Windows Server 2008 Active Directory Resource Kit


Summary

Get the definitive, in-depth resource for designing, deploying, and maintaining Windows Server 2008 Active Directory in an enterprise environment. Written by experts on directory services and the Active Directory team at Microsoft, this technical resource is packed with concrete, real-world design and implementation guidance. You’ll get in-depth guidance on installation, Active Directory components, replication, security, administration, and more. You also get answers to common questions from network architects, engineers, and administrators about Windows Server 2008 Active Directory, plus scripts, utilities, job aids, and a fully searchable eBook on CD. For customers who purchase an ebook version of this title, instructions for downloading the CD files can be found in the ebook.


  • Authors : Stan Reimer, Conan Kezema, Mike Mulcare, and Byron Wright
  • Publisher : Microsoft Press
  • Genre : Computers
  • Total Pages : 864 pages
  • ISBN : 0735646392
  • Release Date : 05 March 2008
  • Language : English


PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright 2008 by Stan Reimer and Mike Mulcare

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2008920569

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 3 2 1 0 9 8

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to [email protected].

Microsoft, Microsoft Press, Active Directory, ActiveX, Excel, Internet Explorer, JScript, MS-DOS, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Visual Basic, Windows, Windows Live, Windows Media, Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Server System, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the authors' views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Martin DelRe
Developmental Editor: Karen Szall
Project Editor: Maureen Zimmerman
Editorial Production: Custom Editorial Productions, Inc.
Technical Reviewer: Bob Dean; technical review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design

Body Part No. X14-14924

To the three wonderful women in my life: Rhonda, Angela, and Amanda. Your love and encouragement keep me going.

Stan Reimer

I dedicate this book to the love of my life, Rhonda, and our precious sons, Brennan and Liam. Thank you for your continuous support and for being the reason that I do what I do. I also dedicate this book to the rest of my family, who are still trying to figure out what I actually do for a living.

Conan Kezema

To my family: Nancy, James, Sean, and Patrick. Thanks always for your encouragement and support.

Mike Mulcare

Tracey, Samantha, and Michelle, you are the reason I keep it going. Darrin, thanks for holding down the fort.

Byron Wright

Contents at a Glance

Part I Windows Server 2008 Active Directory Overview
  1 What's New in Active Directory for Windows Server 2008
  2 Active Directory Domain Services Components
  3 Active Directory Domain Services and Domain Name System
  4 Active Directory Domain Services Replication

Part II Designing and Implementing Windows Server 2008 Active Directory
  5 Designing the Active Directory Domain Services Structure
  6 Installing Active Directory Domain Services
  7 Migrating to Active Directory Domain Services

Part III Administering Windows Server 2008 Active Directory
  8 Active Directory Domain Services Security
  9 Delegating the Administration of Active Directory Domain Services
  10 Managing Active Directory Objects
  11 Introduction to Group Policy
  12 Using Group Policy to Manage User Desktops
  13 Using Group Policy to Manage Security

Part IV Maintaining Windows Server 2008 Active Directory
  14 Monitoring and Maintaining Active Directory
  15 Active Directory Disaster Recovery

Part V Identity and Access Management with Active Directory
  16 Active Directory Lightweight Directory Services
  17 Active Directory Certificate Services
  18 Active Directory Rights Management Services
  19 Active Directory Federation Services

Table of Contents

Acknowledgments

Introduction
  Overview of Book
    Part I Windows Server 2008 Active Directory Overview
    Part II Designing and Implementing Windows Server 2008 Active Directory
    Part III Administering Windows Server 2008 Active Directory
    Part IV Maintaining Windows Server 2008 Active Directory
    Part V Identity and Access Management with Active Directory
  Document Conventions
    Reader Aids
    Sidebars
    Command-Line Examples
  Companion CD
    Management Scripts
    Using the Scripts
  Find Additional Content Online
  Resource Kit Support Policy

Part I Windows Server 2008 Active Directory Overview

1 What's New in Active Directory for Windows Server 2008
  What's New in Active Directory Domain Services
    Read-Only Domain Controllers (RODC)
    Active Directory Domain Services Auditing
    Fine-Grained Password Policies
    Restartable Active Directory Domain Services
    Database Mounting Tool
    User Interface Improvements
  Additional Active Directory Service Roles
    Active Directory Certificate Services Role
    Active Directory Federation Services Role
    Active Directory Lightweight Directory Services Role
    Active Directory Rights Management Services Role
  Summary

2 Active Directory Domain Services Components
  AD DS Physical Structure
    The Directory Data Store
    Domain Controllers
    Global Catalog Servers
    Read-Only Domain Controllers
    Operations Masters
    Transferring Operations Master Roles
    The Schema
  AD DS Logical Structure
    AD DS Partitions
    Domains
    Forests
    Trusts
    Sites
    Organizational Units
  Summary
  Additional Resources
    Related Tools
    Resources on the CD
    Related Help Topics

3 Active Directory Domain Services and Domain Name System
  Integration of DNS and AD DS
    Service Location (SRV) Resource Records
    SRV Records Registered by AD DS Domain Controllers
    DNS Locator Service
    Automatic Site Coverage
  AD DS Integrated Zones
    Benefits of Using AD DS Integrated Zones
    Default Application Partitions for DNS
    Managing AD DS Integrated Zones
  Integrating DNS Namespaces and AD DS Domains
    DNS Delegation
    Forwarders and Root Hints
  Troubleshooting DNS and AD DS Integration
    Troubleshooting DNS
    Troubleshooting SRV Record Registration
  Summary
  Best Practices
  Additional Resources
    Related Information
    Related Tools
    Resources on the CD
    Related Help Topics

4 Active Directory Domain Services Replication
  AD DS Replication Model
    Replication Process
    Update Types
    Replicating Changes
  Replicating the SYSVOL Directory
  Intrasite and Intersite Replication
    Intrasite Replication
    Intersite Replication
    Replication Latency
    Urgent Replication
  Replication Topology Generation
    Knowledge Consistency Checker
    Connection Objects
    Intrasite Replication Topology
    Global Catalog Replication
    Intersite Replication Topology
    RODCs and the Replication Topology
  Configuring Intersite Replication
    Creating Additional Sites
    Site Links
    Site Link Bridges
    Replication Transport Protocols
    Configuring Bridgehead Servers
  Troubleshooting Replication
    Process for Troubleshooting AD DS Replication Failures
    Tools for Troubleshooting AD DS Replication
  Summary
  Best Practices
  Additional Resources
    Related Information
    Related Tools
    Resources on the CD
    Related Help Topics

Part II Designing and Implementing Windows Server 2008 Active Directory

5 Designing the Active Directory Domain Services Structure
  Defining Directory Service Requirements
    Defining Business and Technical Requirements
    Documenting the Current Environment
  Designing the Forest Structure
    Forests and AD DS Design
    Single or Multiple Forests
    Designing Forests for AD DS Security
    Forest Design Models
    Defining Forest Ownership
    Forest Change Control Policies
  Designing the Integration of Multiple Forests
    Designing Inter-Forest Trusts
    Designing Directory Integration Between Forests
  Designing the Domain Structure
    Determining the Number of Domains
    Designing the Forest Root Domain
    Designing Domain Hierarchies
    Domain Trees and Trusts
    Changing the Domain Hierarchy After Deployment
    Defining Domain Ownership
    . . . . . . . . . . . . . . . . . . . . . 180

    Designing Domain and Forest Functional Levels . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 181

    Features Enabled at Domain Functional Levels . . . . . . . . . .
    . . . . . . . . . . . . . . 181

    Features Enabled at Forest Functional Levels . . . . . . . . . .
    . . . . . . . . . . . . . . . . 183Implementing a Domain and Forest
    Functional Level . . . . . . . . . . . . . . . . . . . 183

  • Table of Contents xiDesigning the DNS Infrastructure . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . 184

    Namespace Design. . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 184

    Designing the Organizational Unit Structure . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 192

    Organizational Units and AD DS Design . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . 192

    Designing an OU Structure . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 193

    Creating an OU Design . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 195

    Designing the Site Topology. . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

    Sites and AD DS Design. . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 198

    Creating a Site Design . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 198

    Creating a Replication Design . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 202

    Designing Server Locations . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 206

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 214

    Best Practices. . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 214

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    215

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 215

    Resources on the CD . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 216

    6 Installing Active Directory Domain Services . . . . . . . . .
    . . . . . . . . . . . . 217Prerequisites for Installing AD DS . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . 217

    Hard Disk Space Requirements . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 218

    Network Connectivity . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 219

    DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    220

    Administrative Permissions . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 220

    Operating System Compatibility . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 221

    Understanding AD DS Installation Options . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 222

    Installation Configuration Tasks and the Add Roles Wizard . . .
    . . . . . . . . . . . 222

    Server Manager . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 223

    Active Directory Domain Services Installation . . . . . . . . .
    . . . . . . . . . . . . . . . . . 224

    Unattended Installation. . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 225

    Using the Active Directory Domain Services Installation Wizard .
    . . . . . . . . . . . . . . . 225

    Deployment Configuration. . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 226

    Naming the Domain . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 227

    Setting the Windows Server 2008 Functional Levels . . . . . . .
    . . . . . . . . . . . . . 228

    Additional Domain Controller Options. . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 232

    File Locations . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

    Completing the Installation . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 234

    Verifying Installation of AD DS. . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 235

  • xii Table of Contents

    Performing an Unattended Installation . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 236

    Installing from Media . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 237

    Deploying Read-Only Domain Controllers . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 238

    Server Core Installation Window Server 2008. . . . . . . . . . .
    . . . . . . . . . . . . . . . 239

    Deploying the RODC. . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 239

    Removing AD DS . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    240

    Removing Additional Domain Controllers. . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . 241

    Removing the Last Domain Controller . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 242

    Unattended Removal of AD DS . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 243

    Forced Removal of a Windows Server 2008 Domain Controller . . .
    . . . . . . . 243

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 244

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    244

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 244

    Related Tools. . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

    7 Migrating to Active Directory Domain Services . . . . . . . .
    . . . . . . . . . . 247Migration Paths . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . 248

    The Domain Upgrade Migration Path . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . 249

    Domain Restructuring . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 250

    Determining Your Migration Path . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 252

    Upgrading the Domain. . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

    Upgrading from Windows 2000 Server and Windows Server 2003 . . .
    . . . . 255

    Restructuring the Domain . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

    Interforest Migration. . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 258

    Intraforest Migration . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    265

    Configuring Interforest Trusts . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 268

    Best Practices . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    269

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    269

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 269

    Related Tools. . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

    Part III Administering Windows Server 2008 Active Directory

    8 Active Directory Domain Services Security . . . . . . . . . .
    . . . . . . . . . . . . 273AD DS Security Basics . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . 274

    Security Principals . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

    Access Control Lists . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 275

  • Table of Contents xiiiAccess Tokens . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . 278

    Authentication . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

    Authorization . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

    Kerberos Security . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    280

    Introduction to Kerberos. . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 281

    Kerberos Authentication . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 283

    Delegation of Authentication. . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 291

    Configuring Kerberos in Windows Server 2008 . . . . . . . . . .
    . . . . . . . . . . . . . . 293

    Integration with Public Key Infrastructure . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 294

    Integration with Smart Cards . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 297

    Interoperability with Other Kerberos Systems . . . . . . . . . .
    . . . . . . . . . . . . . . . . 298

    Troubleshooting Kerberos. . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 299

    NTLM Authentication . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

    Implementing Security for Domain Controllers. . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 305

    Decrease the Domain Controller Attack Surface. . . . . . . . . .
    . . . . . . . . . . . . . . 306

    Configuring the Default Domain Controllers Policy . . . . . . .
    . . . . . . . . . . . . . . 308

    Configuring SYSKEY . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 317

    Designing Secure Administrative Practices. . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 318

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 321

    Best Practices. . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 321

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    321

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 321

    Related Tools . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

    Resources on the CD . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 323

    Related Help Topics . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 323

    9 Delegating the Administration of Active Directory Domain
    Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . 325

    Active Directory Administration Tasks. . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 326

    Accessing Active Directory Objects . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 327

    Evaluating Deny and Allow ACEs in a DACL . . . . . . . . . . . .
    . . . . . . . . . . . . . . . 329

    Active Directory Object Permissions . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 329

    Standard Permissions . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 330

    Special Permissions . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 331

    Permissions Inheritance. . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 336

    Effective Permissions . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 340

    Ownership of Active Directory Objects. . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 343

  • xiv Table of Contents

    Delegating Administrative Tasks . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

    Auditing the Use of Administrative Permissions . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 348

    Configuring the Audit Policy for the Domain Controllers. . . . .
    . . . . . . . . . . . 348

    Configuring Auditing on Active Directory Objects . . . . . . . .
    . . . . . . . . . . . . . 351

    Tools for Delegated Administration . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 352

    Customizing the Microsoft Management Console. . . . . . . . . .
    . . . . . . . . . . . . 353

    Planning for the Delegation of Administration. . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 354

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 355

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    356

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 356

    10 Managing Active Directory Objects . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . 357Managing Users . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . 357

    User Objects . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

    inetOrgPerson Objects . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 363

    Contact Objects . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

    Service Accounts . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 365

    Managing Groups . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    366

    Group Types . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

    Group Scope. . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

    Default Groups in Active Directory . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 371

    Special Identities . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

    Creating a Security Group Design. . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 374

    Managing Computers . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

    Managing Printer Objects . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379

    Publishing Printers in Active Directory. . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . 380

    Printer Location Tracking . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 383

    Managing Published Shared Folders . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 384

    Automating Active Directory Object Management . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 386

    Command-Line Tools for Active Directory Management . . . . . . .
    . . . . . . . . . 386

    Using LDIFDE and CSVDE. . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 387

    Using VBScript to Manage Active Directory Objects . . . . . . .
    . . . . . . . . . . . . . 389

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 395

    Best Practices . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    395

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    396

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 396

    Related Tools. . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

    Resources on the CD . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 397

  • Table of Contents xv

    11 Introduction to Group Policy . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 399Group Policy Overview . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . 400

    How Group Policy Works . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 401

    Whats New in Windows Server 2008 Group Policy? . . . . . . . . .
    . . . . . . . . . . . 404

    Group Policy Components . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

    Overview of the Group Policy Container . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . 405

    Components of the Group Policy Template . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . 407

    Replication of the Group Policy Object Components. . . . . . . .
    . . . . . . . . . . . . 409

    Group Policy Processing . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

    How Clients Process GPOs . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . 410

    Initial GPO Processing . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 413

    Background GPO Refreshes . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 415

    How GPO History Relates to Group Policy Refresh . . . . . . . .
    . . . . . . . . . . . . . . 416

    Exceptions to Default Background Processing Interval Times. . .
    . . . . . . . . . . 418

    Implementing Group Policy . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

    GPMC Overview . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 424

    Using the GPMC to Create and Link GPOs. . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . 426

    Modifying the Scope of GPO Processing . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . 427

    Delegating the Administration of GPOs . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 436

    Implementing Group Policy Between Domains and Forests . . . . .
    . . . . . . . . . 438

    Managing Group Policy Objects . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 439

    Backing Up and Restoring GPOs . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 439

    Copying Group Policy Objects . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 441

    Importing Group Policy Object Settings. . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 441

    Modeling and Reporting Group Policy Results . . . . . . . . . .
    . . . . . . . . . . . . . . . 442

    Scripting Group Policy Management . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 447

    Planning a Group Policy Implementation. . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 450

    Troubleshooting Group Policy . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 453

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    453

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 453

    12 Using Group Policy to Manage User Desktops . . . . . . . . .
    . . . . . . . . . . 455Desktop Management Using Group Policy . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    456

    Managing User Data and Profile Settings. . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 459

    Managing User Profiles . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 459

    Using Group Policy to Manage Roaming User Profiles . . . . . . .
    . . . . . . . . . . . 466

    Folder Redirection . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 469

  • xvi Table of Contents

    Administrative Templates . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    477Understanding Administrative Template Files. . . . . . . . . . .
    . . . . . . . . . . . . . . . 478

    Managing Domain-based Template Files . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . 481

    Best Practices for Managing ADMX Template Files . . . . . . . .
    . . . . . . . . . . . . . 482

    Using Scripts to Manage the User Environment . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 484

    Deploying Software Using Group Policy . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 485

    Windows Installer Technology . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 486

    Deploying Applications . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 486

    Using Group Policy to Distribute NonWindows Installer
    Applications . . . . 490

    Configuring Software Package Properties . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . 491

    Using Group Policy to Configure Windows Installer . . . . . . .
    . . . . . . . . . . . . . 498

    Planning for Group Policy Software Installation . . . . . . . .
    . . . . . . . . . . . . . . . . 500

    Limitations to Using Group Policy to Manage Software . . . . . .
    . . . . . . . . . . . 501

    Overview of Group Policy Preferences . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . 503

    Group Policy Preferences vs. Policy Settings . . . . . . . . . .
    . . . . . . . . . . . . . . . . . 503

    Group Policy Preferences Settings . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . 504

    Group Policy Preferences Options . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . 507

    Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . 510

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    510

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . 510

    On the Companion CD . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 511

    13 Using Group Policy to Manage Security. . . . . . . . . . . .
    . . . . . . . . . . . . . 513Configuring Domain Security with Group
    Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    513

    Overview of the Default Domain Policy . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 514

    Overview of the Default Domain Controllers Policy . . . . . . .
    . . . . . . . . . . . . . 519

    Recreating the Default GPOs for a Domain. . . . . . . . . . . .
    . . . . . . . . . . . . . . . . 526

    Fine-Grained Password Policies . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 527

    Hardening Server Security Using Group Policy . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 532

    Software Restriction Policies. . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . 535

    Configuring Network Security Using Group Policy . . . . . . . .
    . . . . . . . . . . . . . . . . . . . 537

    Configuring Wired Network Security . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 538

    Configuring Wireless Network Security . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . 541

    Configuring Windows Firewall and IPsec Security . . . . . . . .
    . . . . . . . . . . . . . . 541

    Configuring Security Settings Using Security Templates . . . . .
    . . . . . . . . . . . . . . . . . . 543

    Deploying Security Templates . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 545

  • Table of Contents xviiSummary . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . 547

    Additional Resources . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    548

    Related Information . . . . . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . 548

    Part IV Maintaining Windows Server 2008 Active Directory14
    Monitoring and Maintaining Active Directory . . . . . . . . . . . .
    . . . . . . . 551

    Monitoring Active Directory . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

    Why Monitor Active Directory . . . . . . . . . . . . . . . . . .
    . . . . . . . . . . . . . . . . . . . . . 553

    Monitoring Server Reliability and Performance . . . 554
    How to Monitor Active Directory . . . 561
    What to Monitor . . . 571
    Monitoring Replication . . . 572
    Active Directory Database Maintenance . . . 575
    Garbage Collection . . . 575
    Online Defragmentation . . . 576
    Offline Defragmentation of the Active Directory Database . . . 577
    Managing the Active Directory Database Using Ntdsutil . . . 578
    Summary . . . 580
    Additional Resources . . . 581
    Related Information . . . 581

    15 Active Directory Disaster Recovery . . . 583
    Planning for a Disaster . . . 584
    Active Directory Data Storage . . . 585
    Backing Up Active Directory . . . 587
    The Need for Backups . . . 589
    Tombstone Lifetime . . . 589
    Backup Frequency . . . 591
    Restoring Active Directory . . . 591
    Restoring Active Directory by Creating a New Domain Controller . . . 592
    Performing a Nonauthoritative Restore of Active Directory . . . 595
    Performing an Authoritative Restore of Active Directory . . . 599
    Restoring Group Memberships . . . 601
    Reanimating Tombstone Objects . . . 605
    Using the Active Directory Database Mounting Tool . . . 607
    Restoring SYSVOL Information . . . 610
    Restoring Operations Masters and Global Catalog Servers . . . 610
    Summary . . . 614
    Best Practices . . . 614
    Additional Resources . . . 615
    Related Information . . . 615
    Related Tools . . . 615

    Part V Identity and Access Management with Active Directory

    16 Active Directory Lightweight Directory Services . . . 619
    AD LDS Overview . . . 620
    AD LDS Features . . . 620
    AD LDS Deployment Scenarios . . . 620
    AD LDS Architecture and Components . . . 622
    AD LDS Servers . . . 622
    AD LDS Instances . . . 623
    Directory Partitions . . . 624
    AD LDS Replication . . . 629
    AD LDS Security . . . 633
    Implementing AD LDS . . . 640
    Configuring Instances and Application Partitions . . . 640
    AD LDS Management Tools . . . 643
    Configuring Replication . . . 648
    Backing Up and Restoring AD LDS . . . 651
    Configuring AD DS and AD LDS Synchronization . . . 654
    Summary . . . 657
    Best Practices . . . 657
    Additional Resources . . . 658
    Related Tools . . . 658
    Resources on the CD . . . 659
    Related Help Topics . . . 659

    17 Active Directory Certificate Services . . . 661
    Active Directory Certificate Services Overview . . . 661
    Public Key Infrastructure Components . . . 662
    Certification Authorities . . . 667
    Certificate Services Deployment Scenarios . . . 670
    Implementing AD CS . . . 670
    Installing AD CS Root Certification Authorities . . . 671
    Installing AD CS Subordinate Certification Authorities . . . 673
    Configuring Web Enrollment . . . 673
    Configuring Certificate Revocation . . . 674
    Managing Key Archival and Recovery . . . 681
    Managing Certificates in AD CS . . . 685
    Configuring Certificate Templates . . . 685
    Configuring Certificate Autoenrollment . . . 690
    Managing Certificate Acceptance with Group Policy . . . 692
    Configuring Credential Roaming . . . 693
    Designing an AD CS Implementation . . . 694
    Designing a CA Hierarchy . . . 694
    Designing Certificate Templates . . . 697
    Designing Certificate Distribution and Revocation . . . 700
    Summary . . . 700
    Best Practices . . . 701
    Additional Resources . . . 701
    Related Information . . . 701
    Related Tools . . . 702

    18 Active Directory Rights Management Services . . . 703
    AD RMS Overview . . . 704
    AD RMS Features . . . 704
    AD RMS Components . . . 706
    How AD RMS Works . . . 709
    AD RMS Deployment Scenarios . . . 713
    Implementing AD RMS . . . 714
    Preinstallation Considerations Before Installing AD RMS . . . 714
    Installing AD RMS Clusters . . . 715
    Configuring the AD RMS Service Connection Point . . . 720
    Working with AD RMS Clients . . . 721
    Administering AD RMS . . . 726
    Managing Trust Policies . . . 726
    Managing Rights Policy Templates . . . 733
    Configuring Exclusion Policies . . . 738
    Configuring Security Policies . . . 739
    Viewing Reports . . . 741
    Summary . . . 742
    Additional Resources . . . 742
    Related Information . . . 743

    19 Active Directory Federation Services . . . 745
    AD FS Overview . . . 746
    Identity Federation . . . 746
    Web Services . . . 747
    AD FS Components . . . 749
    AD FS Deployment Designs . . . 753
    Implementing AD FS . . . 759
    AD FS Deployment Requirements . . . 760
    Implementing AD FS in a Federation Web SSO Design . . . 767
    Configuring the Account Partner Federation Service . . . 774
    Configuring Resource Partner AD FS Components . . . 782
    Configuring AD FS for Windows NT Token-based Applications . . . 787
    Implementing a Web SSO Design . . . 789
    Implementing a Federated Web SSO with Forest Trust Design . . . 790
    Summary . . . 791
    Best Practices . . . 791
    Additional Resources . . . 792
    Resources on the CD . . . 792
    Related Help Topics . . . 792

    Index . . . 795

    Microsoft is interested in hearing your feedback so we can
    continually improve our books and learning resources for you. To
    participate in a brief online survey, please visit:

    www.microsoft.com/learning/booksurvey/

    What do you think of this book? We want to hear from you!


    Acknowledgments

    by Stan Reimer (for the team):

    First of all, I want to thank my coauthors for their hard work on
    this book. When I was first asked to lead this writing project, I
    looked around for the right people to work with me on this book and
    I couldn't have picked a better team.

    Secondly, I want to thank the folks at Microsoft Press. This
    team includes Martin DelRe, the program manager, who kept poking us
    until we agreed to do this project, Karen Szall, the content
    development manager, and Maureen Zimmerman, the content project
    manager. I am sure that the problems we had keeping to the schedule
    on this book caused a few headaches for this group, but they were
    amazingly supportive and encouraging all the way through. Maureen
    had an amazing knack for reminding us when materials were due
    without making it feel like nagging.

    Thanks to Bob Dean, the technical reviewer, for his valuable
    comments. Production for this book was professionally handled by
    Custom Editorial Productions Inc., with Linda Allen as the project
    manager, Cecilia Munzenmaier as the copy editor, and many others
    who toiled away in the background. As writers, we get to have all
    of the fun at the beginning of the process; these folks are still
    working on this long after we are done.

    A Resource Kit doesn't come together without a lot of interaction
    with the product groups at Microsoft, as well as other technical
    experts, such as Directory Services MVPs. All of the chapters in
    this book have been reviewed by these experts and many of these
    experts contributed to the Direct from the Source, Direct from the
    Field, or How It Works sidebars that you will enjoy reading in this
    book. These reviewers and contributors include:

    James McColl, Mike Stephens, Moon Majumdar, Judith Herman, Mark
    Gray, Linda Moore, Greg Robb, Barry Hartman, Christiane Soumahoro,
    Gautam Anand, Michael Hunter, Alain Lissoir, Yong Liang, David
    Hastie, Teoman Smith, Brian Lich, Matthew Rimer, David Fisher, Bob
    Drake, Rob Greene, Andrej Budja, Rob Lane, Gregoire Guetat, Donovan
    Follette, Pavan Kompelli, Sanjeev Balarajan, Fatih Colgar, Brian
    Desmond, Jose Luis Auricchio, Darol Timberlake, Peter Li, Elbio
    Abib, Ashish Sharma, Nick Pierson, Lu Zhao, and Antonio
    Calomeni.

    by Conan Kezema:

    Special thanks to my fellow coauthors for their hard work on
    this book. I would also like to thank Stan for the many
    opportunities he has provided over the years; he is a great friend
    and mentor.

    Introduction

    Welcome to the Windows Server 2008 Active Directory Resource
    Kit, your complete source for the information you need to design
    and implement Active Directory in Windows Server 2008.

    The Windows Server 2008 Active Directory Resource Kit is a
    comprehensive technical resource for planning, deploying,
    maintaining, and troubleshooting an Active Directory infrastructure
    in Windows Server 2008. While the target audience for this Resource
    Kit is experienced IT professionals who work in medium-sized and
    large-sized organizations, anyone who wants to learn how to
    implement and manage Active Directory in Windows Server 2008 will
    find this Resource Kit invaluable.

    One of the new features in Windows Server 2008 Active Directory
    is that the term Active Directory now covers a lot more territory
    than it did in previous iterations of this directory service. What
    was previously called Active Directory in Windows 2000 and Windows
    Server 2003 is now called Active Directory Domain Services (AD DS),
    and several more directory service components have been included
    under the Active Directory umbrella. These include Active Directory
    Lightweight Directory Services (AD LDS), Active Directory
    Certificate Services (AD CS), Active Directory Rights Management
    Services (AD RMS), and Active Directory Federation Services (AD
    FS).

    Within this Resource Kit you'll find in-depth technical
    information on how Active Directory works in Windows Server 2008.
    In addition, you will find detailed task-based guidance for
    implementing and maintaining the Active Directory infrastructure.
    You'll also find numerous sidebars, contributed by members of the
    Active Directory product team, other directory experts at
    Microsoft, and directory services MVPs, that provide deep insight
    into how Active Directory works, best practices for designing and
    implementing Active Directory, and invaluable troubleshooting
    tips. Finally, the companion CD includes deployment tools,
    templates, and many sample scripts that you can use and customize
    to help you automate various aspects of managing Active Directory
    in enterprise environments.

    Overview of Book

    This book is divided into the following five parts with the
    following chapters:

    Part I Windows Server 2008 Active Directory Overview

    Chapter 1 What's New in Active Directory for Windows Server 2008
    This chapter provides an overview of the new features that are
    available in Windows Server 2008. If you know Windows Server 2003
    Active Directory, this is a good place for you to get a quick
    overview of some of the new material that will be covered in this
    book.


    Chapter 2 Active Directory Domain Services Components This
    chapter provides an overview of Active Directory Domain Services;
    if you are somewhat new to Active Directory, this is a great
    chapter to get you started on the terms and concepts that make up
    AD DS.

    Chapter 3 Active Directory Domain Services and Domain Name
    System One of the most critical components that you need in order
    to make AD DS work efficiently is a properly implemented DNS
    infrastructure. This chapter provides information on how to do
    this.

    Chapter 4 Active Directory Domain Services Replication In order
    to work with AD DS, you will need to understand replication. This
    chapter provides all of the details of how AD DS replication works
    and how to configure it.

    Part II Designing and Implementing Windows Server 2008 Active
    Directory

    Chapter 5 Designing the Active Directory Domain Services
    Structure Before deploying AD DS, you need to create a design that
    meets your organization's requirements. This chapter provides the
    in-depth information that you will need to do that planning.

    Chapter 6 Installing Active Directory Domain Services Installing
    AD DS on a Windows Server 2008 computer is pretty easy, but there
    are several variations on how to perform the installation. This
    chapter describes all of the options and the reasons for choosing
    each one.

    Chapter 7 Migrating to Active Directory Domain Services Many
    organizations are already running a previous version of Active
    Directory. This chapter provides the details on how to deploy
    Windows Server 2008 domain controllers in this environment, and how
    to migrate the Active Directory environment to Windows Server
    2008.

    Part III Administering Windows Server 2008 Active Directory

    Chapter 8 Active Directory Domain Services Security AD DS provides
    the core network authentication and authorization services in many
    organizations. This chapter describes how AD DS security works and
    the steps you can take to secure your AD DS environment.

    Chapter 9 Delegating the Administration of Active Directory
    Domain Services One of the options in implementing AD DS is that
    you can delegate many administrative tasks to other administrators
    without granting them domain level permissions. This chapter
    describes how AD DS permissions work and how to delegate them.

    Chapter 10 Managing Active Directory Objects Most of your time
    as an AD DS administrator will be spent managing AD DS objects like
    users, groups and organizational units. This chapter deals with how
    to manage these objects individually, but also provides details on
    how to manage large numbers of these objects by using scripts.

    Chapter 11 Introduction to Group Policy A central component in a
    Windows Server 2008 network management system is Group Policy. With
    Group Policy, you can manage many desktop settings as well as
    configure security. This chapter begins by explaining what Group
    Policy objects are and shows how to apply and filter Group Policy
    objects.

    Chapter 12 Using Group Policy to Manage User Desktops One of the
    important tasks you can perform with Group Policy is configuring
    user desktops. In Windows Server 2008 and Windows Vista, there are
    several thousand Group Policy settings available. This chapter
    describes not only how to apply the policies, but also which
    policies are most important to apply.

    Chapter 13 Using Group Policy to Manage Security Another
    important task that you can perform with Group Policy is applying
    security settings. This includes settings that will be applied to
    all users and computers in the domain as well as settings that can
    be applied to individual computers or users. This chapter provides
    the details on how to configure security by using Group Policy.

    Part IV Maintaining Windows Server 2008 Active Directory

    Chapter 14 Monitoring and Maintaining Active Directory This chapter
    prepares you to maintain your Active Directory infrastructure after
    you deploy it. This chapter covers how to monitor your AD DS
    environment, and how to maintain the AD DS domain controllers.

    Chapter 15 Active Directory Disaster Recovery Because of the
    central role that AD DS has in many corporations, it is critical
    that you know how to prepare for and recover from disasters within
    your AD DS environment. This chapter details how you can do
    this.

    Part V Identity and Access Management with Active Directory

    Chapter 16 Active Directory Lightweight Directory Services AD LDS
    is one of the new server roles that is included under the Active
    Directory umbrella in Windows Server 2008. AD LDS is designed to be
    an application directory; this chapter describes how you can deploy
    and manage your AD LDS environment.

    Chapter 17 Active Directory Certificate Services AD CS can be
    used to provide the public key infrastructure that provides digital
    certificates that are so critical for many network security
    implementations. This chapter describes how to plan and implement
    AD CS.

    Chapter 18 Active Directory Rights Management Services AD RMS
    provides the tools to apply persistent usage policies to
    information that stays with the information even as it is moved
    around or outside the organization. This chapter details how to
    implement AD RMS.

    Chapter 19 Active Directory Federation Services AD FS provides a
    means to enable users to access multiple Web-based applications in
    their organization or in other organizations while only
    authenticating once. This chapter describes the AD FS deployment
    scenarios and how to implement them.

    Document Conventions

    The following conventions are used in this book to highlight
    special features and usage:

    Reader Aids

    The following reader aids are used throughout this book to point
    out useful details:

    Reader Aid       Meaning
    Note             Underscores the importance of a specific concept or
                     highlights a special case that might not apply to
                     every situation
    Important        Calls attention to essential information that should
                     not be disregarded
    Caution          Warns you that failure to take or avoid a specified
                     action can cause serious problems for users, systems,
                     data integrity, and so on
    On the CD        Calls attention to a related script, tool, template,
                     or job aid on the companion CD that helps you perform
                     a task described in the text
    More Info        Points out Web sites or other related material that
                     you can access to get more details about a topic
                     described in the text
    Security Alert   Emphasizes information or tasks that are essential
                     for maintaining a secure environment or identifies
                     events that indicate a potential security incident

    Sidebars

    The following sidebars are used throughout this book to provide
    added insight, tips, and advice concerning Windows Server 2008
    Active Directory:

    Sidebar                 Meaning
    Direct from the Source  Contributed by experts at Microsoft to provide
                            from-the-source insight into how Active
                            Directory in Windows Server 2008 works, best
                            practices for planning and implementing the
                            Active Directory server roles, and
                            troubleshooting tips
    Direct from the Field   Contributed by directory service MVPs to
                            provide real-world insight into best practices
                            for planning and implementing the Active
                            Directory server roles and troubleshooting tips
    How It Works            Provides unique glimpses of Windows Server 2008
                            Active Directory features and how they work


    Command-Line Examples

    The following style conventions are used in documenting
    command-line examples throughout this book:

    Style            Meaning
    Bold font        Used to indicate user input (characters that you
                     type exactly as shown)
    Italic font      Used to indicate variables for which you need to
                     supply a specific value (for example, filename can
                     refer to any valid file name)
    Monospace font   Used for code samples and command-line output
    %SystemRoot%     Used for environment variables

    Companion CD

    The companion CD is a valuable addition to this book. Many of the
    tools and resources mentioned in the chapters are on the CD itself;
    you can access other tools and resources via links from the CD.

    For documentation of the contents and structure of the companion
    CD, see the Readme.txt file on the CD.

    Management Scripts

    A set of scripts to manage Active Directory is included on the
    CD. Among them are scripts to get information about Active
    Directory objects and scripts to create or modify these objects.
    These scripts all require Windows PowerShell. The following scripts
    are included on the CD:

    AddUserToGroup.ps1  Adds a user account to a group in the same OU

    CreateAndEnableUserFromCSV.ps1  Creates an enabled user account by
    reading a .csv file

    CreateGroup.ps1  Creates a group in Active Directory in the OU and
    domain specified

    CreateObjectInAD.ps1  Creates an object in Active Directory

    CreateOU.ps1  Creates an organizational unit in Active Directory

    CreateUser.ps1  Creates a user account in Active Directory

    EnableDisableUserSetPassword.ps1  Enables or disables a user
    account and sets the password

    GetDomainPwdSettings.ps1  Obtains the password policy settings for
    a domain

    GetModifiedDateFromAD.ps1  Lists the last modified date of a
    specific user in a local or remote domain

    ListUserLastLogon.ps1  Lists the last logon date of a specific
    user in a local or remote domain

    LocateDisabledUsers.ps1  Locates disabled user accounts in a local
    or remote domain

    LocateLockedOutUsers.ps1  Locates locked-out user accounts in a
    local or remote domain

    LocateOldComputersNotLogon.ps1  Locates computer accounts in a
    local or remote domain that have not logged on for a specified
    number of days

    LocateOldUsersNotLogOn.ps1  Scans a local or remote domain for
    user accounts that have not logged on to the domain for a
    specified number of days

    ModifyUser.ps1  Modifies user attributes in Active Directory

    QueryAD.ps1  Queries Active Directory for objects such as users,
    groups, computers, and so on

    UnlockLockedOutUsers.ps1  Unlocks user accounts that are locked
    out

    In addition to these scripts, many of the chapters contain
    references to additional scripts that perform the management tasks
    included in that chapter.

    Full documentation of the contents and structure of the
    companion CD can be found in the Readme.txt file on the CD.
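    The following is an added example and is not one of the companion
    CD scripts. It shows the kind of query behind
    LocateOldUsersNotLogOn.ps1 and LocateLockedOutUsers.ps1, built on
    System.DirectoryServices, which every operating system the
    Introduction lists already has, so no Active Directory module is
    needed. It goes one step further than "lockoutTime is set" by asking
    the domain controller for the computed lockout state, which also
    handles lockouts that have already expired. It assumes Windows
    PowerShell 2.0 or later on a domain-joined computer with read access
    to the domain; the domain name, the 90-day threshold, and the
    function name Search-Directory are placeholders of this example.

```powershell
# Added example, not one of the companion-CD scripts.
# Lists user accounts that have not logged on for $InactiveDays days and
# accounts that are currently locked out, using System.DirectoryServices.
# Assumptions: Windows PowerShell 2.0 or later, domain-joined computer,
# read access to the domain. Domain name and threshold are placeholders.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: the computer's own domain
    [int]$InactiveDays = 90
)

function Search-Directory {
    param([string]$LdapFilter, [string[]]$Properties)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter)
    # Paged search, so results are not cut off at the server's 1000-object limit.
    $searcher.PageSize = 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

# --- Stale accounts --------------------------------------------------------
# lastLogonTimestamp (Windows Server 2003 functional level and later) is
# replicated to every DC, unlike lastLogon, but is refreshed only when the
# stored value is more than about 14 days old, so the threshold is approximate.
# Accounts that never logged on have no lastLogonTimestamp at all; their
# creation date is used instead. Already-disabled accounts (userAccountControl
# bit 0x2) are excluded with the LDAP_MATCHING_RULE_BIT_AND rule.
$cutoffFileTime = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()
$cutoffGenTime  = (Get-Date).AddDays(-$InactiveDays).ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
$staleFilter = '(&(objectCategory=person)(objectClass=user)' +
               '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
               "(|(lastLogonTimestamp<=$cutoffFileTime)" +
               "(&(!(lastLogonTimestamp=*))(whenCreated<=$cutoffGenTime))))"

$stale = Search-Directory $staleFilter @('sAMAccountName', 'lastLogonTimestamp', 'whenCreated') |
    ForEach-Object {
        $lastLogon = $null
        if ($_.Properties.Contains('lastlogontimestamp')) {
            $lastLogon = [DateTime]::FromFileTimeUtc([Int64]$_.Properties['lastlogontimestamp'][0])
        }
        New-Object PSObject -Property @{
            Account   = $_.Properties['samaccountname'][0]
            LastLogon = $lastLogon
            Created   = $_.Properties['whencreated'][0]
        }
    }

# --- Locked-out accounts ---------------------------------------------------
# (lockoutTime>=1) also matches accounts whose lockout window has already
# expired, because lockoutTime is reset only on the next successful logon.
# The constructed attribute msDS-User-Account-Control-Computed is evaluated
# by the DC against the effective policy (including fine-grained password
# policies), so its LOCKOUT bit (0x10) reflects the current state.
$UF_LOCKOUT   = 0x10
$lockedFilter = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'

$locked = Search-Directory $lockedFilter @('sAMAccountName', 'lockoutTime', 'msDS-User-Account-Control-Computed') |
    ForEach-Object {
        $flags = [int]$_.Properties['msds-user-account-control-computed'][0]
        if ($flags -band $UF_LOCKOUT) {
            New-Object PSObject -Property @{
                Account  = $_.Properties['samaccountname'][0]
                LockedAt = [DateTime]::FromFileTimeUtc([Int64]$_.Properties['lockouttime'][0])
            }
        }
    }

"User accounts inactive for $InactiveDays days or more:"
$stale  | Sort-Object LastLogon | Format-Table Account, LastLogon, Created -AutoSize
"User accounts currently locked out:"
$locked | Format-Table Account, LockedAt -AutoSize
```

    Run it as a domain user; no elevated rights are needed for the
    reads. Treat the stale list as a candidate list for disabling, not
    deleting, because lastLogonTimestamp can lag real activity by up to
    two weeks and service accounts that authenticate with Kerberos only
    at long intervals will show up in it.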

    Using the Scripts

    The companion CD includes scripts that are written in VBScript
    (with a .vbs file extension) and Windows PowerShell (with a .ps1
    file extension).

    The VBScript scripts on the companion CD are identified with the
    .vbs extension. To use those scripts, double-click them or execute
    them directly from a command prompt.

    The Windows PowerShell scripts require that you have Windows
    PowerShell installed and that you have configured Windows
    PowerShell to run unsigned scripts. An execution policy of
    RemoteSigned is sufficient for scripts copied from the CD and is
    preferable to Unrestricted, because it still requires a signature
    on scripts downloaded from the Internet. You can run the Windows
    PowerShell scripts on Windows XP SP2, Windows Server 2003 SP1,
    Windows Vista, or Windows Server 2008. In order for the scripts to
    work, all computers must be members of a Windows Server 2008
    domain.

    Note For information about the system requirements for running
    the scripts on the CD, see the System Requirements page at the end
    of the book.
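    Rather than allowing unsigned scripts at all, an organization with
    its own certification authority can sign the CD scripts and require
    signatures everywhere. The following is an added example, not part
    of the book or the CD, that signs every .ps1 file in a folder with
    a code-signing certificate, verifies the result, and only then
    switches the current user's execution policy to AllSigned. It
    assumes Windows PowerShell 2.0 or later, a code-signing certificate
    (for example one enrolled from an AD CS CA) already present in the
    current user's personal certificate store, and D:\Scripts as a
    placeholder for where the scripts were copied.

```powershell
# Added example, not from the book or the companion CD.
# Signs the CD scripts with a code-signing certificate so that they run
# under the AllSigned execution policy instead of unsigned.
# Assumptions: Windows PowerShell 2.0 or later; a code-signing certificate
# with its private key is in Cert:\CurrentUser\My; $ScriptPath is a placeholder.
param(
    [string]$ScriptPath = 'D:\Scripts'
)

# -CodeSigningCert keeps only certificates whose enhanced key usage includes
# Code Signing and whose private key is available; also skip expired ones.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# Sign each script in place. The signature block is appended to the file, so
# any later edit invalidates it and AllSigned will refuse the script again
# until it is re-signed.
Get-ChildItem -Path $ScriptPath -Filter *.ps1 | ForEach-Object {
    $sig = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert
    if ($sig.Status -ne 'Valid') {
        Write-Warning ('{0}: {1}' -f $_.Name, $sig.StatusMessage)
    }
}

# Verify before tightening the policy: every file must report Valid.
$bad = Get-ChildItem -Path $ScriptPath -Filter *.ps1 |
       Get-AuthenticodeSignature |
       Where-Object { $_.Status -ne 'Valid' }
if ($bad) {
    $bad | Format-Table Path, Status -AutoSize
    throw 'Some scripts are not validly signed; leaving the execution policy unchanged'
}

# Require a valid signature on every script for this user. Unlike Unrestricted
# (or RemoteSigned for local files), this rejects unsigned scripts and scripts
# modified after signing.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force
```

    For the signed scripts to run without a prompt on other computers,
    the signing certificate must chain to a root those computers trust
    and should be placed in their Trusted Publishers store, which is a
    natural job for the certificate distribution Group Policy settings
    that chapter 17 covers.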

    Find Additional Content Online

    As new or updated material becomes available that complements your
    book, it will be posted online on the Microsoft Press Online
    Windows Server and Client Web site. Based on the final build of
    Windows Server 2008, the type of material you might find includes
    updates to book content, articles, links to companion content,
    errata, sample chapters, and more. This Web site will be available
    soon at http://www.microsoft.com/learning/books/online/serverclient,
    and will be updated periodically.

    Resource Kit Support Policy

    Every effort has been made to ensure the accuracy of this book and
    the companion CD content. Microsoft Press provides corrections to
    this book through the Web at the following location:

    http://www.microsoft.com/learning/support/search.asp.

    If you have comments, questions, or ideas regarding the book or
    companion CD content, or if you have questions that are not
    answered by querying the Knowledge Base, please send them to
    Microsoft Press by using either of the following methods:

    E-mail:

    [email protected]

    Postal Mail:

    Microsoft Press

    Attn: Windows Server 2008 Active Directory Resource Kit

    One Microsoft Way

    Redmond, WA 98052-6399

    Please note that product support is not offered through the
    preceding mail addresses. For product support information, please
    visit the Microsoft Product Support Web site at the following
    address:

    http://support.microsoft.com

    Digital Content for Digital Book Readers: If you bought a
    digital-only edition of this book, you can enjoy select content
    from the print edition's companion CD. Visit
    http://go.microsoft.com/fwlink/?LinkId=109208 to get your
    downloadable content. This content is always up-to-date and
    available to all readers.

    Part I: Windows Server 2008 Active Directory Overview

    In this part:

    Chapter 1: What's New in Active Directory for Windows Server 2008 . . . 3

    Chapter 2: Active Directory Domain Services Components . . . 19

    Chapter 3: Active Directory Domain Services and Domain Name System . . . 63

    Chapter 4: Active Directory Domain Services Replication . . . 95

    Chapter 1

    What's New in Active Directory for Windows Server 2008

    In this chapter:

    What's New in Active Directory Domain Services . . . 3

    Additional Active Directory Service Roles . . . 11

    Summary . . . 18

    What's New in Active Directory Domain Services

    Although much of what you will need to know in order to manage an
    Active Directory domain remains the same from previous versions of
    the directory service implementation, such as Windows 2000 and
    Windows Server 2003, several new and compelling features offer the
    administrator greater control and security over the domain
    environment. This chapter reviews six enhancements to Active
    Directory Domain Services (AD DS), as well as four new roles that
    Active Directory can play in your enterprise.

    Read-Only Domain Controllers (RODC)

    One of the new features in Windows Server 2008 is the option to
    deploy a read-only domain controller (RODC). This new type of
    domain controller, as its name implies, hosts read-only partitions
    of the Active Directory database.

    An RODC makes it possible for organizations to easily deploy a
    domain controller in scenarios where physical security cannot be
    guaranteed, such as branch office locations, or in scenarios where
    local storage of all domain passwords is considered a primary
    threat, such as in an application-facing role, or when used in
    conjunction with the Windows Server 2008 Server Core installation
    option.

    Organizations that can guarantee the physical security of a
    branch domain controller might also deploy an RODC because of its
    reduced management requirements that are provided by such features
    as Administrator Role Separation.

    Because RODC administration can be delegated to a domain user or
    security group, an RODC is well suited for a site that should not
    have a user who is a member of the Domain Admins group. RODCs have
    the following characteristics.

    Read-Only AD DS Database

    Except for account passwords (and any attributes placed in the RODC
    filtered attribute set, described next), an RODC holds the Active
    Directory objects and attributes that a writable domain controller
    holds. However, changes cannot be made to the database that is
    stored on the RODC. Changes must be made on a writable domain
    controller and then replicated to the RODC.

    Local applications that request Read access to the directory can
    obtain it. Lightweight Directory Access Protocol (LDAP)
    applications that request Write access receive an LDAP referral
    response. This response directs them to a writable domain
    controller, normally in a hub site.

    RODC Filtered Attribute Set

    Not every attribute has to be replicated to an RODC. You can
    dynamically configure a set of attributes, called the RODC filtered
    attribute set, so that those attributes are not replicated to an
    RODC. Attributes that are defined in the RODC filtered attribute
    set are not allowed to replicate to any RODC in the forest.

    A malicious user who compromises an RODC can attempt to
    configure it in such a way that it tries to replicate attributes
    that are defined in the RODC filtered attribute set. If the RODC
    tries to replicate those attributes from a domain controller that
    is running Windows Server 2008, the replication request is denied.
    Therefore, as a security precaution, you should ensure that forest
    functional level is Windows Server 2008 if you plan to configure
    the RODC filtered attribute set. When the forest functional level
    is Windows Server 2008, an RODC that is compromised cannot be
    exploited in this manner because domain controllers that are
    running Windows Server 2003 are not allowed in the forest.
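    The following is an added example, not code from the book or its
    companion CD, that carries out the two steps the paragraphs above
    describe: it checks that the forest functional level is Windows
    Server 2008 before trusting the filtered attribute set, and then
    places one attribute into the set. Membership in the set is the
    0x200 bit of the attribute's searchFlags value in the schema (0x80
    marks the attribute confidential), and schema changes are accepted
    only by the schema master, so the script binds to it explicitly. It
    assumes Windows PowerShell with the .NET DirectoryServices classes
    (no Active Directory module needed), that you run it as a member of
    Schema Admins, and a hypothetical custom attribute named
    contoso-BranchSecret; that attribute name is an assumption.

```powershell
# Added example (not from the book or its CD): add one attribute to the RODC filtered
# attribute set. Membership in the set is a bit in the attribute's searchFlags, and schema
# changes are accepted only by the schema master, so bind there explicitly.
$attrLdapName  = 'contoso-BranchSecret'   # hypothetical custom attribute (assumption)
$RODC_FILTERED = 0x200                    # searchFlags: never replicate to any RODC
$CONFIDENTIAL  = 0x80                     # searchFlags: read requires explicit control access

$rootDse = [ADSI]'LDAP://RootDSE'

# 1. Below the Windows Server 2008 forest functional level (value 3) a Windows Server 2003 DC
#    may still exist, and a compromised RODC could pull the filtered attributes from it.
$ffl = [int]$rootDse.forestFunctionality.Value
if ($ffl -lt 3) {
    throw "Forest functional level is $ffl; raise it to Windows Server 2008 (3) before relying on the filtered attribute set."
}

# 2. Find the schema master: fSMORoleOwner on the schema NC head is the DN of its NTDS Settings object.
$schemaNc     = [string]$rootDse.schemaNamingContext.Value
$ntdsDn       = [string]([ADSI]"LDAP://$schemaNc").fSMORoleOwner.Value
$serverDn     = $ntdsDn -replace '^CN=NTDS Settings,', ''
$schemaMaster = [string]([ADSI]"LDAP://$serverDn").dNSHostName.Value

# 3. Locate the attributeSchema object by lDAPDisplayName on the schema master.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaMaster/$schemaNc"
$searcher.Filter     = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrLdapName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Attribute '$attrLdapName' not found in the schema." }
$attr = $hit.GetDirectoryEntry()

# 4. OR the bits into searchFlags so existing flags (indexing, ANR, ...) survive. Marking the
#    attribute confidential as well keeps ordinary authenticated users from reading it on
#    writable DCs. The schema master rejects system-critical attributes (those AD DS, LSA,
#    SAM or SSPI depend on), so expect SetInfo() to fail for such an attribute.
$oldFlags = [int]$attr.searchFlags.Value
$newFlags = $oldFlags -bor $RODC_FILTERED -bor $CONFIDENTIAL
if ($newFlags -eq $oldFlags) {
    "'{0}' is already RODC-filtered and confidential (searchFlags=0x{1:X})." -f $attrLdapName, $oldFlags
} else {
    $attr.Put('searchFlags', $newFlags)
    $attr.SetInfo()
    "'{0}': searchFlags 0x{1:X} -> 0x{2:X}" -f $attrLdapName, $oldFlags, $newFlags
}
```

    The bits are OR-ed rather than assigned so that an attribute that is
    already indexed or in the ambiguous name resolution set keeps those
    properties; assigning 0x280 outright would silently drop them.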

    Unidirectional Replication

    Because no changes are written directly to the RODC, no changes
    originate at the RODC. Accordingly, writable domain controllers
    that are replication partners do not have to pull changes from the
    RODC. This means that any changes or corruption that a malicious
    user might make at branch locations cannot replicate from the RODC
    to the rest of the forest. This also reduces the workload of
    bridgehead servers in the hub and the effort required to monitor
    replication.

    RODC unidirectional replication applies to both AD DS and
    Distributed File System (DFS) Replication. The RODC performs normal
    inbound replication for AD DS and DFS Replication changes.

    Credential Caching

    Credential caching is the storage of user or computer credentials,
    including the user password expressed as a number of hashed values.
    By default, an RODC does not store user or computer credentials. The
    exceptions are the computer account of the RODC and a special (and
    unique) krbtgt account that each RODC has.

    You can configure credential caching on the RODC by modifying
    the Password Replication Policy for the specific domain controller.
    For example, if you want the RODC to cache the credentials for all
    users in the branch office who routinely log on in the office
    location, you can add all user accounts for users in the branch
    office to the Password Replication Policy. In this way, users will
    be able to log on to the domain controller even if the wide area
    network (WAN) connection to a writable domain controller is
    unavailable. Likewise, you can add all of the branch office
    computer accounts, so that these accounts can authenticate to the
    RODC even when the WAN link is down. In both of the previous
    scenarios, the WAN connection to a writable domain controller must
    be available during the first logon for the credentials to be
    cached to the RODC.
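    The following is an added example, not code from the book or its
    companion CD, showing how a practitioner would audit the Password
    Replication Policy described above: what the policy allows and
    denies, and, separately, which credentials the RODC has actually
    cached, which is exactly what an attacker obtains if the branch
    server is stolen. It assumes the Active Directory module for Windows
    PowerShell, which shipped with Windows Server 2008 R2 and later (and
    with RSAT), not with Windows Server 2008 itself, and uses the
    placeholder names RODC-BRANCH1 and OU=Branch1,DC=contoso,DC=com.

```powershell
# Added example (not from the book or its CD): audit an RODC's Password Replication Policy
# and the secrets it has actually cached. Placeholder names: RODC-BRANCH1, OU=Branch1.
Import-Module ActiveDirectory

$rodc       = 'RODC-BRANCH1'
$branchOu   = 'OU=Branch1,DC=contoso,DC=com'   # accounts that are expected to be cached here
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'

# 1. Policy: who may be cached (Allowed) and who never may (Denied). A Denied entry always wins
#    over an Allowed one, and the built-in Denied RODC Password Replication Group covers the
#    privileged groups by default; anything extra in the Allowed list is a deliberate decision.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object -ExpandProperty Name
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object -ExpandProperty Name
"Allowed: " + ($allowed -join ', ')
"Denied:  " + ($denied  -join ', ')

# 2. Reality: which secrets are on the RODC's disk right now. The RODC's own computer account
#    and its private krbtgt_<id> account are always there, so skip them.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -ne "$rodc`$" -and $_.SamAccountName -notlike 'krbtgt_*' }

# 3. Flag cached accounts that live outside the branch OU or that sit in a privileged group;
#    either means the policy (or a group change made later) has widened the blast radius.
foreach ($acct in $revealed) {
    $groups = Get-ADPrincipalGroupMembership -Identity $acct | Select-Object -ExpandProperty Name
    $issues = @()
    if ($acct.DistinguishedName -notlike "*,$branchOu")            { $issues += 'outside branch OU' }
    if ($groups | Where-Object { $privileged -contains $_ })       { $issues += 'privileged group member' }
    if ($issues) { "WARNING {0}: {1}" -f $acct.SamAccountName, ($issues -join '; ') }
}
"{0} accounts cached on {1}" -f @($revealed).Count, $rodc

# To cache a branch user before the WAN is ever unavailable, add the account (or its group) to the
# Allowed list and pre-populate from a writable DC; both names below are placeholders:
#   Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1-Users'
#   repadmin /rodcpwdrepl $rodc HUB-DC1 'CN=Jane Doe,OU=Branch1,DC=contoso,DC=com'
```

    The revealed list, not the Allowed list, is the one to review after
    an RODC is lost: only accounts that appear there need a password
    reset, and the RODC's krbtgt_<id> account is already isolated from
    the domain krbtgt, which is why the RODC has its own.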

    Administrator Role Separation

    You can delegate local administrative permissions for an RODC to
    any domain user without granting that user any user rights for the
    domain or other domain controllers. This permits a local branch
    user to log on to an RODC and perform maintenance work on the
    server, such as upgrading a driver. However, the branch user cannot
    log on to any other domain controller or perform any other
    administrative task in the domain. In this way, the ability to
    effectively manage the RODC in a branch office can be delegated to
    a branch user without compromising the security of the rest of the
    domain.
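    As an added example, not code from the book or its companion CD,
    the following delegates local administration of an RODC in the way
    the paragraph above describes and then verifies that the delegated
    group really carries no rights beyond that one server. The
    delegation is made through the managedBy attribute of the RODC's
    computer account, which is where the delegated administrator chosen
    during RODC installation is recorded; the check uses the
    LDAP_MATCHING_RULE_IN_CHAIN matching rule so that nested group
    membership is caught. It assumes the Active Directory module
    (Windows Server 2008 R2 or later, or RSAT) and the placeholder names
    RODC-BRANCH1 and Branch1-Admins.

```powershell
# Added example (not from the book or its CD): delegate an RODC's local administration to a
# branch group and confirm the group has no domain-wide rights. Placeholder names throughout.
Import-Module ActiveDirectory

$rodc         = 'RODC-BRANCH1'
$branchAdmins = 'Branch1-Admins'
$privileged   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'

# 1. The principal in the RODC computer object's managedBy attribute becomes a local
#    administrator of that RODC only. This is the same setting the RODC installation wizard
#    writes for the delegated administrator; it grants nothing on writable DCs.
$group = Get-ADGroup -Identity $branchAdmins
Set-ADComputer -Identity $rodc -ManagedBy $group
"Delegated local administration of $rodc to $branchAdmins."

# 2. Role separation is only real if the branch group is not, directly or through nesting, a
#    member of a group that confers domain or other-DC rights. The matching rule
#    1.2.840.113556.1.4.1941 makes the server walk the membership chain for us.
$dn     = $group.DistinguishedName
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
    Select-Object -ExpandProperty Name
$bad = $nested | Where-Object { $privileged -contains $_ }
if ($bad) {
    "WARNING: $branchAdmins is (transitively) a member of: $($bad -join ', ')"
} else {
    "$branchAdmins holds no privileged domain group membership."
}

# 3. Report whether the branch administrators' own passwords can be cached on the server they
#    administer. Denying it limits what a stolen RODC yields; allowing it lets them log on to the
#    RODC while the WAN is down. Either is defensible, but it should be a conscious choice.
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object -ExpandProperty Name
if ($denied -contains $branchAdmins) {
    "$branchAdmins credentials are never cached on $rodc."
} else {
    "NOTE: $branchAdmins is not in the Denied list of $rodc; its members' credentials may be cached there."
}
```

    Step 2 is the check to rerun periodically: a branch group that was
    clean on the day of delegation can later be nested into Server
    Operators or Administrators by someone who never touched the RODC,
    and at that point the "local only" administrator is local in name
    only.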

    Read-Only DNS

    You can install the DNS Server service on an RODC. An RODC is
    able to replicate all application directory partitions that DNS
    uses, including ForestDNSZones and DomainDNSZones. If the DNS
    server is installed on an RODC, clients can query it for name
    resolution as they query any other DNS server.

    However, the DNS server on an RODC does not support client
    updates directly. Consequently, the RODC does not register name
    server (NS) resource records for a


A Note Regarding the CD or DVD

The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O’Reilly Media’s Digital Distribution services. To download this content, please visit O’Reilly’s web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to booktech@oreilly.com.
