Windows 2000 Active Directory


The most important change in Windows 2000 is the inclusion of Active Directory, a fully qualified directory service. It's so important that if you're a systems administrator, you're likely to find coming to grips with Active Directory to be one of your biggest headaches. But it doesn't have to be that way, thanks to Windows 2000 Active Directory.


Written by a participant in the Windows 2000 Rapid Deployment Program, Windows 2000 Active Directory delivers the practical, hands-on information you need to manage your site. Instead of filling pages with a screen-by-screen description of the graphical user interface, it focuses on the tasks you need to perform to manage your organization's directory effectively. The heavy emphasis on scripting with the ADSI will help you automate tasks to achieve greater reliability and save time.

Windows 2000 Active Directory is divided into three sections:

  • The Basics, which provides an overview of the Active Directory technology and a detailed introduction to AD features.
  • Design, which describes mapping your organization's typology into the Active Directory schema; specific topics include the AD namespace and DNS, AD objects such as sites and domains, replication, group policies, and migration issues.
  • Scripting, which covers the powerful capabilities of the Active Directory Services Interface (ADSI), including ADSI's use with ActiveX Data Objects (ADO), Active Server Pages (ASP), and Visual Basic (VB).

Windows 2000 Active Directory is a practical guide to the new technology for the overworked system or network administrator. Whether you're working regularly in the Windows 2000 environment or just evaluating Windows 2000 in order to understand the design issues involved, this book builds the solid foundation you need to understand Active Directory and use it effectively.


Editorial Reviews

A guide for system administrators to designing a reliable, scalable, and manageable Active Directory on the software for any size organization. Rather than describing the graphical user interface screen by screen, Lowe-Norris, who was part of the Windows 2000 Rapid Deployment Program, focuses on the tasks needed to manage an organization's directory effectively, heavily emphasizing scripting with the ADSI for automation. There is no index. Annotation c. Book News, Inc., Portland, OR (

Product Details

  • ISBN-13: 9781565926387
  • Publisher: O'Reilly Media, Incorporated
  • Publication date: 1/28/2000
  • Edition description: Older Edition
  • Edition number: 1
  • Pages: 648
  • Product dimensions: 7.10 (w) x 9.25 (h) x 1.22 (d)

Meet the Author

Alistair G. Lowe-Norris is an Architectural Enterprise Strategy Consultant for Microsoft UK. He worked for Leicester University as the project manager and technical lead of the Rapid Deployment Program for Windows 2000, responsible for rolling out one of the world's largest deployments of Windows 2000 preceding release of the final product. Since 1998 he has been the technical editor and a monthly columnist for the Windows Scripting Solutions magazine and a technical editor and author for Windows & .NET Magazine (previously Windows NT Magazine and Windows 2000 Magazine).


Read an Excerpt

Chapter 7: Sites and Replication Topologies

As I mentioned in Chapter 4, Active Directory Replication, there are two aspects to replication:
  • How data gets replicated around an existing network of links between DCs
  • How the Knowledge Consistency Checker (KCC) generates and maintains the replication links between servers, both intrasite and intersite
I covered the former in Chapter 4, and I'll cover the latter here, leading to an explanation of how to properly design a representation of your organization's physical infrastructure within Active Directory.

Intrasite and Intersite Topologies

Two distinct types of replication links exist with Windows 2000 sites: intrasite (within sites) and intersite (between sites). A Windows 2000 service known as the Knowledge Consistency Checker (KCC) is responsible for automatically generating the replication links between intrasite DCs. The KCC will create intersite links automatically for you but only when an administrator has specified that two sites should be connected. Every aspect of the KCC and the links that are created is configurable, so you can manipulate what has been automatically created and what will be automatically created via manipulation of the various options. You can even disable the KCC if you wish and manually create all links.

Note that there is a large distinction between the KCC (the process that runs every 15 minutes and creates the replication topology) and the replication process itself. The KCC is not involved in the regular work of replicating the actual data in any way. Intrasite replication along the links created by the KCC uses a notification process to announce that changes have occurred. If no changes occur at all within a six-hour period the replication process is kicked off automatically anyway just to make sure. Intersite replication on the other hand does not use a notification process. Instead it uses a replication schedule to transfer updates, using compression to reduce the total traffic size.

The KCC uses a fairly simple algorithm to create the topologies, and the topologies it creates work well in their default configurations. However, I don't think as a Windows 2000 administrator you should just accept the topologies it creates without examining them in detail. You should investigate and understand what has been done by the KCC. If you then look over the topology and are happy with it, you have actively, rather than passively, accepted what has been done. While letting the KCC do its own thing is fine, every organization is different, and you may have requirements for the site and link design that it is not aware of and cannot build automatically.

Other administrators will want to delve into the internals of Active Directory and turn off the KCC entirely, doing everything by hand. This approach is valid, as long as you know what you're doing, but I prefer to let the KCC do its work, helping it along with a guiding hand every now and then. I cover all these options in the design section later.


DCs within sites have links created between them by the KCC. These links use the DC's GUID as the unique identifier. These links exist in Active Directory as connection objects and only use the Directory Service Remote Procedure Call (DS-RPC) transport to replicate with one another. No other replication transport mechanism is available. However, when you need to connect two sites, you manually create a site link via the Sites and Services Manager (SSM) and specify a replication transport to use. When you do this, intersite link connection objects are automatically created by the KCC in Active Directory. There are two replication transports to choose from: standard DS-RPC or Inter-Site Mechanism Simple Mail Transport Protocol (ISM-SMTP). The latter means sending updates via the mail system using certificates and encryption for security.

There are two reasons that the KCC cannot automatically create links between two sites. First, the KCC has no idea which sites you will want to connect. Second, the KCC does not know which replication transport protocol you will want to use.

The KCC runs locally every 15 minutes on each DC. The default time period can be changed, and it can be started manually on demand if required. If I create two servers in a new domain called Server A and Server B, the KCC will run on each server to create links. Each KCC is tasked with creating a link to define incoming replication only. The KCC on Server A will define an incoming link from Server B, and Server B's KCC will define an incoming link from Server A. The KCC creates only one incoming link per replication partner, so Server A will never have two incoming links from Server B, for example.

The KCC does not create one topology for all NCs, nor one topology per NC. The Configuration and Schema NCs share one replication topology, so the KCC creates a topology for these two together. The KCC also creates another topology on a per-domain basis. Because the Schema and Configuration are enterprise wide in scope, the KCC needs to replicate changes to these items across site links. The KCC needs to maintain a forest-wide topology spanning all domains for these two NCs together. However, unless a domain is set up to span multiple sites, the topology for a particular domain will be made up of only intrasite connections. If the domain does span sites, then the KCC needs to create a replication topology across those sites.

The GC is not a Naming Context in its own right, and so it can't really have its own replication topology. As the GC is formed from a selection of attributes on those servers that host the GC in each domain, the GC replication becomes part of the replication for each domain. As two partners replicate a domain NC, the GC is replicated as well. There is no replication of the GC between different domains.

Automatic Intrasite Topology Generation by the KCC

For each NC, the KCC builds a bidirectional ring of links between the DCs in a site. However, while upstream and downstream links are created between partners around a ring, the KCC creates links across the ring as well. It does this to make sure that it stays within the following guidelines:

  • Every DC must be within three hops from any other DC. This is known as the three-hop rule.
  • The default latency (maximum time for replication between any two DCs) for replication is five minutes.
  • The maximum convergence (maximum time for an update to reach all DCs) is 15 minutes.
Technically speaking, due to the three-hop rule, when you put in your eighth DC the KCC will start adding branches across the circular ring.

Assuming you have five servers in a ring and you add a sixth, the other servers around the ring add and delete connection objects in order to accommodate the newcomer. So if Server C and Server D are linked and Server F interposes itself between them, Server C and Server D delete their interconnections and create connections to Server F instead. Server F also creates connections to Server C and Server D. Let's now take a look at this process in more detail...
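The three-hop rule and the eighth-DC threshold described above can be checked with a small graph model. This is an added example, not code from the book: DCs are modelled as integers, and the greedy shortcut placement in `add_shortcuts` is an assumption for illustration, not the KCC's actual algorithm.

```python
from collections import deque
from itertools import combinations

MAX_HOPS = 3  # the three-hop rule quoted in the excerpt


def ring(n):
    """Bidirectional ring of n DCs as an adjacency map {dc: set(neighbours)}."""
    return {i: {(i - 1) % n, (i + 1) % n} - {i} for i in range(n)}


def hops_from(adj, src):
    """Breadth-first search: hop count from src to every reachable DC."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def max_hops(adj):
    """Worst-case hop count between any two DCs (the graph diameter)."""
    return max(max(hops_from(adj, s).values()) for s in adj)


def add_shortcuts(adj, limit=MAX_HOPS):
    """Add cross-ring links until every DC is within `limit` hops.

    Greedy heuristic (assumption, not the KCC's algorithm): repeatedly
    link the pair of DCs that are currently farthest apart.
    """
    adj = {k: set(v) for k, v in adj.items()}  # work on a copy
    added = []
    while max_hops(adj) > limit:
        a, b = max(combinations(adj, 2),
                   key=lambda p: hops_from(adj, p[0])[p[1]])
        adj[a].add(b)
        adj[b].add(a)
        added.append((a, b))
    return adj, added


if __name__ == "__main__":
    for n in range(5, 10):
        plain = ring(n)
        fixed, added = add_shortcuts(plain)
        print(f"{n} DCs: ring max hops={max_hops(plain)}, "
              f"shortcuts added={added}, max hops after={max_hops(fixed)}")
```

A plain ring satisfies the rule up to seven DCs; at eight the worst-case path is four hops, which is the point at which cross-ring links become necessary.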


Table of Contents

Intended Audience;
Contents of the Book;
Conventions in This Book;
We’d Like Your Feedback!;
The Basics;
Chapter 1: A Brief Introduction;
1.1 Major Features;
1.2 How Objects Are Stored in Active Directory;
1.3 Uniquely Identifying Objects;
1.4 Summary;
Chapter 2: Active Directory Overview;
2.1 A Simple View of How It All Works;
2.2 A More Detailed View of How It All Works;
2.3 Windows NT Versus Windows 2000;
2.4 Summary;
Chapter 3: Active Directory Schema;
3.1 The Structure of the Schema;
3.2 Attribute Classes (Attribute-Schema Objects);
3.3 The Syntax of Attributes;
3.4 Object Classes (Class-Schema Objects);
3.5 Summary;
Chapter 4: Active Directory Replication;
4.1 Sites;
4.2 Data Replication;
4.3 Summary;
Chapter 5: TCP/IP and DDNS;
5.1 How TCP/IP and DDNS Are Used;
5.2 How You Already Use TCP/IP and DNS;
5.3 Integrated DNS;
5.4 How DNS Affects Design;
5.5 Summary;
Designing the Directory Hierarchy;
Chapter 6: Designing the Namespace;
6.1 The Complexities of a Design;
6.2 Where to Start;
6.3 Overview of the Design Process;
6.4 Domain Namespace Design;
6.5 Design of the Internal Domain Structure;
6.6 Other Design Considerations;
6.7 Design Examples;
6.8 Designing for the Real World;
6.9 Summary;
Chapter 7: Sites and Replication Topologies;
7.1 Intrasite and Intersite Topologies;
7.2 Designing Sites and Links for Replication;
7.3 Examples;
7.4 Summary;
Chapter 8: Profiles and Group Policy Primer;
8.1 A Profile Primer;
8.2 Capabilities of GPOs;
8.3 Summary;
Chapter 9: Designing Organization-Wide Policies;
9.1 How Windows 2000 GPOs Work;
9.2 Using the Group Policy Editor Tool;
9.3 Using GPOs to Help Design the Organizational Unit Structure;
9.4 Debugging Group Policies;
9.5 Summary;
Chapter 10: Active Directory Security: Permissions and Auditing;
10.1 Using Windows 2000’s GUI to Examine Permissions;
10.2 Using Windows 2000’s GUI to Examine Auditing;
10.3 Designing Permission Schemes;
10.4 Designing Auditing Schemes;
10.5 Real-World Examples;
10.6 Summary;
Chapter 11: Designing Schema Changes;
11.1 Nominating Responsible People in Your Organization;
11.2 Thinking of Changing the Schema;
11.3 Managing and Modifying the Schema;
11.4 Wreaking Havoc with Your Schema;
11.5 Summary;
Chapter 12: Windows NT 4.0 Migration;
12.1 Consolidating, Migrating, and Upgrading from NT;
12.2 The Principles of Upgrading Windows NT Domains;
12.3 Summary;
Chapter 13: Directory Interoperability;
13.1 Background to Interoperability with Other Directory Services;
13.2 Solutions for Interoperability with Other Directory Services;
13.3 Exchange and the Active Directory Connector;
13.4 A Word About Windows 2000 and Unix;
13.5 Summary;
Scripting the Active Directory with ADSI;
Chapter 14: Scripting with ADSI;
14.1 What Are All These Buzzwords?;
14.2 Writing and Running ADSI Scripts Under Windows 2000;
14.3 ADSI;
14.4 Simple Manipulation of ADSI Objects;
14.5 Summary;
Chapter 15: IADs and the Property Cache;
15.1 The IADs Properties;
15.2 Manipulating the Property Cache;
15.3 Checking for Errors in VBScript;
15.4 Summary;
Chapter 16: Users;
16.1 Creating a Standard User Account;
16.2 Creating a Fully Featured User Account;
16.3 Creating Many User Accounts;
16.4 Creating an Account Unlocker Utility;
16.5 Automatically Creating Exchange Mailboxes for Users;
16.6 Summary;
Chapter 17: Manipulating Persistent and Dynamic Objects;
17.1 The Interface Methods and Properties;
17.2 Manipulating Services with ADSI;
17.3 Creating and Manipulating Shares with ADSI;
17.4 Enumerating Sessions and Resources;
17.5 Manipulating Print Queues and Print Jobs;
17.6 Summary;
Chapter 18: Permissions and Auditing;
18.1 How to Create an ACE Using ADSI;
18.2 A Simple ADSI Example;
18.3 A Complex ACE Example;
18.4 Creating Security Descriptors;
18.5 Listing ACEs to a File for All Objects in an OU and Below;
18.6 Adding Many USER Groups to DRUP Groups;
18.7 Summary;
Chapter 19: Extending the Schema and the GUI;
19.1 Modifying the Schema with ADSI;
19.2 Extending Active Directory GUI to Meet Business and Organizational Needs;
19.3 Summary;
Chapter 20: Enhancing ADSI via an ASP or VB Interface;
20.1 VBScript Limitations and Solutions;
20.2 How to Avoid Problems When Using ADSI and ASP;
20.3 Combining VBScript and HTML;
20.4 Binding to Objects via Authentication;
20.5 Migrating Your ADSI Scripts from VBScript to VB;
20.6 Summary;
Chapter 21: Scripting Fast Searches Using ADO;
21.1 The First Search;
21.2 Other Ways of Connecting and Retrieving Results;
21.3 Understanding Search Filters;
21.4 Incorporating Searches into Active Server Pages;
21.5 A Significant Problem;
21.6 A More Advanced Search Function—SearchAD;
21.7 Summary;
