<OU DN>"
# Children is a property, and ForEach-Object needs a script block
$objOU.psbase.Children | ForEach-Object { $_.DeleteObject(0) }
If you want to delete the objects in an OU and re-create the OU, you can either delete the OU itself, which will delete all child objects, or you could just delete the child objects. The benefit to the latter approach is that you do not need to reconfigure the ACL on the OU or relink any Group Policy Objects after you’ve re-created the OU.
for enumerating objects in an OU, for deleting an OU, and MSDN: IADsDeleteOps::DeleteObject
Deleting an OU
You want to delete an OU and all objects in it.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the OU you want to delete, right-click on it, and select Delete.
  4. Click Yes.
  5. If the OU contains child objects, you will be asked for confirmation again before deleting it. Click Yes to continue.

Using a command-line interface

To delete an OU and all objects contained within, use the -subtree option with the dsrm command. If you don’t use -subtree and the object you are trying to delete has child objects, the deletion will fail:
> dsrm "<OrgUnitDN>" -subtree
You can also delete an OU and all of its contents using the following admod command:
> admod -b "<OrgUnitDN>" -del -treedelete

Using VBScript

' This code deletes an OU and all child objects of the OU
set objOU = GetObject("LDAP://<OrgUnitDN>")
objOU.DeleteObject(0)

Using PowerShell

To delete an OU and its contents using the Quest AD cmdlets, use the following syntax:
remove-QADObject -identity '<OU DN>' -DeleteTree
To use System.DirectoryServices, use the following:
$objOU = [System.DirectoryServices.DirectoryEntry] "LDAP://<OU DN>"
$objOU.psbase.DeleteTree()
Deleting OUs that do not contain objects is just like deleting any other type of object. Deleting an OU that contains objects, however, requires a special type of delete operation. The Tree Delete LDAP control (OID: 1.2.840.113556.1.4.805) must be used by the application or script to inform AD to delete everything contained in the OU. All three solutions in this case use the control behind the scenes, but if you were going to perform the operation via an LDAP utility such as LDP, you would need to enable the control first.
for using LDAP controls and MSDN: IADsDeleteOps::DeleteObject
Moving the Objects in an OU to a Different OU
You want to move some or all of the objects in an OU to a different OU. You may need to do this as part of a domain restructuring effort.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on the Active Directory Users and Computers node in the lefthand pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to and select the OU that contains the objects you want to move.
  4. Highlight the objects in the right pane you want to move, right-click on them, and select Move.
  5. Browse to and select the parent container you want to move the objects to, and then click OK.
  6. Press F5 to refresh the contents of the OU. If objects still exist, repeat the previous three steps.

Using a command-line interface

To move each object from one OU to another, you can use dsquery as part of a for do loop as follows:
> for /f "usebackq delims=""" %i in (`dsquery * "<Old OU DN>" -scope onelevel`) do dsmove -newparent "<New OU DN>" %i
An alternative is to pipe the results of an adfind query into admod using the following syntax:
> adfind -b "<Old OU DN>" -s one -dsq | admod -move "<New OU DN>"

Using VBScript

' This code moves objects from the "old" OU to the "new" OU
' ------ SCRIPT CONFIGURATION -----
strOldOU = "<Old OU DN>" ' e.g. ou=EngTools,dc=adatum,dc=com
strNewOU = "<New OU DN>" ' e.g. ou=Tools,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objOldOU = GetObject("LDAP://" & strOldOU)
set objNewOU = GetObject("LDAP://" & strNewOU)
' Enumerate the direct children of the old OU and move each one,
' keeping its relative distinguished name
for each objChildObject in objOldOU
    Wscript.Echo "Moving " & objChildObject.Name
    objNewOU.MoveHere objChildObject.ADsPath, objChildObject.Name
next

Using PowerShell

To move all users from one OU to another using the Quest AD cmdlets, use the following syntax:
get-QADObject -searchroot '<Old OU DN>' | move-QADObject -newparent '<New OU DN>'
To move objects using System.DirectoryServices, use the following:
$objOldOU = [ADSI] "LDAP://<Old OU DN>"
$objNewOU = [ADSI] "LDAP://<New OU DN>"
# Move every direct child of the old OU; MoveTo keeps each object's RDN
foreach ($objChild in @($objOldOU.psbase.Children)) {
    $objChild.psbase.MoveTo($objNewOU)
}
End of preview. The remainder of this section is not shown here.
Moving an OU
Preview
You want to move an OU and all its child objects to a different location in the directory tree.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the OU you want to move.
  4. Right-click on the OU and select Move.
  5. Select the new parent container for the OU and click OK.

Using a command-line interface

You can move an OU from one location to another by using either DSMove or AdMod. The DSMove syntax is as follows:
> dsmove "<OrgUnitDN>" -newparent "<NewParentDN>"
If you wish to move an OU with AdMod, use the following syntax:
> admod -b "<OrgUnitDN>" -move "<NewParentDN>"

Using VBScript

set objOU = GetObject("LDAP://<NewParentDN>")
objOU.MoveHere "LDAP://<OrgUnitDN>", "<OrgUnitRDN>"

Using PowerShell

To move an OU from one location to another, use either of the following syntaxes:
move-QADObject -identity '<OU DN>' -newparent '<Destination DN>'

$objOU = [ADSI] "LDAP://<OU DN>"
$newParent = [ADSI] "LDAP://<Destination DN>"
$objOU.psbase.MoveTo($newParent)
One of the benefits of Active Directory is the ability to structure and restructure data easily. Moving an OU, even one that contains a complex hierarchy of other OUs and objects, can be done without impacting the child objects.
If any applications have a dependency on the location of specific objects, you need to ensure they are either updated with the new location or preferably reference the objects by GUID, not by distinguished name.
You should also be mindful of the impact of inherited ACLs and the effect of any new GPOs that are linked to the new parent OU. Keep in mind that any GPOs that were already linked to the OU will stay intact and the link will follow the OU to its new location in the directory structure.
MS KB 313066 (How to Move Users, Groups, and Organizational Units Within a Domain in Windows 2000) and MSDN: IADsContainer::MoveHere
End of preview. The remainder of this section is not shown here.
Renaming an OU
Preview
You want to rename an organizational unit in your domain.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the OU you want to rename.
  4. Right-click on the OU and select Rename.
  5. Type in the new name for the OU and press Enter.

Using a command-line interface

To rename an object using the built-in DSMove utility, use the following syntax:
> dsmove "<ObjectDN>" -newname "<NewName>"
To use admod, use the following:
> admod -b "<ObjectDN>" -rename "<NewName>"

Using VBScript

' This code renames an object and leaves it in the same location.
' ------ SCRIPT CONFIGURATION -----
strCurrentParentDN = "<CurrentParentDN>"
strObjectOldName   = "ou=<OldName>"
strObjectNewName   = "ou=<NewName>"
' ------ END CONFIGURATION --------

set objCont = GetObject("LDAP://" & strCurrentParentDN)
objCont.MoveHere "LDAP://" & strObjectOldName & "," & _
                 strCurrentParentDN, strObjectNewName

Using PowerShell

You can rename an OU using either the Quest AD cmdlets or using a method in the System.DirectoryServices namespace, as follows:
Rename-QADObject -identity '<OU DN>' -newname '<New OU Name>'

$objOU = [ADSI] "LDAP://<OU DN>"
$objOU.psbase.Rename("<New OU Name>")
Before you rename an OU, ensure that none of your production applications reference it by name. You can make objects rename-safe by requiring all applications that must store a reference to an object to use the GUID of the object, rather than the name. The GUID (stored in the objectGUID attribute) is effectively unique within a forest and does not change when an object is renamed.

Using a command-line interface

The two parameters needed to rename an object are the original DN of the object and the new RDN (-newname). The -s option can also be used to specify a server name to work against.

Using VBScript

The MoveHere method can be tricky to use, so an explanation of how to use it to rename objects is in order. First, you need to call
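The move and rename recipes above take the RDN and the parent DN as separate arguments (dsmove -newparent versus -newname, and the "<OrgUnitRDN>" argument to MoveHere). The following PowerShell is an added example, not code from the book, that derives those two pieces from a full DN and checks a move target before anything is sent to the directory; it runs offline, and every DN in it is a constructed placeholder.

```powershell
# Added example (not from the book): derive the RDN and parent DN that the
# DSMove/MoveHere recipes expect, and sanity-check a move target offline.
# All DNs below are constructed placeholders.

function Split-DistinguishedName {
    param([string]$DN)
    # Split on commas that are not preceded by a backslash: an escaped comma
    # such as "Smith\, Joe" is part of the value, not an RDN separator.
    # (Values that end in an escaped backslash, "\\", are not handled.)
    $parts  = @([regex]::Split($DN, '(?<!\\),') | ForEach-Object { $_.Trim() })
    $parent = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ',' } else { '' }
    [pscustomobject]@{ Rdn = $parts[0]; Parent = $parent }
}

function Get-MovedDN {
    param([string]$DN, [string]$NewParentDN)
    # A move keeps the RDN and replaces the parent (dsmove -newparent).
    $p = Split-DistinguishedName $DN
    return "$($p.Rdn),$NewParentDN"
}

function Get-RenamedDN {
    param([string]$DN, [string]$NewRdn)
    # A rename keeps the parent and replaces the RDN (dsmove -newname). The new
    # RDN must include its attribute type, e.g. "ou=Tools", as in the VBScript.
    if ($NewRdn -notmatch '^[A-Za-z]+=') { throw "NewRdn must be type=value, got: $NewRdn" }
    $p = Split-DistinguishedName $DN
    return "$NewRdn,$($p.Parent)"
}

function Test-MoveTarget {
    param([string]$DN, [string]$NewParentDN)
    # The directory refuses to move an object under itself or one of its own
    # descendants; catching that locally gives a clearer error than MoveHere.
    $isSelf       = $NewParentDN -ieq $DN
    $isDescendant = $NewParentDN.EndsWith(",$DN", [StringComparison]::OrdinalIgnoreCase)
    return -not ($isSelf -or $isDescendant)
}

$ou = 'ou=EngTools,ou=Engineering,dc=adatum,dc=com'
Split-DistinguishedName $ou
Get-MovedDN   -DN $ou -NewParentDN 'ou=Tools,dc=adatum,dc=com'
Get-RenamedDN -DN $ou -NewRdn 'ou=EngineeringTools'
Test-MoveTarget -DN $ou -NewParentDN 'ou=Sub,ou=EngTools,ou=Engineering,dc=adatum,dc=com'
Split-DistinguishedName 'cn=Smith\, Joe,ou=Finance,dc=adatum,dc=com'
```

The last call shows why a naive split on "," is not enough: the escaped comma inside the CN value must stay with the value, or the computed RDN and parent will both be wrong and the move or rename will target the wrong object.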
End of preview. The remainder of this section is not shown here.
Modifying an OU
Preview
You want to modify one or more attributes of an OU.
The following examples set the description (description) attribute for the Finance Organizational Unit.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU that contains the object you want to modify. Once you’ve found the object, right-click on it and select Properties.
  4. Right-click the description attribute and select Edit.
  5. Enter Finance Department and click OK.
  6. Click Apply, followed by OK.

Using a command-line interface

To modify an object using AdMod, you’ll use the following general syntax:
> admod -b <ObjectDN> <attribute>:<operation>:<value>
For example, you can add a description to an OU object using the following syntax:
> admod -b "ou=Finance,dc=adatum,dc=com" description::"Finance Department"
You can modify a limited number of object types with DSMod. Run dsmod /? from a command line for more details.

Using VBScript

strObjectDN = "ou=Finance,dc=adatum,dc=com"
set objOU = GetObject("LDAP://" & strObjectDN)
objOU.Put "description", "Finance Department"
objOU.SetInfo

Using PowerShell

set-QADObject -identity '<OU DN>' -ObjectAttributes @{'<Attribute1>'='<Value>';'<Attribute2>'='<Value>'...}

$objOU = [System.DirectoryServices.DirectoryEntry] "LDAP://<OU DN>"
$objOU.Put("<Attribute1>","<Value>")
$objOU.Put("<Attribute2>","<Value>")
$objOU.SetInfo()
Modifying the attributes of an OU is a relatively straightforward process that’s similar to modifying other types of objects within Active Directory. You can modify most attributes of an OU using the Active Directory Computers and Users MMC snap-in, but some attributes will be available for editing only by using ADSI Edit or a command-line or scripting utility.
End of preview. The remainder of this section is not shown here.
Determining Approximately How Many Child Objects
Preview
You want to quickly determine a rough approximation of how many child objects, if any, an OU contains.

Using a graphical user interface

  1. Open LDP.
  2. From the Menu, select Browse→Search.
  3. For Base DN, enter <OrgUnitDN>.
  4. For Filter, enter (objectclass=*).
  5. For Scope, select Base.
  6. Click the Options button and enter msDS-Approx-Immed-Subordinates in the Attributes field.
  7. Click OK and then Run.
  8. The results will be displayed in the righthand pane.
Another option would be to run a search using the onelevel scope and count the number of objects returned by the query. In LDP you can suppress the display of results so that it only displays the number of objects returned rather than displaying the specifics of each item.

Using a command-line interface

You can retrieve the number of child objects that are contained in an OU using either DSQuery or AdFind. To perform this task using DSQuery, use the following syntax:
> dsquery * "<OrgUnitDN>" -scope base -attr msDS-Approx-Immed-Subordinates
The syntax for AdFind is as follows:
> adfind -b "<OrgUnitDN>" -s base msDS-Approx-Immed-Subordinates

Using VBScript

' This code displays the approximate number of child objects for an OU
set objOU = GetObject("LDAP://<OU DN>")
' Constructed attributes such as this one must be requested explicitly
objOU.GetInfoEx Array("msDS-Approx-Immed-Subordinates"), 0
WScript.Echo "Number of child objects: " & _
             objOU.Get("msDS-Approx-Immed-Subordinates")
The msDS-Approx-Immed-Subordinates attribute was introduced in Windows Server 2003. It contains the approximate number of direct child objects in a container or organizational unit. Note that this is an approximation and can be off by 10 percent or more, sometimes significantly more, of the actual total for large containers. (For instance, we ran this query for a container with 2,008 objects in it that reported a value of 1306 for the msDS-Approx-Immed-Subordinates attribute.) The main reason for adding this attribute was to give applications an idea of the rough order of magnitude of how many objects a container has so that they can display them accordingly.
End of preview. The remainder of this section is not shown here.
Delegating Control of an OU
Preview
You want to delegate administrative access of an OU to allow a group of users to manage objects in the OU.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to and select the target OU, and then select Delegate Control.
  4. Select the users and/or groups to delegate control to by using the Add button, and then click Next.
  5. Select the type of privilege to grant to the users or groups you selected in step 4, and then click Next.
  6. Click Finish.

Using a command-line interface

ACLs can be set via a command-line with the dsacls utility from the Windows 2000 and Windows Server 2003 Support Tools, or built directly into the Windows Server 2008 operating system. See for more information.
Although you can delegate control of an OU to a particular user, it is almost universally a better practice to use a group instead. Even if there is only one user to delegate control to, you should create a group, add that user as a member, and use that group in the ACL. That way in the future when you have to replace that user with someone else, you can simply make sure the new person is in the correct group instead of modifying ACLs again. The Delegation of Control wizard is discussed further in .
for changing the ACL on an object and
End of preview. The remainder of this section is not shown here.
Assigning or Removing a Manager for an OU
Preview
You want to assign or remove a manager for an OU.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Right-click on the OU and select Properties.
  5. Select the Managed By tab.
  6. Click the Change button.
  7. Locate the group or user to delegate control to and click OK.
  8. To remove a manager from an OU, return to the Managed By tab and click Clear.

Using a command-line interface

To add a manager for an OU, use the following syntax:
> admod -b <ObjectDN> managedBy::<ManagerDN>
To clear the managedBy attribute, use the following:
> admod -b <ObjectDN> managedBy:-

Using VBScript

strObjectDN = "ou=Finance,dc=adatum,dc=com"
strUserDN = "cn=Joe Smith,ou=Finance,dc=adatum,dc=com"
set objOU = GetObject("LDAP://" & strObjectDN)
objOU.Put "managedBy", strUserDN
objOU.SetInfo

Using PowerShell

Set-QADObject -identity <OU DN> -objectAttributes @{'managedBy'='<User DN>'}

$objOU = [ADSI] "LDAP://<OU DN>"
$objOU.Put("managedBy", "<User DN>")
$objOU.SetInfo()
In the case of an OU, specifying a user, group, computer, or another OU in the Managed By tab does not confer any particular rights onto the manager; this is used as a strictly informational field. When you configure a manager for an OU, the manager’s DN is placed in the OU’s managedBy attribute, and the OU’s DN is placed in the manager’s managedObjects attribute. managedObjects is the backlink attribute of managedBy, showing all objects where that manager is specified.
MSDN: Managed-By attribute [AD Schema] and MSDN: Managed-Objects attribute [AD Schema]
End of preview. The remainder of this section is not shown here.
Linking a GPO to an OU
Preview
You want to apply the settings in a GPO to the users and/or computers within an OU, also known as linking the GPO to the OU.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. Expand Forest in the left pane.
  3. Expand Domain and navigate down to the OU in the domain you want to link the GPO to.
  4. Right-click on the OU and select either “Create and Link a GPO Here” (if the GPO does not already exist) or “Link an Existing GPO” (if you have already created the GPO).
  5. To unlink a GPO, right-click on an existing link and remove the checkmark next to Link Enabled.

Using VBScript

' This code links a GPO to an OU in the specified domain
' ------ SCRIPT CONFIGURATION -----
strDomainDN = "<DomainDN>" '  e.g. dc=adatum,dc=com
strGPO      = "<GPOName>" '   e.g. WorkstationsGPO
strOUDN     = "<OrgUnitDN>" ' e.g. ou=Workstations,dc=adatum,dc=com
' ------ END CONFIGURATION --------

' Look up the GPO by display name under cn=policies,cn=system
' (strDomainDN already starts with dc=, so it is appended as-is).
' strGPO is placed in the filter unescaped, so a name containing
' ( ) * or \ must be escaped per RFC 4515 first.
strBaseDN = "<LDAP://cn=policies,cn=system," & strDomainDN & ">;"
strFilter = "(&(objectcategory=grouppolicycontainer)" & _
              "(objectclass=grouppolicycontainer)" & _
              "(displayname=" & strGPO & "));"
strAttrs = "ADsPath;"
strScope = "OneLevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
if objRS.EOF <> TRUE then
   objRS.MoveFirst
end if

' Exactly one GPO must match; display names are not unique in AD
if objRS.RecordCount = 1 then
   strGPOADsPath = objRS.Fields(0).Value
   WScript.Echo "GPO Found: " & strGPOADsPath
elseif objRS.RecordCount = 0 then
   WScript.Echo "Did not find matching GPO for: " & strGPO
   Wscript.Quit
elseif objRS.RecordCount > 1 then
   WScript.Echo "More than 1 GPO found matching: " & strGPO
   Wscript.Quit
end if

set objOU = GetObject("LDAP://" & strOUDN)

' gpLink is absent on an OU with no links; that error
' (E_ADS_PROPERTY_NOT_FOUND) is expected and leaves strGPLink empty.
' Any other error is fatal.
on error resume next
strGPLink = objOU.Get("gpLink")
if Err.Number then
   if Err.Number <> -2147463155 then
      WScript.Echo "Fatal error while retrieving gpLink attribute: " & _
                    Err.Description
      Wscript.Quit
   end if
end if
on error goto 0

' Append the new link with link options 0 (enabled, not enforced)
objOU.Put "gpLink", strGPLink & "[" & strGPOADsPath & ";0]"
objOU.SetInfo
WScript.Echo "GPO successfully linked"



' The following code segment will remove any GPOs that

' are linked to an OU



Const ADS_PROPERTY_CLEAR = 1



Set objContainer = GetObject _

  ("LDAP://<
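The script above writes gpLink with a bare string append, and the removal segment that follows clears the whole attribute. As an added example, not code from the book, the following PowerShell works on the raw gpLink format offline: it parses the [<GPO ADsPath>;<options>] entries, decodes the option bits (1 = link disabled, 2 = link enforced), refuses to link a GPO that is already linked, and removes a single link rather than all of them. The GPO GUIDs in the sample are constructed placeholders.

```powershell
# Added example (not from the book): parse and edit the raw gpLink attribute
# value. Each entry is [<GPO ADsPath>;<options>], where options is a bit mask:
# 1 = link disabled, 2 = link enforced (no override). The GPO GUIDs used in
# the sample are constructed placeholders.

function ConvertFrom-GpLink {
    param([string]$GpLink)
    foreach ($m in [regex]::Matches($GpLink, '\[([^;\]]+);(\d+)\]')) {
        $options = [int]$m.Groups[2].Value
        [pscustomobject]@{
            Path     = $m.Groups[1].Value
            Options  = $options
            Disabled = ($options -band 1) -ne 0
            Enforced = ($options -band 2) -ne 0
        }
    }
}

function ConvertTo-GpLink {
    param([object[]]$Entries)
    # Rebuild the attribute string; order is preserved as parsed.
    return -join @($Entries | ForEach-Object { "[$($_.Path);$($_.Options)]" })
}

function Add-GpLinkEntry {
    param([string]$GpLink, [string]$GpoPath, [int]$Options = 0)
    $entries = @(ConvertFrom-GpLink $GpLink)
    # A blind string append silently creates duplicate links; DNs compare
    # case-insensitively, so check before appending.
    if ($entries | Where-Object { $_.Path -ieq $GpoPath }) {
        throw "GPO is already linked to this container: $GpoPath"
    }
    $entries += [pscustomobject]@{ Path = $GpoPath; Options = $Options }
    return ConvertTo-GpLink $entries
}

function Remove-GpLinkEntry {
    param([string]$GpLink, [string]$GpoPath)
    # Drop only the named link; the other links on the container survive.
    $kept = @(ConvertFrom-GpLink $GpLink | Where-Object { $_.Path -ine $GpoPath })
    return ConvertTo-GpLink $kept
}

# Constructed sample: two existing links, the second one enforced.
$gpoA = 'LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,dc=adatum,dc=com'
$gpoB = 'LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,dc=adatum,dc=com'
$gpoC = 'LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,dc=adatum,dc=com'
$current = "[$gpoA;0][$gpoB;2]"

$linked = Add-GpLinkEntry -GpLink $current -GpoPath $gpoC
ConvertFrom-GpLink $linked | Format-Table Path, Options, Disabled, Enforced
Remove-GpLinkEntry -GpLink $linked -GpoPath $gpoA
```

To apply the result to a real OU, the returned string is what would be written with the same Put "gpLink" and SetInfo calls the VBScript uses; reading the current value first and parsing it is what makes the duplicate check and the single-link removal possible.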
End of preview. The remainder of this section is not shown here.
Protecting an OU Against Accidental Deletion
Preview
You want to prevent an Organizational Unit object from being accidentally deleted by an administrator who selects the incorrect option in Active Directory Users and Computers.

Using a graphical user interface (Windows Server 2008 only)

  1. Open Active Directory Users and Computers. Click on View and confirm that Advanced Features is selected.
  2. Drill down to the current domain. To connect to a different domain, right-click on the top-level node and click Change domain; select the appropriate domain and then drill down to it.
  3. Right-click on the OU that you want to modify and click Properties.
  4. Click on the Object tab.
  5. Place a checkmark next to “Protect object from accidental deletion.”
  6. Click OK.

Using a command-line interface (all versions)

dsacls <OU DN> /d EVERYONE:SDDT

Using PowerShell (all versions)

Add-QADPermission -identity <OU DN> -Account 'EVERYONE' -Rights 'Delete,DeleteTree' -ApplyTo 'ThisObjectOnly' -Deny
One of the challenges in delegating permissions within Active Directory is the potential for accidental deletions, particularly when administrators delete an entire Organizational Unit when they had only intended to delete a single object within that OU. Windows Server 2008 exposes a new option in the Active Directory Users and Computers and the Active Directory Sites and Services MMC that will prevent an object from being deleted by means of a “fat-finger” deletion. By default, all new OUs that are created in Windows Server 2008 via the Active Directory Users and Computers MMC will have this protection enabled; however, any pre-existing OUs or OUs created through other methods will not unless you enable it manually using one of the methods shown above. Additionally, built-in Active Directory containers such as the BUILTIN, Computers, and Users containers, as well as the Domain Controllers OU and other built-in containers, do not have this protection enabled by default. If you attempt to delete an OU that is protected using this option, even when signed on as a Domain Admin or other similarly elevated account, you will receive an “Access Denied” message until you manually remove the checkbox or manually remove the DENY ACE associated with it.
End of preview. The remainder of this section is not shown here.
Chapter 6: Users
Preview
User accounts are some of the most frequently used objects in Active Directory; they create the means of authenticating and authorizing someone to access resources on your network. Because Windows 2000 and newer Windows server systems manage users primarily through Active Directory, many key issues that system administrators deal with are covered in this chapter. In particular, Active Directory manages information regarding user passwords; group membership; enabling, disabling, or expiring user accounts; and keeping track of when users have logged on to your network.
The default location for user objects in a domain is the cn=Users container directly off the domain root. You can, of course, create user objects in other containers and organizational units in a domain, or move them to these containers after they’ve been created. contains a list of some of the interesting attributes that are available on user objects. This is by no means a complete list. There are many other informational attributes that we haven’t included.
Table: Attributes of user objects

Attribute            Description
accountExpires       Large integer representing when the user’s account is going to expire. See for more information.
cn                   Relative distinguished name of user objects. This is commonly the username or the display name of the user.
displayName          Typically the full name of a user. This attribute is used in administrative tools to display a user’s descriptive name.
givenName            First name of the user.
homeDirectory        Local or UNC path of user’s home directory. See for more information.
homeDrive            Defines the drive letter to map the user’s home directory to. See for more information.
lastLogon            The last time that a user logged onto a particular DC. This information is not replicated among domain controllers.
lastLogonTimestamp   Approximate last logon timestamp, which is replicated among domain controllers. This attribute was introduced in Windows Server 2003. See for more information.
End of preview. The remainder of this section is not shown here.
Modifying the Default Display Name Used When Creating Users in ADUC
Preview
You want to modify how the default display name gets generated when you create a new user through the ADUC snap-in.

Using a graphical user interface

  1. Open ADSI Edit.
  2. In the Configuration Naming Context, browse to DisplaySpecifiers→<Locale> where <Locale> is the locale for your language (e.g., the U.S. English locale is 409).
  3. Double-click on cn=user-Display.
  4. Edit the createDialog attribute with the value you want the new default to be (e.g., %<sn>, %<givenName>).
  5. Click OK.

Using a command-line interface

> admod -config -rb cn=user-Display,cn=409,cn=DisplaySpecifiers, createDialog::"%<sn>, %<givenName>"

Using VBScript

' This code modifies the default ADUC display name.
' ------ SCRIPT CONFIGURATION ------
strNewDefault = "%<sn>, %<givenName>"
strForestName = "<ForestDNSName>" ' e.g. adatum.com
' ------ END CONFIGURATION ---------

Set objRootDSE = GetObject("LDAP://" & strForestName & "/RootDSE")
Set objDispSpec = GetObject("LDAP://cn=User-Display,cn=409," & _
                              "cn=DisplaySpecifiers," & _
                              objRootDSE.Get("ConfigurationNamingContext"))
objDispSpec.Put "createDialog", strNewDefault
objDispSpec.SetInfo
WScript.Echo "New default for user's display name has been set to: " & _
              strNewDefault

Using PowerShell

To modify display specifiers using the Quest AD cmdlets, use the following syntax:
$strNewDefault = "%<sn>, %<givenName>"
$objDN = "cn=User-Display,cn=409,cn=DisplaySpecifiers,cn=Configuration,<Forest Root DN>"
get-QADObject -identity $objDN | set-QADObject -ObjectAttributes @{createDialog=$strNewDefault}
To modify display specifiers using System.DirectoryServices, use the following:
$root = [ADSI]"LDAP://RootDSE"
$strNewDefault = "%<sn>, %<givenName>"
$objDN = "cn=User-Display,cn=409,cn=DisplaySpecifiers,cn=Configuration,"
$obj = [ADSI]("LDAP://" + $objDN + $root.rootDomainNamingContext)
$obj.Put("createDialog", $strNewDefault)
$obj.SetInfo()
When you create a new user object in the Active Directory Users and Computers snap-in, it will automatically fill in the Full Name field as you type in the First Name, Initials, and Last Name fields. As a convenience, you may want to alter that behavior so that it automatically fills in a different value. To do that, you need to modify the
End of preview. The remainder of this section is not shown here.
Creating a User
Preview
You want to create a user object.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to and select the container where the new user should be located and select New→User.
  4. Enter the values for the first name, last name, full name, and user logon name fields as appropriate and click Next.
  5. Enter and confirm password, set any of the password flags, and click Next.
  6. Click Finish.

Using a command-line interface

You can create a user with the built-in DSAdd utility or by using AdMod. Using DSAdd requires the following syntax:
> dsadd user "<UserDN>" -upn <UserUPN> -fn "<UserFirstName>" -ln "<UserLastName>" -display "<UserDisplayName>" -pwd <UserPasswd>
To create a user account with AdMod, use the following syntax:
> admod -b "<UserDN>" -add objectClass::user sAMAccountName::<SAMAccount> unicodepwd::<password> userAccountControl::512 -kerbenc

Using VBScript

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

set objParent = GetObject("LDAP://<ParentDN>")
set objUser = objParent.Create("user", "cn=<UserName>") ' e.g. joes
objUser.Put "sAMAccountName", "<UserName>"   ' e.g. joes
objUser.Put "userPrincipalName", "<UserUPN>" ' e.g. joes@adatum.com
objUser.Put "givenName", "<UserFirstName>"   ' e.g. Joe
objUser.Put "sn", "<UserLastName>"           ' e.g. Smith
objUser.Put "displayName", "<UserFirstName> <UserLastName>" ' e.g. Joe Smith
objUser.SetInfo

' The object must exist in the directory before a password can be set
objUser.SetPassword "<Password>"

' Enable the account; new user objects are created disabled
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo

Using PowerShell

To create a new Active Directory user with the Quest AD cmdlets, use the following :
new-QADUser -name '<User CN>' -parentContainer '<Parent DN>' -UserPassword '<Password>' -FirstName '<User First Name>' -LastName '<User Last Name>' -UserPrincipalName '<User UPN>'
To create a new Active Directory user with System.DirectoryServices
End of preview. The remainder of this section is not shown here.
Creating a Large Number of Users
Preview
You want to create a large number of user objects, either for testing purposes or to initially populate Active Directory with your employee, customer, or student user .

Using a command-line interface

The following example uses a for do loop in combination with dsadd to create 1,000 users under the bulk OU in the adatum.com domain with usernames such as User1, User2, User3, etc. The password is set, but no other attributes are configured. You can modify the dsadd syntax to populate additional attributes, as well:
> for /L %i in (1,1,1000) do dsadd user cn=User%i,ou=bulk,dc=adatum,dc=com -pwd User%i
You can also use the ldifde utility to perform a bulk import of unique usernames. Create an .LDF file using the following syntax (separate multiple entries with a blank line in between):
dn: CN=Joe Richards,OU=Engineering,DC=adatum,DC=com
changetype: add
cn: Joe Richards
objectClass: user
samAccountName: jrichards
Once you’ve created the LDIF file containing your user records, import the file using the following command:
> ldifde -i -f <filename.ldf> -s <servername>
You may notice that the LDIF file does not specify the user’s password; this attribute must be modified after the user object has been created.
You can also use admod to automate this task as follows. The code below will create 4,000 users named "TestUser_1", "TestUser_2", "TestUser_3":
> admod -sc adau:4000;MyPassword1!;cn=testuser,ou=testou,dc=adatum,dc=com
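The LDIF shown above is hand-written for one user. The following PowerShell is an added example, not code from the book, that generates an ldifde import file for many users and handles two details the hand-written file does not: characters that are special in a DN (a comma inside a name would otherwise produce an extra RDN) and values that LDIF requires to be base64 encoded. It uses the two-record pattern of the inetOrgPerson recipe later in this chapter, creating the object and then setting userAccountControl to 512 in a separate modify record. The user list and the OU are constructed.

```powershell
# Added example (not from the book): generate an LDIF file for ldifde -i from a
# constructed user list. Names containing DN-special characters are escaped
# (RFC 4514) and values that are not LDIF-safe are base64 encoded (RFC 2849).

function ConvertTo-RdnValue {
    param([string]$Value)
    # Escape the characters that delimit RDNs so a name such as "Smith, Ana"
    # stays one CN value instead of turning ", Ana" into a second RDN.
    $escaped = $Value   -replace '([\\,+"<>;])', '\$1'
    $escaped = $escaped -replace '^([# ])', '\$1'
    $escaped = $escaped -replace '( )$', '\$1'
    return $escaped
}

function ConvertTo-LdifLine {
    param([string]$Attribute, [string]$Value)
    # LDIF allows a plain "attr: value" only for printable ASCII that does not
    # start with space, ':' or '<' and does not end with a space; anything else
    # is written as "attr:: <base64 of UTF-8>".
    $needsBase64 = ($Value -match '^[ :<]') -or ($Value -match ' $') -or ($Value -match '[^\x20-\x7E]')
    if ($needsBase64) {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value)
        return "${Attribute}:: " + [Convert]::ToBase64String($bytes)
    }
    return "${Attribute}: $Value"
}

function New-UserLdif {
    param([string]$ParentDN, [object[]]$Users)
    $records = foreach ($u in $Users) {
        $dn = "CN=$(ConvertTo-RdnValue $u.Name),$ParentDN"
        # Record 1 creates the (disabled) object; record 2 enables it, as the
        # inetOrgPerson recipe does. replace: is used because userAccountControl
        # is single-valued. Passwords are set afterwards, as noted above.
        @(
            (ConvertTo-LdifLine 'dn' $dn)
            'changetype: add'
            'objectClass: user'
            (ConvertTo-LdifLine 'cn' $u.Name)
            (ConvertTo-LdifLine 'sAMAccountName' $u.SamAccountName)
            (ConvertTo-LdifLine 'displayName' $u.Name)
            ''
            (ConvertTo-LdifLine 'dn' $dn)
            'changetype: modify'
            'replace: userAccountControl'
            'userAccountControl: 512'
            '-'
            ''
        ) -join "`r`n"
    }
    return ($records -join "`r`n")
}

# Constructed sample input; the second name shows why RDN escaping matters and
# the third why base64 encoding is needed.
$users = @(
    [pscustomobject]@{ Name = 'Joe Richards'; SamAccountName = 'jrichards' }
    [pscustomobject]@{ Name = 'Smith, Ana';   SamAccountName = 'asmith' }
    [pscustomobject]@{ Name = 'Zoë Müller';   SamAccountName = 'zmueller' }
)
$ldif = New-UserLdif -ParentDN 'OU=Engineering,DC=adatum,DC=com' -Users $users
$ldif
# Import with: ldifde -i -f bulk.ldf -s <servername>
[System.IO.File]::WriteAllText((Join-Path $PWD 'bulk.ldf'), $ldif, [System.Text.Encoding]::ASCII)
```

Writing the file as ASCII is safe here because every non-ASCII value has already been base64 encoded; this avoids the byte-order-mark and code-page problems that ldifde imports of UTF-8 text files can run into. The escaping in ConvertTo-RdnValue is also the check to apply whenever user-supplied names flow into a DN, since an unescaped comma or plus sign changes where the object is created.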

Using VBScript

' This code creates a large number of users with incremented user names
' e.g. User1, User2, User3, ....
' ------ SCRIPT CONFIGURATION ------
intNumUsers = 1000               ' Number of users to create
strParentDN = "<ParentDN>" ' e.g. ou=bulk,dc=emea,dc=adatum,dc=com
' ------ END CONFIGURATION --------

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

set objParent = GetObject("LDAP://" & strParentDN)
for i = 1 to intNumUsers
   strUser = "User" & i
   Set objUser = objParent.Create("user", "cn=" & strUser)
   objUser.Put "sAMAccountName", strUser
   objUser.SetPassword(strUser)
   objUser.SetInfo
   objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
   objUser.SetInfo
   WScript.Echo "Created " & strUser
next
WScript.Echo ""
WScript.Echo "Created " & intNumUsers & " users"
End of preview. The remainder of this section is not shown here.
Creating an inetOrgPerson User
Preview
You want to create an inetOrgPerson object, which is the standard LDAP object class to represent users.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the new user, right-click on it, and select New→InetOrgPerson.
  4. Enter first name, last name, and user logon name fields as appropriate and click Next.
  5. Enter and confirm the password, set any of the password flags, and click Next.
  6. Click Finish.

Using a command-line interface

DSAdd does not support creating inetOrgPerson objects, so use ldifde or AdMod instead. First, you need to create an LDIF file called create_inetorgperson.ldf with the following contents:
dn: <UserDN>
changetype: add
objectclass: inetorgperson
sAMAccountName: <UserName>

dn: <UserDN>
changetype: modify
add: userAccountControl
userAccountControl: 512
Be sure to replace <UserDN> with the distinguished name of the user you want to add and <UserName> with the user’s username. Then run the following command:
> ldifde -i -f create_inetorgperson.ldf
You can also use the admod utility to create an inetOrgPerson object, as follows:
> admod -b "cn=inetOrgPerson,cn=Users,dc=adatum,dc=com" objectclass::inetOrgPerson sAMAccountName::inetOrgPerson -add

Using VBScript

' This code creates an inetOrgPerson object
set objParent = GetObject("LDAP://<ParentDN>")
set objUser = objParent.Create("inetorgperson", "cn=<UserName>")

' Taken from ADS_USER_FLAG_ENUM
Const ADS_UF_NORMAL_ACCOUNT = 512

objUser.Put "sAMAccountName", "<UserName>"
objUser.Put "userPrincipalName", "<UserUPN>"
objUser.Put "givenName", "<UserFirstName>"
objUser.Put "sn", "<UserLastName>"
objUser.Put "displayName", "<UserFirstName> <UserLastName>"
objUser.SetInfo
objUser.SetPassword("<Password>")
objUser.SetInfo
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo
End of content preview. The rest of this section is not viewable here.
Converting a user Object to an inetOrgPerson Object
You want to convert one or more user objects to inetOrgPerson objects to improve interoperability in a heterogeneous environment.

Using a graphical user interface

This requires at least Windows Server 2003 forest functional level.
  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the domain naming context, container, or OU that contains the object you want to modify. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the naming context, container, or OU containing the user object that you want to view. Once you’ve found the object, right-click on it and select Properties.
  4. Scroll to objectClass and select Edit.
  5. Under Value to add, enter inetOrgPerson and click Add.
  6. Click OK twice to save your changes.

Using a command-line interface

To convert a user object to an inetOrgPerson object, use the following syntax:
> admod -b "<UserDN>" objectClass:+:inetOrgPerson
To revert the object back to a regular user, replace + with - in the previous syntax.

Using VBScript

' This code will convert a user object to inetOrgPerson.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
strClass = "inetOrgPerson"
' ------ END CONFIGURATION --------

Const ADS_PROPERTY_APPEND = 3   ' from ADS_PROPERTY_OPERATION_ENUM

set objUser = GetObject("LDAP://" & strUserDN)
objUser.PutEx ADS_PROPERTY_APPEND, "objectClass", Array(strClass)
objUser.SetInfo

Using PowerShell

Set-Variable -Name ADS_PROPERTY_APPEND -Value 3 -Option Constant
$strClass = "inetOrgPerson"
$objUser = [ADSI] "LDAP://<UserDN>"
$objUser.PutEx($ADS_PROPERTY_APPEND, "objectClass", @($strClass))
$objUser.SetInfo()
In a heterogeneous environment, you may wish to convert one or more Active Directory user objects to inetOrgPerson objects. Since the inetOrgPerson class inherits from the user class, making this modification is a simple matter of adding the
Modifying an Attribute for Several Users at Once
You want to modify an attribute for several users at once.

Using a graphical user interface

This capability first became available in the Windows Server 2003 version of the ADUC snap-in.
  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the objects you want to modify.
  4. In the right pane, highlight each object you want to modify, right-click, and select Properties.
  5. Check the box beside the attribute(s) you want to modify and edit the fields for the attributes.
  6. Click OK.

Using a command-line interface

The following command sets the home directory of all users under a parent container (<ParentDN>) to be on a particular file server (<FileServerName>). The folder name is automatically replaced with the sAMAccountName of each user by using the $username$ syntax:
> dsquery user "<ParentDN>" -limit 0 -scope onelevel | dsmod user -hmdir "\\<FileServerName>\$username$"

Using VBScript

' This code sets the home directory of all users under a container
' to be on a file server where the share name is the same as the user's
' sAMAccountName.
set objParent = GetObject("LDAP://<ParentDN>")
objParent.Filter = Array("user")
for each objUser in objParent
    strSAM = objUser.Get("sAMAccountName")
    Wscript.Echo "Modifying " & strSAM
    objUser.HomeDirectory = "\\<FileServerName>\" & _
                            strSAM
    objUser.SetInfo
next

Using PowerShell

$strFileServer = "\\Server1\"
$objOU = [ADSI] "LDAP://<OU DN>"
$objOU.psbase.Children | % {
    # Computer objects also carry objectClass=user, so test the schema class
    # of the child rather than its objectClass values.
    if ($_.psbase.SchemaClassName -ne "user") { return }
    $uac = [int](($_.userAccountControl).ToString())
    # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; only touch enabled accounts
    if (($uac -band 2) -eq 0)
    {
        $_.Put("homeDirectory", $strFileServer + $_.sAMAccountName)
        $_.SetInfo()
    }
}
It is often necessary to update several users at once due to an organizational, geographic, or file server change. In each solution, we showed how to modify all users within a parent container, but you may need to use different criteria for locating the users.
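The following is an added example, not code from the book: the same bulk change driven by an LDAP filter instead of "everything directly under one container", with a dry-run switch so the affected set can be reviewed before anything is written. The search base, file server, the extra filter clause and the function name are placeholders of mine.

```powershell
# Added example (not from the book). Bulk-set homeDirectory for the users
# matched by an LDAP filter; -DryRun lists the changes without writing them.
# Search base, file server and extra filter clause are placeholders.

function Set-HomeDirectoryBulk {
    param(
        [string]$SearchBase,          # e.g. "LDAP://ou=Sales,dc=adatum,dc=com"
        [string]$FileServer,          # e.g. "\\fs01\home"
        [string]$ExtraFilter = "",    # extra LDAP clauses, e.g. "(department=Sales)"
        [switch]$DryRun
    )
    $ACCOUNTDISABLE = 0x2
    # objectCategory=person excludes computer objects, which also carry
    # objectClass=user; the bitwise-AND matching rule (OID
    # 1.2.840.113556.1.4.803) drops disabled accounts on the server side.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE))" +
              "$ExtraFilter)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter = $filter
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize = 1000             # paged results; a DC hands back at most 1000 per page by default
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "homeDirectory"))

    $changed = 0
    foreach ($result in $searcher.FindAll()) {
        $sam = [string]$result.Properties["samaccountname"][0]
        $newPath = Join-Path $FileServer $sam                   # \\fs01\home\jsmith
        $oldPath = ""
        if ($result.Properties["homedirectory"].Count -gt 0) {
            $oldPath = [string]$result.Properties["homedirectory"][0]
        }
        if ($oldPath -eq $newPath) { continue }   # already right: no write, no replication traffic
        if ($DryRun) {
            Write-Host ("{0}: '{1}' -> '{2}'" -f $sam, $oldPath, $newPath)
        } else {
            $entry = $result.GetDirectoryEntry()
            $entry.Properties["homeDirectory"].Value = $newPath
            $entry.CommitChanges()
        }
        $changed++
    }
    return $changed
}

# Review first, then apply:
# Set-HomeDirectoryBulk -SearchBase "LDAP://ou=Sales,dc=adatum,dc=com" -FileServer "\\fs01\home" -ExtraFilter "(department=Sales)" -DryRun
# Set-HomeDirectoryBulk -SearchBase "LDAP://ou=Sales,dc=adatum,dc=com" -FileServer "\\fs01\home" -ExtraFilter "(department=Sales)"
```

The filter does the selection work on the domain controller, so only the objects that will actually change are returned, and skipping users whose value is already correct keeps a re-run from generating needless replication.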
Deleting a User
You want to delete a user object.

Using a graphical user interface

  1. Open Active Directory Users and Computers.
  2. In the left pane, browse to the parent container or OU of the user that you want to delete. Alternatively, right-click on the domain and click Find…, then enter the name of the user and click Find Now.
  3. Right-click on the user object and select Delete.
  4. Click Yes to confirm.
You can also delete a user through LDP, as follows:
  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank for a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. Click Browse → Delete. For DN, enter the Distinguished Name of the user that you want to delete.
  10. Click Run to delete the user.

Using a command-line interface

You can delete a user using the built-in dsrm utility, as well as AdMod. For dsrm, use the following syntax:
> dsrm "<UserDN>"
For AdMod, enter the following:
> admod -b "<UserDN>" -del

Using VBScript

strUserDN = "<UserDN>"
set objUser = GetObject("LDAP://" & strUserDN)
objUser.DeleteObject(0)

Using PowerShell

To delete an object using the Quest AD cmdlets, use the following syntax:
remove-QADObject -identity <User DN>
To delete an object using the .NET methods, use the following:
$usr = [ADSI] "LDAP://<User DN>"
$usr.DeleteObject(0)
This recipe covers deleting individual users. If you want to delete a container or OU and all the objects in it, take a look at .

Using VBScript

Using the DeleteObject method is straightforward. Passing 0 as a parameter is required, but does not have any significance at present.
An alternate and perhaps safer way to delete objects is to use the IADsContainer::Delete method. To use this method, you must first bind to the parent container of the object. You can then call Delete by passing the object class and RDN of the object you want to delete. Here is an example for deleting a
Setting a User’s Profile Attributes
You want to set one or more of the user profile attributes.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Profile tab.
  7. Modify the various profile settings as necessary.
  8. Click OK.

Using a command-line interface

You can update a user’s profile attributes using either DSMod or AdMod. DSMod uses the following syntax:
> dsmod user "<UserDN>" -loscr <ScriptPath> -profile <ProfilePath> -hmdir <HomeDir> -hmdrv <DriveLetter>
AdMod uses the following syntax:
> admod -b "<UserDN>" <attribute>::<NewValue>

Using VBScript

' This code sets the various profile related attributes for a user.
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
set objUser = GetObject("LDAP://" & strUserDN)
objUser.Put "homeDirectory", "\\fileserver\" & objUser.Get("sAMAccountName")
objUser.Put "homeDrive", "z:"
objUser.Put "profilePath", "\\fileserver\" & _
            objUser.Get("sAMAccountName") & "\profile"
objUser.Put "scriptPath", "login.vbs"   ' relative to the NETLOGON share
objUser.SetInfo
Wscript.Echo "Profile info for " & objUser.Get("sAMAccountName") & " updated"

Using PowerShell

To modify user profile attributes using the Quest AD cmdlets, use the following syntax:
get-QADUser -identity "<User DN>" | set-QADUser -HomeDirectory '\\server1\jsmith' -HomeDrive 'Z:' -ProfilePath '\\server1\profiles\jsmith' -scriptpath '\\dc1\netlogon\script.vbs'
To modify these attributes using System.DirectoryServices, use the following syntax:
([ADSI]"LDAP://<User DN>") |% {
    $_.put("homeDirectory", "\\server1\" + $_.sAMAccountName)
    $_.put("homeDrive", "Z:")
    $_.put("profilePath", "\\server1\profiles\" + $_.sAMAccountName)
    $_.put("scriptPath", "\\dc1\netlogon\script.vbs")
    $_.SetInfo()
}
The four attributes that make up a user’s profile settings include:
homeDirectory
UNC path to home directory
homeDrive
Drive letter (e.g., Z:) to map home directory
Moving a User
You want to move a user object to a different container or OU.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Type the name of the user and click Find Now.
  5. In the Search Results window, right-click on the user and select Move.
  6. Browse to and select the new parent container or OU.
  7. Click OK.
In Windows Server 2003 and newer, you can also drag and drop objects from one container or OU into another.

Using a command-line interface

You can move an object using either the built-in DSMove utility or AdMod. DSMove takes the following syntax:
> dsmove "<UserDN>" -newparent "<NewParentDN>"
To move an object using AdMod, do the following:
> admod -b "<Current User DN>" -move "<New Parent DN>"

Using VBScript

' This code moves a user from one container to another.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"    ' e.g. cn=rallen,cn=users,dc=adatum,dc=com
strOUDN = "<NewParentDN>" ' e.g. ou=Sales,dc=adatum,dc=com
' ------ END CONFIGURATION ---------
Set objUser = GetObject("LDAP://" & strUserDN)
Set objOU = GetObject("LDAP://" & strOUDN)
objOU.MoveHere objUser.ADsPath, objUser.Name

Using PowerShell

To move a user with the Quest AD cmdlets, use the following syntax:
move-QADObject -Identity <UserDN> -NewParentContainer <New OU DN>
To move a user with the System.DirectoryServices methods, use the following:
$objUser = [ADSI] "LDAP://<UserDN>"
$objNewOU = [ADSI] "LDAP://<New Parent OU DN>"
$objUser.psbase.MoveTo($objNewOU)
Moving a user object between OUs in the same domain has no direct impact on the actual user in terms of any security or distribution groups that the user is a member of. The things to be cautious of when moving the user to a new OU are different security settings, different GPOs, and the possibility of breaking applications that have the user’s DN hardcoded into them.
Redirecting Users to an Alternative OU
This solution requires at least Windows Server 2003 domain functional level.
You want to redirect all new users from the default OU (i.e., cn=Users) into the destination OU that you specify.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a domain user.
  8. Click OK.
  9. From the menu, select Browse→Modify.
  10. For DN, enter the distinguished name of the domainDNS object of the domain you want to modify.
  11. For Attribute, enter wellKnownObjects.
  12. For Values, enter the following:
    B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,<DomainDN>
    where <DomainDN> is the same as the DN you enter for the DN field.
  13. Select Delete for the Operation and click the Enter button.
  14. Go back to the Values field and enter the following:
    B:32:A9D1CA15768811D1ADED00C04FD8D5CD:<NewUsersParent>,<DomainDN>
    where <NewUsersParent> is the new parent container for new user objects (e.g., "ou=Adatum Users").
  15. Select Add for the Operation and click the Enter button.
  16. Click the Run button.
  17. The result of the operations will be displayed in the right pane of the main LDP window.

Using a command-line interface

To redirect the default OU that new users will be created into, use the following syntax:
> redirusr "<DestinationDN>"
Most modern methods for creating user accounts, including the ADUC MMC snap-in, AdMod, and DSAdd, allow you to specify which OU a new user should be created in. However, some utilities such as net user or the WinNT ADSI provider still rely on a legacy API that will create a user only in its default location until it is manually moved to another OU by an administrator. The default location in Windows Server 2003 is the cn=Users container; this can create issues applying Group Policy to new user objects, since the Users container cannot have a GPO linked to it. To ensure that all newly created users receive the necessary Group Policy settings as soon as they are created, use the
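The following is an added example, not code from the book or from Microsoft: it decodes the wellKnownObjects values of the domain object (the B:32:<GUID>:<DN> form used in the LDP steps above) and reports which container the Users well-known GUID points at, so a redirusr change can be confirmed by reading the domain object rather than by creating a throwaway account with net user. The domain path is a placeholder of mine, and the Computers container GUID shown for contrast (AA312825768811D1ADED00C04FD8D5CD) is the published GUID_COMPUTRS_CONTAINER value.

```powershell
# Added example (not from the book). Decode wellKnownObjects entries of the
# form B:<hexlen>:<hex>:<DN> and look up the container behind a given GUID.
# The domain path is a placeholder; the sample values at the end are
# constructed, not read from a real domain.

$WKGUID_USERS     = "A9D1CA15768811D1ADED00C04FD8D5CD"   # same GUID as in the LDP steps
$WKGUID_COMPUTERS = "AA312825768811D1ADED00C04FD8D5CD"   # published GUID_COMPUTRS_CONTAINER

function ConvertFrom-WellKnownObject {
    param([string[]]$Values)
    foreach ($v in $Values) {
        if ($v -notmatch '^B:(\d+):([0-9A-Fa-f]+):(.+)$') { continue }
        if ([int]$Matches[1] -ne $Matches[2].Length) { continue }   # length prefix must match the hex payload
        New-Object PSObject -Property @{ Guid = $Matches[2].ToUpper(); DN = $Matches[3] }
    }
}

function Get-WellKnownContainer {
    param([string[]]$WellKnownObjects, [string]$Guid)
    $hit = ConvertFrom-WellKnownObject $WellKnownObjects | Where-Object { $_.Guid -eq $Guid }
    if ($hit -eq $null) { return $null }
    return @($hit)[0].DN
}

# Live use (placeholder domain). Through ADSI the attribute comes back as
# IADsDNWithBinary objects, so rebuild the B:32:... string from their
# BinaryValue and DNString properties before decoding.
# $domain = [ADSI]"LDAP://dc=adatum,dc=com"
# $raw = @($domain.wellKnownObjects | ForEach-Object {
#     $hex = ($_.BinaryValue | ForEach-Object { $_.ToString("X2") }) -join ""
#     "B:$($hex.Length):${hex}:$($_.DNString)"
# })
# Get-WellKnownContainer $raw $WKGUID_USERS

# Constructed sample (not from a real domain) for a domain where redirusr has run:
$sample = @(
    "B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=adatum,DC=com",
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=Adatum Users,DC=adatum,DC=com"
)
"New users go to:     " + (Get-WellKnownContainer $sample $WKGUID_USERS)
"New computers go to: " + (Get-WellKnownContainer $sample $WKGUID_COMPUTERS)
```

Before redirection the Users GUID resolves to CN=Users,<DomainDN>; afterwards it resolves to the OU you passed to redirusr. Checking this attribute is also a quick way to spot a domain where someone has pointed new users at an unexpected container.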
Renaming a User
You want to rename a user.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Type the name of the user and click Find Now.
  4. In the Search Results window, right-click on the user and select Rename.
  5. You can modify the Full Name, Last Name, First Name, Display Name, User Principal Name (logon name), and SAM Account Name (pre-Windows 2000).
  6. Click OK after you are done.

Using a command-line interface

The following command will rename the RDN of the user:
> dsmove "<UserDN>" -newname "<NewUserName>"
You can modify the UPN (-upn), First Name (-fn), Last Name (-ln), and Display Name (-display) using the dsmod user command. For example, the following command would change the user’s UPN and last name:
> dsmod user "<UserDN>" -upn "<NewUserUPN>" -ln "<NewUserLastName>"
You can also rename a user by using AdMod with the following syntax:
> admod -b "<UserDN>" -rename "<NewUserName>"

Using VBScript

' This code renames the RDN of a user and the sAMAccountName attribute.
' ------ SCRIPT CONFIGURATION ------
strParentDN = "<ParentDN>" ' e.g. cn=Users,dc=adatum,dc=com
strUserOldName = "<OldUserName>" ' e.g. jsmith
strUserNewName = "<NewUserName>" ' e.g. jim
' ------ END CONFIGURATION --------

set objCont = GetObject("LDAP://" & strParentDN)
objCont.MoveHere "LDAP://cn=" & strUserOldName & "," & strParentDN, _
                 "cn=" & strUserNewName
set objUser = GetObject("LDAP://cn=" & strUserNewName & "," & strParentDN)
objUser.Put "sAMAccountName", strUserNewName
objUser.SetInfo
WScript.Echo "Rename successful"

Using PowerShell

To rename a user object using the Quest cmdlets, use the following:
Get-QADUser -Identity <UserDN> | Rename-QADObject -NewName '<NewCN>'
To rename a user object through System.DirectoryServices, use the following syntax:
$objUser = [ADSI] "LDAP://<UserDN>"
$strNewName = "<New User CN>"
$objUser.psbase.Rename($strNewName)
Renaming a user object can have a couple different meanings in Active Directory. In the generic object sense, renaming an object consists of changing the RDN for the object to something else, as when
Copying a User
You want to copy an existing user account, which may be serving as a template, to create a new account.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, browse to the parent container of the template user object.
  3. In the right pane, right-click on the user and select Copy.
  4. Enter the name information for the new user and click Next.
  5. Enter a password, check any options you want enabled, and click Next.
  6. Click Finish.

Using VBScript

' This code copies the attributes in the Attrs array from an
' existing object to a new one.
' ------ SCRIPT CONFIGURATION ------
arrAttrs = Array("department","co","title","l", "c", "st")
strParentDN = "<ParentContainer>" ' e.g. cn=Users,dc=adatum,dc=com
strTemplateUser = "<TemplateUserName>" ' e.g. template-user-sales
strNewUser = "<NewUserName>" ' e.g. jdoe
strPassword = "<Password>"
' ------ END CONFIGURATION ---------

Const ADS_UF_NORMAL_ACCOUNT = 512 ' from ADS_USER_FLAG_ENUM

Set objTemplate = GetObject("LDAP://cn=" & strTemplateUser & _
                            "," & strParentDN)
Set objParent = GetObject("LDAP://" & strParentDN)
Set objUser = objParent.Create("user", "cn=" & strNewUser)

objUser.Put "sAMAccountName", strNewUser

for each strAttr in arrAttrs
   objUser.Put strAttr, objTemplate.Get(strAttr)
next

objUser.SetInfo
objUser.SetPassword(strPassword)
objUser.SetInfo

objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.AccountDisabled = FALSE
objUser.SetInfo

WScript.Echo "Successfully created user"

Using PowerShell

$objTemplateUser = [ADSI] "LDAP://<TemplateUserDN>"
$strNewUserName = "<NewUsername>"
$strNewUserCN = "cn=<New User CN>"
$objParentDN = [ADSI] "LDAP://<Parent DN for New User>"
$arrAttrs = "department","co","title","l", "c", "st"

$objNewUser = $objParentDN.Create("user", $strNewUserCN)
$objNewUser.Put("sAMAccountName", $strNewUserName)
$objNewUser.SetInfo()
$objNewUser.psbase.Invoke("SetPassword", "<Password>")
$objNewUser.SetInfo()
$objNewUser.Put("userAccountControl", 512)   # ADS_UF_NORMAL_ACCOUNT: enable the account
$objNewUser.SetInfo()

# Copy the template attributes; attributes the template does not have are skipped
# because writing an empty value would fail
foreach ($attr in $arrAttrs) {
    $newAttr = $objTemplateUser.$attr
    if ($newAttr -ne $null -and "$newAttr" -ne "") { $objNewUser.Put($attr, "$newAttr") }
}
$objNewUser.SetInfo()
Finding Locked-Out Users
You want to find users whose accounts are locked out.

Using a command-line interface

The following command finds all locked-out users in the domain of the specified domain controller:
> unlock <DomainControllerName> * -view

Using PowerShell

The following Quest AD cmdlet would find all locked-out users in a specified domain:
Get-QADuser -locked
Despite the deceptively simple command just shown, finding the accounts that are currently locked out is a surprisingly complicated task. You would imagine that you could run a query using DSQuery or AdFind (similar to the one to find disabled users in ), but unfortunately, it is not that easy.
The lockoutTime attribute is populated with a timestamp when a user is locked. One way to find locked-out users would be to find all users that have something populated in lockoutTime (i.e., lockoutTime=*). That query would definitely find all the currently locked users, but it would also find all the users that subsequently became unlocked and have yet to log in since being unlocked; the lockoutTime attribute doesn’t get reset until the next time the user logs on successfully. This is where the complexity comes into play.
To determine the users that are currently locked out, you have to query the lockoutDuration attribute stored on the domain object (e.g., dc=adatum,dc=com). This attribute holds how long an account stays locked before it is unlocked automatically; the GUI shows it in minutes, but it is stored as a negative 64-bit count of 100-nanosecond intervals, the same scale that lockoutTime (a FILETIME) uses. Add this negative value to the current time, expressed as a FILETIME, to derive a timestamp that is the outer marker for which users could still be locked. You can then compare this timestamp with the lockoutTime attribute of the user object. LDAP filters have no strict greater-than operator, only >=, so the search filter to find all locked users once you’ve determined the locked timestamp looks like this:
(&(objectcategory=Person)(objectclass=user)(lockoutTime>=DerivedTimestamp))
For any users that have a lockoutTime that is less than the derived timestamp, their account has already been automatically unlocked per the
Unlocking a User
You want to unlock a locked-out user.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, right-click on the user and select Unlock.
  6. Click OK.

Using a command-line interface

To unlock all locked user accounts in your domain, use unlock.exe with the following syntax:
> unlock . *
To unlock a specific user object, replace * with the user’s sAMAccountName or distinguished name, as follows:
> unlock . joe.smith

Using VBScript

' This code unlocks a locked user.
' ------ SCRIPT CONFIGURATION ------
strUsername = "<UserName>"        ' e.g. jsmith
strDomain = "<NetBiosDomainName>" ' e.g. ADATUM
' ------ END CONFIGURATION --------

set objUser = GetObject("WinNT://" & strDomain & "/" & strUsername)
if objUser.IsAccountLocked = TRUE then
   objUser.IsAccountLocked = FALSE
   objUser.SetInfo
   WScript.Echo "Account unlocked"
else
   WScript.Echo "Account not locked"
end if

Using PowerShell

Unlock-QADUser -Identity <UserDN>
If you’ve enabled account lockouts for an Active Directory domain (see ), users will inevitably get locked out. A user can get locked out for a number of reasons, but generally it is because a user mistypes her password a number of times, changes her password and does not log off and log on again, or has services or scheduled tasks running under the security context of her individual user account rather than a dedicated service account.
You can use ADSI’s IADsUser::IsAccountLocked method to determine if a user is locked out. You can set IsAccountLocked to FALSE to unlock a user. You can also query the constructed msDS-User-Account-Control-Computed attribute of an object and test its ADS_UF_LOCKOUT bit (0x10), which reflects whether the lockout is still in force rather than merely whether lockoutTime is populated.
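The following is an added example, not code from the book: it ties the two preceding recipes together. It derives the "still locked" cutoff from the domain's lockoutDuration as described under Finding Locked-Out Users, searches with the resulting lockoutTime filter, confirms each candidate through the ADS_UF_LOCKOUT bit of msDS-User-Account-Control-Computed, and unlocks by clearing lockoutTime over plain LDAP. The domain path and the -DryRun switch are placeholders of mine.

```powershell
# Added example (not from the book): find currently locked-out users and
# unlock them. Domain path and -DryRun switch are placeholders of mine.

$UF_LOCKOUT = 0x10   # ADS_UF_LOCKOUT bit in msDS-User-Account-Control-Computed

function Get-LockoutCutoff {
    # lockoutDuration is a negative Int64 in 100-ns units, the same scale as
    # lockoutTime (a FILETIME). Adding it to "now" gives the oldest lockoutTime
    # that can still be in force.
    param([long]$LockoutDuration, [datetime]$Now = (Get-Date))
    if ($LockoutDuration -eq [long]::MinValue) {
        # 0x8000000000000000 = "until an administrator unlocks": every
        # non-zero lockoutTime is still locked, so match anything >= 1.
        return [long]1
    }
    return $Now.ToFileTimeUtc() + $LockoutDuration
}

function New-LockedOutFilter {
    param([long]$Cutoff)
    # LDAP has no ">" operator, only ">=". lockoutTime=0 (unlocked) never matches.
    return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=$Cutoff))"
}

function Get-LockedOutUser {
    param([string]$DomainPath = "LDAP://dc=adatum,dc=com")   # placeholder
    $domain = [ADSI]$DomainPath
    $duration = $domain.ConvertLargeIntegerToInt64($domain.lockoutDuration.Value)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = New-LockedOutFilter (Get-LockoutCutoff $duration)
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "lockoutTime", "msDS-User-Account-Control-Computed"))
    foreach ($r in $searcher.FindAll()) {
        # The constructed attribute is authoritative for "locked right now";
        # the lockoutTime filter only narrows the candidate set.
        $computed = [int]$r.Properties["msds-user-account-control-computed"][0]
        if (($computed -band $UF_LOCKOUT) -ne 0) { $r.GetDirectoryEntry() }
    }
}

function Unlock-DirectoryUser {
    param([System.DirectoryServices.DirectoryEntry]$User, [switch]$DryRun)
    $sam = $User.Properties["sAMAccountName"].Value
    if ($DryRun) { Write-Host "Would unlock $sam"; return }
    # Writing 0 to lockoutTime clears the lockout without the WinNT provider
    # that the VBScript solution relies on.
    $User.Properties["lockoutTime"].Value = 0
    $User.CommitChanges()
    Write-Host "Unlocked $sam"
}

# Review the candidates first, then run again without -DryRun:
# Get-LockedOutUser | ForEach-Object { Unlock-DirectoryUser -User $_ -DryRun }
```

Checking the computed attribute after the filter matters because lockoutTime stays set after an automatic or manual unlock until the next successful logon, so the filter alone can still return accounts that are no longer locked, for example when lockoutDuration was shortened after they were locked.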
for finding locked out users, for viewing the account lockout policy, MS KB 250873 (Programmatically Changing the Lockout Flag in Windows 2000), and MSDN: Account Lockout
Troubleshooting Account Lockout Problems
A user is having account lockout problems and you need to determine from where and how the account is getting locked out.

Using a graphical user interface

LockoutStatus is a program for Active Directory that can help identify on which domain controller(s) a user is being locked out. It works by querying the lockout status of the user against every domain controller in the user’s domain.
To determine the lockout status of a user:
  1. Launch LockoutStatus and select File→Select Target from the menu.
  2. Enter the target username and the domain of the user.
  3. Click OK.
At this point, each domain controller in the domain will be queried and the results will be displayed.
The lockoutstatus.exe tool is just one of many that are available in the “Account Lockout and Management” toolset provided by Microsoft. These lockout tools are intended to help administrators with account lockout problems that were very difficult to troubleshoot given the tools available under Windows 2000. Along with LockoutStatus, here are a few others that are included in the set:
ALockout.dll
A script that uses this DLL, called EnableKerbLog.vbs (included with the toolset), can be used to enable logging of application authentication. This can help identify applications that are using bad credentials and causing account lockouts.
ALoInfo.exe
Displays services and shares that are using a particular account name. It can also print all the users and their password age.
NLParse.exe
A filter tool for the netlogon.log files. You can use it to extract just the lines that relate to account lockout information.
EventCombMT
A utility to parse Event Logs from multiple servers, either to collect all entries together or to search for individual events across multiple computers. This is useful when troubleshooting user account lockouts, for example, by determining which computer is causing the account lockout.
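The following is an added example, not code from the book or from the Microsoft toolset. NLParse pulls the lockout-related lines out of netlogon.log; this does the same in PowerShell and tallies them per source machine, which is the question that usually matters when a lockout keeps recurring. The line layout it parses is my recollection of what a domain controller writes with Netlogon debug logging enabled, and the sample lines are constructed, not captured from a real DC.

```powershell
# Added example (not from the book). Filter netlogon.log lines for one user's
# failed logons and count them per source machine. The line format is an
# assumption of mine; the sample lines below are constructed.

$STATUS_WRONG_PASSWORD     = "0xC000006A"   # STATUS_WRONG_PASSWORD
$STATUS_ACCOUNT_LOCKED_OUT = "0xC0000234"   # STATUS_ACCOUNT_LOCKED_OUT

function Get-LockoutSources {
    param([string[]]$Lines, [string]$User)
    # e.g. "03/11 14:50:18 [LOGON] ADATUM: SamLogon: Network logon of ADATUM\jsmith from WS01 Returns 0xC000006A"
    # "(via DCNAME)" appears on transitive logons forwarded by another DC.
    $pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*SamLogon: .+? logon of (?<dom>[^\\]+)\\(?<user>\S+) from (?<src>\S+)(?: \(via (?<via>[^)]+)\))? .*Returns (?<status>0x[0-9A-Fa-f]{8})'
    $bySource = @{}
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }           # not a SamLogon result line
        if ($Matches.user -ne $User) { continue }
        if ($Matches.status -ne $STATUS_WRONG_PASSWORD -and
            $Matches.status -ne $STATUS_ACCOUNT_LOCKED_OUT) { continue }
        $src = $Matches.src
        if (-not $bySource.ContainsKey($src)) {
            $bySource[$src] = New-Object PSObject -Property @{
                Source = $src; BadPasswords = 0; LockedOutAttempts = 0; LastSeen = $Matches.ts
            }
        }
        if ($Matches.status -eq $STATUS_WRONG_PASSWORD) { $bySource[$src].BadPasswords += 1 }
        else { $bySource[$src].LockedOutAttempts += 1 }
        $bySource[$src].LastSeen = $Matches.ts
    }
    return @($bySource.Values | Sort-Object BadPasswords -Descending)
}

# Constructed sample netlogon.log excerpt (not real data)
$sampleLog = @(
    "03/11 14:50:18 [LOGON] ADATUM: SamLogon: Network logon of ADATUM\jsmith from WS01 Returns 0xC000006A",
    "03/11 14:50:19 [LOGON] ADATUM: SamLogon: Network logon of ADATUM\jsmith from WS01 Returns 0xC000006A",
    "03/11 14:50:20 [LOGON] ADATUM: SamLogon: Network logon of ADATUM\jsmith from APP02 Returns 0xC000006A",
    "03/11 14:50:21 [LOGON] ADATUM: SamLogon: Transitive Network logon of ADATUM\jsmith from WS01 (via DC02) Returns 0xC0000234",
    "03/11 14:50:22 [LOGON] ADATUM: SamLogon: Network logon of ADATUM\mjones from WS05 Returns 0x0"
)
Get-LockoutSources -Lines $sampleLog -User "jsmith" |
    ForEach-Object { "{0}: {1} bad password(s), {2} attempt(s) while locked, last seen {3}" -f $_.Source, $_.BadPasswords, $_.LockedOutAttempts, $_.LastSeen }
```

Against a real log, read the file with Get-Content and pass the lines in; the machine at the top of the list is where to look for the stale credential (a mapped drive, service, or scheduled task), which is also the machine ALoInfo.exe and EventCombMT would point you at.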
Viewing the Domain-Wide Account Lockout and Password Policies
You want to view the domain-wide account lockout and password policies for a domain.

Using a graphical user interface

  1. Open the Domain Security Policy snap-in.
  2. In the left menu, expand Default Domain Policy→Computer Configuration→Windows Settings→Security Settings→Account Policies.
  3. Click on Password Policy or Account Lockout Policy and double-click the property you want to set or view in the right frame.

Using a command-line interface

To view the account lockout and password properties of your domain, use the following AdFind query:
> adfind -default -s base Lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties

Using VBScript

' This code displays the current settings for the password
' and account lockout policies.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. adatum.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & _
                objRootDSE.Get("defaultNamingContext") )

' Hash containing the domain password and lockout policy attributes
' as keys and the units (e.g. minutes) as the values
set objDomAttrHash = CreateObject("Scripting.Dictionary")
objDomAttrHash.Add "lockoutDuration", "minutes"
objDomAttrHash.Add "lockoutThreshold", "attempts"
objDomAttrHash.Add "lockoutObservationWindow", "minutes"
objDomAttrHash.Add "maxPwdAge", "minutes"
objDomAttrHash.Add "minPwdAge", "minutes"
objDomAttrHash.Add "minPwdLength", "characters"
objDomAttrHash.Add "pwdHistoryLength", "remembered"
objDomAttrHash.Add "pwdProperties", " "

' Iterate over each attribute and print it
for each strAttr in objDomAttrHash.Keys
   if IsObject( objDomain.Get(strAttr) ) then
      ' Interval attributes come back as IADsLargeInteger objects holding a
      ' negative count of 100-nanosecond units. HighPart &h80000000 with
      ' LowPart 0 is the 0x8000000000000000 "never" sentinel.
      set objLargeInt = objDomain.Get(strAttr)
      if objLargeInt.LowPart = 0 and objLargeInt.HighPart = &h80000000 then
         value = "never"
      else
         ' LowPart is returned as a signed 32-bit value; compensate when negative
         value = objLargeInt.HighPart * 2^32 + objLargeInt.LowPart
         if objLargeInt.LowPart < 0 then value = value + 2^32
         value = Abs(value)
         value = int ( value / 10000000 )   ' 100ns units -> seconds
         value = int ( value / 60 )         ' seconds -> minutes
      end if
   else
      value = objDomain.Get(strAttr)
   end if
   WScript.Echo strAttr & " = " & value & " " & objDomAttrHash(strAttr)
next

' Constants from DOMAIN_PASSWORD_INFORMATION
Set objDomPassHash = CreateObject("Scripting.Dictionary")
objDomPassHash.Add "DOMAIN_PASSWORD_COMPLEX", &h1
objDomPassHash.Add "DOMAIN_PASSWORD_NO_ANON_CHANGE", &h2
objDomPassHash.Add "DOMAIN_PASSWORD_NO_CLEAR_CHANGE", &h4
objDomPassHash.Add "DOMAIN_LOCKOUT_ADMINS", &h8
objDomPassHash.Add "DOMAIN_PASSWORD_STORE_CLEARTEXT", &h10
objDomPassHash.Add "DOMAIN_REFUSE_PASSWORD_CHANGE", &h20

' The PwdProperties attribute requires special processing because
' it is a flag that holds multiple settings.
for each strFlag In objDomPassHash.Keys
  if objDomPassHash(strFlag) and objDomain.Get("PwdProperties") then
    WScript.Echo " " & strFlag & " is enabled"
  else
    WScript.Echo " " & strFlag & " is disabled"
  end If
next
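The following is an added example, not code from the book: the same attributes the VBScript reads, decoded in PowerShell with the correct pwdProperties bit values and then run through a handful of sanity checks of the kind an assessor applies to a domain policy. The thresholds in the checks and the domain path are assumptions of mine; the sample policy at the end is constructed.

```powershell
# Added example (not from the book). Read the domain password/lockout policy,
# decode pwdProperties, and flag weak settings. Thresholds and the domain path
# are my assumptions; the sample policy is constructed.

$PwdFlags = @{
    DOMAIN_PASSWORD_COMPLEX         = 0x01
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x02
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04
    DOMAIN_LOCKOUT_ADMINS           = 0x08
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10   # reversible encryption for every account
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x20
}

function ConvertFrom-PwdProperties {
    param([int]$Value)
    return @($PwdFlags.Keys | Sort-Object { $PwdFlags[$_] } | Where-Object { ($Value -band $PwdFlags[$_]) -ne 0 })
}

function ConvertTo-Minutes {
    # Interval attributes are negative Int64 counts of 100-ns units;
    # 0x8000000000000000 means "never" (no expiry / locked until reset).
    param([long]$Interval)
    if ($Interval -eq [long]::MinValue) { return $null }
    return [math]::Abs($Interval) / 600000000
}

function Get-DomainPasswordPolicy {
    param([string]$DomainPath = "LDAP://dc=adatum,dc=com")   # placeholder
    $d = [ADSI]$DomainPath
    $p = @{}
    foreach ($a in "lockoutDuration","lockoutObservationWindow","maxPwdAge","minPwdAge") {
        $p[$a] = $d.ConvertLargeIntegerToInt64($d.$a.Value)
    }
    foreach ($a in "lockoutThreshold","minPwdLength","pwdHistoryLength","pwdProperties") {
        $p[$a] = [int]$d.$a.Value
    }
    return $p
}

function Test-DomainPasswordPolicy {
    param([hashtable]$Policy)   # raw attribute values, as Get-DomainPasswordPolicy returns them
    $f = @()
    $flags = ConvertFrom-PwdProperties $Policy.pwdProperties
    if ($flags -notcontains "DOMAIN_PASSWORD_COMPLEX")      { $f += "complexity requirement is off" }
    if ($flags -contains "DOMAIN_PASSWORD_STORE_CLEARTEXT") { $f += "reversible encryption is enabled domain-wide" }
    if ($Policy.lockoutThreshold -eq 0)                     { $f += "lockoutThreshold=0: accounts never lock out" }
    if ($Policy.minPwdLength -lt 12)                        { $f += "minPwdLength $($Policy.minPwdLength) is below 12" }
    if ($Policy.pwdHistoryLength -lt 24)                    { $f += "pwdHistoryLength $($Policy.pwdHistoryLength) is below 24" }
    if ((ConvertTo-Minutes $Policy.minPwdAge) -eq 0)        { $f += "minPwdAge=0 lets a user cycle through the history in one sitting" }
    if ((ConvertTo-Minutes $Policy.lockoutDuration) -eq $null -and $Policy.lockoutThreshold -gt 0) {
        $f += "lockoutDuration=never: every lockout needs an administrator"
    }
    return $f
}

# Constructed sample (not read from a real domain)
$sample = @{
    lockoutDuration = -18000000000; lockoutObservationWindow = -18000000000   # 30 minutes each
    lockoutThreshold = 0; maxPwdAge = -36288000000000                          # 42 days
    minPwdAge = 0; minPwdLength = 7; pwdHistoryLength = 24
    pwdProperties = 0x11                                                       # COMPLEX + STORE_CLEARTEXT
}
Test-DomainPasswordPolicy $sample
# Live: Test-DomainPasswordPolicy (Get-DomainPasswordPolicy "LDAP://dc=adatum,dc=com")
```

The STORE_CLEARTEXT check is the one worth remembering: with that bit set the domain keeps every password in reversibly encrypted form, which any attacker who obtains the directory database can turn back into plaintext.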
Applying a Fine-Grained Password Policy to a User Object
You want to apply a Fine-Grained Password Policy to a User object in a Windows Server 2008 domain.

Using a graphical user interface

  1. Open ADSI Edit. Right-click on the top-level node and click “Connect To…”. In the Connection Settings screen, click OK.
  2. In the righthand pane, double-click on “Default naming context,” then double-click on the domain node (i.e., dc=adatum,dc=com).
  3. Browse to CN=System, then CN=Password Settings Container.
  4. Right-click on the PSO that you wish to modify and click Properties.
  5. In the Select an Attribute to View drop-down box, select msDS-PSOAppliesTo.
  6. In the Edit Attribute text box, enter the DN of the user object that this password policy should apply to, such as cn=msteele,ou=Corp,dc=adatum,dc=com.
  7. Click Add, then click OK.
  8. Click OK.

Using a command-line interface

The following will add the user cn=joer to the list of users and groups that a PSO applies to:
psomgr -applyto CN=joer,CN=Users,DC=ADATUM,DC=COM -pso TestPSO -forreal

Using PowerShell

To add a user (or a group) to the list of objects that a PSO applies to, use the following syntax:
Add-QADPasswordSettingsObjectAppliesTo -Identity <PSO DN> -AppliesTo <User DN>
Once a PasswordSettingsObject has been created, you can modify the password and account lockout settings controlled by the object, as well as the users and groups that the PSO should apply to. Since the PasswordSettingsObject is an Active Directory object class, these modifications can be made using any interface that can modify objects. When working from the command line, the psomgr tool from http://www.joeware.net/freetools allows you to modify one or multiple PSOs at a time, and can also create “starter” PSOs using the -quickstart command-line switch. The full syntax for psomgr.exe can be obtained by typing psomgr.exe /? at a command prompt, or by visiting the joeware website.
Viewing the Fine-Grained Password Policy That Is in Effect for a User Account
You want to determine which FGPP is in effect for a particular user.

Using a graphical user interface

  1. Open Active Directory Users and Computers. Click on View, and confirm that there is a checkmark next to Advanced Features.
  2. Browse to the user or group in question; right-click on the object and click Properties.
  3. Click on the Attribute Editor tab. Click Filter, and confirm that there is a checkmark next to Show read-only attributes: Constructed and Backlinks.
  4. Scroll to msDS-ResultantPSO, which shows the PSO in effect; msDS-PSOApplied lists only the PSOs linked directly to the object.
  5. Click OK.

Using a command-line interface

psomgr.exe -effective <User DN>

Using PowerShell

get-QADUser -Identity <UserDN> -IncludedProperties msDS-ResultantPSO | format-list dn,msDS-ResultantPSO
Within a Windows Server 2008 domain, each user object contains a constructed back-link attribute called msDS-ResultantPSO that indicates which PasswordSettingsObject is in effect for that user. The precedence rules for PasswordSettingsObjects are as follows:
  1. If a PSO has been applied directly to the user object, this PSO will take precedence. If multiple PSOs have been applied to a single user, the following tiebreakers will be used:
    • A PSO with a lower-numbered Precedence attribute (e.g., 5) will be applied over a higher-numbered one (e.g., 50).
    • If multiple PSOs have been configured with the same Precedence attribute, the PSO with the lowest GUID will take final precedence.
  2. If no PSOs have been applied directly to the user, any PSO that has been applied to a group that the user is a member of, whether directly or indirectly, will be applied. The same tiebreakers will be used here as in #1, above.
  3. If no PSOs have been applied to the user or any groups that the user is a member of, the default domain PSO will be applied.
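The following is an added example, not code from the book: the precedence rules listed above applied to in-memory data, so the outcome for a given user can be reasoned through without a Windows Server 2008 domain at hand. All DNs, GUIDs and the group layout are constructed sample data; reading the same facts from the directory (msDS-PSOAppliesTo, msDS-PasswordSettingsPrecedence, objectGUID and memberOf) is left out. How the domain controller orders GUIDs for the final tie-break is an assumption noted in the code.

```powershell
# Added example (not from the book): resolve which PSO wins for a user under
# the rules direct > group (nested included) > domain default, with the
# precedence-number and GUID tie-breakers. Sample data is constructed.

function Get-TransitiveGroups {
    # Walk memberOf upward so PSOs on nested groups count too.
    # $MemberOf maps an object DN to the DNs of groups it is a direct member of.
    param([string]$Dn, [hashtable]$MemberOf)
    $seen = @{}
    $queue = New-Object System.Collections.Queue
    $direct = $MemberOf[$Dn]
    if ($direct) { foreach ($g in $direct) { $queue.Enqueue($g) } }
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if ($seen.ContainsKey($g)) { continue }   # cycle-safe
        $seen[$g] = $true
        $parents = $MemberOf[$g]
        if ($parents) { foreach ($p in $parents) { $queue.Enqueue($p) } }
    }
    return @($seen.Keys)
}

function Select-WinningPso {
    # Lower msDS-PasswordSettingsPrecedence wins; on a tie, the lower GUID.
    # GUIDs are compared as System.Guid values (Guid.CompareTo); that this
    # matches the DC's notion of "lowest GUID" is an assumption.
    param([object[]]$Candidates)
    $sorted = @($Candidates | Sort-Object -Property @{Expression={$_.Precedence}}, @{Expression={[guid]$_.Guid}})
    return $sorted[0]
}

function Resolve-EffectivePso {
    param([string]$UserDn, [hashtable]$MemberOf, [object[]]$Psos)
    # 1. PSOs linked directly to the user
    $direct = @($Psos | Where-Object { $_.AppliesTo -contains $UserDn })
    if ($direct.Count -gt 0) { return (Select-WinningPso $direct).DN }
    # 2. PSOs linked to any group the user is in, directly or through nesting
    $groups = Get-TransitiveGroups $UserDn $MemberOf
    $viaGroup = @($Psos | Where-Object { $pso = $_; @($groups | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0 })
    if ($viaGroup.Count -gt 0) { return (Select-WinningPso $viaGroup).DN }
    # 3. No PSO applies: msDS-ResultantPSO is empty and the domain policy is in effect
    return $null
}

# Constructed sample data (not from a real domain)
$memberOf = @{
    "CN=jsmith,OU=Corp,DC=adatum,DC=com"  = @("CN=Sales,OU=Groups,DC=adatum,DC=com")
    "CN=Sales,OU=Groups,DC=adatum,DC=com" = @("CN=AllStaff,OU=Groups,DC=adatum,DC=com")
    "CN=svc-sql,OU=Corp,DC=adatum,DC=com" = @("CN=AllStaff,OU=Groups,DC=adatum,DC=com")
}
$psc = "CN=Password Settings Container,CN=System,DC=adatum,DC=com"
$psos = @(
    @{ DN="CN=PSO-Service,$psc"; Precedence=5;  Guid="00000000-0000-0000-0000-000000000003"; AppliesTo=@("CN=svc-sql,OU=Corp,DC=adatum,DC=com") },
    @{ DN="CN=PSO-Staff,$psc";   Precedence=50; Guid="00000000-0000-0000-0000-000000000009"; AppliesTo=@("CN=AllStaff,OU=Groups,DC=adatum,DC=com") },
    @{ DN="CN=PSO-Sales,$psc";   Precedence=50; Guid="00000000-0000-0000-0000-000000000002"; AppliesTo=@("CN=Sales,OU=Groups,DC=adatum,DC=com") }
)
Resolve-EffectivePso "CN=jsmith,OU=Corp,DC=adatum,DC=com" $memberOf $psos
Resolve-EffectivePso "CN=svc-sql,OU=Corp,DC=adatum,DC=com" $memberOf $psos
```

For jsmith nothing is linked directly; Sales (direct) and AllStaff (reached through nesting) both carry a precedence-50 PSO, so the GUID tie-break decides. For svc-sql the directly linked PSO wins regardless of how the group-linked one is numbered. Comparing this reasoning with msDS-ResultantPSO on the real object is a quick way to catch a PSO that was linked to the wrong group.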
Recipes and
Enabling and Disabling a User
You want to enable or disable a user account.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, right-click on the user and select Enable Account to enable or Disable Account to disable.
  6. Click OK.

Using a command-line interface

To enable a user, use the following command:
> dsmod user <UserDN> -disabled no
To disable a user, use the following command:
> dsmod user <UserDN> -disabled yes

Using VBScript

' This code will enable or disable a user.
' ------ SCRIPT CONFIGURATION ------
' Set to TRUE to disable the account or FALSE to enable it
strDisableAccount = FALSE
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objUser = GetObject("LDAP://" & strUserDN)
if objUser.AccountDisabled = TRUE then
   WScript.Echo "Account for " & objUser.Get("cn") & " currently disabled"
   if strDisableAccount = FALSE then
      objUser.AccountDisabled = strDisableAccount
      objUser.SetInfo
      WScript.Echo "Account enabled"
   end if
else
   WScript.Echo "Account currently enabled"
   if strDisableAccount = TRUE then
      objUser.AccountDisabled = strDisableAccount
      objUser.SetInfo
      WScript.Echo "Account disabled"
   end if
end if

Using PowerShell

To use the Quest AD cmdlets to enable or disable a user account, use the following syntax:
enable-QADUser -Identity <User DN>

disable-QADUser -Identity <User DN>
To use the System.DirectoryServices methods to disable a user, use the following:
$objUser = [ADSI] "LDAP://<UserDN>"
$objUser.psbase.InvokeSet('AccountDisabled', $true)
$objUser.psbase.CommitChanges()

# alternate method
$objUser = [ADSI] "LDAP://<UserDN>"
$objUser.userAccountControl = ([int]$objUser.userAccountControl.ToString()) -bOR 2
$objUser.SetInfo()
To enable a user, use $false instead of $true (or in the alternate method, change the bOR
Finding Disabled Users
You want to find disabled users in a domain.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, connect to the domain you want to query.
  3. Right-click on the domain and select Find.
  4. Beside Find, select Common Queries.
  5. Check the box beside “disabled accounts.”
  6. Click the Find Now button.

Using a command-line interface

You can enumerate all disabled user objects in your domain by using the built-in DSQuery utility, as follows:
> dsquery user <DomainDN> -disabled
You can also use a bitwise query in AdFind to produce the same output, using the following syntax:
> adfind -bit -b <DomainDN> -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)"
You can replace <DomainDN> with the DN of a specific Organizational Unit if you wish to restrict the results of your AdFind query.

Using VBScript

' This code finds all disabled user accounts in a domain.
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>" ' e.g. dc=adatum,dc=com
' ------ END CONFIGURATION --------

strBase = "<LDAP://" & strDomainDN & ">;"
strFilter = "(&(objectclass=user)(objectcategory=person)" & _
            "(useraccountcontrol:1.2.840.113556.1.4.803:=2));"
strAttrs = "name;"
strScope = "subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
' MoveFirst raises an error on an empty recordset, so guard it
if Not objRS.EOF then objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

Using PowerShell

To locate all disabled users in a domain using the Quest AD cmdlets, use the following syntax:
get-qaduser -disabled
To locate all disabled users using the System.DirectoryServices method, use the following:
$strFilter = "(&(objectcategory=person)(objectclass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.FindAll()
Viewing a User’s Group Membership
You want to view the group membership of a user.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Member Of tab.
  7. To view all indirect group membership (from nested groups), you’ll need to double-click on each group.

Using a command-line interface

The following command displays the groups <UserDN> is a member of. Use the -expand switch to list nested group membership as well:
> dsget user <UserDN> -memberof [-expand]
You can also use the GetUserInfo tool (another tool available from http://www.joeware.net) with the following syntax:
> getuserinfo \\<Domain>\<Username>
A third option would be to use the whoami tool, as follows:
> whoami /groups
To round out the command-line options for viewing group memberships, you can use the MemberOf joeware utility with the following syntax:
> memberof -u <Domain>\<User>
To query group membership from a specific domain controller using MemberOf, use the -s switch followed by the name of the DC.

Using VBScript

' This code displays the group membership of a user.
' It avoids infinite loops due to circular group nesting by
' keeping track of the groups that have already been seen.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objUser = GetObject("LDAP://" & strUserDN)
Wscript.Echo "Group membership for " & objUser.Get("cn") & ":"
strSpaces = ""
set dicSeenGroup = CreateObject("Scripting.Dictionary")
' Call is required when invoking with parentheses and more than one argument
Call DisplayGroups("LDAP://" & strUserDN, strSpaces, dicSeenGroup)

Function DisplayGroups ( strObjectADsPath, strSpaces, dicSeenGroup)
   set objObject = GetObject(strObjectADsPath)
   WScript.Echo strSpaces & objObject.Name
   on error resume next ' Doing this to avoid an error when
                        ' memberOf is empty
   if IsArray( objObject.Get("memberOf") ) then
      colGroups = objObject.Get("memberOf")
   else
      colGroups = Array( objObject.Get("memberOf") )
   end if

   for each strGroupDN In colGroups
      if Not dicSeenGroup.Exists(strGroupDN) then
         dicSeenGroup.Add strGroupDN, 1
         DisplayGroups "LDAP://" & strGroupDN, strSpaces & " ", dicSeenGroup
      end if
   next
End Function
Removing All Group Memberships from a User
You want to remove all group membership information from a user object.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Member Of tab.
  7. Highlight all groups listed in the Member Of tab and select Remove. Click Yes to confirm.
  8. Click OK.

Using a command-line interface

You can accomplish this task at the command line using a combination of AdFind and AdMod:
> adfind -b <DomainDN> -f  member=<UserDN> -dsq  | admod member:-:<UserDN> -unsafe

Using VBScript

Const ADS_PROPERTY_DELETE = 4
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

Set objUser = GetObject("LDAP://<UserDN>")
On Error Resume Next ' GetEx raises an error when memberOf is empty
arrMemberOf = objUser.GetEx("memberOf")
If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
    WScript.Echo "No group memberships found."
    WScript.Quit
End If
On Error GoTo 0

' memberOf is read-only, so the user is removed from each group's member attribute
For Each Group in arrMemberOf
    Set objGroup = GetObject("LDAP://" & Group)
    objGroup.PutEx ADS_PROPERTY_DELETE, _
        "member", Array("<UserDN>")
    objGroup.SetInfo
Next

Using PowerShell

To remove group memberships using the Quest AD cmdlets, use the following syntax:
$objUser = get-QADUser -identity <User DN>
foreach ($strGroup in $objUser.memberOf) {
   $objGroup = get-QADGroup -identity $strGroup
   remove-QADGroupMember $objGroup -member $objUser
}
To remove group memberships using ADSI, use the following:
$objUser = [ADSI] "LDAP://<User DN>"
foreach ($strGroup in $objUser.memberOf) {
   $objGroup = [ADSI]( "LDAP://" + $strGroup)
   $objGroup.PutEx(4, "member", @($objUser.distinguishedName))   # 4 = ADS_PROPERTY_DELETE
   $objGroup.SetInfo()
}

Using VBScript

The memberOf attribute on the user object is constructed; therefore, the code necessary to clear a user’s group memberships actually involves modifying each group object in turn, rather than modifying the user object itself.
MSDN: Adding Members to Groups in a Domain [Active Directory] and MSDN: Group Objects [Active Directory]
Changing a User’s Primary Group
You want to change the primary group of a user.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Member Of tab.
  7. Click on the name of the group you want to set as the primary group.
  8. Click the Set Primary Group button.
  9. Click OK.

Using VBScript

' This code first checks to see if the user's primary group is already
' set to the specified group. If not it will a) add the user to the group
' if not already a member and b) set the primary group id to the group.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"   ' e.g. cn=rallen,ou=Sales,dc=adatum,dc=com
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Sales,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

Const ADS_PROPERTY_APPEND = 3

set objUser = GetObject("LDAP://" & strUserDN )
WScript.Echo

set objGroup = GetObject("LDAP://" & strGroupDN )
objGroup.GetInfoEx Array("primaryGroupToken"), 0

if objGroup.Get("primaryGroupToken") = objUser.Get("primaryGroupID") then
   WScript.Echo "Primary group for user already set to " & strGroupDN
   WScript.Quit
end if

intAddMember = 1
for each strMemberDN in objUser.GetEx("memberOf")
   if LCase(strMemberDN) = LCase(strGroupDN) then
      intAddMember = 0
      Exit for
   end if
next

if intAddMember > 0 then
   objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strUserDN)
   objGroup.SetInfo
   WScript.Echo "Added " & strUserDN & " as member of " & strGroupDN
end if

objUser.Put "primaryGroupID", objGroup.Get("primaryGroupToken")
objUser.SetInfo
WScript.Echo "Changed primary group id of " & strUserDN & _
             " to " & objGroup.Get("primaryGroupToken")

Using PowerShell

This PowerShell script performs similar functionality to the VBScript—it first checks to see if the user is a member of the group in question, adds the user if she is not, and then sets the primaryGroupID
Copying a User’s Group Membership to Another User
You want to copy one user’s group membership to another user.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to transfer groups from and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Member Of tab.
  7. For each group you want to add another user in, do the following:
    1. Double-click on the group.
    2. Click the Members tab.
    3. Click the Add button.
    4. Find the user you want to add in the object picker and click OK.
    5. Click OK.

Using a command-line interface

The following command line will add <NewUserDN> to all of the groups that <CurrentUserDN> is a member of:
> for /F "usebackq delims=""" %i in ('dsget user "<CurrentUserDN>" -memberof') do dsmod group %i -addmbr "<NewUserDN>"
If you want to get fancy and remove <CurrentUserDN> from each of the groups in the same operation, simply add an -rmmbr option on the end:
> for /F "usebackq delims=""" %i in ('dsget user "<CurrentUserDN>" -memberof') do dsmod group %i -addmbr "<NewUserDN>" -rmmbr "<CurrentUserDN>"
You can also accomplish this using a combination of AdFind and AdMod, as follows:
> adfind -b <DomainDN> -f member=<Source User DN> -dsq | admod member:+:<Dest. User DN> -unsafe

Using VBScript

' This code adds the "new" user to the groups the "current"
' user is a member of
' ------ SCRIPT CONFIGURATION -----
strCurrentUserDN = "<CurrentUserDN>" ' e.g. cn=jsmith,ou=Sales,dc=adatum,dc=com
strNewUserDN = "<NewUserDN>"
' ------ END CONFIGURATION ------

Const ADS_PROPERTY_APPEND = 3
set objCurrentUser = GetObject("LDAP://" & strCurrentUserDN )
set objNewUser = GetObject("LDAP://" & strNewUserDN )

on error resume next
WScript.Echo "Transferring groups from " & strCurrentUserDN & " to " & strNewUserDN
for each strGroupDN in objCurrentUser.GetEx("memberOf")
   Err.Clear ' reset so an earlier failure is not reported again for this group
   set objGroup = GetObject("LDAP://" & strGroupDN)
   objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array( strNewUserDN )
   objGroup.SetInfo
   if Err then
      WScript.Echo "Error adding user to group: " & strGroupDN
   else
      WScript.Echo "Added user to group: " & strGroupDN
   end if
next
Setting a User’s Password
You want to set the password for a user.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Type the name of the user beside Name and click Find Now.
  5. In the Search Results window, right-click on the user and select Reset Password.
  6. Enter and confirm the new password.
  7. Click OK.

Using a command-line interface

This command changes the password for the user specified by <UserDN>. Using * after the -pwd option prompts you for the new password. You can replace * with the password you want to set, but it is not a good security practice since other users that are logged into the machine may be able to see it:
> dsmod user <UserDN> -pwd *
You can modify the unicodepwd attribute directly by encrypting the admod connection using the -kerbenc switch:
> admod -b "<UserDN>" unicodepwd::<Password> -kerbenc
You can also use admod with the #setpwd# switch:
> admod -b "<UserDN>" #setpwd#::<NewPassword>

Using VBScript

' This code sets the password for a user.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
strNewPasswd = "<NewPassword>"
' ------ END CONFIGURATION --------

set objUser = GetObject("LDAP://" & strUserDN)
objUser.SetPassword(strNewPasswd)
Wscript.Echo "Password set for " & objUser.Get("cn")

Using PowerShell

To set a user’s password with the Quest AD cmdlets, use the following syntax:
set-QADUser -Identity <UserDN> -UserPassword '<PasswordString>'
To set a password using System.DirectoryServices, use the following:
$objUser = [ADSI] "LDAP://<UserDN>"
$objUser.SetPassword("<PasswordString>")
$objUser.SetInfo()
A one-way hash of a user’s password is stored in the unicodePwd attribute. There are several supported methods to modify this attribute directly, or you can use one of the supported APIs to do so.
With the VBScript solution, you can use the IADsUser::SetPassword method or IADsUser::ChangePassword. The latter requires the existing password to be known before a new one can be set. This is the method you’d want to use if you’ve created a web page that accepts the previous password before allowing a user to change it.
Preventing a User from Changing a Password
You want to disable a user’s ability to change a password.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under Account options, check the box beside “User cannot change password.”
  8. Click OK.

Using a command-line interface

> dsmod user <UserDN> -canchpwd no

Using VBScript

' This code disables a user's ability to change a password
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

Const ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ACEFLAG_OBJECT_TYPE_PRESENT = 1
Const RIGHT_DS_CONTROL_ACCESS = 256
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

set objUser = GetObject("LDAP://" & strUserDN)
set objSD = objUser.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Add a deny ACE for Everyone
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = "Everyone"
objACE.AceFlags = 0
objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
objACE.ObjectType = CHANGE_PASSWORD_GUID
objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACE

' Add a deny ACE for Self
' (This is only necessary to prevent a user from
' changing their own password.)
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = "Self"
objACE.AceFlags = 0
objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
objACE.ObjectType = CHANGE_PASSWORD_GUID
objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACE

objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo
WScript.Echo "Enabled no password changing for " & strUserDN
Even though in the GUI solution you check and uncheck the “User cannot change password” setting, actually making the change in Active Directory is a little more complicated, as is evident in the VBScript solution. Not allowing a user to change his password consists of setting two deny Change Password ACEs on the target
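As an added example (not the book's code), the following PowerShell builds the same two deny ACEs through System.DirectoryServices and adds a check that reports whether a security descriptor really carries both of them, which is what the checkbox in ADUC reflects. The descriptor is constructed in memory so the check runs without a domain; the GUID is the CHANGE_PASSWORD_GUID from the VBScript, and the Everyone and Self SIDs are the well-known S-1-1-0 and S-1-5-10.

```powershell
# Added example, not from the book: create the two deny ACEs for the Change
# Password extended right and verify that a descriptor carries both of them.
Add-Type -AssemblyName System.DirectoryServices

# Extended right "User-Change-Password" (the CHANGE_PASSWORD_GUID of the VBScript).
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$SelfSid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'

# One deny ACE: object-specific (ObjectType = the right's GUID), access mask
# ExtendedRight, which is RIGHT_DS_CONTROL_ACCESS (256) in the VBScript.
function New-DenyChangePasswordRule {
    param([Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Trustee)
    $ctorArgs = @(
        $Trustee,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ChangePasswordGuid
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
}

# True only when BOTH deny ACEs (Everyone and Self) for the Change Password
# right are present; one of the two on its own does not implement the setting.
function Test-UserCannotChangePassword {
    param([Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurity] $Sd)
    $found = @{}
    $rules = $Sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $isExtended = (([int] $r.ActiveDirectoryRights) -band 256) -ne 0
        if ($r.AccessControlType -eq 'Deny' -and $isExtended -and $r.ObjectType -eq $ChangePasswordGuid) {
            $found[$r.IdentityReference.Value] = $true
        }
    }
    [bool] ($found.ContainsKey($EveryoneSid.Value) -and $found.ContainsKey($SelfSid.Value))
}

# Constructed in-memory descriptor: starts without the ACEs, then gets both.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
Test-UserCannotChangePassword -Sd $sd                              # False
$sd.AddAccessRule((New-DenyChangePasswordRule -Trustee $EveryoneSid))
Test-UserCannotChangePassword -Sd $sd                              # False: only one of the two
$sd.AddAccessRule((New-DenyChangePasswordRule -Trustee $SelfSid))
Test-UserCannotChangePassword -Sd $sd                              # True

# Against a live user object the same calls apply to its ObjectSecurity
# (needs domain access, so not run here):
#   $objUser = [ADSI] "LDAP://<UserDN>"
#   $objUser.psbase.ObjectSecurity.AddAccessRule((New-DenyChangePasswordRule -Trustee $EveryoneSid))
#   $objUser.psbase.ObjectSecurity.AddAccessRule((New-DenyChangePasswordRule -Trustee $SelfSid))
#   $objUser.psbase.CommitChanges()
#   Test-UserCannotChangePassword -Sd $objUser.psbase.ObjectSecurity
```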
Requiring a User to Change a Password at Next Logon
You want to require a user to change her password the next time she logs on to the domain.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under Account options, check the box beside “User must change password at next logon.”
  8. Click OK.

Using a command-line interface

You can configure the “User must change password” using either DSMod or AdMod. To modify this setting using DSMod, use the following syntax:
> dsmod user "<UserDN>" -mustchpwd yes
For AdMod, do the following:
> admod -b "<UserDN>" pwdLastSet::0

Using VBScript

' This code sets the flag that requires a
' user to change their password
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=adatum,dc=com
' ------ END CONFIGURATION --------
set objUser = GetObject("LDAP://" & strUserDN)
objUser.Put "pwdLastSet", 0
objUser.SetInfo
WScript.Echo "User must change password at next logon: " & strUserDN

Using PowerShell

To flag a user’s password to change on next logon using the Quest AD cmdlets, use the following syntax:
set-QADUser -Identity <UserDN> -UserMustChangePassword
To use the System.DirectoryServices methods, use the following:
$objUser = [ADSI] "LDAP://<UserDN>"
$objUser.Put("pwdLastSet", 0)
$objUser.SetInfo()
When a user changes a password, a timestamp is written to the pwdLastSet attribute of the user object. When the user logs in to the domain, this timestamp is compared to the effective maximum password age that is defined for the user to determine if the password has expired. To force a user to change his password at next logon, set the pwdLastSet attribute of the target user to zero, and verify that the user’s account doesn’t have the “password never expires” option enabled.
To disable this option so that a user does not have to change his password, set
Preventing a User’s Password from Expiring
You want to prevent a user’s password from expiring.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under Account options, check the box beside “Password never expires.”
  8. Click OK.

Using a command-line interface

> dsmod user "<UserDN>" -pwdneverexpires yes

Using VBScript

' This code sets a user's password to never expire
' See  for the code for the CalcBit function
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=adatum,dc=com
' ------ END CONFIGURATION --------

intBit = 65536
strAttr = "userAccountControl"

set objUser = GetObject("LDAP://" & strUserDN)
intBitsOrig = objUser.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, TRUE)
if intBitsOrig <> intBitsCalc then
   objUser.Put strAttr, intBitsCalc
   objUser.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & _
                intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & _
                intBitsOrig & ")"
end if

Using PowerShell

To prevent a user’s password from expiring using the Quest AD cmdlets, use the following syntax:
set-QADUser -Identity <UserDN> -PasswordNeverExpires
To use the System.DirectoryServices methods, use the following:
$objUser = [ADSI] "LDAP://<UserDN>"
$currentUAC = [int]($objUser.userAccountControl.ToString())
$newUAC = $currentUAC -bor 65536
$objUser.put("userAccountControl", $newUAC)
$objUser.SetInfo()
Setting a user’s password to never expire overrides any password aging policy you’ve defined in the domain. To disable password expiration, you need to set the bit equivalent of 65,536 (i.e., 10000000000000000) in the userAccountControl attribute of the target user.

Using PowerShell

The PowerShell solution makes use of the built-in -bor operator in PowerShell, which performs a bitwise OR. You can also use
Finding Users Whose Passwords Are About to Expire
You want to find the users whose passwords are about to expire.

Using a command-line interface

> dsquery user -stalepwd <NumDaysSinceLastPwdChange>
You can also use the FindExpAcc joeware tool with the following syntax:
> findexpacc -pwd
When a Windows-based client logs on to Active Directory, a check is done against the domain password policy and the user’s pwdLastSet attribute to determine if the user’s password has expired. If it has, the user is prompted to change it. In a pure Windows-based environment, this notification process may be adequate, but if you have a lot of non-Windows-based computers that are joined to an Active Directory domain (e.g., Kerberos-enabled Unix clients), or you have a lot of application and service accounts, you’ll need to develop your own user password expiration notification process. Even in a pure Windows environment, cached logins present a problem because when a user logs into the domain with cached credentials (i.e., when the client is not able to reach a domain controller), this password expiration notification check is not done.
The process of finding users whose passwords are about to expire is a little complicated. Fortunately, the new dsquery user command helps by providing an option for searching for users that haven’t changed their password for a number of days (-stalepwd). The downside to the dsquery user command is that it will not only find users whose password is about to expire, but also users that must change their password at next logon (i.e., pwdLastSet = 0). The Perl solution does not suffer from this limitation.
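As an added example (not the book's code), the following PowerShell computes when each password expires from pwdLastSet and the domain's maxPwdAge and separates out the two cases that -stalepwd lumps in: pwdLastSet = 0 (must change at next logon) and accounts with the password-never-expires bit. The users, the 42-day maximum age and the fixed "now" are constructed for the example.

```powershell
# Added example, not from the book: classify users by password expiry using
# the same attributes the logon check uses (pwdLastSet, maxPwdAge, the
# DONT_EXPIRE_PASSWORD bit of userAccountControl). All inputs are constructed.
function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,      # Name, PwdLastSet (FILETIME), UserAccountControl
        [Parameter(Mandatory)] [int64]    $MaxPwdAge,  # domain maxPwdAge: a NEGATIVE 100-ns interval
        [int]      $WarnDays = 7,
        [datetime] $Now = [datetime]::UtcNow
    )
    $DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit 65536
    foreach ($u in $Users) {
        $expires = $null
        if (($u.UserAccountControl -band $DONT_EXPIRE_PASSWORD) -ne 0) {
            $status = 'NeverExpires'
        } elseif ($u.PwdLastSet -eq 0) {
            # Already flagged for a change; dsquery -stalepwd would report this as stale.
            $status = 'MustChangeAtNextLogon'
        } else {
            # pwdLastSet is 100-ns ticks since 1601-01-01 UTC; maxPwdAge is stored
            # negative, so subtracting it adds the maximum age to the timestamp.
            $expires  = [datetime]::FromFileTimeUtc((([int64] $u.PwdLastSet) - $MaxPwdAge))
            $daysLeft = ($expires - $Now).TotalDays
            $status = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'OK' }
        }
        [pscustomobject]@{ Name = $u.Name; Status = $status; ExpiresUtc = $expires }
    }
}

# Constructed sample: 42-day maximum password age, evaluated at a fixed instant.
$maxPwdAge = [int64](-42) * 24 * 3600 * 10000000      # -36288000000000000
$now = New-Object DateTime -ArgumentList 2009, 1, 15, 12, 0, 0, ([DateTimeKind]::Utc)
$users = @(
    @{ Name = 'jsmith';     PwdLastSet = $now.AddDays(-40).ToFileTimeUtc();  UserAccountControl = 512 }
    @{ Name = 'kjones';     PwdLastSet = $now.AddDays(-10).ToFileTimeUtc();  UserAccountControl = 512 }
    @{ Name = 'mlee';       PwdLastSet = $now.AddDays(-50).ToFileTimeUtc();  UserAccountControl = 512 }
    @{ Name = 'newhire';    PwdLastSet = 0;                                  UserAccountControl = 512 }
    @{ Name = 'svc-backup'; PwdLastSet = $now.AddDays(-400).ToFileTimeUtc(); UserAccountControl = 66048 }
)
Get-PasswordExpiryReport -Users $users -MaxPwdAge $maxPwdAge -Now $now | Format-Table -AutoSize
# jsmith ExpiringSoon (2 days left), kjones OK, mlee Expired,
# newhire MustChangeAtNextLogon, svc-backup NeverExpires (512 + 65536)
```

On a real domain the same function takes pwdLastSet and userAccountControl from each user object and maxPwdAge from the domain head; the service account case is the one worth auditing separately, since it never shows up as expiring.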

Using a command-line interface

You can use the FindExpAcc tool to query Active Directory for expired user or computer accounts, as well as active accounts with expired passwords. It also includes switches that are familiar from AdFind and AdMod, such as -b to specify the Base DN, -f to specify an LDAP filter, etc.
The findexpacc utility can also be used to query for user accounts that are about to expire, in addition to accounts with expiring passwords.
Viewing the RODCs That Have Cached a User’s Password
You wish to view the RODCs that have cached a user account’s password secrets in a Windows Server 2008 domain.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. Click View→Advanced Features. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Select the Attribute Editor tab. Click Filter and ensure that there is a checkmark next to Backlinks.
  7. Scroll to the msDS-RevealedDSAs attribute to view a list of RODCs that have cached this user’s password secrets.
  8. Click OK after you’re done.

Using a command-line interface

> adfind -b <UserDN> msDS-RevealedDSAs

Using VBScript

' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objUser = GetObject("LDAP://" & strUserDN)
' msDS-RevealedDSAs is multivalued (one DN per RODC), so read it with GetEx
for each strRODC in objUser.GetEx("msDS-RevealedDSAs")
   WScript.Echo strRODC
next

Using PowerShell

> $objUser = [ADSI] "LDAP://<UserDN>"
> $objUser.psbase.InvokeGet("msDS-RevealedDSAs")
As discussed in , Windows Server 2008 introduces the Read-Only Domain Controller (RODC) to improve the security of branch office and other remote environments. One of the security measures introduced by the RODC is the Password Replication Policy (PRP), which specifies a list of users and groups that can and cannot have their password secrets cached on one or more DCs. Each RODC maintains a forward-link attribute called msDS-RevealedUsers, which lists the user accounts for whom each RODC has cached password secrets. Each user account, in turn, maintains a backlink called msDS-RevealedDSAs. This backlink can be queried to determine which RODCs have stored password information for a particular user account; however, like all backlinks, this attribute cannot be modified directly.
Recipes and .
Setting a User’s Account Options (userAccountControl)
You want to view or update the userAccountControl attribute for a user. This attribute controls various account options, such as if the user must change her password at next logon and if the account is disabled.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Select the Account tab.
  7. Many of the userAccountControl flags can be set under Account options.
  8. Click OK after you’re done.

Using a command-line interface

The dsmod user command has several options for setting various userAccountControl flags, as shown in the following table. Each switch accepts yes or no as a parameter to either enable or disable the setting.
Table: dsmod user options for setting userAccountControl
  dsmod user switch    Description
  -mustchpwd           Sets whether the user must change password at next logon
  -canchpwd            Sets whether the user can change his password
  -disabled            Sets account status to enabled or disabled
  -reversiblepwd       Sets whether the user’s password is stored using reversible encryption
  -pwdneverexpires     Sets whether the user’s password never expires

Using VBScript

' This code enables or disables a bit value in the userAccountControl attr.
' See  for the code for the CalcBit function.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=adatum,dc=com
intBit = <BitValue> ' e.g. 65536
boolEnable = <TrueOrFalse> ' e.g. TRUE
' ------ END CONFIGURATION --------

strAttr = "userAccountControl"
set objUser = GetObject("LDAP://" & strUserDN)
intBitsOrig = objUser.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnable)
if intBitsOrig <> intBitsCalc then
   objUser.Put strAttr, intBitsCalc
   objUser.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & _
                 intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & _
                 intBitsOrig & ")"
end if
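As an added example, not the book's CalcBit routine, here is a PowerShell equivalent that also serves the "Enabling and Disabling a User", "Finding Disabled Users" and "Preventing a User's Password from Expiring" recipes above: it sets or clears one userAccountControl bit, names the flags a value carries, and builds the LDAP bitwise filter used to find accounts with a given bit set. The flag values are the documented userAccountControl bits; the account values are constructed.

```powershell
# Added example, not the book's CalcBit routine. Flag values are the documented
# userAccountControl bits; the account values worked through below are constructed.
$UacFlag = [ordered]@{
    SCRIPT                     = 0x0001
    ACCOUNTDISABLE             = 0x0002    # dsmod -disabled
    HOMEDIR_REQUIRED           = 0x0008
    LOCKOUT                    = 0x0010
    PASSWD_NOTREQD             = 0x0020
    PASSWD_CANT_CHANGE         = 0x0040    # informational only; the ACL enforces it
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080    # dsmod -reversiblepwd
    NORMAL_ACCOUNT             = 0x0200
    WORKSTATION_TRUST_ACCOUNT  = 0x1000
    SERVER_TRUST_ACCOUNT       = 0x2000
    DONT_EXPIRE_PASSWORD       = 0x10000   # dsmod -pwdneverexpires
    SMARTCARD_REQUIRED         = 0x40000
    TRUSTED_FOR_DELEGATION     = 0x80000
    NOT_DELEGATED              = 0x100000
    DONT_REQ_PREAUTH           = 0x400000
    PASSWORD_EXPIRED           = 0x800000
}

# CalcBit equivalent: return the value with one bit set or cleared. The value
# is unchanged when the bit already has the requested state.
function Set-UacBit {
    param([Parameter(Mandatory)] [int]  $Current,
          [Parameter(Mandatory)] [int]  $Bit,
          [Parameter(Mandatory)] [bool] $Enable)
    if ($Enable) { return $Current -bor $Bit }
    $Current -band (-bnot $Bit)
}

# Names of the flags set in a value, e.g. 514 -> ACCOUNTDISABLE, NORMAL_ACCOUNT.
function Get-UacFlagNames {
    param([Parameter(Mandatory)] [int] $Value)
    @($UacFlag.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key })
}

# LDAP filter for users with the bit set, or with -Clear for users without it.
# ":1.2.840.113556.1.4.803:=" is the bitwise-AND matching rule, not equality.
function New-UacFilter {
    param([Parameter(Mandatory)] [int] $Bit, [switch] $Clear)
    $match = "(userAccountControl:1.2.840.113556.1.4.803:=$Bit)"
    if ($Clear) { $match = "(!$match)" }
    "(&(objectCategory=person)(objectClass=user)$match)"
}

# Worked values: a normal enabled user is 512 (0x200).
$enabled  = $UacFlag.NORMAL_ACCOUNT                                                        # 512
$disabled = Set-UacBit -Current $enabled  -Bit $UacFlag.ACCOUNTDISABLE       -Enable $true   # 514
$noExpire = Set-UacBit -Current $enabled  -Bit $UacFlag.DONT_EXPIRE_PASSWORD -Enable $true   # 66048
$same     = Set-UacBit -Current $disabled -Bit $UacFlag.ACCOUNTDISABLE       -Enable $true   # 514, unchanged
$reEnable = Set-UacBit -Current $disabled -Bit $UacFlag.ACCOUNTDISABLE       -Enable $false  # 512
Get-UacFlagNames -Value $noExpire                     # NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
New-UacFilter -Bit $UacFlag.ACCOUNTDISABLE            # the "disabled users" query of the earlier recipe
New-UacFilter -Bit $UacFlag.DONT_EXPIRE_PASSWORD      # password-never-expires accounts, worth auditing

# Against a live user (needs domain access, so not run here) the VBScript's
# read/compare/write sequence becomes:
#   $objUser = [ADSI] "LDAP://<UserDN>"
#   $orig = [int] $objUser.userAccountControl.ToString()
#   $calc = Set-UacBit -Current $orig -Bit $UacFlag.DONT_EXPIRE_PASSWORD -Enable $true
#   if ($orig -ne $calc) { $objUser.Put('userAccountControl', $calc); $objUser.SetInfo() }
```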
Setting a User’s Account to Expire
You want a user’s account to expire at some point in the future.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under “Account expires,” select the radio button beside “End of.”
  8. Select the date the account should expire.
  9. Click OK.

Using a command-line interface

Valid values for the -acctexpires flag are a positive number of days in the future when the account should expire, 0 to expire the account at the end of the current day, or never so that the account never expires:
> dsmod user "<UserDN>" -acctexpires <NumDays>

Using VBScript

' This code sets the account expiration date for a user.
' ------ SCRIPT CONFIGURATION ------
strExpireDate = "<Date>" ' e.g. "07/10/2004"
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objUser = GetObject("LDAP://" & strUserDN)
objUser.AccountExpirationDate = strExpireDate
objUser.SetInfo
WScript.Echo "Set user " & strUserDN & " to expire on " & strExpireDate

' These two lines would disable account expiration for the user
' objUser.Put "accountExpires", 0
' objUser.SetInfo

Using PowerShell

set-QADUser -Identity <UserDN> -AccountExpires "08/08/2008"
User accounts can be configured to expire on a certain date. Account expiration is stored in the accountExpires attribute on a user object. This attribute contains a large integer representation of the date in which the account expires, expressed in 100-nanosecond intervals since January 1, 1601. If you set this attribute to 0, it disables account expiration for the user (i.e., the account will never expire). Note that this is different than the dsmod user command where a value of 0 with -acctexpires will cause the account to expire at the end of the day.
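As an added example (not the book's code), the following PowerShell converts between a calendar date and the accountExpires large integer, treating both 0 and the maximum 64-bit value as "never expires", and shows the end-of-day and time-zone behaviour the discussion and MS KB 278359 describe. The dates are constructed.

```powershell
# Added example, not from the book: accountExpires <-> date conversion.
# "End of <day>" is stored as midnight at the start of the NEXT day in local
# time, converted to UTC; viewed from another time zone the same value can
# therefore display as a different day (the KB 278359 symptom).
# lastLogonTimestamp and pwdLastSet use the same 100-ns-since-1601 encoding.
$NeverExpires = @([int64] 0, [int64]::MaxValue)   # 0 and 0x7FFFFFFFFFFFFFFF both mean "never"

function ConvertTo-AccountExpires {
    param([Parameter(Mandatory)] [datetime] $LastValidDay)   # local date; time of day ignored
    # The account is valid through the whole of $LastValidDay, so it expires at
    # the following local midnight (for 07/10/2004 that is 07/11/2004 00:00).
    $local = [datetime]::SpecifyKind($LastValidDay.Date.AddDays(1), [DateTimeKind]::Local)
    $local.ToUniversalTime().ToFileTimeUtc()
}

function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory)] [int64] $Value)
    if ($NeverExpires -contains $Value) { return $null }   # never expires
    $utc = [datetime]::FromFileTimeUtc($Value)
    # Step back one tick so midnight-of-next-day reads as the last valid day.
    $utc.ToLocalTime().AddTicks(-1).Date
}

# Worked values.
$lastDay = New-Object DateTime -ArgumentList 2004, 7, 10
$raw = ConvertTo-AccountExpires -LastValidDay $lastDay
"accountExpires = $raw"                                          # 100-ns ticks since 1601-01-01 UTC
(ConvertFrom-AccountExpires -Value $raw) -eq $lastDay.Date       # True: round trip

# dsmod user -acctexpires 0 means "end of today", whereas the attribute value
# 0 (and Int64.MaxValue) means "never expires":
$endOfToday = ConvertTo-AccountExpires -LastValidDay (Get-Date)
(ConvertFrom-AccountExpires -Value $endOfToday) -eq (Get-Date).Date   # True
ConvertFrom-AccountExpires -Value 0                               # returns nothing: never expires
ConvertFrom-AccountExpires -Value ([int64]::MaxValue)            # returns nothing: never expires
```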
MS KB 278359 (Account Expiration for a Migrated User Appears to be One Day Ahead of or Behind the Date in the Source Domain) and MSDN: Account Expiration
End of preview. The rest of this section is not viewable here.
Determining a User's Last Logon Time
This recipe requires at least Windows Server 2003 domain functional level.
You want to determine the last time a user logged into a domain.

Using a graphical user interface

If you install the AcctInfo.dll extension to ADUC in Windows Server 2003, you can view the last logon timestamp:
  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to locate and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Additional Account Info tab.
  7. View the value for Last-Logon-Timestamp.
AcctInfo.dll can be downloaded from the Microsoft download site as part of the Account Lockout and Management Tools.
In Windows Server 2008, you do not need to install additional DLLs to view this information in ADUC. To view the last logon timestamp in ADUC in Windows Server 2008, do the following:
  1. Open the ADUC snap-in
  2. Click View and confirm that Advanced Features has a checkmark next to it.
  3. Right-click on the domain and select Find.
  4. Select the appropriate domain beside In.
  5. Beside Name, type the name of the user you want to locate and click Find Now.
  6. In the Search Results window, double-click on the user.
  7. Click the Attribute Editor tab.
  8. View the value for the lastLogonTimestamp attribute.

Using a command-line interface

> adfind -b <UserDN> lastLogonTimestamp -tdc
The -tdc and -tdcs switches will display attributes such as lastLogonTimestamp in a human-readable format.

Using VBScript

' This code prints the last logon timestamp for a user.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objUser = GetObject("LDAP://" & strUserDN)
set objLogon = objUser.Get("lastLogonTimestamp")
' Rebuild the 64-bit value from the IADsLargeInteger halves. LowPart is a signed
' 32-bit value, so add 2^32 when it comes back negative.
intLogonTime = objLogon.HighPart * (2^32) + objLogon.LowPart
If objLogon.LowPart < 0 Then intLogonTime = intLogonTime + 2^32
' 100-nanosecond intervals -> minutes -> days
intLogonTime = intLogonTime / (60 * 10000000)
intLogonTime = intLogonTime / 1440
' The result is UTC; the value is "approximate" because of the replication latency
' described in the next recipe.
WScript.Echo "Approx last logon timestamp: " & intLogonTime + #1/1/1601#
Finding Users Who Have Not Logged On Recently
This recipe requires at least Windows Server 2003 domain functional level.
You want to determine which users have not logged on recently.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Beside Find, select Common Queries.
  4. Select the number of days beside “Days since last logon.”
  5. Click the Find Now button.

Using a command-line interface

You can locate users who have not logged on for a certain amount of time using either the built-in DSQuery tool or the OldCmp utility from http://www.joeware.net:
> dsquery user -inactive <NumWeeks>
OldCmp can create a report of all user objects based on several criteria. To create a report of all users in the adatum.com domain who haven’t logged on in more than 90 days, for example, use the following syntax:
> oldcmp -report -users -b dc=adatum,dc=com -llts -age 90 -sh
As discussed in the previous recipe, Windows Server 2003 introduced a new attribute on user objects, lastLogonTimestamp, that contains the approximate last time the user logged on. Using it to find users who have not logged on in a number of weeks is much easier than the Windows 2000 approach, where you would need to query the non-replicated lastLogon attribute on every domain controller in the domain. However, lastLogonTimestamp has a certain amount of latency built in to cut down on replication traffic: the date in the attribute can be anywhere from 9 to 14 days behind the real last logon in a default Windows Server 2003 domain. This latency can be made longer or shorter by modifying the msDS-LogonTimeSyncInterval attribute of the Domain NC. When you use the attribute to find dormant accounts, widen the cutoff by the sync interval so that a user who logged on a week ago is not reported as stale.
See also the recipes on computing large integer timestamps and on finding a user's last logon timestamp.
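The large-integer arithmetic behind accountExpires (the account expiration recipe above) and lastLogonTimestamp (the two logon recipes) is the same FILETIME conversion, so one added example covers all three. This is editor-added PowerShell, not the book's code: it converts between dates and the 64-bit value, treats both "never" sentinels, sets an expiration the way ADUC's "End of" does, and builds a stale-user LDAP filter that widens the cutoff by the msDS-LogonTimeSyncInterval latency. The user and search-base DNs are placeholders; the sample date is constructed.

```powershell
# Added example (not from the book): FILETIME conversions behind accountExpires and
# lastLogonTimestamp, and a stale-account search that allows for replication latency.
Add-Type -AssemblyName System.DirectoryServices

# accountExpires uses 0 or this value for "never expires"; lastLogonTimestamp is absent
# or 0 for accounts that have not logged on since the 2003 domain functional level.
$NEVER_EXPIRES = 9223372036854775807   # 0x7FFFFFFFFFFFFFFF

function ConvertTo-AdFileTime {
    param([datetime]$Date)
    # 100-ns intervals since 1601-01-01 UTC; local DateTimes are converted to UTC first
    return $Date.ToUniversalTime().ToFileTimeUtc()
}

function ConvertFrom-AdFileTime {
    param([int64]$Value)
    if ($Value -le 0 -or $Value -eq $NEVER_EXPIRES) { return $null }   # "never" / not set
    return [datetime]::FromFileTimeUtc($Value)   # Kind = Utc; use .ToLocalTime() for display
}

function Get-AccountExpiry {
    param([string]$UserDN)   # placeholder DN supplied by the caller
    $u = [ADSI]"LDAP://$UserDN"
    if ($null -eq $u.accountExpires.Value) { return $null }
    # the attribute arrives as an IADsLargeInteger COM object; the ADSI adapter converts it
    return ConvertFrom-AdFileTime ($u.ConvertLargeIntegerToInt64($u.accountExpires.Value))
}

function Set-AccountExpiry {
    param([string]$UserDN, [datetime]$LastValidDay)
    $u = [ADSI]"LDAP://$UserDN"
    # ADUC's "End of <date>" stores 00:00 of the following day; writing the bare date
    # would expire the account one day earlier than the GUI shows for the same date
    $u.InvokeSet("AccountExpirationDate", $LastValidDay.Date.AddDays(1))
    $u.SetInfo()
}

function New-StaleUserFilter {
    param([int]$Days, [datetime]$Now = (Get-Date), [int]$SyncIntervalDays = 14)
    # lastLogonTimestamp can trail the real last logon by up to msDS-LogonTimeSyncInterval
    # (14 days by default), so the cutoff is pushed back by that much to avoid false positives
    $cutoff = $Now.ToUniversalTime().AddDays(-($Days + $SyncIntervalDays))
    $ft = ConvertTo-AdFileTime $cutoff
    $gt = $cutoff.ToString("yyyyMMddHHmmss") + ".0Z"   # generalized time, for whenCreated
    # enabled users (ACCOUNTDISABLE = 2 not set) that either last logged on before the
    # cutoff, or never logged on and were created before it
    return "(&(objectCategory=person)(objectClass=user)" +
           "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
           "(|(lastLogonTimestamp<=$ft)(&(!(lastLogonTimestamp=*))(whenCreated<=$gt))))"
}

function Find-StaleUsers {
    param([string]$SearchBase, [int]$Days)   # e.g. "dc=adatum,dc=com" (placeholder)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    $s.Filter = New-StaleUserFilter -Days $Days
    $s.PageSize = 1000     # paged results, so more than 1000 matches are not truncated
    [void]$s.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "lastLogonTimestamp"))
    foreach ($r in $s.FindAll()) {
        $ts = $r.Properties["lastlogontimestamp"]
        $last = $null
        if ($ts.Count -gt 0) { $last = ConvertFrom-AdFileTime $ts[0] }
        New-Object PSObject -Property @{
            DN                    = $r.Properties["distinguishedname"][0]
            LastLogonTimestampUtc = $last
        }
    }
}

# Constructed sample values (no domain needed): a round trip and the two sentinels
$sample = New-Object DateTime 2008, 8, 8, 0, 0, 0, ([DateTimeKind]::Utc)
$ft = ConvertTo-AdFileTime $sample
"{0:u} -> {1} -> {2:u}" -f $sample, $ft, (ConvertFrom-AdFileTime $ft)
"0 -> [{0}]   never -> [{1}]" -f (ConvertFrom-AdFileTime 0), (ConvertFrom-AdFileTime $NEVER_EXPIRES)
New-StaleUserFilter -Days 90 -Now $sample
# Find-StaleUsers -SearchBase "dc=adatum,dc=com" -Days 90 | Format-Table DN, LastLogonTimestampUtc
```

The filter deliberately excludes disabled accounts (they are already neutralised) and reports never-logged-on accounts only when they are older than the cutoff, so freshly provisioned users do not show up as dormant; drop the whenCreated clause if you also want to catch accounts created long ago and never used.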
Viewing and Modifying a User's Permitted Logon Hours
You want to view or change the hours during which a user is permitted to log on to the network.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. Right-click on the user and select Properties. From the Account tab, click on Logon Hours.
  4. Select the hours that you want to allow or disallow, and click Logon Permitted or Logon Denied. Click OK.
  5. Click Apply, followed by OK.

Using VBScript

Days = Array _
("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")

Set objUser = GetObject("LDAP://<UserDN>")
' logonHours is a 21-byte octet string: 3 bytes (24 bits) per day starting with
' Sunday, one bit per hour, bit 0 of each byte being the earliest hour. The bits
' are stored in UTC; ADUC shifts them to the local time zone before displaying them.
' The byte array can be iterated directly, so no copy into a second array is needed.
arrHours = objUser.Get("logonHours")

intCounter = 0
intLoopCounter = 0
WScript.Echo "Day Byte 1 Byte 2 Byte 3"
For Each HourByte In arrHours
    arrHourBits = DisplayLogonHourBits(HourByte)

    If intCounter = 0 Then
        WScript.STDOUT.Write Days(intLoopCounter) & Space(2)
        intLoopCounter = intLoopCounter + 1
    End If

    For Each HourBit In arrHourBits
        WScript.STDOUT.Write HourBit
        intCounter = 1 + intCounter

        If intCounter = 8 or intCounter = 16 Then
           WScript.STDOUT.Write Space(1)
        End If

        If intCounter = 24 Then
           WScript.Echo ""
           intCounter = 0
        End If
    Next
Next

' Returns the eight bits of a byte as an array, least significant bit first
Function DisplayLogonHourBits(x)
    Dim arrBits(7)
    For i = 7 to 0 Step -1
        If x And 2^i Then
            arrBits(i) = 1
        Else
            arrBits(i) = 0
        End If
    Next
    DisplayLogonHourBits = arrBits
End Function

Using PowerShell

# similar algorithm to vbscript, but easier to understand
# output is identical

## user DN
$userDN = "LDAP://<UserDN>"

## powers of two in a single byte
## can use [System.Math]::Pow(), but this is faster
$pow2 = @(1, 2, 4, 8, 16, 32, 64, 128)

## bit-state - a bit is either off (0) or on (1)
$onoff = @("0", "1")

function dump($byte)
{
    $result = ""
    for ($i = 0; $i -lt 8; $i++)
    {
        # least significant bit first, matching the hour order within each byte
        $result += $onoff[[int](($byte -band $pow2[$i]) -ne 0)]
    }
    return $result
}

# days of the week, zero based
$days = @("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
$day = 0

# main
$obj = [ADSI]$userDN
$arr = $obj.logonHours.Value

for ($i = 0; $i -lt $arr.Length; $i += 3)
{
    $days[$day]
    (dump $arr[$i]) + " " + (dump $arr[$i+1]) + " " + (dump $arr[$i+2])
    $day += 1
}
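The recipe title promises modifying as well as viewing, and the two scripts above only decode the bitmap for display. The following editor-added example (not the book's code) both decodes and builds the 21-byte logonHours value, and makes the time-zone problem explicit: the attribute is stored in UTC, ADUC shifts it by the offset of the workstation it runs on, and nothing adjusts for daylight saving. The schedule, the UTC offset and the user DN are assumptions for the demonstration.

```powershell
# Added example (not from the book): decode and build the 21-byte logonHours bitmap.
# Byte n covers an 8-hour block; bit 0 of byte 0 is Sunday 00:00-00:59 UTC. The attribute
# is stored in UTC and ADUC shifts it by the time zone of the admin's workstation, so a
# schedule entered in New York is a different set of bits than the same hours entered in
# London. $UtcOffsetHours is the offset of the zone you want to view or enter hours in.
$pow2 = 1, 2, 4, 8, 16, 32, 64, 128
$dayNames = "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"

function ConvertFrom-LogonHours {
    param([byte[]]$Bytes, [int]$UtcOffsetHours = 0)
    if ($Bytes.Length -ne 21) { throw "logonHours must be 21 bytes, got $($Bytes.Length)" }
    # one flag per hour of the week, index = day*24 + hour, in UTC
    $utc = New-Object bool[] 168
    for ($slot = 0; $slot -lt 168; $slot++) {
        $utc[$slot] = ($Bytes[[int][math]::Floor($slot / 8)] -band $pow2[$slot % 8]) -ne 0
    }
    # re-index into the requested zone: local hour h is UTC hour (h - offset), wrapping the week
    $rows = @{}
    foreach ($d in 0..6) {
        $row = ""
        foreach ($h in 0..23) {
            $u = (($d * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            if ($utc[$u]) { $row += "1" } else { $row += "0" }
        }
        $rows[$dayNames[$d]] = $row
    }
    return $rows
}

function ConvertTo-LogonHours {
    param([int[]]$Days, [int]$FromHour, [int]$ToHour, [int]$UtcOffsetHours = 0)
    # permit FromHour..ToHour-1 (local) on each listed day (0 = Sunday); all other hours denied
    $bytes = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $FromHour; $h -lt $ToHour; $h++) {
            $u = (($d * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $i = [int][math]::Floor($u / 8)
            $bytes[$i] = [byte]($bytes[$i] -bor $pow2[$u % 8])
        }
    }
    return ,$bytes
}

# Constructed sample: Monday-Friday 09:00-16:59 as entered from a UTC-5 workstation
$hours = ConvertTo-LogonHours -Days (1..5) -FromHour 9 -ToHour 17 -UtcOffsetHours -5
($hours | ForEach-Object { "{0:X2}" -f $_ }) -join " "     # the bytes as they are stored in AD
$viewLocal = ConvertFrom-LogonHours -Bytes $hours -UtcOffsetHours -5
$viewUtc   = ConvertFrom-LogonHours -Bytes $hours
foreach ($d in $dayNames) { "{0} local {1}  utc {2}" -f $d, $viewLocal[$d], $viewUtc[$d] }

# Reading or writing the real attribute (<UserDN> is a placeholder):
#   $u = [ADSI]"LDAP://<UserDN>"
#   ConvertFrom-LogonHours -Bytes ([byte[]]$u.logonHours.Value) -UtcOffsetHours -5
#   $u.Put("logonHours", [byte[]]$hours); $u.SetInfo()
```

Because the DC evaluates the bits in UTC, a schedule written for standard time is off by an hour during daylight saving; if that matters, either widen the window by an hour or rewrite the attribute when the clocks change.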
Viewing a User's Managed Objects
You want to view the objects for which a user is listed as the manager.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the left pane and click "Connect to…".
    2. Fill in the information for the naming context, container, or OU that contains the object you want to view. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the naming context, container, or OU of the object you want to view. Once you've found the object, right-click on it and select Properties.
  4. View the managedObjects attribute.

Using a command-line interface

> adfind -b "<UserDN>" managedObjects

Using VBScript

' This code displays the managed objects for a user
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

On Error Resume Next
set objUser = GetObject("LDAP://" & strUserDN)
Wscript.Echo objUser.Get("cn") & "'s Managed Objects:"
colObjects = objUser.GetEx("managedObjects")
' -2147463155 (&H8000500D) is E_ADS_PROPERTY_NOT_FOUND: the attribute is not set
if Err.Number = -2147463155 then
   Wscript.Echo " none"
else
   for each strObjectDN in colObjects
      Wscript.Echo " " & strObjectDN
   next
end if

Using PowerShell

To retrieve a user’s managedObjects property using the System.DirectoryServices methods, use the following syntax:
$obj = [ADSI] "LDAP://<UserDN>"

$obj.managedObjects
To use the Quest AD cmdlets, use the following:
$obj = get-QADUser -identity "<UserDN>"

$obj.DirectoryEntry.managedObjects
The managedObjects attribute is linked to the managedBy attribute that can be set on certain objects in Active Directory like computers, OUs, and groups. Setting the managedBy attribute provides a quick way to define who owns an object. If you do use it, you can use the managedObjects attribute on user, contact, or group objects to get the list of objects for which the user has been configured in the managedBy
Creating a UPN Suffix for a Forest
You want users to have a different UPN suffix from the default provided by your forest.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.
  2. In the left pane, right-click Active Directory Domains and Trusts and select Properties.
  3. Under Alternative UPN suffixes, type the name of the suffix you want to add.
  4. Click Add and OK.

Using a command-line interface

> admod -config -rb cn=Partitions uPNSuffixes:+:treyresearch.com
The attributeName:+:attributeValue syntax adds a value to the existing list of values in a multivalued attribute. Using attributeName::attributeValue would overwrite the existing values with the value you specify.

Using VBScript

' This code adds a new UPN suffix.
' ------ SCRIPT CONFIGURATION ------
Const ADS_PROPERTY_APPEND = 3
strNewSuffix = "<NewSuffix>" ' e.g. othercorp.com
strDomain = "<DomainDNSName>" ' e.g. adatum.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
' uPNSuffixes lives on the Partitions container of the configuration NC (forest-wide)
set objPartitions = GetObject("LDAP://cn=Partitions," & _
                              objRootDSE.Get("ConfigurationNamingContext"))
objPartitions.PutEx ADS_PROPERTY_APPEND, "uPNSuffixes", Array(strNewSuffix)
objPartitions.SetInfo

Using PowerShell

# the variable name is given without the $ sigil; $ADS_PROPERTY_APPEND is then usable below
set-variable -name ADS_PROPERTY_APPEND -value 3 -option constant
$strDN = "LDAP://cn=Partitions,cn=Configuration,<ForestDN>"
$strNewSuffix = "<NewSuffix>"
$objPart = [ADSI] $strDN
$objPart.PutEx($ADS_PROPERTY_APPEND, "uPNSuffixes", @($strNewSuffix))
$objPart.SetInfo()
The UPN allows users to log on with a friendly name that may even correspond to their email address. UPN logons also do not require the domain to be specified separately, so it can be abstracted away from the user. You may need to create an additional UPN suffix (e.g., @treyresearch.com) if you want UPNs to map to email addresses but your AD forest is rooted at a different domain name (e.g., ad.adatum.com) than the one used in email addresses (e.g., treyresearch.com). UPN suffixes are forest-wide: the uPNSuffixes attribute lives on the Partitions container of the configuration naming context, so adding one requires write access there (Enterprise Admins by default).
Restoring a Deleted User
You want to restore a user object that has been inadvertently deleted, along with its group memberships.

Using a graphical user interface

  1. Reboot the domain controller in Directory Services Restore Mode.
  2. Perform a System State restore.
  3. Before rebooting the server, perform the steps listed in the following section.

Using a command line interface

  1. To restore the user account, use the following sequence of commands. Replace <UserDN> with the distinguished name of the user object that needs to be restored (the activate instance ntds line is only necessary in Windows Server 2008):
    > ntdsutil
    > activate instance ntds
    > authoritative restore
    > restore object <UserDN>
    > quit
    > exit
  2. Reboot the domain controller into normal mode and wait for replication to complete.
In most cases, it is sufficient when restoring a deleted object within Active Directory to simply perform an authoritative restore of the individual object. Performing this authoritative restore will allow the restored user object to be replicated to other DCs within the domain along with all attributes that were present at the time that the System State backup was taken.
MS KB 216993 (Useful Shelf Life of a System-State Backup of Active Directory), MS KB 840001 (How to Restore Deleted User Accounts and Their Group Memberships in Active Directory), and for more on recovering and restoring Active
Protecting a User Against Accidental Deletion
You want to prevent a user object from being accidentally deleted by an administrator who selects the incorrect option in Active Directory Users and Computers.

Using a graphical user interface (Windows Server 2008 only)

  1. Open Active Directory Users and Computers. Click on View and confirm that Advanced Features is selected.
  2. Drill down to the current domain. To connect to a different domain, right-click on the top-level node and click Change domain; select the appropriate domain and then drill down to it.
  3. Right-click on the object that you want to modify and click Properties.
  4. Click on the Object tab.
  5. Place a checkmark next to “Protect object from accidental deletion.”
  6. Click OK.

Using a command-line interface (all versions)

> dsacls "<User DN>" /d EVERYONE:SDDT

Using PowerShell (all versions)

Add-QADPermission -identity <User DN> -Account 'EVERYONE' -Rights 'Delete,DeleteTree' -ApplyTo 'ThisObjectOnly' -Deny
By default, all new OUs created in Windows Server 2008 have this protection enabled; no other object type gets it by default. If you attempt to delete an object that is protected this way, even when signed on as a Domain Admin or other similarly elevated account, you will receive an "Access Denied" message until you clear the checkbox or remove the Deny ACE manually. Because the protection is an explicit Deny for Everyone, it overrides any Allow, including Full Control; it is a guard against mistakes, not against a deliberate administrator, who can simply remove the ACE first. Note that the Add-QADPermission command above needs the -Deny switch; without it the cmdlet would grant Everyone the Delete rights instead of denying them.
By using the command-line or PowerShell methods, this protection can be applied to user objects (or any other object) in all versions of Windows Server, even though the GUI checkbox is only available in Windows Server 2008.
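The dsacls and Add-QADPermission one-liners above apply the ACE but give you no way to confirm it is there, and Quest's cmdlets are a third-party dependency. The following editor-added example (not from the book) builds the same explicit Deny ACE with System.DirectoryServices, checks a security descriptor for it, and applies or removes it on a live object. The constructed check at the end runs without a domain; the DN in the commented usage line is a placeholder.

```powershell
# Added example (not from the book): the deny 'Delete, DeleteTree' ACE for Everyone that the
# "Protect object from accidental deletion" checkbox and "dsacls /d EVERYONE:SDDT" create,
# applied and verified through System.DirectoryServices so it works on any DC version.
Add-Type -AssemblyName System.DirectoryServices
$Everyone   = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$DenyRights = [System.DirectoryServices.ActiveDirectoryRights]"Delete, DeleteTree"   # dsacls SDDT
$Deny       = [System.Security.AccessControl.AccessControlType]::Deny

function New-DeletionDenyRule {
    # explicit, non-inherited ACE on this object only, like the GUI checkbox
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Everyone, $DenyRights, $Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
}

function Test-ProtectedFromDeletion {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # only explicit ACEs count: an inherited deny would not survive a move to another OU
    foreach ($ace in $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq $Deny -and $ace.IdentityReference -eq $Everyone -and
            (($ace.ActiveDirectoryRights -band $DenyRights) -eq $DenyRights)) { return $true }
    }
    return $false
}

function Protect-AdObject {
    param([string]$DN)   # placeholder DN supplied by the caller
    $e = [ADSI]"LDAP://$DN"
    if (Test-ProtectedFromDeletion $e.ObjectSecurity) { return "already protected" }
    $e.ObjectSecurity.AddAccessRule((New-DeletionDenyRule))
    $e.CommitChanges()
    return "protected"
}

function Unprotect-AdObject {
    param([string]$DN)
    # needed before a deliberate delete or move; Domain Admins are denied like everyone else
    $e = [ADSI]"LDAP://$DN"
    [void]$e.ObjectSecurity.RemoveAccessRule((New-DeletionDenyRule))
    $e.CommitChanges()
}

# Constructed check without a domain: an empty descriptor, then one with the rule added
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
"before: protected = {0}" -f (Test-ProtectedFromDeletion $acl)
$acl.AddAccessRule((New-DeletionDenyRule))
"after:  protected = {0}" -f (Test-ProtectedFromDeletion $acl)
# Protect-AdObject "cn=jsmith,ou=Sales,dc=adatum,dc=com"
```

Test-ProtectedFromDeletion is also a reasonable audit primitive: run it over the OUs and service accounts you care about and alert on any that return False, since someone removing the ACE is the step that precedes a deletion.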
Chapter 7: Groups
A group is a simple concept that has been used in many different types of standalone and networked systems over the years. In generic terms, a group is just a collection of objects. Groups are often used to apply security in an efficient manner, where you create a collection of users and assign certain permissions or rights to that group, rather than to each individual user within the group. When applying security settings, it’s much easier to use a group rather than individual users, because you only need to apply the security setting once instead of once per user. In addition, groups are also frequently used to send email messages to an entire group of users at once rather than requiring the sender to address each person individually.
In Active Directory, groups are flexible objects that can contain virtually any other type of object as a member, although they’ll generally only contain users, inetOrgPersons, computers, and other groups. Active Directory groups can be used for many different purposes, including controlling access to resources, defining a filter for the application of group policies, and as an email distribution list.
The ways in which a group can be used in an Active Directory forest are defined by the group’s scope and type. The type of a group can be either security or distribution. Security groups can be used to restrict access to Windows resources, whereas distribution groups can be used only as a simple grouping mechanism for sending email messages or for some other non-Windows security-related function. Both security and distribution groups can be used as email lists, but only security groups can be used to assign access to resources.
The scope of a group determines where members of the group can be located within the forest and where in the forest you can use the group in an ACL. The supported group scopes are universal, global, and domain local. Universal groups can contain users, computers, global groups, and other universal groups from any domain in the same forest; domain local groups can contain all of those plus security principals from trusted domains in other forests (and domain local groups from their own domain); global groups can only contain members from the domain in which the group is located. When assigning permissions, universal and global groups can be granted access to resources anywhere in the forest (and in forests that trust it), whereas domain local groups can only be granted access to resources in the domain where they are defined. (In this way, domain local and global groups are functional opposites of one another.)
Creating a Group
You want to create a group.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the new group, right-click on it, and select New→Group.
  4. Enter the name of the group and select the group scope (global, domain local, or universal) and group type (security or distribution).
  5. Click OK.

Using a command-line interface

In the following example, <GroupDN> should be replaced with the DN of the group to create, <GroupScope> should be l, g, or u for domain local, global, and universal groups, respectively, and -secgrp should be set to yes if the group is a security group or no otherwise. Another recommended option is -desc, which sets the group's description:
> dsadd group "<GroupDN>" -scope <GroupScope> -secgrp yes|no -desc "<GroupDesc>"
You can also create a group object with admod, using the following syntax:
> admod -b "<GroupDN>" objectClass::group groupType::"<GroupType>" sAMAccountName::"<Pre-Windows2000Name>" -add
For example, to create a global security group called "Finance Users" in the Finance OU of the adatum.com domain, you can use either of the following commands:
> dsadd group "cn=Finance Users,ou=Finance,dc=adatum,dc=com" -scope g -secgrp yes

> admod -b "cn=Finance Users,ou=Finance,dc=adatum,dc=com" objectClass::group groupType::-2147483646 sAMAccountName::"Finance Users" -add
In the case of AdMod, you must specify the numeric value for the group type, which can be any one of those listed in the following table.
Table: Numeric values for group types
Group type                        Numeric value
Universal Distribution Group      8
Universal Security Group          -2147483640
Domain Local Distribution Group   4
Domain Local Security Group       -2147483644
Global Distribution Group         2
Global Security Group             -2147483646
These values are defined in the
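The table values look arbitrary until you see that groupType is a bit field: 2, 4 and 8 select the scope and the negative values are the same numbers with the 0x80000000 security-enabled bit set in a signed 32-bit integer. The following editor-added example (not the book's code) decodes a groupType into scope and type, builds one from a scope/type choice, and creates a group through System.DirectoryServices instead of admod. The OU and group names in the commented usage line are placeholders.

```powershell
# Added example (not from the book): decode a groupType value into scope and type,
# build one from a scope/type choice, and create a group with System.DirectoryServices.
$GT_BUILTIN_LOCAL    = 1           # system-created builtin local groups only
$GT_GLOBAL           = 2
$GT_DOMAIN_LOCAL     = 4
$GT_UNIVERSAL        = 8
$GT_SECURITY_ENABLED = [int64]2147483648   # 0x80000000; it is this bit that makes the table values negative

function ConvertFrom-GroupType {
    param([int]$GroupType)
    # the attribute is a signed 32-bit integer; view it as unsigned so the high bit is a plain flag
    $u = [int64]$GroupType
    if ($u -lt 0) { $u += 4294967296 }
    $scope = "Unknown"
    if (($u -band $GT_GLOBAL) -ne 0)            { $scope = "Global" }
    elseif (($u -band $GT_DOMAIN_LOCAL) -ne 0)  { $scope = "DomainLocal" }
    elseif (($u -band $GT_UNIVERSAL) -ne 0)     { $scope = "Universal" }
    elseif (($u -band $GT_BUILTIN_LOCAL) -ne 0) { $scope = "BuiltinLocal" }
    $type = "Distribution"
    if (($u -band $GT_SECURITY_ENABLED) -ne 0) { $type = "Security" }
    New-Object PSObject -Property @{
        Value = $GroupType; Hex = ("0x{0:X8}" -f $u); Scope = $scope; Type = $type
    }
}

function ConvertTo-GroupType {
    param([ValidateSet("Global", "DomainLocal", "Universal")][string]$Scope, [switch]$Security)
    $map = @{ Global = $GT_GLOBAL; DomainLocal = $GT_DOMAIN_LOCAL; Universal = $GT_UNIVERSAL }
    $u = [int64]($map[$Scope])
    if ($Security) { $u += $GT_SECURITY_ENABLED }
    if ($u -ge 2147483648) { $u -= 4294967296 }   # back to the signed form AD expects
    return [int]$u
}

function New-AdGroup {
    param([string]$ParentDN, [string]$Name, [string]$Scope, [switch]$Security, [string]$Description)
    $parent = [ADSI]"LDAP://$ParentDN"
    $g = $parent.Children.Add("CN=$Name", "group")
    $g.Put("sAMAccountName", $Name)          # pre-Windows 2000 name, required for a usable group
    $g.Put("groupType", (ConvertTo-GroupType -Scope $Scope -Security:$Security))
    if ($Description) { $g.Put("description", $Description) }
    $g.SetInfo()
    return $g
}

# The six values from the table, decoded; then the value the admod example above uses
foreach ($v in 8, -2147483640, 4, -2147483644, 2, -2147483646) { ConvertFrom-GroupType $v }
ConvertTo-GroupType -Scope Global -Security          # -2147483646, as in the admod example
# New-AdGroup -ParentDN "ou=Finance,dc=adatum,dc=com" -Name "Finance Users" -Scope Global -Security
```

Decoding rather than comparing against a table also catches the combinations the table omits, such as a distribution group that has been converted to security-enabled after creation, which is worth checking for because converting to a security group is how a mailing list quietly becomes something you can put in an ACL.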
Viewing the Permissions of a Group
You want to list the AD object permissions that have been assigned to a group object.

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in. Click on View and confirm that there is a checkmark next to Advanced Features.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Enter the name of the group and click Find Now.
  5. Double-click on the group in the bottom results pane.
  6. Click on the Security tab. The users and groups that have been assigned permissions to the object are listed in the bottom pane; select each entry to view the permissions that have been assigned to it.
  7. Click on Advanced to view the owner of the group, as well as any auditing that has been configured.

Using a command-line interface

> dsacls "<GroupDN>"
You can also obtain this information using AdFind, as follows:
> adfind -gcb -f name=<Group Name> ntsecuritydescriptor -sddl++ -resolvesids

Using VBScript

Const SE_DACL_PROTECTED = &H1000

Set objGroup = GetObject("LDAP://<GroupDN>")
Set objNtSecurityDescriptor = objGroup.Get("nTSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Group Permissions"
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
    Wscript.Echo "Permission inheritance is disabled."
Else
    WScript.Echo "Permission inheritance is enabled."
End If
WScript.Echo

Set objDACL = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDACL, "DACL"

Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
    Const ADS_ACETYPE_ACCESS_DENIED = &H1
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    intAceCount = 0
    For Each objAce In SecurityStructure
        ' Skip the well-known NT AUTHORITY trustees (SYSTEM, SELF, Authenticated Users, ...)
        strTrustee = Mid(objAce.Trustee,1,12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee

            intAceType = objAce.AceType
            If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
                intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                WScript.Echo "Allow ACE"
            ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
                intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                WScript.Echo "Deny ACE"
            Else
                WScript.Echo "Unknown ACE."
            End If
            ReadBitsInAccessMask objAce.AccessMask
            WScript.Echo VbCr
        End If
    Next
End Sub

Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo VbCrLf & "Control Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
        (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema " & _
                "definition "
            WScript.Echo vbTab & " for the attribute."
      End If
    End If
End Sub
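The script above prints every bit in every ACE, which is a lot of output when what you usually want to know is narrower: who can add themselves or others to this group, and who can take it over outright. The following editor-added example (not from the book) answers that question from an ActiveDirectorySecurity object, checking the ObjectType GUID so that a WriteProperty ACE scoped to some other attribute is not reported. It runs here against a constructed descriptor with made-up SIDs; the commented line shows the call against a live group, whose DN is a placeholder.

```powershell
# Added example (not from the book): flag the ACEs on a group that let a principal change
# its membership or take over the object. Works on the ObjectSecurity of a live entry or,
# as here, on a constructed ActiveDirectorySecurity; the SIDs below are made up.
Add-Type -AssemblyName System.DirectoryServices
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$MemberGuid = [guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the member attribute

function Get-GroupTakeoverRules {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $r = $ace.ActiveDirectoryRights
        # an object-specific ACE only matters if it targets member, or has no object type (= all attributes)
        $coversMember = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $MemberGuid)
        $why = @()
        if (($r -band $Rights::GenericAll) -eq $Rights::GenericAll) { $why += "GenericAll" }
        if (($r -band $Rights::WriteDacl) -ne 0)  { $why += "WriteDacl" }
        if (($r -band $Rights::WriteOwner) -ne 0) { $why += "WriteOwner" }
        if ((($r -band $Rights::WriteProperty) -ne 0) -and $coversMember) { $why += "WriteProperty:member" }
        if ((($r -band $Rights::Self) -ne 0) -and $coversMember) { $why += "Self:add/remove self as member" }
        if ($why.Count -gt 0) {
            New-Object PSObject -Property @{
                Trustee   = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
                Rights    = ($why -join ", ")
            }
        }
    }
}

function New-Sid([string]$s) { New-Object System.Security.Principal.SecurityIdentifier($s) }
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Constructed descriptor: one harmless ACE and two that should be flagged
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
# Everyone: read only, not flagged
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (New-Sid "S-1-1-0"), $Rights::GenericRead, $allow)))
# a helpdesk group (made-up RID 1105): may write the member attribute only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (New-Sid "S-1-5-21-1-2-3-1105"), $Rights::WriteProperty, $allow, $MemberGuid)))
# a service account (made-up RID 1106): full control
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (New-Sid "S-1-5-21-1-2-3-1106"), $Rights::GenericAll, $allow)))

Get-GroupTakeoverRules $acl | Format-Table Trustee, Rights, Inherited -AutoSize

# Against a real group (placeholder DN); translate SIDs to names with
# $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]) if you prefer:
#   Get-GroupTakeoverRules ([ADSI]"LDAP://cn=Finance Users,ou=Finance,dc=adatum,dc=com").ObjectSecurity
```

GenericWrite is caught by the WriteProperty test because it contains that bit, and an ACE with no ObjectType is treated as covering member, which is what such an ACE means. Inherited ACEs are reported too, since a WriteProperty on member inherited from the OU is exactly the kind of grant that is easy to overlook when only the group's own Security tab is checked.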
Viewing the Direct Members of a Group
You want to view the direct members of a group.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Enter the name of the group and click Find Now.
  5. Double-click on the group in the bottom results pane.
  6. Click the Members tab.

Using a command-line interface

You can enumerate the direct members of a group using the built-in DSGet utility, or AdFind. Using DSGet requires the following syntax:
> dsget group "<GroupDN>" -members
To list group members with AdFind, enter the following:
> adfind -b "<GroupDN>" member

Using VBScript

' This code prints the direct members of the specified group.
' ------ SCRIPT CONFIGURATION -----
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objGroup = GetObject("LDAP://" & strGroupDN)
Wscript.Echo "Members of " & objGroup.Name & ":"
for each objMember in objGroup.Members
   Wscript.Echo objMember.Name
next

Using PowerShell

To enumerate direct group membership, use either the Quest AD cmdlet Get-QADGroupMember or ADSI syntax, as shown here (the cast must be parenthesized before the attribute can be read):
Get-QADGroupMember -identity <Group DN>

([ADSI] "LDAP://<Group DN>").member
The member attribute of a group object contains the distinguished names of the direct members of the group. By direct members, we mean the members that have been directly added to the group. This is in contrast to indirect group members, which are members of the group due to nested group membership. See for how to find the nested membership of a group.
The memberOf attribute is a backlink to member. This means that, for each group membership listed in a group’s member attribute, the DN of the group itself appears in that user/computer/group’s memberOf attribute. Think of it this way: if the FinanceUsers group has Jane as a member, then Jane is a member of the
Viewing the Nested Members of a Group
You want to view the nested membership of a group.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Enter the name of the group and click Find Now.
  5. Double-click on the group in the bottom results pane.
  6. Click the Members tab.
  7. You must now double-click on each group member to view its membership.

Using a command-line interface

> dsget group "<GroupDN>" -members -expand
You can also obtain this information using the joeware MemberOf utility:
> memberof -group <GroupDN>

Using VBScript

' This code prints the nested membership of a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

strSpaces = " "
set dicSeenGroupMember = CreateObject("Scripting.Dictionary")
Wscript.Echo "Members of " & strGroupDN & ":"
' Called as a statement, so the argument list must not be wrapped in parentheses
DisplayMembers "LDAP://" & strGroupDN, strSpaces, dicSeenGroupMember

Sub DisplayMembers(strGroupADsPath, strSpaces, dicSeenGroupMember)
   set objGroup = GetObject(strGroupADsPath)
   for each objMember In objGroup.Members
      Wscript.Echo strSpaces & objMember.Name
      if objMember.Class = "group" then
         ' remember each group as it is expanded so circular nesting cannot recurse forever
         if dicSeenGroupMember.Exists(objMember.ADsPath) then
            Wscript.Echo strSpaces & " ^ already seen group member " & _
                                         "(stopping to avoid loop)"
         else
            dicSeenGroupMember.Add objMember.ADsPath, 1
            DisplayMembers objMember.ADsPath, strSpaces & " ", _
                           dicSeenGroupMember
         end if
      end if
   next
End Sub

Using PowerShell

The simplest method of listing nested group membership in PowerShell is using the Quest AD cmdlets, as follows:
Get-QADGroupMember -identity <Group DN> -indirect
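The following is an added example, not code from the book: the same nested listing in PowerShell with only System.DirectoryServices, so it does not need the Quest cmdlets. Instead of recursing on the client, it asks the domain controller to walk the nesting with the LDAP_MATCHING_RULE_IN_CHAIN extended match (OID 1.2.840.113556.1.4.1941, available from Windows Server 2003 SP2), which also takes care of circular nesting. The group DN in the usage line is a placeholder.

```powershell
function Get-NestedGroupMember {
    <#
      Returns every object that is a transitive (nested) member of a group.
      The domain controller resolves the nesting server-side through the
      LDAP_MATCHING_RULE_IN_CHAIN extended match, so no client-side recursion
      or cycle detection is needed.
    #>
    param(
        [Parameter(Mandatory)][string]$GroupDN,   # e.g. cn=SalesGroup,ou=Groups,dc=adatum,dc=com
        [switch]$IncludeGroups                    # also return the intermediate groups
    )

    # Escape the characters RFC 4515 reserves inside a filter value (backslash first).
    $escaped = $GroupDN -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $groupsClause = if ($IncludeGroups) { '' } else { '(!(objectClass=group))' }

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + [string]$rootDse.defaultNamingContext)
    $searcher.Filter     = "(&(memberOf:1.2.840.113556.1.4.1941:=$escaped)$groupsClause)"
    $searcher.PageSize   = 1000      # paged search, so groups with > 1000 members work too
    foreach ($attr in 'distinguishedName', 'sAMAccountName', 'objectClass') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]($result.Properties['samaccountname'] | Select-Object -First 1)
            DistinguishedName = [string]($result.Properties['distinguishedname'] | Select-Object -First 1)
            # objectClass is multi-valued (top, person, ..., user); the last value is the structural class
            ObjectClass       = [string]($result.Properties['objectclass'] | Select-Object -Last 1)
        }
    }
}

# Usage (placeholder DN):
# Get-NestedGroupMember -GroupDN 'cn=Domain Admins,cn=Users,dc=adatum,dc=com' | Format-Table -AutoSize
```

Like dsget group -expand and the VBScript above, this follows only the member attribute. An account whose primary group is this group (set through its primaryGroupID) is a member too, but does not appear in any member-based listing.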
As described in , group membership is stored in the multivalued member
End of content preview. The rest of this section is not shown here.

Adding and Removing Members of a Group
You want to add or remove members of a group.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Enter the name of the group and click Find Now.
  5. Double-click on the group in the bottom results pane.
  6. Click the Members tab.
  7. To remove a member, click on the member name, click the Remove button, click Yes, and click OK.
  8. To add a member, click on the Add button, enter the name of the member, and click OK twice.

Using a command-line interface

The -addmbr option in dsmod adds a member to a group:
> dsmod group "<GroupDN>" -addmbr "<MemberDN>"
To add a group member with admod, use the following syntax:
> admod -b "<GroupDN>" member:+:"<MemberDN>"
The -rmmbr option in dsmod removes a member from a group:
> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"
To remove a group member with admod, use the following syntax:
> admod -b "<GroupDN>" member:-:"<MemberDN>"
The -chmbr option in dsmod replaces the complete membership list:
> dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN ... >"
To replace the membership of a group with admod, use the following command:
> admod -b "<GroupDN>" member:+-:"<Member1DN>;<Member2DN>;<Member3DN>"

Using VBScript

' This code adds a member to a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN  = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Groups,dc=adatum,dc=com
strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)
' Add a member (IADsGroup.Add writes the change immediately; no SetInfo needed)
objGroup.Add("LDAP://" & strMemberDN)

' This code removes a member from a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN  = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Groups,dc=adatum,dc=com
strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)
' Remove a member (IADsGroup.Remove also writes the change immediately)
objGroup.Remove("LDAP://" & strMemberDN)
End of content preview. The rest of this section is not shown here.

Moving a Group Within a Domain
You want to move a group to a different OU or container within the same domain.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU containing the object. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU that contains the group you want to move. Once you’ve found the object, right-click on it and select Move.
  4. Browse to the new parent of the object, select it, and click OK.

Using a command-line interface

To move an object to a new parent container within the same domain, you can use either DSMove or AdMod, as follows:
> dsmove "<GroupDN>" -newparent "<NewParentDN>"
or:
> admod -b "<GroupDN>" -move "<NewParentDN>"

Using VBScript

' This code moves an object from one location to another in the same domain.
' ------ SCRIPT CONFIGURATION -----
strNewParentDN = "LDAP://<NewParentDN>"          ' e.g. LDAP://ou=Finance,dc=adatum,dc=com
strGroupRDN    = "<GroupRDN>"                    ' i.e. "cn=Finance"
strGroupDN     = "LDAP://<GroupRDN>,<OldParentDN>" ' the group's current ADsPath
' ------ END CONFIGURATION --------

set objCont = GetObject(strNewParentDN)
' MoveHere takes the ADsPath of the object to move and the RDN it should
' have under the new parent (the same RDN keeps the name unchanged)
objCont.MoveHere strGroupDN, strGroupRDN

Using PowerShell

To move a group with the Quest AD cmdlets, use the following syntax:
move-QADObject -Identity <GroupDN> -NewParentContainer <New OU DN>
To move a group with the System.DirectoryServices methods, use the following:
$objGroup = [ADSI] "LDAP://<GroupDN>"
$objNewOU = [ADSI] "LDAP://<New Parent OU DN>"
$objGroup.psbase.MoveTo($objNewOU)

Using a command-line interface

The DSMove utility can work against any type of object, including groups. The first parameter is the DN of the group that you want to move. The second parameter is the new parent container of the group. The -s parameter can additionally be used to specify a specific server to work against.
End of content preview. The rest of this section is not shown here.

Moving a Group to Another Domain
You want to move a group to a different domain.

Using a graphical user interface

To migrate user, computer, group, or OU objects between domains in the same forest, use the following steps:
  1. Open the ADMT MMC snap-in.
  2. Right-click on the Active Directory Migration Tool folder, and select the Group Account Migration Wizard.
  3. On the Test or Migrate Changes screen, click Migrate Now?
  4. On the Domain Selection screen, enter the DNS or NetBIOS name of the source and target domains and click Next.
  5. On the Group Selection screen, select the group objects that you wish to migrate and click Next. (You cannot migrate built-in or well-known groups such as Domain Users or Domain Admins using this process.)
  6. On the Organizational Unit Selection screen, enter the name of the target OU or select Browse to open up an object picker in the target domain. Click Next to continue.
  7. On the Group Options screen, select one or more of the following and click Next:
    Update user rights
    Copies any user rights that are assigned in the source domain to the target domain.
    Copy group members
    Specifies whether the user objects that belong to the group should be migrated along with the group. If you don’t select this option, the group will be created in the target domain with no members.
    Update previously migrated objects
    Supports migrations that take place over time by comparing the source and target groups and migrating any changes that have taken place.
    Fix membership of group
    Adds any migrated user accounts to groups in the target domain if the user accounts were members of the source groups in the source domain.
    Migrate group SIDs to target domain
    Adds the security identifiers (SIDs) of the migrated group accounts in the source domain to the SID history of the new group in the target domain.
  8. On the Naming Conflicts screen, select whether you want to migrate
End of content preview. The rest of this section is not shown here.

Changing the Scope or Type of a Group
You want to change the scope or type of a group.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Enter the name of the group you want to modify and click Find Now.
  5. Double-click on the group in the results pane.
  6. In the group properties dialog box, select the new scope or type, and click OK.

Using a command-line interface

The following example changes the group scope for <GroupDN> to <NewScope>, which should be l for domain local group, g for global group, or u for universal group:
> dsmod group "<GroupDN>" -scope <NewScope>
The following example changes the group type for <GroupDN>. For the -secgrp switch, specify yes to change to a security group or no to make the group a distribution group:
> dsmod group "<GroupDN>" -secgrp yes|no
To change the scope and/or type of a group using AdMod, use the following syntax:
> admod -b <GroupDN> groupType::<GroupType>
Just as when you created a group using AdMod, you must specify the numeric value for the group type; refer back to that recipe for more information.
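To save working out the numeric groupType value by hand, here is an added PowerShell example (not code from the book) that decodes and encodes groupType with the ADS_GROUP_TYPE_ENUM bits and changes a group's scope while keeping its security or distribution type. It uses System.DirectoryServices only; the group DN in the usage line is a placeholder.

```powershell
# Bit values of groupType (ADS_GROUP_TYPE_ENUM)
$ADS_GROUP_TYPE_GLOBAL_GROUP       = 2
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8
$ADS_GROUP_TYPE_SECURITY_ENABLED   = [int]::MinValue   # 0x80000000, i.e. -2147483648

function ConvertFrom-GroupType {
    # Decode a numeric groupType value into its scope and security/distribution type
    param([Parameter(Mandatory)][int]$GroupType)
    $scope = switch ($GroupType -band 0xE) {   # mask the three scope bits
        2       { 'Global' }
        4       { 'DomainLocal' }
        8       { 'Universal' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        Scope      = $scope
        IsSecurity = ($GroupType -band $ADS_GROUP_TYPE_SECURITY_ENABLED) -ne 0
    }
}

function ConvertTo-GroupType {
    # Build the numeric value AdMod needs for groupType:: (e.g. Universal security = -2147483640)
    param(
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$Scope,
        [bool]$Security = $true
    )
    $value = switch ($Scope) {
        'Global'      { $ADS_GROUP_TYPE_GLOBAL_GROUP }
        'DomainLocal' { $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP }
        'Universal'   { $ADS_GROUP_TYPE_UNIVERSAL_GROUP }
    }
    if ($Security) { $value = $value -bor $ADS_GROUP_TYPE_SECURITY_ENABLED }
    [int]$value
}

function Set-GroupScope {
    # Change a group's scope and keep whether it is a security or distribution group
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal', 'Universal')][string]$Scope
    )
    $group   = [ADSI]"LDAP://$GroupDN"
    $current = ConvertFrom-GroupType ([int]$group.Properties['groupType'].Value)

    # Active Directory rejects a direct Global <-> DomainLocal change; go via Universal.
    $steps = if (($current.Scope -eq 'Global' -and $Scope -eq 'DomainLocal') -or
                 ($current.Scope -eq 'DomainLocal' -and $Scope -eq 'Global')) {
        'Universal', $Scope
    } else {
        $Scope
    }
    foreach ($step in $steps) {
        $group.Properties['groupType'].Value = ConvertTo-GroupType -Scope $step -Security $current.IsSecurity
        $group.CommitChanges()
    }
}

# Usage (placeholder DN):
# ConvertTo-GroupType -Scope Universal -Security $true       # the value to pass to admod groupType::
# Set-GroupScope -GroupDN 'cn=SalesGroup,ou=Groups,dc=adatum,dc=com' -Scope DomainLocal
```

Two conversions fail regardless of how they are requested: a global group that is itself a member of another global group cannot become universal, and a universal group that contains universal groups cannot become global. In those cases CommitChanges throws and the group is left unchanged.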

Using VBScript

' This code sets the scope and type of the specified group
' to a universal security group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

' Constants taken from ADS_GROUP_TYPE_ENUM
ADS_GROUP_TYPE_GLOBAL_GROUP       = 2
ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 4
ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 8
ADS_GROUP_TYPE_SECURITY_ENABLED   = -2147483648 ' the high bit, &H80000000

set objGroup = GetObject("LDAP://" & strGroupDN)
' groupType is a bit field: one scope bit, plus the security-enabled bit
objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP _
                       Or ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo

Using PowerShell

To modify a group’s type or scope using the Quest AD cmdlets, use the following syntax. Use
End of content preview. The rest of this section is not shown here.

Modifying Group Attributes
You want to modify one or more attributes of an object.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU containing the group that you want to modify. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU that contains the group you want to modify. Once you’ve found the group, right-click on it and select Properties.
  4. Right-click the attribute that you want to modify and select Edit.
  5. Enter the new value that you want to use and click OK.
  6. Click Apply, followed by OK.

Using a command-line interface

Create an LDIF file called modify_object.ldf with the following contents:
dn: cn=Finance Users,cn=users,dc=adatum,dc=com
changetype: modify
add: description
description: Members of the Finance Department
-
Then run the following command:
> ldifde -v -i -f modify_object.ldf
To modify a group using AdMod, you’ll use the following general syntax:
> admod -b <GroupDN> <attribute>:<operation>:<value>
For example, you can add a description to a group object using the following syntax:
> admod -b "cn=Finance Users,cn=Users,dc=adatum,dc=com" description::"Members of the Finance Department"
You can also modify group objects with the dsmod group command using the following syntax:
> dsmod group <GroupDN> <options>
The available options for dsmod include the following:
-samid <NewSAMName>
Updates the sAMAccountName attribute of the group object
-desc <NewDescription>
Updates the description attribute of the group object
-secgrp {yes | no}
Configures the group object as a security group (yes) or a distribution group (no)
-scope {l | g | u}
Configures the group scope as domain local (
End of content preview. The rest of this section is not shown here.

Creating a Dynamic Group
You want to create a dynamic group using the optional Authorization Manager (AzMan) component.

Using a graphical user interface

  1. Install the Authorization Manager component through Add/Remove Programs, if it is not already present.
  2. Open the Authorization Manager MMC snap-in.
  3. Right-click on the Authorization Manager node and select Open Authorization Store.
  4. Under “Select authorization store type,” select one of the following:
    Active Directory (in Windows Server 2008, this will read ‘Active Directory or Active Directory Application Mode (ADAM)’)
    Enter the name of the application partition, for example, cn=ERP,cn=Program Data,dc=adatum,dc=com, or click Browse to select it from the Active Directory tree.
    XML file
    Enter the path to the XML file, or click Browse to select it from the filesystem.
    Microsoft SQL (Windows Server 2008 only)
    This will be a URL in the format MSSQL://<Connection String>/<Database Name>/<Policy Store Name>
  5. Drill down to Console Root→Authorization Manager→<Authorization Store Name>→Groups.
  6. Right-click on Groups and select New→Group.
This will create a group that is scoped to the entire authorization store. You can drill down to an individual application to create a group that is only applicable within the app itself.
  7. From the New Application Group screen, enter the name of the group and a description. Under Group Type, select LDAP query. Click OK to create the group.
  8. Right-click on the group you just created and select Properties. From the LDAP tab, enter the LDAP query that defines the group’s membership. For example, you can configure the group to include only managers by entering (title=Manager).
  9. Click OK to finish creating the group.

Using a command-line interface

The following syntax will create an application group that’s based on an LDAP query:
> admod -b <GroupDN>
End of content preview. The rest of this section is not shown here.

Delegating Control for Managing Membership of a Group
You want to delegate the ability to manage the membership of a group.

Using a graphical user interface

This requires the Windows Server 2003 or later version of ADUC.
  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Enter the name of the group and click Find Now.
  5. Double-click on the group in the results pane.
  6. Select the Managed By tab.
  7. Click the Change button.
  8. Locate the group or user to delegate control to and click OK.
  9. Check the box beside “Manager can update membership list.”
  10. Click OK.

Using a command-line interface

> dsacls <GroupDN> /G <GroupName>@DomainName:WP;member;
In the following example, the SalesAdmins group is given the right to modify the membership of the PreSales group. Keep in mind that write access to member is, in effect, the power to make anyone (including oneself) a member, so delegate it on a privileged group as carefully as you would hand out the membership itself:
> dsacls cn=presales,ou=sales,dc=adatum,dc=com /G salesadmins@adatum.com:WP;member;

Using VBScript

' This code grants write access to the member attribute of a group.
' ------ SCRIPT CONFIGURATION -----
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Sales,dc=adatum,dc=com
strUserOrGroup = "<UserOrGroup>" ' e.g. joe@adatum.com or ADATUM\joe
' ------ END CONFIGURATION --------

set objGroup = GetObject("LDAP://" & strGroupDN)

'############################
' Constants
'############################
' ADS_ACETYPE_ENUM: object-specific allow ACE
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_FLAGTYPE_ENUM: the ACE's ObjectType field is set
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
' ADS_RIGHTS_ENUM: write property
Const ADS_RIGHT_DS_WRITE_PROP = &h20

' From schemaIDGUID of member attribute
Const MEMBER_ATTRIBUTE = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

'############################
' Create ACL
'############################
set objSD = objGroup.Get("nTSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Set WP for member attribute
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee    = strUserOrGroup
objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE.AceFlags   = 0
objACE.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE.ObjectType = MEMBER_ATTRIBUTE

objDACL.AddAce objACE

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objGroup.Put "nTSecurityDescriptor", objSD
objGroup.SetInfo

WScript.Echo "Delegated control of member attribute for " & _
              strGroupDN & " to " & strUserOrGroup
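The dsacls and VBScript solutions grant the right; the reverse question, who already holds it, is the one an auditor asks of a privileged group. The following PowerShell is an added example (not code from the book) that reads a group's DACL with System.DirectoryServices and lists every trustee that can change the membership: through WriteProperty on member (the ACE this recipe creates), on the Membership property set that contains member, or on all attributes, and indirectly through WriteDacl, WriteOwner or ownership. The property-set GUID is the standard one from the Extended-Rights container; the group DN in the usage line is a placeholder.

```powershell
function Resolve-Sid {
    # Translate a SID to DOMAIN\name; fall back to the SID string for orphaned SIDs
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-GroupMembershipWriter {
    <#
      Lists every ACE on a group that lets a trustee change the group's
      membership, directly or by first rewriting the DACL. Deny ACEs are
      reported as well, since they override matching Allow ACEs.
    #>
    param([Parameter(Mandatory)][string]$GroupDN)

    $memberGuid        = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of member
    $membershipSetGuid = [guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'  # rightsGuid of the Membership property set
    $WP = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $WD = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $WO = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    $group = [ADSI]"LDAP://$GroupDN"
    $sd    = $group.ObjectSecurity

    # The owner can always rewrite the DACL, so report it first.
    $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
    [pscustomobject]@{
        Identity  = (Resolve-Sid $owner)
        Access    = 'Owner'
        Reason    = 'owner can rewrite the DACL'
        Inherited = $false
    }

    # $true,$true: explicit and inherited ACEs; identities returned as SIDs
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $rights = [int]$ace.ActiveDirectoryRights
        $reason = $null
        if (($rights -band $WP) -ne 0) {
            if     ($ace.ObjectType -eq $memberGuid)        { $reason = 'WriteProperty on member' }
            elseif ($ace.ObjectType -eq $membershipSetGuid) { $reason = 'WriteProperty on the Membership property set' }
            elseif ($ace.ObjectType -eq [guid]::Empty)      { $reason = 'WriteProperty on all attributes' }
        }
        if (-not $reason -and ($rights -band $WD) -ne 0) { $reason = 'WriteDacl: can grant itself write on member' }
        if (-not $reason -and ($rights -band $WO) -ne 0) { $reason = 'WriteOwner: can take ownership, then rewrite the DACL' }
        if (-not $reason) { continue }

        [pscustomobject]@{
            Identity  = (Resolve-Sid $ace.IdentityReference)
            Access    = $ace.AccessControlType     # Allow or Deny
            Reason    = $reason
            Inherited = $ace.IsInherited
        }
    }
}

# Usage (placeholder DN):
# Get-GroupMembershipWriter -GroupDN 'cn=Domain Admins,cn=Users,dc=adatum,dc=com' | Format-Table -AutoSize
```

Inherited entries usually come from the OU and apply to many groups at once; an unexpected one on a privileged group is worth tracing back to the OU ACE that produced it.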
End of content preview. The rest of this section is not shown here.

Resolving a Primary Group ID
You want to find the name of a user’s primary group.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Type the name of the user and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Member Of tab.
  7. The Primary Group name is shown on the bottom half of the dialog box.

Using VBScript

' This code prints the group name of a user's primary group
'-----------SCRIPT CONFIGURATION----------------------------
strUserDN = "<UserDN>" ' i.e. "cn=jsmith,dc=adatum,dc=com"
strDomain = "<DomainNetBIOSName>" ' i.e. ADATUM
'----------------------------------------------------------

' Grab the primary group's RID from the user object
set objUser = GetObject("LDAP://" & strUserDN)
strGroupRID = objUser.Get("primaryGroupID")

' Grab the user's SID (WMI returns it as a string) to obtain the domain SID
strUserName = objUser.sAMAccountName
Set WMIUser = GetObject("winmgmts:{impersonationlevel=impersonate}!" _
    & "/root/cimv2:Win32_UserAccount.Domain='" & strDomain & "'" _
    & ",Name='" & strUserName & "'")
strUserSID = WMIUser.SID
' Everything up to and including the last "-" is the domain SID
strDomainSID = mid(strUserSID, 1, InStrRev(strUserSID, "-"))

' Now construct the Primary Group SID
strGroupSID = strDomainSID & strGroupRID

' Bind to the primary group using its SID and echo its name
set objGroup = GetObject("LDAP://<SID=" & strGroupSID & ">")
strGroupDN = objGroup.distinguishedName
WScript.Echo strGroupDN

Using PowerShell

# This code prints the group name of a user's primary group

$strUserDN = "<UserDN>" # i.e. "cn=jsmith,cn=users,dc=adatum,dc=com"

# bind to the user object
$objUser = [ADSI]("LDAP://" + $strUserDN)

# get the user's primary group ID
$grpID = $objUser.primaryGroupID

# get the user's SID into a byte array
$sid = $objUser.objectSID.Value

# create a .NET SID object
$objSID = new-object System.Security.Principal.SecurityIdentifier($sid, 0)

# build the SID of the primary group: domain SID plus the primary group RID
$grp = $objSID.AccountDomainSid.Value + "-" + $grpID.ToString()

# bind to the group object
$objGroup = [ADSI]("LDAP://<SID=" + $grp + ">")

# output the group name
$objGroup.distinguishedName
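The code above resolves one user's primary group. A related check that matters for security, added here as an example (not code from the book): because primary-group membership is recorded only in the user's primaryGroupID and never in the group's member attribute, a user whose primaryGroupID has been set to 512 is a member of Domain Admins without appearing in any member-based listing (dsget group -members, the Members tab, or a memberOf query). This PowerShell searches the domain for users whose primary group is not Domain Users (RID 513) and resolves each one with the same SID construction as above.

```powershell
function Get-NonDefaultPrimaryGroup {
    <#
      Finds user accounts whose primaryGroupID differs from the default
      (513 = Domain Users) and resolves the group it points to. A value of
      512 (Domain Admins), 519 (Enterprise Admins) or 518 (Schema Admins)
      on an ordinary user is a hidden privileged membership.
    #>
    param([int]$DefaultRid = 513)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + [string]$rootDse.defaultNamingContext)
    $searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(!(primaryGroupID=$DefaultRid)))"
    $searcher.PageSize   = 1000
    foreach ($attr in 'sAMAccountName', 'distinguishedName', 'primaryGroupID', 'objectSid') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $sidBytes = [byte[]]$result.Properties['objectsid'][0]
        $userSid  = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $rid      = [int]$result.Properties['primarygroupid'][0]

        # The primary group always lives in the user's own domain: domain SID + primaryGroupID
        $groupSid = $userSid.AccountDomainSid.Value + '-' + $rid
        $groupDN  = try {
            [string]([ADSI]"LDAP://<SID=$groupSid>").distinguishedName
        } catch {
            "<unresolved $groupSid>"   # RID points at no existing group
        }

        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            PrimaryGroupID    = $rid
            PrimaryGroup      = $groupDN
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

# Usage:
# Get-NonDefaultPrimaryGroup | Format-Table SamAccountName, PrimaryGroupID, PrimaryGroup -AutoSize
```

Legitimate hits are rare (some migration tools and a few service accounts), so the list is short enough to review by hand.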
End of content preview. The rest of this section is not shown here.

Enabling Universal Group Membership Caching
This recipe requires at least the Windows Server 2003 forest functional level.
You want to enable universal group membership caching so that a global catalog server is not needed during most user logins.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, browse to the site you want to enable group caching for and click on it.
  3. In the right pane, double-click on the NTDS Site Settings object.
  4. Under Universal Group Membership Caching, check the box beside Enable Universal Group Caching.
  5. If you want to force the cache refresh from a particular site, select a site or else leave the default set to <Default>.
  6. Click OK.

Using a command-line interface

You can use a combination of the dsquery site and dsget site commands to find if a site has group caching enabled:
> dsquery site -name <SiteName> | dsget site -dn -cachegroups -prefGCSite
You can use ldifde to enable group caching. Create a file called enable_univ_cache.ldf with the following contents, but change <SiteName> to the name of the site you want to enable, and <ForestRootDN> to the distinguished name of the forest root domain. Note that replace writes the whole attribute value, so any other bit already set in the site’s options attribute would be lost; if options is already non-zero, OR 32 into the existing value instead (the AdFind/AdMod form further down sets just that bit):
dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: 32
-
Then use the following command to import the change:
> ldifde -i -f enable_univ_cache.ldf
You can also perform this change by using a combination of AdFind and AdMod with the following syntax:
> adfind -config -rb "cn=NTDS Site Settings,cn=<SiteName>,cn=Sites" options -adcsv | admod options::{{.:SET:32}}

Using VBScript

' This code enables universal group
' caching for the specified site.
' ------ SCRIPT CONFIGURATION -----
strSiteName = "<SiteName>" ' e.g. Default-First-Site-Name
' ------ END CONFIGURATION --------

' Bit in the options attribute of the NTDS Site Settings object
Const NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 32

set objRootDSE = GetObject("LDAP://RootDSE")
set objSite = GetObject("LDAP://cn=NTDS Site Settings,cn=" & strSiteName & _
              ",cn=sites," & objRootDSE.Get("configurationNamingContext"))

' Read the current value (the attribute may not be set yet) and OR the
' caching bit in, so that any other option bit on the site is preserved
intOptions = 0
On Error Resume Next
intOptions = objSite.Get("options")
On Error Goto 0

objSite.Put "options", intOptions Or NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED
objSite.SetInfo
WScript.Echo "Successfully enabled universal group caching for " & _
             strSiteName
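As an added example (not code from the book), the same change in PowerShell with System.DirectoryServices: it reads the current options value first so the bit is ORed in rather than overwriting the attribute, optionally sets the preferred refresh site, and includes a check function that reports what dsget site -cachegroups -prefGCSite reports. The site names are placeholders; msDS-Preferred-GC-Site is the attribute on NTDS Site Settings that holds the preferred refresh site.

```powershell
# Bit in the options attribute of an NTDS Site Settings object
$NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 32

function Get-SiteSettingsEntry {
    # Bind to cn=NTDS Site Settings of a site in the configuration partition
    param([Parameter(Mandatory)][string]$SiteName)
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    [ADSI]"LDAP://cn=NTDS Site Settings,cn=$SiteName,cn=Sites,$configNC"
}

function Test-UniversalGroupCaching {
    # Report whether caching is on for a site and which site refreshes the cache
    param([Parameter(Mandatory)][string]$SiteName)
    $settings = Get-SiteSettingsEntry $SiteName
    $options  = [int]($settings.Properties['options'].Value)   # absent attribute casts to 0
    [pscustomobject]@{
        Site            = $SiteName
        CachingEnabled  = ($options -band $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) -ne 0
        Options         = $options
        PreferredGCSite = [string]$settings.Properties['msDS-Preferred-GC-Site'].Value
    }
}

function Enable-UniversalGroupCaching {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$PreferredGCSite         # site whose GC refreshes the cache; omit for <Default>
    )
    $settings = Get-SiteSettingsEntry $SiteName
    $options  = [int]($settings.Properties['options'].Value)
    # OR the bit in so that any other flag already set on the site survives
    $settings.Properties['options'].Value = $options -bor $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED
    if ($PreferredGCSite) {
        $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
        $settings.Properties['msDS-Preferred-GC-Site'].Value = "cn=$PreferredGCSite,cn=Sites,$configNC"
    }
    $settings.CommitChanges()
}

# Usage (placeholder site names):
# Enable-UniversalGroupCaching -SiteName 'Branch-Office' -PreferredGCSite 'Head-Office'
# Test-UniversalGroupCaching   -SiteName 'Branch-Office'
```

Run the check against a domain controller in the site after replication has converged; a DC reads this setting from its own copy of the configuration partition.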
End of content preview. The rest of this section is not shown here.

Restoring a Deleted Group
You want to restore a group object that has been inadvertently deleted, as well as restore its members.

Using a graphical user interface

  1. Reboot the domain controller in Directory Services Restore Mode.
  2. Perform a System State restore.
  3. Before rebooting the server, perform the steps listed in the following section.

Using a command line interface

  1. To restore the user and group accounts, use the following sequence of commands. Replace <ContainerDN> with the name of the container or OU containing the user and group objects that need to be restored. (The activate instance ntds line is only necessary in Windows Server 2008):
    > ntdsutil
    > activate instance ntds
    > authoritative restore
    > restore subtree <ContainerDN>
    > quit
    > exit
  2. Reboot the domain controller into normal mode and wait for replication to complete.
  3. Reboot the domain controller into Directory Services Restore Mode again. Perform the commands in Step 1 a second time. (It is only necessary to mark the restore as authoritative a second time; you do not need to perform the actual System State restore again.)
  4. Restart the domain controller after running these commands.
In most cases, it is sufficient when restoring a deleted object within Active Directory to simply perform an authoritative restore of the object or container. However, things get a bit more complicated when you’re restoring group objects as well as the users who were members of those groups. Because you cannot easily control the order in which objects are restored to the AD database, you may run into a situation where a group object gets restored before the users who were members of that group. In this case, when Active Directory attempts to populate the restored group’s member attribute, it can only populate it with user objects that already exist within the directory. Put another way, if some or all of the users or other groups that are referenced in the restored group’s
End of content preview. The rest of this section is not shown here.

Protecting a Group Against Accidental Deletion
You want to prevent a group object from being accidentally deleted by an administrator who selects the incorrect option in Active Directory Users and Computers.

Using a graphical user interface (Windows Server 2008 only)

  1. Open Active Directory Users and Computers. Click on View and confirm that Advanced Features is selected.
  2. Drill down to the current domain. To connect to a different domain, right-click on the top-level node and click Change domain; select the appropriate domain and then drill down to it.
  3. Right-click on the group that you want to modify and click Properties.
  4. Click on the Object tab.
  5. Place a checkmark next to “Protect object from accidental deletion.”
  6. Click OK.

Using a command-line interface (all versions)

dsacls <Group DN> /d EVERYONE:SDDT

Using PowerShell (all versions)

Add-QADPermission -Identity <Group DN> -Account 'EVERYONE' -Rights 'Delete,DeleteTree' -ApplyTo 'ThisObjectOnly' -Deny
Without the -Deny switch, Add-QADPermission would add an Allow ACE, granting Everyone the right to delete the group rather than denying it.
If you have Exchange 2007 installed in your environment, you can also use the following Exchange cmdlet to modify this information:
Add-ADPermission -Identity <Group Name> -User <User or Group Name> -AccessRights Delete,DeleteTree -Deny $true
By default, all new OUs that are created in Windows Server 2008 will have this enabled; however, no other object types are configured with this default protection. If you attempt to delete a group that is protected using this option, even when signed on as a Domain Admin or other similarly elevated account, you will receive an “Access Denied” message until you manually remove the checkbox or manually remove the DENY ACE associated with it.
By using the command-line or PowerShell methods, this protection can be applied to group objects in all versions of Windows Server, even though the GUI checkbox is only available in Windows Server 2008.
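The following PowerShell is an added example (not code from the book) that applies and verifies the same protection with System.DirectoryServices alone, so it needs neither the Quest nor the Exchange cmdlets, and it reports which groups in the domain are still unprotected. It writes the ACE that dsacls /d EVERYONE:SDDT writes: a Deny of Delete and Delete Subtree for Everyone (S-1-1-0) on the object itself.

```powershell
$EveryoneSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$DeleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Test-ProtectedFromDeletion {
    # True when the object carries a Deny ACE for Everyone covering both Delete and
    # DeleteTree, which is what the ADUC checkbox and dsacls /d EVERYONE:SDDT create.
    param([Parameter(Mandatory)][string]$ObjectDN)
    $entry = [ADSI]"LDAP://$ObjectDN"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference -eq $EveryoneSid -and
            (($ace.ActiveDirectoryRights -band $DeleteRights) -eq $DeleteRights)) {
            return $true
        }
    }
    return $false
}

function Protect-FromDeletion {
    # Add the Deny ACE to the object itself (no inheritance), skipping objects already protected
    param([Parameter(Mandatory)][string]$ObjectDN)
    if (Test-ProtectedFromDeletion $ObjectDN) { return }
    $entry = [ADSI]"LDAP://$ObjectDN"
    $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $EveryoneSid,
        $DeleteRights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)   # this object only
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

function Get-UnprotectedGroup {
    # Every group in the domain that lacks the protection ACE
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + [string]$rootDse.defaultNamingContext)
    $searcher.Filter     = '(objectCategory=group)'
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        if (-not (Test-ProtectedFromDeletion $dn)) { $dn }
    }
}

# Usage: list unprotected groups, then protect all of them
# Get-UnprotectedGroup
# Get-UnprotectedGroup | ForEach-Object { Protect-FromDeletion $_ }
```

Writing the ACE requires Modify Permissions (WriteDacl) on each group; the check function only needs read access to the security descriptor.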
End of content preview. The rest of this section is not shown here.

Applying a Fine-Grained Password Policy to a Group Object
You want to apply a Fine-Grained Password Policy to a Group object in a Windows Server 2008 domain.

Using a graphical user interface

  1. Open ADSI Edit. Right-click on the top-level node and click “Connect to…”. In the Connection Settings screen, click OK.
  2. In the right-hand pane, double-click on Default naming context, then double-click on the domain node (i.e., dc=adatum,dc=com).
  3. Browse to CN=System, then CN=Password Settings Container.
  4. Right-click on the PSO that you wish to modify and click Properties.
  5. In the Select an Attribute to View drop-down box, select msDS-PSOAppliesTo.
  6. In the Edit Attribute text box, enter the DN of the group object that this password policy should apply to, such as cn=Marketing,ou=Corp,dc=adatum,dc=com.
  7. Click Add, then click OK.
  8. Click OK.

Using a command-line interface

The following will add the Marketing group to the list of groups that a PSO will apply to:
C:> psomgr -applyto CN=Marketing,CN=Users,DC=ADATUM,DC=COM -pso TestPSO -forreal

Using PowerShell

To add a group to the list of groups that a PSO will apply to, use the following syntax:
Add-QADPasswordSettingsObjectAppliesTo -Identity <PSO DN> -AppliesTo <Group DN>
Once a PasswordSettingsObject has been created, you can modify the password and account lockout settings controlled by the object, as well as the users and groups that the PSO should apply to. Since the PasswordSettingsObject is an Active Directory object class, these modifications can be made using any interface that can modify objects. When working from the command line, the psomgr tool from http://www.joeware.net/freetools allows you to modify one or multiple PSOs at a time, and can also create “starter” PSOs using the -quickstart command-line switch. The full syntax for psomgr.exe can be obtained by typing psomgr.exe /? at a command prompt, or by visiting the joeware website.
Chapter 9 of Active Directory
End of content preview. The rest of this section is not shown here.
Chapter 8: Computer Objects
Introduction
As far as Active Directory is concerned, computers are very similar to users. In fact, computer objects inherit directly from the user object class, which is used to represent user accounts. That means that computer objects possess all of the attributes of user objects and then some. Computers need to be represented in Active Directory for many of the same reasons users do, including the need to access resources securely, utilize GPOs, and have permissions assigned to them.
To participate in a domain, computers need a secure channel to a domain controller. A secure channel is an authenticated connection that can transmit encrypted data. To set up the secure channel, a computer must present a password to a domain controller. Similar to the way in which it authenticates a user account, Active Directory will use Kerberos authentication to verify the identity of a computer account. Without the computer object and, by association, the password stored with it that is changed behind the scenes on a regular basis by the operating system, there would be no way for the domain controller to verify a computer is what it claims to be.
End of content preview. The rest of this section is not shown here.

The Anatomy of a computer Object
The default location for computer objects in a domain is the cn=Computers container located directly off the domain root. You can, however, create computer objects anywhere in a domain. Beginning with Windows Server 2003, you can modify the default location for computer objects, as described in a separate recipe. The following table lists some of the interesting attributes that are available on computer objects.

Table: Attributes of computer objects

cn
    Relative distinguished name of the computer object.
dnsHostName
    Fully qualified DNS name of the computer.
lastLogonTimestamp
    The approximate time the computer last logged on to the domain. This attribute was introduced in Windows Server 2003.
managedBy
    The distinguished name (DN) of the user or group that manages the computer.
memberOf
    List of DNs of the groups the computer is a member of.
(attribute name not shown in the preview)
    New to Windows Server 2008. A backlink attribute that identifies users who have successfully authenticated to a full DC via a particular RODC.
msDS-RevealedUsers
    New to Windows Server 2008. Identifies the list of users and computers whose secrets have been replicated to an RODC.
operatingSystem
    Textual description of the operating system running on the computer (see the related recipe).
operatingSystemHotFix
    Currently not being used, but will hopefully be populated at some point.
(attribute name not shown in the preview)
    Service pack version installed on the computer (see the related recipe).
operatingSystemVersion
    Numeric version of the operating system installed on the computer (see the related recipe).
pwdLastSet
    Large integer that can be translated into the last time the computer’s password was set (see the related recipe).
sAMAccountName
    NetBIOS-style name of the computer. This is typically the name of the computer with $ at the end.
userAccountControl
    Account flag that defines various account properties. In the case of a computer object, this specifies whether the computer is a member computer or a domain controller.
Creating a Computer
You want to create a computer account.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. In the left pane, browse to the parent container for the computer, right-click on it, and select New→Computer.
  4. Enter the name of the computer. If necessary, place a checkmark next to “Assign this computer as a pre-Windows 2000 computer” or “Assign this computer as a backup domain controller.” Click Next to continue.
  5. If you will be using this computer account as part of an RIS deployment, place a checkmark next to “This is a managed computer” and enter the GUID that it should use, and then click Next. Otherwise, just click Next to continue.
  6. Click Finish.

Using a command-line interface

You can create a computer object using either the built-in DSAdd utility or AdMod. To create an account using DSAdd, use the following syntax:
> dsadd computer "<ComputerDN>" -desc "<Description>"
To create a computer account using AdMod, enter the following:
> admod -b "<ComputerDN>" objectclass::computer sAMAccountName::<ComputerName>$ userAccountControl::4096 description::"<Description>" -add

Using VBScript

' This code creates a computer object.
' ------ SCRIPT CONFIGURATION -------
strBase = "<ParentComputerDN>" ' e.g. cn=Computers,dc=adatum,dc=com
strComp = "<ComputerName>"     ' e.g. joe-xp
strDescr = "<Description>"     ' e.g. Joe's Windows XP workstation
' ------ END CONFIGURATION ---------

' ADS_USER_FLAG_ENUM
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000 ' 4096

set objCont = GetObject("LDAP://" & strBase)
set objComp = objCont.Create("computer", "cn=" & strComp)
objComp.Put "sAMAccountName", strComp & "$"
objComp.Put "description", strDescr
objComp.Put "userAccountControl", ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComp.SetInfo
Wscript.Echo "Computer account for " & strComp & " created"

Using PowerShell

Creating a Computer for a Specific User or Group
You want to create a computer account for a specific user or group to join to the domain. This requires setting permissions on the computer account so that the user or group can modify certain attributes.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. In the left pane, browse to the parent container for the computer, right-click on it, and select New→Computer.
  4. Enter the name of the computer.
  5. Under “The following user or group can join this computer to a domain,” click the Change button.
  6. Use the Object Picker to select a user or group to join the computer to the domain.
  7. Click OK.

Using a command-line interface

In the following solution, replace <ComputerDN> with the distinguished name of the computer object and <UserOrGroup> with the user principal name or NT-style name of a user or group you want to manage the computer:
> dsadd computer <ComputerDN>
> dsacls <ComputerDN> /G <UserOrGroup>:CALCGRSDDTRC;;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;description;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;sAMAccountName;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;displayName;
> dsacls <ComputerDN> /G <UserOrGroup>:WP;userAccountControl;
> dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to service principal name";
> dsacls <ComputerDN> /G <UserOrGroup>:WS;"Validated write to DNS host name";
You can replace the first line of this code with the AdMod command from the Creating a Computer recipe if you choose.

Using VBScript

' This code creates a computer object and grants a
' user/group rights over it.
' ------ SCRIPT CONFIGURATION -------
strComputer = "<ComputerName>"   ' e.g. joe-xp
strUser     = "<UserOrGroup>"    ' e.g. joe@adatum.com or ADATUM\joe
strDescr    = "<ComputerDescr>"  ' e.g. Joe's workstation
strDomain   = "<ComputerDomain>" ' e.g. adatum.com
' ------ END CONFIGURATION ---------

'############################
' Constants
'############################

' ADS_USER_FLAG_ENUM
Const ADS_UF_PASSWD_NOTREQD             = &h0020
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT  = &h1000

' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED        = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_DS_SELF           = &h8
Const ADS_RIGHT_DS_WRITE_PROP     = &h20
Const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
Const ADS_RIGHT_ACTRL_DS_LIST     = &h4
Const ADS_RIGHT_GENERIC_READ      = &h80000000
Const ADS_RIGHT_DELETE            = &h10000
Const ADS_RIGHT_DS_DELETE_TREE    = &h40
Const ADS_RIGHT_READ_CONTROL      = &h20000

' schemaIDGUID values
Const DISPLAY_NAME     = "{bf967953-0de6-11d0-a285-00aa003049e2}"
Const SAM_ACCOUNT_NAME = "{3e0abfd0-126a-11d0-a060-00aa006c33ed}"
Const DESCRIPTION      = "{bf967950-0de6-11d0-a285-00aa003049e2}"

' controlAccessRight rightsGUID values
Const USER_LOGON_INFORMATION    = "{5f202010-79a5-11d0-9020-00c04fc2d4cf}"
Const USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const VALIDATED_DNS_HOST_NAME   = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const VALIDATED_SPN             = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"

'############################
' Create Computer
'############################

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objContainer = GetObject("LDAP://cn=Computers," & _
                             objRootDSE.Get("defaultNamingContext"))
set objComputer = objContainer.Create("Computer", "cn=" & strComputer)

objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", _
                 ADS_UF_PASSWD_NOTREQD Or ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.Put "description", strDescr
objComputer.SetInfo

'############################
' Create ACL
'############################

set objSD = objComputer.Get("nTSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Special: Control Rights, List Children
'          Generic Read, Delete,
'          Delete Subtree, Read Permission
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee    = strUser
objACE1.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS Or _
                     ADS_RIGHT_ACTRL_DS_LIST Or _
                     ADS_RIGHT_GENERIC_READ Or _
                     ADS_RIGHT_DELETE Or _
                     ADS_RIGHT_DS_DELETE_TREE Or ADS_RIGHT_READ_CONTROL
objACE1.AceFlags   = 0
objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED

' Write Property: description
set objACE2 = CreateObject("AccessControlEntry")
objACE2.Trustee    = strUser
objACE2.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE2.AceFlags   = 0
objACE2.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE2.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE2.ObjectType = DESCRIPTION

' Write Property: sAMAccountName
set objACE3 = CreateObject("AccessControlEntry")
objACE3.Trustee    = strUser
objACE3.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE3.AceFlags   = 0
objACE3.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE3.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.ObjectType = SAM_ACCOUNT_NAME

' Write Property: displayName
set objACE4 = CreateObject("AccessControlEntry")
objACE4.Trustee    = strUser
objACE4.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE4.AceFlags   = 0
objACE4.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE4.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE4.ObjectType = DISPLAY_NAME

' Write Property: Logon Information
set objACE5 = CreateObject("AccessControlEntry")
objACE5.Trustee    = strUser
objACE5.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE5.AceFlags   = 0
objACE5.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE5.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE5.ObjectType = USER_LOGON_INFORMATION

' Write Property: Account Restrictions
set objACE6 = CreateObject("AccessControlEntry")
objACE6.Trustee    = strUser
objACE6.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE6.AceFlags   = 0
objACE6.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE6.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE6.ObjectType = USER_ACCOUNT_RESTRICTIONS

' Write Self: Validated SPN
set objACE7 = CreateObject("AccessControlEntry")
objACE7.Trustee    = strUser
objACE7.AccessMask = ADS_RIGHT_DS_SELF
objACE7.AceFlags   = 0
objACE7.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE7.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE7.ObjectType = VALIDATED_SPN

' Write Self: Validated DNS Host Name
set objACE8 = CreateObject("AccessControlEntry")
objACE8.Trustee    = strUser
objACE8.AccessMask = ADS_RIGHT_DS_SELF
objACE8.AceFlags   = 0
objACE8.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE8.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE8.ObjectType = VALIDATED_DNS_HOST_NAME

objDACL.AddAce objACE1
objDACL.AddAce objACE2
objDACL.AddAce objACE3
objDACL.AddAce objACE4
objDACL.AddAce objACE5
objDACL.AddAce objACE6
objDACL.AddAce objACE7
objDACL.AddAce objACE8

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objComputer.Put "nTSecurityDescriptor", objSD
objComputer.SetInfo
WScript.Echo "Successfully created " & strComputer & _
             " and gave rights to " & strUser
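As an added illustration (not code from the book), the following Python snippet decodes the two bitmasks that this recipe relies on: the userAccountControl value the VBScript writes on the new computer object (which is also the userAccountControl row of the attribute table earlier in this chapter), and the AccessMask of the first ACE, which the dsacls line above spells out as CALCGRSDDTRC. The ADS_* values are the constants from the script; the dsacls two-letter codes and the additional userAccountControl flag names beyond the two used on this page are well-known ADS_USER_FLAG_ENUM values, and the sample values fed in are constructed.

```python
"""Decode userAccountControl and an ACE AccessMask as used in the recipe above.
Added example; constants are the ADS_* values from the script."""

# ADS_USER_FLAG_ENUM bits: the two the script sets (0x20, 0x1000) plus a few
# other well-known flags a defender looks for on computer objects.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

# ADS_RIGHTS_ENUM values from the script, keyed by the dsacls permission
# code that grants the same right.
DSACLS_RIGHTS = {
    "CA": 0x100,        # ADS_RIGHT_DS_CONTROL_ACCESS
    "LC": 0x4,          # ADS_RIGHT_ACTRL_DS_LIST (list children)
    "GR": 0x80000000,   # ADS_RIGHT_GENERIC_READ
    "SD": 0x10000,      # ADS_RIGHT_DELETE
    "DT": 0x40,         # ADS_RIGHT_DS_DELETE_TREE
    "RC": 0x20000,      # ADS_RIGHT_READ_CONTROL
    "WP": 0x20,         # ADS_RIGHT_DS_WRITE_PROP
    "WS": 0x8,          # ADS_RIGHT_DS_SELF (validated write)
}


def decode_uac(value: int) -> list:
    """Flag names set in a userAccountControl value, lowest bit first.
    Bits without a name are reported as hex so nothing is silently dropped."""
    names, known = [], 0
    for bit, name in sorted(UAC_FLAGS.items()):
        if value & bit:
            names.append(name)
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def dsacls_to_mask(codes: str) -> int:
    """Turn a dsacls permission string such as CALCGRSDDTRC into an
    ADS_RIGHTS_ENUM mask. Codes are two letters each, simply concatenated."""
    if len(codes) % 2:
        raise ValueError(f"odd-length permission string: {codes!r}")
    mask = 0
    for i in range(0, len(codes), 2):
        code = codes[i:i + 2]
        if code not in DSACLS_RIGHTS:
            raise ValueError(f"unknown dsacls permission {code!r}")
        mask |= DSACLS_RIGHTS[code]
    return mask


def mask_to_dsacls(mask: int) -> str:
    """Inverse of dsacls_to_mask, for reading an AccessMask out of an ACE."""
    return "".join(code for code, bit in DSACLS_RIGHTS.items() if mask & bit)


def precreation_findings(uac: int) -> list:
    """Checks a defender would run over pre-created computer accounts."""
    flags = decode_uac(uac)
    findings = []
    if "PASSWD_NOTREQD" in flags:
        findings.append("PASSWD_NOTREQD is set: the directory will accept an empty "
                        "password for this account; verify it is cleared once the "
                        "computer has joined")
    if "WORKSTATION_TRUST_ACCOUNT" not in flags and "SERVER_TRUST_ACCOUNT" not in flags:
        findings.append("no trust-account flag is set: object is not usable as a "
                        "computer account")
    return findings


if __name__ == "__main__":
    # 0x1020 is what the script above writes: PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT
    print(decode_uac(0x1020), precreation_findings(0x1020))
    # objACE1.AccessMask, built from the same constants the script uses
    ace1 = 0x100 | 0x4 | 0x80000000 | 0x10000 | 0x40 | 0x20000
    print(hex(ace1), mask_to_dsacls(ace1), dsacls_to_mask("CALCGRSDDTRC") == ace1)
```

The round trip shows that the dsacls solution and the VBScript solution grant the same first ACE (mask 0x80030144). The two solutions do differ on userAccountControl: the script sets PASSWD_NOTREQD alongside WORKSTATION_TRUST_ACCOUNT, which is exactly the condition the findings helper reports.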
Deleting a Computer
You want to delete a computer account.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. In the left pane, browse to the parent container for the computer, right-click on it, and select Find….
  4. In the Find: drop-down box, select Computers. Enter the name of the computer account and click Find Now.
  5. Right-click on the computer and click Delete. Click Yes to confirm.

Using a command-line interface

You can delete a computer using the built-in dsrm utility, as well as AdMod. For dsrm, use the following syntax:
> dsrm "<Computer DN>"
For AdMod, enter the following:
> admod -b "<Computer DN>" -del

Using VBScript

strCompDN = "<Computer DN>"
set objComp = GetObject("LDAP://" & strCompDN)
objComp.DeleteObject(0)

Using PowerShell

To delete an object using the Quest AD cmdlets, use the following syntax:
remove-QADObject -identity <Computer DN>
To delete an object using the .NET methods, use the following:
$obj = [ADSI] "LDAP://<Computer DN>"
$obj.DeleteObject(0)
Joining a Computer to a Domain
You want to join a computer to a domain after the computer object has already been created in Active Directory.

Using a graphical user interface

  1. Log on to the computer you want to join to the domain and open the Control Panel.
  2. Open the System applet.
  3. Click the Computer Name tab.
  4. Click the Change button.
  5. Under “Member of,” select Domain.
  6. Enter the domain you want to join and click OK.
  7. You may be prompted to enter credentials that grant permission to join the domain.
  8. Reboot the computer.
    Note that the tabs in the System applet vary between Windows 2000, Windows XP, and Windows Server 2003.

Using a command-line interface

> netdom join <ComputerName> /Domain <DomainName> /UserD <DomainUserUPN> /PasswordD * /UserO <ComputerAdminUser> /PasswordO * /Reboot

Using VBScript

' This code joins a computer to a domain
' ------ SCRIPT CONFIGURATION ------
strComputer     = "<ComputerName>"      ' e.g. joe-xp
strDomain       = "<DomainName>"        ' e.g. adatum.com
strDomainUser   = "<DomainUserUPN>"     ' e.g. administrator@adatum.com
strDomainPasswd = "<DomainUserPasswd>"
strLocalUser    = "<ComputerAdminUser>" ' e.g. administrator
strLocalPasswd  = "<ComputerUserPasswd>"
' ------ END CONFIGURATION ---------

'########################
' Constants
'########################
Const JOIN_DOMAIN             = 1
Const ACCT_CREATE             = 2
Const ACCT_DELETE             = 4
Const WIN9X_UPGRADE           = 16
Const DOMAIN_JOIN_IF_JOINED   = 32
Const JOIN_UNSECURE           = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET        = 256
Const INSTALL_INVOCATION      = 262144

'###########################
' Connect to Computer
'###########################
set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
objWMILocator.Security_.AuthenticationLevel = 6
set objWMIComputer = objWMILocator.ConnectServer(strComputer,  _
                                                 "root\cimv2", _
                                                 strLocalUser, _
                                                 strLocalPasswd)
set objWMIComputerSystem = objWMIComputer.Get( _
                               "Win32_ComputerSystem.Name='" & _
                               strComputer & "'")

'###########################
' Join Computer
'###########################
rc = objWMIComputerSystem.JoinDomainOrWorkGroup(strDomain, _
                                                strDomainPasswd, _
                                                strDomainUser, _
                                                vbNullString, _
                                                JOIN_DOMAIN)
if rc <> 0 then
    WScript.Echo "Join failed with error: " & rc
else
    WScript.Echo "Successfully joined " & strComputer & " to " & strDomain
end if
Moving a Computer Within the Same Domain
You want to move a computer object to a different container or OU within the same domain.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Beside Find, select Computers.
  5. Type the name of the computer and click Find Now.
  6. In the Search Results window, right-click on the computer and select Move.
  7. Browse to and select the new parent container or OU.
  8. Click OK.
Starting with the Windows Server 2003 version of Active Directory Users and Computers, you can also use the new drag-and-drop functionality to move computers and other objects.

Using a command-line interface

You can move a computer object to a new container using the built-in DSMove utility or AdMod. To use DSMove, enter the following syntax:
> dsmove "<ComputerDN>" -newparent "<NewParentDN>"
To move a computer object using AdMod, use the following:
> admod -b "<ComputerDN>" -move "<NewParentDN>"

Using VBScript

' This code moves a computer
' to the specified container/OU.
' ------ SCRIPT CONFIGURATION -------
strCompDN = "<ComputerDN>" ' e.g. cn=joe-xp,cn=Users,dc=adatum,dc=com
strOUDN = "<NewParentDN>"  ' e.g. ou=workstations,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objComp = GetObject("LDAP://" & strCompDN)
set objOU = GetObject("LDAP://" & strOUDN)
objOU.MoveHere objComp.ADsPath, objComp.Name

Using PowerShell

To move an Active Directory computer account using the Quest AD cmdlets, use the following syntax:
move-QADObject -identity <ComputerDN> -newparent <NewParentDN>
To use the .NET methods, use the following syntax:
$obj = [ADSI] "LDAP://<Computer DN>"
$newParent = [ADSI] "LDAP://<New Parent DN>"
$obj.psbase.MoveTo($newParent)
You can move computer objects around a domain without much impact on the computer itself. You just need to be cautious of the security settings on the new parent OU, which may impact a user’s ability to manage the
Moving a Computer to a New Domain
You want to move a computer object to a different domain.

Using a graphical user interface

To migrate a computer object between domains in the same forest, use the following steps:
  1. Open the ADMT MMC snap-in.
  2. Right-click on the Active Directory Migration Tool folder and select the Computer Account Migration Wizard.
  3. On the Domain Selection page, enter the DNS or NetBIOS name of the source and target domains. Click Next.
  4. On the Translate Objects screen, specify which objects should have new ACLs applied in the new domain. Select any, none, or all of the following, and then click Next to continue:
    • Files and folders
    • Local groups
    • Printers
    • Registry
    • Shares
    • User profiles
    • User rights
  5. On the Security Migration Options screen, select the following options to determine how local user accounts will be migrated into the new domain. Select one of the following and click Next to continue:
    Replace
    Replaces any references to objects from the source domain with references to objects in the target domain.
    Add
    Adds references to objects in the target domain while leaving the source domain objects intact.
    Remove
    Removes all references to source domain objects.
  6. On the Naming Conflicts page, configure how the wizard should handle naming conflicts during the migration process. Select one of the following and click Next to continue:
    • Ignore conflicting accounts and don’t migrate.
    • Replace conflicting accounts.
    • Rename conflicting accounts by adding a designated prefix or suffix.
  7. On the Options screen, select the amount of time the wizard should wait before rebooting the target computer into the new domain.
  8. Click Next to review your choices and begin the migration process.

Using a command-line interface

The following command migrates a computer object from the adatum.com domain to the emea.adatum.com domain. It will place the migrated object in the Finance OU and will wait two minutes before rebooting the target computer:
Renaming a Computer
You want to rename a computer.

Using a graphical user interface

  1. Log on to the computer either directly or with a remote console application such as Terminal Services.
  2. Open the Control Panel and double-click on the System applet.
  3. Select the Computer Name tab and click the Change button.
  4. Under Computer Name, type the new name of the computer and click OK until you are out of the System applet.
  5. Reboot the machine.

Using a command-line interface

You can rename a computer object by using the built-in netdom utility with the following syntax:
> netdom renamecomputer <ComputerName> /NewName <NewComputerName> /UserD <DomainUserUPN> /PasswordD * /UserO <ComputerAdminUser> /PasswordO * /Reboot

Using VBScript

' This code renames a computer in AD and on the host itself.
' ------ SCRIPT CONFIGURATION -------
strComputer     = "<ComputerName>"      ' e.g. joe-xp
strNewComputer  = "<NewComputerName>"   ' e.g. joe-pc
strDomainUser   = "<DomainUserUPN>"     ' e.g. administrator@adatum.com
strDomainPasswd = "<DomainUserPasswd>"
strLocalUser    = "<ComputerAdminUser>" ' e.g. joe-xp\administrator
strLocalPasswd  = "<ComputerAdminPasswd>"
' ------ END CONFIGURATION ---------

'###########################
' Connect to Computer
'###########################
set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
objWMILocator.Security_.AuthenticationLevel = 6
set objWMIComputer = objWMILocator.ConnectServer(strComputer,  _
                                                 "root\cimv2", _
                                                 strLocalUser, _
                                                 strLocalPasswd)
set objWMIComputerSystem = objWMIComputer.Get( _
                               "Win32_ComputerSystem.Name='" & _
                               strComputer & "'")

'###########################
' Rename Computer
'###########################
rc = objWMIComputerSystem.Rename(strNewComputer, _
                                 strDomainPasswd, _
                                 strDomainUser)
if rc <> 0 then
    WScript.Echo "Rename failed with error: " & rc
else
    WScript.Echo "Successfully renamed " & strComputer & " to " & _
                 strNewComputer
end if

' Note: the reboot below restarts the machine the script is running on,
' so run this script on the computer being renamed.
WScript.Echo "Rebooting ... "
set objWSHShell = WScript.CreateObject("WScript.Shell")
objWSHShell.Run "rundll32 shell32.dll,SHExitWindowsEx 2"
Adding or Removing a Computer Account from a Group
You want to add or remove a computer account from an Active Directory security group.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the objects you want to modify.
  4. In the right pane, highlight each object you want to modify, right-click, and select Properties.
  5. On the “Member of” tab, click Add.
  6. Click the group to which you want to add the computer, and then click Add. To add the computer to more than one group, press Ctrl while selecting the groups you want to add the computer to, and then click Add.
  7. To remove a group, select the group object and click Remove.
  8. Click OK to finish.

Using a command-line interface

To add a computer object to a group, use the following syntax:
> admod -b "<GroupDN>" member:+:"<ComputerDN>"
To remove an object, replace :+: with :-: in the previous syntax.

Using VBScript

' This code adds and removes a computer object from a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=adatum,dc=com
strComputerDN = "<ComputerDN>" ' e.g. cn=Fin101,cn=Computers,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)
' Add a member
objGroup.Add("LDAP://" & strComputerDN)

' Remove a member
objGroup.Remove("LDAP://" & strComputerDN)

Using PowerShell

To add a computer account to a group using the Quest AD cmdlets, use the following syntax:
$objComp = get-QADComputer -identity "<ComputerDN>"
add-QADGroupMember -identity "<GroupDN>" -member $objComp
To add a computer to a group using ADSI, use the following:
$objGroup = [ADSI]("LDAP://" + "<Group DN>")
$objGroup.Add("LDAP://" + "<Computer DN>")
#
# to remove a computer from the group instead
#
$objGroup.Remove("LDAP://" + "<Computer DN>")
In Active Directory, both user
Testing the Secure Channel for a Computer
You want to test the secure channel of a computer.

Using a command-line interface

> nltest /server:<ComputerName> /sc_query:<DomainName>
Every member computer in an Active Directory domain establishes a secure channel with a domain controller. The computer’s password is stored locally in the form of an LSA secret and in Active Directory. This password is used by the NetLogon service to establish the secure channel with a domain controller. If for some reason the LSA secret and computer password become out of sync, the computer will no longer be able to authenticate in the domain. The nltest /sc_query command can query a computer to verify its secure channel is working. Here is sample output from the command when things are working:
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc1.adatum.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
If a secure channel is failing, you’ll need to reset the computer as described in the Resetting a Computer Account recipe. Here is sample output when things are not working:
Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully
See also the Resetting a Computer Account recipe for resetting a computer, and MS KB 216393 (Resetting Computer Accounts in Windows 2000 and Windows XP).
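The following Python snippet (added here as an example, not code from the book) parses the two nltest /sc_query outputs shown above, embedded as constructed sample text, and decides whether the secure channel is healthy. The decision keys on the Trusted DC Connection Status line and on whether a trusted DC is named at all; the closing "The command completed successfully" line only reports that nltest itself ran, and is identical in both samples, so it is deliberately ignored. This is the kind of check one would run over collected nltest output from many hosts to find machines whose channel has broken.

```python
"""Parse nltest /sc_query output and classify the secure channel.
Added example; the two samples are the outputs shown in the recipe."""
import re

HEALTHY = r"""Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\dc1.adatum.com
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully"""

FAILING = r"""Flags: 0
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
The command completed successfully"""

# One regex per line of interest; [ \t]* keeps the match on a single line.
FLAGS_RE = re.compile(r"^Flags:[ \t]*([0-9A-Fa-f]+)((?:[ \t]+\S+)*)[ \t]*$", re.M)
DC_RE = re.compile(r"^Trusted DC Name[ \t]*(\S*)[ \t]*$", re.M)
STATUS_RE = re.compile(
    r"^Trusted DC Connection Status Status = (\d+) 0x([0-9A-Fa-f]+)"
    r"(?:[ \t]+(\S+))?[ \t]*$", re.M)


def parse_sc_query(text: str) -> dict:
    """Pull flags, trusted DC and status out of one nltest /sc_query run.
    Missing fields are left at their defaults rather than raising, so a
    batch over many hosts keeps going when one output is mangled."""
    result = {"flags": [], "trusted_dc": "", "status": None, "status_name": ""}
    m = FLAGS_RE.search(text)
    if m:
        result["flags"] = m.group(2).split()
    m = DC_RE.search(text)
    if m:
        result["trusted_dc"] = m.group(1)
    m = STATUS_RE.search(text)
    if m:
        result["status"] = int(m.group(1))
        result["status_name"] = m.group(3) or ""
    return result


def secure_channel_ok(text: str) -> bool:
    """Healthy means status 0 and a trusted DC actually named."""
    r = parse_sc_query(text)
    return r["status"] == 0 and bool(r["trusted_dc"])


def triage(host: str, text: str) -> str:
    """One-line verdict per host, suitable for a report or a ticket."""
    r = parse_sc_query(text)
    if secure_channel_ok(text):
        return f"{host}: secure channel OK via {r['trusted_dc']}"
    if r["status"] is None:
        return f"{host}: could not parse nltest output"
    return (f"{host}: secure channel FAILING ({r['status']} {r['status_name']}); "
            "reset the computer account and rejoin, or try netdom reset")


if __name__ == "__main__":
    print(triage("joe-xp", HEALTHY))
    print(triage("fin101", FAILING))
```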
Resetting a Computer Account
You want to reset a computer because its secure channel is failing.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Beside Find, select Computers.
  5. Type the name of the computer and click Find Now.
  6. In the Search Results, right-click on the computer and select Reset Account.
  7. Click Yes to verify.
  8. Click OK.
  9. Rejoin the computer to the domain.

Using a command-line interface

You can use the DSMod utility to reset a computer’s password. You will need to rejoin the computer to the domain after doing this:
> dsmod computer "<ComputerDN>" -reset
Another option is to use the netdom command, which can reset the secure channel between the computer and the domain controller without affecting the computer’s password, so that you do not need to rejoin it to the domain:
> netdom reset <ComputerName> /Domain <DomainName> /UserO <UserUPN> /PasswordO *
You can also use the nltest command to reset a secure channel using the following syntax:
> nltest /sc_reset:<DomainName>\<DCName>

Using VBScript

' This resets an existing computer object's password to initial default.
' You'll need to rejoin the computer after doing this.
set objComputer = GetObject("LDAP://<ComputerDN>")
objComputer.SetPassword "<ComputerName>"
When you’ve identified that a computer’s secure channel has failed, you’ll need to reset the computer object, which consists of setting the computer object password to the name of the computer. This is the default initial password for new computers. Every 30 days, Windows 2000 and newer systems automatically change their passwords in the domain. After you’ve set the password, you’ll need to rejoin the computer to the domain since it will no longer be able to communicate with a domain controller due to unsynchronized passwords. However, the
Finding Inactive or Unused Computers
You want to find inactive computer accounts in a domain.
These solutions might only apply to Windows-based machines. Other types of machines—e.g., Unix, Mac, Network Attached Storage (NAS)—that have accounts in Active Directory might not update their login timestamps or passwords, which are used to determine inactivity.

Using a command-line interface

The following query will locate all inactive computers in the current forest:
> dsquery computer forestroot -inactive <NumWeeks>
You can also use domainroot in combination with the -d option to query a specific domain:
> dsquery computer domainroot -d <DomainName> -inactive <NumWeeks>
or you can target your query at a specific container:
> dsquery computer ou=MyComputers,dc=adatum,dc=com -inactive <NumWeeks>
These commands can only be run against a Windows Server 2003 domain functional level or higher domain.
You can also use the OldCmp joeware utility to create a report of all computer accounts whose passwords are older than a certain number of days (90 by default) by using the following syntax:
> oldcmp -report
To specify an alternate password age with oldcmp, use the -age x switch. You can also use the -llts switch to use the lastLogonTimeStamp attribute to perform the age calculations. (Without this switch, oldcmp will use pwdLastSet by default, which will work against any version of Active Directory in any domain mode.)


The dsquery computer command is very handy for finding inactive computers that have not logged in to the domain for a number of weeks or months. You can pipe the results of the query to the dsrm command-line utility if you want to remove the inactive computer objects from Active Directory in a single command. Here is an example that would delete all computers in the current domain that have been inactive for 12 weeks or longer:
> for /F "usebackq" %i in (`dsquery computer domainroot -inactive 12`) do dsrm %i
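The following Python example (added here; not code from the book) performs the inactivity calculation that dsquery -inactive and oldcmp -age carry out, over a handful of constructed computer records, and in doing so converts the pwdLastSet and lastLogonTimestamp large integers described in the attribute table earlier in the chapter. The records and the fixed clock are constructed; the handling of non-Windows accounts follows the note at the top of this recipe, and the helper is deliberately a report rather than a delete, since the dsrm pipeline above is irreversible.

```python
"""Convert pwdLastSet / lastLogonTimestamp and classify computers as inactive
the way dsquery -inactive and oldcmp -age do. Added example, constructed data."""
from datetime import datetime, timedelta, timezone

# Both attributes are Windows FILETIME values: 100-nanosecond intervals since
# 1601-01-01 00:00 UTC, stored as a large integer. 0 means "never set".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """Large-integer attribute value to an aware datetime; None if never set."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Exact inverse, done in integers to avoid float rounding at 10^17."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


NOW = datetime(2009, 1, 15, tzinfo=timezone.utc)  # fixed clock, so results are reproducible


def ago(days: int) -> int:
    """FILETIME for a point `days` before NOW (used to build the sample)."""
    return datetime_to_filetime(NOW - timedelta(days=days))


# Constructed sample records, shaped like the attributes an LDAP search returns.
SAMPLE = [
    {"sAMAccountName": "FIN101$", "operatingSystem": "Windows XP Professional",
     "pwdLastSet": ago(20), "lastLogonTimestamp": ago(3)},
    {"sAMAccountName": "OLDBOX$", "operatingSystem": "Windows 2000 Professional",
     "pwdLastSet": ago(120), "lastLogonTimestamp": ago(100)},
    {"sAMAccountName": "NAS01$", "operatingSystem": "",
     "pwdLastSet": ago(400), "lastLogonTimestamp": 0},
]


def find_inactive(records, weeks: int, now: datetime = NOW, use_llts: bool = False) -> dict:
    """Names older than the cutoff ('inactive') and names that cannot be judged
    from these attributes ('unverifiable'): a non-Windows operatingSystem, as
    the recipe warns, or a timestamp that was never set.

    pwdLastSet lags real activity by up to the 30-day machine password cycle,
    and lastLogonTimestamp is only rewritten when the stored value is roughly
    9 to 14 days old (and exists only at Windows Server 2003 functional level
    or higher), so both are coarse measures; pick the cutoff accordingly."""
    attr = "lastLogonTimestamp" if use_llts else "pwdLastSet"
    cutoff = now - timedelta(weeks=weeks)
    inactive, unverifiable = [], []
    for rec in records:
        name = rec["sAMAccountName"]
        stamp = filetime_to_datetime(rec.get(attr, 0))
        if stamp is None or not rec.get("operatingSystem", "").startswith("Windows"):
            unverifiable.append(name)
        elif stamp < cutoff:
            inactive.append(name)
    return {"inactive": inactive, "unverifiable": unverifiable}


if __name__ == "__main__":
    print(find_inactive(SAMPLE, 12))
    print(find_inactive(SAMPLE, 2), find_inactive(SAMPLE, 2, use_llts=True))
```

With a 12-week cutoff both attributes agree; with a 2-week cutoff the pwdLastSet-based check flags FIN101$ even though its lastLogonTimestamp shows it active three days ago, which is why a short cutoff against pwdLastSet produces false positives.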
Changing the Maximum Number of Computers a User Can Join to the Domain
You want to grant users the ability to join more or fewer than 10 computers to a domain. This limit is called the machine account quota.

Using a graphical user interface

  1. Open the ADSI Edit MMC snap-in and connect to the Domain Naming Context.
  2. Right-click on the domainDNS object for the domain you want to change and select Properties.
  3. Edit the ms-DS-MachineAccountQuota attribute and enter the new quota value.
  4. Click OK twice.

Using a command-line interface

In the following LDIF code, replace <DomainDN> with the distinguished name of the domain you want to change, and replace <Quota> with the new machine account quota:
dn: <DomainDN>
changetype: modify
replace: ms-DS-MachineAccountQuota
ms-DS-MachineAccountQuota: <Quota>
-
If the LDIF file was named change_computer_quota.ldf, you would then run the following command:
> ldifde -v -i -f change_computer_quota.ldf
You can also make this change using AdMod, as follows:
> admod -b <DomainDN> ms-DS-MachineAccountQuota::<Quota>

Using VBScript

' This code sets the
' machine account quota for a domain.
' ------ SCRIPT CONFIGURATION ------
intQuota = <Quota>
strDomain = "<DomainDNSName>" ' e.g. emea.adatum.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
objDomain.Put "ms-DS-MachineAccountQuota", intQuota
objDomain.SetInfo
WScript.Echo "Updated machine account quota to " & intQuota

Using PowerShell

You can modify the ms-DS-MachineAccountQuota attribute using either the Quest cmdlets or ADSI, as follows:
set-QADObject '<DomainDN>' -ObjectAttributes @{'ms-DS-MachineAccountQuota'='<NewQuota>'}

# GetCurrentDomain() returns a Domain object; GetDirectoryEntry() gives the
# ADSI entry that supports Put and SetInfo.
$objDom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetDirectoryEntry()
$objDom.Put("ms-DS-MachineAccountQuota", <NewQuota>)
$objDom.SetInfo()
In a default Active Directory installation, members of the Authenticated Users group can add and join up to 10 computer accounts in the default Computers container. The number of computer accounts that can be created is defined in the attribute
Modifying the Attributes of a computer Object
You want to modify one or more attributes of a computer object.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the naming context, container, or OU you want to add an object to. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to the container or OU that contains the computer object you want to modify. Once you’ve found the object, right-click on it and select Properties.
  4. Right-click the attribute you want to modify and select Edit.
  5. Enter the new value and click OK.
  6. Click Apply, followed by OK.

Using a command-line interface

Create an LDIF file called modify_object.ldf with the following contents:
dn: <ComputerDN>
changetype: modify
add: <AttributeName>
<AttributeName>: <AttributeValue>
-
Use replace: instead of add: when you want to overwrite a value that is already set; an add: on a single-valued attribute that is already populated is rejected with a constraint violation. Then run the following command:
> ldifde -v -i -f modify_object.ldf
To modify an object using AdMod, you’ll use the following general syntax:
> admod -b <ComputerDN> <attribute>:<operation>:<value>
For example, you can set the location of a computer object using the following syntax (note that the whole DN is quoted):
> admod -b "cn=Fin101,cn=Computers,dc=adatum,dc=com" location::"Berlin, Germany"

Using VBScript

' The following code will modify the location attribute
' of a computer object.
Set objComputer = GetObject("LDAP://<ComputerDN>")
objComputer.Put "location", "<NewLocationValue>"
objComputer.SetInfo

Using PowerShell

set-QADObject -identity <ComputerDN> -ObjectAttributes @{'<attribute1>'='<Value>';'<attribute2>'='<Value>'...}

$objComp = [ADSI] "LDAP://<ComputerDN>"
$objComp.Put("<attribute>","<Value>")
$objComp.SetInfo()
Like all objects within Active Directory, computer objects have various attributes that can be queried, modified, and deleted during the day-to-day management of your domain. Because
End of preview. The rest of this section is not viewable here.
Finding Computers with a Particular OS
You want to find computers that have a certain OS version, release, or service pack in a domain.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a user to perform the search.
  8. Click OK.
  9. From the Menu, select Browse→Search.
  10. For Base DN, enter the base of where you want your search to begin.
  11. For Filter, enter a filter that contains the OS attribute you want to search on. For example, a query for all computers that are running Windows XP would look like the following:
    (&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP Professional))
  12. Select the appropriate Scope based on how deep you want to search.
  13. Click the Options button if you want to customize the list of attributes returned for each matching object.
  14. Click Run, and the results will be displayed in the right pane.
You can also perform this search using the Active Directory Users and Computers MMC snap-in (dsa.msc), as follows:
  1. Open the ADUC MMC snap-in.
  2. Right-click on the domain, OU, or container that you wish to search, and click Find.
  3. In the Find drop-down box, select Computers.
  4. Click on the Advanced tab. Click on Field and select Operating System.
  5. Select the Condition that you want to search on from one of the following:
    • Starts with
    • Ends with
    • Is (exactly)
    • Is not
    • Present
    • Not present
  6. In the Value field, enter the value that you want to search for, such as “Windows Server 2003.”
  7. Click Find Now.

Using a command-line interface

You can query for computer objects of a particular operating system using either DSQuery or AdFind. To perform the query with DSQuery, use the following syntax:
> dsquery * <DomainDN> -scope subtree -attr "*" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows Server 2003))"
The operatingSystem value is an exact string reported by the client, so use a trailing wildcard (for example, operatingSystem=Windows Server 2003*) if you want to match every edition of a release.
End of preview. The rest of this section is not viewable here.
Binding to the Default Container for Computers
This recipe requires the Windows Server 2003 or Windows Server 2008 domain functional level.
You want to bind to the default container that new computer objects are created in.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a domain user.
  8. Click OK.
  9. From the menu, select View→Tree.
  10. For the DN, enter:
    <WKGUID=aa312825768811d1aded00c04fd8d5cd,<DomainDN>>
    where <DomainDN> is the distinguished name of a domain.
  11. Click OK.
  12. In the lefthand menu, you can now browse the default computers container for the domain.

Using a command-line interface

By default, all computer objects created in an Active Directory domain are placed into the built-in Computers container. This default container has a significant limitation: because it is a container rather than an OU, you cannot link Group Policy Objects (GPOs) to it. If you have one or more GPOs that you wish to apply to all computer objects in your domain, you should change the default location for new computer accounts to an OU. You can use the redircmp utility to change this default location, as described in the recipe “Changing the Default Container for Computers.”

Using VBScript

' This code illustrates how to bind to the default computers container.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. apac.adatum.com
' ------ END CONFIGURATION --------

' Computers container GUID as defined in ntdsapi.h
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objCompContainer = GetObject("LDAP://<WKGUID=" & _
                             ADS_GUID_COMPUTRS_CONTAINER & "," & _
                             objRootDSE.Get("defaultNamingContext") & ">")
WScript.Echo objCompContainer.Get("distinguishedName")

Using PowerShell

$obj = [ADSI] "LDAP://<WKGUID=aa312825768811d1aded00c04fd8d5cd,<DomainDN>>"
End of preview. The rest of this section is not viewable here.
Changing the Default Container for Computers
You want to change the container that computers are created in by default.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a domain user.
  8. Click OK.
  9. From the menu, select Browse→Modify.
  10. For DN, enter the distinguished name of the domainDNS object of the domain you want to modify.
  11. For Attribute, enter wellKnownObjects.
  12. For Values, enter the following:
    B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,<DomainDN>
    where <DomainDN> is the same as the DN you enter for the DN field.
  13. Select Delete for the Operation and click the Enter button.
  14. Go back to the Values field and enter the following:
    B:32:AA312825768811D1ADED00C04FD8D5CD:<NewComputersParent>,<DomainDN>
    where <NewComputersParent> is the new parent container for new computer objects (e.g., ou=Adatum Computers).
  15. Select Add for the Operation and click the Enter button.
  16. Click the Run button.
The result of the operations will be displayed in the right pane of the main LDP window.

Using a command-line interface

> redircmp "<NewParentDN>"

Using VBScript

' This code changes the default computers container.
' ------ SCRIPT CONFIGURATION ------
strNewComputersParent = "<NewComputersParent>" ' e.g. OU=Adatum Computers
strDomain             = "<DomainDNSName>"      ' e.g. adatum.com
' ------ END CONFIGURATION ---------

Const COMPUTER_WKGUID = "B:32:AA312825768811D1ADED00C04FD8D5CD:"
' ADS_PROPERTY_OPERATION_ENUM
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
' Resolve the current default computers container through its well-known GUID
set objCompWK = GetObject("LDAP://" & _
                           "<WKGUID=AA312825768811D1ADED00C04FD8D5CD," & _
                           objRootDSE.Get("defaultNamingContext") & ">")

' The delete and the append are sent together in the single modify
' that SetInfo issues, which is how the DC expects this attribute to change.
objDomain.PutEx ADS_PROPERTY_DELETE, "wellKnownObjects", _
                Array( COMPUTER_WKGUID & objCompWK.Get("distinguishedName"))
objDomain.PutEx ADS_PROPERTY_APPEND, "wellKnownObjects", _
                Array( COMPUTER_WKGUID & strNewComputersParent & "," & _
                       objRootDSE.Get("defaultNamingContext") )
objDomain.SetInfo
WScript.Echo "New default Computers container set to " & _
              strNewComputersParent
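The recipe has no PowerShell solution, so the following is an added example, not code from the book. It parses the domain's wellKnownObjects values (each has the form B:32:<GUID as 32 hex digits>:<DN>), shows which container each well-known GUID currently points to, checks that the target is an existing OU (the whole point of the change is to be able to link GPOs), and then repoints the Computers entry with the same delete-plus-append in one SetInfo that the VBScript above uses. It assumes Domain Admin rights and an existing OU; $NewComputersOu is an illustrative value.

```powershell
# Added example: inspect and redirect the default Computers container via wellKnownObjects.
# Assumes: run as a Domain Admin; the target OU already exists; $NewComputersOu is illustrative.

$NewComputersOu = 'OU=Adatum Computers'      # relative to the domain DN (assumed name)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

$ComputersGuid       = 'AA312825768811D1ADED00C04FD8D5CD'   # well-known GUID of the Computers container
$ADS_PROPERTY_APPEND = 3
$ADS_PROPERTY_DELETE = 4

# Each wellKnownObjects value looks like B:32:<32 hex digits>:<DN>
function ConvertFrom-WellKnownObject([string]$Value) {
    if ($Value -match '^B:32:([0-9A-Fa-f]{32}):(.+)$') {
        [pscustomobject]@{ Guid = $Matches[1].ToUpper(); DN = $Matches[2] }
    }
}

$wko = @($domain.wellKnownObjects | ForEach-Object { ConvertFrom-WellKnownObject $_ })
$wko | Format-Table Guid, DN -AutoSize

$current = $wko | Where-Object { $_.Guid -eq $ComputersGuid }
$newDn   = "$NewComputersOu,$domainDn"
if ($current.DN -eq $newDn) { "Default Computers container already points to $newDn"; return }

# The target must exist and must be an OU; a plain container cannot have GPOs linked to it.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$newDn")) {
    throw "$newDn does not exist; create the OU first"
}
$target = [ADSI]"LDAP://$newDn"
if ($target.objectClass -notcontains 'organizationalUnit') {
    throw "$newDn is not an organizational unit"
}

# Delete the old value and append the new one in one SetInfo so the DC sees a
# single modify that swaps the entry rather than removes it.
$domain.PutEx($ADS_PROPERTY_DELETE, 'wellKnownObjects', @("B:32:${ComputersGuid}:$($current.DN)"))
$domain.PutEx($ADS_PROPERTY_APPEND, 'wellKnownObjects', @("B:32:${ComputersGuid}:$newDn"))
$domain.SetInfo()

# Verify through the WKGUID binding from the previous recipe
$check = [ADSI]"LDAP://<WKGUID=$ComputersGuid,$domainDn>"
"Default Computers container is now: " + [string]$check.distinguishedName
```

Existing computer objects stay where they are; only newly created accounts land in the new OU, so move the existing ones (and link your GPOs) as a separate step.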
End of preview. The rest of this section is not viewable here.
Listing All the Computer Accounts in a Domain
You want to obtain a list of all computer accounts in an Active Directory domain.

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in.
  2. Right-click on the domain node and select Find.
  3. In the Find drop-down box, select Computers and click Find Now.
  4. All computer objects in the domain will be displayed in the Search Results window.

Using a command-line interface

> adfind -default -f objectCategory=computer

Using VBScript

' The following script will enumerate all computer accounts
' within an Active Directory domain.
Const ADS_SCOPE_SUBTREE = 2
strDomain = "<DomainDN>"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from 'LDAP://" & strDomain & "' " _
        & "Where objectCategory='computer'"
' Page the results so that domains with more than 1,000 computers are listed in full
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    Wscript.Echo "Location: " & objRecordSet.Fields("Location").Value
    objRecordSet.MoveNext
Loop

Using PowerShell

You can obtain a listing of computer accounts using either the Quest AD cmdlets or the native ADSI methods, as shown here. Both default to the server's 1,000-object limit, so the Quest call uses -SizeLimit 0 and the DirectorySearcher sets PageSize to get a complete list:
get-QADObject -LdapFilter '(objectCategory=computer)' -SizeLimit 0

$strCategory = "computer"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(objectCategory=$strCategory)"
$objSearcher.PageSize = 1000
$objSearcher.FindAll()
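The following PowerShell is an added example, not code from the book; it serves both this recipe and “Finding Computers with a Particular OS.” It is one paged DirectorySearcher query with an optional operatingSystem wildcard, and it decodes the userAccountControl and lastLogonTimestamp attributes so that disabled accounts, domain controllers and stale machines are visible in the same list. It assumes a domain-joined host and no add-on modules; Get-ComputerInventory and Get-FirstValue are illustrative function names.

```powershell
# Added example: paged computer inventory, optionally filtered by operating system.
# Assumes: domain-joined host, no extra modules. Function names are illustrative.

function Get-FirstValue($props, [string]$name) {
    # SearchResult property names are lowercase; missing attributes yield an empty collection
    if ($props[$name].Count -gt 0) { $props[$name][0] }
}

function Get-ComputerInventory {
    param(
        [string]$OperatingSystem = '*',   # LDAP wildcard, e.g. 'Windows Server 2003*'
        [string]$SearchBase = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    )
    # Escape filter metacharacters (RFC 4515) but keep * as the wildcard
    $os = $OperatingSystem -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000     # without this the server stops at MaxPageSize (1,000)
    $searcher.Filter      = "(&(objectCategory=computer)(operatingSystem=$os))"
    [void]$searcher.PropertiesToLoad.AddRange(@(
        'name', 'dNSHostName', 'operatingSystem', 'operatingSystemVersion',
        'operatingSystemServicePack', 'userAccountControl', 'lastLogonTimestamp'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $p   = $r.Properties
            $uac = [int](Get-FirstValue $p 'useraccountcontrol')
            $llt = Get-FirstValue $p 'lastlogontimestamp'
            # lastLogonTimestamp is replicated but only refreshed every ~14 days
            $lastLogon = if ($llt) { [DateTime]::FromFileTimeUtc([long]$llt) }
            [pscustomobject]@{
                Name        = [string](Get-FirstValue $p 'name')
                DnsHostName = [string](Get-FirstValue $p 'dnshostname')
                OS          = [string](Get-FirstValue $p 'operatingsystem')
                Version     = [string](Get-FirstValue $p 'operatingsystemversion')
                ServicePack = [string](Get-FirstValue $p 'operatingsystemservicepack')
                Disabled    = [bool]($uac -band 0x2)        # ACCOUNTDISABLE
                IsDC        = [bool]($uac -band 0x2000)     # SERVER_TRUST_ACCOUNT
                LastLogon   = $lastLogon
            }
        }
    } finally { $results.Dispose() }   # release the search handle
}

# Every computer account in the domain
Get-ComputerInventory | Sort-Object Name | Format-Table -AutoSize

# Only enabled Windows XP machines, the ones an attacker would look for first
Get-ComputerInventory -OperatingSystem 'Windows XP*' |
    Where-Object { -not $_.Disabled } |
    Format-Table Name, OS, ServicePack, LastLogon -AutoSize
```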

Using VBScript and PowerShell

To obtain a list of domain controllers rather than of all computer objects, query the Configuration NC instead of the domain NC and replace objectCategory='computer' with objectCategory='ntDSDSA'. Each nTDSDSA object is the NTDS Settings object of one DC, and its parent is that DC's server object under the Sites container.
End of preview. The rest of this section is not viewable here.
Identifying a Computer Role
You want to identify the role that a particular computer serves in an Active Directory domain.

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in.
  2. Right-click on the domain node and select Find.
  3. In the Find drop-down box, select Computers and click Find Now.
  4. The role of each computer will be displayed in the Machine Role column in the Search Results window.

Using a command-line interface

> wmic computersystem get domainrole
For a domain controller that holds the PDC Emulator FSMO role, this will return the following output:
DomainRole

5
For a DC that doesn’t hold the PDCe FSMO, this command will return a value of 4.

Using VBScript

' The following code will return the domain role of the
' local computer.
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery _
    ("Select DomainRole from Win32_ComputerSystem")
For Each objComputer in colComputers
    Select Case objComputer.DomainRole
        Case 0
            strComputerRole = "Standalone Workstation"
        Case 1
            strComputerRole = "Member Workstation"
        Case 2
            strComputerRole = "Standalone Server"
        Case 3
            strComputerRole = "Member Server"
        Case 4
            strComputerRole = "Backup Domain Controller"
        Case 5
            strComputerRole = "Primary Domain Controller"
    End Select
    Wscript.Echo strComputerRole
Next

Using a command-line interface

WMIC is the command-line interface to Windows Management Instrumentation. It uses aliases (for example, computersystem for the Win32_ComputerSystem class) so that you can query WMI classes without writing WQL. To run wmic against a remote computer, add the /node:"<ComputerFQDN>" switch; the call uses your current credentials unless you also pass /user and /password.

Using VBScript

Rather than relying on an if…else construct to produce output, this script uses Select Case. In situations where there are numerous possible outcomes for a conditional statement,
End of preview. The rest of this section is not viewable here.
Protecting a Computer Against Accidental Deletion
You want to prevent a computer object from being accidentally deleted by an administrator who selects the incorrect option in Active Directory Users and Computers.

Using a graphical user interface (Windows Server 2008 only)

  1. Open Active Directory Users and Computers. Click on View and confirm that Advanced Features is selected.
  2. Drill down to the current domain. To connect to a different domain, right-click on the top-level node and click “Change domain”; select the appropriate domain and then drill down to it.
  3. Right-click on the computer that you want to modify and click Properties.
  4. Click on the Object tab.
  5. Place a checkmark next to “Protect object from accidental deletion.”
  6. Click OK.

Using a command-line interface (all versions)

dsacls "<ComputerDN>" /d EVERYONE:SDDT

Using PowerShell (all versions)

Add-QADPermission -Identity <ComputerDN> -Account 'EVERYONE' -Rights 'Delete,DeleteTree' -ApplyTo 'ThisObjectOnly' -Deny
The -Deny switch is essential: without it, Add-QADPermission grants Everyone the right to delete the object, the opposite of what you want.
If you have Exchange 2007 installed in your environment, you can also apply this protection using the Exchange 2007 Management Tools, as follows:
Add-ADPermission -Identity <ComputerName> -User EVERYONE -AccessRights Delete,DeleteTree -Deny
By default, all new OUs that are created in Windows Server 2008 have this protection enabled; no other object type is protected by default. If you attempt to delete a computer object that is protected in this way, even when signed on as a Domain Admin or a similarly elevated account, you will receive an “Access Denied” message until you clear the checkbox or remove the Deny ACE. The checkbox does nothing more than add that ACE (Delete and Delete Subtree denied to Everyone, on this object only), which is exactly what the dsacls and PowerShell commands above do.
Because it is only an ACE, the command-line and PowerShell methods apply this protection to computer objects in all versions of Windows Server, even though the GUI checkbox is only available in Windows Server 2008.
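The following PowerShell is an added example, not code from the book: it sets, verifies and removes the same Deny ACE using only System.DirectoryServices, so it works without the Quest or Exchange cmdlets. It assumes rights to modify the object's security descriptor; $ComputerDn, Get-DeleteProtection and Set-DeleteProtection are illustrative names.

```powershell
# Added example: accidental-deletion protection as a plain Deny ACE.
# Assumes: rights to write the object's ACL; $ComputerDn and function names are illustrative.

$ComputerDn = 'CN=Fin101,CN=Computers,DC=adatum,DC=com'

$Everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')   # well-known SID
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

function Get-DeleteProtection([string]$Dn) {
    $acl = ([ADSI]"LDAP://$Dn").psbase.ObjectSecurity
    # Explicit (non-inherited) Deny ACEs for Everyone that cover both Delete and DeleteTree
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference -eq $Everyone -and
            (($_.ActiveDirectoryRights -band $Rights) -eq $Rights)
        }
}

function Set-DeleteProtection([string]$Dn, [switch]$Remove) {
    $entry = [ADSI]"LDAP://$Dn"
    $acl   = $entry.psbase.ObjectSecurity
    # Inheritance None = this object only, the same ACE dsacls /D EVERYONE:SDDT writes
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Everyone, $Rights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    if ($Remove) { [void]$acl.RemoveAccessRule($ace) } else { $acl.AddAccessRule($ace) }
    $entry.psbase.CommitChanges()     # writes the modified security descriptor back
}

Set-DeleteProtection $ComputerDn
if (Get-DeleteProtection $ComputerDn) { "$ComputerDn is protected from deletion" }

# From now on even a Domain Admin gets Access Denied on delete, until:
# Set-DeleteProtection $ComputerDn -Remove
```

Get-DeleteProtection is also a useful audit: run it across your servers' computer objects to find the ones that are not protected.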
End of preview. The rest of this section is not viewable here.
Viewing the RODCs That Have Cached a Computer’s Password
You wish to view the RODCs that have cached a computer account’s password secrets in a Windows Server 2008 domain.

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. Click View→Advanced Features. In the left pane, right-click on the domain and select Find.
  3. In the Find drop-down box, select Computers. Select the appropriate domain beside In.
  4. Beside Name, type the name of the computer account and click Find Now.
  5. In the Search Results window, double-click on the computer.
  6. Select the Attribute Editor tab. Click Filter and ensure that there is a checkmark next to Backlinks.
  7. Scroll to the msDS-RevealedDSAs attribute to view a list of RODCs that have cached this computer’s password secrets.
  8. Click OK.

Using a command-line interface

> adfind -b <ComputerDN> msDS-RevealedDSAs

Using VBScript

' ------ SCRIPT CONFIGURATION ------
strCompDN = "<ComputerDN>" ' e.g. cn=Fin101,cn=Computers,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objComp = GetObject("LDAP://" & strCompDN)
' msDS-RevealedDSAs is multivalued, so use GetEx (which always returns an array)
' and loop; both Get and GetEx raise an error if no RODC has cached the secret.
for each strRODC in objComp.GetEx("msDS-RevealedDSAs")
    WScript.Echo strRODC
next

Using PowerShell

$objComp = [ADSI] "LDAP://<ComputerDN>"
$objComp.psbase.InvokeGet("msDS-RevealedDSAs")
As discussed in , Windows Server 2008 introduces the Read-Only Domain Controller (RODC) to improve the security of branch office and other remote environments. One of the security measures introduced by the RODC is the Password Replication Policy (PRP), which specifies a list of users, computers, and groups that can and cannot have their password secrets cached on one or more RODCs. Each RODC maintains a forward-link attribute called msDS-RevealedUsers, which lists the user and computer accounts whose password secrets that RODC has cached. Each user and computer account, in turn, maintains a backlink called msDS-RevealedDSAs. This backlink can be queried to determine which RODCs have stored password information for a particular account; however, like all backlinks, this attribute cannot be modified directly.
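The following PowerShell is an added example, not code from the book: rather than checking one computer, it searches the domain for every computer whose msDS-RevealedDSAs backlink is populated and groups the results by RODC, which is the view you need when a branch-office RODC is lost or compromised and you have to decide which machine accounts to reset. It assumes a Windows Server 2008 domain with at least one RODC and no add-on modules.

```powershell
# Added example: map each RODC to the computer accounts whose secrets it has cached.
# Assumes: Windows Server 2008 domain with RODCs; domain-joined host; no extra modules.

$domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$searcher.Filter   = '(&(objectCategory=computer)(msDS-RevealedDSAs=*))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'msDS-RevealedDSAs'))

$revealed = foreach ($r in $searcher.FindAll()) {
    # The backlink is multivalued: one DN per RODC that has revealed this account's secrets
    foreach ($rodc in $r.Properties['msds-revealeddsas']) {
        [pscustomobject]@{
            RODC     = [string]$rodc
            Computer = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

if (-not $revealed) { 'No computer account has been revealed to any RODC'; return }

$revealed | Group-Object RODC | Sort-Object Name | ForEach-Object {
    '{0}: {1} computer secret(s) cached' -f $_.Name, $_.Count
    $_.Group | Sort-Object Computer | ForEach-Object { '    ' + $_.Computer }
}
```

The same search with objectCategory=user lists the user accounts exposed on each RODC; run both before deciding which credentials to reset.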
End of preview. The rest of this section is not viewable here.
Chapter 9: Group Policy Objects
Active Directory Group Policy Objects (GPOs) can customize virtually any aspect of a computer or user’s desktop. They can also be used to install applications, secure a computer, run logon/logoff or startup/shutdown scripts, and much more. You can assign a GPO to a local computer, site, domain, or Organizational Unit. This is called scope of management (SOM), because only the users or computers that fall under the scope of the computer, OU, site, or domain will process the GPO. Assigning a GPO to a SOM is referred to as linking the GPO. You can further restrict the application of GPOs by using security groups to filter which users or groups they will apply to.
With Windows Server 2003 or newer on the server side and Windows XP or newer on the client, you can also use a WMI filter to restrict the application of a GPO. A WMI filter is simply a WMI query that can search against any information on a client’s computer. If the WMI filter returns a true value (i.e., the client computer matches the conditions that are specified in the filter), the GPO will be processed; otherwise, it will not. So not only do you have all of the SOM options for applying GPOs, you can now use any WMI information available on the client’s computer to determine whether GPOs should be applied. For more on the capabilities of GPOs, we recommend Chapter 7 of Active Directory, Fourth Edition, by Brian Desmond et al. (O’Reilly).
Group Policies are defined by a set of files that are replicated to each domain controller in a domain and a groupPolicyContainer (GPC) object that is stored in the cn=Policies,cn=System,<DomainDN> container. GPC objects contain information related to software deployment, wireless deployments, IPSec assignments, and metadata about the version of the GPO. GPC objects are used for linking to OUs, sites, and domains. The guts of GPOs are stored on the filesystem of each domain controller in group policy template (GPT) files and can be found in the %SystemRoot%\SYSVOL\sysvol\<DomainDNSName>\Policies
End of preview. The rest of this section is not viewable here.
Finding the GPOs in a Domain
You want to find all of the GPOs that have been created in a domain.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container.
  3. Expand the Domains container.
  4. Browse to the domain of the target GPO.
  5. Expand the Group Policy Objects container. All of the GPOs in the domain will be listed under that container.

Using a command-line interface

You can generate a list of all GPOs in a domain using the listallgpos.wsf script, as well as DSQuery and AdFind:
> listallgpos.wsf [/domain:<DomainDNSName>] [/v]

> dsquery * domainroot -filter "(objectcategory=grouppolicycontainer)" -attr displayname

> adfind -default -f "(objectcategory=grouppolicycontainer)" displayname
You can also use the gpotool utility from the Windows Server 2003 Resource Kit to display the GPOs:
> gpotool [/domain:<DomainDNSName>] [/verbose]

Using VBScript

' This code displays all of the GPOs for a domain.
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. adatum.com
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Create an empty search criteria object so that every GPO is returned
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

' Print the GPOs
WScript.Echo "Found " & objGPOList.Count & " GPOs in " & strDomain & ":"
for each objGPO in objGPOList
   WScript.Echo "   " & objGPO.DisplayName
next

Using PowerShell

get-SDMgpo *
See the “Introduction” to this chapter for more on how GPOs are stored in Active Directory.
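The following PowerShell is an added example, not code from the book. It enumerates the groupPolicyContainer objects directly over LDAP, without GPMC or the SDM cmdlets, and checks each GPC against its group policy template in SYSVOL: the versionNumber attribute of the GPC must equal the Version= line in the template's GPT.ini, which is the consistency check gpotool performs, and a mismatch means clients are applying something other than what the directory says. It assumes a domain-joined host with read access to SYSVOL; Test-GpoConsistency is an illustrative function name.

```powershell
# Added example: list GPOs over LDAP and compare each GPC version with its GPT in SYSVOL.
# Assumes: domain-joined host with read access to SYSVOL; function name is illustrative.

function Test-GpoConsistency {
    $domainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($policies)
    $searcher.Filter      = '(objectCategory=groupPolicyContainer)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize    = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('displayName', 'cn', 'gPCFileSysPath', 'versionNumber', 'flags'))

    foreach ($r in $searcher.FindAll()) {
        $p         = $r.Properties
        $adVersion = [int]$p['versionnumber'][0]
        $gptPath   = [string]$p['gpcfilesyspath'][0]
        $gptIni    = Join-Path $gptPath 'GPT.ini'

        # GPT.ini is a two-line INI file: [General] followed by Version=<int>
        $sysvolVersion = $null
        if (Test-Path -LiteralPath $gptIni) {
            foreach ($line in (Get-Content -LiteralPath $gptIni)) {
                if ($line -match '^Version=(\d+)\s*$') { $sysvolVersion = [int]$Matches[1]; break }
            }
        }

        # flags: 1 = user settings disabled, 2 = computer settings disabled, 3 = both
        $flags = if ($p['flags'].Count -gt 0) { [int]$p['flags'][0] } else { 0 }

        [pscustomobject]@{
            Name          = [string]$p['displayname'][0]
            Guid          = [string]$p['cn'][0]
            ADVersion     = $adVersion
            SysvolVersion = $sysvolVersion
            Consistent    = ($sysvolVersion -eq $adVersion)
            UserDisabled  = [bool]($flags -band 1)
            CompDisabled  = [bool]($flags -band 2)
            Path          = $gptPath
        }
    }
}

Test-GpoConsistency | Sort-Object Name |
    Format-Table Name, ADVersion, SysvolVersion, Consistent, UserDisabled, CompDisabled -AutoSize
```

A GPO with Consistent set to False, or with a SysvolVersion of null because GPT.ini is missing, is one to investigate: either SYSVOL replication is behind on the DC you queried or the template has been tampered with.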

Using VBScript

You can find the GPOs in a domain by using the GPMDomain.SearchGPOs method. The only parameter you need to pass to SearchGPOs is a GPMSearchCriteria object, which can be used to define criteria for your search. In this case, we created a GPMSearchCriteria object without additional criteria so that all GPOs are returned. The SearchGPOs
End of preview. The rest of this section is not viewable here.
Creating a GPO
You want to create a Group Policy Object within Active Directory.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, and browse to the domain of the target GPO.
  3. Right-click on the Group Policy Objects container and select New.
  4. Enter the name of the GPO and click OK.

Using a command-line interface

> creategpo.wsf <GPOName> [/domain:<DomainDNSName>]

Using VBScript

' This code creates an empty GPO.
' ------ SCRIPT CONFIGURATION -----
strGPO = "<GPOName>"          ' e.g. "Sales GPO"
strDomain = "<DomainDNSName>" ' e.g. "adatum.com"
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Create the GPO and print the results
set objGPO = objGPMDomain.CreateGPO()
WScript.Echo "Successfully created GPO"
objGPO.DisplayName = strGPO
WScript.Echo "Set GPO name to " & strGPO

Using PowerShell

To create a GPO called "Marketing GPO" in the adatum.com domain, use the following syntax:
new-SDMgpo -name "Marketing GPO" -domain "adatum.com"
If the GPO is successfully created, the cmdlet will output the display name of the GPO, along with the GUID and the Distinguished Name of the GPC that resides in the cn=Policies,cn=System,<DomainDN> container.
When you create a GPO through the GPMC, it is initially empty with no settings or links configured. See for more on modifying GPO settings, and for creating a link.

Using VBScript

To create a GPO, first instantiate a GPMDomain object for the domain to add the GPO to. This is accomplished with the GPM.GetDomain method. Then it is just a matter of calling the GPMDomain.CreateGPO method (with no parameters) to create an empty GPO. A GPM.GPO object is returned from this method, which you then use to set the display name of the GPO.
MS KB 216359 (How to Identify Group Policy Objects in the Active Directory and SYSVOL) and MSDN: GPMDomain.CreateGPO
End of preview. The rest of this section is not viewable here.
Copying a GPO
You want to copy the properties and settings of a GPO into another GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the source GPO, and expand the Group Policy Objects container.
  3. Right-click on the source GPO and select Copy.
  4. Right-click on the Group Policy Objects container and select Paste.
  5. Select whether you want to use the default permissions or to preserve the existing permissions from the GPO being copied, and click OK.
  6. A status window will pop up that will indicate whether the copy was successful. Click OK to close.
  7. Rename the new GPO by right-clicking it in the left pane and selecting Rename.

Using a command-line interface

> copygpo.wsf <SourceGPOName> <TargetGPOName>

Using VBScript

' This code copies a source GPO to a new GPO.
' ------ SCRIPT CONFIGURATION ------
strSourceGPO = "<SourceGPOName>" ' e.g. SalesGPO
strNewGPO    = "<NewGPOName>"    ' e.g. Marketing GPO
strDomain    = "<DomainDNSName>" ' e.g. adatum.com
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()
' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the source GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strSourceGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strSourceGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Copy from source GPO to target GPO
' (a flags value of 0 gives the new GPO default permissions, the first option in the GUI)
set objGPMResult = objGPOList.Item(1).CopyTo(0, objGPMDomain, strNewGPO)

' This will throw an exception if there were any errors
' during the actual operation.
on error resume next
objGPMResult.OverallStatus()
if objGPMResult.Status.Count > 0 then
   WScript.Echo "Status message(s): " & objGPMResult.Status.Count
   for i = 1 to objGPMResult.Status.Count
      WScript.Echo objGPMResult.Status.Item(i).Message
   next
   WScript.Echo vbCrLf
end if

' Display the results
if Err.Number <> 0 then
   WScript.Echo "Error copying GPO."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Copy successful to " & strNewGPO & "."
end if
End of preview. The rest of this section is not viewable here.
Deleting a GPO
You want to delete a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Right-click on the target GPO and select Delete.
  4. Click OK to confirm.

Using a command-line interface

> deletegpo.wsf <GPOName> [/domain:<DomainDNSName>]
To retain the links to the deleted GPO (in case you will be re-creating it with the same name), use the /keeplinks switch. Otherwise, all links will be deleted along with the GPO.

Using VBScript

' This code deletes the specified GPO.
' ------ SCRIPT CONFIGURATION ------
strGPO = "<GPOName>"          ' e.g. "My New GPO"
strDomain = "<DomainDNSName>" ' e.g. "adatum.com"
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Delete the GPO
objGPOList.Item(1).Delete
WScript.Echo "Successfully deleted GPO: " & strGPO

Using PowerShell

remove-SDMgpo -Name "<GPO Friendly Name>"
When you delete a GPO through the GPMC, it attempts to find all links to the GPO in the domain and will delete them if the user has permissions to delete the links. If the user does not have the necessary permissions to remove the links, the GPO will still get deleted, but the links will remain intact. Any links external to the domain the GPO is in are not automatically deleted. For this reason, it is a good practice to view the links to the GPO before you delete it. Links to deleted GPOs show up as “Not Found” in GPMC.
End of preview. The rest of this section is not viewable here.
Viewing the Settings of a GPO
You want to view the settings that have been defined on a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Click on the target GPO.
  4. In the right pane, click on the Settings tab.
  5. Click the Show All link to display all configured settings.

Using a command-line interface

> getreportsforgpo.wsf "<GPOName>" <ReportLocation> [/domain:<DomainDNSName>]

Using VBScript

' This code generates an HTML report of all the properties
' and settings for a GPO.
' ------ SCRIPT CONFIGURATION ------
strGPO        = "<GPOName>"         ' e.g. Sales GPO
strDomain     = "<DomainDNSName>"   ' e.g. adatum.com
strReportFile = "<FileNameAndPath>" ' e.g. c:\gpo_report.html
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)

if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Generate the report
set objGPMResult = objGPOList.Item(1).GenerateReportToFile( _
                          objGPMConstants.ReportHTML, strReportFile)

' OverallStatus throws an exception if there were any errors
' during the actual operation.
on error resume next
objGPMResult.OverallStatus()

if objGPMResult.Status.Count > 0 then
   WScript.Echo "Status message(s): " & objGPMResult.Status.Count
   for i = 1 to objGPMResult.Status.Count
      WScript.Echo objGPMResult.Status.Item(i).Message
   next
   WScript.Echo vbCrLf
end if

' Display the result
if Err.Number <> 0 then
   WScript.Echo "Error generating report."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Report saved to " & strReportFile
end if
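An HTML report is for reading; for auditing many GPOs you want the same data as XML. The PowerShell below is an added example, not from the book: it asks GPMC for the XML form of the report (GenerateReport with ReportXML returns the report text in the result's Result property) and summarises which client-side extensions the GPO configures, which scripts and MSI packages it pushes, and where it is linked. The element names (ExtensionData, Name, Script, Command, MsiApplication, LinksTo, NoOverride) follow the GPMC settings-report schema as I know it and are matched by local name because the report mixes namespaces; treat them as an assumption and compare against a report from your own domain. The sample XML at the end is constructed for an offline check and is not a real GPO.

```powershell
# Added example: summarise a GPMC XML settings report. Not from the book.
function Get-GpoReportSummary {
    param([Parameter(Mandatory)][xml]$Report)

    # The report mixes several namespaces, so match on local element names only.
    function Get-LocalText([System.Xml.XmlNode]$Node, [string]$Name) {
        $n = $Node.SelectSingleNode("*[local-name()='$Name']")
        if ($n) { $n.InnerText } else { '' }
    }
    $root = $Report.DocumentElement
    $extensions = @(); $scripts = @(); $packages = @(); $links = @()

    foreach ($side in 'Computer', 'User') {
        $node = $root.SelectSingleNode("*[local-name()='$side']")
        if (-not $node) { continue }
        $state = if ((Get-LocalText $node 'Enabled') -eq 'false') { 'DISABLED' } else { 'enabled' }
        foreach ($ext in $node.SelectNodes("*[local-name()='ExtensionData']")) {
            $extensions += "${side} ($state): $(Get-LocalText $ext 'Name')"
        }
        # Scripts extension: one <Script> per entry with Type, Command and Parameters.
        foreach ($s in $node.SelectNodes(".//*[local-name()='Script']")) {
            $scripts += "${side} $(Get-LocalText $s 'Type'): $(Get-LocalText $s 'Command') $(Get-LocalText $s 'Parameters')".Trim()
        }
        # Software Installation extension: one <MsiApplication> per package (element name assumed).
        foreach ($p in $node.SelectNodes(".//*[local-name()='MsiApplication']")) {
            $packages += "${side}: $(Get-LocalText $p 'Name') from $(Get-LocalText $p 'Path')"
        }
    }
    foreach ($l in $root.SelectNodes("*[local-name()='LinksTo']")) {
        $links += "$(Get-LocalText $l 'SOMPath') (enabled=$(Get-LocalText $l 'Enabled'), enforced=$(Get-LocalText $l 'NoOverride'))"
    }
    [pscustomobject]@{
        Name       = (Get-LocalText $root 'Name')
        Modified   = (Get-LocalText $root 'ModifiedTime')
        Extensions = $extensions
        Scripts    = $scripts
        Packages   = $packages
        Links      = $links
    }
}

# Live use: fetch the XML report of one GPO through GPMC.
function Get-GpoReportXml {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$Domain)
    $gpm   = New-Object -ComObject GPMgmt.GPM
    $const = $gpm.GetConstants()
    $dom   = $gpm.GetDomain($Domain, '', $const.UseAnyDC)
    $crit  = $gpm.CreateSearchCriteria()
    $crit.Add($const.SearchPropertyGPODisplayName, $const.SearchOpEquals, $GpoName)
    $gpos = $dom.SearchGPOs($crit)
    if ($gpos.Count -ne 1) { throw "Expected one GPO named '$GpoName', found $($gpos.Count)." }
    $res = $gpos.Item(1).GenerateReport($const.ReportXML)
    $res.OverallStatus()        # throws if the report could not be generated
    [xml]$res.Result
}

# Offline check against a constructed report fragment (not a real GPO).
$sample = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Sales GPO</Name>
  <ModifiedTime>2009-01-15T10:00:00</ModifiedTime>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Scripts">
        <q1:Script><q1:Command>\\fs01.adatum.com\deploy\startup.bat</q1:Command>
          <q1:Parameters/><q1:Type>Startup</q1:Type></q1:Script>
      </Extension>
      <Name>Scripts</Name>
    </ExtensionData>
  </Computer>
  <LinksTo><SOMName>Sales</SOMName><SOMPath>adatum.com/Sales</SOMPath>
    <Enabled>true</Enabled><NoOverride>true</NoOverride></LinksTo>
</GPO>
'@
Get-GpoReportSummary -Report ([xml]$sample) | Format-List
# Get-GpoReportSummary -Report (Get-GpoReportXml -GpoName 'Sales GPO' -Domain 'adatum.com') | Format-List
```

Looping `Get-GpoReportXml` over `$dom.SearchGPOs($gpm.CreateSearchCriteria())` (an empty criteria set returns every GPO) turns this into a quick inventory of which GPOs run scripts or install software, which is where the access to a writable share matters most.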
Modifying the Settings of a GPO
You want to modify the settings associated with a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Right-click on the target GPO and select Edit. This will bring up the GPOE.
  4. Browse through the Computer Configuration or User Configuration settings and modify them as necessary.

Using PowerShell

You can find a pre-made PowerShell function to copy the settings from one GPO to another in the May 2007 issue of Technet Magazine, available online at http://technet.microsoft.com/en-us/magazine/cc162355.aspx.

Using a command-line interface, VBScript, or PowerShell

You cannot modify the settings of a GPO with any of the command-line tools or APIs, but you can copy and import settings as described in the recipes for copying a GPO and for importing settings into a GPO.
The one thing that neither the GPMC tool nor its APIs can do is modify GPO settings. This still must be done from within the GPOE. You can, however, launch the GPOE from within GPMC as described in the GUI solution. Not having a scriptable way to modify GPO settings has been a big roadblock to managing GPOs, especially across multiple forests. Copying or importing GPOs can help with migrating settings across forests.
See also: the recipes for copying a GPO, for viewing the settings of a GPO, and for importing settings into a GPO.
Importing Settings into a GPO
You want to import settings from one GPO to another.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Right-click on the target GPO and select Import Settings.
  4. Click Next.
  5. Click the Backup button if you want to take a backup of the GPO you are importing into; the import replaces that GPO's existing settings.
  6. Click Next.
  7. Select the backup folder location and click Next.
  8. Select the backup instance you want to import from and click Next.
  9. The wizard then scans the backup for security principals and UNC paths. If it finds any, it gives you the option to copy them exactly as they are in the source or to map them through a migration table.
  10. Click Next.
  11. Click Finish.

Using a command-line interface

> importgpo.wsf "<GPOBackupLocation>" "<OrigGPOName>" "<NewGPOName>"

Using VBScript

' This code imports the settings from a GPO that has been backed up into
' an existing GPO. The existing settings of the target GPO are replaced.
' ------ SCRIPT CONFIGURATION ------
strGPOImportTo    = "<GPOName>"        ' e.g. "Sales GPO"
strDomain         = "<DomainDNSName>"  ' e.g. "adatum.com"
strBackupLocation = "<BackupLocation>" ' e.g. "c:\GPMC Backups"

' GUID representing the specific backup
' e.g. {3E53B39B-C29B-44FF-857B-8A84528804FF}
strBackupID       = "<BackupGUID>"
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Locate GPO backup
set objGPMBackupDir = objGPM.GetBackupDir(strBackupLocation)
set objGPMBackup = objGPMBackupDir.GetBackup(strBackupID)
WScript.Echo "Backup found:"
WScript.Echo " ID: " & objGPMBackup.ID
WScript.Echo " Timestamp: " & objGPMBackup.TimeStamp
WScript.Echo " GPO ID: " & objGPMBackup.GPOID
WScript.Echo " GPO Name: " & objGPMBackup.GPODisplayName
WScript.Echo " Comment: " & objGPMBackup.Comment
WScript.Echo

' Find GPO to import into
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPOImportTo)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPOImportTo
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Perform the import
set objGPMResult = objGPOList.Item(1).Import(0, objGPMBackup)

' OverallStatus throws an exception if there were any errors
' during the actual operation.
on error resume next
objGPMResult.OverallStatus()

if objGPMResult.Status.Count > 0 then
   WScript.Echo "Status message(s): " & objGPMResult.Status.Count
   for i = 1 to objGPMResult.Status.Count
      WScript.Echo objGPMResult.Status.Item(i).Message
   next
   WScript.Echo vbCrLf
end if

' Print results
if Err.Number <> 0 then
   WScript.Echo "Error importing GPO " & objGPMBackup.GPODisplayName
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Import successful."
   WScript.Echo "GPO '" & objGPMBackup.GPODisplayName & _
                "' has been imported into GPO '" & _
                objGPOList.Item(1).DisplayName & "'"
end if
Creating a Migration Table
You want to create a migration table to assist in copying or migrating a GPO from one domain or forest to another.

Using a graphical user interface

  1. Open the Group Policy Management Console. Navigate to the forest and domain containing the GPOs you wish to migrate or copy.
  2. Right-click on the Group Policy Objects node and select Open Migration Table Editor.
  3. You will begin with a blank migration table. To populate the source fields from existing data, click on Tools→Populate from GPO or Tools→Populate from Backup. Select the GPO or the backup that you wish to import. Optionally, place a checkmark next to “During scan, include security principals from the DACL on the GPO.” Click OK.
  4. Modify the Destination Name column of any entries to match their format in the destination forest or domain.
  5. To add a new entry, enter the name of the item in the Source Name column. In the Source Type column, select one of the following:
    • User
    • Computer
    • Domain Local Group
    • Domain Global Group
    • Universal Group
    • UNC Path
    • Free Text or SID
  6. To delete an entry, right-click on the entry and select Delete.
  7. To configure an entry to use the same information as configured in the source GPO, right-click on the entry and select Set Destination→Same As Source.
  8. To configure an entry to use the relative name of the destination, right-click on the entry and select Set Destination→Map by Relative Name. For example, if you have an entry for the salesuser@adatum.com user in a GPO that you wish to copy to the mycompany.com forest, selecting Map by Relative Name will populate the entry in the destination GPO as salesuser@mycompany.com.
  9. To ensure that you have properly formatted all entries in the table, click Tools→Validate Table, then click File→Save or File→Save As to save the migration table.

Using a command-line interface

> createmigrationtable.wsf 
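The same table can be built and validated from the GPMC API, which is how you would do it for a scripted cross-forest migration. The PowerShell below is an added example, not from the book, and serves both this recipe and the previous one on importing settings: it seeds a migration table from a backup (ProcessSecurity also picks up the principals in the GPO's DACL, like the editor's checkbox), rewrites UNC paths to a new file server, maps every security principal by relative name, validates the table before anything is touched, saves it, and then imports the backup through it into an existing GPO in the destination domain. All parameter values are the caller's; the destination file server name is an assumption you supply.

```powershell
# Added example: migration table plus import, via GPMgmt.GPM. Not from the book.
param(
    [Parameter(Mandatory)][string]$BackupDir,          # folder holding the GPO backup
    [Parameter(Mandatory)][string]$BackupId,           # {GUID} of the backup instance
    [Parameter(Mandatory)][string]$TargetGpoName,      # existing GPO in the destination domain
    [Parameter(Mandatory)][string]$TargetDomain,       # e.g. mycompany.com
    [Parameter(Mandatory)][string]$TargetFileServer,   # host for rewritten UNC paths, e.g. fs01.mycompany.com
    [string]$TablePath = (Join-Path $BackupDir 'import.migtable')
)

$gpm    = New-Object -ComObject GPMgmt.GPM
$const  = $gpm.GetConstants()
$backup = $gpm.GetBackupDir($BackupDir).GetBackup($BackupId)
Write-Host "Backup of '$($backup.GPODisplayName)' taken $($backup.TimeStamp)"

# 1. Seed the table from the backup. ProcessSecurity also scans the GPO's DACL,
#    the same as "include security principals from the DACL" in the editor.
$table = $gpm.CreateMigrationTable()
$table.Add($const.ProcessSecurity, $backup)

# 2. Give every entry a destination. UNC paths move to the new file server;
#    users, computers and groups are mapped by relative name
#    (adatum\SalesUsers -> mycompany\SalesUsers); free text or SIDs stay as they are.
foreach ($entry in $table.GetEntries()) {
    if ($entry.EntryType -eq $const.EntryTypeUNCPath) {
        $dest = $entry.Source -replace '^\\\\[^\\]+', "\\$TargetFileServer"
        $table.UpdateDestination($entry.Source, $dest, $const.DestinationOptionSet)
    } elseif ($entry.EntryType -eq $const.EntryTypeUnknown) {
        $table.UpdateDestination($entry.Source, [Type]::Missing, $const.DestinationOptionSameAsSource)
    } else {
        $table.UpdateDestination($entry.Source, [Type]::Missing, $const.DestinationOptionByRelativeName)
    }
}

# 3. Validate before touching the target. OverallStatus() throws on hard errors;
#    Status carries warnings such as destination principals that did not resolve.
$check = $table.Validate()
foreach ($msg in $check.Status) { Write-Warning $msg.Message }
$check.OverallStatus()
$table.Save($TablePath)
Write-Host "Migration table saved to $TablePath"

# 4. Import through the table into the existing destination GPO.
$dom  = $gpm.GetDomain($TargetDomain, '', $const.UseAnyDC)
$crit = $gpm.CreateSearchCriteria()
$crit.Add($const.SearchPropertyGPODisplayName, $const.SearchOpEquals, $TargetGpoName)
$gpos = $dom.SearchGPOs($crit)
if ($gpos.Count -ne 1) {
    throw "Expected one GPO named '$TargetGpoName' in $TargetDomain, found $($gpos.Count)."
}
$target = $gpos.Item(1)

$res = $target.Import(0, $backup, $table)
foreach ($msg in $res.Status) { Write-Warning $msg.Message }
$res.OverallStatus()
Write-Host "Imported '$($backup.GPODisplayName)' into '$($target.DisplayName)' using $TablePath"
```

Mapping by relative name is deliberately strict: a group that does not yet exist in the destination domain shows up at validation time rather than as a silently dropped ACE or a dangling SID in the imported GPO.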
Creating Custom Group Policy Settings
You want to deploy settings via Group Policy that are not covered by the default set of GPO templates that come with Active Directory.
Windows 2000, XP, and 2003 Group Policy Objects come preloaded with a number of default templates (also called ADM files) that define a number of settings that can be controlled via GPO. To control and deploy settings for additional or third-party applications, you’ll need to create your own custom ADM files to manage the settings you require. You’ll create this file in Notepad or another simple text editor, and save it as <FileName>.adm. For example, the following ADM file will allow you to disable dynamic DNS registration for Windows 2000 clients:
Class Machine

Category !!AdministrativeServices

  Category !!DNSClient

    Policy !!DisableDynamicUpdate
      Keyname "System\CurrentControlSet\Services\Tcpip\Parameters"
      Explain !!DisableDynamicUpdate_Help
      Valuename "DisableDynamicUpdate"
    End Policy

  End Category ;;DNS Client

End Category ;;AdministrativeServices

[strings]
AdministrativeServices="System"
DNSClient="DNS Client"
DisableDynamicUpdate="Disable Dynamic Update"
DisableDynamicUpdate_Help="Stops the client from dynamically registering all adapters with DNS.\n\nWhen this setting is enabled it changes the DisableDynamicUpdate value to 1 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\n\nWhen this setting is disabled, the value is set back to its default of zero. Note that when the policy is disabled, the registry value may be deleted from the registry.\n\nSee Q246804 for more details."
;End of Strings
To import a custom ADM file into the GPOE, follow these steps:
  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Right-click on the target GPO and select Edit. This will bring up the GPOE.
  4. Drill down to User Configuration or Computer Configuration, as appropriate. Right-click on Administrative Templates and select Add/Remove Templates.
  5. Click Add, browse to the location of the ADM file you created, and then click Open.
Assigning Logon/Logoff and Startup/Shutdown Scripts in a GPO
You want to assign either user logon/logoff scripts or computer startup/shutdown scripts in a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Right-click on the target GPO and select Edit. This will bring up the GPOE.
  4. In the Windows 2000 and Windows Server 2003 GPOE, to assign a computer startup or shutdown script, browse to Computer Configuration→Windows Settings→Scripts; to assign a user logon or logoff script, browse to User Configuration→Windows Settings→Scripts.
  5. In the Windows Server 2008 GPOE, the same nodes are under Computer Configuration→Policies→Windows Settings→Scripts and User Configuration→Policies→Windows Settings→Scripts.
  6. In the right pane, double-click on the type of script you want to add.
  7. Click the Add button.
  8. Select the script by typing its name or browsing to its location.
  9. Optionally, type any script parameters in the Script Parameters field.
  10. Click OK twice.
When you assign a script in a GPO, you can reference a script stored on the domain controllers under the SYSVOL share or at a UNC path on a remote file server. The customary location is the scripts folder in SYSVOL, e.g. \\adatum.com\sysvol\adatum.com\scripts (the same folder that is published as the Netlogon share); the Show Files button in the script dialog opens the GPO's own Scripts folder under SYSVOL, which also works. The logon script can also be set as an attribute of the user object (scriptPath). This is provided as legacy support for users migrated from NT 4.0 domains and requires the script to be stored in the Netlogon share. Choose one method of specifying the logon script or the other, but not both, as the logon script will otherwise run twice. Whichever location you choose, remember that startup and shutdown scripts run as LocalSystem on every computer the GPO applies to and logon/logoff scripts run as the user, so anyone who can write to that folder or share can execute code on all of those machines. Keep write access on the script location as tight as you keep membership of the groups that can edit the GPO.
Installing Applications with a GPO
You want to install an application on a group of computers using a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Right-click on the target GPO and select Edit. This will bring up the GPOE.
  4. Expand Software Settings under Computer Configuration or User Configuration, depending on which you want to target the installation for. In the Windows Server 2008 version of GPMC, browse to Computer Configuration→Policies or User Configuration→Policies.
  5. Right-click on Software Installation and select New→Package.
  6. Browse to the network share that has the MSI package for the application and click OK. Be sure to specify a UNC path such as \\servername\share\installer.msi. If you enter a local file path on the DC such as c:\packages\pro.msi, the client will not be able to access the installer.
  7. Select whether you want to assign the application or publish it, and click OK. You can also click Advanced to further define how you want to deploy the software installation package.
Installing applications with a GPO is a powerful feature, but you must be careful about the impact it can have on your network throughput and clients. If the MSI package you are installing is several megabytes in size, it will take a while for it to download to the client computer. This can result in sluggish performance on the client, especially over a heavily utilized connection. (Software installation does not occur over slow links by default.) You'll also want to make sure you've thoroughly tested the application before deployment. After you've configured the GPO to install an application, it will be only a short period of time before it has been installed on all targeted clients. If there is a bug in the application or the installer program is faulty, the impact could be severe to your user base and support staff alike. The package is installed by the Windows Installer service with system privileges on each targeted computer, so the computer accounts (for computer-assigned packages) and users need only Read access to the share, and write access to the share and the MSI should be limited to the people you would trust with administrative control of every targeted machine.
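The practical check behind the last two recipes is the same: who can change the files that clients will execute? The PowerShell function below is an added example, not from the book, for both the script location of the previous recipe and the package share of this one. It reads the NTFS ACL of each path you pass and lists every Allow ACE that grants write, delete, change-permissions or take-ownership rights, flagging trustees other than the ones normally expected to hold write access there. The expected-trustee list is an assumption to adjust for your environment, and the paths in the usage line are placeholders.

```powershell
# Added example: find who can modify a GPO script or package location. Not from the book.
function Get-GpoSourceWriters {
    param([Parameter(Mandatory)][string[]]$Path)   # UNC or local paths used by a GPO

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Any of these lets a trustee replace or alter what the clients will run.
    $writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # Principals normally expected to hold write access on SYSVOL or an admin-managed share (assumption).
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
                  'NT SERVICE\TrustedInstaller')

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Deny ACEs are skipped; they can only make the result more restrictive.
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path       = $p
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
                Unexpected = ($expected -notcontains $ace.IdentityReference.Value)
            }
        }
    }
}

# Usage (placeholder paths): review every unexpected writer before linking the GPO.
Get-GpoSourceWriters -Path '\\adatum.com\sysvol\adatum.com\scripts', '\\fs01.adatum.com\packages' |
    Where-Object { $_.Unexpected } |
    Format-Table -AutoSize
```

NTFS is only half of the picture for a file server: check the share-level permissions on the server too (for example with `Get-SmbShareAccess` on Windows Server 2012 and later), since the effective access is the more restrictive of the two and a share that grants Everyone Change undoes a careful NTFS ACL.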
Disabling the User or Computer Settings in a GPO
You want to disable either the user or computer settings of a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Right-click on the target GPO and select GPO Status.
  4. Select either User Configuration Settings Disabled to disable the user settings or Computer Configuration Settings Disabled to disable the computer settings.

Using VBScript

' This code can enable or disable the user or computer settings of a GPO.
' ------ SCRIPT CONFIGURATION ------
strGPO    = "<GPOName>"       ' e.g. "Sales GPO"
strDomain = "<DomainDNSName>" ' e.g. "adatum.com"
boolUserEnable = False        ' False disables the user settings
boolCompEnable = True         ' True leaves the computer settings enabled
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' You can comment out either of these if you don't want to set one:
objGPOList.Item(1).SetUserEnabled boolUserEnable
WScript.Echo "User settings: " & boolUserEnable

objGPOList.Item(1).SetComputerEnabled boolCompEnable
WScript.Echo "Computer settings: " & boolCompEnable

Using PowerShell

$gpm = New-Object -ComObject GPMgmt.GPM

$gpmConstants = $gpm.GetConstants()

$objDomain = $gpm.GetDomain("<
Listing the Links for a GPO
You want to list all of the links for a particular GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the Group Policy Objects container.
  3. Click on the GPO you want to view the links for.
  4. In the right pane, the defined links for the GPO will be listed under Links.

Using a command-line interface

> dumpgpoinfo.wsf "<GPOName>"

Using VBScript

' This code lists all the sites, OUs, and domains a GPO is linked to.
' ------ SCRIPT CONFIGURATION ------
strGPO    = "<GPOName>"       ' e.g. "SalesGPO"
strForest = "<ForestName>"    ' e.g. "adatum.com"
strDomain = "<DomainDNSName>" ' e.g. "adatum.com"
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)
' Initialize the Sites Container object
set objGPMSitesContainer = objGPM.GetSitesContainer(strForest, _
                           strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Search for all SOM links for this GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertySOMLinks, _
                         objGPMConstants.SearchOpContains, objGPOList.Item(1)
set objSOMList = objGPMDomain.SearchSOMs(objGPMSearchCriteria)
set objSiteLinkList = objGPMSitesContainer.SearchSites(objGPMSearchCriteria)

if objSOMList.Count = 0 and objSiteLinkList.Count = 0 Then
   WScript.Echo "No Site, Domain, or OU links found for this GPO"
else
   WScript.Echo "Links:"
   for each objSOM in objSOMList
      select case objSOM.Type
         case objGPMConstants.SOMDomain
            strSOMType = "Domain"
         case objGPMConstants.SOMOU
            strSOMType = "OU"
      end select
      ' Print GPO Domain and OU links
      WScript.Echo " " & objSOM.Name & " (" & strSOMType & ")"
   next

   ' Print GPO Site Links
   for each objSiteLink in objSiteLinkList
      WScript.Echo " " & objSiteLink.Name & " (Site)"
   next
end if
Creating a GPO Link to an OU
You want to apply the GPO settings to the users and/or computers in an OU. This is called linking a GPO to an OU.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, and browse to the target domain.
  3. Right-click on the OU you want to link and select Link an Existing GPO.
  4. Select from the list of available GPOs and click OK.

Using VBScript

' This code links a GPO to an OU
' ------ SCRIPT CONFIGURATION ------
strGPO     = "<GPOName>"           ' e.g. "Sales GPO"
strDomain  = "<DomainDNSName>"     ' e.g. "adatum.com"
strOU      = "<OrgUnitDN>"         ' e.g. "ou=Sales,dc=adatum,dc=com"
intLinkPos = -1 ' link order position the GPO gets on the OU;
                ' a value of -1 appends it to the end of the list
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Find the specified OU
set objSOM = objGPMDomain.GetSOM(strOU)
if IsNull(objSOM) then
   WScript.Echo "Did not find OU: " & strOU
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found OU: " & objSOM.Name
end if

on error resume next

set objGPMLink = objSOM.CreateGPOLink( intLinkPos, objGPOList.Item(1) )

if Err.Number <> 0 then
   WScript.Echo "There was an error creating the GPO link."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Successfully linked GPO to OU"
end if
Blocking Inheritance of GPOs on an OU
You want to block inheritance of GPOs on an OU.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, and browse to the target domain.
  3. Right-click on the OU you want to block inheritance for and select Block Inheritance.

Using VBScript

' This code blocks inheritance of GPOs on the specified OU
' ------ SCRIPT CONFIGURATION ------
strDomain = "<DomainDNSName>" ' e.g. "adatum.com"
strOU     = "<OrgUnitDN>"     ' e.g. "ou=Sales,dc=adatum,dc=com"
boolBlock = TRUE              ' set to FALSE to stop blocking inheritance
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified OU
set objSOM = objGPMDomain.GetSOM(strOU)
if IsNull(objSOM) then
   WScript.Echo "Did not find OU: " & strOU
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found OU: " & objSOM.Name
end if

' Trap errors so the result can be reported below
on error resume next

objSOM.GPOInheritanceBlocked = boolBlock

if Err.Number <> 0 then
   WScript.Echo "There was an error blocking inheritance."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Successfully set inheritance blocking on OU to " & boolBlock
end if

Using PowerShell

$gpm = New-Object -ComObject GPMgmt.GPM
$gpmConstants = $gpm.GetConstants()
$objDomain = $gpm.GetDomain("<Domain FQDN>", "", $gpmConstants.UseAnyDC)
$objOU = $objDomain.GetSOM("<OU DN>")
$objOU.GPOInheritanceBlocked = $true
By default, GPOs are inherited down through the directory tree. If you link a GPO to a top-level OU, that GPO will apply to any objects within the child OUs. Sometimes that may not be what you want, and you can disable inheritance as described in the solutions.
Try to avoid blocking inheritance when possible because it makes determining which settings apply to a user or computer difficult. If someone sees that a GPO is linked at a top-level OU, he may assume it applies to every object under it. Using the Resultant Set of Policy (RSoP) snap-in can help identify what settings are applied to a user or computer (see ).
Enforcing the Settings of a GPO Link
You want to ensure that a GPO's settings are applied regardless of any Block Inheritance settings configured further down the scope of management.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the target GPO, and expand the container containing the link you want to enforce.
  3. Right-click on the link you want to configure and place a checkmark next to Enforced. To remove the Enforced setting, right-click on the link and remove the checkmark.

Using VBScript

' This code enforces a link to a GPO.
' ------ SCRIPT CONFIGURATION ------
strGPO      = "<GPOName>"    ' e.g. SalesGPO
strForest   = "<ForestName>" ' e.g. adatum.com
strDomain   = "<DomainName>" ' e.g. adatum.com
strLinkName = "<LinkName>"   ' e.g. "Finance" for an OU link,
                             ' "adatum.com" for a domain,
                             ' "Default-First-Site-Name" for a site
boolEnforced = TRUE          ' FALSE to disable the enforced setting
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)
' Initialize the Sites Container object
set objGPMSitesContainer = objGPM.GetSitesContainer(strForest, _
                           strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
   strGUID = objGPOList.Item(1).ID
end if

' Search for all SOM links for this GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertySOMLinks, _
                         objGPMConstants.SearchOpContains, objGPOList.Item(1)
set objSOMList = objGPMDomain.SearchSOMs(objGPMSearchCriteria)
set objSiteLinkList = objGPMSitesContainer.SearchSites(objGPMSearchCriteria)

if objSOMList.Count = 0 and objSiteLinkList.Count = 0 Then
   WScript.Echo "No Site, Domain, or OU links found for this GPO"
else
   ' Domain and OU links: find the SOM by name, then the link to this GPO
   for each objSOM in objSOMList
      if strcomp(objSOM.Name, strLinkName, vbTextCompare) = 0 then
         set colGPOLinks = objSOM.GetGPOLinks()
         for each objGPOLink in colGPOLinks
            if strcomp(objGPOLink.GPOID, strGUID, vbTextCompare) = 0 then
               objGPOLink.Enforced = boolEnforced
               WScript.Echo "Set Enforced=" & boolEnforced & " on GPO " & strGPO & _
                            " link to " & strLinkName
            end if
         next
      end if
   next

   ' Site links
   for each objSiteLink in objSiteLinkList
      if strcomp(objSiteLink.Name, strLinkName, vbTextCompare) = 0 then
         set colGPOLinks = objSiteLink.GetGPOLinks()
         for each objGPOLink in colGPOLinks
            if strcomp(objGPOLink.GPOID, strGUID, vbTextCompare) = 0 then
               objGPOLink.Enforced = boolEnforced
               WScript.Echo "Set Enforced=" & boolEnforced & " on GPO " & strGPO & _
                            " link to " & strLinkName
            end if
         next
      end if
   next
end if
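Block Inheritance and Enforced interact, and the discussion two recipes back is right that the result is hard to see from the console tree. The PowerShell below is an added example, not from the book, covering both that recipe and this one: it walks from the domain down to an OU and applies the processing rules (later SOMs win; within a SOM, link order 1 is processed last; a blocked SOM drops the non-enforced links inherited so far; enforced links are processed after everything else, with the ones set higher in the tree processed last so they win), then prints GPMC's own answer from GetInheritedGPOLinks() beside it so you can check the reasoning. It assumes the OU DN contains no escaped commas, and it deliberately leaves out site links, security filtering, WMI filters and per-side (user or computer) disabling, so it shows link precedence rather than a full RSoP.

```powershell
# Added example: effective GPO link precedence for an OU. Not from the book.
param(
    [Parameter(Mandatory)][string]$Domain,    # e.g. adatum.com
    [Parameter(Mandatory)][string]$OuDn       # e.g. ou=Sales,ou=Corp,dc=adatum,dc=com
)

$gpm   = New-Object -ComObject GPMgmt.GPM
$const = $gpm.GetConstants()
$dom   = $gpm.GetDomain($Domain, '', $const.UseAnyDC)

# Chain of SOMs from the domain down to the OU (assumes no escaped commas in the DN).
$domainDn = 'dc=' + ($Domain -replace '\.', ',dc=')
if (-not $OuDn.EndsWith($domainDn, [StringComparison]::OrdinalIgnoreCase)) {
    throw "$OuDn is not in $Domain"
}
$chain = @($domainDn)
if ($OuDn.Length -gt $domainDn.Length) {
    $ouParts = $OuDn.Substring(0, $OuDn.Length - $domainDn.Length - 1) -split ','
    for ($i = $ouParts.Count - 1; $i -ge 0; $i--) {
        $chain += ($ouParts[$i..($ouParts.Count - 1)] -join ',') + ',' + $domainDn
    }
}

function Get-GpoName($link) {
    try { $gpm.GetDomain($link.GPODomain, '', $const.UseAnyDC).GetGPO($link.GPOID).DisplayName }
    catch { "<missing $($link.GPOID)>" }
}

# Walk down the tree. Non-enforced links accumulate in processing order (later wins);
# a blocked SOM discards the non-enforced links inherited so far. Enforced links are
# processed after everything else, higher SOMs last, so a domain-level enforced link wins.
$normal = @(); $enforced = @()
foreach ($dn in $chain) {
    $som = $dom.GetSOM($dn)
    if ($som.GPOInheritanceBlocked) { $normal = @() }
    $somEnforced = @()
    # Within one SOM, link order 1 is processed last (highest precedence).
    foreach ($l in ($som.GetGPOLinks() | Sort-Object SOMLinkOrder -Descending)) {
        if (-not $l.Enabled) { continue }
        $rec = [pscustomobject]@{
            GPO = (Get-GpoName $l); SOM = $som.Name
            Enforced = $l.Enforced; Blocked = $som.GPOInheritanceBlocked
        }
        if ($l.Enforced) { $somEnforced += $rec } else { $normal += $rec }
    }
    $enforced = $somEnforced + $enforced
}
$processing = $normal + $enforced
$precedence = if ($processing.Count -gt 0) { $processing[($processing.Count - 1)..0] } else { @() }

Write-Host "Computed precedence for $OuDn (1 wins):"
$i = 1
foreach ($r in $precedence) {
    Write-Host ("  {0}. {1}  [{2}{3}]" -f $i++, $r.GPO, $r.SOM, $(if ($r.Enforced) { ', enforced' } else { '' }))
}

# Cross-check against GPMC's own computation (same order, highest precedence first).
Write-Host "GPMC GetInheritedGPOLinks():"
$i = 1
foreach ($l in $dom.GetSOM($OuDn).GetInheritedGPOLinks()) {
    Write-Host ("  {0}. {1}  [{2}{3}]" -f $i++, (Get-GpoName $l), $l.SOM.Name, $(if ($l.Enforced) { ', enforced' } else { '' }))
}
```

If the two lists disagree, trust GPMC and look for a disabled link or a link the script did not see; the value of the manual walk is that it shows why a GPO linked at the top still applies below a blocked OU (it is enforced) or why one linked at the OU itself loses to a parent (the parent's link is enforced and processed later).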
Applying a Security Filter to a GPO
You want to configure a GPO so that it applies only to members of a particular security group.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and expand the Group Policy Objects container.
  3. Click on the GPO you want to modify.
  4. In the right pane under Security Filtering, click the Add button.
  5. Use the Object Picker to select a group and click OK.
  6. Highlight Authenticated Users and click the Remove button.
  7. Click OK to confirm.

Using a command-line interface

> setgpopermissions.wsf "<GPOName>" "<GroupName>" /permission:Apply

> setgpopermissions.wsf "<GPOName>" "Authenticated Users" /permission:None

Using VBScript

' This code adds a security group filter permission to a GPO
' and removes the Authenticated Users filter permission.
' ------ SCRIPT CONFIGURATION ------
strGPO         = "<GPOName>"       ' e.g. "Sales GPO"
strDomain      = "<DomainDNSName>" ' e.g. "adatum.com"
strGroupAdd    = "<GroupName>"     ' e.g. "SalesUsers"
strGroupRemove = "Authenticated Users"
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Get permission objects to Apply GPO
set objGPMPerm1 = objGPM.CreatePermission(strGroupAdd, _
                         objGPMConstants.PermGPOApply, False)
set objGPMPerm2 = objGPM.CreatePermission(strGroupRemove, _
                         objGPMConstants.PermGPOApply, False)

' Get the existing set of permissions on the GPO
set objSecurityInfo = objGPOList.Item(1).GetSecurityInfo()

' Add the new permission
objSecurityInfo.Add objGPMPerm1
' Remove Authenticated Users
objSecurityInfo.Remove objGPMPerm2

on error resume next

' Apply the permission to the GPO
objGPOList.Item(1).SetSecurityInfo objSecurityInfo
if Err.Number <> 0 then
   WScript.Echo "There was an error setting the security filter."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Added Apply permission for group " & strGroupAdd
   WScript.Echo "Removed Apply permission for group " & strGroupRemove
end if
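A verification step for the filter set by the script above, added here as an example that is not from the book: it uses the same GPMgmt.GPM COM interface from PowerShell to list the GPO's ACL and confirm that the group holds Apply while Authenticated Users no longer does. The function names and the <GPOName>, <DomainDNSName> and <GroupName> placeholders are mine.

```powershell
# Added example (not from the book): audit a GPO's security filtering through the same
# GPMgmt.GPM COM interface the VBScript solutions use. Function names are mine.

function Get-GpoPermissions {
    param([string]$GpoName, [string]$Domain)   # e.g. "Sales GPO", "adatum.com"

    $gpm = New-Object -ComObject GPMgmt.GPM
    $c   = $gpm.GetConstants()
    $dom = $gpm.GetDomain($Domain, "", $c.UseAnyDC)

    # Look the GPO up by display name, as the VBScript does, and refuse ambiguity
    $crit = $gpm.CreateSearchCriteria()
    $crit.Add($c.SearchPropertyGPODisplayName, $c.SearchOpEquals, $GpoName)
    $gpos = $dom.SearchGPOs($crit)
    if ($gpos.Count -ne 1) {
        throw "Expected exactly one GPO named '$GpoName', found $($gpos.Count)"
    }

    # Map the numeric GPMPermissionType values back to readable names
    $names = @{}
    $names[[int]$c.PermGPOApply]                 = "Apply"
    $names[[int]$c.PermGPORead]                  = "Read"
    $names[[int]$c.PermGPOEdit]                  = "Edit"
    $names[[int]$c.PermGPOEditSecurityAndDelete] = "EditSecurityAndDelete"
    $names[[int]$c.PermGPOCustom]                = "Custom"

    $sec = $gpos.Item(1).GetSecurityInfo()
    for ($i = 1; $i -le $sec.Count; $i++) {        # GPMC collections are 1-based
        $p = $sec.Item($i)
        $label = $names[[int]$p.Permission]
        if (-not $label) { $label = "Unknown(" + $p.Permission + ")" }
        [pscustomobject]@{
            Trustee    = $p.Trustee.TrusteeName
            Domain     = $p.Trustee.TrusteeDomain
            Permission = $label
            Denied     = [bool]$p.Denied           # a Deny entry also blocks application
            Inherited  = [bool]$p.Inherited
        }
    }
}

function Test-GpoSecurityFilter {
    param([string]$GpoName, [string]$Domain, [string]$GroupName)

    $apply = Get-GpoPermissions -GpoName $GpoName -Domain $Domain |
        Where-Object { $_.Permission -eq "Apply" -and -not $_.Denied }

    # The filter is in place only when the group can apply the GPO and
    # Authenticated Users (i.e., everyone, the default) no longer can
    $groupOk = @($apply | Where-Object { $_.Trustee -eq $GroupName }).Count -eq 1
    $authOk  = @($apply | Where-Object { $_.Trustee -eq "Authenticated Users" }).Count -eq 0
    return ($groupOk -and $authOk)
}

# Usage with placeholders: list the ACL, then print True once the filter is correct
Get-GpoPermissions -GpoName "<GPOName>" -Domain "<DomainDNSName>" | Format-Table -AutoSize
Test-GpoSecurityFilter -GpoName "<GPOName>" -Domain "<DomainDNSName>" -GroupName "<GroupName>"
```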
Delegating Administration of GPOs
You want to delegate permissions on GPOs and related tasks within Active Directory.

Using a graphical user interface

To delegate the ability to create GPOs, do the following:
  1. Open the Group Policy Management Console.
  2. Navigate to the Group Policy Objects node and click on the Delegation tab.
  3. To add permissions for a new user or group to create GPOs, click Add. Use the object picker to select the object you want and click OK.
To delegate permissions on a particular GPO, follow these steps:
  1. Open the Group Policy Management Console.
  2. Navigate to the GPO that you want to delegate permissions for and click on the Delegation tab.
  3. To add permissions for a new user or group, click Add. Use the object picker to select the object you want and click OK.
  4. In the Permissions drop-down box, select “Read, Edit Settings” or “Edit Settings, Delete, and Modify Security,” then click OK.
To delegate Group Policy-related tasks on a particular site, domain, or OU, do the following:
  1. Open the Group Policy Management Console.
  2. Navigate to the site, domain, or OU that you want to delegate permissions for and click on the Delegation tab.
  3. In the Permission drop-down, select Link GPOs, Perform Group Policy Modeling Analyses, or Read Group Policy Results Data.
  4. To add permissions for a new user or group, click Add. Use the object picker to select the object you want and click OK.
  5. In the Permissions drop-down box, select “This container only” or “This container and all child containers,” then click OK.
In addition to using Active Directory users and groups to control how GPOs are applied within a site, domain, or OU, you can also use ACLs to delegate permissions over GPOs to allow you to decentralize the administration of them in your organization.
You can delegate the ability to do the following:
  • Create GPOs
  • Manage the settings of an individual GPO
  • Link GPOs to a site, domain, or OU
Importing a Security Template
You want to import a security template into a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to target, and expand the Group Policy Objects container.
  3. Right-click on the target GPO and select Edit.
  4. Navigate to Computer Configuration→Windows Settings.
  5. Right-click on Security Settings and select Import Policy.
  6. Browse to the template you want to import and click Open.
Rather than manually configuring the plethora of security settings available in Windows 2000 and Windows Server 2003, you can use a template.
Some common security templates include the following:
compatws.inf
Used for workstations that need backward compatibility with legacy applications or networks.
hisec*.inf
Used for a high-security configuration. hisecdc.inf corresponds to a domain controller. hisecws.inf is for a secure workstation or member server.
secure*.inf
Used for situations in which you want a secure configuration, but the settings in the hisec*.inf templates are a bit over-the-top. Sufficient for most environments.
It’s important to test the settings created by these templates before deploying them in a production network, since it may be necessary to modify one or more to meet the needs of your unique environment.
To configure security settings for a local computer or for computers not configured in an Active Directory domain, you can use the secedit command-line utility with the /configure switch.
Windows Server 2003 Security Guide (http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx), Windows Server 2008 Security Guide (http://technet.microsoft.com/en-us/library/cc264463.aspx), MS KB 216735 (Methods Used to Apply Security Settings Throughout an Enterprise), MS KB 816297 (How to Define Security Templates by Using the Security Templates Snap-in in Windows Server 2003), and MS KB 816585 (How to Apply Predefined Security Templates in Windows Server 2003)
Creating a WMI Filter
WMI filters can be configured only on Windows Server 2003 and newer domain controllers, and they will not apply to Windows 2000 clients.
You want to create a WMI filter.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and click the WMI Filters container.
  3. Right-click on the WMI Filters container and select New.
  4. Enter a name and description for the filter.
  5. Click the Add button.
  6. Select the appropriate namespace, enter a WQL query, and click OK.
  7. Repeat steps 5 and 6 for as many queries as you need to add.
  8. Click the Save button.

Using VBScript

At the time of publication of this book, there were no GPM methods available for creating WMI filters.
WMI filters are new in Windows Server 2003 and provide another way to filter how GPOs are applied to clients. WMI filters live in Active Directory as objects under the WMIPolicy container within the System container for a domain. A WMI filter consists of a WMI Query Language (WQL) query that, when linked to a GPO, is run against every client the GPO applies to. If the WQL query returns true (that is, it returns a nonempty result set), the GPO continues to process. If the query returns false (nothing is returned), the GPO is not applied.
The great thing about WMI filters is that the vast amount of information that is available in WMI on a client becomes available to filter GPOs. You can query against CPU, memory, disk space, hotfixes installed, service packs installed, applications installed, running processes, and the list goes on and on.
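Because each client evaluates the filter for itself, a filter's queries can be tried on a representative computer before the GPO is linked. The following is an added example, not code from the book: it evaluates a list of namespace/WQL pairs with the same nonempty-result rule the Group Policy client uses; the sample queries and the function name are constructed for this illustration.

```powershell
# Added example (not from the book). Evaluates WMI filter queries on the local computer
# the way the Group Policy client does: a query passes when it returns at least one
# instance, and a filter with several queries passes only if every query passes.
# The namespace/query pairs below are constructed samples; the function name is mine.

function Test-WmiFilter {
    param(
        # Each entry mirrors one row in the GPMC filter editor: namespace plus WQL
        [hashtable[]]$Queries
    )
    $allPass = $true
    foreach ($q in $Queries) {
        $ns = if ($q.Namespace) { $q.Namespace } else { "root\CIMv2" }
        $hits = @()
        try {
            # Same test the client performs: a nonempty result set means "true"
            $hits = @(Get-WmiObject -Namespace $ns -Query $q.Query -ErrorAction Stop)
            $pass = $hits.Count -gt 0
        } catch {
            # A query that cannot run (bad namespace, bad WQL) counts as false,
            # so the GPO would not be applied on this computer
            $pass = $false
        }
        [pscustomobject]@{ Namespace = $ns; Query = $q.Query; Matches = $hits.Count; Pass = $pass }
        if (-not $pass) { $allPass = $false }
    }
    # Overall verdict last, so it can be picked off with Select-Object -Last 1
    [pscustomobject]@{ Namespace = "*"; Query = "(all queries)"; Matches = $null; Pass = $allPass }
}

# Constructed sample filter: workstations (ProductType 1) with at least 1 GiB of RAM
$sampleFilter = @(
    @{ Query = "SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1" },
    @{ Query = "SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 1073741824" }
)
Test-WmiFilter -Queries $sampleFilter | Format-Table -AutoSize
```

The client runs the queries in the computer's security context during policy processing, so an interactive run as a different user can differ for namespaces with restrictive permissions.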
For example, a GPO that applies only to computers running Windows XP Professional would have been quite difficult to accomplish under Windows 2000 Active Directory: you would have needed either to create a security group containing all of those computers as members (and apply a security filter) or to move all of those workstations to a particular OU. With a WMI filter, this becomes trivial. (Bear in mind, however, that WMI queries carry client performance overhead, as each computer must process the query to determine whether a particular GPO should be applied.) Here is a sample WQL query that would return
Applying a WMI Filter to a GPO
WMI filters can be configured only on a Windows Server 2003 domain controller, and they will apply only to Windows Server 2003 and Windows XP-based clients.
You want to apply a WMI filter to a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to target, and expand the Group Policy Objects container.
  3. Click on the target GPO.
  4. At the bottom of the right pane, you can select from the list of WMI filters.
  5. After you’ve selected the WMI filter, click Yes to confirm.

Using VBScript

' This code links an existing WMI filter with a GPO.
' ------ SCRIPT CONFIGURATION ------
strGPO         = "<GPOName>"       ' e.g. "Sales GPO"
strDomain      = "<DomainDNSName>" ' e.g. "adatum.com"
' e.g. {D715559A-7965-45A6-864D-AEBDD9934415}
strWMIFilterID = "<WMIFilterID>"
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, _
                         cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

on error resume next

' Retrieve the WMI filter by its WMI path (domain plus filter GUID)
strWMIFilter = "MSFT_SomFilter.Domain=""" & _
                strDomain & """,ID=""" & _
                strWMIFilterID & """"
set objWMIFilter = objGPMDomain.GetWMIFilter(strWMIFilter)
if Err.Number <> 0 then
   WScript.Echo "Did not find WMI Filter: " & strWMIFilterID
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found WMI Filter: " & objWMIFilter.Name
end if

' Link the filter and print the result
objGPOList.Item(1).SetWMIFilter(objWMIFilter)
if Err.Number <> 0 then
   WScript.Echo "Failed to set WMI filter."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Set WMI filter successfully."
end if
Configuring Loopback Processing for a GPO
You want to configure a GPO to use loopback processing that will enforce consistent computer settings regardless of which user logs on to a computer.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. Navigate to the GPO that you want to configure. Right-click on the GPO and select Edit Settings.
  3. Navigate to Computer Configuration→System→Group Policy. Double-click on “User Group Policy loopback processing mode.” Select the radio button next to Enabled.
  4. In the Mode drop-down box, select either Merge or Replace. (See the Discussion section of this recipe for more information on these two modes.)
  5. Click OK.
GPOs are applied to user/computer combinations on an Active Directory network based on the site, domain, and OU that the user and computer objects belong to. If the user and computer are located in two separate locations, the user will receive the GPOs that apply to the user’s container combined with those that apply to the computer’s container. However, there may be cases where you want a user to receive GPOs based solely on the location of the computer objects. In this case, you will enable loopback processing in one of two modes:
Merge Mode
In this mode, any GPOs that are associated with the user will be applied first. The GPOs associated with the computer object will be applied after the GPOs associated with the user object, thereby giving them a higher precedence than the user GPOs. In this case, the user will still receive any GPO settings associated with her user object, but settings configured for the computer will override in the case of any conflicts.
Replace Mode
In this mode, only the list of GPOs that apply to the computer object will be applied.
MS KB 231287 (Loopback Processing of Group Policy)
Backing Up a GPO
You want to back up a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to back up, and expand the Group Policy Objects container.
  3. Right-click on the GPO you want to back up and select Back Up.
  4. For Location, enter the folder path to store the backup files.
  5. For Description, enter a descriptive name for the backup.
  6. Click the Back Up button.
  7. You will see a progress bar and status message that indicates if the backup was successful.
  8. Click OK to exit.

Using a command-line interface

> backupgpo.wsf "<GPOName>" "<BackupFolder>" /comment:"<BackupComment>"

Using VBScript

' This code backs up a GPO to the specified backup location.
' ------ SCRIPT CONFIGURATION ------
strGPO      = "<GPOName>"       ' e.g. "Default Domain Policy"
strDomain   = "<DomainDNSName>" ' e.g. "adatum.com"
strLocation = "<BackupFolder>"  ' e.g. "c:\GPMC Backups"
strComment  = "<BackupComment>" ' e.g. "Default Domain Policy Weekly"
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO you want to back up
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Kick off the backup
on error resume next
set objGPMResult = objGPOList.Item(1).Backup(strLocation, strComment)
' Call the OverallStatus method on the GPMResult.
' This will throw an exception if there were any
' errors during the actual operation.
objGPMResult.OverallStatus()
if objGPMResult.Status.Count > 0 then
   WScript.Echo "Status messages: " & objGPMResult.Status.Count
   for i = 1 to objGPMResult.Status.Count
      WScript.Echo objGPMResult.Status.Item(i).Message
   next
   WScript.Echo vbCrLf
end if

' Print the results
if Err.Number <> 0 then
   WScript.Echo "The backup failed."
   WScript.Echo "Attempted to backup GPO '" & strGPO & "' to location " & strLocation
   WScript.Echo "Error: " & Err.Description
else
   set objGPMBackup = objGPMResult.Result
   WScript.Echo "Backup completed successfully."
   WScript.Echo "GPO ID: " & objGPMBackup.GPOID
   WScript.Echo "Timestamp: " & objGPMBackup.TimeStamp
   WScript.Echo "Backup ID: " & objGPMBackup.ID
end if
Restoring a GPO
You want to restore a GPO.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to restore, and expand the Group Policy Objects container.
  3. Right-click on the GPO you want to restore, and select “Restore from Backup.”
  4. Click Next.
  5. Select the backup folder location and click Next.
  6. Select the backup you want to restore and click Next.
  7. Click Finish.
  8. You will see the restore status window. After it completes, click OK to close the window.

Using a command-line interface

> restoregpo.wsf "<BackupFolder>" "<GPOName>"

Using VBScript

' This code restores a GPO from a backup.
' ------ SCRIPT CONFIGURATION ------
strGPO      = "<GPOName>"       ' e.g. "Sales Users GPO"
strDomain   = "<DomainDNSName>" ' e.g. "adatum.com"
strLocation = "<BackupFolder>"  ' e.g. "c:\GPMC Backups"
strBackupID = "<BackupGUID>"    ' e.g. "{85CA37AC-0DB3-442B-98E8-537291D26ED3}"
' ------ END CONFIGURATION --------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Make sure backup location and ID are valid
set objGPMBackupDir = objGPM.GetBackupDir(strLocation)
set objGPMBackup = objGPMBackupDir.GetBackup(strBackupID)
WScript.Echo "Backup found:"
WScript.Echo "  ID: " & objGPMBackup.ID
WScript.Echo "  Timestamp: " & objGPMBackup.TimeStamp
WScript.Echo "  GPO ID: " & objGPMBackup.GPOID
WScript.Echo "  GPO Name: " & objGPMBackup.GPODisplayName
WScript.Echo "  Comment: " & objGPMBackup.Comment
WScript.Echo

' Perform the restore; errors are caught and reported below
on error resume next
set objGPMResult = objGPMDomain.RestoreGPO(objGPMBackup, _
                                           objGPMConstants.DoNotValidateDC)
' OverallStatus will throw an exception if there were any errors
' during the actual operation.
objGPMResult.OverallStatus()
if objGPMResult.Status.Count > 0 then
   WScript.Echo "Status message(s): " & objGPMResult.Status.Count
   for i = 1 to objGPMResult.Status.Count
      WScript.Echo objGPMResult.Status.Item(i).Message
   next
   WScript.Echo vbCrLf
end if

' Print result
if Err.Number <> 0 then
   WScript.Echo "Error restoring GPO " & objGPMBackup.GPODisplayName
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Restore successful."
   WScript.Echo "GPO '" & objGPMBackup.GPODisplayName & _
                "' has been restored."
end if
Simulating the RSoP
You want to simulate the Resultant Set of Policies (RSoP) based on OU, site, and security group membership. This is also referred to as Group Policy Modeling.
This must be run against a Windows Server 2003 or newer domain controller.

Using a graphical user interface

  1. Open the GPMC snap-in.
  2. In the left pane, right-click Group Policy Modeling and select Group Policy Modeling Wizard.
  3. Select a domain controller to process the query and click Next.
  4. Under User Information and/or Computer Information, either select the container you want to simulate to contain the user or computer, or select a specific user or computer account, and click Next.
  5. Select a site if necessary, and specify whether you wish to simulate a slow link or loopback processing, and then click Next.
  6. If you selected a target user container or user account in step 4, you will be presented with an option to simulate different group membership. Click Next when you are done.
  7. If you selected a target computer container or computer account in step 4, you will be presented with an option to simulate different group membership. Click Next when you are done.
  8. If you selected a target user container or user account in step 4, you will be presented with an option to simulate any additional WMI filters. Click Next when you are done.
  9. If you selected a target computer container or computer account in step 4, you will be presented with an option to simulate any additional WMI filters. Click Next when you are done.
  10. Click Next to start the simulation.
  11. Click Finish.
  12. In the right pane of the GPMC window, the results of the simulation will be displayed.
With GPMC, you can simulate the RSoP based on user-defined OU, site, group, and domain membership. This is very powerful because it allows you to create one or more GPOs, simulate them being applied to a user and computer, and determine whether any changes are necessary before deployment.
Viewing the RSoP
You want to view the actual RSoP for a user and computer. This is a great tool for determining if policies are being applied correctly on a client.

Using a graphical user interface

The RSoP snap-in is available only on Windows Server 2003 and newer.
Open the RSoP snap-in by running rsop.msc from the command line. This will cause the RSoP snap-in to evaluate the group policies for the target computer and pop open an MMC console so that you can browse the applied settings.
You can target a different computer by right-clicking the top of the tree in the left pane and selecting Change Query. You will then be prompted for the name of the computer to query.
You can also gather this information by using the Group Policy Results Wizard in the GPMC.

Using a command-line interface

> gpresult
With the Windows Server 2003 and newer versions of gpresult, you can specify a /S option and the name of a computer to target, which allows you to run the command remotely. With Windows 2000, there is a /S option, but it enables super-verbose mode. There is no way to target another computer with the Windows 2000 version. For a complete list of options with either version, run gpresult /? from a command line.
If you implement more than a few GPOs, it can get confusing as to what settings will apply to users. To address this problem, you can query the resultant set of policies on a client to determine what settings have been applied.
The registry on the target computer is another source of information. You can view the list of policies that were applied to the computer by viewing the subkeys under this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
The settings that were applied are not stored in the registry, but you can obtain the GPO name, distinguished name, SYSVOL location, version, and where the GPO is linked.
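The history key above can be read directly, which is handy when checking a client's applied policies from a script or during an investigation. The following is an added example, not from the book; it assumes the value names Windows writes under each numbered subkey (DisplayName, GPOName, DSPath, FileSysPath, Link, Version), and the function name is mine.

```powershell
# Added example (not from the book). Reads the Group Policy history key named above and
# returns one row per (client-side extension, GPO). The value names used here are the
# ones Windows writes under each numbered subkey; the function name is mine.

function Get-GpoHistory {
    param(
        # HKCU holds the user half of the history; the computer half lives under HKLM
        [ValidateSet("User", "Computer")] [string]$Target = "User"
    )
    $hive = if ($Target -eq "User") { "HKCU:" } else { "HKLM:" }
    $root = "$hive\Software\Microsoft\Windows\CurrentVersion\Group Policy\History"

    # Layout: History\<extension GUID>\<n>, with n counting up in application order
    foreach ($cse in Get-ChildItem -Path $root -ErrorAction Stop) {
        foreach ($entry in Get-ChildItem -Path $cse.PSPath) {
            $p = Get-ItemProperty -Path $entry.PSPath
            # Version packs the user version in the high 16 bits and the
            # computer version in the low 16 bits (0 when the value is absent)
            $ver = [int64]($p.Version)
            [pscustomobject]@{
                Extension   = $cse.PSChildName
                Order       = [int]$entry.PSChildName
                DisplayName = $p.DisplayName
                GpoName     = $p.GPOName      # the {GUID} name of the GPO object
                DSPath      = $p.DSPath       # distinguished name in Active Directory
                FileSysPath = $p.FileSysPath  # SYSVOL location of the policy files
                Link        = $p.Link         # site, domain, or OU the GPO is linked to
                UserVer     = [int]([math]::Floor($ver / 65536))
                ComputerVer = [int]($ver % 65536)
            }
        }
    }
}

# Usage: list what was applied to the current user, in the order it was applied
Get-GpoHistory -Target User | Sort-Object Extension, Order |
    Format-Table Extension, Order, DisplayName, Link, UserVer, ComputerVer -AutoSize
```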
for simulating the RSoP
Refreshing GPO Settings on a Computer
You’ve made some changes to a GPO and want to apply them to a computer by refreshing the group policies for the computer.

Using a command-line interface

On a Windows XP or newer computer, use this command:
> gpupdate [/target:{Computer | User}]
On Windows 2000, use this command:
> secedit /refreshpolicy [machine_policy | user_policy]

Using PowerShell

update-SDMgp -Target "<Machine FQDN>"
By default, Group Policy settings will refresh automatically every 5 minutes on a domain controller and every 90 minutes on clients and member servers. To force GPO settings to refresh sooner than that, you will need to run the gpupdate utility on the client computer. The new gpupdate command is a much-needed improvement over the older secedit utility that was used to refresh Group Policy in Windows 2000. With gpupdate, you can force all settings to be applied with the /force option (the default is only changed settings). You can apply the computer or user settings of GPOs using the /target option, and you can force a logoff or reboot after the settings have been applied using the /logoff and /boot options.

Using PowerShell

The update-SDMgp cmdlet includes a number of optional switches that map to the gpupdate.exe command-line option, including -Computer, -User, -Force, -Logoff, -Boot, -Sync. In addition, you can use the -Username and -Password switches to provide alternate credentials to connect to the remote computer.
MS KB 298444 (A Description of the Group Policy Update Utility)
Restoring a Default GPO
You’ve made changes to the Default Domain Security Policy, Default Domain Controller Security Policy, or both, and now want to reset them to their original settings.

Using a command-line interface

The following command would replace both the Default Domain Security Policy and Default Domain Controller Security Policy on a Windows Server 2003 domain controller. You can specify Domain or DC instead of Both, to only restore one or the other:
> dcgpofix /target:Both
Note that this must be run from a domain controller in the target domain where you want to reset the GPO.
To re-create the default GPOs in a Windows 2000 domain, download the Windows 2000 Default Group Policy Restore Tool (recreatedefpol.exe) from http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en.
If you’ve made changes to the default GPOs in Windows Server 2003 or newer Active Directory and would like to revert back to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema but the changes have not yet replicated to a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since the new schema version and the updated dcgpofix utility were installed on dc1.
In Windows 2000, the recreatedefpol.exe utility will instruct you to log out after running the utility, and then log back on to complete the process using the administrative account that should be added as an EFS Recovery Agent.
Creating a Fine-Grained Password Policy
You want to create a Fine-Grained Password Policy in a Windows Server 2008 domain.

Using a graphical user interface

  1. Open ADSI Edit. Right-click on the top-level node and click “Connect to…”. In the Connection Settings screen, click OK.
  2. In the right pane, double-click on Default naming context, then double-click on the domain node (i.e., dc=adatum,dc=com).
  3. Browse to CN=System, then CN=Password Settings Container. Right-click on CN=Password Settings Container and click New→Object….
  4. The Create Object screen appears. Click Next. In the Value text box, enter a name for the Fine-Grained Password Policy, such as “20CharacterNoExpiry”. Click Next.
  5. The Password Settings Precedence screen appears. In the Value text box, enter the value for the precedence of the password policy, such as "1". Click Next.
  6. The Password reversible encryption status for user accounts screen appears. In the Value text box, enter FALSE. Click Next.
  7. The Password history length for user accounts screen appears. In the Value text box, enter the number of passwords that should be retained in password history, such as 24. Click Next.
  8. The Password complexity status for user accounts screen appears. In the Value text box, enter TRUE if you want complex passwords enabled, FALSE if you do not. Click Next.
  9. The “Minimum password length for user accounts” screen appears. In the Value text box, enter the minimum length of a password defined by this policy, such as 20. Click Next.
  10. The “Minimum password age for user accounts” screen appears. In the Value text box, enter the minimum age for a password defined by this policy (in days) before it can be changed by the user, in the format D:HH:MM:SS. For a value of 2 days, for example, enter 2:00:00:00. Click Next.
  11. The “Maximum password age for user accounts” screen appears. In the Value text box, enter 0 to configure nonexpiring passwords. (To define the maximum age for a password defined by this policy, enter a value in the same D:HH:MM:SS format as in step 10 after which the password will expire, such as 42:00:00:00.)
Editing a Fine-Grained Password Policy
You want to modify a Fine-Grained Password Policy in a Windows Server 2008 domain.

Using a graphical user interface

  1. Open ADSI Edit. Right-click on the top-level node and click “Connect to…”. In the Connection Settings screen, click OK.
  2. In the right pane, double-click on Default naming context, then double-click on the domain node (i.e., dc=adatum,dc=com).
  3. Browse to CN=System, then CN=Password Settings Container.
  4. Right-click on the PSO that you wish to modify and click Properties.
  5. Click Finish.

Using a command-line interface

The following command renames a PasswordSettingsObject:
psomgr -rename newname -pso oldname -forreal
The following modifies a PSO’s maximum password age to 60 days:
psomgr -mod -pso TestPSO -pwdlen 60 -forreal
The following adds the Marketing group to the list of groups that a PSO will apply to:
psomgr -applyto CN=Marketing,CN=Users,DC=ADATUM,DC=COM -pso TestPSO -forreal
The following removes the Marketing group from the list of groups that a PSO will apply to:
psomgr -unapplyto CN=Marketing,CN=Users,DC=ADATUM,DC=COM -pso TestPSO -forreal
You can also use the Domain\sAMAccountName syntax instead of a distinguished name.

Using PowerShell

The following renames a PSO using the AD cmdlets:
rename-QADObject -Identity <PSO DN> -NewName <New PSO CN>
To rename a PSO using the .NET methods, use the following:
$objPSO = [System.DirectoryServices.DirectoryEntry] "LDAP://<PSO DN>"
$newName = "<New Value of 'name' Attribute>"
$objPSO.psbase.Rename($newName)
To add a group to the list of groups that a PSO will apply to, use the following syntax:
Add-QADPasswordSettingsObjectAppliesTo -Identity <PSO DN> -AppliesTo <Group DN>
To remove a group from the list of groups that a PSO will apply to, use the following syntax:
Remove-QADPasswordSettingsObjectAppliesTo -Identity <PSO DN> -AppliesTo <Group DN>
Once a PasswordSettingsObject has been created, you can modify the password and account lockout settings controlled by the object, as well as the users and groups that the PSO should apply to. Since the
Viewing the Effective PSO for a User
You want to determine which PSO is in effect for a particular user.

Using a graphical user interface

  1. Open Active Directory Users and Computers. Click on View and confirm that there is a checkmark next to Advanced Features.
  2. Browse to the user or group in question; right-click on the object and click Properties.
  3. Click on the Attribute Editor tab. Click Filter, and confirm that there is a checkmark next to Show read-only attributes: Constructed and Backlinks.
  4. Scroll to the msDS-PSOApplied attribute.
  5. Click OK.

Using a command-line interface

psomgr.exe -effective <User DN>

Using PowerShell

get-QADUser -Identity <UserDN> -IncludedProperties msDS-ResultantPSO | format-list dn,msDS-ResultantPSO
Within a Windows Server 2008 domain, each user object contains a constructed backlink attribute called msDS-ResultantPSO that indicates which PasswordSettingsObject is in effect for that user. The precedence rules for PasswordSettingsObjects are as follows:
  1. If a PSO has been applied directly to the user object, it will take precedence. If multiple PSOs have been applied to a single user, the following tiebreakers will be used:
    • A PSO with a lower-numbered Precedence attribute (e.g., 5) will be applied over a higher-numbered one (e.g., 50).
    • If multiple PSOs have been configured with the same Precedence attribute, the PSO with the lowest GUID will take final precedence.
  2. If no PSOs have been applied directly to the user, any PSO that has been applied to a group that the user is a member of, whether directly or indirectly, will be applied. The same tiebreakers will be used here as in #1, above.
  3. If no PSOs have been applied to the user or any groups that the user is a member of, the default domain PSO will be applied.
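The three precedence rules above, as an added worked example that is not the book's code: a small Python resolver that picks the effective PSO for a user from constructed PSO and group data, applying the lower-Precedence and lowest-GUID tiebreakers. It assumes group membership has already been expanded to include nested groups, and it orders GUIDs by their integer value, which is an assumption about how "lowest GUID" is compared.

```python
"""Resolve the effective PSO for a user by the book's precedence rules.

Added example, not the book's code: the PSOs and users are constructed
stand-ins, and nothing here talks to a domain controller.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class PSO:
    """Stand-in for a msDS-PasswordSettings object."""
    name: str
    precedence: int              # msDS-PasswordSettingsPrecedence; lower wins
    guid: uuid.UUID              # objectGUID; lowest wins on a precedence tie
    applies_to: frozenset[str]   # DNs listed in msDS-PSOAppliesTo


@dataclass(frozen=True)
class User:
    dn: str
    groups: frozenset[str]       # DNs of ALL groups, nested membership already expanded


def pick_winner(candidates: list[PSO]) -> PSO:
    """Tiebreakers from the text: lowest Precedence value, then lowest GUID.

    Assumption: 'lowest GUID' is compared on the GUID's integer value.
    """
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


def resolve_effective_pso(user: User, psos: list[PSO]) -> tuple[PSO | None, str]:
    """Return (winning PSO or None, rule that fired).

    None means no PSO applies and the domain default is in effect,
    i.e. msDS-ResultantPSO would be empty.
    """
    # Rule 1: PSOs linked directly to the user object win outright,
    # even over a group-linked PSO with a lower Precedence value.
    direct = [p for p in psos if user.dn in p.applies_to]
    if direct:
        return pick_winner(direct), "direct"
    # Rule 2: otherwise any PSO linked to a group the user belongs to.
    via_group = [p for p in psos if p.applies_to & user.groups]
    if via_group:
        return pick_winner(via_group), "group"
    # Rule 3: fall back to the domain default.
    return None, "default"


# --- constructed sample data (not real directory objects) ---
ADMINS = "cn=Domain Admins,cn=Users,dc=adatum,dc=com"
SERVICE = "cn=Service Accounts,ou=Groups,dc=adatum,dc=com"
ALICE = "cn=alice,ou=People,dc=adatum,dc=com"
BOB = "cn=bob,ou=People,dc=adatum,dc=com"
CAROL = "cn=carol,ou=People,dc=adatum,dc=com"

SAMPLE_PSOS = [
    PSO("Admins-PSO", 10, uuid.UUID(int=0x30), frozenset({ADMINS})),
    PSO("Service-PSO", 5, uuid.UUID(int=0x40), frozenset({SERVICE})),
    # Two PSOs linked straight to alice with the same Precedence: the GUID decides.
    PSO("Alice-PSO-A", 50, uuid.UUID(int=0x20), frozenset({ALICE})),
    PSO("Alice-PSO-B", 50, uuid.UUID(int=0x10), frozenset({ALICE})),
]
SAMPLE_USERS = {
    "alice": User(ALICE, frozenset({ADMINS})),
    "bob": User(BOB, frozenset({ADMINS, SERVICE})),
    "carol": User(CAROL, frozenset()),
}


def effective_pso_name(user_key: str) -> tuple[str, str]:
    """Wrapper over the sample data: (PSO name or 'Default Domain Policy', rule)."""
    pso, rule = resolve_effective_pso(SAMPLE_USERS[user_key], SAMPLE_PSOS)
    return (pso.name if pso else "Default Domain Policy"), rule


if __name__ == "__main__":
    for key in SAMPLE_USERS:
        print(key, "->", effective_pso_name(key))
```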
Recipes and and Chapter 9 of Active
End of preview. The remaining content of this section is not viewable here.
Chapter 10: Schema
Preview
The Active Directory schema contains the blueprint for how objects are structured and secured, what data they can contain, and even how they can be viewed. Having a good understanding of the schema is paramount for any Active Directory administrator, designer, or architect. Understanding key concepts, such as class inheritance, class types, attribute syntax, and attribute indexing options is critical to being able to adequately design an Active Directory infrastructure and should be considered mandatory for any developer who is writing applications or automation scripts that utilize Active Directory.
If you are one of the lucky few who is designated as a schema administrator (i.e., a member of the Schema Admins group), then the importance of the schema is already well known to you. This chapter serves as a guide to accomplishing many of the day-to-day tasks of schema administrators. For a more in-depth discussion of the schema, we suggest reading Active Directory, Fourth Edition, by Brian Desmond et al.
An interesting feature of Active Directory not common among other LDAP implementations is that the schema is stored within Active Directory itself as a set of objects. This means that you can use similar interfaces and programs to manage the schema as you would any other type of object, without any need to shut down or restart Active Directory.
All schema objects are stored in the Schema container (for example, cn=schema,cn=configuration, <ForestRootDN>). The schema is comprised of two classes of objects, classSchema and attributeSchema. Unsurprisingly, the classSchema objects define classes and attributeSchema objects define attributes. The Schema container contains a third type of object called subSchema, also known as the abstract schema, which is defined in the LDAP version 3 specification (RFC 2251). There is only a single subSchema object in the Schema container, named cn=Aggregate, and it contains a summary of the entire schema.
End of preview. The remaining content of this section is not viewable here.
Registering the Active Directory Schema MMC Snap-in
Preview
You want to use the Active Directory Schema MMC snap-in for the first time on an administrative computer.
Before you can use the Active Directory Schema MMC snap-in, you have to register the DLL associated with it. This can be done with the regsvr32 utility using the following command:
> regsvr32 schmmgmt.dll
If the command is successful, you’ll see the following message:
DllRegisterServer in schmmgmt.dll succeeded.
Most of the Active Directory MMC snap-ins do not require that you manually register the associated DLL. Microsoft requires this with the Active Directory Schema snap-in, however, due to the sensitive nature of modifying the schema. This doesn’t actually do much to prevent users from using it, but at least it isn’t available by default. And regardless, only members of the Schema Admins group have permission to modify the schema anyway, so making this snap-in available should not pose any risk.
The schmmgmt.dll file is installed as part of the adminpak.msi Administrative Tools installer in Windows 2000, XP, and Windows Server 2003, or else it is installed by default on domain controllers when they are first promoted. It is also installed with the Remote Server Administration Tool (RSAT) for Windows Vista workstations. If you want to use the Schema snap-in on a domain member server or workstation machine and you have not installed the adminpak.msi package or RSAT, you’ll need to specify the full path to schmmgmt.dll when using regsvr32.
MS KB 320337 (How to Manage the Active Directory Schema in Windows 2000) and MS KB 326310 (How to Manage the Active Directory Schema in Windows Server 2003 Enterprise Edition)
End of preview. The remaining content of this section is not viewable here.
Enabling Schema Updates
Preview
This is necessary only when the Schema FSMO role owner is running Windows 2000.
You want to enable schema modifications on a Windows 2000 Schema FSMO. This is a necessary first step before you can extend the schema.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. Click on Active Directory Schema in the left pane.
  3. Right-click on Active Directory Schema and select Operations Master.
  4. Check the box beside “Allow schema modifications.”
  5. Click OK.

Using a command-line interface

To enable modifications to the schema, use the following command:
> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters /t REG_DWORD /v "Schema Update Allowed" /d 1
To disable modifications to the schema, use the following command:
> reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters /v "Schema Update Allowed" /f

Using VBScript

' This code enables or disables schema mods on Schema FSMO.
' ------ SCRIPT CONFIGURATION ------
' TRUE to enable schema mods and FALSE to disable
boolSetReg = TRUE

' Name of the Schema FSMO or "." to run locally
strDC = "<SchemaFSMOName>"
' ------ END CONFIGURATION --------

const HKEY_LOCAL_MACHINE = &H80000002
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
strKeyPath   = "System\CurrentControlSet\Services\NTDS\Parameters"
strValueName = "Schema Update Allowed"

if boolSetReg = TRUE then
   strValue = 1
   intRC = objReg.SetDWORDValue(HKEY_LOCAL_MACHINE,strKeyPath, _
                                strValueName,strValue)
   if intRC > 0 then
      WScript.Echo "Error occurred: " & intRC
   else
      WScript.Echo strValueName & " value set to " & strValue
   end if
else
   intRC = objReg.DeleteValue(HKEY_LOCAL_MACHINE,strKeyPath,strValueName)
   if intRC > 0 then
      WScript.Echo "Error occurred: " & intRC
   else
      WScript.Echo strValueName & " value deleted"
   end if
end if
When the Schema FSMO role owner is running Windows 2000, you must explicitly enable schema modifications on the server before extending the schema. To enable this, you need to create a key value called
End of preview. The remaining content of this section is not viewable here.
Generating an OID to Use for a New Class or Attribute
Preview
You want to generate an OID to use with a new class or attribute that you intend to add to the schema.
To implement schema extensions for production use, you should use an OID from your company or organization’s OID branch. To determine if your company already has an assigned OID, see these sites:
If your organization does not have an assigned OID, go to your country’s national registry to request one. The list of registries can be found at the following site: http://www.iso.ch/iso/en/aboutiso/isomembers/index.html.
Once you have a base OID, you can create branches from that OID however you want. For example, if you had a base OID of 1.2.3.4, you could start new class OIDs under 1.2.3.4.1 and new attributes under 1.2.3.4.2. In that case, the first class OID you would create would be 1.2.3.4.1.1 and the first attribute OID would be 1.2.3.4.2.1.
An OID is nothing more than a string of numbers separated by periods (.). OIDs were initially defined by the ITU-T in X.208 and have been used to uniquely identify a variety of things, including SNMP MIB objects and LDAP schema classes and attributes. OIDs are hierarchical, and the national registries are responsible for managing and assigning OID branches.
for more on enabling schema updates
End of preview. The remaining content of this section is not viewable here.
Extending the Schema
Preview
You want to extend the schema to support new classes and attributes in Active Directory.
Extending the schema is a straightforward process that consists of adding new classes or attributes, or modifying existing ones in the schema. While extending the schema is not hard, due to the sensitive nature of the schema you should implement a schema extension process that thoroughly tests any extensions before you put them in your production forest. Here is a suggested summary of what your schema extension process should be:
  1. Meet with clients and determine if there is a business justification for integrating their application with Active Directory. Determine if there are any existing attributes that would fulfill the desired requirements.
  2. Examine the extensions and determine what impact, if any, they will have on your Active Directory environment (e.g., adding an attribute to the global catalog).
  3. Try out the extensions in a test environment. Observe any peculiarities.
  4. Document the extensions.
  5. Extend the schema in your production Active Directory.
For more information on defining a schema extension process, see Chapter 12 of Active Directory.
One thing to be cautious of when developing a schema extension process is not to make it an overly bureaucratic process that can require several weeks to complete. At the same time, you want to ensure that any schema changes that you make are well thought out, tested, and documented thoroughly to avoid encountering issues later. While some organizations may want to strictly limit schema extensions, there is nothing inherently bad about properly extending the schema; it is one of the core features and advantages over Active Directory’s predecessor, Windows NT 4.0.
for adding a new attribute, for adding a new class, and MS KB 283791 (How to Modify Schema Information Using the Ldifde Utility)
End of preview. The remaining content of this section is not viewable here.
Preparing the Schema for an Active Directory Upgrade
Preview
You want to prepare the Active Directory schema for an application installation, such as an Active Directory upgrade.

From a graphical user interface

To prepare your Active Directory forest for a Windows upgrade, do the following:
  1. Log on to the Schema Master FSMO of your AD forest.
  2. Click Start→Run or open a command prompt.
  3. Run the command adprep /forestprep. Read the warning message that appears and press C, followed by Enter.
To determine whether adprep /forestprep has completed for a Windows Server 2003 upgrade, check for the existence of the following object, where <ForestRootDN> is the distinguished name of the forest root domain:
cn=Windows2003Update,cn=ForestUpdates,cn=Configuration,<ForestRootDN>
To determine whether adprep /forestprep has completed for a Windows Server 2008 upgrade, check for the existence of the following object, where <ForestRootDN> is the distinguished name of the forest root domain:
cn=ActiveDirectoryUpdate,cn=ForestUpdates,cn=Configuration,<ForestRootDN>
To extend an Active Directory domain to prepare for a Windows Server 2003 or Windows Server 2008 upgrade, follow these steps:
  1. Log on to the Infrastructure Master FSMO for the domain.
  2. Click Start→Run or open a command prompt.
  3. Run the command adprep /domainprep. Read the warning message that appears and press C, followed by Enter.
Just like some third-party applications, major upgrades to the Windows operating system itself will usually require that the Active Directory schema be extended with new classes and attributes. To automate this process, Active Directory includes the adprep utility to perform these modifications. adprep needs to be run once for the entire forest using the /forestprep switch and once for each domain that will be upgraded using the /domainprep switch. In the case of a Windows Server 2003 upgrade, you can view the schema extensions that will be performed by this utility by looking at the
End of preview. The remaining content of this section is not viewable here.
Documenting Schema Extensions
Preview
You want to document your schema extensions.
There are several different ways you can document schema extensions. If you require LDIF files of the schema extensions before you extend the schema, you can use the files themselves as a simple self-documenting system. You can put comments in LDIF files by putting # at the beginning of a line, or else use the new schema analyzer functionality available with Active Directory Application Mode (ADAM, referred to as the Active Directory Lightweight Directory Service, or AD LDS, in Windows Server 2008). We recommend a combination of these options, and recommend that any company that needs to extend the schema of their customer’s Active Directory should include LDIF files, regardless of whether you use that method to actually extend the schema.
The AD Schema Analyzer is a useful new tool that can document your existing schema, as well as create a file to help you modify the schema. To use the Schema Analyzer, do the following:
  1. In Windows Server 2003, click Start→All Programs→ADAM→ADAM Tools Command Prompt. In Windows Server 2008, open a command prompt and cd to the Windows\ADAM directory. Run the program adschemaanalyzer from the command prompt.
  2. Click File→Load target schema. To load the current Active Directory schema, enter your username, password, and domain name, and then click OK.
  3. Click File→Load base schema. Enter your username, password, and domain name, and then click OK.
  4. Place a checkmark next to each class, attribute, and property set that you wish to export.
  5. Click File→Create LDIF file. Enter a path and name of the file to export, and click Save.
There are no hard and fast rules for documenting schema extensions. Documenting schema extensions in some fashion, even a rudimentary one, should be a requirement of any schema extension process you adopt. If you have the resources and time, you can even develop a much more elaborate documentation system using the Web or even an object-modeling system.
End of preview. The remaining content of this section is not viewable here.
Adding a New Attribute
Preview
You want to add a new attribute to the schema.
For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See for more information.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, right-click on the Attributes folder and select Create Attribute.
  3. Click the Continue button to confirm that you want to extend the schema.
  4. Enter the information for the new attribute.
  5. Click OK.

Using a command-line interface

You can create new attributes by using ldifde and an LDIF file that contains the properties to be set on the attribute. The following text shows a sample LDIF file called create_attr.ldf that creates an attribute called adatum-LanguagesSpoken:
dn: cn=adatum-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
changetype: add
objectclass: attributeSchema
lDAPDisplayName: adatum-LanguagesSpoken
attributeId: 1.3.6.1.4.1.999.1.1.28.3
oMSyntax: 20
attributeSyntax: 2.5.5.4
isSingleValued: FALSE
searchFlags: 1
description: Languages a user speaks
Then run the following command:
> ldifde -v -i -f create_attr.ldf
You can also use AdMod to add a schema attribute as follows:
> admod -schema -rb cn=adatum-LanguagesSpoken
     objectClass::attributeSchema
     lDAPDisplayName::adatum-LanguagesSpoken
     attributeId::1.3.6.1.4.1.999.1.1.28.3
     omSyntax::20
     attributeSyntax::2.5.5.4
     isSingleValued::FALSE
     searchFlags::1
     description::"Languages a user speaks"
     -add

Using VBScript

' This code illustrates how to create an attribute
' called adatum-LanguagesSpoken.

set objRootDSE = GetObject("LDAP://RootDSE")
set objSchemaCont = GetObject("LDAP://" & _
                             objRootDSE.Get("schemaNamingContext") )
set objAttr = objSchemaCont.Create("attributeSchema", _
                                  "cn=adatum-LanguagesSpoken")
objAttr.Put "lDAPDisplayName", "adatum-LanguagesSpoken"
objAttr.Put "attributeId", "1.3.6.1.4.1.999.1.1.28.3"
objAttr.Put "oMSyntax", 20
objAttr.Put "attributeSyntax", "2.5.5.4"
objAttr.Put "isSingleValued", FALSE
objAttr.Put "description", "Languages a user speaks"
objAttr.Put "searchFlags", 1 ' index the attribute
objAttr.SetInfo
WScript.Echo "Attribute created"
End of preview. The remaining content of this section is not viewable here.
Viewing an Attribute
Preview
You want to view the properties of an attribute.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Attributes folder.
  3. In the right pane, double-click the attribute you want to view.
  4. Click on each tab to view the available properties.

Using a command-line interface

In the following command, replace <AttrCommonName> with the common name (not LDAP display name) of the attribute you want to view:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -attr * -filter "(&(objectcategory=attributeSchema)(cn=<AttrCommonName>))"
You can also use AdFind to view the properties of an attribute as follows:
> adfind -schema -f (ldapdisplayname=<AttributeName>)
You can also use a shortcut syntax for this command, as follows:
> adfind -sc s:<AttributeName>

Using VBScript

' This code displays the attributes for the specified attributeSchema object.
' Refer to  for the DisplayAttributes() function code.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g. surname
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
objAttr.GetInfo
WScript.Echo "Properties for " & strAttrName & ":"
DisplayAttributes(objAttr.ADsPath)

Using PowerShell

You can view the properties of a schema attribute using the Quest AD cmdlets or native ADSI commands, as follows:
$attr = get-QADObject -LdapFilter "(&(objectcategory=attributeSchema)(cn=<AttrCommonName>))"
$attr.psbase.getProperties() | format-table PropertyName, Value

$strAttrName = "<AttrCommonName>"  # e.g., surname

$root = [ADSI]"LDAP://RootDSE"
$obj = [ADSI]("LDAP://cn=" + $strAttrName + "," + $root.schemaNamingContext)
$obj.psbase.Properties | ft PropertyName, Value
In the CLI and VBScript solutions, we mention that you need to specify the common name (or cn) of the attribute you want to view. The common name is a source of confusion for many people. For example, the
End of preview. The remaining content of this section is not viewable here.
Adding a New Class
Preview
You want to add a new class to the schema.
For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See for more information.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, right-click on the Classes folder and select “Create Class…”.
  3. Click the Continue button to confirm that you want to extend the schema.
  4. Enter the information for the new class and click Next.
  5. Enter any mandatory and optional attributes and click Finish.

Using a command-line interface

You can create new classes by using ldifde and an LDIF file that contains the properties to be set on the class. The following text shows a sample LDIF file called create_class.ldf that creates a class called adatum-SalesUser:
dn: cn=adatum-SalesUser,cn=schema,cn=configuration,<ForestRootDN>
changetype: add
objectclass: classSchema
lDAPDisplayName: adatum-SalesUser
governsId: 1.3.6.1.4.1.999.1.1.28.4
objectClassCategory: 3
subClassOf: top
description: Auxiliary class for Sales user attributes
adminDescription: Auxiliary class for Sales user attributes
mayContain: adatum-Building
mayContain: adatum-Theatre
Then run the following command:
> ldifde -v -i -f create_class.ldf
You can also add a new class using AdMod, as follows:
> admod -schema -rb cn=adatum-SalesUser
    objectclass::classSchema lDAPDisplayName::adatum-SalesUser
    governsId::1.3.6.1.4.1.999.1.1.28.4 objectClassCategory::3
    subClassOf::top
    description::"Auxiliary class for Sales user"
    adminDescription::"Auxiliary class for Sales user"
    mayContain::adatum-Building;adatum-Theatre
    -add

Using VBScript

' This code creates a class in the schema called adatum-SalesUser.
' It is assumed that the script is being run by a member of Schema Admins

set objRootDSE = GetObject("LDAP://RootDSE")
set objSchemaCont = GetObject("LDAP://" & _
                              objRootDSE.Get("schemaNamingContext") )
set objClass = objSchemaCont.Create("classSchema", _
                                    "cn=adatum-SalesUser")
objClass.Put "lDAPDisplayName", "adatum-SalesUser"
objClass.Put "governsId", "1.3.6.1.4.1.999.1.1.28.4"
objClass.Put "objectClassCategory", 3
objClass.Put "subClassOf", "top"
objClass.Put "adminDescription", "Auxiliary class for Sales user attributes"
objClass.Put "mayContain", Array("adatum-Building","adatum-Theatre")
objClass.SetInfo
WScript.Echo "Class created"
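The create_attr.ldf and create_class.ldf files in the two recipes above share a fixed shape, and a schema import fails on a malformed OID or on an attributeSyntax/oMSyntax pair that does not belong together. As an added example that is not the book's code, this Python helper emits both kinds of LDIF from parameters and rejects those two mistakes before ldifde ever runs; the syntax pairings and the base64 rule for LDIF values follow the AD schema documentation and RFC 2849, and the sample values are the book's adatum-LanguagesSpoken and adatum-SalesUser.

```python
"""Generate attributeSchema / classSchema LDIF for ldifde, with pre-flight checks.

Added example, not the book's code. It only builds text; feed the result
to `ldifde -v -i -f <file>` as the recipes show.
"""
import base64
import re

# attributeSyntax OID -> the oMSyntax that goes with it. A DC rejects an
# attributeSchema whose pair does not match, so catch it before the import.
SYNTAXES = {
    "2.5.5.1": 127,   # Distinguished Name
    "2.5.5.4": 20,    # Case-insensitive (Teletex) string; the book's example
    "2.5.5.8": 1,     # Boolean
    "2.5.5.9": 2,     # Integer
    "2.5.5.10": 4,    # Octet string
    "2.5.5.11": 24,   # Generalized time
    "2.5.5.12": 64,   # Unicode string (DirectoryString)
    "2.5.5.16": 65,   # Large integer
}
# Dotted OID: first arc 0-2, at least two more arcs, decimal, no leading zeros.
OID_RE = re.compile(r"^[0-2](\.(0|[1-9][0-9]*)){2,}$")
SCHEMA_RDNS = "cn=schema,cn=configuration"


def ldif_line(attr: str, value) -> str:
    """One LDIF attribute line; base64-encode values RFC 2849 does not allow in the clear."""
    if isinstance(value, bool):
        text = "TRUE" if value else "FALSE"       # AD boolean syntax
    else:
        text = str(value)
    unsafe = (text[:1] in (" ", ":", "<") or not text.isascii()
              or any(c in text for c in "\r\n\0"))
    if text and unsafe:
        return f"{attr}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {text}"


def check_oid(oid: str) -> str:
    """Raise ValueError on an OID a DC would refuse (e.g. a leading-zero arc)."""
    if not OID_RE.match(oid):
        raise ValueError(f"malformed OID: {oid!r}")
    return oid


def attribute_ldif(cn, ldap_display_name, attribute_id, attribute_syntax, *,
                   single_valued=False, search_flags=0, description="",
                   forest_root_dn="<ForestRootDN>") -> str:
    """LDIF in the shape of create_attr.ldf above."""
    if attribute_syntax not in SYNTAXES:
        raise ValueError(f"unknown attributeSyntax {attribute_syntax!r}")
    lines = [
        ldif_line("dn", f"cn={cn},{SCHEMA_RDNS},{forest_root_dn}"),
        "changetype: add",
        ldif_line("objectClass", "attributeSchema"),
        ldif_line("lDAPDisplayName", ldap_display_name),
        ldif_line("attributeId", check_oid(attribute_id)),
        ldif_line("oMSyntax", SYNTAXES[attribute_syntax]),   # derived, never typed by hand
        ldif_line("attributeSyntax", attribute_syntax),
        ldif_line("isSingleValued", single_valued),
        ldif_line("searchFlags", search_flags),
    ]
    if description:
        lines.append(ldif_line("description", description))
    return "\n".join(lines) + "\n"


def class_ldif(cn, ldap_display_name, governs_id, *, category=3, sub_class_of="top",
               must_contain=(), may_contain=(), description="",
               forest_root_dn="<ForestRootDN>") -> str:
    """LDIF in the shape of create_class.ldf above (1=structural, 2=abstract, 3=auxiliary)."""
    if category not in (1, 2, 3):
        raise ValueError(f"objectClassCategory must be 1, 2 or 3, not {category!r}")
    lines = [
        ldif_line("dn", f"cn={cn},{SCHEMA_RDNS},{forest_root_dn}"),
        "changetype: add",
        ldif_line("objectClass", "classSchema"),
        ldif_line("lDAPDisplayName", ldap_display_name),
        ldif_line("governsId", check_oid(governs_id)),
        ldif_line("objectClassCategory", category),
        ldif_line("subClassOf", sub_class_of),
    ]
    if description:
        lines.append(ldif_line("description", description))
    lines += [ldif_line("mustContain", a) for a in must_contain]
    lines += [ldif_line("mayContain", a) for a in may_contain]   # one line per value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(attribute_ldif("adatum-LanguagesSpoken", "adatum-LanguagesSpoken",
                         "1.3.6.1.4.1.999.1.1.28.3", "2.5.5.4",
                         search_flags=1, description="Languages a user speaks"))
    print(class_ldif("adatum-SalesUser", "adatum-SalesUser", "1.3.6.1.4.1.999.1.1.28.4",
                     may_contain=("adatum-Building", "adatum-Theatre"),
                     description="Auxiliary class for Sales user attributes"))
```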
End of preview. The remaining content of this section is not viewable here.
Viewing a Class
Preview
You want to view the attributes of a class.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Classes folder.
  3. In the right pane, double-click the class you want to view.
  4. Click on each tab to view the available properties.

Using a command-line interface

In the following command, replace <ClassCommonName> with the common name (not LDAP display name) of the class you want to view:
> dsquery * cn=<ClassCommonName>,cn=schema,cn=configuration,<ForestRootDN> -scope base -attr *
You can also use AdFind to view the properties of a class as follows:
> adfind -schema -rb cn=<ClassCommonName>
You can also use a shortcut syntax for this command, as follows:
> adfind -sc s:<ClassCommonName or ClassLDAPDisplayName>

Using VBScript

' This code prints out the attributes for the specified class.
'  for the code for the DisplayAttributes() function.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name)
' of the class you want to view.
strClassName = "<ClassCommonName>" ' e.g. user
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objClass = GetObject("LDAP://cn=" & strClassName & "," & _
                         objRootDSE.Get("schemaNamingContext"))
objClass.GetInfo
WScript.Echo "Properties for " & strClassName
DisplayAttributes(objClass.ADsPath)

Using PowerShell

$objClass = get-QADObject -Identity "cn=<ClassName>,cn=schema,cn=Configuration,<ForestRootDN>"
$objClass.psbase.getProperties() | format-table PropertyName, Value

$strClassName = "<ClassCommonName>"  # e.g. user

$root = [ADSI]"LDAP://RootDSE"
$obj = [ADSI]("LDAP://cn=" + $strClassName + "," + $root.schemaNamingContext)
$obj.psbase.Properties | ft PropertyName, Value
See , at the beginning of this chapter, for a list of the important classSchema attributes and their descriptions.
for viewing the attributes of an object
End of preview. The remaining content of this section is not viewable here.
Indexing an Attribute
Preview
You want to index an attribute so that searches using that attribute are faster.
For Windows 2000 Active Directory you need to enable schema modifications before proceeding. See for more information.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Attributes folder.
  3. In the right pane, double-click the attribute you want to index.
  4. Check the box beside “Index this attribute in the Active Directory.”
  5. Click OK.

Using a command-line interface

You can index an attribute by using the ldifde utility and an LDIF file that contains the following:
dn: cn=<AttrCommonName>,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: searchFlags
searchFlags: 1
-
If the LDIF file were named index_attribute.ldf, you would run the following command:
> ldifde -v -i -f index_attribute.ldf
You can also enable the appropriate searchFlags value using admod, as follows:
> admod -schema -rb cn=<AttrCommonName> searchFlags::1

Using VBScript

' This code indexes an attribute.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g. adatum-LanguagesSpoken
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
objAttr.Put "searchFlags", 1
objAttr.SetInfo
WScript.Echo "Indexed attribute: " & strAttrName
The CLI and VBScript solutions assume that searchFlags wasn’t previously set; if a value is present, they just blindly overwrite it. See for a better solution that will enable the bit value you want without overwriting any previous settings.

Using PowerShell

To set the searchFlags bit value using a bitwise OR operation, use the following syntax:
$strAttrName = "<AttrCommonName>"  # e.g. adatum-LanguagesSpoken

$root = [ADSI]"LDAP://RootDSE"
$objAttr = [ADSI]("LDAP://cn=" + $strAttrName + "," + $root.schemaNamingContext)
$objAttr.put("searchFlags", $objAttr.searchFlags.Value -bor 1)
$objAttr.setInfo()
End of preview. The remaining content of this section is not viewable here.
Modifying the Attributes That Are Copied When Duplicating a User
Preview
You want to add an attribute to the list of attributes that are copied when duplicating a user with the ADUC snap-in.
For Windows 2000 Active Directory you need to enable schema modifications before proceeding. See for more information.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Attributes folder.
  3. In the right pane, double-click the attribute you want to edit.
  4. Check the box beside “Attribute is copied when duplicating a user.”
  5. Click OK.

Using a command-line interface

You can cause an attribute to get copied when duplicating a user by using the ldifde utility and an LDIF file that contains the following:
dn: cn=adatum-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: searchFlags
searchFlags: 16
-
If the LDIF file were named add_dup_user_attr.ldf, you would run the following command:
> ldifde -v -i -f add_dup_user_attr.ldf
You can also modify the searchFlags attribute using AdMod, as follows:
> admod -b <AttributeDN> searchFlags::16

Using VBScript

' This code adds an attribute to the list of
' attributes that get copied when duplicating a user.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g. adatum-LanguagesSpoken
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
objAttr.Put "searchFlags", 16
objAttr.SetInfo
WScript.Echo "New copied attribute: " & strAttrName
The CLI and VBScript solutions assume that searchFlags wasn’t previously set; if a value is present, they just blindly overwrite it. See for a better solution that will enable the bit you want without overwriting any previous settings.

Using PowerShell

To set the searchFlags bit value using a bit-wise OR operation, use the following syntax:
$strAttrName = "<AttrCommonName>"  # e.g. adatum-LanguagesSpoken

$root = [ADSI]"LDAP://RootDSE"
$objAttr = [ADSI]("LDAP://cn=" + $strAttrName + "," + $root.schemaNamingContext)
$objAttr.put("searchFlags", $objAttr.searchFlags.Value -bor 16)
$objAttr.setInfo()
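The caution repeated in the indexing recipe and in this one (the LDIF and VBScript solutions overwrite searchFlags, while the PowerShell -bor keeps the bits already set), together with the ANR recipe's rule that an attribute must be indexed before it can be added to ANR, as an added worked example in Python that is not the book's code. It works on constructed integer values rather than a live schema; the two recipes' values, 1 (index) and 16 (copy when duplicating a user), are the ones shown above, and the remaining bit names follow the searchFlags documentation.

```python
"""searchFlags arithmetic for schema attributes: replace vs. OR, plus a sanity check.

Added example, not the book's code; it works on plain integers so it runs
without a directory. Bit names follow the searchFlags documentation.
"""
from enum import IntFlag


class SearchFlags(IntFlag):
    INDEX = 1                 # "Index this attribute in the Active Directory"
    CONTAINER_INDEX = 2       # index per container
    ANR = 4                   # include in Ambiguous Name Resolution; needs INDEX
    PRESERVE_ON_DELETE = 8    # keep the value on the tombstone
    COPY_ON_DUPLICATE = 16    # "Attribute is copied when duplicating a user"
    TUPLE_INDEX = 32          # medial (substring) search index
    SUBTREE_INDEX = 64        # index for VLV / subtree searches
    CONFIDENTIAL = 128        # readable only with an explicit control-access right
    NEVER_AUDIT_VALUE = 256   # value changes are not written to the audit log
    RODC_FILTERED = 512       # member of the filtered attribute set (not on RODCs)


def replace_flags(current: int, new: int) -> int:
    """What `replace: searchFlags` in LDIF and `objAttr.Put "searchFlags", n` do:
    the old value is discarded wholesale, whatever bits it held."""
    return int(new)


def set_flags(current: int, bits: int) -> int:
    """What `$objAttr.searchFlags.Value -bor n` does: add bits, keep the rest."""
    return int(current) | int(bits)


def clear_flags(current: int, bits: int) -> int:
    """Remove bits, keep the rest (the inverse operation the recipes do not show)."""
    return int(current) & ~int(bits)


def describe(flags: int) -> list:
    """Names of the set bits in bit order, e.g. 17 -> ['INDEX', 'COPY_ON_DUPLICATE']."""
    return [m.name for m in SearchFlags if int(flags) & int(m)]


def validate(flags: int) -> list:
    """Problems the snap-in or a DC would complain about (empty list means OK)."""
    problems = []
    if int(flags) & SearchFlags.ANR and not int(flags) & SearchFlags.INDEX:
        problems.append("ANR (4) requires the attribute to be indexed (1) first")
    return problems


def index_then_copy(start: int = 16) -> dict:
    """The indexing recipe applied to an attribute that already carries the
    'copied when duplicating' bit (16): overwriting loses it, OR-ing keeps it."""
    return {
        "replace": replace_flags(start, SearchFlags.INDEX),   # 1: copy flag lost
        "or": set_flags(start, SearchFlags.INDEX),            # 17: both bits kept
    }


if __name__ == "__main__":
    result = index_then_copy(16)
    for how, value in result.items():
        print(f"{how:>7}: {value:3d} -> {describe(value)}")
    print("ANR on 16 :", validate(set_flags(16, SearchFlags.ANR)))
    print("ANR on 17 :", validate(set_flags(17, SearchFlags.ANR)))
```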
End of preview. The remaining content of this section is not viewable here.
Adding Custom Information to ADUC
Preview
You want schema information that you’ve created to be visible in the ADUC MMC snap-in.
This recipe is only required for Windows 2000 and Windows Server 2003. In the Windows Server 2008 version of ADUC, you can access all available attributes for an object using the Attribute Editor tab.

Using VBScript

Set oFileSystem = WScript.CreateObject("Scripting.FileSystemObject")
sSystemFolder = oFileSystem.GetSpecialFolder(1)
Set oRootDSE = GetObject("LDAP://RootDSE")

' The display specifier for US English is 409; modify this
' for another locale if necessary.
Set oCont = GetObject("LDAP://" & "CN=409,CN=DisplaySpecifiers," & _
                      oRootDSE.Get("configurationNamingContext"))
Set oDisp = oCont.GetObject("displaySpecifier", "cn=user-Display")

' Add Attribute Display Names
oDisp.PutEx 3, "attributeDisplayNames", Array("BudgetCode,BudgetCode")
oDisp.SetInfo

' Add this field to the Right-Click Context Menu. Entries have the form
' "<order>,<text>,<script>", so number the new one after any existing entries.
iCount = 0
If Not IsEmpty(oDisp.shellContextMenu) Then
  aMenu = oDisp.GetEx("shellContextMenu")
  iCount = UBound(aMenu) + 1
End If
sNewMenu = CStr(iCount) & ",&Budget code…,budgetshell.vbs"
oDisp.PutEx 3, "shellContextMenu", Array(sNewMenu)
oDisp.SetInfo

' Write the script that the shell context menu entry runs
Set sOutFile = oFileSystem.CreateTextFile(sSystemFolder & "\budgetshell.vbs", True)
sOutFile.WriteLine "Set Args = WScript.Arguments"
sOutFile.WriteLine "Set oUser = GetObject(Args(0))"
sOutFile.WriteLine "MsgBox " & Chr(34) & "Budget Code" & Chr(34) & " & vbCRLF & " & _
                   Chr(34) & "Budget Code: " & Chr(34) & " & oUser.BudgetCode"
sOutFile.WriteLine "Set oUser = Nothing"
sOutFile.WriteLine "WScript.Quit"
sOutFile.Close

' Allow for updates
iCount = 0
If Not IsEmpty(oDisp.adminContextMenu) Then
  aMenu = oDisp.GetEx("adminContextMenu")
  iCount = UBound(aMenu) + 1
End If
sNewMenu = CStr(iCount) & ",&Budget Code…,budgetadmin.vbs"
oDisp.PutEx 3, "adminContextMenu", Array(sNewMenu)
oDisp.SetInfo
MsgBox "Adding Admin Context Menu Program"

' Write the script that the admin context menu entry runs
Set sOutFile = oFileSystem.CreateTextFile(sSystemFolder & "\budgetadmin.vbs", True)
sOutFile.WriteLine "Set Args = WScript.Arguments"
sOutFile.WriteLine "Set oUser = GetObject(Args(0))"
sOutFile.WriteLine "temp = InputBox(" & Chr(34) & "Current Budget Code: " & Chr(34) & _
                   " & oUser.BudgetCode & vbCRLF & " & Chr(34) & "New Budget Code" & Chr(34) & ")"
sOutFile.WriteLine "If temp <> " & Chr(34) & Chr(34) & " Then oUser.Put " & Chr(34) & _
                   "BudgetCode" & Chr(34) & ", temp"
sOutFile.WriteLine "oUser.SetInfo"
sOutFile.WriteLine "Set oUser = Nothing"
sOutFile.WriteLine "WScript.Quit"
sOutFile.Close

Set oDisp = Nothing
Set oCont = Nothing
Set oRootDSE = Nothing
Set oFileSystem = Nothing
WScript.Quit
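Every entry registered through shellContextMenu or adminContextMenu runs the script or program it names on the workstation of whoever picks the menu item, so write access to a display specifier amounts to code execution on administrator desktops. The following PowerShell is an added example, not code from the book: it lists every context-menu and property-page registration in one locale's display specifiers so they can be reviewed. It assumes ADSI on a domain-joined host and uses the attribute names from this recipe plus contextMenu, adminPropertyPages and shellPropertyPages.

```powershell
# Added example (not from the book): list every context-menu and property-page
# registration in one locale's display specifiers. Assumes a domain-joined
# host with ADSI; the locale defaults to 409 (US English) as in the recipe.
function Get-DisplaySpecifierHooks {
    param([string]$Locale = "409")

    $root      = [ADSI]"LDAP://RootDSE"
    $configDN  = $root.configurationNamingContext.Value
    $container = [ADSI]"LDAP://CN=$Locale,CN=DisplaySpecifiers,$configDN"

    # Attributes through which a display specifier registers code for the admin tools
    $hookAttrs = "adminContextMenu", "shellContextMenu", "contextMenu",
                 "adminPropertyPages", "shellPropertyPages"

    foreach ($spec in $container.Children) {
        foreach ($attrName in $hookAttrs) {
            foreach ($entry in @($spec.Properties[$attrName])) {
                if (-not $entry) { continue }
                # Menu entries look like "<order>,<menu text>,<script or program>";
                # property-page entries look like "<order>,<CLSID>"
                $parts  = [string]$entry -split ",", 3
                $target = $parts[-1]
                $text   = ""
                if ($parts.Count -eq 3) { $text = $parts[1] }
                [PSCustomObject]@{
                    Specifier = [string]$spec.Properties["cn"].Value
                    Attribute = $attrName
                    Order     = $parts[0]
                    Text      = $text
                    Target    = $target
                    # A CLSID points at a COM component registered on the admin's machine;
                    # anything else is a script or executable that the admin tool launches
                    IsScript  = -not ($target -match '^\{[0-9A-Fa-f-]{36}\}$')
                }
            }
        }
    }
}

# Usage: review every scripted hook and where its target lives
Get-DisplaySpecifierHooks | Where-Object { $_.IsScript } | Format-Table -AutoSize
```

Scripted entries deserve a look at where the target file lives and who can write to it, and the ACL on the DisplaySpecifiers container itself deserves the same scrutiny, since a change there is picked up by every admin tool in the forest.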
Modifying the Attributes Included with ANR
You want to modify the attributes that are included as part of ANR.
For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See for more information.

Using a graphical user interface

  1. To proceed, you must have first indexed the attribute.
  2. Open the Active Directory Schema snap-in.
  3. In the left pane, click on the Attributes folder.
  4. In the right pane, double-click the attribute you want to edit.
  5. Check the box beside ANR.
  6. Click OK.

Using a command-line interface

You can include an attribute as part of ANR by using the ldifde utility and an LDIF file that contains the following:
dn: cn=adatum-LanguagesSpoken,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: searchFlags
searchFlags: 5
-
If the LDIF file were named add_anr_attr.ldf, you’d run the following command:
> ldifde -v -i -f add_anr_attr.ldf
You can also modify the searchFlags attribute using AdMod, as follows:
> admod -b <AttributeDN> searchFlags::5

Using VBScript

' This code will make an attribute part of the ANR set.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute
strAttrName = "<AttrCommonName>" ' e.g. adatum-LanguagesSpoken
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
' 5 = 1 (indexed) + 4 (ANR); note that this replaces any other searchFlags bits
objAttr.Put "searchFlags", 5
objAttr.SetInfo
WScript.Echo "New ANR attribute: " & strAttrName
The CLI and VBScript solutions assume that searchFlags wasn’t previously set; if a value is present, they just blindly overwrite it. Check out for a better solution that will enable the bit you want without overwriting any previous settings.

Using PowerShell

To set the ANR bit value using a bitwise OR operation, use the following syntax:
$strAttrName = "<AttrCommonName>"  # e.g. adatum-LanguagesSpoken

$root = [ADSI]"LDAP://RootDSE"
$objAttr = [ADSI]("LDAP://cn=" + $strAttrName + "," + $root.schemaNamingContext)
$objAttr.put("searchFlags", $objAttr.searchFlags.Value -bor 5)
$objAttr.setInfo()
Modifying the Set of Attributes Stored on a Global Catalog
You want to add or remove an attribute in the global catalog.
For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See for more information.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Attributes folder.
  3. In the right pane, double-click the attribute you want to edit.
  4. Check the box beside “Replicate this attribute to the Global Catalog” to add the attribute to the global catalog, or uncheck it to remove the attribute from the global catalog.
  5. Click OK.

Using a command-line interface

You can add an attribute to the global catalog by using the ldifde utility and an LDIF file that contains the following:
dn: cn=<AttrCommonName>,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: isMemberOfPartialAttributeSet
isMemberOfPartialAttributeSet: TRUE
-
If the LDIF file were named add_gc_attr.ldf, you would run the following command:
> ldifde -v -i -f add_gc_attr.ldf
You can also modify this property using AdMod, as follows:
> admod -schema -rb cn=<AttrCommonName> isMemberOfPartialAttributeSet::TRUE

Using VBScript

' This code adds an attribute to the global catalog.
' ------ SCRIPT CONFIGURATION ------
' Set to the common name (not LDAP display name) of the attribute.
strAttrName = "<AttrCommonName>" ' e.g. User
' Set to TRUE to add to GC, set to FALSE to remove from GC
boolAddtoGC = TRUE
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objAttr = GetObject("LDAP://cn=" & strAttrName & "," & _
                        objRootDSE.Get("schemaNamingContext"))
objAttr.Put "isMemberOfPartialAttributeSet", boolAddtoGC
objAttr.SetInfo
WScript.Echo "Added attribute to GC: " & strAttrName

Using PowerShell

To add an attribute to the Partial Attribute Set using the Quest cmdlets, use the following:
$boolAddToGC = $true
$attr = get-QADobject -Identity 'cn=<AttributeName>,cn=schema,cn=configuration,<ForestRootDN>' -IncludedProperties 'isMemberOfPartialAttributeSet'
$attr.isMemberOfPartialAttributeSet = $boolAddToGC
Finding Nonreplicated and Constructed Attributes
You want to find the attributes that are not replicated or that are constructed by Active Directory.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a server-less bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a domain user.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the Schema Container DN (for example, cn=schema,cn=configuration,dc=adatum,dc=com).
  11. For Scope, select One Level.
  12. To find nonreplicated attributes, use the following for Filter:
    (&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))
  13. To find constructed attributes, use the following for Filter:
    (&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))
  14. Click Run.

Using a command-line interface

To find the nonreplicated attributes using DSQuery, use the following command:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -attr "cn" -filter "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))"
To find the nonreplicated attributes using AdFind, use the following:
> adfind -sc norepl
To find the constructed attributes using DSQuery, use the following command:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -attr "cn" -filter "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))"
To find the constructed attributes using AdFind, use the following:
> adfind -sc constructed

Using VBScript

' This script will print out the nonreplicated
' and constructed attributes.
set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("SchemaNamingContext") & ">;"
strFilter = "(&(objectcategory=attributeSchema)" _
          & "(systemFlags:1.2.840.113556.1.4.803:=1));"
strAttrs = "cn;"
strScope = "onelevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
WScript.Echo "Nonreplicated attributes: "
while Not objRS.EOF
    Wscript.Echo " " & objRS.Fields(0).Value
    objRS.MoveNext
wend

strFilter = "(&(objectcategory=attributeSchema)" _
          & "(systemFlags:1.2.840.113556.1.4.803:=4));"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
WScript.Echo ""
WScript.Echo "Constructed attributes: "
while Not objRS.EOF
    Wscript.Echo " " & objRS.Fields(0).Value
    objRS.MoveNext
wend
Finding the Linked Attributes
You want to find attributes that are linked.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a server-less bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials of a domain user.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the Schema container DN (e.g., cn=schema,cn=configuration,dc=adatum,dc=com).
  11. For Scope, select One Level.
  12. To find linked attributes, use the following for Filter:
    (&(objectcategory=attributeSchema)(linkid=*))
  13. Click Run.

Using a command-line interface

You can return a list of linked attributes using either the built-in DSQuery tool or AdFind. To use DSQuery, use the following syntax:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -scope onelevel -filter "(&(objectcategory=attributeSchema)(linkid=*))" -attr cn linkID
To return a list of linked attributes with AdFind, use the following:
> adfind -sc linked

Using VBScript

' This code prints out all of the attributes that are linked
' and their corresponding linkID values.
set objRootDSE = GetObject("LDAP://RootDSE")
strBase   = "<LDAP://" & objRootDSE.Get("SchemaNamingContext") & ">;"
strFilter = "(&(objectcategory=attributeSchema)(linkid=*));"
strAttrs  = "cn,linkid;"
strScope  = "onelevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(1).Value & " : " & objRS.Fields(0).Value
    objRS.MoveNext
wend

Using PowerShell

You can obtain linked attribute information using the Quest AD cmdlets or ADSI, as follows:
get-QADObject -SearchRoot "cn=schema,cn=configuration,<ForestRootDN>" -LdapFilter "(&(objectcategory=attributeSchema)(linkId=*))"

function search([string]$searchDN, [string]$localfilter)
{
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $searchDN)
    $searcher.PageSize = 1000
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.Filter = $localfilter

    return $searcher.FindAll()
}

$root = [ADSI]"LDAP://RootDSE"
$filter = "(&(objectcategory=attributeSchema)(linkId=*))"

$results = search $root.schemaNamingContext $filter
foreach ($r in $results) {
    $r.Properties.cn.Item(0).ToString() + " : " + $r.Properties.linkid.Item(0)
}
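The global catalog, nonreplicated, constructed and linked recipes above each run one query for one property. The following PowerShell is an added example, not code from the book: a single DirectorySearcher pass over the schema that reports all of those properties per attribute, together with the searchFlags bits this chapter deals with, so the whole attribute set can be reviewed at once. It assumes ADSI on a domain-joined host; the systemFlags and searchFlags bit meanings are the ones documented in MS-ADTS.

```powershell
# Added example (not from the book): classify every schema attribute in one
# query. Assumes a domain-joined host with ADSI; bit meanings per MS-ADTS.
function Get-SchemaAttributeAudit {
    $root = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]("LDAP://" + $root.schemaNamingContext)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.PageSize    = 1000
    $searcher.Filter      = "(objectCategory=attributeSchema)"
    foreach ($p in "lDAPDisplayName", "systemFlags", "searchFlags", "linkID", "isMemberOfPartialAttributeSet") {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    # First value of a result property, or $default when the attribute is absent
    function First($result, [string]$name, $default) {
        $v = $result.Properties[$name]
        if ($v -and $v.Count -gt 0) { $v[0] } else { $default }
    }

    foreach ($r in $searcher.FindAll()) {
        $sys  = [int](First $r "systemflags" 0)
        $srch = [int](First $r "searchflags" 0)
        $link = First $r "linkid" $null
        [PSCustomObject]@{
            Name          = First $r "ldapdisplayname" ""
            NotReplicated = [bool]($sys -band 1)     # FLAG_ATTR_NOT_REPLICATED
            Constructed   = [bool]($sys -band 4)     # FLAG_ATTR_IS_CONSTRUCTED
            BaseSchema    = [bool]($sys -band 16)    # FLAG_SCHEMA_BASE_OBJECT
            Linked        = $null -ne $link          # linkID present: forward/back link pair
            LinkID        = $link
            InGC          = [bool](First $r "ismemberofpartialattributeset" $false)
            Indexed       = [bool]($srch -band 1)
            ANR           = [bool]($srch -band 4)
            Confidential  = [bool]($srch -band 128)
            InRoFas       = [bool]($srch -band 512)
        }
    }
}

# Usage: which attributes are protected from ordinary readers or from RODCs,
# and which of those are nevertheless copied to every global catalog
Get-SchemaAttributeAudit | Where-Object { $_.Confidential -or $_.InRoFas } |
    Format-Table Name, Confidential, InRoFas, InGC -AutoSize
```

Filtering the same output on NotReplicated or Linked reproduces the two LDP searches above, and a periodic run of this report is a cheap way to notice when a sensitive attribute lost its confidentiality bit or was added to the partial attribute set.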
Finding the Structural, Auxiliary, Abstract, and 88 Classes
You want to list the structural, auxiliary, abstract, and 88 classes.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Classes folder.
  3. In the right pane, the list of all the classes will be displayed. The Type column contains the type of class. Even though you can click on the column header, it currently does not sort the classes by type.

Using a command-line interface

You can return the list of Active Directory classes using either DSQuery or AdFind. DSQuery takes the following syntax:
> dsquery * cn=schema,cn=configuration,<ForestRootDN> -limit 0 -scope onelevel -filter "(objectcategory=classSchema)" -attr lDAPDisplayName objectclasscategory
AdFind requires the following syntax:
> adfind -schema -f "(objectcategory=classSchema)" lDAPDisplayName objectClassCategory

Using VBScript

' This code prints out classes of a particular type
' ------ SCRIPT CONFIGURATION ------
' Set each of the following to TRUE or FALSE depending on whether you
' want to view classes of that type
boolShowStructural = TRUE
boolShowAuxiliary  = TRUE
boolShowAbstract   = TRUE
boolShow88         = TRUE
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objSchemaCont = GetObject("LDAP://cn=schema," & _
                              objRootDSE.Get("configurationNamingContext"))
objSchemaCont.Filter = Array("classSchema")
WScript.Echo "Loading classes, this will take a few seconds."
' objectClassCategory: 0 = 88 class, 1 = structural, 2 = abstract, 3 = auxiliary
for each objClass in objSchemaCont
   WScript.StdOut.Write(".")
   if objClass.Get("objectClassCategory") = 0 then
      str88 = str88 & vbTab & objClass.Get("lDAPDisplayName") & vbCrlf
   elseif objClass.Get("objectClassCategory") = 1 then
      strStruct = strStruct & vbTab & _
                  objClass.Get("lDAPDisplayName") & vbCrlf
   elseif objClass.Get("objectClassCategory") = 2 then
      strAbst = strAbst & vbTab & objClass.Get("lDAPDisplayName") & vbCrlf
   elseif objClass.Get("objectClassCategory") = 3 then
      strAux = strAux & vbTab & objClass.Get("lDAPDisplayName") & vbCrlf
   else
      WScript.Echo "Unknown class type: " & _
                   objClass.Get("lDAPDisplayName") & vbCrlf
   end if
next
WScript.Echo vbCrlf

if boolShowStructural = TRUE then
   WScript.Echo " Structural Classes: "
   WScript.Echo strStruct
   WScript.Echo
end if

if boolShowAbstract = TRUE then
   WScript.Echo " Abstract Classes: "
   WScript.Echo strAbst
   WScript.Echo
end if

if boolShowAuxiliary = TRUE then
   WScript.Echo "Auxiliary Classes: "
   WScript.Echo strAux
   WScript.Echo
end if

if boolShow88 = TRUE then
   WScript.Echo "88 Classes: "
   WScript.Echo str88
   WScript.Echo
end if
Finding the Mandatory and Optional Attributes of a Class
You want to view the mandatory and optional attributes of a class.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Classes folder.
  3. In the right pane, double-click the class you want to view.
  4. Click on the Attributes tab.

Using a command-line interface

You can enumerate the mandatory and optional attributes of a class using either DSQuery or AdFind. DSQuery takes the following syntax:
> dsquery * cn=<ClassCommonName>,cn=schema,cn=configuration,<ForestRootDN> -l -attr mayContain mustContain systemMayContain systemMustContain
To list these attributes using AdFind, use the following syntax:
> adfind -schema -rb cn=<ClassCommonName> mayContain mustContain systemMayContain systemMustContain

Using VBScript

' This code displays the mandatory and optional attributes for a class.
' ------ SCRIPT CONFIGURATION -----
' Set to common name of class to view
strClassName = "<ClassCommonName>" ' e.g. Surname
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objClass = GetObject("LDAP://cn=" & strClassName & "," & _
                         objRootDSE.Get("schemaNamingContext"))

WScript.Echo "Class: " & strClassName & vbCrlf

' Need to enable this so that if an attribute is not set, the code won't fail
on error resume next

WScript.Echo "mayContain:"
for each strVal in objClass.Get("mayContain")
   WScript.Echo vbTab & strVal
next

WScript.Echo vbCrlf & "systemMayContain:"
for each strVal in objClass.Get("systemMayContain")
   WScript.Echo vbTab & strVal
next

WScript.Echo vbCrlf & "mustContain:"
for each strVal in objClass.Get("mustContain")
   WScript.Echo vbTab & strVal
next

WScript.Echo vbCrlf & "systemMustContain:"
for each strVal in objClass.Get("systemMustContain")
   WScript.Echo vbTab & strVal
next

Using PowerShell

$obj = get-QADObject -Identity "cn=<ClassName>,cn=schema,cn=configuration,<ForestRootDN>" -IncludedProperties maycontain, mustcontain, systemmaycontain, systemmustcontain
$obj.mayContain
$obj.mustContain
$obj.systemMayContain
$obj.systemMustContain

$strClassName = "
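The four properties read above are only what the class declares itself. The attributes an instance can actually carry also come from every superclass up to top and from the class's auxiliary classes. The following PowerShell is an added example, not code from the book, that resolves that effective set by walking subClassOf, auxiliaryClass and systemAuxiliaryClass; it assumes ADSI on a domain-joined host and that the class is named by its common name as in the recipe.

```powershell
# Added example (not from the book): the effective mandatory and optional
# attributes of a class, including inherited and auxiliary ones.
# Assumes a domain-joined host with ADSI.
function Get-EffectiveClassAttributes {
    param([Parameter(Mandatory)][string]$ClassCommonName)

    $root     = [ADSI]"LDAP://RootDSE"
    $schemaDN = $root.schemaNamingContext.Value
    $must = New-Object System.Collections.Generic.HashSet[string]
    $may  = New-Object System.Collections.Generic.HashSet[string]
    $seen = New-Object System.Collections.Generic.HashSet[string]

    # subClassOf and auxiliaryClass name classes by lDAPDisplayName, not by cn
    function Find-Class([string]$ldapName) {
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.SearchRoot  = [ADSI]("LDAP://" + $schemaDN)
        $s.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
        $s.Filter      = "(&(objectCategory=classSchema)(lDAPDisplayName=$ldapName))"
        $r = $s.FindOne()
        if ($r) { $r.GetDirectoryEntry() } else { $null }
    }

    function Walk($cls) {
        $name = [string]$cls.Properties["lDAPDisplayName"].Value
        if (-not $seen.Add($name)) { return }        # already visited (diamond via auxiliaries)
        foreach ($a in @($cls.Properties["mustContain"]) + @($cls.Properties["systemMustContain"])) { if ($a) { [void]$must.Add([string]$a) } }
        foreach ($a in @($cls.Properties["mayContain"])  + @($cls.Properties["systemMayContain"]))  { if ($a) { [void]$may.Add([string]$a) } }
        foreach ($aux in @($cls.Properties["auxiliaryClass"]) + @($cls.Properties["systemAuxiliaryClass"])) {
            if ($aux) { $c = Find-Class ([string]$aux); if ($c) { Walk $c } }
        }
        $super = [string]$cls.Properties["subClassOf"].Value
        if ($super -and $super -ne $name) {           # top is its own superclass; stop there
            $c = Find-Class $super; if ($c) { Walk $c }
        }
    }

    Walk ([ADSI]("LDAP://cn=$ClassCommonName,$schemaDN"))
    [PSCustomObject]@{
        Class     = $ClassCommonName
        Mandatory = @($must) | Sort-Object
        Optional  = @($may | Where-Object { -not $must.Contains($_) }) | Sort-Object
    }
}

# Usage: everything a user object may legitimately carry
(Get-EffectiveClassAttributes "User").Optional
```

Comparing this list against what is actually populated on objects is how you find attributes that exist only because an auxiliary class was attached, which is also where unexpected custom attributes tend to surface.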
Modifying the Default Security of a Class
You want to modify the default security that is applied to objects instantiated from a particular structural class.
For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See for more information.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Classes folder.
  3. In the right pane, double-click the class you want to modify the security for.
  4. Click the Default Security tab.
  5. Modify the security as necessary.
  6. Click OK.

Using a command-line interface

> admod -schema -rb cn=<ClassShortName> defaultSecurityDescriptor::"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"

Using VBScript

' This code modifies the defaultSecurityDescriptor of a class
' ------ SCRIPT CONFIGURATION -----
' Set to the common name (not LDAP display name) of the class
strClassName = "<ClassCommonName>" ' e.g. User
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objClass = GetObject("LDAP://cn=" & strClassName & "," & _
                         objRootDSE.Get("schemaNamingContext"))
objClass.Put "defaultSecurityDescriptor", _
  "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
objClass.SetInfo
WScript.Echo "Default Security Descriptor modified"

Using PowerShell

get-QADObject -Identity "cn=<ClassName>,cn=schema,cn=configuration,<ForestRootDN>" -IncludeAllProperties | set-QADObject -ObjectAttributes @{defaultSecurityDescriptor="O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"}

$strClassName = "<ClassCommonName>"  # e.g. User

# what is the new default security for the object?
$strSDDL = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"

$root = [ADSI]"LDAP://RootDSE"

$obj = [ADSI]("LDAP://cn=" + $strClassName + "," + $root.schemaNamingContext)
$obj.Put("defaultSecurityDescriptor", $strSDDL)
$obj.SetInfo()
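SDDL strings are easy to get wrong and hard to read, and a class's default security descriptor becomes the starting ACL of every object created from it afterwards. The following PowerShell is an added example, not code from the book, that parses a defaultSecurityDescriptor into readable ACEs so it can be reviewed before or after a change; it assumes a domain-joined host, because aliases such as DA in the recipe's SDDL are resolved against the current domain, and it uses the recipe's own example descriptor.

```powershell
# Added example (not from the book): decode a defaultSecurityDescriptor into
# readable access rules. Assumes a domain-joined host with ADSI.
function ConvertFrom-DefaultSddl {
    param([Parameter(Mandatory)][string]$Sddl)

    $sec = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sec.SetSecurityDescriptorSddlForm($Sddl)        # throws on malformed SDDL
    $ownerSid = $sec.GetOwner([System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $who = $ace.IdentityReference.Value
        try { $who = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [PSCustomObject]@{
            Owner       = $ownerSid.Value
            Type        = $ace.AccessControlType
            Identity    = $who
            Rights      = $ace.ActiveDirectoryRights
            ObjectType  = $ace.ObjectType            # property, property set or extended right; all-zero GUID = whole object
            Inheritance = $ace.InheritanceType
        }
    }
}

function Get-ClassDefaultSecurity {
    param([Parameter(Mandatory)][string]$ClassCommonName)
    $root = [ADSI]"LDAP://RootDSE"
    $cls  = [ADSI]("LDAP://cn=$ClassCommonName," + $root.schemaNamingContext)
    $sddl = [string]$cls.Properties["defaultSecurityDescriptor"].Value
    [PSCustomObject]@{ Class = $ClassCommonName; Sddl = $sddl; Aces = @(ConvertFrom-DefaultSddl $sddl) }
}

# Decode the recipe's example descriptor without touching the schema
ConvertFrom-DefaultSddl "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)" | Format-List

# Show what every new object of a class starts life with
(Get-ClassDefaultSecurity "User").Aces | Format-Table Type, Identity, Rights -AutoSize
```

Because the default descriptor is applied only at creation time, tightening it does nothing for objects that already exist, and loosening it silently changes the baseline for every future object of that class; both directions are worth a diff of the decoded rules rather than of the raw string.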
Whenever a new object is created in Active Directory, if a security descriptor is not specified in the object creation, a default security descriptor (SD) is applied to it. Then any inherited security from its parent container is applied. The default security descriptor is stored in the
Managing the Confidentiality Bit
You want to manage the confidentiality of a schema attribute.

Using a command-line interface

admod -schema -rb cn=<AttrName> searchFlags::128

Using VBScript

' This code safely modifies the
' confidentiality bit of an attribute.
' ------ SCRIPT CONFIGURATION ------
strAttribute = "<schemaAttributeDN>"
 ' e.g. "cn=SalesUser-Description,cn=Schema,
 ' cn=Configuration,dc=adatum,dc=com"
strAttr = "searchFlags"
boolEnableBit = <TRUEorFALSE>   ' e.g. TRUE
intBit = 128                    ' the confidentiality bit
' ------ END CONFIGURATION --------

set objAttribute = GetObject("LDAP://" & strAttribute)
intBitsOrig = objAttribute.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnableBit)

if intBitsOrig <> intBitsCalc then
   objAttribute.Put strAttr, intBitsCalc
   objAttribute.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & intBitsOrig & ")"
end if

' Returns intValue with intBit set (boolEnable = TRUE) or cleared (FALSE),
' leaving every other bit as it was.
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if intValue And intBit then
         CalcBit = intValue Xor intBit
      end if
   end if
End Function

Using PowerShell

To set the searchFlags bit value using a logical OR operation, use the following syntax:
$objAttr = [ADSI] "LDAP://cn=<AttrName>,cn=schema,cn=Configuration,<ForestRootDN>"
$currentSearchFlags = $objAttr.searchFlags.Value
$newSearchFlags = $currentSearchFlags -bor 128
$objAttr.put("searchFlags", $newSearchFlags)
$objAttr.setInfo()
The confidentiality bit was introduced in Windows Server 2003 Service Pack 1; it is a feature that allows you to restrict access to attributes that should not be accessible to all users. For example, you may have created an attribute to store users’ Social Security Number information. Even though this attribute may be populated for every user object in the directory, you will likely wish to restrict access to that specific attribute to only a subset of your personnel. The confidentiality bit is set in the
Adding an Attribute to the Read-Only Filtered Attribute Set (RO-FAS)
You want to add an attribute to the RO-FAS to prevent it from being replicated to any Read-Only Domain Controllers (RODCs) in your environment.

Using a command-line interface

admod -schema -rb cn=<AttrName> searchFlags::512

Using VBScript

' This code safely adds an attribute to the Read-Only Filtered Attribute Set.
' ------ SCRIPT CONFIGURATION ------
strAttribute = "<schemaAttributeDN>"
 ' e.g. "cn=adatum-EmplID,cn=Schema,
 ' cn=Configuration,dc=adatum,dc=com"
strAttr = "searchFlags"
boolEnableBit = <TRUEorFALSE> ' e.g. TRUE
intBit = 512                  ' the RO-FAS bit
' ------ END CONFIGURATION --------

set objAttribute = GetObject("LDAP://" & strAttribute)
intBitsOrig = objAttribute.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnableBit)

if intBitsOrig <> intBitsCalc then
   objAttribute.Put strAttr, intBitsCalc
   objAttribute.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & intBitsOrig & ")"
end if

' Returns intValue with intBit set (boolEnable = TRUE) or cleared (FALSE),
' leaving every other bit as it was.
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if intValue And intBit then
         CalcBit = intValue Xor intBit
      end if
   end if
End Function

Using PowerShell

To set the searchFlags bit value using a logical OR operation, use the following syntax:
$objAttr = [ADSI] "LDAP://cn=<AttrName>,cn=schema,cn=Configuration,<ForestRootDN>"
$currentSearchFlags = $objAttr.searchFlags.Value
$newSearchFlags = $currentSearchFlags -bor 512
$objAttr.put("searchFlags", $newSearchFlags)
$objAttr.setInfo()
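The ANR, confidentiality and RO-FAS recipes all come down to the same operation: set or clear one bit of searchFlags without disturbing the others, which the bitwise OR above does for setting but not for clearing, and which the earlier ldifde examples do not do at all. The following PowerShell is an added example, not code from the book, that wraps that operation for any of the bits used in this chapter, refuses the two cases the directory itself rejects, and reports the before and after values. It assumes ADSI on a domain-joined host; the bit values and the two restrictions (no confidentiality bit on base-schema attributes, no system-critical attributes in the RO-FAS) are as documented by Microsoft, and the attribute name in the usage line is a constructed placeholder.

```powershell
# Added example (not from the book): set or clear one searchFlags bit safely.
# Assumes a domain-joined host with ADSI; bit values per MS-ADTS.
$SearchFlagBits = @{
    Index        = 1      # fATTINDEX
    ANR          = 4      # fANR; the recipe's value 5 is Index + ANR
    Copy         = 16     # copied when an object is duplicated
    Confidential = 128    # confidentiality bit
    RoFas        = 512    # Read-Only Filtered Attribute Set
}

function Set-SearchFlagBit {
    param(
        [Parameter(Mandatory)][string]$AttrCommonName,
        [Parameter(Mandatory)][int]$Bit,
        [switch]$Clear,
        [switch]$ReportOnly
    )
    $root = [ADSI]"LDAP://RootDSE"
    $attr = [ADSI]("LDAP://cn=$AttrCommonName," + $root.schemaNamingContext)
    $current  = [int]$attr.Properties["searchFlags"].Value
    $sysFlags = [int]$attr.Properties["systemFlags"].Value
    $flagsEx  = [int]$attr.Properties["schemaFlagsEx"].Value

    # Base-schema attributes (systemFlags FLAG_SCHEMA_BASE_OBJECT, 0x10) cannot be made
    # confidential, and system-critical attributes (schemaFlagsEx FLAG_ATTR_IS_CRITICAL,
    # 0x1) cannot be added to the RO-FAS; the DC rejects both, so refuse up front.
    if (-not $Clear) {
        if ($Bit -eq 128 -and ($sysFlags -band 0x10)) { throw "$AttrCommonName is a base-schema attribute; it cannot be marked confidential" }
        if ($Bit -eq 512 -and ($flagsEx -band 0x1))   { throw "$AttrCommonName is system-critical; it cannot be added to the RO-FAS" }
    }

    $new = if ($Clear) { $current -band (-bnot $Bit) } else { $current -bor $Bit }
    if ($Bit -eq 4 -and -not $Clear) { $new = $new -bor 1 }   # ANR requires the attribute to be indexed

    if ($new -ne $current -and -not $ReportOnly) {
        $attr.Put("searchFlags", $new)
        $attr.SetInfo()
    }
    [PSCustomObject]@{ Attribute = $AttrCommonName; Before = $current; After = $new; Changed = ($new -ne $current) }
}

# Usage (constructed attribute name): mark adatum-EmplID confidential and keep it off RODCs
Set-SearchFlagBit -AttrCommonName "adatum-EmplID" -Bit $SearchFlagBits.Confidential
Set-SearchFlagBit -AttrCommonName "adatum-EmplID" -Bit $SearchFlagBits.RoFas
```

Running with -ReportOnly first shows the value that would be written; a Before value that already has unexpected bits set (for example Copy on an attribute holding personal data) is worth understanding before adding more.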
As discussed in , Read-Only Domain Controllers contain a read-only copy of all partitions that are held by a writable domain controller, with the exception of attributes that are configured as part of the RO-FAS, as well as user credentials, except for those that are specifically configured so that they are allowed to be cached to one or more RODCs.
Attributes that are configured as part of the RO-FAS are not replicated to any RODCs within an Active Directory forest. Because this data is not replicated to RODCs, the data will not be resident on an RODC if it is compromised or stolen. Administrators can add any attribute to the RO-FAS that is not a system-critical attribute; that is, any attribute that does not have a
Deactivating Classes and Attributes
You want to deactivate a class or attribute in the schema because you no longer need it.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on the Classes folder or the Attributes folder.
  3. In the right pane, double-click the class or attribute you want to deactivate.
  4. Uncheck the box beside “Class is active” or “Attribute is active.”
  5. Click OK.

Using a command-line interface

You can deactivate a class using the ldifde utility and an LDIF file that contains the following lines:
dn: cn=<SchemaObjectCommonName>,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
replace: isDefunct
isDefunct: TRUE
-
If the LDIF file were named deactivate_class.ldf, you would run the following command:
> ldifde -v -i -f deactivate_class.ldf
You can also deactivate a class using AdMod, as follows:
> admod -schema -rb cn=<SchemaObjectCommonName> isDefunct::TRUE

Using VBScript

' This code deactivates a
' class or attribute.
' ------ SCRIPT CONFIGURATION ------
strName = "<SchemaObjectCommonName>" ' e.g. adatum-LanguagesSpoken
' ------ END CONFIGURATION --------
set objRootDSE = GetObject("LDAP://RootDSE")
set objSchemaObject = GetObject("LDAP://cn=" & strName & "," & _
                                objRootDSE.Get("schemaNamingContext"))
objSchemaObject.Put "isDefunct", TRUE
objSchemaObject.SetInfo
WScript.Echo "Schema object deactivated: " & strName

Using PowerShell

To deactivate a schema attribute or class using the Quest cmdlets, use the following syntax:
get-QADObject -Identity "cn=<ObjectName>,cn=schema,cn=configuration,<ForestRootDN>" -IncludedProperties 'isDefunct' | set-QADObject -ObjectAttributes @{isDefunct="TRUE"}
To deactivate a schema object using native PowerShell methods, use the following:
$obj = [ADSI] "LDAP://cn=<ObjectName>,cn=schema,cn=configuration,<ForestRootDN>"
$obj.put("isDefunct", $true)
$obj.SetInfo()
There is no supported way to delete classes or attributes defined in the schema. You can, however, deactivate them, also known as making them
Redefining Classes and Attributes
This recipe requires the Windows Server 2003 or Windows Server 2008 forest functional level.
You want to redefine a class or attribute that was previously created.
To redefine a class or attribute, you must first deactivate it by setting the isDefunct attribute to TRUE (see for more details). If you are deactivating a class, make sure that no objects are instantiated that use the class. If you are deactivating an attribute, make sure that it isn’t populated on any objects and remove it from any classes that have it defined as part of mayContain and mustContain. After the class or attribute has been deactivated, you can modify (i.e., redefine) the LDAP display name (lDAPDisplayName), the OID (governsID or attributeID), the syntax (attributeSyntax and oMSyntax), and the schemaIDGUID. The one attribute that you cannot modify is the common name.
Redefining schema objects became available in Windows Server 2003. Although you still cannot delete schema objects, you can work around many of the reasons that would cause you to want to delete a schema object by redefining it instead. Redefining schema objects comes in handy if you accidentally mistype an OID (governsID/attributeID) or lDAPDisplayName, or no longer need an attribute you previously created. You can reuse it by renaming the attribute and giving it a different syntax.
for deactivating classes and attributes
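The deactivation and redefinition recipes both require that an attribute be unreferenced by any class and unpopulated on any object before isDefunct is set, but neither shows how to verify that. The following PowerShell is an added example, not code from the book, that performs exactly those two checks: it finds classes that still list the attribute in mayContain, mustContain or their system variants, and counts objects in the domain naming context that still carry a value. It assumes ADSI on a domain-joined host and enough rights to read the attribute (a confidential attribute is only visible to accounts with CONTROL_ACCESS on it, so run the check as a schema or domain administrator).

```powershell
# Added example (not from the book): the two pre-deactivation checks the text
# calls for. Assumes a domain-joined host with ADSI and read rights on the attribute.
function Test-AttributeSafeToDeactivate {
    param([Parameter(Mandatory)][string]$AttrCommonName)

    $root     = [ADSI]"LDAP://RootDSE"
    $schemaDN = $root.schemaNamingContext.Value
    $domainDN = $root.defaultNamingContext.Value
    $attr     = [ADSI]"LDAP://cn=$AttrCommonName,$schemaDN"
    $ldapName = [string]$attr.Properties["lDAPDisplayName"].Value

    function Search([string]$baseDN, [string]$filter, [string]$scope, [string[]]$props) {
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.SearchRoot  = [ADSI]("LDAP://" + $baseDN)
        $s.SearchScope = [System.DirectoryServices.SearchScope]::$scope
        $s.Filter      = $filter
        $s.PageSize    = 1000                     # paged, so a large domain does not blow up memory
        foreach ($p in $props) { [void]$s.PropertiesToLoad.Add($p) }
        $s.FindAll()
    }

    # 1. Classes that still reference the attribute (class lists use the LDAP display name)
    $classFilter = "(&(objectCategory=classSchema)(|(mayContain=$ldapName)(mustContain=$ldapName)" +
                   "(systemMayContain=$ldapName)(systemMustContain=$ldapName)))"
    $classes = @(Search $schemaDN $classFilter "OneLevel" @("lDAPDisplayName") |
                 ForEach-Object { $_.Properties["ldapdisplayname"][0] })

    # 2. Objects in the domain that still have a value (presence filter)
    $populated = @(Search $domainDN "($ldapName=*)" "Subtree" @("distinguishedName") |
                   ForEach-Object { $_.Properties["distinguishedname"][0] })

    [PSCustomObject]@{
        Attribute        = $ldapName
        ReferencedBy     = $classes
        PopulatedObjects = $populated.Count
        SampleObjects    = @($populated | Select-Object -First 5)
        SafeToDeactivate = ($classes.Count -eq 0 -and $populated.Count -eq 0)
    }
}

# Usage (constructed attribute name)
Test-AttributeSafeToDeactivate "adatum-LanguagesSpoken" | Format-List
```

ReferencedBy tells you which classes need the attribute removed from mayContain/mustContain first; PopulatedObjects tells you how much data is about to become unreadable, which is the real cost of deactivating an attribute that is still in use.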
Reloading the Schema Cache
You want to reload the schema cache so that schema extensions will take effect.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, click on Active Directory Schema.
  3. Right-click on the label and select “Reload the Schema.”

Using a command-line interface

You can reload the schema by using the ldifde utility and an LDIF file that contains the following:
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
If the LDIF file were named reload.ldf, you would run the following command:
> ldifde -v -i -f reload.ldf
You can also reload the schema cache using AdMod, as follows:
> admod -sc refreshschema

Using VBScript

set objRootDSE = GetObject("LDAP://dc1/RootDSE")
objRootDSE.Put "schemaUpdateNow", 1
objRootDSE.SetInfo
WScript.Echo "Schema reloaded"

Using PowerShell

$objRootDSE = [ADSI] "LDAP://<DCName>/RootDSE" # Specify the Schema Master FSMO
$objRootDSE.put("schemaUpdateNOW", 1)
$objRootDSE.SetInfo()
Each domain controller maintains a complete copy of the schema in memory to make access to the schema very fast. This is called the schema cache. When you extend the schema on the Schema FSMO role owner, the change is written to the schema cache, and not committed to disk yet. The schema automatically commits any changes to the schema every five minutes if a change has taken place, but you can also do it manually/programmatically by writing to the schemaUpdateNow operational attribute of the RootDSE on the Schema FSMO role owner. Once that is done, any changes to the schema cache are written to disk.
It is necessary to force a schema cache update if your schema extensions reference newly created attributes or classes. For example, let’s say that you want to create one new auxiliary class that contains one new attribute. To do that, you would first need to create the attribute and then create the auxiliary class. As part of the auxiliary class’s definition, you would need to reference the new attribute, but unless you reload the schema cache, an error would be returned stating that the attribute does not exist. For this reason, you need to add an additional step. First, create the attribute, then reload the schema cache, and finally create the auxiliary class. Here is what an LDIF representation would look like:
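The attribute, reload, auxiliary class sequence just described, done with ADSI against the Schema Master, as an added PowerShell example that is not code from the book. Every name and OID in it is a placeholder to be replaced with values from your own OID arc, and the attribute is assumed to be a single-valued Unicode string (attributeSyntax 2.5.5.12, oMSyntax 64); defaultObjectCategory is left for the DC to fill in with the class's own DN, which it does when the value is omitted.

```powershell
# Added example (not from the book): create an attribute, reload the schema
# cache, then create an auxiliary class that references it. All names and
# OIDs are placeholders; run as a Schema Admin against the Schema Master.
$SchemaMaster = "<SchemaMasterDNSName>"
$AttrName     = "adatum-ExampleAttr"        # placeholder cn / lDAPDisplayName
$AttrOID      = "<YourOIDArc>.1.1"           # placeholder attributeID
$ClassName    = "adatum-ExampleAux"         # placeholder auxiliary class name
$ClassOID     = "<YourOIDArc>.2.1"           # placeholder governsID

$rootDSE = [ADSI]"LDAP://$SchemaMaster/RootDSE"
$schema  = [ADSI]("LDAP://$SchemaMaster/" + $rootDSE.schemaNamingContext)

function Invoke-SchemaReload {
    # Writing schemaUpdateNow=1 to the Schema Master's RootDSE flushes its
    # in-memory schema cache so objects created a moment ago become usable.
    $rootDSE.Put("schemaUpdateNow", 1)
    $rootDSE.SetInfo()
}

# Step 1: create the attribute
$attr = $schema.Children.Add("cn=$AttrName", "attributeSchema")
$attr.Put("lDAPDisplayName", $AttrName)
$attr.Put("attributeID", $AttrOID)
$attr.Put("attributeSyntax", "2.5.5.12")    # Unicode string (assumed for this example)
$attr.Put("oMSyntax", 64)
$attr.Put("isSingleValued", $true)
$attr.SetInfo()

# Step 2: reload the cache; without this, step 3 fails because the DC does not
# yet know the new attribute by name
Invoke-SchemaReload

# Step 3: create the auxiliary class that references the new attribute
$cls = $schema.Children.Add("cn=$ClassName", "classSchema")
$cls.Put("lDAPDisplayName", $ClassName)
$cls.Put("governsID", $Class​OID)
$cls.Put("objectClassCategory", 3)          # 3 = auxiliary
$cls.Put("subClassOf", "top")
$cls.Put("mayContain", $AttrName)           # by lDAPDisplayName, as class lists always are
$cls.SetInfo()

# Reload once more so the class can be attached to objects straight away
Invoke-SchemaReload
```

Binding explicitly to the Schema Master matters: schema writes sent to any other DC are refused, and the reload is only meaningful on the DC that holds the uncommitted change.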
Managing the Schema Master FSMO
You want to view, transfer, or seize the Schema Master FSMO for your Active Directory Forest.

Using a graphical user interface

To view the current Schema Master FSMO role holder, do the following:
  1. Open the Active Directory Schema snap-in.
  2. Right-click on Active Directory Schema in the left pane and select Operations Master.
To transfer the Schema Master to another server, follow these steps:
  1. Open the Active Directory Schema snap-in. Right-click on Active Directory Schema and select “Connect to Domain Controller.” Select the DC that you wish to transfer the FSMO role to.
  2. Right-click on Active Directory Schema in the left pane and select Operations Master.
  3. Click the Change button.
  4. Click OK twice.
  5. You should then see a message stating whether the transfer was successful.

Using a command-line interface

To query the owner of the Schema Master FSMO role, you can use the dsquery server or adfind commands shown here:
> dsquery server -hasfsmo schema

> adfind -sc fsmo:schema
To transfer the Schema Master to another server, follow these steps:
> ntdsutil roles conn "co t s <NewRoleOwner>" q "transfer Schema Master" q q
To forcibly seize the Schema Master to another DC, do the following:
> ntdsutil roles conn "co t s <NewRoleOwner>" q "seize Schema Master" q q

Using VBScript

' This code prints the Schema Master role owner for the specified forest.
set objRootDSE = GetObject("LDAP://RootDSE")
strSchemaDN = objRootDSE.Get("schemaNamingContext")

' Schema Master
set objSchemaFsmo = GetObject("LDAP://" & strSchemaDN)
Wscript.Echo "Schema Master: " & objSchemaFsmo.fsmoroleowner

' This code transfers the Schema Master role to the local server
Set dse = GetObject("LDAP://localhost/RootDSE")
dse.Put "becomeSchemaMaster", 1
dse.SetInfo

' This code seizes the Schema Master role to another server
Set dse = GetObject("LDAP://<NewRoleOwner>/RootDSE")
dse.Put "becomeSchemaMaster", 1
dse.SetInfo

Using PowerShell

# Transfer the Schema Master to <DC> by writing becomeSchemaMaster to that DC's RootDSE
$dcDSE = [ADSI]"LDAP://<DC>/rootDSE"
$dcDSE.Put("becomeSchemaMaster", 1)

$dcDSE.Setinfo()
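As an added example (not from the book), the following PowerShell performs the three operations of this recipe with System.DirectoryServices alone: it resolves the fSMORoleOwner DN to a DC name, detects an orphaned role, and refuses to seize while the current owner still answers. Get-SchemaMasterOwner, Test-LdapBind, Move-SchemaMaster and their parameters are names chosen for this example; it assumes a forest-joined machine and membership in Schema Admins.

```powershell
# Added example, not from the book. Assumes a forest-joined machine and membership in
# Schema Admins. Function and parameter names are this example's own.

function Get-SchemaMasterOwner {
    # Resolve fSMORoleOwner on the schema NC head (an nTDSDSA DN) to the owning DC.
    param([string]$Server)
    $prefix  = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }
    $rootDse = [ADSI]"${prefix}RootDSE"
    $schema  = [ADSI]"${prefix}$($rootDse.Get('schemaNamingContext'))"
    $ntdsDn  = [string]$schema.Get('fSMORoleOwner')
    if ($ntdsDn -match '0ADEL:') {
        # The owner's NTDS Settings object is deleted (DC demoted or removed without a
        # transfer): the role is orphaned and can only be seized.
        return [pscustomobject]@{ Server = $null; NtdsSettingsDn = $ntdsDn; Orphaned = $true }
    }
    # fSMORoleOwner looks like CN=NTDS Settings,CN=<Server>,CN=Servers,CN=<Site>,...;
    # its parent, the server object, carries dNSHostName.
    $serverObj = [ADSI]"${prefix}$($ntdsDn -replace '^CN=NTDS Settings,', '')"
    [pscustomobject]@{
        Server         = [string]$serverObj.Get('dNSHostName')
        NtdsSettingsDn = $ntdsDn
        Orphaned       = $false
    }
}

function Test-LdapBind {
    # True if the DC answers an LDAP bind; decides between transfer and seizure.
    param([Parameter(Mandatory)][string]$Server)
    try { [void]([ADSI]"LDAP://$Server/RootDSE").Get('dnsHostName'); $true } catch { $false }
}

function Move-SchemaMaster {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [switch]$Seize
    )
    $targetDse = [ADSI]"LDAP://$TargetDc/RootDSE"
    $current   = Get-SchemaMasterOwner -Server $TargetDc     # read the target's replica
    if ($current.Server -and $current.Server -ieq [string]$targetDse.Get('dnsHostName')) {
        Write-Verbose "$TargetDc already holds the Schema Master."
        return $current
    }
    if (-not $Seize) {
        # Transfer: writing becomeSchemaMaster to the target's RootDSE makes the target
        # ask the current owner for the role, so the current owner must be online.
        if ($current.Orphaned) { throw 'The role owner no longer exists; use -Seize.' }
        if ($PSCmdlet.ShouldProcess($TargetDc, "Transfer Schema Master from $($current.Server)")) {
            $targetDse.Put('becomeSchemaMaster', 1)
            $targetDse.SetInfo()
        }
    } else {
        # Seizure: write the target's own nTDSDSA DN into fSMORoleOwner on its copy of
        # the schema NC head. Refuse while the old owner still answers: after a seizure
        # the old owner must never return, or two DCs may act as schema master and
        # their schema changes conflict.
        if ($current.Server -and (Test-LdapBind -Server $current.Server)) {
            throw "Current owner $($current.Server) is reachable; transfer instead of seizing."
        }
        if ($PSCmdlet.ShouldProcess($TargetDc, 'Seize Schema Master')) {
            $schema = [ADSI]"LDAP://$TargetDc/$($targetDse.Get('schemaNamingContext'))"
            $schema.Put('fSMORoleOwner', [string]$targetDse.Get('dsServiceName'))
            $schema.SetInfo()
        }
    }
    Get-SchemaMasterOwner -Server $TargetDc
}

# Get-SchemaMasterOwner
# Move-SchemaMaster -TargetDc dc2.adatum.com -WhatIf
# Move-SchemaMaster -TargetDc dc2.adatum.com -Seize     # only when dc1 is gone for good
```

The -WhatIf and the reachability check are the point of the example: ntdsutil seize tries a transfer first and then overwrites, but nothing stops you from seizing a role whose holder is merely slow, and a Schema Master that comes back after a seizure is the classic way to end up with conflicting schema changes.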
End of content preview. The rest of this section is not viewable here.
Chapter 11: Site Topology
Content preview
Active Directory needs information about the underlying network to determine how domain controllers should replicate and what domain controller(s) are optimal for a given client to authenticate with. This network information is often referred to as the site or replication topology, and consists of numerous object types that represent various aspects of the network.
At a high level, a site is a logical collection of high-speed LAN segments. One or more subnets can be associated with a site, and this mapping is used to determine which site a client belongs to, based on its IP address. Sites are connected via site links, which are analogous to WAN connections. Finally, each domain controller in a site has one or more connection objects, which define a replication connection to another domain controller.
These site topology objects are contained under the Sites container within the Configuration naming context. The accompanying figure shows an example of the site topology hierarchy as displayed in the Active Directory Sites and Services snap-in.
Directly under the Sites container are the individual site containers, plus containers that store the site link objects (cn=Inter-site Transports) and subnets (cn=Subnets). There are three objects included within a site:
  • An NTDS Site Settings (nTDSSiteSettings) object that contains attributes that can customize replication behavior for the whole site
  • A License Site Settings (licensingSiteSettings) object that can be used to direct hosts within the site to the appropriate licensing server
  • A Servers container
The Servers container contains a server object for each of the domain controllers that are members of the site, along with any other servers that need to be represented in the site topology (e.g., DFS servers). The figure below shows the site topology hierarchy.
Figure: Site topology hierarchy
A server object can contain an NTDS Settings (nTDSDSA) object, which distinguishes domain-controller server objects from other
End of content preview. The rest of this section is not viewable here.
Creating a Site
Content preview
You want to create a site.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Right-click on the Sites container and select New Site.
  3. Beside Name, enter the name of the new site.
  4. Under Link Name, select a site link for the site.
  5. Click OK twice.

Using a command-line interface

Create an LDIF file called create_site.ldf with the following contents:
dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: site

dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: licensingSiteSettings

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: nTDSSiteSettings

dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: serversContainer
Then run the following command:
> ldifde -v -i -f create_site.ldf
You can also create a site by issuing the following four AdMod commands (each -add needs the object class of the object being created):
> admod -config -rb "cn=<SiteName>,cn=sites" objectclass::site -add
> admod -config -rb "cn=Licensing Site Settings,cn=<SiteName>,cn=sites" objectclass::licensingSiteSettings -add
> admod -config -rb "cn=NTDS Site Settings,cn=<SiteName>,cn=sites" objectclass::nTDSSiteSettings -add
> admod -config -rb "cn=Servers,cn=<SiteName>,cn=sites" objectclass::serversContainer -add

Using VBScript

' This code creates the objects that make up a site.
' ------ SCRIPT CONFIGURATION ------
strSiteName = "<SiteName>" ' e.g. Dallas
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objSitesCont = GetObject("LDAP://cn=sites," & _
                             objRootDSE.Get("configurationNamingContext") )

' Create the site
set objSite = objSitesCont.Create("site", "cn=" & strSiteName)
objSite.SetInfo

' Create the Licensing Site Settings object
set objLicensing = objSite.Create("licensingSiteSettings", _
                                  "cn=Licensing Site Settings")
objLicensing.SetInfo

' Create the NTDS Site Settings object
set objNTDS = objSite.Create("nTDSSiteSettings", "cn=NTDS Site Settings")
objNTDS.SetInfo

' Create the Servers container
set objServersCont = objSite.Create("serversContainer", "cn=Servers")
objServersCont.SetInfo

WScript.Echo "Successfully created site " & strSiteName
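One thing the GUI does in step 4 that the LDIF, AdMod and VBScript solutions leave out is placing the new site in a site link; a site that belongs to no site link gets no inter-site connection objects from the KCC. As an added example (not from the book), the following PowerShell creates the site and its three child objects and appends the site to an existing link. New-AdSite and its parameters are names chosen for this example; it assumes rights on the Configuration naming context.

```powershell
# Added example, not from the book. Assumes rights on the Configuration NC; New-AdSite
# and its parameters are this example's own names.

function New-AdSite {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Site names end up in DNS (_sites SRV records), so keep them DNS-label safe.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9][A-Za-z0-9-]{0,62}$')][string]$SiteName,
        [string]$SiteLinkName = 'DEFAULTIPSITELINK',
        [ValidateSet('IP', 'SMTP')][string]$Transport = 'IP'
    )
    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $siteDn   = "CN=$SiteName,CN=Sites,$configNc"
    $linkDn   = "CN=$SiteLinkName,CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNc"

    # Refuse to touch an existing site instead of half-recreating its children.
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$siteDn")) {
        throw "Site '$SiteName' already exists."
    }
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$linkDn")) {
        throw "Site link '$SiteLinkName' ($Transport) does not exist; create it first."
    }
    if (-not $PSCmdlet.ShouldProcess($siteDn, "Create site and add it to $SiteLinkName")) { return }

    # The site object first, then the three children the snap-in creates.
    $sites = [ADSI]"LDAP://CN=Sites,$configNc"
    $site  = $sites.Create('site', "CN=$SiteName")
    $site.SetInfo()
    foreach ($child in @(
            @{ Class = 'nTDSSiteSettings';      Rdn = 'CN=NTDS Site Settings' },
            @{ Class = 'licensingSiteSettings'; Rdn = 'CN=Licensing Site Settings' },
            @{ Class = 'serversContainer';      Rdn = 'CN=Servers' })) {
        $obj = $site.Create($child.Class, $child.Rdn)
        $obj.SetInfo()
    }

    # Membership in a site link is stored on the link (multi-valued siteList), not on
    # the site, so append the new site's DN there. 3 = ADS_PROPERTY_APPEND.
    $link = [ADSI]"LDAP://$linkDn"
    $link.PutEx(3, 'siteList', @($siteDn))
    $link.SetInfo()
    [ADSI]"LDAP://$siteDn"
}

# New-AdSite -SiteName Dallas -SiteLinkName 'Dallas-SJC' -WhatIf
```

Run it with -WhatIf first; the function creates four objects and modifies a fifth, and ShouldProcess covers all of them as one decision.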
End of content preview. The rest of this section is not viewable here.
Listing Sites in a Forest
Content preview
You want to obtain the list of sites in a forest.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Click on the Sites container.
  3. The list of sites will be displayed in the right pane.
  4. Double-click on a site to view its properties.

Using a command-line interface

Run one of the following commands to list the sites in a forest:
> dsquery site
or:
> adfind -sites -f (objectcategory=site)
Run one of the following commands to view the properties for a particular site:
> dsget site "<SiteName>"
or:
> adfind -sites -rb "cn=<SiteName>"

Using VBScript

' This code lists all of the site objects.
set objRootDSE = GetObject("LDAP://RootDSE")
set objSitesCont = GetObject("LDAP://cn=sites," & _
                             objRootDSE.Get("configurationNamingContext") )
' Restrict enumeration of the container to objects of class site
objSitesCont.Filter = Array("site")
for each objSite in objSitesCont
   Wscript.Echo " " & objSite.Get("cn")
next

Using PowerShell

You can obtain a list of sites in a forest using either native PowerShell syntax or the Quest cmdlets, as follows. The search root must be a DirectoryEntry (here, the Sites container of the Configuration naming context), not a Forest object:
# Native: search the Sites container of the Configuration NC for site objects
$rootDSE = [ADSI]"LDAP://RootDSE"
$sitesContainer = [ADSI]("LDAP://cn=sites," + $rootDSE.Get("configurationNamingContext"))
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher($sitesContainer)
$objSearcher.Filter = "(objectCategory=site)"
$objSearcher.SearchScope = "OneLevel"
$colResults = $objSearcher.FindAll()
foreach ($result in $colResults) { $result.Properties["cn"][0] }

# Quest cmdlets
get-QADObject -searchroot "cn=sites,cn=configuration,<ForestRootDN>" -ldapfilter "(objectcategory=site)"
Site objects are stored in the Sites container (for example, cn=sites,cn=configuration,dc=adatum,dc=com) in the Configuration Naming Context (CNC). For more information on creating sites, see the Creating a Site recipe earlier in this chapter.
End of content preview. The rest of this section is not viewable here.
Renaming a Site
Content preview
You want to rename a site.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Click on the Sites container.
  3. In the right pane, right-click the site you want to rename and select Rename.
  4. Enter the new name of the site and press Enter.

Using a command-line interface

The following command will change the RDN of a site:
> dsmove "<SiteDN>" -newname "<NewSiteName>"
You can also rename a site using AdMod, using the following syntax:
> admod -b "<SiteDN>" -rename "<NewSiteName>"

Using VBScript

' This code renames a site object.
' ------ SCRIPT CONFIGURATION ------
strSiteOldName = "<OldSiteName>" ' e.g. Raleigh
strSiteNewName = "<NewSiteName>" ' e.g. Raleigh-Durham
' ------ END CONFIGURATION ---------

Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")

strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
strOldSiteDN = "LDAP://cn=" & strSiteOldName & ",cn=Sites," & strConfigurationNC

' MoveHere into the same parent container with a new RDN performs a rename;
' the new name must be a full RDN ("cn=<name>"), not the bare name
Set objSitesContainer = GetObject(strSitesContainer)
objSitesContainer.MoveHere strOldSiteDN, "cn=" & strSiteNewName

Using PowerShell

To rename a site using the Quest AD cmdlets, use the following syntax:
Rename-QADObject -identity '<Site DN>' -NewName '<New site name>'
To rename a site using native PowerShell methods, use the following:
$obj = [ADSI] "LDAP://<Site DN>"
$newName = "<New site name>"
# Rename expects the new RDN including its type prefix ("cn=...")
$obj.psbase.Rename("cn=$newName")
Renaming a site in Active Directory involves changing the cn of the site object. The largest concern with renaming a site, as with any other AD object, is to ensure that no applications reference the site by name. A best practice to avoid this pitfall is to reference AD objects by their GUIDs, which will not change even when the object is renamed.
MSDN: Object Names and Identities and MSDN: Using objectGUID to Bind to an Object
End of content preview. The rest of this section is not viewable here.
Deleting a Site
Content preview
You want to delete a site.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Click on the Sites container.
  3. In the right pane, right-click the site you want to delete and select Delete.
  4. Click Yes twice.

Using a command-line interface

> dsrm <SiteDN> -subtree -noprompt
Alternatively, you can remove a site and its associated objects by issuing the following AdMod command:
> admod -b "cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -del -treedelete

Using VBScript

' This code deletes a site and all child containers.
' ------ SCRIPT CONFIGURATION ------
strSiteName = "<SiteName>" ' e.g. Dallas
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objSite = GetObject("LDAP://cn=" & strSiteName & ",cn=sites," & _
                        objRootDSE.Get("configurationNamingContext") )
objSite.DeleteObject(0)
WScript.Echo "Successfully deleted site " & strSiteName

Using PowerShell

To delete a site using the Quest AD cmdlets, use the following syntax:
remove-QADObject -identity <Site DN>
To delete a site using ADSI, use the following:
$objSite = [ADSI] "LDAP://<Site DN>"

$objSite.psbase.DeleteTree()
When deleting a site, be very careful to ensure that no active server objects exist within it. If you delete a site that contains domain controllers, it will disrupt replication for all domain controllers in that site. A more robust VBScript solution would be to first perform an ADO query for all server objects using the distinguished name of the site as the base DN. If no servers were returned, then you could safely delete the site. If server objects were found, you should move them before deleting the site.
It is also worth noting that deleting a site does not delete any of the subnets or site links that are associated with the site. This would be another good thing to add to the VBScript solution. That is, before you delete the site, delete any subnets and site links that are associated with the site or, more likely, associate them with a different site.
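As an added example (not from the book), here is the "more robust" deletion the discussion describes, written in PowerShell over System.DirectoryServices rather than as the suggested VBScript/ADO query. Before deleting the site it refuses if any server object is still present, re-points the site's subnets at a replacement site, and removes the site from every site link's siteList. Find-ConfigObject, Remove-AdSite and their parameters are names chosen for this example; it assumes rights on the Configuration naming context.

```powershell
# Added example, not from the book. Assumes rights on the Configuration NC;
# Find-ConfigObject, Remove-AdSite and their parameters are this example's own names.

function Find-ConfigObject {
    # Small search helper: SearchResult objects under $BaseDn that match $Filter.
    param([string]$BaseDn, [string]$Filter, [string]$Scope = 'OneLevel')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$BaseDn", $Filter)
    $searcher.SearchScope = $Scope
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $searcher.FindAll()
}

function Remove-AdSite {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$MoveSubnetsTo
    )
    $configNc  = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $siteDn    = "CN=$SiteName,CN=Sites,$configNc"
    $newSiteDn = "CN=$MoveSubnetsTo,CN=Sites,$configNc"
    foreach ($dn in $siteDn, $newSiteDn) {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) { throw "Not found: $dn" }
    }
    if ($siteDn -ieq $newSiteDn) { throw 'The replacement site must differ from the site being deleted.' }

    # 1. Any server object still in the site (DC or otherwise) aborts the operation:
    #    deleting a site that holds DCs breaks their replication.
    $servers = @(Find-ConfigObject "CN=Servers,$siteDn" '(objectCategory=server)')
    if ($servers.Count -gt 0) {
        $names = ($servers | ForEach-Object { $_.Properties['distinguishedname'][0] }) -join '; '
        throw "Site '$SiteName' still contains server objects: $names. Move or demote them first."
    }

    # 2. Subnets are not deleted with the site; re-point them so clients keep a site.
    foreach ($r in Find-ConfigObject "CN=Subnets,CN=Sites,$configNc" "(&(objectCategory=subnet)(siteObject=$siteDn))") {
        $subnet = $r.GetDirectoryEntry()
        if ($PSCmdlet.ShouldProcess($r.Properties['distinguishedname'][0], "Move to site $MoveSubnetsTo")) {
            $subnet.Put('siteObject', $newSiteDn)
            $subnet.SetInfo()
        }
    }

    # 3. Site links are not cleaned up either; drop the site from every siteList
    #    (IP and SMTP). A link left with a single site should then be deleted by hand.
    foreach ($r in Find-ConfigObject "CN=Inter-Site Transports,CN=Sites,$configNc" "(&(objectCategory=siteLink)(siteList=$siteDn))" 'Subtree') {
        $link = $r.GetDirectoryEntry()
        if ($PSCmdlet.ShouldProcess($r.Properties['distinguishedname'][0], 'Remove site from siteList')) {
            $link.PutEx(4, 'siteList', @($siteDn))   # 4 = ADS_PROPERTY_DELETE
            $link.SetInfo()
        }
    }

    # 4. Only now remove the site and its child containers.
    if ($PSCmdlet.ShouldProcess($siteDn, 'Delete site subtree')) {
        ([ADSI]"LDAP://$siteDn").psbase.DeleteTree()
    }
}

# Remove-AdSite -SiteName Dallas -MoveSubnetsTo Default-First-Site-Name -WhatIf
```

The order matters: subnets and site links are fixed before the delete so that, if the script stops part-way, nothing refers to a site that no longer exists.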
End of content preview. The rest of this section is not viewable here.
Delegating Control of a Site
Content preview
You want to delegate permission of an AD site to allow it to be administered by another user or group.

Using a graphical user interface

The following example will delegate administration of the managedBy attribute of a site:
  1. Open the Active Directory Sites and Services snap-in.
  2. Click on the Sites container.
  3. In the right pane, right-click the site you want to delegate and select Delegate Control.
  4. Click Next to bypass the initial Welcome screen of the Delegation of Control Wizard.
  5. Click Add to select the users or groups that you want to delegate control to. Click Next to continue.
  6. Select “Create a custom task to delegate” and click Next.
  7. Click “Only the following objects in the folder.” Place a checkmark next to site objects and click Next.
  8. Place a checkmark next to “Write managedBy.” Click Next to continue.
  9. Click Finish.

Using a command-line interface

The following command will allow a group called SiteAdmins to write the managedBy attribute of every site object under cn=Sites in adatum.com. The grant string has the form Permissions;ObjectType;InheritedObjectType, so WP is restricted to the managedBy property and is inherited only by objects of class site; /I:S applies it to sub-objects only, not to the Sites container itself:
> dsacls cn=Sites,cn=Configuration,dc=adatum,dc=com /I:S /G adatum.com\SiteAdmins:WP;managedBy;site

Using VBScript

' This VBScript code grants write access to the managedBy attribute of a site.
' ------ SCRIPT CONFIGURATION -------
strSiteDN = "<SiteDN>"  ' e.g. cn=Dallas,cn=Sites,cn=Configuration,dc=adatum,dc=com
strUserOrGroup = "<UserOrGroup>"  ' e.g. joe@adatum.com or ADATUM\joe
' ------ END CONFIGURATION ---------

set objSite = GetObject("LDAP://" & strSiteDN)

'############################
' Constants
'############################
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_DS_WRITE_PROP = &h20

' From schemaIDGUID of the managedBy attribute
Const MANAGEDBY_ATTRIBUTE = "{0296c120-40da-11d1-a9c0-0000f80367c1}"

'############################
' Create ACL
'############################
set objSD = objSite.Get("nTSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Object-specific ACE: WP limited to the managedBy attribute
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee    = strUserOrGroup
objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE.AceFlags   = 0
objACE.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE.ObjectType = MANAGEDBY_ATTRIBUTE

objDACL.AddAce objACE

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objSite.Put "nTSecurityDescriptor", objSD
objSite.SetInfo
WScript.Echo "Delegated control of managedBy attribute for " & strSiteDN & _
             " to " & strUserOrGroup
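As an added example (not from the book), the following PowerShell builds the same delegation as the dsacls solution with System.DirectoryServices.ActiveDirectoryAccessRule, applied once at CN=Sites and inherited by every site object. It resolves the schemaIDGUIDs of the managedBy attribute and the site class from the schema instead of hardcoding them, and includes a read-back so you can confirm the ACE is limited to one attribute rather than granting write to all properties. Get-SchemaIdGuid, Grant-SiteAttributeWrite, Get-SiteAttributeAce and their parameters are names chosen for this example; it assumes rights to change the DACL of CN=Sites.

```powershell
# Added example, not from the book. Assumes rights to change the DACL of CN=Sites;
# Get-SchemaIdGuid, Grant-SiteAttributeWrite, Get-SiteAttributeAce and their
# parameters are this example's own names.

function Get-SchemaIdGuid {
    # schemaIDGUID of a class or attribute, looked up by lDAPDisplayName.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = ([ADSI]'LDAP://RootDSE').Get('schemaNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNc", "(lDAPDisplayName=$LdapDisplayName)")
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "No schema object with lDAPDisplayName '$LdapDisplayName'." }
    New-Object System.Guid -ArgumentList (,[byte[]]$result.Properties['schemaidguid'][0])
}

function Grant-SiteAttributeWrite {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Trustee,     # e.g. 'ADATUM\SiteAdmins'
        [string]$Attribute = 'managedBy'
    )
    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $sites    = [ADSI]"LDAP://CN=Sites,$configNc"
    $attrGuid = Get-SchemaIdGuid $Attribute
    $siteGuid = Get-SchemaIdGuid 'site'
    $account  = New-Object System.Security.Principal.NTAccount($Trustee)

    # WriteProperty scoped to one attribute (ObjectType), inherited only by child
    # objects of class site (InheritedObjectType) and never applying to CN=Sites itself
    # (Descendents): the ACE that dsacls /I:S ... WP;managedBy;site produces.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $account,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $siteGuid)

    $sites.psbase.ObjectSecurity.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess("CN=Sites,$configNc", "Grant $Trustee WriteProperty on $Attribute for site objects")) {
        $sites.psbase.CommitChanges()
    }
}

function Get-SiteAttributeAce {
    # List the ACEs on CN=Sites; with -Attribute, only those targeting that attribute.
    # Without it you also see over-broad WriteProperty ACEs, whose ObjectType is the
    # empty GUID (= all properties).
    param([string]$Attribute)
    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $sd = ([ADSI]"LDAP://CN=Sites,$configNc").psbase.ObjectSecurity
    $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    if ($Attribute) {
        $guid  = Get-SchemaIdGuid $Attribute
        $rules = $rules | Where-Object { $_.ObjectType -eq $guid }
    }
    $rules | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

# Grant-SiteAttributeWrite -Trustee 'ADATUM\SiteAdmins' -WhatIf
# Get-SiteAttributeAce -Attribute managedBy
```

Resolving the GUIDs from the schema is more than convenience: a typo in a hardcoded schemaIDGUID silently produces an ACE that applies to nothing, and an ACE written with an empty ObjectType grants write to every attribute of the site.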
End of content preview. The rest of this section is not viewable here.
Configuring Universal Group Caching for a Site
Content preview
This recipe requires the Windows Server 2003 forest functional level or higher.
You want to configure a site so that it does not require access to a global catalog server during most user logins.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, browse to the site you want to enable group caching for and click on it.
  3. In the right pane, double-click on the NTDS Site Settings object.
  4. Under Universal Group Membership Caching, check the box beside Enable Universal Group Caching.
  5. If you want to force the cache refresh from a particular site, select a site; otherwise, leave the default set to <Default>.
  6. Click OK.

Using a command-line interface

You can use ldifde to enable universal group caching. Create a file called enable_univ_cache.ldf with the following contents, but change <SiteName> to the name of the site you want to enable, and <ForestRootDN> to the distinguished name of the forest root domain:
dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: 32
-
Then use the following command to import the change:
> ldifde -i -f enable_univ_cache.ldf
Note that "replace" overwrites the whole options value, which is a bit field; if any other options bits are already set on the site, read the current value first and OR in 32 (0x20) instead of replacing it. You can also perform this change using a combination of AdFind and AdMod, which sets just that bit:
> adfind -config -rb "cn=NTDS Site Settings,cn=<SiteName>,cn=Sites" options -adcsv | admod options::{{.:SET:32}}
To explicitly set the site that domain controllers in this site should use to refresh universal group membership, configure the msDS-Preferred-GC-Site attribute on the NTDS Site Settings object with the DN of the desired site.

Using VBScript

' This code safely enables universal group caching for the specified site.
' ------ SCRIPT CONFIGURATION ------
strNTDSDN = "cn=NTDS Site Settings,<SiteDN>"   ' e.g. cn=NTDS Site Settings,cn=Raleigh,
                                                '      cn=Sites,cn=Configuration,dc=adatum,dc=com
strAttr = "options"
boolEnableCaching = TRUE  ' Set to FALSE to disable UG caching
intBit = 32               ' bit 0x20 of options = universal group caching enabled
' ------ END CONFIGURATION --------

set objNTDS = GetObject("LDAP://" & strNTDSDN)
' options may not be set yet on a new site; treat an unset attribute as 0
On Error Resume Next
intBitsOrig = objNTDS.Get(strAttr)
if Err.Number <> 0 then intBitsOrig = 0
On Error Goto 0
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnableCaching)

if intBitsOrig <> intBitsCalc then
   objNTDS.Put strAttr, intBitsCalc
   objNTDS.SetInfo
   WScript.Echo "Changed " & strAttr & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " value."
end if

' Returns intValue with intBit set (boolEnable = TRUE) or cleared (boolEnable = FALSE);
' all other bits of the value are left as they are
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if intValue And intBit then
          CalcBit = intValue Xor intBit
      end if
   end if
End Function
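As an added example (not from the book), the following PowerShell is the same bit-safe toggle plus the msDS-Preferred-GC-Site setting from the command-line discussion, with a read-back function. Because options is a bit field, it ORs the flag in or ANDs it out rather than overwriting the value, so other options bits on the site (for example 0x1, which disables automatic topology generation) survive. Get-NtdsSiteSettings, Get-SiteUgmc, Set-SiteUgmc and their parameters are names chosen for this example.

```powershell
# Added example, not from the book. Get-NtdsSiteSettings, Get-SiteUgmc, Set-SiteUgmc and
# their parameters are this example's own names; the flag value 0x20 (decimal 32) is the
# one the LDIF above writes.

$UGMC_FLAG = 0x20   # NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED

function Get-NtdsSiteSettings {
    param([Parameter(Mandatory)][string]$SiteName)
    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $dn = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNc"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) { throw "No such site: $SiteName" }
    [ADSI]"LDAP://$dn"
}

function Get-SiteUgmc {
    # Whether UGMC is on for a site and which site its DCs refresh the cache from
    # ('<Default>' = let the DC choose, as in the GUI).
    param([Parameter(Mandatory)][string]$SiteName)
    $ntds = Get-NtdsSiteSettings $SiteName
    try   { $options = [int]$ntds.Get('options') }            # unset until first written
    catch { $options = 0 }
    try   { $refresh = [string]$ntds.Get('msDS-Preferred-GC-Site') }
    catch { $refresh = '<Default>' }
    [pscustomobject]@{
        Site            = $SiteName
        Options         = $options
        UgmcEnabled     = (($options -band $UGMC_FLAG) -ne 0)
        RefreshFromSite = $refresh
    }
}

function Set-SiteUgmc {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$RefreshFromSite     # pass '' to go back to <Default>
    )
    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $ntds     = Get-NtdsSiteSettings $SiteName
    $before   = (Get-SiteUgmc $SiteName).Options
    # Flip only our bit; every other options bit keeps its current value.
    if ($Enabled) { $after = $before -bor $UGMC_FLAG } else { $after = $before -band (-bnot $UGMC_FLAG) }

    $changes = @()
    if ($after -ne $before) {
        $ntds.Put('options', $after)
        $changes += "options $before -> $after"
    }
    if ($PSBoundParameters.ContainsKey('RefreshFromSite')) {
        if ($RefreshFromSite) {
            $gcSiteDn = "CN=$RefreshFromSite,CN=Sites,$configNc"
            if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$gcSiteDn")) { throw "No such site: $RefreshFromSite" }
            $ntds.Put('msDS-Preferred-GC-Site', $gcSiteDn)
            $changes += "msDS-Preferred-GC-Site -> $gcSiteDn"
        } else {
            $ntds.PutEx(1, 'msDS-Preferred-GC-Site', $null)   # 1 = ADS_PROPERTY_CLEAR
            $changes += 'msDS-Preferred-GC-Site cleared (<Default>)'
        }
    }
    if ($changes.Count -eq 0) { Write-Verbose "$SiteName is already as requested."; return (Get-SiteUgmc $SiteName) }
    if ($PSCmdlet.ShouldProcess($SiteName, ($changes -join '; '))) { $ntds.SetInfo() }
    Get-SiteUgmc $SiteName
}

# Get-SiteUgmc -SiteName Raleigh
# Set-SiteUgmc -SiteName Raleigh -Enabled $true -RefreshFromSite Dallas -WhatIf
# Set-SiteUgmc -SiteName Raleigh -Enabled $true -RefreshFromSite ''      # back to <Default>
```

Only the DCs in a site without a global catalog use the cache; cached memberships are refreshed from the chosen (or automatically selected) GC site every 8 hours by default, so a user added to a universal group elsewhere can take that long to see the change at a cached site.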
End of content preview. The rest of this section is not viewable here.
Creating a Subnet
Content preview
You want to create a subnet.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Right-click on the Subnets container and select New Subnet.
  3. Enter the Address and Mask and then select the site the subnet is part of.
  4. Click OK.

Using a command-line interface

Create an LDIF file called create_subnet.ldf with the following contents:
dn: cn=<Subnet>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: subnet
siteObject: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
Then run the following command:
> ldifde -v -i -f create_subnet.ldf
You can also create a subnet using AdMod, as follows:
> admod -b "cn=<Subnet>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>" objectClass::subnet siteObject::"cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -add

Using VBScript

' This code creates a subnet object and associates it with a site.
' ------ SCRIPT CONFIGURATION ------
strSubnet = "<Subnet>"   ' e.g. 10.5.3.0/24
strSite   = "<SiteName>" ' e.g. Dallas
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objSubnetsCont = GetObject("LDAP://cn=subnets,cn=sites," & _
                               objRootDSE.Get("configurationNamingContext") )
set objSubnet = objSubnetsCont.Create("subnet", "cn=" & strSubnet)
objSubnet.Put "siteObject", "cn=" & strSite & ",cn=sites," & _
                               objRootDSE.Get("configurationNamingContext")
objSubnet.SetInfo
WScript.Echo "Successfully created subnet " & strSubnet

Using PowerShell

You can create a subnet object and associate it with an existing site using the Quest cmdlets or else by using the native PowerShell commands, as follows:
new-QADObject -parentcontainer 'cn=subnets,cn=sites,cn=configuration,<ForestRootDN>' -type 'subnet' -name '10.10.10.0/24' -ObjectAttributes @{siteObject='<SiteDN>'}

$parentDN = [ADSI] "LDAP://cn=subnets,cn=sites,cn=configuration,<ForestRootDN>"
$newSubnet = $parentDN.Create("subnet","cn=10.10.10.0/24")
$newSubnet.Put("siteObject","<SiteDN>")
$newSubnet.SetInfo()
End of content preview. The rest of this section is not viewable here.
Listing the Subnets
Content preview
You want to list the subnet objects in Active Directory.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Click on the Subnets container.
  3. The list of subnets will be displayed in the right pane.
  4. To view the properties of a specific subnet, double-click on the one you want to view.

Using a command-line interface

The following command will list all subnets:
> dsquery subnet
The following command will display the properties for a particular subnet. Replace <Subnet> with the subnet address and mask (e.g., 10.5.3.0/24):
> dsget subnet "<Subnet>"
You can also list all configured subnets with AdFind, as follows:
> adfind -subnets -f (objectCategory=subnet)
To display the properties of a particular subnet with AdFind, use this syntax:
> adfind -subnets -rb "cn=<Subnet>"

Using VBScript

' This code lists all the subnets stored in Active Directory.
set objRootDSE = GetObject("LDAP://RootDSE")
set objSubnetsCont = GetObject("LDAP://cn=subnets,cn=sites," & _
                               objRootDSE.Get("configurationNamingContext") )
' Restrict enumeration of the container to objects of class subnet
objSubnetsCont.Filter = Array("subnet")
for each objSubnet in objSubnetsCont
   Wscript.Echo " " & objSubnet.Get("cn")
next

Using PowerShell

get-QADObject -searchRoot "cn=subnets,cn=sites,cn=configuration,<ForestRootDN>" -lDAPFilter "(objectcategory=subnet)"

# Native: search the Subnets container of the Configuration NC; the search root
# must be a DirectoryEntry, not a Forest object
$rootDSE = [ADSI]"LDAP://RootDSE"
$subnetsContainer = [ADSI]("LDAP://cn=subnets,cn=sites," + $rootDSE.Get("configurationNamingContext"))
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher($subnetsContainer)
$objSearcher.Filter = "(objectCategory=subnet)"
$objSearcher.SearchScope = "OneLevel"
$colResults = $objSearcher.FindAll()
foreach ($result in $colResults) { $result.Properties["cn"][0] }
To display the site that subnets are associated with, include the siteObject attribute as one of the attributes to return from the query. For example, the second-to-last line of the VBScript solution could be modified to return the site by using this code:
Wscript.Echo " " & objSubnet.Get("cn") & " : " & objSubnet.Get("siteObject")
MS KB 323349 (How to Configure Subnets in Windows Server 2003 Active Directory)
End of content preview. The rest of this section is not viewable here.
Finding Missing Subnets
Content preview
You want to find the subnets that are missing from your site topology. Missing subnets can result in clients not authenticating against the most optimal domain controller, which can degrade performance.
Having all of your subnets in Active Directory is important because a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete. Unfortunately, Microsoft has not provided an easy way to rectify this problem.
Under Windows 2000, the only source of missing subnet information is the System event 5778. Here is an example:
Event Type:     Information
Event Source:   NETLOGON
Event Category: None
Event ID:       5778
Date:           1/27/2007
Time:           12:07:04 AM
User:           N/A
Computer:       DC2
Description:
'JSMITH-W2K' tried to determine its site by looking up its IP address ('10.21.85.34')
in the Configuration\Sites\Subnets container in the DS. No subnet matched the IP
address. Consider adding a subnet object for this IP address.
The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.
As of Windows Server 2008, things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they can easily fill up your System event log if you have many missing subnets. Starting in Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology. Here is an example:
Event Type:     Warning
Event Source:   NETLOGON
Event Category: None
Event ID:       5807
Date:           1/10/2007
Time:           10:59:53 AM
User:           N/A
Computer:       DC1
Description:
During the past 4.18 hours there have been 21 connections to this Domain Controller
from client machines whose IP addresses don't map to any of the existing sites in
the enterprise. Those clients, therefore, have undefined sites and may connect to any
Domain Controller including those that are in far distant locations from the
clients.
A client's site is determined by the mapping of its subnet to one of the existing
sites. To move the above clients to one of the sites, please consider creating
subnet object(s) covering the above IP addresses with mapping to one of the existing
sites.
The names and IP addresses of the clients in question have been logged on this
computer in the following log file '%SystemRoot%\debug\netlogon.log' and,
potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the
former log becomes full. The log(s) may contain additional unrelated debugging
information.
To filter out the needed information, please search for lines which contain text
'NO_CLIENT_SITE:'. The first word after this string is the client name and the
second word is the client IP address. The maximum size of the log(s) is
controlled by the following registry DWORD value
'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize';
the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a
different maximum size, create the above registry value and set the desired maximum
size in bytes.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
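As an added example (not from the book), the following PowerShell does the workflow the 5807 event describes: it pulls NO_CLIENT_SITE lines out of netlogon.log, drops any client that an existing subnet object already covers (the log may predate a fix), and groups what is left into proposed /24 networks. The sample log lines and subnet list embedded below are constructed for the example so that it runs offline; the NO_CLIENT_SITE line format is the one the event text describes. Function and parameter names are this example's own.

```powershell
# Added example, not from the book. The sample log lines and subnet list are constructed
# for the example; the NO_CLIENT_SITE format is the one the 5807 event text describes.
# Function and parameter names are this example's own.

function ConvertTo-UInt32Ip {
    # Dotted-quad IPv4 string to an unsigned 32-bit integer.
    param([Parameter(Mandatory)][string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Ip" }
    [uint32]($b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3])
}

function Test-IpInCidr {
    # True if $Ip lies inside $Cidr (the cn of an AD subnet object, e.g. 10.5.3.0/24).
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^(?<net>\d{1,3}(\.\d{1,3}){3})/(?<len>\d{1,2})$') { throw "Not an IPv4 CIDR subnet: $Cidr" }
    $net  = $Matches.net
    $len  = [int]$Matches.len
    $mask = [uint32]((([int64][uint32]::MaxValue) -shl (32 - $len)) -band [int64][uint32]::MaxValue)
    ((ConvertTo-UInt32Ip $Ip) -band $mask) -eq ((ConvertTo-UInt32Ip $net) -band $mask)
}

function Get-MissingSubnet {
    # Parse NO_CLIENT_SITE entries, drop clients an existing subnet already covers, and
    # group the rest into proposed /24 networks (adjust the prefix length by hand).
    param(
        [Parameter(Mandatory)][string[]]$LogLines,                                   # netlogon.log (+ .bak)
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$ExistingSubnets     # cn of each subnet object
    )
    $pattern = 'NO_CLIENT_SITE:\s+(?<name>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})\b'
    $clients = foreach ($line in $LogLines) {
        if ($line -match $pattern) { [pscustomobject]@{ Name = $Matches.name; Ip = $Matches.ip } }
    }
    $uncovered = $clients | Where-Object {
        $ip = $_.Ip
        -not ($ExistingSubnets | Where-Object { Test-IpInCidr -Ip $ip -Cidr $_ })
    }
    $uncovered | Group-Object { $_.Ip -replace '\.\d+$', '.0/24' } | ForEach-Object {
        [pscustomobject]@{
            ProposedSubnet = $_.Name
            ClientCount    = $_.Count
            Clients        = (($_.Group.Name | Sort-Object -Unique) -join ', ')
        }
    } | Sort-Object ClientCount -Descending
}

function Get-ExistingSubnetCn {
    # cn of every subnet object (the same query as the Listing the Subnets recipe).
    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc", '(objectCategory=subnet)')
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('cn')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['cn'][0] }
}

# Constructed sample input (not real log output): two clients on one uncovered network,
# one on another, one already covered by 10.5.3.0/24, and one unrelated log line.
$sampleLog = @(
    '01/27 00:07:04 [MISC] NO_CLIENT_SITE: JSMITH-W2K 10.21.85.34',
    '01/27 00:09:11 [MISC] NO_CLIENT_SITE: RDAVIS-XP 10.21.85.60',
    '01/27 00:12:40 [MISC] NO_CLIENT_SITE: LAB-PC 192.168.40.7',
    '01/27 00:13:02 [MISC] NO_CLIENT_SITE: OLDHOST 10.5.3.17',
    '01/27 00:13:05 [LOGON] SamLogon: Network logon of ADATUM\jsmith from JSMITH-W2K Entered'
)
Get-MissingSubnet -LogLines $sampleLog -ExistingSubnets @('10.5.3.0/24', '172.16.0.0/16') | Format-Table -AutoSize

# Against a real DC (the admin$ share maps to %SystemRoot%):
# Get-MissingSubnet -LogLines (Get-Content '\\DC1\admin$\debug\netlogon.log') -ExistingSubnets @(Get-ExistingSubnetCn)
```

The pattern only matches IPv4 clients; if your DCs log IPv6 addresses in NO_CLIENT_SITE lines you will need a second pattern and a second containment test. Run the collection against every DC (or only the ones named in 5807 events), because each DC logs only the clients that reached it.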
End of content preview. The rest of this section is not viewable here.
Deleting a Subnet
Content preview
You want to delete a subnet object.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Click on the Subnets container.
  3. The list of subnets will be displayed in the right pane.
  4. Right-click on the subnet you wish to remove and select Delete.
  5. Click Yes to confirm.

Using a command-line interface

You can delete a subnet object using the built-in dsrm utility or AdMod. The dsrm utility takes the following syntax:
> dsrm cn=<SubnetName>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>
To remove a subnet using AdMod, use this syntax:
> admod -b cn=<SubnetName>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN> -del

Using VBScript

' This code deletes a subnet object by binding to its parent container.
' ------ SCRIPT CONFIGURATION ------
strSubnetName = "cn=<SubnetName>" ' e.g. "cn=10.0.0.0/8"
strForestDN = "<ForestRootDN>"    ' e.g. "dc=adatum,dc=com"
' ------ END CONFIGURATION --------

strParentDN = "cn=subnets,cn=sites,cn=configuration," & strForestDN
set objContainer = GetObject("LDAP://" & strParentDN)
' Delete takes the object class and the RDN of the child to remove
objContainer.Delete "subnet", strSubnetName
WScript.Echo "Successfully deleted subnet " & strSubnetName

Using PowerShell

To delete a subnet using the Quest AD cmdlets, use the following syntax:
remove-QADObject -identity <Subnet DN>
To delete a subnet using ADSI, use the following:
$objSubnet = [ADSI] "LDAP://<Subnet DN>"
$objSubnet.psbase.DeleteTree()

Using VBScript

This script example uses the IADsContainer::Delete method to delete the subnet object. To use this method, you must first bind to the parent container of the object. You then call Delete by passing the object class along with the RDN of the object that you want to delete.
The Delete method is a safer alternative to the DeleteObject method because you need to be more explicit about what you are deleting. With DeleteObject, you only have to specify the distinguished name of an object and it will summarily delete it. For example, the following code will delete a subnet object using DeleteObject:
strSubnetDN = "<SubnetDN>"
set objSubnet = GetObject("LDAP://" & strSubnetDN)
objSubnet.DeleteObject(0)
As you can see, if a user accidentally or maliciously mistypes an inappropriate DN, the result could be disastrous. Using the
End of content preview. The rest of this section is not viewable here.
Changing a Subnet’s Site Assignment
Content preview
You want to change the site object that a particular subnet is associated with.

Using a graphical user interface

  1. Open the Active Directory Sites and Services MMC snap-in (dssite.msc).
  2. Browse to Sites→Subnets, then right-click on the subnet that you wish to modify and select Properties.
  3. In the Site drop-down box, select the name of the site that this subnet should be associated with and click OK.

Using a command-line interface

> admod -b "cn=<SubnetName>,cn=Subnets,cn=Sites,cn=Configuration,<ForestRootDN>" siteObject::<NewSiteDN>
For <SubnetName>, use the format “192.168.1.0/24”, for example.

Using VBScript

' This code updates the site assignment of a subnet object.
' ------ SCRIPT CONFIGURATION ------
strNewSiteName = "<SiteName>"   ' e.g. "Raleigh"
strSubnetName  = "<SubnetName>" ' e.g. "192.168.1.0/24"
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
strConfigNC = objRootDSE.Get("configurationNamingContext")
set objSubnet = GetObject("LDAP://cn=" & strSubnetName & _
                          ",cn=subnets,cn=sites," & strConfigNC)

' siteObject is a single-valued DN: a subnet belongs to exactly one site
objSubnet.Put "siteObject", "cn=" & strNewSiteName & ",cn=sites," & strConfigNC
objSubnet.SetInfo
WScript.Echo "Site membership updated successfully!"

Using PowerShell

set-QADObject -Identity <SubnetDN> -ObjectAttributes @{siteObject='<NewSiteDN>'}

$objSubnet = [ADSI] "LDAP://<SubnetDN>"
$objSubnet.Put("siteObject","<NewSiteDN>")
$objSubnet.SetInfo()
Since the site topology that you create in Active Directory is meant to map to your physical network topology, an Active Directory subnet object can be associated with only a single AD site at any one time. If you modify your site configuration or need to delete a site object for any reason, you should configure any subnets associated with that site that are still active on your network so that they are associated with another Active Directory site. This will ensure that any clients that reside on those subnets will be able to locate resources such as domain controllers appropriately, without sending authentication requests across site links unnecessarily.
End of content preview. The rest of this section is not viewable here.
Creating a Site Link
Content preview
You want to create a site link to connect two or more sites together.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Expand the Sites container.
  3. Expand the Inter-Site Transports container.
  4. Right-click on IP (or SMTP) and select New Site Link.
  5. For Name, enter the name for the site link.
  6. Under “Sites not in this site link,” select at least two sites and click the Add button.
  7. Click OK.

Using a command-line interface

The following LDIF would create a site link connecting the SJC and Dallas sites:
dn: cn=Dallas-SJC,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: siteLink
siteList: cn=SJC,cn=sites,cn=configuration,<ForestRootDN>
siteList: cn=Dallas,cn=sites,cn=configuration,<ForestRootDN>
If the LDIF file were named create_site_link.ldf, you’d then run the following command:
> ldifde -v -i -f create_site_link.ldf
You can also create a site link using AdMod, as follows:
> admod -b "cn=<SiteLinkName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>"
    objectclass::sitelink
    "sitelist:++:cn=<FirstSite>,cn=sites,cn=configuration,<ForestRootDN>;cn=<SecondSite>,cn=sites,cn=configuration,<ForestRootDN>"
    cost::50 replInterval::180
    -add
Using VBScript

' This code creates a site link.
' ------ SCRIPT CONFIGURATION ------
intCost = 100            ' site link cost
intReplInterval = 180    ' replication interval in minutes
strSite1 = "<Site1>"     ' e.g. SJC
strSite2 = "<Site2>"     ' e.g. Dallas
strLinkName = strSite1 & " - " & strSite2
' ------ END CONFIGURATION ---------

' Taken from ADS_PROPERTY_OPERATION_ENUM
const ADS_PROPERTY_UPDATE = 2

set objRootDSE = GetObject("LDAP://RootDSE")
set objLinkCont = GetObject( _
                   "LDAP://cn=IP,cn=Inter-site Transports,cn=sites," & _
                   objRootDSE.Get("configurationNamingContext") )
set objLink = objLinkCont.Create("siteLink", "cn=" & strLinkName)
strSite1DN = "cn=" & strSite1 & ",cn=sites," & _
               objRootDSE.Get("configurationNamingContext")
strSite2DN = "cn=" & strSite2 & ",cn=sites," & _
               objRootDSE.Get("configurationNamingContext")
' siteList is multi-valued, so set both members in one PutEx call
objLink.PutEx ADS_PROPERTY_UPDATE, "siteList", Array(strSite1DN,strSite2DN)
objLink.Put "cost", intCost
objLink.Put "replInterval", intReplInterval
objLink.SetInfo

WScript.Echo "Successfully created link: " & strLinkName
End of content preview. The rest of this section is not available here.
Finding the Site Links for a Site
You want to list the site links that are associated with a site.

Using a graphical user interface

  1. Open LDP and from the menu, select Connection→Connect.
  2. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  3. For Port, enter 389.
  4. Click OK.
  5. From the menu, select Connection→Bind.
  6. Enter the credentials of the domain user.
  7. Click OK.
  8. From the menu, select Browse→Search.
  9. For BaseDN, type the Inter-Site Transports container DN (e.g., cn=Inter-site Transports,cn=sites,cn=configuration,dc=adatum,dc=com).
  10. For Scope, select Subtree.
  11. For Filter, enter the following:
    (&(objectcategory=siteLink)(siteList=cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>))
  12. Click Run.

Using a command-line interface

You can list the site links associated with a particular site using DSQuery or AdFind. DSQuery requires the following syntax:
> dsquery * "cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>" -filter "(&(objectcategory=siteLink)(siteList=cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>))" -scope subtree -attr name
To obtain this information using AdFind, use the following:
> adfind -config -f "(&(objectcategory=siteLink)(siteList=cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>))" name

Using VBScript

' This code displays the site links associated with the specified site.
' ------ SCRIPT CONFIGURATION ------
strSiteName = "<SiteName>" ' e.g. Raleigh
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
strSiteDN = "cn=" & strSiteName & ",cn=sites," & _
            objRootDSE.Get("ConfigurationNamingContext")

strBase    = "<LDAP://cn=Inter-site Transports,cn=sites," _
              & objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=siteLink)" & _
             "(siteList=" & strSiteDN & "));"
strAttrs   = "name;"
strScope   = "subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)

WScript.Echo "Total site links for " & strSiteName & ": " & objRS.RecordCount
if objRS.RecordCount > 0 then
   objRS.MoveFirst
   while Not objRS.EOF
       Wscript.Echo vbTab & objRS.Fields(0).Value
       objRS.MoveNext
   wend
end if
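The same search in PowerShell via System.DirectoryServices, as an added example that is not part of the book: it returns the cost and replication interval alongside the name, and it escapes the site name before splicing it into the LDAP filter. The dsquery and VBScript solutions above paste <SiteName> straight into the filter; a name containing `*`, `(`, `)` or `\` (taken from a script parameter, say) would change what the filter matches, so the helper applies RFC 4515 escaping first. Function and helper names are this example's own; it assumes a domain-joined host that can read the Configuration partition and site names without commas.

```powershell
# Added example, not from the book. Lists the site links a site belongs to,
# with cost and replication interval, escaping the site name before it is
# embedded in the LDAP filter (RFC 4515). Assumes a domain-joined host.

function ConvertTo-LdapFilterLiteral {
    # Escape the characters that have structural meaning inside a filter
    # value. Backslash goes first so the escapes themselves are not re-escaped.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-SiteLinksForSite {
    param([Parameter(Mandatory)][string]$SiteName)   # e.g. Raleigh

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $siteDN   = "cn=$SiteName,cn=Sites,$configNC"
    $filter   = "(&(objectCategory=siteLink)(siteList=$(ConvertTo-LdapFilterLiteral $siteDN)))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://cn=Inter-Site Transports,cn=Sites,$configNC"
    $searcher.Filter      = $filter
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'distinguishedName', 'cost', 'replInterval', 'siteList'))

    foreach ($r in $searcher.FindAll()) {
        $p  = $r.Properties
        $dn = [string]$p['distinguishedname'][0]
        [pscustomobject]@{
            Name         = [string]$p['name'][0]
            # Second RDN of the link DN is the transport container (cn=IP or cn=SMTP)
            Transport    = (($dn -split ',')[1] -replace '^cn=', '')
            Cost         = [int]$p['cost'][0]
            ReplInterval = if ($p.Contains('replinterval')) { [int]$p['replinterval'][0] } else { $null }
            # First RDN of each member site DN (assumes site names without commas)
            Sites        = @($p['sitelist'] | ForEach-Object { (($_ -split ',')[0] -replace '^cn=', '') })
        }
    }
}

# Usage (placeholder site name):
#   Get-SiteLinksForSite -SiteName 'Raleigh' | Sort-Object Cost | Format-Table -AutoSize
```

Sorting by Cost shows at a glance which link the KCC will prefer for that site; a link with an unexpectedly low cost or a very long ReplInterval is the kind of topology drift worth chasing.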
End of content preview. The rest of this section is not available here.
Modifying the Sites That Are Part of a Site Link
You want to modify the sites associated with a site link.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites→Inter-Site Transports.
  3. Click either the IP or SMTP folder, depending where the site link is stored.
  4. In the right pane, double-click on the link you want to modify.
  5. Under the General tab, you can add and remove sites that are associated with the site link.
  6. Click OK.

Using a command-line interface

Create an LDIF file called modify_site_link.ldf with the following contents. Replace <LinkName> with the name of the link and <SiteName> with the site to add to the link:
dn: cn=<LinkName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
add: siteList
siteList: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
-
Then run the following command:
> ldifde -v -i -f modify_site_link.ldf
You can also add sites to a site link using AdMod, as follows:
> admod -b "cn=<LinkName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>" siteList:+:"cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>"

Using VBScript

' This code adds a site to an existing site link.
' ------ SCRIPT CONFIGURATION ------
strSite = "<SiteName>" ' e.g. Burlington
strLink = "<LinkName>" ' e.g. DEFAULTIPSITELINK
' ------ END CONFIGURATION --------

' Taken from ADS_PROPERTY_OPERATION_ENUM
const ADS_PROPERTY_APPEND = 3

set objRootDSE = GetObject("LDAP://RootDSE")
set objLink = GetObject("LDAP://cn=" & strLink & _
                        ",cn=IP,cn=Inter-site Transports,cn=sites," & _
                        objRootDSE.Get("configurationNamingContext") )
strSiteDN = "cn=" & strSite & ",cn=sites," & _
            objRootDSE.Get("configurationNamingContext")
' APPEND adds to the existing siteList values instead of replacing them
objLink.PutEx ADS_PROPERTY_APPEND, "siteList", Array(strSiteDN)
objLink.SetInfo

WScript.Echo "Successfully modified link: " & strLink

Using PowerShell

To append one or more values to the list of sites within a site link using the Quest tools, use the following syntax:
End of content preview. The rest of this section is not available here.
Modifying the Cost for a Site Link
You want to modify the cost for a site link.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites→Inter-Site Transports.
  3. Click either the IP or SMTP folder, depending on where the site link is stored.
  4. In the right pane, double-click on the link you want to modify.
  5. Under the General tab, you can change the cost for the site link.
  6. Click OK.

Using a command-line interface

Create an LDIF file called modify_site_link_cost.ldf with the following contents. Replace <LinkName> with the name of the link you want to modify and <LinkCost> with the cost:
dn: cn=<LinkName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: cost
cost: <LinkCost>
-
Then run the following command:
> ldifde -v -i -f modify_site_link_cost.ldf
You can also modify the cost of a site link using AdMod, as follows:
> admod -b "cn=<LinkName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>" cost::<LinkCost>

Using VBScript

' This code modifies the cost attribute of a site link.
' ------ SCRIPT CONFIGURATION ------
strLink = "<SiteLink>" ' e.g. DEFAULTIPSITELINK
intCost = <LinkCost>   ' e.g. 200
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objLink = GetObject("LDAP://cn=" & strLink & _
                        ",cn=IP,cn=Inter-site Transports,cn=sites," & _
                        objRootDSE.Get("configurationNamingContext") )
objLink.Put "cost", intCost
objLink.SetInfo

WScript.Echo "Successfully modified link: " & strLink

Using PowerShell

You can modify the cost of a site link using the Quest cmdlets or ADSI, as follows:
set-QADObject -Identity <SiteLinkDN> -ObjectAttributes @{cost=<NewCost>}

$objSiteLink = [ADSI] "LDAP://<SiteLinkDN>"
$objSiteLink.Put("cost", <NewCost>)   # an integer, e.g. 200
$objSiteLink.SetInfo()
The cost attribute is one of the most important attributes of siteLink objects. cost is used by the KCC to determine what connection objects should be created to allow domain controllers to replicate data.
End of content preview. The rest of this section is not available here.
Enabling Change Notification for a Site Link
You want to enable change notification between sites so that replication will occur as changes occur rather than according to a set schedule.

Using a graphical user interface

  1. Open ADSI Edit. Create or open a connection to the Configuration container, then browse to CN=Configuration,<ForestRootDN>→CN=Sites→CN=Inter-Site Transports→CN=IP.
  2. Right-click on the site link object that you want to modify and select Properties.
  3. Scroll to the options attribute. If the attribute has not been set, click Edit and enter a value of 1. Click OK.
  4. If there is an existing value in place, perform a bitwise OR with 1 and the existing value, click Edit, and enter the new value. Click OK.

Using a command-line interface

> adfind -b "cn=<SiteLinkName>,cn=IP,cn=Inter-site Transports,cn=Sites,cn=Configuration,<ForestRootDN>" options -adcsv | admod options::{{.:SET:1}}

Using VBScript

' This code safely modifies a bit flag attribute.
' ------ SCRIPT CONFIGURATION -------
strSiteLink = "<SiteLinkDN>"   ' e.g. cn=DEFAULTIPSITELINK,cn=IP,cn=Inter-site Transports,
                               '      cn=Sites,cn=Configuration,dc=adatum,dc=com
strAttr = "options"
boolEnableBit = <TRUEorFALSE>  ' e.g. TRUE to enable
intBit = 1                     ' siteLink options bit 1 = use change notification
' ------ END CONFIGURATION ---------

set objSiteLink = GetObject("LDAP://" & strSiteLink)

' options is not present on the object until it has been set once;
' reading it would fail, so treat "not set" as 0
On Error Resume Next
intBitsOrig = objSiteLink.Get(strAttr)
if Err.Number <> 0 then
   intBitsOrig = 0
   Err.Clear
end if
On Error Goto 0

intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnableBit)

if intBitsOrig <> intBitsCalc then
   objSiteLink.Put strAttr, intBitsCalc
   objSiteLink.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & intBitsOrig & " to " & _
                intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & intBitsOrig & ")"
end if

' Returns intValue with intBit set (boolEnable = TRUE) or cleared (FALSE),
' leaving every other bit untouched.
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if intValue And intBit then
         CalcBit = intValue Xor intBit
      end if
   end if
End Function

Using PowerShell

$objSiteLink = [ADSI] "LDAP://<SiteLinkDN>"
# options is absent until it has been written once; treat absent as 0
$currentOptions = 0
if ($objSiteLink.psbase.Properties.Contains("options")) {
    $currentOptions = [int]$objSiteLink.psbase.Properties["options"].Value
}
$newOptions = $currentOptions -bor 1
$objSiteLink.Put("options", $newOptions)
$objSiteLink.SetInfo()
End of content preview. The rest of this section is not available here.
Modifying Replication Schedules
You want to change the times of day or week that a particular site link (IP or SMTP) is available for replication.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites→Inter-Site Transports.
  3. Click either the IP or SMTP folder, depending on where the site link is stored.
  4. In the right pane, double-click on the link you want to modify.
  5. On the General tab, click Change Schedule.
  6. Select the times and days of the week that you wish to allow or disallow, and select the Replication Available or Replication Not Available radio button, as appropriate.
  7. Click OK twice to save your changes.

Using a command-line interface

To configure a site link to be available 24 hours a day, 7 days a week, use the following syntax:
> admod -b cn=<SiteLinkName>,cn=<TransportName>,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN> schedule::0

Using VBScript

' The following script will display the availability schedule
' for a particular site link.
' The schedule attribute is a binary blob: a 20-byte header (size,
' bandwidth, number of schedules, schedule type, data offset) followed
' by 168 bytes, one per hour of the week starting Sunday 00:00 UTC.
' The low four bits of each hour byte mark its four 15-minute slots;
' a nonzero nibble means replication is available during that hour.
' If the attribute is absent, the link is available at all times.

Days = Array("Sunday", "Monday", "Tuesday", "Wednesday", _
             "Thursday", "Friday", "Saturday")

Set objSiteLink = GetObject("LDAP://<SiteLinkDN>")

On Error Resume Next
arrSchedule = objSiteLink.Get("schedule")
If Err.Number <> 0 Then
    WScript.Echo "No schedule set: replication is available at all times"
    WScript.Quit
End If
On Error GoTo 0

' Bytes 17-20 (1-based) hold the little-endian offset of the hour data;
' it is 20 for the single-schedule layout that Active Directory writes.
intOffset = AscB(MidB(arrSchedule, 17, 1)) + 256 * AscB(MidB(arrSchedule, 18, 1))

WScript.Echo "Day        00-07    08-15    16-23  (hours, UTC)"
For intDay = 0 To 6
    strLine = Left(Days(intDay) & Space(10), 10) & " "
    For intHour = 0 To 23
        intByte = AscB(MidB(arrSchedule, intOffset + intDay * 24 + intHour + 1, 1))
        If (intByte And &H0F) <> 0 Then
            strLine = strLine & "1"
        Else
            strLine = strLine & "0"
        End If
        If intHour = 7 Or intHour = 15 Then strLine = strLine & " "
    Next
    WScript.Echo strLine
Next
End of content preview. The rest of this section is not available here.
Disabling Site Link Transitivity or Site Link Schedules
You want to disable site link transitivity to control replication manually.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites→Inter-Site Transports.
  3. Right-click either the IP or SMTP folder, depending on which protocol you want to disable transitivity or ignore schedules for.
  4. Select Properties.
  5. To disable site link transitivity, uncheck “Bridge all site links.”
  6. To ignore site link schedules, check “Ignore schedules.”
  7. Click OK.

Using a command-line interface

You can modify the options attribute of the IP (or SMTP) transport container using an LDIF file and ldifde, but since the attribute is a bit flag, you are better off using the GUI, VBScript, or PowerShell solutions, which read the current value of options and change only the bits you want. ldifde can only replace the whole value and does not handle this type of logic.

Using VBScript

' This code can disable site link transitivity and site
' schedules for all links of the IP transport.
' ------ SCRIPT CONFIGURATION ------
boolDisableTrans = <TrueOrFalse>    ' e.g. TRUE
boolIgnoreSchedules = <TrueOrFalse> ' e.g. FALSE
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objLink = GetObject( _
                  "LDAP://cn=IP,cn=Inter-site Transports,cn=sites," & _
                  objRootDSE.Get("configurationNamingContext") )

' options on the transport container: bit 2 = bridges required (site link
' transitivity off), bit 1 = ignore schedules. Absent means 0.
On Error Resume Next
intBitsOrig = objLink.Get("options")
if Err.Number <> 0 then
   intBitsOrig = 0
   Err.Clear
end if
On Error Goto 0

' Apply the second change to the result of the first, not to the original
intBits = CalcBit(intBitsOrig, 2, boolDisableTrans)
intBits = CalcBit(intBits, 1, boolIgnoreSchedules)

if intBitsOrig <> intBits then
   objLink.Put "options", intBits
   objLink.SetInfo
   WScript.Echo "Successfully modified options for the IP transport: " & _
                intBitsOrig & " -> " & intBits
else
   WScript.Echo "Did not need to modify options for the IP transport"
end if

' Returns intValue with intBit set (boolEnable = TRUE) or cleared (FALSE),
' leaving every other bit untouched.
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if intValue And intBit then
         CalcBit = intValue Xor intBit
      end if
   end if
End Function

Using PowerShell

$objIP = [ADSI] "LDAP://cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>"
# options is absent until it has been written once; treat absent as 0
$currentOptions = 0
if ($objIP.psbase.Properties.Contains("options")) {
    $currentOptions = [int]$objIP.psbase.Properties["options"].Value
}
$newOptions = $currentOptions -bor 2   # bit 2: disable site link transitivity
$newOptions = $newOptions -bor 1       # bit 1: ignore schedules (builds on the line above)
$objIP.Put("options", $newOptions)
$objIP.SetInfo()
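One function that serves both this recipe and Enabling Change Notification for a Site Link above, as an added PowerShell example (not code from the book): it sets or clears a single bit of an object's options attribute while preserving the other bits, reads an absent attribute as 0, writes only when the value actually changes, and reports the before/after values. The function name and the link name in the usage lines are placeholders of this example; it assumes a domain-joined host with write access to the Configuration partition.

```powershell
# Added example, not from the book. Sets or clears one bit of an object's
# 'options' attribute while preserving the other bits, writes only when the
# value actually changes, and reports before/after. Works for both the
# siteLink change-notification bit and the transport-wide bits.
# Assumes a domain-joined host with write access to the Configuration NC.

function Set-AdOptionsBit {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][int]$Bit,        # a single flag value, e.g. 1 or 2
        [Parameter(Mandatory)][bool]$Enable,    # $true sets the bit, $false clears it
        [switch]$WhatIf                         # compute and report without writing
    )
    if ($Bit -le 0 -or ($Bit -band ($Bit - 1)) -ne 0) {
        throw "Bit must be a single flag (a power of two), got $Bit"
    }

    $obj = [ADSI]"LDAP://$DistinguishedName"
    # 'options' does not exist on an object until it has been written once;
    # reading it blindly fails, so treat "absent" as 0.
    $current = 0
    if ($obj.psbase.Properties.Contains('options')) {
        $current = [int]$obj.psbase.Properties['options'].Value
    }

    $new = if ($Enable) { $current -bor $Bit } else { $current -band (-bnot $Bit) }
    $write = ($new -ne $current) -and (-not $WhatIf)
    if ($write) {
        $obj.Put('options', $new)
        $obj.SetInfo()
    }
    [pscustomobject]@{ Object = $DistinguishedName; Before = $current; After = $new; Written = $write }
}

# Usage (placeholder link name; drop -WhatIf to apply). Bit meanings depend
# on the object class:
#   siteLink options:                    1 = use change notification
#   interSiteTransport (cn=IP) options:  1 = ignore schedules
#                                        2 = bridges required (transitivity off)
$configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$transports = "cn=Inter-Site Transports,cn=Sites,$configNC"

Set-AdOptionsBit -DistinguishedName "cn=DEFAULTIPSITELINK,cn=IP,$transports" -Bit 1 -Enable $true  -WhatIf
Set-AdOptionsBit -DistinguishedName "cn=IP,$transports"                     -Bit 2 -Enable $true  -WhatIf
Set-AdOptionsBit -DistinguishedName "cn=IP,$transports"                     -Bit 1 -Enable $false -WhatIf
```

Because the function only ever touches the one bit it is asked about, it can be run repeatedly from a scheduled job to enforce a known topology setting without clobbering bits that other tooling maintains.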
End of content preview. The rest of this section is not available here.
Creating a Site Link Bridge
You want to create a site link bridge because you’ve disabled site link transitivity.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites→Inter-Site Transports.
  3. Right-click either the IP or SMTP folder, depending on which protocol you want to create a site link bridge for.
  4. Select New Site Link Bridge.
  5. Highlight two or more site links in the left box.
  6. Click the Add button.
  7. Click OK.

Using a command-line interface

Create an LDIF file called create_site_link_bridge.ldf with the following contents, where <Link1> and <Link2> refer to the site links to be bridged:
dn: cn=<BridgeName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: siteLinkBridge
siteLinkList: cn=<Link1>,cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>
siteLinkList: cn=<Link2>,cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>
Then run the following command:
> ldifde -v -i -f create_site_link_bridge.ldf
You can also create a site link bridge using AdMod, as follows (note that the attribute on a bridge is siteLinkList, not siteList):
> admod -b "cn=<BridgeName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>"
     objectclass::sitelinkBridge
     "siteLinkList:++:cn=<FirstSiteLink>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>;cn=<SecondSiteLink>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>"
     -add

Using VBScript

' This code creates a site link bridge between two site links.
' ------ SCRIPT CONFIGURATION -------
strLink1 = "<Link1>"      ' e.g. AMS-LON
strLink2 = "<Link2>"      ' e.g. SJC-RTP
strBridge = "<BridgeName>"' e.g. AMER-EUR
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objLinkCont = GetObject( _
                   "LDAP://cn=IP,cn=Inter-site Transports,cn=sites," & _
                   objRootDSE.Get("configurationNamingContext") )
set objBridge = objLinkCont.Create("siteLinkBridge", "cn=" & strBridge)
strLink1DN = "cn=" & strLink1 & _
             ",cn=IP,cn=Inter-site Transports,cn=sites," & _
             objRootDSE.Get("configurationNamingContext")
strLink2DN = "cn=" & strLink2 & _
             ",cn=IP,cn=Inter-site Transports,cn=sites," & _
             objRootDSE.Get("configurationNamingContext")
objBridge.Put "siteLinkList", Array(strLink1DN,strLink2DN)
objBridge.SetInfo

WScript.Echo "Successfully created bridge: " & strBridge
End of content preview. The rest of this section is not available here.
Finding the Bridgehead Servers for a Site
You want to find the bridgehead servers for a site.

Using a graphical user interface

The replmon.exe utility is no longer available in Windows Server 2008; for 2008 servers, use the command-line solution below.
  1. Open the Replication Monitor from the Support Tools (replmon.exe).
  2. From the menu, select View→Options.
  3. In the left pane, right-click on Monitored Servers and select Add Monitored Server.
  4. Use the Add Monitored Server Wizard to add a server in the site you want to find the bridgehead server(s) for.
  5. In the left pane, right-click on the server and select Show BridgeHead Servers→In This Server’s Site.

Using a command-line interface

> repadmin /bridgeheads [<ServerName>] [/verbose]
The /bridgeheads option requires the Windows Server 2003 or later version of repadmin. There is no such option in the Windows 2000 version.

Using VBScript

' This code finds the bridgehead servers for the specified site.
' ------ SCRIPT CONFIGURATION ------
strServer = "<ServerName>" ' server to target query against, e.g. dc01
strSite = "<SiteName>"     ' name of site to query, e.g. Default-First-Site-Name
' ------ END CONFIGURATION --------

' IADsTools (iadstools.dll) ships with the Windows Support Tools
set objIadsTools = CreateObject("IADsTools.DCFunctions")
intRes = objIadsTools.GetBridgeHeadsInSite(Cstr(strServer),Cstr(strSite),0)

if intRes = -1 then
   Wscript.Echo "Bridge heads: " & objIadsTools.LastErrorText
   WScript.Quit
end if

for count = 1 to intRes
   WScript.Echo vbTab & objIadsTools.BridgeHeadName(count)
next
Bridgehead servers are responsible for replicating data between sites. Instead of all domain controllers replicating the same naming contexts outside of the site, the bridgehead servers act as a funnel for replication into and out of a site. Any domain controller in a site can become a bridgehead server, and bridgeheads are designated by the KCC for each writable partition in the site. You can control which servers are designated as bridgehead servers by defining preferred bridgehead servers (see the next recipe, Setting a Preferred Bridgehead Server for a Site, for how to do this).
End of content preview. The rest of this section is not available here.
Setting a Preferred Bridgehead Server for a Site
You want to set a preferred bridgehead server for a site.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites, expand the site where the server you want to set as a bridgehead is contained, and expand the Servers container.
  3. Right-click on the server you want to set as the bridgehead and select Properties.
  4. Highlight IP, SMTP, or both, depending on the protocol(s) for which you want the server to be a bridgehead.
  5. Click the Add button.
  6. Click OK.

Using a command-line interface

Create an LDIF file called set_bridgehead_server.ldf with the following contents:
dn: cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
add: bridgeheadTransportList
bridgeheadTransportList: cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>
-
Then run the following command:
> ldifde -v -i -f set_bridgehead_server.ldf
You can also set the preferred bridgehead server with AdMod, using the following syntax:
> admod -b cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN> bridgeheadTransportList:+:"cn=IP,cn=Inter-site transports,cn=sites,cn=configuration,<ForestRootDN>"

Using VBScript

' This code sets a preferred bridgehead server for a particular transport.
' ------ SCRIPT CONFIGURATION ------
strServer     = "<DomainControllerName>"  ' e.g. dc1
strServerSite = "<SiteName>"              ' e.g. Default-First-Site-Name
strTransport  = "<TransportName>"         ' e.g. either IP or SMTP
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")

set objServer = GetObject("LDAP://cn=" & strServer & ",cn=Servers,cn=" & _
                          strServerSite & ",cn=sites," & _
                          objRootDSE.Get("configurationNamingContext") )
' Put replaces any existing value; use PutEx with ADS_PROPERTY_APPEND (3)
' if the server should stay a preferred bridgehead for another transport
objServer.Put "bridgeHeadTransportList", _
              "cn=" & strTransport & ",cn=Inter-site Transports,cn=sites," _
                    & objRootDSE.Get("configurationNamingContext")
objServer.SetInfo

WScript.Echo "Successfully set bridgehead server: " & strServer
End of content preview. The rest of this section is not available here.
Listing the Servers
You want to list the server objects in the site topology.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter the credentials of a domain user.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the Sites container’s DN (for example, cn=sites,cn=configuration,dc=adatum,dc=com).
  11. For Scope, select Subtree.
  12. For Filter, enter (objectcategory=server).
  13. Click Run.
You can also view the servers in your site topology by using the Active Directory Sites and Services MMC snap-in (dssite.msc) and manually browsing the site topology.

Using a command-line interface

> dsquery server [-site <SiteName>]
To list all servers in the site topology using AdFind, use the following syntax:
> adfind -sites -f (objectcategory=server)
To restrict the results to a specific site, do the following:
> adfind -config -rb cn=<SiteName>,cn=sites -f (objectcategory=server)

Using VBScript

' This code lists the server objects in the site topology.

set objRootDSE = GetObject("LDAP://RootDSE")
strBase    =  "<LDAP://cn=sites," & _
              objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter = "(objectcategory=server);"
strAttrs = "distinguishedName;"
strScope = "subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

Using PowerShell

get-QADObject -SearchRoot "cn=sites,cn=configuration,<ForestRootDN>" -LdapFilter "(objectcategory=server)"

$strCategory = "server"
$objRoot = [ADSI] "LDAP://cn=sites,cn=configuration,<ForestRootDN>"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objRoot
$objSearcher.Filter = "(objectCategory=$strCategory)"
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults) { $objResult.Properties["distinguishedname"] }
End of content preview. The rest of this section is not available here.
Moving a Domain Controller to a Different Site
You want to move a domain controller to a different site. This may be necessary if you promoted the domain controller without first adding its subnet to Active Directory. In that case, the domain controller may not be added to the appropriate site.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites, expand the site where the server you want to move is contained, and expand the Servers container.
  3. Right-click on the server you want to move and select Move.
  4. Select the site to move the server to.
  5. Click OK.
Starting with Windows Server 2003, you can also drag-and-drop the server object from one site to another, if desired.

Using a command-line interface

You can move a domain controller to a new site using either the built-in DSMove utility or AdMod. DSMove takes the following syntax:
> dsmove "cn=<ServerName>,cn=servers,cn=<CurrentSite>,cn=sites,cn=configuration,<ForestRootDN>" -newparent "cn=servers,cn=<NewSite>,cn=sites,cn=configuration,<ForestRootDN>"
To move a DC using AdMod, use the following:
> admod -b "cn=<ServerName>,cn=servers,cn=<CurrentSite>,cn=sites,cn=configuration,<ForestRootDN>" -move "cn=servers,cn=<NewSite>,cn=sites,cn=configuration,<ForestRootDN>"

Using VBScript

' This code moves a server to a different site.
' ------ SCRIPT CONFIGURATION ------
' Should contain the common name of the server object
strDC = "<DomainControllerName>" ' e.g. dc02
' Name of the server's current site
strCurrentSite = "<CurrentSite>" ' e.g. Default-First-Site-Name
' Name of the site you want to move the server to
strNewSite = "<NewSite>"         ' e.g. Raleigh
' ------ END CONFIGURATION --------

strConfigDN = GetObject("LDAP://RootDSE").Get("configurationNamingContext")
strServerDN = "LDAP://cn=" & strDC & ",cn=servers,cn=" & _
                           strCurrentSite & ",cn=sites," & strConfigDN
strNewParentDN = "LDAP://cn=servers,cn=" & strNewSite & ",cn=sites," & strConfigDN

Set objCont = GetObject(strNewParentDN)
objCont.MoveHere strServerDN, "cn=" & strDC
WScript.Echo "Moved " & strDC & " to site " & strNewSite
End of content preview. The rest of this section is not available here.
Configuring a Domain Controller to Cover Multiple Sites
You want to configure a domain controller to cover multiple sites, which will cause clients in all of those sites to use that domain controller for authentication and directory lookups.

Using a graphical user interface

  1. Run regedit.exe from the command line or click Start→Run.
  2. In the left pane, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
  3. If the SiteCoverage value does not exist, right-click on Parameters in the left pane and select New→Multi-String Value. For the name, enter SiteCoverage.
  4. In the right pane, double-click on the value and enter each site the server should cover on a separate line.
  5. Click OK.

Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v SiteCoverage /t REG_MULTI_SZ /d <Site1>\0<Site2>

Using VBScript

' This code configures a domain controller to cover multiple sites.
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>" ' e.g. dc01
arrSites = Array("<Site1>","<Site2>") ' Array of site names to cover
' ------ END CONFIGURATION ---------

strNetlogonReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
const HKLM = &H80000002
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetMultiStringValue HKLM, strNetlogonReg, "SiteCoverage", arrSites
WScript.Echo "Site coverage set for " & strDC

Using PowerShell

$strRegPath = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
$arrSites = "<Site1>", "<Site2>"   # site names (not DNs), one per entry
New-ItemProperty -Path $strRegPath -Name "SiteCoverage" -PropertyType MultiString -Value $arrSites -Force
In an Active Directory environment, it is perfectly valid to have a site that does not contain its own domain controller. In fact, if you model the site topology after your real network, some sites will lack their own domain controllers unless you’ve deployed a branch office architecture or have very few sites. If you create sites without any domain controllers, the site links between the sites will determine which domain controllers will
End of content preview. The rest of this section is not available here.
Viewing the Site Coverage for a Domain Controller
You want to view the sites that a domain controller covers.

Using a command-line interface

In the following command, replace <DomainControllerName> with the name of the domain controller you want to view site coverage for:
> nltest /server:<DomainControllerName> /DsGetSiteCov

Using VBScript

Although you cannot use it directly from a scripting language like VBScript, Microsoft provides a DsGetDcSiteCoverage method that can be used by languages such as Visual Basic and C++ to retrieve site coverage information. In fact, the nltest command shown in the CLI solution is a wrapper around this method.
The recipe Configuring a Domain Controller to Cover Multiple Sites describes how to configure a domain controller to cover multiple sites. The recipe Disabling Automatic Site Coverage for a Domain Controller describes how you can prevent a domain controller from covering for any sites other than its own.
MSDN: DsGetDcSiteCoverage
End of content preview. The rest of this section is not available here.
Disabling Automatic Site Coverage for a Domain Controller
You want to prevent a domain controller from covering sites outside of the one in which it resides.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
  3. Right-click on Parameters and select New→DWORD Value.
  4. For the name, enter AutoSiteCoverage.
  5. Double-click on the new value, enter 0 under Value data, and click OK.

Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v AutoSiteCoverage /t REG_DWORD /d 0

Using VBScript

' This code disables auto site coverage.
strNetlogonReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
const HKLM = &H80000002
Set objReg = GetObject("winmgmts:root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNetlogonReg, "AutoSiteCoverage", 0
WScript.Echo "Site coverage disabled"

Using PowerShell

$strRegPath = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
set-ItemProperty -path $strRegPath -name "AutoSiteCoverage" -value 0
If you want to reduce the load on a domain controller, one way is to prevent it from covering for other sites. Automatic site coverage happens when a site does not contain any member domain controllers.
for viewing the site coverage for a domain controller
Finding the Site for a Client
You want to find which site a client computer is located in.

Using a command-line interface

In the following command, replace <HostName> with the name of the host you want to find the site for:
> nltest /server:<HostName> /DsGetSite
You’ll use the /server:<HostName> parameter even if you are specifying a client computer.

Using VBScript

Although you cannot use it directly from a scripting language like VBScript, Microsoft provides a DsGetSiteName method that can be used by languages such as Visual Basic and C++ to retrieve the site a computer belongs to. In fact, the nltest command shown in the CLI solution is a wrapper around this method.
The IADsTool interface provides a wrapper around this method:
set objIadsTools = CreateObject("IADsTools.DCFunctions")
strSite = objIadsTools.DsGetSiteName("<HostName>")
Wscript.Echo "Site: " & strSite
Each domain controller has a server object that is contained within a site. Clients are different: they are associated with a site based on their IP address and the subnet object in the Subnets container that the address matches. The client site information is important because it determines the domain controller the client authenticates with. If the client’s IP address does not match the subnet range of any of the subnets stored in Active Directory, it will randomly pick a site to use, which means it could authenticate against any domain controller in the domain. See for a way to hardcode the site association for a client.
for forcing a host into a particular site, MS KB 247811 (How Domain Controllers Are Located in Windows), and MSDN: DsGetSiteName
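The subnet-to-site matching described above, as an added example that is not from the book: it reads the subnet objects under cn=Subnets,cn=Sites in the Configuration NC and picks the most specific (longest-prefix) match for a client address, the rule the DC Locator applies. Get-ADSubnetTable assumes a reachable domain controller and IPv4 subnets; the demonstration at the bottom uses a constructed subnet table so the matching logic runs offline.

```powershell
# Added example (not from the book): re-implement the client side of the DC Locator
# site lookup. A client belongs to the site whose subnet object matches its address
# most specifically; no match means the locator falls back to an arbitrary site.
# IPv4 only. Get-ADSubnetTable needs a reachable DC; the demo below runs offline.

function ConvertTo-AddressNumber {
    # Dotted-quad IPv4 string -> 64-bit integer (first octet most significant),
    # done with arithmetic to avoid PowerShell's signed shift semantics.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

function Get-PrefixMask {
    # /n prefix length -> 32-bit network mask as int64 (e.g. /24 -> 4294967040)
    param([int]$PrefixLength)
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw "Invalid prefix length $PrefixLength" }
    return [int64]4294967295 - ([int64][math]::Pow(2, 32 - $PrefixLength) - 1)
}

function Find-SiteForAddress {
    # $SubnetTable entries carry .Prefix ('10.1.0.0/16') and .Site ('Raleigh').
    # Returns the site of the longest matching prefix, or $null when nothing matches.
    param([string]$Address, [object[]]$SubnetTable)
    $ip = ConvertTo-AddressNumber $Address
    $best = $null
    $bestLen = -1
    foreach ($entry in $SubnetTable) {
        if ($entry.Prefix -like '*:*') { continue }      # IPv6 subnets are skipped here
        $net, $len = $entry.Prefix -split '/'
        $len = [int]$len
        $mask = Get-PrefixMask $len
        $sameNetwork = (($ip -band $mask) -eq ((ConvertTo-AddressNumber $net) -band $mask))
        if ($sameNetwork -and ($len -gt $bestLen)) {
            $best = $entry.Site
            $bestLen = $len
        }
    }
    return $best
}

function Get-ADSubnetTable {
    # Read every subnet object from the live directory (requires a DC). The
    # siteObject attribute holds the DN of the site the subnet is assigned to.
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://cn=Subnets,cn=Sites,$configNC"
    $searcher.Filter = '(objectClass=subnet)'
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('siteObject')
    foreach ($r in $searcher.FindAll()) {
        $siteDn = [string]$r.Properties['siteobject'][0]
        [pscustomobject]@{
            Prefix = [string]$r.Properties['cn'][0]
            Site   = (($siteDn -split ',')[0] -replace '^CN=', '')
        }
    }
}

# Constructed sample table (not real data); note the overlapping prefixes.
$sampleSubnets = @(
    [pscustomobject]@{ Prefix = '10.0.0.0/8';      Site = 'Hub' },
    [pscustomobject]@{ Prefix = '10.1.0.0/16';     Site = 'Raleigh' },
    [pscustomobject]@{ Prefix = '10.1.5.0/24';     Site = 'Raleigh-Lab' },
    [pscustomobject]@{ Prefix = '192.168.50.0/24'; Site = 'Branch' }
)

foreach ($client in '10.1.5.20', '10.1.9.7', '10.200.1.1', '172.16.0.9') {
    $site = Find-SiteForAddress -Address $client -SubnetTable $sampleSubnets
    if ($null -eq $site) { $site = '(no subnet match: locator picks an arbitrary site)' }
    "{0,-14} -> {1}" -f $client, $site
}
# Against the real directory: Find-SiteForAddress '10.1.5.20' (Get-ADSubnetTable)
```

A client that lands in the "no subnet match" branch is the case the discussion warns about, and the fix is a subnet object, not the SiteName registry override.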
Forcing a Host into a Particular Site
You want to force a host to be in a particular site.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
  3. Right-click on Parameters and select New→String Value.
  4. Enter SiteName for the name.
  5. Double-click on the new value, enter the name of the site under Value data, and click OK.

Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v SiteName /t REG_SZ /d <SiteName>

Using VBScript

' This code forces the host the script is run on into a particular site.
' ------ SCRIPT CONFIGURATION ------
strSite = "<SiteName>" ' e.g. Raleigh
' ------ END CONFIGURATION ---------

strNetlogonReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
const HKLM = &H80000002
set objReg = GetObject("winmgmts:root\default:StdRegProv")
objReg.SetStringValue HKLM, strNetlogonReg, "SiteName", strSite
WScript.Echo "Set SiteName to " & strSite

Using PowerShell

$strRegPath = "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters"
set-ItemProperty -path $strRegPath -name "SiteName" -value "<SiteName>"
You can bypass the part of the DC Locator process that determines a client’s site by hardcoding it in the Registry. This is generally not recommended and should primarily be used as a troubleshooting tool. If a client is experiencing authentication delays due to a misconfigured site or subnet object, you can hardcode its site so that it temporarily points to a more optimal location (and domain controller) to see if this alleviates the problem. However, in a situation like this, your ultimate goal should be to properly configure your sites and subnets so that the DC Locator process can function without this kind of manual intervention.
for finding the site for a client and MS KB 247811 (How Domain Controllers Are Located in Windows)
Creating a Connection Object
You want to create a connection object to manually set up replication between two servers.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites, expand the site that contains the connection object you want to check, expand the Servers container, and expand the server for which you want to create the connection object.
  3. Right-click on the NTDS Settings object and select Create New Active Directory Connection.
  4. Select the replication partner and click OK.
  5. Enter the name for the connection and click OK.

Using a command-line interface

> repadmin /add <PartitionDN> <DC1DNSName> <DC2DNSName>
Hopefully you will not need to create connection objects manually, since creating and maintaining connection objects is the job of the KCC. It can be a lot of work to keep your connection objects up-to-date by yourself, especially if you have a large topology. The KCC uses complex algorithms to determine the best partners for a domain controller to replicate with. The Windows 2000 KCC had problems generating very large topologies, but the Windows Server 2003 version is significantly better.
It is sometimes necessary to create connections manually if you find a replication problem and need to get replication going again between one or more sites. By creating a connection and forcing replication to occur over that connection, you can get servers back in sync quickly.
for listing the connection objects for a server
Listing the Connection Objects for a Server
You want to view the connection objects associated with a domain controller.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, expand Sites, expand the site that contains the connection object you want to check, expand the Servers container, expand the server that contains the connection object, and click on the NTDS Settings object.
  3. In the right pane, under the Name column, it will display which connection objects were automatically generated by the KCC and which ones were manually created.

Using a command-line interface

> repadmin /showconn [<DomainControllerName>]

Using VBScript

' This code lists the connection objects for a server.
' ------ SCRIPT CONFIGURATION ------
strServer = "<ServerName>" ' e.g. dc01
strSite = "<SiteName>"     ' e.g. MySite1
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objNTDSCont = GetObject("LDAP://cn=NTDS Settings,cn=" & strServer & _
                            ",cn=servers,cn=" & strSite & ",cn=sites," & _
                            objRootDSE.Get("configurationNamingContext") )

objNTDSCont.Filter = Array("ntdsConnection")
WScript.Echo " Connection objects for " & strSite & "\" & strServer
for each objConn in objNTDSCont
   ' Bit 0 of the options attribute is set on KCC-generated connections,
   ' so test that bit on its own rather than the whole value.
   if (objConn.Get("options") And 1) = 0 then
      Wscript.Echo " " & objConn.Get("cn") & " (MANUAL)"
   else
      Wscript.Echo " " & objConn.Get("cn") & " (AUTO)"
   end if
next
Another option for programmatically getting the connection objects for a server is to use the GetDSAConnections method from the IADsTools interface.

Using PowerShell

get-QADObject -SearchRoot "cn=NTDS Settings,cn=<DC Name>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -lDAPFilter "(objectclass=ntdsConnection)"

$strCategory = "ntdsConnection"
$objSearchRoot = [ADSI] "LDAP://cn=NTDS Settings,cn=<DC Name>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objSearchRoot
$objSearcher.Filter = ("(objectCategory=$strCategory)")
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults) {
    # Bit 0 of the options attribute is set on KCC-generated connections
    $intOptions = 0
    if ($objResult.Properties["options"].Count -gt 0) { $intOptions = [int]$objResult.Properties["options"][0] }
    $strKind = if (($intOptions -band 1) -eq 0) { "MANUAL" } else { "AUTO" }
    "{0} ({1})" -f $objResult.Properties["cn"][0], $strKind
}
Load-Balancing Connection Objects
You want to evenly distribute connection objects between bridgehead servers in a site.

Using a command-line interface

To see what changes the Active Directory Load Balancing (ADLB) utility would make, run the following command without the /commit option. To actually make the changes in Active Directory, use the /commit option:
> adlb /server:<DomainControllerName> /site:<SiteName> [/commit] [/verbose]
This utility is available in the Windows Server 2003 Resource Kit.
Bridgeheads can become overloaded or end up with too many connection objects in relation to other bridgeheads in the domain. The ADLB tool allows you to balance the load of connection objects among bridgehead servers within a site. The Windows Server 2003 algorithms are much better than Windows 2000 at load-balancing connection objects across servers, but that process happens only when new connection objects are added. You can use the adlb tool to load-balance existing connection objects more efficiently at any time.
We recommend first viewing the changes adlb would make before using the /commit option. Though the tool has matured to the point that it will typically make good decisions for your topology, it is still always good to do a sanity check to ensure adlb doesn’t mess up your replication topology.
Finding the ISTG for a Site
You want to find the Inter-Site Topology Generator (ISTG) for a site.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Click on the site you are interested in.
  3. In the right pane, double-click on the NTDS Site Settings object.
  4. The ISTG will be displayed under ISTG if one is present.

Using a command-line interface

In Windows Server 2003, you can query for this information using repadmin or DSQuery:
> repadmin /istg <DomainControllerName>

> dsquery * "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -attr intersitetopologygenerator
You can leave off the <DomainControllerName> switch to query the local DC for this information.
These commands are available only with Windows Server 2003. You can also use AdFind for both Windows 2000 and Windows Server 2003, as follows:
> adfind -config -rb "cn=ntds site settings,cn=<SiteName>,cn=sites" intersitetopologygenerator

Using VBScript

' This code finds the ISTG for the specified site.
' ------ SCRIPT CONFIGURATION ------
strSiteName = "<SiteName>" ' e.g. Raleigh
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objSiteSettings = GetObject("LDAP://cn=NTDS Site Settings,cn=" & _
                                strSiteName & ",cn=sites," & _
                                objRootDSE.Get("ConfigurationNamingContext"))
' interSiteTopologyGenerator is absent when no ISTG has been chosen, so
' tolerate the error Get raises in that case.
on error resume next
strISTGDN = objSiteSettings.Get("interSiteTopologyGenerator")
on error goto 0
if (strISTGDN <> "") then
   set objNTDSSettings = GetObject("LDAP://" & strISTGDN)
   set objServer = GetObject( objNTDSSettings.Parent )
   WScript.Echo "ISTG for site " & strSiteName & " is " & _
                objServer.Get("dnsHostName")
else
   WScript.Echo "No ISTG found for site " & strSiteName
end if
One domain controller in every site is picked as the ISTG for that site. While each domain controller is responsible for creating its own intra-site connection objects, the ISTG for a site is responsible for creating the inter-site connection objects for the bridgehead servers in the site.
Transferring the ISTG to Another Server
You want to move the ISTG for a site to another domain controller. This happens automatically if you take the current ISTG offline, but you may want to transfer the role to a server that is more optimal in your environment.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the Configuration NC if it is not already displayed in the left pane.
  3. In the left pane, browse to Configuration NC→Sites.
  4. Click on the site you want to transfer the ISTG for.
  5. In the right pane, double-click CN=NTDS Site Settings.
  6. Modify the interSiteTopologyGenerator attribute to include the NTDS Settings object of the domain controller you want to transfer the ISTG role to.
  7. Click OK.

Using a command-line interface

> admod -b "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" interSiteTopologyGenerator::"cn=NTDS Settings,cn=<NewISTGName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>"

Using VBScript

' This code forces a new ISTG in a site.
' ------ SCRIPT CONFIGURATION ------
' Name of site to transfer ISTG in
strSiteName = "<SiteName>" ' e.g. Raleigh
' Site the new ISTG server is in
strNewISTGSite = "<ISTGSiteName>" ' e.g. Raleigh
' Common name of server object for new ISTG
strNewISTGName = "<DomainControllerName>" ' e.g. dc01
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objSiteSettings = GetObject("LDAP://cn=NTDS Site Settings,cn=" & _
                                strSiteName & ",cn=sites," & _
                                objRootDSE.Get("ConfigurationNamingContext"))
strCurrentISTG = objSiteSettings.Get("interSiteTopologyGenerator")

objSiteSettings.Put "interSiteTopologyGenerator", _
                    "cn=NTDS Settings,cn=" & strNewISTGName & _
                    ",cn=servers,cn=" & strNewISTGSite & ",cn=sites," & _
                    objRootDSE.Get("ConfigurationNamingContext")
objSiteSettings.SetInfo
WScript.Echo "ISTG for " & strSiteName & " changed from:"
WScript.Echo " " & strCurrentISTG
WScript.Echo "To"
WScript.Echo " " & objSiteSettings.Get("interSiteTopologyGenerator")
Triggering the KCC
You want to trigger the KCC.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. In the left pane, browse to the NTDS Settings object for the server you want to trigger the KCC for.
  3. Right-click on NTDS Settings, select All Tasks, and check Replication Topology.
  4. Click OK.

Using a command-line interface

> repadmin /kcc <DomainControllerName>

Using VBScript

' This code triggers the KCC on a DC.
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>" ' e.g. dc01
' ------ END CONFIGURATION ---------

set objIadsTools = CreateObject("IADsTools.DCFunctions")
intRes = objIadsTools.TriggerKCC(Cstr(strDC),0)

if intRes = -1 then
   Wscript.Echo objIadsTools.LastErrorText
else
   Wscript.Echo "KCC successfully triggered"
end if
The KCC runs every 15 minutes by default on all domain controllers to generate the intra-site topology connections. The KCC that runs on the server that is selected as the ISTG generates inter-site topology connections to other sites from the bridgehead servers in its site. In some situations—such as when you create new site, siteLink, or subnet objects—you may want to run the KCC immediately so that any new connections between domain controllers are created right away.
for determining if the KCC is completing successfully, the iadstools.doc file that is installed with the Support Tools for more information on IADsTools, and MS KB 224815 (The Role of the Inter-Site Topology Generator in Active Directory Replication)
Determining Whether the KCC Is Completing Successfully
You want to determine whether the KCC is completing successfully.

Using a graphical user interface

  1. Open the Event Viewer of the target domain controller.
  2. Click on the Directory Service log.
  3. In the right pane, click on the Source heading to sort by that column.
  4. Scroll down to view any events with Source: NTDS KCC.

Using a command-line interface

The following command will display any KCC errors found in the Directory Service log:
> dcdiag /v /test:kccevent /s:<DomainControllerName>

Using PowerShell

The following syntax will query the Directory Service log for all events that have a source of "NTDS KCC":
get-Eventlog "Directory Service" | where-object {$_.Source -eq "NTDS KCC" } | format-list
The only way to debug issues with the KCC is by looking for NTDS KCC events in the Directory Service event log. If you suspect a problem or perhaps are seeing errors, you can increase the amount of logging in the event log by enabling diagnostics logging for the KCC. When KCC diagnostics logging is enabled, each KCC exception logs a significant amount of information to the event log that may help you pinpoint the problem. See for more information on enabling diagnostics logging.
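A triage script for the check described above, as an added example that is not from the book: it summarises NTDS KCC warnings and errors from the Directory Service log by event ID and reports the KCC diagnostics logging level. It assumes it runs on a domain controller (or against one named with -ComputerName, with rights to read its event log and registry); the registry value name and its 0 to 5 range are Microsoft's, everything else here is this example's own.

```powershell
# Added example (not from the book): summarise NTDS KCC warnings and errors by event
# ID and read the KCC diagnostics level, which lives in the registry value
# "1 Knowledge Consistency Checker" under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics (0 is the default, 5 the most
# verbose). Run on a DC, or against one with -ComputerName.

function Get-KccEventSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-EventLog -LogName 'Directory Service' -ComputerName $ComputerName `
                -Source 'NTDS KCC' -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue)
    $events | Group-Object EventID | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventID  = [int]$_.Name
            Count    = $_.Count
            Type     = $latest.EntryType
            LastSeen = $latest.TimeGenerated
            Message  = ($latest.Message -split "`r?`n")[0]    # first line is enough for triage
        }
    } | Sort-Object Count -Descending
}

function Get-KccDiagnosticsLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics')
    if ($null -eq $key) { return $null }        # NTDS not installed: not a DC
    return [int]$key.GetValue('1 Knowledge Consistency Checker', 0)
}

$summary = @(Get-KccEventSummary -Hours 24)
"KCC diagnostics level: {0}" -f (Get-KccDiagnosticsLevel)
if ($summary.Count -eq 0) { "No NTDS KCC warnings or errors in the last 24 hours" }
else { $summary | Format-Table -AutoSize }
```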
Disabling the KCC for a Site
You want to disable the KCC for a site and generate your own replication connections between domain controllers.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the Configuration Naming Context if it is not already displayed.
  3. In the left pane, browse to the cn=Sites folder.
  4. Click on the site you want to disable the KCC for.
  5. In the right pane, double-click CN=NTDS Site Settings.
  6. Modify the options attribute. To disable only intra-site topology generation, enable bit 0 (decimal 1). To disable inter-site topology generation, enable bit 4 (decimal 16). To disable both, enable both bit 0 and bit 4 (decimal 17).
  7. Click OK.

Using a command-line interface

You can disable the KCC for <SiteName> by using the ldifde utility and an LDIF file that contains the following:
dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: <OptionsValue>
-
If the LDIF file were named disable_kcc.ldf, you would run the following command:
> ldifde -v -i -f disable_kcc.ldf
You can also perform this change using a combination of AdFind and AdMod, as follows:
> adfind -b "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" options -adcsv | admod options::{{.:SET:<OptionsValue>}}
The LDIFDE solution simply overwrites the value of the options attribute without checking to see if any current value may be in place. See , or use the AdFind/AdMod solution for a safer method to modify bitwise values.

Using VBScript

' This code disables the KCC for a site.
' ------ SCRIPT CONFIGURATION ------
strSiteName = "<SiteName>" ' e.g. Default-First-Site-Name
boolDisableIntra = TRUE    ' set to TRUE/FALSE to disable/enable intra-site
boolDisableInter = TRUE    ' set to TRUE/FALSE to disable/enable inter-site
' ------ END CONFIGURATION ---------

strAttr = "options"
set objRootDSE = GetObject("LDAP://RootDSE")
set objObject = GetObject("LDAP://cn=NTDS Site Settings,cn=" _
                          & strSiteName & ",cn=sites," & _
                          objRootDSE.Get("configurationNamingContext") )

' Bit 0 (decimal 1) disables intra-site topology generation
intBitsOrig = objObject.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, 1, boolDisableIntra)
WScript.Echo "Checking the KCC Intra-site generation flag:"
if intBitsOrig <> intBitsCalc then
   objObject.Put strAttr, intBitsCalc
   objObject.SetInfo
   WScript.Echo "  Changed " & strAttr & " from " & _
                intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo " Did not need to change " & strAttr & _
                " (" & intBitsOrig & ")"
end if

' Bit 4 (decimal 16) disables inter-site topology generation
intBitsOrig = objObject.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, 16, boolDisableInter)
WScript.Echo "Checking the KCC Inter-site generation flag:"
if intBitsOrig <> intBitsCalc then
   objObject.Put strAttr, intBitsCalc
   objObject.SetInfo
   WScript.Echo " Changed " & strAttr & " from " & intBitsOrig & _
                " to " & intBitsCalc
else
   WScript.Echo " Did not need to change " & strAttr & " (" & _
                intBitsOrig & ")"
end if

' Bit-flag helper the script relies on (the book defines it in its recipe on
' modifying bit-flag attributes; reproduced here so the script runs on its own).
' Returns intValue with the bit(s) in intBit set when boolEnable is TRUE and
' cleared when it is FALSE, leaving every other bit untouched.
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if (intValue And intBit) = intBit then
         CalcBit = intValue Xor intBit
      end if
   end if
End Function
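The same read-modify-write of the options flags in PowerShell, as an added example that is not from the book: the pure function shows how setting or clearing bits 0 and 4 preserves any other bit already present (the thing the LDIFDE "replace: options" approach cannot guarantee), and Set-KccSiteOptions applies it to a live site object. Set-KccSiteOptions assumes a reachable domain controller and a site name you supply; the starting values in the demonstration are constructed.

```powershell
# Added example (not from the book): compute and apply the NTDS Site Settings
# "options" flags for the KCC without clobbering bits you did not intend to touch.
# Bit values are the ones the recipe gives: 1 disables intra-site generation,
# 16 inter-site. Get-KccOptionsValue is pure; Set-KccSiteOptions needs a DC.

$KCC_DISABLE_INTRA = 1     # bit 0
$KCC_DISABLE_INTER = 16    # bit 4

function Get-KccOptionsValue {
    # Returns the new options value: sets or clears only the requested flags and
    # preserves every other bit already present in $Current.
    param([int]$Current, [bool]$DisableIntraSite, [bool]$DisableInterSite)
    $new = $Current
    if ($DisableIntraSite) { $new = $new -bor $KCC_DISABLE_INTRA }
    else                   { $new = $new -band (-bnot $KCC_DISABLE_INTRA) }
    if ($DisableInterSite) { $new = $new -bor $KCC_DISABLE_INTER }
    else                   { $new = $new -band (-bnot $KCC_DISABLE_INTER) }
    return $new
}

function Get-KccOptionsState {
    # Decode an options value into the two flags the recipe is about.
    param([int]$Options)
    [pscustomobject]@{
        Options           = $Options
        IntraSiteDisabled = (($Options -band $KCC_DISABLE_INTRA) -ne 0)
        InterSiteDisabled = (($Options -band $KCC_DISABLE_INTER) -ne 0)
    }
}

function Set-KccSiteOptions {
    # Read-modify-write against the live site object; with -WhatIf it only reports.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [bool]$DisableIntraSite = $false,
        [bool]$DisableInterSite = $false
    )
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $settings = [ADSI]"LDAP://cn=NTDS Site Settings,cn=$SiteName,cn=sites,$configNC"
    $current  = 0
    if ($settings.options.Count -gt 0) { $current = [int]$settings.options[0] }   # attribute may be absent
    $new = Get-KccOptionsValue -Current $current -DisableIntraSite $DisableIntraSite -DisableInterSite $DisableInterSite
    if ($new -eq $current) {
        Write-Host "options already $current for site $SiteName; nothing to do"
        return
    }
    if ($PSCmdlet.ShouldProcess($SiteName, "change options from $current to $new")) {
        $settings.Put('options', $new)
        $settings.SetInfo()
    }
}

# Offline demonstration on constructed starting values. 4 is a bit the recipe does
# not cover; it is included only to show that it survives both operations.
foreach ($start in 0, 4, 17) {
    $both = Get-KccOptionsValue -Current $start -DisableIntraSite $true  -DisableInterSite $true
    $none = Get-KccOptionsValue -Current $both  -DisableIntraSite $false -DisableInterSite $false
    "start={0,2}  disable both -> {1,2}  re-enable both -> {2,2}" -f $start, $both, $none
}
Get-KccOptionsState 17
# Live dry run (reports, changes nothing):
# Set-KccSiteOptions -SiteName 'Raleigh' -DisableIntraSite $true -WhatIf
```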
Changing the Interval at Which the KCC Runs
You want to change the interval at which the KCC runs.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
  3. Right-click on Parameters and select New→DWORD Value.
  4. Enter the following for the name: Repl topology update period (secs).
  5. Double-click on the new value, and under “Value data” enter the KCC interval in number of seconds (900 is the default).
  6. Click OK.

Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Repl topology update period (secs)" /t REG_DWORD /d <NumSecs>

Using VBScript

' This code changes the interval at which the KCC runs.
' ------ SCRIPT CONFIGURATION -------
intNumSecs = <NumSecs> ' Number of seconds between intervals
                       ' 900 is default
' ------ END CONFIGURATION ---------

strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
const HKLM = &H80000002
Set objReg = GetObject("winmgmts:root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, _
                     "Repl topology update period (secs)", _
                     intNumSecs
WScript.Echo "KCC interval set to " & intNumSecs

Using PowerShell

$strRegPath = "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters"
set-ItemProperty -path $strRegPath -name "Repl topology update period (secs)" -value <NumSecs> -type DWord
By default, the KCC checks its connections every 15 minutes and makes changes as necessary. You can modify this interval by simply modifying the registry. This was necessary with many Windows 2000 implementations that had large topologies. In that case, the KCC might have taken longer than 15 minutes to run, or else it would have monopolized the CPU. Changing the KCC to run every hour instead of 15 minutes helps ensure that it has enough time to complete. With Windows Server 2003, Microsoft made significant improvements to the scalability of the KCC, and we recommend running the KCC at the default interval.
Chapter 12: Replication
Replication is one of the most important and perhaps complex components of Active Directory. The infrastructure behind Active Directory replication, including the site topology, connection objects, and the KCC, was covered in . This chapter focuses strictly on some of the tasks and processes associated with replicating data and checking replication health. For an in-depth overview of how replication works in Active Directory, we suggest reading Active Directory, Fourth Edition, by Brian Desmond et al.
Determining Whether Two Domain Controllers Are in Sync
You want to determine whether two domain controllers are in sync and have no objects to replicate to each other.

Using a command-line interface

By running the following command you can compare the up-to-dateness vector on the two DCs:
> repadmin /showchanges <DestinationDC's FQDN> <SourceDCGUID> <NamingContext>
For example, the following illustrates the syntax needed to compare the up-to-dateness vectors using dc1.adatum.com as the destination DC and the GUID of dc2.adatum.com as the source, checking replication on the Domain NC:
> repadmin /showchanges dc1.adatum.com 5f09d979-1795-4ca1-9fc3-04efd22bb721 dc=adatum,dc=com
Building starting position from destination server dc1.adatum.com

Source Neighbor:
dc=adatum,dc=com
==== INBOUND NEIGHBORS ======================================

dc=adatum,dc=com
    Default-First-Site-Name\DC2 via RPC
        DC object GUID: 5f09d979-1795-4ca1-9fc3-04efd22bb721
        Address: 5f09d979-1795-4ca1-9fc3-04efd22bb721._msdcs.adatum.com
        DC invocationID: accbf436-4577-4191-9a42-16f49e01db5d
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
        USNs: 12384/OU, 12384/PU
        Last attempt @ 2006-02-26 10:04:08 was successful.

Destination's up-to-date vector:
accbf436-4577-4191-9a42-16f49e01db5d @ USN 12393
e197616c-7465-43f2-a502-bac90df20b09 @ USN 14059

==== SOURCE DC: 5f09d979-1795-4ca1-9fc3-04efd22bb721._msdcs.adatum.com ====

No Changes
The Windows 2000 version of repadmin requires you to use a different syntax, running a command against both DCs to allow you to manually compare the information that’s automatically displayed by the /showchanges switch in Windows Server 2003. Here is the equivalent syntax:
> repadmin /showvector <NamingContextDN> <DC1Name>
> repadmin /showvector <NamingContextDN> <DC2Name>

Using VBScript

' This code prints the
' up-to-dateness vector for the DCs defined in
' the array arrDCList for the naming context defined by strNCDN.
' ------ SCRIPT CONFIGURATION -----
' Set to the DN of the naming context you want to check the DCs against
strNCDN = "
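A comparison of two DCs' up-to-dateness vectors, as an added example that is not from the book (the VBScript above is cut off before it gets there): each vector maps an originating invocationID to the highest USN from that writer the DC has applied, exactly what the repadmin output above prints under "Destination's up-to-date vector". Get-UtdVector assumes reachable DCs and uses the .NET DirectoryServer.GetReplicationCursors API; Compare-UtdVectors is pure and the vectors it is demonstrated on are constructed.

```powershell
# Added example (not from the book): compare the up-to-dateness (UTD) vectors of two
# DCs for one naming context. Get-UtdVector needs reachable DCs; Compare-UtdVectors
# works on plain hashtables and runs offline on the constructed sample below.

function Get-UtdVector {
    # Returns a hashtable: originating invocationID (string) -> highest USN from that
    # writer that this DC has already applied for the partition.
    param([string]$DcName, [string]$PartitionDN)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcName)
    $dc  = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    $vector = @{}
    foreach ($cursor in $dc.GetReplicationCursors($PartitionDN)) {
        $vector[$cursor.SourceInvocationId.ToString()] = [int64]$cursor.UpToDatenessUsn
    }
    return $vector
}

function Compare-UtdVectors {
    # One row per originating writer. A lower USN on one DC means it has not yet
    # received everything the other DC already holds from that writer.
    param([hashtable]$VectorA, [hashtable]$VectorB, [string]$NameA = 'DC1', [string]$NameB = 'DC2')
    $ids = @($VectorA.Keys) + @($VectorB.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $usnA = $VectorA[$id]
        $usnB = $VectorB[$id]
        $state = if ($null -eq $usnA)     { "$NameA has never received from this writer" }
                 elseif ($null -eq $usnB) { "$NameB has never received from this writer" }
                 elseif ($usnA -eq $usnB) { 'in sync' }
                 elseif ($usnA -lt $usnB) { "$NameA behind by $($usnB - $usnA) USNs" }
                 else                     { "$NameB behind by $($usnA - $usnB) USNs" }
        [pscustomobject]@{ InvocationId = $id; UsnA = $usnA; UsnB = $usnB; State = $state }
    }
}

function Test-UtdInSync {
    # True only when every writer known to either DC is at the same USN on both.
    param([hashtable]$VectorA, [hashtable]$VectorB)
    $rows = @(Compare-UtdVectors -VectorA $VectorA -VectorB $VectorB)
    return (@($rows | Where-Object { $_.State -ne 'in sync' }).Count -eq 0)
}

# Constructed sample vectors (invocation IDs and USNs are made up): DC2 is behind on
# writer ...0002 and DC1 has never received anything from writer ...0003.
$dc1 = @{ '11111111-0000-0000-0000-000000000001' = 12393
          '11111111-0000-0000-0000-000000000002' = 14059 }
$dc2 = @{ '11111111-0000-0000-0000-000000000001' = 12393
          '11111111-0000-0000-0000-000000000002' = 14021
          '11111111-0000-0000-0000-000000000003' = 5010 }
Compare-UtdVectors -VectorA $dc1 -VectorB $dc2 | Format-Table -AutoSize
"In sync: " + (Test-UtdInSync $dc1 $dc2)
# Live comparison (substitute your DCs and partition):
# Compare-UtdVectors (Get-UtdVector 'dc1.adatum.com' 'dc=adatum,dc=com') (Get-UtdVector 'dc2.adatum.com' 'dc=adatum,dc=com')
```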
Viewing the Replication Status of Several Domain Controllers
You want to take a quick snapshot of replication activity for one or more domain controllers.

Using a command-line interface

The following command will show the replication status of all the domain controllers in the forest, as shown in the output that follows:
> repadmin /replsum

Replication Summary Start Time: 2006-02-26 11:01:34

Beginning data collection for replication summary, this may take awhile:
  .....

Source DC          largest delta  fails/total %% error
 DC1                      15m:22s    0 /   3   0
 DC2                         :12s    0 /   3   0

Destination DC largest delta     fails/total %% error
 DC1                       :05s     0 /   3   0
 DC2                    15m:22s     0 /   3   0
You can also use * as a wildcard character to view the status of a subset of domain controllers. The following command will display the replication status of only the servers that begin with the name dc-rtp:
> repadmin /replsum dc-rtp*
This command is available starting with the Windows Server 2003 version of repadmin.
The new /replsum option in repadmin is a great way to quickly determine if there are any replication issues. This command should be your starting point if you suspect any replication problems. If you are running /replsum against a lot of domain controllers, you can use the /sort option to sort the returned table output by any of the table columns. You can also use the /errorsonly option to display only the replication partners who are encountering errors.
Viewing Unreplicated Changes Between Two Domain Controllers
You want to find the unreplicated changes between two domain controllers.

Using a graphical user interface

  1. Open the Replication Monitor from the Support Tools (replmon.exe).
  2. From the menu, select View→Options.
  3. On the General tab, check the boxes beside Show Transitive Replication Partners and Extended Data.
  4. Click OK.
  5. In the left pane, right-click on Monitored Servers and select Add Monitored Server.
  6. Use the Add Monitored Server Wizard to add one of the domain controllers you want to compare (we’ll call it dc1).
  7. In the left pane, under the server you just added, expand the naming context that you want to check for unreplicated changes.
  8. Right-click on the other domain controller you want to compare (we’ll call it dc2) and select “Check Current USN and Un-replicated Objects.”
  9. Enter credentials if necessary and click OK.
  10. If some changes have not yet replicated from dc2 to dc1, a box will pop up that lists the unreplicated objects.
  11. To find out what changes have yet to replicate from dc1 to dc2, repeat the same steps, except add dc2 as a monitored server and check for unreplicated changes against dc1.

Using a command-line interface

Run the following command to find the differences between two domain controllers. Use the /statistics option to view a summary of the changes:
> repadmin /showchanges <DC1Name> <DC2GUID> <NamingContextDN>
> repadmin /showchanges <DC2Name> <DC1GUID> <NamingContextDN>
The Windows 2000 version of repadmin has a different syntax to accomplish the same thing. Here is the equivalent syntax:
> repadmin /getchanges <NamingContextDN> <DC1Name> <DC2GUID>
> repadmin /getchanges <NamingContextDN> <DC2Name> <DC1GUID>

Using VBScript

' This code uses the IADsTools interface to print the unreplicated
' changes for the naming context defined by strNCDN for the DCs
' defined by strDC1Name and strDC2Name.
' ------ SCRIPT CONFIGURATION ------
strNCDN     = "<NamingContextDN>
Forcing Replication from One Domain Controller
You want to force replication between two partners.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Browse to the NTDS Setting object for the domain controller you want to replicate to.
  3. In the right pane, right-click on the connection object corresponding to the domain controller you want to replicate from and select Replicate Now.

Using a command-line interface

The following command will perform a replication sync from <DC2Name> to <DC1Name> of the naming context specified by <NamingContextDN>:
> repadmin /replicate <DC1Name> <DC2Name> <NamingContextDN>
The Windows 2000 version of repadmin has a different syntax to accomplish the same thing. Here is the equivalent syntax:
> repadmin /sync <NamingContextDN> <DC1Name> <DC2GUID>

Using VBScript

' This code initiates a replication event between two DCs
' for a naming context
' ------ SCRIPT CONFIGURATION -----
strDC1Name = "<DC1Name>" ' e.g. dc1
strDC2Name = "<DC2Name>" ' e.g. dc2
strNamingContextDN = "<NamingContextDN>" ' e.g. dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objIadsTools = CreateObject("IADsTools.DCFunctions")
intRes = objIadsTools.ReplicaSync(Cstr(strDC1Name),_
                                  Cstr(strNamingContextDN),_
                                  Cstr(strDC2Name), 0, 0)

if intRes = -1 then
   Wscript.Echo "Error: " & objIadsTools.LastErrorText
else
   WScript.Echo "Replication initiated from " & strDC2Name & _
                " to " & strDC1Name
end if

Using PowerShell

$strDCname = "<DomainControllerName>"   # the DC that should pull in the changes (a DirectoryServer context needs a server name)
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $strDCname)
$dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
$strPartDN = "<Partition DN>"
# Pulls the partition from all replication partners of this DC, not from one selected source
$dc.TriggerSyncReplicaFromNeighbors($strPartDN)
Each solution shows how to replicate all unreplicated changes from a source domain controller to a destination domain controller. This sync is a one-way operation. If you want to ensure that both domain controllers are in sync, you’ll need to follow the same procedure in the opposite direction, replicating both from DC1 to DC2 and from DC2 to DC1. It’s important to remember that all replication takes place as a
Enabling and Disabling Replication
You want to enable or disable inbound or outbound replication on a domain controller.

Using a command-line interface

To disable outbound replication on a domain controller, use the following syntax:
> repadmin /options +DISABLE_OUTBOUND_REPL
To re-enable outbound replication, enter the following:
> repadmin /options -DISABLE_OUTBOUND_REPL
To disable inbound replication, use the following syntax:
> repadmin /options +DISABLE_INBOUND_REPL
To re-enable inbound replication, use the following:
> repadmin /options -DISABLE_INBOUND_REPL
When you are making major changes to Active Directory, particularly in cases where you are extending the schema, it is recommended that you disable outbound replication on the DC that you’re modifying. This will allow you to test any changes that you’ve made on a single DC without propagating those changes to the remainder of your directory. If you make a mistake or find that the changes you’ve made are otherwise unacceptable, you can restore a single DC rather than being faced with the prospect of performing a disaster recovery operation on your entire domain.
It’s important to note that disabling outbound replication on a domain controller will not have any effect on inbound replication; the DC in question will still receive updates from its other replication partners unless you disable inbound replication on them as well.
In a worst-case scenario, you can disable replication for an entire forest by issuing the following command:
> repadmin /options * +DISABLE_INBOUND_REPL
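A DC on which one of these flags was set for a schema test and then forgotten stops exchanging changes and, left long enough, drifts past the tombstone lifetime. The following PowerShell is an added example (not the book's code) that audits for exactly that: it wraps repadmin /options and parses the "Current DSA Options:" line it prints. The function names are my own, and the sample line the parser is run against at the end is constructed, not captured from a real DC.

```powershell
# Added example, not from the book: audit domain controllers for replication
# that was disabled with "repadmin /options" and never re-enabled.
# It parses the "Current DSA Options:" line that repadmin /options prints.

# Returns the option names listed on the "Current DSA Options:" line of
# "repadmin /options <DC>" output (nothing if no option is set).
function Get-DsaOptionsFromText {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*Current DSA Options:\s*(.*)$') {
            $raw = $Matches[1].Trim()
            if ($raw -eq '' -or $raw -eq '(none)') { return @() }
            return @($raw -split '\s+')
        }
    }
    return @()
}

# Runs repadmin against one DC and reports whether inbound or outbound
# replication is currently disabled there.
function Test-DcReplicationDisabled {
    param([Parameter(Mandatory=$true)][string]$DcName)
    $output = @(& repadmin /options $DcName 2>&1 | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) { throw "repadmin /options $DcName failed: $($output -join ' ')" }
    $opts = Get-DsaOptionsFromText -Lines $output
    New-Object PSObject -Property @{
        DC               = $DcName
        InboundDisabled  = [bool]($opts -contains 'DISABLE_INBOUND_REPL')
        OutboundDisabled = [bool]($opts -contains 'DISABLE_OUTBOUND_REPL')
        Options          = ($opts -join ' ')
    }
}

# Checks every DC in the current forest and returns only those with a
# replication direction switched off.
function Find-DcWithReplicationDisabled {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            $state = Test-DcReplicationDisabled -DcName $dc.Name
            if ($state.InboundDisabled -or $state.OutboundDisabled) { $state }
        }
    }
}

# Offline check of the parser on a constructed line (not captured from a real DC).
$sampleOutput = @(
    'Current DSA Options: IS_GC DISABLE_OUTBOUND_REPL'
)
Get-DsaOptionsFromText -Lines $sampleOutput
```

Run Find-DcWithReplicationDisabled from a domain-joined host with repadmin on the path; every row it returns should match a change that is still in progress, and anything else is a DC to re-enable and then check with the repadmin /showrepl commands later in this chapter.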
MS KB 321153 (How to Disable or Enable Active Directory Replication in Windows 2000)
Changing the Intra-Site Replication Interval
You want to change the number of seconds that a domain controller in a site waits before replicating within the site.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
  3. If a value entry for Replicator notify pause after modify (secs) does not exist, right-click on Parameters and select New→DWORD Value. For the name, enter Replicator notify pause after modify (secs).
  4. Double-click on the value and enter the number of seconds to wait before notifying intra-site replication partners.
  5. Click OK.

Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Replicator notify pause after modify (secs)" /t REG_DWORD /d <NumSeconds>

Using VBScript

' This code sets the intra-site delay interval.
' ------ SCRIPT CONFIGURATION -----
strDC = "<DomainControllerName>" ' DC you want to configure
intNumSeconds = <NumSeconds> ' Time in seconds to delay
' ------ END CONFIGURATION --------

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
set objReg = GetObject("winmgmts:\\" & strDC & _
                       "\root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, _
                     "Replicator notify pause after modify (secs)", _
                     intNumSeconds
WScript.Echo "Intra-site replication delay set to " & intNumSeconds

Using PowerShell

$strRegPath = "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters"   # the value lives under NTDS\Parameters, as in the other solutions
$strKeyName = "Replicator notify pause after modify (secs)"
$intSeconds = <NumSeconds>
Set-ItemProperty -path $strRegPath -name $strKeyName -value $intSeconds
After a change has been made to a domain controller’s local copy of Active Directory, it waits for a period of time before sending change-notification requests to its intra-site replication partners. The default delay on Windows 2000 domain controllers is 5 minutes; for Windows Server 2003, the default delay has been changed to 15 seconds. You can customize this notification delay by changing the registry value
Changing the Intra-Site Notification Delay
You want to change how long a domain controller waits before notifying domain controllers within a site that updates are available.

Using a graphical user interface

  1. Open ADSI Edit.
  2. If an entry for the Configuration naming context you want to browse is not already displayed, do the following:
    1. Right-click on ADSI Edit in the right pane and click “Connect to…”.
    2. Fill in the information for the Configuration NC. Click on the Advanced button if you need to enter alternate credentials.
  3. In the left pane, browse to CN=Partitions,CN=Configuration,<ForestRootDN>. Right-click on the domain partition designated by the short name of the domain (CN=ADATUM for adatum.com) and select Properties.
  4. Double-click on the following attributes and modify their values as appropriate:
    • msDS-Replication-Notify-First-DSA-Delay
    • msDS-Replication-Notify-Subsequent-DSA-Delay

Using a command-line interface

Create a file called modify_replication_interval.ldf with the following contents:
dn: <DomainPartitionCrossRefDN>
changetype: modify
replace: msDS-Replication-Notify-First-DSA-Delay
msDS-Replication-Notify-First-DSA-Delay: <FirstDelayInSeconds>
-
replace: msDS-Replication-Notify-Subsequent-DSA-Delay
msDS-Replication-Notify-Subsequent-DSA-Delay: <NextDelayInSeconds>
-
Then import the changes into Active Directory using the following syntax:
> ldifde -i -v -f modify_replication_interval.ldf
You can also make the changes using AdMod, as follows:
> admod -b cn=<DomainPartition>,cn=Partitions,cn=Configuration,<ForestRootDN> msDS-Replication-Notify-First-DSA-Delay::<FirstDelayInSeconds> msDS-Replication-Notify-Subsequent-DSA-Delay::<NextDelayInSeconds>

Using VBScript

' This code sets the
' replication delay for an application partition.
' ------ SCRIPT CONFIGURATION -----
strDomainPartDN = "<DomainPartitionDN>" ' e.g. dc=adatum,dc=com (the nCName of the partition)
intFirstDelay = <FirstDelayInSeconds>
intNextDelay = <NextDelayInSeconds>
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://cn=Partitions," & _
          objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter = "(&(objectcategory=crossRef)(nCName=" & strDomainPartDN & "));"
strAttrs = "cn,distinguishedName;"
strScope = "onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)

if objRS.RecordCount <> 1 then
   WScript.Echo "Did not find a match for " & strDomainPartDN
else
   objRS.MoveLast
   set objAppPart = GetObject("LDAP://" & _
                    objRS.Fields("distinguishedName").Value )
   objAppPart.Put "msDS-Replication-Notify-First-DSA-Delay", intFirstDelay
   objAppPart.Put "msDS-Replication-Notify-Subsequent-DSA-Delay", intNextDelay
   objAppPart.SetInfo
   Wscript.Echo "Modified " & objRS.Fields("distinguishedName").Value
end if
Changing the Inter-Site Replication Interval
You want to set the replication schedule for a site link.

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in.
  2. Expand the Inter-Site Transport container.
  3. Click on the IP container.
  4. In the right pane, double-click on the site link you want to modify the replication interval for.
  5. Enter the new interval beside “Replicate every.”
  6. Click OK.

Using a command-line interface

To change the replication interval, create an LDIF file named set_link_rep_interval.ldf with the following contents:
dn: cn=<LinkName>,cn=ip,cn=Inter-Site Transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: replInterval
replInterval: <NewInterval>
-
Then run the following command:
> ldifde -v -i -f set_link_rep_interval.ldf
You can also make this change using AdMod, as follows:
> admod -b cn=<LinkName>,cn=ip,cn=Inter-Site Transports,cn=sites,cn=configuration,<ForestRootDN> replInterval::<NewInterval>

Using VBScript

' This code sets the
' replication interval for a site link.
' ------ SCRIPT CONFIGURATION -----
strLinkName    = "<LinkName>" ' cn of the link you want to configure
intNewInterval = <NewInterval> ' replication interval in minutes
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objLink = GetObject("LDAP://cn=" & strLinkName & _
                        ",cn=IP,cn=Inter-site Transports,cn=sites," & _
                        objRootDSE.Get("configurationNamingContext") )
objLink.Put "replInterval", intNewInterval
objLink.SetInfo
WScript.Echo "Set interval for link " & objLink.Get("cn") & _
             " to " & intNewInterval

Using PowerShell

set-QADObject -Identity "cn=<LinkName>,cn=ip,cn=Inter-Site Transports,cn=sites,cn=configuration,<ForestRootDN>" -objectAttributes @{replInterval="<newInterval>"}

$objSiteLink = [ADSI] "LDAP://cn=<LinkName>,cn=ip,cn=Inter-Site Transports,cn=sites,cn=configuration,<ForestRootDN>"
$objSiteLink.Put("replInterval", "<newInterval>")
$objSiteLink.SetInfo()
To configure the inter-site replication interval between two sites, you need to set the
Disabling Inter-Site Compression of Replication Traffic
You want to disable inter-site compression of replication traffic.
You need to modify the options attribute of the site-link object that connects the sites you want to disable compression for. Site-link objects are stored in the following container:
cn=IP,cn=Inter-site Transports,cn=Sites,cn=Configuration,<ForestRootDN>
The options attribute is a bit flag. In order to disable compression, you must set bit 2, or 0100 in binary. If the attribute is currently unset, you can simply set it to 4.

Using a command-line interface

> adfind -b cn=IP,cn=Inter-site Transports,cn=Sites,cn=Configuration,<ForestRootDN> options -adcsv | admod options::{{.:SET:4}}

Using VBScript

' This code safely modifies a bit flag attribute
' ------ SCRIPT CONFIGURATION ------
strSiteLink = "cn=<LinkName>,cn=IP" & _
  ",cn=Inter-site Transports,cn=Sites,cn=Configuration,<ForestRootDN>"
strAttr = "options"
boolEnableBit = <TRUEorFALSE> ' e.g. FALSE
intBit = 4
' ------ END CONFIGURATION --------

set objSiteLink = GetObject("LDAP://" & strSiteLink)
intBitsOrig = 0 ' an unset options attribute counts as 0
On Error Resume Next
intBitsOrig = objSiteLink.Get(strAttr)
On Error Goto 0
intBitsCalc = CalcBit(intBitsOrig, intBit, boolEnableBit)

if intBitsOrig <> intBitsCalc then
   objSiteLink.Put strAttr, intBitsCalc
   objSiteLink.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & intBitsOrig & " to " & _
                intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & intBitsOrig & ")"
end if

' Returns intValue with intBit set (boolEnable = TRUE) or cleared (FALSE),
' leaving every other bit untouched.
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue Or intBit
   else
      if intValue And intBit then
         CalcBit = intValue Xor intBit
      end if
   end if
End Function

Using PowerShell

To set the options bit value using a bitwise OR operation, use the following syntax:
$objSiteLink = [ADSI]("LDAP://cn=<LinkName>,cn=IP," +
    "cn=Inter-site Transports,cn=Sites,cn=Configuration,<ForestRootDN>")
$currentOptions = $objSiteLink.options.Value   # $null when the attribute is unset, which -bor treats as 0
$newOptions = $currentOptions -bor 4
$objSiteLink.Put("options", $newOptions)
$objSiteLink.SetInfo()
By default, data replicated inter-site is compressed. By contrast, intra-site replication traffic is not compressed. It is useful to compress inter-site traffic if the traffic is going over a WAN on the assumption that the less traffic the better. The trade-off to reducing WAN traffic is increased CPU utilization on the bridgehead servers replicating the data. If CPU utilization is an issue on your bridgehead servers and you aren’t as concerned about the amount of traffic being replicated, you should consider disabling inter-site compression.
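The options attribute also carries the change-notification and two-way-sync bits of the link, so a blind write of 4 (as the text allows only when the attribute is unset) would silently clear them if they were set. The following PowerShell is an added example (not the book's code) that generalizes the VBScript CalcBit approach above: it names the bits, decodes the current value, and sets or clears one bit with a dry-run option. The flag values are the documented nTDSSiteLink option bits; the DN is a placeholder and the function names are my own.

```powershell
# Added example, not from the book: decode a site link's options attribute and
# set or clear one bit without disturbing the others. The three flag values are
# the documented nTDSSiteLink option bits; the DN below is a placeholder.
$SiteLinkOptionFlags = @{
    USE_NOTIFY          = 1   # bit 0: use change notification across the link
    TWOWAY_SYNC         = 2   # bit 1: two-way sync
    DISABLE_COMPRESSION = 4   # bit 2: the bit this recipe sets
}

# Names of the flags set in an options value; unrecognised bits are reported in hex.
function Get-SiteLinkOptionName {
    param([int]$Options)
    $names = @()
    foreach ($name in @('USE_NOTIFY', 'TWOWAY_SYNC', 'DISABLE_COMPRESSION')) {
        if (($Options -band $SiteLinkOptionFlags[$name]) -ne 0) { $names += $name }
    }
    $unknown = $Options -band (-bnot 7)
    if ($unknown -ne 0) { $names += ('UNKNOWN(0x{0:X})' -f $unknown) }
    return $names
}

# Sets or clears one bit of a value (same contract as the book's CalcBit function).
function Set-BitFlag {
    param([int]$Value, [int]$Bit, [bool]$Enable)
    if ($Enable) { return ($Value -bor $Bit) }
    return ($Value -band (-bnot $Bit))
}

# Reads the current options, computes the new value, and writes it only when
# something actually changes and -DryRun was not given.
function Set-SiteLinkOption {
    param(
        [Parameter(Mandatory=$true)][string]$SiteLinkDN,   # e.g. cn=<LinkName>,cn=IP,cn=Inter-site Transports,cn=Sites,cn=Configuration,<ForestRootDN>
        [Parameter(Mandatory=$true)][string]$Flag,         # a key of $SiteLinkOptionFlags
        [Parameter(Mandatory=$true)][bool]$Enable,
        [switch]$DryRun
    )
    if (-not $SiteLinkOptionFlags.ContainsKey($Flag)) { throw "Unknown flag '$Flag'" }
    $link = [ADSI]("LDAP://" + $SiteLinkDN)
    $current = 0                                           # an unset attribute counts as 0
    if ($link.options.Value -ne $null) { $current = [int]$link.options.Value }
    $new = Set-BitFlag -Value $current -Bit $SiteLinkOptionFlags[$Flag] -Enable $Enable
    $before = (Get-SiteLinkOptionName $current) -join ', '
    $after  = (Get-SiteLinkOptionName $new) -join ', '
    if ($new -eq $current) {
        Write-Host "No change needed: options = $current ($before)"
        return
    }
    Write-Host "options: $current ($before) -> $new ($after)"
    if (-not $DryRun) {
        $link.Put("options", $new)
        $link.SetInfo()
    }
}

# Offline check of the pure functions on constructed values.
Get-SiteLinkOptionName 5
Set-BitFlag -Value 5 -Bit 4 -Enable $false
Set-BitFlag -Value 1 -Bit 4 -Enable $true
```

Set-SiteLinkOption -SiteLinkDN '<the link DN>' -Flag DISABLE_COMPRESSION -Enable $true -DryRun prints the before and after values without writing; drop -DryRun to apply. Clearing the bit again is the same call with -Enable $false.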
Checking for Potential Replication Problems
You want to determine whether replication is succeeding.
The following two commands will help identify problems with replication on a source domain controller:
> dcdiag /test:replications

> repadmin /showrepl /errorsonly
For a more detailed report, you can use the Replication Monitor (replmon.exe). The Generate Status Report option will produce a lengthy report of site topology and replication information, and will provide details on any errors encountered. The Directory Service event log can also be an invaluable source of information on replication and KCC problems.
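For a check that can be scheduled rather than read by eye, the following PowerShell is an added example (not the book's code). It consumes the CSV form of repadmin /showrepl (the /csv switch) and keeps only the partners that report failures or whose last successful sync is older than a threshold. The rows in $sampleCsv are constructed to show the column layout, not captured from a real forest, and the function name is my own.

```powershell
# Added example, not from the book: reduce "repadmin /showrepl * /csv" to the
# replication partners that need attention. The sample rows are constructed.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=adatum,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2009-01-10 10:15:02,0
showrepl_INFO,Branch,DC3,"DC=adatum,DC=com",Default-First-Site-Name,DC1,RPC,12,2009-01-10 08:00:11,2008-12-20 02:30:00,8453
showrepl_INFO,Branch,DC3,"CN=Configuration,DC=adatum,DC=com",Default-First-Site-Name,DC1,RPC,0,0,2009-01-10 09:58:40,0
'@

# Returns one object per partner/partition pair that has failures recorded
# or whose last success is older than $MaxAgeDays (or cannot be parsed).
function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory=$true)][string[]]$CsvLines,
        [int]$MaxAgeDays = 1,
        [datetime]$Now = (Get-Date)
    )
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        $lastOk = $null
        $parsed = [datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)
        $stale = (-not $parsed) -or (($Now - $lastOk).TotalDays -gt $MaxAgeDays)
        if ($failures -gt 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Partition   = $row.'Naming Context'
                Failures    = $failures
                LastSuccess = $row.'Last Success Time'
                LastStatus  = $row.'Last Failure Status'
                Stale       = $stale
            }
        }
    }
}

# Offline run on the constructed sample, with a fixed "now" so the age check is repeatable.
Get-ReplicationProblem -CsvLines ($sampleCsv -split "`r?`n") -Now ([datetime]'2009-01-10 12:00:00') |
    Format-Table Destination, Source, Partition, Failures, LastSuccess, LastStatus, Stale -AutoSize

# Live use on a domain-joined host (repadmin must be on the path):
# Get-ReplicationProblem -CsvLines (repadmin /showrepl * /csv) -MaxAgeDays 1
```

In the constructed sample only the domain-partition row for DC3 pulling from DC1 is reported (12 failures, last success three weeks old); the other two rows are healthy. The Last Failure Status column is the Win32 error code, which is what you look up next.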
for viewing the replication status of several domain controllers
Enabling Enhanced Logging of Replication Events
You want to enable enhanced logging of replication events.
Enable diagnostics logging for five Replication Events. See for more .
MS KB 220940 (How to Enable Diagnostic Event Logging for Active Directory Services)
Enabling Strict or Loose Replication Consistency
You want to enable strict or loose replication consistency.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
  3. If the Strict Replication Consistency value does not exist, right-click on Parameters and select New→DWORD Value. For the name, enter Strict Replication Consistency.
  4. In the right pane, double-click on the value and enter 1 to enable strict consistency or 0 to enable loose consistency.
  5. Click OK.

Using a command-line interface

To enable strict consistency, run the following command:
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 1
To enable loose consistency, run the following command:
> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 0
You can also enable and disable strict replication using repadmin. You can either specify an individual domain controller in the <DCName> field, or use a * to enable or disable strict replication on every DC in the forest, as follows:
> repadmin /regkey <DCName> +strict
> repadmin /regkey <DCName> -strict

Using VBScript

' This code enables strict or loose consistency on the specified DC.
' ------ SCRIPT CONFIGURATION -----
intEnableStrict = 1 ' 1 = strict consistency, 0 = loose consistency
strDC = "<DomainControllerName>"
' ------ END CONFIGURATION --------

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
set objReg = GetObject("winmgmts:\\" & strDC & _
                       "\root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, "Strict Replication Consistency", _
                     intEnableStrict
WScript.Echo "Strict Replication Consistency value set to " & _
             intEnableStrict

Using PowerShell

$strRegPath = "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters"
Set-ItemProperty -path $strRegPath -name "Strict Replication Consistency" -value "1"
Finding Conflict Objects
You want to find conflict objects that are a result of replication collisions.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389 or 3268 for the global catalog.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials (if necessary) of a user who can view the object.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the base DN from where you want to start the search.
  11. For Scope, select the appropriate scope.
  12. For Filter, enter (name=*\0ACNF:*).
  13. Click Run.

Using a command-line interface

The following command finds all conflict objects within the whole forest:
> dsquery * forestroot -gc -attr distinguishedName -scope subtree -filter "(name=*\0ACNF:*)"
You can also perform this query with AdFind as follows:
> adfind -b -gc -f "(name=*\0ACNF:*)" -dn

Using VBScript

' This code finds any
' conflict objects in a forest.
' If the search times out, you may need to change strBase to
' a specific OU or container
' ------ SCRIPT CONFIGURATION ------
strBase = "<GC://" & "<ForestRootDN>" & ">;"
' ------ END CONFIGURATION --------

strFilter = "(name=*\0ACNF:*);"
strAttrs = "distinguishedName;"
strScope = "Subtree"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)

WScript.Echo objRS.RecordCount & " conflict objects found"
while not objRS.EOF
  Wscript.Echo objRS.Fields.Item("distinguishedName").Value
  objRS.MoveNext
wend

Using PowerShell

The following example will search for conflict objects within an Active Directory domain using the Quest get-QADObject cmdlet:
get-QADObject -ldapfilter 'name=*\0ACNF:*'
Another option is to use the DirectorySearcher class from the .NET Framework, as follows:
$strFilter = "name=*\0ACNF:*"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = ($strFilter)
$colResults = $objSearcher.FindAll()
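When a collision is resolved, the losing object is renamed to <original name>\0ACNF:<objectGUID> (\0A is a line feed), which is what the filter above matches. The following PowerShell is an added example (not the book's code) that runs the same DirectorySearcher query with paging and decodes each mangled name back into the original RDN and the GUID, which is what you need to decide which of the two objects to keep. The search base is a placeholder, the GUID in the offline check is made up, and the function names are my own.

```powershell
# Added example, not from the book: list the conflict objects in a naming
# context and recover, from each mangled name, the original RDN and the
# objectGUID that Active Directory appended. The search base is a placeholder.

# A conflict name looks like "<original name>\0ACNF:<objectGUID>" (\0A is a line feed).
function ConvertFrom-ConflictName {
    param([Parameter(Mandatory=$true)][string]$Name)
    $parts = $Name -split "`nCNF:", 2
    if ($parts.Count -ne 2) { return $null }            # not a conflict-mangled name
    try { $guid = [guid]$parts[1] } catch { return $null }
    New-Object PSObject -Property @{
        OriginalName = $parts[0]
        ObjectGuid   = $guid
    }
}

# Searches a naming context for conflict objects and pairs each with its parsed name.
function Find-ConflictObject {
    param([Parameter(Mandatory=$true)][string]$SearchBase)   # e.g. LDAP://<DomainDN>
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter = "(name=*\0ACNF:*)"
    $searcher.PageSize = 1000                                  # page so large result sets are not cut off
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'distinguishedName', 'whenChanged'))
    foreach ($result in $searcher.FindAll()) {
        $parsed = ConvertFrom-ConflictName -Name ([string]$result.Properties['name'][0])
        New-Object PSObject -Property @{
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            OriginalName      = $parsed.OriginalName
            ObjectGuid        = $parsed.ObjectGuid
            WhenChanged       = $result.Properties['whenchanged'][0]
        }
    }
}

# Offline check on a constructed name (the GUID is made up).
ConvertFrom-ConflictName -Name ("jsmith`nCNF:6f9619ff-8b86-d011-b42d-00c04fc964ff")
```

Find-ConflictObject -SearchBase 'LDAP://<DomainDN>' | Sort-Object OriginalName groups each CNF object next to the name it collided with; the surviving object still carries the plain name, so searching for that name shows both sides of the collision.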
Finding Orphaned Objects
You want to find orphaned objects within Active Directory

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. If the LostAndFound container is not visible in the lefthand pane, click on View and place a checkmark next to Advanced Features.
    You will see a list of any orphaned objects in the righthand pane.

Using a command-line interface

You can query for orphaned objects using either the built-in DSQuery utility or AdFind. DSQuery takes the following syntax:
> dsquery * cn=LostAndFound,<DomainDN> -scope onelevel -attr *
To use AdFind, enter the following:
> adfind -default -rb cn=LostAndFound -s onelevel

Using VBScript

' Using "" for the second parameter means that there will be no
' indentation for the first level of objects displayed.
DisplayLostAndFound "LDAP://cn=LostAndFound,<DomainDN>", ""

' DisplayLostAndFound takes the ADsPath of the LostAndFound container
' and recursively displays all objects contained within it
Function DisplayLostAndFound( strADsPath, strSpace)
   set objObject = GetObject(strADsPath)
   Wscript.Echo strSpace & strADsPath
   for each objChildObject in objObject
      DisplayLostAndFound objChildObject.ADsPath, strSpace & " "
   next
End Function

Using PowerShell

get-QADObject -searchroot 'cn=LostAndFound,<DomainDN>' -searchScope 'OneLevel'
Another option is to use the DirectorySearcher class from the .NET Framework, as follows:
$objRoot = [ADSI] "LDAP://cn=LostAndFound,<DomainDN>"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objRoot
$objSearcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$colResults = $objSearcher.FindAll()
Because of the distributed nature of Active Directory, there exists the possibility that an administrator working on one DC can attempt to create or move a user into a container object such as an OU at the same time that another administrator
Listing the Replication Partners for a DC
You want to find the replication partners for a particular DC.

Using a graphical user interface

  1. Open Active Directory Sites and Services.
  2. Browse to Sites→<SiteName>→Servers→<DCName>→NTDS Settings.
  3. The replication partners that have been configured for the DC in question will appear in the righthand pane. Double-click on any connection object to view its properties.

Using a command-line interface

You can query for replication connections using either the built-in DSQuery utility or AdFind. DSQuery takes the following syntax:
> dsquery * "cn=NTDS Settings,cn=<DCName>,cn=Servers,cn=<SiteName>,cn=Sites,cn=Configuration,<ForestRootDN>" -filter (objectcategory=NTDSConnection) -attr *
To use AdFind, enter the following:
> adfind -config -rb "cn=NTDS Settings,cn=<DCName>,cn=Servers,cn=<SiteName>,cn=Sites" -f (objectcategory=NTDSConnection)

Using VBScript

' This code searches for ntdsConnection Objects within the Sites container.
' ------ SCRIPT CONFIGURATION ------
strSite = "<SiteName>" ' e.g. "cn=Raleigh"
strForestDN = "<ForestRootDN>" ' e.g. "dc=adatum,dc=com"
strBaseDN = "<LDAP://" & strSite & _
            ",cn=Sites,cn=Configuration," & strForestDN & ">;"
            ' BaseDN should be the search base
strFilter = "(objectclass=NTDSConnection);"
strAttrs = "fromServer;"
strScope = "Subtree"
' ------ END CONFIGURATION ---------

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
objRS.MoveFirst
While Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend
WScript.Echo("Search complete!")

Using PowerShell

$strDCname = "win2003-dc.essential.local"

$cType = [DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
$context = new-object DirectoryServices.ActiveDirectory.DirectoryContext($cType, $strDCname)
$dc = [DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
$dc.GetAllReplicationNeighbors()
By default, Active Directory’s replication topology is created by the KCC, which runs on every DC to dynamically create and maintain
Viewing Object Metadata
You want to view metadata for an object. The object’s replPropertyMetaData attribute stores metadata information about the most recent updates to every attribute that has been set on the object.

Using a graphical user interface

  1. Open LDP.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller or domain that contains the object.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter credentials (if necessary) of a user that can view the object.
  8. Click OK.
  9. From the menu, select Browse→Replication→View Metadata.
  10. For Object DN, type the distinguished name of the object you want to view.
  11. Click OK.

Using a command-line interface

In the following command, replace <ObjectDN> with the distinguished name of the object for which you want to view metadata:
> repadmin /showobjmeta <DomainControllerName> <ObjectDN>
This command was called /showmeta in the Windows 2000 version of repadmin. Also, the parameters were switched in that version; <ObjectDN> came before <DomainControllerName>.
You can also obtain object metadata for a single object using AdFind, as follows:
> adfind -sc objmeta:<ObjectDN>
To obtain the object metadata for all objects within a container, use the following syntax:
> adfind -sc objsmeta:<ContainerDN>

Using VBScript

' This code displays the metadata for the specified object.
' ------ SCRIPT CONFIGURATION -----
strObjectDN = "<ObjectDN>"       ' e.g. dc=adatum,dc=com
strDC = "<DomainControllerName>" ' e.g. dc1
' ------ END CONFIGURATION --------

set objIadsTools = CreateObject("IADsTools.DCFunctions")
intRes = objIadsTools.GetMetaData(Cstr(strDC),Cstr(strObjectDN),0)

if intRes = -1 then
   Wscript.Echo objIadsTools.LastErrorText
   WScript.Quit
end if

for count = 1 to intRes
   WScript.Echo count & ". " & objIadsTools.MetaDataName(count)
   WScript.Echo vbTab & " Version: " & _
                              objIadsTools.MetaDataVersionNumber(count)
   WScript.Echo vbTab & " Last Write: " & _
                              objIadsTools.MetaDataLastWriteTime(count)
   WScript.Echo vbTab & " Local USN: " & _
                              objIadsTools.MetaDataLocalUSN(count)
   WScript.Echo vbTab & " Source USN: " & _
                              objIadsTools.MetaDataSourceUSN(count)
   WScript.Echo vbTab & " Server: " & _
                              objIadsTools.MetaDataServerName(count)
next
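The same metadata is the first thing to pull when a sensitive object (a privileged group, an admin account) has changed and you need to know on which DC the change was made and when. The following PowerShell is an added example (not the book's code): DomainController.GetReplicationMetadata() returns the per-attribute version, originating DC, originating USN and time of last originating change that repadmin /showobjmeta prints, and the code filters that down to attributes changed after a given time. The rows in $sampleMetadata are constructed to stand in for live data; the DC and object names are placeholders and the function names are my own.

```powershell
# Added example, not from the book: the .NET counterpart of
# "repadmin /showobjmeta", reduced to "which attributes of this object changed
# since a given time, and from which DC did each change originate?".

# Keeps the metadata entries changed at or after $Since, newest first.
# Works on any objects exposing the AttributeMetadata property names.
function Select-RecentAttributeChange {
    param(
        [Parameter(Mandatory=$true)]$Metadata,
        [Parameter(Mandatory=$true)][datetime]$Since
    )
    @($Metadata | Where-Object { $_.LastOriginatingChangeTime -ge $Since }) |
        Sort-Object LastOriginatingChangeTime -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{
                Attribute      = $_.Name
                Version        = $_.Version
                Changed        = $_.LastOriginatingChangeTime
                OriginatingDC  = $_.OriginatingServer
                OriginatingUsn = $_.OriginatingChangeUsn
            }
        }
}

# Pulls the live metadata for one object from one DC.
function Get-RecentAttributeChange {
    param(
        [Parameter(Mandatory=$true)][string]$DcName,      # e.g. <DomainControllerName>
        [Parameter(Mandatory=$true)][string]$ObjectDN,    # e.g. <ObjectDN>
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('DirectoryServer', $DcName)
    $dc   = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
    $meta = $dc.GetReplicationMetadata($ObjectDN)          # the data repadmin /showobjmeta prints
    Select-RecentAttributeChange -Metadata $meta.Values -Since $Since
}

# Offline check on constructed metadata rows (not captured from a real object).
$sampleMetadata = @(
    (New-Object PSObject -Property @{ Name='description'; Version=3; LastOriginatingChangeTime=[datetime]'2009-01-09 14:02:00'; OriginatingServer='dc2.adatum.com'; OriginatingChangeUsn=40211 }),
    (New-Object PSObject -Property @{ Name='member';      Version=1; LastOriginatingChangeTime=[datetime]'2008-06-01 08:00:00'; OriginatingServer='dc1.adatum.com'; OriginatingChangeUsn=1202 })
)
Select-RecentAttributeChange -Metadata $sampleMetadata -Since ([datetime]'2009-01-01') |
    Format-Table Attribute, Version, Changed, OriginatingDC, OriginatingUsn -AutoSize
```

Once the originating DC and USN are known, that DC's Directory Service and Security logs for the same time window show the account that made the change. Note that this view is attribute-level only: in forests at Windows Server 2003 forest functional level or higher, group membership replicates as linked values, so for the member attribute use repadmin /showobjmeta, which lists the per-value metadata separately.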
Chapter 13: DNS and DHCP
Active Directory is tightly coupled with the Domain Name System (DNS) name resolution service. Windows clients (running Windows 2000 or later) and domain controllers alike use DNS to locate domain controllers that are housed in a particular site or that serve a particular function (like a Global Catalog server). Each domain controller registers numerous resource records (RRs) in DNS to advertise its services as a domain controller, global catalog server, PDC Emulator, etc.
One of the innovative uses of Active Directory is as a store for DNS data. Instead of using the primary and secondary zone transfer method, or even the more recent NOTIFY method (RFC 1996) to replicate zone data between non-AD-integrated DNS servers, AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller, and overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests. You can integrate forward and reverse lookup zones into Active Directory, as well as stub zones, a feature introduced in Windows Server 2003 that is used to maintain information about remote DNS zones and to reduce zone transfer traffic across WAN links. Additionally, Windows Server 2008 introduces the GlobalNamesZone (GNZ), a manually maintained zone that is used to provide short name resolution on a DNS network: GNZ allows clients to resolve server1 via DNS instead of a fully qualified domain name such as server1.adatum.com. For a detailed description of resource records, zone types, and much more on DNS, see Chapter 6 in Active Directory, Fourth Edition, by Brian Desmond et al.
The only time DNS data is stored in Active Directory is if you have a zone that is AD-integrated. When using standard primary and secondary zones that are not AD-integrated, the DNS data is stored locally in the filesystem of each DNS server in
Ende der Inhaltsvorschau. Der weiterere Inhalt dieses Abschnitts ist hier nicht einsehbar.
Introduction
Inhaltsvorschau
Active Directory is tightly coupled with the Domain Name System (DNS) name resolution service. Windows clients (running Windows 2000 or later) and domain controllers alike use DNS to locate domain controllers that are housed in a particular site or that serve a particular function (like a Global Catalog server). Each domain controller registers numerous resource records (RRs) in DNS to advertise its services as a domain controller, global catalog server, PDC Emulator, etc.
One of the innovative uses of Active Directory is as a store for DNS data. Instead of using the primary and secondary zone transfer method, or even the more recent NOTIFY method (RFC 1996) to replicate zone data between non-AD-integrated DNS servers, AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller, and overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests. You can integrate forward and reverse lookup zones into Active Directory, as well as stub zones, a feature introduced in Windows Server 2003 that is used to maintain information about remote DNS zones and to reduce zone transfer traffic across WAN links. Additionally, Windows Server 2008 introduces the GlobalNamesZone (GNZ), a manually maintained zone that is used to provide short name resolution on a DNS network: GNZ allows clients to resolve server1 via DNS instead of a fully qualified domain name such as server1.adatum.com. For a detailed description of resource records, zone types, and much more on DNS, see Chapter 6 in Active Directory, Fourth Edition, by Brian Desmond et al. .
The only time DNS data is stored in Active Directory is if you have a zone that is AD-integrated. When using standard primary and secondary zones that are not AD-integrated, the DNS data is stored locally in the filesystem of each DNS server in
End of content preview. The remaining content of this section is not viewable here.
Creating a Forward Lookup Zone
You want to create a forward lookup zone. A forward lookup zone maps FQDNs to IP addresses or other names.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable), and click OK.
  3. Expand the server in the left pane and click on Forward Lookup Zones.
  4. Right-click on Forward Lookup Zones and select New Zone.
  5. Click Next.
  6. Select the zone type and click Next.
  7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection.
    Step 7 applies only to DNS servers that are Windows Server 2003 or newer domain controllers. If you still have Windows 2000 DNS servers in your environment, choose the option to replicate the zone to all domain controllers in your domain.
  8. Enter the zone name and click Next.
  9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

Using a command-line interface

The following command creates an AD-integrated zone:
> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

Using VBScript

' This code creates an AD-integrated forward zone.

' ------ SCRIPT CONFIGURATION ------

strServer = "<DNSServerName>" ' e.g. dc1.adatum.com

strNewZone = "<ZoneName>"     ' e.g. othercorp.com

' ------ END CONFIGURATION --------

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")

set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")

strNull = objDNSZone.CreateZone(strNewZone, 0 , True)

WScript.Echo "Created zone " & strNewZone

Using PowerShell

The following PowerShell code will create an Active Directory-integrated forward lookup zone:
Creating a Reverse Lookup Zone
You want to create a reverse lookup zone. A reverse lookup zone maps IP addresses to names.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.
  3. Expand the server in the left pane and click on Reverse Lookup Zones.
  4. Right-click on Reverse Lookup Zones and select New Zone.
  5. Click Next.
  6. Select the zone type (Primary, Secondary, or Stub zone). To AD-integrate the zone, place a checkmark next to “Store the zone in Active Directory (available only if DNS server is a domain controller)” and click Next.
  7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to: all DNS servers in the forest, all DNS servers in the domain, all domain controllers in the domain, or all DCs that are hosting a particular application partition. Click Next after you make your selection.
    Step 7 applies only to DNS servers that are installed on Windows Server 2003 or higher domain controllers. If you still have Windows 2000 DNS servers in your environment, choose the option to replicate the zone to all domain controllers in your domain.
  8. Type the Network ID for the reverse zone or enter a reverse zone name to use.
  9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

Using a command-line interface

The following command creates an AD-integrated reverse zone:
> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

Using VBScript

' This code creates an AD-integrated reverse zone.
' ------ SCRIPT CONFIGURATION ------
strServer = "
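The programmatic solutions of the two zone-creation recipes above are cut off in this preview. The following PowerShell is an added example, not code from the book or from Microsoft: it makes the same MicrosoftDNS_Zone.CreateZone call the recipes' VBScript makes, but from Windows PowerShell (Get-WmiObject and the [wmiclass] accelerator, so Windows PowerShell 5.1 or earlier rather than PowerShell 7). It refuses to re-create a zone that already exists, rejects zone names that could break out of the WQL filter, reads the new zone back from the provider, and derives the in-addr.arpa zone name for a reverse zone from the network ID so that one function covers both recipes. The function names, the server dc1.adatum.com, the zone othercorp.com and the 172.16.11 network are placeholders.

```powershell
# Added example (not from the book): create AD-integrated forward and reverse
# zones through the DNS WMI provider, using the CreateZone call the recipes'
# VBScript uses. Assumes Windows PowerShell and an account that administers
# the target DNS server. dc1.adatum.com, othercorp.com and 172.16.11 are placeholders.

function New-DnsWmiZone {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,    # DNS server; must be a DC for an AD-integrated zone
        [Parameter(Mandatory = $true)] [string] $ZoneName,  # e.g. othercorp.com or 11.16.172.in-addr.arpa
        [bool] $DsIntegrated = $true
    )
    # The zone name is placed inside a WQL filter below, so reject characters
    # that could break out of the quoted literal instead of trying to escape them.
    if ($ZoneName -notmatch '^[A-Za-z0-9._-]+$') { throw "Unexpected characters in zone name '$ZoneName'" }

    $ns = 'root\MicrosoftDNS'
    $existing = Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Zone -Filter "ContainerName='$ZoneName'"
    if ($existing) { throw "Zone '$ZoneName' already exists on $Server" }

    # CreateZone(ZoneName, ZoneType, DsIntegrated, ...): ZoneType 0 = primary.
    # The trailing parameters (data file, master IPs, admin e-mail) are left
    # unset, as in the book's VBScript call.
    $zoneClass = [wmiclass] "\\$Server\root\MicrosoftDNS:MicrosoftDNS_Zone"
    $null = $zoneClass.CreateZone($ZoneName, 0, $DsIntegrated)

    # Read the zone back from the provider rather than reporting what was requested.
    Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Zone -Filter "ContainerName='$ZoneName'" |
        Select-Object Name, DsIntegrated, Reverse, AllowUpdate
}

# Turn an IPv4 network prefix into its in-addr.arpa zone name:
# "172.16.11" -> "11.16.172.in-addr.arpa".
function Get-ReverseZoneName {
    param([Parameter(Mandatory = $true)] [string] $NetworkId)
    $octets = $NetworkId.Split('.')
    if ($octets.Length -gt 3) { throw 'NetworkId must be the first one to three octets of the network' }
    foreach ($o in $octets) {
        if ($o -notmatch '^\d{1,3}$' -or [int]$o -gt 255) { throw "Invalid octet '$o' in '$NetworkId'" }
    }
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

# Usage (placeholder names): the forward zone, then the reverse zone for 172.16.11.0/24.
New-DnsWmiZone -Server 'dc1.adatum.com' -ZoneName 'othercorp.com'
New-DnsWmiZone -Server 'dc1.adatum.com' -ZoneName (Get-ReverseZoneName -NetworkId '172.16.11')
```

The read-back at the end matters more than it looks: AllowUpdate tells you whether the new zone accepts dynamic updates, and a freshly created AD-integrated zone should be checked for secure-only updates before hosts start registering into it.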
Viewing a Server’s Zones
You want to view the zones on a server.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. Right-click on DNS in the left pane and select “Connect to DNS Server.”
  3. Enter the server you want to connect to and click Enter.
  4. In the left pane, expand the server and click Forward Lookup Zones and Reverse Lookup Zones to view the hosted zones.

Using a command-line interface

> dnscmd <DNSServerName> /enumzones

Using VBScript

' This code lists the zones that are hosted by the specified server.
' ------ SCRIPT CONFIGURATION ------
strServer = "<DNSServerName>" ' e.g. dc1.adatum.com
' ------ END CONFIGURATION --------

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
                                "Where DnsServerName = '" & _
                                objDNSServer.Name & "'")
WScript.Echo "Zones on " & objDNSServer.Name
for each objZone in objZones
   WScript.Echo " " & objZone.Name
next

Using PowerShell

$computername = "<Server FQDN>"
$server = Get-WmiObject -Class MicrosoftDNS_Zone -ComputerName $computername -Namespace root\MicrosoftDNS
$server | Format-List ContainerName

Using a graphical user interface

When you click on either Forward Lookup Zones or Reverse Lookup Zones in the lefthand pane of the DNS MMC, the right pane contains a Type column that displays the zone type for each zone.

Using a command-line interface

When using the /enumzones switch without any more parameters, it displays all zones on the server. You can specify additional filters that limit the types of zones returned. With the Windows 2000 version of dnscmd, you can specify up to two filters (for example, using the /enumzones /primary /forward switch combination will display all primary forward zones on the server):
Filter1:
    /Primary
    /Secondary
    /Cache
    /Auto-Created
Filter2:
    /Forward
    /Reverse
Starting with the Windows Server 2003 version of
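The PowerShell solution above lists only the zone names. The following is an added example, not from the book or from Microsoft, that builds on the same MicrosoftDNS_Zone class to produce an inventory with the storage, direction and dynamic-update settings decoded, and whose -Forward, -Reverse and -DsIntegratedOnly switches play the role of the /enumzones filters described in the discussion. It assumes Windows PowerShell and a placeholder server dc1.adatum.com; the function name is hypothetical. The AllowUpdate codes (0 none, 1 nonsecure and secure, 2 secure only) follow the DNS WMI provider's documentation; ZoneType is passed through as the provider's raw number rather than decoded.

```powershell
# Added example (not from the book): inventory the zones on a DNS server with
# their update posture decoded. Assumes Windows PowerShell; dc1.adatum.com is a placeholder.

function Get-DnsZoneInventory {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [switch] $Forward,           # only forward lookup zones (like /enumzones /Forward)
        [switch] $Reverse,           # only reverse lookup zones (like /enumzones /Reverse)
        [switch] $DsIntegratedOnly   # only zones stored in Active Directory
    )
    # MicrosoftDNS_Zone.AllowUpdate as documented for the DNS WMI provider.
    $updateNames = @{ 0 = 'None'; 1 = 'NonsecureAndSecure'; 2 = 'SecureOnly' }

    $zones = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone
    foreach ($z in $zones) {
        if ($Forward -and $z.Reverse) { continue }
        if ($Reverse -and -not $z.Reverse) { continue }
        if ($DsIntegratedOnly -and -not $z.DsIntegrated) { continue }

        $update = $updateNames[[int]$z.AllowUpdate]
        if (-not $update) { $update = "Unknown($($z.AllowUpdate))" }

        # Nonsecure dynamic updates let any host that can reach the server
        # rewrite records in the zone, so flag that for review.
        $finding = ''
        if ([int]$z.AllowUpdate -eq 1) { $finding = 'accepts nonsecure dynamic updates' }

        [pscustomobject]@{
            Zone          = $z.Name
            ZoneType      = $z.ZoneType          # raw provider value
            DsIntegrated  = [bool]$z.DsIntegrated
            Reverse       = [bool]$z.Reverse
            DynamicUpdate = $update
            Finding       = $finding
        }
    }
}

# Usage (placeholder server): every zone, then only forward AD-integrated zones
# that have a finding.
Get-DnsZoneInventory -Server 'dc1.adatum.com' | Format-Table -AutoSize
Get-DnsZoneInventory -Server 'dc1.adatum.com' -Forward -DsIntegratedOnly |
    Where-Object { $_.Finding } | Format-Table Zone, DynamicUpdate, Finding -AutoSize
```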
Converting a Zone to an AD-Integrated Zone
You want to convert a standard primary zone to an AD-integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file on the local server.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. Right-click on DNS in the left pane and select “Connect to DNS Server.”
  3. Enter the server you want to connect to and click Enter.
  4. If you want to convert a forward zone, expand the Forward Lookup Zone folder. If you want to convert a reverse zone, expand the Reverse Lookup Zone folder.
  5. Right-click on the zone you want to convert and select Properties.
  6. Beside Type, click the Change button.
  7. Check the box beside “Store the zone in Active Directory.”
  8. Click OK twice.

Using a command-line interface

> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary

Using VBScript

' This code converts a zone to AD-integrated.
' ------ SCRIPT CONFIGURATION ------
strZone = "<ZoneName>"     ' e.g. adatum.com
strServer = "<ServerName>" ' e.g. dc1.adatum.com
' ------ END CONFIGURATION --------

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
                            strZone & """,DnsServerName=""" & _
                            objDNSServer.Name & """,Name=""" & strZone & """")
strNull = objDNSZone.ChangeZoneType(0, True)
objDNSZone.Put_
WScript.Echo "Converted " & strZone & " to AD-Integrated"
See , , and Chapter 6 of Active Directory for more on zones.
MS KB 198437 (How to Convert DNS Primary Server to Active Directory Integrated), MS KB 227844 (Primary and Active Directory Integrated Zones Differences), and MSDN: ChangeZoneType Method of the MicrosoftDNS_Zone Class
Moving AD-Integrated Zones into an Application Partition
This recipe requires at least Windows Server 2003 domain functional level.
You want to move AD-integrated zones into an application partition.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable), and click OK.
  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.
  4. Right-click on the name of the zone and select Properties.
  5. Click on the Change button beside Replication.
  6. Select the application partition you want to move the zone into.
  7. Click OK twice.

Using a command-line interface

The following command will move a zone to the default application partition that replicates across all domain controllers in the domain that are configured as DNS servers:
> dnscmd <DNSServerName> /zonechangedirectorypartition <ZoneName> /domain

Using VBScript

At the time of publication of this book, the DNS WMI Provider did not support programmatically moving a zone into an application partition.
With Windows 2000 Active Directory, if you had AD-integrated zones, those zones were replicated to every domain controller in the domain where they were stored. In many cases, not every domain controller also served as a DNS server, which resulted in increased and unnecessary traffic to replicate zone changes to DCs that did not require the data.
Windows Server 2003 and higher provides an elegant solution to this issue by using application partitions. Application partitions are user-defined partitions that can be configured to replicate with any domain controller in a forest. This provides a lot more flexibility for how you store and replicate your AD-integrated zones. You could, in fact, have a few domain controllers from each domain act as DNS servers for all of your AD domains.
Configuring Zone Transfers
You want to enable zone transfers to specific secondary nameservers.

Using a graphical user interface

  1. Open the DNS snap-in.
  2. In the left pane, expand the server node and expand either Forward Lookup Zone or Reverse Lookup Zone depending on the type of zone you want to manage.
  3. Right-click on the zone and select Properties.
  4. Select the Zone Transfers tab.
  5. Select either the option to restrict zone transfers to those servers listed on the Name Servers tab or the option to restrict zone transfers to specific IP addresses. See for more on these two options.

Using a command-line interface

The following command enables zone transfers for the test.local zone and specifies they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):
> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureNs
The next command enables zone transfers for the same zone, but specifies they can only occur with hosts whose IP addresses are 172.16.11.33 and 172.16.11.34:
> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureList 172.16.11.33 172.16.11.34

Using VBScript

' This code configures the allowed secondaries for zone transfer and notify

' XFR constants
const ZONE_SECSECURE_NO_SECURITY = 0
const ZONE_SECSECURE_NS_ONLY = 1
const ZONE_SECSECURE_LIST_ONLY = 2
const ZONE_SECSECURE_NO_XFR = 3

' NOTIFY constants
const ZONE_NOTIFY_OFF = 0
const ZONE_NOTIFY_ALL_SECONDARIES = 1
const ZONE_NOTIFY_LIST_ONLY = 2

' ------ SCRIPT CONFIGURATION -------
strZone = "<ZoneName>" ' e.g. adatum.com
strServer = "<ServerName>" ' e.g. dc1.adatum.com

' use one of the above XFR constants
intSecureSecondaries = ZONE_SECSECURE_LIST_ONLY
arrSecondaries = Array("1.1.1.2","1.1.1.3")

' use one of the above NOTIFY constants
intNotify = ZONE_NOTIFY_LIST_ONLY
arrNotify = Array("<IP1>","<IP2>")
' ------ END CONFIGURATION ---------

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
                          strZone & """,DnsServerName=""" & _
                          objDNSServer.Name & """,Name=""" & strZone & """")
strNull = objDNSZone.ResetSecondaries(arrSecondaries,intSecureSecondaries, _
                                      arrNotify,intNotify)
objDNSZone.Put_
WScript.Echo "Updated secondaries for zone transfer and notify"
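The recipe has no PowerShell solution in this preview. The following is an added example, not from the book or from Microsoft, that restricts zone transfers and NOTIFY from Windows PowerShell with the same ResetSecondaries method and the same SecureSecondaries and Notify codes the VBScript above uses. Unlike the VBScript it validates every address before touching the zone, refuses a list-only policy with an empty list (which would otherwise silently block all transfers), and reads the zone back afterwards so the result reflects what the server holds rather than what was sent. The function name and its mode names are hypothetical; dc1.adatum.com, test.local and the 172.16.11.x addresses are placeholders taken from the recipe.

```powershell
# Added example (not from the book): set and verify a zone's transfer and
# notify policy through the DNS WMI provider. Assumes Windows PowerShell.

function Set-DnsZoneTransferPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [Parameter(Mandatory = $true)] [string] $ZoneName,
        # NsOnly = servers in the zone's NS records, ListOnly = the addresses
        # given in -Secondaries, None = no zone transfers at all
        [Parameter(Mandatory = $true)] [ValidateSet('NsOnly', 'ListOnly', 'None')] [string] $Mode,
        [string[]] $Secondaries = @(),
        [string[]] $NotifyServers = @()
    )
    $secureCodes = @{ NsOnly = 1; ListOnly = 2; None = 3 }   # the recipe's ZONE_SECSECURE_* values

    foreach ($ip in @($Secondaries) + @($NotifyServers)) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref] $parsed)) { throw "Not an IP address: '$ip'" }
    }
    if ($Mode -eq 'ListOnly' -and $Secondaries.Length -eq 0) { throw 'ListOnly needs at least one secondary address' }
    if ($ZoneName -notmatch '^[A-Za-z0-9._-]+$') { throw "Unexpected characters in zone name '$ZoneName'" }

    $ns   = 'root\MicrosoftDNS'
    $zone = Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Zone -Filter "ContainerName='$ZoneName'"
    if (-not $zone) { throw "Zone '$ZoneName' not found on $Server" }

    # Notify code (the recipe's ZONE_NOTIFY_* values): 2 = listed servers only,
    # 1 = all secondaries, 0 = off. With transfers disabled, NOTIFY is pointless.
    $notifyCode = 1
    if ($NotifyServers.Length -gt 0) { $notifyCode = 2 }
    if ($Mode -eq 'None') { $notifyCode = 0 }

    # ResetSecondaries(SecondaryServers[], SecureSecondaries, NotifyServers[], Notify)
    $null = $zone.ResetSecondaries([string[]] $Secondaries, $secureCodes[$Mode], [string[]] $NotifyServers, $notifyCode)

    # Re-read the zone: the value the server now holds is the one that matters.
    $zone = Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Zone -Filter "ContainerName='$ZoneName'"
    [pscustomobject]@{
        Zone              = $zone.Name
        SecureSecondaries = $zone.SecureSecondaries
        SecondaryServers  = @($zone.SecondaryServers)
        Notify            = $zone.Notify
        NotifyServers     = @($zone.NotifyServers)
    }
}

# Usage (placeholders): transfers only to the two listed secondaries, which are also the ones notified.
Set-DnsZoneTransferPolicy -Server 'dc1.adatum.com' -ZoneName 'test.local' -Mode ListOnly `
    -Secondaries '172.16.11.33', '172.16.11.34' -NotifyServers '172.16.11.33', '172.16.11.34'
```

An unrestricted zone transfer hands the whole zone, host names and addresses alike, to anyone who asks, so the returned SecureSecondaries value is worth recording in change tickets: 0 means any requester is served.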
Configuring Forwarding
You want to configure forwarding to allow for name resolution outside of your corporate network.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select “Connect to DNS Server.” Select “The following computer” and enter the target server name. Click OK.
  3. Right-click on the server and select Properties.
  4. Click the Forwarders tab.
  5. To configure a global forwarder, make sure “All other DNS domains” is selected under DNS domain, type an IP under “Selected domain’s forwarder IP address list,” click Add, and then click Apply.
  6. To configure a conditional forwarder for a specific domain, click the New button.
  7. Enter the domain name and click OK.
  8. Add IPs as described for global forwarders in step 5.
  9. From the Forwarders tab, you can also set the number of seconds that the server waits before forward queries time out. You can also disable the use of recursion for certain domains. Both of these can be set on a per-domain basis.

Using a command-line interface

The following command sets the default forwarders. Replace <IPsOfForwarders> with a space-separated list of IP addresses for the name servers to forward requests to:
> dnscmd <ServerName> /resetforwarders <IPsOfForwarders>
For example:
> dnscmd dns01 /resetforwarders 10.22.3.4 10.22.3.5
The following command creates a domain-based forwarder:
> dnscmd <ServerName> /zoneadd <DomainName> /forwarder <IPsOfForwarders>
The following command configures the default forwarder timeout:
> dnscmd <ServerName> /config /forwardingtimeout <NumSeconds>
The following command configures the forwarder timeout for a specific domain:
> dnscmd <ServerName> /config <DomainName> /forwardertimeout <NumSeconds>

Using VBScript

' This code enumerates the default forwarders.
' ------ SCRIPT CONFIGURATION ------
strServer = "<ServerName>" ' e.g. dns1.adatum.com
' ------ END CONFIGURATION --------

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
for each strForwarder in objDNSServer.Forwarders
   Wscript.Echo strForwarder
Next

' This code sets the default forwarders.
' ------ SCRIPT CONFIGURATION ------
strServer = "
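The VBScript that sets the default forwarders is cut off above. The following is an added example, not from the book or from Microsoft, that sets the server-wide forwarders from Windows PowerShell through the same MicrosoftDNS_Server properties the VBScript enumerates (Forwarders, ForwardingTimeout) and commits them with Put(), the PowerShell equivalent of Put_. It validates each address, keeps the previous list so the change can be logged, and reads the configuration back. IsSlave is the provider's property for "use forwarders only, do not fall back to recursion"; the function name is hypothetical and dns01.adatum.com and the 10.22.3.x addresses are placeholders from the recipe.

```powershell
# Added example (not from the book): replace a DNS server's default forwarders
# and report the before/after state. Assumes Windows PowerShell.

function Set-DnsForwarders {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [Parameter(Mandatory = $true)] [string[]] $Forwarders,
        [int] $TimeoutSeconds = 3,
        [bool] $ForwardersOnly = $false
    )
    foreach ($ip in $Forwarders) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref] $parsed)) { throw "Not an IP address: '$ip'" }
        # A forwarder receives every query this server cannot answer itself, so
        # refuse unspecified, loopback and link-local addresses outright.
        if ($ip -match '^(0\.|127\.|169\.254\.)') { throw "Refusing '$ip' as a forwarder" }
    }

    $ns  = 'root\MicrosoftDNS'
    $srv = Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Server
    $before = @($srv.Forwarders)

    $srv.Forwarders        = [string[]] $Forwarders
    $srv.ForwardingTimeout = $TimeoutSeconds
    $srv.IsSlave           = $ForwardersOnly
    $null = $srv.Put()    # commits the changed properties, like Put_ in the VBScript

    # Read the server back rather than trusting the local copy.
    $srv = Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Server
    [pscustomobject]@{
        Server            = $srv.Name
        ForwardersBefore  = $before
        ForwardersAfter   = @($srv.Forwarders)
        ForwardingTimeout = $srv.ForwardingTimeout
        ForwardersOnly    = [bool]$srv.IsSlave
    }
}

# Usage (placeholders): the same two forwarders as the recipe's dnscmd example, 5-second timeout.
Set-DnsForwarders -Server 'dns01.adatum.com' -Forwarders '10.22.3.4', '10.22.3.5' -TimeoutSeconds 5
```

Because every unresolved query on the server is sent to these addresses, an unexpected change to the forwarder list is one of the first things to look for when clients start receiving wrong answers; the ForwardersBefore/ForwardersAfter pair exists so that the change itself leaves a record.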
Delegating Control of an Active Directory Integrated Zone
You want to delegate control of managing the resource records in a zone.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.
  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.
  4. Right-click on the name of the zone and select Properties.
  5. Click on the Security tab.
  6. Click the Add button.
  7. Use the Object Picker to locate the user or group to which you want to delegate control.
  8. Under Permissions, check the Full Control box.
  9. Click OK.

Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone:
> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;

Using VBScript

' This code grants full control for the specified user or group over
' an AD-Integrated zone.
' ------ SCRIPT CONFIGURATION -------
strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
strUserOrGroup = "<UserOrGroup>" ' e.g. joe@adatum.com or ADATUM\joe
' ------ END CONFIGURATION ---------

set objZone = GetObject("LDAP://" & strZoneDN)
'############################
' Constants
'############################
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_ALL = &h10000000

'############################
' Create ACL
'############################
set objSD = objZone.Get("nTSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Full Control
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee    = strUserOrGroup
objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
objACE1.AceFlags   = 0
objACE1.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT

objDACL.AddAce objACE1

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objZone.Put "nTSecurityDescriptor", objSD
objZone.SetInfo
WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup
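The following is an added example, not from the book or from Microsoft, that performs the same delegation as the VBScript above from Windows PowerShell using System.DirectoryServices (no Active Directory module required), and pairs it with a function that lists who already holds full control of the zone object or can rewrite its ACL. Reviewing that list before and after delegating is the check this recipe otherwise leaves out: a trustee with WriteDacl or WriteOwner can grant itself anything later. The function names are hypothetical; the zone DN under DomainDnsZones and the group ADATUM\DnsZoneAdmins are placeholders.

```powershell
# Added example (not from the book): delegate full control of an AD-integrated
# zone object and audit its explicit and inherited ACEs. Assumes Windows
# PowerShell on a domain-joined host with rights to modify the zone object.

function Grant-DnsZoneFullControl {
    param(
        [Parameter(Mandatory = $true)] [string] $ZoneDN,    # dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>
        [Parameter(Mandatory = $true)] [string] $Identity   # DOMAIN\group or DOMAIN\user
    )
    $zone    = [ADSI] "LDAP://$ZoneDN"
    $trustee = New-Object System.Security.Principal.NTAccount($Identity)
    # Same right the recipe grants with dsacls ...:GA (GenericAll = 0x10000000), as an allow ACE.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $trustee,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $zone.ObjectSecurity.AddAccessRule($rule)
    $zone.CommitChanges()
}

function Get-DnsZoneDelegation {
    param([Parameter(Mandatory = $true)] [string] $ZoneDN)
    $zone   = [ADSI] "LDAP://$ZoneDN"
    $allBit = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $aclBit = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)
    # $true, $true = include explicit and inherited rules; report trustees as DOMAIN\name.
    foreach ($rule in $zone.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        $rights = [int]$rule.ActiveDirectoryRights
        [pscustomobject]@{
            Identity     = $rule.IdentityReference.Value
            Type         = $rule.AccessControlType.ToString()
            Rights       = $rule.ActiveDirectoryRights.ToString()
            Inherited    = $rule.IsInherited
            FullControl  = (($rights -band $allBit) -eq $allBit)   # ACE carries the GenericAll bit
            CanChangeAcl = (($rights -band $aclBit) -ne 0)         # WriteDacl or WriteOwner
        }
    }
}

# Usage (placeholders): review, delegate, review again.
$dn = 'dc=adatum.com,cn=MicrosoftDNS,dc=DomainDnsZones,dc=adatum,dc=com'
Get-DnsZoneDelegation -ZoneDN $dn | Format-Table -AutoSize
Grant-DnsZoneFullControl -ZoneDN $dn -Identity 'ADATUM\DnsZoneAdmins'
Get-DnsZoneDelegation -ZoneDN $dn | Where-Object { $_.FullControl -or $_.CanChangeAcl } | Format-Table -AutoSize
```

Full control over the zone object means control over every record in it, including the SRV records domain members use to find domain controllers, so the trustee is best a dedicated group with a small, reviewed membership rather than an individual account.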
Creating and Deleting Resource Records
You want to create and delete resource records in a zone.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.
  3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone folder. If you want to add or delete a record for a reverse zone, expand the Reverse Lookup Zone folder.
To create a resource record, do the following:
  1. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create—e.g., New Host (A).
  2. Fill in all required fields.
  3. Click OK.
To delete a resource record, do the following:
  1. In the left pane, click on the zone the record is in.
  2. In the right pane, right-click on the record you want to delete and select Delete.
  3. Click Yes to confirm.

Using a command-line interface

To add a resource record, use the following command:
> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>
The following command adds an A record in the adatum.com zone:
> dnscmd dc1 /recordadd adatum.com wins01 A 19.25.52.2.25
To delete a resource record, use the following command:
> dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>
The following command deletes an A record in the adatum.com zone:
> dnscmd dc1 /recorddelete adatum.com wins01 A 19.25.52.2.25

Using VBScript

' This code shows how to add an A record and PTR record using
' the DNS WMI Provider.
' ------ SCRIPT CONFIGURATION ------
strForwardRRAdd = "test-xp.adatum.com. IN A 192.32.64.13"
strReverseRRAdd = "13.64.32.192.in-addr.arpa IN PTR test-xp.adatum.com"
strForwardDomain = "adatum.com"
strReverseDomain = "192.in-addr.arpa."
' ------ END CONFIGURATION --------

set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objRR = objDNS.Get("MicrosoftDNS_ResourceRecord")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")

' Create the A record
strNull = objRR.CreateInstanceFromTextRepresentation( _
                  objDNSServer.Name, _
                  strForwardDomain, _
                  strForwardRRAdd, _
                  objOutParam)
set objRR2 = objDNS.Get(objOutParam)
WScript.Echo "Created Record: " & objRR2.TextRepresentation

' Create the PTR record
strNull = objRR.CreateInstanceFromTextRepresentation( _
                  objDNSServer.Name, _
                  strReverseDomain, _
                  strReverseRRAdd, _
                  objOutParam)
set objRR2 = objDNS.Get(objOutParam)
WScript.Echo "Created Record: " & objRR2.TextRepresentation

' This code shows how to delete an A and PTR record for the record
' we created in the previous example.

strHostName = "test-xp.adatum.com."

set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")

set objRRs = objDNS.ExecQuery(" select * " & _
                          " from MicrosoftDNS_ResourceRecord " & _
                          " where OwnerName = """ & strHostName & """" & _
                          " Or RecordData = """ & strHostName & """")
if objRRs.Count < 1 then
   WScript.Echo "No matches found for " & strHostName
else
   for each objRR in objRRs
      objRR.Delete_
      WScript.Echo "Deleted " & objRR.TextRepresentation
   next
end if
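The VBScript above hard-codes both the PTR owner name and the reverse zone ("192.in-addr.arpa."). The following is an added example, not from the book or from Microsoft, that adds a host's A and PTR records together from Windows PowerShell with the same CreateInstanceFromTextRepresentation method, deriving the PTR owner name from the address and choosing the most specific reverse zone the server actually hosts, and failing before it writes anything if no reverse zone covers the address. It reads both records back at the end. The function names are hypothetical; dc1.adatum.com, adatum.com, test-xp and 192.32.64.13 are placeholders taken from the recipe.

```powershell
# Added example (not from the book): create matching A and PTR records through
# the DNS WMI provider. Assumes Windows PowerShell.

function Get-PtrOwnerName {
    param([Parameter(Mandatory = $true)] [string] $IPv4)
    # Require four dotted decimal octets; IPAddress.TryParse alone would accept "192.32" as well.
    if ($IPv4 -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { throw "Not a dotted IPv4 address: '$IPv4'" }
    $octets = $IPv4.Split('.')
    foreach ($o in $octets) { if ([int]$o -gt 255) { throw "Octet out of range in '$IPv4'" } }
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'       # 192.32.64.13 -> 13.64.32.192.in-addr.arpa
}

function Add-DnsHostWithPtr {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [Parameter(Mandatory = $true)] [string] $ForwardZone,   # e.g. adatum.com
        [Parameter(Mandatory = $true)] [string] $HostName,      # unqualified, e.g. test-xp
        [Parameter(Mandatory = $true)] [string] $IPv4
    )
    if ($HostName -notmatch '^[A-Za-z0-9-]+$') { throw "Unexpected characters in host name '$HostName'" }
    $fqdn     = "$HostName.$ForwardZone."
    $ptrOwner = Get-PtrOwnerName -IPv4 $IPv4

    $ns      = 'root\MicrosoftDNS'
    $dnsSrv  = Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Server
    $rrClass = [wmiclass] "\\$Server\root\MicrosoftDNS:MicrosoftDNS_ResourceRecord"

    # The reverse zone that covers the address is the longest hosted reverse
    # zone whose name is a suffix of the PTR owner name.
    $revZone = Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_Zone |
        Where-Object { $_.Reverse -and $ptrOwner.EndsWith('.' + $_.Name.TrimEnd('.'), [System.StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object { $_.Name.Length } -Descending | Select-Object -First 1
    if (-not $revZone) { throw "No reverse zone on $Server covers $IPv4; create one before adding the PTR" }

    # CreateInstanceFromTextRepresentation(DnsServerName, ContainerName, TextRepresentation, [out] RR),
    # with the same text form the recipe's VBScript passes.
    $null = $rrClass.CreateInstanceFromTextRepresentation($dnsSrv.Name, $ForwardZone, "$fqdn IN A $IPv4")
    $null = $rrClass.CreateInstanceFromTextRepresentation($dnsSrv.Name, $revZone.Name, "$ptrOwner. IN PTR $fqdn")

    # Read both records back so the caller sees what the server stored.
    $name = $fqdn.TrimEnd('.')
    Get-WmiObject -ComputerName $Server -Namespace $ns -Class MicrosoftDNS_ResourceRecord `
        -Filter "OwnerName='$name' OR RecordData='$name' OR RecordData='$fqdn'" |
        Select-Object OwnerName, RecordData, TextRepresentation
}

# Usage (placeholders from the recipe)
Add-DnsHostWithPtr -Server 'dc1.adatum.com' -ForwardZone 'adatum.com' -HostName 'test-xp' -IPv4 '192.32.64.13'
```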
Querying Resource Records
You want to query resource records.

Using a graphical user interface

The DNS Management snap-in does not provide an interface for searching resource records.

Using a command-line interface

In the following command, replace <RecordType> with the type of resource record you want to find (e.g., A, CNAME, SRV) and <RecordName> with the name or IP address of the record to match:
> nslookup -type=<RecordType> <RecordName>

Using VBScript

' This code prints the resource records that match the specified name.
' ------ SCRIPT CONFIGURATION ------
strQuery = "<RecordName>"
' ------ END CONFIGURATION --------

set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objRRs = objDNS.ExecQuery(" select * " & _
                              " from MicrosoftDNS_ResourceRecord" & _
                              " where OwnerName = """ & strQuery & """" & _
                              " Or DomainName = """ & strQuery & """" & _
                              " Or RecordData = """ & strQuery & """")
if objRRs.Count < 1 then
   WScript.Echo "No matches found for " & strQuery
else
   for each objRR in objRRs
      WScript.Echo objRR.TextRepresentation
   next
end if

Using PowerShell

Get-WmiObject -ComputerName <ServerName> -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_AType -Filter "ContainerName='<ZoneName>'" | Where-Object { $_.OwnerName -eq "<Record FQDN>" } | Select-Object OwnerName, IPAddress

Using a command-line interface

You can leave off the -type switch, and the command will find any A, PTR, and CNAME records that match <RecordName>.
You can also run nslookup from interactive mode, which can be entered by typing nslookup at a command prompt with no additional parameters, or switch back and forth between query types by using the q=ANY command to reset nslookup.

Using VBScript

In the VBScript solution, a WQL query was used to find all matching resource records. This is a good example of how powerful the DNS WMI Provider can be. The query attempts to find any object of the
Modifying the DNS Server Configuration
You want to modify the DNS Server settings.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable), and click OK.
  3. Right-click on the server and select Properties.
  4. There will be several tabs you can choose from to edit the server settings.
  5. Click OK to commit the changes after you complete your modifications.

Using a command-line interface

With the following command, replace <Setting> with the name of the setting to modify and <Value> with the value to set:
> dnscmd <DNSServerName> /config /<Setting> <Value>
The following command enables the EnableDnsSec setting on dns01:
> dnscmd dns01 /config /EnableDnsSec 1
The following command disables the NoTcp setting on the local host:
> dnscmd /config /NoTcp 0
The following command sets the DsPollingInterval setting to 60 on dns02:
> dnscmd dns02 /config /DsPollingInterval 60
For the complete list of settings, run dnscmd /config from the command line.

Using VBScript

set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
objDNSServer.<Setting> = <Value> ' e.g. objDNSServer.AllowUpdate = TRUE
objDNSServer.Put_

Using PowerShell

$server = Get-WmiObject -Class MicrosoftDNS_Server -ComputerName "<Server FQDN>" -Namespace root\MicrosoftDNS
$server.<Setting> = <Value> # e.g. $server.EnableDNSSec = $false
$server.Put()
The Microsoft DNS server supports a variety of settings to configure everything from scavenging and forwarders to logging. With the DNS Management snap-in, the settings are spread over several tabs in the Properties property page. You can get a list of these settings by simply running dnscmd /config from a command line. For the CLI and VBScript solutions, the setting names are nearly identical. In the VBScript solution, be sure to call the
Scavenging Old Resource Records
You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via DDNS, but you can also scavenge manually created static records as well. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.
The following solutions will show how to enable automatic scavenging on all AD-integrated zones.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable), and click OK.
  3. Click on the server, right-click on it, and select “Set Aging/Scavenging for all zones.”
  4. Check the box beside “Scavenge stale resource records.”
  5. Configure the No-Refresh and Refresh intervals as necessary, and click OK.
  6. Check the box beside “Apply these settings to the existing Active Directory-integrated zones” and click OK.
  7. Right-click on the server again and select Properties.
  8. Select the Advanced tab.
  9. Check the box beside “Enable automatic scavenging of stale resource records.”
  10. Configure the scavenging period as necessary.
  11. Click OK.

Using a command-line interface

> dnscmd <DNSServerName> /config /ScavengingInterval <ScavengingMinutes>
> dnscmd <DNSServerName> /config /DefaultAgingState 1
> dnscmd <DNSServerName> /config /DefaultNoRefreshInterval <NoRefreshMinutes>
> dnscmd <DNSServerName> /config /DefaultRefreshInterval <RefreshMinutes>
> dnscmd <DNSServerName> /config ..AllZones /aging 1

Using VBScript

' This code enables scavenging for all AD-integrated zones.
' ------ SCRIPT CONFIGURATION ------
strServer = "<DNSServerName>"
intScavengingInterval = <ScavengingMinutes>
Clearing the DNS Cache
You want to clear the DNS cache. The DNS cache contains resource records that are cached by the server or workstation for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the cache on the Windows DNS client resolver (this can refer to both server and workstation operating systems when they are requesting DNS information from a server), and the other refers to the cache used by the Microsoft DNS server software.
To flush the client resolver cache, use the following command:
> ipconfig /flushdns
To flush the DNS server cache, use any of the following solutions.

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. Right-click on DNS in the left pane and select “Connect to DNS Server.”
  3. Enter the server you want to connect to and click Enter.
  4. Right-click on the server and select Clear Cache.

Using a command-line interface

The following command will clear the cache on <DNSServerName>. You can leave out the <DNSServerName> parameter to simply run the command against the local server:
> dnscmd <DNSServerName> /clearcache

Using VBScript

' This code clears the DNS server cache on the specified server.
' ------ SCRIPT CONFIGURATION ------
strServer = "<DNSServerName>" ' e.g. dc1.adatum.com
' ------ END CONFIGURATION --------

set objDNS = GetObject("winmgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objDNSCache = objDNS.Get("MicrosoftDNS_Cache.ContainerName=""..Cache""" & _
                             ",DnsServerName=""" & objDNSServer.Name & _
                             """,Name=""..Cache""")
objDNSCache.ClearCache
WScript.Echo "Cleared server cache"

Using PowerShell

$cache = Get-WmiObject -Class MicrosoftDNS_Cache -ComputerName "<Server FQDN>" -Namespace root\MicrosoftDNS
$cache.ClearCache()
The client resolver cache is populated whenever a DNS lookup is performed on a workstation or server (e.g., with
Verifying That a Domain Controller Can Register Its Resource Records
You want to verify DNS is configured correctly so that a domain controller can register its resource records, which are needed for clients to be able to locate various AD .

Using a command-line interface

This test is available only with the Windows Server 2003 and newer versions of dcdiag.
With the following dcdiag command, replace dc1 with the DNS name of the domain that the domain controller is in. This command has to be run from the domain controller you want to test, not from an administrative workstation:
> dcdiag /test:RegisterInDNS /DnsDomain:dc1

Starting test: RegisterInDNS
  DNS configuration is sufficient to allow this domain controller to
  dynamically register the domain controller Locator records in DNS.

  The DNS configuration is sufficient to allow this computer to dynamically
  register the A record corresponding to its DNS name.

......................... dc1 passed test RegisterInDNS
With the default setup, domain controllers attempt to dynamically register the resource records necessary for them to be located by Active Directory clients and other domain controllers. Domain controllers must have their resource records populated in DNS in order to function, but it can be very tedious and error-prone to register all of the records manually. This is why allowing the domain controllers to use dynamic DNS (DDNS) to automatically register and update their records can be much easier from a support standpoint.
The Windows Server 2003 and newer versions of dcdiag provide a RegisterInDNS switch that allows you to test whether or not the DC can register its records. In the solution above, we showed the output if the domain controller passes the test.
Here is the output if an error occurs:
Starting test: RegisterInDNS
   This domain controller cannot register domain controller Locator DNS
   records. This is because either the DNS server with IP address
   6.10.45.14 does not support dynamic updates or the zone adatum.com is
   configured to prevent dynamic updates.

   In order for this domain controller to be located by other domain members
   and domain controllers, the domain controller Locator DNS records must be
   added to DNS. You have the following options:

   1. Configure the adatum.com zone and the DNS server with IP address
   6.10.45.14 to allow dynamic updates. If the DNS server does not
   support dynamic updates, you might need to upgrade it.

   2. Migrate the adatum.com zone to a DNS server that supports dynamic
   updates (for example, a Windows 2000 DNS server).

   3. Delegate the zones _msdcs.adatum.com, _sites.adatum.com,
   _tcp.adatum.com, and _udp.adatum.com to a DNS server that supports
   dynamic updates (for example, a Windows 2000 DNS server); or

   4. Manually add to the DNS records specified in the
   systemroot\system32\config\netlogon.dns file.

   DcDiag cannot reach a conclusive result because it cannot interpret the
   following message that was returned: 9501.

   ......................... dc1 failed test RegisterInDNS
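Whether the test passes or not, the record list in netlogon.dns (option 4 above) is the authoritative statement of what the DC expects to have in DNS. The following is added example code, not from the cookbook: it parses a netlogon.dns-style list and reports the Locator records that DNS does not currently return. The sample records and zone answers are constructed; the resolver is a plain callable so the check runs offline, and the optional live variant assumes the dnspython 2.x library is installed.

```python
"""Report which of a domain controller's Locator records are missing from DNS.

Added example (not from the cookbook). It reads records in the format of
%SystemRoot%\\system32\\config\\netlogon.dns and checks each one against a
resolver callable. make_dnspython_resolver() is the live variant and assumes
dnspython 2.x is installed; the offline demo below uses constructed answers.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Record:
    name: str   # owner name, lowercased, trailing dot removed
    rtype: str  # SRV, A or CNAME (the types netlogon.dns contains)
    rdata: str  # SRV: "prio weight port target"; A: address; CNAME: target


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def parse_netlogon_dns(text: str) -> List[Record]:
    """Parse lines like '_ldap._tcp.adatum.com. 600 IN SRV 0 100 389 dc1.adatum.com.'"""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unrecognised netlogon.dns line: {line!r}")
        name, rtype = _norm(parts[0]), parts[3].upper()
        if rtype == "SRV":
            prio, weight, port, target = parts[4:8]
            rdata = f"{prio} {weight} {port} {_norm(target)}"
        elif rtype == "A":
            rdata = parts[4]
        elif rtype == "CNAME":
            rdata = _norm(parts[4])
        else:
            raise ValueError(f"unexpected record type {rtype} in {line!r}")
        records.append(Record(name, rtype, rdata))
    return records


# (name, rtype) -> set of normalised rdata strings currently published in DNS
Resolver = Callable[[str, str], Set[str]]


def find_missing(records: List[Record], resolve: Resolver) -> List[Record]:
    """Return the records whose rdata is not among the answers DNS gives for their name."""
    answers: Dict[Tuple[str, str], Set[str]] = {}
    missing: List[Record] = []
    for rec in records:
        key = (rec.name, rec.rtype)
        if key not in answers:  # one lookup per (name, type), not per record
            answers[key] = {a.lower() for a in resolve(*key)}
        if rec.rdata.lower() not in answers[key]:
            missing.append(rec)
    return missing


def make_dnspython_resolver(nameserver: str) -> Resolver:
    """Live resolver against one DNS server; assumes dnspython 2.x is installed."""
    import dns.resolver  # type: ignore

    res = dns.resolver.Resolver()
    res.nameservers = [nameserver]

    def resolve(name: str, rtype: str) -> Set[str]:
        try:
            ans = res.resolve(name, rtype)
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            return set()
        out: Set[str] = set()
        for r in ans:
            if rtype == "SRV":
                out.add(f"{r.priority} {r.weight} {r.port} {_norm(r.target.to_text())}")
            elif rtype == "A":
                out.add(r.address)
            else:
                out.add(_norm(r.target.to_text()))
        return out

    return resolve


# Constructed sample in the netlogon.dns format (not copied from a real DC).
SAMPLE_NETLOGON_DNS = """\
adatum.com. 600 IN A 192.0.2.10
_ldap._tcp.adatum.com. 600 IN SRV 0 100 389 dc1.adatum.com.
_ldap._tcp.dc._msdcs.adatum.com. 600 IN SRV 0 100 389 dc1.adatum.com.
_kerberos._tcp.adatum.com. 600 IN SRV 0 100 88 dc1.adatum.com.
_gc._tcp.adatum.com. 600 IN SRV 0 100 3268 dc1.adatum.com.
"""

# Constructed answers standing in for the zone contents. The Gc record is
# deliberately absent, as it would be if the DC were excluded from registering it.
SAMPLE_ZONE: Dict[Tuple[str, str], Set[str]] = {
    ("adatum.com", "A"): {"192.0.2.10"},
    ("_ldap._tcp.adatum.com", "SRV"): {"0 100 389 dc1.adatum.com", "0 100 389 dc2.adatum.com"},
    ("_ldap._tcp.dc._msdcs.adatum.com", "SRV"): {"0 100 389 dc1.adatum.com"},
    ("_kerberos._tcp.adatum.com", "SRV"): {"0 100 88 dc1.adatum.com"},
}


def sample_resolver(name: str, rtype: str) -> Set[str]:
    return SAMPLE_ZONE.get((name, rtype), set())


if __name__ == "__main__":
    for rec in find_missing(parse_netlogon_dns(SAMPLE_NETLOGON_DNS), sample_resolver):
        print(f"MISSING {rec.rtype} {rec.name} -> {rec.rdata}")
```

Against a live DC, read the real netlogon.dns and pass `make_dnspython_resolver("<DNS server IP>")` instead of `sample_resolver`.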
Enabling DNS Server Debug Logging
You want to enable DNS debug logging to troubleshoot issues related to DNS queries or updates.

Using a graphical user interface

  1. From the Administrative Tools, open the DNS Management snap-in.
  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select “Connect to DNS Server.” Select “The following computer” and enter the target server name. Click OK.
  3. Right-click on the server and select Properties.
  4. Click on the Debug Logging tab (or the Logging tab in Windows 2000).
  5. Select what you want to log and the location of the logfile (in Windows 2000, the logfile location is hardcoded to %systemroot%\system32\dns\dns.log).
  6. Click OK.

Using a command-line interface

Use the following four commands to enable debug logging. For the log level, you have to add together the event codes you want logged and specify the result in hex. The available event codes can be found in :
> dnscmd <ServerName> /Config /LogLevel <EventFlagSumInHex>
Use the following command to specify the location of the logfile:
> dnscmd <ServerName> /Config /LogFilePath <DirectoryAndFilePath>
Use the following command to log only entries that pertain to certain IP addresses:
> dnscmd <ServerName> /Config /LogIPFilterList <IPAddress1>[,<IPAddress2>...]
Use the following command to specify the maximum logfile size:
> dnscmd <ServerName> /Config /LogFileMaxSize <NumberOfBytesInHex>
Use the following command to disable debug logging:
> dnscmd <ServerName> /Config /LogLevel 0

Using VBScript

' This code enables DNS debug logging.
' ------ SCRIPT CONFIGURATION -------
strServer = "<ServerName>" ' e.g. dc1
' The log level must be in decimal, not hex like dnscmd
intLogLevel = <EventFlagSumInDecimal> ' e.g. 65535
arrFilterList = Array("<IPAddress1>") ' e.g. 192.168.1.12
strFilePath = "<DirectoryAndFilePath>" ' e.g. c:\dnslog.txt
intFileSize = <NumberOfBytesInDecimal> ' e.g. 50000000
' ------ END CONFIGURATION ---------

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
objDNSServer.LogLevel = intLogLevel
objDNSServer.LogIPFilterList = arrFilterList
objDNSServer.LogFilePath = strFilePath
objDNSServer.LogFileMaxSize = intFileSize
objDNSServer.Put_
WScript.Echo "Enabled DNS Debug Logging on " & strServer

' To disable debug logging, set the intLogLevel variable to 0
Registering a Domain Controller’s Resource Records
You want to manually force registration of a domain controller’s resource records. This may be necessary if you’ve made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.

Using a command-line interface

> nltest /dsregdns /server:<DomainControllerName>
Beginning with the Windows Server 2003 version of nltest, a /dsregdns switch allows you to force registration of the domain-controller-specific resource records. You can also force reregistration of its resource records by restarting the NetLogon service on the domain controller. The NetLogon service automatically attempts to reregister a domain controller’s resource records every hour, so if you can wait that long, you do not need to use nltest.
for verifying if a domain controller is registering its resource records
Deregistering a Domain Controller’s Resource Records
You want to manually deregister a domain controller’s resource records.

Using a command-line interface

With the following nltest command, replace <DomainControllerName> with the FQDN of the domain controller you want to deregister and <DomainDNSName> with the FQDN of the domain of which the domain controller is a member:
> nltest /dsderegdns:<DomainControllerName> /dom:<DomainDNSName>
When a domain controller is demoted from a domain, it dynamically deregisters its resource records. This is a nice feature of the demotion process because it means you do not have to manually remove all of the resource records or wait for scavenging to remove them. If, however, you have a domain controller that crashes and you do not plan on bringing it back online, you’ll need to remove the records manually or wait for the scavenging process to take place.
You can use the DNS Mgmt MMC snap-in and even the dnscmd.exe utility to manually remove them one by one, or you can use nltest, as shown in the solution.
The /dsderegdns switch also has /DomGUID and /DsaGUID options if you want to delete the records that are based on the domain GUID and DSA GUID, respectively. You need to know the actual GUIDs of the domain and domain controller to use those switches, so if you don’t have them handy, it would be easier to delete them using the DNS Management MMC snap-in.
Preventing a Domain Controller from Dynamically Registering All Resource Records
You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you manually register a domain controller’s resource records, you’ll want to prevent those domain controllers from attempting to dynamically register them. If you do not disable them from sending dynamic update requests, you may see annoying error messages on your DNS servers that certain DDNS updates are failing.

Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v UseDynamicDNS /t REG_DWORD /d 0
The operation completed successfully.

> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.

> del %SystemRoot%\system32\config\netlogon.dnb

> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.

Using VBScript

' This code prevents a DC from registering resource records dynamically.
' It must be run directly on the server.

' Create Registry Value
const HKLM = &H80000002
set oReg=GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
if oReg.SetDWORDValue(HKLM,strKeyPath,"UseDynamicDNS",0) <> 0 then
   WScript.Echo "Error creating registry value"
else
   WScript.Echo "Created registry value successfully"
end if

' Stop Netlogon service
strService = "Netlogon"
set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                           strService & "'")
if objService.StopService <> 0 then
   WScript.Echo "Error stopping " & strService & " service"
else
   WScript.Echo "Stopped " & strService & " service successfully"
end if

' Delete netlogon.dnb file
set WshShell = CreateObject("WScript.Shell")
set objFSO = CreateObject("Scripting.FileSystemObject")
set objFile = objFSO.GetFile( _
                    WshShell.ExpandEnvironmentStrings("%SystemRoot%") _
                    & "\system32\config\netlogon.dnb" )
objFile.Delete
WScript.Echo "Deleted netlogon.dnb successfully"

' Start Netlogon service
if objService.StartService <> 0 then
   WScript.Echo "Error starting " & strService & " service"
else
   WScript.Echo "Started " & strService & " service successfully"
end if

WScript.Echo
WScript.Echo "Done"
Preventing a Domain Controller from Dynamically Registering Certain Resource Records
You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you can prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.

Using a graphical user interface

This is only available on Windows Server 2003 and higher domain .
  1. Open the Group Policy Management Console.
  2. Create a GPO linked to the Domain Controllers OU, or else edit an existing GPO.
  3. Navigate to Computer Configuration→Administrative Templates→System→Net Logon→DC Locator DNS Records (in Windows Server 2003 and R2) or Computer Configuration→Policies→Administrative Templates→System→Net Logon→DC Locator DNS Records (in Windows Server 2008).
  4. Enable the “DC Locator DNS records not registered by the DCs” setting, and list one or more of the following SRV record types that should not be registered:
    • Dc
    • DcByGuid
    • Gc
    • GcIpAddress
    • GenericGc
    • Kdc
    • Ldap
    • LdapIpAddress
    • Rfc1510Kdc
    • Rfc1510Kpwd
    • Rfc1510UdpKdc
    • Rfc1510UdpKpwd

Using a command-line interface

This command prevents the Ldap, Gc, and GcIpAddress resource records from being dynamically registered:
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap\0Gc\0GcIpAddress
The operation completed successfully.

> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.

> del %SystemRoot%\system32\config\netlogon.dnb

> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.

Using VBScript

' This code prevents a DC from registering the resource records
' associated with the Ldap, Gc, and GcIpAddress mnemonics and must be run
' directly on the server.

' Create Registry Value
const HKLM = &H80000002
set objReg = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
' prevent Ldap, Gc, and GcIpAddress records from being registered
arrValues = Array("Ldap","Gc","GcIpAddress")
if objReg.SetMultiStringValue(HKLM,strKeyPath,"DnsAvoidRegisterRecords", _
                              arrValues) <> 0 then
   WScript.Echo "Error creating registry value"
else
   WScript.Echo "Created registry value successfully"
end if

' Stop Netlogon service
strService = "Netlogon"
set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                           strService & "'")
if objService.StopService <> 0 then
   WScript.Echo "Error stopping " & strService & " service"
else
   WScript.Echo "Stopped " & strService & " service successfully"
end if

' Delete netlogon.dnb file
On Error Resume Next
set WshShell = CreateObject("WScript.Shell")
set objFSO = CreateObject("Scripting.FileSystemObject")
set objFile = objFSO.GetFile( _
                      WshShell.ExpandEnvironmentStrings("%systemroot%") _
                      & "\system32\config\netlogon.dnb")
objFile.Delete
if (Err.Number <> 0) then
   WScript.Echo "Error deleting netlogon.dnb: " & Err.Description
else
   WScript.Echo "Deleted netlogon.dnb successfully"
end if

' Start Netlogon service
if objService.StartService <> 0 then
   WScript.Echo "Error starting " & strService & " service"
else
   WScript.Echo "Started " & strService & " service successfully"
end if

WScript.Echo
WScript.Echo "Done"
Allowing Computers to Use a Different Domain Suffix Than Their AD Domain
You want to allow computers to use a different domain suffix than their AD domain.
The following solutions work only for Windows Server 2003 domains. Read for a workaround for Windows 2000.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the domain you want to edit.
  3. Right-click on the domainDNS object and select Properties.
  4. Edit the msDS-AllowedDNSSuffixes attribute and add the DNS suffix you want to allow.
  5. Click OK.

Using a command-line interface

Create an LDIF file called add_dns_suffix.ldf with the following contents:
dn: <DomainDN>
changetype: modify
add: msDS-AllowedDNSSuffixes
msDS-AllowedDNSSuffixes: <DNSSuffix>
-
Then run the following command:
> ldifde -v -i -f add_dns_suffix.ldf
You can also make this change using AdMod, as follows:
> admod -b <DomainDN> msDS-AllowedDNSSuffixes:+:<DNSSuffix>

Using VBScript

' This code adds a domain suffix that can be used by clients in the domain.
' ------ SCRIPT CONFIGURATION ------
strDNSSuffix = "<DNSSuffix>"  ' e.g. othercorp.com
strDomain = "<DomainDNSName>" ' e.g. amer.adatum.com
' ------ END CONFIGURATION --------

const ADS_PROPERTY_APPEND = 3 ' add to a multivalued attribute instead of replacing it

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext") )
' msDS-AllowedDNSSuffixes is multivalued; Put would overwrite any suffixes
' already in the list, so PutEx with ADS_PROPERTY_APPEND is used instead
objDomain.PutEx ADS_PROPERTY_APPEND, "msDS-AllowedDNSSuffixes", Array(strDNSSuffix)
objDomain.SetInfo

WScript.Echo "Added " & strDNSSuffix & " to suffix list."

Using PowerShell

You can modify the list of allowed DNS suffixes for a domain using the Quest cmdlets or ADSI, as follows:
set-QADObject -Identity "<Domain DN>" -ObjectAttributes @{"msDS-AllowedDNSSuffixes"="<DNSSuffix>"}

$objDom = [ADSI] "LDAP://<Domain DN>"
$strSuffix = "<DNSSuffix>"
# 3 = ADS_PROPERTY_APPEND: add to the multivalued list rather than replacing it
$objDom.PutEx(3, "msDS-AllowedDNSSuffixes", @($strSuffix))
$objDom.SetInfo()
Windows 2000, Windows XP, and Windows Server 2003 member computers dynamically maintain the dNSHostName and servicePrincipalName attributes of their corresponding computer object in Active Directory with their current hostname. By default, those attributes can only contain hostnames that have a DNS suffix equal to the Active Directory domain the computer is a member of.
Authorizing a DHCP Server
You want to permit (i.e., authorize) a DHCP server to process DHCP requests from clients. This is necessary only if the DHCP server is a member of an Active Directory domain.

Using a graphical user interface

Windows 2000 DHCP servers cannot be authorized with the Windows Server 2003 version of the DHCP snap-in unless the DHCP server has Service Pack 2 or higher installed.
  1. Open the DHCP snap-in.
  2. In the left pane, right-click on DHCP and select Add Server.
  3. Type in the name of the DHCP server you want to target and click OK.
  4. Click on the server entry in the left pane.
  5. Right-click on the server and select Authorize.
If the DHCP server is not a member of an Active Directory domain, you will not see the Authorize option.

Using a command-line interface

The following command authorizes a DHCP server in Active Directory:
> netsh dhcp add server <DHCPServerName> <DHCPServerIP>
This example shows how to authorize the DHCP server named dhcp01.adatum.com with IP 192.168.191.15:
> netsh dhcp add server dhcp01.adatum.com 192.168.191.15
Windows-based DHCP servers that belong to an Active Directory domain must be authorized before they can give leases to clients. This feature helps reduce the danger of a rogue Windows DHCP server that an end user sets up, perhaps even .
However, this still doesn’t prevent someone from plugging in a non-Windows DHCP server (e.g., a Linksys router with the DHCP server enabled) and causing clients to receive bad leases. A rogue DHCP server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network.
If the DHCP server service is enabled on a domain controller, it is automatically authorized. A DHCP server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.
A standalone Windows DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP server, it will respond to client requests and distribute leases.
Locating Unauthorized DHCP Servers
You want to locate any unauthorized or rogue DHCP servers on your network.

Using a command-line interface

Here’s how to search for rogue DHCP servers from a workstation with an IP address of 10.0.0.101 while disregarding a known, valid DHCP server residing on 10.0.0.200:
> dhcploc 10.0.0.101 10.0.0.200
The DHCP authorization process in Active Directory will prevent any newer Windows DHCP servers from offering up IP addresses without first being authorized by a member of the Enterprise Admins group. However, this mechanism does not extend to Windows NT 4.0 DHCP servers or non-Windows devices, such as a Linksys router that also functions as a DHCP server. The dhcploc utility in the Windows Support Tools in Windows 2000 and Windows Server 2003 will display an output of all DHCP traffic that it receives, with a *** displayed next to traffic that it receives from unauthorized servers, as follows:
14:24:28 (IP)0.0.0.0     NACK    (S)10.0.0.40    ***
14:24:28 (IP)10.0.0.103  OFFER   (S)10.0.0.60    ***
14:24:28 (IP)10.0.0.201  ACK     (S)10.0.0.30
14:24:23 (IP)10.0.0.203  ACK     (S)10.0.0.30
14:24:25 (IP)10.0.0.4    OFFER   (S)10.0.0.30
14:24:35 (IP)10.0.0.2    OFFER   (S)10.0.0.40
14:24:36 (IP)10.0.0.3    OFFER   (S)10.0.0.26    ***
The dhcploc utility is no longer available in Windows Server 2008.
for more on authorizing DHCP servers in Active Directory
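Because the *** marker only reflects Active Directory authorization, a non-Windows DHCP server that AD has never heard of still needs to be caught by comparing against your own list of known servers. The following is added example code, not from the cookbook: it parses dhcploc output in the format shown above, counts message types per server, and reports every server that dhcploc flagged or that is missing from a constructed allow-list. The sample lines are constructed in the same format.

```python
"""Summarise dhcploc output and flag DHCP servers that should not be answering.

Added example (not from the cookbook). dhcploc marks traffic from servers it
considers unauthorised in AD with '***'; this parser extracts the server and
message type from each line, then reports servers that are either flagged by
dhcploc or absent from the allow-list we maintain ourselves, which also covers
non-Windows DHCP servers that AD authorisation cannot see.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, NamedTuple, Set

# Matches lines such as: 14:24:28 (IP)10.0.0.103  OFFER   (S)10.0.0.60    ***
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+\(IP\)(?P<client>\S+)\s+"
    r"(?P<msg>[A-Z]+)\s+\(S\)(?P<server>\S+)(?P<flag>\s+\*\*\*)?\s*$"
)


class DhcpLocEvent(NamedTuple):
    time: str
    client: str    # address offered/acknowledged (0.0.0.0 on a NACK)
    msg: str       # OFFER, ACK, NACK, ...
    server: str    # DHCP server that sent the message
    flagged: bool  # dhcploc printed *** (server not authorised in AD)


def parse_dhcploc(text: str) -> List[DhcpLocEvent]:
    """Parse dhcploc lines; lines that do not match the format are skipped."""
    events: List[DhcpLocEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(DhcpLocEvent(m["time"], m["client"], m["msg"],
                                   m["server"], bool(m["flag"])))
    return events


def rogue_servers(events: List[DhcpLocEvent], authorized: Set[str]) -> Dict[str, Counter]:
    """Per suspect server, a count of the message types seen from it.

    A server is suspect if dhcploc flagged it OR it is not on our own list."""
    suspects: Dict[str, Counter] = {}
    for ev in events:
        if ev.flagged or ev.server not in authorized:
            suspects.setdefault(ev.server, Counter())[ev.msg] += 1
    return suspects


def report(text: str, authorized: Set[str]) -> List[str]:
    """One summary line per suspect server, sorted by address string."""
    lines = []
    for server, counts in sorted(rogue_servers(parse_dhcploc(text), authorized).items()):
        detail = ", ".join(f"{n} {msg}" for msg, n in sorted(counts.items()))
        lines.append(f"{server}: {detail}")
    return lines


# Constructed sample modelled on the dhcploc output format (not a real capture).
# 10.0.0.45 is not flagged by dhcploc (e.g. a non-Windows device) but is not
# on our list either, so it must still be reported.
SAMPLE_OUTPUT = """\
14:24:28 (IP)0.0.0.0     NACK    (S)10.0.0.40    ***
14:24:28 (IP)10.0.0.103  OFFER   (S)10.0.0.60    ***
14:24:28 (IP)10.0.0.201  ACK     (S)10.0.0.30
14:24:32 (IP)10.0.0.4    OFFER   (S)10.0.0.30
14:24:35 (IP)10.0.0.2    OFFER   (S)10.0.0.45
14:24:36 (IP)10.0.0.3    OFFER   (S)10.0.0.26    ***
"""
AUTHORIZED = {"10.0.0.30"}  # constructed allow-list of the DHCP servers we run


if __name__ == "__main__":
    # Pipe real dhcploc output in, or run without input to use the sample.
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print("\n".join(report(src, AUTHORIZED)) or "no unauthorised DHCP servers seen")
```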
Restricting DHCP Administrators
You want to restrict who can administer your DHCP servers in your domain.

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in.
  2. In the console tree, click Active Directory Users and Computers→Domain-Name→Users.
  3. In the details pane, click DHCP Administrators.
  4. Click Action→Properties→Members.
  5. Remove all users and groups you do not want to have administering your DHCP server by clicking their names and then clicking Remove.
  6. To add new DHCP administrators, click Add, provide the user or group name, and then click OK.
  7. Click OK.

Using a command-line interface

Add a member to a group with DSMod by passing the -addmbr option:
> dsmod group "<GroupDN>" -addmbr "<MemberDN>"
To add a group member with AdMod, use the following syntax:
> admod -b "<GroupDN>" member:+:"<MemberDN>"
Remove a member from a group with DSMod by passing the -rmmbr option:
> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"
To remove a group member with AdMod, use the following syntax:
> admod -b "<GroupDN>" member:-:"<MemberDN>"
Replace the complete membership list with DSMod by passing the -chmbr option:
> dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN ...>"
To replace the membership of a group with AdMod, use the following command:
> admod -b "<GroupDN>" member:+-:"<Member1DN>;<Member2DN>;<Member3DN>"

Using VBScript

' This code adds a member to the DHCP Administrators group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>" ' e.g. cn=DHCP Administrators,cn=Users,<DomainDN>
strMemberDN = "<MemberDN>" ' e.g. cn=jsmith,cn=users,dc=adatum,dc=com
' ------ END CONFIGURATION --------

set objGroup = GetObject("LDAP://" & strGroupDN)
' Add a member
objGroup.Add("LDAP://" & strMemberDN)

' This code removes a member from the DHCP Administrators group.
set objGroup = GetObject("LDAP://" & strGroupDN)
objGroup.Remove("LDAP://" & strMemberDN)

Using PowerShell

You can modify the membership of the DHCP Administrators group using the Quest AD cmdlets or using ADSI methods, as follows:
Chapter 14: Security and Authentication
The default Windows 2000 installation of Active Directory was not as secure as it could have been out of the box. It allowed anonymous queries to be executed, which could take up valuable processing resources, and it did not place any requirements on encrypting or signing traffic between clients and domain controllers. As a result, usernames, passwords, and search results could be sent over the network in clear text. Fortunately, beginning with Windows Server 2003, things have been tightened up significantly. LDAP traffic is signed by default, and anonymous queries are disabled by default. Additionally, Transport Layer Security (TLS), the more flexible cousin of Secure Sockets Layer (SSL), is supported, allowing for end-to-end encryption of traffic between domain controllers and clients.
Active Directory’s ACL model provides ultimate flexibility for securing objects throughout a forest; you can restrict access down to the attribute level if you need to. With this flexibility comes increased complexity. An object’s ACL is initially generated from the default ACL for the object’s class, inherited permissions, and permissions directly applied on the object.
An ACL is a collection of ACEs, which defines the permission and properties that a security principal can use on the object to which the ACL is applied. Defining these entries and populating the ACL is the foundation of Active Directory security and .
In this chapter, we will explore some of the common tasks of managing permissions in Active Directory. If you are looking for a detailed guide to Active Directory permissions, we suggest reading Active Directory, Fourth Edition, by Brian Desmond et al. ().
In order for ACLs to be of use, a user must first authenticate to Active Directory. Kerberos is the primary network authentication system used by Active Directory. Kerberos is a standards-based system originally developed at MIT that has been widely implemented at universities. We will also be covering some Kerberos-related tasks in this chapter that you will be likely to encounter in an Active Directory environment. For a complete review of Kerberos, we recommend
Enabling SSL/TLS
You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.

Using a graphical user interface in Windows 2000 Server and Windows Server 2003

  1. Open the Control Panel on a domain controller.
  2. Open the “Add or Remove Programs” applet.
  3. Click on Add/Remove Windows Components.
  4. Check the box beside Certificate Services and click Yes to verify.
  5. Click Next.
  6. Select the type of authority you want the domain controller to be (select “Enterprise root CA” if you are unsure) and click Next.
  7. Type the common name for the CA, select a validity period, and click Next.
  8. Enter the location for certificate database and logs, and click Next.
  9. After the installation completes, click Finish.
  10. Now open the Domain Controller Security Policy GPO.
  11. Navigate to Computer Configuration→Windows Settings→Security Settings→Public Key Policies.
  12. Right-click on Automatic Certificate Request Settings and select New→Automatic Certificate Request.
  13. Click Next.
  14. Under Certificate Templates, click on Domain Controller and click Next.
  15. Click Finish.
  16. Right-click on Automatic Certificate Request Settings and select New→Automatic Certificate Request.
  17. Click Next.
  18. Under Certificate Templates, click on Computer and click Next.
  19. Click Finish.

Using a graphical user interface in Windows Server 2008

  1. Open Server Manager.
  2. Click Add Roles, and then click Next.
  3. Check the box beside Active Directory Certificate Services and click Next.
  4. The Select Role Services screen appears. Ensure that there is a checkmark next to Certification Authority and then click Next.
  5. Select the setup type that you want (select “Enterprise” if you are unsure) and click Next.
  6. Select the CA type that you want the domain controller to be (select “Root CA” if you are unsure) and click Next.
  7. The Set Up Private Key screen appears. Click Next.
  8. The Configure Cryptography for CA screen appears. Click Next.
  9. Type the common name for the CA, and click Next.
Encrypting LDAP Traffic with SSL, TLS, or Signing
You want to encrypt LDAP traffic using SSL, TLS, or signing.

Using a graphical user interface

Most of the GUI-based tools, beginning with Windows 2000 Server Service Pack 3 running on both workstation and server computers, will automatically sign and encrypt traffic between the server and client. This includes the following tools:
  • Active Directory Domains and Trusts
  • Active Directory Sites and Services
  • Active Directory Schema
  • Active Directory Users and Computers
  • ADSI Edit
  • Group Policy Management Console
  • Object Picker
With ADSI Edit, you can also specify the port number to use when browsing a partition. View the settings for a connection by right-clicking on the partition and selecting Settings. Click the Advanced button and enter 636 for LDAP over SSL or 3269 for the global catalog over SSL.
Starting with Windows Server 2003, LDP supports encryption using the StartTLS and StopTLS operations, which are available from the Options→TLS menu. With the Windows 2000 version of LDP, you can use SSL by going to Connection→Connect and entering 636 or 3269 for the port.

Using a command-line interface

The DS command-line tools support LDAP signing and encryption when run from Windows Server 2003, Windows Server 2008, Windows XP, or Windows Vista against Windows 2000 SP3 or newer domain controllers. This includes DSAdd, DSMod, DSrm, DSMove, DSGet, and DSQuery. The joeware utilities also support connecting using SSL security.

Using VBScript

' Constants taken from ADS_AUTHENTICATION_ENUM
ADS_SECURE_AUTHENTICATION = 1
ADS_USE_SSL = 2

' This code shows how to enable SSL and secure authentication using ADSI.
set objLDAP = GetObject("LDAP:")
set objOU = objLDAP.OpenDSObject("LDAP://ou=Sales,dc=adatum,dc=com", _
                                 "administrator@adatum.com", _
                                 "MyAdminPassword", _
                                 ADS_SECURE_AUTHENTICATION + ADS_USE_SSL)
WScript.Echo objOU.Get("ou")

' This code shows how to enable SSL and secure authentication using ADO.
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Properties("User ID") = "administrator@adatum.com"
objConn.Properties("Password") = "MyAdminPassword"
objConn.Properties("Encrypt Password") = True
objConn.Properties("ADSI Flag") = ADS_SECURE_AUTHENTICATION + ADS_USE_SSL
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute("<LDAP://cn=users,dc=adatum,dc=com>;" & _
                            "(cn=*);" & "cn;" & "onelevel")
' The recordset is already positioned on the first row; a MoveFirst here
' would raise an error when the search returns nothing.
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend
Disabling LDAP Signing or Encryption
You want to disable LDAP signing and/or encryption.

Using the Registry

If you need to temporarily disable LDAP encryption or signing for troubleshooting purposes, browse to the HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\ADsOpenObjectFlags key on the client that is running the administrative tool. Create a DWORD entry called ADsOpenObjectFlags and set it to one of the following values:
1
To disable LDAP signing
2
To disable LDAP encryption
3
To disable both LDAP signing and LDAP encryption

Using PowerShell

$strRegPath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\AdminDebug\ADsOpenObjectFlags"
new-ItemProperty -path $strRegPath -name "ADsOpenObjectFlags" -type DWORD
# 1 = no signing, 2 = no encryption, 3 = neither (see the list above)
set-ItemProperty -path $strRegPath -name "ADsOpenObjectFlags" -value "<Signing/Encryption Setting>"
If you want to take advantage of some of the new features of the Active Directory administration tools, but have not installed SP3 on your Windows 2000 domain yet, you can disable signing on the Windows XP/Vista or Windows Server 2003/2008 machine. It is worth stating the obvious that this is insecure and defeats one of the major benefits of the new tools, but you may have no other choice.
to enable LDAP signing and encryption
End of content preview. The remaining content of this section is not viewable here.
Enabling Anonymous LDAP Access
Content preview
You want to enable anonymous LDAP access for clients. In Windows 2000 Active Directory, anonymous queries were enabled by default, although they were restricted. With Windows Server 2003 Active Directory, anonymous queries are disabled by default except for querying the RootDSE.

Using a graphical user interface

  1. Open ADSI Edit.
  2. In the Configuration partition, browse to cn=Services→cn=Windows NT→cn=Directory Service.
  3. In the left pane, right-click on the Directory Service object and select Properties.
  4. Double-click on the dSHeuristics attribute.
  5. If the attribute is empty, set it with the value 0000002.
  6. If the attribute has an existing value, make sure the seventh digit is set to 2.
  7. Click OK twice.

Using VBScript

' This code enables or disables anonymous query mode for a forest.
On Error Resume Next ' needed when dSHeuristics has never been set
' ------ SCRIPT CONFIGURATION -----
boolEnableAnonQuery = 2 ' e.g. 2 to enable, 0 to disable
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject( _
             "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
             & objRootDSE.Get("configurationNamingContext") )
strDSH = objDS.Get("dSHeuristics")
On Error Goto 0

' Pad to at least seven characters so the seventh digit exists.
for i = len(strDSH) to 6
   strDSH = strDSH & "0"
next

' Replace only the seventh character; keep anything after it unchanged.
strNewDSH = Left(strDSH,6) & boolEnableAnonQuery
strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 7 )

WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH
if strDSH <> strNewDSH then
   objDS.Put "dSHeuristics", strNewDSH
   objDS.SetInfo
   WScript.Echo "Successfully set anon query mode to " & boolEnableAnonQuery
else
   WScript.Echo "Anon query mode already set to " & boolEnableAnonQuery
end if

Using PowerShell

$root = [ADSI]"LDAP://RootDSE"
$obj  = [ADSI]("LDAP://cn=Directory Service,cn=Windows NT,cn=Services," +
        $root.configurationNamingContext)

$dsHeuristics = $obj.dsHeuristics.value
if ($dsHeuristics -eq $null)
{
    "dsHeuristics was null (not previously set)"
    $dsHeuristics = "0000000"    # seven zeroes
}

$len = $dsHeuristics.Length
if ($len -lt 7)
{
    $dsHeuristics = $dsHeuristics + ("0000000").SubString(0, (7 - $len))
    $len = 7
}

# we've ensured that $dsHeuristics is AT LEAST seven chars long now
# it may be 13 chars or more. we really don't care about that!

$char = $dsHeuristics.SubString(6, 1)
if ($char -eq "2")
{
    "Anonymous query mode already set to 2"
}
else
{
    $upd = $dsHeuristics.SubString(0, 6) + "2"
    if ($dsHeuristics.Length -gt 7)
    {
        # keep every character after the seventh digit unchanged
        $upd = $upd + $dsHeuristics.SubString(7)
    }

    $obj.dsHeuristics = $upd
    $obj.SetInfo()

    "Anonymous query mode set to 2"
    "New value of dsHeuristics equal to $upd"
}
End of content preview. The remaining content of this section is not viewable here.
Restricting Anonymous Access to Active Directory
Content preview
You want to enable or disable anonymous access to the information stored in the Active Directory database.

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. Navigate to the Builtin container. Double-click on the Pre-Windows 2000 Compatible Access group.
  4. Click the Members tab.
  5. Select the Everyone group and click the Remove button. Click Yes and then OK to confirm.
  6. Select the Anonymous Logon user and click the Remove button. Click Yes and then OK to confirm.
  7. If the Authenticated Users group is not present in the group membership list, click Add to include it and then click OK.

Using a command-line interface

You have three command-line choices to modify the Pre-Windows 2000 Access security group: net localgroup, DSMod, or AdMod. net localgroup takes the following syntax:
> net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
> net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /delete
> net localgroup "Pre-Windows 2000 Compatible Access" "Authenticated Users" /add
To update the group membership using DSMod so that it only includes Authenticated Users, enter the following:
> dsmod group "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" -chmbr "cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"
To use AdMod, use the following syntax:
> admod -b "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" member::"cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"

Using VBScript

' This code clears the membership of the Pre-Windows 2000 Compatible Access group
' and then adds "Authenticated Users" back as the only member.
' ------ SCRIPT CONFIGURATION ------
strAnonAccessDN = "cn=Pre-Windows 2000 Compatible Access," & _
  "cn=Builtin,<DomainDN>"
strAuthUsersDN = "cn=S-1-5-11,cn=ForeignSecurityPrincipals,<
End of content preview. The remaining content of this section is not viewable here.
Using the Delegation of Control Wizard
Content preview
You want to delegate control over objects in Active Directory to a user or group.

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) or Active Directory Sites and Services snap-in, depending on the type of object you want to delegate.
  2. In the left pane, browse to the object you want to delegate control on.
  3. Right-click on the object and select Delegate Control. Only certain objects support the “Delegation of Control Wizard,” so this option will not show up for every type of object.
  4. Click Next.
  5. Click the Add button and use the Object Picker to select the users or groups you want to delegate control to.
  6. Click Next.
  7. If the task you want to delegate is an option under “Delegate the following common tasks,” place a checkmark next to it and click Next. If the task is not present, select “Create a custom task to delegate” and click Next. If you selected the latter option, you will need to perform four additional steps:
    1. Select the object type you want to delegate.
    2. Click Next.
    3. Select the permissions you want to delegate.
    4. Click Next.
  8. Click Finish.

Using a command-line interface

To grant permissions from the command line, use the following syntax:
> dsacls <ObjectDN> /g <Permissions>
For example, the following syntax will delegate the permission to read and write information to the description property:
> dsacls <ObjectDN> /g RPWP;description;

Using PowerShell

The following syntax will delegate read permission to the description property of a single object, without delegating permissions to any child objects:
Add-QADPermission -Identity <ObjectDN> -Account <Delegated User/Group DN> -Rights 'ReadProperty' -Property 'description' -ApplyTo 'ThisObjectOnly'
The Delegation of Control Wizard is Microsoft’s attempt to ease the pain of trying to set permissions for common tasks. Because Active Directory permissions are so granular, they can also be cumbersome to configure. The Delegation of Control Wizard helps in this regard, but it is still limited in functionality. The default tasks that can be delegated are fairly minimal, although you can add more tasks as described in . Another limitation is that you can only add new permissions; you cannot undo or remove permissions that you previously set with the wizard. To do that, you have to use the ACL Editor directly as described in or use
End of content preview. The remaining content of this section is not viewable here.
Customizing the Delegation of Control Wizard
Content preview
You want to add or remove delegation options in the Delegation of Control Wizard.
Open the Delegation of Control Wizard INF file (%SystemRoot%\Inf\Delegwiz.inf in Windows Server 2000 and Windows Server 2003, or %SystemRoot%\System32\Delegwiz.inf in Windows Server 2008) on the computer you want to modify the wizard for.
Under the [DelegationTemplates] section, you’ll see a line like the following:
Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13
You need to append a new template name. In this case, we’ll follow the same naming convention and create a template named template14. The line now looks like this:
Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14
Scroll to the end of the file and append a new template section. You can use the other template sections as examples. Here is the generic format:
[<TemplateName>]
AppliesToClasses = <CommaSeparatedListOfObjectClassesInvokedFrom>
Description = "<DescriptionShownInWizard>"
ObjectTypes = <CommaSeparatedListOfObjectClassesThatAreSet>

[<TemplateName>.SCOPE]
<Permission entries for Scope>

[<TemplateName>.<ObjectClass1>]
<Permission entries for ObjectClass1>

[<TemplateName>.<ObjectClass2>]
<Permission entries for ObjectClass2>

...
<TemplateName> is the same as what we used in the [DelegationTemplates] section—i.e., template14.
In the AppliesToClasses line, replace <CommaSeparatedListOfObjectClassesInvokedFrom> with a comma-separated list of LDAP display names of the classes that can be delegated. This delegation action will show up only for the classes listed here when you select Delegate Control from a snap-in. To make our new template entry apply to domain objects, OUs, and containers, we would use this line:
AppliesToClasses = domainDNS,organizationalUnit,container
In the Description line, replace <DescriptionShownInWizard>
End of content preview. The remaining content of this section is not viewable here.
Revoking Delegated Permissions
Content preview
You want to remove permissions that you’ve delegated to a domain or an OU.

Using a graphical user interface

  1. Open the Active Directory Users and Computers MMC snap-in (dsa.msc). Right-click on the object that you wish to modify and select Properties.
  2. From the Security tab, highlight the permissions entry that you wish to revoke and click Remove, then OK.

Using a command-line interface

The following command will remove any permissions that have been delegated directly to the ADATUM\jsmith user over the Finance Organizational Unit:
> dsrevoke /remove "/root:ou=Finance,dc=adatum,dc=com" ADATUM\jsmith

Using PowerShell

The following will retrieve all ACLs assigned to a particular user for an Active Directory object, and then will remove those ACEs using the remove-QADPermission cmdlet:
Get-QADPermission -Identity <ObjectDN> -Account (<User DN>) | remove-QADPermission -Identity <ObjectDN>
While the Delegation of Control wizard makes it trivial to grant permissions to objects within Active Directory, one thing that it lacks is an Undo button. To help address this, Microsoft has made the dsrevoke command-line utility a free download from its site (http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383&DisplayLang=en). The dsrevoke utility will remove any permissions that have been delegated to a security principal on a domain or an OU, with the following limitations:
  • You can use dsrevoke only on a domain or an OU; if you’ve delegated permissions over individual objects, you’ll need to remove these manually.
  • dsrevoke removes only object permissions; if you’ve assigned any user rights through Group Policy, they’ll need to be removed separately.
  • You can’t use dsrevoke to remove any permissions that have been delegated to the Schema or Configuration NCs.
Best Practices for Delegating Active Directory Administration, located at http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
End of content preview. The remaining content of this section is not viewable here.
Viewing the ACL for an Object
Content preview
You want to view the ACL for an object.

Using a graphical user interface

  1. Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool such as ADUC or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View→Advanced Features from the menu.
  2. Click the Advanced button to view a list of the individual ACEs.

Using a command-line interface

> dsacls <ObjectDN>

Using VBScript

Unfortunately, the code to view the ACEs in an ACL is quite messy and long. This will be included as part of the code on the website for the book (http://www.oreilly.com/catalog/9780596521103).

Using PowerShell

get-QADObject -Identity <ObjectDN> -SecurityMask DACL | Get-QADPermission -Inherited -SchemaDefault
Viewing an object’s ACL is a common task and should already be familiar to most administrators. The ACL Editor is useful for checking the permissions that have been set on objects, especially after running the Delegation of Control Wizard. In addition to viewing permissions, the options available in the GUI include viewing auditing settings and the owner of the object. Knowing the owner of an object is important because ownership confers certain inherent rights.
Because the ACL Editor is the same for NTFS permissions and properties as it is for Active Directory objects, you should feel comfortable with the look and feel of the interface; it is exactly the same as file and folder permissions. We also highly recommend getting familiar with the Advanced View of the ACL Editor, as this is truly the view in which you can determine what is going on with permissions. The Basic view presents a list of security principals that have permissions configured, but it will not always show every configured ACE entry. The Advanced view will show the complete picture, including the scope of permissions for ACEs down to the object and even the attribute level.
End of content preview. The remaining content of this section is not viewable here.
Customizing the ACL Editor
Content preview
You want to set permissions on attributes that do not show up in the default Active Directory Users and Computers ACL Editor.
The ACL Editor in ADUC shows only a subset of the object’s attributes on which permissions can be set. These can be seen in the ACL Editor by clicking the Advanced button, adding or editing a permission entry, and selecting the Properties tab.
An attribute can have a read permission, write permission, or both, either of which can be set to Allow or Deny. If the attribute you want to secure is not in the list, you will need to modify the dssec.dat file on the computer that you’re running the ACL Editor from.
There are sections for each object class represented in square brackets—e.g., [user]. Underneath that heading is a list of attributes that you can configure to display or not display in the ACL Editor.
These are the first few lines for the [user] section:
[user]
aCSPolicyName=7
adminCount=7
allowedAttributes=7
The value to the right of the attribute determines whether it is shown in the ACL Editor. The valid values include the following:
0
Both Read Property and Write Property are displayed for the attribute.
1
Write property is displayed for the attribute.
2
Read property is displayed for the attribute.
7
No entries are displayed for the attribute.
If the attribute is not defined, then the default value (specified by @, if present) is used.
Much like the Delegation of Control Wizard, you can customize the attributes that are shown in the ACL Editor, but you still need to distribute the dssec.dat file to all computers that need to see the change.
A good example of when this recipe is needed is for delegating the ability to unlock accounts. This is common in larger organizations when you want to assign this task to the help desk without giving them additional rights on user objects. In this case, you need to set the lockoutTime to 0 in the [user] section of the dssec.dat file.
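Because dssec.dat has to be changed on every workstation that runs the ACL Editor, it is worth being able to read and edit it from a script rather than by hand. The following Python parser and editor is an added example and not code from the book: the sample file content is constructed in the dssec.dat layout shown above, the filter values follow the table on this page, and treating a section with no @ line as "show both entries" is an assumption.

```python
"""Read and edit dssec.dat, the ACL Editor's attribute filter file.

Added example, not code from the Active Directory Cookbook. The sample file
below is constructed; the real file lives in System32 under %SystemRoot% on
the machine running the ACL Editor.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*(?P<attr>[^=;\s]+)\s*=\s*(?P<code>\d+)\s*$")

# Filter values documented on this page -> permissions the editor displays.
FILTER_CODES = {
    0: ("ReadProperty", "WriteProperty"),
    1: ("WriteProperty",),
    2: ("ReadProperty",),
    7: (),
}

SAMPLE_DSSEC = """\
; constructed sample in dssec.dat layout
[user]
@=7
aCSPolicyName=7
adminCount=7
allowedAttributes=7
description=0
lockoutTime=7

[group]
@=7
member=0
"""


def parse_dssec(text):
    """Return {object_class: {attribute: code}} with names lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current][m.group("attr").lower()] = int(m.group("code"))
    return sections


def displayed_permissions(sections, object_class, attribute):
    """Permissions the ACL Editor lists for attribute on object_class.

    Falls back to the section's '@' default; a section without '@' is
    assumed (not stated on the page) to display both entries.
    """
    entries = sections.get(object_class.lower(), {})
    code = entries.get(attribute.lower(), entries.get("@", 0))
    if code not in FILTER_CODES:
        raise ValueError(f"unknown dssec.dat filter value {code}")
    return FILTER_CODES[code]


def set_filter(text, object_class, attribute, code):
    """Return the file text with attribute=code inside [object_class].

    An existing line is rewritten in place; a missing attribute is appended
    to its section and a missing section is appended to the file. All other
    lines, comments included, are left exactly as they were.
    """
    if code not in FILTER_CODES:
        raise ValueError(f"unknown dssec.dat filter value {code}")
    out, in_section, done = [], False, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if in_section and not done:      # leaving the target section
                blanks = []
                while out and not out[-1].strip():
                    blanks.append(out.pop())
                out.append(f"{attribute}={code}")
                out.extend(blanks)
                done = True
            in_section = m.group("name").lower() == object_class.lower()
            out.append(line)
            continue
        e = ENTRY_RE.match(line)
        if in_section and e and e.group("attr").lower() == attribute.lower():
            out.append(f"{e.group('attr')}={code}")
            done = True
            continue
        out.append(line)
    if in_section and not done:
        out.append(f"{attribute}={code}")
        done = True
    if not done:
        out.extend(["", f"[{object_class}]", f"{attribute}={code}"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The help-desk unlock case from the recipe: expose lockoutTime on [user].
    before = parse_dssec(SAMPLE_DSSEC)
    print("before:", displayed_permissions(before, "user", "lockoutTime"))
    after = parse_dssec(set_filter(SAMPLE_DSSEC, "user", "lockoutTime", 0))
    print("after: ", displayed_permissions(after, "user", "lockoutTime"))
```

Run set_filter against the real file's text and write the result back to each workstation; parse_dssec and displayed_permissions let you verify, before distributing the file, exactly which Read Property and Write Property entries the ACL Editor will offer for a given class.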
MS KB 296490 (How to Modify the Filtered Properties of an Object) and MS KB 294952 (How to Delegate the Unlock Account Right)
End of content preview. The remaining content of this section is not viewable here.
Viewing the Effective Permissions on an Object
Content preview
You want to view the effective permissions that a user or group has for a particular object.

Using a graphical user interface

  1. Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool such as ADUC or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View→Advanced Features from the menu.
  2. Click the Advanced button.
  3. Select the Effective Permissions tab.
  4. Click the Select button to bring up the Object Editor.
  5. Find the user or group for which you want to see the effective permissions.
  6. The results will be shown under Effective Permissions.
The Effective Permissions tab is available beginning with the Windows Server 2003 version of the ACL Editor. For Windows 2000, you’ll need to use the acldiag command-line solution. acldiag is not available in Windows Server 2008.

Using a command-line interface

> acldiag <ObjectDN> /geteffective:<UserOrGroup>
Viewing the permissions on an object does not tell the whole story as to what the actual translated permissions are for a user or group on that object. The effective permissions of an object take into account all group membership and any inherited permissions that might have been applied further up the tree. While this is a useful tool to analyze permissions, it is still unfortunately only a best guess; there are still some situations in which certain permissions will not be reflected.
MS KB 323309 (Effective Permissions Are Displayed Incorrectly)
End of content preview. The remaining content of this section is not viewable here.
Configuring Permission Inheritance
Content preview
You want to configure permission inheritance on an Active Directory container to determine whether a child object should automatically receive any permissions that you’ve granted to its parent object.

Using a graphical user interface

  1. Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool such as Active Directory Users and Computers (ADUC) or ADSI Edit. Select the Security tab. If the Security tab is not visible within ADUC, you must select View→Advanced Features from the menu.
  2. Click the Advanced button to view a list of the individual ACEs.
  3. To turn off inheritance, remove the checkmark next to “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries defined explicitly here.”
  4. You will be given the option to “Copy the existing permissions onto the object as explicitly assigned permissions,” to “Remove all inherited permissions (all explicitly assigned permissions will remain in place),” or to “Cancel the operation.”
  5. To re-enable permission inheritance from objects further up the directory structure, reinsert the checkmark listed in Step 3.

Using a command-line interface

To disable permission inheritance (i.e., to configure an object such that only explicitly assigned permissions apply), use the following syntax:
> dsacls <ObjectDN> /P:Y
To enable permission inheritance, do the following:
> dsacls <ObjectDN> /P:N

Using VBScript

' This code enables or disables the "Allow inheritable permissions..."
' setting on an AD object.
' ------ SCRIPT CONFIGURATION ------
Const SE_DACL_PROTECTED = &H1000
strObject = "<ObjectDN>" ' e.g. ou=Finance,dc=adatum,dc=com
boolDisableInheritance = True ' set to False to re-enable inheritance
' ------ END CONFIGURATION ---------

Set objObject = GetObject("LDAP://" & strObject)
Set objntSD = objObject.Get("nTSecurityDescriptor")
intNTSDControl = objntSD.Control

if boolDisableInheritance then
   ' Set the SE_DACL_PROTECTED bit: the DACL no longer receives inherited ACEs.
   intNTSDControl = intNTSDControl Or SE_DACL_PROTECTED
else
   ' Clear the bit so inheritable permissions from the parent apply again.
   intNTSDControl = intNTSDControl And (Not SE_DACL_PROTECTED)
end if
objntSD.Control = intNTSDControl
objObject.Put "nTSecurityDescriptor", objntSD
objObject.SetInfo

if boolDisableInheritance then
   Wscript.Echo "Inheritable permissions disabled!"
else
   Wscript.Echo "Inheritable permissions enabled!"
end if
End of content preview. The remaining content of this section is not viewable here.
Changing the ACL of an Object
Content preview
You want to change the ACL on an object to grant or restrict access to it for a user or group.

Using a graphical user interface

  1. Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool such as ADUC or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View→Advanced Features from the menu.
  2. Click the Advanced button to view a list of the individual ACEs.
  3. Click Add to specify a new user or group, then place checkmarks next to the permissions that you want to assign and click OK.
  4. To remove an ACE, highlight the entry and click Remove. If the Permissions entry is inherited from further up the directory tree, the option to remove the permission will not be available unless you remove the checkmark next to “Allow inheritable permissions from the parent to propagate to this object and all child objects…”. With this checkmark in place, you will only have the option to remove any permissions that have <not inherited> listed in the “Inherited From” column.

Using a command-line interface

To grant permissions from the command line, use the following syntax:
> dsacls <ObjectDN> /g <Permissions>
To deny permissions, replace /g with /d.

Using VBScript

See , , , and for several examples of modifying an ACL with VBScript.

Using PowerShell

To add an entry to the ACL of an object, use the Add-QADPermission Quest AD cmdlet. To remove an existing ACL entry, use the Remove-QADPermission cmdlet.
Changing the ACL of an object is a common task for administrators in any but the most basic AD implementations because, as shown in Recipes and , the Delegation of Control Wizard is limited and cumbersome to extend and deploy. The GUI and command-line methods are useful for one-off changes to permissions, but for making global changes to a number of objects, you should consider using a script to automate the process.
End of content preview. The remaining content of this section is not viewable here.
Changing the Default ACL for an Object Class
Content preview
You want to change the default ACL for an object class in the schema.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.
  2. In the left pane, browse to the class you want to modify.
  3. Right-click on it and select Properties.
  4. Select the Default Security tab.
  5. Use the ACL Editor to change the ACL.
  6. Click OK.
The Default Security tab is available only in the Windows Server 2003 and newer versions of the Active Directory Schema snap-in. See MS KB 265399 for the manual approach that is needed with Windows 2000.
Each instantiated object in Active Directory has an associated structural class that defines a default security descriptor (the defaultSecurityDescriptor attribute). When an object is created and a security descriptor isn’t specified, the default security descriptor is applied to it. This, along with inheritable permissions from the parent container, determines how an object’s security descriptor is initially defined. If you find that you are modifying the default security descriptor on a particular type of object every time it is created, you may want to modify its default security descriptor. (Another option would be to use a script that would modify the individual object’s ACL at the same time that the object was created.)
for more on registering the Active Directory Schema snap-in, for comparing the ACL of an object to the default defined in the schema, for resetting the ACL of an object to the default defined in the schema, and MS KB 265399 (How to Change Default Permissions for Objects That Are Created in the Active Directory)
End of content preview. The remaining content of this section is not viewable here.
Comparing the ACL of an Object to the Default Defined in the Schema
Content preview
You want to determine if an object has the permissions defined in the schema for its object class as part of its ACL.

Using a command-line interface

> acldiag <ObjectDN> /schema
For more on the default security descriptor (SD), see . acldiag will determine if the object possesses the security descriptor that’s defined in the schema—if you’ve modified the security descriptor, acldiag will compare the object’s SD against the currently defined SD, not the Active Directory default.
The acldiag tool is available in the Windows Server 2003 Resource Kit; it is not supported in Windows Server 2008.
for resetting an object’s ACL to the default defined in the schema
End of content preview. The remaining content of this section is not viewable here.
Resetting an Object’s ACL to the Default Defined
Content preview
You want to reset an object’s ACL to the one defined in the schema for the object’s object class.

Using a graphical user interface

This is available only in the Windows Server 2003 and newer versions of the ACL Editor.
  1. Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool such as ADUC or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View→Advanced Features from the menu.
  2. Click the Advanced button.
  3. Click the Default button.
  4. Click OK twice.

Using a command-line interface

> dsacls <ObjectDN> /s
For more on the default security descriptor, see .
End of content preview. The remaining content of this section is not viewable here.
Preventing the LM Hash of a Password from Being Stored
Content preview
You want to prevent the LM hash for new passwords from being stored in Active Directory. The LM hash is primarily used for backward compatibility with Windows 95 and 98 clients; it is susceptible to brute force attacks.
For Windows 2000, you need to create the following Registry key on all domain controllers: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash. Note that this is a key and not a value entry. Also, this is supported only on Windows 2000 SP2 and later domain controllers.
For Windows Server 2003, the NoLMHash key has turned into a DWORD value entry under the HKLM\SYSTEM\CurrentControlSet\Control\Lsa key. This value should be set to 1. You can accomplish this by modifying the Default Domain Controller Security Policy as described next.

Using a graphical user interface

  1. Open the Default Domain Controller Group Policy Object in the GPMC.
  2. In the left pane, expand Computer Configuration→Policies→Windows Settings→Security Settings→Local Policies→Security Options.
  3. In the right pane, double-click on “Network security: Do not store LAN Manager hash value on next password change.”
  4. Check the box beside “Define this policy setting.”
  5. Click the Enabled radio button.
If you do not have Windows 98 or older clients in your domain, you should disable the storage of the LM password hash for users. The LM hash uses an old algorithm (pre-Windows NT 4.0) and is considered to be relatively weak compared to the NT hash that is also stored.
The LM hash is generated only for passwords that are shorter than 15 characters. So if you have a password longer than this, the LM hash is not stored for you.
In addition to making this change on the server side, you should configure your network clients as described in . Finally, to clear any existing LM hashes that have already been stored in AD, you will need to force a password change for the users in question.
MS KB 299656 (How to Prevent Windows from Storing a LAN Manager Hash of Your Password in Active Directory and Local SAM Databases)
End of content preview. The remaining content of this section is not viewable here.
Enabling Strong Domain Authentication
Content preview
You want to ensure that users can only authenticate to Active Directory using strong authentication protocols.

Using a graphical user interface

  1. Open the Group Policy Management Console snap-in.
  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain you want to administer, and expand the Group Policy Objects container.
  3. Right-click on the GPO that controls the configuration of your domain controllers and select Edit. (By default, this is the Default Domain Controller Policy, but it may be a different GPO in your environment.) This will bring up the Group Policy Object Editor.
  4. Browse to Computer Configuration→Policies→Windows Settings→Security Settings→Local Policies→Security Options.
  5. Double-click on “Network security: LAN Manager Authentication Level.” Place a checkmark next to “Define this policy setting.”
  6. Select “Send NTLMv2 responses only/refuse LM & NTLM.” Click OK.
  7. Wait for Group Policy to refresh, or type gpupdate /force from the command prompt of a Windows Server 2003 or higher domain controller. On a Windows 2000 DC, use the secedit command with the /refreshpolicy switch.
Microsoft operating systems have supported different flavors of LM and NT LAN Manager (NTLM) authentication since the earliest days of Windows. LM authentication is an extremely old and weak authentication protocol that should no longer be used in production environments unless absolutely necessary. By default, Windows 2000 Active Directory supported client authentication attempts using LM, NTLM, or NTLMv2; Windows Server 2003 and above supports only NTLM and NTLMv2 out of the box.
The strongest NTLM authentication scheme you can select is to refuse LM and NTLM authentication from any client, and to only respond to clients using NTLMv2. Depending on your client configuration, though, enabling this option may require changes on the client side as well. You can apply the same setting to a GPO linked to your Active Directory domain to ensure that all of your clients will use NTLMv2 instead of older, weaker protocols.
End of content preview. The remaining content of this section is not viewable here.
Enabling List Object Access Mode
Content preview
You want to prevent any authenticated user from being able to browse the contents of Active Directory by default. Enabling List Object Access mode means that users will need explicit permissions to see directory listings of containers.

Using a graphical user interface

  1. Open ADSI Edit.
  2. In the Configuration partition, browse to cn=Services→cn=Windows NT→cn=Directory Service.
  3. In the left pane, right-click on the Directory Service object and select Properties.
  4. Double-click on the dSHeuristics attribute.
  5. If the attribute is empty, set it with the value 001. If the attribute has an existing value, make sure the third digit (from the left) is set to 1.
  6. Click OK twice.

Using VBScript

On Error Resume Next ' necessary if dSHeuristics is not
                     ' already set

' This code enables or disables list object mode for a forest.
' ------ SCRIPT CONFIGURATION -----
boolEnableListObject = 1 ' e.g. 1 to enable, 0 to disable
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject( _
                "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
                & objRootDSE.Get("configurationNamingContext") )
strDSH = objDS.Get("dSHeuristics")
' Get fails when the attribute has never been set; treat that as an empty string
if IsEmpty(strDSH) or IsNull(strDSH) then strDSH = ""
' Pad with zeros so that the third character (list object mode) exists
if len(strDSH) < 2 then
   strDSH = strDSH & String(2 - len(strDSH), "0")
end if
strNewDSH = Left(strDSH,2) & boolEnableListObject
if len(strDSH) > 3 then
   strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 3)
end if

WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH

if strDSH <> strNewDSH then
   objDS.Put "dSHeuristics", strNewDSH
   objDS.SetInfo
   WScript.Echo "Successfully set list object mode to " & _
                boolEnableListObject
else
   WScript.Echo "List object mode already set to " & boolEnableListObject
end if
List Object Access mode is useful if you want your users to view only a subset of objects when doing a directory listing of a particular container, or you do not want them to be able to list the objects in a container at all. By default, the
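The VBScript above hard-codes the third position of dSHeuristics. As an added example (mine, not the book's), here is a PowerShell helper that sets any single dSHeuristics character, padding a short or empty value with zeros, plus a wrapper that writes the result to the Directory Service object through ADSI only when the value actually changes. It assumes PowerShell 3.0 or later. The rule that every tenth character must carry the digit of its own position comes from Microsoft's MS-ADTS description of dSHeuristics, not from this page.

```powershell
# Added example: generic dSHeuristics editor (not from the book).
# dSHeuristics is a positional string: character 3 controls List Object mode.
# Per MS-ADTS, characters 10, 20, 30 ... must contain the digits 1, 2, 3 ... so
# that a shifted or truncated value is rejected rather than silently misread.
function Set-DsHeuristicsChar {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Current,
        [Parameter(Mandatory)][int]$Position,
        [Parameter(Mandatory)][char]$Value
    )
    if ($Position -lt 1) { throw "Position must be 1 or greater" }
    if ($Position % 10 -eq 0) { throw "Position $Position is a reserved marker character" }

    $chars = New-Object System.Collections.Generic.List[char]
    $chars.AddRange([char[]]$Current)
    # Pad with zeros up to the requested position, filling the marker positions
    while ($chars.Count -lt $Position) {
        $next = $chars.Count + 1
        if ($next % 10 -eq 0) { $chars.Add([char][string]($next / 10)) }
        else                  { $chars.Add([char]'0') }
    }
    $chars[$Position - 1] = $Value
    return (-join $chars)
}

function Set-ListObjectMode {
    param([switch]$Disable)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $ds = [ADSI]('LDAP://CN=Directory Service,CN=Windows NT,CN=Services,' +
                 $rootDse.Get('configurationNamingContext'))
    $old = [string]$ds.Properties['dSHeuristics'].Value   # "" when not yet set
    $flag = if ($Disable) { '0' } else { '1' }
    $new = Set-DsHeuristicsChar -Current $old -Position 3 -Value $flag
    if ($new -ne $old) {
        $ds.Properties['dSHeuristics'].Value = $new
        $ds.CommitChanges()
        "dSHeuristics changed from '$old' to '$new'"
    } else {
        "dSHeuristics already '$old'; nothing to do"
    }
}

Set-ListObjectMode            # enable List Object mode for the forest
# Set-ListObjectMode -Disable # put it back
```

An empty attribute becomes 001, a value of 0 becomes 001, and an existing longer value keeps every other character. Because dSHeuristics is forest-wide and lives in the Configuration partition, the change replicates to every domain controller; check the written value with ADSI Edit on a second DC after replication before relying on it.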
End of content preview. The rest of this section is not viewable here.
Modifying the ACL on Administrator Accounts
Content preview
You want to modify the ACL for user accounts that are members of one of the administrative groups.
Using one of the methods described in , modify the ACL on the cn=AdminSDHolder,cn=System,<DomainDN> object in the domain that the administrator accounts reside in. The ACL on this object gets applied every hour to all user accounts that are members of the administrative groups.
If you’ve ever tried to directly modify the ACL on a user account that was a member of one of the administrative groups in Active Directory, or you modified the ACL on the OU containing an administrative account, and then wondered why the account’s ACL was overwritten later, you’ve come to the right place. The Admin SD Holder feature of Active Directory is one that many administrators stumble upon after much grinding of teeth. However, after you realize the purpose for it, you’ll understand it is a necessary feature.
Once an hour, a process on the PDC Emulator that we’ll refer to as the Admin SD Holder process compares the ACL on the AdminSDHolder object to the ACL on the accounts that are in administrative groups in the domain, as well as the ACL on the groups themselves. If it detects a difference, it will overwrite the account or group ACL and disable inheritance.
If you later remove a user from an administrative group, you will need to reapply any inherited permissions and enable inheritance if necessary. The Admin SD Holder process will not take care of this for you.
The Admin SD Holder process is intended to subvert any malicious activity by a user that has been delegated rights over an OU or container that contains an account that is in one of the administrative groups. An OU administrator could, for example, modify permissions inheritance on an OU to attempt to lock out the Domain Admins group; this permission change would be reverted the next time the AdminSDHolder thread runs.
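The point above about having to reapply inherited permissions yourself is the one that gets missed, and accounts that keep a protected ACL after leaving the administrative groups are also a common audit finding. The following PowerShell is an added example (mine, not the book's) that lists accounts still stamped by the Admin SD Holder process (adminCount=1 with inheritance disabled) that are no longer members of any protected group, and optionally clears the stamp and re-enables inheritance. It assumes the ActiveDirectory module from Windows Server 2008 R2 or later; the list of protected groups is the well-known default set, supplied by me because the book's own list is cut off on this page.

```powershell
# Added example: find and repair accounts orphaned by the AdminSDHolder process.
Import-Module ActiveDirectory

# Default protected groups (my list, not the book's). Enterprise Admins and
# Schema Admins exist only in the forest root domain.
$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'

function Get-OrphanedAdminCountUser {
    # Collect the DN of every direct or nested member of a protected group
    $protected = @{}
    foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $protected[$_.DistinguishedName] = $true }
    }
    # Users still stamped adminCount=1 but no longer in any protected group
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { -not $protected.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
            [pscustomobject]@{
                SamAccountName      = $_.SamAccountName
                DistinguishedName   = $_.DistinguishedName
                InheritanceDisabled = $acl.AreAccessRulesProtected
            }
        }
}

function Repair-OrphanedAdminCountUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'clear adminCount and re-enable inheritance')) {
            Set-ADUser -Identity $DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            # $false = stop protecting (inheritance back on); $true = keep existing ACEs
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

# Review the list first; drop -WhatIf once it looks right
Get-OrphanedAdminCountUser | Format-Table -AutoSize
Get-OrphanedAdminCountUser | Repair-OrphanedAdminCountUser -WhatIf
```

Keeping existing ACEs when inheritance is re-enabled (the second argument to SetAccessRuleProtection) is deliberate: the explicit entries copied from AdminSDHolder are harmless, and dropping them would leave the account with only inherited rights until the OU's ACL is confirmed.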
These are the groups included as part of the Admin SD Holder processing:
End of content preview. The rest of this section is not viewable here.
Viewing and Purging Your Kerberos Tickets
Content preview
You want to view and possibly purge your Kerberos tickets.
Both the kerbtray and klist utilities can be found in the Windows Server 2003 Resource Kit.
The kerbtray utility is not supported under Windows Server 2008. Klist is supported under Windows Server 2008 and is built into the Active Directory Domain Services role.

Using a graphical user interface

  1. Run kerbtray.exe from the command line or Start→Run.
  2. A new icon (green) should show up in the system tray. Double-click on that icon. This will allow you to view your current tickets.
  3. To purge your tickets, right-click on the kerbtray icon in the system tray and select Purge Tickets.
  4. Close the kerbtray window and reopen it by right-clicking on the kerbtray icon and selecting List Tickets.

Using a command-line interface

Run the following command to list your current tickets:
> klist tickets
Run the following command to purge your tickets:
> klist purge
Active Directory uses Kerberos as its preferred network authentication system. When you authenticate to a Kerberos Key Distribution Center (KDC), which in Active Directory terms is a domain controller, you are issued one or more tickets. These tickets identify you as a certain principal in Active Directory and can be used to authenticate you to other Kerberized services. This type of ticket is known as a ticket-granting ticket, or TGT. Once you’ve obtained a TGT, the client can use the TGT to gain access to a Kerberized service by querying the Ticket Granting Service on the KDC; if the KDC verifies that the user is authorized to access the service in question, it will issue a service ticket that allows the client to use the particular service.
Kerberos is a fairly complicated system and we can’t do it justice in a single paragraph. If you want more information on tickets and how the Kerberos authentication system works, see Jason Garman’s Kerberos: The Definitive Guide (O’Reilly).
End of content preview. The rest of this section is not viewable here.
Forcing Kerberos to Use TCP
Content preview
Clients are experiencing authentication problems, and you’ve determined it is due to UDP fragmentation of Kerberos traffic. You want to force Kerberos traffic to use the TCP protocol instead.

Using a graphical user interface

  1. Run regedit.exe from the command line or from Start→Run.
  2. In the left pane, expand HKEY_LOCAL_MACHINE→System→CurrentControlSet→Control→Lsa→Kerberos→Parameters.
  3. Right-click on Parameters and select New→DWORD value. Enter MaxPacketSize for the value name.
  4. In the right pane, double-click on MaxPacketSize and enter 1.
  5. Click OK.

Using a command-line interface

> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "MaxPacketSize" /t REG_DWORD /d 1

Using VBScript

' This code forces Kerberos to use TCP.
' ------ SCRIPT CONFIGURATION -----
strComputer = "<ComputerName>" ' e.g. rallen-w2k3
' ------ END CONFIGURATION --------

const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
set objReg = GetObject("winmgmts:\\" & strComputer & _
                       "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, "MaxPacketSize", 1
WScript.Echo "Kerberos forced to use TCP for " & strComputer

Using PowerShell

# The key sits under ...\Control\Lsa\Kerberos\Parameters; -Force creates the
# value when it is missing and overwrites it when it already exists
$strRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
New-ItemProperty -Path $strRegPath -Name "MaxPacketSize" -PropertyType DWORD -Value 1 -Force
If you have users that are experiencing extremely slow logon times (especially over VPN) or they are seeing the infamous “There are currently no logon servers available to service the logon request” message, then they may be experiencing UDP fragmentation of Kerberos traffic. This occurs because UDP is a connectionless protocol, so UDP packets that arrive out of order will be dropped by the destination router. One way to help identify if there is a problem with Kerberos is to have the users run the following command:
> netdiag /test:kerberos
Another source of information (such as in Windows Server 2008 where
End of content preview. The rest of this section is not viewable here.
Modifying Kerberos Settings
Content preview
You want to modify the default Kerberos settings, such as the maximum ticket lifetime.

Using a graphical user interface

  1. Open the Default Domain Group Policy Object, or another domain-linked GPO, in the Group Policy Management Console.
  2. Navigate to Computer Configuration→Policies→Account Policies→Kerberos Policy.
  3. In the right pane, double-click on the setting you want to modify.
  4. Enter the new value and click OK.
There are several Kerberos-related settings you can customize, most of which revolve around either increasing or decreasing the maximum lifetime for Kerberos user and service tickets. In most environments, the default settings are sufficient, but the ones you can modify are listed in .
Change the default Kerberos policy settings with caution, as doing so can cause operational problems and compromise security if done incorrectly.
Table: Kerberos policy settings

Setting                                               Default value
Enforce user logon restrictions                       Enabled
Maximum lifetime for service ticket                   600 minutes
Maximum lifetime for user ticket                      10 hours
Maximum lifetime for user ticket renewal              7 days
Maximum tolerance for computer clock synchronization  5 minutes
MS KB 231849 (Description of Kerberos Policies in Windows 2000) and MS KB 232179 (Kerberos Administration in Windows 2000)
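Because these settings live in a domain-linked GPO rather than on a directory object, the quickest way to audit them is to export the effective security policy with secedit on a domain controller and compare its [Kerberos Policy] section against the defaults in the table above. The following PowerShell is an added example (mine, not the book's): the parser, the table's defaults, and a constructed secedit export in which one value has been changed. It assumes PowerShell 3.0 or later; the section and value names (MaxTicketAge and so on) are the ones secedit writes, not names taken from this page.

```powershell
# Added example: detect drift from the default Kerberos policy values.
# Defaults are the table's values, in the units secedit exports them in.
$KerberosDefaults = [ordered]@{
    TicketValidateClient = 1     # Enforce user logon restrictions (1 = Enabled)
    MaxServiceAge        = 600   # Maximum lifetime for service ticket, minutes
    MaxTicketAge         = 10    # Maximum lifetime for user ticket, hours
    MaxRenewAge          = 7     # Maximum lifetime for user ticket renewal, days
    MaxClockSkew         = 5     # Maximum tolerance for clock synchronization, minutes
}

function Get-KerberosPolicyDrift {
    param([Parameter(Mandatory)][string[]]$SeceditLines)
    $inSection = $false
    $actual = @{}
    foreach ($line in $SeceditLines) {
        # Section headers look like [Kerberos Policy]; only that section matters
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)\s*$') {
            $actual[$Matches[1]] = [int]$Matches[2]
        }
    }
    foreach ($name in $KerberosDefaults.Keys) {
        $value = if ($actual.ContainsKey($name)) { $actual[$name] } else { $null }
        [pscustomobject]@{
            Setting = $name
            Default = $KerberosDefaults[$name]
            Actual  = $value
            Drift   = ($value -ne $KerberosDefaults[$name])   # a missing value counts as drift
        }
    }
}

# Constructed sample export (not captured from a real system): clock skew raised to 30
$sample = @'
[Unicode]
Unicode=yes
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 30
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Get-KerberosPolicyDrift -SeceditLines $sample | Format-Table -AutoSize

# On a domain controller, export the live policy and feed it in the same way:
#   secedit /export /cfg C:\Temp\secpol.inf /areas SECURITYPOLICY
#   Get-KerberosPolicyDrift -SeceditLines (Get-Content C:\Temp\secpol.inf)
```

The export has to be taken on a domain controller, because that is where the domain's Kerberos policy is applied; a member server's export will simply have no [Kerberos Policy] section, and every setting will then show as drift.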
End of content preview. The rest of this section is not viewable here.
Viewing Access Tokens
Content preview
You want to view the access tokens that are created for a user account that has authenticated to Active Directory.

Using a command-line interface

> tokensz /compute_tokensize /package:negotiate /target_server:host/<DCName> /user:<Username> /domain:<DomainName> /password:<Password> /dumpgroups
When an Active Directory security principal receives a TGT from the Kerberos Key Distribution Center, the TGT contains a Privilege Attribute Certificate (PAC). This PAC contains several pieces of authentication data, such as the groups that a user belongs to (including all nested group memberships). In the majority of AD environments, this PAC is created without issue, but some larger environments can run into instances of token bloat. This occurs when a user belongs to a large number of groups (estimates start around 70 to 120), and the size of the PAC becomes too large for the TGT to handle. This issue can manifest itself through authentication issues or through Group Policy Objects not applying properly. You can use the tokensz.exe utility, downloadable from http://go.microsoft.com/fwlink/?LinkId=25830, to compute the token size for a user relative to the maximum allowable size, as well as to list the groups that a user belongs to.
You can resolve this issue by streamlining the number of groups that the user or users belong to, which has the added benefit of simplifying the process of assigning permissions and applying Group Policy Objects. If this isn’t possible, you can apply the hotfix referenced in MS KB 327825 or modify the HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize DWORD value on your domain computers. This issue is more relevant on Windows 2000 domain controllers, since Windows Server 2003 has made a number of improvements to alleviate the need to modify this value.
If you determine that you need to modify the MaxTokenSize value, use the following formula as an approximate guideline:
1200 + 40d + 80s
In this equation, 1200 denotes a suggested amount of overhead that’s used by the PAC; you can use the
End of content preview. The rest of this section is not viewable here.
Chapter 15: Logging, Monitoring, and Quotas
Content preview
This chapter deals with tracking the activity and usage of various Active Directory components. When you need to troubleshoot a problem, often the first place you look is the logfiles. With Active Directory, there are several different logfiles, and each has different ways to increase or decrease the verbosity of the information that is logged. Viewing log messages can be a useful troubleshooting step, but you should also look at performance metrics to determine if system hardware or a particular service is being overutilized. In this chapter, we’ll review a couple of ways you can view performance metrics, as well as monitor Active Directory performance. For more extensive monitoring, we suggest looking at NetPro’s Active Directory monitoring tools (http://www.netpro.com/), Microsoft System Center Operations Manager (http://microsoft.com/scom/), or similar products from other vendors such as NetIQ or Quest. In addition to the typical items that you would monitor on a Windows Server (e.g., disk space usage, physical and virtual memory errors, processor utilization), you should also monitor AD-specific performance metrics. This extends to monitoring replication activity, Event Log information, and the status of services like the File Replication Service (FRS).
We’ll also cover a somewhat-related topic called quotas, which allow you to monitor and limit the number of objects that a security principal (user, group, or computer) can create within a partition. This feature, introduced in Windows Server 2003, attempts to close a hole that existed in Windows 2000 where users who had access to create objects in Active Directory could create as many of those objects as they wanted. These users could even cause a denial-of-service attack by creating objects until the disk drive on the domain controllers filled to capacity. This kind of attack is not likely to happen in most environments, but you should still consider the possibility and protect against it.
End of content preview. The rest of this section is not viewable here.
Introduction
Content preview
Quota objects became available in Windows Server 2003. They are stored in the
End of content preview. The rest of this section is not viewable here.
Enabling Extended dcpromo Logging
Content preview
You want to enable extended dcpromo logging. This can be useful if you are experiencing problems during the Domain Controller promotion or demotion process and the dcpromo logfiles are not providing enough information to indicate the problem.
These solutions are slightly different on Windows 2000. See for more information. To enable the maximum amount of logging, use 16711683 (FF0003 in hexadecimal) as the flag value. For a complete description of the possible bit values, see MS KB 221254.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. In the left pane, expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui.
  3. If the LogFlags value does not exist, right-click on dcpromoui in the left pane and select New→DWORD Value. For the name, enter LogFlags.
  4. In the right pane, double-click on the LogFlags value and enter the flag value you want to set.
  5. Click OK.

Using a command-line interface

In the following command, <FlagValue> needs to be the decimal version (not hexadecimal) of the flag value:
> reg add HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui /v "LogFlags" /t REG_DWORD /d <FlagValue>

Using VBScript

' This code sets the dcpromoui logging flag (for Windows Server 2003 only).
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>" ' e.g. dc01
intFlag = <FlagValue>            ' Flag value in decimal, e.g. 16711683
' ------ END CONFIGURATION --------

const HKLM = &H80000002
' Key path only; the LogFlags value name is passed to SetDwordValue separately
strDcpromoReg = "Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strDcpromoReg, "LogFlags", intFlag
WScript.Echo "Dcpromoui flag set to " & intFlag

Using PowerShell

# Key path only; the value name is LogFlags and <FlagValue> is the decimal
# flag value, e.g. 16711683 for maximum logging
$strRegPath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\AdminDebug\dcpromoui"
New-ItemProperty -Path $strRegPath -Name "LogFlags" -PropertyType DWORD -Value "<FlagValue>" -Force
End of content preview. The rest of this section is not viewable here.
Enabling Diagnostics Logging
Content preview
You want to enable diagnostics event logging because the current level of logging is not providing enough information to help pinpoint the problem you are troubleshooting.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. In the left pane, expand the following Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics.
  3. In the right pane, double-click on the diagnostics logging entry you want to increase, and enter a number (0–5) based on how much you want logged.
  4. Click OK.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "<LoggingSetting>" /t REG_DWORD /d <0-5>

Using VBScript

' This code sets the specified diagnostics logging level.
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>"   ' e.g. dc01
strLogSetting = "<LoggingSetting>" ' e.g. 1 Knowledge Consistency Checker
intFlag = <FlagValue>              ' Flag value in decimal, e.g. 5
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
' The registry value name is the diagnostics setting itself,
' e.g. "1 Knowledge Consistency Checker"
objReg.SetDwordValue HKLM, strRegKey, strLogSetting, intFlag
WScript.Echo "Diagnostics logging for " & strLogSetting _
             & " set to " & intFlag

Using PowerShell

$strRegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
Set-ItemProperty -Path $strRegPath -Name "<LoggingSetting>" -Value "<FlagValue>"
A useful way to troubleshoot specific problems you are encountering with Active Directory is to increase the diagnostics logging level. Diagnostics logging can be enabled for individual components of AD. For example, if you determine the KCC is not completing every 15 minutes, you can enable diagnostics logging for the “1 Knowledge Consistency Checker” setting.
These settings are stored under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. By default, all settings are set to 0, which disables diagnostic logging, but you can increase it by setting it to a number from 1 through 5. As a general rule, a value of 1 is used for minimum logging, 3 for medium logging, and 5 for maximum logging. It is a good practice to ease your way up to 5 because some diagnostics logging settings can generate a bunch of events in the event log, which may make it difficult to read, along with increasing resource utilization on the domain controller.
End of content preview. The rest of this section is not viewable here.
Enabling NetLogon Logging
Content preview
You want to enable NetLogon logging to help with troubleshooting client account logon, lockout, or domain-controller location issues.

Using a command-line interface

To enable NetLogon logging, use the following command:
> nltest /dbflag:0x2080ffff
To disable NetLogon logging, use the following command:
> nltest /dbflag:0x0
The netlogon.log file located in %SystemRoot%\Debug can be invaluable for troubleshooting client logon and related issues. When enabled at the highest setting (0x2080ffff), it logs useful information such as the site the client is in, the domain controller the client authenticated against, additional information related to the DC Locator process, account password expiration information, account lockout information, and even Kerberos failures.
The NetLogon logging level is stored in the following registry value:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
If you set that registry value manually instead of using nltest, you’ll need to restart the NetLogon service for it to take effect.
One of the issues with the netlogon.log file is that it can quickly grow to several megabytes, which makes it difficult to peruse. A new tool available for Windows XP, Windows Server 2003 and Windows Server 2008 called nlparse can filter the contents of the netlogon.log file so that you’ll see only certain types of log entries. The nlparse tool is part of the Account Lockout and Management Tools that Microsoft made available from the following web page (assuming the tools haven’t moved):
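nlparse does its filtering through a GUI. As an added example (mine, not from the book), here is a PowerShell function that performs the most common cut on netlogon.log, failed SamLogon entries, and summarizes them per account and source workstation, which is the view you want when chasing a lockout. It assumes PowerShell 3.0 or later and the line layout shown in the constructed sample (date, time, [LOGON] category, message ending in "Returns 0x..."); the NTSTATUS names come from the Windows SDK headers, not from this page.

```powershell
# Added example: summarize failed logons from netlogon.log (not from the book).
# NTSTATUS codes NetLogon reports after "Returns"; names per the Windows SDK.
$NtStatusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
}

function Get-NetlogonFailure {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$MinCount = 1            # raise this to surface only repeated failures
    )
    $pattern = '^(?<time>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*? logon of (?<user>\S+) from (?<source>\S+) .*?Returns (?<status>0x[0-9A-Fa-f]+)'
    $failures = foreach ($line in $Lines) {
        # 0x0 is a successful logon; everything else is a failure worth counting
        if ($line -match $pattern -and $Matches.status -ne '0x0') {
            [pscustomobject]@{
                Time   = $Matches.time
                User   = $Matches.user
                Source = $Matches.source
                Status = $Matches.status
            }
        }
    }
    $failures | Group-Object User, Source |
        Where-Object { $_.Count -ge $MinCount } |
        ForEach-Object {
            $reasons = $_.Group.Status | Sort-Object -Unique | ForEach-Object {
                if ($NtStatusNames.ContainsKey($_)) { $NtStatusNames[$_] } else { $_ }
            }
            [pscustomobject]@{
                User    = $_.Group[0].User
                Source  = $_.Group[0].Source
                Count   = $_.Count
                First   = $_.Group[0].Time
                Last    = $_.Group[-1].Time
                Reasons = ($reasons -join ', ')
            }
        }
}

# Constructed sample lines in netlogon.log layout (not a real capture)
$sampleLog = @'
05/26 17:53:43 [LOGON] ADATUM: SamLogon: Transitive Network logon of ADATUM\jsmith from WKS001 (via DC01) Returns 0xC000006A
05/26 17:53:44 [LOGON] ADATUM: SamLogon: Transitive Network logon of ADATUM\jsmith from WKS001 (via DC01) Returns 0xC000006A
05/26 17:53:45 [LOGON] ADATUM: SamLogon: Network logon of ADATUM\jsmith from WKS001 Returns 0xC0000234
05/26 17:53:50 [LOGON] ADATUM: SamLogon: Network logon of ADATUM\bjones from WKS002 Returns 0x0
05/26 17:54:01 [MISC] DsGetDcName function called: client PID=1234, Dom:ADATUM Acct:(null) Flags: RETURN_DNS_NAME
'@ -split "`r?`n"

Get-NetlogonFailure -Lines $sampleLog | Format-Table -AutoSize
# Against a real file, e.g. only sources with five or more failures:
#   Get-NetlogonFailure -Lines (Get-Content "$env:SystemRoot\Debug\netlogon.log") -MinCount 5
```

Grouping by source as well as by account is what makes the output useful: a single workstation producing STATUS_WRONG_PASSWORD for one account until it flips to STATUS_ACCOUNT_LOCKED_OUT is almost always a stale saved credential or service on that machine, whereas the same account failing from many sources is the pattern to escalate.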
MS KB 109626 (Enabling Debug Logging for the Netlogon Service), MS KB 247811 (How Domain Controllers Are Located in Windows), and MS KB 273499 (Description of Security Event 681)
End of content preview. The rest of this section is not viewable here.
Enabling GPO Client Logging
Content preview
You want to troubleshoot GPO processing issues on a client or server by enabling additional logging in the Application event log.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. In the left pane, expand the appropriate key from the table in .
  3. Create and populate the appropriate key value.
  4. Click OK.

Using a command-line interface

> reg add "<Key Value>" /v "<Value Name>" /t REG_DWORD /d <Value>

Using VBScript

' This code enables GPO logging on a target computer.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ComputerName>" ' e.g. rallen-w2k3
strRegKey = "<Key Name>"       ' key from the table, without the HKEY_LOCAL_MACHINE prefix
strValueName = "<Value Name>"
intValue = <Value>             ' DWORD value from the table (use &H for hex, e.g. &H30002)
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
set objReg = GetObject("winmgmts:\\" & strComputer _
                       & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, strValueName, intValue
WScript.Echo "Enabled GPO logging for " & strComputer
If you experience problems with client GPO processing, such as a GPO not getting applied even though you think it should, there are a number of different Registry keys that can help you troubleshoot the problem. One way to get detailed information about what GPOs are applied on a client is by enabling additional GPO event logging. lists a number of Registry settings that can be configured to enable Group Policy logging, as well as the files that are created when these settings are enabled.
Table: Registry settings to enable Group Policy logging

Component: Group Policy core (UserEnv) and registry CSE
  Log file located in: %windir%\debug\usermode\UserEnv.log
  Add this registry value: UserEnvDebugLevel = REG_DWORD 30002
  …to this registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Component: Security CSE
  Log file located in: %windir%\security\logs\winlogon.log
  Add this registry value: ExtensionDebugLevel = REG_DWORD 0x2
  …to this registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a}\
End of content preview. The rest of this section is not viewable here.
Enabling Kerberos Logging
Content preview
You want to enable Kerberos logging on a domain controller to troubleshoot authentication problems.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. In the left pane, expand HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  3. If the LogLevel value doesn’t already exist, right-click on Parameters and select New→DWORD value. Enter LogLevel for the value name and click OK.
  4. In the right pane, double-click on LogLevel and enter 1.
  5. Click OK.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel" /t REG_DWORD /d 1

Using VBScript

' This code enables Kerberos logging for the specified domain controller.
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>" ' e.g. dc01
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, "LogLevel", 1
WScript.Echo "Enabled Kerberos logging for " & strDC

Using PowerShell

# -Force creates the LogLevel value when it is missing and overwrites it otherwise
$strRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
New-ItemProperty -Path $strRegPath -Name "LogLevel" -PropertyType DWORD -Value 1 -Force
If you are experiencing authentication problems or would like to determine whether you are experiencing any Kerberos-related issues, enabling Kerberos logging will cause Kerberos errors to be logged in the System event log. The Kerberos events can point out if the problem is related to clock skew, an expired ticket, an expired password, etc. For a good overview of some of the Kerberos error messages, see MS KB 230476.
Here is a sample event:
Event Type:       Error
Event Source:     Kerberos
Event Category:   None
Event ID:         3
Date:             5/26/2003
Time:             5:53:43 PM
User:             N/A
Computer:         DC01
Description:
A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 0:53:43.0000 5/27/2003 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: ADATUM.COM
 Server Name: host/dc01.adatum.com
 Target Name: host/dc01.adatum.com@ADATUM.COM
 Error Text:
 File: 9
 Line: ab8
 Error Data is in record data.
End of content preview. The rest of this section is not viewable here.
Viewing DNS Server Performance Statistics
Content preview
You want to view DNS Server performance statistics.

Using a graphical user interface

  1. Open the Performance Monitor.
  2. Click on System Monitor in the left pane.
  3. In the right pane, click the + button. This will bring up the page to add counters.
  4. Under “Select counters from computer,” enter the DNS server you want to target.
  5. Select the DNS performance object.
  6. Select the counters you want to add and click the Add button.
  7. Click Close.

Using a command-line interface

> dnscmd <DNSServerName> /statistics

Using VBScript

' This code displays all statistics for the specified DNS server.
' ------ SCRIPT CONFIGURATION ------
strServer = "<DNSServerName>" ' e.g. dc1.adatum.com
' ------ END CONFIGURATION ---------

set objDNS = GetObject("winmgmts:\\" & strServer & "\root\MicrosoftDNS")
set objStats = objDNS.ExecQuery("Select * from MicrosoftDNS_Statistic")
for each objStat in objStats
   WScript.Echo " " & objStat.Name & " : " & objStat.Value
next

Using PowerShell

# -List is required (Get-EventLog cannot be called without parameters), and the
# comparison operator is -eq, not =
Get-EventLog -List | Where-Object { $_.LogDisplayName -eq "DNS Server" }
The Microsoft DNS Server keeps track of dozens of performance metrics. These metrics include the number of queries, updates, transfers, directory reads, and directory writes processed by the server. If you can pump these metrics into an enterprise management system, you can track DNS usage and growth over time.
These statistics can also be useful to troubleshoot load-related issues. If you suspect a DNS Server is being overwhelmed with DNS update requests, you can look at the Dynamic Update Received/sec counter and see if it is processing an unusually high number of updates.

Using a command-line interface

You can obtain a subset of the statistics by providing a statid after the /statistics option. Each statistics category has an associated number (i.e., statid). For a complete list of categories and their statids, run the following command:
> dnscmd /statistics /?
Here is an example of viewing the Query (statid = 2)
End of content preview. The rest of this section is not viewable here.
Monitoring the File Replication Service
Content preview
You want to monitor the performance of the File Replication Service (FRS).

Using a graphical user interface

  1. Double-click on frsdiag.exe in the Windows Resource Kit.
  2. Under Target Server(s), select Local Machine, or click Browse to select a remote machine to diagnose.
  3. Click GO.

Using a command-line interface

The following will display the polling interval for dc1.adatum.com:
> ntfrsutl poll dc1.adatum.com
The sets parameter will display all active replication sets on dc1.adatum.com, as :
> ntfrsutl sets dc1.adatum.com
Windows 2000, Windows Server 2003, and Windows Server 2008 use FRS by default to replicate the contents of the SYSVOL shared folder, as well as any Distributed File System (DFS) folders you’ve configured on pre-Windows Server 2003 R2 servers. R2 and Windows Server 2008 provide the new DFS-R file replication mechanism, which is a significant improvement over FRS in terms of scalability and manageability. While DFS-R cannot be used for replicating SYSVOL in Windows Server 2003 R2, it is the preferred replication mechanism for SYSVOL in Windows Server 2008.
Anytime FRS detects a change that’s been made to a file or folder within one of these shared folders, it will replicate the updated object to other servers within the replica set. Because FRS allows for multimaster file replication (similar to the database replication performed by AD itself), any server in the replica set is able to make changes to SYSVOL or DFS folders, and the File Replication Service will distribute those changes accordingly.
You can monitor the File Replication Service using either frsdiag from the Windows Server 2003 Resource Kit, or the Ultrasound utility, which is a free download from the Microsoft website. Ultrasound requires access to a database to store its information: either a SQL server instance or the free MSDE database that can also be downloaded from the Microsoft site.
MS KB 221111 (Description of FRS Entries in the Registry), MS KB 319553 (How to Restrict FRS Replication Traffic to a Specific Static Port), and MS KB 272279 (How to Troubleshoot the File Replication Service and the Distributed File System)
End of preview. The rest of this section is not viewable here.
Monitoring the Windows Time Service
Content preview
You want to verify the correct functioning of the Windows Time Service.

Using a command-line interface

The following syntax verifies that the Windows Time Service is functioning on dc1.adatum.com and dc2.adatum.com:
> w32tm /monitor /computers:dc1.adatum.com,dc2.adatum.com
Because Active Directory relies on Kerberos for authentication, it’s critical that all of your domain controllers, member servers, and clients maintain a consistent time across the network; if any computer’s clock is off by more than five minutes by default, it will not be able to authenticate to Active Directory. You can use the w32tm utility to verify time synchronization on one or more computers using the /monitor switch, as well as using the /resync switch to prompt a computer to immediately resynchronize its clock with its authoritative time source.
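As an added example (not code from the book), the following Python script parses the text that w32tm /monitor prints for a list of computers and flags any host whose NTP offset exceeds the five-minute Kerberos tolerance the recipe mentions, or that returned no NTP answer at all. The sample output embedded in the script is constructed in the layout w32tm uses; it was not captured from a real domain controller, and the host names and addresses are made up.

```python
import re

# Kerberos default maximum clock skew: five minutes, as the recipe notes.
MAX_SKEW_SECONDS = 300.0

# Constructed sample in the layout w32tm /monitor prints (not captured from a real DC).
SAMPLE_W32TM_MONITOR = """\
dc1.adatum.com *** PDC *** [10.0.0.11:123]:
    ICMP: 0ms delay
    NTP: +0.0012345s offset from local clock
        RefID: time.adatum.com [10.0.0.5]
        Stratum: 3
dc2.adatum.com [10.0.0.12:123]:
    ICMP: 1ms delay
    NTP: -412.5031220s offset from local clock
        RefID: dc1.adatum.com [10.0.0.11]
        Stratum: 4
dc3.adatum.com [10.0.0.13:123]:
    ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
"""

# One host header per computer, optionally marked as the PDC emulator.
_HOST_RE = re.compile(r"^(\S+)(?:\s*\*\*\* PDC \*\*\*)?\s*\[([\d.]+):\d+\]:\s*$")
# The signed offset of the host's clock against the local clock, in seconds.
_NTP_RE = re.compile(r"^\s+NTP: ([+-]\d+\.\d+)s offset from local clock")
# Hosts that did not answer NTP at all.
_NTP_ERR_RE = re.compile(r"^\s+NTP: error (\S+)")


def parse_monitor(output: str) -> list:
    """Return one record per host: name, address, offset in seconds (None on error)."""
    records = []
    for line in output.splitlines():
        m = _HOST_RE.match(line)
        if m:
            records.append({"host": m.group(1), "address": m.group(2),
                            "offset": None, "error": None})
            continue
        if not records:
            continue  # text before the first host header
        m = _NTP_RE.match(line)
        if m:
            records[-1]["offset"] = float(m.group(1))
            continue
        m = _NTP_ERR_RE.match(line)
        if m:
            records[-1]["error"] = m.group(1)
    return records


def out_of_tolerance(records, max_skew: float = MAX_SKEW_SECONDS) -> list:
    """Hosts that could fail Kerberos: skew beyond the limit, or no NTP answer at all."""
    return [r["host"] for r in records
            if r["offset"] is None or abs(r["offset"]) > max_skew]


if __name__ == "__main__":
    recs = parse_monitor(SAMPLE_W32TM_MONITOR)
    for r in recs:
        print(f'{r["host"]:18} offset={r["offset"]} error={r["error"]}')
    print("out of tolerance:", out_of_tolerance(recs))
```

In the constructed sample, dc2 is more than six minutes off and dc3 never answered, so both are reported; a real run would feed the script the output of w32tm /monitor instead of the embedded text.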
to configure a DC to use an external time source, MS KB 257187 (RPC Error Messages Returned for Active Directory Replication When Time Is Out of ), and MS KB 816042 (How to Configure an Authoritative Time Server in Windows Server 2003)
End of preview. The rest of this section is not viewable here.
Enabling Inefficient and Expensive LDAP Query Logging
Content preview
You want to log inefficient and expensive LDAP queries to the Directory Services event log.
To log a summary report about the total number of searches, total expensive searches, and total inefficient searches to the Directory Services event log, set the 15 Field Engineering diagnostics logging setting to 4. This summary is generated every 12 hours during the garbage collection cycle.
To log an event to the Directory Services event log every time an expensive or inefficient search occurs, set the 15 Field Engineering diagnostics logging setting to 5.
See for more on enabling diagnostics logging.
A search is considered expensive if it has to visit a large number of objects in Active Directory. The default threshold for an expensive query is 10,000. That means any search that visits 10,000 or more objects would be considered expensive. A search is considered inefficient if it returns less than 10 percent of the total objects it visits. If a query visited 10,000 objects and only returned 999 of them (less than 10 percent), it would be considered inefficient. The default bottom limit for an inefficient query is 1,000. If the query returned 1,000 instead, it would not be considered inefficient. To summarize, with 1,000 as the default bottom threshold, no search that visits less than 1,000 entries (even if it visited 999 and returned 0) would be considered inefficient.
Here is a sample summary report event that is logged when 15 Field Engineering is set to 4:
Event Type:        Information
Event Source:      NTDS General
Event Category:    Field Engineering
Event ID:          1643
Date:              5/24/2003
Time:              7:24:24 PM
User:              NT AUTHORITY\ANONYMOUS LOGON
Computer:          DC1
Description:
Internal event:    Active Directory performed the following number of search operations within this time interval.

Time interval (hours): 9
Number of search operations: 24679

During this time interval, the following number of search operations were characterized as either expensive or inefficient.

Expensive search operations: 7
Inefficient search operations: 22
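The expensive/inefficient rules above have two thresholds and a ratio that interact in non-obvious ways, so here is an added Python example (not from the book) that encodes them, runs them over a handful of constructed (visited, returned) pairs covering the edge cases the discussion walks through, and also pulls the three counters out of an event 1643 description like the sample above. The filter strings and counts in SAMPLES are made up; the abbreviated event text reuses the numbers from the sample event.

```python
import re
from dataclasses import dataclass

# Thresholds as the recipe describes them: a search that visits 10,000 or more
# objects is "expensive"; a search is "inefficient" when it returns less than
# 10 percent of the objects it visited, but only once it visits at least 1,000.
EXPENSIVE_THRESHOLD = 10_000
INEFFICIENT_FLOOR = 1_000
INEFFICIENT_RATIO = 0.10


@dataclass(frozen=True)
class SearchStats:
    """Visited/returned counts for one LDAP search (constructed sample data)."""
    ldap_filter: str
    visited: int
    returned: int


def is_expensive(visited: int) -> bool:
    return visited >= EXPENSIVE_THRESHOLD


def is_inefficient(visited: int, returned: int) -> bool:
    # Searches below the floor are never inefficient, even if they return nothing.
    if visited < INEFFICIENT_FLOOR:
        return False
    return returned < INEFFICIENT_RATIO * visited


def classify(stats: SearchStats) -> tuple:
    """Labels a DC with '15 Field Engineering' set to 5 would log for this search."""
    labels = []
    if is_expensive(stats.visited):
        labels.append("expensive")
    if is_inefficient(stats.visited, stats.returned):
        labels.append("inefficient")
    return tuple(labels)


def summarize(samples) -> dict:
    """Aggregate counts in the shape of the event 1643 summary report."""
    return {
        "searches": len(samples),
        "expensive": sum(1 for s in samples if is_expensive(s.visited)),
        "inefficient": sum(1 for s in samples
                           if is_inefficient(s.visited, s.returned)),
    }


# Counter lines of an event 1643 description; the field names match the sample
# event in the recipe, the regular expression is ours.
_SUMMARY_RE = re.compile(
    r"^(Number of search operations|Expensive search operations|"
    r"Inefficient search operations):\s*(\d+)\s*$",
    re.MULTILINE,
)
_KEYS = {
    "Number of search operations": "searches",
    "Expensive search operations": "expensive",
    "Inefficient search operations": "inefficient",
}


def parse_summary_event(description: str) -> dict:
    """Pull the three counters out of an event 1643 description."""
    return {_KEYS[name]: int(value)
            for name, value in _SUMMARY_RE.findall(description)}


# Constructed samples covering the edge cases the recipe walks through.
SAMPLES = [
    SearchStats("(objectClass=group)", 10_000, 999),    # expensive and inefficient
    SearchStats("(objectClass=group)", 10_000, 1_000),  # expensive; exactly 10% returned
    SearchStats("(cn=a*)", 999, 0),                     # under the floor: neither
    SearchStats("(sAMAccountName=rallen)", 1, 1),       # indexed lookup: neither
    SearchStats("(description=*admin*)", 5_000, 12),    # inefficient only
]

# Abbreviated copy of the recipe's sample event 1643 description.
SAMPLE_EVENT_1643 = """\
Time interval (hours): 9
Number of search operations: 24679
Expensive search operations: 7
Inefficient search operations: 22
"""

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.ldap_filter:26} visited={s.visited:6} "
              f"returned={s.returned:5} -> {classify(s)}")
    print("summary of samples:", summarize(SAMPLES))
    print("parsed event 1643: ", parse_summary_event(SAMPLE_EVENT_1643))
```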
End of preview. The rest of this section is not viewable here.
Using the STATS Control to View LDAP Query Statistics
Content preview
You want to use the STATS LDAP control to test the efficiency of a query.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools. (In Windows Server 2008, LDP is built into the AD DS binaries.)
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter the credentials of a user to perform the search.
  8. Click OK.
  9. From the menu, select Options→Control.
  10. For the Windows Server 2003 or Windows Server 2008 versions of LDP, you can select Search Stats from the Load Predefined selection. For Windows 2000, add a control with the OID 1.2.840.113556.1.4.970.
  11. Click OK.
  12. From the menu, select Browse→Search.
  13. Enter your search criteria and then click the Options button.
  14. Under Search Call Type, be sure that Extended is selected.
  15. Click OK and then click Run.

Using a command-line interface

The AdFind command-line utility has four switches that will display efficiency statistics for any query:
-stats
Enables the STATS control to return statistics about the query, along with the actual results of the query.
-statsonly
Returns only the statistics about the query, and suppresses the actual query results.
-stats+
Similar to -stats, but also displays additional advanced analysis about the query.
-stats+only
Just like -stats+, but will suppress the actual results of the query and only display the query statistics.
The STATS control is a useful way to obtain statistics about the performance of an LDAP query. With the STATS control, you can find out information such as the amount of time it took the server to process the query, how many entries were visited versus returned, what the search filter expanded to, and if any indexes were used. Here is an example of what the STATS control returns for a search for all group objects in the cn=Users
End of preview. The rest of this section is not viewable here.
Monitoring the Performance of AD
Content preview
You want to use the Performance Monitor to examine the performance of Active Directory.

Using a graphical user interface

  1. Open the Performance Monitor (Reliability and Performance Monitor in Windows Server 2008).
  2. Click on System Monitor in the left pane (Performance Monitor in Windows Server 2008).
  3. Press Ctrl-I. This will bring up the page to add counters.
  4. Under “Select counters from computer,” enter the name of the domain controller you want to target.
  5. Select the NTDS performance object.
  6. Select the counters you want to monitor.
  7. After you’re done with your selections, click Close.
There are several Performance Monitor counters that can be very valuable for monitoring and troubleshooting Active Directory. The NTDS performance object has counters for address book lookups; inbound and outbound replication; LDAP reads, writes, and searches; Kerberos authentication; and the Security Account Manager (SAM).
Here is a list of some of the most useful NTDS counters. We’ve also included their Performance Monitor explanation, which you can view by clicking on the Explain button in the Add Counters dialog box:
DRA Inbound Bytes Total/sec
Shows the total number of bytes replicated in. It is the sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression).
DRA Inbound Objects/sec
Shows the number of objects received from neighbors through inbound replication. A neighbor is a domain controller from which the local domain controller replicates locally.
DRA Inbound Values Total/sec
Shows the total number of object property values received from inbound replication partners. Each inbound object has one or more properties, and each property has zero or more values. A zero value indicates property removal.
DRA Outbound Bytes Total/sec
Shows the total number of bytes replicated out. It is the sum of the number of uncompressed bytes (never compressed) and the number of compressed bytes (after compression).
End of preview. The rest of this section is not viewable here.
Using Perfmon Trace Logs to Monitor AD
Content preview
You want to enable Trace Logs to view system-level calls related to Active Directory.

Using Windows 2000 and Windows Server 2003

  1. Open the Performance Monitor.
  2. In the left pane, expand Performance Logs and Alerts.
  3. Right-click on Trace Logs and select New Log Settings.
  4. Enter a name for the log and click OK.
  5. Click the Add button.
  6. Highlight one or more of the Active Directory providers and click OK.
  7. Use the tabs to configure additional settings about the log.
  8. When you are done, click OK.
  9. Unless you’ve scheduled it to run at a different time, the Trace Log you created should show up in the right pane next to a green icon, which indicates that it is running.
  10. To stop the Trace Log, right-click on it in the right pane and select Stop.
  11. Now open up a command prompt (cmd.exe).
  12. Use cd to change into the directory where the Trace Log files are stored (c:\perflogs by default).
  13. Run the following command:
    > tracerpt <LogFileName>

Using Windows Server 2008

  1. Open Reliability and Performance Monitor.
  2. In the left pane, expand Data Collector Sets.
  3. Right-click Event Trace Sessions and click New → Data Collector Sets.
  4. In the Name: field, enter AD Trace Log. Click Next.
  5. Click Add. In the Event Trace Providers screen, click Active Directory Domain Services: Core. Click OK.
  6. Click Next twice. Click the “Start this data collector set now” radio button and click Finish.
  7. Right-click on AD Trace Log and click Properties. On the File tab, take note of the location of the .etl file. Click OK.
  8. Open a command prompt and run the following command:
    tracerpt <LogFileName>
Trace Logs capture detailed system- and application-level events. Applications support Trace Log capability by developing a Trace Log Provider. Active Directory supports several providers that log low-level system calls related to Kerberos, LDAP, and DNS, to name a few. This can be an extremely valuable tool for debugging or just exploring the inner workings of Active Directory. Trace Logs can be resource-intensive, so you should enable them with care.
End of preview. The rest of this section is not viewable here.
Creating an Administrative Alert
Content preview
You want to define a threshold for a performance counter that should cause an alert to be generated.

Using Windows 2000 or Windows Server 2003

  1. Open the Performance Monitor.
  2. In the left pane, expand “Performance Logs and Alerts.”
  3. Right-click on Alerts and select New Alert Settings.
  4. Enter a name for the alert and click OK.
  5. On the General tab, enter a description for the alert in the Comment field.
  6. Click the Add button.
  7. Highlight one or more of the Active Directory providers and click OK.
  8. For each counter, for “Alert when the value is…,” specify Under or Over. For Limit, specify the threshold value that should trigger the alert.
  9. For “Sample data every,” specify how often the performance counter should be updated.
  10. On the Schedule tab, specify the time that the scan should begin and end.
  11. On the Action tab, specify the action that the OS should take when the alert is generated. You can choose from one or more of the following:
    • Log an entry in the application event log.
    • Send a network message.
    • Start a performance data log.
    • Run an external program.
  12. Click OK.

Using Windows Server 2008

  1. Open the Reliability and Performance Monitor.
  2. Expand Data Collector Sets. Right-click User-Defined and click New→Data Collector Set.
  3. In the Name text box, enter “AD Performance Alert.” Select the Create manually radio button and click Next.
  4. Click the Performance Counter Alert radio button and click Next.
  5. Click Add. Select the counter that you wish to be alerted about. Click Add and click OK.
  6. In the “Alert when:” drop-down box, click Above or Below. In the Limit text box, enter the threshold value that you wish to monitor. Click Next.
  7. Click the “Start this data collector now” radio button. Click Finish.
There are any number of options for monitoring the ongoing performance of the Windows operating system, whether the machine in question is a domain controller, member server, or workstation. For larger environments, you can look into add-on tools like the SCOM or third-party utilities from NetPro, NetIQ, and others. For a built-in solution, however, the Performance MMC snap-in can monitor performance metrics and send various administrative alerts.
End of preview. The rest of this section is not viewable here.
Emailing an Administrator on a Performance Alert
Content preview
You want to create an alert that will notify an administrator via email if a performance alert is generated.

Using VBScript

' This code will send a simple email message
' from a computer that is running its own SMTP server

'------------Script Configuration--------------------
strSubject = "Low hard disk space on server dc1."
strFromLine = "admin@adatum.com"
strToLine = "oncall@adatum.com"
strText = "Available disk space on the C:\ drive of dc1." & _
  "adatum.com has gone below 100MB."
'----------------------------------------------------

Set objMessage = CreateObject("CDO.Message")
objMessage.Subject = strSubject
objMessage.From = strFromLine
objMessage.To = strToLine
objMessage.TextBody = strText
objMessage.Send

Using PowerShell

#send-mail.ps1
param ([string]$SMTPserver    = "<SMTP Server IP Address>",
    [string]$SMTPport         = "<SMTP Port>",
    [string]$From             = "from@example.com",
    [string]$To               = "to@example.com",
    [string]$Subject          = "simple subject",
    [string]$Body             = "simple body"
)

$var = (new-object net.mail.smtpclient($SMTPserver, $SMTPport))
$var.Send($From, $To, $Subject, $Body)
A common request among Windows system administrators is to have the ability to email an on-call administrator when a critical performance alert is generated—for example, when a domain controller is experiencing a critical hardware failure. It is a relatively simple matter to send email through VBScript using Collaborative Data Objects (CDOs), which are built into Windows XP and Windows Server 2003. You can either hardcode the appropriate alert messages into the VBScript code and maintain multiple scripts for the various alerts that you create, or you can generate command-line arguments within the Performance Alert and use those alerts to customize the output of a single, more generic script. Using the Performance MMC or the Reliability and Performance Monitor, you can submit one or more of the following as command-line arguments to a script that’s been fired in response to an alert:
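The previous recipe set an "Alert when the value is Over/Under <limit>" rule on a counter, and this one hands the result to a script through command-line arguments. As an added Python example (not from the book), the script below evaluates a constructed series of counter samples against such a rule and composes the notification mail the alert action would send; sending is isolated in its own function so the evaluation can be run without a mail relay. The counter name is one the Performance Monitor recipe lists; the sample values, the argument order (counter, value, limit) and the mailbox addresses are this example's own assumptions.

```python
import smtplib
import sys
from email.message import EmailMessage

# Constructed counter stream: (sample index, value). The counter name is from
# the NTDS performance object; the values are made up for the example.
COUNTER = r"\\dc1\NTDS\DRA Inbound Bytes Total/sec"
SAMPLES = list(enumerate([1_200.0, 4_800.0, 15_300.0, 22_900.0, 900.0]))
LIMIT = 10_000.0


def breaches(samples, limit: float, direction: str = "over") -> list:
    """Samples that trip an 'Alert when the value is Over/Under <limit>' rule."""
    if direction == "over":
        return [(i, v) for i, v in samples if v > limit]
    if direction == "under":
        return [(i, v) for i, v in samples if v < limit]
    raise ValueError("direction must be 'over' or 'under'")


def build_alert_message(counter, value, limit, direction, sender, recipient) -> EmailMessage:
    """Compose the mail an alert action would send; nothing is sent here."""
    msg = EmailMessage()
    msg["Subject"] = f"Performance alert: {counter} {direction} {limit:g}"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(
        f"Counter {counter} reported {value:g}, which is {direction} "
        f"the limit of {limit:g}.\n"
    )
    return msg


def send(msg: EmailMessage, smtp_server: str, smtp_port: int = 25) -> None:
    """Hand the message to an SMTP relay (hypothetical server; not used by the demo)."""
    with smtplib.SMTP(smtp_server, smtp_port) as smtp:
        smtp.send_message(msg)


def main(argv) -> EmailMessage:
    # Argument order (counter, value, limit) is this script's own convention,
    # standing in for the arguments an alert passes to the program it runs.
    counter, value, limit = argv[1], float(argv[2]), float(argv[3])
    direction = "over" if value > limit else "under"
    msg = build_alert_message(counter, value, limit, direction,
                              "admin@adatum.com", "oncall@adatum.com")
    print(msg)
    return msg


if __name__ == "__main__":
    if len(sys.argv) >= 4:
        main(sys.argv)
    else:
        for _, value in breaches(SAMPLES, LIMIT, "over"):
            m = build_alert_message(COUNTER, value, LIMIT, "over",
                                    "admin@adatum.com", "oncall@adatum.com")
            print(m["Subject"])
```

Run without arguments the script walks the constructed samples; run as `alert.py "<counter>" <value> <limit>` it composes one message from the arguments, which is how it would be wired to an alert action.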
End of preview. The rest of this section is not viewable here.
Enabling Auditing of Directory Access
Content preview
You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.

Using a graphical user interface

  1. Open the Domain Controller Security Policy snap-in.
  2. In the left pane, expand Local Policies and click on Audit Policy.
  3. In the right pane, double-click “Audit directory service access.”
  4. Make sure the box is checked beside “Define these policy settings.”
  5. Check the box beside Success and/or Failure.
  6. Click OK.

Using a command-line interface

> auditpol \\<DomainControllerName> /enable /directory:all
You can log events to the Security event log for every successful and/or failed attempt to access or modify the directory, which is referred to as auditing. Auditing is enabled via the Security Settings section of a GPO that’s linked to the Domain Controllers OU, using the “Audit directory service access” setting. Once this is enabled, you need to use the ACL Editor to define auditing in the SACL of the objects and containers you want to monitor.
By default, the domain object has an inherited audit entry for the Everyone security principal for all object access and modifications. That means once you enable auditing in the Domain Controller Security Policy and this configuration change replicates out, domain controllers will log events for any directory access or modification to any part of the directory. As you can imagine, auditing every access to Active Directory can generate a lot of events, so you’ll either want to disable auditing of the Everyone group and apply more specific auditing instead, or else keep a close eye on your domain controllers to ensure that they are not adversely affected while auditing is enabled.
Here is a sample event that was logged after the Administrator account created a contact object called foobar in the Sales OU:
Event Type:        Success Audit
Event Source:      Security
Event Category:    Directory Service Access
Event ID:          566
Date:              5/26/2007
Time:              7:24:10 PM
User:              ADATUM\administrator
Computer:          DC1
Description:
Object Operation:
         Object Server:        DS
         Operation Type:       Object Access
         Object Type:          organizationalUnit
         Object Name:          OU=Sales,DC=adatum,DC=com
         Handle ID:            -
         Primary User Name:    DC1$
         Primary Domain:       ADATUM
         Primary Logon ID:     (0x0,0x3E7)
         Client User Name:     administrator
         Client Domain:        ADATUM
         Client Logon ID:      (0x0,0x3B4BE)
         Accesses:             Create Child

          Properties:
         Create Child
         contact

         Additional Info:        CN=foobar,OU=Sales,DC=adatum,DC=com
         Additional Info2:       CN=foobar,OU=Sales,DC=adatum,DC=com
         Access Mask:            0x1
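Once directory access auditing is on, the useful part of an event 566 is the set of "Name: value" lines in its description: who acted (Client Domain and Client User Name), which access was exercised, on which object, and what child was created. The added Python example below (not from the book) parses that description into a dictionary, summarizes the fields a reviewer cares about, and checks the affected object against a watch list of containers, which is the kind of filter that keeps "audit Everyone" noise down to the subtrees you actually care about. The embedded event text copies the recipe's sample event; the watch list of DNs is constructed.

```python
# Copy of the recipe's sample event 566 (Administrator created a contact in OU=Sales).
EVENT_566_CREATE = """\
Event Type:        Success Audit
Event Source:      Security
Event Category:    Directory Service Access
Event ID:          566
Date:              5/26/2007
Time:              7:24:10 PM
User:              ADATUM\\administrator
Computer:          DC1
Description:
Object Operation:
         Object Server:        DS
         Operation Type:       Object Access
         Object Type:          organizationalUnit
         Object Name:          OU=Sales,DC=adatum,DC=com
         Handle ID:            -
         Primary User Name:    DC1$
         Primary Domain:       ADATUM
         Primary Logon ID:     (0x0,0x3E7)
         Client User Name:     administrator
         Client Domain:        ADATUM
         Client Logon ID:      (0x0,0x3B4BE)
         Accesses:             Create Child

          Properties:
         Create Child
         contact

         Additional Info:        CN=foobar,OU=Sales,DC=adatum,DC=com
         Additional Info2:       CN=foobar,OU=Sales,DC=adatum,DC=com
         Access Mask:            0x1
"""

# Constructed watch list: containers whose changes should be surfaced.
WATCHED_CONTAINERS = (
    "OU=Sales,DC=adatum,DC=com",
    "OU=Domain Controllers,DC=adatum,DC=com",
)


def parse_event(text: str):
    """Split an event description into 'Name: value' fields and the Properties list."""
    fields, properties = {}, []
    in_props = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Properties:":
            in_props = True
            continue
        name, sep, value = line.partition(":")  # first colon only: "Time: 7:24:10 PM"
        if sep:
            fields[name.strip()] = value.strip()
            in_props = False
        elif in_props:
            properties.append(line)
    return fields, properties


def summarize_event(fields: dict, properties: list) -> dict:
    """The fields a reviewer wants: actor, access, target, and affected object."""
    return {
        "event_id": fields.get("Event ID"),
        "outcome": fields.get("Event Type"),
        "client": f'{fields.get("Client Domain")}\\{fields.get("Client User Name")}',
        "access": fields.get("Accesses"),
        "target": fields.get("Object Name"),
        # In the sample the Properties block repeats the access and then names
        # the child object class; take the class when both are present.
        "child_class": properties[-1] if len(properties) > 1 else None,
        "affected": fields.get("Additional Info"),
    }


def in_watched_subtree(dn: str, watched=WATCHED_CONTAINERS) -> bool:
    """True when dn is one of the watched containers or lies beneath one."""
    dn_l = dn.lower()
    return any(dn_l == w.lower() or dn_l.endswith("," + w.lower()) for w in watched)


if __name__ == "__main__":
    fields, props = parse_event(EVENT_566_CREATE)
    summary = summarize_event(fields, props)
    print(summary)
    print("watched:", in_watched_subtree(summary["affected"]))
```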
End of preview. The rest of this section is not viewable here.
Enabling Auditing of Registry Keys
Content preview
You want to enable auditing of any changes to one or more Registry keys.

Using a graphical user interface

To enable auditing of a Registry key on an individual domain controller, do the following:
  1. Create a Group Policy Object (or enable an existing GPO) that enables the following settings under Computer Configuration→Window Settings→Security Settings→Local Policies→Audit Policy:
    • Audit object access: Success
    • Audit object access: Failure
  2. Link the GPO to the container containing the DC you wish to audit.
  3. On the DC you want to audit, open regedit.exe from the command line or from Start→Run.
  4. Navigate to the Registry key that you want to enable auditing on.
  5. Right-click on the key and select Permissions. Click Advanced and select the Auditing tab.
  6. Click Add to select a user or group to audit, then click OK. For Apply Onto, select “This key only,” “This key and subkeys,” or “Subkeys only.”
  7. Under Access, select the actions that should be audited, and click OK.
If you need to enable auditing of the same Registry keys on multiple computers, a much more efficient solution would be to use a GPO as follows:
  1. Create a Group Policy Object (or modify an existing GPO) that enables the following settings under Computer Configuration → Window Settings → Security Settings → Local Policies → Audit Policy:
    • Audit object access: Success
    • Audit object access: Failure
  2. Navigate to Computer Configuration→Windows Settings→Security Settings→Registry.
  3. Right-click on Registry and select “Add key.” On the “Select Registry key” screen, navigate to the key that you want to audit and click OK.
  4. Right-click on the key and select Permissions. Click Advanced and select the Auditing tab.
  5. Click Add to select a user or group to audit, then click OK. For Apply Onto, select “This key only,” “This key and subkeys,” or “Subkeys only.”
  6. Under Access, select the actions that should be audited, and click OK.
End of preview. The rest of this section is not viewable here.
Creating a Quota
Content preview
This recipe requires a Windows Server 2003 or newer domain .
You want to limit the number of objects a security principal can create in a partition by creating a quota.

Using a command-line interface

> dsadd quota -part <PartitionDN> -qlimit <QuotaLimit> -acct <PrincipalName> [-rdn <QuotaName>]
The following command creates a quota specification that allows the ADATUM\rallen user to create only five objects in the dc=adatum,dc=com partition:
> dsadd quota -part dc=adatum,dc=com -qlimit 5 -acct ADATUM\rallen
Quotas were introduced in Windows Server 2003; they allow an administrator to limit the number of objects that a user (or group of users) can create. This is similar in nature to the quota for creating computer objects found in Windows 2000 (see for more details), except that the quotas in Windows Server 2003 apply to the creation of all object types.
There are three things that need to be set when creating a quota specification, including:
Partition
Currently, quotas can apply only to an entire partition. You cannot create a quota that pertains only to a subtree in a partition. You can create quotas for any partition, including application partitions, except for the schema naming context. The reasoning behind this restriction is that the schema is a highly protected area of the directory, and you shouldn’t need to restrict how many objects get created there.
Target security principal
A quota can be defined for any type of security principal. The msDS-QuotaTrustee attribute on the quota object stores the target principal in the form of an SID.
Limit
This determines how many objects the target security principal can create.
The quota limit is a combination of the new objects that a user creates plus any tombstone objects that are created by that user. If a user creates an object and then deletes another object, that would still count as two objects toward any quotas that apply to the user. This is because when an object is deleted, it isn’t removed; it is simply marked as tombstoned. Once the tombstone object is removed from Active Directory, which happens after 60 days by default (or 180 in an AD forest created on a 2003 Service Pack 1 server), the user’s quota will be decremented accordingly. By default, a tombstone object counts as one object, but that is configurable. See for more on changing the tombstone quota factor.
End of preview. The rest of this section is not viewable here.
Finding the Quotas Assigned to a Security Principal
Content preview
This recipe requires a Windows Server 2003 or newer domain .
You want to find the quotas that have been configured for a security principal (i.e., user, group, or computer).

Using a command-line interface

> dsquery quota <PartitionDN> -acct <PrincipalName>
The following command searches for quotas that have been assigned to the ADATUM\rallen user in the dc=adatum,dc=com partition:
> dsquery quota dc=adatum,dc=com -acct ADATUM\rallen
The DSQuery solution will find only quotas that have been directly assigned to a security principal; it will not list quotas that have been assigned to any group objects that the principal may be a member of. The msDS-QuotaTrustee attribute on quota objects defines a SID that the quota applies to. The dsquery quota command will look up the SID for the specified account and match that against quota objects that reference that SID. Unfortunately, this doesn’t quite show the whole picture. A user could have a quota assigned directly, which the DSQuery command would show, but the user could also be part of one or more groups that have quotas assigned. These won’t show up using DSQuery.
A more robust solution would entail retrieving the tokenGroups attribute of the user, which contains a list of SIDs for all expanded group memberships, and then querying each of those groups to determine whether any of them have quotas assigned. This is actually the type of algorithm that is used to determine a user’s effective quota, as shown in .
for creating a quota and
End of preview. The rest of this section is not viewable here.
Changing How Tombstone Objects Count Against
Content preview
This recipe requires a Windows Server 2003 or newer domain .
You want to change the relative weight of tombstone objects in quota calculations.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the partition on which you want to modify this setting (this setting must be changed for each partition that you want to configure).
  3. In the left pane, expand the root of the partition.
  4. Right-click on cn=NTDS Quotas and select Properties.
  5. Set the msDS-TombstoneQuotaFactor attribute to a value between 0 and 100.
  6. Click OK.

Using a command-line interface

Create an LDIF file called change_tombstone_quota.ldf with the following contents:
dn: cn=NTDS Quotas,<PartitionDN>
changetype: modify
replace: msDs-TombstoneQuotaFactor
msDs-TombstoneQuotaFactor: <0-100>
-
Then run the following command:
> ldifde -v -i -f change_tombstone_quota.ldf
You can also make the change using DSMod or AdMod. DSMod takes the following syntax:
> dsmod partition <PartitionDN> -qtmbstawt <0-100>
You can make the change with AdMod, as follows:
> admod -b <PartitionDN> msDs-TombstoneQuotaFactor::<0-100>

Using VBScript

' This code modifies the
' tombstone quota factor for the specified partition.
' ------ SCRIPT CONFIGURATION ------
strPartitionDN = "<PartitionDN>" ' e.g. dc=adatum,dc=com
intTombstoneFactor = <0-100>     ' e.g. 50
' ------ END CONFIGURATION ---------

set objPart = GetObject("LDAP://cn=NTDS Quotas," & strPartitionDN )
objPart.Put "msDs-TombstoneQuotaFactor", intTombstoneFactor
objPart.SetInfo
WScript.Echo "Set the tombstone quota factor for " & _
             strPartitionDN & " to " & intTombstoneFactor

Using PowerShell

You can modify the tombstone quota factor using the Quest AD cmdlets or else using native PowerShell commands, as follows:
Set-QADObject -Identity "cn=NTDS Quotas,<PartitionDN>" -ObjectAttributes @{'msDs-TombstoneQuotaFactor'='<QuotaValue>'}

$obj = [ADSI] "LDAP://cn=NTDS Quotas,<PartitionDN>"
$obj.Put("msDS-TombstoneQuotaFactor", "<QuotaValue>")
$obj.SetInfo()
The tombstone quota factor is a percentage that determines how much each tombstone object counts against a security principal’s quota usage. By default, tombstone objects count as one object. This means if a user’s quota is set to 10 and the user deletes 10 objects, that user will not be able to create or delete any other objects until those tombstone objects have been purged from Active Directory.
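The three quota recipes above describe how a principal's limit is found (a quota on the principal itself or on one of the groups in its tokenGroups, otherwise the partition default) and how usage is charged (live objects plus tombstones, weighted by the tombstone quota factor). The added Python example below (not from the book) models both calculations over a constructed set of quota objects and reproduces the cases the text walks through: create one object and delete another counts as two, and a quota of 10 with ten deletions blocks further creation until the tombstones are purged. Two points go beyond the page and are assumptions: the effective quota is taken as the largest applicable one, which is Active Directory's documented rule rather than something these recipes state, and fractional tombstone weight is rounded down. The SIDs, group memberships and default quota are made up.

```python
# Constructed directory state: quota objects keyed by trustee SID
# (msDS-QuotaTrustee) with their limits. SIDs and limits are made up.
QUOTAS = {
    "S-1-5-21-1-2-3-1104": 5,    # ADATUM\rallen, assigned directly (the dsadd example)
    "S-1-5-21-1-2-3-1201": 50,   # a group rallen belongs to
}
DEFAULT_QUOTA = 10               # msDS-DefaultQuota on cn=NTDS Quotas (constructed)
TOMBSTONE_FACTOR = 100           # msDS-TombstoneQuotaFactor in percent (the default)


def effective_quota(user_sid: str, token_groups, quotas=QUOTAS,
                    default: int = DEFAULT_QUOTA) -> int:
    """Quota that applies to a principal.

    Checks the principal's own SID and every SID from its expanded group
    membership (tokenGroups). Taking the maximum of the matches is Active
    Directory's documented behaviour, not something the recipe spells out.
    """
    applicable = [quotas[sid] for sid in (user_sid, *token_groups) if sid in quotas]
    return max(applicable) if applicable else default


def quota_used(live_objects: int, tombstones: int,
               factor_pct: int = TOMBSTONE_FACTOR) -> int:
    """Objects charged against the principal: live objects plus weighted tombstones.

    A fractional tombstone weight is rounded down here (assumption)."""
    if not 0 <= factor_pct <= 100:
        raise ValueError("tombstone quota factor is a percentage, 0-100")
    return live_objects + (tombstones * factor_pct) // 100


def can_create(live_objects: int, tombstones: int, limit: int,
               factor_pct: int = TOMBSTONE_FACTOR) -> bool:
    """True while the charged total is below the effective limit."""
    return quota_used(live_objects, tombstones, factor_pct) < limit


if __name__ == "__main__":
    rallen = "S-1-5-21-1-2-3-1104"
    groups = ["S-1-5-21-1-2-3-1201", "S-1-5-21-1-2-3-513"]   # constructed tokenGroups
    limit = effective_quota(rallen, groups)
    print("effective quota for rallen:", limit)
    print("create 1, delete 1 ->", quota_used(1, 1), "charged")
    print("quota 10, ten deletions, factor 100 -> can create:",
          can_create(0, 10, 10))
    print("quota 10, ten deletions, factor 50  -> can create:",
          can_create(0, 10, 10, factor_pct=50))
```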
End of preview. The rest of this section is not viewable here.
Setting the Default Quota for All Security Principals
Content preview
This recipe requires a Windows Server 2003 or newer domain .
You want to set a default quota for all security principals.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the partition you want to modify (this setting must be changed for each partition that you want to configure).
  3. In the left pane, expand the root of the partition.
  4. Right-click on cn=NTDS Quotas and select Properties.
  5. Set the msDS-DefaultQuota attribute to the number of objects that security principals should be allowed to create if they are not assigned another quota.
  6. Click OK.

Using a command-line interface

Create an LDIF file called set_default_quota.ldf with the following contents:
dn: cn=NTDS Quotas,<PartitionDN>
changetype: modify
replace: msDs-DefaultQuota
msDs-DefaultQuota: <NumberOfObjects>
-
Then run the following command:
> ldifde -v -i -f set_default_quota.ldf
You can also make the change using DSMod or AdMod. DSMod takes the following syntax:
> dsmod partition <NTDS Quotas DN> -qdefault <DefaultQuota>
You can make the change with AdMod, as follows:
> admod -b <NTDS Quotas DN> msDs-DefaultQuota::<DefaultQuota>

Using VBScript

' This code sets the
' default quota for the specified partition.
' ------ SCRIPT CONFIGURATION ------
strPartitionDN = "<PartitionDN>"        ' e.g. dc=adatum,dc=com
intDefaultQuota = <NumberOfObjects>     ' e.g. 10
' ------ END CONFIGURATION ---------

set objPart = GetObject("LDAP://cn=NTDS Quotas," & strPartitionDN )
objPart.Put "msDs-DefaultQuota", intDefaultQuota
objPart.SetInfo
WScript.Echo "Set the default quota for " & _
             strPartitionDN & " to " & intDefaultQuota

Using PowerShell

You can modify the default quota using the Quest AD cmdlets or else using native PowerShell commands, as follows:
Set-QADObject -Identity "cn=NTDS Quotas,<PartitionDN>" -ObjectAttributes @{'msDs-DefaultQuota'='<QuotaValue>'}

$obj = [ADSI] "LDAP://cn=NTDS Quotas,<PartitionDN>"
$obj.Put("msDS-DefaultQuota", "<QuotaValue>")
$obj.SetInfo()
The easiest way to apply a default quota to all of your users is to modify the
End of preview. The rest of this section is not viewable here.
Finding the Quota Usage for a Security Principal
Content preview
This recipe requires a Windows Server 2003 or newer domain .
You want to find the quota usage for a certain security principal.
The quota usage of a security principal can be determined a few different ways. First, you can use DSGet. Here is an example:
> dsget user "<UserDN>" -part <PartitionDN> -qlimit -qused
This displays the effective quota limit and how much of the quota has been used for a particular user. You can use similar parameters with dsget computer and dsget group to find the quota usage for those types of objects.
Users can find their own quota usage by querying the msDs-QuotaUsed and msDs-QuotaEffective attributes on the cn=NTDS Quotas container for a partition. These two attributes are constructed, which means they are dynamically calculated based on the user that is accessing them (see for more on constructed attributes). The msDs-QuotaUsed attribute returns how much of the quota has been used by the user, and the msDs-QuotaEffective attribute contains the quota limit.
Alternatively, view the msDs-TopQuotaUsage attribute on a partition’s cn=NTDS Quotas container, which contains the users with the top quota usage. This attribute is multivalued, with each value being XML-like text that contains the SID and how much of the quota the principal has used. See for an example.
If you implement quotas, you’ll certainly need to tell users what their quotas are (or provide instructions on how they can find out for themselves). Currently, there are a few ways to determine quota usage, as outlined in .
Perhaps the most interesting is obtaining the top-quota usage. Each value of the msDs-TopQuotaUsage attribute contains an entry that details the top quota users in the database, listed in decreasing order of quota usage. Each value of the msDs-TopQuotaUsage attribute contains blocks of data formatted in an XML-like language. Each block has the SID of the security principal (<ownerSID>), quota used (<quotaUsed>), number of tombstone objects created (
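The msDs-TopQuotaUsage values described above are multivalued, XML-like text rather than a proper attribute per principal, so reading them means parsing each value. As an added Python example (not from the book), the block below extracts every <name>value</name> child of a value into a dictionary, orders the entries by quotaUsed, and resolves the SIDs through a constructed SID-to-name map (a real script would look the SIDs up in the directory instead). Only the <ownerSID> and <quotaUsed> element names come from the recipe; the wrapper element and the remaining element names, SIDs and counts are constructed for the example.

```python
import re

# Constructed attribute values shaped like the XML-like text the recipe describes.
# <ownerSID> and <quotaUsed> are named in the recipe; the other element names and
# all SIDs and counts are assumptions made for this example.
SAMPLE_TOP_QUOTA_USAGE = [
    "<MS_DS_TOP_QUOTA_USAGE>\n"
    "\t<partitionDN> DC=adatum,DC=com </partitionDN>\n"
    "\t<ownerSID> S-1-5-21-1-2-3-1201 </ownerSID>\n"
    "\t<quotaUsed> 7 </quotaUsed>\n"
    "\t<tombstonedCount> 2 </tombstonedCount>\n"
    "\t<liveCount> 5 </liveCount>\n"
    "</MS_DS_TOP_QUOTA_USAGE>",
    "<MS_DS_TOP_QUOTA_USAGE>\n"
    "\t<partitionDN> DC=adatum,DC=com </partitionDN>\n"
    "\t<ownerSID> S-1-5-21-1-2-3-1104 </ownerSID>\n"
    "\t<quotaUsed> 12 </quotaUsed>\n"
    "\t<tombstonedCount> 9 </tombstonedCount>\n"
    "\t<liveCount> 3 </liveCount>\n"
    "</MS_DS_TOP_QUOTA_USAGE>",
    "<MS_DS_TOP_QUOTA_USAGE>\n"
    "\t<partitionDN> DC=adatum,DC=com </partitionDN>\n"
    "\t<ownerSID> S-1-5-21-1-2-3-1150 </ownerSID>\n"
    "\t<quotaUsed> 1 </quotaUsed>\n"
    "\t<tombstonedCount> 0 </tombstonedCount>\n"
    "\t<liveCount> 1 </liveCount>\n"
    "</MS_DS_TOP_QUOTA_USAGE>",
]

# Constructed SID-to-name map standing in for a directory lookup.
SID_NAMES = {
    "S-1-5-21-1-2-3-1104": "ADATUM\\rallen",
    "S-1-5-21-1-2-3-1201": "ADATUM\\ProvisioningOperators",
}

# A leaf element: <name> value </name>, with matching open and close tags.
_ELEM_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>\s*([^<]*?)\s*</\1>")


def parse_usage_block(text: str) -> dict:
    """Extract every leaf element into a dict; all-digit values become ints."""
    out = {}
    for name, value in _ELEM_RE.findall(text):
        out[name] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return out


def top_quota_usage(values) -> list:
    """Parse each attribute value and order by quotaUsed, highest first."""
    rows = [parse_usage_block(v) for v in values]
    return sorted(rows, key=lambda r: r.get("quotaUsed", 0), reverse=True)


def report(rows, sid_names=SID_NAMES) -> list:
    """(display name or raw SID, quotaUsed) pairs for an administrator's report."""
    return [(sid_names.get(r.get("ownerSID"), r.get("ownerSID")), r.get("quotaUsed"))
            for r in rows]


if __name__ == "__main__":
    for name, used in report(top_quota_usage(SAMPLE_TOP_QUOTA_USAGE)):
        print(f"{name:32} {used}")
```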
End of preview. The rest of this section is not viewable here.
Chapter 16: Backup, Recovery, DIT Maintenance, and Deleted Objects
Content preview
The AD Directory Information Tree (DIT) is implemented as a transactional database using the Extensible Storage Engine (ESE). The primary database file is named ntds.dit and is stored in the %SystemRoot%\NTDS folder by default, but can be relocated during the initial promotion process or manually via ntdsutil (see for more details).
Each database write transaction is initially stored in a logfile called edb.log, which is stored in the same directory as ntds.dit by default, though you can modify this either during or after the initial dcpromo process. That logfile can grow to 10 MB in size, after which additional logfiles are created (e.g., edb00001.log), each of which can also grow to up to 10 MB in size. After the transactions in the logfiles are committed to the database, the logfiles are purged, beginning with the log containing the oldest transactions. (This process is referred to as circular logging.) These logfiles are useful when a domain controller is shut down unexpectedly because when the DC comes back online, Active Directory can replay the logfiles and apply any transactions that might not have been written to disk before the DC shut down. The edb.chk file stores information about the last transaction that was actually committed to the database; AD uses this information to determine which transactions in the logfiles still need to be committed. Finally, two 10 MB files called res1.log and res2.log are used as placeholders in case the disk runs out of space; if this happens, these files are deleted to free up enough space to allow Active Directory to commit any final changes before the DC is shut down.
In order to recover portions of Active Directory, or the entire directory itself, you need to have a solid backup strategy in place. You can back up Active Directory while it is online, which means you do not need to worry about scheduling regular downtime simply to perform backups. Restoring Active Directory is also a relatively simple process. To do any type of restore in Windows 2000 and Windows Server 2003, you have to boot into offline mode, more commonly referred to as Directory Services (DS) Restore Mode, in which the Active Directory database is not active. You can then restore a single object, an entire subtree, or the entire database if necessary. For a detailed discussion on backing up and restoring Active Directory, see
Backing Up Active Directory in Windows 2000 and Windows Server 2003
You want to back up Active Directory to tape or disk in Windows 2000 or Windows Server 2003.
Back up the System State, which includes, among other things, the Active Directory-related files on the domain controller. Here are the directions for backing up the System State using the NTBackup utility that comes installed on Windows 2000 and Windows Server 2003 computers.

Using a graphical user interface

  1. Go to Start→All Programs (or Programs for Windows 2000)→Accessories→System Tools→Backup.
  2. Click the Advanced Mode link.
  3. Click the Backup tab.
  4. Check the box beside System State.
  5. Check the box beside any other files, directories, or drives you would also like to back up.
  6. For “Backup destination,” select either File or Tape, depending on where you want to back up the data to.
  7. For “Backup media or file name,” type either the name of a file or select the tape to save the backup to.
  8. Click the Start Backup button twice.

Using a command-line interface

The NTBackup utility supports several command-line parameters that you can use to initiate backups without ever bringing up the GUI.
For the complete list of supported commands on Windows 2000, see MS KB 300439 (How to Use Command Line Parameters With the “NTbackup” Command).
For the complete list of supported commands on Windows Server 2003, see MS KB 814583 (How to Use Command-Line Parameters with the NTbackup Command in Windows Server 2003).
Fortunately, domain controllers can be backed up while online. Having the ability to perform online backups makes the process very easy. And since Active Directory is included as part of the System State on domain controllers, you are required to back up only the System State, although you can back up other folders and drives as necessary. (As a best practice, it is also a good idea to back up the system drive as well.) On a domain controller, the System State includes the following:
  • Boot files
  • Registry
  • COM+ class registration database
Backing Up Active Directory in Windows Server 2008
You want to back up the Active Directory database in Windows Server 2008.
This recipe applies to Windows Server 2008 domain controllers only.

Using a command-line interface

> wbadmin start systemstatebackup -backuptarget:<BackupTarget>
New to Windows Server 2008, the wbadmin command is used to create a System State backup, which on a domain controller includes the Active Directory database. The steps in this recipe assume that you have installed the Windows Server Backup feature in Windows Server 2008; to install its command-line tools, you will also need to install Windows PowerShell. By default wbadmin refuses to write a System State backup to a critical volume (one that holds the operating system or the AD database files), so point <BackupTarget> at a separate volume. Because the backup contains ntds.dit together with the SYSTEM registry hive, anyone who can read the backup target can extract every domain account's password hash from it offline; restrict access to that location, and encrypt it, as carefully as you protect the DC itself.
for information on creating Active Directory snapshots and for more on mounting and using snapshots
Creating an Active Directory Snapshot
You want to create a snapshot of the Active Directory database.
This recipe applies to Windows Server 2008 domain controllers only.

Using a command-line interface

> ntdsutil

> ntdsutil: activate instance ntds

> ntdsutil: snapshot

> snapshot: create
New to Windows Server 2008, the Active Directory Domain Services snapshot feature uses the Volume Shadow Copy Service (VSS) to let administrators create "shadow copies" of the Active Directory database at a given point in time. Once a snapshot has been created, you can use the ntdsutil and dsamain command-line utilities to mount it as a read-only copy of the Active Directory database. Once the snapshot is mounted, you can view it using customary tools such as ADSI Edit and LDP, as well as use third-party tools to copy information from the snapshot into the live Active Directory database. Keep in mind that a snapshot is a complete copy of ntds.dit, password hashes included: creating one requires Domain Admin or Enterprise Admin rights, and the snapshot must be protected, and deleted once it is no longer needed, as carefully as the live database.
for more on mounting and using snapshots
Mounting an Active Directory Snapshot
You want to mount a snapshot of the Active Directory database that you created previously using either ntdsutil or a System State backup.
This recipe applies to Windows Server 2008 domain controllers only.

Using a command-line interface

If you want to view a snapshot in ntdsutil, you must first mount the snapshot within ntdsutil as follows:
> ntdsutil

> ntdsutil: activate instance ntds

> ntdsutil: snapshot

> snapshot: list all
The list all command generates a list of the snapshots that exist on the domain controller in question, each with an index number and a GUID. You then issue the mount <Number> command to mount the snapshot that you want. Once the snapshot is mounted, ntdsutil reports the physical path at which the database has been mounted, such as C:\$SNAP_200808011002_VOLUMEC$\. When you are finished, unmount <Number> releases it; a mounted snapshot is a readable copy of ntds.dit on disk, so do not leave it mounted longer than necessary.
Once you have mounted the snapshot you want, you’ll use the dsamain command to expose the snapshot as an LDAP server. When using dsamain, you will need to provide an alternate LDAP port since 389 is in use by the live AD database. You can also specify an alternate LDAPS port, Global Catalog port, and secure Global Catalog port. Use the dsamain tool as follows:
> dsamain /dbpath <Path to database file> /ldapport <Port #>
The mounted snapshot will be exposed as an LDAP server as long as the command window remains open. Use Ctrl-C to “switch off” the snapshot functionality.
The dsamain utility can be used to expose an Active Directory snapshot that has been created using ntdsutil, or it can use the contents of a System State backup that has been restored to an alternate location on the local hard drive. (Network or UNC paths are not supported.) Once a snapshot or restored backup is exposed using dsamain, it can be accessed in a read-only manner using Active Directory tools such as LDP or ADSI Edit, as well as scripts and PowerShell. By default only members of Domain Admins and Enterprise Admins can query the mounted instance; the /allowNonAdminAccess switch relaxes this restriction and should not be used, since the snapshot contains the whole domain's secrets.
for more on creating snapshots and for more on accessing and manipulating information contained in a
Accessing Active Directory Snapshot Data
You want to access data contained within a snapshot of the Active Directory database that you created previously using either ntdsutil or a System State backup.
This recipe applies to Windows Server 2008 domain controllers only.

Using VBScript

' The following code extracts a user's description field
' from an AD snapshot and then inserts it into the "live"
' copy of Active Directory
'---------------- SCRIPT CONFIGURATION ----------------
strComputerName = "<ComputerName>" ' Use "localhost" for the local DC
strPort = "<PortNumber>"           ' the snapshot port number to connect to
strObjDN = "<ObjectDN>"            ' the DN of the object to connect to
'-------------------------------------------------------

' Bind to the object in the mounted snapshot (alternate LDAP port)...
Set objSnapshot = GetObject("LDAP://" & strComputerName & _
                          ":" & strPort & "/" & strObjDN)
' ...and to the same object in the live directory (default port)
Set objLive = GetObject("LDAP://" & strObjDN)

' Copy the attribute value from the snapshot to the live object and commit it.
' Note: a Sub call with more than one argument must not use parentheses in VBScript.
strSnapshotDesc = objSnapshot.description
objLive.Put "description", strSnapshotDesc
objLive.SetInfo

Using PowerShell

$objSnapshot = [ADSI] "LDAP://<DC Name>:<PortNumber>/<ObjectDN>"
$objLive = [ADSI] "LDAP://<ObjectDN>"
# .Value unwraps the property value collection so a plain string is written
$strDesc = $objSnapshot.description.Value
$objLive.Put("description", $strDesc)
$objLive.SetInfo()
An Active Directory snapshot provides a read-only view of the Active Directory database as it existed at a particular point in time, whether the snapshot was created using ntdsutil or whether you are using dsamain to mount the ntds.dit contained in a System State backup. While the current release of Windows Server 2008 does not provide a simple “cut-and-paste” GUI interface to insert values from a snapshot into the live Active Directory database, you can do so using scripting, PowerShell, or a third-party tool. You can also view the contents of a snapshot using tools such as LDP or ADSI Edit by simply indicating the alternate LDAP port number that you specified when you mounted the snapshot.
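The scripts above copy a single attribute blindly. The following PowerShell function is an added example, not code from the book: it compares a list of attributes of one object between the mounted snapshot and the live directory, reports the differences, and writes back only the attributes that differ. The host name dc01, the port 51389 and the attribute list are placeholders chosen for this example; the port is whatever you passed to dsamain /ldapport.

```powershell
# Added example (not from the book): reconcile selected attributes of an object
# from a mounted AD snapshot into the live directory. Assumes the snapshot is
# exposed by dsamain on $SnapshotHost:$SnapshotPort and that the caller holds
# Domain Admin rights (required to read the snapshot and write the live object).
function Restore-AttributesFromSnapshot {
    param(
        [Parameter(Mandatory=$true)][string]$ObjectDN,
        [string]$SnapshotHost = 'dc01',      # placeholder DC name
        [int]$SnapshotPort = 51389,          # placeholder: the /ldapport given to dsamain
        # Deliberately limited to plain data attributes; never copy group membership,
        # userAccountControl or SID-related attributes this way.
        [string[]]$Attributes = @('description', 'displayName', 'telephoneNumber'),
        [switch]$ReportOnly                  # list differences without writing anything
    )
    $snap = [ADSI]("LDAP://{0}:{1}/{2}" -f $SnapshotHost, $SnapshotPort, $ObjectDN)
    $live = [ADSI]("LDAP://{0}" -f $ObjectDN)
    $changes = @()
    foreach ($attr in $Attributes) {
        # psbase reaches the underlying DirectoryEntry regardless of PowerShell version;
        # a missing attribute yields $null, which [string] turns into ''.
        $old = [string]$snap.psbase.Properties[$attr].Value
        $cur = [string]$live.psbase.Properties[$attr].Value
        if ($old -eq $cur) { continue }
        $changes += New-Object PSObject -Property @{
            Attribute = $attr; Snapshot = $old; Live = $cur
        }
        if (-not $ReportOnly) {
            if ($old -ne '') { $live.psbase.Properties[$attr].Value = $old }
            else             { $live.psbase.Properties[$attr].Clear() }   # attribute was absent at snapshot time
        }
    }
    # One commit for all changed attributes, and none at all when nothing differs.
    if (-not $ReportOnly -and $changes.Count -gt 0) { $live.psbase.CommitChanges() }
    $changes | Select-Object Attribute, Snapshot, Live
}

# Review the differences first; remove -ReportOnly to apply them.
Restore-AttributesFromSnapshot -ObjectDN 'cn=jsmith,ou=Sales,dc=adatum,dc=com' -ReportOnly
```

Run it with -ReportOnly first and read the output before writing anything: a snapshot reflects the past, so an attribute that differs may have been changed legitimately since the snapshot was taken. Security-relevant attributes (group membership, userAccountControl, sIDHistory, passwords) are excluded on purpose; recovering those belongs to an authoritative restore, which keeps the replication metadata consistent.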
for more on mounting and using snapshots
Restarting a Domain Controller in Directory Services Restore Mode
You want to restart a domain controller in DS Restore Mode.
To enter DS Restore Mode, you must reboot the server at the console. Press F8 after the power-on self test (POST), which will bring up a menu, as shown in . From the menu, select Directory Services Restore Mode.
Figure : Boot options
In Windows Server 2008, you can also enable DSRM prior to rebooting a server by entering the following command:
> bcdedit /set safeboot dsrepair
Once you have completed the maintenance on the DC and wish to return to a normal startup mode, enter the following prior to rebooting:
> bcdedit /deletevalue safeboot
The Active Directory database is live and locked by the system whenever a domain controller is booted into normal mode. In Windows 2000 and Windows Server 2003, if you want to perform integrity checks, restore part of the database, or otherwise manipulate the Active Directory database in some way, you have to reboot into DS Restore Mode. In this mode, Active Directory does not start up and the database files (e.g., ntds.dit) are not locked. In Windows Server 2008, you have a new Restartable AD DS service that allows you to perform certain maintenance tasks, such as performing an offline defrag, without needing to reboot the domain controller into DSRM. Even in 2008, though, certain critical operations such as an authoritative restore will still need to be performed in Directory Services Restore Mode.
It is not always practical to be at the console of the server when you need to reboot it into DS Restore Mode. On Windows 2000 or Windows Server 2003 you can work around this by adding the /safeboot:dsrepair switch to the server's boot.ini entry so that it boots into DS Restore Mode automatically after the reboot; you can then use Terminal Services to log on to the machine remotely while it is in that mode. See MS KB 256588 for more information on how to enable this capability. Be careful if you try to access DS Restore Mode via Terminal Services: unless you have configured everything properly, you may end up with the domain controller booted into DS Restore Mode and not be able to reach it via Terminal Services. Remember that in DS Restore Mode you log on with the local DSRM administrator account rather than a domain account, and remove the switch again afterwards so the DC does not keep rebooting into DSRM.
Resetting the Directory Service Restore Mode Administrator Password
You want to reset the DS Restore Mode administrator password. This password is set individually (i.e., not replicated) on each domain controller and is initially configured when you promote the domain controller into a domain.

Using a graphical user interface

For this to work you must be booted into DS Restore Mode (see for more information):
  1. Go to Start→Run.
  2. Type compmgmt.msc and press Enter.
  3. In the left pane, expand System Tools→Local Users and Groups.
  4. Click on the Users folder.
  5. In the right pane, right-click on the Administrator user and select Set Password.
  6. Enter the new password and confirm, then click OK.

Using a command-line interface

With the Windows Server 2003 and Windows Server 2008 versions of ntdsutil, you can change the DS Restore Mode administrator password of a domain controller while it is live (i.e., not in DS Restore Mode). Another benefit of this option is that you can run it against a remote domain controller. Here is the command sequence as used in Windows Server 2003; the same set dsrm password and reset password on server commands apply in Windows Server 2008, and you can specify null in place of the server name to target the local domain controller:
> ntdsutil

> set dsrm password

> reset password on server DC1
Microsoft added a new utility called setpwd in Windows 2000 Service Pack 2 and later to reset the DSRM password in Windows 2000. It works similarly to the Windows Server 2003 and 2008 versions of ntdsutil by allowing you to reset the DS Restore Mode password while a domain controller is live. It can also be used remotely.
You may be thinking that having a separate DS Restore Mode administrator password can be quite a pain. Yet another thing you have to maintain and update on a regular basis, right? But if you think about it, you’ll see that it is quite necessary.
Generally, you boot a domain controller into DS Restore Mode when you need to perform some type of maintenance on the Active Directory database. To do this, the database needs to be offline. But if the database is offline, then there is no way to authenticate against it. Because of this, the system has to use another user repository, so it reverts back to the legacy SAM database. The DS Restore Mode administrator account and password are stored in the SAM database, just as with standalone Windows servers. Treat this password as a privileged credential: it is a local administrator on the domain controller, it is rarely audited, and a shared or stale DSRM password is a convenient backdoor for anyone who learns it. Rotate it when administrators leave, and on builds that have the DsrmAdminLogonBehavior value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, leave it at its default of 0 so that the account cannot log on while AD DS is running.
Performing a Nonauthoritative Restore
You want to perform a nonauthoritative restore of a domain controller. This can be useful if you want to quickly restore a domain controller that failed due to a hardware problem.

Using a graphical user interface (for Windows 2000 and Windows Server 2003)

  1. You must first reboot into Directory Services Restore Mode (see for more information).
  2. Open the NT Backup utility; go to Start→All Programs (or “Programs for Windows 2000”)→Accessories→System Tools→Backup.
  3. Click the Advanced Mode link.
  4. Under the Welcome tab, click the Restore Wizard button and click Next.
  5. Check the box beside System State and any other drives you want to restore and click Next.
  6. Click the Advanced button.
  7. Select “Original location” for “Restore files to.”
  8. For the “How to Restore” option, select “Replace existing files” and click Next.
  9. For the Advanced Restore Options, be sure that the following are checked: “Restore Security Settings,” “Restore junction points,” and “Preserve existing mount volume points.” Then click Next.
  10. Click Finish.
  11. Restart the computer.

Using a command-line interface (for Windows Server 2008)

To perform a system state recovery in Windows Server 2008, you will need to know the date and timestamp of the system state backup that you want to recover from. You can perform a nonauthoritative restore by rebooting the DC into DSRM, or else by stopping the Active Directory Domain Services service; you can stop this service from the Services MMC snap-in, from Server Manager, or by using the net stop command-line utility:
> wbadmin start systemstaterecovery -version:<BackupDate>-<BackupTime>
If you encounter a failed domain controller that you cannot bring back up (e.g., multiple hard disks fail), you have two options for restoring it. One option is to remove the domain controller completely from Active Directory (as outlined in ) and then repromote it back in. This is known as the restore from replication
Performing an Authoritative Restore of an Object
You want to perform an authoritative restore of one or more objects, but not the entire Active Directory database.
Follow the same steps as , except that once the restore has completed, do not restart the computer.
In Windows Server 2008, activate the appropriate database instance by typing activate instance ntds and then pressing Enter again before entering the auth restore command. To restore a single object, run the following:
> ntdsutil

> auth restore

> restore object cn=jsmith,ou=Sales,dc=adatum,dc=com

> q
To restore an entire subtree, run the following:
> ntdsutil

> auth restore

> restore subtree ou=Sales,dc=adatum,dc=com

> q
Restart the computer.
There are some issues related to restoring user, group, computer, and trust objects that you should be aware of. See MS KB 216243 and MS KB 280079 for more information.
If an administrator or user accidentally deletes an important object or entire subtree from Active Directory, you can restore it. Fortunately, the process isn’t very painful. The key is having a good backup that contains the objects you want to restore. If you don’t have a backup with the objects in it, you are, for the most part, out of luck. (See for another option to restore deleted objects in Windows Server 2003.)
To restore one or more objects, you follow the same steps as when performing a nonauthoritative restore. The only difference is that after the restore, you use ntdsutil to mark the objects in question as authoritative on the restored domain controller. After you reboot the domain controller, it receives updates from its replication partners for any objects that have changed since the backup, except for the objects or subtree that you marked as authoritative: for those, ntdsutil has raised the version numbers of the restored attributes so that they win any replication conflict and replicate out to the other domain controllers. Bear in mind that this reverts everything on the object to its backup-time state, including its password and other security attributes, and that linked attributes such as group membership need the extra handling described in MS KB 280079. Once replication has converged, you can confirm that the restored values won by running repadmin /showobjmeta <DC> <ObjectDN>, which lists the version number and originating DC of every attribute on the object.
Performing a Complete Authoritative Restore
You want to perform a complete authoritative restore of the Active Directory database because a significant failure has occurred.
Follow the same steps as in , except that after the restore has completed, do not restart the computer.
Run the following command to restore the entire database (in Windows Server 2008, you will need to enter the activate instance ntds command prior to the auth restore command):
> ntdsutil

> auth restore

> restore database

> q
Restart the computer.
In a production environment, you should never have to perform an authoritative restore of the entire Active Directory database unless you have encountered a drastic situation such as a forest recovery scenario. It is a drastic measure, and you will almost inevitably lose data as a result. Before you even attempt such a restore, you may want to contact Microsoft Support to make sure that all options have been exhausted. However, you should still test the authoritative restore process in a lab environment and make sure that you have the steps properly documented in case you ever do need to use it.
Even with the new “restartable Active Directory” functionality in Server 2008, an authoritative restore is a sufficiently sensitive operation that you must still reboot a 2008 domain controller into Directory Services Restore mode before performing the restore.
for getting into Directory Services Restore Mode, MS KB 216243 (Authoritative Restore of Active Directory and Impact on Trusts and Computer Accounts), MS KB 241594 (How to Perform an Authoritative Restore to a Domain Controller in Windows 2000), and MS KB 280079 (Authoritative Restore of Groups Can Result in Membership Information Across Domain Controllers)
Checking the DIT File’s Integrity
You want to check the integrity and semantics of the DIT file to verify that there is no corruption or bad entries.

Using a command-line interface

On a Windows 2000 or Windows Server 2003 domain controller, reboot into Directory Services Restore Mode. On a Windows Server 2008 DC, this recipe can be performed while the Active Directory Domain Services service is in the Stopped state; it is not necessary to reboot the DC into DSRM.
In Windows Server 2008, activate the appropriate database instance by typing activate instance ntds and then pressing Enter before running the files and the semantic database analysis commands.
Once the DC is prepared as needed, run the following commands:
> ntdsutil

> files

> integrity

> q

> q

> ntdsutil

> semantic database analysis

> verbose on

> go
The Active Directory DIT file (ntds.dit) is implemented as a transactional database. Microsoft uses the ESE database (also called Jet Blue) for Active Directory, which has been used for years in other products such as Microsoft Exchange.
Since the Active Directory DIT is ultimately a database, it can suffer from many of the same issues as traditional databases. The ntdsutil integrity command checks for any low-level database corruption and ensures that the database headers are correct and the tables are in a consistent state. It reads every byte of the database and can take quite a while to complete, depending on how large your DIT file is. The time it takes is also greatly dependent on your hardware, but some early estimates from Microsoft for Windows 2000 put the rate at 2 GB an hour.
Whereas the ntdsutil integrity command verifies the overall structure and health of the database files, the semantic database analysis command looks at the contents of the database. It verifies, among other things, reference counts, replication metadata, and security descriptors. If any errors are reported, you can run go fixup to attempt to correct them. Have a recent backup handy before doing this and perform this step only as a troubleshooting option, preferably under the direction of a Microsoft PSS engineer, since in the worst case the corruption cannot be fixed or the state of your AD database may even become worse after the
Moving the DIT Files
You want to move the Active Directory DIT files to a new drive to improve performance or capacity.

Using a command-line interface

On a Windows 2000 or Windows Server 2003 domain controller, reboot into Directory Services Restore Mode. On a Windows Server 2008 DC, this recipe can be performed while the Active Directory Domain Services service is in the Stopped state; it is not necessary to reboot the DC into DSRM.
Once the DC is prepared as needed, run the following commands, in which <DriveAndFolder> is the new location where you want to move the files (e.g., d:\NTDS):
> ntdsutil

> files

> move db to <DriveAndFolder>

> q

> q

> ntdsutil

> files

> move logs to <DriveAndFolder>

> q

> q
In Windows Server 2008, activate the appropriate database instance by typing activate instance ntds and then pressing Enter before running the file commands.
You can move the Active Directory database file (ntds.dit) independently of the logfiles. The first command in the solution moves the database, and the second moves the logs; ntdsutil updates the registry paths and applies the required permissions to the new folders. Run an integrity check against the database after the move to ensure that nothing went wrong (see for more details), and verify the permissions on the new location as well: only SYSTEM and Administrators should have access, because anyone who can read ntds.dit can extract every account's password hash from it offline. Make sure the new volume also has enough headroom for the logfiles and for the reserve files discussed later in this chapter.
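The following PowerShell function is an added example, not code from the book, for checking the result of a move (or the state of any DC): it reads the actual database and log locations from the NTDS service parameters, flags every ACE granted to a principal other than SYSTEM and Administrators, and reports the free space on the hosting volume. The allowed-identity list and the 200 MB threshold are assumptions made for this example, not Microsoft recommendations.

```powershell
# Added example (not from the book): audit where the AD database and logs live,
# who can access them, and how much space is left on the hosting volume.
# Run on a domain controller with administrative rights.
function Test-NtdsFileLocation {
    param(
        # Identities expected on the NTDS folders; anything else is reported.
        # CREATOR OWNER is included because the default ACL carries it. (Assumption.)
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'),
        # Free space (MB) below which the volume is reported as low. (Assumption.)
        [int]$MinimumFreeMB = 200
    )
    # The DSA reads its file locations from these registry values, so check
    # those rather than assuming %SystemRoot%\NTDS.
    $ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditFile = $ntds.'DSA Database file'
    $logPath = $ntds.'Database log files path'
    $folders = @((Split-Path $ditFile -Parent), $logPath) | Sort-Object -Unique

    foreach ($folder in $folders) {
        # Report every ACE that grants rights to an unexpected identity.
        $acl = Get-Acl -Path $folder
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($AllowedIdentities -notcontains $who) {
                New-Object PSObject -Property @{
                    Check  = 'UnexpectedACE'
                    Path   = $folder
                    Detail = "$who : $($ace.FileSystemRights) ($($ace.AccessControlType))"
                }
            }
        }
        # The two 10 MB res*.log files are the only cushion AD keeps by default,
        # so warn well before the volume fills up.
        $drive  = Split-Path $folder -Qualifier          # e.g. "D:"
        $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
        $freeMB = [math]::Round($disk.FreeSpace / 1MB)
        $status = 'FreeSpaceOK'
        if ($freeMB -lt $MinimumFreeMB) { $status = 'LowFreeSpace' }
        New-Object PSObject -Property @{
            Check  = $status
            Path   = $folder
            Detail = "$freeMB MB free on $drive"
        }
    }
}

Test-NtdsFileLocation | Select-Object Check, Path, Detail | Format-Table -AutoSize
```

An UnexpectedACE line for a group such as Users or Authenticated Users on the database folder means the DIT could be copied and cracked offline by anyone in that group and needs to be fixed immediately; a LowFreeSpace line is the cue to add the reserve file described later in this chapter or to move the files to a larger volume.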
for booting into Directory Services Restore Mode, for checking DIT file integrity, MS KB 257420 (How to Move the Ntds.dit File or logfiles), MS KB 315131 (How to Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows 2000), and MS KB 816120 (How to Use Ntdsutil to Manage Active Directory Files from the Command Line in Windows Server 2003)
Repairing or Recovering the DIT
You need to repair or perform a soft recovery of the Active Directory DIT because a power failure or some other failure caused the domain controller to enter an unstable state.

Using a command-line interface

On a Windows 2000 or Windows Server 2003 domain controller, reboot into Directory Services Restore Mode. On a Windows Server 2008 DC, this recipe can be performed while the Active Directory Domain Services service is in the Stopped state; it is not necessary to reboot the DC into DSRM.
Once the DC is prepared as appropriate, run the following commands to perform a soft recovery of the transaction logfiles. (In Windows Server 2008, activate the appropriate database instance by typing activate instance ntds and pressing Enter before entering the files command.)
> ntdsutil

> files

> recover

> q

> q
If you continue to experience errors, you may need to run a repair, which does a low-level repair of the database but can result in loss of data:
> ntdsutil

> files

> repair

> q

> q
The repair option from the ntdsutil files menu is not available in Windows Server 2008.
If either the recover or repair operations are successful, you should then check the integrity of the AD database (see ).
You should (hopefully) never need to recover or repair your Active Directory database. A recovery may be needed after a domain controller unexpectedly shuts down, perhaps due to a power loss, and certain changes were never committed to the database. When it boots back up, a soft recovery is automatically done in an attempt to reapply any changes that were contained in the transaction logfiles. Since Active Directory does this automatically, it is unlikely that running the ntdsutil recover command will be of much help. ntdsutil repair, on the other hand, can fix low-level problems, but it can also result in a loss of data, which cannot be predicted.
Performing an Online Defrag Manually
This recipe must be run against a Windows Server 2003 or newer domain controller.
You want to initiate an online defragmentation to optimize the disk space that’s being used by the ntds.dit file.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools. (LDP is installed natively with Active Directory Domain Services in Windows Server 2008.)
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of the target domain controller.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter the credentials of a user from one of the administrator groups.
  8. Click OK.
  9. From the menu, select Browse→Modify.
  10. Leave the Dn blank.
  11. For Attribute, enter “DoOnlineDefrag”.
  12. For Values, enter “180” (the maximum number of seconds the defrag may run).
  13. For Operation, select Add.
  14. Click Enter.
  15. Click Run.

Using a command-line interface

Create an LDIF file called online_defrag.ldf with the following contents (the empty dn: targets the RootDSE):
dn:
changetype: modify
replace: DoOnlineDefrag
DoOnlineDefrag: 180
-
Then run the following command:
> ldifde -v -i -f online_defrag.ldf
You can also perform an online defrag using AdMod:
> admod -b "" doOnlineDefrag::180

Using VBScript

' This code kicks off an online defrag to run for up to 180 seconds.
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>" ' e.g. dc01
' ------ END CONFIGURATION --------

' Bind to the RootDSE of the target DC and write the operational attribute
set objRootDSE = GetObject("LDAP://" & strDC & "/RootDSE")
objRootDSE.Put "DoOnlineDefrag", 180
objRootDSE.SetInfo
WScript.Echo "Successfully initiated an online defrag"

Using PowerShell

$rootDSE = [ADSI] "LDAP://<DomainControllerName>/RootDSE"
$rootDSE.Put("DoOnlineDefrag", "180")
$rootDSE.SetInfo()
Starting in Windows Server 2003 we were given the ability to initiate an online defragmentation. By default, the online defrag process runs every 12 hours on each domain controller after the garbage collection process completes. This process defrags the Directory database (ntds.dit) by combining whitespace generated from deleted objects, but does not reduce the size of the database file.
To start an online defrag, simply write the
Performing a Database Recovery
You want to perform a recovery of the Active Directory database when other methods have failed.

Using a command-line interface

On a Windows 2000 or Windows Server 2003 domain controller, reboot into Directory Services Restore Mode. On a Windows Server 2008 DC, this recipe can be performed while the Active Directory Domain Services service is in the Stopped state; it is not necessary to reboot the DC into DSRM.
Once the DC is prepared as needed, to perform an integrity check of the Active Directory database, enter the following:
> esentutl /g "<PathToNTDS.DIT>" /!10240 /8 /o
To perform a recovery of the AD database, enter the following:
> esentutl /r "<PathToNTDS.DIT>" /!10240 /8 /o
To perform a repair of the database, use the following syntax:
> esentutl /p "<PathToNTDS.DIT>" /!10240 /8 /o
When attempting to recover the ntds.dit database, you may occasionally encounter a situation where ntdsutil is unable to repair whatever damage has occurred. You may run into error messages similar to the following:
Operation failed because the database was inconsistent.
Initialize jet database failed; cannot access file.
Error while performing soft recovery.
Because the AD database is based on the ESE, you also have access to the esentutl database utility, which can perform a number of operations against the ntds.dit file, including defragmentation, database recovery or repair, and integrity checks. (For a complete description of each operation, type esentutl /? at the command line.)
If the ntdsutil recovery options listed elsewhere in this chapter fail, you can attempt to repair AD using this ESE utility. Many of the operations that you can perform with esentutl have the potential to exacerbate data loss, so be certain that you have a viable backup in place before attempting any of them. In fact, in some cases it may actually be simpler and quicker to simply restore from a known good backup to get your domain or forest back online again.
[End of preview. The rest of this section is not shown here.]
Creating a Reserve File
You want to create another reserve file on the disk containing the ntds.dit file to guard against AD failures caused by disk space shortages.

Using a command-line interface

The following command will create an empty reserve file, 250 MB in size, in the same directory as the ntds.dit file:
> fsutil file createnew <PathToNTDS.DIT>\reservefile 256000000
For example, the following will create the reserve file in c:\windows\ntds:
> fsutil file createnew c:\windows\ntds\reservefile 256000000
By default, Active Directory creates two files called res1.log and res2.log in the same directory as the ntds.dit database. Each of these files is 10 MB in size and is used to hold in reserve the last 20 MB of space on the drive hosting the AD database files. If a domain controller runs out of space on that drive, Active Directory will use the space being held by res1.log and res2.log to commit any uncommitted transactions before shutting down so that no information is lost. If you wish to set aside more space than this, you can create a reserve file to set aside additional space; this reserve file can then be manually deleted to free up disk space. This can provide an additional safeguard against a user or administrator inadvertently filling up the drive that’s hosting the ntds.dit file, or to guard against a virus or a malicious user performing a denial-of-service attack by intentionally filling up the drive.
To prevent accidental or malicious bloating of the ntds.dit file itself, you can also establish quotas to restrict the number of objects that can be created by a user.
for more on creating Active Directory quotas and for configuring how tombstoned objects affect quotas
[End of preview. The rest of this section is not shown here.]
Determining How Much Whitespace Is in the DIT
You want to find the amount of whitespace in your DIT. A lot of whitespace in the DIT may mean that you could regain enough space on the disk to warrant performing an offline defrag.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
  3. In the right pane, double-click on 6 Garbage Collection.
  4. For Value data, enter 1.
  5. Click OK.

Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 1

Using VBScript

' This code enables logging of DIT
' whitespace information in the event log.
' ------ SCRIPT CONFIGURATION ------
strDCName = "<DomainControllerName>" ' e.g. dc1
' ------ END CONFIGURATION --------

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", 1
WScript.Echo "Garbage Collection logging set to 1"

Using PowerShell

# The "6 Garbage Collection" value lives under ...\NTDS\Diagnostics (as in the
# GUI and CLI solutions above), not under ...\NTDS\Parameters.
$strRegPath = "HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics"
Set-ItemProperty -Path $strRegPath -Name "6 Garbage Collection" -Value 1
By setting the 6 Garbage Collection diagnostics logging option, event 1646 will get generated after the garbage collection process runs. Here is a sample 1646 event:
Event Type:         Information
Event Source:       NTDS Database
Event Category:     Garbage Collection
Event ID:           1646
Date:               5/25/2003
Time:               9:52:46 AM
User:               NT AUTHORITY\ANONYMOUS LOGON
Computer:           DC1
Description:
Internal event:     The Active Directory database has the following amount of free
hard disk space remaining.

Free hard disk space (megabytes): 100
Total allocated hard disk space (megabytes): 1024
This shows that domain controller DC1 has a 1 GB DIT file of which 100 MB is free (i.e., whitespace).
for performing an offline defrag
[End of preview. The rest of this section is not shown here.]
Performing an Offline Defrag to Reclaim Space
You want to perform an offline defrag of the Active Directory DIT to reclaim whitespace in the DIT file.

Using a command-line interface

On a Windows 2000 or Windows Server 2003 domain controller, reboot into Directory Services Restore Mode. On a Windows Server 2008 DC, this recipe can be performed while the Active Directory Domain Services service is in the Stopped state; it is not necessary to reboot the DC into DSRM.
  1. Once the DC is prepared as necessary, check the integrity of the DIT as outlined in .
  2. Now, you are ready to perform the defrag operation. Run the following command to create a compacted copy of the DIT file. You should check to make sure the drive on which you create the copy has plenty of space. A rule of thumb is that it should have at least 115 percent of the size of the current DIT available:
    > ntdsutil files "compact to <TempDriveAndFolder>" q q
  3. Next, you need to delete the transaction logfiles in the current NTDS directory:
    > del <CurrentDriveAndFolder>\*.log
  4. You may want to keep a copy of the original DIT file for a short period of time to ensure that nothing catastrophic happens to the compacted DIT. This does not replace the need for a System State backup and a backup of the domain controller’s system drive; it is simply a temporary measure to provide a fallback if the move process itself goes wrong. If you are going to copy or move the original version, be sure you have enough space in its new location:
    > move <CurrentDriveAndFolder>\ntds.dit <TempDriveAndFolder>\ntds_orig.dit
    
    > move <TempDriveAndFolder>\ntds.dit <CurrentDriveAndFolder>\ntds.dit
  5. Repeat the steps in to ensure the new DIT is not corrupted. If it is clean, reboot into normal mode and monitor the event log. If no errors are reported in the event log, make sure the domain controller is backed up as soon as possible.
Performing an offline defragmentation of your domain controllers can reclaim disk space if you’ve deleted a large number of objects from Active Directory. You should perform an offline defrag when (and if) this occurs only if you actively require the disk space back—e.g., when following a spin-off in which you’ve migrated a large number of objects into a separate domain. The database will reuse whitespace and grow organically as required. Typically, the database grows year over year as more objects are added, so an offline defrag should seldom be required. An offline defrag always carries a small element of risk, so it should not be done unnecessarily.
[End of preview. The rest of this section is not shown here.]
Changing the Garbage Collection Interval
You want to change the default garbage collection interval.

Using a graphical user interface

  1. Open ADSI Edit.
  2. In the left pane, expand cn=Configuration→cn=Services→cn=Windows NT.
  3. Right-click on cn=Directory Service and select Properties.
  4. Edit the garbageCollPeriod attribute and set it to the interval in hours at which the garbage collection process should run (the default is 12 hours).
  5. Click OK.

Using a command-line interface

Create an LDIF file called change_garbage_period.ldf with the following contents:
dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: garbageCollPeriod
garbageCollPeriod: <IntervalInHours>
-
Then run the following command:
> ldifde -v -i -f change_garbage_period.ldf
You can also modify the garbage collection period using AdMod:
> adfind -config -rb "cn=Directory Service,cn=Windows NT,cn=Services" -s base -dsq | admod garbageCollPeriod::<IntervalInHours>

Using VBScript

' This code changes the default garbage-collection interval.
' ------ SCRIPT CONFIGURATION ------
intGarbageColl = <IntervalInHours>
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _
             "cn=Services," & objRootDSE.Get("configurationNamingContext") )
objDSCont.Put "garbageCollPeriod", intGarbageColl
objDSCont.SetInfo
WScript.Echo "Successfully set the garbage collection interval to " & _
             intGarbageColl

Using PowerShell

Set-QADObject -Identity "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>" -ObjectAttributes @{garbageCollPeriod=<IntervalInHours>}

$ds = [ADSI] "LDAP://cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>"
$ds.Put("garbageCollPeriod", "<IntervalInHours>")
$ds.SetInfo()
When an object is deleted from the Configuration naming context, a Domain naming context, or an application partition, the object is tombstoned by renaming the object, moving it to the Deleted Object container, and clearing the value of most of its attributes to save space in the
[End of preview. The rest of this section is not shown here.]
Logging the Number of Expired Tombstone Objects
You want to log the number of expired tombstone objects that are removed from Active Directory during each garbage collection cycle.

Using a graphical user interface

  1. Run regedit.exe from the command line or Start→Run.
  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
  3. In the right pane, double-click on 6 Garbage Collection.
  4. For Value data, enter 3.
  5. Click OK.

Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics /v "6 Garbage Collection" /t REG_DWORD /d 3

Using VBScript

' This code enables garbage-collection logging.
' ------ SCRIPT CONFIGURATION ------
strDCName = "<DomainControllerName>"
intValue = 3
' ------ END CONFIGURATION --------

const HKLM = &H80000002
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strDCName & "\root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, "6 Garbage Collection", intValue
WScript.Echo "Garbage Collection logging enabled"

Using PowerShell

# The "6 Garbage Collection" value lives under ...\NTDS\Diagnostics (as in the
# GUI and CLI solutions above), not under ...\NTDS\Parameters.
$strRegPath = "HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics"
Set-ItemProperty -Path $strRegPath -Name "6 Garbage Collection" -Value 3
Here is a sample event that is logged when the 6 Garbage Collection diagnostics logging level is set to 3 or higher:
Event Type:          Information
Event Source:        NTDS General
Event Category:      Garbage Collection
Event ID:            1006
Date:                6/24/2008
Time:                11:29:31 AM
User:                NT AUTHORITY\ANONYMOUS LOGON
Computer:            DC1
Description:
Internal event: Finished removing deleted objects that have expired (garbage
collection). Number of expired deleted objects that have been removed: 229.
for more on diagnostics logging and for more on the garbage collection process
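The two diagnostic events shown in these recipes (1646 from the whitespace recipe and 1006 from this one) only help if something reads them. The following Python script is an added example, not code from the book: it parses constructed copies of both event texts and applies two assumed thresholds, one for when whitespace justifies the risk of an offline defrag and one that flags a garbage-collection run that purged far more tombstones than usual, which is a late but cheap indicator that a bulk deletion happened one tombstone lifetime earlier. The field names and layout follow the events printed above; the thresholds, computer names and counts are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample events, modelled on the 1646 (DIT free space) and 1006
# (expired tombstones removed) events shown in these recipes. The numbers are
# made up for the example; DC2's purge count is deliberately large.
SAMPLE_EVENTS = [
    "Event Source: NTDS Database\nEvent ID: 1646\nComputer: DC1\nDescription:\n"
    "Internal event: The Active Directory database has the following amount of free "
    "hard disk space remaining.\n\nFree hard disk space (megabytes): 100\n"
    "Total allocated hard disk space (megabytes): 1024",
    "Event Source: NTDS General\nEvent ID: 1006\nComputer: DC1\nDescription:\n"
    "Internal event: Finished removing deleted objects that have expired (garbage "
    "collection). Number of expired deleted objects that have been removed: 229.",
    "Event Source: NTDS General\nEvent ID: 1006\nComputer: DC2\nDescription:\n"
    "Internal event: Finished removing deleted objects that have expired (garbage "
    "collection). Number of expired deleted objects that have been removed: 48000.",
]

EVENT_ID_RE = re.compile(r"^Event ID:\s*(\d+)", re.MULTILINE)
COMPUTER_RE = re.compile(r"^Computer:\s*(\S+)", re.MULTILINE)
FREE_RE = re.compile(r"Free hard disk space \(megabytes\):\s*(\d+)")
TOTAL_RE = re.compile(r"Total allocated hard disk space \(megabytes\):\s*(\d+)")
EXPIRED_RE = re.compile(r"expired deleted objects that have been removed:\s*(\d+)")


@dataclass
class DitSpace:
    """Parsed event 1646: free (whitespace) and total size of ntds.dit in MB."""
    computer: str
    free_mb: int
    total_mb: int

    @property
    def whitespace_pct(self) -> float:
        return 100.0 * self.free_mb / self.total_mb


@dataclass
class GarbageCollection:
    """Parsed event 1006: expired tombstones purged in one garbage-collection run."""
    computer: str
    expired_removed: int


def parse_event(text: str) -> Optional[Union[DitSpace, GarbageCollection]]:
    """Return a parsed record for a 1646 or 1006 event, None for anything else."""
    id_match = EVENT_ID_RE.search(text)
    computer_match = COMPUTER_RE.search(text)
    if not id_match or not computer_match:
        return None
    event_id, computer = int(id_match.group(1)), computer_match.group(1)
    if event_id == 1646:
        free, total = FREE_RE.search(text), TOTAL_RE.search(text)
        if free and total:
            return DitSpace(computer, int(free.group(1)), int(total.group(1)))
    elif event_id == 1006:
        expired = EXPIRED_RE.search(text)
        if expired:
            return GarbageCollection(computer, int(expired.group(1)))
    return None


def defrag_warranted(space: DitSpace, min_pct: float = 20.0, min_mb: int = 500) -> bool:
    """An offline defrag is only worth its risk if whitespace is a large share of the
    DIT and a meaningful amount of disk. Both thresholds are assumptions for this example."""
    return space.whitespace_pct >= min_pct and space.free_mb >= min_mb


def mass_deletion_suspected(gc: GarbageCollection, baseline: int, factor: int = 10) -> bool:
    """Flag a run whose purge count dwarfs the usual baseline (assumed threshold). The
    spike appears one tombstone lifetime after a bulk deletion, so it is a late signal."""
    return gc.expired_removed >= baseline * factor


def summarize(events: List[str], baseline: int = 500) -> List[Tuple[str, str, bool]]:
    """(computer, kind, flagged) for every recognised event in the input."""
    out: List[Tuple[str, str, bool]] = []
    for text in events:
        record = parse_event(text)
        if isinstance(record, DitSpace):
            out.append((record.computer, "dit_space", defrag_warranted(record)))
        elif isinstance(record, GarbageCollection):
            out.append((record.computer, "gc", mass_deletion_suspected(record, baseline)))
    return out


if __name__ == "__main__":
    for computer, kind, flagged in summarize(SAMPLE_EVENTS):
        print(f"{computer}: {kind} flagged={flagged}")
```

On a real domain controller the event text would come from the Directory Service log rather than from the constructed strings; the parsing and the two decisions stay the same.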
[End of preview. The rest of this section is not shown here.]
Determining the Size of the Active Directory Database
You want to determine the size of the Active Directory database.

Using a command-line interface in Windows Server 2003

If you are in DS Restore Mode, you can use ntdsutil to report the size of the Active Directory database:
> ntdsutil files info
If you are not in DS Restore Mode and run this command, you will receive the following error message:
*** Error: Operation only allowed when booted in DS restore mode
"set SAFEBOOT_OPTION=DSREPAIR" to override - NOT RECOMMENDED!
As you can see, it is possible to override this failure by setting the SAFEBOOT_OPTION environment variable to DSREPAIR, but we do not recommend this unless you know what you are doing. By setting this environment variable, the ntdsutil command will not stop you from performing other commands that should not be done while the database is online. This can obviously be quite dangerous.

Using a command-line interface in Windows Server 2008

In Windows Server 2008, you can obtain the file size information without booting into Directory Services Restore Mode by temporarily stopping the Active Directory Domain Services service, as follows:
net stop "active directory domain services"
You will receive a message indicating that the following four dependent services will also be stopped:
  • Key Distribution Center
  • Intersite Messaging
  • DNS Server
  • DFS Replication
Once the AD DS service has been stopped, you can display file information using the following syntax:
ntdsutil
ntdsutil: activate instance "ntds"
ntdsutil: files
file maintenance: info
file maintenance: quit
ntdsutil: quit
When you are finished, don’t forget to restart the AD DS service, as well as any dependent services that halted when you stopped Active Directory Domain Services.
The size of the Active Directory database on a domain controller is the size of the ntds.dit file. This file can vary slightly in size between domain controllers, even within the same domain, due to unreplicated changes, differences with nonreplicated data, and whitespace from purged objects.
[End of preview. The rest of this section is not shown here.]
Searching for Deleted Objects
You want to search for deleted objects.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller you want to target (or leave blank to do a serverless bind).
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Connect.
  7. Enter credentials of a user who is an administrator for the domain.
  8. Click OK.
  9. From the menu, select Options→Controls.
  10. For Windows Server 2003, select the Return Deleted Objects control under Load Predefined. For Windows 2000, type 1.2.840.113556.1.4.417 for the Object Identifier and click the Check In button.
  11. Click OK.
  12. From the menu, select Browse→Search.
  13. For BaseDN, enter “cn=Deleted Objects,<DomainDN>”.
  14. For Scope, select One Level.
  15. For Filter, enter “(isDeleted=TRUE)”.
  16. Click the Options button.
  17. Under Search Call Type, select Extended.
  18. Click OK.
  19. Click Run.

Using a command-line interface

To view all of the deleted objects in the current domain, use the following syntax:
> adfind -default -rb "cn=Deleted Objects" -showdel
You can also use the adrestore.exe utility from the Microsoft website by simply typing adrestore from the command line.

Using VBScript

It is currently not possible to search for deleted objects with ADSI or ADO.

Using PowerShell

You can search for tombstoned objects using the SDM AD Tombstone Reanimation cmdlets, which are freeware cmdlets available from http://www.sdmsoftware.com, using the following syntax:
Get-SDMADTombstone
When an object is deleted in Active Directory, it is not really deleted, at least not immediately. The object is renamed, most of its attributes are cleared, and it is moved to the Deleted Objects container within the naming context that it was deleted from. See for more on tombstone objects.
Not all objects are moved to the Deleted Objects container. If you are unable to find a given deleted object, open the search scope to the whole naming context the object previously existed in.
[End of preview. The rest of this section is not shown here.]
Undeleting a Single Object
You want to undelete or reanimate an object that has been deleted from your Windows Server 2003 Active Directory domain.
This recipe requires Windows Server 2003 or newer Active Directory.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools.
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a domain controller or domain that contains the object.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter the credentials of a user who can view deleted objects.
  8. Click OK.
  9. Click on Options→Controls. In the Load Pre-defined drop-down box, select “Return deleted objects.” Click OK.
  10. From the menu, select View→Tree.
  11. For BaseDN, type “cn=Deleted Objects,<DomainDN>”.
  12. Click OK.
  13. Click the + sign next to the Deleted Objects container in the righthand pane to browse the deleted objects in your domain.
  14. Double-click on the object that you want to undelete.
  15. Right-click on the object and select Modify.
  16. In the Edit Entry Attribute box, enter “isDeleted.” Leave the Value box blank. Select Delete from the Operation radio buttons, and then click Enter.
  17. Enter “distinguishedName” in the Edit Entry Attribute box, and enter the DN that the restored object should have. Select Replace from the Operation radio buttons, and then click Enter.
  18. Once you’ve entered both changes, click Run.

Using a command-line interface

adfind -default -f "name=<ObjectRDN>*" -showdel -dsq | admod -undel
When an Active Directory object is deleted, it is placed in the cn=Deleted Objects container within the domain naming context. To save space in the ntds.dit file, most of the object’s attribute values are cleared; only a small subset are actually retained, including:
  • SID
  • ObjectGUID
  • LastKnownParent
  • sAMAccountName
  • SIDHistory (Windows Server 2003 SP1 and later)
Once you’ve manually reanimated an object, you’ll need to manually restore any additional attributes that were not saved when the object was tombstoned; e.g., for a user object, you’ll want to reconfigure their home directory, logon script information, and the like. You’ll also need to re-enter the user into any necessary security and distribution groups so that she can receive the necessary access to resources that she possessed before her account was deleted.
[End of preview. The rest of this section is not shown here.]
Undeleting a Container Object
You want to undelete a container object such as an OU that contained other objects when it was deleted.
This recipe requires Windows Server 2003 or newer Active Directory.

Using a graphical user interface

Use the steps in to first undelete the container object. Then undelete each individual child object that was contained within the container, specifying the container’s DN in the restored object’s DN. Alternately, perform a System State restore and use ntdsutil to mark the restored OU as authoritative, as described in .
Performing an authoritative restore of user or group objects will require additional considerations, as detailed in MS KB 280079 (Authoritative Restore of Groups Can Result in Inconsistent Membership Information Across Domain Controllers).

Using a command-line interface

> adfind -default -rb "cn=Deleted Objects" -f "(name=<ContainerRDN>*)" -showdel -dsq | admod -undel

> adfind -default -rb "cn=Deleted Objects" -f "(lastKnownParent=<ParentContainerDN>)" -showdel -dsq | admod -undel
When you delete an Active Directory container object, it also deletes any child objects that are housed within that container. Restoring an entire OU, for example, therefore requires you to restore both the container itself as well as all of the child objects contained within it. This is relatively simple to perform from the command line since you can restrict your query to those objects that have the appropriate value listed in the lastKnownParent attribute. However, just as when you reanimate an individual object, each of these child objects will need to have its individual attributes re-established. Therefore, when restoring a container object, your most efficient method will be to perform a System State restore and to use ntdsutil to mark the restored OU as .
MSDN: Restoring Deleted Object [Active Directory]
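To see why reanimating an OU and its children (this recipe and the previous one) recovers identities but not the rest of their attributes, here is a small in-memory model, added as an example and not part of the book or of Active Directory itself: it tombstones an OU and a user by keeping only the attribute set listed in the previous recipe, renames them the way AD does (<RDN>\0ADEL:<objectGUID> under cn=Deleted Objects), then performs the two LDP modifications (delete isDeleted, replace distinguishedName) on the container and on every tombstone whose lastKnownParent is the container's original DN, as the adfind query above does. Tombstoning children before the container is a simplification of this model; the DNs, SID, share and group names are constructed.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, List, Set

# Attributes the previous recipe lists as surviving tombstoning, plus the
# identity attributes any entry needs. Everything else is stripped on deletion.
RETAINED_ON_TOMBSTONE: Set[str] = {
    "objectSid", "objectGUID", "lastKnownParent", "sAMAccountName", "sIDHistory",
    "objectClass", "name",
}


def split_dn(dn: str):
    # Toy splitter: no support for escaped commas inside RDN values.
    rdn, _, parent = dn.partition(",")
    rdn_type, _, rdn_value = rdn.partition("=")
    return rdn_type, rdn_value, parent


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, object]


class ToyNamingContext:
    """In-memory stand-in for one naming context with its Deleted Objects container.
    Constructed for this example; it models the behaviour the recipe describes, not LDAP."""

    def __init__(self, nc_dn: str):
        self.deleted_container = f"CN=Deleted Objects,{nc_dn}"
        self.entries: Dict[str, Entry] = {}

    def add(self, dn: str, **attrs) -> Entry:
        attrs.setdefault("objectGUID", str(uuid.uuid4()))
        attrs["name"] = split_dn(dn)[1]
        self.entries[dn] = Entry(dn, attrs)
        return self.entries[dn]

    def live_children(self, parent_dn: str) -> List[Entry]:
        return [e for e in self.entries.values()
                if split_dn(e.dn)[2] == parent_dn and not e.attrs.get("isDeleted")]

    def delete(self, dn: str) -> str:
        """Tombstone an entry and, for a container, its subtree. Children go first so
        their lastKnownParent is the container's original DN. Returns the tombstone DN."""
        for child in self.live_children(dn):
            self.delete(child.dn)
        entry = self.entries.pop(dn)
        rdn_type, _, parent = split_dn(dn)
        kept = {k: v for k, v in entry.attrs.items() if k in RETAINED_ON_TOMBSTONE}
        kept["isDeleted"] = True
        kept["lastKnownParent"] = parent
        # Real tombstones are renamed <RDN>\0ADEL:<objectGUID> under Deleted Objects.
        ts_dn = f"{rdn_type}={entry.attrs['name']}\\0ADEL:{entry.attrs['objectGUID']},{self.deleted_container}"
        self.entries[ts_dn] = Entry(ts_dn, kept)
        return ts_dn

    def tombstones_under(self, last_known_parent: str) -> List[Entry]:
        return [e for e in self.entries.values()
                if e.attrs.get("isDeleted") and e.attrs.get("lastKnownParent") == last_known_parent]

    def reanimate(self, tombstone_dn: str, new_dn: str) -> Entry:
        """The two LDP modifications: delete isDeleted, replace distinguishedName."""
        ts = self.entries.pop(tombstone_dn)
        attrs = dict(ts.attrs)
        del attrs["isDeleted"]
        attrs.pop("lastKnownParent", None)
        attrs["name"] = split_dn(new_dn)[1]
        self.entries[new_dn] = Entry(new_dn, attrs)
        return self.entries[new_dn]


def reanimate_subtree(nc: ToyNamingContext, container_tombstone_dn: str, container_dn: str) -> List[Entry]:
    """Container first, then every tombstone whose lastKnownParent is the container's DN."""
    restored = [nc.reanimate(container_tombstone_dn, container_dn)]
    for ts in nc.tombstones_under(container_dn):
        rdn_type = split_dn(ts.dn)[0]
        restored.append(nc.reanimate(ts.dn, f"{rdn_type}={ts.attrs['name']},{container_dn}"))
    return restored


def lost_attributes(before: Dict[str, object], after: Dict[str, object]) -> Set[str]:
    return set(before) - set(after)


def demo():
    """Constructed scenario: an OU holding one user is deleted, then reanimated."""
    nc = ToyNamingContext("DC=adatum,DC=com")
    ou = "OU=Sales,DC=adatum,DC=com"
    nc.add(ou, objectClass="organizationalUnit")
    user_dn = f"CN=Alice,{ou}"
    original = dict(nc.add(user_dn, objectClass="user", sAMAccountName="alice",
                           objectSid="S-1-5-21-1-2-3-1105",
                           memberOf=["CN=Sales Admins,CN=Users,DC=adatum,DC=com"],
                           homeDirectory=r"\\fs1\alice").attrs)
    ts_ou = nc.delete(ou)
    restored = reanimate_subtree(nc, ts_ou, ou)
    return restored, lost_attributes(original, nc.entries[user_dn].attrs)
```

Running demo() shows the user back at its old DN with SID and sAMAccountName intact, while memberOf and homeDirectory are gone; that gap is what an authoritative restore from backup avoids.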
[End of preview. The rest of this section is not shown here.]
Modifying the Tombstone Lifetime for a Domain
You want to change the default tombstone lifetime for a domain.

Using a graphical user interface

  1. Open ADSI Edit.
  2. In the left pane, expand cn=Configuration→cn=Services→cn=Windows NT.
  3. Right-click on “cn=Directory Service” and select Properties.
  4. Set the tombstoneLifetime attribute to the number of days that tombstone objects should remain in Active Directory before getting removed completely (the default is 60 days in Windows Server 2003, and 180 days for AD environments installed from scratch on a Service Pack 1 server).
  5. Click OK.

Using a command-line interface

Create an LDIF file called change_tombstone_lifetime.ldf with the following contents:
dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-
Then run the following command:
> ldifde -v -i -f change_tombstone_lifetime.ldf
You can also make this change using AdMod, as follows:
> admod -b "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>" tombstoneLifetime::<NumberOfDays>

Using VBScript

' This code modifies the default
' tombstone lifetime.
' ------ SCRIPT CONFIGURATION ------
intTombstoneLifetime = <NumberOfDays>
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _
                "cn=Services," & objRootDSE.Get("configurationNamingContext") )
objDSCont.Put "tombstoneLifetime", intTombstoneLifetime
objDSCont.SetInfo
WScript.Echo "Successfully set the tombstone lifetime to " & _
             intTombstoneLifetime

Using PowerShell

Set-QADObject -Identity "LDAP://cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>" -ObjectAttributes @{tombstoneLifetime=<NumberOfDays>}

$ds = [ADSI] "LDAP://cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>"
$ds.Put("tombstoneLifetime", <NumberOfDays>)
$ds.SetInfo()
In Windows Server 2003 RTM and Windows Server 2003 R2, the default tombstone lifetime for Active Directory is 60 days. This was increased to 180 days in Service Pack 1 due to numerous customers needing to extend this value from its original default, but you will see this value populated automatically only in a forest that was created from scratch on a server that already has Windows Server 2003 Service Pack 1 or Service Pack 2 installed, as well as Windows Server 2008 RTM and beyond. If you upgrade an existing 2003 or R2 domain controller to an updated service pack level or to Windows Server 2008, the tombstone lifetime will stay at 60 days unless you manually increase it using one of the solutions in this recipe.
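The tombstone lifetime matters beyond garbage collection: it is also the window in which a deleted object can still be reanimated, and the maximum age of a System State backup that can still be restored (Windows refuses older ones, because deletions made since the backup could otherwise be resurrected with no tombstone left to reconcile them). The Python functions below are an added example, not the book's code; they take the attribute value as read from cn=Directory Service (None standing for <not set>, which is what an upgraded forest keeps) and apply the defaults this recipe states. The backup-interval margin and the dates in the demo scenario are assumptions.

```python
from datetime import date, timedelta
from typing import Optional

# Defaults as described in this recipe: 60 days is the hard-coded value that
# applies while tombstoneLifetime is <not set>; forests created from scratch on
# Windows Server 2003 SP1 or later (or on Windows Server 2008) have 180 written in.
HARDCODED_DEFAULT_DAYS = 60
SP1_PLUS_NEW_FOREST_DAYS = 180


def _d(iso: str) -> date:
    return date.fromisoformat(iso)


def effective_tombstone_lifetime(attribute_value: Optional[int]) -> int:
    """Lifetime that actually governs garbage collection. None models an attribute
    that is <not set>, which is what an upgraded (not freshly created) forest keeps."""
    if attribute_value is None:
        return HARDCODED_DEFAULT_DAYS
    if attribute_value <= 0:
        raise ValueError("tombstoneLifetime must be a positive number of days")
    return attribute_value


def reanimation_deadline(deleted_on: str, tsl_days: int) -> str:
    """Last day the tombstone still exists and can be reanimated (ISO dates). After
    this the garbage collector removes it and only a restore from backup helps."""
    return (_d(deleted_on) + timedelta(days=tsl_days)).isoformat()


def backup_is_usable(backup_taken_on: str, today: str, tsl_days: int) -> bool:
    """A System State backup must be younger than the tombstone lifetime to be
    restorable; Windows refuses older backups to avoid lingering objects."""
    return (_d(today) - _d(backup_taken_on)).days < tsl_days


def max_safe_backup_interval(tsl_days: int, safety_fraction: float = 0.5) -> int:
    """Backup cadence that keeps a usable copy even if one cycle is missed. The
    half-lifetime margin is an assumption for this example."""
    return max(1, int(tsl_days * safety_fraction))


def report(attribute_value: Optional[int], deleted_on: str, backup_taken_on: str, today: str) -> dict:
    tsl = effective_tombstone_lifetime(attribute_value)
    return {
        "tombstone_lifetime_days": tsl,
        "reanimation_deadline": reanimation_deadline(deleted_on, tsl),
        "backup_usable": backup_is_usable(backup_taken_on, today, tsl),
        "max_backup_interval_days": max_safe_backup_interval(tsl),
    }


if __name__ == "__main__":
    # Constructed scenario: forest upgraded in place (attribute still <not set>), an
    # object deleted on 1 March 2008, last backup 1 January 2008, checked on 10 March 2008.
    print(report(None, "2008-03-01", "2008-01-01", "2008-03-10"))
```

In the demo scenario the 69-day-old backup is already unusable at the 60-day default but would still be fine at 180 days, which is the practical reason for raising the value on an upgraded forest rather than leaving it <not set>.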
[End of preview. The rest of this section is not shown here.]
Chapter 17: Application Partitions
Active Directory domain controllers, when first installed, host three predefined partitions. The Configuration naming context is replicated to all domain controllers in the forest, and contains information that is needed forest-wide, such as the site topology and LDAP query policies. The Schema naming context is also replicated forest-wide and contains all of the schema objects that define how data is stored and structured in Active Directory. The third partition is the Domain naming context, which is replicated to all of the domain controllers that host a particular domain.
Windows Server 2003 introduced a new type of partition, called an application partition, which is very similar to the other naming contexts except that you can configure which domain controllers in the forest will replicate the data that’s contained within it. Examples include the DomainDnsZones partition, which is replicated across all AD-Integrated DNS servers in the same domain, and ForestDnsZones, which is replicated across all AD-integrated DNS servers in the forest. This capability gives administrators much more flexibility over how they can store and replicate the data that is contained in Active Directory. If you need to replicate a certain set of data to only two different sites, for example, you can create an application partition that will only replicate the data to the domain controllers in those two sites rather than replicating the data to additional DCs that have no need of it.
See for more on DNS-related management tasks, as well as Active Directory, Fourth Edition, by Brian Desmond et al. (O’Reilly) for more details on application .
Application partitions are new to Windows Server 2003, so this entire chapter applies only to Windows Server 2003 and Windows Server 2008 domain controllers. Windows 2000 domain controllers cannot host application partitions.
Application partitions are stored in Active Directory in a similar fashion as a Domain NC. In fact, application partitions and Domain NCs consist of the same two types of objects: a
[End of preview. The rest of this section is not shown here.]
Creating and Deleting an Application Partition
You want to create or delete an application partition. Application partitions are useful if you need to replicate data to a subset of locations where you have domain controllers. Instead of replicating the application data to all domain controllers in a domain, you can use an application partition to replicate the data to only the domain controllers of your choosing.

Using a command-line interface

Use the following command to create an application partition on a domain controller:
On a Windows Server 2008 domain controller, enter the command activate instance ntds prior to entering the dom man command.
> ntdsutil
> ntdsutil: dom man
> domain management: conn
> connections: conn to se <DomainControllerName>
> connections: q
> domain management: create nc <AppPartitionDN> NULL
> domain management: q
> ntdsutil: q
Use the following command to delete an application partition:
On a Windows Server 2008 domain controller, enter the command activate instance ntds prior to entering the dom man command.
> ntdsutil
> ntdsutil: dom man
> domain management: conn
> connections: conn to se <DomainControllerName>
> connections: q
> domain management: delete nc <AppPartitionFQDN>
> domain management: q
> ntdsutil: q
To create an application partition, you’ll use the ntdsutil utility to create a domainDNS object that serves as the root container for the partition. A crossRef object is automatically created in the Partitions container in the Configuration NC. Conversely, when removing an application partition, you only need to remove the crossRef object and the domainDNS is automatically deleted. When you delete an application partition, all objects within the partition also get deleted. Tombstone objects are not created for any of the objects within the application partition or for the application partition itself.
MS KB 322669 (How to Manage the Application Directory Partition and Replicas in Windows Server 2003), MSDN: Creating an Application Directory Partition, and MSDN: Deleting an Application Directory Partition
[End of preview. The rest of this section is not shown here.]
Finding the Application Partitions in a Forest
You want to find the application partitions that have been created in a forest.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools. (LDP is installed by default with the Active Directory Domain Services role in Windows Server 2008.)
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a DC.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter a user and password with the necessary credentials.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the DN of the Partitions container (for example, cn=partitions,cn=configuration,dc=adatum,dc=com).
  11. For Filter, enter:
    (&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))
  12. For Scope, select One Level.
  13. Click the Options button.
  14. For Attributes, type dnsRoot.
  15. Click OK.
  16. Click Run.

Using a command-line interface

Use the following command to find all of the application partitions in a forest:
> dsquery * cn=partitions,cn=configuration,<ForestDN> -filter "(&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))" -scope onelevel -attr dnsRoot
You can also find application partitions in a forest using AdFind:
> adfind -sc appparts+

Using VBScript

' This code displays the application partitions contained in the
' default forest

set objRootDSE = GetObject("LDAP://RootDSE")
strBase    =  "<LDAP://cn=Partitions," & _
              objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=crossRef)" & _
             "(systemFlags:1.2.840.113556.1.4.803:=5));"
strAttrs = "cn,ncName;"
strScope = "onelevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)

' MoveFirst raises an error on an empty recordset, so test EOF first
if not objRS.EOF then objRS.MoveFirst
while not objRS.EOF
   Wscript.Echo objRS.Fields("nCName").Value
   objRS.MoveNext
wend

Using PowerShell

The following example will search for application partitions within an Active Directory domain using the Quest get-QADObject cmdlet. The crossRef objects live in the Partitions container of the Configuration naming context, so the search root must point there rather than at the default domain root:
Get-QADObject -SearchRoot "cn=Partitions,cn=Configuration,<ForestDN>" -SearchScope OneLevel -ldapfilter "(&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))"
Adding or Removing a Replica Server for an Application Partition
You want to add or remove a replica server for an application partition. After you’ve created an application partition, you should make at least one other server a replica server in case the first server fails.

Using a command-line interface

Use the following command to add a replica server for an application partition:
> ntdsutil "dom man" conn "co to se <DomainControllerName>" q "add nc replica <AppPartitionDN> <DomainControllerName>" q q
Use the following command to remove a replica server for an application partition:
> ntdsutil "dom man" conn "co to se <DomainControllerName>" q "remove nc replica <AppPartitionDN> <DomainControllerName>" q q
You can also add a replica using AdMod:
> adfind -partitions -f "(dnsRoot=<PartitionDNSName>)" -dsq | admod msDS-NC-Replica-Locations:+:"cn=ntds settings,cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>"

Using VBScript

' This code adds or removes a replica server for the
' specified application partition
' ------ SCRIPT CONFIGURATION -----
strAppPart = "<AppPartitionFQDN>" ' DNS name of the application partition

' Hostname of server to add as replica for app partition.
' This needs to match the common name for the DC's server object.
strServer = "<DomainControllerName>" ' e.g. dc01

' Set to True to add server as new replica or False to remove
boolAdd = True
' ------ END CONFIGURATION --------

' Constants taken from ADS_PROPERTY_OPERATION_ENUM
const ADS_PROPERTY_APPEND = 3
const ADS_PROPERTY_DELETE = 4

set objRootDSE = GetObject("LDAP://RootDSE")

' ---------------------------------------------------------
' First find the NTDS Settings object for the server
' ---------------------------------------------------------
strBase    = "<LDAP://cn=Sites," & _
             objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=server)(cn=" & strServer & "));"
strAttrs   = "cn,distinguishedName;"
strScope   = "subtree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
if objRS.RecordCount <> 1 then
   WScript.Echo "Did not find a match for server " & strServer
   WScript.Quit
else
   objRS.MoveLast
   strServerDN = "cn=NTDS Settings," & _
                 objRS.Fields("distinguishedName").Value
   ' Make sure the NTDS Settings object actually exists
   set objNTDSDSA = GetObject("LDAP://" & strServerDN)
   Wscript.Echo "Found server: "
   WScript.Echo strServerDN
   Wscript.Echo
end if

' ------------------------------------------------------------------
' Now need to find the crossRef object
' for the application partition
' ------------------------------------------------------------------
strBase = "<LDAP://cn=Partitions," & _
          objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=crossRef)" & _
             "(dnsRoot=" & strAppPart & "));"
strAttrs   = "cn,distinguishedName;"
strScope   = "onelevel"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
if objRS.RecordCount <> 1 then
   WScript.Echo "Did not find a match for application partition " & _
                strAppPart
   WScript.Quit
else
   objRS.MoveLast
   set objAppPart = GetObject("LDAP://" & _
                    objRS.Fields("distinguishedName").Value )
   Wscript.Echo "Found app partition: "
   WScript.Echo objRS.Fields("distinguishedName").Value
   WScript.Echo
end if

' -----------------------------------------------
' Lastly, either add or remove the replica server
' -----------------------------------------------
if boolAdd = TRUE then
   objAppPart.PutEx ADS_PROPERTY_APPEND, "msDS-NC-Replica-Locations", _
                    Array(strServerDN)
   objAppPart.SetInfo
   WScript.Echo "Added server to replica set"
else
   objAppPart.PutEx ADS_PROPERTY_DELETE, "msDS-NC-Replica-Locations", _
                    Array(strServerDN)
   objAppPart.SetInfo
   WScript.Echo "Removed server from replica set"
end if
Finding the Replica Servers for an Application Partition
You want to find the replica servers for an application partition.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the configuration naming context of the forest the application partition is in, if it is not already present in the left pane.
  3. Expand the configuration naming context and click on the Partitions container.
  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.
  5. Under Attributes, select the msDS-NC-Replica-Locations attribute.

Using a command-line interface

> ntdsutil "dom man" conn "co to se <DomainControllerName>" q "list nc replicas <AppPartitionDN>" q q
You can also list replica servers using AdFind:
> adfind -partitions -f "(dnsRoot=<PartitionDNSName>)" dnsRoot msDS-NC-Replica-Locations

Using VBScript

' This code displays the DN of each domain controller's
' nTDSDSA object that is a replica server for the
' specified app partition
' ------ SCRIPT CONFIGURATION ------
' Fully qualified DNS name of app partition
strAppPart = "<AppPartitionFQDN>" ' e.g. apps.adatum.com
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
strBase    = "<LDAP://cn=Partitions," & _
             objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=crossRef)(dnsRoot=" & strAppPart & "));"
strAttrs   = "msDS-NC-Replica-Locations;"
strScope   = "onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
if objRS.RecordCount <> 1 then
   WScript.Echo "Did not find a match for application partition " & _
                strAppPart
   WScript.Quit
else
   objRS.MoveLast
   ' A multivalued attribute with no values is returned as Null
   if IsNull(objRS.Fields("msDS-NC-Replica-Locations").Value) then
      Wscript.Echo "There are no replica servers for app partition " & _
                   strAppPart
   else
      Wscript.Echo "Replica servers for app partition " & strAppPart & ":"
      for each strNTDS in objRS.Fields("msDS-NC-Replica-Locations").Value
         WScript.Echo " " & strNTDS
      next
   end if
end if
Finding the Application Partitions Hosted by a Server
You want to find the application partitions that a particular server is hosting. Before you decommission a server, it is good to check to see if it hosts any application partitions and if so, to add another replica server to replace it.

Using a graphical user interface

  1. Open LDP from the Windows Support tools. (On a Windows Server 2008 DC, LDP is installed by default.)
  2. From the menu, select Connection→Connect.
  3. For Server, enter the name of a DC.
  4. For Port, enter 389.
  5. Click OK.
  6. From the menu, select Connection→Bind.
  7. Enter a user and password with the necessary credentials.
  8. Click OK.
  9. From the menu, select Browse→Search.
  10. For BaseDN, type the DN of the Partitions container (for example, cn=partitions,cn=configuration,dc=adatum,dc=com).
  11. For Filter, enter:
    (&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5)(msDS-NC-Replica-Locations=cn=NTDS Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestDN>))
  12. For Scope, select One Level.
  13. Click the Options button.
  14. For Attributes, type dnsRoot.
  15. Click OK.
  16. Click Run.

Using a command-line interface

Use the following command to find all of the application partitions hosted by a domain controller. To run this command, you need the distinguished name of the forest root domain (<ForestDN>), the common name of the DC’s server object (<DomainControllerName>), and the common name of the site object the server is in (<SiteName>):
> dsquery * "cn=partitions,cn=configuration,<ForestDN>" -scope onelevel -attr dnsRoot -filter "(&(objectcategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5)(msDS-NC-Replica-Locations=cn=NTDS Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestDN>))"
You can also display the application partitions hosted by a particular DC using AdFind:
> adfind -partitions -s onelevel -bit -f "(&(objectcategory=crossRef)(systemFlags:AND:=5)(msDS-NC-Replica-Locations=cn=NTDS Settings,cn=<DomainControllerName>,cn=servers,cn=<SiteName>
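The three recipes above (finding the application partitions in a forest, adding a second replica server, and finding the partitions a particular DC hosts) all rest on two tests that the directory evaluates server-side: the bitwise-AND matching rule on systemFlags (OID 1.2.840.113556.1.4.803, adfind's `:AND:`) and a DN match against msDS-NC-Replica-Locations. The following Python is an added example, not code from the book; it evaluates those same tests locally over a constructed copy of the Partitions container so the value 5 and the DN comparison can be seen working. The systemFlags bit names are from MS-ADTS; the forest, site and DC names are placeholders.

```python
# Added example (not from the Active Directory Cookbook): evaluates the crossRef
# filters used in the recipes over a constructed, in-memory Partitions container.

# systemFlags bits that appear on crossRef objects (MS-ADTS):
FLAG_CR_NTDS_NC = 0x1                 # NC is hosted by NTDS (domain, config, schema, app)
FLAG_CR_NTDS_DOMAIN = 0x2             # NC is a domain naming context
FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4  # NC is not replicated to global catalogs
# The recipes' value 5 = NTDS-hosted and not GC-replicated, i.e. an application partition.
APP_PARTITION_MASK = FLAG_CR_NTDS_NC | FLAG_CR_NTDS_NOT_GC_REPLICATED


def bit_and_match(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (...803): every bit of mask must be set in value."""
    return (value & mask) == mask


def bit_or_match(value, mask):
    """LDAP_MATCHING_RULE_BIT_OR (...804), shown for contrast: with mask 5 it would
    also match domain crossRefs (systemFlags 3), which is why the recipes use AND."""
    return (value & mask) != 0


def ntds_settings_dn(dc_cn, site_cn, forest_dn):
    """DN of a DC's nTDSDSA object, the value stored in msDS-NC-Replica-Locations."""
    return "cn=NTDS Settings,cn=%s,cn=Servers,cn=%s,cn=Sites,cn=Configuration,%s" % (
        dc_cn, site_cn, forest_dn)


def _app_partitions(entries):
    return [e for e in entries
            if e["objectCategory"] == "crossRef"
            and bit_and_match(e["systemFlags"], APP_PARTITION_MASK)]


def application_partitions(entries):
    """dnsRoot of every entry matching (&(objectcategory=crossRef)(systemFlags:...803:=5))."""
    return [e["dnsRoot"] for e in _app_partitions(entries)]


def partitions_hosted_by(entries, dc_cn, site_cn, forest_dn):
    """Application partitions whose replica set names this DC. DNs compare
    case-insensitively, as they do in the directory."""
    wanted = ntds_settings_dn(dc_cn, site_cn, forest_dn).lower()
    return [e["dnsRoot"] for e in _app_partitions(entries)
            if any(r.lower() == wanted for r in e.get("msDS-NC-Replica-Locations", []))]


def partitions_without_redundancy(entries):
    """Pre-decommission check: application partitions with fewer than two replica
    servers, which the recipe says to fix by adding another replica."""
    return [e["dnsRoot"] for e in _app_partitions(entries)
            if len(e.get("msDS-NC-Replica-Locations", [])) < 2]


# Constructed sample data: one domain, two DCs in one site, two application partitions.
FOREST_DN = "dc=adatum,dc=com"
SITE = "Default-First-Site-Name"
DC1 = ntds_settings_dn("DC1", SITE, FOREST_DN)
DC2 = ntds_settings_dn("DC2", SITE, FOREST_DN)
SAMPLE_PARTITIONS = [
    {"cn": "ADATUM", "objectCategory": "crossRef", "systemFlags": 3,
     "dnsRoot": "adatum.com", "nCName": FOREST_DN},
    {"cn": "Enterprise Configuration", "objectCategory": "crossRef", "systemFlags": 1,
     "dnsRoot": "adatum.com", "nCName": "cn=Configuration," + FOREST_DN},
    {"cn": "Enterprise Schema", "objectCategory": "crossRef", "systemFlags": 1,
     "dnsRoot": "adatum.com", "nCName": "cn=Schema,cn=Configuration," + FOREST_DN},
    {"cn": "apps", "objectCategory": "crossRef", "systemFlags": 5,
     "dnsRoot": "apps.adatum.com", "nCName": "dc=apps," + FOREST_DN,
     "msDS-NC-Replica-Locations": [DC1, DC2.upper()]},   # stored case varies; must still match
    {"cn": "DomainDnsZones", "objectCategory": "crossRef", "systemFlags": 5,
     "dnsRoot": "DomainDnsZones.adatum.com", "nCName": "dc=DomainDnsZones," + FOREST_DN,
     "msDS-NC-Replica-Locations": [DC1]},
    # A referral-only crossRef for an external directory carries none of the NTDS bits.
    {"cn": "partner", "objectCategory": "crossRef", "systemFlags": 0,
     "dnsRoot": "partner.example"},
]

if __name__ == "__main__":
    print("Application partitions:", application_partitions(SAMPLE_PARTITIONS))
    print("Hosted by DC2:", partitions_hosted_by(SAMPLE_PARTITIONS, "DC2", SITE, FOREST_DN))
    print("Single replica only:", partitions_without_redundancy(SAMPLE_PARTITIONS))
```

Running it lists only the two crossRefs with systemFlags 5, shows that DC2 hosts just apps.adatum.com, and flags DomainDnsZones as the partition that would be lost if DC1 were decommissioned; `bit_or_match` is there only to show why the OR rule (…804) would wrongly pull in the domain crossRef.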
Verifying Application Partitions Are Instantiated
You want to verify that an application partition is instantiated on a replica server. After you add a domain controller as a replica server for an application partition, the data in the application partition needs to fully replicate to that domain controller before it can be used on that domain controller.

Using a command-line interface

Use the following command to determine if there are any problems with application partitions on a domain controller:
> dcdiag /test:checksdrefdom /test:verifyreplicas /test:crossrefvalidation /s:<DomainControllerName>
These tests are valid only with the Windows Server 2003 and newer versions of dcdiag.
You can also verify the state of a particular application partition by using ntdsutil as follows:
  1. Type “ntdsutil”.
  2. If you are running these commands on a Windows Server 2008 domain controller, type “activate instance ntds”.
  3. Type “domain management” (or just “do ma”) to go to the Domain Management menu.
  4. Type “connections” (or just “co”) to go to the Connections menu.
  5. Type “connect to server <ServerName>.”
  6. Type “q” to return to the Domain Management menu.
  7. Type “list nc replicas <AppPartitionDN>.” (You can shorten “list nc replicas” to just “li nc rep”.)
The dcdiag CheckSDRefDom, VerifyReplicas, and CrossRefValidation tests can help determine if an application partition has been instantiated on a server and if there are any problems with it. Here is the dcdiag help information for those three tests:
CrossRefValidation
This test looks for cross-references that are in some way invalid.
CheckSDRefDom
This test checks that all application directory partitions have appropriate security descriptor reference domains.
VerifyReplicas
This test verifies that all application directory partitions are fully instantiated on all replica servers.
Another way you can check to see if a certain application partition has been instantiated on a domain controller yet is to look at the
Setting the Replication Notification Delay for an Application Partition
Two replication-related settings that you can customize for application partitions (or any naming context for which change notification is enabled) include the first and subsequent replication delay after a change to the partition has been detected. The first replication delay is the time that a domain controller waits before it notifies its first replication partner that there has been a change. The subsequent replication delay is the time that the domain controller waits after it has notified its first replication partner before it will notify its next partner. You may need to customize these settings so that replication happens as quickly as you need it to for data in the application partition.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the configuration naming context of the forest that the application partition is in if a connection is not already present in the left pane.
  3. Expand the configuration naming context and click on the Partitions container.
  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.
  5. Set the msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay attributes to the number of seconds you want for each delay (see for more details).
  6. Click OK.

Using a command-line interface

The Windows Server 2003 and newer versions of repadmin support setting the notification delays:
> repadmin /notifyopt <AppPartitionDN> /first:<FirstDelayInSeconds> /subs:<NextDelayInSeconds>
You can also change both of these parameters using AdMod, as follows:
> admod -b <AppPartitionCrossRefDN> msDS-Replication-Notify-First-DSA-Delay::<FirstDelayInSeconds> msDS-Replication-Notify-Subsequent-DSA-Delay::<NextDelayInSeconds>

Using VBScript

' This code sets the
' replication delay for an application partition
' ------ SCRIPT CONFIGURATION ------
strAppPartDN = "<AppPartitionDN>" ' e.g. dc=apps,dc=adatum,dc=com
intFirstDelay = 
Setting the Reference Domain for an Application Partition
Whenever you create an object in Active Directory, the default security descriptor that’s defined in the schema for the object’s class is applied to the object. This default security descriptor may reference specific groups, such as Domain Admins, but it is not specific to a domain. This makes a lot of sense for domain naming contexts, where the Domain Admins group in question would be the one that’s defined in the domain in question. But for application partitions that don’t contain a Domain Admins group, it is not so straightforward. Which domain’s Domain Admins group do you use? To work around this issue, you can set a default security descriptor reference domain for an application partition by setting the msDS-SDReferenceDomain attribute of the partition’s crossRef object.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.
  3. Expand the Configuration naming context and click on the Partitions container.
  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.
  5. Under Attributes, select the msDS-SDReferenceDomain attribute.
  6. Enter the Distinguished Name for the appropriate domain and click OK.

Using a command-line interface

> ntdsutil "dom man" conn "co to se <DomainControllerName>" q "set nc ref domain <AppPartitionDN> <DomainDN>" q q
You can also set the reference domain using AdMod:
> adfind -partitions -f "(dnsRoot=<PartitionDNSName>)" -dsq | admod msDS-SDReferenceDomain::"<DomainDN>"

Using VBScript

' This code sets the SD
' reference domain for the specified app partition
' ------ SCRIPT CONFIGURATION -----
' DN of reference domain
strRefDomainDN = "<DomainDN>"       ' e.g. dc=emea,dc=adatum,dc=com
' Fully qualified DNS name of app partition
strAppPart = "<AppPartitionFQDN>"   ' e.g. app.adatum.com
' ------ END CONFIGURATION --------

set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://cn=Partitions," & _
          objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=crossRef)(dnsRoot=" & _
             strAppPart & "));"
strAttrs   = "nCName,msDS-SDReferenceDomain,distinguishedName;"
strScope   = "onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
if objRS.RecordCount <> 1 then
   WScript.Echo "Did not find a match for application partition " & _
                strAppPart
   WScript.Quit
else
   objRS.MoveLast
   WScript.Echo "Current Reference Domain: " & _
                objRS.Fields("msDS-SDReferenceDomain").Value
   set objCrossRef = GetObject("LDAP://" & _
                     objRS.Fields("distinguishedName").Value )
   objCrossRef.Put "msDS-SDReferenceDomain", strRefDomainDN
   objCrossRef.SetInfo
   WScript.Echo "New Reference Domain: " & _
                objCrossRef.Get("msDS-SDReferenceDomain")
end if
Delegating Control of Managing an Application Partition
You want to delegate control over the management of an application partition.

Using a graphical user interface

  1. Open ADSI Edit.
  2. Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.
  3. Expand the Configuration naming context and click on the Partitions container.
  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.
  5. Click the Security tab.
  6. Click the Advanced button.
  7. Click the Add button.
  8. Use the object picker to find the user or group you want to delegate control to and click OK.
  9. Click the Properties tab.
  10. Under Allow, check the boxes beside Write msDS-NC-Replica-Locations, Write msDS-SDReferenceDomain, Write msDS-Replication-Notify-First-DSA-Delay, and Write msDS-Replication-Notify-Subsequent-DSA-Delay.
  11. Click OK.

Using a command-line interface

> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-NC-Replica-Locations
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-SDReferenceDomain
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-First-DSA-Delay
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-Subsequent-DSA-Delay
As is the case with most permissions, you should exercise care when delegating the ability to create or modify application partitions. Because application partitions reside within Active Directory, allowing them to be placed indiscriminately or setting the initial and subsequent replication delays too low can bring your network to a grinding halt.

Using VBScript

' This script delegates control over the four key attributes
' of an app partition to the specified user or group.
' ------ SCRIPT CONFIGURATION ------
' Fully qualified DNS name of app partition
strAppPart = "<AppPartitionFQDN>" ' e.g. apps.adatum.com
' User or group to delegate control to
strUser = "<UserOrGroup>" ' e.g. joe@adatum.com or ADATUM\joe
' ------ END CONFIGURATION ---------

'############################
' Constants
'############################

' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED        = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_READ_PROP  = &h10

' schemaIDGUID values
Const REPLICA_LOCATIONS           = "{97de9615-b537-46bc-ac0f-10720f3909f3}"
Const SDREFERENCEDOMAIN           = "{4c51e316-f628-43a5-b06b-ffb695fcb4f3}"
Const NOTIFY_FIRST_DSA_DELAY      = "{85abd4f4-0a89-4e49-bdec-6f35bb2562ba}"
Const NOTIFY_SUBSEQUENT_DSA_DELAY = "{d63db385-dd92-4b52-b1d8-0d3ecc0e86b6}"

'############################
' Find App Partition
'############################

set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://cn=Partitions," & _
          objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=crossRef)(dnsRoot=" & _
             strAppPart & "));"
strAttrs   = "cn,distinguishedName;"
strScope   = "onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
if objRS.RecordCount <> 1 then
   WScript.Echo "Did not find a match for " & strAppPart
   ' Stop here: there is no crossRef whose ACL should be changed
   WScript.Quit
else
   objRS.MoveLast
   set objAppPart = GetObject("LDAP://" & _
                    objRS.Fields("distinguishedName").Value )
end if

'############################
' Create ACL
'############################

set objSD = objAppPart.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Read/Write Property: msDS-NC-Replica-Locations
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee    = strUser
objACE1.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE1.AceFlags   = 0
objACE1.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE1.ObjectType = REPLICA_LOCATIONS

' Read/Write Property: msDS-SDReferenceDomain
set objACE2 = CreateObject("AccessControlEntry")
objACE2.Trustee    = strUser
objACE2.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE2.AceFlags   = 0
objACE2.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE2.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE2.ObjectType = SDREFERENCEDOMAIN

' Read/Write Property: msDS-Replication-Notify-First-DSA-Delay
set objACE3 = CreateObject("AccessControlEntry")
objACE3.Trustee    = strUser
objACE3.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE3.AceFlags   = 0
objACE3.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE3.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.ObjectType = NOTIFY_FIRST_DSA_DELAY

' Read/Write Property: msDS-Replication-Notify-Subsequent-DSA-Delay
set objACE4 = CreateObject("AccessControlEntry")
objACE4.Trustee    = strUser
objACE4.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE4.AceFlags   = 0
objACE4.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE4.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE4.ObjectType = NOTIFY_SUBSEQUENT_DSA_DELAY

objDACL.AddAce objACE1
objDACL.AddAce objACE2
objDACL.AddAce objACE3
objDACL.AddAce objACE4

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objAppPart.Put "ntSecurityDescriptor", objSD
objAppPart.SetInfo
WScript.Echo "Delegated control of " & strAppPart & " to " & strUser
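The recipe grants Read Property and Write Property (dsacls `RPWP`) on exactly four attributes of the crossRef, and the Discussion warns that broader rights on application partitions are dangerous. The following Python is an added example, not the book's code: it audits a DACL, modelled as a list of dictionaries standing in for IADsAccessControlEntry objects, and reports any ACE for the delegated trustee that is unscoped, targets another object type, or carries rights beyond RP/WP, plus any of the four attributes that was left out. The access-mask and ACE-type constants are from ADS_RIGHTS_ENUM and ADS_ACETYPE_ENUM, the schemaIDGUIDs are the ones the recipe's VBScript uses, and the trustee names and sample DACL are constructed.

```python
# Added example (not from the Active Directory Cookbook): audits a crossRef DACL to confirm a
# delegated trustee holds only RP/WP on the four replication-control attributes.

# ADS_RIGHTS_ENUM / ADS_ACETYPE_ENUM / ADS_FLAGTYPE_ENUM values
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_WRITE_DAC = 0x40000            # would let the holder rewrite the ACL itself
ADS_RIGHT_GENERIC_ALL = 0x10000000
ADS_ACETYPE_ACCESS_ALLOWED = 0x0         # applies to the whole object
ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5  # scoped by ObjectType GUID
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1

DELEGATED_MASK = ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP   # dsacls "RPWP"

# schemaIDGUID -> attribute, as in the recipe's VBScript
DELEGATED_ATTRIBUTES = {
    "{97de9615-b537-46bc-ac0f-10720f3909f3}": "msDS-NC-Replica-Locations",
    "{4c51e316-f628-43a5-b06b-ffb695fcb4f3}": "msDS-SDReferenceDomain",
    "{85abd4f4-0a89-4e49-bdec-6f35bb2562ba}": "msDS-Replication-Notify-First-DSA-Delay",
    "{d63db385-dd92-4b52-b1d8-0d3ecc0e86b6}": "msDS-Replication-Notify-Subsequent-DSA-Delay",
}


def build_delegation_aces(trustee):
    """The four object-specific ACEs the recipe adds, one per attribute."""
    return [{"Trustee": trustee, "AccessMask": DELEGATED_MASK, "AceFlags": 0,
             "Flags": ADS_FLAG_OBJECT_TYPE_PRESENT,
             "AceType": ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, "ObjectType": guid}
            for guid in DELEGATED_ATTRIBUTES]


def audit_delegation(dacl, trustee):
    """Findings for the trustee's allow ACEs; an empty list means the delegation is
    exactly the intended four RP/WP grants, nothing more and nothing missing."""
    findings = []
    covered = set()
    for ace in dacl:
        if ace["Trustee"].lower() != trustee.lower():
            continue
        if ace["AceType"] == ADS_ACETYPE_ACCESS_ALLOWED:
            findings.append("unscoped ACE grants mask 0x%x on the whole crossRef"
                            % ace["AccessMask"])
            continue
        if ace["AceType"] != ADS_ACETYPE_ACCESS_ALLOWED_OBJECT:
            continue  # deny ACEs and other types are outside this check
        guid = ace.get("ObjectType", "").lower()
        if not (ace["Flags"] & ADS_FLAG_OBJECT_TYPE_PRESENT) or guid not in DELEGATED_ATTRIBUTES:
            findings.append("object ACE for unexpected object type %r" % ace.get("ObjectType"))
            continue
        extra = ace["AccessMask"] & ~DELEGATED_MASK
        if extra:
            findings.append("extra rights 0x%x on %s" % (extra, DELEGATED_ATTRIBUTES[guid]))
        covered.add(guid)
    for guid, name in DELEGATED_ATTRIBUTES.items():
        if guid not in covered:
            findings.append("no RP/WP grant for %s" % name)
    return findings


# Constructed sample DACL: the intended grants plus one stray unscoped Full Control ACE
# for the same trustee, of the kind a careless click on the Security tab produces.
TRUSTEE = "ADATUM\\apppart-admins"
SAMPLE_DACL = build_delegation_aces(TRUSTEE) + [
    {"Trustee": TRUSTEE, "AccessMask": ADS_RIGHT_GENERIC_ALL, "AceFlags": 0, "Flags": 0,
     "AceType": ADS_ACETYPE_ACCESS_ALLOWED, "ObjectType": ""},
    {"Trustee": "ADATUM\\Domain Admins", "AccessMask": ADS_RIGHT_GENERIC_ALL, "AceFlags": 0,
     "Flags": 0, "AceType": ADS_ACETYPE_ACCESS_ALLOWED, "ObjectType": ""},
]

if __name__ == "__main__":
    for finding in audit_delegation(SAMPLE_DACL, TRUSTEE):
        print("FINDING:", finding)
```

On the sample DACL the four recipe ACEs pass and the audit reports only the stray Full Control ACE; the Domain Admins entry is ignored because the audit is scoped to the delegated trustee.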
Chapter 18: Active Directory Application Mode and Active Directory Lightweight Directory Service
Introduction
Active Directory Application Mode (ADAM) was released in November 2003 on the Microsoft website. ADAM is a lightweight LDAP platform that allows developers and administrators to work with AD objects such as users, groups, and organizational units, without worrying about the overhead of running a full-blown copy of the Active Directory directory service. ADAM can run on Windows XP or Windows 2003 computers, and you can run multiple instances of ADAM on a single machine. Because ADAM runs as a standalone service, you can start, stop, install, or remove ADAM instances without affecting or interfering with any underlying AD infrastructure. ADAM can leverage domain authentication, local machine users and groups, or it can authenticate users based on security principals that you’ve created within ADAM itself. (It’s important to note that these are separate from Active Directory security principals, which cannot be created within an ADAM instance.) ADAM can also be used to replicate data between non-domain-joined computers, such as the configuration of a farm of ISA 2004 servers that are set up as a workgroup.
With the release of Windows Server 2008, along with several other technologies, Microsoft renamed ADAM. The new name for ADAM is Active Directory Lightweight Directory Service (AD LDS). (Except where explicitly mentioned, the names ADAM and AD LDS will be used interchangeably.) The second version of ADAM, ADAM Service Pack 1, was packaged with Windows Server 2003 R2; it contained a number of improvements over the initial release of ADAM, including:
Creating user objects in the Configuration partition
By default, any ADAM user object you create is scoped to only the partition it was created in. By creating user objects in the Configuration partition, you can grant them permissions to resources in any partition within an ADAM instance. This also allows you to configure an ADAM user to administer ADAM, rather than requiring a Windows user to do so.
Installing ADAM/AD LDS
You want to install a new instance of ADAM.

Using a graphical user interface

To install AD LDS on a Windows Server 2008 server, do the following:
  1. Click Start→Server Manager.
  2. Browse to Roles. Click Add Roles. Click Next.
  3. Place a checkmark next to Active Directory Lightweight Directory Services.
  4. Click Next twice, and then click Install.
To install ADAM on a Windows Server 2003 R2 server, do the following:
  1. Click Start→Control Panel→Add/Remove Programs.
  2. Click Add/Remove Windows Components.
  3. Select Active Directory Services, and click Details.
  4. Place a checkmark next to Active Directory Application Mode (ADAM). Click OK and then Next to continue.
  5. If prompted, provide the path to the Windows Server 2003 R2 Disc 2 media.
  6. Click Finish when all files have copied.
To install ADAM on Windows XP or Windows Server 2003, do the following:
  1. Double-click on the ADAM installer. Click Next to begin.
  2. After reading the License Agreement, select the radio button next to “I agree” and click Next.
  3. Click Finish when all files have copied.

Using a command-line interface

To perform a command-line install of AD LDS on Windows Server 2008, use the following syntax:
> servermanagercmd -install adlds
To perform a silent install of ADAM on 2003, R2, or XP, use the following syntax:
> <ADAM Installer File> /q
The /q switch is not supported by the ADAM installer that is included with R2; to perform an unattended install of an ADAM instance on R2, see Recipes and .
At its most basic level, an ADAM installation will simply copy the necessary program files and DLLs to the machine in question without creating an ADAM instance or performing any other configuration steps. This can be useful if you want to include AD LDS as part of a base image that you deploy to your application developers, while allowing them to create their own instances and configuration sets as they see fit. By using the /q switch on the ADAM installation file or using the servermanagercmd
Creating a New ADAM/AD LDS Instance
You want to create a new ADAM/AD LDS instance.

Using a graphical user interface

  1. Click on Start→All Programs→ADAM→Create an ADAM instance. Click Next to begin.
    In Windows Server 2008, you will select Start→Administrative Tools→Active Directory Lightweight Directory Services Setup and then click Next.
  2. Select the radio button next to “A unique instance” and click Next.
  3. Enter the name of the instance and click Next.
  4. Enter the LDAP and SSL port numbers that will be used to access this instance; these default to 50000 and 50001 on a domain controller or any computer that is already listening on the default LDAP port. Otherwise, the LDAP and SSL ports that ADAM/AD LDS chooses during the installation will be 389 and 636.
    If you’ve already installed an ADAM/AD LDS instance on ports 50000 and 50001, the ADAM installer will choose the next two ports available; the second ADAM instance would choose ports 50002 and 50003, then 50004 and 50005, and so on.
  5. Click Next to continue.
  6. Specify whether you want to create an Application Directory Partition for this instance. You can use any partition name that isn’t already being used, such as cn=IntranetApplication,dc=adatum,dc=com. Click Next to continue.
  7. Specify the directory that will house the instance data as well as its data recovery files. These will both default to c:\Program Files\Microsoft ADAM\<instance name>\data. Click Next.
  8. On the Service Account Selection screen, configure the account under whose security context this instance will run. By default, the Network Service Account is selected, or you can click the radio button next to “This account” and specify a different account.
  9. On the ADAM (or AD LDS) administrator’s screen, specify the user or group account that will have administrative rights to this ADAM instance. This defaults to the currently logged-on user, or you can click the radio button next to “This account” and specify a different user or group. Click Next.
Creating a New Replica of an ADAM/AD LDS
You want to create a new replica of an existing ADAM or AD LDS configuration set.

Using a graphical user interface

  1. Click on Start→All Programs→ADAM→Create an ADAM instance. Click Next to begin. (In Windows Server 2008 you will click Start→Administrative Tools→Active Directory Lightweight Directory Services Setup and then click Next.)
  2. Select the radio button next to “A replica of an existing instance” and click Next.
  3. Enter the name of the instance that you want to connect to and click Next.
  4. Enter the LDAP and SSL port numbers that will be used to access this instance; these default to 50000 and 50001 on a domain controller or any computer that is already listening on the default LDAP port. Otherwise, the LDAP and SSL ports that ADAM chooses during the installation will be 389 and 636.
    If you’ve already installed an ADAM instance on ports 50000 and 50001, the ADAM installer will choose the next two ports available; the second ADAM instance would choose ports 50002 and 50003, then 50004 and 50005, and so on.
  5. On the Join a Configuration Set screen, enter the name of a server hosting an existing replica of this instance, and the port number used to connect to it. Click Next to continue.
  6. On the Administrative Credentials for the Configuration Set screen, specify a user or group account that has administrative rights to this ADAM instance. This defaults to the currently logged-on user, or you can click the radio button next to “This account” and specify a different user or group. Click Next.
  7. On the Copy Application Partitions screen, select the application directory partitions that you would like to replicate to the local server. Use the Add, Remove, Select All, and Remove All buttons to select the appropriate partitions. Click Next to continue.
  8. Specify the directory that will house the instance data as well as its data recovery files. These will both default to
Stopping and Starting an ADAM/AD LDS Instance
You want to start or stop an ADAM instance.

Using a graphical user interface

  1. Open the Services MMC snap-in.
  2. Select the name of the ADAM or AD LDS instance that you want to manage.
  3. Right-click on the instance name and select Start, Stop, Pause, Resume, or Restart, as needed.

Using a command-line interface

To stop an ADAM or AD LDS instance, enter the following:
> net stop <instance_name>
To start an ADAM or AD LDS instance, enter the following:
> net start <instance_name>

Using VBScript

' The following code will stop or start an ADAM or AD LDS instance
'---------------- SCRIPT CONFIGURATION ----------------
strComputer = "."
strInstanceName = "<ADAM/AD LDS Instance>" ' ie "ADAM_IntranetApplication"
'-------------------------------------------------------
' Connect to WMI on the target computer
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Locate the Windows service that represents the instance
Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name='" & strInstanceName & "'")

For Each objService in colServiceList
    errReturn = objService.StartService() ' change this method name to
                                          ' .StopService() to stop the
                                          ' ADAM instance.
Next

Using PowerShell

Start-Service "<ADAM/AD LDS Instance>"
Stop-Service "<ADAM/AD LDS Instance>"
When you install an ADAM or AD LDS instance on a computer (regardless of whether it is a new or replica instance), the instance will advertise itself as a typical Windows service with the naming convention of ADAM_<InstanceName>, where <InstanceName> is the name you specified when you installed the instance. If you need to modify the display name of the service after you’ve installed the ADAM instance, you can use the built-in sc utility as follows:
> sc \\<servername> config <servicename> displayname = "<display name>"
for listing the ADAM instances installed on a computer, MSDN: Service-ControllerStatusEnumeration, MSDN: Service Control Utilities [SDK Tools], and Chapter 20 of
Changing the Ports Used by an ADAM/AD LDS Instance
You want to change the LDAP or SSL ports that are being used by a particular ADAM instance.
> dsdbutil
    > activate instance <instancename>
    > LDAP port <port>
    > SSL port <port>
> quit
If you need to change the LDAP and/or SSL port that an instance is using to communicate, you must first stop the instance using one of the methods specified in . Once the instance has stopped, use dsdbutil as shown in .
for more on starting and stopping ADAM/AD LDS instances and Active Directory
Listing the ADAM Instances Installed on a Computer
You want to list all of the ADAM instances installed on a computer.

Using a command-line interface

To list all ADAM instances installed on a computer, enter the following:
> dsdbutil
From the dsdbutil: prompt, enter the following:
> list instances

Using VBScript

' The following code will list all instances whose name begins with
' "ADAM_" on the local computer
'---------------- SCRIPT CONFIGURATION ----------------
strComputer = "."
'------------------------------------------------------
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' In WQL, "_" is a single-character wildcard, so it is written as [_]
' to match the literal ADAM_ prefix only
Set services = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name Like 'ADAM[_]%'")

If services.Count = 0 Then
   Wscript.Echo "No ADAM instances found."
Else
   For Each service in services
       Wscript.Echo service.Name & " -- " & service.State
   Next
End If

Using PowerShell

The following code will list all ADAM/AD LDS instances whose name begins with "ADAM_" on the local computer:
Get-Service -include "ADAM_*"
As we discussed in , a single computer can host multiple ADAM instances running on different ports, each of which will advertise itself as a typical Windows service. In Windows Server 2003, R2, and XP, these services will have a naming convention of ADAM_<InstanceName>, where <InstanceName> is the name that you specified when you installed the instance. (The name of the service will remain the same even if you change the display name or description of the service at a later time, which can make the services.msc snap-in a less-than-desirable option for stopping and starting ADAM instances if you make a habit of renaming them.) By querying for service names that include the string “ADAM” using something like '%ADAM_%' in the WQL query, you can return the ADAM instances that are installed on a local or remote computer. The method discussed in this recipe will not help you, however, if someone has modified the Registry key containing the name of the ADAM instance. Locating ADAM services can be a difficult task if someone in your organization is trying to hide his ADAM instances. One possible solution if you are having difficulty with this type of information gathering would be to perform a port scan on one or more target computers; once you’ve obtained a list of listening ports, you can connect to each one in turn and look for an LDAP response.
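Because the ADAM_ name convention is the only thing the WMI query above keys on, an inventory that also matches on the service binary catches instances whose service name was changed. This is an added example, not the book’s code: it assumes PowerShell 3.0 or later for Get-CimInstance, and that the instance service runs dsamain.exe with a -sn:<instance> argument (verify the binary and argument on your build).

```powershell
# Added example (not from the Active Directory Cookbook): list ADAM/AD LDS
# instances by service name OR by service binary, and flag mismatches.
function Get-AdLdsInstanceInventory {
    [CmdletBinding()]
    param(
        [string]$ComputerName   # omit for the local computer; remote queries use WinRM
    )

    $cimArgs = @{ ClassName = 'Win32_Service' }
    if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }
    $host_ = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    foreach ($svc in (Get-CimInstance @cimArgs)) {
        $path = [string]$svc.PathName

        # Heuristic 1: the directory service binary (assumed: dsamain.exe)
        $byBinary = $path -match '(?i)dsamain\.exe'
        # Heuristic 2: the conventional service name; "_" is literal for -like
        $byName = $svc.Name -like 'ADAM_*'
        if (-not ($byBinary -or $byName)) { continue }

        # Instance name as passed on the service command line (assumed -sn:<name>)
        $instance = $null
        if ($path -match '-sn:(?<inst>[^\s"]+)') { $instance = $Matches['inst'] }

        [pscustomobject]@{
            ComputerName  = $host_
            ServiceName   = $svc.Name
            DisplayName   = $svc.DisplayName
            Instance      = $instance
            State         = $svc.State
            StartMode     = $svc.StartMode
            RunsAs        = $svc.StartName
            MatchedByName = $byName
            MatchedByPath = $byBinary
            # A dsamain.exe service without the ADAM_ name, or an ADAM_ service
            # that does not run dsamain.exe, deserves a closer look.
            Suspicious    = ($byBinary -ne $byName)
        }
    }
}

# Usage:
#   Get-AdLdsInstanceInventory | Format-Table -AutoSize
#   Get-AdLdsInstanceInventory -ComputerName 'ldap01' | Where-Object Suspicious
```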
Extending the ADAM/AD LDS Schema
You want to extend the ADAM/AD LDS Schema with new classes or attributes.

Using a command-line interface

To extend the ADAM/AD LDS Schema from the command line, you’ll need to create an LDIF file containing the necessary schema extensions, and then import it using the LDIFDE command, or use a tool like AdMod to perform the changes. ADAM comes with a number of such LDIF files pre-installed that you can import during the ADAM installation process. If you did not import these files during installation, you can do so after the fact using the following syntax:
> ldifde -i -f <driveletter>:\<pathname>\contact.ldf -s <servername>:<portnumber> -k -j . -c "CN=Schema,CN=Configuration" #schemaNamingContext
The schema that you receive when you install ADAM/AD LDS contains a subset of the classes and attributes that exist in the Active Directory Schema. You have the same ability to extend the schema in ADAM as you do in AD, which means that you can expand and modify the schema to be the same as the AD Schema, or to match any changes made by your third-party or home-grown applications. Because of this, ADAM is a great place to test potential schema modifications that you want to make in Active Directory. Because the schema extension process works the same in both AD and ADAM, and because you can easily install, uninstall, and reinstall ADAM instances, you can use ADAM to quickly test new extensions, tweaking the definitions until you get exactly what you want.
Every instance of ADAM will have at least two partitions: the Configuration partition and the Schema partition; you can create additional application partitions during or after installation, as described in Active Directory. Similar to the Active Directory Schema NC, the ADAM Schema partition contains definitions of classes and attributes that can be used to create objects within a particular ADAM instance. An ADAM Schema is unique to an individual ADAM instance; changes to the schema in one instance will not affect the schema in other, separate instances. ADAM comes with a number of pre-configured LDIF files that you can import to create common object types such as
Managing ADAM/AD LDS Application Partitions
You want to add or remove an application partition to house ADAM data.

Using a graphical user interface

To add an application partition, do the following:
  1. Open ldp.exe from the %windir%\ADAM folder. (LDP is installed by default on a Windows Server 2008 server running the AD LDS role.) Click Connection→Connect to bind to the desired instance, and Connection→Bind to provide credentials to bind to the instance.
  2. Click on Browse→Add child.
  3. For DN, enter a distinguished name for the application partition.
  4. Under “Edit entry,” enter “ObjectClass” in the Attribute box and “container” in the Values box and then click Enter.
  5. Under “Edit entry,” enter “instanceType” for the Attribute and “5” in the Values box, and then click Enter.
  6. Click Run.
To remove an application partition, do the following:
  1. Open ADAM ADSI Edit in Windows Server 2003, R2, or XP; in Windows Server 2008, simply open ADSI Edit. If necessary, create and bind to a connection of your ADAM/AD LDS instance.
  2. Browse to the Partitions container (CN=Partitions). Right-click on the application directory partition that you want to delete, and then click Delete.
  3. Click Yes to confirm.

Using a command-line interface

Use the following sequence of commands to create an ADAM application partition:
> dsmgmt
    > create nc <ApplicationPartitionDN> container <ComputerName>:<PortNumber>
    > quit
> quit
Use the following command to delete an application partition:
> dsmgmt
    > delete nc <ApplicationPartitionDN>
    > quit
> quit

Using VBScript

' This code creates an application partition off of the
' root of the default forest.
' ------ SCRIPT CONFIGURATION ------
strAppPart = "<AppPartitionName>" ' name of the app partition to create
strServer = "<DomainControllerName>" ' DNS name of DC to host app partition
strDescr = "<Description>" ' Descriptive text about the app partition
' ------ END CONFIGURATION --------

' Bind to the forest root domain via RootDSE
set objRootDSE = GetObject("LDAP://" & strServer & "/RootDSE")
set objLDAP = GetObject("LDAP://" & strServer & "/" & _
                        objRootDSE.Get("rootDomainNamingContext") )
' instanceType 5 marks the new object as the head of a writable naming context
set objAppPart = objLDAP.Create("domainDNS", "dc=" & strAppPart)
objAppPart.Put "instancetype", 5
objAppPart.Put "description", strDescr
objAppPart.SetInfo
WScript.Echo "Created application partition: " & strAppPart

' This code deletes the specified application partition
' ------ SCRIPT CONFIGURATION ------
strAppPart = "
Managing ADAM/AD LDS Organizational Units
You want to create or delete OUs within an ADAM or AD LDS instance.

Using a graphical user interface

  1. Open ADAM ADSI Edit. If necessary, create and bind to a connection of your instance.
  2. Right-click on the instance and select New→Object.
  3. Under “Select a class,” click on organizationalUnit and click Next.
  4. For the value of the ou attribute, type AdamUsers and click Next.
  5. Click Finish.
  6. To delete an OU, right-click on the object in question and select Delete.

Using a command-line interface

To create an ADAM OU from the command line, use the following syntax:
> admod -h <ComputerName>:<PortNumber> -b <OU DN> objectClass::organizationalUnit -add
To delete an OU, replace the -add switch with -del in the previous statement.
A useful option in AdFind and AdMod for working with ADAM is the ability to create environment variables to specify long or often-used switches. In this example, it would be quite useful to define an environment variable of adam-h that has a value of <ComputerName>:<PortNumber>; that portion of the command can then be shortened to -e adam. See the AdFind usage screens for more information. If you work with multiple ADAM instances, you can specify multiple environment variables such as adam1-h, adam2-h, and adam3-h and then specify -e adam1, -e adam2, or -e adam3 to access the different instances. You can even specify adamx-u and adamx-up environment variables to specify alternate credentials to connect to the various ADAM instances.

Using VBScript

' The following code will add a new OU to an
' ADAM or AD LDS instance
'---------------- SCRIPT CONFIGURATION ----------------
strComputerName = "<ComputerName>" ' Use "localhost" for the local computer
strPort = "<PortNumber>"           ' the LDAP port number to connect to
strAppPart = "<Application Partition DN>"
'-------------------------------------------------------

' Bind to the application partition that will hold the OU
Set objDomain = GetObject("LDAP://" & strComputerName & _
                          ":" & strPort & "/" & strAppPart)
Set objOU = objDomain.Create("organizationalUnit", "ou=Finance")
objOU.SetInfo

' The following code will delete the OU you just created
objDomain.Delete "organizationalUnit", "ou=Finance"
Managing ADAM Users
You want to create or delete user objects within an ADAM instance.

Using a graphical user interface

  1. Open ADAM ADSI Edit, or ADSI Edit in Windows Server 2008. If necessary, create a connection and bind to the necessary ADAM or AD LDS instance.
  2. Right-click on the container that should house the user and select New→Object.
  3. Under “Select a class,” click on “user” and click Next.
  4. For the value of the cn attribute, type Joe Smith and click Next.
  5. Click Finish.

Using a command-line interface

> admod -h <ComputerName>:<PortNumber> -b <User DN> objectClass::user -add

Using VBScript

' The following code will add a new user to an ADAM instance
'---------------- SCRIPT CONFIGURATION ----------------
strComputerName = "<ComputerName>" ' Use "localhost" for the local computer
strPort = "<PortNumber>"           ' the LDAP port number to connect to
strAppPart = "<Application Partition DN>" ' ie "o=adatum,c=us"
strUserDN = "<UserDN>"             ' RDN of the new user, ie "cn=Joe Smith"
strUPN = "<UserPrincipalName>"     ' ie "joe@adatum.com"
'-------------------------------------------------------

' Bind to the container (here the partition root) that will hold the user
Set objOU = GetObject("LDAP://" & strComputerName & ":" & strPort & _
                      "/" & strAppPart)
Set objUser = objOU.Create("user", strUserDN)
objUser.Put "displayName", strUserDN
objUser.Put "userPrincipalName", strUPN
objUser.SetInfo

Using PowerShell

To create a new ADAM/AD LDS user with the Quest AD cmdlets, use the following syntax:
new-QADUser -service "<Computer Name>:<Port Number>" -name '<User CN>' -parentContainer '<Parent Container DN>' -UserPrincipalName '<User UPN>' -UserPassword "<Password>"
To create a new ADAM/AD LDS user with System.DirectoryServices, use the following:
$objParent = [ADSI] "LDAP://<ComputerName>:<PortNumber>/<Parent Container DN>"
$objUser = $objParent.Create("user", "cn=<User CN>")
$objUser.Put("userPrincipalName", "<UserUPN>")
$objUser.Put("displayName", "<UserFirstName> <UserLastName>")
$objUser.SetInfo()
# The instance must be reached over a protected (SSL or signed and sealed) connection for the password write to succeed
$objUser.Put("userPassword", "<Password>")
$objUser.SetInfo()
Creating users in ADAM or AD LDS is quite similar to creating users in Active Directory. The most significant difference is that ADAM/AD LDS users do not have the
Changing the Password for an ADAM or AD LDS User
You want to change the password for an ADAM or AD LDS user.

Using a graphical user interface

  1. Open LDP from the Windows Support Tools. (In Windows Server 2008, LDP is installed by default on a server that is running the AD DS or AD LDS server roles.)
  2. Click Connection→Connect, and then enter the server name and port number used by your ADAM or AD LDS instance.
  3. Click Options→Connection Options.
  4. In the Option Name drop-down, select LDAP_OPT_SIGN, type “1” in Value, and then click Set.
  5. Select LDAP_OPT_ENCRYPT, type “1” in Value, click Set and then Close.
  6. Click Connection→Bind, and then enter a username and password to bind to the ADAM or AD LDS instance.
  7. Click on View→Tree. Leave the BaseDN value blank and click OK.
  8. Navigate to the DN of the container within the application partition containing the ADAM or AD LDS user in question.
  9. Right-click the CN=<UserName> user object, and then click Modify.
  10. Enter “userpassword” as the attribute to be modified, and then enter the new password under Values.
  11. Click Enter, and then click Run.

Using VBScript

' The following code will set the password for an ADAM user
'---------------- SCRIPT CONFIGURATION -----------------
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SSL               = 2

Const ADS_USE_SIGNING           =  64
Const ADS_USE_SEALING           = 128

Const ADS_OPTION_PASSWORD_PORTNUMBER = 6
Const ADS_OPTION_PASSWORD_METHOD     = 7

Const ADS_PASSWORD_ENCODE_REQUIRE_SSL = 0
Const ADS_PASSWORD_ENCODE_CLEAR       = 1

strComputerName = "<ComputerName>" ' Use "localhost" for the local computer
strPort = "<PortNumber>"           ' the LDAP port number to connect to
intPort = CInt(strPort)
strUserDN = "<UserDN>"

' Sign and seal the LDAP session so the password does not cross the wire in the clear
lngAuth = ADS_USE_SIGNING Or ADS_USE_SEALING Or _
          ADS_SECURE_AUTHENTICATION
'-------------------------------------------------------

' Bind to the user whose password you want to change, passing the
' authentication flags through IADsOpenDSObject
Set objNS = GetObject("LDAP:")
Set objUser = objNS.OpenDSObject _
    ("LDAP://" & strComputerName & ":" & strPort & "/" & strUserDN, _
      vbNullString, vbNullString, lngAuth)

' Set the password for the user.
objUser.SetOption ADS_OPTION_PASSWORD_PORTNUMBER, intPort
objUser.SetOption ADS_OPTION_PASSWORD_METHOD, _
                      ADS_PASSWORD_ENCODE_CLEAR

' In a production script, this should be read in as a script argument
' rather than being embedded in clear-text
' within the script itself
On Error Resume Next ' let the Err check below run instead of aborting
objUser.SetPassword "ADAMComplexPassword1234"

If Err.Number <> 0 Then
    WScript.Echo "Error:     Set password failed with error " _
                             & Hex(Err.Number)
Else
   WScript.Echo "Success:    Password set for user"
   WScript.Echo "            " & objUser.ADsPath
End If
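The same operation from PowerShell with System.DirectoryServices, as an added example that is not part of the book: it takes the password as a SecureString instead of a literal in the script, and binds either over SSL or with LDAP signing and sealing (the AuthenticationTypes counterparts of the ADS_USE_* constants above). Server, port and user DN are placeholders you supply.

```powershell
# Added example (not from the Active Directory Cookbook): set an ADAM/AD LDS
# user's password over a protected channel without embedding it in the script.
function Set-AdLdsUserPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Server,          # e.g. 'ldap01.adatum.com'
        [Parameter(Mandatory=$true)][int]$Port,               # LDAP port, or the SSL port with -UseSsl
        [Parameter(Mandatory=$true)][string]$UserDN,          # e.g. 'cn=Joe Smith,ou=AdamUsers,o=adatum,c=us'
        [Parameter(Mandatory=$true)][securestring]$NewPassword,
        [switch]$UseSsl
    )

    $types = [System.DirectoryServices.AuthenticationTypes]
    # ADAM/AD LDS rejects password changes over an unprotected channel: either
    # bind over SSL, or bind with Windows credentials and require signing and
    # sealing, which is what ADS_USE_SIGNING Or ADS_USE_SEALING does in VBScript.
    if ($UseSsl) {
        $auth = $types::Secure -bor $types::SecureSocketsLayer
    } else {
        $auth = $types::Secure -bor $types::Signing -bor $types::Sealing
    }

    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://${Server}:${Port}/${UserDN}", $null, $null, $auth)

    # Counterparts of ADS_OPTION_PASSWORD_PORTNUMBER and ADS_OPTION_PASSWORD_METHOD
    $entry.Options.PasswordPort = $Port
    if ($UseSsl) {
        $entry.Options.PasswordEncoding = [System.DirectoryServices.PasswordEncodingMethod]::PasswordEncodingSsl
    } else {
        $entry.Options.PasswordEncoding = [System.DirectoryServices.PasswordEncodingMethod]::PasswordEncodingClear
    }

    # Expose the plain text only for the duration of the call, then release it
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $entry.Invoke('SetPassword', $plain)
        Write-Verbose "Password set for $($entry.Path)"
        return $true
    } catch {
        throw "SetPassword failed for ${UserDN}: $($_.Exception.Message)"
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
        $entry.Dispose()
    }
}

# Usage: prompt for the password rather than storing it in the script.
# $pw = Read-Host -AsSecureString 'New password'
# Set-AdLdsUserPassword -Server 'ldap01' -Port 50000 `
#     -UserDN 'cn=Joe Smith,ou=AdamUsers,o=adatum,c=us' -NewPassword $pw -Verbose
```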
Enabling and Disabling an ADAM User
You want to enable or disable an ADAM user object.

Using a graphical user interface

  1. Open ADAM ADSI Edit, or ADSI Edit in Windows Server 2008. If necessary, create and bind to a connection of your ADAM or AD LDS instance.
  2. Navigate to the user in question, right-click, and select Properties.
  3. Scroll to the msDS-UserAccountDisabled attribute and click Edit.
  4. Click True, and then click OK.
  5. To re-enable the ADAM user account, modify the msDS-UserAccountDisabled attribute to have a value of False.

Using a command-line interface

To disable an ADAM user from the command line, enter the following syntax:
> admod -h <ComputerName>:<PortNumber> -b <User DN> msDS-UserAccountDisabled::TRUE
To enable or re-enable a user account, change TRUE to FALSE in the previous command.
When configuring this attribute, TRUE and FALSE are case-sensitive and must be specified using all uppercase letters.

Using VBScript

' The following code will enable
' or disable an ADAM user
'---------------- SCRIPT CONFIGURATION ----------------
strComputerName = "<ComputerName>" ' Use "localhost" for the local computer
strPort = "<PortNumber>"           ' the LDAP port number to connect to
strUserDN = "<UserDN>"
'-------------------------------------------------------

Set objUser = GetObject _
    ("LDAP://" & strComputerName & ":" & strPort & "/" & strUserDN)

' msDS-UserAccountDisabled is a Boolean attribute; set this to True to disable
objUser.Put "msDS-UserAccountDisabled", False
objUser.SetInfo

Using PowerShell

Enable-QADUser -Identity <User DN> -Service "<ComputerName>:<PortNumber>"
Disable-QADUser -Identity <User DN> -Service "<ComputerName>:<PortNumber>"

$objUser = [ADSI] "LDAP://<ComputerName>:<PortNumber>/<UserDN>"
$objUser.Put("msDS-UserAccountDisabled", $false)   # $true disables the account
$objUser.SetInfo()
ADAM or AD LDS users can be enabled or disabled by modifying the msDS-UserAccountDisabled property. A new user will be enabled by default when you first create it, unless the password you’ve assigned to it doesn’t meet the requirements of the password policy in effect on the machine. This restriction doesn’t apply to ADAM instances housed on Windows XP Professional computers: since ADAM support on XP is primarily intended for standalone development tasks rather than hosting enterprise-caliber applications, it doesn’t enforce password policies.
Creating ADAM or AD LDS Groups
You want to create or delete a group object within ADAM.

Using a graphical user interface

  1. Open ADAM ADSI Edit or ADSI Edit on Windows Server 2008. If necessary, create and bind to a connection of your ADAM instance.
  2. Right-click on the instance and select New→Object.
  3. Under “Select a class,” click on group and click Next.
  4. For the value of the cn attribute, type “AdamGroup” and click Next.
  5. Leave the value of the groupType attribute blank to create a security-enabled global group and click Next.
  6. Click Finish.
  7. To delete a group object, right-click on the object in question and select Delete.

Using a command-line interface

To create an ADAM or AD LDS group from the command line, enter the following syntax:
> admod -h <ComputerName>:<PortNumber> -b <Group DN> objectClass::group -add
To delete a group object, change -add to -del in the previous command.

Using VBScript

' The following code will create a group object
'---------------- SCRIPT CONFIGURATION ----------------
strComputerName = "<ComputerName>" ' Use "localhost" for the local computer
strPort = "<PortNumber>"           ' the LDAP port number to connect to
strOUDN = "<OUDN>"                 ' ie "ou=AdamUsers,o=adatum,c=us"
strGroupName = "<GroupName>"       ' ie "cn=FinanceGroup"
'-------------------------------------------------------

' Bind to the OU that will contain the group
Set objOU = GetObject("LDAP://" & strComputerName _
                       & ":" & strPort & "/" & strOUDN)
Set objGroup = objOU.Create("group", strGroupName)
objGroup.SetInfo

' The following code snippet will delete the group you just created
objOU.Delete "group", strGroupName

Using PowerShell

To create a group object using the Quest AD cmdlets, use the following syntax:
new-QADObject -Service "<Computer Name>:<Port Number>" -parentcontainer '<Parent Container DN>' -type 'group' -name 'MarketingGroup'
To create a group using System.DirectoryServices, use the following:
$objParentDN = [ADSI] "LDAP://<ComputerName>:<PortNumber>/<Parent Container DN>"
$objNewGroup = $objParentDN.Create("group", "cn=SalesGroup")
$objNewGroup.SetInfo()
Managing ADAM or AD LDS Group Memberships
You want to manage the groups that an AD, ADAM, or AD LDS user is a member of.

Using a graphical user interface

  1. Open ADAM ADSI Edit or ADSI Edit in Windows Server 2008. Connect and bind to the instance you want to manage.
  2. Navigate to the group in question, right-click, and select Properties.
  3. Scroll to the member attribute and click Edit.
  4. To add a Windows user to the group, click Add Windows Account and enter the name of the Windows account. To add an ADAM or AD LDS user, click Add ADAM Account and enter the DN of the user you wish to add. Repeat this to add additional users.
  5. To remove members, click on the CN of the object you wish to remove, and then click Remove. Repeat this to remove additional users from the group.

Using a command-line interface

To add a Windows user to a group from the command line, enter the following syntax:
> admod -h <ComputerName>:<PortNumber> -b <Group DN> member:+:"<SID=<UserSID>>"
To add multiple users at one time, change + to ++ in the previous command and separate the User DNs with a semicolon.
To remove a single user, change + to - in the previous command.
To remove multiple users, change + to -- in the previous command and separate the User DNs with a semicolon.

Using VBScript

' The following code will modify an
' ADAM or AD LDS group membership
'---------------- SCRIPT CONFIGURATION -----------------
Const ADS_PROPERTY_DELETE = 4
strComputerName = "<ComputerName>" ' Use "localhost" for the local computer
strPort = "<PortNumber>"           ' the LDAP port number to connect to
strGroupDN = "<GroupDN>"       ' ie "cn=FinanceGroup,ou=..."
strUserDN = "<UserDN>"         ' ie "cn=Joe Smith,ou=AdamUsers,o=adatum,c=us"
'------------------------------------------------------------------------

Set objGroup = GetObject _
        ("LDAP://" & strComputerName & ":" & strPort & "/" & strGroupDN)
Set objUser = GetObject _
        ("LDAP://" & strComputerName & ":" & strPort & "/" & strUserDN)

' the following code will add a user object to a group
' (IADsGroup.Add writes to the directory immediately; no SetInfo is needed)
objGroup.Add objUser.AdsPath

' the following code will remove a user object from a group
objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
objGroup.SetInfo

' the following code will enumerate all members of a group
For Each objMember in objGroup.Members
    Wscript.Echo objMember.Name
Next
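The member:+:"<SID=...>" form used in the admod solution is how a Windows account (as opposed to an ADAM user) is placed in an ADAM/AD LDS group. The following is an added example, not the book’s code, that resolves the account to its SID and writes that reference from PowerShell with System.DirectoryServices; server, port, group DN and member names are placeholders, and the account must be resolvable from the machine running the script.

```powershell
# Added example (not from the Active Directory Cookbook): add or remove a group
# member in an ADAM/AD LDS instance, by Windows SID or by ADAM user DN.
function Set-AdLdsGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][int]$Port,
        [Parameter(Mandatory=$true)][string]$GroupDN,   # e.g. 'cn=FinanceGroup,ou=AdamUsers,o=adatum,c=us'
        # A Windows account ('ADATUM\jsmith') when -WindowsAccount is set,
        # otherwise the DN of an ADAM user
        [Parameter(Mandatory=$true)][string]$Member,
        [switch]$WindowsAccount,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add'
    )

    $group = [ADSI]"LDAP://${Server}:${Port}/${GroupDN}"

    if ($WindowsAccount) {
        # Windows principals live in ADAM as foreignSecurityPrincipal objects;
        # writing "<SID=...>" to member lets the instance create/resolve one,
        # exactly as admod's member:+:"<SID=...>" does.
        $sid = ([System.Security.Principal.NTAccount]$Member).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $value = "<SID=$sid>"
    } else {
        $value = $Member
    }

    # Stage the change on the member attribute, then commit it (IADs::SetInfo).
    # Removal passes the same "<SID=...>" or DN value, which the directory resolves.
    switch ($Action) {
        'Add'    { [void]$group.Properties['member'].Add($value) }
        'Remove' { $group.Properties['member'].Remove($value) }
    }
    $group.CommitChanges()
    return $value   # the value written to member, for logging
}

# Usage:
# Set-AdLdsGroupMember -Server 'ldap01' -Port 50000 `
#     -GroupDN 'cn=FinanceGroup,ou=AdamUsers,o=adatum,c=us' -Member 'ADATUM\jsmith' -WindowsAccount
# Set-AdLdsGroupMember -Server 'ldap01' -Port 50000 `
#     -GroupDN 'cn=FinanceGroup,ou=AdamUsers,o=adatum,c=us' -Member 'cn=Joe Smith,ou=AdamUsers,o=adatum,c=us' -Action Remove
```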
Viewing and Modifying ADAM Object Attributes
You want to view the attributes of an object within an ADAM instance.

Using a graphical user interface

  1. Open ADAM ADSI Edit. If necessary, create and bind to a connection of your ADAM instance.
  2. Navigate to the object in question, right-click, and select Properties. To view only the mandatory attributes for an object, remove the checkmark next to “Show optional attributes.” To view only the optional attributes for an object, place a checkmark next to “Show optional attributes” and remove the checkmark next to “Show mandatory attributes.”
  3. Scroll through the object’s properties. To modify a particular property, select the property and select Edit.
  4. To insert a value into a single-valued attribute, enter the value and click OK. To remove a value from a single-valued attribute, click Clear.
  5. To insert one or more values into a multivalued attribute, enter each value and click Add. To remove one or more values from a multivalued attribute, select the value and click Remove.

Using a command-line interface

To view the attributes of an object, enter the following:
> adfind -h <ComputerName>:<PortNumber> -b <Object DN> -s base
To restrict the AdFind output to only a few attributes, specify the name of each attribute you want to view after the ObjectDN; to view multiple attributes, separate each one with spaces in between. You can also use the -excl switch to display all but one or two attributes.
To insert a value into a single-valued attribute, enter the following syntax:
> admod -h <ComputerName>:<PortNumber> -b <Object DN> <AttributeName>::<Value>
To insert multiple values into a multivalued attribute, change + to ++ in the previous command and separate the values with a semicolon.
To clear an attribute’s value (whether a single- or a multivalued attribute), enter the following:
> admod -h <ComputerName>:<PortNumber> -b <Object DN> <AttributeName>:-
To remove a single value from a multivalued attribute, change
Importing Data into an ADAM or AD LDS Instance
You want to perform a bulk import of object data into an ADAM or AD LDS instance.

Using a command-line interface

To import objects using the ldifde utility, you must first create an LDIF file with the objects to add, modify, or delete. Here is an example LDIF file that adds three users to an ADAM or AD LDS application partition:
dn: cn=Joe Smith,cn=users,ou=AdamUsers,o=adatum,c=us
changetype: add
objectClass: user
cn: Joe Smith
name: Joe Smith

dn: cn=Richard Mahler,cn=users,ou=AdamUsers,o=adatum,c=us
changetype: add
objectClass: user
cn: Richard Mahler
name: Richard Mahler

dn: cn=Doug Martin,cn=users,ou=AdamUsers,o=adatum,c=us
changetype: add
objectClass: user
cn: Doug Martin
name: Doug Martin
Once you’ve created the LDIF file, you just need to run ldifde to import the new objects:
> ldifde -i -f c:\import.ldf -s <servername>:<portnumber> -k -j
Be sure to use the most current version of ldifde available.
For more information on the LDIF format, check RFC 2849.

Discussion

To import with ldifde, simply specify the -i switch to turn on import mode and -f <filename> for the file. It can also be beneficial to use the -v switch to turn on verbose mode to get more information in case of errors.
for information on importing data using LDIF files, RFC 2849 (The LDAP Data Interchange Format [LDIF]—Technical Specification), MS KB 237677 (Using LDIFDE to Import and Export Directory Objects to Active Directory), and Chapter 20 of Active Directory
Configuring Intra-site Replication
You want to create a replication schedule for an ADAM or AD LDS application partition that is hosted on multiple computers within a single site.

Using a graphical user interface

  1. In Windows Server 2003 R2, open ADAM ADSI Edit. In Windows Server 2008, open Active Directory Sites and Services. If necessary, create and bind to a connection of your ADAM instance.
    In order to use the AD Sites & Services MMC snap-in to manage AD LDS replication in Windows Server 2008, you must use the MS-ADLDS-DisplaySpecifiers.LDF file to extend the schema of the configuration set that you are managing.
  2. Navigate to the Sites container and the name of the site you need to modify.
  3. Right-click on CN=NTDS Site Settings, and then click Schedule.
  4. Select the block of time that should be available for replication; for every available block of time, you can configure the replication frequency to None, Once per Hour, Twice per Hour, or Four Times per Hour. Click OK when you’re finished.

Discussion

Like Active Directory, ADAM and AD LDS use multimaster replication to copy information between replicas of each member of a configuration set. By default, all ADAM/AD LDS instances that you create will be placed within a single site, Default-First-Site-Name. Similar to AD, ADAM/AD LDS’s intra-site replication takes place through update notifications, where replication partners are notified as changes occur.
MSDN: Active Directory Application Mode Schema [ADAM], MSDN: Using Application Directory Partitions [ADAM], and Chapter 20 of Active Directory
End of content preview. The rest of this section is not viewable here.
Forcing ADAM/AD LDS Replication
Content preview
You want to force immediate replication of an ADAM or AD LDS application partition.

Using a command-line interface

> repadmin /syncall <servername>:<port> <AppPartitionDN>
The repadmin command-line tool that comes with both AD and ADAM is primarily used to display and manage the replication topology of multiple directory servers. But repadmin can do much more, such as allowing you to view object metadata, update Service Principal Names (SPNs), and display information on trust relationships. You can see all of the basic options that are available by typing repadmin /? at a command prompt. Once you’ve familiarized yourself with these switches, you can then start learning about the more advanced features available by typing repadmin /experthelp. repadmin is one of those indispensable tools for an AD or ADAM administrator; it’s well worth the time to learn its ins and outs to help you monitor and troubleshoot your network.
MS KB 229896 (Using Repadmin.exe to Troubleshoot Active Directory Replication), MS KB 905739 (TechNet Support WebCast: Troubleshooting Active Directory replication using the Repadmin tool), and Chapter 20 of Active Directory
End of content preview. The rest of this section is not viewable here.
Managing AD LDS Replication Authentication
Content preview
You want to manage the security of AD LDS replication.

Using a graphical user interface

  1. Open ADSI Edit. Connect and bind to the Configuration container of the AD LDS instance that you wish to manage.
  2. Double-click on Configuration [<ComputerName>:<PortNumber>].
  3. Right-click on CN=Configuration,<ApplicationDN> and click Properties.
  4. Scroll to msDS-ReplAuthenticationMode. Double-click on the attribute and enter one of the following values:
    2
    Mutual authentication with Kerberos
    1
    Negotiated authentication
    0
    Negotiated pass-through authentication

Using a command-line interface

> admod -h <ComputerName>:<PortNumber> -b <ConfigDN> msDS-ReplAuthenticationMode::<AuthenticationMode>

Using VBScript

' The following code will modify the replication authentication mode of a
' configuration set
'---------------- SCRIPT CONFIGURATION ----------------
strComputerName = "<ComputerName>" ' Use "localhost" for the local computer
strPort = "<PortNumber>"           ' the LDAP port number to connect to
strConfigPart = "<Configuration Partition DN>" ' e.g., "cn=configuration,cn=adatum,c=us"
intAuthMode = <AuthenticationMode> ' 0, 1, or 2 (see the values listed above)
'-------------------------------------------------------

' Bind to the configuration partition of the ADAM/AD LDS instance
Set objConfig = GetObject("LDAP://" & strComputerName & ":" & strPort & _
                          "/" & strConfigPart)
' Set the attribute in the local property cache, then write it to the directory
objConfig.Put "msDS-ReplAuthenticationMode", intAuthMode
objConfig.SetInfo

Using PowerShell

set-QADObject -Service <ComputerName>:<PortNumber> -Identity <ConfigDN> `
    -ObjectAttributes @{"msDS-ReplAuthenticationMode"="<AuthenticationMode>"}

$objConfig = [ADSI] "LDAP://<ComputerName>:<PortNumber>/<ConfigDN>"
$objConfig.Put("msDS-ReplAuthenticationMode", "<AuthenticationMode>")
$objConfig.SetInfo()
To ensure replication security, AD LDS will authenticate replication partners within a configuration set before replication begins. The method used for replication authentication will depend on the value of the msDS-ReplAuthenticationMode attribute on the configuration directory partition. After replication partners have successfully authenticated, all replication traffic between the two partners is encrypted. AD LDS uses Security Support Provider Interface (SSPI) to establish the appropriate authentication security level between replication partners, and replication authentication always occurs over a secure channel.
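The check an administrator would want alongside the recipe, as an added example that is not from the book: read msDS-ReplAuthenticationMode from the configuration partition and report whether it is set to the strictest of the three values listed above. The function name, the server name and the port are assumptions.

```powershell
# Added example (not from the book): read the replication authentication mode
# of an AD LDS configuration set and report whether it is the strictest of the
# three values listed in the recipe. Function name and sample arguments are assumptions.
function Get-AdLdsReplAuthMode {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$ConfigDN   # e.g. "cn=configuration,cn=adatum,c=us"
    )
    # The three values the recipe lists for msDS-ReplAuthenticationMode
    $modeNames = @{
        0 = 'Negotiated pass-through authentication'
        1 = 'Negotiated authentication'
        2 = 'Mutual authentication with Kerberos'
    }

    $cfg = [ADSI]"LDAP://${Server}:${Port}/${ConfigDN}"
    # Fail here, not inside the try below, if the bind itself does not work
    $cfg.RefreshCache()

    try {
        $mode = [int]$cfg.Get('msDS-ReplAuthenticationMode')
    } catch {
        # Attribute not present on this partition: report it instead of guessing
        $mode = $null
    }

    $name = '(not set)'
    if ($null -ne $mode) {
        $name = if ($modeNames.ContainsKey($mode)) { $modeNames[$mode] } else { "unknown value $mode" }
    }

    [pscustomobject]@{
        Instance       = "${Server}:${Port}"
        Mode           = $mode
        ModeName       = $name
        # 2 (mutual Kerberos) is the strictest of the listed values; anything else is worth reviewing
        MutualKerberos = ($mode -eq 2)
    }
}

# Constructed sample arguments; replace with your own instance
Get-AdLdsReplAuthMode -Server 'adamsrv1.adatum.com' -Port 50000 `
    -ConfigDN 'cn=configuration,cn=adatum,c=us' | Format-List
```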
End of content preview. The rest of this section is not viewable here.
Managing ADAM/AD LDS Permissions
Content preview
You want to manage permissions within an ADAM instance.

Using a graphical user interface

  1. Open the version of LDP that was installed with ADAM, either ADAM SP1, the ADAM that is installed with Windows Server 2003 R2, or the version of LDP that is installed along with the AD LDS server role in Windows Server 2008.
  2. Connect and bind to the object or container that you wish to modify.
  3. Right-click on the object or container and select Advanced/Security Descriptor. To display and edit auditing information in addition to the Discretionary Access Lists (DACLs) associated with the object, place a checkmark next to SACL.
  4. Click OK.
  5. To delete an Access Control Entry (ACE), highlight the entry and click Delete.
  6. To add an entry, click Add.
  7. In the Trustee text box, enter the name of the user or group object that you wish to apply permissions to. In the ACE mask section, select whether you are creating Allow ACE or Deny ACE.
  8. In the Access mask section, place checkmarks next to the permissions that you are allowing or denying.
  9. Click OK when you are finished.

Using a command-line interface

To view the effective permissions on an ADAM object, use the following syntax:
> dsacls \\<servername>:<port>\<ObjectDN>
To grant permissions on an ADAM object, use the following:
> dsacls "\\<servername>:<port>\<ObjectDN>" /G <User or Group Receiving Permissions>:<Permission Statement>
To deny permissions on an ADAM object, use the following:
> dsacls "\\<servername>:<port>\<ObjectDN>" /D <User or Group Receiving Permissions>:<Permission Statement>
One of the great new features introduced with ADAM SP1 was the version of the LDP utility included with it, which provides you the ability to modify both DACL and SACL entries at an extremely granular level; this feature has been carried over into the version of LDP installed with Windows Server 2008. You also have the familiar dsacls utility that will allow you to delegate permissions from the command line. When delegating permissions, you must first determine whether you are delegating permission over an entire container and all objects contained therein, or whether you are only going to delegate control over specific child objects. (For example, you can delegate control over all ADAM/AD LDS user objects within an OU.) Once you’ve made this determination, you’ll then specify the specific permissions that you’re delegating; you can delegate anything from full control of the entire object down to granting read permissions on a single attribute.
End of content preview. The rest of this section is not viewable here.
Enabling Auditing of AD LDS Access
Content preview
You want to enable auditing of directory access and modifications. Audit events are logged to the Security event log.

Using a graphical user interface

  1. Open the Group Policy Object (GPO) that is linked to the computer(s) hosting the AD LDS instance that you wish to audit.
  2. In the left pane, expand Local Policies and click on Audit Policy.
  3. In the right pane, double-click “Audit directory service access.”
  4. Make sure the box is checked beside “Define these policy settings.”
  5. Check the box beside Success and/or Failure.
  6. Click OK.

Using a command-line interface

> auditpol \\<DomainControllerName> /enable /directory:all
Windows Server 2008 also enables additional auditing functionality of Directory Services events, including capturing "before" and "after" values on changes and deletions to Active Directory objects. You can enable this functionality using the auditpol.exe tool discussed earlier, using syntax similar to the following:
> auditpol /set /subcategory:"directory service changes"
Here is a sample event that was logged after the Administrator account created a user object called foobar in the Sales OU:
Event Type:        Success Audit
Event Source:      Security
Event Category:    Directory Service Access
Event ID:          566
Date:              5/26/2003
Time:              7:24:10 PM
User:              ADATUM\administrator
Computer:          DC1
Description:
Object Operation:
         Object Server:        DS
         Operation Type:       Object Access
         Object Type:          organizationalUnit
         Object Name:          OU=Sales,DC=adatum,DC=com
         Handle ID:            -
         Primary User Name:    DC1$
         Primary Domain:       ADATUM
         Primary Logon ID:     (0x0,0x3E7)
         Client User Name:     administrator
         Client Domain:        ADATUM
         Client Logon ID:      (0x0,0x3B4BE)
         Accesses:             Create Child

         Properties:
         Create Child
         user

         Additional Info:        CN=foobar,OU=Sales,DC=adatum,DC=com
         Additional Info2:       CN=foobar,OU=Sales,DC=adatum,DC=com
         Access Mask:            0x1
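What a defender does with such an event, as an added example that is not from the book: parse the text of a Directory Service Access audit event into an object and flag object creations of security principals by accounts that are not expected to perform them. The function names and the allowed-creator account are assumptions; the sample event is the one shown above, reduced to the fields the parser uses.

```powershell
# Added example (not from the book): turn the text of a Directory Service
# Access audit event like the one above into an object and flag creations of
# security principals by accounts that are not expected to create them.
# Function names and the allowed-creator list are assumptions.
function ConvertFrom-DsAccessEvent {
    param([Parameter(Mandatory)][string]$EventText)
    $fields  = @{}
    $props   = New-Object System.Collections.Generic.List[string]
    $inProps = $false
    foreach ($raw in ($EventText -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^([A-Za-z][A-Za-z0-9 ]*?):\s*(.*)$') {
            # "Key:   value" line; "Properties:" has no value and opens a block
            $key = $Matches[1]; $value = $Matches[2]
            $inProps = ($key -eq 'Properties')
            if ($value) { $fields[$key] = $value }
        } elseif ($inProps) {
            # Lines under Properties: the access type, then the classes/attributes
            $props.Add($line)
        }
    }
    [pscustomobject]@{
        EventId    = [int]$fields['Event ID']
        Client     = '{0}\{1}' -f $fields['Client Domain'], $fields['Client User Name']
        Accesses   = $fields['Accesses']
        ObjectType = $fields['Object Type']
        ObjectName = $fields['Object Name']
        Properties = $props.ToArray()
        TargetDN   = $fields['Additional Info']
    }
}

function Test-UnexpectedCreation {
    param(
        [Parameter(Mandatory)]$Entry,
        # Accounts expected to create principals (constructed sample list)
        [string[]]$AllowedCreators = @('ADATUM\svc-provisioning'),
        [string[]]$WatchedClasses  = @('user', 'group', 'computer')
    )
    if ($Entry.Accesses -ne 'Create Child') { return }
    # The class of the created object is listed under Properties after "Create Child"
    $created = @($Entry.Properties | Where-Object { $WatchedClasses -contains $_ })
    if ($created.Count -eq 0 -or $AllowedCreators -contains $Entry.Client) { return }
    [pscustomobject]@{
        Client   = $Entry.Client
        Created  = ($created -join ',')
        TargetDN = $Entry.TargetDN
        Reason   = 'Create Child of {0} in {1} by an account outside the allowed list' -f ($created -join ','), $Entry.ObjectName
    }
}

# Constructed sample: the event from the recipe above, reduced to the fields used here
$sample = @'
Event Type:        Success Audit
Event Source:      Security
Event Category:    Directory Service Access
Event ID:          566
User:              ADATUM\administrator
Computer:          DC1
Description:
Object Operation:
         Object Type:          organizationalUnit
         Object Name:          OU=Sales,DC=adatum,DC=com
         Client User Name:     administrator
         Client Domain:        ADATUM
         Accesses:             Create Child

         Properties:
         Create Child
         user

         Additional Info:        CN=foobar,OU=Sales,DC=adatum,DC=com
         Access Mask:            0x1
'@

$parsed = ConvertFrom-DsAccessEvent -EventText $sample
$parsed | Format-List
Test-UnexpectedCreation -Entry $parsed | Format-List
```

For the sample above the second command reports ADATUM\administrator creating a user under OU=Sales,DC=adatum,DC=com, because that account is not in the constructed allowed list.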
End of content preview. The rest of this section is not viewable here.
Chapter 19: Active Directory Federation Services
Content preview
Active Directory Federation Services (AD FS) was introduced in Windows Server 2003 R2, and updated for Windows Server 2008. It is used to allow single sign-on (SSO) capabilities to web applications hosted by multiple organizations without the need to configure an Active Directory trust relationship between them. This task is performed by using AD FS servers to separate the process of authentication (proving who a user is) from that of authorization (specifying what a user can do). AD FS allows this separation by configuring account partners to authenticate users and groups, and then providing claims to resource partners that control the actual access to resources.
This relationship between account partners and resource partners is called a federated trust. This verbiage can sometimes lead to confusion, since it seems to imply that AD FS requires an Active Directory trust relationship to exist between account and resource partners. In this case, the word trust merely refers to a business agreement between two organizations that have agreed to this type of distributed authentication and authorization arrangement. A federated trust refers to a scenario in which the AD FS Federation Service has been properly configured by both the organization that performs user authentication and the organization that controls access to web resources.
While an Active Directory trust relationship is not a requirement to configure AD FS, you can, however, combine AD FS with an Active Directory forest trust to create a Federated Web SSO with Forest Trust configuration. This is typically used within a single organization that has one forest configured in a perimeter network or DMZ, and a second forest configured on an internal network. In this case, AD FS allows users on the internal network to be able to access resources on the perimeter network without needing to maintain two separate accounts. The other common AD FS configuration, Federated Web SSO, will be more commonly used by two separate organizations (most notably in a B2B relationship) for whom an Active Directory forest trust would create too much access for users on both sides of the equation or where Selective Authentication would require too much ongoing maintenance.
End of content preview. The rest of this section is not viewable here.
Installing AD FS Prerequisites for Windows Server 2003 R2
Content preview
You want to install the necessary prerequisites to configure AD FS on a Windows Server 2003 R2 server.

Using a graphical user interface

To install IIS on a Windows Server 2003 R2 server, follow these steps:
  1. Click Start→Control Panel→Add or Remove Programs.
  2. Select Add/Remove Windows Components.
  3. Click on the Application Server checkbox and select Details.
  4. Place a checkmark next to ASP.NET and Internet Information Service (IIS), then click OK.
  5. Click Next to begin installing the necessary components, then click Finish.
To enable SSL for the Default Web Site, do the following:
  1. Open the Internet Service Manager snap-in.
  2. Navigate to the server that you want to manage, and click on Web Sites.
  3. Right-click the Default Web site and select Properties.
  4. On the Directory Security tab, select Server Certificate in the Secure Communications section. Click Next to begin the wizard.
  5. Select “Create a new certificate” and click Next.
  6. Select “Prepare the request now, but send it later” and then click Next.
  7. Enter a name for the certificate, and the bit length of the certificate. Select Server Gated Cryptography if your users will be accessing your site from countries that have any sort of encryption restrictions.
  8. Enter your organization name and organizational unit, and then click Next.
  9. Enter the FQDN of the server name and click Next.
  10. Enter your location information, and then click Next.
  11. Enter the path and filename that you want to save the certificate information to, and then click Next to continue.
  12. Click Next to create the certificate request.
Once you have submitted the certificate request to a Certification Authority and have received a .CER file in return, use these steps to install the certificate:
  1. Right-click on the Default Web Site and select Properties.
  2. On the Directory Security tab, click Server Certificate. Click Next to continue.
  3. Select “Process the pending request,” install the certificate, and click Next.
End of content preview. The rest of this section is not viewable here.
Installing AD FS Prerequisites for Windows Server 2008
Content preview
You want to install the necessary prerequisites to configure AD FS on a Windows Server 2008 server.

Using a graphical user interface

To install IIS on a Windows Server 2008 server, follow these steps:
  1. Click Start→Server Manager.
  2. In the lefthand pane, click Roles.
  3. In the righthand pane, click “Add roles” and then click Next.
  4. Place a checkmark next to Web Server (IIS). If prompted, click Add Required Features. Click Next twice.
  5. Place a checkmark next to ASP.NET and Windows Authentication. If prompted, click Add Required Role Services.
  6. Click Next, and then click Install.
  7. When the installation completes, click Close.
To enable SSL for the Default Web Site, do the following:
  1. Open the Internet Information Service (IIS) Manager snap-in.
  2. Drill down to <server name>. In the righthand pane, double-click on Server .
  3. Click on Create Certificate Request. Enter the identifying information for the certificate request. Click Next.
  4. Select the desired Cryptographic Service Provider and Bit length, and then click Next.
  5. Specify a name for the Certificate request and then click Next.
Once you have submitted the certificate request to a Certification Authority and have received a .CER file in return, use these steps to install the certificate:
  1. Navigate to <server name> if you have not done so already. Click “Complete certificate request.”
  2. Browse to the appropriate CER file, and enter the FQDN of the server in the Friendly name field. Click OK.
  3. Browse to Sites→Default Web Site. Right-click on Default Web Site and click Edit Bindings….
  4. Click Add. In the Type: drop-down box, select https. In the IP Address: drop-down box, select the IP address of the server. Confirm that the Port text box reads 443. In the “SSL certificate:” drop-down box, select the SSL certificate that you installed in steps 1 and 2.
  5. Click OK, then click Close.
  6. In the middle pane, double-click on SSL Settings. On the SSL Settings page, place a checkmark next to Require SSL. In the “client certificates:” radio buttons, select Accept. Click Apply.
End of content preview. The rest of this section is not viewable here.
Installing the Federation Service in Windows Server
Content preview
You want to install the AD FS Federation Service on a Windows Server 2003 R2 .
Installing the Federation Service assumes that the server in question is joined to an Active Directory domain.

Using a graphical user interface

  1. Click Start→Control Panel→Add or Remove Programs.
  2. Select Add/Remove Windows Components.
  3. Click on the Active Directory Services checkbox, and select Details.
  4. Click on Active Directory Federation Services (ADFS) and select Details.
  5. Place a checkmark next to Federation Service, then click OK.
  6. If you have not enabled ASP.NET 2.0, you will receive a warning message asking if you want to enable it. Click Yes to continue.
  7. Click OK twice and then Next to begin the installation.
  8. In the token-signing certificate section, select either “Create a self-signed token-signing certificate” or “Select token-signing certificate” to browse for an existing one.
  9. In the Trust policy section, select either “Create a new trust policy” or “Use an existing trust policy” to browse for an existing one.
  10. Click Next and then Finish to complete the installation.

Using a command-line interface

To perform an unattended install of the AD FS Federation Services, you must create an answer file containing a [Components] section, an [ADFS] section, and an [ADFSFederationServer] section, similar to the following:
[Components]
ADFSFederationServer = On

[ADFS]
UseASPNet = 1

[ADFSFederationServer]
SignCertificateThumbprintFS = ""
TrustPolicyPath = "d:\ADFS\TrustPolicies\defaulttrust.xml"
Save the unattended file as unattended.txt, then run the following command:
> sysocmgr /i:sysoc.inf /u:<PathToUnattendedFile>
In an AD FS environment, federation servers are servers that have the Federation Service component installed on them. These servers are responsible for routing authentication requests between the different organizations involved in a federated trust, or from external (i.e., Internet) clients accessing a Web SSO application.
End of content preview. The rest of this section is not viewable here.
Installing the Federation Service on Windows Server 2008
Content preview
You want to install the AD FS Federation Service on a Windows Server 2008 computer.
Installing the Federation Service assumes that the server in question is joined to an Active Directory domain.

Using a graphical user interface

  1. Click Start→Server Manager.
  2. In the lefthand pane, click Roles.
  3. In the righthand pane, click “Add roles” and then click Next.
  4. Place a checkmark next to Active Directory Federation Services. If prompted, click Add Required Features. Click Next twice.
  5. Place a checkmark next to Federation Service.
  6. Click Next. Select an existing token-signing certificate, or select the option to create a self-signed token-signing certificate if you are working in a test environment.
  7. Click Next through the remaining wizard screens, then click Install.
  8. When the installation completes, click Close.

Using a command-line interface

> servermanagercmd -i ADFS-Federation
The functionality of the AD FS Federation Service in Windows Server 2008 is fundamentally identical to the same service running on a 2003 R2 server. To add the AD FS server role in 2008, you will once again use the Server Manager console or the servermanagercmd.exe command-line utility.
and Windows Server Tech Center: AD FS Server Roles
End of content preview. The rest of this section is not viewable here.
Configuring an Active Directory Account Store
Content preview
You want to configure an AD FS account partner to use Active Directory for .

Using a graphical user interface

  1. Open the ADFS MMC snap-in. Navigate to Federation Service→Trust Policy→My Organization.
  2. Right-click on Account Stores. Select New→Account Store… and click Next.
  3. Select Active Directory for the type of account store and then click Next.
  4. Click Finish to add the Active Directory account store.
AD FS account partners rely on account stores to authenticate users and to retrieve whatever security claims are configured for a particular user. You can configure one or multiple account stores for any account partner that you’ve configured, and you can define relative priorities between multiple stores. When you configure an Active Directory account store, AD FS can examine attributes of Active Directory user objects in addition to simply authenticating the user. AD logon requests can be in the UPN format, like jsmith@adatum.com, or in a domain\username format such as ADATUM\jsmith.
If you’ve configured multiple account stores, AD FS will attempt to process incoming authentication requests against each account store in order. You can modify this order by navigating to Federation Service→Trust Policy→My Organization. Right-click on Account Stores and select Store Priority, then use the Up or Down buttons to modify the priority order of the account stores.
You can only configure one Active Directory account store per account partner, but multiple ADAM or AD LDS account stores.
for information on Configuring an ADAM or AD LDS Account Store and MSDN: System.Web.Security.SingleSignOn
End of content preview. The rest of this section is not viewable here.
Configuring an ADAM or AD LDS Account Store
Content preview
You want to configure an AD FS account partner to use an instance of ADAM or AD LDS for authentication.

Using a graphical user interface

  1. Open the ADFS MMC snap-in. Navigate to Federation Service→Trust Policy→My Organization.
  2. Right-click on the Account Stores node, then select New→Account Store…. Click Next to bypass the initial Welcome screen.
  3. Select Active Directory Application Mode (ADAM) for the Account Store Type for Windows Server 2003 R2; in Windows Server 2008, select Active Directory Lightweight Directory Services (AD LDS). Click Next.
  4. Enter a display name and a Uniform Resource Identifier (URI) for the ADAM account store and click Next.
  5. Specify the FQDN or IP address of the ADAM server, and the TCP/IP port that this instance is listening on.
  6. For “LDAP search base distinguished name,” enter the search base that should be used for any LDAP queries made against this ADAM instance; for example, dc=adatum,dc=us.
  7. Enter the name of the ADAM username attribute, i.e., userPrincipalName.
  8. Click Next to continue.
  9. On the Identity Claims page, place a checkmark next to one or more of the :
    UPN
    Enter the LDAP attribute name that stores the UPN.
    Email
    Enter the LDAP attribute name that stores the user’s email address.
    Common name
    Enter the LDAP attribute name that stores the user’s CN.
  10. Click Next and then Finish to enable the account store.
ADAM/AD LDS account stores are configured quite similarly to Active Directory stores; but unlike an AD account store, you can configure multiple ADAM/AD LDS account stores on a given federation server. Configuring an ADAM/AD LDS account store requires the following configuration information:
  • Server name/IP address of a server hosting the ADAM instance.
  • Port number that the instance is using to communicate.
  • LDAP search base, such as dc=IntranetApp,dc=adatum,dc=com.
  • Username attribute, such as userPrincipalName
End of content preview. The rest of this section is not viewable here.
Creating Organizational Claims
Content preview
You want to add a new type of claim that can be used by claims-aware or token-based web applications.

Using a graphical user interface

  1. Open the ADFS MMC snap-in. Navigate to Federation Service→Trust Policy→My Organization.
  2. Right-click on Organization Claims, then select New→Organizational Claim.
  3. Enter a name for the claim, then select Group Claim or Custom Claim and click OK.
  4. To map a Group Claim to an existing group, right-click on the claim that you just created and select Properties. On the Resource Group tab, place a checkmark next to “Map this claim to the following resource group.” Manually enter the DN of the group or use the browse button to select it from the Active Directory tree. Click OK when you’re done.
AD FS claims are the foundation of authentication and authorization in federated applications. Administrators in account partners will configure organizational claims that will be presented by these users when accessing applications that are hosted by resource partners. There are three types of claims that are currently supported by the AD FS Federation Service: identity claims, group claims, and custom claims.
An identity claim refers to some type of identifier that’s used to establish a user’s identity within the account partner organization: this can be a UPN, an E-Mail address, or a Common Name. UPN and E-Mail claims are formatted in the familiar user@adatum.com format, while a Common Name claim is made up of an arbitrary string like Adatum Employees or Joe Smith. For this reason, you should avoid using Common Name claims as identity claims unless UPN or E-Mail claims are unfeasible in your .
Although you can send multiple claim types from an account partner to a resource partner, you can only send one UPN and one E-Mail claim at a time. You can use custom claims if you need to configure additional claim types using E-Mail or UPN information.
End of content preview. The rest of this section is not viewable here.
Creating an Account Partner
Content preview
You want to configure an account partner to allow the organization’s users to access applications that are managed by an AD FS resource partner.

Using a graphical user interface

  1. Open the ADFS MMC snap-in. Navigate to Federation Service→Trust Policy→Partner Organizations.
  2. Right-click on Account Partners, and select New→Account Partner.
  3. To create an account partner manually, click No on the Import Policy File page and click Next.
  4. On the Account Partner Details screen, enter the display name of the account partner, the Federation Service URI (such as http://www.adatum.com/adfs), and the Federation Service endpoint URL (such as https://www.adatum.com/adfs/ls/clientlogon.aspx). Click Next to continue.
  5. On the Account Partner Verification Certificate screen, browse to or manually enter the path to the verification certificate and click Next.
  6. For Federation Scenario, select one of the following:
    Federated Web SSO
    Choose this for a scenario with an external organization or one where you’re not using a forest trust. To use this option, simply click Next to continue.
    Federated Web SSO with Forest Trust
    To configure this option, click Next, then select “All Active Directory domains and forests” to allow users from any domain in the organization to authenticate. To restrict the domains that can submit requests, click on “The following Active Directory domains and forests.” Select the domain or forest that you want to accept logons from and click Add. Click Next to continue.
  7. On the Account Partner Identity Claims screen, select one or more of the following:
    UPN Claim
    This will take you to the Accepted UPN Suffixes page. From here you can select All UPN Suffixes, or else specify a suffix and click Add. Click Next to continue.
    E-Mail Claim
    This will take you to the Accepted E-mail Suffixes page. From here you can select All E-mail Suffixes, or specify an accepted suffix and click Add. Click Next to continue.
End of content preview. The rest of this section is not viewable here.
Configuring a Resource Partner
Content preview
You want to configure a resource partner to allow access to a resource by users defined within an AD FS Federation Service account partner.

Using a graphical user interface

  1. Open the ADFS MMC snap-in. Navigate to Federation Service→Trust Policy→Partner Organizations.
  2. Right-click on Resource Partners, and select New→Resource Partner.
  3. To create a resource partner manually, click No on the Import Policy File page and click Next.
  4. On the Resource Partner Details screen, enter the display name of the resource partner, the Federation Service URI (such as http://www.adatum.com/adfs), and the Federation Service endpoint URL (such as https://www.adatum.com/adfs/ls/clientlogon.aspx). Click Next to continue.
  5. For Federation Scenario, select one of the following:
    Federated Web SSO
    Choose this for a scenario with an external organization or one where you’re not using a forest trust. To use this option, simply click Next to continue.
    Federated Web SSO with Forest Trust
    Use this for federated trusts within the same organization.
  6. Select one or more of the following on the Resource Partner Identity Claims screen:
    UPN Claim
    This will bring up the Select UPN Suffixes screen. From here, either select “Pass all UPN Suffixes through unchanged” or “Replace all UPN suffixes with the following:,” and specify the UPN suffix that you want to replace all incoming suffixes with. Click Next to continue.
    E-Mail Claim
    This will bring up the Select E-Mail Suffixes screen. From here, either select “Pass all E-Mail Suffixes through unchanged” or “Replace all E-Mail Suffixes with the following:,” and specify the email suffix that you want to replace all incoming suffixes with. Click Next to continue.
    Common Name Claim
    This type of claim just denotes a string such as “Joe Smith” or “Adatum.”
End of the content preview. The rest of this section is not viewable here.
Configuring an Application
Content preview
You want to add a claims-based or token-based application to AD FS.

Using a graphical user interface

  1. Open the ADFS MMC Snap-in. Browse to Federation Service→Trust Policy→My Organization.
  2. Right-click on Applications and select New→Application. Click Next to continue.
  3. On the Application Type screen, select either “Claims-aware application” or “Windows NT token-based application” and click Next.
  4. On the “Application details” screen, enter the name of the application and the URL used to access the application. Click Next to continue.
  5. On the Accepted Identity Claims page, place a checkmark next to one or more of the following:
    • UPN
    • E-Mail
    • Common Name (only available with a claims-aware application)
  6. Click Next and then Finish to add the new application.
You can use the AD FS Web Agent for two different types of web applications: claims-aware applications and Windows NT token-based applications. As the names imply, claims-aware applications can make authorization decisions based on claims submitted to them by the AD FS server in the account partner organization, while token-based applications can use only traditional Windows-based authorization mechanisms. Claims-aware applications can use a combination of identity claims, group claims, and custom claims to gain access to applications hosted by the resource partner. Windows NT token-based applications are not capable of handling AD FS claims, and instead use traditional Windows authorization. For a user to access a token-based application, the user needs to have an account in the resource web server’s domain or any domain that is trusted by that domain; in many cases this will be a “shadow account” that maps back to the user’s account in the account partner. In other words, token-based applications are far less flexible and far more limiting than claims-aware applications when used in AD FS implementations.
for more on configuring a claim and for more on configuring the AD FS Web Agent
End of the content preview. The rest of this section is not viewable here.
Configuring a Forest Trust
Content preview
You want to create a forest trust to enable AD FS to use the Web SSO with Forest Trust configuration.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.
  2. In the left pane, right-click the forest root domain and select Properties.
  3. Click on the Trusts tab.
  4. Click the New Trust button.
  5. After the New Trust Wizard opens, click Next.
  6. Type the DNS name of the AD forest and click Next.
  7. Select “Forest trust” and click Next.
  8. Complete the wizard by stepping through the rest of the configuration screens.

Using a command-line interface

> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD
               [/UserD:<Forest2AdminUser> /PasswordD:*]
               [/UserO:<Forest1AdminUser> /PasswordO:*]
For example, to create a two-way forest trust from the AD forest adatum.com to the AD forest othercorp.com, use the following command:
> netdom trust adatum.com /Domain:othercorp.com /Twoway /Transitive /ADD
         /UserD:administrator@othercorp.com /PasswordD:*
         /UserO:administrator@adatum.com /PasswordO:*

Using PowerShell

The following code will create a two-way transitive trust between the local forest and a remote forest named treyresearch.net. This code will need to be mirrored on the opposite side of the trust in order for the trust to be fully functional:
$localFor = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$strRemoteFor = 'treyresearch.net'
$strRemoteUser = 'administrator'
$strRemotePass = 'P@ssw0rd'
# Bind to the remote forest with credentials that are valid there
$remoteCon = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $strRemoteFor, $strRemoteUser, $strRemotePass)
$remoteFor = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteCon)
$trustDirection = 'Bidirectional'
$localFor.CreateTrustRelationship($remoteFor, $trustDirection)
A new type of trust called a forest trust was introduced in Windows Server 2003. Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two Windows 2000 forests with three domains each and wanted to set up a fully trusted model, for example, you would need to set up nine individual one-way trusts.
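Creating a trust is only half of the job; a practitioner also wants to see what trusts a forest already has and how they are constrained. The following is an added example and not code from the book: it uses the same System.DirectoryServices.ActiveDirectory classes as the PowerShell solution above to list every trust held by the local forest, report whether SID filtering and selective authentication are in force on each, and verify the outbound side of the trust where one exists. The function name and output column names are this example's own.

```powershell
# Added example (not from the book). Function and column names are this example's own.
function Get-ForestTrustReport {
    [CmdletBinding()]
    param(
        # Forest to report on; defaults to the forest the script runs in
        [System.DirectoryServices.ActiveDirectory.Forest] $Forest =
            [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    )

    foreach ($trust in $Forest.GetAllTrustRelationships()) {
        $row = [ordered]@{
            Source        = $trust.SourceName
            Target        = $trust.TargetName
            Type          = $trust.TrustType       # Forest, External, Kerberos, ...
            Direction     = $trust.TrustDirection  # Inbound, Outbound, Bidirectional
            SidFiltering  = $null                  # $true: SID history from the other forest is discarded
            SelectiveAuth = $null                  # $true: only explicitly permitted accounts may authenticate
            OutboundOk    = $null                  # result of verifying the trust from this side
            Error         = $null
        }
        try {
            # Both settings live on the local forest's trust objects; no remote credentials needed
            $row.SidFiltering  = $Forest.GetSidFilteringStatus($trust.TargetName)
            $row.SelectiveAuth = $Forest.GetSelectiveAuthenticationStatus($trust.TargetName)

            # Verification needs the outbound half of the trust to exist
            if ($trust.TrustDirection -ne 'Inbound') {
                $Forest.VerifyOutboundTrustRelationship($trust.TargetName)
                $row.OutboundOk = $true
            }
        } catch {
            $row.Error = $_.Exception.Message
            if ($trust.TrustDirection -ne 'Inbound' -and $null -eq $row.OutboundOk) {
                $row.OutboundOk = $false
            }
        }
        [pscustomobject]$row
    }
}

# Example use: print the full table, then call out trusts with either safeguard switched off
$report = Get-ForestTrustReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.SidFiltering -eq $false -or $_.SelectiveAuth -eq $false } |
    ForEach-Object {
        Write-Warning "Trust to $($_.Target): SID filtering=$($_.SidFiltering), selective authentication=$($_.SelectiveAuth)"
    }
```

Run it from an account in the local forest; it needs no credentials for the remote forest because both status queries and the outbound verification are answered by the local forest's domain controllers.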
End of the content preview. The rest of this section is not viewable here.
Configuring an Alternate UPN Suffix
Content preview
You want to modify or add a new UPN suffix for the users in an Active Directory forest.

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.
  2. In the left pane, right-click Active Directory Domains and Trusts and select Properties.
  3. Under Alternate UPN suffixes, type the name of the suffix you want to add.
  4. Click Add and OK.

Using a command-line interface

> admod -config -rb cn=Partitions uPNSuffixes:+:treyresearch.com
The attributeName :+: attributeValue syntax will add an additional value to an existing list of values in a multivalued attribute. Using attributeName::attributeValue would add the value you specify and remove all other values.

Using VBScript

' This code adds a new UPN suffix.
' ------ SCRIPT CONFIGURATION -----
strNewSuffix = "<NewSuffix>" ' e.g. othercorp.com
strDomain = "<DomainDNSName>" ' e.g. adatum.com
' ------ END CONFIGURATION ---------

' ADSI PutEx operation: append to a multivalued attribute
Const ADS_PROPERTY_APPEND = 3

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
' cn=Partitions lives in the forest's configuration naming context
set objPartitions = GetObject("LDAP://cn=Partitions," & _
                              objRootDSE.Get("ConfigurationNamingContext"))
objPartitions.PutEx ADS_PROPERTY_APPEND, "uPNSuffixes", Array(strNewSuffix)
objPartitions.SetInfo

Using PowerShell

# Set-Variable takes the variable name without the leading $
set-variable -name ADS_PROPERTY_APPEND -value 3 -option constant
$strDN = "LDAP://cn=Partitions,cn=Configuration,<ForestDN>"
$strNewSuffix = "<NewSuffix>"
$objPart = [ADSI] $strDN
$objPart.PutEx($ADS_PROPERTY_APPEND, "uPNSuffixes", @($strNewSuffix))
$objPart.SetInfo()
The UPN allows users to log on with a friendly name that may or may not correspond to their email address. Also, UPN logons do not require the domain to be known, so that it can be abstracted away from the user. You may need to create an additional UPN suffix (e.g., @adatum.com) if you want UPNs to map to email addresses, but your AD forest is rooted at a different domain name (e.g., ad.adatum.com) than the domain name used in email addresses (e.g., adatum.com). In the case of AD FS identity claims, only one UPN claim can be used for a given application, so it may also be necessary to configure additional UPN suffixes to meet this requirement as well.
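Because PutEx with ADS_PROPERTY_APPEND blindly adds a value, running the recipe twice leaves a duplicate suffix behind. The following is an added example and not code from the book: it locates cn=Partitions through RootDSE instead of a typed-in forest DN, adds the suffix only if it is not already present, and returns the resulting list so the change can be confirmed. The function name is this example's own, and the suffix in the usage line is a constructed value.

```powershell
# Added example (not from the book). The function name is this example's own.
function Add-UpnSuffixIfMissing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Suffix
    )
    $ADS_PROPERTY_APPEND = 3   # PutEx operation: append to a multivalued attribute

    # cn=Partitions sits in the forest's configuration naming context
    $rootDse    = [ADSI] 'LDAP://RootDSE'
    $configNc   = [string] $rootDse.Properties['configurationNamingContext'].Value
    $partitions = [ADSI] "LDAP://cn=Partitions,$configNc"

    # @() keeps this an array even when the attribute holds zero or one value
    $existing = @($partitions.Properties['uPNSuffixes'])

    # UPN suffixes are DNS names, so the (case-insensitive) -contains is the right comparison
    if ($existing -contains $Suffix) {
        Write-Verbose "Suffix '$Suffix' is already present; nothing to do."
    } elseif ($PSCmdlet.ShouldProcess("cn=Partitions,$configNc", "append '$Suffix' to uPNSuffixes")) {
        $partitions.PutEx($ADS_PROPERTY_APPEND, 'uPNSuffixes', @($Suffix))
        $partitions.SetInfo()
        $partitions.RefreshCache()   # re-read so the returned list reflects the directory
    }
    @($partitions.Properties['uPNSuffixes'])
}

# Example use with a constructed suffix: -WhatIf shows the change without making it
Add-UpnSuffixIfMissing -Suffix 'example.com' -WhatIf -Verbose
```

Run it as a member of Enterprise Admins, since cn=Partitions is in the configuration partition; drop -WhatIf once the output looks right.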
End of the content preview. The rest of this section is not viewable here.
Configuring the AD FS Web Agent
Content preview
You want to install and configure the AD FS Web Agent to allow or deny access to an AD FS-aware web application.

Using a graphical user interface

To install the AD FS Web Agent in Windows Server 2003 R2, do the following:
  1. Click Start→Control Panel→Add or Remove Programs.
  2. Select Add/Remove Windows Components.
  3. Click on the Active Directory Services checkbox, and select Details.
  4. Click on Active Directory Federation Services (ADFS) and select Details.
  5. Place a checkmark next to ADFS Web Agent, and then click OK.
  6. Click OK twice and then Next to begin the installation.
To install the AD FS Web Agent in Windows Server 2008, do the following:
  1. Click on Start→Server Manager. In the lefthand pane, click Roles.
  2. Click Add Roles and then click Next twice to continue.
  3. Place a checkmark next to “Claims-aware agent and/or Windows Token-based Agent.” If prompted, click Add Required Role Services.
    In order to install the Windows Token-based Agent, the web server needs to be a member of an Active Directory domain. The Claims-aware agent does not have this requirement.
  4. Click Next through the remainder of the wizard and then click Install.
  5. When the installation completes, click Close.
To configure a website to use Windows NT token-based authentication, do the following:
  1. Open the Internet Service Manager MMC snap-in.
  2. Right-click on the Web Sites folder and select Properties. On the ADFS Web Agent tab, specify the Federation Service URL, for example, http://www.adatum.com/adfs/service.asmx.
  3. Next, right-click on the specific website you wish to configure and select Properties.
  4. On the ADFS Web Agent tab, place a checkmark next to “Enable the ADFS Web Agent for Windows NT token-based applications.” If needed, specify the cookie path, cookie domain, and the return URL being used by the application.
  5. Click Apply and then OK to save your changes.
    To configure claims-based applications, you’ll need to modify the
End of the content preview. The rest of this section is not viewable here.
Enabling Logging for the AD FS Web Agent
Content preview
You want to enable logging for an application running on a web server in a resource partner’s organization.

Using the registry

To enable auditing for a Windows NT token-based application, create or modify the following Registry keys:
HKLM\System\CurrentControlSet\Control\Lsa\WebSSO\Parameters\DebugLevel
DWORD - "FFFFFFFF"

HKLM\System\CurrentControlSet\Control\Lsa\ifssvc\Parameters\DebugPrintLevel
DWORD - "FFFFFFFF"

HKLM\Software\Microsoft\ADFS\WebServerAgent\DebugPrintLevel
DWORD - "FFFFFFFF"
To modify the auditing level for a claims-based application, you need to modify the appropriate web.config file.

Using VBScript

' The following script creates the necessary DWORD values to
' configure logging for a token-based application
'-------------SCRIPT CONFIGURATION--------------------------
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
'-----------------------------------------------------------

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' 0xFFFFFFFF (all debug flags). Written as a decimal Double because a
' VBScript Long cannot hold values above &H7FFFFFFF; WMI stores it as uint32.
dwValue = 4294967295

strKeyPath = "System\CurrentControlSet\Control\Lsa\WebSSO\Parameters"
strValueName = "DebugLevel"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath   ' no-op if the key already exists
oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue

strKeyPath = "System\CurrentControlSet\Control\Lsa\ifssvc\Parameters"
strValueName = "DebugPrintLevel"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue

strKeyPath = "Software\Microsoft\ADFS\WebServerAgent"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue

Using PowerShell

# "FFFFFFFF" parsed as an Int32 (-1): the registry provider writes DWORDs from
# Int32, and the unsigned value 4294967295 would overflow it
$dwValue = [int]::Parse("FFFFFFFF", "HexNumber")

$strRegPath = "HKLM:\System\CurrentControlSet\Control\Lsa\WebSSO\Parameters"
if (-not (Test-Path $strRegPath)) { New-Item -Path $strRegPath -Force | Out-Null }
New-ItemProperty -Path $strRegPath -Name "DebugLevel" -PropertyType DWORD -Value $dwValue -Force

$strRegPath = "HKLM:\System\CurrentControlSet\Control\Lsa\ifssvc\Parameters"
if (-not (Test-Path $strRegPath)) { New-Item -Path $strRegPath -Force | Out-Null }
New-ItemProperty -Path $strRegPath -Name "DebugPrintLevel" -PropertyType DWORD -Value $dwValue -Force

$strRegPath = "HKLM:\Software\Microsoft\ADFS\WebServerAgent"
if (-not (Test-Path $strRegPath)) { New-Item -Path $strRegPath -Force | Out-Null }
New-ItemProperty -Path $strRegPath -Name "DebugPrintLevel" -PropertyType DWORD -Value $dwValue -Force
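Setting every debug flag produces a large volume of log output that should not be left running on a production web server once the problem is found. The following is an added example and not code from the book: one function that switches all three recipe values on or off in a single call, supports -WhatIf, and reads each value back so the state of the server is visible afterwards. The function name is this example's own; the registry paths are the ones the recipe lists.

```powershell
# Added example (not from the book). The function name is this example's own.
function Set-AdfsWebAgentDebugLogging {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [ValidateSet('On', 'Off')] [string] $State
    )
    # The recipe's "FFFFFFFF" is all 32 flag bits. Parse it as a signed Int32 (-1)
    # because the registry provider writes DWORDs from Int32 and 4294967295 overflows.
    $value = if ($State -eq 'On') { [int]::Parse('FFFFFFFF', 'HexNumber') } else { 0 }

    # The three value locations from the recipe
    $targets = @(
        @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa\WebSSO\Parameters';  Name = 'DebugLevel' }
        @{ Path = 'HKLM:\System\CurrentControlSet\Control\Lsa\ifssvc\Parameters'; Name = 'DebugPrintLevel' }
        @{ Path = 'HKLM:\Software\Microsoft\ADFS\WebServerAgent';                 Name = 'DebugPrintLevel' }
    )

    foreach ($t in $targets) {
        $target = "$($t.Path)\$($t.Name)"
        if ($PSCmdlet.ShouldProcess($target, ('set to 0x{0:X8}' -f $value))) {
            if (-not (Test-Path $t.Path)) { New-Item -Path $t.Path -Force | Out-Null }
            # -Force overwrites an existing value instead of failing, so repeated runs are safe
            New-ItemProperty -Path $t.Path -Name $t.Name -PropertyType DWord -Value $value -Force | Out-Null
        }
        # Read back what is actually stored; $null if the value does not exist (e.g. under -WhatIf)
        $stored = (Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        [pscustomobject]@{
            Key   = $t.Path
            Name  = $t.Name
            Value = if ($null -ne $stored) { '0x{0:X8}' -f $stored } else { '<not set>' }
        }
    }
}

# Example use: enable while troubleshooting, then turn it off again
Set-AdfsWebAgentDebugLogging -State On  -WhatIf
Set-AdfsWebAgentDebugLogging -State Off | Format-Table -AutoSize
```

The function must run in an elevated Windows PowerShell session on the web server itself, since the keys are under HKLM.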
End of the content preview. The rest of this section is not viewable here.
Chapter 20: Microsoft Exchange Server 2007 Server 2003
Content preview
Microsoft Exchange Server is Microsoft’s flagship messaging and collaboration server application. Exchange manages email messages through a proprietary MAPI protocol for rich use with Microsoft Outlook clients as well as the Internet standard protocols of POP3, IMAP4, and SMTP. It is a scalable enterprise solution from gateway to mailbox with expected functionality including backup and recovery, message hygiene, and mailbox management. Several features that have evolved over the years are still present in the latest version, including Outlook Web Access (OWA), Public Folders, cached Exchange mode, and Mobile device synchronization with ActiveSync. Other features have been added or improved significantly for 2007, such as message flow control with transport rules and new message hygiene options.
Exchange has a set of APIs that can be used to integrate custom applications or access specific Exchange data. Exchange can be an important component of a business collaboration system. We are not going to cover every single PowerShell cmdlet or all possible recipes for configuring Exchange Server, but we will introduce a good cross section of common tasks that Exchange implementers or administrators may need to perform their duties.
Even with all the major changes in Exchange Server, one of the mainstays over the last three versions is the use of Windows Active Directory as the Directory Services provider. Exchange 2000 Server was one of the first AD-aware applications. Indeed, AD is partly based on the Exchange directory used in Exchange 5.5 and earlier. Installing Exchange requires first extending the AD schema with Exchange-specific attributes. A successful implementation of Microsoft Exchange Server is therefore dependent on a successful implementation of Active Directory. In addition, Exchange 2007 routing is now based on the AD site topology instead of the separate routing engine present in 2000 and 2003.
This deep integration also means that AD topology design should also consider Exchange messaging requirements. If Exchange 2000 or 2003 is already installed, AD design is still a consideration for migration to Exchange 2007. The AD and Exchange relationship also makes an Exchange chapter a suitable addition to this book.
End of the content preview. The rest of this section is not viewable here.
Exchange Server 2007 Architecture
Content preview
Microsoft has made sweeping changes to Exchange Server with Exchange Server 2007. The whole underlying architecture for the latest version is radically different from 2000/2003 and as a result, so are the mechanisms for deploying and administering Exchange. Exchange no longer relies on Windows Server and Internet Information Services (IIS) for basic SMTP support. Exchange 2007 requires the 64-bit version of Windows Server 2003 or 2008. Exchange 2007 has embraced modularity by separating functionality into different server roles. It is no longer necessary to install the entire application and then lock it down specific to its intended use—mailbox server, bridgehead, etc.
There are five main Exchange 2007 roles to choose from at installation:
  • Client Access Server
  • Mailbox Server
  • Hub Transport Server
  • Unified Messaging Server
  • Edge Transport Server
Only the selected roles are installed. Other installation options include Clustered Mailbox Roles and the Management Console. The Edge Transport role is a special independent role installed on a server that is not a domain member and typically resides in a perimeter network (DMZ). The other roles can share residence on a single server within an Active Directory domain structure or be placed on separate servers or even virtual machines as part of a deployment strategy.
End of the content preview. The rest of this section is not viewable here.
Exchange Administration Tools
Content preview
With the changes in Exchange from 2003 to 2007, a good rule of thumb is to use the Exchange 2003 tools to administer and configure objects on an Exchange 2003 server and use the Exchange 2007 tools to administer and configure objects on an Exchange 2007 server. The tools provided between the two versions are very different.
There are two main GUIs for administering Exchange Server 2003. Exchange configuration is done primarily through the Exchange System Manager (ESM). User and group administration is performed with Active Directory Users and Computers (ADUC), with additional Exchange tabs in object properties. These Exchange 2003 tools both use the Microsoft Management Console and are installed with the Exchange System Management Tools. The Exchange version of the ADUC is installed on machines that have the Exchange System Management tools installed. The ESM is used to configure global exchange settings, connectors, protocols, information store properties, mail policies, message queues, and more.
There really isn’t a fully compatible command-line interface equivalent to the GUIs for Exchange 2003 administration. There are some command-line tools that can be used for a variety of user and group administrative tasks. These include AD tools such as ldifde and csvde, which we covered in .
WMI and Collaboration Data Objects for Exchange Management (CDOEXM) provide interfaces to Exchange Server information and data. VBScript can be used to access this content, especially to automate tasks. ADSI is used to return information from AD, and VBScript can call that interface as well.
PowerShell can be used to call WMI objects, though, which may be used to manage Exchange 2003 configuration. If you are still on Exchange 2003 and starting to use PowerShell, the Get-WMIObject cmdlet can be an alternative for accessing Exchange WMI providers:
Get-WmiObject -ComputerName <Exchange_Server> -Class <Exchange_WMI_Class>
Exchange Server 2007 administration is shared between the Exchange Management Shell (EMS) and the Exchange Management Console (EMC); however, the EMC is built upon the EMS. Every configuration performed in the console has an equivalent command-line entry using the shell. This is a big change from previous versions.
End of the content preview. The rest of this section is not viewable here.
Preparing Active Directory for Exchange
Content preview
You want to prepare your Active Directory forest and domains for the installation of your first Exchange Server.

Using a graphical user interface

The first phase of the installation is ForestPrep and it needs to be run once on the Schema FSMO domain controller:
  1. Log on to the Schema FSMO forest root domain controller with an account that has both Enterprise Admin and Schema Admin rights.
  2. Per your corporate standards, create either a global or a universal group for the initial Exchange administration delegation. Name the group in a descriptive way like ExchangeRootAdmins. See for assistance on creating groups.
  3. Insert the Exchange Server CD into the CD-ROM drive if needed.
  4. On the Start menu, click Run, and type:
    <driveletter>:\setup\i386\setup.exe /forestprep
    where <driveletter> is the drive letter of your CD-ROM drive or installation file location.
    This path may vary for certain versions of Exchange Server such as MSDN or Select versions.
  5. On the Welcome screen, click Next.
  6. On the License Agreement screen, read through the agreement and if you agree, click “I agree” and click Next. Of course, agreement is mandatory for installation to continue.
  7. If the Product Identification screen is presented, enter your Exchange Server product key and click Next.
    This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.
  8. On the Component Selection screen, verify that the action specified is ForestPrep, and click Next.
  9. On the Server Administrator Account screen, enter the group created in step 2 and click Next.
  10. On the Completing the Microsoft Exchange Wizard screen, click Finish.
The second phase is DomainPrep and it needs to be run once for the forest root domain and once for every domain in the forest that will contain mail-enabled objects. Preferably, you will run this process on every domain in the forest. You will want to wait for the schema updates from the
End of the content preview. The rest of this section is not viewable here.
Installing the First Exchange Server in an Organization
Content preview
You want to install the first Exchange Server for a new Exchange organization.

Using a graphical user interface

  1. Install and configure prerequisite services. See for more on these services.
  2. Log on to a server that is a member of an Exchange-enabled domain with an account that is a member of the delegated group in . This account should also be a local administrator of the server.
  3. Go to the Windows Update site and install any critical security patches, or use your organization’s existing patch management solution, such as WSUS. Click on Start→All Programs→Windows Update.
  4. Insert the Exchange Server CD into the CD-ROM drive or point to the file installation source.
  5. On the Start menu, click Run, type <driveletter>:\setup\i386\setup.exe, and click OK. <driveletter> is the drive letter of your CD-ROM drive. The path to setup.exe may vary for certain versions of Exchange Server such as MSDN or Select versions.
  6. On the Welcome screen, click Next.
  7. On the License Agreement screen, read through the agreement and if you agree, click “I agree” and click Next.
  8. If presented, on the Product Identification screen, enter your Exchange Server product key and click Next.
    This screen may not appear for certain versions of Exchange Server, such as the MSDN or Select versions.
  9. On the Component Selection screen in the Action column, verify that the action selected is Typical. Verify the install path is correct for your installation and click Next. It is a common practice to load Exchange onto a drive other than the system drive.
  10. On the Installation Type screen, verify that Create a new Exchange Organization is selected, and click Next.
  11. On the Organization Name screen, enter the name you want for your Exchange organization, and click Next. You can leave the default name of “First Organization” or name it something specific to your installation (e.g., “ADATUMAIL”).
End of the content preview. The rest of this section is not viewable here.
Creating Unattended Installation Files
Content preview
You want to create an unattended installation file for command-line installations and upgrades of Exchange Server.

Using a graphical user interface

  1. Follow the procedures for a standard Exchange Server installation, Exchange Server Management Tools installation (), or Exchange Server service pack installation to the point where you enter the setup or update commands.
  2. Append this option to the run command: /createunattend <driveletter>:\<path>\<filename>.ini. Note that <filename> should be descriptive of the install or update. Examples include:
    • e2k3-unattended-sp2-install.ini
    • e2k3-tools-install.ini
  3. Follow all of the screen prompts of the normal installation or upgrade.
  4. On the Completing the Microsoft Exchange Wizard screen, click Finish.
The unattended installation is in the location specified in the /createunattend option.

Using a command-line interface

Exchange 2007 can be installed in unattended mode simply using the command-line setup options. Some of the Setup.com switches can be listed within a text file that in turn is called by the /AnswerFile parameter. The Setup.com switches that can reside in an unattended installation answer file are EnableLegacyOutlook, LegacyRoutingServer, ServerAdmin, ForeignForestFQDN, OrganizationName, DoNotStartTransport, UpdatesDir, EnableErrorReporting, NoSelfSignedCertificates, AdamLdapPort, and AdamSslPort. These switches are listed in a text file without the leading slash and saved as a text file such as UnattendParams.txt.
Setup.com references the answer file as follows:
Setup.com /Mode:Install /Roles:Mailbox /AnswerFile:C:\UnattendParams.txt
Using unattended installation is a great way to install Exchange on many servers, deploy the Exchange tools to many admin workstations, update service packs for Exchange on many servers, or maintain consistency in installation configurations.
The basic process in Exchange 2003 is simply to add the
End of the content preview. The rest of this section is not viewable here.
Installing Exchange Management Tools
Content preview
You want to install Exchange Management Tools onto a workstation or server that isn’t running Exchange.

Using a graphical user interface

  1. Install and configure prerequisite services. See for the list of these services.
  2. Go to the Windows Update site and install any critical security patches.
  3. Load the Exchange Server CD into your CD-ROM drive or point to the installation source file location.
  4. On the Start menu, click Run and then type “<driveletter>:\setup\i386\setup.exe” and click OK. <driveletter> is the drive letter of your CD-ROM drive or network share. This path may vary for certain versions of Exchange Server such as MSDN or Select versions.
  5. On the Welcome screen, click Next.
  6. On the License Agreement screen, read through the agreement and if you agree, select “I agree” and click Next.
  7. If the Product Identification screen is presented, enter your Exchange Server product key and click Next.
    This screen may not appear for certain versions of Exchange Server such as the MSDN or Select versions.
  8. On the Component Selection screen, select Custom in the top row of the Action column. Next to Microsoft Exchange System Management Tools, select Install. Verify that the install path is correct for your installation and click Next.
  9. Review the Installation Summary screen and click Next.
  10. On the Completing the Microsoft Exchange Wizard screen, click Finish.
  11. Download and install the latest Exchange 2003 service pack. As of the time of this writing, it is Service Pack 2.

Using a command-line interface

Any Exchange Management Tools installations can be handled through the command line with the unattended installation process. You will need to generate and use the appropriate unattended install INI file. See for more on creating an INI file.
Once you have an unattended file, use the following command to install:
> <driveletter>:\setup\i386\setup.exe /unattendfile 
End of the content preview. The rest of this section is not viewable here.
Stopping and Starting Exchange Server
Content preview
You want to stop or start Exchange Server.
Stopping and starting Exchange consists of stopping and starting the Exchange-related services through the Services MMC snap-in or the net stop/net start command-line utilities. See for the list of Exchange services.

Using a graphical user interface

  1. Open the Computer Management MMC snap-in (compmgmt.msc).
  2. Navigate to Services.
  3. Scroll to and select the service that you wish to manage.
  4. Click Stop, Start, or Restart.

Using a command-line interface

The following command will stop a service:
> net stop <ServiceName>
The following command will start a service:
> net start <ServiceName>
The following will stop and start a service in a single command:
> net stop <ServiceName> && net start <ServiceName>
Net start and stop commands can easily be assembled in a batch file (.bat) as well. Calling the .bat file from the command line may be easier than waiting for individual net start or net stop commands.

Using VBScript

'-------------SCRIPT CONFIGURATION----------------------
strComputer = "<ComputerName>"
strServiceName = "<ServiceName>"
'-------------------------------------------------------

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer _
    & "\root\cimv2")

Set colServiceList = objWMIService.ExecQuery _
    ("Select * from Win32_Service where Name='" & strServiceName _
    & "'")

' Use one of the two loops below, depending on the action you want.

' The following code will start a service
For Each objService in colServiceList
    errReturn = objService.StartService()
Next

' The following code will stop a service
For Each objService in colServiceList
    errReturn = objService.StopService()
Next

Using PowerShell

Stopping and starting Exchange 2007 services is a little easier because almost every service has the term “exchange” in its name. The Microsoft Speech Engine required for Unified Messaging and the Edge Credential Service used by an Edge Transport Server are the only ones that are not captured by these scripts.
For a list of all of the services on the server with exchange in their display name:
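The following is an added example and not the book's own listing: it builds on the display-name match described above to list the Exchange services on a server and to restart those that are running in one controlled pass, returning the before and after state so a failed restart is visible. The function names are this example's own, and it assumes Windows PowerShell, where Get-Service accepts -ComputerName.

```powershell
# Added example (not from the book). Function names are this example's own;
# assumes Windows PowerShell (Get-Service -ComputerName).
function Get-ExchangeServiceState {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # Almost every Exchange 2007 service carries "exchange" in its display name
    Get-Service -ComputerName $ComputerName |
        Where-Object { $_.DisplayName -like '*exchange*' } |
        Select-Object Name, DisplayName, Status, StartType
}

function Restart-ExchangeServices {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $ComputerName = $env:COMPUTERNAME)

    $before = Get-ExchangeServiceState -ComputerName $ComputerName
    # Only restart what is running; a stopped service may be stopped on purpose
    $running = Get-Service -ComputerName $ComputerName |
        Where-Object { $_.DisplayName -like '*exchange*' -and $_.Status -eq 'Running' }

    foreach ($svc in $running) {
        if ($PSCmdlet.ShouldProcess("$ComputerName\$($svc.Name)", 'Restart')) {
            # -Force also restarts services that depend on this one, as net stop would ask to do
            Restart-Service -InputObject $svc -Force -ErrorAction Continue
        }
    }

    $after = Get-ExchangeServiceState -ComputerName $ComputerName
    # Pair each service's earlier status with its current one so regressions stand out
    foreach ($svc in $after) {
        [pscustomobject]@{
            Name   = $svc.Name
            Before = ($before | Where-Object Name -eq $svc.Name).Status
            After  = $svc.Status
        }
    }
}

# Example use: preview first, then restart and review the status table
Restart-ExchangeServices -WhatIf
Restart-ExchangeServices | Format-Table -AutoSize
```

As the text notes, the Microsoft Speech Engine and the Edge Credential Service do not match the display-name filter and must be handled separately.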
End of the content preview. The rest of this section is not viewable here.
Mail-Enabling a User
Content preview
You want to mail-enable an existing user.

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
    This needs to be run on a workstation or server that has the Exchange Management Tools loaded (see ).
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the user, right-click on the user, and select Exchange Tasks.
  4. On the Welcome screen, click Next.
  5. Select Establish E-mail Address and click Next.
  6. Verify the mail alias is what you want.
  7. Click Modify, select external email address type (generally SMTP Address), click OK, enter an external email address, and click OK.
    There is an Advanced tab on the Internet Address Properties screen. On this tab, you have the option to override the default handling of email sent to this recipient (e.g., you can force all email to be delivered as HTML or plain text, etc.).
  8. On the Completion screen, click Finish.

Using a command-line interface

> exchmbx -b "<User DN>" -me <smtp email address>
Replace <User DN> with the user’s distinguished name and <smtp email address> with the user’s external email address.
To mail-enable the user joe with the email address joe@zimbra.adatum.com, execute the following command. The command should be contained on one line:
> exchmbx -b "cn=joe,cn=users,dc=adatum,dc=com" -me joe@zimbra.adatum.com
For an alternative Microsoft-native tool method, create an LDIF file called mailenable_user.ldf with the following contents:
dn: <User DN>
changetype: modify
replace: targetAddress
targetAddress: SMTP:<smtp email address>
-
replace: mailNickname
mailNickname: <mail nickname>
-
replace: mAPIRecipient
mAPIRecipient: FALSE
-
replace: legacyExchangeDN
legacyExchangeDN: <legacy exchange DN>
-
replace: internetEncoding
internetEncoding: 1310720
-
Replace
End of content preview. The rest of this section is not viewable here.
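Every mail-enabled user created as above has a targetAddress of SMTP:<external address>, which means all mail for that object leaves the organization; an altRecipient does the same by redirection. The audit a practitioner wants after running this recipe is a list of which accounts deliver outside the accepted domains, so it can be compared with what was approved. The following is an added PowerShell example, not code from the book: it queries Active Directory directly through System.DirectoryServices (no Exchange tools needed) and flags every user whose targetAddress domain is not in `$internalDomains`. It assumes a domain-joined machine, a caller who can read the domain, PowerShell 2.0 or later for the `New-Object -Property` syntax, and that `$internalDomains` (a placeholder value here) is replaced with your own accepted domains.

```powershell
# Placeholder (assumption): SMTP domains that count as internal.
$internalDomains = @("adatum.com")

function Get-Prop($result, [string]$name) {
    # Safe read of a single-valued attribute from a SearchResult; "" if absent.
    $v = $result.Properties[$name]
    if ($v -ne $null -and $v.Count -gt 0) { return [string]$v[0] }
    return ""
}

function Get-ExternalTargetAddress {
    param([string[]]$InternalDomains = $internalDomains)
    $root = [ADSI]""        # defaultNamingContext of the current domain
    $ds = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Only users that route mail elsewhere: targetAddress (mail-enabled) or altRecipient (redirect).
    $ds.Filter = "(&(objectCategory=person)(objectClass=user)(|(targetAddress=*)(altRecipient=*)))"
    $ds.PageSize = 500      # paged search, so the whole domain is returned, not the first 1000
    foreach ($a in "distinguishedName", "targetAddress", "altRecipient", "mailNickname") {
        [void]$ds.PropertiesToLoad.Add($a)
    }
    foreach ($r in $ds.FindAll()) {
        $target = Get-Prop $r "targetaddress"
        $alt    = Get-Prop $r "altrecipient"
        $domain = ""
        if ($target -match '^smtp:[^@]+@(.+)$') { $domain = $matches[1].ToLower() }
        $external = ($domain -ne "" -and -not ($InternalDomains -contains $domain))
        New-Object PSObject -Property @{
            DN            = Get-Prop $r "distinguishedname"
            Alias         = Get-Prop $r "mailnickname"
            TargetAddress = $target
            TargetDomain  = $domain
            AltRecipient  = $alt
            External      = $external
        }
    }
}

# Report accounts that deliver outside the listed domains or redirect to another recipient.
Get-ExternalTargetAddress |
    Where-Object { $_.External -or $_.AltRecipient -ne "" } |
    Sort-Object TargetDomain |
    Format-Table Alias, TargetAddress, AltRecipient, DN -AutoSize
```

Pipe the output to `Export-Csv` instead of `Format-Table` to keep a dated baseline; the interesting findings on later runs are the rows that were not in the previous file.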
Mail-Disabling a User
Content preview
You want to mail-disable a user.

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
    This needs to be run on a workstation or server that has the Exchange Management Tools loaded (see ).
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the user, right-click on the user, and select Exchange Tasks.
  4. On the Welcome screen, click Next.
  5. Select Remove Exchange Attributes and click Next.
  6. Read the warning and click Next.
  7. On the Completion screen, click Finish.

Using a command-line interface

> exchmbx -b "<User DN>" -clear
Replace <User DN> with the user’s distinguished name.
For an alternative Microsoft-native tool method, create an LDIF file called clearmailattribs.ldf with the following contents:
dn: <UserDN>
changetype: modify
# A replace with no value lines clears the attribute
replace: altRecipient
-
replace: authOrig
-
...<SEE DISCUSSION, NOT A COMPLETE LDIF FILE>
...
Replace <UserDN> with the user’s distinguished name. Note that this is not a complete LDIF file, as there are many attributes that must be cleared; see for further details. Once you’ve created the LDIF file, run the following command:
> ldifde -i -f clearmailattribs.ldf

Using VBScript

' This code mail-disables a user.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"   ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
' ------ END CONFIGURATION ---------

' MailDisable is a CDOEXM method exposed on the ADSI user object, so this
' must run where the Exchange System Management Tools are installed.
set objUser = GetObject("LDAP://" & strUserDN)
objUser.MailDisable
objUser.SetInfo()
Wscript.Echo "Successfully mail-disabled user."

Using a graphical user interface

  1. Open the EMC by clicking Start→All Programs→Microsoft Exchange Server 2007→Exchange Management Console.
  2. Navigate to the Recipient Configuration container and select Mail Contact. (You can use either the Recipient Configuration list or the Mail Contact list.)
  3. Select the user to mail-disable.
End of content preview. The rest of this section is not viewable here.
Mailbox-Enabling a User
Content preview
You want to create a mailbox for a user. This is also known as mailbox-enabling a user.

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
    This needs to be run on a workstation or server that has the Exchange Management Tools loaded (see ).
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the user, right-click on the user, and select Exchange Tasks.
  4. On the Welcome screen, click Next.
  5. Select Create Mailbox and click Next.
  6. Verify the mail alias is what you want, select the server you want the mailbox on, select which store you want the mailbox in, and click Next.
  7. On the Completion screen, click Finish.

Using a command-line interface

> exchmbx -b "<UserDN>" -cr "<server>:<storage group>:<mail store>"
Or alternatively, run the following command:
> exchmbx -b <UserDN> -cr "<Home MDB URL>"
To mailbox-enable the user joe with a mailbox on Exchange Server SRV1, storage group SG1, and mailbox store DB1, execute the following command:
> exchmbx -b "cn=joe,cn=users,dc=adatum,dc=com" -cr "srv1:sg1:db1"
It is recommended that you keep your storage group and mailbox store names short, simple, and space-free. Spaces are troublesome to deal with at the command prompt and have caused many administrators unneeded grief. If you do not use spaces or other special characters, you can dispense with the quotes in all of the command-line examples.
Replace <UserDN> with the user’s distinguished name, <server> with the Exchange server name, <storage group> with the storage group, <mail store> with the mail store, and <Home MDB URL> with the full homeMDB URL for the desired mailbox store.

Using VBScript

' This code creates a mailbox for a user.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "
End of content preview. The rest of this section is not viewable here.
Deleting a User’s Mailbox
Content preview
You want to delete a user’s mailbox. This is also known as mailbox-disabling a user.

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
    This needs to be run on a workstation or server that has the Exchange Management Tools loaded (see ).
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the user, right-click on the user, and select Exchange Tasks.
  4. On the Welcome screen, click Next.
  5. Select Remove Exchange Attributes and click Next.
  6. Read the warning and click Next.
  7. On the Completion screen, click Finish.

Using a command-line interface

See the command-line example for .

Using VBScript

' This code deletes a user's mailbox (mailbox-disables the user).
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
' ------ END CONFIGURATION --------

' DeleteMailbox is a CDOEXM method, so this must run where the Exchange
' System Management Tools are installed.
set objUser = GetObject("LDAP://" & strUserDN)
objUser.DeleteMailbox
objUser.SetInfo()
Wscript.Echo "Successfully deleted user's mailbox."

Using a graphical user interface

  1. Open the EMC by clicking Start→All Programs→Microsoft Exchange Server 2007→Exchange Management Console.
  2. Navigate to the Recipient Configuration container and select Mailbox. (You can use either the Recipient Configuration list or the Mailbox list.)
  3. Select the user to mailbox-disable.
  4. Click Disable in the Action pane to remove the Exchange properties from the existing user.
  5. Select Yes to confirm.
This process disconnects the mailbox from the user object by removing the Exchange-specific attributes. In the EMC action pane, there is the option to Disable and also Remove. The latter will disconnect the mailbox and also delete the user from AD.

Using PowerShell

Disable-Mailbox -Identity <User_ID_Parameter>
A basic example might be:
Disable-Mailbox ray@adatum.com
It really is that easy. As with the other cmdlets, the
End of content preview. The rest of this section is not viewable here.
Moving a Mailbox
Content preview
You want to move a mailbox to a new database, storage group, or server.

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
    This needs to be run on a workstation or server that has the Exchange Management Tools loaded (see ).
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the user, right-click on the user, and select Exchange Tasks.
  4. On the Welcome screen, click Next.
  5. Select Move Mailbox and click Next.
  6. Select new values for Server and Mailbox Store and click Next.
  7. Select how you want to handle corrupted messages and click Next.
  8. Specify when to start processing the move task and click Next.
  9. When the Completed screen is shown, click Finish. If there are errors, select the View Detailed Report checkbox to get a failure report.

Using a command-line interface

> exchmbx -b <UserDN> -move "<server>:<storage group>:<mail store>"
Or alternatively, run the following command:
> exchmbx -b <UserDN> -move "<Home MDB URL>"
Replace <UserDN> with the user’s distinguished name, <server> with the Exchange server name, <storage group> with the storage group, <mail store> with the mail store, and <Home MDB URL> with the full homeMDB URL for the desired mailbox store.
To move an existing mailbox for the user joe to Exchange server Srv1, Storage group SG1, and mailbox store DB1, execute the following command.
> exchmbx -b "cn=joe,cn=users,dc=adatum,dc=com" -move "srv1:sg1:db1"

Using VBScript

' This code moves a mailbox.
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=jsmith,cn=Users,dc=adatum,dc=com
strServer = "<Exchange Server>"           ' e.g. Srv1
strSGName = "<Storage Group Name>"        ' e.g. SG1
strMailStoreName = "<MailBox Store Name>" ' e.g. DB1
' ------ END CONFIGURATION --------

' Find the Storage Group URL and generate the Mailbox Store URL.
' StorageGroups returns the DN of each storage group on the server;
' the instr() compare argument 1 makes the match case-insensitive.
strSearch = "cn=" & strSGName & ","
set objSrv = CreateObject("CDOEXM.ExchangeServer")
objSrv.DataSource.Open strServer
strSGUrl = ""
for each strSg in objSrv.StorageGroups
   if (instr(1,strSg,strSearch,1)>0) then
      strSGUrl = strSg
      exit for
   end if
next
' Stop rather than build a bogus URL when the storage group does not exist
if strSGUrl = "" then
   Wscript.Echo "Storage group " & strSGName & " not found on " & strServer
   Wscript.Quit 1
end if
strMBUrl = "LDAP://cn=" & strMailStoreName & "," & strSGUrl

' Attach to user and move mailbox
set objUser = GetObject("LDAP://" & strUserDN)
objUser.MoveMailbox(strMBUrl)
Wscript.Echo "Successfully moved mailbox."
End of content preview. The rest of this section is not viewable here.
Viewing Mailbox Sizes and Message Counts
Content preview
You want to view the sizes and message counts of all mailboxes on a server.

Using a graphical user interface

  1. Open the Exchange System Manager (ESM) snap-in.
  2. In the left pane, browse to the mailboxes container of the server, storage group, and database you want to view mailboxes in.
  3. In the right pane, scroll down through the list of mailboxes, noting the Size and Total Items columns.

Using VBScript

' This code displays all mailboxes and their sizes
' ------ SCRIPT CONFIGURATION ------
strComputer = "<Exchange Server>" 'e.g. Svr2
' ------ END CONFIGURATION ---------

' Exchange_Mailbox lives in the root\MicrosoftExchangeV2 WMI namespace.
' 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32)
set objWMI = GetObject("winmgmts:\\" & strComputer & _
                       "\root\MicrosoftExchangeV2")
set objMbxs = objWMI.ExecQuery("Select * from Exchange_Mailbox",,48)
for each objMbx in objMbxs
  Wscript.Echo objMbx.MailBoxDisplayName & " " & objMbx.size & "KB " _
               & objMbx.TotalItems & " items"
next
Wscript.Echo "Script completed successfully."

Using PowerShell

Again, this is another scenario where the EMS simplifies Exchange management. An important reporting cmdlet for mailbox reporting is Get-MailboxStatistics. It quantifies mailbox size, item count, last logon time, and more (see for the list). To get summary statistics for a specific server, run the following:
Get-MailboxStatistics -Server <Server_name>
This lists the mailboxes and their size and message counts on the server specified. Data is easily sorted in ascending or descending order by any value in the Get-MailboxStatistics output. For example, to sort the list by mailbox size, and easily identify the largest mailboxes, we can use:
Get-MailboxStatistics -Server <Server_name> | Sort-Object TotalItemSize -Descending | ft
Administrators often need to act on this information and need it in a timely manner. It is easy to write this information to file and attach it to a scheduled email using a script.
This script assigns parts of the email message to variables, collects the data with Get-MailboxStatistics
End of content preview. The rest of this section is not viewable here.
Configuring Mailbox Limits
Content preview
You want to enable storage limits for user mailboxes on an Exchange server.

Using a graphical user interface

  1. Open the Exchange System Manager (ESM) snap-in.
  2. In the left pane, browse to the mailboxes container of the server, storage group, and database you want to configure a storage limit for.
  3. Right-click the mailbox store. Select Properties, and then select the Limits tab.
  4. Select one or more of the following checkboxes:
    Issue warning at
    Warns users that they have exceeded the storage limit, but their mailbox will continue to function.
    Prohibit send at
    Warns users that they have exceeded the storage limit and then prevents them from sending new messages until their mailboxes are brought back underneath the configured storage limit. Users can still receive messages.
    Prohibit send and receive at
    Warns users that they have exceeded the storage limit and then prevents them from both sending and receiving messages until their mailboxes are brought back underneath the configured storage limit.
  5. Specify the appropriate values for these settings in kilobytes (KB).
    The maximum value that you can configure for these items through the ESM is 2 GB (2,097,151 KB). To establish larger values than that, you need to use ADSIEdit or the command-line or script solutions listed next.

Using a command-line interface

To configure the size at which a warning will be issued, we call on the joeware utilities AdFind and AdMod. We use the following syntax (each command should be contained on one line):
> adfind -config -rb "cn=<StorageGroup>,cn=InformationStore,cn=<ServerName>,cn=Servers,cn=<Administrative Group>,cn=Administrative Groups,cn=<ExchangeOrg>,cn=Microsoft Exchange,cn=Services" -dsq | admod mDBStorageQuota::<LimitinKB>
To configure the size at which a user can receive mail but not send, use:
> adfind -config -rb "cn=<StorageGroup>,cn=InformationStore,cn=<ServerName>,cn=Servers,cn=<Administrative Group>,cn=Administrative Groups,cn=<ExchangeOrg>,cn=Microsoft Exchange,cn=Services" -dsq | admod mDBOverQuotaLimit::
End of content preview. The rest of this section is not viewable here.
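The same attributes the adfind/admod pipeline writes (mDBStorageQuota for the warning, mDBOverQuotaLimit for prohibit send, and mDBOverHardQuotaLimit for prohibit send and receive, all in KB) can be set from PowerShell through the [ADSI] accelerator, which is one way past the 2 GB ceiling of the ESM dialog. The following is an added example, not code from the book. It refuses the one misconfiguration that is easy to make by hand (thresholds out of order, so that the warning fires only after sending is already blocked, or the hard limit sits below the send limit), writes the three values, and reads them back from the directory rather than trusting the call. The store DN is a placeholder built from the recipe's naming (cn=<store>,cn=<storage group>,cn=InformationStore,...); it assumes an account that can write the Exchange configuration container and that the mailbox store sits below the storage group as it does in Exchange 2003.

```powershell
function Set-StoreQuota {
    param(
        [string]$StoreDN,                # e.g. cn=DB1,cn=SG1,cn=InformationStore,cn=SRV1,...
        [int]$WarningKB,
        [int]$ProhibitSendKB,
        [int]$ProhibitSendReceiveKB
    )
    # Guard: warning < prohibit send < prohibit send/receive, or the store is
    # silently misconfigured (the directory accepts any three integers).
    if (-not ($WarningKB -lt $ProhibitSendKB -and $ProhibitSendKB -lt $ProhibitSendReceiveKB)) {
        throw "Quotas must satisfy warning < prohibit send < prohibit send/receive"
    }
    $store = [ADSI]("LDAP://" + $StoreDN)
    $store.Put("mDBStorageQuota",       $WarningKB)
    $store.Put("mDBOverQuotaLimit",     $ProhibitSendKB)
    $store.Put("mDBOverHardQuotaLimit", $ProhibitSendReceiveKB)
    $store.SetInfo()

    # Verify: re-read the committed values from the directory.
    $store.psbase.RefreshCache()
    New-Object PSObject -Property @{
        Store              = $StoreDN
        WarningKB          = [int]$store.Get("mDBStorageQuota")
        ProhibitSendKB     = [int]$store.Get("mDBOverQuotaLimit")
        ProhibitSendRecvKB = [int]$store.Get("mDBOverHardQuotaLimit")
    }
}

# Placeholder DN (assumption) following the recipe's container layout.
$storeDN = "cn=DB1,cn=SG1,cn=InformationStore,cn=SRV1,cn=Servers," +
           "cn=First Administrative Group,cn=Administrative Groups," +
           "cn=ADATUMMAIL,cn=Microsoft Exchange,cn=Services," +
           "cn=Configuration,dc=adatum,dc=com"

# Values are KB. 1MB in PowerShell is 1048576, so 3 * 1MB KB = 3 GB:
# all three limits below are above what the ESM dialog lets you type.
Set-StoreQuota -StoreDN $storeDN `
    -WarningKB (3 * 1MB) -ProhibitSendKB (3584 * 1KB) -ProhibitSendReceiveKB (4 * 1MB) |
    Format-List
```

The attribute values are 32-bit integers, so the practical ceiling set this way is about 2 TB, not 2 GB; the store applies the new limits to users whose mailbox settings use the store defaults.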
Creating an Address List
Content preview
You want to create an Address List.

Using a graphical user interface

  1. Open the Exchange System Manager (ESM) snap-in.
  2. In the left pane, browse to the Recipients→All Address Lists container.
  3. Right-click on the All Address Lists container and select New→Address List.
  4. Enter the Address List name.
  5. Click on Filter Rules, configure the filter settings, and click OK.
    The filter should be a standard LDAP filter; for example, (&(objectcategory=person)(objectclass=user)(homeMDB=*)(employeeType=FT)).
  6. Click Finish.

Using a command-line interface

First, create an LDIF file called add_al.ldf with the following contents:
dn: CN=<Address List Name>,<ParentDN>
changetype: add
cn: <Address List Name>
displayName: <Address List Name>
objectClass: addressBookContainer
purportedSearch: <LDAP Filter>
systemFlags: 1610612736
Replace <Address List Name> with the name of the Address List and <ParentDN> with the distinguished name of the Address Lists container in Active Directory, for example:
cn=All Address Lists,cn=Address Lists Container,cn=ADATUMMAIL,cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=adatum,dc=com
Then run the following command:
> ldifde -i -f add_al.ldf

Using VBScript

' This code creates an Address List.
' ------ SCRIPT CONFIGURATION ------
strParentDN  = "<DN to All Address Lists Container>"
' e.g. CN=All Address Lists,CN=Address Lists Container,
'      CN=ADATUMMAIL,CN=Microsoft Exchange,
'      CN=Services,CN=Configuration,DC=adatum,DC=com
strObjClass = "addressBookContainer"
strALName = "<Address List Name>"   ' e.g. Sales Dept
strFilterAttrib = "purportedSearch"
strFilter = "<LDAP Filter>"   ' e.g. (&(department=sales)(homemdb=*))
' ------ END CONFIGURATION ---------

' Set dynamic values
set objOU = GetObject("LDAP://" & strParentDN)
set objNewObj = objOU.Create(strObjClass,"cn=" & strALName)
objNewObj.Put "displayName",strALName
objNewObj.Put strFilterAttrib,strFilter

' Set static values
objNewObj.Put "systemFlags",1610612736

' Save object
objNewObj.SetInfo
Wscript.Echo "Successfully created address list."
End of content preview. The rest of this section is not viewable here.
Creating a Storage Group
Content preview
You want to create a new storage group to allow for more mailbox stores, faster backups, or a logical organization of mailboxes.

Using a graphical user interface

  1. Open the Exchange System Manager (ESM) snap-in.
  2. In the left pane, browse to the server that you want to create a new storage group for.
  3. Right-click on the server and select New→Storage Group.
  4. Enter a name, transaction log location, system path location for storage of temporary and recovered files, and click OK.

Using a command-line interface

First, create an LDIF file called add_sg.ldf with the following contents:
dn: CN=<Storage Group Name>,<ParentDN>
changetype: add
objectClass: msExchStorageGroup
cn: <Storage Group Name>
showInAdvancedViewOnly: TRUE
systemFlags: 1610612736
msExchESEParamEnableIndexChecking: TRUE
msExchESEParamEnableOnlineDefrag: TRUE
msExchESEParamSystemPath: <Path to store system files>
msExchESEParamPageFragment: 8
msExchESEParamPageTempDBMin: 0
msExchRecovery: TRUE
msExchESEParamZeroDatabaseDuringBackup: 0
msExchESEParamBaseName: E01
msExchESEParamCircularLog: 0
msExchESEParamEventSource: MsExchangeIS
msExchESEParamCheckpointDepthMax: 20971520
msExchESEParamCommitDefault: 0
msExchESEParamLogFilePath: <Path to log files>
msExchESEParamDbExtensionSize: 256
msExchESEParamLogFileSize: 5120
Replace <Storage Group Name> with the name of the storage group, <ParentDN> with the distinguished name of the storage groups container for the appropriate server, <Path to store system files> with the filesystem path where you want system files (temporary and recovered files), and <Path to log files> with the filesystem path where you want Exchange logfiles. Then run the following command:
> ldifde -i -f add_sg.ldf

Using VBScript

' This code creates a Storage Group.
' ------ SCRIPT CONFIGURATION ------
strServer = "<Exchange Server>"   ' e.g. ExchServer2
strName = "<Storage Group Name>"  ' e.g. SG1
strPath = "<File Path>" & strName ' e.g. D:\Program Files\ExchSrvr
' ------ END CONFIGURATION ---------

' Create URL to Storage Group
Set objSrv = CreateObject("CDOEXM.ExchangeServer")
objSrv.DataSource.Open strServer

' This for loop is a bit of a hack to retrieve the first Storage Group
' in the collection. VBScript doesn't let you access specific elements
' of a collection the way JScript can.
for each strSg in objSrv.StorageGroups
   strTemp = strSg
   exit for
next
' Drop the leading "cn=<existing group>," so only the parent container remains
strTemp = mid(strTemp,instr(2,strTemp,"cn",1))
strSGUrl = "LDAP://cn=" & strName & "," & strTemp

' Create/configure Storage Group and save it
set objSG = CreateObject("CDOEXM.StorageGroup")
objSG.MoveSystemFiles(strPath)
objSG.MoveLogFiles(strPath)
objSG.DataSource.SaveTo strSGUrl
Wscript.Echo "Successfully created storage group."
End of content preview. The rest of this section is not viewable here.
Creating a Mailbox Store
Content preview
You want to create a mailbox store. The primary reason for creating additional mailbox stores is to decrease the size of the individual stores while supporting many users on one server.

Using a graphical user interface

  1. Open the Exchange System Manager (ESM) snap-in.
  2. In the left pane, browse to the server and storage group that you want to create a new mailbox store on.
  3. Right-click on the storage group and select New→Mailbox Store.
  4. Enter a name for the store, configure the settings on each tab, and click OK.
  5. When prompted to mount the store, click Yes.

Using VBScript

' This code creates a Mailbox Store.
' ------ SCRIPT CONFIGURATION ------
strServer = "<Exchange Server>"           ' e.g. ExchServer2
strSGName = "<Storage Group Name>"        ' e.g. SG1
strMailStoreName = "<MailBox Store Name>" ' e.g. DB1
' ------ END CONFIGURATION ---------

' Find Storage Group URL
strSearch = "CN=" & strSGName & ","
set objSrv = CreateObject("CDOEXM.ExchangeServer")
objSrv.DataSource.Open strServer
strSGUrl = ""
for each strSg in objSrv.StorageGroups
   if (instr(1,strSg,strSearch,1)>0) then strSGUrl = strSg
next
' Stop rather than save the store under a bogus URL
if strSGUrl = "" then
   Wscript.Echo "Storage group " & strSGName & " not found on " & strServer
   Wscript.Quit 1
end if

' Generate Mailbox Store URL
strMBUrl = "LDAP://CN=" & strMailStoreName & "," & strSGUrl

' Create/configure Mailbox Store and save it
set objMB = CreateObject("CDOEXM.MailboxStoreDB")
objMB.DataSource.SaveTo strMBUrl

' Mount database
objMB.Mount
Wscript.Echo "Successfully created mailbox store."

Using a graphical user interface

  1. Open the EMC by clicking Start→All Programs→Microsoft Exchange Server 2007→Exchange Management Console.
  2. Navigate to the Server Configuration container and select Mailbox.
  3. Select the desired server in the top of the middle pane.
  4. The Database Management tab in the bottom of the middle pane will show the current storage groups and databases.
  5. Select the desired Storage Group to host the new Mailbox database.
  6. Right-click on the Storage Group and select New Mailbox Database from the context menu, or highlight the Storage Group and select New Mailbox Database toward the bottom of the Action pane.
End of content preview. The rest of this section is not viewable here.
Installing Anti-Spam Agents on the Hub
Content preview
You want to install the Exchange 2007 anti-spam agents for SP1 on a hub transport server because you are not using an Edge Transport Server at this time.

Using the command-line interface

The anti-spam transport agents are installed as part of the Edge Transport role; however, not all Exchange 2007 deployments will use an Edge server. The anti-spam agents are not installed by default on a Hub Transport server, but can be added manually.
Within the scripts folder on any Exchange 2007 Server, there is a pre-canned PowerShell script to install the anti-spam transport agents. This is found in the scripts folder located by default at c:\program files\Microsoft\exchange server\scripts\. You can navigate to this folder from within the EMS and run:
.\install-AntispamAgents.ps1
Alternatively, you can run install-AntispamAgents using the command line from any folder as the scripts folder is added to the Windows Path environment variable at installation. Open a command prompt, type Path, and hit Enter to show the different folders held in the Path variable.
Finally, the transport service needs to be restarted to apply the anti-spam agents:
Restart-Service MSExchangeTransport
If you are using another SMTP server product to provide gateway services, you must designate its IP address as an internal SMTP server. This is required for Connection Filtering to work correctly, because the agents evaluate the sender reputation of the first hop that is not in this list:
Set-TransportConfig -InternalSMTPServers <IP_Address>
The parameter takes a comma-separated list and replaces the existing list, so name every gateway in a single call, and list only servers you control: anything on this list is trusted by the filters.
After the anti-spam agents are installed on a Hub Transport server, the agents are available on all Hub Transport servers, because their configuration is stored in Active Directory.
To confirm the installation, open up the EMC and navigate to the Hub Transport object under the Organization Configuration container. In the middle pane, a new tab should appear entitled “Anti-spam.” That tab should show the set of installed and enabled transport agents as:
  • Content Filtering
  • IP Allow List
  • IP Allow List Providers
  • IP Block List
End of content preview. The rest of this section is not viewable here.
Enabling Message Tracking
Content preview
You want to enable Message Tracking on an Exchange Server 2003 or Exchange 2007 computer.

Using a graphical user interface

  1. Prepare a directory on the local hard drive (preferably on a separate physical disk from the Exchange stores) to accept the tracking log directory.
  2. Open the Exchange System Manager (ESM) snap-in.
  3. In the lefthand pane, browse to the server for which you wish to enable message tracking.
  4. Right-click the Server object and select Properties.
  5. On the General tab, place a checkmark next to “Enable message tracking” and “Remove log files.” Enter the number of days you wish to retain the logfiles for and click Apply.
  6. Click OK once you’ve read the warning message.
  7. Ensure that the process has created a share called %servername%.log and that the share is accessible to those users whose responsibilities involve running message traces.

Using a command-line interface

> adfind -config -rb "cn=<ServerName>,cn=Servers,cn=<Administrative Group Name>,cn=Administrative Groups,cn=<Exchange Organization>,cn=Microsoft Exchange,cn=Services" -dsq | admod messageTrackingEnabled::TRUE msExchTrkLogCleaningInterval::<Cleanup Interval in Days>
The command should be contained on one line. Once you have enabled these two settings in Active Directory, you should set the following Registry value on the Exchange server in question to prevent the Message Tracking Logs from being stored in the same directory as the Information Store:
HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters\<ServerName>
LogDirectory - REG_SZ:<PathToLoggingDirectory>
Pick a volume with enough free space for the retention window; these logs are the primary record used in a mail-flow investigation, and a full log volume silently stops tracking.

Using VBScript

' This code enables Message Tracking for an Exchange Server.
' ------ SCRIPT CONFIGURATION ------
strConnectionDN = "<Server Name><ParentDN>"
strLogPath = "<LogFilePath>" ' e.g. D:\Program Files\ExchangSrvr\Logs
strCleanupInterval = "<CleanupInterval>" ' From 1 - 99
                                         ' Set to 0 to retain indefinitely

Const HKEY_LOCAL_MACHINE = &H80000002 ' For configuring the Registry
strComputer = "<ComputerName>
End of content preview. The rest of this section is not viewable here.
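The recipe's command-line and script solutions cover the Exchange 2003 path (ESM, adfind/admod and the MSExchangeSA registry value). The Exchange 2007 equivalent lives in the Exchange Management Shell, and the following is an added example, not code from the book: it enables tracking on a Hub Transport server with its own log path, subject logging and a retention window, reads the settings back to verify them, and then runs the kind of query the logs exist for, every message a given sender emitted in a time window. It assumes an Exchange Management Shell session as an Exchange administrator; the server name, log path, sender address and retention are placeholders.

```powershell
function Enable-TrackingOnServer {
    param([string]$Server, [string]$LogPath, [int]$RetentionDays = 30)
    # MessageTrackingLogMaxAge is a time span; "30.00:00:00" is 30 days.
    Set-TransportServer -Identity $Server `
        -MessageTrackingLogEnabled $true `
        -MessageTrackingLogPath $LogPath `
        -MessageTrackingLogMaxAge ("{0}.00:00:00" -f $RetentionDays) `
        -MessageTrackingLogSubjectLoggingEnabled $true
    # Verify rather than assume: read the settings back from the server object.
    Get-TransportServer -Identity $Server |
        Select-Object Name, MessageTrackingLogEnabled, MessageTrackingLogPath, MessageTrackingLogMaxAge
}

function Find-SentBy {
    # All SEND/RECEIVE events for one sender in a window, most recent first.
    # ResultSize Unlimited lifts the default cap of 1000 rows.
    param([string]$Server, [string]$Sender, [datetime]$Start, [datetime]$End)
    Get-MessageTrackingLog -Server $Server -Sender $Sender -Start $Start -End $End -ResultSize Unlimited |
        Where-Object { $_.EventId -eq "SEND" -or $_.EventId -eq "RECEIVE" } |
        Sort-Object Timestamp -Descending |
        Select-Object Timestamp, EventId, Sender, Recipients, MessageSubject, ClientIp
}

# Placeholder values (assumptions)
Enable-TrackingOnServer -Server "SRV1" -LogPath "D:\ExchangeLogs\MessageTracking" -RetentionDays 30 |
    Format-List
Find-SentBy -Server "SRV1" -Sender "ray@adatum.com" -Start (Get-Date).AddDays(-7) -End (Get-Date) |
    Format-Table -AutoSize
```

On a server that holds only the Mailbox role, the same tracking parameters are set with Set-MailboxServer instead of Set-TransportServer. Subject logging makes an investigation much faster but writes message subjects to disk, so protect the log path and its share with the same access control as the store itself.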
Summary
Content preview
Exchange Server 2003 administration is focused on the Exchange System Manager and the Active Directory Users and Computers interfaces. For many tasks, there are scripting or command-line solutions using a number of different APIs or even third-party applications to access configuration information and data. Exchange 2007 makes significant changes to architecture and design, resulting in a new set of management tools. Exchange 2007 is the first Microsoft application to extend PowerShell for administration. This chapter shows some uses of the EMC and EMS in Exchange 2007 Management while still covering some common Exchange 2003 tasks.
As an Exchange 2007 administrator, you are going to have to learn the Exchange Shell at least at the cmdlet level. It is not that difficult—my 20-month-old daughter already speaks in cmdlets: Get-Milk and Eat-Cereal. We have only scratched the surface for recipes and how-tos for configuring and administering Exchange Servers. With the Exchange Management Shell especially, this chapter could be its own book, and probably is.
End of content preview. The rest of this section is not viewable here.
Chapter 21: Microsoft Identity Lifecycle Manager
Content preview
Microsoft Identity Lifecycle Manager (ILM) 2007 is a suite of application servers that includes the successor to the Microsoft Identity Integration Server (MIIS) 2003. The ILM 2007 product set also contains a separate but complementary server product called Certificate Lifecycle Manager (CLM), which is used to provide self-service for environments with a Public Key Infrastructure (PKI) that need to provide self-service and policy-based certificate management. While CLM is typically thought of as a solution for smart card enrollment and lifecycle management, it excels at providing policy management for any certificate type; however, the CLM components of the ILM 2007 suite are not covered in this chapter. In the light of the rename, the MIIS community has struggled to differentiate between what was the MIIS synchronization engine from the ILM suite itself, not wishing to drag CLM into what has typically been an MIIS . In cases where differentiation is important, the two server products are usually referred to as the “synch engine” and CLM; however, for the purposes of simplification within this chapter, the term ILM is used to only refer to the synch engine from this point forward.
ILM is a robust .NET application platform built on Microsoft’s highly successful platform—SQL Server. ILM provides services for the synchronization and reconciliation of identity data, and in some cases passwords, between multiple disparate repositories, including:
  • Enterprise directories
    • Active Directory/Active Directory Application Mode (ADAM)
    • Novell eDirectory
    • Sun Directory Server
    • IBM Tivoli Directory Server
  • Databases
    • Microsoft SQL
    • Oracle
    • IBM DB2
  • Mainframe
    • IBM RACF and iSeries (OS/400)
    • CA ACF2 and Top Secret
  • Email
    • Microsoft Exchange Server
    • Lotus Notes
  • Flat text files
    • DSML
    • LDIF
    • Attribute Value Pair
    • CSV
    • Delimited
    • Fixed width
While ILM no longer provides a metadirectory service, ILM is nonetheless considered to be in a class of products known as metadirectory synchronization tools. This is in contrast to other products like virtual directories that have no central reconciliation or synchronization mechanism.
End of content preview. The rest of this section is not viewable here.
Creating the HR Database MA
You want to get employee records from the HR Database into ILM so that they can be used as the source for new accounts in AD.
You need to start by creating an MA for the HR Database (refer to (12) in ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Actions pane on the right, click Create.
  4. In the Create Management Agent Designer, select SQL Server 7.0 or 2000 from the “Management Agent for” drop-down list.
  5. Type HR Database into the Name text box.
  6. Type a description in the Description field—this is where you can be creative.
  7. Click Next.
  8. In the Connect to Database pane on the right side:
    1. Type the SQL server name into the Server Name text box.
    2. Type the name of the database in the Database text box.
    3. Type the name of the table or view that contains the employee records in the Table/View text box.
    4. Leave the Delta View and Multivalue Table text boxes blank.
    5. Select the radio button for the type of authentication the SQL Server is set up to use.
    6. Fill in the User Name, Password, and Domain text boxes with the credentials of a user who has permissions to read and update the table we will create.
  9. Click Next.
  10. On the Configure Columns page:
    1. Click the Set Anchor button. This will display the Set Anchor dialog box.
    2. In the Set Anchor dialog box, select Badge Number and press the Add button.
    3. Click OK to save the anchor attribute definition.
  11. On the Configure Connector Filter page, click Next.
  12. On the Configure Join and Projection Rules page, click Next.
  13. On the Configure Attribute Flow page, click Next.
  14. On the Configure Deprovisioning page, click the “Make them disconnectors” radio button in the lefthand pane.
  15. Click Next.
  16. In the Configure Extensions page, click Finish.
Following these steps will create an SQL Server management agent. Associated with the MA is a namespace known as the connector space. ILM will store the data from the relevant columns of the HR Database here and use them to provision, synchronize, and deprovision user accounts in Active Directory. Creating the HR Database MA is the first of several steps to get the data into ILM. You should now see a management agent in the management agent pane of the Identity Manager with the name and comments displayed.
Creating an Active Directory MA
You want to provision user accounts into Active Directory from the records in the HR Database.
The first step to accomplish this is to create an Active Directory management agent (in , see (13) of ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Actions pane on the right side, click Create.
  4. In the Management Agent Designer, select Active Directory from the “Management Agent for” drop-down list.
  5. In the Name box, type a name. The forest name is usually a good choice.
  6. If you feel creative, type a meaningful description into the Description text box.
  7. Click Next.
  8. In the Connect to Active Directory Forest pane on the right side:
    1. Type the fully qualified DNS name of the forest into the Forest Name text box.
    2. Fill in the username, password, and domain name of an appropriate user account. The account must have sufficient access permissions. See for more details.
    3. Click Next.
  9. In the Configure Directory Partitions pane on the right side:
    1. Select the domain(s) you wish to manage in the Select Directory Partitions field.
    2. Click the Containers button in the lower-left portion of the dialog box.
    3. In the Select Container dialog, select the containers you wish to manage.
    4. Click OK.
    5. Click Next.
  10. In the Select Attributes pane on the right side, select the attributes you wish to manage from the Attributes field. You can check the Show All checkbox to display a full list of all attributes in the AD. Some AD attributes are mandatory; a typical minimal list would be: cn, displayName, employeeID, givenName, sAMAccountName, sn, userAccountControl, userPrincipalName, and unicodePwd (you need to select the Show All checkbox to see the unicodePwd attribute). Click Next to save the selected attributes.
  11. In the Select Object Types pane on the right side, select “user” in the Object Types field and click Next.
Setting Up a Metaverse Object Deletion Rule
You have decided on a single authoritative source for new employees: the HR Database. When a user record is deleted from it, you want ILM to delete the corresponding Active Directory account.
One of the configuration options required to have deletions propagated from the HR Database to Active Directory is the metaverse object deletion rule:
  1. Open Identity Manager.
  2. Click the Metaverse Designer button on the toolbar.
  3. In the Actions pane on the far right side, click Configure Object Deletion Rule.
  4. Select the “Delete metaverse object when connector from this management agent is disconnected” radio button and ensure the HR Database MA is selected in the drop-down list.
  5. Click OK.
The object deletion rule informs ILM of when to delete metaverse objects. Deleting a metaverse object does not necessarily cause anything to happen in the connected data source, but it does disconnect any connected objects in all of the connector spaces. This will cause the deprovisioning rule to fire for each disconnected object. The rule is configured for each management agent in the Configure Deprovisioning page for the management agent.
It is critical to plan accordingly for the lifecycle of every object. In many cases, deleting the MV object is not desirable if not all of the connectors are to be deleted. If you find yourself needing to maintain objects in other connected directories even after an authoritative source object has changed to an inactive status or been removed entirely (HR very rarely deletes records), consider leaving the connectors in place and allowing the default metaverse object deletion rule to prevail. This is incredibly helpful if you are doing any sort of reporting based off of aggregated identity data derived from the metaverse.
, for deleting data in the connector space and metaverse, and for the provisioning run profile
Setting Up Simple Import Attribute Flow—HR Database MA
You have already created the MAs needed, but you want to flow the column data from the HR Database to attributes in Active Directory.
You need to configure the ADMA’s attribute flow rules page (in , refer to (5) in ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the HR Database MA.
  4. In the Management Agent Designer pane on the lefthand side, select Configure Attribute Flow.
  5. Ensure “person” is selected in the data source object type drop-down list.
  6. Ensure “person” is selected in the metaverse object type drop-down list.
  7. In the Data Source attribute list, select the attribute whose data you wish to flow into the metaverse (see for some suggestions).
  8. In the Metaverse attribute list, select the attribute you want the data to flow into (see for some suggestions).
  9. In the Mapping Type section of the dialog, select Direct.
  10. In the Flow Direction section of the dialog, select Import.
  11. Click New. The new attribute mapping will appear in the attribute mapping list, with an arrow indicating that it is an import attribute flow.
  12. Click OK.
ILM has been configured to flow an attribute from the HR Database MA’s connector space into the metaverse. In general, we can map any attribute from the connected system to any attribute in the metaverse. However, if a Mapping Type of Direct is used, the attributes in the MA and the metaverse must be of the same data type (e.g., string or integer). To map from one data type to another, configure the advanced attribute flow (see ).
Here are some typical simple mappings:
  • FirstName → givenName
  • LastName → sn
  • Dept → department
  • StaffNumber → employeeID
  • TelNo → telephoneNumber
You need to make your own decisions about what data in the HR Database maps onto what data in the metaverse attributes, but these are usually fairly obvious. If you want to construct a name—for example, you’d like the sAMAccountName to be derived from the first character of the first name prepended to the last name—you need an advanced flow.
Setting Up a Simple Export Attribute Flow to AD
You want to flow attributes in the metaverse to attributes in AD. For example, the givenName field in the metaverse needs to map to the givenName field in AD.
You need to configure the attribute flow pages on the ADMA (in , refer to (8) in ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the ADMA.
  4. In the Management Agent Designer pane on the lefthand side, select Configure Attribute Flow.
  5. Ensure “user” is selected in the data source object type drop-down list.
  6. Ensure “person” is selected in the metaverse object type drop-down list.
  7. In the data source attribute list, select the connector space attribute you want to flow data into. See for some suggestions.
  8. In the Metaverse attribute list, select the attribute you want to flow data from. See for some suggestions.
  9. In the Mapping Type section of the dialog, select Direct.
  10. In the Flow Direction section of the dialog, select Export.
  11. Click New. The new attribute mapping will appear in the attribute mapping list, with an arrow indicating that it is an export attribute flow.
  12. Click OK.
This will configure a simple export attribute flow from the metaverse to the ADMA. You need to determine what attributes in the metaverse should flow to AD attributes.
Here are some typical simple mappings:
  • givenName → givenName
  • sn → sn
  • department → department
  • employeeID → employeeID
  • telephoneNumber → telephoneNumber
  • cn → displayName
  • cn → cn
  • uid → sAMAccountName
In many ILM scenarios, data is manipulated on its way in to the metaverse, and then copied on its way out to other connected systems. In the above example, the cn comes from the displayName. This is because you will later create an advanced import flow that will write the first name followed by a space and the last name into the displayName in the metaverse. Something similar will be done for uid, only you will take the first character of the first name and append the last name; e.g., Fred Smith gets a
Defining an Advanced Import Attribute Flow—HR Database MA
You want to create an Active Directory username using the first and last name from the HR Database. Simple attribute-to-attribute mapping is not sufficient. You need to take partial strings from different attributes and combine them to form a new name.
This will involve writing some VB or C# for an advanced attribute flow, which is covered in . To start with, you must define the flow rule—an entity that connects the UI elements to the coding we will do later (refer to (5) in ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the HR Database MA.
  4. In the Management Agent Designer pane on the lefthand side, select Configure Attribute Flow.
  5. Ensure “person” is selected in the data source object type drop-down list.
  6. Ensure “person” is selected in the metaverse object type drop-down list.
  7. In the Mapping Type section of the dialog, select Advanced.
  8. In the Flow Direction section of the dialog, select Import.
  9. Select FirstName and LastName from the data source attributes text box (to select multiple entries, hold down the Ctrl key).
  10. Select cn from the Metaverse attribute list.
  11. Click New.
  12. In the Advanced Attribute Flow Options dialog, delete the default name, type cn, and then click OK. The flow rule name you defined here will appear in the VB or C# you will write later. A convention among MIIS developers is to use the name of the destination attribute (in this case, cn).
  13. Notice that in the Type column in the upper pane, the newly created attribute mapping is detailed as Rules-Extension. A rules extension is a unit of managed .NET code.
  14. Select First Name and Last Name from the Data Source attribute mapping list (remember to use the Ctrl key to select multiple attributes).
  15. Select uid from the Metaverse attribute mapping list.
  16. Click New.
  17. In the Advanced Import Attribute Flow Options dialog, type uid into the “Flow rule name” text box and click OK.
Implementing an Advanced Attribute Flow Rules Extension—HR Database MA
You want to perform advanced attribute flow on the HR Database MA.
You’ve already defined an advanced attribute flow rule for the MA in the Identity Manager console. You now need to write the code and produce the DLL that implements that flow rule (refer to (5) in ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. Select the HR Database MA in the Management Agents pane.
  4. Click Create Extension Project in the Action pane on the far right side.
  5. Ensure the dialog box is filled in similar to (you can specify your own name and location).
Figure : Create Extension Project dialog
  6. Click OK. This will launch Visual Studio.
    This recipe assumes that you have already installed Visual Studio 2005 or better on the machine running ILM. If you are doing your development on another machine, you have two choices. You can map a drive to the ILM server and modify the code through the mapped drive, or you can copy the entire project to your development machine and work on it there. In any case, you will have to be sure to copy the resulting DLL back to the ILM server anytime you make a code change.
  7. In the Solution Explorer in the far righthand pane in Visual Studio, double-click the HR DatabaseExtension.vb node. This file contains the source code for your rules extension.
  8. The main code window should show the automatically generated code (this auto-code generation is provided for VB and C#). The first few lines of code should look like this:
    Imports Microsoft.MetadirectoryServices

    Public Class MAExtensionObject

        Implements IMASynchronization
  9. Scroll to the code section that looks like this:
    Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, _
            ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport
        ' TODO: write your import attribute flow code
        Select Case FlowRuleName
            Case "uid"
                ' TODO: remove the following statement and add your scripted
                ' import attribute flow here
                Throw New EntryPointNotImplementedException()

            Case "cn"
                ' TODO: remove the following statement and add your scripted
                ' import attribute flow here
                Throw New EntryPointNotImplementedException()

            Case Else
                ' TODO: remove the following statement and add your default
                ' script here
                Throw New EntryPointNotImplementedException()

        End Select
    End Sub
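The following is an added example, not the book’s code, of what the "cn" and "uid" cases can contain once the TODO statements are removed. It implements the two naming rules described in the simple-flow recipes above (display name as first name, a space, and last name; logon name as the first character of the first name prepended to the last name) for the flow rules "cn" and "uid" defined in the previous recipe. It assumes the HR Database MA columns are named FirstName and LastName and that the metaverse attributes cn and uid are strings; the method replaces the generated MapAttributesForImport inside MAExtensionObject, and the other IMASynchronization members stay exactly as Visual Studio generated them.

```vb
' Added example (not the book's code). Drops into the generated
' Public Class MAExtensionObject of the HR Database MA rules extension.
Imports System
Imports Microsoft.MetadirectoryServices

Public Class MAExtensionObject
    Implements IMASynchronization

    ' Pre-Windows 2000 logon names (sAMAccountName) are limited to 20 characters.
    Private Const MaxSamAccountNameLength As Integer = 20

    ' ... the remaining IMASynchronization members are left as generated ...

    Public Sub MapAttributesForImport(ByVal FlowRuleName As String, ByVal csentry As CSEntry, _
            ByVal mventry As MVEntry) Implements IMASynchronization.MapAttributesForImport
        Select Case FlowRuleName
            Case "cn"
                ' "Fred Smith": first name, a space, last name.
                mventry("cn").Value = RequireString(csentry, "FirstName") & " " & _
                                      RequireString(csentry, "LastName")
            Case "uid"
                ' "FSmith": first character of the first name prepended to the last name.
                mventry("uid").Value = BuildUid(RequireString(csentry, "FirstName"), _
                                                RequireString(csentry, "LastName"))
            Case Else
                ' A flow rule with no code behind it is a configuration error: fail the
                ' sync run rather than leave the metaverse attribute silently stale.
                Throw New UnexpectedDataException("No code for import flow rule: " & FlowRuleName)
        End Select
    End Sub

    ' Returns the trimmed value of a connector space attribute. When the column is
    ' absent or blank, DeclineMappingException tells the sync engine to skip this
    ' mapping and keep the existing metaverse value instead of writing an empty name.
    Private Function RequireString(ByVal csentry As CSEntry, ByVal attrName As String) As String
        If Not csentry(attrName).IsPresent Then
            Throw New DeclineMappingException(attrName & " is not present")
        End If
        Dim value As String = csentry(attrName).Value.Trim()
        If value.Length = 0 Then
            Throw New DeclineMappingException(attrName & " is blank")
        End If
        Return value
    End Function

    ' Builds the logon name: first initial plus last name, keeping letters and
    ' digits only (a conservative subset of what sAMAccountName allows), cut to
    ' the 20-character limit. "Fred", "Smith" -> "FSmith"; "Mary", "O'Brien-Lee" -> "MOBrienLee".
    Public Shared Function BuildUid(ByVal firstName As String, ByVal lastName As String) As String
        Dim raw As String = firstName.Substring(0, 1) & lastName
        Dim kept As New System.Text.StringBuilder()
        For Each c As Char In raw
            If Char.IsLetterOrDigit(c) Then kept.Append(c)
        Next
        Dim uid As String = kept.ToString()
        If uid.Length > MaxSamAccountNameLength Then
            uid = uid.Substring(0, MaxSamAccountNameLength)
        End If
        Return uid
    End Function
End Class
```

BuildUid does not make the name unique: two employees named F. Smith produce the same uid, and the AD export of the second account fails because sAMAccountName must be unique within the domain. Detecting that collision and appending a counter belongs in the provisioning code that creates the AD connector, where the existing connectors can be inspected, not in the import flow.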
Setting Up Advanced Export Attribute Flow in Active Directory
Simple attribute-to-attribute mapping is not flexible enough to create the attribute values you want. You want to set constant values on some attributes. In this case, there is a bit mask of great interest—the mask used to set properties for accounts, such as whether the account is disabled.
This will involve writing some VB or C#, like the script for advanced attribute flow covered in , but we must set up flow rule names for the code in this section (refer to (8) in ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the ADMA.
  4. In the Management Agent Designer pane on the lefthand side, select Configure Attribute Flow.
  5. Ensure “user” is selected in the data source object type drop-down list.
  6. Ensure “person” is selected in the metaverse object type drop-down list.
  7. In the Mapping Type section of the dialog, select Advanced.
  8. In the Flow Direction section of the dialog, select Export.
  9. Select userAccountControl from the Data Source attributes list.
  10. Click New.
  11. In the Advanced Attribute Flow Options dialog, select Constant.
  12. Type 512 into the Value text box, and then click OK.
  13. Notice in the Type column in the upper pane, the newly created attribute mapping is detailed as Constant, with an arrow indicating export attribute flow.
  14. Click OK to close the Management Agent Designer.
Active Directory requires a minimal set of attributes in order to create normal, usable, enabled accounts. In this recipe we have set the required attributes. We set the userAccountControl flag to 512 (bit 9 set), which indicates that this account is a normal account. In other cases we might use a rules extension and set bit 1 to disable the account, e.g., if there was an employee status field in the HR Database that indicated the employee was inactive.
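The discussion above mentions using a rules extension to set the disable bit from an employee status field instead of exporting the constant 512. The block below is an added example of that, not the book’s code: it assumes that in step 11 you chose “Rules extension” rather than Constant and named the flow rule userAccountControl, and that the metaverse person object carries a string attribute employeeStatus (both assumptions, not from the page). It replaces the generated MapAttributesForExport inside the ADMA rules extension’s MAExtensionObject; the other IMASynchronization members stay as generated.

```vb
' Added example (not the book's code). Drops into the generated
' Public Class MAExtensionObject of the ADMA rules extension.
Imports System
Imports Microsoft.MetadirectoryServices

Public Class MAExtensionObject
    Implements IMASynchronization

    ' userAccountControl flag bits, as documented for the AD userAccountControl attribute.
    Private Const ADS_UF_ACCOUNTDISABLE As Long = &H2      ' bit 1: account disabled
    Private Const ADS_UF_NORMAL_ACCOUNT As Long = &H200    ' bit 9: normal user account (512)

    ' ... the remaining IMASynchronization members are left as generated ...

    Public Sub MapAttributesForExport(ByVal FlowRuleName As String, ByVal mventry As MVEntry, _
            ByVal csentry As CSEntry) Implements IMASynchronization.MapAttributesForExport
        Select Case FlowRuleName
            Case "userAccountControl"
                ' Start from the value already in the connector space (present once the
                ' account has been imported from AD) so flags an administrator set by hand,
                ' such as "password never expires", are not wiped out on every export.
                Dim current As Long = ADS_UF_NORMAL_ACCOUNT
                If csentry("userAccountControl").IsPresent Then
                    current = csentry("userAccountControl").IntegerValue
                End If
                ' Assumed metaverse attribute holding the HR status, e.g. "Active" / "Inactive".
                Dim status As String = ""
                If mventry("employeeStatus").IsPresent Then
                    status = mventry("employeeStatus").Value
                End If
                csentry("userAccountControl").IntegerValue = ComputeUserAccountControl(current, status)
            Case Else
                Throw New UnexpectedDataException("No code for export flow rule: " & FlowRuleName)
        End Select
    End Sub

    ' Returns the new userAccountControl: the existing flags with NORMAL_ACCOUNT
    ' guaranteed set, and ACCOUNTDISABLE cleared only for an "Active" employee.
    ' Any other status (Inactive, Terminated, blank, unknown) disables the account,
    ' so a missing HR status fails closed.
    '   (512,   "Active")   -> 512
    '   (512,   "Inactive") -> 514
    '   (66048, "Inactive") -> 66050   (512 + DONT_EXPIRE_PASSWORD 65536, kept, plus bit 1)
    Public Shared Function ComputeUserAccountControl(ByVal current As Long, ByVal status As String) As Long
        Dim uac As Long = current Or ADS_UF_NORMAL_ACCOUNT
        If String.Equals(status.Trim(), "Active", StringComparison.OrdinalIgnoreCase) Then
            uac = uac And (Not ADS_UF_ACCOUNTDISABLE)
        Else
            uac = uac Or ADS_UF_ACCOUNTDISABLE
        End If
        Return uac
    End Function
End Class
```

A constant flow of 512, as configured in the recipe, re-exports 512 whenever the flow is evaluated, which also clears any flag an administrator has set on the account by hand; computing the value from the existing flags, as above, avoids that side effect.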
, , and for writing a rules extension to provision user objects to the ADMA from objects in the HR Database MA, and the code examples in the “Simple Account Provisioning” walkthrough (
Configuring a Run Profile to Do an Initial Load of Data from the HR Database MA
You need to get the data from the HR Database to its connector space.
Before you can run a management agent, you must create a run profile for it (refer to (9) in , which shows data being loaded from AD to the AD connector space):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the HR Database MA.
  4. In the Actions pane on the far right side, click Configure Run Profiles.
  5. In the Configure Run Profiles for HR Database, click New Profile.
  6. In the Name text box, type Full Import (Stage Only), then click Next.
  7. Ensure Full Import (Stage Only) is selected in the Type drop-down list, then click Next.
  8. Ensure “default” is showing in the Partition drop-down list, then click Finish.
  9. Ensure the details in the Step Details field look like .
Figure : Configure Run Profiles dialog for the HR Database MA
  10. Click OK to create the run profile.
There are three steps required to get data into the HR Database MA connector space:
  1. Create the MA.
  2. Create a run profile to run the MA.
  3. Execute the run profile. In this recipe you have created the run profile.
It is generally a good idea to give the run profiles exactly the same names as the step-type they represent. You will later create scripts that call run profiles. It is possible to give a run profile a name such as “Complete Cycle” and combine many steps in the run profile. However, when calling such entities from scripts, the calling script isn’t self-documenting, in that it hides what it is doing. It is also much easier to debug scripts when you know exactly what step is being called. Hence, you have created a run profile called Full Import (Stage Only), which consists of a single step of type Full Import (Stage Only). The one exception to this general rule is discussed in .
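The scripts referred to above call run profiles by name, which is where the naming convention pays off. The following is an added example, not the book’s code, of such a script written as a small VB.NET console program against the ILM WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent, method Execute), which requires a reference to System.Management.dll. It assumes the MA names used in this chapter, “HR Database” and “rallencorp.com” for the ADMA, and the run profile names created so far; the order of steps mirrors the chapter.

```vb
' Added example (not the book's code): run ILM run profiles by name through WMI
' and stop at the first step that does not report "success".
Imports System
Imports System.Management

Module RunProfileRunner
    Private Const IlmNamespace As String = "\\.\root\MicrosoftIdentityIntegrationServer"

    ' Executes one run profile on one management agent and returns the result
    ' string the sync engine reports ("success" when the run completed cleanly).
    Public Function RunProfile(ByVal maName As String, ByVal profileName As String) As String
        Dim scope As New ManagementScope(IlmNamespace)
        scope.Connect()
        ' Single quotes inside the MA name are doubled so the WQL filter stays well formed.
        Dim query As New ObjectQuery( _
            "SELECT * FROM MIIS_ManagementAgent WHERE Name = '" & maName.Replace("'", "''") & "'")
        Using searcher As New ManagementObjectSearcher(scope, query)
            For Each ma As ManagementObject In searcher.Get()
                Dim result As Object = ma.InvokeMethod("Execute", New Object() {profileName})
                Return CStr(result)
            Next
        End Using
        Throw New ArgumentException("No management agent named '" & maName & "' was found")
    End Function

    Sub Main()
        ' MA name / run profile name pairs; because each profile name equals the
        ' step type it contains, this table documents exactly what the script does.
        ' "rallencorp.com" is the ADMA name assumed in this chapter.
        Dim steps()() As String = { _
            New String() {"HR Database", "Full Import (Stage Only)"}, _
            New String() {"rallencorp.com", "Full Import (Stage Only)"}, _
            New String() {"HR Database", "Full Synchronization"}}

        For Each s As String() In steps
            Dim result As String = RunProfile(s(0), s(1))
            Console.WriteLine("{0} / {1}: {2}", s(0), s(1), result)
            If result <> "success" Then
                ' Do not continue into synchronization on top of a failed import:
                ' the later steps would act on stale connector space data.
                Environment.Exit(1)
            End If
        Next
    End Sub
End Module
```

The account running the script must be a member of the ILM operators group on the ILM server for the WMI call to succeed; a non-success result is logged and stops the chain rather than being ignored.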
for more on how to use the run profile to load data and
Loading Initial HR Database Data into ILM Using
With the MA and run profile created, you now want to load the data into ILM.
You need to execute the run profile to load the data. Refer to (1) in , which shows data being loaded from the HR Database to the HR Database connector space:
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the HR Database MA.
  4. In the Actions pane on the far right side, click Run.
  5. In the Run Management Agent dialog, select Full Import (Stage Only) and click OK.
  6. You’ll have to be quick to see this if there is only a small amount of data in the database: the MA briefly says “Running” in the State column of the Management Agents pane.
  7. In the Synchronization Statistics pane in the bottom lefthand corner, statistics showing the number of adds are displayed. If you click the hyperlink, you can navigate the information that was loaded.
The HR Database you are importing from must have records in it before ILM can import any data.
When designing a large system, work with a very small, representative set of data during development (maybe 10 records). This is because you will frequently find errors in your rules, and set about deleting everything in ILM, reconfiguring your rules, and starting again. It is much better to do these initial data loads with 10 or so records rather than 100,000 records, which will take a long time to load. When you are convinced your rules are good, start working with larger datasets.
and for how this run profile was configured
Configuring a Run Profile to Load the Container
Before you can provision and synchronize data in the AD connector space, you need to build the container structure in the connector space to reflect the container structure of Active Directory.
To do this, you have to create an appropriate run profile for the ADMA and import the AD container structure into the connector space.
The fact that you have to separately import the container structure from AD into the MA’s connector space is not obvious, and is frequently overlooked by even the most experienced ILM developers. If you fail to perform this step, the synchronization process will fail when it tries to provision new objects into the AD connector space.
Refer to (9) in , which shows data being loaded from AD to the AD connector space:
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar
  3. In the Management Agents pane, click the ADMA.
  4. In the Actions pane on the far right side, click Configure Run Profiles.
  5. In the Configure Run Profiles dialog click New Profile.
  6. In the Name text box, type Full Import (Stage Only), then click Next.
  7. Ensure Full Import (Stage Only) is selected in the Type drop-down list, then click Next.
  8. Ensure the correct domain partition is showing in the Partition drop-down list, then click Finish.
  9. Ensure the details in the Step Details field look like (note: your partition name may be different).
  10. Click OK.
Figure : Configure Run Profiles dialog for the ADMA
There are three steps required to get data into the ADMA connector space:
  1. Create the MA.
  2. Create the run profile.
  3. Execute the run profile. In this recipe you create the run profile.
When you create an ADMA, you specify which partitions (naming contexts) you wish to synchronize. When creating a run profile, you must be careful to select the correct partition (Naming Context in AD terms, but you will usually be after the domain NC) from which to load the container structure.
A common problem for ILM novices is getting “object does not have a parent” errors when running a synchronization step. This happens because the container structure for Active Directory isn’t loaded into the ADMA’s connector space.
Loading the Initial AD Container Structure into ILM Using a Run Profile
With the ADMA and run profile created, you need to get the data into ILM.
You now need to run the ADMA run profile to import the AD container structure (refer to (9) in , which shows the data being loaded from AD into the AD connector space):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the ADMA.
  4. In the Actions pane on the far right side, click Run.
  5. In the Run Management Agent dialog, select Full Import (Stage Only) and click OK.
  6. You'll have to be quick if there is only a small amount of data in AD. Notice the MA briefly says “Running” in the State column of the Management Agents pane.
  7. Notice in the Synchronization Statistics pane in the bottom lefthand corner, where statistics showing the number of adds are displayed. If you click the hyperlink, you can navigate the information that was loaded.
The first time you load the container structure into ILM, you need to use a full import step. Once the container structure is loaded, subsequent imports can use delta import steps, which in normal daily operations will be considerably faster to execute and will consume fewer resources on the ILM server, the AD domain controller, and the network.
and for more on how to configure the run profile that was used in this recipe
Setting Up the HR Database MA to Project Objects
The objects in the HR Database connector space now need to be projected into the metaverse. There are three steps:
  1. Configuring the MA for projection.
  2. Creating a synchronization run profile.
  3. Executing the synchronization run profile.
Refer to (3) in , which shows objects being provisioned from the HR Database MA’s connector space to the metaverse:
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the HR Database MA.
  4. In the Management Agent Designer pane on the lefthand side, select Configure Join and Projection Rules.
  5. Click the New Projection Rule… button.
  6. In the Projection dialog, ensure Declared is selected and that the drop-down list shows “person,” and then click OK.
  7. Notice in the “Join and Projection Rules for person” frame, the columns are detailed thus:
    • Mapping Group: 1
    • Action: Project
    • Metaverse Object Type: person
  8. Click OK.
The synchronization process projects (or creates) metaverse objects that are joined to objects in the HR Database MA connector space. When projected, ILM can provision new objects to the ADMA’s connector space. Hence, in our demonstration it is projection that initiates provisioning; however, it is perfectly legal for changes in attribute states to trigger provisioning if you have written your provisioning extensions to observe such workflows. The most common example would be looking for a change in an HR employee status attribute to trigger creation of a new account in AD. While novices often use the terms project and provision interchangeably, they mean quite different things.
From the ILM perspective, provision means “to create a new CS object in a CS where there was no object previously.” From an AD administrator’s perspective, provision generally means creation of an AD account complete with all of the standard accoutrements (home directory, terminal server profile, and so on) so it is important to be clear, depending on your audience.
Writing a Rules Extension to Provision User Objects
This recipe specifically covers writing a rules extension to provision user objects to the ADMA from objects in the HR Database MA. You want ILM to provision objects to the ADMA’s connector space based on objects in the HR Database MA.
There are three steps to provisioning:
  1. Write a rules extension.
  2. Configure a run profile.
  3. Execute the run profile.
In this recipe, you will write a Provisioning-Rules-Extension. ILM will help you with the initial project creation. Refer to (6) in , which shows objects being provisioned from the metaverse to the AD connector space:
  1. Open Identity Manager.
  2. From the menu select Tools→Options.
  3. In the Options dialog click the Create Rules Extension Project button.
  4. Ensure the Create Extension Project dialog looks like .
Figure : Dialog for creating the metaverse Provisioning-Rules-Extension
  5. Click OK.
  6. In Visual Studio, double-click MVExtension in the Solution Explorer.
  7. The first few lines of the code pane should look like this:
    Imports Microsoft.MetadirectoryServices

    Public Class MVExtensionObject

        Implements IMVSynchronization
  8. Navigate to the section that looks like this:
    Public Sub Provision(ByVal mventry As MVEntry) Implements _
        IMVSynchronization.Provision
        ' TODO: Remove this throw statement if you implement this method
        Throw New EntryPointNotImplementedException()
    End Sub
  9. Modify it to contain the following code:
    Public Sub Provision(ByVal mventry As MVEntry) Implements _
        IMVSynchronization.Provision

        Dim container As String
        Dim rdn As String
        Dim ADMA As ConnectedMA
        Dim numConnectors As Integer

        Dim myConnector As CSEntry
        Dim csentry As CSEntry
        Dim dn As ReferenceValue

        ' Ensure that the cn attribute is present.
        If Not mventry("cn").IsPresent Then
            Throw New UnexpectedDataException("cn attribute is not present.")
        End If

        ' Calculate the container and RDN.
        container = "CN=users,DC=rallencorp,DC=com"
        rdn = "CN=" & mventry("cn").Value

        ADMA = mventry.ConnectedMAs("rallencorp.com")
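The book’s listing is cut off above at the point where the ADMA is looked up. What follows is an added example, not the book’s continuation, of a complete provisioning extension in the same style: it creates an AD connector when the person has none, renames the existing connector when the cn in the metaverse has changed, and refuses to guess when more than one connector exists. The container and MA name are those from the listing above; the initial password handling is an assumption of this example (the AD MA exports unicodePwd only over a protected LDAP session, so the MA’s sign-and-encrypt or SSL option must be enabled).

```vb
' Added example (not the book's code): a full IMVSynchronization implementation
' that provisions "user" connectors into the ADMA's connector space.
Imports System
Imports System.Security.Cryptography
Imports Microsoft.MetadirectoryServices

Public Class MVExtensionObject
    Implements IMVSynchronization

    Private Const Container As String = "CN=users,DC=rallencorp,DC=com"
    Private Const AdmaName As String = "rallencorp.com"

    Public Sub Initialize() Implements IMVSynchronization.Initialize
    End Sub

    Public Sub Terminate() Implements IMVSynchronization.Terminate
    End Sub

    Public Function ShouldDeleteFromMV(ByVal csentry As CSEntry, ByVal mventry As MVEntry) As Boolean _
            Implements IMVSynchronization.ShouldDeleteFromMV
        ' Deletion is driven by the metaverse object deletion rule configured in the UI.
        Return False
    End Function

    Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
        If Not mventry("cn").IsPresent Then
            Throw New UnexpectedDataException("cn attribute is not present.")
        End If

        Dim ADMA As ConnectedMA = mventry.ConnectedMAs(AdmaName)
        ' EscapeDNComponent escapes ',' '+' '=' etc. in the cn, so a name coming from HR
        ' cannot change the structure of the DN or land the object in another container.
        Dim dn As ReferenceValue = ADMA.EscapeDNComponent("CN=" & mventry("cn").Value).Concat(Container)

        Select Case ADMA.Connectors.Count
            Case 0
                ' No AD account yet: create a new connector in the ADMA connector space.
                Dim csentry As CSEntry = ADMA.Connectors.StartNewConnector("user")
                csentry.DN = dn
                ' Assumed handling of the initial credential: a random value rather
                ' than a constant, to be replaced through the normal reset process.
                csentry("unicodePwd").Value = NewInitialPassword()
                csentry.CommitNewConnector()
            Case 1
                ' Account exists: keep its DN in step with the name in the metaverse.
                Dim existing As CSEntry = ADMA.Connectors.ByIndex(0)
                If Not existing.DN.Equals(dn) Then
                    existing.DN = dn
                End If
            Case Else
                ' Two AD accounts for one person is a data problem; never pick one silently.
                Throw New UnexpectedDataException("Multiple ADMA connectors for " & mventry("cn").Value)
        End Select
    End Sub

    ' 18 random bytes encode to 24 Base64 characters (mixed case, digits, '+' or '/'),
    ' which in practice satisfies the default AD complexity policy.
    Private Shared Function NewInitialPassword() As String
        Dim bytes(17) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(bytes)
        End Using
        Return Convert.ToBase64String(bytes)
    End Function
End Class
```

Because the export flow in this chapter sets userAccountControl to 512 (enabled), the new account must carry a password that meets domain policy when it is exported; an account provisioned without one is rejected by the domain controller.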
Creating a Run Profile for Provisioning
You need to synchronize data using the management agent to provision new accounts in the AD connector space. Before you can run the MA, you have to create a run profile that will synchronize the MA’s connector space with the metaverse.
You now need to create a provisioning run profile for the HR Database MA to synchronize user objects from it to the ADMA’s connector space. The run profile step is of type synchronization:
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the HR Database MA.
  4. In the Actions pane on the far right side, click Configure Run Profiles.
  5. In the Configure Run Profiles dialog, click New Profile.
  6. In the Name text box, type Full Synchronization, then click Next.
  7. Ensure Full Synchronization is selected in the Type drop-down list, then click Next.
  8. Ensure “default” is showing in the Partition drop-down list, then click Finish.
  9. Ensure the details in the Step Details field look like .
  10. Notice in the Management Agent run profiles list, the Full Import (Stage Only) profile you created earlier is still there.
  11. Click OK.
Figure : Dialog showing a Full Synchronization run profile added to the HR Database MA
There are two types of synchronization run profiles: full and delta. A full synchronization will process every object in the connector space. This is obviously necessary when it is the very first synchronization on the data. But in normal daily operations, you only want to perform delta synchronization steps because they only process objects that have changed since the last synchronization.
Full synchronization is also used when you have made a change to management agent configuration, e.g., you have added a new attribute flow. Usually you will want to run the reconfigured MA against all of the objects in the connector space. A delta would only apply the rule to objects that had changed since the last .
Executing the Provisioning Rule
You need to provision new objects to the AD connector space.
You need to run the provisioning run profile. The provisioning run profile triggers projection ((3) in ). The arrival of new objects in the metaverse ((4) in ) in turn triggers provisioning ((6) in ) and creates new objects ((7) in ) in the AD connector space. Follow these steps:
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the HR Database MA.
  4. In the Actions pane on the far right side, click Run.
  5. In the Run Management Agent dialog, select Full Synchronization, and click OK.
  6. Notice the MA says “Running” in the State column of the Management Agents pane, and then says “Idle.”
  7. Notice in the Synchronization Statistics pane in the bottom lefthand corner, statistics showing the number of projections and provisioned entries are displayed. If you click one of the hyperlinks, you can navigate the information that was projected and provisioned.
Inbound attribute flow is only processed on the MA that the run profile is executed against. That includes joins and projections, and since we have to have an MV object from which to provision, we will need to run a synchronization run profile against the HR MA in order to trigger provisioning to create the objects in the ADMA. If you were to run a synchronization run profile against the ADMA at this stage, nothing would be provisioned.
, for setting up the HR Database MA to project objects to the metaverse, for writing a rules extension to provision user objects to the ADMA from objects in the HR Database MA, and for creating the run profile that was executed in this recipe
Creating a Run Profile to Export Objects from the ADMA to Active Directory
You want to create the new accounts in Active Directory.
There are two steps to get the data from an MA to a connected system: creating an export run profile and executing the profile. This is the first step (the second step is in ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the ADMA.
  4. In the Actions pane on the far right side, click Configure Run Profiles.
  5. In the “Configure Run Profiles for…” pane, click New Profile.
  6. In the Name text box, type Export, then click Next.
  7. Ensure Export is selected in the Type drop-down list, then click Next.
  8. Ensure the correct domain partition is showing in the Partition drop-down list, then click Finish.
  9. Click New Step.
  10. In the Configure Step dialog, ensure Delta Import (Stage Only) is selected in the Type drop-down list, then click Next.
  11. Ensure the correct domain is selected in the Partition drop-down list, then click Finish.
  12. Ensure the details in the Step Details field look like (note: your partition name may be different).
  13. Click OK.
Figure : ADMA Export run profile showing an Export step followed by a Delta Import (Stage Only) step
It was mentioned earlier that it is a good idea to name the run profiles you create exactly the same as the run profile steps; i.e., a run profile of type Full Import (Stage Only) is named Full Import (Stage Only). The one exception to this general rule applies to export run profiles. When an export is completed, the only way the MA can truly know the data was successfully written to the target data store is to reimport the changes and compare them with what it believes was written out. This is known as a confirming import. In AD, for example, if we programmatically create a user account without a password, AD will automatically disable the user account by setting a flag in the userAccountControl attribute. For ILM to maintain knowledge of this state, the confirming import brings this knowledge back into ILM. Therefore, exports need to include a confirming import stage. If the system we are exporting to supports some form of change logging (as AD does through USNs), then the type of confirming import can be a delta import (stage only). If the system doesn’t expose any form of change logging (e.g., Novell eDirectory and NT4), a full import (stage only) step will be necessary.
Exporting Objects to AD Using an Export Run Profile
You need to execute the export run profile.
The second step is executing the export run profile to get the data into AD (the first step is in ). Refer to (9) in , which shows the objects being exported to AD; (10) in the same figure shows the objects created in AD. Follow these steps:
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the ADMA.
  4. In the Actions pane on the far right side, click Run.
  5. In the Run Management Agent dialog, select Export and click OK.
  6. You’ll have to be quick if there is only a small amount of data in the ADMA. Notice the MA says “Running” in the State column of the Management Agents pane.
  7. Notice in the Synchronization Statistics pane in the bottom lefthand corner, statistics showing the number of adds are displayed. If you click a hyperlink, you can navigate the information that was written to AD.
  8. Open Active Directory Users and Computers.
  9. Navigate to the Users container.
  10. Ensure the user objects have been created.
User accounts in Active Directory may be flagged as disabled even though you think they should be active. Assuming you set the userAccountControl attribute correctly, the usual reason for this is that some other attribute has not been set correctly and Active Directory has disabled the account. For example, if you do not set a password on an account, or the password you set does not meet the domain password requirements, Active Directory will disable the account.
If you do not set a password on a user object using the Active Directory Users and Computers MMC snap-in, you will receive a warning. If you do it programmatically, as ILM does, the account will be disabled.
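As an added example (not code from the book), the following PowerShell script lists the accounts in the provisioning container that Active Directory has flagged as disabled and decodes the userAccountControl bits behind the flag; it is a quick check to run right after the Export. It assumes the CN=Users container of rallencorp.com used by the provisioning rules extension and a caller with read access to the domain.

```powershell
# Added example (not from the book): after an Export run, list accounts in the
# provisioning container that Active Directory has flagged as disabled and
# decode the userAccountControl bits that explain why. The LDAP matching rule
# 1.2.840.113556.1.4.803 is a bitwise AND, so the filter matches only objects
# whose ACCOUNTDISABLE bit (0x2) is set.
# Assumption: the container is the CN=Users container targeted by the
# provisioning rules extension; adjust $containerDN for another target.

$containerDN = "CN=Users,DC=rallencorp,DC=com"

# The userAccountControl bits that usually matter when ILM has created an
# account without a password.
$uacFlags = @{
    0x00002 = "ACCOUNTDISABLE"
    0x00020 = "PASSWD_NOTREQD"
    0x00200 = "NORMAL_ACCOUNT"
    0x10000 = "DONT_EXPIRE_PASSWORD"
}

function Get-UacFlagNames {
    param([int] $Uac)
    # Return the names of the known bits set in $Uac, lowest bit first.
    $names = @()
    foreach ($bit in ($uacFlags.Keys | Sort-Object)) {
        if (($Uac -band $bit) -ne 0) { $names += $uacFlags[$bit] }
    }
    return ($names -join ",")
}

function Get-DisabledAccounts {
    param([string] $SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(userAccountControl:1.2.840.113556.1.4.803:=2))"
    [void] $searcher.PropertiesToLoad.Add("sAMAccountName")
    [void] $searcher.PropertiesToLoad.Add("userAccountControl")
    [void] $searcher.PropertiesToLoad.Add("pwdLastSet")

    foreach ($r in $searcher.FindAll()) {
        $uac = [int] $r.Properties["useraccountcontrol"][0]
        # pwdLastSet of 0 means no password has ever been set on the account,
        # which is the case the text describes for accounts ILM creates.
        $pwdSet = [long] $r.Properties["pwdlastset"][0]
        New-Object PSObject -Property @{
            Account            = $r.Properties["samaccountname"][0]
            UserAccountControl = $uac
            Flags              = Get-UacFlagNames -Uac $uac
            PasswordNeverSet   = ($pwdSet -eq 0)
        }
    }
}

Get-DisabledAccounts -SearchBase $containerDN |
    Format-Table Account, UserAccountControl, Flags, PasswordNeverSet -AutoSize
```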
By performing all the previous recipes successfully, you have provisioned user accounts from employee records in the HR Database to AD.
and for how to configure the run profile that was used in this recipe
Testing Provisioning and Deprovisioning of User Accounts in AD
You want to test that new and deleted employee records in the HR Database propagate correctly to Active Directory.
You will add a new employee record and delete an existing employee record from the HR Database. You will then execute a series of run profiles that will perform the necessary operations:
  1. Add and delete records from the HR Database (using SQL Server Management Studio).
    1. Open SQL Server Management Studio.
    2. When prompted with the Connect to Server dialog, ensure that Database Engine is selected for Server type and then enter the name of the SQL Server your ILM database resides on. Then click the Connect button.
    3. In the Object Explorer pane, expand the Databases folder by clicking the plus sign.
    4. Navigate down to the HR database and expand the entry by clicking the plus sign.
    5. Expand the Tables folder by clicking the plus sign and then select the Employees table in Object Explorer.
    6. Right-click the Employees table and select Open Table.
    7. Add a new row (you can type directly into the table at the marker in the extreme lefthand edge of the column labeled *). Make sure you create a unique number in the Badge Number column and when you have completed the data for the column, ensure that you select another row to save the new row into the table.
    8. Delete a row by clicking one of the gray unlabeled buttons on the extreme lefthand edge of the table contents to select the row, and then press the Delete key. Note the name of the employee you deleted.
  2. Add and delete records from the HR Database.
    1. Open SQL Server Enterprise Manager.
    2. In the lefthand pane, drill down in to Console Root\Microsoft SQL Servers\SQL Server\SQL Server Group\(local)(Windows NT)\Databases\HR\Tables.
      The same operation can be accomplished with SQL Server 2005 Server Management Studio by expanding the Root Node\Databases\HR\Tables
Creating a Run Profile Script
It is impractical to continually use the UI every time you wish to execute a run profile. You want to automate the process by calling ILM run profiles to perform the required actions.
You need to create a run profile script:
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the HR Database MA.
  4. In the Actions pane on the far right side, click Configure Run Profiles.
  5. In the Configure Run Profiles dialog, select the Export run profile.
  6. Click the Script button.
  7. In the “File name” text box, type HR Database MA Export.
  8. In the “Save as type” text box, select VB Script.
  9. Click the Save button.
  10. Repeat Steps 3–9 for the other run profiles in the HR Database MA and the ADMA. Follow the same file-naming convention.
The scripts free you from the UI and can also form the building blocks of an ILM implementation that runs unattended. You have several options, including:
  1. Submit the scripts to the Windows Task Scheduler Service to run on a specified daily schedule. To do this, open the Task Scheduler, double-click Add Scheduled Task, and follow the steps in the wizard.
  2. Create a Windows service that calls the scripts according to your own criteria, perhaps by submitting them to the task scheduler using its APIs.
  3. Use the SQL Server Agent process to invoke run profiles on the ILM server. This approach is especially useful if you are using a SQL Server cluster and need your profiles to follow the active node in case of a failure condition.
  4. If you already have a script execution environment, incorporate the new scripts.
to create a controlling script, the MSDN walkthrough about creating a Windows Service Application (http://msdn.microsoft.com/library/en-us/vbcon/html/vbwlkwalkthroughcreatingwindowsserviceapplication.asp), and the Task Scheduler API reference (http://msdn.microsoft.com/library/en-us/taskschd/taskschd/task_scheduler_reference.asp)
Creating a Controlling Script
You want a self-contained script that controls an entire sequence of operations, e.g., import the HR Database, synchronize, and then export to AD.
  1. Open Notepad.
  2. Type this script (or copy and paste the contents of the GroupPopulatorSync.cmd file from the MIIS Scenarios, referenced in ):
    @echo off
    rem
    rem Copyright (c) Microsoft Corporation. All rights reserved.
    rem

    setlocal
    set zworkdir=%~dp0
    rem Quote the path: %~dp0 may contain spaces.
    pushd "%zworkdir%"

    set madata="C:\Program Files\Microsoft Identity Integration Server\MaData"

    rem Run profile names must match the profiles configured in Identity Manager.

    rem Full Import of HR Database Employee Records
    rem -------------------------------------------
    cscript runMA.vbs /m:"HR Database" /p:"Full Import (Stage Only)"
    if {%errorlevel%} NEQ {0} (echo Error[%errorlevel%]: command file failed) & (goto exit_script)

    rem Full Sync of HR Database Employee Records
    rem ----------------------------------------
    cscript runMA.vbs /m:"HR Database" /p:"Full Synchronization"
    if {%errorlevel%} NEQ {0} (echo Error[%errorlevel%]: command file failed) & (goto exit_script)

    rem Export users in to AD
    rem --------------------
    cscript runMA.vbs /m:"rallencorp.com" /p:"Export"
    if {%errorlevel%} NEQ {0} (echo Error[%errorlevel%]: command file failed) & (goto exit_script)

    :exit_script
    popd
    endlocal
    1. In this case, HR Database is the name of the MA and Full Import (Stage Only) is the name of the run profile.
    2. It is the same for the highlighted entries on the other two lines.
  3. Save the file with a .cmd file extension.
  4. Close Notepad.
  5. Open Notepad.
  6. Type the following script (or copy and paste the contents of the RunMA.vbs file in the ILM scenarios, referenced in ):
    option explicit
    on error resume next

    '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    'SCRIPT:        runMA.vbs
    'DATE:          2003-02-05
    '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    '= Copyright (C) 2003 Microsoft Corporation. All rights reserved.
    '=
    '******************************************************************************
    '* Function: DisplayUsage
    '*
    '* Purpose:  Displays the usage of the script and exits the script
    '*
    '******************************************************************************
    Sub DisplayUsage()
            WScript.Echo ""
            WScript.Echo "Usage: runMa </m:ma-name> </p:profile-name>"
            WScript.Echo "                [/s:mms-server-name]"
            WScript.Echo "                [/u:user-name]"
            WScript.Echo "                [/a:password]"
            WScript.Echo "                [/v] Switch on Verbose mode"
            WScript.Echo "                [/?] Show the Usage of the script"
            WScript.Echo ""
            WScript.Echo "Example 1: runMa /m:adma1 /p:fullimport"
            WScript.Echo "Example 2: runMa /m:adma1 /p:fullimport /u:domain\user " & _
                         "/a:mysecret /v"
            WScript.Quit (-1)
    End Sub

    '******************************************************************************
    ' Script Main Execution Starts Here
    '******************************************************************************
    '--Used Variables--------------------------
    dim s
    dim runResult
    dim rescode
    dim managementagentName
    dim profile
    dim verbosemode
    dim wmiLocator
    dim wmiService
    dim managementagent
    dim server
    dim username
    dim password
    '-----------------------------------------

    rescode = ParamExists("/?")
    if rescode = true then call DisplayUsage
    verbosemode = ParamExists("/v")

    managementagentName = ParamValue("/m")
    if managementagentName = "" then call DisplayUsage

    profile = ParamValue("/p")
    if profile = "" then call DisplayUsage

    ' A string literal cannot span a line continuation, so the message is
    ' assembled with the & operator.
    if verbosemode then wscript.echo "%Info: Management Agent and Profile is <" & _
            managementagentName & ":" & profile & ">"
    if verbosemode then wscript.Echo "%Info: Getting WMI Locator object"

    set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
    if err.number <> 0 then
            wscript.echo "%Error: Cannot get WMI Locator object"
            wscript.quit(-1)
    end if

    server = ParamValue("/s")
    password = ParamValue("/a")
    username = ParamValue("/u")

    if server = "" then server = "." ' connect to WMI on local machine

    if verbosemode then
            wscript.Echo "%Info: Connecting to MMS WMI Service on <" & server & ">"
            if username <> "" then wscript.Echo _
                    "%Info: Accessing MMS WMI Service as <" & username & ">"
    end if

    if username = "" then
            set wmiService = wmiLocator.ConnectServer _
                    (server, "root/MicrosoftIdentityIntegrationServer")
    else
            set wmiService = wmiLocator.ConnectServer _
                    (server, "root/MicrosoftIdentityIntegrationServer", username, password)
    end if

    if err.number <> 0 then
            wscript.echo "%Error: Cannot connect to MMS WMI Service <" _
                    & err.Description & ">"
            wscript.quit(-1)
    end if

    if verbosemode then wscript.Echo "%Info: Getting MMS Management Agent via WMI"

    ' The MA is addressed by its WMI object path, keyed on the Name property.
    Set managementagent = wmiService.Get("MIIS_ManagementAgent.Name='" & _
            managementagentName & "'")
    if err.number <> 0 then
            wscript.echo _
                    "%Error: Cannot get Management Agent with specified WMI Service <" & _
                    err.Description & ">"
            wscript.quit(-1)
    end if

    wscript.echo "%Info: Starting Management Agent with Profile <" & _
            managementagent.name & ":" & profile & ">"
    runResult = managementagent.Execute(profile)
    if err.number <> 0 then
            wscript.Echo "%Error: Running MA <" & err.Description & _
                    ">. Make sure the correct profile name is specified."
            wscript.quit(-1)
    end if

    wscript.Echo "%Info: Finish Running Management Agent"
    wscript.Echo "%Result: <" & CStr(runResult) & ">"
    ' Execute returns a result string; only "success" is a clean run. Exiting
    ' non-zero for anything else lets a calling command file stop its sequence.
    if LCase(CStr(runResult)) <> "success" then wscript.quit(1)
    wscript.quit(0)

    '******************************************************************************
    '* Function: ParamValue
    '*
    '* Purpose: Parses the command line for an argument and
    '*          returns the value of the argument to the caller
    '*          Argument and value must be separated by a colon
    '*
    '* Arguments:
    '* [in]      parametername      name of the parameter
    '*
    '* Returns:
    '*           STRING      Parameter found in commandline
    '*           ""          Parameter NOT found in commandline
    '*
    '******************************************************************************
    Function ParamValue(ParameterName)

            Dim i                   '* Counter
            Dim Arguments           '* Arguments from the command-line command
            Dim NumberofArguments   '* Number of arguments from the command-line
            Dim ArgumentArray       '* Array to store arguments from command-line
            Dim TemporaryString     '* Utility string

            '* Initialize Return Value to be the Empty String
            ParamValue = ""

            '* If no ParameterName is passed into the function exit
            if ParameterName = "" then exit function

            '* Check if Parameter is in the Arguments and return the value
            Set Arguments = WScript.Arguments
            NumberofArguments = Arguments.Count - 1

            For i=0 to NumberofArguments
                    TemporaryString = Arguments(i)
                    ArgumentArray = Split(TemporaryString,":",-1,vbTextCompare)

                    '* A bare switch such as "/m" has no value part, so guard the index
                    If ArgumentArray(0) = ParameterName And UBound(ArgumentArray) >= 1 Then
                          '* Take everything after the first colon so a value that
                          '* itself contains ":" is returned whole
                          ParamValue = Mid(TemporaryString, Len(ParameterName) + 2)
                          exit function
                    End If
            Next
    end Function

    '******************************************************************************
    '* Function: ParamExists
    '*
    '* Purpose:  Parses the command line for an argument and
    '*           returns true if the argument is present
    '*
    '* Arguments:
    '* [in]      parametername      name of the parameter
    '*
    '* Returns:
    '*           true       Parameter found in commandline
    '*           false      Parameter NOT found in commandline
    '*
    '******************************************************************************
    Function ParamExists(ParameterName)

            Dim i                   '* Counter
            Dim Arguments           '* Arguments from the command-line command
            Dim NumberofArguments   '* Number of arguments from the command-line
            Dim TemporaryString     '* Utility string

            '* Initialize Return Value to False
            ParamExists = false

            '* If no ParameterName is passed into the function exit
            if ParameterName = "" then exit function

            '* Check if Parameter is in the Arguments
            Set Arguments = WScript.Arguments
            NumberofArguments = Arguments.Count - 1

            For i=0 to NumberofArguments
                    TemporaryString = Arguments(i)
                    If TemporaryString = ParameterName Then
                          ParamExists = true
                          exit function
                    End If
            Next
    end Function
Enabling Directory Synchronization from AD
You want AD to become the authoritative source for the telephoneNumber attribute of Active Directory users.
You need to configure both the import attribute flow from the ADMA connector space to the metaverse, as well as the export attribute flow from the metaverse to the HR Database MA connector space (refer to (5) and (8) in , which show where the rules will be configured):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the ADMA.
  4. In the Management Agent Designer pane on the lefthand side, highlight Select Attributes.
  5. In the Attributes pane on the right side, select “telephoneNumber.”
  6. In the Management Agent Designer pane on the lefthand side, highlight Configure Attribute Flow.
  7. In the Mapping Type section of the dialog, select Direct.
  8. In the Flow Direction section of the dialog, select Import.
  9. Ensure “user” is selected in the data source object type drop-down list.
  10. Ensure “person” is selected in the metaverse object type drop-down list.
  11. In the data source object type drop-down list, select “telephoneNumber.”
  12. In the metaverse object type drop-down list, select “telephoneNumber.”
  13. Click New.
  14. Notice that in the Attribute Flow pane, the arrow for this mapping indicates an import attribute flow. Click OK.
  15. In the Management Agents pane, double-click the HR Database MA.
  16. In the Management Agent Designer pane on the lefthand side, highlight Configure Attribute Flow.
  17. In the Mapping Type section of the dialog, select Direct.
  18. In the Flow Direction section of the dialog, select Export.
  19. Ensure “person” is selected in the data source object type drop-down list.
  20. Ensure “person” is selected in the metaverse object type drop-down list.
  21. In the data source object type drop-down list, select “telephoneNumber.”
  22. In the metaverse object type drop-down list, select “telephoneNumber.”
  23. Click New.
  24. Notice in the Attribute Flow pane, the arrow for this mapping indicates an export attribute flow. Click OK.
Configuring a Run Profile to Load the telephoneNumber from AD
You need to get the AD telephoneNumber attribute into ILM and synchronize it.
Configure a run profile that combines import and synchronization as demonstrated in this recipe, then execute it (see ):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the ADMA.
  4. In the Actions pane on the far right side, click Configure Run Profiles.
  5. In the Configure Run Profiles for “rallencorp.com” (the name in quotes will reflect the name you chose when creating the ADMA), click New Profile.
  6. In the Name text box, type Delta Import and Delta Synchronization, then click Next.
  7. Ensure Delta Import and Delta Synchronization is selected in the Type drop-down list and then click Next.
  8. Ensure the correct domain partition is showing in the Partition drop-down list, and then click Finish.
  9. Ensure the details in the Step Details field look like (note: your partition name may be different and the assumption is that you have completed the previous recipes).
  10. Click OK.
Figure : Dialog showing Delta Import and Delta Synchronization run profile added to the existing ADMA run profiles
Because a previous import step was completed in an earlier recipe, you can use the combined Delta Import and Delta Synchronization step so that ILM imports and synchronizes changes that have occurred in AD since the last time it connected. You can use this run profile from now on since it keeps track of changes internally using the DirSync control.
The Delta Import (Stage Only) step in the AD Export run profile (the confirming import from ) also imports changes, which suggests you could simply configure a delta synchronization run profile to process those changes in this recipe. Such an approach will work. The decision about which approach to use will depend on the service-level agreements you make. If it is two hours since the last AD import, your service-level agreement might force you to import and synchronize the changes that have occurred over the last two hours and feed them to the HR Database; however, you may only need to export to AD every four hours. If you only rely on the changes detected in the confirming import step, you will only be able to update the HR Database with changes every four hours.
Loading telephoneNumber Changes from AD into ILM Using a Delta Import and Delta Synchronization Run Profile
You need to pull the data from AD into ILM.
With the MA and run profile created, you can now load telephoneNumber attribute data into ILM by executing the run profile.
In , (11) in shows the telephoneNumber data being loaded into the AD connector space. The synchronization process then flows the data to the metaverse ((6) in ) and from there to the AD connector space ((3) in ).
  1. Open Active Directory Users and Computers.
  2. Navigate to a user in the container you are managing with ILM.
  3. Double-click the user object.
  4. Ensure the General tab is selected and then type a telephone number into the Telephone Number text box and click OK.
  5. Open Identity Manager.
  6. Click the Management Agents button on the toolbar.
  7. In the Management Agents pane, click the ADMA.
  8. In the Actions pane on the far right side, click Run.
  9. In the Run Management Agent dialog, select Delta Import and Delta Synchronization and click OK.
  10. Because you have changed the rules but not yet run a full synchronization on all the existing objects, a Run Step Warning dialog appears, as shown in . Click No.
  11. Notice the MA briefly says “Running” in the State column of the Management Agents pane.
Figure : Run Step Warning dialog box
Notice the Synchronization Statistics pane in the bottom lefthand corner displays statistics showing the number of updates and connectors with flow updates. If you click one of the hyperlinks, you can navigate the information that was loaded.
The Run Step Warning dialog will pop up to annoy you anytime you change any of the ILM rules or configuration settings. Even changing (adding, updating, or deleting) files in the Extensions directory will cause this warning to pop up on all run profile executions until every MA undergoes a full synchronization. This is done to force you into reconciling the state of every connector whenever there is a policy change. In this manner, ILM is one of the few Identity Management products that place such a serious emphasis on complete reconciliation and convergence of identity—often at the cost of some performance.
Exporting telephoneNumber Data to the HR Database
You need to export the data from the HR Database MA connector space into the HR Database.
You need to configure and execute an export run profile. First, create the run profile:
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the HR Database MA.
  4. In the Actions pane on the far right side, click Configure Run Profiles.
  5. In the Configure Run Profiles for HR Database pane, click New Profile.
  6. In the Name text box, type Export and then click Next.
  7. Ensure Export is selected in the Type drop-down list and then click Next.
  8. Ensure default is showing in the Partition drop-down list and then click Finish.
  9. Click New Step.
  10. In the Configure Step dialog, ensure Full Import (Stage Only) is selected in the Type drop-down list and then click Next.
  11. Ensure default is selected in the Partition drop-down list and then click Finish.
  12. Ensure the details in the Step Details field look like .
Figure : Export Run Profile added to the existing HR Database MA run profiles
  13. Click OK.
You had to select Full Import (Stage Only) for the confirming import step in this run profile because the HR Database hasn’t been configured to provide deltas.
for similarities in how a run profile is configured to export objects to AD
Using the HR Database MA Export Run Profile to Export the Telephone Number to the HR Database
The run profile is configured, but you need to actually move the data from ILM to the HR Database.
You need to execute the run profile (refer to (12) in , which shows the telephoneNumber data being exported to the HR Database):
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the HR Database MA.
  4. In the Actions pane on the far right side, click Run.
  5. In the Run Management Agent dialog, select Export and click OK.
  6. Notice the MA briefly says “Running” in the State column of the Management Agents pane.
  7. Notice that in the Synchronization Statistics pane in the bottom lefthand corner, statistics showing the number of updates are displayed. If you click the hyperlink, you can navigate the information that was written to the HR Database.
  8. Edit the Employees table in SQL:
    1. Open SQL Enterprise Manager.
    2. In the lefthand pane, drill down to Console Root\Microsoft SQL Servers\SQL Server\SQL Server Group\(local)(Windows NT)\Databases\HR\Tables.
      The same operation can be accomplished in SQL Server 2005 with SQL Server Management Studio by expanding Root Node\Databases\HR\Tables.
    3. Right-click the Employees table in the righthand pane, and select Open Table→Return all rows.
    4. Find the record of the user you added the telephoneNumber to in AD and ensure the [telephoneNumber] column has been updated.
Now is a good time to add the last two run profiles you created to the controlling script from the earlier recipe. Then we can make multiple changes to AD and the HR Database and watch the effects by simply running the script. We could even put a simple loop into the script so that it executes continuously and watch new users, deleted users, and telephoneNumber changes as they propagate around the systems.
See also the recipe on using a run profile to export objects to AD, for similarities in how a run profile is used for export.
End of content preview. The remaining content of this section cannot be viewed here.
Searching Data in the Connector Space
Content preview
You have started to use ILM, but things aren’t going according to plan. You want to see if the changes you made to either the HR Database or AD have made it into the associated connector space.
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, click the MA you wish to search.
  4. In the Actions pane on the far right side, click Search Connector Space.
  5. In the Search Connector Space dialog, click the Search button.
  6. You will notice records returned in the main search pane.
  7. If this is the HR Database MA, the DN of each record will be the Badge Number—the primary key in the database that ensures uniqueness in the recordset. If this is the ADMA, the DN will be the object’s DN in LDAP format (e.g., CN=Steve Plank,OU=oreilly,DC=rallencorp,DC=com).
  8. Record the RDN of a record from the step above. If it’s the HR Database MA, the RDN is the same as the DN. If it’s the ADMA, it’s the element that contains the least-significant object in the DN (e.g., CN=Steve Plank).
  9. Select RDN in the Scope drop-down list.
  10. Type the RDN you have recorded into the text box (e.g., CN=Steve Plank).
  11. Click Search.
  12. You will notice a single record returned, which matches the RDN you have recorded.
  13. If you double-click any of the returned records, you can examine the object in detail.
You will see in the Scope drop-down list that there are more entries than just Subtree and RDN. The error collections are useful when trying to debug records that give errors from a large connector space with many thousands of objects in it. We find it particularly useful to use the Pending Export scope to look at outbound changes whenever performing a change to a production system. The Pending Export scope allows you to filter additionally by selecting Add, Modify, or Delete to include in the result set. It’s very reassuring to verify that there are no delete operations pending when you make a new change.
End of content preview. The remaining content of this section cannot be viewed here.
Searching Data in the Metaverse
Content preview
You are troubleshooting and want to view a metaverse object.
You need to search the metaverse:
  1. Open Identity Manager.
  2. Click the Metaverse Search button on the toolbar.
  3. Click the Search button.
  4. Records from the metaverse are returned in the Search Results pane.
  5. Double-click a record in the Search Results pane.
  6. You can see which MA contributed data to this metaverse object. If you double-click the object that you added a telephoneNumber to in AD, you should see its attributes detailed in the pane below the Attributes tab.
  7. Click the Connectors tab.
  8. You can see which MAs this metaverse object is joined to.
The Connectors tab highlights the difference between projection and provisioning. You should see that the link between the metaverse object and the connector space entries was created because of projection rules for the HR Database MA and provisioning rules for the ADMA. That is because you configured the HR Database MA to project objects to the metaverse, and then you wrote a rules extension to provision objects from the metaverse to the AD connector space.
See also the recipe for searching data in the connector space, and the ILM 2007 help file section Microsoft Identity Lifecycle Manager 2007/Concepts/Using Microsoft Identity Lifecycle Manager 2007/Using Management Agents/Using Metaverse Search
End of content preview. The remaining content of this section cannot be viewed here.
Deleting Data in the Connector Space and Metaverse
Content preview
You want to clear out the connector space or the metaverse, perhaps so you can perform another complete run-through of all these recipes to consolidate learning.
  1. Open Identity Manager.
  2. Click the Metaverse Designer button on the toolbar.
  3. In the Actions pane on the far right side, click Configure Object Deletion Rule.
  4. Ensure the “Delete metaverse object when connector from this management agent is disconnected” radio button is selected.
  5. Select the HR Database MA from the drop-down list, then click OK.
  6. Click the Management Agents button on the toolbar.
  7. In the Management Agents pane, click the MA you wish to delete objects from—do the ADMA first.
  8. In the Actions pane on the far right side, click Delete.
    This is important: you risk deleting the whole MA if you do not perform the following step correctly.
  9. Ensure the "Delete connector space only" radio button is selected.
  10. When prompted whether you are sure you want to delete the connector space, click Yes.
  11. A message box appears with details of how many records were deleted. Click OK.
  12. Perform steps 7–11 again on the HR Database MA.
You configured the metaverse object deletion rule so that when objects from the HR Database MA were deleted, the related metaverse objects would also be deleted. That is why you deleted objects from the ADMA first. When you performed steps 7–11 the second time, the metaverse objects were also deleted. You can prove this by searching the metaverse in between delete operations.
There is no metaverse delete; ILM ensures that objects in the metaverse always have a join to at least one object in a connector space from at least one MA. The object deletion rule is the configuration that tells ILM what to do with metaverse objects when connector space objects get deleted.
For more control, you can specify that a rules extension should be used to make the decision for you.
It is impossible to end up in the situation where ILM has an object in the metaverse, but no corresponding object in any connector space.
End of content preview. The remaining content of this section cannot be viewed here.
Extending Object Types to Include a New Attribute
Content preview
You want to add a new attribute to an existing object type in the metaverse so you can hold data specific to your implementation.
  1. Open Identity Manager.
  2. Click the Metaverse Designer button on the toolbar.
  3. In the “Object type” pane, select the object type you wish to modify (e.g., Person).
  4. In the lower Actions pane, click the Add Attribute listing.
  5. In the Add Attribute To Object Type dialog box, click the “New attribute” button.
  6. In the New Attribute dialog box, fill in the following properties:
    1. Attribute name (the name of the attribute as you will see it in the metaverse attributes list)
    2. Attribute type (the type of attribute data you can store; it defaults to String (indexable))
      Choosing a nonindexed type will let you store a much larger value here, but it cannot be indexed and should never be used for purposes of a join.
    3. Multi-values (check this if you intend this attribute to be multivalued)
    4. Indexed (check this if you intend the value to be used during join operations)
  7. Click the OK button twice to accept the changes.
Once an attribute is created and attached to an object type, it can be linked to any other object type by following steps 1–4 and then checking off the attribute(s) that you wish to add.
End of content preview. The remaining content of this section cannot be viewed here.
Previewing Changes to the ILM Configuration
Content preview
You want to make changes to one or more flows and you would like to confirm the exact effect the change will have before you roll it out.
The solution involves the use of the Preview function, which is accessed as a property of an individual connector space object:
  1. Open Identity Manager.
  2. Locate the connector space object you would like to preview changes against by using the recipe for searching the connector space; you need to pick the connector in the MA that you would run the full or delta synchronization against.
  3. On the Connector Space Object Properties dialog, click the Preview button (see the first figure below).
  4. On the Preview dialog, under the "Select preview mode" section, select either Full Synchronization or Delta Synchronization by choosing the corresponding radio button, and then click the Generate Preview button (see the second figure below).
  5. In the contents pane, you can now browse each step and follow from Source Object Details all the way through provisioning to Export Attribute Flow on individual connectors.
Figure: Connector Space Object Properties dialog, Preview
Figure: Preview dialog, Select preview mode
Preview is one of the most useful aspects of the ILM product; it allows you to run what-if scenarios and ascertain the exact effect any configuration change will have on the state of all identities. Incidentally, the Preview function is actually a side effect of basing ILM on SQL Server. Under normal circumstances, any given run profile step is wrapped in a SQL transaction (one transaction for every connector space object in the MA of the run profile), and as each identity is converged across all connectors, that transaction is committed to the database. In the event of an exception, only that transaction is rolled back and the next identity is processed. Given this feature, the Preview ability simply rolls back the transaction for the given object. This means that ILM is not simply simulating what a run would look like; it is actually executing the process exactly as it would under normal circumstances, with the exception that the changes are not committed.
End of content preview. The remaining content of this section cannot be viewed here.
Committing Changes to Individual Identities Using Commit Preview
Content preview
You want to make changes to a rules extension or flow but you would like to confirm the exact effect the change will have before you roll it out. In addition, you want to commit the changes to only a handful of records that need the changes to go into effect right away and you can’t afford to run a full synchronization to get them.
  1. Open Identity Manager.
  2. Locate the connector space object you would like to preview changes against by using the recipe for searching the connector space; you need to pick the connector in the MA that you would run the full or delta synchronization against.
  3. On the Connector Space Object Properties dialog, click the Commit Preview button (see the Connector Space Object Properties figure in the preceding recipe).
  4. On the Preview dialog, under the Select preview mode section, select either Full Synchronization or Delta Synchronization by choosing the corresponding radio button, and then click the Commit Preview button.
  5. In the contents pane, you can now browse each step and follow from Source Object Details all the way through provisioning to Export Attribute Flow on individual connectors.
Commit Preview functions like the Preview button; however, it actually commits the transaction at the end for the given connector. This allows you to atomically apply new policies to specific connectors; you should only use this strategy when you absolutely cannot afford (from a time perspective) to run a full sync. Using Commit Preview during testing and certification is recommended when you want to follow a change across data sources.
See also the recipe for searching data in the connector space, the recipe for previewing changes to the ILM configuration, and the ILM 2007 help file section Microsoft Identity Lifecycle Manager 2007 Feature Pack 1/Concepts/Using Microsoft Identity Lifecycle Manager 2007/Using Management Agents/Using Metaverse Search
End of content preview. The remaining content of this section cannot be viewed here.
Passing Data Between Rules Extensions Using Transaction Properties
Content preview
You are tracking an event that occurs in an authoritative data source and want to pass a message or a data element to one of the other extensions.
  1. Open Visual Studio and open your rules extension project solution.
  2. You first need to set a transaction property, and while these properties can be set anywhere, you will most likely set them in ShouldProjectToMV, MapAttributesForJoin, ResolveJoinSearch, MapAttributesForImport, MapAttributesForExport, and Deprovision, or within the Provisioning rules extensions. The following example shows two ways of setting different types of Transaction Properties:
    ' String
    Dim strWF As String = "foobar"
    Utils.TransactionProperties.Add("WORKFLOW", strWF)

    ' Boolean
    Utils.TransactionProperties.Add("DELETE", True)
  3. Once you have one or more properties set, you can query for them elsewhere:
    If (Utils.TransactionProperties.Contains("DELETE") AndAlso _
        Utils.TransactionProperties("DELETE").Equals(True)) Then
        ' This allows for a typesafe way to query for the existence of a property
    End If

    If (Utils.TransactionProperties.Contains("WORKFLOW") AndAlso _
        Utils.TransactionProperties("WORKFLOW").ToString.Contains("foo")) Then
        ' This allows you to search the contents of a string property
        ' You can then do an assignment
        Dim strWFResponse As String = Utils.TransactionProperties("WORKFLOW").ToString
    End If

    If (Utils.TransactionProperties.Contains("WORKFLOW") AndAlso _
        Utils.TransactionProperties("WORKFLOW").Equals("foobar")) Then
        ' This allows you to do a simple comparison
    End If
A Transaction Property is only good for as long as the current ILM transaction is running. This makes it relevant only to the identity you are processing, and it is available across all extensions that are touched as part of the synchronization of that identity; when the next identity is loaded for processing, all Transaction Properties are cleared. Always test with Contains before reading a property, since a property set in one extension for one identity will not exist when a different identity reaches the same code.
See also the related rules-extension recipes.
End of content preview. The remaining content of this section cannot be viewed here.
Using a Single Rules Extension to Affect Multiple Attribute Flows
Content preview
You have several attributes that you would like to apply the same block of code to and you don’t want to duplicate the same block of code or call the same function from multiple case statements.
  1. Open Visual Studio and open your rules extension project solution.
  2. Add a code block like this (before your main select case FlowRuleName statement):
    If FlowRuleName.StartsWith("Trim:") Then
        ' Trim String
        '
        ' Reusable code to convert an attribute to its string format
        ' FlowRuleName will be passed as "Trim:srcAttribute,destAttribute"
        '
        Dim strAttributeName, strSrcAttribute, strDestAttribute, arrAttribs() As String

        ' Replace the beginning of the flowrulename with nothing
        strAttributeName = FlowRuleName.Replace("Trim:", "")
        arrAttribs = strAttributeName.Split(","c)   ' Splits the string on a comma
        strSrcAttribute = arrAttribs(0)             ' Assigns the first value
        strDestAttribute = arrAttribs(1)            ' Assigns the second value

        ' Now we can assign the value and trim any whitespace at the front and back.
        ' The flow rule is called even when the source attribute is absent, and
        ' reading .Value of an absent attribute throws, so check IsPresent first
        If csentry(strSrcAttribute).IsPresent Then
            mventry(strDestAttribute).Value = csentry(strSrcAttribute).Value.ToString.Trim
        End If

    ElseIf FlowRuleName.StartsWith("MyFunction:") Then
        ' Apply custom function
        '
        ' Reusable code to apply a custom function to an attribute
        ' FlowRuleName will be passed as "MyFunction:sourceAttribute,destinationAttribute"
        '
        Dim strAttributeName, strSrcAttribute, strDestAttribute, arrAttribs() As String

        ' Replace the beginning of the flowrulename with nothing
        strAttributeName = FlowRuleName.Replace("MyFunction:", "")
        arrAttribs = strAttributeName.Split(","c)   ' Splits the string on a comma
        strSrcAttribute = arrAttribs(0)             ' Assigns the first value
        strDestAttribute = arrAttribs(1)            ' Assigns the second value

        ' Now we can apply your custom function prior to the assignment
        If csentry(strSrcAttribute).IsPresent Then
            Dim strSrcAttributeValue As String
            strSrcAttributeValue = MySharedCodeLib.MyFunction(csentry(strSrcAttribute).Value)
            mventry(strDestAttribute).Value = strSrcAttributeValue
        End If

    Else
        ' Continue on as you normally do
        Select Case FlowRuleName
End of content preview. The remaining content of this section cannot be viewed here.
Flowing a Null Value to a Data Source
Content preview
You need to delete or “flow a null” to an attribute in another data source.
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the ADMA.
  4. In the Management Agent Designer pane on the lefthand side, select Configure Attribute Flow.
  5. Ensure “user” is selected in the data source object type drop-down list.
  6. Ensure “person” is selected in the metaverse object type drop-down list.
  7. In the Mapping Type section of the dialog, select Advanced.
  8. In the Flow Direction section of the dialog, select Export, and then check the box to Allow Nulls.
    If you don't check the box to Allow Nulls, the rule value will never be contributed.
  9. Select telephoneNumber from the data source attributes list.
  10. Select <object-id> from the Metaverse attributes list.
    Selecting <object-id> here ensures that the source value will always be present; otherwise the rule will not fire if the source value in the metaverse is null.
  11. Click New.
  12. In the Advanced Attribute Flow Options dialog, type "Delete:telephoneNumber".
  13. Open Visual Studio and open your rules extension project solution.
  14. If you are using the recipe for a single rules extension that affects multiple attribute flows, insert the following before the final Else; otherwise, only the final line is needed in a standard Case block:
    ElseIf FlowRuleName.StartsWith("Delete:") Then
        '
        ' Reusable code to delete the referenced attribute
        ' FlowRuleName will be passed as "Delete:Attribute"
        '
        Dim strAttributeName As String

        ' Replace the beginning of the flowrulename with nothing
        ' to find the attribute to be deleted
        strAttributeName = FlowRuleName.Replace("Delete:", "")

        ' This is where we delete the value in the connector space entry;
        ' ILM turns this into a delete of the attribute at the data source
        csentry(strAttributeName).Delete()
You never have to actually set a “null value” to contribute a delete to another data source. This is partially due to the fact that different systems handle null values differently and in order to contribute the proper value, the
End of content preview. The remaining content of this section cannot be viewed here.
Contributing a UTCCodedTime Attribute in Active Directory
Content preview
You need to contribute a date/time value to Active Directory and the attribute type in AD is UTC coded time syntax. You have likely extended the schema, or are working with a product that has extended the schema, and need to contribute this value.
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the ADMA.
  4. In the Management Agent Designer pane on the lefthand side, select Configure Attribute Flow.
  5. Ensure “user” is selected in the data source object type drop-down list.
  6. Ensure “person” is selected in the metaverse object type drop-down list.
  7. In the Mapping Type section of the dialog, select Advanced.
  8. In the Flow Direction section of the dialog, select Export.
  9. Select the UTC Coded Time attribute to contribute to from the data source attributes list.
  10. Select the string-formatted date attribute from the Metaverse attributes list.
  11. Click New.
  12. In the Advanced Attribute Flow Options dialog, type the name of your rules extension: “UTCCodedTime”.
  13. Open Visual Studio and open your rules extension project solution.
    Case "UTCCodedTime"
        ' Formatting strings for writing UTC Coded Time to Active Directory
        ' For use with AD attributes of the String(Generalized Time)/UTC Coded Time
        ' syntax (2.5.5.11)
        Dim strDate As String
        Dim strUTC As String

        ' data source records midnight local time
        strDate = mventry("StartDate").Value      ' Looks like "2007-08-28 00:00:00"

        ' ToUniversalTime converts from the local time zone of the server that
        ' runs this rules extension, not from the data source's time zone
        strUTC = System.DateTime.Parse(strDate).ToUniversalTime.ToString("yyyyMMddHHmmss.0Z")

        csentry("UTCAttribute").Value = strUTC
UTC coded time allows you to store a date/time value in the directory in universal time format, also known as Zulu time (GMT 0:00). Storing the date and time in this format allows the user interface to interpret the time relative to the time zone configured in the local operating system. Note that ToUniversalTime applies the time zone of the ILM server, so the stored value is only correct when the data source recorded its midnight in that same zone; a date recorded as midnight in another zone shifts by the offset and can land on the previous or next calendar day.
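The same conversion, as an added example that is not code from the book, written in Python so it can be run outside ILM. It makes the time zone an explicit argument instead of inheriting the server's zone, which is what the caveat above is about, and it decodes the stored string back so the effect on the displayed date can be checked. The sample StartDate value and the fixed UTC-4 offset standing in for Eastern Daylight Time are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets stand in for the server's local zone in this example (no tzdata
# needed); "EDT" is the UTC-4 offset in force on the sample date 2007-08-28.
UTC = timezone.utc
EDT = timezone(timedelta(hours=-4))

# The form the recipe writes with ToString("yyyyMMddHHmmss.0Z"): Generalized-Time,
# AD attribute syntax 2.5.5.11, always expressed in UTC ("Zulu").
GENERALIZED_TIME_FORMAT = "%Y%m%d%H%M%S.0Z"


def to_generalized_time(local_value: str, local_tz: timezone) -> str:
    """Encode a naive 'YYYY-MM-DD HH:MM:SS' string recorded in local_tz as the
    UTC Generalized-Time string AD expects. The .NET recipe's ToUniversalTime
    does the same conversion, but silently using the ILM server's zone."""
    naive = datetime.strptime(local_value, "%Y-%m-%d %H:%M:%S")
    as_utc = naive.replace(tzinfo=local_tz).astimezone(UTC)
    return as_utc.strftime(GENERALIZED_TIME_FORMAT)


def from_generalized_time(value: str) -> str:
    """Decode the stored string back to an ISO 8601 UTC timestamp. Accepts both
    the '.0Z' form written above and the plain 'Z' form AD also returns."""
    if not value.endswith("Z"):
        raise ValueError("only UTC (Z-suffixed) Generalized-Time is handled here")
    body = value[:-1].split(".", 1)[0]            # drop the fraction and the Z
    parsed = datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=UTC)
    return parsed.isoformat()


def local_date_of(value: str, local_tz: timezone) -> str:
    """What a client in local_tz displays for the stored UTC value. The date
    part can differ from the date that was recorded, which is the shift the
    discussion above warns about."""
    stored = datetime.fromisoformat(from_generalized_time(value))
    return stored.astimezone(local_tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    sample = "2007-08-28 00:00:00"                 # constructed StartDate value
    for label, tz in (("UTC", UTC), ("EDT", EDT)):
        stored = to_generalized_time(sample, tz)
        print(f"{sample} recorded in {label} -> {stored} "
              f"-> shown to an EDT client as {local_date_of(stored, EDT)}")
```

Running the block shows the two outcomes side by side: midnight recorded in EDT becomes 20070828040000.0Z and displays as 2007-08-28 00:00 again for an EDT client, while the same string converted as if it were already UTC becomes 20070828000000.0Z and displays as the evening of 2007-08-27.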
End of content preview. The remaining content of this section cannot be viewed here.
Importing and Decoding the accountExpires Attribute
Content preview
You want to import the accountExpires attribute into the metaverse as a string formatted date/time value. This could be any of the Large Integer/Interval syntax attributes, such as accountExpires, badPasswordTime, lastLogoff, lastLogon, lastLogonTimestamp, lockoutTime, or pwdLastSet.
  1. Open Identity Manager.
  2. See the recipe on extending object types to include a new attribute if you need to add a new metaverse attribute first.
  3. Click the Management Agents button on the toolbar.
  4. In the Management Agents pane, double-click the ADMA.
  5. In the Management Agent Designer pane on the lefthand side, select Configure Attribute Flow.
  6. Ensure “user” is selected in the data source object type drop-down list.
  7. Ensure “person” is selected in the metaverse object type drop-down list.
  8. In the Mapping Type section of the dialog, select Advanced.
  9. In the Flow Direction section of the dialog, select Import.
  10. Select accountExpires from the data source attributes list.
  11. Select the attribute created in step 2 or an existing String attribute from the Metaverse attributes list (e.g., AccountExpirationDate).
  12. Click New.
  13. In the Advanced Attribute Flow Options dialog, type "ConvertFileTime:accountExpires,AccountExpirationDate".
  14. Open Visual Studio and open your rules extension project solution.
  15. If you are using the recipe for a single rules extension that affects multiple attribute flows, insert the following before the final Else; otherwise, only the final lines are needed in a standard Case block:
    ElseIf FlowRuleName.StartsWith("ConvertFileTime:") Then
        '
        ' Reusable code to convert a Large Integer/Interval (FILETIME) value
        ' into a string-formatted date
        ' FlowRuleName will be passed as
        ' "ConvertFileTime:sourceAttribute,destinationAttribute"
        '
        Dim strAttributeName, strSourceAttribute, strDestinationAttribute, arrAttribs() As String

        ' Replace the beginning of the flowrulename with nothing to find the
        ' source and destination attributes
        strAttributeName = FlowRuleName.Replace("ConvertFileTime:", "")
        arrAttribs = strAttributeName.Split(","c)
        strSourceAttribute = arrAttribs(0)
        strDestinationAttribute = arrAttribs(1)

        ' NOTE: accountExpires is 9223372036854775807 (0x7FFFFFFFFFFFFFFF) if it
        ' was never set, or 0 if it was set and then later cleared
        Const AD_ACCOUNT_NO_EXPIRATION As Long = 9223372036854775807

        ' The rule is called even when the source attribute is absent, and
        ' reading an absent attribute throws, so check IsPresent first
        If csentry(strSourceAttribute).IsPresent Then
            ' Read the Large Integer as a number; DateTime.Parse cannot parse it
            Dim lngFileTime As Long = csentry(strSourceAttribute).IntegerValue

            If (strSourceAttribute = "accountExpires") Then
                If (lngFileTime = 0 OrElse lngFileTime = AD_ACCOUNT_NO_EXPIRATION) Then
                    ' The value was cleared or never set
                    mventry(strDestinationAttribute).Value = "Never"
                Else
                    ' The value has been set. FILETIME counts 100-nanosecond
                    ' intervals since 1601-01-01 UTC, so decode it as UTC
                    Dim dtFileTime As DateTime = DateTime.FromFileTimeUtc(lngFileTime)
                    mventry(strDestinationAttribute).Value = Format(dtFileTime, "yyyy-MM-dd")
                End If
            Else
                ' We are not dealing with the accountExpires attribute, just decode it
                ' (0 decodes to 1601-01-01, which for lastLogon and friends means "never")
                Dim dtFileTime As DateTime = DateTime.FromFileTimeUtc(lngFileTime)
                mventry(strDestinationAttribute).Value = Format(dtFileTime, "yyyy-MM-dd")
            End If
        End If
End of content preview. The remaining content of this section cannot be viewed here.
Exporting and Encoding the accountExpires Attribute
Content preview
You want to export to the accountExpires attribute from a string-formatted date/time value in the metaverse. The same encoding applies to the other Large Integer/Interval syntax attributes, such as badPasswordTime, lastLogoff, lastLogon, lastLogonTimestamp, lockoutTime, and pwdLastSet, but of these only accountExpires accepts an arbitrary date on export: pwdLastSet accepts only 0 (must change password at next logon) or -1 (set to now), lockoutTime is normally written only as 0 to unlock an account, and the logon and bad-password timestamps are maintained by the domain controllers and cannot be written.
  1. Open Identity Manager.
  2. Click the Management Agents button on the toolbar.
  3. In the Management Agents pane, double-click the ADMA.
  4. In the Management Agent Designer pane on the lefthand side, select Configure Attribute Flow.
  5. Ensure “user” is selected in the data source object type drop-down list.
  6. Ensure “person” is selected in the metaverse object type drop-down list.
  7. In the Mapping Type section of the dialog, select Advanced.
  8. In the Flow Direction section of the dialog, select Export, and check the box to Allow Nulls so that the rule is still called when the metaverse attribute is empty (the rules extension then clears the expiration).
  9. Select accountExpires from the data source attributes list.
  10. Select an existing String attribute from the Metaverse attributes list (e.g., AccountExpirationDate).
  11. Click New.
  12. In the Advanced Attribute Flow Options dialog, type “ConvertFileTime:accountExpires,AccountExpirationDate”.
  13. Open Visual Studio and open your rules extension project solution.
  14. If you are using the recipe for a single rules extension that affects multiple attribute flows, insert the following before the final Else; otherwise, only the final lines are needed in a standard Case block:
    ElseIf FlowRuleName.StartsWith("ConvertFileTime:") Then
        '
        ' Reusable code to encode a string-formatted date as a Large
        ' Integer/Interval (FILETIME) value
        ' FlowRuleName will be passed as
        ' "ConvertFileTime:sourceAttribute,destinationAttribute"
        '
        Dim strAttributeName, strSourceAttribute, strDestinationAttribute, arrAttribs() As String

        ' Replace the beginning of the flowrulename with nothing to find the
        ' source and destination attributes
        strAttributeName = FlowRuleName.Replace("ConvertFileTime:", "")
        arrAttribs = strAttributeName.Split(","c)
        strSourceAttribute = arrAttribs(0)
        strDestinationAttribute = arrAttribs(1)

        ' NOTE: accountExpires is 9223372036854775807 (0x7FFFFFFFFFFFFFFF) if it
        ' was never set, or 0 if it was set and then later cleared; writing 0
        ' removes the expiration
        Const AD_ACCOUNT_NO_EXPIRATION As Long = 9223372036854775807

        If (strDestinationAttribute = "accountExpires") Then
            If (mventry(strSourceAttribute).IsPresent = False OrElse _
                mventry(strSourceAttribute).Value = "Never") Then
                ' The value in the metaverse is empty (or "Never", as written by
                ' the import recipe), so remove the account expiration
                csentry(strDestinationAttribute).IntegerValue = 0
            Else
                ' We should have a date value present to enforce. DateTime.Parse
                ' returns a value of unspecified kind, which ToFileTimeUtc treats
                ' as local time on the ILM server
                Dim dtFileTime As DateTime = DateTime.Parse(mventry(strSourceAttribute).Value)
                csentry(strDestinationAttribute).IntegerValue = dtFileTime.ToFileTimeUtc()
            End If
        ElseIf mventry(strSourceAttribute).IsPresent Then
            ' We are not dealing with the accountExpires attribute, just encode it
            Dim dtFileTime As DateTime = DateTime.Parse(mventry(strSourceAttribute).Value)
            csentry(strDestinationAttribute).IntegerValue = dtFileTime.ToFileTimeUtc()
        End If
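The decoding and encoding performed by this recipe and by the preceding import recipe, as an added example that is not code from the book, written in Python so it runs without ILM. It shows the FILETIME arithmetic that FromFileTimeUtc and ToFileTimeUtc hide (100-nanosecond ticks since 1601-01-01 UTC), treats the two accountExpires sentinels explicitly in both directions, takes the date as midnight UTC instead of the server's local zone, and refuses to encode a value for the timestamp attributes that AD will not let you set. The sample FILETIME values are constructed for the example; the set of attributes accepting an arbitrary time on export is the caveat stated above.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC. AD's
# Large Integer/Interval attributes (accountExpires, pwdLastSet, lastLogon, ...)
# store this number, which is why DateTime.Parse cannot read them directly.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10

# Both values mean "no expiration" for accountExpires
AD_ACCOUNT_NEVER_SET = 0x7FFFFFFFFFFFFFFF      # 9223372036854775807
AD_ACCOUNT_CLEARED = 0

# Attributes that AD lets a caller set to an arbitrary time on export; the
# logon and bad-password timestamps are maintained by the domain controller.
ARBITRARY_TIME_WRITABLE = frozenset({"accountExpires"})


def is_writable_on_export(attribute: str) -> bool:
    return attribute in ARBITRARY_TIME_WRITABLE


def filetime_to_date(value, attribute: str = "accountExpires") -> str:
    """Decode a FILETIME (int, or its decimal string as the ADMA delivers it)
    to 'YYYY-MM-DD'. Mirrors the import recipe: the accountExpires sentinels
    become 'Never'; any other attribute decodes as-is, so 0 becomes 1601-01-01."""
    ticks = int(value)
    if attribute == "accountExpires" and ticks in (AD_ACCOUNT_CLEARED, AD_ACCOUNT_NEVER_SET):
        return "Never"
    if ticks < 0 or ticks >= AD_ACCOUNT_NEVER_SET:
        raise ValueError(f"{attribute}: {ticks} is not a decodable FILETIME")
    when = FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)
    return when.strftime("%Y-%m-%d")


def date_to_filetime(value, attribute: str = "accountExpires") -> int:
    """Encode 'YYYY-MM-DD' (taken as midnight UTC, unlike the recipe's
    ToFileTimeUtc, which assumes the ILM server's local zone) to a FILETIME.
    An empty or 'Never' value becomes 0, which clears the expiration."""
    if not is_writable_on_export(attribute):
        raise ValueError(f"{attribute} cannot be set to an arbitrary time")
    if value is None or value.strip() in ("", "Never"):
        return AD_ACCOUNT_CLEARED
    when = datetime.strptime(value.strip(), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    micros = (when - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * TICKS_PER_MICROSECOND


if __name__ == "__main__":
    # Constructed sample values, as the ADMA would present them in csentry
    for raw in ("128752416000000000", "0", "9223372036854775807"):
        print(f"accountExpires={raw} -> {filetime_to_date(raw)}")
    print(f"lastLogon=0 -> {filetime_to_date(0, 'lastLogon')}")
    print(f"2009-01-01 -> accountExpires={date_to_filetime('2009-01-01')}")
```

The round trip is exact for whole days: 2009-01-01 encodes to 128752416000000000 and decodes back to the same date, while 0 and 0x7FFFFFFFFFFFFFFF both decode to Never for accountExpires but 0 decodes to 1601-01-01 for lastLogon, where it simply means the account has never logged on.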
End of content preview. The remaining content of this section cannot be viewed here.