
Mark Minasi: What's New in Active Directory for Windows 7 / Server 2008 R2



  1. What's New in Active Directory for Windows Server 2008 R2. Presented by Mark Minasi; forum, seminars at. Copyright 2009 Mark Minasi
  2. Topics • 70+ PowerShell cmdlets • AD Web Service • AD Recycle Bin • New DFL/FFL • AD "optional feature" architecture change • Offline Domain Join • Managed Service Accounts • Best Practices Analyzer • AD Admin Center • Authentication Mechanism Assurance
  3. AD Gets PowerShell: why? Many separate tools to create/manipulate things • Over 70 cmdlets mean you can easily learn how to create "objects" (single users, OUs, groups etc); example: • New-ADUser -SamAccountName Joe -Name "Joe" -AccountPassword (ConvertTo-SecureString -AsPlainText "Pasw0rd" -Force) -Enabled $true -Path 'cn=users,DC=bigfirm,DC=com'
  4. AD Gets PowerShell: getting it • Easiest way is to use the PS shortcut in Administrative Tools to get a good PS prompt; the one on the Taskbar doesn't load the AD module • Or load PowerShell 2.0 and type Import-Module ActiveDirectory • Will also ship with RSAT to run on Vista and Win 7
  5. AD Gets PowerShell: more details • Cmdlets to create, delete, filter and modify AD objects • None for working with subnets and sites, unfortunately, and setting AD permissions is dicey • Does not work via LDAP, RPC and similar protocols; instead, cmdlets send their requests to ADWS ("AD Web Service"), a new interface
  6. AD Gets PowerShell: why? Automation possibilities • PowerShell allows you to build more complex scripts, on the order of complete applications • PS 2.0 lets you build scripts with GUI interfaces • PS 2.0 lets you control remote systems • PS is easier to learn than most command-line interfaces you've met because of its regularity in naming conventions
  7. AD Gets PowerShell: why? The pipeline makes automation easy • Pipeline means you can stick commands together to (1) operate on many objects and (2) use filters to select which objects to operate upon • The idea is like this: • [list all user accounts] | [filter to keep only the disabled accounts] | [delete accounts]
  8. AD Gets PowerShell: how this will work (1) [diagram: get-aduser asks the AD Web Service for "all users please!", and Active Directory's answer goes into the pipeline]
  9. AD Gets PowerShell: how this will work (2) [diagram: the "where" command reads the pipeline, applies the criterion "only disabled users!", and passes the survivors down the pipeline]
  10. AD Gets PowerShell: how this will work (3) [diagram: remove-aduser consumes the pipeline; "I'll explain this soon… but it's some good news!"]
  11. AD Gets PowerShell: really? It's that easy? • Not exactly, and there are lots of ways to do this, but here's one generic (but longer than necessary) approach: • get-aduser -filter 'samaccountname -like "*"' | where {-not $_.enabled} | remove-aduser -whatif • Let's pick it apart: • (1) the get-aduser produces a list of all user accounts
  12. AD Gets PowerShell: step two, winnow out just the disabled user accounts • (2) The "|" is the "pipeline" symbol; it means "take the output of the command on the left and stuff it into the command on the right" • The command on the right is "where," and its job is to take (a) whatever you give it and (b) some criterion, and produce a smaller set of output winnowed from the input based on that criterion… put simply, it's a filter, and this one only lets disabled accounts through • "$_" means "what's currently in the pipeline," and so $_.enabled is the value of "enabled" (true or false) on whatever object's in the pipeline
  13. AD Gets PowerShell (reference only): side note • I'm using the first two commands (get-aduser and where) to illustrate a generic approach to getting a big whack of data and filtering out most of it • In fact, though, "where" isn't necessary, as get-aduser has its own built-in "-filter" option • I could have used that and saved a command, but many PS cmdlets do not have a -filter option, and so making you depend on a built-in -filter option seemed a bad idea; but if it's there, -filter is faster than piping to "where"!
  14. AD Gets PowerShell: step three, delete those user accounts (but not really) • (3) Again we've got a pipeline command, and the list of user names that made it through the "where" filter is given to the last command, "remove-aduser" • As you'd guess, remove-aduser deletes accounts • I added "-whatif" because it says "don't really do this; just show what would happen if you did"; it's great for testing
  15. AD Gets PowerShell: the point of all this • That example provided a blueprint for the many, many times you'll want to say "take all of the users (or machines, OUs etc) in my domain that meet X criteria and do Y to them," and what we've seen here will work for all of that • The only hard part now is in figuring out how to describe X (e.g. "{-not $_.enabled}"), and what command will do Y (e.g. "remove-aduser")
  16. AD Gets PowerShell: a warning and more info • Again, "where" is less efficient than "-filter" • Search "active directory module for windows powershell cookbook" for tons of examples on MSDN • Online help: get-help <command> [-detailed] [-examples] • PS for AD is a time-saver… start learning it
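The "take every object matching X and do Y" blueprint from the slides, written the way I'd actually run it: server-side -filter where it exists, a CSV of what will be touched, a move to a holding OU instead of an immediate delete, and -WhatIf for the dry run. This is an added example, not code from the deck; it assumes the 2008 R2 AD module and a holding OU ou=Retired,dc=bigfirm,dc=com (my assumption).

```powershell
# Added example (not from the slides). Assumes the 2008 R2 ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-RetiredUserCandidate {
    # X: disabled accounts with no logon in $InactiveDays. The Enabled test runs on the DC via
    # -Filter (the slide's point about -filter beating "where"); the date test stays client-side
    # because LastLogonDate is a computed property. It comes from the replicated
    # lastLogonTimestamp, which can lag the true last logon by up to about 14 days.
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -Filter 'Enabled -eq $false' -Properties LastLogonDate |
        Where-Object { $_.LastLogonDate -eq $null -or $_.LastLogonDate -lt $cutoff }
}

function Invoke-RetireUser {
    # Y: write down the candidates, then move them to a holding OU. Deleting is a separate,
    # later decision once the CSV has been reviewed (and the Recycle Bin covers mistakes).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TargetOu = 'ou=Retired,dc=bigfirm,dc=com',   # assumption: create this OU first
        [string]$ReportPath = "$env:TEMP\retired-users.csv",
        [int]$InactiveDays = 90
    )
    $users = @(Get-RetiredUserCandidate -InactiveDays $InactiveDays)
    $users | Select-Object SamAccountName, DistinguishedName, LastLogonDate |
        Export-Csv -Path $ReportPath -NoTypeInformation
    foreach ($u in $users) {
        # ShouldProcess honours -WhatIf / -Confirm exactly like remove-aduser -whatif on the slide
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Move to $TargetOu")) {
            Move-ADObject -Identity $u.DistinguishedName -TargetPath $TargetOu
        }
    }
    return $users.Count    # number of accounts reported (and moved, unless -WhatIf)
}

# Dry run first; drop -WhatIf once the CSV in $env:TEMP looks right
Invoke-RetireUser -WhatIf
```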
  17. AD Gets PowerShell: the AD provider • set-location AD:"dc=bigfirm,dc=com" • Makes your command prompt show not your current folder on the file system, but instead a location in AD; responds to CD like the file system: • sl AD:"dc=bigfirm,dc=com" • md "ou=test" • cd "ou=test"
  18. AD Gets PowerShell: more AD provider examples • cd .. (backs up one level) • rd "ou=test" • dir -filter objectclass=organizationalunit (list all child objects that are OUs) • dir cn=users -name (only shows names) • There are move, copy, erase etc commands
  19. AD Web Service: PowerShell's replacement for LDAP • Recall my note that PowerShell doesn't communicate with AD via LDAP or ADSI; it uses something called the "AD Web Service" • My first thought was, "Oh, no… another protocol to secure? More ports to worry about?" • When examined more closely, though, it seems to be a potentially good thing
  20. AD Web Service: why a web service? • Reason #1: Web services are here to stay • Lots of other programming platforms use a web services model and (the important part) there are lots of programming tools, which means we'll see more AD apps with web services
  21. AD Web Service: why a web service? • Reason #2: it's a new protocol • On the WMI side, we're seeing RPC being slowly replaced by WinRM, another web services-based protocol; modern protocols tend to be more secure, standards-based and platform-independent
  22. AD Web Service: details • DC listens on TCP port 9389 • Every 2008 R2 DC runs ADWS • Needed for PowerShell and some other new AD items • This does not mean that you have to run IIS on your DC, nor need you offer access to port 80 (unless you need WinRM, which is another story)
  23. PowerShell Goes GUI: AD's New Administrative Center
  24. AD Admin Center (ADAC) • New GUI tool aiming at the same sorts of things that AD Users and Computers (ADUC) does • Actually a PowerShell 2.0 GUI application… under the hood, when you click a button, ADAC generates and executes PowerShell AD commands
  25. AD Admin Center (ADAC): what you'll like • "Navigation Nodes" let you administer multiple forests, domains, OUs etc simultaneously • Global search lets you search multiple "nodes" simultaneously, and it does the search on the server • Local queries do client-side filtering and let you build a query with the GUI and get back the LDAP equivalent of the query
  26. AD Admin Center (ADAC): what you'll like • ADUC's heavily tabbed interface replaced with a somewhat crisper (albeit a bit slower) interface
  27. AD Admin Center (ADAC): what they didn't get to • ADAC's plan was to include "reflectivity," a notion whereby when you click a button to get something done, it would show you what command-line PowerShell command would do the same thing • It'd be sort of a launching pad for writing procedures, batch files and the like • Didn't make it in this one
  28. AD Recycle Bin • We all make mistakes, and some of us have experienced the "oops!" feeling once we realize we've deleted an AD object • Authoritative restores and tombstone reanimation can bring back dead things, but they're cumbersome or require third-party tools • 2008 R2 brings an undelete ability for AD objects
  29. 2008 R2 DFL/FFL, Optional Features • AD Recycle Bin requires that your forest be in 2008 R2 Forest Functional Level… • Yup, that's right, we've got a new DFL/FFL • AD Recycle Bin needs that… but it needs more as well • R2 inaugurates a new aspect of AD, "optional features"; the idea is that if you don't use a feature, why enlarge the schema for something you don't use?
  30. Enabling AD Recycle Bin • AD Recycle Bin is optional, so turn it on… • Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=bigfirm,DC=com' -Scope Forest -Target 'bigfirm.com' • Change the forest name (DC=bigfirm,DC=com and bigfirm.com) to match your forest; you need only run the above command once • Note that as I write this (beta 1), the help is way off about single quotes: only use this: ' not this: `
  31. Enabling AD Recycle Bin • Objects deleted before you enable this feature cannot be undeleted with the Recycle Bin, even if you were in 2008 R2 FFL!
  32. AD Recycle Bin: making it work • I knew this would be the most popular R2 AD feature, but I covered PowerShell first because, well, you can only get to it with PowerShell • The command to restore a deleted AD object is "restore-adobject" • The problem is in specifying the LDAP distinguished name (DN) of the user
  33. AD Recycle Bin: making it work • Simple DN for a user "jane" in domain bigfirm.com: "CN=Jane,CN=Users,DC=bigfirm,DC=com" • DN after jane's deleted: "CN=jane\0ADEL:ce076811-4a8b-49bb-b332-9695ed786ba6,CN=Deleted Objects,DC=bigfirm,DC=com" • Now, we could undelete jane by giving restore-adobject that entire DN… but how to find it? • Answer: get-adobject
  34. AD Recycle Bin: making it work • Put them together: • get-adobject -filter {samaccountname -eq "jane"} -IncludeDeletedObjects | restore-adobject • This will restore Jane; replacing -eq "jane" with -like "*" would undelete all deleted objects
  35. AD Recycle Bin: details • Objects can be recycled up to 180 days after they've been deleted; after that, they are "tombstoned" (and cannot be recycled) for 180 days, and then finally scavenged from AD • You can only undelete an object if its container is not deleted; for example, if I deleted an OU and its users, I'd have to undelete the OU before I could undelete its users
  36. AD Recycle Bin: details • There isn't a -recurse switch on Restore-ADObject; thus, if I deleted an OU that contained users and OUs, which contained users and OUs etc, then I'd have to hand-undelete the tree from the top down • Microsoft intends to write a PowerShell script to solve this by RTM
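Since Restore-ADObject has no -recurse, here is the top-down tree restore the slide describes, as an added example (mine, not Microsoft's promised script and not from the deck). It assumes the 2008 R2 AD module, a forest at 2008 R2 FFL with the Recycle Bin feature enabled, and the domain bigfirm.com; the deleted OU "test" under the domain root is a constructed scenario.

```powershell
# Added example, not from the slides.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run for the forest
    $feature = Get-ADOptionalFeature -Filter "name -eq 'Recycle Bin Feature'"
    return ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
}

function Restore-ADDeletedSubtree {
    # Restores every deleted object whose last known parent was $ParentDn, then recurses into
    # each one using its original DN, so a parent is always back before its children are tried.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$ParentDn)

    # lastKnownParent keeps the pre-deletion parent DN; isDeleted=TRUE limits the search to
    # recycled objects. A parent DN containing ( ) * or \ would need LDAP escaping (not done here).
    $children = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$ParentDn))" `
        -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN'

    foreach ($child in $children) {
        # A deleted DN looks like "CN=jane\0ADEL:<guid>,CN=Deleted Objects,DC=bigfirm,DC=com";
        # everything before \0ADEL: is the original RDN, so original DN = RDN + "," + parent DN.
        $rdn = ($child.DistinguishedName -split '\\0ADEL:')[0]
        $originalDn = "$rdn,$ParentDn"
        if ($PSCmdlet.ShouldProcess($originalDn, 'Restore-ADObject')) {
            Restore-ADObject -Identity $child.ObjectGUID
        }
        # Recurse even under -WhatIf (the preference is inherited) so the whole tree is listed
        Restore-ADDeletedSubtree -ParentDn $originalDn
    }
}

# Usage: restore the top of the tree first, then everything beneath it. Dry run with -WhatIf.
if (-not (Test-ADRecycleBinEnabled)) { throw 'AD Recycle Bin is not enabled in this forest' }
$domainDn = (Get-ADDomain).DistinguishedName
$ou = Get-ADObject -IncludeDeletedObjects -LDAPFilter `
    "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=test)(lastKnownParent=$domainDn))"
Restore-ADObject -Identity $ou.ObjectGUID -WhatIf
Restore-ADDeletedSubtree -ParentDn "OU=test,$domainDn" -WhatIf
```

Remember the slide's other limit: anything deleted more than 180 days ago is a plain tombstone and this will not find it.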
  37. Offline Domain Join • What it does: • Lets you join a member server or workstation even if the member is not connected to the network • You can do this either to a system that's up and running, or you can essentially "inject domain membership" into a system that's not running but has been mounted, like a non-running VHD
  38. Offline Domain Join • What it doesn't do: • You can't join a "Sysprepped" system (that is, a system that you've run sysprep on; the "new" phrase is "generalized") offline • Machine needs to be specialized and needs a name
  39. Offline Domain Join • How it works, step one: • First, you run a command-line app, "djoin /provision", on a Win7-level DC/domain member • Creates a machine account (so clearly you need the right to do this) on the domain • Creates a bit of data written to a text file (it's binary data represented in base64, known as "the blob") that you'll need to move to the machine to be joined to the domain
  40. Offline Domain Join • How it works, step two: • Move the text file containing the blob to the prospective domain member (must be Win 7-level) • As local administrator, run djoin /requestODJ • System reads the blob, incorporates it into the SYSTEM/SECURITY hives in the Registry, and it is now a domain member
  41. Offline Domain Join: example • I'll join a system named "WS" to a domain named "bigfirm.com" • To start, I open an elevated command prompt at a bigfirm DC (again, it needn't be at a DC) • type: • djoin /provision /domain bigfirm.com /machine ws /savefile c:\wsblob.txt
  42. Offline Domain Join: looking at the example command • djoin /provision /domain bigfirm.com /machine ws /savefile c:\wsblob.txt • /machine needs just the hostname/NetBIOS name, not an FQDN; had I typed "/machine" with nothing after it, AD would have created a machine account named "!" • /domain takes either bigfirm.com or bigfirm • Physically transport wsblob.txt to WS
  43. Installing the Blob: 3 Scenarios • Install it to WS while WS is up and running with the /localos option • Apply to WS offline by booting the OS from some other OS, or booting an • Build the blob into a WSIM script for Sysprep and then use that script to image a system and allow Sysprep to specialize that system
  44. Offline Domain Join scenario one: apply to a running system • Assume I've got wsblob.txt on a USB stick that I insert into WS and the stick is drive E: • From an elevated command prompt on WS: • djoin /requestODJ /loadfile e:\wsblob.txt /windowspath c:\windows /localos • Significant point: djoin /requestodj really wants to noodle with a set of Registry hives that are not locked, as they are on running systems; "/localos" warns djoin that it's modifying a running, locked Registry
  45. Offline Domain Join scenario two: on an offline system • Mount the C: drive of a specialized VHD with machine name "WS" onto some system TECHPC as, say, c:\mountwin • Assume WS's Windows folder is \windows • Assume I've got wsblob.txt on a USB stick that I insert into TECHPC and the stick is drive E: • From an elevated command prompt on TECHPC: • djoin /requestODJ /loadfile e:\wsblob.txt /windowspath c:\mountwin\windows
  46. Offline Domain Join scenario three: WSIM script • Using WAIK 2.0 and WSIM… need WSIM from WAIK 2 or later! • There's a location for offline domain join info in pass 4 • You insert the blob • Can be used for installing new systems, or as a Sysprep script
  48. Offline Domain Join scenario three: using it • Create blob for a machine named "ws" • Use WSIM to create an XML answer file named "autounattend.xml" that creates a machine named "ws" with the blob value in the WSIM answer file (more details in Newsletter #60) • Pop the autounattend.xml file on a USB stick, connect it to the new system, put the Win 7 DVD into the new system's drive, turn the system on and walk away…
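The two djoin steps from slides 39 through 44 wrapped with the checks I'd want when provisioning more than one machine, as an added example (not from the deck). It assumes the Win7/2008 R2 djoin.exe, domain bigfirm.com, elevated prompts on both ends, and a blob folder C:\odj (my assumption) that only administrators can read, since whoever holds a blob can join that machine account to the domain.

```powershell
# Added example, not from the slides.
function New-OfflineJoinBlob {
    # Step one, on a DC or any Win7-level member with rights to create computer accounts
    param(
        [Parameter(Mandatory = $true)][string[]]$MachineName,
        [string]$Domain = 'bigfirm.com',
        [string]$BlobDir = 'C:\odj'      # assumption; restrict its ACL to admins
    )
    if (-not (Test-Path $BlobDir)) { New-Item -ItemType Directory -Path $BlobDir | Out-Null }
    $made = @()
    foreach ($name in $MachineName) {
        # /machine wants the NetBIOS host name: non-empty (the slide notes an empty value would
        # create an account named "!"), no dots, and NetBIOS names are at most 15 characters
        if ([string]::IsNullOrEmpty($name) -or $name -match '\.' -or $name.Length -gt 15) {
            Write-Error "Skipping '$name': /machine needs a non-empty NetBIOS host name"
            continue
        }
        $blob = Join-Path $BlobDir "$name.txt"
        djoin.exe /provision /domain $Domain /machine $name /savefile $blob
        if ($LASTEXITCODE -ne 0) {
            Write-Error "djoin /provision failed for $name (exit code $LASTEXITCODE)"
            continue
        }
        $made += $blob
    }
    return $made    # paths of the base64 blob files that now need transporting
}

function Install-OfflineJoinBlob {
    # Step two, scenario one: run elevated on the prospective member itself. /localos tells djoin
    # that the SYSTEM/SECURITY hives it is editing belong to the running (locked) OS.
    param(
        [Parameter(Mandatory = $true)][string]$BlobPath,
        [string]$WindowsPath = $env:SystemRoot
    )
    djoin.exe /requestODJ /loadfile $BlobPath /windowspath $WindowsPath /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit code $LASTEXITCODE)" }
}

function Test-DomainMembership {
    # Verification after the member has been restarted: WMI reports the joined domain
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    return New-Object PSObject -Property @{ PartOfDomain = [bool]$cs.PartOfDomain; Domain = $cs.Domain }
}

# On the DC:
New-OfflineJoinBlob -MachineName 'ws', 'ws2'
# On WS, after copying C:\odj\ws.txt to the USB stick (E:) and plugging it in:
# Install-OfflineJoinBlob -BlobPath 'E:\ws.txt'; then reboot and run Test-DomainMembership
```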
  49. Managed Service Accounts background: what problem does this solve? • Services must run under an account, and LocalSystem/LocalService/NetworkService can't always do the job • IIS, Exchange, SQL are some common examples • In that case, techies need to create accounts to act as service accounts • That works fine, except for the issue of passwords: they need regular changing or services stop working
  50. Managed Service Accounts background: what problem does this solve? • Basically, it's a pain to manage passwords for the user accounts that we happen to use for services • Also, introducing new user accounts into services means having to develop expertise with setspn, a tool that basically informs Kerberos that account "A" is now the "authentication point" for network service "B" • Additionally, you've got to be a domain admin to modify SPNs… MSAs let you delegate this to others
  51. Managed Service Accounts answer: managed service accounts • New class of accounts • Sorta user accounts, sorta machine accounts (new icon) • You: create one on the domain; "install" it on the member server; configure the service so that it logs on as that account, and from there password updates etc are automatic • Need one account per member
  52. Managed Service Accounts: password details • 240-character passwords created • Ignore group policies about passwords and ignore fine-grained password policies • Automatically handle password changes every 30 days
  53. Managed Service Accounts: requirements/details • Requires at least one 2008 R2 DC (which means a 2008 R2 schema on the forest) • Requires AD PowerShell (and therefore AD Web Service) to create accounts • Live in their own new folder (not an OU) called "Managed Service Accounts"
  54. Managed Service Accounts: create the account on the domain • new-adserviceaccount -samaccountname svc1 • Finding info: • get-adserviceaccount -identity svc1, or • get-adserviceaccount -identity "cn=svc1,cn=managed service accounts,dc=bigfirm,dc=com" • Remove with remove-adserviceaccount • There's also a set-adserviceaccount to modify aspects of an existing AD service account
  55. Managed Service Accounts: "install" the account to a service on a member • More specifically, "service" means either a svchost.exe or an IIS application pool • On the member, ensure that you've got PowerShell (RSAT will provide) and the AD PowerShell module • Introduce the AD account to the member that the service runs on: • install-adserviceaccount -identity svc1
  56. Managed Service Accounts: attach the account to a service on a member • Verify that the account's attached to the given member with get-adserviceaccount; example: • "get-adserviceaccount -identity svc1" will, when run, show • HostComputers: {CN=s2,CN=Computers…}, which is the DN of the member server that we just joined it to; before install-adserviceaccount, the line would be blank
  57. Managed Service Accounts: attach the account to a service on a member • Now that the account's been "installed" on the member, find the service in the Services snap-in and change the account the service runs under just as we've been able to since NT 3.1: go to Properties, choose the "Log on" tab, fill in the account name like domain\serviceaccountname$, and leave the password blank
  58. Managed Service Accounts: or use sc.exe • sc config svc obj= domain\accountname$ • Example: • sc config mysvc obj= bigfirm\acct3 • REMEMBER to put a space after the equals sign! • Again, you can alternatively use IIS Admin to associate an MSA with an IIS application pool
  59. Managed Service Accounts: reviewing… • Punch in the account as domain\username • Put a $ at the end, as technically it's more of a machine account than a user account • Clear out the password field • And if you're experimenting, understand that this won't work on many built-in services; I demonstrate it on "SNMP Trap…" but I don't have any intention of using SNMP trap!
  60. Managed Service Accounts: SPN management • As mentioned, you can control who can administer SPNs rather than needing to be a domain admin • If you rename a machine account, the SPN gets fixed automatically • If you change a DNS host name, the SPN gets fixed automatically
  61. Managed Service Accounts: forcing a password reset • Reset-ADServiceAccountPassword [-Identity] <ADServiceAccount> • Probably never need it, but just in case!
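The three MSA steps from slides 54 through 59 (create on the domain, install on the member, point the service at it) as one script with the verification the slides describe. Added example, not from the deck: it assumes the 2008 R2 AD module (standalone MSAs; 2012 and later changed the parameters), domain bigfirm.com, the domain half run on a DC or RSAT box, the member half run elevated on the member, and a service named MySvc (my assumption).

```powershell
# Added example, not from the slides.
Import-Module ActiveDirectory

function New-DomainMsa {
    # Step 1, on the domain. The slide shows -samaccountname alone; -Name is the mandatory
    # parameter in the released module, so both are given (assumption about the RTM syntax).
    param([Parameter(Mandatory = $true)][string]$Name)
    New-ADServiceAccount -Name $Name -SamAccountName $Name
    return Get-ADServiceAccount -Identity $Name
}

function Install-MsaOnMember {
    # Step 2, elevated on the member. Installs the account locally, then confirms the DC now
    # lists this computer in HostComputers (the slide's blank-before / DN-after check).
    param([Parameter(Mandatory = $true)][string]$Name)
    Install-ADServiceAccount -Identity $Name
    $msa = Get-ADServiceAccount -Identity $Name -Properties HostComputers
    $me = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    return ($msa.HostComputers -contains $me)
}

function Set-ServiceToMsa {
    # Step 3: sc.exe config with the separate "obj=" token the slide warns about, no password
    # (the DC rotates the 240-character password every 30 days), and the $ suffix that marks
    # the MSA as a machine-style account. Returns $true when the service really logs on as it.
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$Domain = 'bigfirm'
    )
    $account = '{0}\{1}$' -f $Domain, $Name      # e.g. bigfirm\svc1$
    sc.exe config $ServiceName obj= $account
    if ($LASTEXITCODE -ne 0) { throw "sc config failed (exit code $LASTEXITCODE)" }
    Restart-Service -Name $ServiceName           # the new logon account takes effect on restart
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    return ($svc.StartName -eq $account)
}

# Domain side:
New-DomainMsa -Name 'svc1'
# Member side (elevated); both calls should return True:
Install-MsaOnMember -Name 'svc1'
Set-ServiceToMsa -ServiceName 'MySvc' -Name 'svc1'
```

As the slide says, many built-in services refuse an MSA logon, so test against your own service rather than a Windows one.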
  62. Best Practices Analyzer • A sort of graphical dcdiag/netdiag, a set of "sanity checks" • Access from Server Manager: Roles / Active Directory Domain Services / in the right-hand pane, scroll down below Events and System Services • Click "Scan This Role"
  63. AD Best Practices Analyzer [screenshot]
  64. AD Best Practices Analyzer • You can run this remotely now that Server Manager is remote-able • There is a fixed set of tests that can't be changed (although MS may change them now and then via Windows Update) • In my experience this can offer some "false positive" errors, so double-check before freaking out about a red circle with a white cross in it
  65. Authentication Mechanism Assurance • New feature for users of the current "passive" ADFS or the upcoming "active" ADFS ("Geneva") • ADFS simplifies maintaining authentication between secure Web-based applications from completely disconnected forests, like Microsoft's SharePoint talking to HP's SharePoint
  66. Authentication Mechanism Assurance • When someone from (for example) HP signs onto a trusted (different meaning from an AD trust) Microsoft site, information about them (e.g. group memberships) gets passed to the Microsoft server • What's new is that it's now possible for the HP server to tell the Microsoft server how the user authenticated in the first place
  67. Authentication Mechanism Assurance: what good is that? • Different logon methods are stronger or weaker, e.g. smart cards are a fairly strong method • Only works with Kerberos, not NTLM • Shows up as a group membership • Really needs smart cards to be of any value
  68. Thank You! • Please fill in an evaluation • Visit my site for free tech forum, newsletters etc; I'm at • My two-day Windows Server 2008 seminar comes to Philadelphia next week and Chicago at the end of April • Info on all of it at • Enjoy the rest of the show!