Active Directory Windows Server 2008 R2 Updates

Session Objectives And Takeaways

- Describe Active Directory features in Windows Server 2008 R2
- Discuss the importance of these features to our customers
- Demonstrate how some of these features will benefit our customers

Agenda

What's new in Active Directory for Windows Server 2008 R2?

- PowerShell cmdlets
- Active Directory Administrative Center
- Best Practice Analyzer
- Recycle Bin for AD
- Managed Service Accounts
- Offline Domain Join
- Authentication Assurance
- Health Model and Management Packs

Active Directory tour demonstration

Conclusion

PowerShell for AD
Command-line scripting for administrative, configuration and diagnostic tasks

Past limitations
- The 30+ command-line tools for administering AD are not consistent in their usage
- It is difficult to compose these tools to achieve complex tasks

Feature takeaway
- 85+ AD cmdlets for comprehensive AD DS and AD LDS administration and configuration
- Communicates using Web Service protocols
- Can be used to manage Windows Server 2008 and 2003 domain controllers, using a future AD Web Service download

PowerShell Advantages

- Consistent vocabulary and syntax
- Predictable discovery
- Flexible output formatting
- Cmdlets can be easily composed (piped) to build complex operations
- End-to-end manageability with Exchange, Group Policy, etc.

PowerShell Provider Model

- Provides sessions, server context, security context and path context
- Enables best-practices sharing across connections
- The combination of cmdlets and provider gives users a familiar model
- Perform operations in AD that are similar to the file system or registry, such as rename, move, etc.

Get-Command -CommandType Cmdlet *-AD*

Add-ADComputerServiceAccount
Add-ADDomainControllerPasswordReplicationPolicy
Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership
Clear-ADAccountExpiration
Disable-ADAccount
Disable-ADOptionalFeature
Enable-ADAccount
Enable-ADOptionalFeature
Get-ADAccountAuthorizationGroup
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADComputer
Get-ADComputerServiceAccount
Get-ADDefaultDomainPasswordPolicy
Get-ADDomain
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicyUsage
Get-ADFineGrainedPasswordPolicy
Get-ADFineGrainedPasswordPolicySubject
Get-ADForest
Get-ADGroup
Get-ADGroupMember
Get-ADObject
Get-ADOptionalFeature
Get-ADOrganizationalUnit
Get-ADPrincipalGroupMembership
Get-ADRootDSE
Get-ADServiceAccount
Get-ADUser
Get-ADUserResultantPasswordPolicy
Install-ADServiceAccount
Move-ADDirectoryServer
Move-ADDirectoryServerOperationMasterRole
Move-ADObject
New-ADComputer
New-ADFineGrainedPasswordPolicy
New-ADGroup
New-ADObject
New-ADOrganizationalUnit
New-ADServiceAccount
New-ADUser
Remove-ADComputer
Remove-ADComputerServiceAccount
Remove-ADDomainControllerPasswordReplicationPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Remove-ADGroup
Remove-ADGroupMember
Remove-ADObject
Remove-ADOrganizationalUnit
Remove-ADPrincipalGroupMembership
Remove-ADServiceAccount
Remove-ADUser
Rename-ADObject
Reset-ADServiceAccountPassword
Restore-ADObject
Search-ADAccount
Set-ADAccountControl
Set-ADAccountExpiration
Set-ADAccountPassword
Set-ADComputer
Set-ADDefaultDomainPasswordPolicy
Set-ADDomain
Set-ADDomainMode
Set-ADFineGrainedPasswordPolicy
Set-ADForest
Set-ADForestMode
Set-ADGroup
Set-ADObject
Set-ADOrganizationalUnit
Set-ADServiceAccount
Set-ADUser
Uninstall-ADServiceAccount
Unlock-ADAccount
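The cmdlet list and the three preceding slides describe consistent naming, pipeline composition and the AD: provider drive. The script below is an added example, not part of the deck, showing those three properties on routine hygiene tasks: a stale-account report, a privileged-group audit, and file-system-style navigation of the directory. It assumes the ActiveDirectory module is available (RSAT or a 2008 R2 DC); the domain contoso.com, the OU and the output path are constructed.

```powershell
# Added example (not from the slide deck): composing the Windows Server 2008 R2
# AD cmdlets through the pipeline, plus the AD: provider drive the slides describe.
# Assumptions: the ActiveDirectory module is installed and the domain is
# contoso.com; adjust the OU and group names to your own forest.
Import-Module ActiveDirectory

# 1. Consistent vocabulary: every cmdlet is Verb-ADNoun, so discovery is predictable.
Get-Command -Module ActiveDirectory -Verb Get | Select-Object -ExpandProperty Name

# 2. Composition: find enabled user accounts with no logon for 90 days, report them,
#    then disable them with -WhatIf so the change is reviewed before it is applied.
$stale = Search-ADAccount -AccountInactive -TimeSpan '90.00:00:00' -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, Description

$stale | Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

$stale | Disable-ADAccount -WhatIf   # drop -WhatIf once the list has been reviewed

# 3. Privileged-group audit: recursive membership of Domain Admins (nested groups
#    expanded), written to CSV so changes can be diffed between runs.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires |
    Export-Csv -Path .\domain-admins.csv -NoTypeInformation

# 4. Provider model: the AD: drive exposes the directory like a file system, so the
#    familiar item cmdlets (Get-ChildItem, Rename-Item, Move-Item) work on objects.
Set-Location 'AD:\DC=contoso,DC=com'
Get-ChildItem -Path 'OU=Servers,DC=contoso,DC=com' | Select-Object Name, ObjectClass
```

Each stage is an ordinary pipeline, which is the point the "Past limitations" slide makes: the same report previously needed several unrelated command-line tools and text parsing between them.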

Administrative Center for AD
Increase the productivity of IT Pros by providing a scalable, task-oriented UX for managing Active Directory

Past limitations
- Non-task-oriented UI causes customer pain
  - Example: resetting user passwords
- Representation in MMC is not scalable for large datasets

Feature takeaway
- Tasks executed through PowerShell cmdlets
- Task-oriented administration model, with support for larger datasets
- Consistency between CLI and UI management capabilities
- Navigation experience designed to support multi-domain, multi-forest environments

Administrative Center for AD (continued)

- Progressive disclosure
- Task oriented
- PowerShell-based instrumentation
- Multi-domain / multi-forest

Best Practice Analyzer
Identify deviations from best practices to help our customers better manage their Active Directory deployments

Past limitations
- No easy and automated validation of AD configuration against best practices

Feature takeaway
- Analyzes the AD settings that cause the most unexpected behavior in customer environments
- Leverages PowerShell cmdlets to gather run-time data
- Makes recommendations in the context of the deployment
- Available through the Server Manager BPA runtime tool

Best Practice Analyzer first set of scenarios
Version 1.0 of the BPA focuses mostly on common DNS issues

- SRV records for a DC are registered with its DNS server
- A/AAAA records of a DC are registered with its DNS server
- The DC has a valid host name
- Schema Master and Domain Naming Master FSMO roles are recommended to be on the same machine
- RID Master and PDC Emulator roles are recommended to be on the same machine
- Each domain is recommended to have at least two DCs
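The BPA slides say the analyzer gathers its data with the PowerShell cmdlets. The script below is an added example, not part of the deck or of the BPA itself, that reimplements the six v1.0 checks listed above with those cmdlets so they can be run from any domain member and fed to a monitoring job. It assumes the ActiveDirectory module is installed; because the 2008 R2 cmdlet set has no DNS resolver cmdlet, SRV lookups shell out to nslookup.exe and A-record checks use System.Net.Dns.

```powershell
# Added example (not from the slide deck): scripting the BPA v1.0 checks listed on
# the slide with the AD cmdlets. Assumptions: ActiveDirectory module available;
# nslookup.exe is used for SRV lookups (no DNS cmdlet ships with 2008 R2).
Import-Module ActiveDirectory

$forest   = Get-ADForest
$findings = @()

# Schema Master and Domain Naming Master recommended on the same DC.
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    $findings += "Schema Master ($($forest.SchemaMaster)) and Domain Naming Master ($($forest.DomainNamingMaster)) are on different DCs"
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # RID Master and PDC Emulator recommended on the same DC.
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        $findings += "$($domainName): RID Master ($($domain.RIDMaster)) and PDC Emulator ($($domain.PDCEmulator)) differ"
    }

    # Each domain should have at least two DCs.
    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
    if ($dcs.Count -lt 2) {
        $findings += "$($domainName): only $($dcs.Count) domain controller(s)"
    }

    foreach ($dc in $dcs) {
        # Valid host name and A record: the FQDN must resolve to the DC's advertised address.
        try {
            $addresses = [System.Net.Dns]::GetHostAddresses($dc.HostName) |
                ForEach-Object { $_.IPAddressToString }
            if ($addresses -notcontains $dc.IPv4Address) {
                $findings += "$($dc.HostName): A record does not match IPv4Address $($dc.IPv4Address)"
            }
        } catch {
            $findings += "$($dc.HostName): host name does not resolve"
        }

        # DC locator SRV record is registered and names this DC.
        $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainName" 2>$null
        if (-not ($srv | Select-String -SimpleMatch $dc.HostName)) {
            $findings += "$($dc.HostName): no _ldap._tcp.dc._msdcs SRV record found"
        }
    }
}

if ($findings) { $findings } else { 'No deviations from the BPA v1.0 checks found' }
```

The FSMO checks read the forest and domain objects directly, so they are cheap enough to run daily; a domain dropping to a single DC, or a DC whose SRV record disappears, is exactly the kind of drift the slide says causes "most unexpected behavior".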

Architecture (slide 12, diagram reduced to its labels)

Windows Server 2008: management clients (MMC-based ADUC/ADSS/ADDT, WSH scripts via ADSI, CLI tools, .NET via S.DS.P/S.DS.AM/S.DS.AD) reach the AD Core over LDAP and the DS RPC-based protocols (DRS, SAM, ...).

Windows Server 2008 R2 additions: the AD Web Service (WCF .NET) on the server; on the client, the AD PowerShell CLI and the ADMUX GUI (WPF .NET); BPA.

Recycle Bin for AD
Customers can undo an accidental deletion in Active Directory

Past limitations
- Accidental object deletion causes business downtime: deleted users cannot log on or access corporate resources
- Accidental deletions are the #1 cause of AD disaster recovery scenarios

Feature takeaway
- Recycle Bin for AD DS and AD LDS objects
- Feature enabled with a new forest functional level
  - Requires all DCs in the forest to be Windows Server 2008 R2 DCs
  - For AD LDS, all replicas must be running in a new 'application mode'

Recycle Bin for AD Object Life-cycle (slide 14, diagram reduced to text)

Windows Server 2008:
  Live Object -> Tombstone Object (180 days) -> Garbage collection
  LDAP control OID 1.2.840.113556.1.4.417 returns tombstones

Windows Server 2008 R2 with Recycle Bin enabled (if not enabled, behavior is similar to Windows Server 2008):
  Live Object -> Deleted Object (180 days) -> Recycled Object (180 days) -> Garbage collection
  LDAP control OID 1.2.840.113556.1.4.417 returns deleted objects
  LDAP control OID 1.2.840.113556.1.4.2064 returns deleted and recycled objects
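The two Recycle Bin slides state the prerequisites (forest functional level, all DCs on 2008 R2) and the lifecycle (deleted objects restorable for 180 days, then recycled). The script below is an added example, not from the deck, that checks the prerequisite, enables the feature, and lists and restores deleted objects using the Enable-ADOptionalFeature, Get-ADObject and Restore-ADObject cmdlets from the cmdlet list. It assumes the forest root is contoso.com and Enterprise Admin rights; the user name 'jdoe' is constructed.

```powershell
# Added example (not from the slide deck): enabling the AD Recycle Bin and restoring
# a deleted object. Assumptions: forest root contoso.com, run as Enterprise Admin,
# 180-day deleted-object lifetime as on the slide; user 'jdoe' is a constructed name.
Import-Module ActiveDirectory

$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest is required"
}

# Enabling the feature cannot be undone, which is why the cmdlet prompts for confirmation.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

# Deleted objects are restorable; recycled objects are not, so filter them out.
# -IncludeDeletedObjects makes objects in the Deleted Objects container visible to the query.
$restorable = Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, msDS-LastKnownRDN

$restorable | Select-Object msDS-LastKnownRDN, ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Restore one user back to its last known parent OU; group memberships and SID are kept,
# which is what makes this preferable to recreating the account.
$restorable | Where-Object { $_.'msDS-LastKnownRDN' -eq 'jdoe' } | Restore-ADObject

# Review window: deletions from the last 7 days and the date each one becomes recycled.
$since = (Get-Date).AddDays(-7)
$restorable | Where-Object { $_.whenChanged -gt $since } | ForEach-Object {
    "$($_.'msDS-LastKnownRDN') deleted $($_.whenChanged); restorable until about $($_.whenChanged.AddDays(180))"
}
```

The isRecycled filter matters operationally: an object that has already moved to the recycled state shows up in the same container but Restore-ADObject will fail on it, so a restore runbook should distinguish the two states the lifecycle slide draws.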

Managed Service Accounts
Simple management of service accounts

Past limitations
- Management of individual accounts for services is cumbersome
- Periodic maintenance often causes outages
  - Example: resetting a service account password

Feature takeaway
- A manageable solution that addresses isolation needs for services
- Better SPN management at the Windows Server 2008 R2 (Win7) domain functional level
- Lower TCO from reduced service outages (for manual password resets and related issues)
- One Managed Service Account per service per box

No human intervention for password management!
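The slide's model is one Managed Service Account per service per host, with the password handled by the machine rather than an administrator. The script below is an added example, not from the deck, that provisions one MSA end to end with the New-ADServiceAccount, Add-ADComputerServiceAccount, Set-ADServiceAccount and Install-ADServiceAccount cmdlets from the cmdlet list and then binds a Windows service to it. It assumes domain CONTOSO / contoso.com; the host APP01, account svc-report01 and service ReportSvc are constructed.

```powershell
# Added example (not from the slide deck): one Managed Service Account for one service
# on one host. Assumptions: domain CONTOSO (contoso.com); host APP01, account
# svc-report01 and service ReportSvc are constructed names.
Import-Module ActiveDirectory

$msaName  = 'svc-report01'   # sAMAccountName becomes svc-report01$
$hostName = 'APP01'

# --- On the admin workstation ---
# 1. Create the account in the domain; no human ever chooses or knows the password.
New-ADServiceAccount -Name $msaName -Enabled $true -Description 'Report service on APP01'

# 2. Bind the MSA to the single computer allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. Register the service's SPN on the MSA so Kerberos works without a shared user account.
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{Add = 'HTTP/app01.contoso.com'}

# --- On APP01 itself, as a local administrator ---
# 4. Install the account locally; the host fetches the password from AD and
#    rotates it automatically, like its own computer account password.
Install-ADServiceAccount -Identity $msaName

# 5. Run the service as DOMAIN\name$ with an empty password (the OS supplies it).
#    Win32_Service.Change parameters: DisplayName, PathName, ServiceType, ErrorControl,
#    StartMode, DesktopInteract, StartName, StartPassword, LoadOrderGroup,
#    LoadOrderGroupDependencies, ServiceDependencies.
$svc    = Get-WmiObject Win32_Service -Filter "Name='ReportSvc'"
$result = $svc.Change($null, $null, $null, $null, $null, $null, "CONTOSO\$msaName`$", $null, $null, $null, $null)
if ($result.ReturnValue -ne 0) { throw "Failed to set service logon account (code $($result.ReturnValue))" }
Restart-Service -Name 'ReportSvc'

# --- Verification from the admin workstation ---
Get-ADComputerServiceAccount -Identity $hostName | Select-Object Name, HostComputers
```

Step 2 is the isolation control the slide refers to: only the bound host can retrieve the password, so the account cannot quietly spread to other servers the way a shared service account with a known password does.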

Offline Domain Join
Enable easier provisioning of machines in the data center

Past limitations
- Reboot needed after domain join
- Inability to prepare the machine to be domain joined while offline

Feature takeaway
- Ability to pre-provision machine accounts in the domain to prepare OS images for mass deployment
- Machines are domain joined on initial boot
- Reduces steps and time needed to deploy in the data center
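The slide describes pre-provisioning the machine account and completing the join on first boot. The script below is an added example, not from the deck, showing the two halves of that flow with djoin.exe, the tool that implements the feature. It assumes domain contoso.com; the machine name WEB07, the target OU and the file paths are constructed.

```powershell
# Added example (not from the slide deck): Offline Domain Join with djoin.exe.
# Assumptions: domain contoso.com; machine WEB07, OU and paths are constructed.

# --- Step 1: on a domain-joined admin host with rights to create computer objects ---
$domain  = 'contoso.com'
$machine = 'WEB07'
$blob    = "$env:TEMP\$machine.odj"

djoin.exe /provision /domain $domain /machine $machine /machineou 'OU=Servers,DC=contoso,DC=com' /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The computer account exists before the machine has ever booted, which is what lets
# mass-deployed images join on first boot.
Import-Module ActiveDirectory
Get-ADComputer -Identity $machine | Select-Object Name, Enabled, DistinguishedName

# The blob contains the machine account credential: treat it as a secret. Restrict it
# to the provisioning operator, move it over a protected channel, delete it after use.
icacls.exe $blob /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null

# --- Step 2: on the target machine or its offline image (no domain connectivity needed) ---
# Running (not yet joined) machine; the join completes during boot, so no post-join
# reboot is needed:
#   djoin.exe /requestODJ /loadfile C:\deploy\WEB07.odj /windowspath $env:SystemRoot /localos
# Offline image mounted at D:\ :
#   djoin.exe /requestODJ /loadfile C:\deploy\WEB07.odj /windowspath D:\Windows

# --- Back on the admin host, once the blob has been copied to the deployment share ---
Remove-Item -Path $blob -Force
```

Because step 1 creates a real, enabled computer account, provisioning runs should be logged and the account deleted if the deployment is cancelled; an unused pre-provisioned account plus its blob is equivalent to an unused credential.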

Authentication Assurance
Applications can control resource access based on authentication strength and method

Past limitations
- Customers cannot use authentication type or authentication strength to protect corporate data
  - Example: control access to resources based on claims such as smart card logon, or a logon certificate using a 2048-bit key

Feature takeaway
- Administrators can map various properties, including authentication type and authentication strength, to an identity
- Based on information gathered during authentication, these identities are added to Kerberos tickets for use by applications
- Feature is enabled with a new domain functional level
  - All domain controllers in the domain need to be Windows Server 2008 R2 DCs
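The slide says administrators map authentication properties to an identity that is then carried in the Kerberos ticket. In Windows Server 2008 R2 that mapping is made by linking a certificate issuance policy OID object (under CN=OID in the configuration partition) to a universal group through its msDS-OIDToGroupLink attribute. The script below is an added example, not from the deck, that checks the domain functional level the slide requires, finds the policy, validates the group and sets the link. It assumes the issuance policy display name 'Smart Card High Assurance' and group 'AuthAssurance-SmartCard' (both constructed), and that issuance-policy objects carry flags = 2.

```powershell
# Added example (not from the slide deck): linking a certificate issuance policy to a
# universal group so logons with a certificate carrying that policy get the group's SID
# in their Kerberos ticket. Assumptions: policy display name and group name are
# constructed; issuance policy OID objects are msPKI-Enterprise-Oid with flags = 2.
Import-Module ActiveDirectory

$domain = Get-ADDomain
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    throw "Domain functional level is $($domain.DomainMode); Windows2008R2Domain is required"
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$oidBase  = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

$policy = Get-ADObject -SearchBase $oidBase `
    -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(flags=2)(displayName=Smart Card High Assurance))' `
    -Properties displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink
if (-not $policy) { throw 'Issuance policy not found in the configuration partition' }

# The linked group must be a security-enabled universal group with no static members:
# its SID is added to the ticket at logon, not through stored membership.
$group = Get-ADGroup -Identity 'AuthAssurance-SmartCard' -Properties Members
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw 'Group must be a universal security group'
}
if ($group.Members.Count -gt 0) {
    throw 'Group must have no members; membership is derived from the logon certificate'
}

Set-ADObject -Identity $policy -Replace @{'msDS-OIDToGroupLink' = $group.DistinguishedName}

# Verify both directions of the link.
Get-ADObject -Identity $policy -Properties msDS-OIDToGroupLink |
    Select-Object displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink
Get-ADGroup -Identity $group -Properties msDS-OIDToGroupLinkBl |
    Select-Object Name, msDS-OIDToGroupLinkBl

# Applications and resource ACLs then test for the group SID (for example, in .NET,
# WindowsPrincipal.IsInRole) and can deny access when the session was not
# authenticated with a certificate carrying the required issuance policy.
```

Because the group's SID is present only for the session that authenticated with the matching certificate, a password logon by the same user does not carry it; that is what lets a file share or application distinguish authentication strength, which the slide lists as the gap in earlier versions.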

Health Model
Enable IT administrators to better diagnose and resolve Active Directory issues

Past limitations
- Diagnostic information is incomplete and inconsistent

Feature takeaway
- Continued investment towards completing the health model
- A single authoritative source for information used in Management Packs, Best Practice Analyzer and online documentation

Management Pack
Provide proactive monitoring of availability and performance of Active Directory

Past limitations
- Current management pack lacks support for Windows Server 2008 and MOM 2007

Feature takeaway
- Support for Windows Server 2008 domain controllers
- Multiple replication latency groups
- Ability to monitor multiple forests from a single management group
- Management pack for MOM 2007

The journey to Windows Server 2008 R2

- Upgrading to Windows 7 clients while keeping existing servers, you can use: Offline Domain Join
- Once the AD Web Service is available for existing servers, if you upgrade to Windows 7 clients, you can use: AD PowerShell and ADAC with all your servers
- Upgrading to Windows 7 clients while installing one or more Windows Server 2008 R2 domain controllers (one per domain), you can use: Managed Service Accounts
- If you change the domain functional level to Windows Server 2008 R2, you can use: Authentication Assurance; Managed Service Accounts with an enhanced SPN management experience
- If you change the forest functional level to Windows Server 2008 R2, you can use: AD Recycle Bin

Related Content

Tuesday, November 4th
- Identity Lifecycle Manager 2 (Part 1): Empowering users with self-service identity management solutions, 10:45-12:00pm
- Windows Server 2008 R2 Active Directory: What's Coming Up?, 1:30-2:45pm
- Chalk & Talk: Windows Server Active Directory (IDA03-IS), 3:15-4:30pm
- Windows Vista PKI Enhancements in Windows 7 and Windows Server 2008 R2, 3:15-4:30pm
- Going Virtual with the Intelligent Application Gateway and a Sneak Peek at the Future!, 3:15-4:30pm
- Forefront Security for Exchange Server: Advanced Spam and AntiMalware Scanning Today and Tomorrow, 5:00-6:15pm
- Active Directory Rights Management Services (AD RMS) - End to End, 5:00-6:15pm

Wednesday, November 5th
- Microsoft Forefront Security for SharePoint: The Next Generation of Collaboration Security, 9:00-10:15am
- Ask The Experts, 12:15-12:45pm
- Identity Lifecycle Manager 2 (Part 2): Expressing and enforcing business policy, 1:30-2:45pm
- Introduction to Microsoft Forefront Codename Stirling, 1:30-2:45pm
- Connecting Active Directory to Microsoft Cloud Services, 3:45-5:00pm
- Hybrid Messaging Security for Exchange Server, 3:45-5:00pm
- Using Active Directory Domain Services for Linux Servers, 5:30-6:45pm

Visit the Identity & Security booths for a detailed guide to activities at TechEd EMEA

Related Content (continued)

Thursday, November 6th
- Windows Server 2008 Active Directory Best Practices (IDA08), 8:30-9:45pm
- Notes from the Field: Deploying Microsoft Identity Lifecycle Manager 2007 Certificate Management, 10:15-11:30am
- Ask The Experts, 12:15-12:45pm
- Successful deployment tips for Security and Strong Authentication, 1:00-2:15pm
- Using Network Access Protection (NAP) in combination with FCS, 1:00-2:15pm
- Identity Lifecycle Manager 2 (Part 3): Extensibility and provisioning with ILM 2, 2:40-3:55pm
- Universal sign-in utilizing AD, CardSpace and federation technologies: How to sign in any user, in any kind of application, in any scenario, using 'Zermatt' and claims-based identity, 4:20-5:35pm
- Windows Server 2008 R2 Active Directory: What's Coming Up? (IDA309, repeat), 6:00-7:15pm

Friday, November 7th
- Active Directory Information Security - Where is the boundary?, 9:00-10:15am
- A Technical Preview and Deep Dive of Next Generation ISA Server, 9:00-10:15am
- A DS Geek's Notes from the Field - Active Directory Uncovered, 10:45-12:00pm
- Infrastructure services for SOA security and federation: 'Geneva' Security Token Services, 3:15-4:30pm

Visit the Identity & Security booths for a detailed guide to activities at TechEd EMEA

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.