SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?

Windows Server 2008 R2 is here, with new tools and utilities for the directory service IT pro to help you manage and maximise the potential of your Active Directory. What's going to be your favourite new feature? Maybe it's the Best Practice Analyser that will scan your infrastructure and point out both compliant and noncompliant aspects of your environment, together with suggestions for improvements. Do you want tools to simplify your day-to-day management of the AD? There's a new kid on the block, the Active Directory Administrative Center. Built on Windows PowerShell technology, it provides a rich GUI allowing you to perform common Active Directory tasks through both data-driven and task-driven navigation. Not a GUI fan? Then R2 brings you more than 85 PowerShell cmdlets to allow you to manage, diagnose, and automate AD tasks from the command line or PowerShell scripts. Maybe your favourite will be the Recycle Bin, allowing you to recover deleted objects while the directory is online, or the ability to perform an offline domain join, allowing you to streamline your deployments. There are more choices: come to this high-energy, fast-paced, demo-rich presentation and get all the details.

Slide 2: What's Windows Server 2008 R2 Going to Do for Your Active Directory?
John Craddock
Infrastructure & Security Architect
XTSeminars Ltd
Session Code: SIA319
Slide 3: Agenda
- AD module for Windows PowerShell
- AD Administrative Center
- AD Best Practice Analyser
- Managed Service Accounts
- Offline domain join
- Authentication mechanism assurance
- AD Recycle Bin
Slide 4: Windows PowerShell for AD
- PowerShell v2 includes an AD module
- Comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks
- Easy to compose and manage complex tasks
- PowerShell drives for AD
- Simple navigation in AD DS, AD LDS and AD snapshots
- Certain tasks can only be achieved through PowerShell
Slide 5: Example

Import-Module ActiveDirectory
New-ADUser -Name "Craddock John" -SamAccountName "jcraddock" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "Temp0Pwd0!" -Force) `
    -Enabled $true -ChangePasswordAtLogon $true `
    -GivenName "John" -Surname "Craddock" `
    -UserPrincipalName "jcraddock@example.com" `
    -Path "OU=Admins,OU=UK,DC=example,DC=com"
Slide 6: AD Web Services (ADWS)
- ADWS is automatically installed with AD DS and AD LDS
- Port 9389 must be open for remote administration
- Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008
- Does not support instances of the AD Mounting Tool
Diagram: PowerShell cmdlets talk WS-* to ADWS on port 9389; ADWS talks LDAP (389 / 3268) to AD / GC, to an AD LDS instance and to a mounted AD instance.
Slide 7: AD Administrative Center
- Built on PowerShell cmdlets
- Task-oriented model
- Simultaneously connect to other domains
- Progressive disclosure of data
- Powerful searching
Slide 8: Best Practice Analyser
- Compares current configuration on the DC to best practice recommendations
- Scan started via Server Manager or PowerShell
- Results through UI and PowerShell output
- Provides guidance, does not fix problems
- Result categories: Red Eye, Warning, Information
- Quarterly updates
Slide 9: Collecting and Analysing Data
Diagram: the AD DS BPA PowerShell script collects data into an XML results document, which is validated against an XML schema; at BPA run time the results are analysed against the AD DS BPA rule set to produce the AD DS BPA report and the AD DS BPA guidance.
Slide 10: Service Accounts
Diagram: a service configured with username SRV1 and a password, alongside the domain account SRV1 holding the same password; password changes must be updated on the service account as well.
- Using built-in accounts for services does not provide service isolation
- What's the alternative?
- Run the services using standard user accounts
- How many of you change service account passwords on a regular basis?
- Any problems?
Slide 11: Managed Service Accounts
Diagram (domain example.com, domain account name SVC1, host SERVER1):
1. Created in domain: New-ADServiceAccount svc1
2. On SERVER1: Install-ADServiceAccount svc1
3. Configure service: append $ to the account name (example\svc1$); username filled in, password left empty
4. Server automatically resets the password based on "Max machine account password age"; can reset the password with Reset-ADServiceAccountPassword svc1
- Accounts must be created and managed through Windows PowerShell
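The four numbered steps of this slide as one script. This is an added example, not code from the presentation; it assumes the domain example.com, the MSA svc1, the host SERVER1 and a Windows service called ExampleSvc1, and it uses Add-ADComputerServiceAccount (not on the slide) to tie the MSA to the single host allowed to install it.

```powershell
# Added example (not from the presentation): provisioning a 2008 R2 managed
# service account end to end. Assumed names: domain example.com, MSA svc1,
# host SERVER1, Windows service ExampleSvc1.
Import-Module ActiveDirectory

$msaName     = 'svc1'
$hostName    = 'SERVER1'
$serviceName = 'ExampleSvc1'

# Step 1 (domain admin, any Windows 7 / 2008 R2 box with the AD module):
# create the MSA; it lands in CN=Managed Service Accounts by default.
# An MSA cannot be shared across servers, so link it to exactly one host.
New-ADServiceAccount -Name $msaName -Enabled $true
Add-ADComputerServiceAccount -Computer $hostName -ServiceAccount $msaName

# Step 2 (local admin on SERVER1): install the MSA. The password is fetched
# from AD and cached by the host; no administrator ever handles it.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME"
}

# Step 3: point the service at the MSA. The logon name is the account name
# with a trailing '$' and the password is left empty, because the Service
# Control Manager obtains the real one from the local cache. This is the
# same change as: sc.exe config ExampleSvc1 obj= "EXAMPLE\svc1$" password= ""
$netbios = (Get-ADDomain).NetBIOSName
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, "$netbios\$msaName`$", '')
if ($result.ReturnValue -ne 0) {
    throw "Service reconfiguration failed (Win32_Service.Change code $($result.ReturnValue))"
}
Restart-Service -Name $serviceName

# Step 4: rotation is automatic on the machine account password age; the
# manual reset is there for incident response or a scheduled check.
Reset-ADServiceAccountPassword -Identity $msaName

# Confirm which identity the service now runs under.
Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartName, State
```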
Slide 12: Requirements & Caveats
- Service / application requiring a managed account must be running on Windows 7 or 2008 R2
- Requires the AD module for Windows PowerShell to be installed
- Forest and domain must be prepared for 2008 R2: adprep /forestprep & adprep /domainprep
- 2008 R2 domain functional level adds SPN management
- Managed accounts cannot be shared across multiple servers
Slide 13: Offline Domain Joins
- Allows a Windows 7 or Windows 2008 R2 machine to be joined to a domain while offline
- On start-up, the machine is already domain joined and there is no reboot requirement
- Speeds up deployment of VMs and scripted installs
- New section in unattended.xml supports offline domain joins
- Simplifies domain joins to RODCs
Slide 14: Djoin.exe

Djoin /provision /domain example.com /machine ms1 /savefile ms1.txt

- Creates the computer account object in the domain and saves the computer account metadata to the file
- The metadata is base-64 encoded; treat it as security sensitive

djoin /requestODJ /loadfile <ms1.txt> /windowspath <Windows directory>

- Adds the account metadata to the target Windows installation
- Online VHD or physical system: requires /localos and a reboot
- Offline VHD or physical system: no /localos; alternatively supplied through Unattended.xml
- Windows 7 or 2008 R2 required for both the computers running djoin and the computers being joined to the domain
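The provisioning side of this slide, batched for several machines and treating the saved blobs as the secrets the slide says they are. Added example, not from the presentation; it assumes the domain example.com, a target OU, machine names ms1 to ms3, and a Windows 7 / 2008 R2 workstation whose user may create computer objects.

```powershell
# Added example (not from the presentation): provision several machines for
# offline domain join and lock down the resulting blobs. Assumed: domain
# example.com, OU=Workstations, machines ms1..ms3, djoin.exe on a Windows 7 /
# 2008 R2 admin workstation run by a user allowed to create computer objects.
$domain   = 'example.com'
$ou       = 'OU=Workstations,DC=example,DC=com'
$machines = 'ms1', 'ms2', 'ms3'
$blobDir  = Join-Path $env:USERPROFILE 'odj-blobs'

New-Item -ItemType Directory -Path $blobDir -Force | Out-Null
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

foreach ($m in $machines) {
    $file = Join-Path $blobDir "$m.txt"

    # /provision creates the computer account in $ou and writes the base-64
    # computer account metadata to $file.
    & djoin.exe /provision /domain $domain /machine $m /machineou $ou /savefile $file
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed for $m (exit $LASTEXITCODE)" }

    # Whoever holds the blob can join a machine as $m, so drop inherited ACEs
    # and leave only the provisioning user with access to the file.
    $acl = Get-Acl -Path $file
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
}

# On the target, run as a local administrator. For a system that is already
# running (online VHD or physical machine) /localos applies the blob to the
# running OS and the join completes on the next reboot:
#   djoin.exe /requestODJ /loadfile C:\odj\ms1.txt /windowspath $env:SystemRoot /localos
# For an offline VHD, point /windowspath at the image's Windows folder and
# omit /localos:
#   djoin.exe /requestODJ /loadfile C:\odj\ms1.txt /windowspath D:\Windows
# Delete the blob once the join has succeeded; until then it is a credential.
```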
Slide 15: Authentication Mechanism Assurance
Diagram: normal authentication gives restricted access; strong authentication gives full access.
- Allows applications to control access to resources based on authentication strength
- For example, only allow access to a resource if the user has been authenticated using a smart card
- Requires Windows 2008 R2 domain functionality
Slide 16: Resource Access Control
- When a certificate-based logon method is used, an administrator-designated universal group is added to the user's Kerberos token
- This group is then used to control access to resources
- It is possible to add different groups based on the type of certificate used to log on
- Access to resources can consequently be based on the certificate type
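How the administrator-designated group on this slide is tied to a certificate type. Added example, not from the presentation: it assumes an issuance policy with display name SmartCardPolicy already defined in the forest OID container, a group AMA-SmartCard-Users that is ours to create, and that the link is stored in the msDS-OIDToGroupLink attribute of the policy's OID object.

```powershell
# Added example (not from the presentation): link a certificate issuance
# policy to the universal group that authentication mechanism assurance adds
# to the Kerberos token. Assumed: issuance policy "SmartCardPolicy" exists,
# group "AMA-SmartCard-Users" is ours to create, link attribute is
# msDS-OIDToGroupLink on the policy's msPKI-Enterprise-Oid object.
Import-Module ActiveDirectory

$policyName = 'SmartCardPolicy'
$groupName  = 'AMA-SmartCard-Users'

# The feature needs 2008 R2 domain functionality (see "Functional Levels").
$mode = (Get-ADDomain).DomainMode
if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain) {
    throw "Domain functional level is $mode; Windows 2008 R2 is required"
}

# The group must be universal, security-enabled and empty: it is placed in
# tokens by policy and must never be populated by hand.
$group = Get-ADGroup -Filter { Name -eq $groupName }
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -PassThru
}
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a universal security group"
}
if (Get-ADGroupMember -Identity $group) { throw "$groupName must have no members" }

# Issuance policies live as msPKI-Enterprise-Oid objects in the configuration
# partition; find ours by display name.
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$policy = Get-ADObject -SearchBase $oidContainer -Properties 'msDS-OIDToGroupLink' `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$policyName))"
if (-not $policy) { throw "Issuance policy '$policyName' not found under $oidContainer" }

# Write the link and read it back. From now on a logon with a certificate
# carrying this policy OID adds $groupName to the user's token, so resource
# ACLs can grant the smart-card-only level of access to that group alone.
Set-ADObject -Identity $policy -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
(Get-ADObject -Identity $policy.DistinguishedName -Properties 'msDS-OIDToGroupLink').'msDS-OIDToGroupLink'
```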
Slide 17: Recycle Bin for AD
- Requires 2008 R2 forest functionality
- PowerShell driven:
  Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'forest'
- Once enabled, cannot be disabled
- Finding and restoring:
  Get-ADObject -LDAPFilter {} -IncludeDeletedObjects
  Restore-ADObject -Identity <id>
- Parent object must be restored in advance of child object
- Restores all attributes, including linked attributes
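The parent-before-child rule from this slide, carried through for a whole deleted subtree. Added example, not from the presentation; it assumes the Recycle Bin is enabled, the 2008 R2 AD module is loaded, and an OU named Sales was deleted together with its contents.

```powershell
# Added example (not from the presentation): restore a deleted OU and all it
# contained, parent before child at every level of nesting. Assumed: Recycle
# Bin enabled, 2008 R2 AD module, and a deleted OU named "Sales".
Import-Module ActiveDirectory

$deletedObjectsDn = "CN=Deleted Objects,$((Get-ADDomain).DistinguishedName)"

function Get-DeletedChildren {
    # Children remember their container in lastKnownParent. After a subtree
    # delete that value is the parent's "\0ADEL:<guid>" DN, so match on the
    # parent's GUID as well as on its live DN.
    param([guid]$ParentGuid, [string]$ParentLiveDn)
    Get-ADObject -SearchBase $deletedObjectsDn -LDAPFilter '(isDeleted=TRUE)' `
        -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -like "*ADEL:$ParentGuid*" -or
                       $_.lastKnownParent -eq $ParentLiveDn }
}

function Restore-DeletedSubtree {
    param($Object, [string]$TargetPath)
    # The object itself goes first: a child cannot be restored into a
    # container that is still sitting in Deleted Objects.
    if ($TargetPath) { Restore-ADObject -Identity $Object.ObjectGUID -TargetPath $TargetPath }
    else             { Restore-ADObject -Identity $Object.ObjectGUID }
    $liveDn = (Get-ADObject -Identity $Object.ObjectGUID).DistinguishedName
    "Restored $($Object.ObjectClass): $liveDn"
    # Then its children, recursing because a child may be a container too.
    foreach ($child in Get-DeletedChildren -ParentGuid $Object.ObjectGUID -ParentLiveDn $liveDn) {
        Restore-DeletedSubtree -Object $child -TargetPath $liveDn
    }
}

# A deleted object's name is "<name>\0ADEL:<guid>"; pick the newest match so
# an older deletion of a same-named OU is not revived by mistake.
$ou = Get-ADObject -SearchBase $deletedObjectsDn -IncludeDeletedObjects -Properties whenChanged `
        -LDAPFilter '(&(objectClass=organizationalUnit)(isDeleted=TRUE))' |
      Where-Object { $_.Name -like "Sales`nDEL:*" } |
      Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $ou) { throw "No deleted OU named Sales under $deletedObjectsDn" }

Restore-DeletedSubtree -Object $ou
```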
Slide 18: No Recycle Bin
Diagram: live object -> delete -> tombstone object (majority of attributes deleted) -> tombstone lifetime (180 days) -> garbage collection -> purged from directory.
- Offline authoritative restore
- Re-animate API restores objects while online, but many attributes are missing
- Re-animation does not restore multi-valued linked attributes such as group membership
Slide 19: Recycle Bin Enabled
Diagram: live object -> delete -> deleted object (all attributes retained; online undelete possible) -> deleted object lifetime (180 days) -> recycled object -> tombstone lifetime (180 days) -> garbage collection -> purged from directory.
- All attributes restored on undelete
Slide 20: Other Thoughts
- Backups are valid for at most the smaller of the DOL and the TSL
- Best practice recommendation: DOL = TSL
- Anticipated database growth 5-10%
- On deletion, regulatory compliance may not allow retention of a full copy of the deleted object
- Permanently delete with:
  Get-ADObject -LDAPFilter {} -IncludeDeletedObjects | Remove-ADObject
Slide 21: Want to Know More?
Come to my session SIA402: Online Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
Friday 13/11/2009, 13:00-14:15, Budapest - Hall 7-2b
Slide 22: The Path to Windows Server 2008 R2
- Prep forest and domain for Windows 2008 R2
- Windows 7 clients can be provisioned with offline domain joins against existing 2003/2008 infrastructure
- Install the Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers
- Use AD PowerShell and ADAC running on Windows 7
- Upgraded servers can use Managed Service Accounts
Slide 23: Functional Levels
- Switches to R2 domain and forest functionality are reversible; use PowerShell to reverse
- Cannot be reversed once the Recycle Bin is enabled
- 2008 R2 domain functionality is required for: Authentication Mechanism Assurance; SPN management for Managed Service Accounts
- 2008 R2 forest functionality allows the Recycle Bin to be enabled
Slide 24: What's your Favourite?
- AD module for Windows PowerShell
- AD Administrative Center
- AD Best Practice Analyser
- Managed Service Accounts
- Offline domain join
- Authentication mechanism assurance
- AD Recycle Bin
Slide 25: Resources
TechEd 2009 is not producing a DVD; session recordings are available at TechEd Online.
- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
Slide 26: Related Content
Breakout Sessions:
- SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
- SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell V2
Interactive Theater Sessions:
- SIA02-IS Active Directory: What's New in R2
Hands-on Labs:
- WSV03-HOL Advanced Windows PowerShell Scripting
- WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory
Slide 27: My Sessions at TechEd
Breakout Sessions:
- SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
- SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
- SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
- SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
Interactive Theater Sessions:
- SVR08-IS End-to-End Remote Connectivity with DirectAccess