Oh Kenny, something I intended to mention but forgot to... 

You mention your "hobby" of spinning up new domains, etc. By domain do you
mean a new Windows NT Authentication Realm or Kerberos Realm or just a new
LDAP Hierarchy?

If the latter, AD/AM can be quite useful here as well since you can have
multiple writeable partitions with completely different roots. In AD if you
need a new root, you need to spin up another domain tree which means a whole
other machine (virtual or real).

For instance, here is one of my Adam test instances


F:\Dev\CPP\AdMod>adfind -h . -b -s base namingcontexts

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k38500
Directory: Active Directory Application Mode

dn:
>namingContexts: CN=Configuration,CN={3BF96A23-C621-442F-8FA4-46452D708C97}
>namingContexts:
CN=Schema,CN=Configuration,CN={3BF96A23-C621-442F-8FA4-46452D708C97}
>namingContexts: DC=adam,DC=joeware2,DC=net
>namingContexts: DC=joe,DC=local
>namingContexts: CN=testcontainer


1 Objects returned


You will note the standard config and schema NCs. But I also have 3 other
writeable NCs each with a different root. DC=adam,DC=joeware2,DC=net -
DC=joe,DC=local - CN=testcontainer.

That last "CN=testcontainer" can't be done on AD.

To create a new NC you simply do an object add. I believe you can use any
container type objectclass for the NC root. So I could spin up a new NC that
was say an organizational unit on a given server and port like so

admod -h server:port -b ou=newroot objectclass::organizationalunit
instancetype::5 -betaadd


F:\Dev\CPP\AdMod>admod -h 2k38500:389 -b ou=newroot
objectclass::organizationalunit instancetype::5 -betaadd

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k38500
Adding specified objects...
   DN: ou=newroot...

The command completed successfully


[Mon 03/07/2005 22:46:59.73]
F:\Dev\CPP\AdMod>adfind -h . -b -s base namingcontexts

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k38500
Directory: Active Directory Application Mode

dn:
>namingContexts: CN=Configuration,CN={3BF96A23-C621-442F-8FA4-46452D708C97}
>namingContexts:
CN=Schema,CN=Configuration,CN={3BF96A23-C621-442F-8FA4-46452D708C97}
>namingContexts: DC=adam,DC=joeware2,DC=net
>namingContexts: DC=joe,DC=local
>namingContexts: CN=testcontainer
>namingContexts: OU=newroot


1 Objects returned

[Mon 03/07/2005 22:47:05.60]
F:\Dev\CPP\AdMod>adfind -h . -b ou=newroot -dn

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k38500
Directory: Active Directory Application Mode

dn:OU=newroot
dn:CN=LostAndFound,OU=newroot
dn:CN=NTDS Quotas,OU=newroot
dn:CN=Roles,OU=newroot
dn:CN=Administrators,CN=Roles,OU=newroot
dn:CN=Users,CN=Roles,OU=newroot
dn:CN=Readers,CN=Roles,OU=newroot

7 Objects returned

[Mon 03/07/2005 22:47:26.52]
F:\Dev\CPP\AdMod>




  joe
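Added example (not joe's code and not part of AdFind or AdMod): a small stdlib-only Python helper that decodes the instanceType value passed on the admod line above (5 is the NC-head bit plus the writable bit) and parses two adfind namingContexts listings to report which partitions appeared between them, the way OU=newroot shows up in the second listing. The sample listings are constructed to mirror the output quoted in this message; the flag names are the documented instanceType bit values.

```python
"""Decode ADAM/AD instanceType flags and diff two adfind namingContexts listings.

Added example, not joe's code and not part of AdFind/AdMod. The sample
listings below are constructed to mirror the output quoted in the message.
"""

# Documented bit values of the Active Directory / ADAM instanceType attribute.
INSTANCE_TYPE_FLAGS = {
    0x01: "NC_HEAD",    # object is the head (root) of a naming context
    0x02: "UNINSTANT",  # this replica is not instantiated
    0x04: "WRITE",      # the naming context is writable on this directory
    0x08: "NC_ABOVE",   # this directory also holds the NC above this one
    0x10: "NC_COMING",  # the NC is being constructed
    0x20: "NC_GOING",   # the NC is being removed
}


def decode_instance_type(value):
    """Return the flag names set in an instanceType value (5 -> NC_HEAD, WRITE)."""
    names = [name for bit, name in INSTANCE_TYPE_FLAGS.items() if value & bit]
    unknown = value & ~sum(INSTANCE_TYPE_FLAGS)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def parse_naming_contexts(listing):
    """Extract namingContexts values from adfind output.

    adfind prints one '>namingContexts: <dn>' line per partition; a long DN
    may be wrapped so the value lands on the following line, as the schema NC
    does in the message above.
    """
    contexts = []
    wrapped = False
    for raw in listing.splitlines():
        line = raw.strip()
        if wrapped:
            wrapped = False
            if line:
                contexts.append(line)
                continue
        if line.lower().startswith(">namingcontexts:"):
            value = line.split(":", 1)[1].strip()
            if value:
                contexts.append(value)
            else:
                wrapped = True  # value continues on the next line
    return contexts


def is_default_partition(dn):
    """True for the config and schema NCs every instance has; anything else
    is a partition someone created with an object add."""
    upper = dn.upper()
    return upper.startswith("CN=CONFIGURATION,") or upper.startswith(
        "CN=SCHEMA,CN=CONFIGURATION,"
    )


def diff_naming_contexts(before, after):
    """Report partitions that appeared or disappeared between two listings."""
    old = set(parse_naming_contexts(before))
    new = set(parse_naming_contexts(after))
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "application": sorted(dn for dn in new if not is_default_partition(dn)),
    }


# Constructed sample: the listing before and after the 'ou=newroot' add.
BEFORE_LISTING = """\
dn:
>namingContexts: CN=Configuration,CN={3BF96A23-C621-442F-8FA4-46452D708C97}
>namingContexts:
CN=Schema,CN=Configuration,CN={3BF96A23-C621-442F-8FA4-46452D708C97}
>namingContexts: DC=adam,DC=joeware2,DC=net
>namingContexts: DC=joe,DC=local
>namingContexts: CN=testcontainer

1 Objects returned
"""

AFTER_LISTING = BEFORE_LISTING.replace(
    ">namingContexts: CN=testcontainer\n",
    ">namingContexts: CN=testcontainer\n>namingContexts: OU=newroot\n",
)


if __name__ == "__main__":
    print("instanceType 5 =", "|".join(decode_instance_type(5)))
    for key, dns in diff_naming_contexts(BEFORE_LISTING, AFTER_LISTING).items():
        print(key + ":", ", ".join(dns) or "(none)")
```

Running the same diff against listings taken from a real instance at two points in time tells you which writable partitions were added outside the standard config and schema NCs, which is a cheap check to keep around when several people share a test instance.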



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 4:20 PM
To: [email protected]
Subject: RE: [ActiveDir] Active Directory and LDAP

AD/AM is primarily just the LDAP directory part of AD. It doesn't do
kerberos nor the NSPI stuff. So if you want to play say with Exchange you
have to go to AD. If you want to kerberize authentications, you need AD. 

If you are simply playing with adding/removing/reading/querying data for
users in a directory, AD/AM should be fine for you. It is generally easier
to play with because you don't have the DNS requirements behind it and there
is basically less to break down and cause issues. It is really nice because
you don't have much worry about updating the schema as you can quickly wipe
out the instance and rebuild it or you could have multiple instances running
on one single machine listening on different ports, etc. 

If you want to learn all about Windows domain functionality, load AD. If you
just want to learn the LDAP pieces, get AD/AM. 




   joe



 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 2:33 PM
To: [email protected]
Subject: RE: [ActiveDir] Active Directory and LDAP

I'll probably want programmer side later, when I understand what I'm doing.

BTW, someone posted this link:
http://www.microsoft.com/windowsserver2003/adam/default.mspx
Here is Microsoft's definition:
Windows Server 2003 Active Directory Application Mode

For organizations that require flexible support for directory-enabled
applications, Microsoft has developed Active Directory(r) Application Mode
(ADAM). ADAM is a Lightweight Directory Access Protocol (LDAP) directory
service that runs as a user service, rather than as a system service. Active
Directory Application Mode represents a breakthrough in directory services
technology that provides flexibility and helps organizations avoid increased
infrastructure costs.

My interpretation is:
We use LDAP and some other common nifty stuff, but also have our usual
secret sauce that makes it special.
So, I would then assume that LDAP is a specific section of AD and other
parts can (and probably are/will) be included in most domains.
I guess my next step is to get a 2k3 active directory book and figure out
the different parts of it and get more books from there as needed.

Right now I'm assuming I don't know jack about AD aside from what the GUI
shows (and even then...) and I know AD is a lot more powerful than what I'm
using it for where I work.

/curious george mode engages


As for my personal hobby at home, I just want the easiest thing to manage. I
sometimes add a domain, sometimes a user, sometimes an alias.
The reason LDAP appealed to me was that a domain is the root. A user is
under that, and the user's special things (like having SSH access, or their
own website) could be implemented easily through that (given I wrote some
code or did some special things...).


Kenny 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 07, 2005 11:56 AM
To: [email protected]
Subject: RE: [ActiveDir] Active Directory and LDAP

Stella has been scrounging the dusty antiquarian bookshops in New York and
London and has managed to snag a few copies. We'll have a handful of my
books available at DEC. For some reason Pearson never wanted to do a 2nd
edition. What a bunch of poopy-heads (according to my 4 year old).

Yeah, it doesn't sound like Kenny is looking for the programmers end of
things.

-gil

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 10:39 AM
To: [email protected]
Subject: RE: [ActiveDir] Active Directory and LDAP

I recommend your book a lot as well, in fact there is at least one list
member that has been trying to buy the darn thing based on my recommendation
but can't find it anywhere!!!! I have pointed at a couple of resources, it
was actually ordered from one resource (ebay) and the member got a note back
saying, oh sorry, I haven't had that in stock for over a year.... So get
with it Gil! Reprints! And don't forget about getting me royalties for
people I send that way. ;oP

Anyway, for this person, I am not sure throwing them into AD programming
book is the best course at least initially. :o)  It is like someone who
wants to use kerberos and you point them at the MIT dist. 

  joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 07, 2005 12:19 PM
To: [email protected]
Subject: RE: [ActiveDir] Active Directory and LDAP

Aww, man... How come my book isn't up there?

-gil 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 10:11 AM
To: [email protected]
Subject: RE: [ActiveDir] Active Directory and LDAP

Hey now... Don't forget about Alistair. He did that first edition himself
and did it well. :)

The Cat Book rocks. Actually I should get royalties for that one too, I have
made a bunch of people buy it and have bought and given away multiple copies
myself. I still have my first copy though it is quite dog-eared and I put
laminating plastic on the covers so they wouldn't get too torn up. 

Here is the actual AD Org Books link -
http://www.activedir.org/Books.aspx ,
actually it would be kind of cool if we could rate them. How about it Tony?
Have a couple of fields for each, number of people who have the book, number
of people who recommend it, number of people who don't recommend it. 

I am surprised AD Developers Reference Library by Iseminger is on the list.
That is a great book but wouldn't expect a lot of the list users to have
read it. I recall reading it back in like 2001 or so and getting a bit
scared at what a really pissed off AD programmer could pull off. 


  joe
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 11:58 AM
To: [email protected]
Subject: RE: [ActiveDir] Active Directory and LDAP

Personally?  I like to think of AD as a GUI to Microsoft's implementation of
LDAP.  That simplifies a lot of things for me.
However, there is more to it than that and the books you ordered should help
in clarifying that.  

You don't need to know LDAP to make AD work, but it helps.  It's a great
help to me to understand the differences between Microsoft's AD and Sun's
implementation of LDAP or IBM's implementation or any of the others for the
basics.  

When you start getting into managing the directory and the objects in the
directory, Microsoft really differentiates itself with GPO's and the
multi-master replication and the tools to support the infrastructure.  

As you're looking at this, remember that name resolution is one of the most
important things you can deal with when making AD a solid enterprise app. 

The book from O'Reilly sounds like Robbie's book.  I haven't read it, but
have heard good things about it (what can I say Robbie, I don't have a
budget for it :)  If it's not Robbie's book for AD, then it would be a good
idea to grab that one as well.
http://www.amazon.com/exec/obidos/ASIN/0596004664/103-8355416-0173405

Sakari Kouti also has written a good book, called, "Inside Active Directory"
that would be worth picking up. http://www.kouti.com/

You should be able to find some other information about books at
http://www.activedir.org 


Al
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:41 AM
To: [email protected]
Subject: [ActiveDir] Active Directory and LDAP

I don't understand LDAP and Active Directory as much as I should.
So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
I'm curious as to how much LDAP and Active Directory have in common. Is AD
just a GUI for LDAP?
Perhaps there is a book everyone here recommends or will my LDAP books
hopefully cover enough so I could be able to feel my way around Active
Directory good enough?

Doing a search with the word 'book' gives a ton of irrelevant searches in the
archives.
I saw one book but it's out of print.

Kenny Mann
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/