John Craddock Infrastructure & Security Architect XTSeminars Ltd Session Code: SIA319


What's Windows Server 2008 R2 Going to Do for Your Active Directory?

John Craddock, Infrastructure & Security Architect, XTSeminars Ltd
Session Code: SIA319


Agenda

AD module for Windows PowerShell
AD Administrative Center
AD Best Practice Analyser
Managed Service Accounts
Offline domain join
Authentication mechanism assurance
AD Recycle Bin


Windows PowerShell for AD

PowerShell v2 includes an AD Module

Comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks

Easy to compose and manage complex tasks

PowerShell drives for AD

Simple navigation in AD DS, AD LDS and AD Snapshots

Certain tasks can only be achieved through PowerShell


Example

Import-Module ActiveDirectory

New-ADUser -Name "Craddock John" -SamAccountName "jcraddock" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "Temp0Pwd0!" -Force) `
    -Enabled $true -ChangePasswordAtLogon $true `
    -GivenName "John" -Surname "Craddock" `
    -UserPrincipalName "[email protected]" `
    -Path "OU=Admins,OU=UK,DC=example,DC=com"


AD Web Services (ADWS)

ADWS is automatically installed with AD DS and AD LDS

Port 9389 must be open for remote administration

Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008

ADMG does not support instances mounted with the AD database mounting tool

Diagram: the PowerShell cmdlets talk WS-* to ADWS on port 9389; ADWS in turn uses LDAP (389 to AD, 3268 to the GC) to reach AD DS / GC, AD LDS instances and mounted AD snapshot instances.


AD Administrative Center

Task-oriented model

Progressive disclosure of data

Powerful searching

Simultaneously connect to other domains

Built on PowerShell Cmdlets


Best Practice Analyser

Compares the current configuration on a DC to best practice recommendations

Scan started via Server Manager or PowerShell

Results through the UI and PowerShell output

Provides guidance, does not fix problems

Results flagged as Error (red), Warning or Information

Quarterly updates


Collecting and Analysing Data

Diagram (BPA run time): the AD DS BPA PowerShell script collects data into an XML results document, which is validated against an XML schema. The AD DS BPA rule set then analyses the results and, together with the AD DS BPA guidance, produces the AD DS BPA report.


Service Accounts

Using built-in accounts for services does not provide service isolation. What's the alternative?

Run the services using standard user accounts. How many of you change service account passwords on a regular basis?

Any problems?

Diagram: a service on a server logs on with domain user account SRV1 and a stored password; every password change on the domain account must also be updated in the service configuration.


Managed Service Accounts

Diagram (domain example.com, server SERVER1, account SVC1):

1. Created in the domain: New-ADServiceAccount svc1
2. Installed on the server: Install-ADServiceAccount svc1
3. Configure the service to log on as example\svc1$ (append $ to the account name) with an empty password
4. The server automatically resets the password based on "Max machine account password age"; it can also be reset with Reset-ADServiceAccountPassword svc1

Accounts must be created and managed through Windows PowerShell
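The four steps above carried through end to end, as an added example that is not from the slides. It assumes domain example.com (NetBIOS name EXAMPLE), an MSA named svc1 and a service named MyAppSvc already installed on SERVER1; step 1 runs with rights to create accounts in the domain, steps 2-4 in an elevated session on SERVER1, and the Win32_Service.Change call stands in for the services.msc Log On tab.

```powershell
# Added example: MSA lifecycle for one service on one host.
# Assumptions: domain example.com / EXAMPLE, MSA svc1, service MyAppSvc on SERVER1.
Import-Module ActiveDirectory

# 1. Create the account in the domain (lands in CN=Managed Service Accounts by default).
New-ADServiceAccount -Name svc1 -Enabled $true

# 2. Bind it to this host. An MSA can be installed on exactly one computer, which is
#    what gives the isolation that shared built-in or ordinary user accounts lack.
Install-ADServiceAccount -Identity svc1
if (-not (Test-ADServiceAccount -Identity svc1)) {
    throw "svc1 cannot be used from $env:COMPUTERNAME; was Install-ADServiceAccount run here?"
}

# 3. Point the service at EXAMPLE\svc1$ with an empty password. The trailing $ tells the
#    Service Control Manager that the host manages the password itself, so no credential
#    is stored in the service configuration. (Win32_Service.Change is assumed here in
#    place of the services.msc Log On tab; $null arguments leave that setting unchanged.)
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MyAppSvc'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, 'EXAMPLE\svc1$', '')
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($rc.ReturnValue)" }
Restart-Service -Name MyAppSvc

# 4. Rotation is automatic on the machine account password age. An explicit reset is the
#    response when the host or account is suspected compromised; because only this host
#    holds the password, nothing else has to be updated afterwards.
Reset-ADServiceAccountPassword -Identity svc1

# Inventory for review: which computer each MSA is bound to and when its password last changed.
Get-ADServiceAccount -Filter * -Properties HostComputers, PasswordLastSet |
    Select-Object Name, HostComputers, PasswordLastSet
```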


Requirements & Caveats

Service / application requiring a managed account must be running on Windows 7 or 2008 R2

Requires the AD Module for Windows PowerShell to be installed

Forest and domain must be prepared for 2008 R2: adprep /forestprep & adprep /domainprep

2008 R2 domain functional level adds SPN management

Managed accounts cannot be shared across multiple servers


Offline Domain Joins

Allows Windows 7 or Windows 2008 R2 machines to be joined to a domain while offline

On start-up, the machine is already domain joined and there is no reboot requirement

Speeds up deployment of VMs and scripted installs

New section in unattend.xml supports offline domain joins

Simplifies domain joins to RODCs


Diagram (offline domain join flow):

Windows 7 or 2008 R2 is required both for computers running djoin and for computers being joined to the domain

Provisioning (online, against the domain) creates the computer account object and saves its metadata:
Djoin /provision /domain example.com /machine ms1 /savefile ms1.txt

The computer account metadata is Base-64 encoded; treat it as security sensitive

Offline VHD or physical system: inject the metadata into the offline Windows directory
djoin /requestODJ /loadfile <ms1.txt> /windowspath <Windows directory>

Online VHD or physical system: requires /localos and a reboot

Unattended.xml: add the account metadata to the offline domain join section


Authentication Mechanism Assurance

Allows applications to control access to resources based on authentication strength

For example, only allow access to a resource if the user has been authenticated using a smart card

Requires Windows 2008 R2 domain functionality

Diagram: strong authentication gives full access; normal authentication gives restricted access


Resource Access Control

When a certificate-based logon method is used, an administrator-designated universal group is added to the user's Kerberos token

This group is then used to control access to resources

It is possible to add different groups based on the type of certificate used to log on

Access to resources can consequently be based on the certificate type
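How the administrator designates that group, as an added example (not from the slides): the link lives on the issuance policy OID object in the Configuration NC. Assumptions: the issuance policy OID object for smart-card logon already exists (created when the policy was defined for the certificate template) with display name SmartCardAssurance, the group is EXAMPLE\SmartCard-Users, and msDS-OIDToGroupLink / msDS-OIDToGroupLinkBl are the link and back-link attributes used here.

```powershell
# Added example: link an issuance policy to the group that AMA injects into the token.
# Assumptions: policy display name 'SmartCardAssurance', group 'SmartCard-Users'.
Import-Module ActiveDirectory

$groupName  = 'SmartCard-Users'
$policyName = 'SmartCardAssurance'

# The group should be a universal security group with no directly assigned members:
# membership is meant to come only from how the user authenticated.
$group = Get-ADGroup -Identity $groupName -Properties member
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a universal security group"
}
if (@($group.member).Count -gt 0) {
    throw "$groupName must not have directly assigned members"
}

# Issuance policy OIDs are msPKI-Enterprise-Oid objects under CN=OID in the Configuration NC.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$policy = Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$policyName))" `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
if (-not $policy) { throw "issuance policy '$policyName' not found under $oidContainer" }

# The link is the whole configuration: a certificate logon whose certificate carries this
# issuance policy OID now adds the group to the user's Kerberos token.
Set-ADObject -Identity $policy -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify the forward link on the OID object and the back-link on the group.
$policy = Get-ADObject -Identity $policy.DistinguishedName `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
$group  = Get-ADGroup -Identity $groupName -Properties 'msDS-OIDToGroupLinkBl'
"{0} ({1}) -> {2}" -f $policy.displayName, $policy.'msPKI-Cert-Template-OID', $policy.'msDS-OIDToGroupLink'
"back-link on the group: {0}" -f (@($group.'msDS-OIDToGroupLinkBl') -join '; ')

# Resource side: grant the folder or share ACL to EXAMPLE\SmartCard-Users rather than to the
# user. A password logon by the same user yields a token without the group, so it is denied.
```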


Recycle Bin for AD

Requires 2008 R2 forest functionality

PowerShell driven:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'forest'

Once enabled, cannot be disabled

Get-ADObject -LDAPFilter {} -IncludeDeletedObjects
Restore-ADObject -Identity <id>

Parent object must be restored in advance of child object

Restores all attributes including linked attributes


No Recycle Bin

Re-animate API restores objects while online

Many attributes missing

Re-animation does not restore multi-valued linked attributes such as group membership

Diagram: live object → (delete) → tombstone object with the majority of attributes deleted → after the tombstone lifetime (180 days) garbage collection purges it from the directory. Full recovery otherwise needs an offline authoritative restore.


Recycle Bin Enabled

All attributes restored

Diagram: live object → (delete) → deleted object with all attributes retained, online undelete possible during the deleted object lifetime (180 days) → recycled object for the tombstone lifetime (180 days) → garbage collection purges it from the directory


Other Thoughts

Backups are valid for at most the smaller of the DOL (deleted object lifetime) and the TSL (tombstone lifetime)

Best practice recommendation: DOL = TSL

Anticipated database growth 5-10%

On deletion, regulatory compliance may not allow a full copy of the deleted object to be retained

Permanently delete with Get-ADObject -LDAPFilter {} -IncludeDeletedObjects | Remove-ADObject
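The Recycle Bin restore described earlier (parent before child) and the compliance purge from this slide, as one added example that is not from the slides. Assumptions: the Recycle Bin is already enabled, the deleted subtree was rooted at OU=Admins,OU=UK,DC=example,DC=com, and jbloggs is a constructed account name for the purge.

```powershell
# Added example: restore a deleted OU and its contents in the required order, then purge one
# deleted user. Assumptions: example.com, deleted OU=Admins under OU=UK, constructed user jbloggs.
Import-Module ActiveDirectory

# Fail early if the feature is off: without it only tombstone re-animation exists.
$rb = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if (-not $rb.EnabledScopes) { throw 'Recycle Bin is not enabled in this forest' }

# Restore one deleted object, then every restorable deleted object that last lived directly
# under it. Children are matched on lastKnownParent against both the deleted DN of the
# parent (...\0ADEL:<guid>,CN=Deleted Objects,...) and its restored DN, so the function
# works whichever of the two the directory reports. Recycled objects cannot be restored.
function Restore-DeletedSubtree {
    param([Parameter(Mandatory=$true)]$Deleted)
    $deletedDn = $Deleted.DistinguishedName
    $restored  = Restore-ADObject -Identity $Deleted.ObjectGUID -PassThru
    Write-Output "restored $($restored.DistinguishedName)"
    $parentDns = @($deletedDn, $restored.DistinguishedName)
    Get-ADObject -IncludeDeletedObjects -Filter 'isDeleted -eq $true' `
            -Properties lastKnownParent, isRecycled |
        Where-Object { $parentDns -contains $_.lastKnownParent -and -not $_.isRecycled } |
        ForEach-Object { Restore-DeletedSubtree -Deleted $_ }
}

# Find the deleted OU by its last RDN and last live parent; its current DN is mangled.
$root = Get-ADObject -IncludeDeletedObjects -Filter 'isDeleted -eq $true' `
            -Properties lastKnownParent, 'msDS-LastKnownRDN' |
        Where-Object { $_.'msDS-LastKnownRDN' -eq 'Admins' -and
                       $_.lastKnownParent -eq 'OU=UK,DC=example,DC=com' }
if (-not $root) { throw 'deleted OU=Admins not found in the Recycle Bin' }
Restore-DeletedSubtree -Deleted $root

# Compliance purge: turn one specific deleted user into a recycled object now instead of
# waiting out the deleted object lifetime. A recycled object keeps almost no attributes and
# cannot be restored, so the filter is scoped to a single object class and account name.
Get-ADObject -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=jbloggs))' |
    Remove-ADObject -Confirm:$false
```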


Want to Know More?

Come to my session SIA402: Online Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
Friday 13/11/2009, 13:00-14:15, Budapest - Hall 7-2b


The Path to Windows Server 2008 R2

Prep forest and domain for Windows 2008 R2

Windows 7 clients can be provisioned with offline domain joins against an existing 2003/2008 infrastructure

Install the Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers

Use AD PowerShell and ADAC running on Windows 7

Upgraded servers can use Managed Service Accounts


Functional Levels

Switches to R2 domain and forest functionality are reversible

Use PowerShell to reverse

Cannot be reversed once the Recycle Bin is enabled

2008 R2 domain functionality is required for:
Authentication Mechanism Assurance
SPN management for Managed Service Accounts

2008 R2 forest functionality allows the Recycle Bin to be enabled


What’s your Favourite?

AD module for Windows PowerShell
AD Administrative Center
AD Best Practice Analyser
Managed Service Accounts
Offline domain join
Authentication mechanism assurance
AD Recycle Bin


Resources

www.microsoft.com/teched - Sessions On-Demand & Community
http://microsoft.com/technet - Resources for IT Professionals
http://microsoft.com/msdn - Resources for Developers
www.microsoft.com/learning - Microsoft Certification & Training Resources


Related Content

Breakout Sessions:
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell V2

Interactive Theater Sessions:
SIA02-IS Active Directory: What's New in R2

Hands-on Labs:
WSV03-HOL Advanced Windows PowerShell Scripting
WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory


My Sessions at TechEd

Breakout Sessions:
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together

Interactive Theater Sessions:
SVR08-IS End-to-End Remote Connectivity with DirectAccess


Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.