Installation and Administration of AD_MVP Padman

  • [BUILD2] Connect to one or several domains or domain controllers in the same Active Directory Administrative Center instance, and view or manage the directory information for those domains or domain controllers. You can also use filters by using query-building search.
    In addition to using it for these tasks, you can use the enhanced Active Directory Administrative Center GUI to customize Active Directory Administrative Center to your particular requirements for directory service administration. This can help improve your productivity and efficiency as you perform common Active Directory object management tasks.
    Slide Transition: Before we present our first demonstration, let’s look at the environment in which we’ll be working.
    Slide Comment: To send feedback on this slide, use the hyperlink on the feedback slide at the start and end of this deck.
    Additional Information: http://technet.microsoft.com/en-us/library/dd378856.aspx
  • Slide Title: Demonstration Environment
    Keywords: Demonstration Environment
    Key Message: Prior to starting the demonstration, let’s go over the environment that the demonstration will be running in.
    Slide Builds: 0
    Slide Script: The demonstrations in this session consist of an environment of four machines named SEA-DC-01, SEA-CS-01, SEA-WRK-001, and SEA-WRK-002. SEA-DC-01 is a Windows Server 2008 R2 machine with the Active Directory Domain Services role enabled. This machine will also serve as the DNS server for all of the demonstrations to follow. The name of the domain is Contoso.com.
    The workstations SEA-WRK-001 and SEA-WRK-002 will be used in the last demonstration; each workstation runs the Windows 7 operating system. SEA-WRK-002 will not initially be connected to the domain.
    Slide Transition: Now let’s view the actual demonstration of the Active Directory Administrative Center.
    Additional Information:
  • Slide Title: Active Directory Recycle Bin
    Keywords: AD Recycle Bin, Windows Server 2008 R2
    Key Message: Accidental deletion of Active Directory objects is a common occurrence for users of Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
    Slide Builds: 2
    Slide Script: In Windows Server 2008 Active Directory domains, AD objects could be recovered from accidental deletion from backups of AD DS that were taken by Windows Server Backup. The ntdsutil authoritative restore command could be used to mark objects as authoritative to ensure that the restored data was replicated throughout the domain. The drawback to the authoritative restore solution was that it had to be performed in Directory Services Restore Mode (DSRM). During DSRM, the domain controller being restored had to remain offline. Therefore, it was not able to service client requests.
    In Windows Server 2008 R2, after Active Directory Recycle Bin is enabled, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, both within and across domains. Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments. Windows Server 2008 R2 Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers.
  • When Active Directory objects are deleted, they are placed in the Deleted Objects container. By default, the CN=Deleted Objects container is not displayed. You can use the Ldp.exe administration tool in Active Directory Domain Services (AD DS) to display the Deleted Objects container. Ldp.exe is used to restore a single deleted Active Directory object; for multiple restores, Windows PowerShell scripts would be used.
    [BUILD1] By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, the AD DS requirements must be met, and the forest functional level of your AD DS or AD LDS environment must then be raised to Windows Server 2008 R2, which in turn requires all forest domain controllers, or all servers that host instances of AD LDS configuration sets, to be running Windows Server 2008 R2. If you perform a clean installation of a Windows Server 2008 R2 Active Directory forest, you do not need to run Adprep: your Active Directory schema will automatically contain all the attributes necessary for Active Directory Recycle Bin to function properly. If, however, you introduce a Windows Server 2008 R2 domain controller into your existing Windows Server 2003 or Windows Server 2008 forest and subsequently upgrade the rest of the domain controllers to Windows Server 2008 R2, you must run Adprep to update your Active Directory schema with the attributes that are necessary for Active Directory Recycle Bin to function correctly.
    [BUILD2] The process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
    Slide Transition: By using LDP.exe, let’s see how the AD Recycle Bin can restore objects.
    Additional Information: http://technet.microsoft.com/en-us/library/dd391916.aspx
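The notes describe the prerequisites, the irreversible enable step, the hidden Deleted Objects container and the use of Windows PowerShell for multiple restores. The following script is an added example, not part of the deck or of Microsoft's own documentation; it assumes the Windows Server 2008 R2 Active Directory module, the contoso.com forest of the demonstration environment, and a deleted OU named "Sales" (an assumed name). It restores the OU and everything deleted beneath it in parent-first order, which is the part a single Restore-ADObject call does not handle.

```powershell
# Added example: enable Active Directory Recycle Bin after checking the prerequisites,
# then restore a deleted OU together with its former children.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$forestName = $forest.RootDomain     # contoso.com in the demonstration environment

# 1. Prerequisites from the notes: every DC in the forest runs Windows Server 2008 R2
#    and the forest functional level is Windows Server 2008 R2 (ADForestMode value 4).
$allDCs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}
$downlevel = $allDCs | Where-Object { $_.OperatingSystem -notlike '*Server 2008 R2*' }
if ($downlevel) {
    throw "Domain controllers not on Windows Server 2008 R2: $($downlevel.HostName -join ', ')"
}
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 first"
}

# 2. Enable the feature once. Enabling is irreversible, so look at the scope before acting.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forestName -Confirm:$false
}

# 3. Enumerate deleted objects. The Deleted Objects container is hidden by default,
#    so -IncludeDeletedObjects is required; the container itself is filtered out.
function Get-DeletedADObjects {
    Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
        -IncludeDeletedObjects `
        -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged
}

# 4. Restore an object and, recursively, everything that was deleted beneath it.
#    A child can only be restored after its parent exists again, so parents go first.
#    A deleted child's lastKnownParent may name the parent either in its deleted form
#    ("OU=Sales\0ADEL:<guid>,CN=Deleted Objects,...") or by its original DN, so both are matched.
function Restore-DeletedSubtree {
    param(
        [Parameter(Mandatory=$true)]$DeletedObject,       # one item from Get-DeletedADObjects
        [Parameter(Mandatory=$true)][array]$AllDeleted
    )
    Restore-ADObject -Identity $DeletedObject.ObjectGUID
    $restoredDN = (Get-ADObject -Identity $DeletedObject.ObjectGUID).DistinguishedName
    $guid       = $DeletedObject.ObjectGUID.ToString()
    $children   = $AllDeleted | Where-Object {
        $_.lastKnownParent -like "*DEL:$guid,*" -or $_.lastKnownParent -eq $restoredDN
    }
    foreach ($child in $children) {
        Restore-DeletedSubtree -DeletedObject $child -AllDeleted $AllDeleted
    }
    Write-Output "Restored $restoredDN ($($DeletedObject.ObjectClass))"
}

# Usage: restore the most recently deleted OU named "Sales" (assumed name) and its contents.
$deleted = @(Get-DeletedADObjects)
$ou = $deleted |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.'msDS-LastKnownRDN' -eq 'Sales' } |
    Sort-Object whenChanged -Descending | Select-Object -First 1
if ($ou) { Restore-DeletedSubtree -DeletedObject $ou -AllDeleted $deleted }
```

Objects that were already recycled (past the deleted-object lifetime) are not returned by this filter and cannot be restored this way.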
  • Slide Title: Best Practices Analyzer
    Keywords: Best Practices Analyzer, Windows Server 2008 R2
    Key Message: Administrators can filter or exclude results from BPA reports that they don’t need to see.
    Slide Builds: 5
    Slide Script: In Windows management, best practices are guidelines that are considered the ideal way, under normal circumstances, to configure a server, as defined by experts. Best Practices Analyzer (BPA) is a server management tool that is available in Windows Server 2008 R2 for Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), DNS Server, and Terminal Services.
    [BUILD1] BPA is installed by default on all editions of Windows Server 2008 R2. There is no need to install additional tools or packages to use BPA. However, to run BPA scans of multiple roles at one time and to perform BPA tasks in the command-line environment, the computer on which you are running BPA must also be running Windows PowerShell. Server Manager in Windows Server 2008 R2 includes a BPA engine that can run the AD DS BPA service.
    [BUILD2] The AD DS BPA scan verifies the following AD DS configuration settings:
      • Domain Name System (DNS)-related rules, which verify DNS-related conditions
      • Operations master role connectivity and ownership rules
      • Number of controllers in the domain rule, which verifies that the domain has at least two functioning domain controllers
      • Required services-related rules
      • Replication configuration rules
      • Windows Time service (W32time) configuration rules
      • A virtual machine (VM) configuration rule, which verifies that the domain controller is running on Hyper-V and provides best practice guidelines for running AD DS in a VM environment
  • [BUILD3] As the AD DS BPA service scans and verifies, the BPA run time uses the AD DS BPA Windows PowerShell script to collect AD DS configuration data and stores it in an XML document. The BPA run time then validates the XML document against the XML schema. The schema defines the format of the XML document that the AD DS BPA Windows PowerShell script produces, following the logical structure of the directory.
    [BUILD4] The BPA run time then applies the AD DS BPA rules, which define the best-practice configuration for an AD DS environment, against the XML document.
    [BUILD5] From there, the AD DS BPA guidance, which is information that can help administrators adjust their AD DS environment to comply with the best-practice configuration, is used to produce the AD DS BPA report.
    While best practice violations, even critical ones, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.
    Slide Transition: The following demonstration shows an administrator how an AD DS BPA scan is performed.
    Additional Information: http://go.microsoft.com/fwlink/?LinkId=134007
    http://technet.microsoft.com/en-us/library/dd378893.aspx
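The BPA tasks the notes mention (running the scan from the command line, filtering results, excluding rules the administrator does not need to see, and running the scan on a remote server as in the demonstration) can be put together in one script. This is an added example rather than code from the deck; it assumes the Windows Server 2008 R2 BestPractices module, PowerShell remoting enabled on SEA-DC-01, and a C:\BPA folder for the saved report (an assumed path).

```powershell
# Added example: AD DS BPA scan locally and on a remote DC, with filtering and exclusions.
$model = 'Microsoft/Windows/DirectoryServices'   # model ID of the AD DS BPA

# Run the scan and return only Error/Warning results that are not already excluded.
# Kept as a script block so the same code can run locally or through Invoke-Command.
$scan = {
    param($modelId)
    Import-Module BestPractices
    Invoke-BpaModel $modelId | Out-Null
    Get-BpaResult $modelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object Severity, Category, Title, Problem, Resolution
}

function Invoke-AdDsBpaScan {
    param([string]$ComputerName)
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan -ArgumentList $model
    } else {
        & $scan $model
    }
}

# Exclude (or re-include) results whose title matches a pattern, for a rule the
# organization has consciously accepted. The result stays in the store, flagged Excluded,
# so the decision remains visible when the report is reviewed later.
function Set-AdDsBpaExclusion {
    param(
        [Parameter(Mandatory=$true)][string]$TitlePattern,
        [bool]$Exclude = $true
    )
    Import-Module BestPractices
    Get-BpaResult $model |
        Where-Object { $_.Title -like $TitlePattern } |
        Set-BpaResult -Exclude $Exclude
}

# Local scan to the console, then the same scan on SEA-DC-01 saved as a CSV report.
Invoke-AdDsBpaScan | Format-Table -AutoSize
New-Item -ItemType Directory -Path 'C:\BPA' -Force | Out-Null
Invoke-AdDsBpaScan -ComputerName 'SEA-DC-01' |
    Export-Csv -Path "C:\BPA\SEA-DC-01-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from an elevated PowerShell session; the BPA cmdlets require administrator rights on the scanned server.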
  • Slide Title: Offline Domain Join
    Keywords: Offline Domain Join, Windows Server 2008 R2
    Key Message: The Offline Domain Join feature is a new process that joins computers running Windows 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS) without any network connectivity.
    Slide Builds: 2
    Slide Script: Offline Domain joins can be used to join computers to a domain without contacting a domain controller over the network. Computers join the domain during the initial startup after an operating system installation. No additional restart is necessary to complete the domain join. This helps reduce the time and effort required to complete a large-scale computer deployment in places such as data centers. For example, an organization might need to deploy many virtual machines within a data center. Offline Domain joins make it possible for the virtual machines to be joined to the domain when they initially start following the operating system installation. This can significantly reduce the overall time required for wide-scale virtual machine deployments.
    Performing an Offline Domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory domain. This operation requires state changes to AD DS and state changes on the computer that is joining the domain. In the past, to complete a domain join using previous Windows operating systems, the computer that joined the domain had to be running, and it had to have network connectivity to contact a domain controller.
    [BUILD1] Offline Domain joins provide the following advantages over the previous requirements:
      • The Active Directory state changes are completed without any network traffic to the computer.
      • The computer state changes are completed without any network traffic to a domain controller.
      • Each set of changes can be completed at a different time.
  • [BUILD2] When running Djoin, be aware of the special considerations. Djoin only runs on computers that run Windows 7 or Windows Server 2008 R2: the computer on which you run Djoin to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2, and the computer that you want to join to the domain must also run Windows 7 or Windows Server 2008 R2. To perform an offline domain join, you must have the user rights that are necessary to join workstations to the domain. By default, members of the Domain Admins group have the user rights to join workstations to a domain. If you are not a member of the Domain Admins group, you must either be granted or delegated these user rights. By default, the Djoin commands target a domain controller that runs Windows Server 2008 R2. However, you can specify an optional /downlevel parameter if you want to target a domain controller that is running a version of Windows Server that is earlier than Windows Server 2008 R2.
    Djoin is included in both Windows 7 and Windows Server 2008 R2, and it is available in both 32-bit and 64-bit versions. However, the base64-encoded text file that results from the provisioning command is architecture independent. Therefore, you can run Djoin on either a 32-bit computer or a 64-bit computer to provision computer account data in AD DS.
    Slide Transition: Let’s examine the process of an Offline Domain join.
    Additional Information: http://technet.microsoft.com/en-us/library/dd391977.aspx
    http://go.microsoft.com/fwlink/?LinkId=134704
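The two halves of an offline domain join (the AD DS state change on the provisioning side and the computer state change on the workstation) map to two djoin commands. The script below is an added example, not from the deck; it assumes the contoso.com domain and the SEA-WRK-002 workstation of the demonstration environment, an OU named OU=Workstations,DC=contoso,DC=com and a C:\ODJ folder (both assumed), and an account with the right to join workstations to the domain. It also shows the caveat a practitioner needs: the provisioning blob holds the machine account's secret and must be protected and disposed of like a password.

```powershell
# Added example: provision SEA-WRK-002 for an offline domain join and protect the blob.
Import-Module ActiveDirectory

$domain   = 'contoso.com'
$computer = 'SEA-WRK-002'
$targetOU = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU, not from the deck
$blob     = "C:\ODJ\$computer.txt"
New-Item -ItemType Directory -Path (Split-Path $blob) -Force | Out-Null

# AD side: creates the computer account in AD DS and writes the base64-encoded blob.
# No traffic reaches the workstation. Add /downlevel to target a domain controller
# running a version earlier than Windows Server 2008 R2, as the notes describe.
& djoin.exe /provision /domain $domain /machine $computer /machineou $targetOU /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# Confirm that the directory half of the join is done.
$account = Get-ADComputer -Identity $computer -Properties whenCreated
Write-Output "Provisioned $($account.DistinguishedName) at $($account.whenCreated)"

# The blob contains the machine account's secret, so treat it as a credential:
# readable only by Administrators and SYSTEM, copied over a protected channel,
# and deleted from every location once the workstation has consumed it.
$acl = Get-Acl -Path $blob
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting the parent folder's ACEs
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $blob -AclObject $acl

# Computer side, run on SEA-WRK-002 itself (Windows 7) after the blob is copied there.
# No domain controller connectivity is needed; the join completes at the next startup:
#   djoin.exe /requestODJ /loadfile C:\ODJ\SEA-WRK-002.txt /windowspath %SystemRoot% /localos
```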
  • Slide Title: Authentication Mechanism Assurance
    Keywords: Windows Server 2008 R2, Authentication Mechanism Assurance, Federated Services, Active Directory
    Key Message: Active Directory Federated Services in Windows Server 2008 R2 includes a new feature known as authentication mechanism assurance.
    Slide Builds: 3
    Slide Script: Authentication mechanism assurance allows administrators to secure resources (including applications) such that only users who logged on with a certificate-based mechanism are granted access. This feature allows administrators to establish authentication policies for accounts that are authenticated in federated domains. This enables a variety of advanced authentication scenarios, such as smart cards. This feature is not enabled by default and requires a domain functional level of Windows Server 2008 R2, along with a certificate-based authentication infrastructure and additional configuration.
    Authentication mechanism assurance makes it possible for access to network resources to be controlled to recognize certificate-based logons using certificates that were issued by specific certificate issuance policies. Ultimately, authentication mechanism assurance makes it possible for resource administrators to secure resources by using group memberships that recognize that a user was authenticated with a certificate-based authentication method that used a certificate issued from a particular certificate issuance policy.
    This feature is intended for organizations that use certificate-based authentication methods, such as smart card or token-based authentication systems. Organizations that do not use certificate-based authentication methods will not be able to use authentication mechanism assurance, even if they have Windows Server 2008 R2 domain controllers with their domain functional level set to Windows Server 2008 R2.
  • [BUILD1] Let’s consider this scenario of three certificate policies: Confidential, Secret, and Top Secret. Now, assume that these policies are mapped to three different security groups: Confidential Users are mapped to a Confidential certificate policy, Secret Users are mapped to a Secret certificate policy, and Top Secret Users are mapped to a Top Secret certificate policy.
    [BUILD2] Now, consider there are three different types of smart cards (they could all be the same type of smart card). Imagine they are categorized differently (as in, they have different colors).
    [BUILD3] Each card receives a certificate issued from a certificate template that is associated with the specific certificate policy. The resource administrator has the ability to secure resources considered Confidential by granting access to the groups Confidential Users, Secret Users, and Top Secret Users. Resources considered Secret can be granted access to only the following groups: Secret Users and Top Secret Users. Resources considered Top Secret can be granted access to only the Top Secret Users group. Users who log on using a username and password will not be able to access any of the resources described above. Therefore, authentication mechanism assurance allows administrators to secure resources (including applications) such that only users who logged on with a certificate-based mechanism are granted access. Further, whether the user is able to gain access to specific resources also depends on the type of certificate (indicated by the certificate template and policy) that the user presents during logon.
    Slide Transition: If the organization uses certificate-based authentication, authentication mechanism assurance has further requirements prior to implementation.
    Additional Information: http://technet.microsoft.com/en-us/library/dd391847.aspx
  • Slide Title: Prerequisites for Authentication Assurance
    Keywords: Windows Server 2008 R2, Prerequisites, Authentication Mechanism Assurance
    Key Message: Being aware of and setting up the prerequisites can facilitate a smoother transition of management when using authentication mechanism assurance.
    Slide Builds: 3
    Slide Script: If you want to implement authentication mechanism assurance, the domain functional level has to be raised to Windows Server 2008 R2.
    [BUILD1] An organization must also have or establish a certificate-based authentication method.
    [BUILD2] Once the method is established, the certificates to be used for logon must be distributed from a certificate issuance policy, because it is the certificate issuance policy OID that is linked to a universal security group membership.
    [BUILD3] Authentication mechanism assurance is available in the Standard, Enterprise, and Datacenter editions of Windows Server 2008 R2 (including editions without Hyper-V). Windows Web Server 2008 R2 does not include Active Directory Domain Services (AD DS). Therefore, Windows Web Server 2008 R2 cannot be used to enable or implement authentication mechanism assurance. However, any client or server operating system that is able to interpret Windows access tokens, including Windows Web Server 2008 R2, can be used to grant or deny access based on the group membership or memberships that are added to a user’s token by authentication mechanism assurance.
    Slide Transition: Creating accounts and managing them is a common issue concerning IT professionals. Now Windows Server 2008 R2 has two new types of service accounts.
    Additional Information: http://technet.microsoft.com/en-us/library/dd391847.aspx
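The link between a certificate issuance policy OID and a universal security group, which [BUILD2] above identifies as the core of the configuration, is an attribute on the policy's OID object in the configuration partition. The script below is an added example, not from the deck or from Microsoft; it assumes the Windows Server 2008 R2 Active Directory module, the contoso.com forest, and the policy and group names of the Confidential/Secret/Top Secret scenario in the previous notes. It enforces the constraints on the linked group (universal, security-enabled, no explicit members) before writing the link, so that the only way into the group is a certificate-based logon under that policy.

```powershell
# Added example: link certificate issuance policies to universal security groups for
# authentication mechanism assurance.
Import-Module ActiveDirectory

function Set-IssuancePolicyGroupLink {
    param(
        [Parameter(Mandatory=$true)][string]$PolicyName,   # displayName of the issuance policy
        [Parameter(Mandatory=$true)][string]$GroupName     # universal security group to link
    )
    $configNC     = (Get-ADRootDSE).configurationNamingContext
    $oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

    # Issuance policies are msPKI-Enterprise-Oid objects with flags = 2 in the OID container.
    $policy = Get-ADObject -SearchBase $oidContainer `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(flags=2)(displayName=$PolicyName))" `
        -Properties 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
    if (-not $policy) { throw "Issuance policy '$PolicyName' was not found" }
    if (@($policy).Count -gt 1) { throw "More than one issuance policy is named '$PolicyName'" }

    # The linked group must be a universal security group with no explicit members:
    # membership is meant to be conferred only by the certificate-based logon.
    $group = Get-ADGroup -Identity $GroupName -Properties Members
    if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupName must be a universal security group"
    }
    if ($group.Members.Count -gt 0) {
        throw "$GroupName must not have explicit members before it is linked"
    }

    Set-ADObject -Identity $policy.DistinguishedName `
        -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

    New-Object PSObject -Property @{
        Policy = $PolicyName
        OID    = $policy.'msPKI-Cert-Template-OID'
        Group  = $group.DistinguishedName
    }
}

# Map the three policies of the scenario in the deck to their groups.
Set-IssuancePolicyGroupLink -PolicyName 'Confidential' -GroupName 'Confidential Users'
Set-IssuancePolicyGroupLink -PolicyName 'Secret'       -GroupName 'Secret Users'
Set-IssuancePolicyGroupLink -PolicyName 'Top Secret'   -GroupName 'Top Secret Users'
```

After a smart card logon with a certificate from one of these policies, `whoami /groups` on the client shows the linked group in the token; a password logon by the same user does not.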
  • Slide Title: Management of Service Accounts
    Keywords: Windows Server 2008 R2, Service Accounts, management
    Key Message: One of the security challenges for critical network applications, such as Exchange and Internet Information Services (IIS), is selecting the appropriate type of account for the application to use.
    Slide Builds: 3
    Slide Script: Windows Server 2008 R2 allows domain-based service accounts to have passwords that are managed by Active Directory. This new type of account reduces the recurrent administrative task of having to update passwords on processes running with these accounts. Internet Information Services (IIS) 7.5 supports the use of managed service accounts for application pool identities.
    On a local computer, an administrator can configure the application to run as Local Service, Network Service, or Local System. These service accounts are simple to configure and use, but they are typically shared among multiple applications and services and cannot be managed on a domain level. If you configure the application to use a domain account, you can isolate the privileges for the application, but you need to manually manage passwords or create a custom solution for managing these passwords. Many SQL Server and IIS applications use this strategy to enhance security, but they do so at a cost of additional administration and complexity. In these deployments, service administrators spend a considerable amount of time on maintenance tasks, such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.
    [BUILD1] Two new types of service accounts are available in Windows Server 2008 R2 and Windows 7. The first is called a managed service account. The managed service account is designed to provide crucial applications, such as SQL Server and IIS, with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts.
  • [BUILD2] The second type, virtual accounts, in Windows Server 2008 R2 and Windows 7 are "managed local accounts" that can use a computer's credentials to access network resources.
    [BUILD3] In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:
      • Managed service accounts allow administrators to create a class of domain accounts that can be used to manage and maintain services on local computers.
      • Unlike regular domain accounts, for which administrators must reset passwords manually, the network passwords for these accounts are reset automatically.
      • Unlike normal local computer and user accounts, the administrator does not have to complete complex SPN management tasks to use managed service accounts.
      • Administrative tasks for managed service accounts can be delegated to non-administrators.
    To use managed service accounts and virtual accounts, the client computer on which the application or service is installed must be running Windows Server 2008 R2 or Windows 7. Windows Server 2008 R2 domains provide native support for both automatic password management and SPN management. This means that if the domain controller is running Windows Server 2008 R2 and the schema has been upgraded to support managed service accounts, both automatic password and SPN management are available.
    Slide Transition: Now that we have explored Windows Server 2008 R2 Active Directory features that enhance identity management and simplify management, let’s summarize some key points.
    Additional Information: http://technet.microsoft.com/en-us/library/dd367859.aspx
    Windows 2008 R2 Reviewers Guide
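The notes describe managed service accounts as isolated domain accounts whose password and SPNs AD DS maintains, and name IIS 7.5 application pools as a consumer. The following is an added example, not from the deck; it assumes the Windows Server 2008 R2 Active Directory and WebAdministration modules, the contoso.com domain with SEA-CS-01 as the IIS host (from the demonstration environment), and an account name svc-webapp and pool name ContosoAppPool that are assumed. The first part runs where the AD module is available (for example SEA-DC-01), the second on SEA-CS-01 itself.

```powershell
# Added example: create a managed service account, bind it to one host, and use it as
# an IIS 7.5 application pool identity with no password to manage.
$domainNetbios = 'CONTOSO'
$msaName       = 'svc-webapp'     # assumed name
$hostName      = 'SEA-CS-01'
$poolName      = 'ContosoAppPool' # assumed name

# --- Part 1: run on a machine with the Active Directory module (e.g. SEA-DC-01) ---
Import-Module ActiveDirectory

# Register the SPNs on the account so Kerberos works for the site without manual
# setspn maintenance. On Windows Server 2012 or later, New-ADServiceAccount additionally
# needs -RestrictToSingleComputer to create this kind of (standalone) MSA.
New-ADServiceAccount -Name $msaName -Enabled $true `
    -ServicePrincipalNames "HTTP/$hostName.contoso.com", "HTTP/$hostName"

# Only this computer may retrieve and use the account: that is the isolation the notes describe.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- Part 2: run on SEA-CS-01 itself (Windows Server 2008 R2) ---
Import-Module ActiveDirectory
Import-Module WebAdministration

# Install the MSA locally and verify that this host can authenticate with it before
# touching IIS; a failure here usually means the host binding in Part 1 is missing.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "Managed service account $msaName is not usable on $env:COMPUTERNAME"
}

# Create the pool if needed and make the MSA its identity. MSA logon names end in '$',
# and the password is left empty because AD DS and the host negotiate it automatically.
$poolPath = "IIS:\AppPools\$poolName"
if (-not (Test-Path $poolPath)) { New-WebAppPool -Name $poolName | Out-Null }
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identityType = 3                                 # 3 = SpecificUser
    userName     = "$domainNetbios\$msaName`$"
    password     = ''
}
Restart-WebAppPool -Name $poolName
(Get-ItemProperty -Path $poolPath -Name processModel).userName
```

The last line returns the configured identity (CONTOSO\svc-webapp$ under these assumptions); the worker process for the pool should then appear in Task Manager running under that account.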
  • Slide Title: TechNet Plus Direct Subscription
    Keywords: Technet, Subscription, Plus, Direct, Benefits
    Key Message: TechNet Plus has some new benefits.
    Slide Builds: 0
    Slide Script: TechNet Plus is an essential premium web-enabled and live support resource that provides IT Professionals with fast and easy access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.
    With convenient access to all these resources in one online location, TechNet Plus provides what you need to help you:
      • Evaluate products & learn new skills
      • Plan for & deploy new technologies
      • Support & maintain your IT environment
    For evaluation and learning you get access to all Microsoft full-version software for evaluation without time limits. This includes Microsoft Server, Client, and Application software titles. With full-version software, you can make informed decisions about new technologies at your own pace. You also receive access to the latest betas before public release. Be the first to try out the latest pre-release versions of Microsoft operating systems, servers and business applications. TechNet Plus also offers quarterly training resources including select Microsoft E-Learning courses for free so you can keep your skills current, prepare for a certification exam or get ready for a specific project.
    For planning and deployment the TechNet Library includes resources to help you plan for and deploy new technologies in your IT environment including a complete Knowledge Base, resource kits, utilities and technical training. You also get exclusive tools like System Center Capacity Planner to accurately plan for and deploy Exchange Server and System Center Operations Manager.
    For support and maintenance TechNet Plus comes with two complimentary Professional Support incidents. You can talk to a Microsoft Support Professional to quickly resolve your mission-critical technical issues. TechNet Plus also provides access to over 100 Managed Newsgroups. You can exchange ideas with other professionals and get expert answers to your technical questions within the next business day — guaranteed. You also get access to TechNet Library resources to help you support and maintain your IT environment including security updates and service packs.
    TechNet Plus offers proven value that far exceeds its cost. The two complimentary Professional Support incidents alone more than offset the cost of a TechNet Plus subscription. Add to that the evaluation and beta software and other technical resources, and TechNet Plus clearly boosts productivity. Every IT Professional on the team needs one. For more information or to purchase a TechNet Plus subscription, please visit: technet.microsoft.com/subscriptions.
    Slide Transition: Thank you for attending this TechNet event and we hope that you enjoyed learning about the new Microsoft technologies.
    Additional Information: technet.microsoft.com/subscriptions

    1. Active Directory Domain Services in Windows Server 2008 R2 Technical Overview
       Padman De Silva
       MBCS CITP, MCSE, MSTS, MCSA, CCNA, MVP - Exchange Server
    2. Agenda
       • Active Directory Overview
       • Active Directory Management
       • Managing Active Directory Deployments
       • Identity and Access Management
    3. What’s New in Active Directory?
       • Recycle Bin
       • Module for Windows PowerShell™ and Windows PowerShell cmdlets
       • Management Pack
       • Administrative Center
       • Manage Service Accounts
       • AD Domain Services
       • Best Practices Analyzer
       • Offline Domain Join
       • Web Services
       • Authentication Assurance
    5. Solutions That Address IT Pro Challenges
       • Windows Server 2008 R2
       • Forest Functional Level
       • New Windows PowerShell cmdlets
       • Console Enhancements
       • Deals with Accidental Object Deletion
       • Deals with Mapping of Various Properties
       • Deals with Pre-Provisioning of Computer Accounts
       • Deals with Managed Service Accounts
       • Task-Oriented
       • Better Management
       • Analyzers Expanded to All Core Windows Server 2008 R2 Roles
    7. Agenda
       • Active Directory Overview
       • Active Directory Management
       • Managing Active Directory Deployments
       • Identity and Access Management
    8. Active Directory Administrative Center
       • Customizable GUI
    10. Demonstration Environment
    11. Demonstration: Creating Objects Using Active Directory Administrative Center
       • Create an Organizational Unit
       • Create a User
       • Create a New Group and Add a User
    12. Automating Administrative Activities with Windows PowerShell
       • Active Directory Module in Windows Server 2008 R2
         • A Windows PowerShell module
         • Manage AD domains and Lightweight Directory Services (LDS) configuration sets
         • AD Database Mounting Tool instance
       • New Functionality
         • Active Directory module provider
         • Active Directory module cmdlets
         • Windows PowerShell Integrated Scripting Environment (ISE)
         • Out-GridView cmdlet
         • Performance counters
       • Special Considerations
         • Only installs on Windows Server 2008 R2
         • At least one Windows Server 2008 R2 domain controller or LDS configuration set
         • Windows 7 and Remote Server Administration Tools (RSAT)
    14. Demonstration: Using the Active Directory Module in PowerShell
       • Display Domain Information
       • Create a New Organizational Unit
    15. Active Directory Recycle Bin
       • Reduces Downtime and Effort
       • AD Objects Are Preserved
       • Functional for AD DS and AD LDS
       • Use LDP.exe or Windows PowerShell Cmdlets
       • Setup Requirements
         • Adprep must be used for Windows Server 2003 and Windows Server 2008 forests
         • All domain controllers in your Active Directory forest are running Windows Server 2008 R2
         • Raise the functional level of your Active Directory forest to Windows Server 2008 R2
       • The process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
    17. Demonstration: Working with the Active Directory Recycle Bin
       • Enable Active Directory Recycle Bin
       • View Objects That Are in the Deleted Objects Container
       • Restore Deleted Objects
    18. Agenda
       • Active Directory Overview
       • Active Directory Management
       • Managing Active Directory Deployments
       • Identity and Access Management
    19. Best Practices Analyzer
       • AD DS BPA scans verify:
         • DNS rules
         • Operation master connectivity rules
         • Operation master ownership rules
         • Number of controllers in the domain
         • Required services rules
         • Replication configuration rules
         • W32time configuration rules
         • Virtual machine configuration rules
       [Diagram: BPA Run Time runs the AD DS BPA Windows PowerShell Script to produce a Document, validates it against the Schema, applies the AD DS BPA Rules Set and AD DS BPA Guidance, and produces the AD DS BPA Report]
Demonstration: Active Directory Domain Services Best Practices Analyzer scans
  Run an AD DS BPA scan
  Run BPA on a remote server
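Both demonstration steps (a local scan and a scan of a remote server) with the BestPractices module that ships with Windows Server 2008 R2. This is an added example, not the deck's own script; the remote domain controller name DC02 and the assumption that PowerShell remoting is enabled on it are mine. Because the module must run where the scanned role is installed, the remote variant runs the same cmdlets inside Invoke-Command.

```powershell
# Added example, not from the original deck. Assumed: a remote DC named DC02
# with PowerShell remoting enabled; run the local part elevated on a DC.
Import-Module BestPractices

# Model ID of the AD DS Best Practices Analyzer (Get-BpaModel lists all of them).
$model = 'Microsoft/Windows/DirectoryServices'

function Get-AdDsBpaFindings {
    param([string]$ModelId = 'Microsoft/Windows/DirectoryServices')
    # Invoke-BpaModel performs the scan and stores the results;
    # Get-BpaResult reads them back. Informational and excluded results are dropped.
    Invoke-BpaModel -ModelId $ModelId | Out-Null
    Get-BpaResult -ModelId $ModelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object Category, Severity, Title, Problem, Impact, Resolution
}

# Local scan.
Get-AdDsBpaFindings -ModelId $model | Format-List

# Remote scan: pass the model ID as an argument (PowerShell 2.0 has no $using:).
Invoke-Command -ComputerName DC02 -ArgumentList $model -ScriptBlock {
    param($ModelId)
    Import-Module BestPractices
    Invoke-BpaModel -ModelId $ModelId | Out-Null
    Get-BpaResult -ModelId $ModelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object Category, Severity, Title, Problem, Resolution
} | Format-List
```

Errors and warnings that are accepted risks can be hidden with Set-BpaResult -Exclude $true, but keep that list short: an excluded result is dropped from every later report, so an excluded replication or time-sync warning that later turns real will not resurface.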
Agenda
  Active Directory Overview
  Active Directory Management
  Managing Active Directory Deployments
  Identity and Access Management
Offline Domain Join
  Djoin.exe
    Reduces time and effort for large-scale deployments
    Establishes the trust relationship between a computer and the Active Directory domain without the computer contacting a domain controller
  Advantages
    Directory-side changes (the computer account) are completed without any network traffic to the computer
    Computer-side changes are completed without any network traffic to a domain controller
    The two changes can be completed at different times
  Special considerations
    Runs on Windows 7 or Windows Server 2008 R2
    The provisioning user must have the right to join workstations to the domain (create computer objects in the target OU)
    By default the provisioning step targets a domain controller running Windows Server 2008 R2; the /downlevel option is needed for an earlier domain controller
Demonstration: Using Offline Domain Join
  Perform an offline domain join
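The demonstration above as a script. This is an added example, not the deck's own demo; the domain contoso.com, the workstation name WKS-001, the OU OU=Workstations,DC=contoso,DC=com and the blob path C:\odj\WKS-001.txt are assumptions. The provisioning half runs on a domain-joined Windows 7 or Windows Server 2008 R2 machine as a user allowed to create computer objects in that OU; the second half runs on the target computer while it is offline.

```powershell
# Added example, not from the original deck. Assumed names: domain contoso.com,
# workstation WKS-001, OU=Workstations,DC=contoso,DC=com, blob at C:\odj\WKS-001.txt.

$domain   = 'contoso.com'
$machine  = 'WKS-001'
$ou       = 'OU=Workstations,DC=contoso,DC=com'
$blobPath = "C:\odj\$machine.txt"

New-Item -ItemType Directory -Path (Split-Path $blobPath) -Force | Out-Null

# --- Provisioning side (domain-joined machine) ---
# /provision creates the computer account and writes the join blob to /savefile.
# /reuse allows an existing computer account of the same name to be re-provisioned.
djoin.exe /provision /domain $domain /machine $machine /machineou $ou /savefile $blobPath /reuse
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob carries the machine account password in a form the target can use.
# Restrict it to the provisioning user and delete it once the join is done.
icacls $blobPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null

# Confirm the computer object exists before the blob is shipped to the target.
Import-Module ActiveDirectory
Get-ADComputer -Identity $machine -Properties whenCreated |
    Select-Object Name, DistinguishedName, Enabled, whenCreated

# --- Target side (run elevated on WKS-001, no domain connectivity needed) ---
# /requestODJ injects the blob into the offline Windows installation; the
# join completes at the next reboot. As a cmd/PowerShell line on the target:
#   djoin.exe /requestODJ /loadfile C:\odj\WKS-001.txt /windowspath %SystemRoot% /localos
```

Anyone who obtains the blob before it is consumed can join a machine to the domain under that computer account, so move it over a protected channel and treat it with the same care as a credential.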
Authentication Mechanism Assurance
  Features
    Network resource administrators can control access to resources based on how the user authenticated
    Adds a distinction in the access token between a user who logs on with certificate-based authentication and a user who logs on with a different method (the certificate logon adds an extra group membership to the token)
  Special considerations
    For organizations that use certificate-based authentication, such as smart card logon
Prerequisites for Authentication Mechanism Assurance
  Available in the following editions: Windows Server 2008 R2 Standard, Enterprise, and Datacenter, with or without Hyper-V
  Raise the domain functional level to Windows Server 2008 R2
  An established certificate-based authentication method
  The logon certificates must be issued under a certificate issuance policy; that policy's OID is what gets linked to a universal security group
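Once the prerequisites are met, the configuration step is to link the issuance policy object in the configuration partition to a universal security group. This is an added example, not from the deck; it assumes an issuance policy named "Smart Card Logon Assurance" already defined on the CA's logon certificate template, and an empty universal security group named SmartCardAssuredUsers (both names are assumptions).

```powershell
# Added example, not from the original deck. Assumed: issuance policy display
# name "Smart Card Logon Assurance", universal security group SmartCardAssuredUsers.
Import-Module ActiveDirectory

$config  = (Get-ADRootDSE).configurationNamingContext
$oidBase = "CN=OID,CN=Public Key Services,CN=Services,$config"

# Issuance policies are stored as msPKI-Enterprise-Oid objects under CN=OID.
$policy = Get-ADObject -SearchBase $oidBase `
    -Filter 'objectClass -eq "msPKI-Enterprise-Oid" -and displayName -eq "Smart Card Logon Assurance"' `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
if (-not $policy) { throw 'Issuance policy not found; define it on the CA template first.' }

# AD DS only accepts a universal security group with no members: membership is
# granted by the logon itself, never by adding users.
$group = Get-ADGroup -Identity 'SmartCardAssuredUsers'
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw 'Group must be a universal security group.'
}
if (Get-ADGroupMember -Identity $group) {
    throw 'Group must be empty.'
}

# Create (or replace) the link from the policy OID to the group.
Set-ADObject -Identity $policy.DistinguishedName `
    -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify the link and note the OID that the logon certificate must carry.
Get-ADObject -Identity $policy.DistinguishedName `
    -Properties 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
    Select-Object Name, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'

# On a client, after a smart card logon whose certificate carries that OID in its
# Certificate Policies extension, the group shows up in:   whoami /groups
# A password logon by the same user does not get it, which is the whole point.
```

Resource ACLs that reference SmartCardAssuredUsers therefore grant access only to sessions that authenticated with the certificate; any group you add to an ACL for this purpose must stay empty, or a password logon by an explicit member would defeat the assurance.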
Management of Service Accounts
  Less disruption of service
  Reduced recurring administrative tasks
  Domain-based service accounts managed by AD DS
  Enhanced security
  Administrative benefits
    A new class of domain account (msDS-ManagedServiceAccount) for services
    Account passwords are reset automatically, without an administrator or a service restart
    Simplified SPN management: at the Windows Server 2008 R2 domain functional level, SPNs are kept up to date automatically when the host's name changes
    Creation and use can be delegated to non-administrators
  [Figure: managed service accounts and virtual accounts alongside local accounts, used by services such as SQL Server and IIS]
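The managed service account lifecycle described above, from creation to binding a Windows service to it. This is an added example, not the deck's own demo; the account name svc-web, the host WEB01, the SPN HTTP/web01.contoso.com and the service name ContosoWeb are assumptions. The first function runs on a domain controller or an RSAT machine by whoever has been delegated the Managed Service Accounts container; the second runs elevated on the host.

```powershell
# Added example, not from the original deck. Assumed: MSA svc-web, host WEB01,
# domain CONTOSO / contoso.com, a Windows service named ContosoWeb on the host.
Import-Module ActiveDirectory

function New-ContosoMsa {
    # Runs on a DC or RSAT box by a user with create rights on
    # CN=Managed Service Accounts,<domain>, the default location.
    param(
        [string]$Name = 'svc-web',
        [string]$HostName = 'WEB01',
        [string]$Spn = 'HTTP/web01.contoso.com'
    )
    # 1. The account is an msDS-ManagedServiceAccount object; AD DS owns its password.
    New-ADServiceAccount -Name $Name -Enabled $true

    # 2. In 2008 R2 an MSA is usable by exactly one computer; record which one.
    Add-ADComputerServiceAccount -Computer $HostName -ServiceAccount $Name

    # 3. Register the SPN on the account rather than on the host's computer object,
    #    so Kerberos tickets for the service are encrypted with the MSA's key.
    Set-ADServiceAccount -Identity $Name -ServicePrincipalNames @{ Add = $Spn }

    Get-ADServiceAccount -Identity $Name -Properties ServicePrincipalNames, HostComputers |
        Select-Object Name, Enabled, ServicePrincipalNames, HostComputers
}

function Install-ContosoMsa {
    # Runs elevated on the host named in Add-ADComputerServiceAccount.
    param(
        [string]$Name = 'svc-web',
        [string]$ServiceName = 'ContosoWeb',
        [string]$NetbiosDomain = 'CONTOSO'
    )
    # 4. Install lets this host retrieve and cache the current password; AD DS
    #    rotates it on its own schedule (30 days by default) with no restart.
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "Host cannot use MSA $Name; check Add-ADComputerServiceAccount on the DC side."
    }
    # 5. Bind the service. MSA logon names end in $ and no password is supplied.
    & sc.exe config $ServiceName obj= "$NetbiosDomain\$Name`$" password= ''
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    Restart-Service -Name $ServiceName
}
```

Call New-ContosoMsa on the directory side first, then Install-ContosoMsa on the host; Install-ADServiceAccount fails until the host has been associated with the account. Since no human ever knows the password and it changes automatically, the usual service-account risks (shared, never-rotated passwords in documentation and scripts) go away, which is the "enhanced security" the slide refers to.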
Session Summary
  Active Directory Domain Services in Windows Server 2008 R2 improves management capabilities and automates common Active Directory tasks
  The new Active Directory Administrative Center and the Active Directory module for Windows PowerShell allow flexible discovery and output
  Use and implement the new features of Windows Server 2008 R2 Active Directory Domain Services
Where to Find More Information
  Visit TechNet at technet.microsoft.com
  Also check out TechNet Edge at edge.technet.com
  Or visit http://go.microsoft.com/?linkid=9662652 for additional information on this session.
Supporting Publications
  For more titles, visit http://go.microsoft.com/?linkid=9662652
Training Resources
  For more training information, visit http://go.microsoft.com/?linkid=9662652
Become a Microsoft Certified Professional
  What are MCP certifications?
    Validation of your ability to perform critical IT functions.
  Why certify?
    Worldwide recognition of skills gained through experience.
    More effective deployments at reduced cost.
  What certifications are there for IT Pros?
    MCTS, MCITP.
  www.microsoft.com/certification
Microsoft TechNet Plus
  TechNet Plus is a premium web-enabled and live support resource that gives IT professionals fast access to Microsoft experts, software and technical information, enhancing IT productivity, control and planning.
  Evaluate & Learn
    Evaluate full versions of all Microsoft commercial software without time limits, including all client, server and Office applications.
    Try out the latest betas before public release.
    Keep your skills current with quarterly training resources, including select Microsoft E-Learning courses.
  Plan & Deploy
    Use the TechNet Library to plan for deployment using the Knowledge Base, resource kits, and technical training.
    Use exclusive tools such as System Center Capacity Planner to plan for and deploy Exchange Server and System Center Operations Manager.
  Support & Maintain
    2 complimentary Professional Support incidents for use 24/7 (20% discount on additional incidents).
    Access over 100 managed newsgroups with guaranteed next-business-day response.
    Use the TechNet Library to maintain your IT environment with security updates, service packs and utilities.
  Get all these resources and more with a TechNet Plus subscription.
  For more information visit: technet.microsoft.com/subscriptions
Your potential. Our passion.
Feedback
  We appreciate hearing from you. To send your feedback, click the following link and type your comments in the message body.
  Note: The subject-line information is used to route your feedback. If you remove or modify the subject line we may be unable to process your feedback. Your feedback may be used to improve our products, technologies and services.
  Send feedback