Although forests constitute the security boundary in an Active Directory environment, you can split up your AD infrastructure into separate domains to create smaller administrative or replication boundaries within a large-scale network. In Windows 2000 and Windows Server 2003 Active Directory, domains can also constitute a policy boundary, as certain Group Policy settings such as password policies and account lockout policies can only be applied at the domain level. (Windows Server 2008 introduces the concept of a Fine-Grained Password Policy, which allows administrators to configure multiple password and account lockout policies within a single domain.)
Domains are represented in Active Directory by domainDNS objects. The distinguished name (DN) of a domainDNS object directly corresponds to the fully qualified DNS name of the domain. For example, the amer.adatum.com domain would have a DN of dc=amer,dc=adatum,dc=com.
Table 2-4 contains a list of some of the interesting attributes that are available on domainDNS objects.
Attribute | Description
--- | ---
dc | The domain component of the domain distinguished name (e.g., amer).
distinguishedName | The DN of the domain (e.g., dc=adatum,dc=com).
fSMORoleOwner | The NTDS Settings object DN of the domain controller on which the schema can be modified.
gPLink | List of GPOs that have been applied to the domain. By default it will contain a reference to the Default Domain Policy GPO.
lockoutDuration | A 64-bit integer representing the time an account will be locked out before being automatically unlocked, in the absence of any applicable Fine-Grained Password Policies.
lockoutObservationWindow | A 64-bit integer representing the time after a failed logon attempt that the failed logon counter for the account will be reset to 0, in the absence of any applicable Fine-Grained Password Policies.
lockoutThreshold | Number of failed logon attempts after which an account will be locked, in the absence of any applicable Fine-Grained Password Policies.
maxPwdAge | A 64-bit integer representing the maximum number of days a password can be used before a user must change it, in the absence of any applicable Fine-Grained Password Policies.
minPwdAge | A 64-bit integer representing the minimum number of days a password must be used before it can be changed, in the absence of any applicable Fine-Grained Password Policies.
minPwdLength | Minimum number of characters allowed in a password, in the absence of any applicable Fine-Grained Password Policies.
msDS-Behavior-Version | Number that represents the functional level of the domain. This attribute was first introduced in Windows Server 2003.
msDS-LogonTimeSyncInterval | Controls how often the lastLogonTimestamp attribute is updated. Defaults to 14 days with a 0–5 day randomization value, which means that lastLogonTimestamp will be updated for a given account every 9 to 14 days to prevent excessive replication of lastLogonTimestamp.
ms-DS-MachineAccountQuota | The number of computer accounts a nonadministrator user account can join to the domain.
nTMixedDomain | Number that represents the mode of a domain.
pwdHistoryLength | Number of passwords to remember before a user can reuse a previous password, in the absence of any applicable Fine-Grained Password Policies.
pwdProperties | Bit flag that represents different options that can be configured for passwords used in the domain, including password complexity and storing passwords with reversible encryption.
subRefs | Multivalue attribute containing the list of subordinate naming contexts and application partitions, such as DC=ForestDnsZones,DC=adatum,DC=com within the adatum.com domain.
wellKnownObjects | GUIDs for well-known objects, such as the default computer container.
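As an added example that is not part of the book, the following Python decodes the domain-wide password and lockout attributes listed above from a domainDNS object and flags settings weaker than a baseline. It assumes the attribute values arrive as strings, as an LDAP client returns them; that the interval attributes (maxPwdAge, lockoutDuration) are stored as negative 64-bit counts of 100-nanosecond intervals rather than as days; and that the pwdProperties bit values are those defined in MS-SAMR. The sample record and the baseline thresholds are constructed for illustration.

```python
from datetime import timedelta

# pwdProperties bit flags (MS-SAMR DOMAIN_PASSWORD_INFORMATION)
DOMAIN_PASSWORD_COMPLEX = 0x01
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10   # "reversible encryption"

TICKS_PER_SECOND = 10_000_000            # intervals are 100-ns ticks
NEVER = -0x8000000000000000              # sentinel: "never"

# Constructed sample values, typed as an LDAP client returns them (strings)
SAMPLE_DOMAIN = {
    "distinguishedName": "dc=adatum,dc=com",
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "maxPwdAge": "-36288000000000",      # 42 days
    "lockoutThreshold": "0",             # accounts never lock out
    "lockoutDuration": "-18000000000",   # 30 minutes
    "pwdProperties": "1",                # complexity on, no cleartext storage
}

def interval_to_timedelta(raw):
    """Decode a negative 100-ns interval; the NEVER sentinel yields None."""
    raw = int(raw)
    return None if raw == NEVER else timedelta(seconds=-raw / TICKS_PER_SECOND)

def decode_domain_policy(entry):
    """Turn raw domainDNS attribute strings into typed policy values."""
    props = int(entry["pwdProperties"])
    return {
        "minPwdLength": int(entry["minPwdLength"]),
        "pwdHistoryLength": int(entry["pwdHistoryLength"]),
        "maxPwdAge": interval_to_timedelta(entry["maxPwdAge"]),
        "lockoutThreshold": int(entry["lockoutThreshold"]),
        "lockoutDuration": interval_to_timedelta(entry["lockoutDuration"]),
        "complexity": bool(props & DOMAIN_PASSWORD_COMPLEX),
        "reversible_encryption": bool(props & DOMAIN_PASSWORD_STORE_CLEARTEXT),
    }

def audit_domain_policy(policy, min_length=12):
    """List domain-wide settings weaker than an assumed baseline (not the book's)."""
    checks = [
        (policy["minPwdLength"] < min_length, f"minPwdLength {policy['minPwdLength']} < {min_length}"),
        (not policy["complexity"], "password complexity disabled"),
        (policy["reversible_encryption"], "reversible encryption (cleartext storage) enabled"),
        (policy["lockoutThreshold"] == 0, "lockoutThreshold 0: accounts never lock out"),
        (policy["maxPwdAge"] is None, "maxPwdAge: passwords never expire"),
    ]
    return [message for weak, message in checks if weak]
```

Remember that a domain's own Fine-Grained Password Policies can override these values for specific users and groups, so the result describes only the domain-wide defaults.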
Beginning with Windows Server 2003, you can also use the dsadd.exe command-line utility to create Active Directory objects. To add a single user to Active Directory, simply type dsadd user UserDN at the command line, where UserDN refers to the distinguished name of the user object, such as cn=smith, dc=example, dc=com. dsadd allows you to set a huge number of user attributes at the command line by using any of the following parameters: