Active Directory - Api.pageplace.de

28. Using ADSI and ADO from ASP or VB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672VBScript Limitations and SolutionsHow to Avoid Problems When Using ADSI and ASPCombining VBScript and HTMLBinding to Objects via AuthenticationIncorporating Searches into ASPMigrating Your ADSI Scripts from VBScript to VBSummary67367467468069170471229. Scripting with WMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713Origins of WMIWMI ArchitectureGetting Started with WMI ScriptingWMI ToolsManipulating ServicesQuerying the Event LogsQuerying AD with WMIMonitoring TrustsMonitoring . Manipulating DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735DNS Provider OverviewManipulating DNS Server ConfigurationCreating and Manipulating ZonesCreating and Manipulating Resource RecordsSummary73573774374775231. Getting Started with VB.NET and System.Directory Services . . . . . . . . . . . . 753The .NET FrameworkUsing VB.NETOverview of System.DirectoryServicesDirectoryEntry BasicsSearching with DirectorySearcherManipulating ObjectsSummary753754755757763764767Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769Table of Contents xi

PrefaceActive Directory is a common repository for information about objects that reside onthe network, such as users, groups, computers, printers, applications, and files. Thedefault Active Directory schema supports numerous attributes for each object classthat can be used to store a variety of information. Access Control Lists (ACLs) arealso stored with each object, which allows you to maintain permissions for who canaccess and manage the object. Having a single source for this information makes itmore accessible and easier to manage; however, to accomplish this requires a significant amount of knowledge on such topics as LDAP, Kerberos, DNS, multi-masterreplication, group policies, and data partitioning, to name a few. This book will beyour guide through this maze of technologies, showing you how to deploy a scalableand reliable Active Directory infrastructure.Windows 2000 Active Directory has proven itself to be very solid in terms of features and reliability, but after several years of real-world deployments, there wasmuch room for improvement. When Microsoft released Windows Server 2003, theyfocused on security, manageability, and scalability enhancements. Windows Server2003 R2 takes this evolution further and combines Windows Server 2003 ServicePack 1 with some feature packs, which makes Windows Server even more secure,manageable, and scalable and also adds considerable new functionality, such as astand-alone LDAP server service and increased Unix system integration functionsright in the box.This book is an update to the very successful second edition. All of the existing chapters have been brought up to date with Windows Server 2003 R2 changes, as well asupdates in concepts and approaches to managing Active Directory and scriptupdates. There are three new chapters (Chapters 15, 18, and 24) to explain featuresor concepts not covered in the second edition, including an entire chapter on ActiveDirectory Application Mode (ADAM) as well as a chapter on scripting commonActive Directory related user and group tasks for Microsoft Exchange 2000/2003.This book describes Active Directory in depth, but not in the traditional way ofgoing through the graphical user interface screen by screen. Instead, the book setsiThis is the Title of the Book, eMatter EditionCopyright 2008 O’Reilly & Associates, Inc. All rights reserved.

out to tell administrators how to design, manage, and maintain a small, medium, orenterprise Active Directory infrastructure. To this end, the book is split up into threeparts.Part I introduces in general terms much of how Active Directory works, giving you athorough grounding in its concepts. Some of the topics include Active Directory replication, the schema, application partitions, group policies, and interaction withDNS.In Part II, we describe in copious detail the issues around properly designing thedirectory infrastructure. Topics include in-depth looks at designing the namespace,creating a site topology, designing group policies for locking down client settings,auditing, permissions, backup and recovery, and a look at Microsoft’s future direction with Directory Services.Part III is all about managing Active Directory via automation with Active DirectoryService Interfaces (ADSI), ActiveX Data Objects (ADO), and Windows ManagementInstrumentation (WMI). This section covers how to create and manipulate users,groups, printers, and other objects that you may need in your everyday managementof Active Directory. It also describes in depth how you can utilize the strengths ofWMI and the .NET System.DirectoryServices namespace to manage Active Directory programmatically via those interfaces.If you’re looking for in-depth coverage of how to use the MMC snap-ins or ResourceKit tools, look elsewhere. However, if you want a book that lays bare the design andmanagement of an enterprise or departmental Active Directory, you need look nofurther.Intended AudienceThis book is intended for all Active Directory administrators, whether you manage asingle server or a global multinational with a farm of thousands of servers. Even ifyou have a previous edition, you will find this third edition to be full of updates andcorrections and a worthy addition to your “good” bookshelf: the bookshelf next toyour PC with the books you really read that are all dog-eared with soda drink spillsand pizza grease on them. To get the most out of the book, you will probably find ituseful to have a server running Windows Server 2003 SP1 or R2 and the SupportTools and Resource Kit tools available so that you can check out various items as wepoint them out.If you have no experience with VBScript, the scripting language we use in Part III,don’t worry. The syntax is straightforward, and you should have no difficulty grasping the principles of scripting with ADSI, ADO, and WMI. For those who want tolearn more about VBScript, we provide links to various Internet sites and otherbooks as appropriate.ii PrefaceThis is the Title of the Book, eMatter EditionCopyright 2008 O’Reilly & Associates, Inc. All rights reserved.

Contents of the BookThis book is split into three parts.Part I, Active Directory BasicsChapter 1, A Brief IntroductionReviews the evolution of the Microsoft NOS and some of the major features andbenefits of Active Directory.Chapter 2, Active Directory FundamentalsProvides a high-level look at how objects are stored in Active Directory andexplains some of the internal structures and concepts that it relies on.Chapter 3, Naming Contexts and Application PartitionsReviews the predefined Naming Contexts within Active Directory, what is contained within each, and the purpose of Application Partitions.Chapter 4, Active Directory SchemaGives you information on how the blueprint for each object and each object’sattributes are stored in Active Directory.Chapter 5, Site Topology and ReplicationDetails how the actual replication process for data takes place between domaincontrollers.Chapter 6, Active Directory and DNSDescribes the importance of the Domain Name System (DNS) and what it isused for within Active Directory.Chapter 7, Profiles and Group Policy PrimerGives you a detailed introduction to the capabilities of both user profiles andGroup Policy Objects.Part II, Designing an Active Directory InfrastructureChapter 8, Designing the NamespaceIntroduces the steps and techniques involved in properly preparing a design thatreduces the number of domains and increases administrative control through theuse of Organizational Units.Chapter 9, Creating a Site TopologyShows you how to design a representation of your physical infrastructure withinActive Directory to gain very fine-grained control over intrasite and intersite replication.Chapter 10, Designing Organization-Wide Group PoliciesExplains how Group Policy Objects function in Active Directory and how youcan properly design an Active Directory structure to make the most effective useof these functions.PrefaceThis is the Title of the Book, eMatter EditionCopyright 2008 O’Reilly & Associates, Inc. All rights reserved. iii

Chapter 11, Active Directory Security: Permissions and AuditingDescribes how you can design effective security for all areas of your Active Directory, in terms of both access to objects and their properties; it includes information on how to design effective security access logging in any areas you choose.Chapter 12, Designing and Implementing Schema ExtensionsCovers procedures for extending the classes and attributes in the Active Directory schema.Chapter 13, Backup, Recovery, and MaintenanceDescribes how you can back up and restore Active Directory down to the objectlevel or the entire directory.Chapter 14, Upgrading to Windows Server 2003Outlines how you can upgrade your existing Active Directory infrastructure toWindows Server 2003.Chapter 15, Upgrading to Windows Server 2003 R2Outlines the process to upgrade your existing Active Directory to WindowsServer 2003 R2.Chapter 16, Migrating from Windows NTGives very basic guidelines on areas to think about when conducting a Windows NT 4.0 migration. This is only an introduction to the subject; readerslooking for step-by-step guides or detailed studies of migration will need to lookelsewhere.Chapter 17, Integrating Microsoft ExchangeCovers some of the important Active Directory–related issues when implementing Microsoft Exchange.Chapter 18, Active Directory Application Mode (ADAM)Introduces Active Directory Application Mode (ADAM), now included withWindows Server 2003 R2, along with information on some of the upgrades fromthe RTW version of ADAM.Chapter 19, Interoperability, Integration, and Future DirectionLooks into what methods exist now and will exist in the future for integratingActive Directory with other directories and data stores.Part III, Scripting Active Directory with ADSI, ADO, and WMIChapter 20, Scripting with ADSIIntroduces ADSI scripting by leading you through a series of step-by-step examples.Chapter 21, IADs and the Property CacheDelves into the concept of the property cache used extensively by ADSI andshows you how to properly manipulate any attribute of any object within it.iv PrefaceThis is the Title of the Book, eMatter EditionCopyright 2008 O’Reilly & Associates, Inc. All rights reserved.

Chapter 22, Using ADO for SearchingDemonstrates how to make use of a technology normally reserved for databasesand now extended to allow rapid searching for objects in Active Directory.Chapter 23, Users and GroupsGives you the lowdown on how to rapidly create users and groups, giving themwhatever attributes you desire.Chapter 24, Basic Exchange TasksTackles common Active Directory related user and group management tasks forMicrosoft Exchange 2000/2003.Chapter 25, Shares and Print QueuesExplains how other persistent objects such as services, shares, and printers maybe manipulated; it also looks at dynamic objects, such as print jobs, user sessions, and resources.Chapter 26, Permissions and AuditingDescribes how each object contains its own list of permissions and auditingentries that governs how it can be accessed and how access is logged. The chapter then details how you can create and manipulate permission and auditingentries as you choose. It closes with a complete script to enumerate the entiresecurity descriptor for any Active Directory object including proper constantnames for all values, perfect for anyone looking to script Active Directory delegation and wanting to know what values should be set.Chapter 27, Extending the Schema and the Active Directory Snap-insCovers creation of new classes and attributes programmatically in the schema,and modification of the existing Active Directory snap-ins to perform additionalcustomized functions.Chapter 28, Using ADSI and ADO from ASP or VBGoes into how you can extend the scripts that have been written by incorporating them into web pages or even converting them to simple VB programs.Chapter 29, Scripting with WMIGives a quick overview of WMI and goes through several examples for managing a system, including services, the registry, and the event log. Accessing ADwith WMI is also covered, along with the new TrustMon and Replication WMIProviders.Chapter 30, Manipulating DNSDescribes how to manipulate DNS server configuration, zones, and resourcerecords with the WMI DNS Provider.Chapter 31, Getting Started with VB.NET and System.Directory ServicesStarts off by providing some background information on the .NET Frameworkand then dives into several examples using the System.DirectoryServicesnamespace with VB.NET.Preface This is the Title of the Book, eMatter EditionCopyright 2008 O’Reilly & Associates, Inc. All rights reserved.v

Conventions Used in This BookThe following typographical conventions are used in this book:Constant widthIndicates command-line elements, computer output, and code examplesConstant width italicIndicates variables in examples and registry keysConstant width boldIndicates user inputItalicIntroduces new terms and indicates URLs, commands, file extensions, filenames,directory or folder names, and UNC pathnamesIndicates a tip, suggestion, or general note. For example, we’ll tell youif you need to use a particular version or if an operation requires certain privileges.Indicates a warning or caution. For example, we’ll tell you if ActiveDirectory does not behave as you’d expect or if a particular operationhas a negative impact on performance.Using Code ExamplesThis book is here to help you get your job done. In general, you may use the code inthis book in your programs and documentation. You do not need to contact us forpermission unless you’re reproducing a significant portion of the code. For example,writing a program that uses several chunks of code from this book does not requirepermission. Selling or distributing a CD-ROM of examples from O’Reilly books doesrequire permission. Answering a question by citing this book and quoting examplecode does not require permission. Incorporating a significant amount of examplecode from this book into your product’s documentation does require permission.We appreciate, but do not require, attribution. An attribution usually includes thetitle, author, publisher, and ISBN. For example: “Active Directory, Third Edition, byRobbie Allen, Joe Richards, and Alistair G. Lowe-Norris. Copyright 2006 O’ReillyMedia, Inc., 0-596-10173-2.”If you feel your use of code examples falls outside fair use or the permission givenabove, feel free to contact us at permissions@oreilly.com.vi PrefaceThis is the Title of the Book, eMatter EditionCopyright 2008 O’Reilly & Associates, Inc. All rights reserved.

How to Contact UsWe have tested and verified the information in this book to the best of our ability,but you might find that features have changed (or even that we have made mistakes!). Please let us know about any errors you find, as well as your suggestions forfuture editions, by writing to:O’Reilly Media, Inc.1005 Gravenstein Highway NorthSebastopol, CA 95472(800) 998-9938 (in the United States or Canada)(707) 829-0515 (international/local)(707) 829-0104 (fax)To ask technical questions or comment on the book, send email to:bookquestions@oreilly.comWe have a web page for this book where we list examples and any plans for futureeditions. You can access this information at:http://www.oreilly.com/catalog/actdir3For more information about books, conferences, Resource Centers, and the O’ReillyNetwork, see the O’Reilly web site at:http://www.oreilly.comSafari EnabledWhen you see a Safari Enabled icon on the cover of your favorite technology book, that means the book is available online through theO’Reilly Network Safari Bookshelf.Safari offers a solution that’s better than e-books. It’s a virtual library that lets youeasily search thousands of top tech books, cut and paste code samples, downloadchapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.AcknowledgmentsFor the Third Edition (Joe)I want to thank Robbie Allen for my introduction into the world of book-writing andfor putting up with my often-grumpy responses to silly issues we encountered on thisproject. Truly, I wouldn’t have worked on this book had it not been for Robbie; if IPrefaceThis is the Title of the Book, eMatter EditionCopyright 2008 O’Reilly & Associates, Inc. All rights reserved. vii

did not say it before, I am happy I had the opportunity to have this experience—thank you.Thanks to Alistair for the first edition. I recall being involved with the decision tomigrate a company of 200k users to W2K and realizing that I knew nothing aboutAD other than it was supposed to be “super-cool” and fixed everything that was broken in NT. “The Cat Book,” the only book on AD around at the time, prepared mewith the essential concepts and ideas to get started. After five years, I am happy to beable to give back some of what I have learned to that very same book.Thanks to the folks who had the onerous task of finding the mistakes. I was lucky tohave very knowledgeable reviewers who spent a lot of time reading every word (oldand new) and bluntly telling me the issues. To Hunter Colman and Stuart Fuller: youguys were afraid you wouldn’t add value. You were completely wrong; you added alot of value. To Lee Flight: thanks for reviewing another edition of this book; yourcomments were invaluable. To Laura Hunter: I will never look at a comma the sameway again; you helped the structure and flow immensely. To Ulf B. Simon-Weidner:your comments and ideas were a great help. Finally, thanks to Dean Wells, a greatsource of information, fear, and humorous English phrases. Dean couldn’t revieweverything but he happily helped me out when I asked. He spent at least 90 minuteson the phone one night just discussing changes that needed to be made to a fewpages of Chapter 5. All of these guys (and gal) are extremely knowledgeable, opinionated, and professional. It was an honor having them tell me what was screwed up.Thanks to my friend Vern Rottman for being an “unofficial” reviewer and runninginterference for me when I worked with him.Thanks to the Microsoft Directory Service Developers: because of you, we have a“super-cool” DS. P.S. AD/AM rocks. Thanks to Dmitri Gavrilov for going above andbeyond by responding to my unsolicited emails. Thanks to Stuart Kwan (of theOttawa Kwan Clan) for being one of the most insanely energetic speakers and, at thesame time, actually listening to what we thought was wrong and working to get corrections

or concepts not covered in the second edition, including an entire chapter on Active Directory Application Mode (ADAM) as well as a chapter on scripting common Active Directory related user and group tasks for Microsoft Exchange 2000/2003. This book describes Active Directory in depth, but not in the traditional way of