46933book.fm Page v Saturday, May 10, 2008 9:30 AM
Thank you for choosing Mastering Active Directory for Windows Server 2008. This book is part of a
family of premium quality Sybex books, all written by outstanding authors who combine practical
experience with a gift for teaching.
Sybex was founded in 1976. More than thirty years later, we’re still committed to producing consistently exceptional books. With each of our titles we’re working hard to set a new standard for the
industry. From the paper we print on, to the authors we work with, our goal is to bring you the best
I hope you see all that reflected in these pages. I’d be very interested to hear your comments and
get your feedback on how we’re doing. Feel free to let me know what you think about this or any
other Sybex book by sending me an email at firstname.lastname@example.org, or if you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to
our efforts at Sybex.
Vice President and Publisher
Sybex, an Imprint of Wiley
46933book.fm Page vi Saturday, May 10, 2008 9:30 AM
For Jul, my best friend—I love you.
46933book.fm Page vii Saturday, May 10, 2008 9:30 AM
I want to start by thanking my wife and daughter for their patience while I work on yet another
project. You two are the motivation to do all the things that I do. I know that I would not be where
I am today if it weren't for the love and support you have given me, whether it is for writing, starting a new company, deciding to remodel the house, or some goofy “computer project” that you
don’t even want to understand. You both make me laugh on a daily basis. Your smiles, hugs, and
laughter are all I need to keep me going at this breakneck pace day after day.
I would like to thank my family for giving me support throughout the writing process. There
were times when the typical “let’s meet in town for dinner” was not an option as deadlines were
looming (and often missed). Mom and Dad always understood and were always more than willing
to babysit in a crunch. Brian—thank you for taking my mind out of the book and getting me back
to reality with random phone calls and lunches to talk about the important stuff in life, like supercharging my GTO or starting a restoration on a diamond-in-the-rough Camaro.
Professionally, I want to thank my brother Brad. Brad—we’ve worked on a lot of books together,
and we’ve always talked about going into business together. Throughout everything, you’ve been
a great brother, friend, and business partner, and I can’t wait to see where this road leads us. A very
big thank-you goes out to Scott Fenstermacher and Robin Wright. Both of these talented authors
stepped up to provide some great material, most of which was with very tight deadlines. Both of
you are amazing and the book is a better product because of your knowledge and writing ability.
To the Sybex crew—a HUGE thank you. Thanks to Tom Cirtin for going to bat and getting the
new edition approved and working with us in the early stages; Pete Gaughan for keeping us on
schedule and making sure we were not overloading the other editors' schedules; Jim Kelly for making sure everything is technically accurate; and last but certainly not least, Karen L. Lew. Karen is
a master at taking my rambling thoughts and actually making me sound like I can write. I called
Karen a showoff for taking a paragraph of mine that was close to 30 words and knocking it down
to a 9-word sentence that had more power than my initial attempt.
— John Price
The work that I did on this book wouldn’t have been possible if not for the support of my family.
DeAnn—you have been very patient and understanding when it comes to my long workdays and
weeks away from home. One of these days I am going to repay you for all that you have done for me.
To my beautiful daughters, Jami and Becca—you both make me so very proud to be your dad. You
were great kids and have you have grown up to be intelligent, kindhearted, and honest adults. You
have bright futures ahead of you. To Dad and Mom—thanks for your support through everything.
It should come as no surprise that I think the world of you. To John—thanks for being the best friend
a brother could have. To the rest of my family—I am glad I can call each and every one of you family.
First I would like to thank the brothers Price for asking me once again to share the book-writing experience with them. They're a couple of really smart guys, so you would think they’d have learned their
lesson by now. And you can’t write a book without a great publisher and people like Tom Cirtin, Pete
Gaughan, Jim Kelly, and Karen Lew, who make it tick, so a big thanks go out to the entire John Wiley
& Sons staff for the too-often thankless job of actually producing the book that you now hold in your
hands. It’s a task with details beyond my comprehension, so I’ll just stick to the easy things, like beta
46933book.fm Page viii Saturday, May 10, 2008 9:30 AM
The biggest thanks go out to my wife Lori for being supportive through all these late nights at the
computer. Between the endless hours of her own job and the endless hours of managing a family,
she has managed to keep things together while I mumble incoherently at operating systems and
software products that aren’t always what they claim to be (perils of beta software). I owe you bigtime, and one of these days I know you’re going to make me pay for it.
More thanks go out to the mess-makers of the house, Jaina and Shelby. Sometimes I think my
best idea was putting your playroom next to my office so I can see you while I work. I said it in the
last book, and the sentiment still holds true: you might not have contributed words to the book or
work around the house, but everyday you manage to put a smile on my face without even trying.
Now go pick up those toys; they wake me up when I’m sleepwalking.
Of course, I wouldn’t be who I am today without the molding at the hands of my parents. To
Carol, my mother, the words escape me sometimes, but always know that I am proud to call you
Mom. To Craig, my father, I miss you. You taught me lessons about life that I’m still just realizing.
Your time with us was too short, but you made every moment count. Happy hunting.
And last but not least, the friends that probably think I’m just naturally not right in the head
(usually Linux is involved in those conversations), if for nothing else than simply putting up with
me. To Jeff Miller and Ken Ratliff for the constant stream of jobs to do. To Michelle Ingram and
Penny Morgan for keeping me entertained with the soap opera. To “Fun Aunt Susan” for always
being the voice of encouragement. To Phil Feese for the constant stream of jokes to my inbox. And
finally to Jay Howerter, Chris King, Tim O’Brien, Paul Emery, Doug Sims, Darrin Bentley, and
Mark Feleccia just for being a great bunch of guys to work with.
46933book.fm Page ix Saturday, May 10, 2008 9:30 AM
About the Authors
John A. Price is the Lead Architect for a Microsoft Gold consulting firm in the Midwest. He has
11 years of experience with several Microsoft products, specializing in Active Directory, Exchange
Server, and the System Center line of products.
Brad Price is an MCT with 16 years of experience in the IT field, specializing in Active Directory,
Exchange Server, Systems Management Server, and Operation Manager. He is the author of several
books on Active Directory.
Scott Fenstermacher holds a degree in Computer Science, along with Microsoft certifications for
Systems Engineer, Database Administrator and Solutions Developer. Somewhere in there, he even
managed to squeak in a Cisco certification. He has worked with networks from Linux to Novell to
Windows, and with programming languages from Assembly to C# and Visual Basic.NET. Prior
to his current position as a network engineer for a Fortune 500 software and consulting company,
Scott taught classes for a Microsoft CPLS ranging from application and database development to
Windows and Linux system administration.
46933book.fm Page x Saturday, May 10, 2008 9:30 AM
46933book.fm Page xxiv Saturday, May 10, 2008 9:30 AM
46933book.fm Page xxv Saturday, May 10, 2008 9:30 AM
As I contemplate what I am going to say in this introduction, I find myself thinking, “Why would
I want to buy this book?” And the first thing that comes to mind is a conversation I had with my
acquisitions editor Tom Cirtin over the summer. We were discussing the upcoming release of
Windows Server 2008 and an update to the Mastering Active Directory book. Just as we have done
in the past with this book, we went the route of an all-inclusive Active Directory book rather than
highlighting just the changes or new features that Windows Server 2008 brings to the table.
This book is a labor of love. I really do enjoy going through the new material and learning what
I can do with an operating system. And I didn’t have to go through all of it myself. Truth be told,
I am not qualified for some of this, especially the scripting section. C+ programming courses in college told me that I am not a programmer or a scripter; I dreaded those courses. On the front of this
book there are three authors listed: Brad Price, John Price, and Scott Fenstermacher. We divided
up the chores, with Brad and me writing the core of the book, which includes the designing, planning, managing, and troubleshooting sections, while Scott’s scripting expertise was being applied
to the final section on scripting.
Who Should Read This Book
Anyone responsible for Active Directory, or at least part of an Active Directory installation, needs
to learn the lessons taught in this book. If the title alone intrigued you, this is probably the book for
you. These pages provide detailed coverage of Active Directory as it is used in Windows Server
2000, 2003, 2003 R2, and now 2008. The topics covered range from the design options you need to
consider before deploying Active Directory to management and troubleshooting.
If you are responsible for the day-to-day operations of Active Directory, this book is for you.
If you are responsible for designing a new Active Directory rollout for a company, this book is
for you. If you need to learn some troubleshooting tips and want to see how some of the utilities
work, this book is for you.
But most important, the final part of this book delves into scripting. Smart administrators
know that any shortcut you can take to perform an action is helpful, especially because we usually don’t have all the time we would like to perform all of the duties for which we are responsible, let alone for the emergencies that arise. These administrative shortcuts can be as simple as
creating a Microsoft Management Console (MMC) that includes all the administrative tools you
use regularly so that you don’t have to open each administrative tool in its own window, or as
involved as writing scripts and batch files that will perform those repetitive tasks.
If you have been hesitant to jump into the scripting side of administration, check out Part 5
of this book, “Streamlining Management with Scripts.” It starts with the basics and leads you
46933book.fm Page xxvi Saturday, May 10, 2008 9:30 AM
through the steps to create your very own scripts. Scott has included several examples you can use
in your environment. What you learn from Part 5 alone will save you more in administrative costs
than this book will set you back.
The first part of this book (Part 1, “Active Directory Design”) deals with designing and planning
your Active Directory rollout. This part is not geared solely toward Windows Server 2008. As a
matter of fact, you could use the book’s first five chapters to help you design and plan an Active
Directory implementation based on either Windows Server 2003 or Windows Server 2008. If you
are already familiar with the Active Directory and are ready to introduce it into your organization,
check out the chapters dedicated to design and planning. The information in these chapters will
help you build a rock-solid design. You will learn the best method of naming your forest, trees, and
domains; how to organize objects using containers and organizational units; and how to plan your
Group Policy implementation. The following chapters make up Part 1:
Chapter 1: Active Directory Fundamentals
Chapter 2: Domain Name System Design
Chapter 3: Active Directory Domain Services Forest and Domain Design
Chapter 4: Organizing the Physical and Logical Aspects of AD DS
Chapter 5: Flexible Single Master Operations Design
The second part and third parts of the book deal with managing your Active Directory implementation once it is in place. The day-to-day operations of Active Directory rely on you knowing
how to manage Active Directory objects. In Part 2, “Active Directory Object Management,” we start
with information about Active Directory objects then introduce ways to manage these objects with
organizational units and Group Policy, and we finish with securing these objects. The more you
know, the easier it is for you to effectively manage your environment. But even more important, the
more you know about the inner workings and interoperability of the features, the easier it will be
for you to troubleshoot issues effectively. The following chapters are in Part 2:
Chapter 6: Managing Accounts: User, Group, and Computer
Chapter 7: Maintaining Organizational Units
Chapter 8: Managing Group Policy
Chapter 9: Managing Active Directory Security
Active Directory Service Management is the core of the Part 3. With the announcement of Windows
Server 2008, Microsoft placed all of its “identity” products under the Active Directory umbrella. This
includes Rights Management Services, Certificate Services (thanks to the expertise of Robin Wright),
Active Directory Lightweight Directory Services, and Active Directory Federation Services. For this
reason we have decided to give service management its own part, “Active Directory Service Management,” which consists of the following chapters:
Chapter 10: Managing Access with Active Directory Services
Chapter 11: Managing Active Directory Rights Management Services
Chapter 12: Managing Active Directory Certificate Services
46933book.fm Page xxvii Saturday, May 10, 2008 9:30 AM
Chapter 13: Managing the Flexible Single Master Operations Roles
Chapter 14: Maintaining the Active Directory Database
Part 4 is “Active Directory Best Practices and Troubleshooting.” As we all know, there is no perfect
operating system. And the more complex the operating system, the more likely the chance of something
breaking. Your best friend during a crisis is knowledge. If you possess the necessary troubleshooting
skills and tools when something goes wrong, you will be able to fix the problem faster than if you were
stumbling around in the dark. The chapters in this part cover the tools at your disposal, and provide tips
you’ll find useful when faced with problems. The following chapters are in this part:
Chapter 15: Microsoft’s Troubleshooting Methodology for Active Directory
Chapter 16: Troubleshooting Problems Related to Network Infrastructure
Chapter 17: Troubleshooting Problems Related to the Active Directory Database
As we have already mentioned, the final part of this book is dedicated to administrative scripting. Scott Fenstermacher has brought his scripting expertise to this part. He did a great job on the
last revision of the book, and we asked him to work with us on this version as well, adding a chapter
on PowerShell scripting.
Building and understanding how scripts work and how they affect Active Directory can make
you stand out in the crowd, as well as make your life easier. Using administrative scripts, you can
run a script to create several users, have a script inform users who never log off that their password
is about to expire, manipulate a groups membership so only authorized users are members, and
much more. Once you’re comfortable with the scripting basics and the administrative options, you
can move on and use scripts to affect other services, not just Active Directory. Following are the
final chapters of the book:
Chapter 18: ADSI Primer
Chapter 19: Active Directory Scripts
Chapter 20: Monitoring Active Directory
Chapter 21: Managing Active Directory with PowerShell
Throughout the book you will see references to zygort.com. Zygort is the fictional company that we
have used in all of the books we have written. We decided to capitalize on the name and use it as
a central repository for our Active Directory and Windows Server knowledge.
While our website, http://zygort.com, will not duplicate the information from this book, we
will post updates to the Active directory information presented in the book. Additionally, we’ll use
the site as a portal to great new Active Directory information we find. We’ll also include other topics that might make your life easier, such as tips for anything from server virtualization to application virtualization to product integration. We understand how fast the computing world changes,
and we want to keep you as up-to-date as possible.
So sit back and enjoy this ride into the wondrous adventure known as Active Directory. We
hope this book helps you in all of your Active Directory endeavors. And we hope we can minimize
the amount of time it takes you to perform administrative tasks. We know how much time administrators put in just to stay on top of things; if this book can make your life a little easier and give
you a little more free time, we have done our jobs.
46933book.fm Page xxviii Saturday, May 10, 2008 9:30 AM
49833c01.fm Page 1 Monday, May 12, 2008 3:38 PM
Active Directory Design
In this part:
◆ Chapter 1: Active Directory Fundamentals
◆ Chapter 2: Domain Name System Design
◆ Chapter 3: Active Directory Forest and Domain Design
◆ Chapter 4: Organizing the Physical and Logical Aspects of AD DS
◆ Chapter 5: Flexible Single Master Operations Design
49833c01.fm Page 2 Monday, May 12, 2008 3:38 PM
49833c01.fm Page 3 Monday, May 12, 2008 3:38 PM
Active Directory Fundamentals
Since the inception of network operating systems, the men and women who are responsible for administering and managing them have wanted an easy way to do so. Networks have gone through a natural
evolution from peer-to-peer networks to directory-based networks. Directory-based networks have
become the preferred type of network because they can ease an administrator’s workload.
To address the needs of organizations, the Institute of Electrical and Electronics Engineers (IEEE)
developed a set of recommendations that defined how a directory service should address the needs
of administrators and efficiently allow management of network resources. These recommendations,
known as the X.500 recommendations, were originally envisioned to include a large centralized
directory that would encompass the entire world, divided by geopolitical boundaries. Even though
X.500 was written to handle a very large amount of data, designers reviewing the drafts of these recommendations saw merit in the directory and soon the recommendations were adopted by several
companies, including the two best known, Novell and Microsoft.
Active Directory is Microsoft’s version of the X.500 recommendations. Battles rage between
directory services camps, each one touting its directory service as the most efficient one. Because
some of the directory services, such as Novell Directory Services (NDS) and eDirectory, have been
around longer than Active Directory, those that are familiar with NDS will attack Active Directory.
Their attacks are usually focused on the idea that Active Directory does not perform functions the
same way that NDS does.
When it is all said and done, companies that develop X.500-based directory services can interpret the recommendations and implement them to fit their design needs. Microsoft interpreted and
employed the X.500 recommendations to effectively manage a Windows-based network. Novell
did the same for a Novell-based network, and the two for years have been at odds over which is
more efficient. All that notwithstanding, Microsoft has enjoyed great success with Active Directory. It has been adopted by thousands of organizations and will more than likely continue to be
used for many years to come.
Do I Need Active Directory?
Active Directory is the database (think of a directory as a collection of information, like a phone
book), whereas a domain controller is a single computer or server that controls Active Directory.
There are typically multiple domain controllers that host Active Directory.
How do you know if you need Active Directory? There are factors that you should address to
determine whether you should defer installation of a domain controller. Following are some of the
questions you should ask:
Do I want to centrally manage access to resources such as printers, users, and groups?
Do I want to control user accounts from one location?
Do I have applications that rely on Active Directory?
49833c01.fm Page 4 Monday, May 12, 2008 3:38 PM
ACTIVE DIRECTORY FUNDAMENTALS
If you answered “yes” to any of these questions, you undoubtedly will want to take advantage of
the features that Active Directory provides. Taking each one of the questions into account, you will
find that your life as an administrator will be much easier if you use Active Directory over using no
directory service whatsoever. The tools that become available when you implement Active Directory
will ease your administrative load, although there is an inherent learning curve associated with any
If you answered “yes” to the last of the three questions just posed, you have no choice but to
implement Active Directory. Most of the Active Directory–enabled applications on the market rely
on the installation of a full version of Active Directory within your network. There are some Active
Directory–enabled applications that can take advantage of using Active Directory Lightweight
Directory Services (AD LDS) –based systems. AD LDS is discussed later in this chapter.
The first two questions relate to something for which administrators have strived over the years.
Having one central location to manage users and resources makes an administrator’s life easier. If you
have to continually move from server to server to administer the resources contained on them, you
will spend more time tracking down the resources than you would performing your job. If you have
to maintain user accounts on several systems, you must make sure you have an efficient method of
cataloging the accounts so that you know where they reside.
With Windows 2000 Server, Windows Server 2003, and now Windows Server 2008, you can use
Active Directory Domain Services (AD DS) as the central repository for user, group, and computer
accounts as well as for shared folders and printers. Having the ability to manage these resources
from any domain controller within your domain allows you to greatly reduce your administrative
When you break it down, Active Directory is a type of database, but one built as a “directory.” The
difference between a relational database and a directory is that the former is optimized for updating, while the latter is optimized for reading. In this manner, Active Directory was developed with
the understanding that the objects contained within the directory would not be changing often, but
would be used for users, computers and administrators to control, manage, and discover the organization’s resources.
One of Active Directory's most basic functions is that it provides a centralized repository for
user account information. When an administrator creates a user account, the account information
is held on a domain controller within the domain in which the user resides. All of the domain controllers within the domain will receive an identical copy of the user account so that the user is able
to authenticate using any domain controller in the domain.
Any changes to the user account are made on one of the domain controllers and then sent to every
other domain controller within the domain. This transfer of data is called replication. Replication of
information can be a burden on the network, especially in environments with several thousand users,
groups, computers, and other objects. To alleviate the replication burden on the network, Active
Directory replicates only the attributes that have been changed, and not the entire object.
To get a good understanding of how Active Directory works, you must first understand what
the schema is and the role it plays in the directory service. The following section will outline the
major roles of the schema.
The schema (i.e., a structured framework or plan) acts as the building blocks of Active Directory,
much like DNA molecules are the building blocks for our bodies. Just as our DNA holds all of the
49833c01.fm Page 5 Monday, May 12, 2008 3:38 PM
information necessary to build our leg, ears, hair, ear hair, etc., the schema holds all of the information needed to create users, groups, computers, and so on within Active Directory. The schema
defines how each attribute can be used and the properties associated with the attribute. Take, for
instance, a child’s toy that we have grown up with: LEGOs. When you first take a look at LEGO
bricks, you see hundreds of tiny pieces that really don’t seem to represent anything. Some are short,
some are long, and some are special shapes. These are the individual pieces, or building blocks, that
will go into creating the buildings, cars, airplanes, and dioramas.
The Active Directory schema is pretty much the same thing. If you look within the Active Directory
Schema snap-in you will see hundreds of entries that are used when creating objects within Active
Directory. As you expand the Active Directory Schema section of the tool, shown in Figure 1.1, you will
see the window that contains classes and attributes. The entries known as attributes allow you to create
new objects or modify existing objects within your directory.
To add the Active Directory Schema snap-in to a Microsoft Management Console (MMC), you
will first need to register the dynamic link library. To do so, open the Run line or use a command
prompt on the domain controller and type in regsvr32 schmmgmt.dll.
To standardize Active Directory, the schema defines the attributes that can be used when creating
objects. Unlike our LEGO bricks, however, these attributes are defined only once and can be used
for any object. Defining the attribute once and using it for multiple objects allows for a standardized
approach of defining objects, especially when searching for the attribute. Take the name attribute,
for example; whenever an object uses the name attribute you know that the name has to be at least
one character in length and cannot exceed 255 characters. You would know this because of the syntax and rules that are applied to the attribute.
The Properties page of the name attribute is shown in Figure 1.2. There is a lot of information
within this page, but right now we are interested only in the Syntax and Range area. Notice that the
attribute is a Unicode string that has to be at least one character in length and cannot exceed 255
characters. Each attribute within the schema is defined in such a manner, although the syntax for
each of the attributes could be different.
49833c01.fm Page 6 Monday, May 12, 2008 3:38 PM
ACTIVE DIRECTORY FUNDAMENTALS
The properties for Bad-Pwd-Count are shown In Figure 1.3. This is another attribute that makes up
a user object. Notice that the X.500 Object Identifier (OID) is different from that of the name attribute.
Each attribute within the schema has to have a unique OID. These are registered and maintained by
the Internet Assigned Numbers Authority (IANA). Once assigned, the OID should not be used by
any other attribute. Within Active Directory, the default attributes are already assigned OIDs, and
those OIDs are protected in a way that will not allow another application to overwrite them.
New attributes will need to be assigned an OID. If you are adding an attribute for use in an
object, you should register it with the IANA to safeguard the attribute and to make sure that it does
not step on any other attributes. Registration is free, and as long as your OID is unique, you should
be issued an OID for your attribute. The attributes that Microsoft uses are all within their own OID
range, which starts with 1.2.840.113556. For a complete list of the registered OIDs, visit http://
asn1.elibel.tm.fr/oid/index.htm and perform a search on the OID. If you have registered an
OID, it will appear in this database once the entry is added.
49833c01.fm Page 7 Monday, May 12, 2008 3:38 PM
Within an attribute’s properties, you will find several check boxes that you can select. Each of
them is described in the following list:
Attribute Is Active You can deactivate attributes that you no longer need within Active Directory. Note that the default attributes cannot be deactivated, nor can attributes that are still in use
within an object.
Index This Attribute If this is an attribute on which you are going to allow searches, you may
want to index the attribute to increase the search responsiveness.
Ambiguous Name Resolution (ANR) When you select this option, you allow a Lightweight
Directory Access Protocol (LDAP)–based client to resolve a request when only partial data is
Replicate This Attribute to the Global Catalog Not every attribute needs to reside within the
global catalog. The rule of thumb is, if you need to locate an object based on an attribute or if the
object’s attribute is needed within another domain, you should add it. Otherwise, to reduce the total
size of the domain partition you should not add in any superfluous attributes.
Attribute Is Copied When Duplicating a User When you copy a user account, several attributes
are copied from the original account to the new account. If you want the attribute to copy, select the
box. Do note that many attributes are unique to a user, so select this option with care.
Index This Attribute for Containerized Searches If you select this option, the attribute can be
indexed for searches within containers, such as organizational units (OUs), in Active Directory.
An object class is a defined grouping of attributes that make up a unique resource type. One of the
most common object classes is the user class. Use the user object class as the template for a user
account. When you create a user account, the attributes that are defined for the user object class are
used to define the new account. Information that you populate within the Add User wizard or enter
within the dsadd command line become the properties within the attributes.
If we go back for a minute to the LEGO metaphor, you can use some of the brown blocks available to create a roof on a house, some red bricks to make the walls, and tan bricks to make a door.
The clear pieces can be used as windows and the white pieces form the porch. Each of these individual items (the bricks, the color of the bricks, the shape of the bricks, and the placement of the
bricks) is considered an attribute. Putting these attributes together forms the object class “house.”
When you build your first house, you have built your first object. Subsequent houses will have the
same attributes, but you may build the porch with tan pieces instead of white ones.
So, when I create a user account for Maria, that user account will have unique values stored within
the attributes for her user account. Bob’s user account will be created using identical attributes, but
will not have the same values within each attribute. Maria’s phone number may be 555.1234, and
Not all of the attributes that make up an object class are shown within the administrative tools.
Many of them hide behind the scenes and will rarely, if ever, need to be changed. One such attribute
is the user’s Security Identifier or SID. The user’s SID will change when a user is moved from one
domain to another, but will not change while the user remains within a domain. The Active Directory Users and Computers management tool does not have the ability to change this attribute. A
default set of attribute fields appears within the utilities, and if you decide to make an attribute
available for updating, you may need to programmatically add the fields to the utilities.