An LDAP path starts with a 'programmatic identifier' (progID) followed by ://. Separate each part with a comma and prefix each part with dc= (dc stands for domain name component). prl.pbb.local becomes LDAP://dc=prl,dc=pbb,dc=local
To reference Alice's object in the prl_biz OU within the prl OU it would look like this: LDAP://cn=albin,ou=prl_biz,ou=prl,dc=prl,dc=pbb,dc=local
CN = Common Name
L = Locality
ST = State or Province Name
O = Organization Name
OU = Organization Unit
C = Country
STREET = Street address
DC = Domain Component
UID = User ID
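A worked version of the path-building rule above, as an added example (not from these notes): it turns a DNS domain name into its dc= components, composes the LDAP path with the OUs reversed into innermost-first order, escapes RDN values that contain reserved characters, and splits a path back into components labelled with the abbreviation list. The domain and object names are constructed sample values.

```python
RDN_TYPES = {  # attribute types from the abbreviation list in the notes
    "CN": "Common Name", "L": "Locality", "ST": "State or Province Name",
    "O": "Organization Name", "OU": "Organization Unit", "C": "Country",
    "STREET": "Street Address", "DC": "Domain Component", "UID": "User ID",
}

def dns_to_dn(dns_name):
    """'prl.pbb.local' -> 'dc=prl,dc=pbb,dc=local' (one dc= per label)."""
    labels = [p for p in dns_name.strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join("dc=" + label for label in labels)

def escape_rdn_value(value):
    """Backslash-escape the characters that would otherwise break a DN."""
    special = ',+"\\<>;='
    out = []
    for i, ch in enumerate(value):
        needs = (ch in special or (i == 0 and ch in " #")
                 or (i == len(value) - 1 and ch == " "))
        out.append("\\" + ch if needs else ch)
    return "".join(out)

def adspath(dns_name, ous=(), cn=None, progid="LDAP"):
    """progID://[cn=...,][ou=...,]dc=...  `ous` is given outermost first
    (prl, then prl_biz); the DN lists the innermost container first."""
    parts = []
    if cn:
        parts.append("cn=" + escape_rdn_value(cn))
    parts.extend("ou=" + escape_rdn_value(ou) for ou in reversed(ous))
    parts.append(dns_to_dn(dns_name))
    return progid + "://" + ",".join(parts)

def split_dn(dn):
    """Split a path or DN into (type name, value) pairs, honouring escaped commas."""
    dn = dn.split("://", 1)[-1]                      # drop a leading progID:// if present
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1]); i += 2            # keep the escaped char literally
        elif dn[i] == ",":
            rdns.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(dn[i]); i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        pairs.append((RDN_TYPES.get(typ.strip().upper(), typ), val))
    return pairs
```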
Schema Master (forest-wide): the only machine allowed to make schema changes. Changes attempted on other DCs will be referred to the FSMO holder.
Domain Naming Master (forest-wide)
PDC Emulator (domain-wide): password synching and PDC legacy compatibility; also the browser master.
RID Master (domain-wide): Relative ID Master. All security principals have a Security Identifier (SID).
Infrastructure Master (domain-wide): maintains cross-domain object references (phantom references), e.g. a user is in domain A but a member of a group in domain B.
NTDSUTIL (download: support pack): allows transfer of FSMO roles to other DCs. If the FSMO server dies you can ungracefully force the role onto another DC, known as 'seizing' the role.
Domain Global: membership available only within the domain. Used to define roles (enterprise admins, backup admins, exchange admins, sql admins, etc.).
LDP (the LDAP util; download: support tools): can be used to view the RootDSE entry. Connection -> Connect -> enter the name of a DC.
Active Directory Service Interfaces Edit (ADSIEdit; download: support tools): AD can be viewed using an AD viewer such as ADSIEdit (MMC snap-in) or LDP.
Schema is made of two types of AD objects…
… Very Incomplete
RepAdmin: command line tool for administering replication.
ReplMon: graphical util for managing and monitoring replication.
Each DC maintains its own separate 'Update Sequence Number' (USN). It is a 64-bit value assigned to each update transaction. Each update increments the USN value, like the serial number in DNS.
Each DC maintains its highest combined USN for all NCs in the highestCommittedUSN value of the RootDSE. The values differ from DC to DC, even for the same replicated change.
If time is off by 5 minutes or more on a DC it will not be able to replicate.
Originating Update (write): the point of origin for an update (the DC on which this update was made).
Replicated Update (write): a change that did not originate on the DC in question.
Each DC has a GUID called the DSA GUID. It is used to uniquely identify a DC and is the objectGUID of the NTDS settings object for the DC in the configuration container.
The High-WaterMark Vector (HWMV) is a table maintained independently by each DC. It keeps track of where a DC last left off when replicating an NC with a specific partner.
The up-to-dateness vector (UTDV) is a table maintained independently by each DC. It is used for replication dampening, to reduce traffic and prevent endless replication.
An example of how an object is modified during replication…
1. A user is created on serverA.
2. The object (user) is replicated to serverB.
3. The object is subsequently modified on serverB.
4. The new changes are replicated back to serverA.
1. Creation of the object on serverA
   1. values are set to the defaults defined for user creation
   2. the user's USN is set to 1000 (the USN of this transaction)
   3. version number is set to 1
   4. timestamp is set to the time of creation
   5. originating-server GUID is set to the GUID of serverA
   6. originating-server USN is set to 1000 (USN of this transaction)
2. Replication of the object to serverB
   serverB adds a copy of the object as a replicated write. USN 2500 is assigned to the object. This value is written to the USNCreated and USNChanged attributes of the object.
3. Password changed for the user on serverB
   1. password value is set
   2. the password's USN is set to 3777 (USN for this transaction)
   3. the user's version number is set to 2
   4. timestamp is updated
   5. originating-server GUID is set to the GUID of serverB
   6. originating-server USN is set to 3777 (USN of this transaction)
4. Password change replication to serverA
   serverA generates a transaction USN of 1333. USNChanged is set to 1333. Originating-server GUID is set to that of serverB.
… Incomplete (missing conflict resolution section)
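The four steps above replayed as an added toy model (my example, not from the notes or the book they cite), with the HWMV and UTDV from the earlier paragraphs deciding what gets pulled: each in-memory DC hands out its own USNs, an originating write stamps the writer's GUID and USN on the attribute, a replicated write copies that metadata under a fresh local USN, and the UTDV dampens changes the DC already holds. The DSA GUIDs are random stand-ins and the DN and attribute values are constructed.

```python
import uuid

class DC:
    def __init__(self, name, start_usn):
        self.name, self.guid = name, uuid.uuid4()   # uuid4 stands in for the DSA GUID
        self.usn = start_usn - 1   # the next transaction takes start_usn
        self.objects = {}          # dn -> {"usnCreated", "usnChanged", "attrs"}
        self.hwmv = {}             # HWMV: partner guid -> partner USN we last pulled up to
        self.utdv = {}             # UTDV: originating guid -> highest originating USN seen

    def skip_to(self, usn): self.usn = usn - 1   # unrelated transactions happened meanwhile

    def write(self, dn, attrs, ts):
        self.usn += 1              # originating write: one USN for the whole transaction
        obj = self.objects.setdefault(dn, {"usnCreated": self.usn, "attrs": {}})
        for attr, value in attrs.items():   # each attribute carries its own metadata
            old = obj["attrs"].get(attr)
            obj["attrs"][attr] = {"value": value, "version": old["version"] + 1 if old else 1,
                                  "ts": ts, "origGuid": self.guid, "origUsn": self.usn}
        obj["usnChanged"] = self.utdv[self.guid] = self.usn

    def pull(self, src):
        """Replicated write of src's changes past our HWMV, dampened by the UTDV."""
        applied = 0
        for dn, sobj in src.objects.items():
            if sobj["usnChanged"] <= self.hwmv.get(src.guid, 0): continue
            fresh = {a: m for a, m in sobj["attrs"].items()
                     if m["origUsn"] > self.utdv.get(m["origGuid"], 0)}   # skip changes we hold
            if not fresh: continue
            self.usn += 1
            obj = self.objects.setdefault(dn, {"usnCreated": self.usn, "attrs": {}})
            for attr, meta in fresh.items():
                obj["attrs"][attr] = dict(meta)   # originator GUID/USN travel unchanged
                self.utdv[meta["origGuid"]] = max(self.utdv.get(meta["origGuid"], 0), meta["origUsn"])
            obj["usnChanged"] = self.usn
            applied += len(fresh)
        self.hwmv[src.guid] = src.usn
        return applied

def walkthrough():  # replay the four steps above; returns the USNs and password metadata seen
    a, b = DC("serverA", 1000), DC("serverB", 2500)
    dn = "cn=albin,ou=prl,dc=pbb,dc=local"                 # constructed sample DN
    a.write(dn, {"sAMAccountName": "albin", "password": "initial"}, ts=1)   # step 1: USN 1000 on A
    b.pull(a)                                               # step 2: B stores the object at USN 2500
    b.skip_to(3777); b.write(dn, {"password": "new"}, ts=2) # step 3: originating write on B
    a.skip_to(1333); applied = a.pull(b)                    # step 4: only the password comes back
    pw = a.objects[dn]["attrs"]["password"]
    return {"b_created": b.objects[dn]["usnCreated"], "b_changed": b.objects[dn]["usnChanged"],
            "a_changed": a.objects[dn]["usnChanged"], "version": pw["version"], "orig_usn": pw["origUsn"],
            "orig_is_b": pw["origGuid"] == b.guid, "applied": applied, "echo": b.pull(a)}
```

The "echo" value is what serverB pulls back from serverA afterwards: zero, because the UTDV already records both originating changes, which is the dampening the notes describe.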
Group Policy Management Console (GPMC): allows for editing, viewing the resultant set of policies (RSOP) and running reports.
The three states a policy item can exist in are enabled, disabled or unconfigured. Unconfigured is the default for everything.
The structure of the templates in the editor looks like…
User Configuration
   Software Settings
   Windows Settings
   Administrative Templates
Computer Configuration
   Software Settings
   Windows Settings
   Administrative Templates
These are generated from the Administrative Template (ADM) files in the system volume.
By default workstations and member servers refresh GPOs every 90 minutes and DCs every 5 minutes.
On non-DCs, 1 to 30 minutes (randomly generated) are added to the refresh interval to avoid everyone checking in at once.
GPOs allow admins to remotely deploy applications to users OR computers. MSI packages are the only way this works.
MSIs can be modified for the environment. This process is known as creating a ‘transform’.
You can set an MSI to auto-install when someone attempts to open a file with an extension that the MSI's app can read.
If an install is assigned to the user portion of the GPO it will install when the user logs into a machine and uninstall on log off. If it's assigned to the computer portion it is available to any user who logs into that computer.
MS Windows Installer: used to generate MSI files.
InstallShield: the best of the installer makers. 3rd party.
Installer Design Studio (ScriptLogic): the one ScriptLogic makes. Looks very easy to use and is fairly inexpensive.
Group Policy Settings Reference (document) : 
Group Policy Homepage : 
MSN docs for Group Policy : 
Common admin tasks: 
Remote Administration: 
All information gleaned from…
Active Directory, 3rd Edition, O'Reilly Publishing. By: Joe Richards, Robbie Allen & Alistair G. Lowe-Norris