SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
DESCRIPTION
Windows Server 2008 R2 is here, with new tools and utilities for the directory service IT pro to help you manage and maximise the potential of your Active Directory. What's going to be your favourite new feature? Maybe it's the Best Practice Analyser, which will scan your infrastructure and point out both compliant and non-compliant aspects of your environment together with suggestions for improvements. Do you want tools to simplify your day-to-day management of AD? There's a new kid on the block, the Active Directory Administrative Center. Built on Windows PowerShell technology, it provides a rich GUI that lets you perform common Active Directory tasks through both data-driven and task-driven navigation. Not a GUI fan? Then R2 brings you more than 85 PowerShell cmdlets to manage, diagnose and automate AD tasks from the command line or from PowerShell scripts. Maybe your favourite will be the Recycle Bin, which lets you recover deleted objects while the directory is online, or offline domain join, which lets you streamline your deployments. There are more choices: come to this high-energy, fast-paced, demo-rich presentation and get all the details.
TRANSCRIPT
What's Windows Server 2008 R2 Going to Do for Your Active Directory?
John Craddock, Infrastructure & Security Architect, XTSeminars Ltd
Session Code: SIA319
Agenda
AD module for Windows PowerShell
AD Administrative Center
AD Best Practice Analyser
Managed Service Accounts
Offline domain join
Authentication mechanism assurance
AD Recycle Bin
Windows PowerShell for AD
PowerShell v2 includes an AD module
Comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks
Easy to compose and manage complex tasks
PowerShell drives for AD: simple navigation in AD DS, AD LDS and AD snapshots
Certain tasks can only be achieved through PowerShell
Example
Import-Module ActiveDirectory
New-ADUser -Name "Craddock John" -SamAccountName "jcraddock" `
  -AccountPassword (ConvertTo-SecureString -AsPlainText "Temp0Pwd0!" -Force) `
  -Enabled $true -ChangePasswordAtLogon $true -GivenName "John" -Surname "Craddock" `
  -UserPrincipalName "[email protected]" -Path "OU=Admins,OU=UK,DC=example,DC=com"
AD Web Services (ADWS)
ADWS is automatically installed with AD DS and AD LDS
Port 9389 must be open for remote administration
Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008
ADMG does not support instances mounted with the AD Database Mounting Tool
Diagram (ADWS architecture): the PowerShell cmdlets talk WS-* to ADWS on port 9389; ADWS in turn talks LDAP to AD (389) and the GC (3268), to AD LDS instances and to mounted AD snapshot instances.
AD Administrative Center
Task-oriented model
Progressive disclosure of data
Powerful searching
Simultaneously connect to other domains
Built on PowerShell Cmdlets
Best Practice Analyser
Compares the current configuration on a DC to best practice recommendations
Scan started via Server Manager or PowerShell
Results through UI and PowerShell output
Provides guidance, does not fix problems
Result severities: Error (red), Warning, Information
Quarterly updates
Collecting and Analysing Data
Diagram (BPA data flow): at BPA run time the AD DS BPA PowerShell script collects data into an XML results document, which is validated against an XML schema; the AD DS BPA rule set then analyses the document and, together with the AD DS BPA guidance, produces the AD DS BPA report.
Service Accounts
Using built-in accounts for services does not provide service isolation
What's the alternative?
Run the services using standard user accounts
How many of you change service account passwords on a regular basis?
Any problems?
Diagram: a service runs as the domain user account SRV1 with a password stored in the service configuration; whenever the domain account password changes, the password stored on the service must be updated as well.
Managed Service Accounts
Diagram (managed service account lifecycle, domain example.com, server SERVER1):
1. Created in the domain: New-ADServiceAccount svc1 (domain account name SVC1)
2. Installed on the server: Install-ADServiceAccount svc1
3. Configure the service to log on as example\svc1$ (append $ to the account name); no password is entered
4. The password can be reset with Reset-ADServiceAccountPassword svc1; otherwise the server resets it automatically based on "Max machine account password age"
Accounts must be created and managed through Windows PowerShell
Requirements & Caveats
Service / application requiring a managed account must be running on Windows 7 or 2008 R2
Requires AD Module for Windows PowerShell to be installed
Forest and domain must be prepared for 2008 R2: adprep /forestprep & adprep /domainprep
2008 R2 domain functional level adds SPN management
Managed accounts cannot be shared across multiple servers
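The four-step lifecycle above, as an added end-to-end script (not from the presentation). It assumes it runs on the Windows Server 2008 R2 host that will own the account, as a domain admin, with the forest prepared; the account name svc1, the service name MyApp and the domain example.com are constructed for the example, and the age check reads the Netlogon MaximumPasswordAge value that governs machine account password rotation.

```powershell
Import-Module ActiveDirectory

# Constructed names for this example.
$account = 'svc1'
$service = 'MyApp'
$domain  = 'example'

# 1. Create the account in the domain (an msDS-ManagedServiceAccount object, not a user).
New-ADServiceAccount -Name $account -Path 'CN=Managed Service Accounts,DC=example,DC=com'

# 2. Install it on this server: binds the account to this computer and stores the
#    password in the local LSA. An MSA cannot be installed on a second server.
Install-ADServiceAccount -Identity $account

# 3. Point the service at the account: trailing $ on the name, empty password.
#    The computer owns the password, so nothing is typed into the service configuration.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$service'"
if (-not $svc) { throw "Service '$service' not found on $env:COMPUTERNAME" }
$rc = $svc.Change($null, $null, $null, $null, $null, $null, "$domain\$account`$", '')
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed, return code $($rc.ReturnValue)" }
Restart-Service -Name $service

# 4. Verify the binding, then check the password has rotated within the machine account
#    password age (Netlogon MaximumPasswordAge in days; 30 when the value is absent).
$bound = Get-ADComputerServiceAccount -Identity $env:COMPUTERNAME | Where-Object { $_.Name -eq $account }
if (-not $bound) { throw "$account is not bound to $env:COMPUTERNAME" }
$msa     = Get-ADServiceAccount -Identity $account -Properties pwdLastSet
$lastSet = [DateTime]::FromFileTime($msa.pwdLastSet)
$maxAge  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').MaximumPasswordAge
if (-not $maxAge) { $maxAge = 30 }
if (((Get-Date) - $lastSet) -gt (New-TimeSpan -Days $maxAge)) {
    Write-Warning "$account password is older than $maxAge days; rotating it now"
    # Manual rotation: the service keeps running because LSA supplies the new password.
    Reset-ADServiceAccountPassword -Identity $account
}
```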
Offline Domain Joins
Allows Windows 7 or Windows Server 2008 R2 machines to be joined to a domain while offline
On start-up, the machine is already domain joined and there is no reboot requirement
Speeds up deployment of VMs and scripted installs
New section in unattended.xml supports offline domain joins
Simplifies domain joins to RODCs
Diagram (offline domain join workflow):
Provisioning: djoin /provision /domain example.com /machine ms1 /savefile ms1.txt creates the computer account object in the domain and saves the computer account metadata to ms1.txt (base-64 encoded; treat as security sensitive)
Offline VHD or physical system: djoin /requestODJ /loadfile <ms1.txt> /windowspath <Windows directory>; no reboot required
Online VHD or physical system: the same djoin /requestODJ command with /localos; requires a reboot
Unattended.xml: add the account metadata to the new offline domain join section
Windows 7 or 2008 R2 required both for the computers running djoin and for the computers being joined to the domain
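The provisioning and /requestODJ steps above wrapped into a batch script, as an added example that is not part of the presentation. It assumes it runs on a Windows 7 or 2008 R2 box as an account allowed to create computer objects; the domain example.com, the machine names ms1 to ms3 and the blob folder C:\ODJ are constructed, and the folder ACL and blob clean-up are this example's way of treating the metadata as security sensitive.

```powershell
Import-Module ActiveDirectory

# Constructed values for this example.
$domain   = 'example.com'
$machines = 'ms1', 'ms2', 'ms3'
$blobDir  = 'C:\ODJ'

if (-not (Test-Path $blobDir)) { New-Item -ItemType Directory -Path $blobDir | Out-Null }
# Lock the folder down before any blob lands in it: drop inherited ACEs, allow only this admin and SYSTEM.
& icacls.exe $blobDir /inheritance:r /grant:r "$env:USERDOMAIN\$env:USERNAME:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' | Out-Null

foreach ($name in $machines) {
    $blob = Join-Path $blobDir "$name.txt"
    # /provision creates the computer account and writes its base-64 metadata to the file.
    & djoin.exe /provision /domain $domain /machine $name /savefile $blob | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed for $name (exit code $LASTEXITCODE)" }
    # Confirm the account exists in the domain before handing the blob to deployment.
    $computer = Get-ADComputer -Identity $name -Properties whenCreated
    Write-Host ("{0}: account created {1}, blob {2}" -f $name, $computer.whenCreated, $blob)
}

# Consume a blob against an offline image (no reboot). For the running OS you would add /localos and reboot.
function Join-OfflineImage {
    param([string]$Blob, [string]$WindowsDir)   # e.g. D:\Windows on a mounted VHD
    & djoin.exe /requestODJ /loadfile $Blob /windowspath $WindowsDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit code $LASTEXITCODE)" }
    # The blob carries the computer account's password material: remove it once it has been used.
    Remove-Item $Blob
}
# Join-OfflineImage -Blob 'C:\ODJ\ms1.txt' -WindowsDir 'D:\Windows'
```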
Authentication Mechanism Assurance
Allows applications to control access to resources based on authentication strength
For example, only allow access to a resource if the user has been authenticated using a smart card
Requires Windows 2008 R2 domain functionality
Diagram: normal authentication gives restricted access; strong authentication gives full access.
Resource Access Control
When a certificate based logon method is used an administrator-designated universal group is added to the user’s Kerberos token
This group is then used to control access to resources
It is possible to add different groups based on the type of certificate used to logon
Access to resources can consequently be based on the certificate type
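An added audit script (not from the presentation) that lists the certificate-type-to-group mappings described above. It assumes the mappings are stored as the msDS-OIDToGroupLink attribute on the issuance policy objects under CN=OID,CN=Public Key Services,CN=Services in the configuration partition, that the policy OID is in msPKI-Cert-Template-OID, and that the designated group must be a universal security group; the "no direct members" check is this example's own sanity check, since a direct member would hold the group without strong authentication.

```powershell
Import-Module ActiveDirectory

# Enumerate issuance policies linked to a group and check the group is fit for
# authentication mechanism assurance (assumed attribute names, see lead-in).
function Get-AmaMapping {
    $configDN = (Get-ADRootDSE).configurationNamingContext
    $oidBase  = "CN=OID,CN=Public Key Services,CN=Services,$configDN"
    Get-ADObject -SearchBase $oidBase -LDAPFilter '(msDS-OIDToGroupLink=*)' `
        -Properties displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink |
    ForEach-Object {
        $group = Get-ADGroup -Identity $_.'msDS-OIDToGroupLink' -Properties member
        New-Object PSObject -Property @{
            Policy        = $_.displayName
            OID           = $_.'msPKI-Cert-Template-OID'
            Group         = $group.Name
            # The linked group must be a universal security group; anything else is a misconfiguration.
            GroupOK       = ($group.GroupScope -eq 'Universal' -and $group.GroupCategory -eq 'Security')
            # Membership should come only from the certificate logon, so expect zero direct members.
            DirectMembers = @($group.member).Count
        }
    }
}

Get-AmaMapping | Format-Table Policy, OID, Group, GroupOK, DirectMembers -AutoSize
```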
Recycle Bin for AD
Requires 2008 R2 forest functionality
PowerShell driven
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'forest'
Once enabled, cannot be disabled
Get-ADObject -LDAPFilter {} -IncludeDeletedObjects
Restore-ADObject -Identity <id>
Parent object must be restored in advance of child object
Restores all attributes, including linked attributes
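The parent-before-child rule above, worked through as an added example (not from the presentation) that restores a deleted OU and then everything that lived in it, recursing into nested containers. Constructed names: an OU "Admins" that sat under OU=UK,DC=example,DC=com; it assumes the Recycle Bin is enabled and the caller may restore objects, and it matches children on lastKnownParent by both the parent's live DN and its mangled deleted DN because the recorded value depends on the order in which the objects were deleted.

```powershell
Import-Module ActiveDirectory

# Restore one deleted object, then (recursively) the deleted objects that lived beneath it.
function Restore-DeletedSubtree {
    param(
        [Parameter(Mandatory = $true)][string]$Rdn,           # name before deletion, e.g. "Admins"
        [Parameter(Mandatory = $true)][string]$LiveParentDN,  # parent's DN as it is now (live)
        [string]$DeletedParentDN = ''                         # parent's DN while it was deleted, if any
    )
    # A deleted object is renamed "<name>\0ADEL:<guid>", so match on msDS-LastKnownRDN and
    # lastKnownParent. Rdn goes into the LDAP filter unescaped: fine for plain names like these.
    $hits = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$Rdn))" `
                 -IncludeDeletedObjects -Properties lastKnownParent |
              Where-Object { $_.lastKnownParent -eq $LiveParentDN -or $_.lastKnownParent -eq $DeletedParentDN })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one deleted '$Rdn' under $LiveParentDN, found $($hits.Count); restore by GUID"
    }
    $obj       = $hits[0]
    $mangledDN = $obj.DistinguishedName     # DN inside CN=Deleted Objects, captured before restoring
    Restore-ADObject -Identity $obj.ObjectGUID   # parent must be live before any child can come back
    $prefix = if ($obj.ObjectClass -eq 'organizationalUnit') { 'OU' } else { 'CN' }
    $liveDN = "$prefix=$Rdn,$LiveParentDN"
    Write-Host "restored $liveDN"

    # Children may record the parent by its live DN or by its mangled deleted DN; accept both.
    # Recursing means nested containers are restored before their own children.
    Get-ADObject -LDAPFilter '(isDeleted=TRUE)' -IncludeDeletedObjects `
        -Properties lastKnownParent, msDS-LastKnownRDN |
    Where-Object { $_.lastKnownParent -eq $liveDN -or $_.lastKnownParent -eq $mangledDN } |
    ForEach-Object {
        Restore-DeletedSubtree -Rdn $_.'msDS-LastKnownRDN' -LiveParentDN $liveDN -DeletedParentDN $mangledDN
    }
}

Restore-DeletedSubtree -Rdn 'Admins' -LiveParentDN 'OU=UK,DC=example,DC=com'
```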
No Recycle Bin
Re-animate API restores objects while on-lineMany attributes missing
Re-animation does not restore multi-valued linked attributes such as group membership
Diagram (no Recycle Bin): Delete turns the live object into a tombstone object with the majority of attributes deleted; after the tombstone lifetime (180 days) garbage collection purges it from the directory. Recovery is by re-animation while the tombstone exists or by an offline authoritative restore.
Recycle Bin Enabled
Diagram (Recycle Bin enabled): Delete turns the live object into a deleted object with all attributes retained, which can be undeleted online with all attributes restored; after the deleted object lifetime (180 days) it becomes a recycled object, and after the tombstone lifetime (180 days) garbage collection purges it from the directory.
Other Thoughts
Backups are valid for at most the smaller of the DOL and the TSL
Best practice recommendation: DOL = TSL
Anticipated database growth 5-10%
On deletion, regulatory compliance may not allow retention of a full copy of the deleted object
Permanently delete with Get-ADObject -LDAPFilter {} -IncludeDeletedObjects | Remove-ADObject
Want to Know More?
Come to my session SIA402: Online Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
Friday 13/11/2009, 13:00-14:15, Budapest - Hall 7-2b
The Path to Windows Server 2008 R2
Prep forest and domain for Windows 2008 R2
Windows 7 clients can be provisioned with offline domain joins against existing 2003/2008 infrastructure
Install Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers
Use AD PowerShell and ADAC running on Windows 7
Upgraded servers can use Managed Service Accounts
Functional Levels
Switches to R2 domain and forest functionality are reversible
Use PowerShell to reverse
Cannot be reversed once Recycle Bin is enabled
2008 R2 domain functionality is needed for: Authentication Mechanism Assurance; SPN management for Managed Service Accounts
2008 R2 forest functionality allows Recycle Bin to be enabled
What’s your Favourite?
AD module for Windows PowerShell
AD Administrative Center
AD Best Practice Analyser
Managed Service Accounts
Offline domain join
Authentication mechanism assurance
AD Recycle Bin
www.microsoft.com/teched - Sessions On-Demand & Community
http://microsoft.com/technet - Resources for IT Professionals
http://microsoft.com/msdn - Resources for Developers
www.microsoft.com/learning - Microsoft Certification & Training Resources
Resources
Related Content
Breakout Sessions:
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell V2
Interactive Theater Sessions:
SIA02-IS Active Directory: What's New in R2
Hands-on Labs:
WSV03-HOL Advanced Windows PowerShell Scripting
WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory
My Sessions at TechEd
Breakout Sessions:
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
Interactive Theater Sessions:
SVR08-IS End-to-End Remote Connectivity with DirectAccess
© 2009 Microsoft Corporation. All rights reserved.