4762-3 FM.f.qc 10/25/00 4:31 PM Page i
IDG Books Worldwide, Inc.
An International Data Group Company
Foster City, CA ✦ Chicago, IL ✦ Indianapolis, IN ✦ New York, NY
Active Directory™ Bible
Published by
IDG Books Worldwide, Inc.
An International Data Group Company
919 E. Hillsdale Blvd., Suite 400
Foster City, CA 94404
www.idgbooks.com (IDG Books Worldwide Web site)

Copyright © 2001 IDG Books Worldwide, Inc. All rights reserved. No part of this book, including
interior design, cover design, and icons, may be reproduced or transmitted in any form, by any means
(electronic, photocopying, recording, or otherwise) without the prior written permission of the publisher.

Library of Congress Cataloging-in-Publication Data
Simmons, Curt, 1968-
Active directory bible / Curt Simmons.
ISBN 0-7645-4762-3 (alk. paper)
1. Directory services (Computer network technology) 2. Microsoft Windows (Computer file)

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

Distributed in the United States by IDG Books
Distributed by CDG Books Canada Inc. for Canada; by Transworld Publishers Limited in the United
Kingdom; by IDG Norge Books for Norway; by IDG Sweden Books for Sweden; by IDG Books Australia
Publishing Corporation Pty. Ltd. for Australia and New Zealand; by TransQuest Publishers Pte Ltd.
for Singapore, Malaysia, Thailand, Indonesia, and Hong Kong; by Gotop Information Inc. for Taiwan;
by ICG Muse, Inc. for Japan; by Intersoft for South Africa; by Eyrolles for France; by International
Thomson Publishing for Germany, Austria, and Switzerland; by Distribuidora Cuspide for Argentina;
by LR International for Brazil; by Galileo Libros for Chile; by Ediciones ZETA S.C.R. Ltda. for Peru; by
WS Computer Publishing Corporation, Inc., for the Philippines; by Contemporanea de Ediciones for
Venezuela; by Express Computer Distributors for the Caribbean and West Indies; by Micronesia
Media Distributor, Inc. for Micronesia; by Chips Computadoras S.A. de C.V. for Mexico; by Editorial
Norma de Panama S.A. for Panama; by American Bookshops for Finland.

For general information on IDG Books Worldwide’s books in the U.S., please call our Consumer Customer
Service department at 800-762-2974. For reseller information, including discounts and premium sales,
please call our Reseller Customer Service department at 800-434-3422.
For information on where to purchase IDG Books Worldwide’s books outside the U.S., please contact
our International Sales department at 317-572-3993 or fax 317-572-4002.
For consumer information on foreign language translations, please contact our Customer Service
department at 800-434-3422, fax 317-572-4002, or
For information on licensing foreign or domestic rights, please phone +1-650-653-7098.
For sales inquiries and special prices for bulk quantities, please contact our Order Services
department at 800-434-3422 or write to the
For information on using IDG Books Worldwide’s books in the classroom or for ordering examination
copies, please contact our Educational Sales department at 800-434-2086 or fax 317-572-4005.
For press review copies, author interviews, or other publicity information, please contact our Public
Relations department at 650-653-7000 or fax
For authorization to photocopy items for corporate, personal, or educational use, please contact
Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, or fax 978-750-4470.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND AUTHOR HAVE USED THEIR
BEST EFFORTS IN PREPARING THIS BOOK. THE PUBLISHER AND AUTHOR MAKE NO
REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE
CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THERE ARE NO WARRANTIES WHICH
EXTEND BEYOND THE DESCRIPTIONS CONTAINED IN THIS PARAGRAPH. NO WARRANTY MAY BE
CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE
ACCURACY AND COMPLETENESS OF THE INFORMATION PROVIDED HEREIN AND THE OPINIONS
STATED HEREIN ARE NOT GUARANTEED OR WARRANTED TO PRODUCE ANY PARTICULAR RESULTS,
AND THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY
INDIVIDUAL. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR
ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL,
CONSEQUENTIAL, OR OTHER DAMAGES.
Trademarks: All brand names and product names used in this book are trade names, service marks,
trademarks, or registered trademarks of their respective owners. IDG Books Worldwide is not associated
with any product or vendor mentioned in this book.
is a registered trademark or trademark under exclusive license
to IDG Books Worldwide, Inc. from International Data Group, Inc.
in the United States and/or other countries.
Welcome to the world of IDG Books Worldwide.
IDG Books Worldwide, Inc., is a subsidiary of International Data Group, the world’s largest publisher of
computer-related information and the leading global provider of information services on information technology.
IDG was founded more than 30 years ago by Patrick J. McGovern and now employs more than 9,000 people
worldwide. IDG publishes more than 290 computer publications in over 75 countries. More than 90 million
people read one or more IDG publications each month.
Launched in 1990, IDG Books Worldwide is today the #1 publisher of best-selling computer books in the
United States. We are proud to have received eight awards from the Computer Press Association in recognition
of editorial excellence and three from Computer Currents’ First Annual Readers’ Choice Awards. Our best-
selling ...For Dummies® series has more than 50 million copies in print with translations in 31 languages. IDG
Books Worldwide, through a joint venture with IDG’s Hi-Tech Beijing, became the first U.S. publisher to
publish a computer book in the People’s Republic of China. In record time, IDG Books Worldwide has become
the first choice for millions of readers around the world who want to learn how to better manage their
Our mission is simple: Every one of our books is designed to bring extra value and skill-building instructions
to the reader. Our books are written by experts who understand and care about our readers. The knowledge
base of our editorial staff comes from years of experience in publishing, education, and journalism —
experience we use to produce books to carry us into the new millennium. In short, we care about books, so
we attract the best people. We devote special attention to details such as audience, interior design, use of
icons, and illustrations. And because we use an efficient process of authoring, editing, and desktop publishing
our books electronically, we can spend more time ensuring superior content and less time on the technicalities
of making books.
You can count on our commitment to deliver high-quality books at competitive prices on topics you want
to read about. At IDG Books Worldwide, we continue in the IDG tradition of delivering quality for more than
30 years. You’ll find no better book on a subject than one from IDG Books Worldwide.
Chairman and CEO
IDG Books Worldwide, Inc.
IDG is the world’s leading IT media, research and exposition company. Founded in 1964, IDG had 1997 revenues of $2.05
billion and has more than 9,000 employees worldwide. IDG offers the widest range of media options that reach IT buyers
in 75 countries representing 95% of worldwide IT spending. IDG’s diverse product and services portfolio spans six key areas
including print publishing, online publishing, expositions and conferences, market research, education and training, and
global marketing services. More than 90 million people read one or more of IDG’s 290 magazines and newspapers, including
IDG’s leading global brands — Computerworld, PC World, Network World, Macworld and the Channel World family of
publications. IDG Books Worldwide is one of the fastest-growing computer book publishers in the world, with more than
700 titles in 36 languages. The “...For Dummies®” series alone has more than 50 million copies in print. IDG offers online
users the largest network of technology-specific Web sites around the world through IDG.net (http://www.idg.net), which
comprises more than 225 targeted Web sites in 55 countries worldwide. International Data Corporation (IDC) is the world’s
largest provider of information technology data, analysis and consulting, with research centers in over 41 countries and more
than 400 research analysts worldwide. IDG World Expo is a leading producer of more than 168 globally branded conferences
and expositions in 35 countries including E3 (Electronic Entertainment Expo), Macworld Expo, ComNet, Windows World
Expo, ICE (Internet Commerce Expo), Agenda, DEMO, and Spotlight. IDG’s training subsidiary, ExecuTrain, is the world’s
largest computer training company, with more than 230 locations worldwide and 785 training courses. IDG Marketing
Services helps industry-leading IT companies build international brand recognition by developing global integrated marketing
programs via IDG’s print, online and exposition products worldwide. Further information about the company can be found
Media Development Specialists
Angela D. Denny
Media Development Coordinator
Graphics and Production Specialists
Proofreading and Indexing
York Production Services
Quality Control Technician
Dina F Quan
About the Author
Curt Simmons, MCSE, MCT, CTT, is a freelance author and technical trainer focusing
on Microsoft operating systems and networking solutions. Curt is the author of
almost a dozen high-level technical books on Microsoft products, including Master
Active Directory Visually and MCSE Windows 2000 Server For Dummies. He has been
working closely with Windows 2000 and the Active Directory since Beta 1. Curt lives
with his wife and daughter in a small town outside of Dallas, Texas. You can reach
him at email@example.com or at http://curtsimmons.hypermart.net.
The Active Directory Bible is your comprehensive resource for planning, installing,
configuring, and managing the Microsoft Active Directory. The Active Directory,
which is the core networking technology in Windows 2000, provides advanced directory
service features that make your network — regardless of its size — easier to
manage and use.
Welcome to the World of Active Directory
You have heard plenty of things about the Active Directory. Some say the Active
Directory is the best product Microsoft has ever produced — some say the
Active Directory is still a baby that has a lot of maturing to do. No matter your
position, we can all agree that the Active Directory is Microsoft’s flagship product
at the moment and that the Active Directory is here to stay.
The Active Directory is the foundational networking component in Windows 2000.
The Active Directory completely revamps Microsoft networking from the days of
NT and brings Windows networking to a hierarchical, directory service model. This
model modernizes NT and paves the way for the future. With the Active Directory,
you have more manageability, more support for network resources, standardized
naming, and excellent query capabilities. In short, the Active Directory opens an
entirely new world for Windows.
Before I get too carried away with the details (which you can jump into in Chapter 1)
and before I sound like I’m singing Microsoft’s praises, let me just answer
two questions I am asked quite frequently. The first is simply, “Do you like the
Active Directory?” The answer is — yes, I do. Quite a bit, actually. The second
question is, “Is the Active Directory perfect?” I usually smile and shake my head
because you already know the answer. No — the Active Directory is not perfect,
and there are some serious design issues Microsoft will need to address in the
future. But in Microsoft’s defense, I will say that the first release of the Active
Directory is awfully good — and when you see the potential a live directory
service can bring to a network, I think you will agree.
If you are reading this book, you are likely one of two people. First, you’re a newcomer
to Windows 2000. Perhaps you have joined the ranks of the technical professionals in
search of a better career, and you know that Windows 2000 is a wise move. If that is
you — you have come to the right place. This book is all you need to learn all about the
Active Directory and the technologies that make it tick.
Second, you may be a systems administrator — someone who has a place in designing
an Active Directory implementation and in keeping everything running after it is
in place. You have a lot of work to do, and you need a resource that helps you meet
your goals quickly. You have come to the right place as well.
The Active Directory Bible is a comprehensive look at this new directory service.
You’ll learn how to plan, install, configure, manage, and integrate other technologies
with the Active Directory with this book.
How to Read This Book (Don’t Skip This Part!)
By now, I have read more than a few Active Directory books, white papers, and other
Microsoft documentation. One of my biggest complaints with these resources is the
problem with organization. The Active Directory is often difficult to explain because
you need to know about points A, B, and C at the same time before understanding D.
Likewise, you can’t explain C without A, and you can’t understand B without knowing
about D ... you get the picture. The problem is that the Active Directory is built
on a number of components that all play an equal role, so structuring a book or
document so that it makes sense is not easy.
I have worked very hard on this book to present a logical, chapter-by-chapter
approach to the Active Directory. If you are already familiar with the Active
Directory, you can turn straight to the chapter you need and get started. If you
are new to the Active Directory, read each chapter in order. I have tried to make
the book as sequential as possible so all of this will be easier to understand.
Along the way, you’ll find many useful step-by-step instructions and sidebars to
give you additional explanations. Be sure to read these as you learn all about
A Little about This Book’s Structure
This book is divided into four parts. The following sections give you an overview of
what you will find in each part.
Part I: Planning an Active Directory Deployment
In Part I, you learn about the Active Directory technology and conceptual framework,
and then you jump right into Active Directory planning. The planning process is
extremely important, and this part teaches you all about the Active Directory namespace,
constructing forests and trees, developing an OU plan, upgrading and migrating
to the Active Directory, and planning Active Directory sites and replication.