The Definitive Guide to Active Directory Troubleshooting, Auditing, and Best Practices, 2011 Edition
Introduction to Realtime Publishers
by Don Jones, Series Editor
For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future.

Until then, enjoy.

Don Jones
Introduction to Realtime Publishers ... i
Chapter 1: A Non-Introduction to Active Directory ... 1
A Brief AD History and Background ... 1
Inventorying Your AD ... 2
Forests and Trusts ... 3
Domains and Trusts ... 4
Domain Controllers ... 6
Global Catalogs ... 7
FSMOs ... 8
Containers ... 8
Subnets, Sites, and Links ... 9
DNS ... 12
What's Ahead ... 12
AD Troubleshooting ... 12
AD Security ... 13
AD Auditing ... 13
AD Best Practices ... 13
AD LDS ... 13
Let's Get Started! ... 13
Download Additional eBooks from Realtime Nexus! ... 14
Copyright Statement
2010 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the Materials) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. 
If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at info@realtimepublishers.com.
Chapter 1: A Non-Introduction to Active Directory

The world has been using Active Directory (AD) for more than a decade now, so there's probably little point in doing a traditional introduction for this book. However, there's still a bit of context that we should cover before we get started, and we should definitely think about AD's history as it applies to our topics of troubleshooting, auditing, and best practices.

The real point of this chapter is to identify key elements of AD that you need to completely inventory in your environment before proceeding in this book. Much of the material in the following chapters will refer to specific infrastructure elements, and will make recommendations based on specifics in common AD environments and scenarios. To make the most of those recommendations, you'll need to know the specifics of your own environment so that you know exactly which recommendations apply to you, and a complete, up-to-date inventory is the best way to gain that familiarity. To conclude this chapter, I'll briefly outline what's coming up in the chapters ahead.
A Brief AD History and Background

AD was introduced with Windows 2000 Server, and replaced the NT Domain Services (NTDS) that had been used since Windows NT 3.1. AD is Microsoft's first real directory; NTDS was pretty much just a flat user account database. AD was designed to be more scalable, more efficient, more standards-based, and more modern than its predecessor. However, AD was (and is) still built on the Windows operating system (OS), and as such shares some of the OS's particular patterns, technologies, eccentricities, and other characteristics.

AD also integrated a successor to Microsoft's then-nascent registry-based management tools. Known today as Group Policy, this new feature added significant roles to the directory beyond the normal one of authentication. With Group Policy, you can centrally define and assign literally thousands of configuration settings to Windows computers (and even non-Windows computers, with the right add-ins) belonging to the domain.
When AD was introduced, security auditing was something that relatively few companies worried about. Since 2000, numerous legislative and industry regulations throughout the world have made security and privacy auditing much more commonplace, although AD's native auditing capabilities have changed very little throughout that time. Because of its central role in authentication and configuration management, AD occupies a critical role for security operations, management, and review within organizations.

We also have to recognize that, aside from governing permissions on its own objects, AD doesn't play a central role in authorization. That is, permissions on things like files, folders, mailboxes, databases, and so forth aren't managed within AD. Instead, those permissions are managed at their point of use, meaning they're managed on your file servers, mail servers, database servers, and so forth. Those servers may assign permissions to identities that are authenticated by AD, but those servers control who actually has access to what. This division of labor between authentication and authorization makes for a highly scalable, robust environment, but it also creates significant challenges when it comes to security management and auditing, because there's no central place to control or review all of those permissions.

Over the past decade, we've learned a lot about how AD should be built and managed. Gone are the days when consultants routinely started a new forest by creating an empty root domain; also gone are the days when we believed the domain was the ultimate security boundary and that organizations would only ever have a single forest. In addition to covering troubleshooting and auditing, this book will present some of the current industry best practices around managing and architecting AD.

We've also learned that, although difficult to change, your AD design isn't necessarily permanent. Tools and techniques originally created to help migrate to AD are now used to restructure AD, in effect migrating to a new version of a domain as our businesses change, merge, and evolve. This book doesn't specifically focus on mergers and restructures, but keep in mind that those techniques (and tools to support them) are available if you decide that a directory restructure is the best way to proceed for your organization.
Inventorying Your AD

Before we get started, it's important that you have an up-to-date, accurate picture of what your directory looks like. This doesn't mean turning to the giant directory diagram that you probably have taped to the wall in your data center or server room, unless you've double-checked to make sure that thing is up to date and accurate! Throughout this book, I'll be referring to specific elements of your AD infrastructure, and in some cases, you might even want to consider implementing changes to that infrastructure. In order to best follow along, and make decisions, you'll want to have all of the following elements inventoried.
Forests and Trusts

Most organizations have realized that, given the power of the forest-level Enterprise Admins group, the AD forest is in fact the top-level security boundary. Many companies have multiple forests, simply because they have resources that can't all be under the direct control of a single group of administrators. However, to ensure the ability for users, with the appropriate permissions of course, to access resources across forests, cross-forest trusts are usually defined. Your first inventory should be to define the forests in your organization, determine who controls each forest, and document the trusts that exist between those forests.

Cross-forest trusts can be one-way, meaning that if Forest A trusts Forest B, the converse is not necessarily true unless a separate trust has been established so that Forest B explicitly trusts Forest A. Two-way trusts are also possible, meaning that Forest A and Forest B can trust each other through a single trust connection. Forest trusts are also non-transitive: If Forest A trusts Forest B, and Forest B trusts Forest C, then Forest A does not trust Forest C unless a separate, explicit trust is created directly between A and C.

When we talk about trust, we're saying that the trusting forest will accept user accounts from the trusted forest. That is, if Forest A trusts Forest B, then user accounts from Forest B can be assigned permissions on resources within Forest A. Forest trusts automatically include every domain within the forest, so that if Forest A contains five domains, then every one of those domains would be able to assign permissions to user accounts from Forest B.

Each forest consists of a root domain and may also include one or more child domains. Figure 1.1 shows how you might document your forests. Key elements include meta-directory synchronization links, forest trusts, and a general indication of what each forest is used for (such as for users or for resources).
Domains and Trusts

Domains act as a kind of security boundary. Although subject to the management of members of the Enterprise Admins group, and to a degree the Domain Admins of the forest root domain, domains are otherwise independently managed by their own Domain Admins group (or whatever group those permissions have been assigned or delegated to).

Account domains are those that have been configured to contain user accounts but which contain no resource servers such as file servers. Resource domains contain only resources such as file servers, and do not contain user accounts. Neither of these designations is strict, and neither exists within AD itself. For example, any resource domain will have at least a few administrator user accounts, user groups, and so forth. The type of domain designation is strictly a human convenience, used to organize domains in our minds. Many companies also use mixed domains, in which both user accounts and resources exist.
Domains are typically organized into a tree, beginning with the root domain and then through domains that are configured as children of the root. Domain names reflect this hierarchy: Company.com might be the name of a root domain, and West.Company.com, East.Company.com, and North.Company.com might be child domains. Within such a tree, all domains automatically establish a transitive parent-child two-way trust, effectively meaning that each domain trusts each other domain within the same tree.

Forests, as the name implies, can contain multiple domain trees. By default, the root of each tree has a two-way, transitive trust with the forest root domain (which is the root of the first tree created within that forest), effectively meaning that all domains within a forest trust each other. That's the main reason companies have multiple forests, because the full trust model within a forest gives top-level, forest-wide control to the forest's Enterprise Admins group.

Even if you rely entirely on these default inter-domain trusts, it's still important to document them, along with the domains' names. Figure 1.2 shows how you might build a domain diagram in a program like Microsoft Office Visio. The emphasis in this diagram is on the logical domain structure.
Domain Controllers

Domain controllers (DCs) are what make AD work. They're the servers that run AD's services, making the directory a reality. It's absolutely crucial, as you start reading this book, that you know how many DCs you have, where they're located, what domains they're in, and their individual IP addresses.

In many environments, DCs also provide other services, most frequently Domain Name Service (DNS). Other roles held by DCs may include WINS and DHCP services.

A DC's main role is to provide authentication services for domain users and for resources within the domain. We typically think of this authentication stuff as happening mainly when users show up for work in the morning, and in most cases, that is when the bulk of the authentication traffic occurs. However, as users attempt to access resources throughout the day, their computer will automatically contact a DC to obtain a Kerberos ticket for those resources. In other words, authentication traffic continues throughout the day, albeit at a somewhat slower, more evenly distributed pace than the morning rush.

That morning rush can be significant: Each user's computer must contact a DC to log itself onto the domain, and then again when the user is ready to log on. Users almost always start the day with a few mapped drives, each of which may require a Kerberos ticket, and they usually fire up Outlook, requiring yet another ticket. Some of the organizations I've consulted with have each user interacting with a DC more than a dozen times each morning, and then several dozen more times throughout the day.

We tend to size our DCs for that morning rush, and that capacity generally sees us throughout the day, even if we take the odd DC offline midday for patching or other maintenance.

Each DC maintains a complete, read/write copy of the entire directory (the only exception being newfangled read-only domain controllers, RODCs, which, as the name implies, contain only a readable copy of the directory). Multimaster replication ensures that any change made on any DC will eventually propagate to every other DC in the domain.

Replication is often one of the trickiest bits of AD, and is one of the things we tend to spend the most time monitoring and troubleshooting. Not all domain data is created equally: Some high-priority data, such as account lockouts, replicates almost immediately (or at least as quickly as possible), while less critical information can take much longer to make its way throughout the organization.

Figure 1.3 shows what a DC inventory might look like. Note the emphasis on physical details: IP addresses, DNS configuration, domain membership, and so forth.
Global Catalogs

A global catalog (GC) is a specific service that can be offered by a DC in addition to its usual DC duties. The GC contains a subset of information about every object in an entire forest, and enables users in each domain to discover information from other domains in the same forest. Each domain needs at least one GC; however, given the popularity of Exchange Server and its heavy dependence on GCs (Outlook, for example, relies on GCs to do email address resolution), it's not unusual to see a majority, or even all, DCs in a domain configured as GC servers.

Make sure you know exactly where your GCs are located. Numerous network operations can be hindered by a paucity of GCs, but having too many GCs can significantly increase the replication burden on your network.

Note: In Figure 1.3, "GC" is used to indicate DCs that are also hosting the GC server role.
FSMOs
Certain operations within a domain, and within a forest, need a single DC to be in charge. It is absolutely essential for most troubleshooting processes that you know where these Flexible Single Master of Operation (FSMO) role holders sit within your infrastructure:

- The RID Master is in charge of handing out Relative IDs (RIDs) within a single domain (and so you'll have one RID Master per domain). RIDs are used to uniquely identify new AD objects, and they are assigned in batches to DCs. If a DC runs out of RIDs and can't get more, that DC can't create new objects. It's common to put the RID Master role on a DC that's used by administrators to create new accounts, so that that DC will always be able to request RIDs.
- The Infrastructure Master maintains security identifiers for objects referenced in other domains; typically, that means updating user and group links. You have one of these per domain.
- The PDC Emulator provides backward compatibility with the old NTDS, and is the only place where NTDS-style changes can be made (any DC provides read access for NTDS clients). Given that NTDS clients are becoming extinct in most organizations, the PDC Emulator (you'll have one in each of your domains, by the way) doesn't get used a lot for that purpose. Fortunately, it has a few other things to keep it busy. For example, password changes processed by other DCs tend to replicate to the PDC Emulator first, and the PDC Emulator serves as the authoritative time source for time synchronization within a domain.
- Each forest will contain a single Schema Master, which is responsible for handling schema modifications for the forest.
- Each forest also has a Domain Naming Master, which keeps track of the domains in the forest, and which is required when adding or removing domains to or from the forest. The Domain Naming Master also plays a role in maintaining group membership across the forest.
Containers
The logical structure of AD is divided into a set of hierarchical containers. AD supports two main types: containers and organizational units (OUs). A couple of built-in containers (such as the Users container) exist by default within a domain, and you can create all the OUs that you want to help organize your domain's objects and resources. Again, an inventory here is critical, as several operations, most especially Group Policy application, work primarily based on things like OU membership.

Figure 1.4 shows one way in which you might document your OU and container hierarchy. Depending on the size and depth of your hierarchy, you could also just grab a screenshot from a program like Active Directory Users and Computers.
Subnets, Sites, and Links

In AD terms, a subnet is an entry in the directory that defines a single network subnet, such as 192.168.1.0/8. A site is a collection of subnets that all share local area network (LAN)-style connectivity, typically 100Mbps or faster. In other words, a site consists of all the subnets in a given geographic location.

Links, or site links, define the physical or logical connectivity between sites. These tell AD's replication algorithms which DCs are able to physically communicate across wide area network (WAN) links, so that replicated data can make its way throughout the organization. Documenting your subnets, sites, and links is quite probably the most important inventory you can have for a geographically dispersed domain.
Figure 1.6: Configuring a site link bridge.

As you document your sites, think again about numbers: How many computers are in each site? How many users? Make a notation of these numbers, along with a notation of how many DCs exist at each site.

Sites should, as much as possible, reflect the physical reality of your network; they don't correspond to the logical structure of the domain in any way. One site may contain DCs from several domains or forests, and any given domain may easily span multiple sites. However, site links are kind of a part of the domain's logical structure, because those links are defined within the directory itself. If you have multiple domains, it's worth building a diagram (like Figure 1.5 or 1.6) for each domain, even if they look substantially the same. In fact, any group of domains that spans the same physical sites should have identical-looking site diagrams, because the physical reality of your network isn't changing. Going through the exercise of creating the diagrams will help ensure that each domain has its links and bridges configured properly.
DNS
The last critical piece of your inventory consists of your DNS servers. You should clearly document where each server physically sits and think about which clients it serves. Most companies have at least two DNS servers, although having more (and distributing them throughout your network) can provide better DNS performance to distant clients. AD absolutely cannot function without DNS, so it's important that both servers and clients have ready access to a high-performance DNS server. Most AD problems are rooted in DNS issues, meaning much of our troubleshooting discussion will be about DNS, and that discussion will be more meaningful if you can quickly locate your DNS servers on your network.

Also try to make some notation of which users, and how many users, utilize each DNS server, either as a primary, secondary, or other server. That will help give you an at-a-glance view of each DNS server's workload, and give you an idea of which users are relying on a particular server.

Putting Your Inventory into Visual Form

A tool like Microsoft Office Visio is often utilized to create AD infrastructure diagrams, often showing both the logical structure (domains, forests, and trusts) and the physical topology (subnets, sites, links, and so forth). There are also third-party tools that can automatically discover your infrastructure elements and create the appropriate charts and diagrams for you. The benefit of such tools is that they're always right, because they're reflecting reality, not someone's memory of reality. They can usually catch changes and create updated diagrams much faster and more accurately than you can.

I love to use those kinds of tools in combination with my own hand-drawn diagrams. If the tool-generated picture of my topology doesn't match my own picture, I know I've got a problem, and that can trigger an investigation and a change, if needed.
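As an added example, not code from the book, the following PowerShell script collects the inventory elements that the sections from Forests and Trusts through DNS ask for (forest and trusts with their direction and transitivity, per-domain FSMO holders, DCs with IP, site, GC and RODC status, subnets and site links, OUs, and the name servers for each domain zone), and applies the Global Catalogs section's rule that every domain needs at least one GC. It assumes the RSAT ActiveDirectory module and the DnsClient module are installed and that the caller can read the whole forest; the output folder and the helper names Out-Inventory and Get-Cn are my own choices.

```powershell
# Added example, not the book's code: gather the Chapter 1 inventory with the RSAT
# ActiveDirectory module (Get-AD*) and the DnsClient module (Resolve-DnsName).
# Assumptions: the modules are installed, the account can read the whole forest,
# and $OutDir (a folder name chosen here) is where the CSV files should land.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$OutDir = Join-Path $env:TEMP 'ad-inventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Helper (assumed name): one CSV file per inventory table.
function Out-Inventory([string]$Name, $Rows) {
    $Rows | Export-Csv -Path (Join-Path $OutDir "$Name.csv") -NoTypeInformation
}
# Helper (assumed name): site references come back as DNs; keep the CN for diagrams.
function Get-Cn([string]$Dn) { ($Dn -split ',')[0] -replace '^CN=' }

# 1. Forest: root domain, forest-wide FSMO holders, GCs and member domains.
$forest = Get-ADForest
Out-Inventory 'forest' ([pscustomobject]@{
    Forest             = $forest.Name
    RootDomain         = $forest.RootDomain
    ForestMode         = $forest.ForestMode
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
    Domains            = $forest.Domains -join ';'
    GlobalCatalogs     = $forest.GlobalCatalogs -join ';'
})

# 2. Trusts: Direction (Inbound/Outbound/BiDirectional) and ForestTransitive are the
#    one-way/two-way and transitivity facts the forest diagram has to show; SID
#    filtering and selective authentication are recorded for the security review.
Out-Inventory 'trusts' (Get-ADTrust -Filter * | Select-Object Source, Target, Direction,
    TrustType, IntraForest, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication)

# 3. Per-domain FSMO holders and position in the domain tree.
$domains = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ }
Out-Inventory 'domains' ($domains | Select-Object DNSRoot, NetBIOSName, ParentDomain,
    DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster)

# 4. Domain controllers with the physical details the DC inventory emphasises:
#    address, site, domain, GC and RODC status, and any FSMO roles held.
$dcs = $domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_.DNSRoot }
Out-Inventory 'domain-controllers' ($dcs | Select-Object HostName, IPv4Address, Domain,
    Site, IsGlobalCatalog, IsReadOnly, OperatingSystem,
    @{ n = 'FSMORoles'; e = { $_.OperationMasterRoles -join ';' } })

# Check taken from the Global Catalogs section: every domain needs at least one GC.
$dcs | Group-Object Domain | ForEach-Object {
    if (-not ($_.Group | Where-Object IsGlobalCatalog)) {
        Write-Warning "Domain $($_.Name) has no global catalog server"
    }
}

# 5. Subnets and site links: the physical topology behind Figures 1.5 and 1.6.
Out-Inventory 'subnets' (Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ n = 'Site'; e = { Get-Cn $_.Site } })
Out-Inventory 'site-links' (Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
    @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { Get-Cn $_ }) -join ';' } })

# 6. OU hierarchy, one row per OU, for every domain in the forest.
Out-Inventory 'ous' ($domains | ForEach-Object {
    $dom = $_.DNSRoot
    Get-ADOrganizationalUnit -Filter * -Server $dom |
        Select-Object @{ n = 'Domain'; e = { $dom } }, DistinguishedName
})

# 7. DNS: the name servers each domain zone is served by, as the start of the DNS inventory.
Out-Inventory 'dns-servers' ($domains | ForEach-Object {
    $zone = $_.DNSRoot
    Resolve-DnsName -Name $zone -Type NS -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'NS' |
        Select-Object @{ n = 'Zone'; e = { $zone } }, @{ n = 'NameServer'; e = { $_.NameHost } }
})

Write-Host "Inventory written to $OutDir"
```

Comparing a fresh run of this against your hand-drawn diagrams is the mismatch check the sidebar describes; a DC that appears in the CSV but not on the wall chart is the first thing to investigate.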
What's Ahead

Let's wrap up this brief introduction with a look at what's coming up in the next seven chapters.

AD Troubleshooting

Chapters 2 and 3 will concern themselves primarily with troubleshooting. In Chapter 2, we'll focus on the ways and means of monitoring AD, including native event logs, system tools, command-line tools, network monitors, and more. I'll also present desirable capabilities available in third-party tools (both free and commercial), with a goal of helping you to build a sort of shopping list of features that may support troubleshooting, security, auditing, and other needs.
AD Security

In Chapter 4, we'll dive into and discuss the base architecture for AD security. We'll look more at the issue of distributed permissions management, and discuss some of the problems that it presents and some of the advantages it offers. We'll look at some do-it-yourself tools for centralizing permissions changes and reporting, and explore whether you should rethink your AD security design. We'll also look at third-party capabilities that can make security management easier, and dive into the little-understood topic of DNS security.

AD Auditing

Chapter 5 will cover auditing, discussing AD's native auditing architecture and looking at how well that architecture helps to meet modern auditing requirements. I'll also present capabilities that are offered by third-party tools and how well those can meet today's business requirements and goals.

AD Best Practices

Chapter 6 will be a roundup of best practices for AD, including a quick look at whether you should reconsider your current AD domain and forest design (and, if you do, how you can migrate to that new design with minimum risk and effort). We'll also look at best practices for disaster recovery, restoration, security, replication, FSMO placement, DNS design, and more. I'll present new ideas for virtualizing your AD infrastructure, and look at best practices for ongoing maintenance.

AD LDS

Chapter 7 gives me an opportunity to cover additional information: AD's smaller cousin, Active Directory Lightweight Directory Services (AD LDS). We'll look at what it is, when to use it, when not to use it, and how to troubleshoot and audit this valuable service.

Let's Get Started!

With your AD inventory updated and in hand, we're ready to begin. The next chapter will introduce you to the majority of the tools that you'll need to pry valuable information out of AD so that you can start assembling your security and troubleshooting utility belt.
Download Additional eBooks from Realtime Nexus!

Realtime Nexus: The Digital Library provides world-class expert resources that IT professionals depend on to learn about the newest technologies. If you found this eBook to be informative, we encourage you to download more of our industry-leading technology eBooks and video guides at Realtime Nexus. Please visit http://nexus.realtimepublishers.com.