Paperback
Product Details
| ISBN-13: | 9780072123234 |
|---|---|
| Publisher: | McGraw-Hill/Osborne Media |
| Publication date: | 04/13/2000 |
| Series: | Network Professional's Library |
| Pages: | 564 |
| Product dimensions: | 7.32(w) x 9.11(h) x 1.63(d) |
About the Author
Joe Casad is an MCSE, engineer, and consultant who has authored and co-authored more than a dozen books on computer networking and systems administration. He is the former managing editor of Network Administrator magazine and is currently the technical editor of SysAdmin magazine.
Read an Excerpt
Chapter 1: The Active Directory Environment
Active Directory is a vast and intricate architecture designed to simplify the life of the network administrator. Microsoft insists that Active Directory makes a Windows 2000 network easier to understand and manage. But what is it? According to Microsoft, Active Directory is a directory service, and a directory service is "an information source and the services required for making that information source available to users." But this is only part of what Microsoft means by Active Directory. The real Active Directory is a structure: a paradigm for the network and a way of doing business. Simply put, Active Directory is three things:
- A database
- A collection of services that access that database
- A network environment that exploits the possibilities of that database to provide better, more manageable, and more logical Microsoft networks

The rest is details, and those details are the subject of this book. Active Directory is so big, so all-encompassing, and so different from anything that preceded it, that it is difficult to know where to begin to describe it. Most descriptions begin with a long list of terms and concepts related to the Active Directory infrastructure. Those terms and concepts are certainly important, and you'll be learning more about them in later chapters. But concepts are of little use without a context, and the best context to begin this study of Active Directory is the context from which it arose: the Windows NT domain.
Active Directory grew out of Windows NT's domain architecture, and many elements of the NT domain are present in its framework. But Active Directory is something more than NT domain architecture. It isn't just an update; it's a whole new approach to networking.
Windows NT went far for an operating system developed wholly from scratch only a few years ago. Windows NT Server 4 was a huge seller that captured a large percentage of the corporate networking market. And yet, Microsoft was well aware that NT had certain limitations, like these:
- Inflexible security system: The permission system offered only limited granularity. It was difficult to organize the domain into smaller units. NT did allow resource domains, in which an administrator could control the resources in a local area, but the domain trust system was confusing and anything but seamless, and all the little clouds with one-way arrows in NT Enterprise classes ultimately did not clear up the confusion.
- Outdated naming system: The NetBIOS naming system built into Microsoft networks was out of step with the world. Microsoft supporters and detractors often share the presumption that Microsoft's conventions will someday become the world's conventions, but when it comes to naming resources, the world and the Internet were too big even for Microsoft. The growth of Web-based technologies has made it increasingly difficult for Microsoft to justify basing its networks around NetBIOS rather than the universally accepted and Internet-ready Domain Name System (DNS).
- Insufficient fault tolerance and bandwidth management: The special status of the primary domain controller (PDC) caused special problems when the PDC went offline. A backup domain controller (BDC) could be promoted, but promoting the BDC required human intervention. The PDC/BDC system also posed additional limitations for domains with multiple sites connected through slow wide area network (WAN) links.
- No informational context: The NT domain, with its focus on network security, did only part of what a modern directory service is capable of doing and suffered from the missed opportunity to use its elaborate structure and services to support other types of functions.
- Inelegant interface: Objects, and the tools that managed objects, were confusing and conceptually inconsistent.
Flexible Security
As Figure 1-1 shows, Active Directory supports a new feature that was entirely missing from Windows NT: the organizational unit or OU. An OU is a container that you can create at any time just because you need a container. This container concept is reminiscent of Novell NetWare. You can place many different types of objects inside an OU container: printers, computers, domain controllers, and even users.
OUs create opportunities for subgrouping within a domain that were missing from Windows NT. You can place all users and computers of a single office into a separate OU and delegate authority for those objects to an OU administrator. The OU administrator can then manage users and resources even though he or she may not have access to similar resources in other parts of the domain. Alternatively, you can create position-based OUs, in which users and resources are organized by department rather than by geography...
Table of Contents
| Chapter | Title | Page |
|---|---|---|
| | Acknowledgments | xxi |
| | Introduction | xxiii |
| Part I | Introducing Active Directory | |
| 1 | The Active Directory Environment | 3 |
| | What Is Active Directory? | 4 |
| | Flexible Security | 6 |
| | DNS Integration | 8 |
| | Fault Tolerance and Bandwidth Management | 10 |
| | The Data Storehouse | 12 |
| | Uniform Interface | 15 |
| | Summary | 16 |
| 2 | Active Directory Concepts | 17 |
| | Mixed Mode and Native Mode | 19 |
| | A Closer Look at the Active Directory Network | 21 |
| | Operations Masters | 23 |
| | Multiple Domains | 27 |
| | Naming Objects in Active Directory | 31 |
| | Summary | 36 |
| Part II | Setting Up Your Network | |
| 3 | Active Directory with TCP/IP and DNS | 39 |
| | Active Directory and DNS | 40 |
| | How DNS Works | 40 |
| | The DNS Namespace | 45 |
| | Understanding Zones | 46 |
| | Active Directory-Integrated Zones | 48 |
| | Dynamic Updates | 48 |
| | How Active Directory Uses DNS | 50 |
| | Installing DNS Server | 52 |
| | Configuring DNS | 53 |
| | Migrating DNS Data to Windows 2000 DNS Server | 67 |
| | Interoperating with Other DNS Servers | 68 |
| | Sites and Subnets in Active Directory | 69 |
| | Subnets and Sites | 70 |
| | Configuring Active Directory Sites | 71 |
| | Defining Active Directory Subnets | 74 |
| | Placing Servers in Sites | 76 |
| | Summary | 79 |
| 4 | Understanding Replication | 81 |
| | Replication and Active Directory | 82 |
| | Replication Topology | 91 |
| | Replication and the KCC | 92 |
| | Connection Objects | 93 |
| | Managing Intrasite Replication | 94 |
| | Viewing Connection Objects and Properties | 96 |
| | Creating a New Connection Object | 98 |
| | Checking the Replication Topology | 100 |
| | Forcing Replication Manually | 101 |
| | Intersite Replication | 102 |
| | Configuring Site Links | 104 |
| | Configuring Site Link Bridges | 109 |
| | Configuring a Preferred Bridgehead Server | 113 |
| | Managing and Monitoring Replication | 115 |
| | Repadmin | 115 |
| | Replication Monitor | 117 |
| | Performance Monitor | 129 |
| | Network Monitor | 131 |
| | Summary | 132 |
| 5 | Users and Groups | 133 |
| | A Quick Look at Windows NT and Windows 2000 Security | 134 |
| | Understanding Groups | 135 |
| | Distribution Groups | 136 |
| | Security Groups | 136 |
| | Predefined and Built-In Groups | 140 |
| | Managing Users and Groups | 142 |
| | Creating New Users | 143 |
| | Adding or Removing Users from Groups | 146 |
| | Viewing and Modifying User Properties | 149 |
| | Moving Users | 154 |
| | Deleting, Disabling, and Renaming User Accounts | 156 |
| | Creating or Deleting a User Principal Name (UPN) Suffix | 157 |
| | Creating Groups | 159 |
| | Adding or Removing Groups from Other Groups | 161 |
| | Viewing and Modifying Group Properties | 162 |
| | Moving Groups | 163 |
| | Deleting Groups | 163 |
| | Assigning Permissions | 164 |
| | Ownership | 167 |
| | Setting Inheritance | 168 |
| | Delegation of Control | 170 |
| | Summary | 172 |
| 6 | Group Policy | 173 |
| | What Is Group Policy? | 174 |
| | A Look at Policy in Active Directory | 176 |
| | Local Policy | 176 |
| | Default Policy | 178 |
| | Group Policy Objects | 179 |
| | System Policy | 179 |
| | Setting Up Group Policy | 180 |
| | How Group Policies Are Processed | 184 |
| | Where Group Policies Are Stored | 186 |
| | How Group Policies Interact | 187 |
| | Creating a Group Policy Snap-In | 188 |
| | Understanding Group Policy Options | 191 |
| | Templates | 192 |
| | Links | 194 |
| | Filtering Group Policy | 195 |
| | Setting Group Policies that Control Group Policy | 197 |
| | Specifying a Domain Controller | 197 |
| | Group Policy Strategies | 201 |
| | Summary | 203 |
| 7 | Setting Up Active Directory | 205 |
| | The Deployment Process | 206 |
| | Do You Really Need Active Directory? | 207 |
| | Planning and Implementing a Test Site | 209 |
| | Planning and Implementing a Pilot Site | 211 |
| | Planning Your Active Directory Network | 212 |
| | Axioms, Tips, and Best Practices | 215 |
| | Planning Your Active Directory Rollout | 222 |
| | Executing Your Active Directory Rollout | 230 |
| | Active Directory System Requirements | 231 |
| | Installing Windows 2000 | 232 |
| | Important Setup Procedures | 250 |
| | Installing the Windows 2000 Support Tools | 250 |
| | Switching to Native Mode | 251 |
| | Configuring Global Catalog Servers | 252 |
| | Creating an OU | 252 |
| | Delegating Control of an OU | 253 |
| | Moving Objects | 254 |
| | Demoting a Domain Controller | 254 |
| | Summary | 255 |
| 8 | Managing Active Directory | 257 |
| | Backing Up and Restoring the Active Directory | 258 |
| | Backing Up System State Data | 260 |
| | Replication Restore | 261 |
| | Nonauthoritative Restore | 262 |
| | Authoritative Restore | 264 |
| | Modifying the Directory | 265 |
| | Managing Files and Folders in Active Directory | 280 |
| | Publishing Folders | 280 |
| | Managing Files and Folders through Group Policy | 283 |
| | Managing Printers in Active Directory | 286 |
| | Managing Software in Active Directory | 289 |
| | Assigning Software | 291 |
| | Publishing Software | 293 |
| | Creating a .zap File | 294 |
| | Configuring Software Installation Policy Properties | 295 |
| | Managing the User Desktop Through Group Policy | 297 |
| | Folder Redirection | 298 |
| | Managing Operations Masters | 300 |
| | Reassigning the Schema Master | 300 |
| | Reassigning the Domain Naming Master | 301 |
| | Reassigning the RID Master, PDC Emulator, or Infrastructure Master | 302 |
| | Summary | 303 |
| 9 | Active Directory Clients | 305 |
| | Understanding Client Options | 306 |
| | Windows 2000 Professional Hardware Requirements | 308 |
| | Windows 2000 Clients | 311 |
| | Windows NT Clients | 312 |
| | Windows 95/98 Clients | 312 |
| | Clients from Other Networking Systems | 314 |
| | Address Book | 315 |
| | Managing Clients | 316 |
| | Computer Management Tool | 317 |
| | AD Users and Computers | 318 |
| | Managing the Network from Clients | 331 |
| | Summary | 333 |
| Part III | Mastering Active Directory | |
| 10 | Active Directory Schema | 337 |
| | What Is the Schema? | 338 |
| | Attributes, Syntaxes, and Schema Classes | 341 |
| | The Schema Cache | 346 |
| | Modifying the Schema | 349 |
| | Schema Changes and the Schema Master | 351 |
| | Generating an X.500 Object ID | 354 |
| | Working with Active Directory Schema | 356 |
| | Working with ADSI Editor | 372 |
| | Summary | 376 |
| 11 | Active Directory Security | 377 |
| | Kerberos | 378 |
| | What Is Kerberos? | 379 |
| | How Does Kerberos Work in Windows 2000? | 384 |
| | Configuring Kerberos | 387 |
| | Interoperating Windows 2000 Kerberos | 394 |
| | What Kerberos Doesn't Prevent | 397 |
| | Understanding Security Policy | 398 |
| | Account Policies | 400 |
| | Local Policies | 402 |
| | Event Log | 405 |
| | Restricted Groups | 405 |
| | System Services | 407 |
| | Registry | 408 |
| | File System | 410 |
| | Public Key Policies | 411 |
| | IP Security Policies | 411 |
| | Summary | 432 |
| 12 | Scripting Active Directory | 433 |
| | Scripting in the Active Directory Environment | 434 |
| | Interfaces | 435 |
| | What Is Windows Scripting Host? | 438 |
| | Configuring Script Files | 439 |
| | cscript.exe | 442 |
| | wscript.exe | 443 |
| | Setting the Default Scripting Host | 444 |
| | Debugging Scripts | 444 |
| | Logon Scripts | 446 |
| | User Logon Scripts | 447 |
| | Policy Scripts | 448 |
| | Built-in Scripts | 451 |
| | Executing Scripts Automatically | 452 |
| | Running UNIX Scripts in Windows 2000 | 457 |
| | Summary | 458 |
| 13 | Interoperating Windows 2000 | 459 |
| | Windows 2000 and NetWare | 460 |
| | Configuring Windows 2000 for NetWare | 460 |
| | Services for NetWare | 473 |
| | Windows 2000 and UNIX-Based Systems | 474 |
| | Connectivity Utilities | 476 |
| | Interoperating Printers with UNIX | 488 |
| | Telnet Server | 490 |
| | Simple TCP/IP Services | 496 |
| | Services for UNIX | 497 |
| | Windows 2000 and Macintosh | 498 |
| | File Services for Macintosh | 500 |
| | Print Services for Macintosh | 510 |
| | Supporting AppleTalk | 515 |
| | Active Directory in the Microsoft Exchange Environment | 519 |
| | Organizing and Optimizing Connection Agreements | 524 |
| | Implementing an Exchange Server Connection | 525 |
| | Managing the Active Directory Connector | 532 |
| | Summary | 535 |
| | Index | 537 |