Installation and Administration of AD_MVP Padman

  • Slide Title: Active Directory Administrative Center
    [BUILD2] Connect to one or several domains or domain controllers in the same Active Directory Administrative Center instance, and view or manage the directory information for those domains or domain controllers. You can also narrow what you see by using query-building search. Beyond these tasks, you can customize the enhanced Active Directory Administrative Center GUI to your particular requirements for directory service administration, which can improve your productivity and efficiency as you perform common Active Directory object management tasks.
    Slide Transition: Before we present our first demonstration, let's look at the environment in which we'll be working.
    Slide Comment: To send feedback on this slide, use the hyperlink on the feedback slide at the start and end of this deck.
    Additional Information: http://technet.microsoft.com/en-us/library/dd378856.aspx
  • Slide Title: Demonstration Environment
    Keywords: Demonstration Environment
    Key Message: Prior to starting the demonstration, let's go over the environment that the demonstration will be running in.
    Slide Builds: 0
    Slide Script: The demonstrations in this session use an environment of four machines named SEA-DC-01, SEA-CS-01, SEA-WRK-001, and SEA-WRK-002. SEA-DC-01 is a Windows Server 2008 R2 machine with the Active Directory Domain Services role installed; it also serves as the DNS server for all of the demonstrations that follow. The name of the domain is Contoso.com. The workstations SEA-WRK-001 and SEA-WRK-002, both running Windows 7, are used in the last demonstration; SEA-WRK-002 is not initially joined to the domain.
    Slide Transition: Now let's view the actual demonstration of the Active Directory Administrative Center.
  • Slide Title: Active Directory Recycle Bin
    Keywords: AD Recycle Bin, Windows Server 2008 R2
    Key Message: Accidental deletion of Active Directory objects is a common occurrence for users of Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
    Slide Builds: 2
    Slide Script: In Windows Server 2008 Active Directory domains, AD objects could be recovered from accidental deletion only from backups of AD DS taken by Windows Server Backup. The ntdsutil authoritative restore command could then be used to mark objects as authoritative so that the restored data replicated throughout the domain. The drawback of an authoritative restore was that it had to be performed in Directory Services Restore Mode (DSRM). While in DSRM, the domain controller being restored had to remain offline, so it could not service client requests.
    In Windows Server 2008 R2, after Active Directory Recycle Bin is enabled, all link-valued and non-link-valued attributes of deleted Active Directory objects are preserved, and the objects are restored in their entirety to the same consistent logical state they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, both within and across domains. Active Directory Recycle Bin works for both AD DS and AD LDS environments. It helps minimize directory service downtime by letting you preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers.
    When Active Directory objects are deleted, they are placed in the Deleted Objects container. By default, the CN=Deleted Objects container is not displayed. You can use the Ldp.exe administration tool in AD DS to display the Deleted Objects container and to restore a single deleted Active Directory object; for multiple restores, use the Windows PowerShell cmdlets of the Active Directory module.
    [BUILD1] By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, the AD DS requirements must be met and the forest functional level of your AD DS or AD LDS environment must be raised to Windows Server 2008 R2, which in turn requires all domain controllers in the forest, or all servers that host instances of an AD LDS configuration set, to be running Windows Server 2008 R2. If you perform a clean installation of a Windows Server 2008 R2 Active Directory forest, you do not need to run Adprep: the Active Directory schema already contains all the attributes that Active Directory Recycle Bin needs. If, however, you introduce a Windows Server 2008 R2 domain controller into an existing Windows Server 2003 or Windows Server 2008 forest and subsequently upgrade the rest of the domain controllers to Windows Server 2008 R2, you must run Adprep to update the schema with those attributes.
    [BUILD2] The process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
    Slide Transition: By using LDP.exe, let's see how the AD Recycle Bin can restore objects.
    Additional Information: http://technet.microsoft.com/en-us/library/dd391916.aspx
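    The procedure above, done with the Active Directory module instead of Ldp.exe, as an added example that is not part of the deck. It checks the forest functional level, enables the feature, lists the Deleted Objects container and restores a deleted OU together with its subtree, parent first, because a child cannot be restored while the object named in its lastKnownParent is still deleted. It assumes the contoso.com forest from the demonstration environment and a Windows Server 2008 R2 domain controller with the module installed; the OU name "Sales" is hypothetical.

```powershell
Import-Module ActiveDirectory

# Enabling the Recycle Bin needs the forest functional level at Windows Server
# 2008 R2, which in turn needs every DC on 2008 R2. Check first; the cmdlet
# fails otherwise.
$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); raise it first with Set-ADForestMode."
}

# The change is forest-wide and cannot be undone, which is why the cmdlet
# prompts. Skip the prompt (-Confirm:$false) only in a script reviewed for it.
$feature = Get-ADOptionalFeature -Filter {Name -eq 'Recycle Bin Feature'}
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# Contents of CN=Deleted Objects. -IncludeDeletedObjects is mandatory; the
# container object itself is filtered out of the listing.
function Get-DeletedObjects {
    Get-ADObject -Filter {isDeleted -eq $true -and name -ne 'Deleted Objects'} `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, ObjectGUID, lastKnownParent, whenChanged
}

# Restore everything that sat directly under a given DN, recursing into OUs
# and containers. Children record the parent's pre-deletion DN in
# lastKnownParent, so the parent must already be back under that DN.
function Restore-DeletedChildren {
    param([Parameter(Mandatory = $true)][string]$ParentDN)
    $children = Get-ADObject -Filter {isDeleted -eq $true -and lastKnownParent -eq $ParentDN} `
        -IncludeDeletedObjects
    foreach ($child in $children) {
        Restore-ADObject -Identity $child.ObjectGUID
        $live = Get-ADObject -Identity $child.ObjectGUID
        Write-Host "  restored $($live.ObjectClass) $($live.DistinguishedName)"
        if (@('organizationalUnit', 'container') -contains $live.ObjectClass) {
            Restore-DeletedChildren -ParentDN $live.DistinguishedName
        }
    }
}

# Restore a deleted OU by its original relative name, then its subtree.
# If the OU's own parent is also deleted, Restore-ADObject fails here:
# restore that parent first.
function Restore-DeletedOU {
    param([Parameter(Mandatory = $true)][string]$OUName)
    $found = @(Get-ADObject -Filter {isDeleted -eq $true -and objectClass -eq 'organizationalUnit' -and msDS-LastKnownRDN -eq $OUName} `
        -IncludeDeletedObjects)
    if ($found.Count -eq 0) { throw "No deleted OU named '$OUName'." }
    if ($found.Count -gt 1) { throw "Several deleted OUs named '$OUName'; restore by ObjectGUID instead." }
    Restore-ADObject -Identity $found[0].ObjectGUID
    $live = Get-ADObject -Identity $found[0].ObjectGUID
    Write-Host "restored $($live.DistinguishedName)"
    Restore-DeletedChildren -ParentDN $live.DistinguishedName
}

Get-DeletedObjects | Format-Table -AutoSize
Restore-DeletedOU -OUName 'Sales'   # hypothetical OU from the lead-in
```

    Restored objects come back with their group memberships because the linked attributes were preserved; the only manual step left is re-enabling the "protect from accidental deletion" flag on the OU if it was cleared in order to delete it.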
  • Slide Title: Best Practices Analyzer
    Keywords: Best Practices Analyzer, Windows Server 2008 R2
    Key Message: Administrators can filter or exclude results from BPA reports that they don't need to see.
    Slide Builds: 5
    Slide Script: In Windows management, best practices are guidelines that are considered the ideal way, under normal circumstances, to configure a server, as defined by experts. Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server 2008 R2 for Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), DNS Server, and Terminal Services.
    [BUILD1] BPA is installed by default on all editions of Windows Server 2008 R2; there is no need to install additional tools or packages to use it. However, to run BPA scans of multiple roles at one time and to perform BPA tasks from the command line, the computer on which you run BPA must also be running Windows PowerShell. Server Manager in Windows Server 2008 R2 includes a BPA engine that can run the AD DS BPA service.
    [BUILD2] The AD DS BPA scan verifies the following AD DS configuration settings:
    Domain Name System (DNS)-related rules
    Operations master role connectivity and ownership rules
    Number of controllers in the domain rule, which verifies that the domain has at least two functioning domain controllers
    Required services-related rules
    Replication configuration rules
    Windows Time service (W32time) configuration rules
    A virtual machine (VM) configuration rule, which detects whether the domain controller is running on Hyper-V and provides best practice guidelines for running AD DS in a VM environment
    [BUILD3] As the AD DS BPA service scans, the BPA run time uses the AD DS BPA Windows PowerShell script to collect AD DS configuration data and stores it in an XML document. The BPA run time then validates the XML document against the XML schema, which defines the format of the document that the script produces and follows the logical structure of the directory.
    [BUILD4] The BPA run time then applies the AD DS BPA rules, which define the best-practice configuration for an AD DS environment, to the XML document.
    [BUILD5] From there, the AD DS BPA guidance, information that helps administrators adjust their AD DS environment to comply with the best-practice configuration, is used to produce the AD DS BPA report. Best practice violations, even critical ones, are not necessarily problems in themselves, but they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risk, or other potential problems.
    Slide Transition: In the following demonstration, an AD DS BPA scan shows an administrator how the scan is performed.
    Additional Information: http://go.microsoft.com/fwlink/?LinkId=134007 and http://technet.microsoft.com/en-us/library/dd378893.aspx
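    The scan and the filtering the key message refers to, from Windows PowerShell, as an added example that is not part of the deck. It runs the AD DS model locally, keeps only results that are not informational, excludes one reviewed finding from the report, and repeats the scan on SEA-DC-01 through PowerShell remoting. It assumes Windows Server 2008 R2 with the BestPractices module; the title pattern used to pick out the "at least two domain controllers" finding is an assumption about that rule's wording.

```powershell
Import-Module BestPractices

# The AD DS model. Get-BPAModel with no arguments lists every model installed.
$modelId = 'Microsoft/Windows/DirectoryServices'
if (-not (Get-BPAModel | Where-Object { $_.Id -eq $modelId })) {
    throw "BPA model $modelId is not installed; is the AD DS role present?"
}

# Run the scan: the model's PowerShell script collects configuration into an
# XML document, the run time validates it against the schema and applies the
# rules. The model ID is passed positionally because the parameter name
# differs between the 2008 R2 module and later versions.
Invoke-BPAModel $modelId | Out-Null

# Only findings that need attention; Information results are passed checks.
function Get-ADDSBpaFindings {
    Get-BPAResult $modelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded }
}
Get-ADDSBpaFindings |
    Select-Object Severity, Category, Title, Problem, Resolution |
    Format-List

# Exclude a finding that has been reviewed and accepted (for instance the
# single-DC rule in a lab). Excluded results stay in the result store and can
# be brought back with Set-BPAResult -Exclude $false. Title pattern assumed.
Get-BPAResult $modelId |
    Where-Object { $_.Title -like '*at least two*domain controller*' } |
    Set-BPAResult -Exclude $true

# The BPA cmdlets only scan the computer they run on, so a remote DC is
# scanned by running the same commands there. WinRM must be enabled on
# SEA-DC-01 and the caller needs administrative rights on it.
$remoteErrors = Invoke-Command -ComputerName SEA-DC-01 -ScriptBlock {
    Import-Module BestPractices
    Invoke-BPAModel 'Microsoft/Windows/DirectoryServices' | Out-Null
    Get-BPAResult 'Microsoft/Windows/DirectoryServices' |
        Where-Object { $_.Severity -eq 'Error' } |
        Select-Object Title, Problem, Resolution
}
$remoteErrors | Format-List
```

    Excluding a result hides it from the report; it does not change the configuration the rule flagged, so record why each exclusion was accepted alongside the scan output.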
  • Slide Title: Offline Domain Join
    Keywords: Offline Domain Join, Windows Server 2008 R2
    Key Message: Offline domain join is a new process that joins computers running Windows 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS) without any network connectivity.
    Slide Builds: 2
    Slide Script: Offline domain join can be used to join computers to a domain without contacting a domain controller over the network. Computers join the domain during the initial startup after an operating system installation; no additional restart is necessary to complete the join. This helps reduce the time and effort required to complete a large-scale computer deployment in places such as data centers. For example, an organization might need to deploy many virtual machines within a data center. Offline domain join makes it possible for the virtual machines to join the domain when they first start after the operating system installation, which can significantly reduce the overall time required for wide-scale virtual machine deployments.
    Performing an offline domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory domain. This operation requires state changes in AD DS and state changes on the computer that is joining the domain. In the past, to complete a domain join with previous Windows operating systems, the computer that joined the domain had to be running, and it had to have network connectivity to contact a domain controller.
    [BUILD1] Offline domain join provides the following advantages over the previous requirements:
    The Active Directory state changes are completed without any network traffic to the computer.
    The computer state changes are completed without any network traffic to a domain controller.
    Each set of changes can be completed at a different time.
    [BUILD2] When running Djoin, be aware of the special considerations. Djoin only runs on computers that run Windows 7 or Windows Server 2008 R2: the computer on which you run Djoin to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2, and so must the computer that you want to join to the domain. To perform an offline domain join, you must have the user rights that are necessary to join workstations to the domain. By default, members of the Domain Admins group have these rights; if you are not a member of Domain Admins, you must be granted or delegated them. By default, the Djoin commands target a domain controller that runs Windows Server 2008 R2. However, you can specify the optional /downlevel parameter if you want to target a domain controller that is running a version of Windows Server earlier than Windows Server 2008 R2. Djoin is included in both Windows 7 and Windows Server 2008 R2, and it is available in both 32-bit and 64-bit versions. The base64-encoded text file that results from the provisioning command is architecture independent, so you can run Djoin on either a 32-bit or a 64-bit computer to provision computer account data in AD DS.
    Slide Transition: Let's examine the process of an offline domain join.
    Additional Information: http://technet.microsoft.com/en-us/library/dd391977.aspx and http://go.microsoft.com/fwlink/?LinkId=134704
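    The two halves of the offline join, provisioning on the domain side and applying the blob on the client, as an added example that is not part of the deck. It assumes the contoso.com domain and SEA-WRK-002 (the workstation that starts out unjoined) from the demonstration environment; the OU and the C:\odj path are hypothetical. The three sections run on different machines at different times, which is the point of the feature.

```powershell
# --- 1. Provision: on any domain-joined Windows 7 / Windows Server 2008 R2
#        machine, as a user allowed to create computer objects in the OU ---
$blob = 'C:\odj\SEA-WRK-002.txt'
djoin.exe /provision /domain contoso.com /machine SEA-WRK-002 `
    /machineou 'OU=Workstations,DC=contoso,DC=com' /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
# /reuse lets djoin overwrite an existing account of the same name;
# /downlevel is only needed when the DC being targeted is older than 2008 R2.

# The file is base64 text and architecture independent, but it contains the
# new machine account password. Handle it as a credential: move it out of
# band, keep it off shared drives, delete it once it has been consumed.
"{0} bytes of base64 written to {1}" -f (Get-Item $blob).Length, $blob

# --- 2. Join: on SEA-WRK-002, with no network path to a domain controller ---
# Applies the computer-side state; it takes effect at the next boot.
# Alternative for bare-metal builds: put the blob in unattend.xml under the
# Microsoft-Windows-UnattendedJoin component (OfflineDomainJoin/Provisioning/
# AccountData) so setup performs this step during the offlineServicing pass.
djoin.exe /requestODJ /loadfile C:\odj\SEA-WRK-002.txt /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
Remove-Item C:\odj\SEA-WRK-002.txt -Force
Restart-Computer

# --- 3. Verify: on SEA-WRK-002 once it can reach a DC, then on the DC ---
# The secure channel is only exercised on first contact with a DC; until the
# workstation has network access this check returns $false, which is expected.
Test-ComputerSecureChannel

Import-Module ActiveDirectory
Get-ADComputer SEA-WRK-002 -Properties whenCreated, lastLogonTimestamp |
    Select-Object Name, Enabled, DistinguishedName, whenCreated, lastLogonTimestamp
```

    Step 1 is the only one that talks to a domain controller and step 2 the only one that touches the client, matching the "each set of changes at a different time" advantage on the slide.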
  • Slide Title: Authentication Mechanism Assurance
    Keywords: Windows Server 2008 R2, Authentication Mechanism Assurance, Federated Services, Active Directory
    Key Message: Active Directory Domain Services in Windows Server 2008 R2 includes a new feature known as authentication mechanism assurance.
    Slide Builds: 3
    Slide Script: Authentication mechanism assurance allows administrators to secure resources (including applications) such that only users who logged on with a certificate-based mechanism are granted access. Because the group memberships it adds appear in the user's token, Active Directory Federation Services can use them to establish authentication policies for accounts that are authenticated in federated domains. This enables a variety of advanced authentication scenarios, such as smart cards. The feature is not enabled by default and requires a domain functional level of Windows Server 2008 R2, along with a certificate-based authentication infrastructure and additional configuration.
    Authentication mechanism assurance makes it possible to control access to network resources by recognizing certificate-based logons that used certificates issued under specific certificate issuance policies. Ultimately, it lets resource administrators secure resources by using group memberships that record that a user was authenticated with a certificate-based method, using a certificate issued under a particular certificate issuance policy.
    This feature is intended for organizations that use certificate-based authentication methods, such as smart card or token-based authentication systems. Organizations that do not use certificate-based authentication methods will not be able to use authentication mechanism assurance, even if they have Windows Server 2008 R2 domain controllers with the domain functional level set to Windows Server 2008 R2.
    [BUILD1] Consider a scenario with three certificate policies: Confidential, Secret, and Top Secret. Assume that these policies are mapped to three different security groups: Confidential Users is mapped to the Confidential certificate policy, Secret Users to the Secret certificate policy, and Top Secret Users to the Top Secret certificate policy.
    [BUILD2] Now consider three different types of smart card (they could all be the same model of card, categorized differently, for instance by color).
    [BUILD3] Each card receives a certificate issued from a certificate template that is associated with the specific certificate policy. The resource administrator can secure resources considered Confidential by granting access to the groups Confidential Users, Secret Users, and Top Secret Users. Resources considered Secret can be granted only to Secret Users and Top Secret Users. Resources considered Top Secret can be granted only to the Top Secret Users group. Users who log on with a username and password will not be able to access any of the resources described above. Authentication mechanism assurance therefore allows administrators to secure resources (including applications) such that only users who logged on with a certificate-based mechanism are granted access; further, whether the user can reach a specific resource also depends on the type of certificate (indicated by the certificate template and policy) that the user presented at logon.
    Slide Transition: If the organization uses certificate-based authentication, authentication mechanism assurance has further requirements prior to implementation.
    Additional Information: http://technet.microsoft.com/en-us/library/dd391847.aspx
  • Slide Title: Prerequisites for Authentication Assurance
    Keywords: Windows Server 2008 R2, Prerequisites, Authentication Mechanism Assurance
    Key Message: Knowing and setting up the prerequisites can make the move to authentication mechanism assurance smoother.
    Slide Builds: 3
    Slide Script: If you want to implement authentication mechanism assurance, the domain functional level has to be raised to Windows Server 2008 R2. [BUILD1] The organization must also have, or establish, a certificate-based authentication method. [BUILD2] Once the method is established, the certificates used for logon must be issued under a certificate issuance policy, because it is the certificate issuance policy OID that is linked to a universal security group. [BUILD3] Authentication mechanism assurance is available in the Standard, Enterprise, and Datacenter editions of Windows Server 2008 R2 (including the editions without Hyper-V). Windows Web Server 2008 R2 does not include Active Directory Domain Services (AD DS), so it cannot be used to enable or implement authentication mechanism assurance. However, any client or server operating system that can interpret Windows access tokens, including Windows Web Server 2008 R2, can be used to grant or deny access based on the group memberships that authentication mechanism assurance adds to a user's token.
    Slide Transition: Creating and managing accounts is a common concern for IT professionals. Windows Server 2008 R2 has two new kinds of managed service account.
    Additional Information: http://technet.microsoft.com/en-us/library/dd391847.aspx
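    The link between an issuance policy OID and a universal security group that the two slides above describe, as an added example that is not part of the deck. The issuance policies that AD CS publishes are msPKI-Enterprise-Oid objects under the OID container of the configuration partition, and the link is the msDS-OIDToGroupLink attribute on that object; the script checks the group constraints before writing it. It assumes the contoso.com forest at the Windows Server 2008 R2 domain functional level, a policy displayed as "Top Secret" already published by the enterprise CA, and the "Top Secret Users" group from the slide scenario, created beforehand as a universal security group.

```powershell
Import-Module ActiveDirectory

$policyName = 'Top Secret'        # display name of the issuance policy (slide scenario)
$groupName  = 'Top Secret Users'  # universal security group from the slide scenario

$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

# Find the issuance policy object. Its msPKI-Cert-Template-OID holds the OID
# that ends up in the logon certificate's Certificate Policies extension.
$policy = Get-ADObject -SearchBase $oidContainer `
    -Filter {objectClass -eq 'msPKI-Enterprise-Oid' -and displayName -eq $policyName} `
    -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink
if (-not $policy) { throw "Issuance policy '$policyName' not found under $oidContainer" }
if ($policy.'msDS-OIDToGroupLink') {
    Write-Warning "Policy is already linked to $($policy.'msDS-OIDToGroupLink'); overwriting"
}

# The linked group must be a universal security group and must have no
# members: membership is conferred by the certificate at logon, so a group
# that also has static members would defeat the assurance.
$group = Get-ADGroup -Identity $groupName -Properties member
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a universal security group (is $($group.GroupScope)/$($group.GroupCategory))"
}
if ($group.member.Count -gt 0) {
    throw "$groupName has $($group.member.Count) direct members; remove them before linking"
}

Set-ADObject -Identity $policy -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
"Linked policy OID {0} ({1}) to {2}" -f $policy.'msPKI-Cert-Template-OID', $policyName, $group.DistinguishedName

# Verification is done from a client: after a smart card logon with a
# certificate carrying this policy the group shows up in the token, and a
# password logon by the same user does not get it.
#   whoami /groups | findstr /i "Top Secret Users"
```

    Resources are then secured with ACEs for Top Secret Users exactly as for any other group; the difference is that nobody can be added to the group by hand, so the ACE really does mean "presented a certificate issued under this policy".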
  • Slide Title: Management of Service Accounts
    Keywords: Windows Server 2008 R2, Service Accounts, management
    Key Message: One of the security challenges for critical network applications, such as Exchange and Internet Information Services (IIS), is selecting the appropriate type of account for the application to use.
    Slide Builds: 3
    Slide Script: Windows Server 2008 R2 allows domain-based service accounts to have passwords that are managed by Active Directory. This new type of account removes the recurring administrative task of updating the passwords of the processes that run under these accounts. Internet Information Services (IIS) 7.5 supports managed service accounts as application pool identities.
    On a local computer, an administrator can configure an application to run as Local Service, Network Service, or Local System. These built-in accounts are simple to configure and use, but they are typically shared among multiple applications and services and cannot be managed at the domain level. If you configure the application to use a domain account, you can isolate the privileges of that application, but you then have to manage the password manually or build a custom solution for doing so. Many SQL Server and IIS deployments use this strategy to enhance security, at the cost of additional administration and complexity: service administrators spend a considerable amount of time on maintenance tasks such as managing service passwords and the service principal names (SPNs) that Kerberos authentication requires, and these tasks can disrupt the service.
    [BUILD1] Two new types of service account are available in Windows Server 2008 R2 and Windows 7. The first is the managed service account, designed to give crucial applications such as SQL Server and IIS the isolation of their own domain accounts while eliminating the need for an administrator to manually manage the SPN and credentials for those accounts.
    [BUILD2] The second type, the virtual account, is a "managed local account" in Windows Server 2008 R2 and Windows 7 that can use the computer's credentials to access network resources.
    [BUILD3] In addition to the enhanced security of having an individual account for each critical service, managed service accounts bring four administrative benefits:
    Administrators can create a class of domain accounts that can be used to manage and maintain services on local computers.
    Unlike regular domain accounts, whose passwords administrators must reset manually, the network passwords of these accounts are reset automatically.
    Unlike normal local computer and user accounts, the administrator does not have to complete complex SPN management tasks to use them.
    Administrative tasks for managed service accounts can be delegated to non-administrators.
    To use managed service accounts and virtual accounts, the computer on which the application or service is installed must be running Windows Server 2008 R2 or Windows 7. Windows Server 2008 R2 domains provide native support for both automatic password management and SPN management: if the domain controller is running Windows Server 2008 R2 and the schema has been upgraded to support managed service accounts, both are available.
    Slide Transition: Now that we have explored the Windows Server 2008 R2 Active Directory features that enhance identity management and simplify administration, let's summarize some key points.
    Additional Information: http://technet.microsoft.com/en-us/library/dd367859.aspx and the Windows Server 2008 R2 Reviewer's Guide
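    The life cycle of a managed service account, from creation in the domain to a service running under it, as an added example that is not part of the deck. It assumes the contoso.com domain and SEA-CS-01 from the demonstration environment as the application server; the account name svcApp and the service name AppSvc are hypothetical. The first section runs where the Active Directory module is available, the second on SEA-CS-01 itself.

```powershell
# --- On a Windows Server 2008 R2 DC (or any host with the AD module) ---
Import-Module ActiveDirectory

# No password is supplied: the directory generates one and rotates it on the
# same schedule as a computer account password. Registering the SPNs here
# means nobody has to run setspn later.
New-ADServiceAccount -Name svcApp `
    -Path 'CN=Managed Service Accounts,DC=contoso,DC=com' `
    -ServicePrincipalNames 'HTTP/sea-cs-01.contoso.com', 'HTTP/sea-cs-01' `
    -Enabled $true

# A 2008 R2 managed service account can be used by exactly one computer;
# this link is what lets that computer retrieve the password.
Add-ADComputerServiceAccount -Computer SEA-CS-01 -ServiceAccount svcApp

# --- On SEA-CS-01 (Windows Server 2008 R2, AD module from RSAT) ---
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity svcApp   # caches the password on this host
if (-not (Test-ADServiceAccount -Identity svcApp)) {
    throw 'svcApp is not usable on this host; check the computer link and DC connectivity'
}

# Point the service at CONTOSO\svcApp$ (note the trailing $) with an empty
# password; the SCM fetches the real one. Win32_Service.Change(DisplayName,
# PathName, ServiceType, ErrorControl, StartMode, DesktopInteract, StartName,
# StartPassword, ...) with $null for every value left unchanged.
$svc = Get-WmiObject Win32_Service -Filter "Name='AppSvc'"
if (-not $svc) { throw 'Service AppSvc is not installed on this host' }
$rc = $svc.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\svcApp$', '')
if ($rc.ReturnValue -ne 0) { throw "Service reconfiguration failed with code $($rc.ReturnValue)" }

# The account still needs the "Log on as a service" right on this host. The
# Services console grants it when the logon account is changed there; the WMI
# path does not, so grant it through Local Security Policy if the restart fails.
Restart-Service AppSvc
Get-WmiObject Win32_Service -Filter "Name='AppSvc'" | Select-Object Name, StartName, State
```

    The account never appears in Domain Admins or the local Administrators group: it holds only the rights the service needs on SEA-CS-01 and the SPNs registered at creation, which is the isolation the slide contrasts with the shared built-in accounts.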
  • Slide Title: TechNet Plus Direct Subscription
    Keywords: TechNet, Subscription, Plus, Direct, Benefits
    Key Message: TechNet Plus has some new benefits.
    Slide Builds: 0
    Slide Script: TechNet Plus is an essential premium web-enabled and live support resource that provides IT professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning. With convenient access to all these resources in one online location, TechNet Plus provides what you need to help you:
    Evaluate products and learn new skills
    Plan for and deploy new technologies
    Support and maintain your IT environment
    For evaluation and learning, you get access to all Microsoft full-version software for evaluation without time limits. This includes Microsoft server, client, and application software titles. With full-version software, you can make informed decisions about new technologies at your own pace. You also receive access to the latest betas before public release, so you can be the first to try out pre-release versions of Microsoft operating systems, servers and business applications. TechNet Plus also offers quarterly training resources, including select Microsoft E-Learning courses at no charge, so you can keep your skills current, prepare for a certification exam or get ready for a specific project.
    For planning and deployment, the TechNet Library includes resources to help you plan for and deploy new technologies in your IT environment, including a complete Knowledge Base, resource kits, utilities and technical training. You also get exclusive tools such as System Center Capacity Planner to plan for and deploy Exchange Server and System Center Operations Manager.
    For support and maintenance, TechNet Plus comes with two complimentary Professional Support incidents. You can talk to a Microsoft Support Professional to resolve your mission-critical technical issues quickly. TechNet Plus also provides access to over 100 managed newsgroups, where you can exchange ideas with other professionals and get expert answers to your technical questions within the next business day, guaranteed. You also get access to TechNet Library resources to help you support and maintain your IT environment, including security updates and service packs.
    TechNet Plus offers proven value that far exceeds its cost. The two complimentary Professional Support incidents alone more than offset the cost of a subscription. Add the evaluation and beta software and other technical resources, and TechNet Plus clearly boosts productivity. Every IT professional on the team needs one. For more information or to purchase a TechNet Plus subscription, visit technet.microsoft.com/subscriptions.
    Slide Transition: Thank you for attending this TechNet event; we hope that you enjoyed learning about the new Microsoft technologies.
    Additional Information: technet.microsoft.com/subscriptions

Transcript

  • 1. Active Directory Domain Services in Windows Server 2008 R2 Technical Overview
    Padman De Silva
    MBCS CITP, MCSE, MSTS, MCSA, CCNA, MVP (Exchange Server)
  • 2. Agenda
    Active Directory Overview
    Active Directory Management
    Managing Active Directory Deployments
    Identity and Access Management
  • 3. What’s New in Active Directory?
    Recycle Bin
    Module for Windows PowerShell™ and Windows PowerShell cmdlets
    Management Pack
    Administrative Center
    Manage Service Accounts
    AD Domain Services
    Best Practices Analyzer
    Offline Domain Join
    Web Services
    Authentication Assurance
  • 5. Solutions That Address IT Pro Challenges
    Windows Server 2008 R2
    Forest Functional Level
    New Windows PowerShell cmdlets
    Console Enhancements
    Deals with Accidental Object Deletion
    Deals with Mapping of Various Properties
    Deals with Pre-Provisioning of Computer Accounts
    Deals with Managed Service Accounts
    Task-Oriented
    Better Management
    Analyzers Expanded to All Core Windows Server 2008 R2 Roles
  • 8. Active Directory Administrative Center
    Customizable GUI
  • 10. Demonstration Environment
  • 11. Create an Organizational Unit
    Create a User
    Create a New Group and Add a User
    Demonstration: Creating Objects Using Active Directory Administrative Center
  • 12. Automating Administrative Activities with Windows PowerShell
    Active Directory Module in Windows Server 2008 R2
    A Windows PowerShell module
    Manage AD domains and Lightweight Directory Services (LDS) configuration sets
    AD Database Mounting Tool instance
    New Functionality
    Special Considerations
    Only installs on Windows Server 2008 R2
    At least one Windows Server 2008 R2 domain controller or LDS configuration set
    Windows 7 with Remote Server Administration Tools (RSAT)
    Active Directory module provider
    Active Directory module cmdlets
    Windows PowerShell Integrated Scripting Environment (ISE)
    Out-GridView cmdlet
    Performance counters
  • 14. Display Domain Information
    Create a New Organizational Unit
    Demonstration: Using the Active Directory Module in PowerShell
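    The demonstrations of slides 11 and 14 (domain information, OU, user, group) done with the Active Directory module rather than the Administrative Center, as an added example that is not part of the deck. It assumes the contoso.com domain from the demonstration environment and a host with the module installed; the OU, user and group names are hypothetical.

```powershell
Import-Module ActiveDirectory

# Domain and forest information from the DC the module connected to.
$domain = Get-ADDomain
$domain | Select-Object DNSRoot, DomainMode, PDCEmulator, DomainControllersContainer
(Get-ADForest).ForestMode

# Create an OU. New-ADOrganizationalUnit protects it from accidental deletion
# by default; the flag is set explicitly here because New-ADUser and
# New-ADGroup do not do the same, and it is the first line of defence before
# the Recycle Bin. -PassThru returns the object so its DN can be reused.
$ou = New-ADOrganizationalUnit -Name 'Sales' -Path $domain.DistinguishedName `
    -ProtectedFromAccidentalDeletion $true -PassThru

# Create a user. The initial password is read from a prompt rather than
# written into the script, and the user must change it at first logon.
$pw = Read-Host -Prompt 'Initial password for jsmith' -AsSecureString
$user = New-ADUser -Name 'Jane Smith' -GivenName 'Jane' -Surname 'Smith' `
    -SamAccountName jsmith -UserPrincipalName "jsmith@$($domain.DNSRoot)" `
    -Path $ou.DistinguishedName -AccountPassword $pw `
    -ChangePasswordAtLogon $true -Enabled $true -PassThru

# Create a global security group in the same OU and add the user.
$group = New-ADGroup -Name 'Sales Staff' -GroupScope Global -GroupCategory Security `
    -Path $ou.DistinguishedName -PassThru
Add-ADGroupMember -Identity $group -Members $user

# The query-building search of the Administrative Center, as a filter:
# enabled users in this OU who are members of the new group, shown in the
# Out-GridView window the slide mentions.
Get-ADUser -SearchBase $ou.DistinguishedName -Filter {Enabled -eq $true} -Properties memberOf |
    Where-Object { $_.memberOf -contains $group.DistinguishedName } |
    Select-Object Name, SamAccountName, DistinguishedName |
    Out-GridView -Title "Members of $($group.Name) in $($ou.Name)"
```

    Every cmdlet above accepts the object returned by the previous one, so a provisioning script built this way never has to rebuild a distinguished name from strings.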
  • 15. Active Directory Recycle Bin
    Reduces Downtime and Effort
    AD Objects Are Preserved
    Functional for AD DS and AD LDS
    Use LDP.exe or Windows PowerShell Cmdlets
    Setup Requirements
    Adprep must be used for Windows Server 2003 and Windows Server 2008 forest
    All domain controllers in your Active Directory forest are running Windows Server 2008 R2
    Raise the functional level of your Active Directory forest to Windows Server 2008 R2
    The process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
  • 17. Enable Active Directory Recycle Bin
    View Objects That Are in the Deleted Objects Container
    Restore Deleted Objects
    Demonstration: Working with the Active Directory Recycle Bin
  • 19. Best Practices Analyzer
    AD DS BPA scans verify:
    • DNS rules
    • Operations master connectivity rules
    • Operations master ownership rules
    • Number of controllers in the domain
    • Required services rules
    • Replication configuration rules
    • W32time configuration rules
    • Virtual machine configuration rules
    [Diagram: the BPA run time runs the AD DS BPA Windows PowerShell script to produce an XML document, validates the document against the schema, then applies the AD DS BPA rules set and guidance to produce the AD DS BPA report]
  • 35. Run AD DS BPA Scan
    Run BPA on a Remote Server
    Demonstration: Active Directory Domain Service Best Practices Analyzer Scans
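    Running the AD DS BPA scan locally and on a remote server, as an added Windows PowerShell example that is not part of the deck or its demonstration. It assumes the SEA-DC-01 domain controller from the demonstration environment with PowerShell remoting enabled and an elevated session; the BestPractices module, its cmdlets and the model ID Microsoft/Windows/DirectoryServices are the real ones that ship with Windows Server 2008 R2.

```powershell
# Added example (not from the deck): run the AD DS Best Practices Analyzer
# locally and on a remote DC, then summarise the non-compliant results.
# Assumes SEA-DC-01 from the demonstration environment and remoting enabled.
Import-Module BestPractices

# Get-BpaModel lists every installed model; this is the AD DS one.
$modelId = 'Microsoft/Windows/DirectoryServices'

# The scan is a script block so the same code runs locally (& $scan)
# and remotely (Invoke-Command).
$scan = {
    param([string]$ModelId)
    Import-Module BestPractices
    # Invoke-BpaModel evaluates the rule set; Get-BpaResult reads the report it saved.
    $null = Invoke-BpaModel $ModelId
    Get-BpaResult $ModelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object ComputerName, Severity, Category, Title, Problem, Impact, Resolution
}

# Local scan (run on the DC itself).
$localResults = & $scan $modelId

# Remote scan ("Run BPA on a remote server"): the report stays on the target,
# only the deserialised result objects come back over the remoting session.
$remoteResults = Invoke-Command -ComputerName SEA-DC-01 -ScriptBlock $scan -ArgumentList $modelId

# Overview, errors first, grouped by category (DNS, Replication, ...).
$localResults + $remoteResults |
    Sort-Object Severity, Category |
    Format-Table ComputerName, Severity, Category, Title -AutoSize

# A gate you can put in a scheduled job: fail when any Error-severity rule fired.
$bpaErrors = @($localResults + $remoteResults | Where-Object { $_.Severity -eq 'Error' })
if ($bpaErrors.Count -gt 0) {
    $bpaErrors | Format-List Title, Problem, Resolution
    throw "$($bpaErrors.Count) AD DS BPA error(s) found"
}
```

    Results a reviewer has deliberately excluded in Server Manager carry Excluded set to true, which is why the filter drops them; re-include them when auditing what was excluded and why.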
  • 36. Agenda
    Active Directory Overview
    Active Directory Management
    Managing Active Directory Deployments
    Identity and Access Management
  • 37. Offline Domain Join
    Djoin.exe
    Reduces time and effort for large-scale deployments
    Establishes trust between operating system and Active Directory Domain
    Advantages
    AD state changes are completed without network traffic to the computer
    Computer state changes are completed without any network traffic to a domain controller
    Each change can be completed at different times
    Special Considerations
    Run on Windows® 7 or Windows Server 2008 R2
    Must have user rights to join workstation to the domain
    By default, targets a domain controller running Windows Server 2008 R2
  • 39. Perform an Offline Domain Join
    Demonstration: Using Offline Domain Join
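    The two halves of an offline domain join with Djoin.exe (the AD-side change and the computer-side change, completed at different times, as the slide describes), as an added example that is not code from the deck or its demonstration. It assumes contoso.com, SEA-DC-01 and the workstation SEA-WRK-002 from the demonstration environment; the file path and the target OU are placeholders, and the djoin.exe switches used are the tool's real ones.

```powershell
# Added example (not from the deck): provisioning half and joining half of an
# offline domain join. Assumes contoso.com, SEA-DC-01 and SEA-WRK-002; the
# blob path and the OU are placeholders.

## Half 1: on a provisioning machine that CAN reach a domain controller.
## Needs the right to create computer objects in the target OU.
$blob = 'C:\odj\SEA-WRK-002.txt'
New-Item -ItemType Directory -Path (Split-Path $blob) -Force | Out-Null

# /provision creates the computer account now; the workstation need not exist yet.
# /dcname pins a specific Windows Server 2008 R2 DC (djoin picks an R2 DC by default).
djoin.exe /provision /domain contoso.com /machine SEA-WRK-002 `
    /machineou 'OU=Workstations,DC=contoso,DC=com' `
    /dcname SEA-DC-01.contoso.com /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The AD side of the join is finished; confirm the account exists.
Import-Module ActiveDirectory
Get-ADComputer -Identity SEA-WRK-002 -Properties whenCreated |
    Select-Object Name, DistinguishedName, Enabled, whenCreated

# The blob carries the computer account's secret: treat it like a password.
# Strip inherited ACEs, grant only the current user, move it out-of-band.
$acl = Get-Acl $blob
$acl.SetAccessRuleProtection($true, $false)
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -Path $blob -AclObject $acl

## Half 2: on SEA-WRK-002 itself, with NO connectivity to a DC required.
## Elevated prompt; $blob is the local path the file was copied to.
djoin.exe /requestodj /loadfile $blob /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }
Remove-Item $blob -Force      # nothing else needs the secret now
Restart-Computer              # the join takes effect at the next boot
```

    Because the blob alone is enough to bring a machine into the domain under that account, its lifetime and distribution (not the network reachability of a DC) is the part of this procedure to control.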
  • 40. Authentication Mechanism Assurance
    Features
    Network resource administrators can control access to resources
    Distinction in the access token of a user who logs on with certificate-based authentication and a user who logs on with a different method of authentication
    Special Considerations
    For organizations that use certificate-based authentication
  • 42. Prerequisites for Authentication Mechanism Assurance
    Available in the following editions:
    • Windows Server 2008 R2, with or without Hyper-V™
    • Standard, Enterprise, and Datacenter
    Increase the Domain Functional Level to Windows Server 2008 R2
    Establish a Certificate-Based Authentication Method
    The Certificates for Logon Must Be Distributed from a Certificate Issuance Policy
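    Checking the prerequisites above and linking a certificate issuance policy to a group, which is the configuration step that makes Authentication Mechanism Assurance put a distinguishing group SID into the access token of a certificate logon; this is an added Windows PowerShell example, not code from the deck. It assumes contoso.com, a universal security group named SmartCardAssured and an issuance policy with display name "High Assurance Logon" (both hypothetical). The object class msPKI-Enterprise-Oid and the attributes msPKI-Cert-Template-OID and msDS-OIDToGroupLink are the real schema names; the expectation that the linked group stays empty is the published guidance for this feature.

```powershell
# Added example (not from the deck): verify the prerequisites on the slide and
# link an issuance policy OID to a universal security group.
# Assumes contoso.com, group "SmartCardAssured" and policy "High Assurance Logon"
# (both hypothetical names).
Import-Module ActiveDirectory

# Prerequisite: domain functional level Windows Server 2008 R2.
$domain = Get-ADDomain
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    throw "Domain functional level is $($domain.DomainMode); Windows2008R2Domain is required"
}

# Issuance policies are msPKI-Enterprise-Oid objects in the configuration partition.
$configNc     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNc"
$policy = Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(displayName=High Assurance Logon))' `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
if (-not $policy) {
    throw 'Issuance policy not found; define it on the CA certificate template first'
}

# The linked group must be a universal security group. AMA injects its SID
# whenever the logon certificate carries the policy OID, so the group is
# expected to carry no statically assigned members.
$group = Get-ADGroup -Identity 'SmartCardAssured' -Properties members
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw 'Group must be a universal security group'
}
if ($group.members.Count -gt 0) {
    Write-Warning 'Group has static members; AMA groups are normally left empty'
}

# Create the link (one group per policy). Remove it with -Clear 'msDS-OIDToGroupLink'.
Set-ADObject -Identity $policy -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify, and show the OID that the logon certificates must contain.
Get-ADObject -Identity $policy -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    Select-Object displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
# On a client, after a smart-card logon "whoami /groups" lists SmartCardAssured;
# after a password logon it does not. Resource ACLs can key on that difference.
```

    Only certificates issued under a template that carries the linked issuance policy produce the group membership, so the certificate template configuration on the CA is as much part of the access decision as the ACL on the resource.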
  • 43. Management of Service Accounts
    Less Disruption of Service
    Reduce Recurrent Administrative Tasks
    Domain-Based Service Accounts Managed by AD
    Enhanced Security
    Administrative Benefits
    Create class domain accounts
    Accounts are now reset automatically
    SPN management tasks are not completed
    Can be delegated to non-administrators
    Diagram: Managed Service Account, Virtual Accounts, Local Accounts (service identities for SQL and IIS)
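    Creating a managed service account, binding it to a host, registering its SPNs and running a service under it, as an added Windows PowerShell example that is not code from the deck. It assumes contoso.com, the host SEA-CS-01 from the demonstration environment, an account name svc-web and a Windows service named ContosoWebApp (all hypothetical); the cmdlets are the real ones from the Windows Server 2008 R2 Active Directory module, where a managed service account is bound to a single computer.

```powershell
# Added example (not from the deck): lifecycle of a Windows Server 2008 R2
# managed service account. Assumes contoso.com, host SEA-CS-01, account
# "svc-web" and service "ContosoWebApp" (hypothetical).
Import-Module ActiveDirectory

$msa         = 'svc-web'
$hostName    = 'SEA-CS-01'
$serviceName = 'ContosoWebApp'

## On a domain member with the AD module, as a domain admin or a delegate
## with create rights on the Managed Service Accounts container.
New-ADServiceAccount -Name $msa -Enabled $true `
    -Description "Service identity for $serviceName on $hostName"

# Bind the account to the one host allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msa

# SPNs the account answers for; from here on the MSA, not an admin, owns them.
Set-ADServiceAccount -Identity $msa -ServicePrincipalNames @{
    Add = "HTTP/$hostName.contoso.com", "HTTP/$hostName"
}

## On SEA-CS-01 itself, elevated: pull the password into the local LSA.
## The host rotates it automatically afterwards; no human ever sees it.
Install-ADServiceAccount -Identity $msa
if (-not (Test-ADServiceAccount -Identity $msa)) {
    throw "Host cannot use $msa; check Add-ADComputerServiceAccount and DC connectivity"
}

# Point the service at it. Logon name is the sAMAccountName (trailing $),
# password is empty because the OS supplies it. WMI does not grant the
# "Log on as a service" right the way services.msc does, so grant it via
# policy for CONTOSO\svc-web$ before the first start.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, "CONTOSO\$msa`$", '')
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed: $($result.ReturnValue)" }
Restart-Service -Name $serviceName

# Evidence for the "accounts are reset automatically" point on the slide:
Get-ADServiceAccount -Identity $msa -Properties PasswordLastSet, ServicePrincipalNames |
    Select-Object Name, PasswordLastSet, ServicePrincipalNames
```

    Reading PasswordLastSet again after the rotation interval confirms that the host, not an administrator, is rotating the secret, which is the property that removes the recurring reset task from the administrators' list.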
  • 45. Session Summary
    Active Directory Domain Services improves management capabilities that automate Active Directory tasks
    The new Active Directory Administrative Console and Windows PowerShell module allow for flexible discovery and output
    Use and implement the new features of Windows Server 2008 R2 Domain Services
  • 46. Where to Find More Information?
    Visit TechNet at technet.microsoft.com
    Also check out TechNet Edge
    edge.technet.com
    Or just visit http://go.microsoft.com/?linkid=9662652
    for additional information on this session.
  • 47. For more titles, visit
    http://go.microsoft.com/?linkid=9662652
    Supporting Publications
  • 48. For more training information http://go.microsoft.com/?linkid=9662652
    Training Resources
  • 49. Become a Microsoft Certified Professional
    What are MCP certifications?
    Validation in performing critical IT functions.
    Why Certify?
    WW recognition of skills gained via experience.
    More effective deployments with reduced costs
    What Certifications are there for IT Pros?
    MCTS, MCITP.
    www.microsoft.com/certification
  • 50. Microsoft TechNet Plus
    TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.
    Evaluate & Learn
    Plan & Deploy
    Support & Maintain
    2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents)
    Access over 100 managed newsgroups and get a next-business-day response, guaranteed
    Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities
    Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training
    Use exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager
    Evaluate full versions of all Microsoft commercial software without time limits. This includes all client, server and Office applications.
    Try out all the latest betas before public release
    Keep your skills current with quarterly training resources including select Microsoft E-Learning courses
    Get all these resources and more with a TechNet Plus subscription.
    For more information visit: technet.microsoft.com/subscriptions
  • 51. Your potential. Our Passion