Active Directory 2008 R2 Updates

  • Slide notes (Active Directory tour demonstration, using the Quest ActiveRoles cmdlets):
    Install - http://www.quest.com/activeroles-server/arms.aspx
    Run -
    Add-PSSnapin quest.activeroles.admanagement
    Get-QADUser -ou zhrdomain.co.il/Demo
    Get-QADUser -ou zhrdomain.co.il/demo | Set-QADUser -City TLV | Format-Table name,city
    New-QADUser -ou zhrdomain.co.il/demo -name 'Amit Gatenyo' -LogonName 'amit.g' -City TLV -Description 'Have a great day'
    Get-QADUser -ou zhrdomain.co.il/demo | Export-Csv DemoOU.csv
    Import-Csv DemoOU.csv | ForEach-Object { New-QADUser -ou zhrdomain.co.il/demo -name $_.Name -Description $_.Description -City $_.City }

Transcript

  • 1. Active Directory Windows Server 2008 R2 Updates
    Amit Gatenyo
    Infrastructure & Security Manager, Dario
    Microsoft Regional Director – Windows Server & Security
    054-2492499
    Amit.g@dario.co.il
  • 2. Session Objectives And Takeaways
    Describe Active Directory features in Windows Server 2008 R2
    Discuss the importance of these features to our customers
    Demonstrate how some of these features will benefit our customers
  • 3. Agenda
    What’s new in Active Directory for Windows Server 2008 R2?
    PowerShell Cmdlets
    Active Directory Administrative center
    Best Practice Analyzer
    Recycle Bin for AD
    Managed Service accounts
    Offline Domain Join
    Authentication Assurance
    Health Model and Management Packs
    Active Directory Tour demonstration
    Conclusion
  • 4. PowerShell for AD: Command line scripting for administrative, configuration and diagnostic tasks
    Past limitations
    30+ command line tools for administering AD are not consistent in their usage
    Difficult to compose these tools to achieve complex tasks
    Feature takeaway
    85+ AD cmdlets for comprehensive AD DS and AD LDS administration and configuration
    Communicates using Web Service protocols
    Can be used to manage Windows Server 2008 and 2003 domain controllers, using future AD Web Service download
  • 5. Powershell Advantages
    Consistent vocabulary and syntax
    Predictable discovery
    Flexible output formatting
    Cmdlets can be easily composed (pipe) to build complex operations
    End-to-End manageability with Exchange, Group Policy, etc
  • 6. PowerShell Provider Model
    Provides sessions, server context, security context and path context
    Enables best practices sharing across connections
    Combination of cmdlets & provider means familiar model for users
    Perform operations in AD that are similar to the file system or registry, such as rename, move, etc
  • 7. Get-Command -CommandType Cmdlet *-AD*
    Add-ADComputerServiceAccount
    Add-ADDomainControllerPasswordReplicationPolicy
    Add-ADFineGrainedPasswordPolicySubject
    Add-ADGroupMember
    Add-ADPrincipalGroupMembership
    Clear-ADAccountExpiration
    Disable-ADAccount
    Disable-ADOptionalFeature
    Enable-ADAccount
    Enable-ADOptionalFeature
    Get-ADAccountAuthorizationGroup
    Get-ADAccountResultantPasswordReplicationPolicy
    Get-ADComputer
    Get-ADComputerServiceAccount
    Get-ADDefaultDomainPasswordPolicy
    Get-ADDomain
    Get-ADDomainController
    Get-ADDomainControllerPasswordReplicationPolicy
    Get-ADDomainControllerPasswordReplicationPolicyUsage
    Get-ADFineGrainedPasswordPolicy
    Get-ADFineGrainedPasswordPolicySubject
    Get-ADForest
    Get-ADGroup
    Get-ADGroupMember
    Get-ADObject
    Get-ADOptionalFeature
    Get-ADOrganizationalUnit
    Get-ADPrincipalGroupMembership
    Get-ADRootDSE
    Get-ADServiceAccount
    Get-ADUser
    Get-ADUserResultantPasswordPolicy
    Install-ADServiceAccount
    Move-ADDirectoryServer
    Move-ADDirectoryServerOperationMasterRole
    Move-ADObject
    New-ADComputer
    New-ADFineGrainedPasswordPolicy
    New-ADGroup
    New-ADObject
    New-ADOrganizationalUnit
    New-ADServiceAccount
    New-ADUser
    Remove-ADComputer
    Remove-ADComputerServiceAccount
    Remove-ADDomainControllerPasswordReplicationPolicy
    Remove-ADFineGrainedPasswordPolicy
    Remove-ADFineGrainedPasswordPolicySubject
    Remove-ADGroup
    Remove-ADGroupMember
    Remove-ADObject
    Remove-ADOrganizationalUnit
    Remove-ADPrincipalGroupMembership
    Remove-ADServiceAccount
    Remove-ADUser
    Rename-ADObject
    Reset-ADServiceAccountPassword
    Restore-ADObject
    Search-ADAccount
    Set-ADAccountControl
    Set-ADAccountExpiration
    Set-ADAccountPassword
    Set-ADComputer
    Set-ADDefaultDomainPasswordPolicy
    Set-ADDomain
    Set-ADDomainMode
    Set-ADFineGrainedPasswordPolicy
    Set-ADForest
    Set-ADForestMode
    Set-ADGroup
    Set-ADObject
    Set-ADOrganizationalUnit
    Set-ADServiceAccount
    Set-ADUser
    Uninstall-ADServiceAccount
    Unlock-ADAccount
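As an added example (not the deck's code), the cmdlets listed above composed in one pipeline: an inactive-account review that reports enabled users with no logon for 90 days and quarantines them. The OU paths and the 90-day threshold are constructed values.

```powershell
# Added example, not from the deck: an inactive-account review built from the
# Windows Server 2008 R2 ActiveDirectory module. OU paths and the threshold
# are constructed values; adjust them for your forest.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Demo,DC=zhrdomain,DC=co,DC=il'       # constructed
$QuarantineOU = 'OU=Disabled,DC=zhrdomain,DC=co,DC=il'   # constructed
$StaleAfter   = [TimeSpan]::FromDays(90)

function Disable-StaleUser {
    # SupportsShouldProcess gives the function -WhatIf/-Confirm, so the whole
    # pipeline can be rehearsed before any object is touched.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [Microsoft.ActiveDirectory.Management.ADUser] $User,
        [Parameter(Mandatory = $true)] [string] $TargetPath
    )
    process {
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'disable and move to quarantine OU')) {
            $stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') - inactive > $($StaleAfter.Days) days"
            Set-ADUser -Identity $User -Description $stamp
            Disable-ADAccount -Identity $User
            Move-ADObject -Identity $User -TargetPath $TargetPath
        }
    }
}

# Search-ADAccount does the lastLogonTimestamp math on the DC; -UsersOnly skips
# computer accounts. Get-ADUser then pulls the attributes the report needs.
$stale = Search-ADAccount -AccountInactive -TimeSpan $StaleAfter -UsersOnly -SearchBase $SearchBase |
         Where-Object { $_.Enabled } |
         Get-ADUser -Properties LastLogonDate, PasswordNeverExpires, Description

# Report first: dormant accounts whose password never expires deserve a closer look.
$stale | Sort-Object LastLogonDate |
    Format-Table SamAccountName, LastLogonDate, PasswordNeverExpires, Description -AutoSize

# Rehearse with -WhatIf; drop it to apply (each change is then audited by the DC).
$stale | Disable-StaleUser -TargetPath $QuarantineOU -WhatIf
```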
  • 8. Administrative Center for AD: Increase the productivity of IT Pros by providing a scalable, task-oriented UX for managing Active Directory
    Past limitations
    Non task-oriented UI causes customer pain
    Example: resetting user passwords
    Representation in MMC not scalable for large datasets
    Feature takeaway
    Tasks executed through PowerShell Cmdlets
    Task oriented administration model, with support for larger datasets
    Consistency between CLI and UI management capabilities
    Navigation experience designed to support multi-domain, multi-forest environments
  • 9. Progressive disclosure
    Task oriented
    Powershell based instrumentation
    Multi-Domains/Multi-Forests
  • 10. Best Practice Analyzer: Identify deviations from best practices to help our customers better manage their Active Directory deployments
    Past limitations
    No easy and automated validation of AD configuration against best practices
    Feature takeaway
    Analyzes AD settings that cause most unexpected behavior in customer environments
    Leverages PowerShell cmdlets to gather run-time data
    Makes recommendations in the context of the deployment
    Available through Server Manager BPA runtime tool
  • 11. Best Practice Analyzer first set of scenarios
    Version 1.0 of the BPA focuses mostly on common DNS issues
    Checking SRV records for DC are registered with its DNS Server
    A/AAAA records of a DC are registered with its DNS Server
    DC has a valid host name
    Schema Naming Master and Domain Naming Master FSMO are recommended to be on same machine
    RID and PDC recommended to be on same machine
    Each domain is recommended to have at least two DCs
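The slide's scenarios scripted by hand, as an added example that is neither the deck's code nor the Server Manager BPA: FSMO co-location, DC count per domain, and SRV and A/AAAA registration for each DC. It assumes the ActiveDirectory module and nslookup.exe (Resolve-DnsName does not exist on Windows Server 2008 R2).

```powershell
# Added example, not the deck's code nor the Server Manager BPA: the slide's
# checks scripted by hand. Assumes the ActiveDirectory module and nslookup.exe
# (Resolve-DnsName does not exist on Windows Server 2008 R2).
Import-Module ActiveDirectory

function Test-ADPlacementAndDns {
    $findings = @()
    $forest = Get-ADForest

    # Schema Master and Domain Naming Master are recommended on the same DC.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += "Forest: Schema Master $($forest.SchemaMaster) and Domain Naming Master $($forest.DomainNamingMaster) differ"
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName

        # RID Master and PDC Emulator are recommended on the same DC.
        if ($domain.RIDMaster -ne $domain.PDCEmulator) {
            $findings += "$($domainName): RID Master $($domain.RIDMaster) and PDC Emulator $($domain.PDCEmulator) differ"
        }

        # At least two writable DCs per domain.
        $dcs = @($domain.ReplicaDirectoryServers)
        if ($dcs.Count -lt 2) { $findings += "$($domainName): only $($dcs.Count) writable DC(s)" }

        # SRV registration: every DC should be listed under _ldap._tcp.dc._msdcs.<domain>.
        $srv = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainName" 2>$null) -join "`n"

        foreach ($dc in $dcs) {
            if ($srv -notmatch [regex]::Escape($dc)) {
                $findings += "$($dc): no SRV record under _ldap._tcp.dc._msdcs.$domainName"
            }
            # A/AAAA registration: the host name must resolve to the address AD holds for the DC.
            try {
                $resolved = [System.Net.Dns]::GetHostAddresses($dc) | ForEach-Object { $_.IPAddressToString }
                $known = (Get-ADDomainController -Identity $dc).IPv4Address
                if ($known -and ($resolved -notcontains $known)) {
                    $findings += "$($dc): DNS answers $($resolved -join ',') but AD holds $known"
                }
            } catch {
                $findings += "$($dc): lookup failed ($($_.Exception.Message))"
            }
        }
    }
    if ($findings.Count -eq 0) { 'No deviations found' } else { $findings }
}

Test-ADPlacementAndDns
```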
  • 12. Windows Server 2008 vs. Windows Server 2008 R2 additions (architecture diagram; the slide shows a client-side and a server-side stack)
    Client, Windows Server 2008: GUI (ADUC/ADSS/ADDT over MMC), CLI (WSH, ADSI, .NET), talking LDAP and DS RPC-based protocols (DSR, SAM)
    Client, Windows Server 2008 R2 additions: ADMUX and BPA (GUI, MUX, WPF), AD PS (CLI, .NET), talking WCF
    Server, Windows Server 2008 R2 additions: AD Web Service (.NET, WCF, S.DS.P/S.DS.AM/S.DS.AD) in front of the AD Core, alongside the existing LDAP and DS RPC-based protocols (DSR, SAM)
  • 13. Recycle Bin for AD: Customer can undo an accidental deletion in Active Directory
    Past limitations
    Accidental object deletion causes business downtime – deleted users cannot logon or access corporate resources
    Accidental deletions are the number one cause of AD Disaster Recovery scenarios
    Feature takeaway
    Recycle bin for AD DS and AD LDS objects
    Feature enabled with a new forest functional level
    Requires all DCs in the forest to be Windows Server 2008 R2 DCs
    For AD LDS, all replicas must be running in a new ‘application mode’
  • 14. Recycle Bin for AD: Object Life-cycle (diagram)
    Windows Server 2008: Live Object -> Tombstone Object (180 days) -> Garbage collection. LDAP control OID 1.2.840.113556.1.4.417 returns tombstones.
    Windows Server 2008 R2 with Recycle Bin enabled (if not enabled, behavior is similar to Windows Server 2008): Live Object -> Deleted Object (180 days) -> Recycled Object (180 days) -> Garbage collection. LDAP control OID 1.2.840.113556.1.4.417 returns Deleted objects; LDAP control OID 1.2.840.113556.1.4.2064 returns Deleted and Recycled objects.
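Slides 13 and 14 in practice, as an added example (not the deck's code): the forest-level prerequisite check, the one-way enablement of the Recycle Bin, and recovery of a deleted user before it reaches the Recycled state. The account name is a constructed value.

```powershell
# Added example, not from the deck: check the prerequisite, enable the Recycle
# Bin once, then recover a deleted user. Account name is a constructed value.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Slide 13: the feature needs the Windows Server 2008 R2 forest functional level.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first"
}

# Enabling is one-way: the feature cannot be switched off again afterwards.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

function Restore-DeletedUser {
    param([Parameter(Mandatory = $true)] [string] $SamAccountName)
    # Deleted objects sit under CN=Deleted Objects and are hidden unless asked for.
    $obj = Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
               -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $obj) {
        # Slide 14: after the deleted-object lifetime the object is recycled, loses
        # its attributes (this one included) and can no longer be restored.
        throw "No restorable deleted object for $SamAccountName; it may be recycled or collected"
    }
    # If the original OU was deleted as well, restore it first (or pass -TargetPath).
    $parentDn = $obj.lastKnownParent
    if (-not (Get-ADObject -Filter { distinguishedName -eq $parentDn })) {
        throw "Original container $parentDn is gone; restore it first or choose a TargetPath"
    }
    Restore-ADObject -Identity $obj.ObjectGUID
    # Attributes and linked values (group memberships) come back with the object.
    Get-ADUser -Identity $SamAccountName -Properties MemberOf, whenChanged
}

Restore-DeletedUser -SamAccountName 'amit.g'   # constructed account name
```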
  • 15. Managed Service Accounts: Simple management of service accounts
    Past limitations
    Management of individual accounts for services is cumbersome
    Periodic maintenance often causes outages
    Example: resetting service account password
    Feature takeaway
    A manageable solution that addresses isolation needs for services
    Better SPN management in Win7 Domain Functional Mode
    Lower TCO from reduced service outages (for manual password resets and related issues)
    One Managed Service Account per Service per box
    No human intervention for password management!
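Provisioning one Managed Service Account end to end, as an added example that is not the deck's code: steps 1 and 2 run from an administrative machine with the module, steps 3 and 4 on the member server itself. Account, host, SPN and service names are constructed values, and the service is reconfigured through Win32_Service.Change rather than sc.exe so that the empty password is passed reliably.

```powershell
# Added example, not from the deck: provisioning a Windows Server 2008 R2 Managed
# Service Account. Steps 1-2 run from an admin box, steps 3-4 on the member
# server. Names, SPN and service are constructed values.
Import-Module ActiveDirectory

$MsaName  = 'svc_web'                      # constructed; AD stores it as svc_web$
$HostName = 'WEB01'                        # constructed member server
$Spn      = 'HTTP/web01.zhrdomain.co.il'   # constructed
$Service  = 'MyWebService'                 # constructed Windows service name

# 1. Create the account. No password is ever typed or known to a person.
New-ADServiceAccount -Name $MsaName -Enabled $true -Description "Runs $Service on $HostName"
Set-ADServiceAccount -Identity $MsaName -ServicePrincipalNames @{ Add = $Spn }

# 2. Bind it to exactly one computer (slide 15: one MSA per service per box).
Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $MsaName

# 3. On WEB01: install the account so the host can fetch the password from a DC;
#    from then on it rotates automatically, like a computer account password.
Install-ADServiceAccount -Identity $MsaName

# 4. Run the service as the MSA. The password is left empty because the LSA
#    retrieves it; the account still needs the 'Log on as a service' right.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Service'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, "ZHRDOMAIN\$MsaName`$", '')
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($rc.ReturnValue)" }
Restart-Service -Name $Service

# Verify the binding and that the password is being rotated by the system.
Get-ADServiceAccount -Identity $MsaName -Properties PasswordLastSet, HostComputers |
    Format-List Name, Enabled, PasswordLastSet, HostComputers
```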
  • 16. Offline Domain Join: Enable easier provisioning of machines in the data center
    Past limitations
    Reboot needed after domain join
    Inability to prepare the machine to be domain joined while offline
    Feature takeaway
    Ability to pre-provision machine accounts in the domain to prepare OS images for mass deployment
    Machines are domain joined on initial boot
    Reduces steps and time needed to deploy in the data center
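The pre-provisioning flow from slide 16 with djoin.exe, as an added example that is not the deck's code: the blobs are created on a domain-joined administrative machine and later injected into an offline image or a not-yet-joined OS. Domain, OU, host names and the blob directory are constructed values.

```powershell
# Added example, not from the deck: Offline Domain Join with djoin.exe. Step 1
# runs on a domain-joined admin box; step 2 is applied to the offline image or
# target OS, which never needs to reach a DC. All names are constructed values.
$Domain    = 'zhrdomain.co.il'
$MachineOU = 'OU=Datacenter,DC=zhrdomain,DC=co,DC=il'
$BlobDir   = 'C:\odj'
New-Item -ItemType Directory -Path $BlobDir -Force | Out-Null

function New-OdjBlob {
    param([Parameter(Mandatory = $true)] [string] $Machine)
    $blob = Join-Path $BlobDir "$Machine.txt"
    # /provision pre-creates the computer account in AD and writes the join blob.
    djoin.exe /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed for $Machine (exit code $LASTEXITCODE)" }
    $blob
}

# Step 1: pre-provision a batch of hosts ahead of the image deployment.
$blobs = 'WEB01', 'WEB02', 'SQL01' | ForEach-Object { New-OdjBlob -Machine $_ }

# Step 2a, on the deployment station with the offline image mounted at D:\ :
# the machine then boots already joined, with no post-join reboot.
#   djoin.exe /requestODJ /loadfile C:\odj\WEB01.txt /windowspath D:\Windows
# Step 2b, on the target itself from its running OS (takes effect at next boot):
#   djoin.exe /requestODJ /loadfile C:\odj\WEB01.txt /windowspath $env:SystemRoot /localos

# The blob carries the machine account password: keep the directory to
# Administrators only, and delete each blob once it has been consumed.
$acl = Get-Acl -Path $BlobDir
$acl.SetAccessRuleProtection($true, $false)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $BlobDir -AclObject $acl
$blobs
```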
  • 17. Authentication Assurance: Applications can control resource access based on authentication strength and method
    Past limitations
    Customers cannot use authentication type or authentication strength to protect corporate data
    Example: control access to resources based on claims such as use of a smartcard for logon or the certificate using 2048-bit encryption
    Feature takeaway
    Administrators can map various properties, including authentication type and authentication strength to an identity
    Based on information during authentication, these identities are added to Kerberos tickets for use by applications
    Feature is enabled with a new domain functional level
    All domain controllers in the domain need to be Windows Server 2008 R2 DCs
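The administrator-side mapping the slide describes, as an added example that is not the deck's code: a certificate issuance policy OID is linked to an empty universal security group through the msDS-OIDToGroupLink attribute, after which users who log on with a certificate carrying that policy get the group's SID in their Kerberos tickets. The OID and group name are constructed values; the OID must be the issuance policy configured on the smart-card certificate template.

```powershell
# Added example, not from the deck: wiring Authentication Assurance by linking a
# certificate issuance policy OID to a universal security group. The OID and the
# group name are constructed; take the real OID from the certificate template.
Import-Module ActiveDirectory

$Domain      = Get-ADDomain
$IssuanceOid = '1.3.6.1.4.1.311.21.8.1234567.1'   # constructed placeholder OID
$GroupName   = 'SmartCard-Assured-Logon'           # constructed

# Slide 17: needs the Windows Server 2008 R2 domain functional level.
if ($Domain.DomainMode -ne 'Windows2008R2Domain') { throw "Domain mode is $($Domain.DomainMode)" }

# The group must be a universal security group and must stay empty: membership
# is added by the DC at logon, only when the certificate carries the policy.
$group = Get-ADGroup -Filter { name -eq $GroupName }
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                 -Path "CN=Users,$($Domain.DistinguishedName)" -PassThru
}
if (@(Get-ADGroupMember -Identity $group).Count -gt 0) { throw "$GroupName must have no explicit members" }

# The issuance policy is an msPKI-Enterprise-Oid object in the configuration NC.
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$oidObj = Get-ADObject -SearchBase $oidContainer -Filter "msPKI-Cert-Template-OID -eq '$IssuanceOid'" `
              -Properties msDS-OIDToGroupLink
if (-not $oidObj) { throw "Issuance policy $IssuanceOid is not registered under $oidContainer" }

# Link policy -> group. Tickets of users who logged on with a matching
# certificate then carry this group's SID, so resource ACLs can key off it.
Set-ADObject -Identity $oidObj -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify from the group side through the back-link attribute.
Get-ADGroup -Identity $group -Properties msDS-OIDToGroupLinkBl |
    Select-Object Name, GroupScope, msDS-OIDToGroupLinkBl
```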
  • 18. Health Model: Enable IT administrators to better diagnose and resolve Active Directory issues
    Past limitations
    Diagnostic information is incomplete and inconsistent
    Feature takeaway
    Continued investment towards completing the health model
    A single authoritative source for information used in Management Packs, Best Practice Analyzer and online documentation
  • 19. Management Pack: Provide proactive monitoring of availability and performance of Active Directory
    Past limitations
    Current management pack lacks support for Windows Server 2008 and MOM 2007
    Feature takeaway
    Support for Windows Server 2008 domain controllers
    Multiple replication latency groups
    Ability to monitor multiple forests from a single management group
    Management pack for MOM 2007
  • 20. The journey to Windows Server 2008 R2
    Upgrading to Windows 7 client while keeping existing servers, you can use:
    Off-line domain join
    Once AD Web-service is available for existing servers, if you upgrade to Windows 7 client, you can use:
    AD Powershell and ADAC with all your servers
    Upgrading to Windows 7 client while installing one or more Windows Server 2008 R2 (one per domain), you can use:
    Managed service account
    If you change the domain functional level to Windows Server 2008 R2, you can use:
    Authentication Assurance
    Managed service account with an enhanced SPN management experience
    If you change the Forest functional level to Windows Server 2008 R2, you can use:
    AD Recycle-bin
  • 21. Thanks for listening!
    Amit Gatenyo
    Infrastructure & Security Manager, Dario
    Microsoft Regional Director – Windows Server & Security
    054-2492499
    Amit.g@dario.co.il