• Save
Mark Minasi   What’S New In Active Directory For Windows 7   Server 2008 R2
Upcoming SlideShare
Loading in...5

Mark Minasi What’S New In Active Directory For Windows 7 Server 2008 R2






Total Views
Views on SlideShare
Embed Views



2 Embeds 7

http://www.slideshare.net 6
http://localhost 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Get to see how a user object changes before and after deletion withget-adobject –filter {samaccountname –eq \"Joe\"} –includedeletedobject | flNote the changes in the GUID etc.
  • http://technet.microsoft.com/en-us/library/dd548356.aspx

Mark Minasi   What’S New In Active Directory For Windows 7   Server 2008 R2 Mark Minasi What’S New In Active Directory For Windows 7 Server 2008 R2 Presentation Transcript

  • What's New in Active Directory for Windows Server 2008 R2 Presented by Mark Minasi help@minasi.com forum, seminars at www.minasi.com copyright 2009 Mark Minasi 1
  • Topics • 70+ PowerShell cmdlets • Managed Service • AD Web Service Accounts • AD Recycle Bin • Best Practices Analyzer • New DFL/FFL • AD Admin Center • AD quot;optional featurequot; • Authentication architecture change Mechanism Assurance • Offline Domain Join 2
  • AD Gets PowerShell why? many separate tools to create/manipulate things • Over 70 cmdlets mean you can easily learn how to create quot;objectsquot; (single users, OUs, groups etc): example: • New-ADUser -SamAccountName Joe -Name quot;Joequot; -AccountPassword (ConvertTo- SecureString -AsPlainText quot;Pasw0rdquot; -Force) - Enabled $true -Path 'cn=users,DC=bigfirm,DC=com' 3
  • AD Gets PowerShell getting it • Easiest way is to use the PS shortcut in Administrative Tools to get a good PS prompt – the one on the Taskbar doesn't load that AD stuff • Or load Powershell 2.0 and type Import- Module ActiveDirectory • Also will ship with RSAT to run on Vista and Win 7 4
  • AD Gets PowerShell more details • Cmdlets to create, delete, filter and modify AD objects • None for working with subnets and sites, unfortunately, and setting AD permissions is dicey • Does not work via LDAP, RPC and the like protocols; instead, cmdlets send their requests to ADWS (quot;AD Web Servicequot;), a new interface 5
  • AD Gets PowerShell why? automation possibilities • PowerShell allows you to build more complex scripts on the order of complete applications • PS 2.0 lets you build scripts with GUI interfaces • PS 2.0 lets you control remote systems • PS is easier to learn than most command-line interfaces you've met because of its regularity in naming conventions 6
  • AD Gets PowerShell why? pipeline makes automation easy • Pipeline means you can stick commands together to (1) operate on many objects and (2) use filters to select which objects to operate upon • The idea is like this: • [list all user accounts]|[filter to keep only the disabled accounts] | [delete accounts] 7
  • AD Gets PowerShell how this will work (1) Active Directory AD Web Service quot;all users please!quot; The Pipeline get-aduser 8
  • AD Gets PowerShell how this will work (2) quot;Wherequot; command The Pipeline The Pipeline criterion: only disabled users! 9
  • AD Gets PowerShell how this will work (3) AD-Removeuser I'll explain this soon… but it's The Pipeline some good news! 10
  • AD Gets PowerShell Really? It's that easy? • Not exactly, and there are lots of ways to do this, but here's one generic (but longer than necessary) approach: • get-aduser -filter 'samaccountname -like quot;*quot;' | where {-not $_.enabled} |remove-aduser –whatif • Let's pick it apart: • (1) the get-aduser produces a list of all user accounts 11
  • AD Gets PowerShell step two: winnow out just the disabled user accts • (2) The quot;|quot; is the quot;pipelinequot; symbol; it means, quot;take the output of the command on the left and stuff it into the command on the rightquot; • The command on the right is quot;where,quot; and its job is to (a) take whatever you give it and (b) some criterion and produce a smaller set of output winnowed from the input based on that criterion… put simply, it's a filter, and this one only lets disabled accounts through • quot;$_quot; means quot;what's currently in the pipeline,quot; and so $_.enabled is the value of quot;enabledquot; (true or false) on whatever object's in the pipeline 12
  • AD Gets PowerShell (reference only): side note • I'm using the first two commands (get-aduser and where) to illustrate a generic approach to getting a big whack of data and filtering out most of it • In fact, though, quot;wherequot; isn't necessary, as get- aduser has its own built-in quot;-filterquot; option • I could have used that and saved a command, but many PS cmdlets do not have a –filter option, and so making you depend on a built-in –filter option seemed a bad idea – but if it's there, -filter is faster than piping to quot;where!quot; 13
  • AD Gets PowerShell step three: delete those user accounts (but not really) • (3) Again we've got a pipeline command, and the list of user names that made it through the quot;wherequot; filter are given to the last command, quot;remove-aduserquot; • As you'd guess, remove-aduser deletes accounts • I added quot;-whatifquot; because it says, quot;don't really do this; just show what would happen if you did;quot; it's great for testing 14
  • AD Gets PowerShell the point of all this • That example provided a blueprint for the many, many times you'll want to say, quot;take all of the users (or machines, OUs etc) in my domain that meet X criteria and do Y to them,quot; and what we've seen here will work for all of that • The only hard part now is in figuring out how to describe X (e.g. quot;{-not $_.enabled}quot;), and what command will do Y (e.g. quot;remove-aduserquot;) 15
  • AD Gets PowerShell a warning and more info • Again, quot;wherequot; is less efficient than quot;-filterquot; • Search quot;active directory module for windows powershell cookbookquot; for tons of examples on MSDN • Online help: – get-help <command> [-detailed] [-examples] • PS for AD is a time-saver… start learning it 16
  • AD Gets PowerShell the AD provider • set-location AD:quot;dc=bigfirm,dc=comquot; • Makes your command prompt show not your current folder on the file system, but instead a location on the AD; responds to CD like the file system: – sl AD:quot;dc=bigfirm,dc=comquot; – md quot;ou=testquot; – cd quot;ou=testquot; 17
  • AD Gets PowerShell more AD provider examples • cd .. (backs up one level) • rd quot;ou=testquot; • dir -filter objectclass=organizationalunit (list all child objects that are OUs) • dir cn=users –name (only shows names) • There are move, copy, erase etc commands 18
  • AD Web Service powershell's replacement for ldap • Recall my note that PowerShell doesn't communicate with AD via LDAP or ADSI, it uses something called the quot;AD Web Servicequot; • My first thought was, quot;Oh, no… another protocol to secure? More ports to worry about?quot; • When examined more closely, though, it seems to be a potentially good thing 19
  • AD Web Service why a web service? • Reason #1: Web services are here to stay • Lots of other programming platforms use a web services model and – the important part – there are lots of programming tools, which means we'll see more AD apps w/web services 20
  • AD Web Service why a web service? • Reason #2: it's a new protocol • On the WMI side, we're seeing RPC being slowly replaced by winrm, another Web services-based protocol – modern protocols tend to be more secure – standards-based – platform-independent 21
  • AD Web Service details • DC listens on TCP port 9389 • Every 2008 R2 DC runs ADWS • Needed for PowerShell and some other new AD items • This does not mean that you have to run IIS on your DC, nor need you offer access to port 80 (unless you need winrm, which is another story) 22
  • Powershell Goes GUI: AD's New Administrative Center 23
  • AD Admin Center (ADAC) • New GUI tool aiming at the same sorts of things that AD Users and Computers (ADUC) does • Actually all PowerShell 2.0 GUI application… under the hood, when you click a button, ADAC generates and executes PowerShell AD commands 24
  • AD Admin Center (ADAC) what you'll like • quot;Navigation Nodesquot; let you administer multiple forests, domains, OUs etc simultaneously • Global search lets you search multiple quot;nodesquot; simultaneously, and it does the search on the server • Local queries do client-side filtering and let you build a query with the GUI and get back the LDAP equivalent of the query 25
  • AD Admin Center (ADAC) what you'll like • ADUC's heavily tabbed interface replaced with a somewhat crisper (albeit a bit slower) interface 26
  • AD Admin Center (ADAC) what they didn't get to • ADAC's plan was to include quot;reflectivity,quot; a notion whereby when you click a button to get something done, it would show you what command-line Powershell command would do the same thing • It'd be sort of a launching pad for writing procedures, batch files and the like • Didn't make it in this one 27
  • AD Recycle Bin • We all make mistakes, and some of us have experienced the quot;oops!quot; feeling once we realize we've deleted an AD object • Authoritative restores and tombstone reanimation can bring back dead things, but they're cumbersome or require third-party tools • 2008 R2 brings an undelete ability for AD objects 28
  • 2008 R2 DFL/FFL, Optional Features • AD Recycle Bin requires that your forest be in 2008 R2 Forest Functional Level… • Yup, that's right, we've got a new DFL/FFL • AD Recycle Bin needs that… but it needs more as well • R2 inaugurates a new aspect of AD, quot;optional featuresquot; – the idea is that if you don't use a feature, why enlarge the schema for something you don't use? 29
  • Enabling AD Recycle Bin • AD Recycle Bin is optional, so turn it on… • Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=bigfirm,DC =com' -Scope Forest -Target 'bigfirm.com' • Change the colored stuff to match your forest's name; need only do the above command once • Note that as I write this (beta 1), the help is way off about single quotes – only use this:' not this:` 30
  • Enabling AD Recycle Bin Objects deleted before you enable this feature cannot be undeleted with the Recycle Bin, even if you were in 2008 R2 FFL! 31
  • AD Recycle Bin making it work • I knew this would be the most popular R2 AD feature, but I covered PowerShell first because, well, you can only get to it with PowerShell • The command to restore a deleted AD object is quot;restore-adobjectquot; • The problem is in specifying the LDAP distinguished name (DN) of the user 32
  • AD Recycle Bin making it work • Simple DN for a user quot;janequot; in a domain quot;bigfirm.com:quot;CN=Jane,CN=Users,DC=bigfirm, DC=comquot; • DN after jane's deleted: quot;CN=jane 0ADEL: ce076811-4a8b-49bb-b332-9695ed786ba6, CN=Deleted Objects, DC=bigfirm, DC=com • Now, we could undelete jane by giving restore- adobject that entire DN… but how to find it? • Answer: get-adobject 33
  • AD Recycle Bin making it work • Put them together: • get-adobject -filter {samaccountname -eq quot;janequot;} –includedeletedobject|restore- adobject • This will restore Jane; replacing –eq quot;Janequot; with –like quot;*quot; would undelete all deleted objects 34
  • AD Recycle Bin details • Objects can be recycled up to 180 days after they've been deleted; after that, they are quot;tombstonedquot; (and cannot be recycled) for 180 days, and then finally scavenged from AD • You can only undelete an object if its container is not deleted; for example, if I deleted an OU and its users, I'd have to undelete the OU before I could undelete its users 35
  • AD Recycle Bin details • There isn't a –recurse switch on Restore- ADObject; thus, if I deleted an OU that contained users and OUs, which contained users and OUs etc, then I'd have to hand- undelete the tree from the top down • Microsoft intends to write PowerShell script to solve this by RTM 36
  • Offline Domain Join • What it does: – Lets you join a member server or workstation even if the member is not connected to the network – You can do this either to a system that's up and running, or you can essentially quot;inject domain membershipquot; to a system that's not running but has been mounted, like a non-running VHD 37
  • Offline Domain Join • What it doesn't do – You can't join a quot;Syspreppedquot; (that is, a system that you've run sysprep on – the quot;newquot; phrase is quot;generalizedquot;) – system offline – Machine needs to be specialized and needs a name 38
  • Offline Domain Join • How it works, step one: – First, you run a command-line app quot;djoin /provisionquot; on a Win7-level DC/domain member – Creates a machine account (so clearly you need the right to do this) on the domain – Creates a bit of data written to a text file (it's binary data represented in base64, known as quot;the blobquot;) that you'll need to move to the machine to be joined to the domain 39
  • Offline Domain Join • How it works, step two: – Move the text file containing the blob to the prospective domain member (must be Win 7- level) – As local administrator, run djoin /requestODJ – System reads the blob, incorporates it into the SYSTEM/SECURITY hives in the Registry, and it is now a domain member 40
  • Offline Domain Join example • I'll join a system named quot;WSquot; to a domain named quot;bigfirm.comquot; • To start, I open an elevated command prompt at dc1.bigfirm.com, a bigfirm DC (again, needn't be at a DC) • type: • djoin /provision /domain bigfirm.com /machine ws /savefile c:wsblob.txt 41
  • Offline Domain Join looking at the example command • djoin /provision /domain bigfirm.com /machine ws /savefile c:wsblob.txt – /machine needs just the hostname/NetBIOS name, not an FQDN; had I typed quot;/machine ws.bigfirm.com,quot; AD would have created a machine account named quot;ws.bigfirm.com!quot; – /domain takes either bigfirm.com or bigfirm – physically transport wsblob.txt to WS 42
  • Installing the Blob: 3 Scenarios • Install it to WS while WS is up and running with the /localos option • Apply to WS offline by – booting the OS from some other OS – booting an • Build the blob into a WSIM script for Sysprep and then use that script to image a system and allow Sysprep to specialize that system 43
  • Offline Domain Join scenario one: apply to running system • Assume I've got wsblob.txt on a USB stick that I insert into WS and the stick is drive E: • From an elevated command prompt on WS: • djoin /requestODJ /loadfile e:wsblob.txt /windowspath c:windows /localos • Significant point: djoin /requestodj really wants to noodle with a set of Registry hives that are not locked, as they are on running systems; quot;/localosquot; warns djoin that it's modifying a running, locked Registry 44
  • Offline Domain Join scenario two: on an offline system • Mount the C: drive of a specialized VHD with machine name quot;WSquot; onto some system TECHPC as, say, c:mountwin • Assume WS's Windows folder is windows • Assume I've got wsblob.txt on a USB stick that I insert into TECHPC and the stick is drive E: • From an elevated command prompt on TECHPC: • djoin /requestODJ /loadfile e:wsblob.txt /windowspath c:mountwinwindows 45
  • Offline Domain Join scenario three: WSIM script • Using WAIK 2.0 and WSIM… need WSIM from WAIK 2 or later! • There's a location for offline domain join info in pass 4 • You insert the blob • Can be used for installing new systems, or as a Sysprep script 46
  • Offline Domain Join scenario three: using it • Create blob for a machine named quot;wsquot; • Use WSIM to create an XML answer file named quot;autounattend.xmlquot; that creates a machine named quot;wsquot; with the blob value in the WSIM answer file (more details in Newsletter #60) • Pop the autounattend.xml file on a USB stick, connect it to the new system, put the Win 7 DVD into the new system's drive, turn the system on and walk away… 48
  • Managed Service Accounts background: what problem does this solve? • Services must run under an account, and LocalSystem/LocalService/NetworkService can't always do the job • IIS, Exchange, SQL are some common examples • In that case, techies need to create accounts to act as service accounts • That works fine, except for the issue of passwords: they need regular changing or services stop working 49
  • Managed Service Accounts background: what problem does this solve? • Basically, it's a pain to manage passwords for the user accounts that we happen to use for services • Also, introducing new user accounts into services means having to develop expertise with setspn, a tool that basically informs Kerberos that account quot;Aquot; is now the quot;authentication pointquot; for network service quot;Bquot; • Additionally, you've got to be a domain admin to modify SPNs… MSAs let you delegate this to others 50
  • Managed Service Accounts answer: managed service accounts • New class of accounts • Sorta user accounts, sorta machine accounts (new icon) • You: – Create one on the domain – quot;Installquot; it on the member server – Configure the service so that it logs on as that account, and from there password updates etc are automatic • Need one account / member 51
  • Managed Service Accounts password details • 240-character passwords created • Ignore group policies about passwords and ignore fine-grained password policies • Automatically handle password changes every 30 days 52
  • Managed Service Accounts requirements/details • Requires at least one 2008 R2 DC (which means a 2008 R2 schema on the forest) • Requires AD Powershell (and therefore AD Web Service) to create accounts • Live in their own new folder (not an OU) called quot;Managed Service Accountsquot; 53
  • Managed Service Accounts create the domain on the domain • new-adserviceaccount -samaccountname svc1 • Finding info: • get-adserviceaccount -identity svc1, or • get-adserviceaccount -identity quot;cn=svc1, cn=managed service accounts, dc=bigfirm, dc=comquot; • Remove with remove-adserviceaccount • There's also a set-adserviceaccount to modify aspects of an existing AD service account 54
  • Managed Service Accounts quot;installquot; the account to a service on a member • More specifically, quot;servicequot; means either a svchost.exe, or an IIS application pool • On the member, ensure that you've got Powershell (RSAT will provide) and the AD Powershell AD module • Introduce the AD account to the member that the service runs on: • install-adserviceaccount -identity svc1 55
  • Managed Service Accounts attach the account to a service on a member • Verify that the account's attached to the given member with get-adserviceaccount; example: • quot;get-adserviceaccount –identity svc1quot; will, when run, show • HostComputers: {CN=s2,CN=Computers…quot; which is the DN of the member server that we just joined it to – before install- adserviceaccount, the line would be blank 56
  • Managed Service Accounts attach the account to a service on a member • Now that the account's been quot;installedquot; on the member, find the service in ther Services snap-in and change the account the service runs under just as we've been able to since NT 3.1 – go to Properties, choose the quot;Log onquot; tab, and fill in the account name like domainserviceaccountname$, and leave the password blank 57
  • Managed Service Accounts or user sc.exe • sc config svc obj= domainaccountname$ • Example: • sc config mysvc obj= bigfirmacct3 • REMEMBER to put a space after the equals sign! • Again, you can alternatively use IIS Admin to associate an MSA to an IIS application pool 58
  • Managed Service Accounts reviewing… • Punch in the account as domainusername • Put a $ at the end, as technically it's more of a machine account than a user account • Clear out the password field • And if you're experimenting, understand that this won't work on many built-in services; I demonstrate it on quot;SNMP Trap…quot; but I don't have any intention of using SNMP trap! 59
  • Managed Service Accounts SPN management • As mentioned, you can control who can administer SPNs rather than needing to be a domain admin • If you rename a machine account, the SPN gets fixed automatically • If you change a DNS host name, the SPN gets fixed automatically 60
  • Managed Service Accounts forcing a password reset • Reset-ADServiceAccountPassword [-Identity] <ADServiceAccount> • Probably never need it, but just in case! 61
  • Best Practices Analyzer • A sort of graphical dcdiag/netdiag, a set of quot;sanity checksquot; • Access from Server Manager: Roles / Active Directory Domain Services / in the right-hand pane, scroll down below Events and System Services • Click quot;Scan This Rolequot; 62
  • AD Best Practices Analyzer 63
  • AD Best Practices Analyzer • You can run this remotely now that Server Manager is remote-able • There are a fixed set of tests, can't be changed (although MS may change them now and then via Windows Update) • In my experience this can offer some quot;false positivequot; errors, so double-check before freaking out about a red circle with a white cross in it 64
  • Authentication Mechanism Assurance • New feature for users of the current quot;passivequot; ADFS or the upcoming quot;activequot; ADFS (quot;Genevaquot;) • ADFS simplifies maintaining authentication between secure Web-based applications from completely disconnected forests, like Microsoft's SharePoint talking to HP's SharePoint 65
  • Authentication Mechanism Assurance • When someone from (for example) HP signs onto a trusted (different meaning from AD) Microsoft site, information about them (e.g. group memberships) gets passed to the Microsoft server • What's new is now it's possible for the HP server to tell the Microsoft server how the user authenticated in the first place 66
  • Authentication Mechanism Assurance what good is that? • Different logon methods are stronger or weaker – e.g. smart cards are a fairly strong method • Only works with Kerberos, no NTLM • Shows up as a group membership • Really needs smart cards to be of any value 67
  • Thank You! • Please fill in an evaluation • Visit my site for free tech forum, newsletters etc; I'm at help@minasi.com • My two-day Windows Server 2008 seminar comes to Philadelphia next week and Chicago at the end of April • Info on all of it at www.minasi.com • Enjoy the rest of the show! 68