Posted: 17-May-2015
Agenda

Introducing Windows Server 2008R2 into Active Directory
Windows Server 2008R2 Setup Requirements
Windows Server 2008R2 Upgrade Scenarios
Preparing Active Directory
DC Promo
Implementing Windows Server 2008R2

New AD Features in Windows Server 2008R2
Server Versions
System Requirements
Full versus Core Installation
Upgrade Scenarios
Time Configuration Registry Changes
Well-Known TCP / UDP Dynamic Port Changes
Kerberos Improvements
New AD Features in Windows Server 2008R2

The Active Directory Domain Services role in Windows Server 2008/2008R2 includes many new features that are not available in previous versions of Windows Server Active Directory:
Auditing Enhancements
Fine-Grained Password Policies
Read-Only Domain Controllers (RODC)
Restartable Active Directory Domain Services
Database Mounting Tool
DFSR Replication for SYSVOL
AES (Advanced Encryption Standard) Support for Kerberos
User Interface Improvements
Preventing Accidental Deletion
Group Policy Changes (central store, ADMX, preferences)
AD LDS (Active Directory Lightweight Directory Services)
Server Versions (only x64 available!)

Windows Server 2008R2 Foundation
Available through OEMs only, on selected single-processor servers, limited to 15 user accounts
Windows Server 2008R2 Standard
Provides most server roles / features and supports Server Core installation
Windows Server 2008R2 Enterprise
Provides Failover Clustering and Active Directory Federation Services
Windows Server 2008R2 Datacenter
Additional memory and processors, and unlimited virtual image use rights
Windows Server 2008R2 Web Server
Provides Web / Application / DNS server functionality. Other server roles are not available.
Minimum Storage Requirements for DCs

500 MB for the Active Directory transaction logs
500 MB for the drive containing the SYSVOL share
1.5 GB to 2 GB for the Windows Server 2008R2 operating system files
0.4 GB for every 1,000 users in the directory on the NTDS.dit drive
+ 50% of the recommended disk space for each additional domain
Additional storage for each application partition
Consider the pagefile and dump files as well

Recommended reading:
Step D1: Determine Domain Controller Configuration
http://technet.microsoft.com/en-us/library/cc268214.aspx
Performance Tuning Guidelines for Windows Server 2008 R2
http://www.microsoft.com/whdc/system/sysperf/Perf_tun_srv-R2.mspx
Assess hardware requirements
http://technet.microsoft.com/en-us/library/cc753439(WS.10).aspx
How to reclaim space after applying Windows 7/2008 R2 Service Pack 1
http://blogs.technet.com/b/joscon/archive/2011/02/15/how-to-reclaim-space-after-applying-service-pack-1.aspx
Full versus Core Installation

A Windows Server Core installation provides an environment for running one or more of the following server roles:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Certificate Services (AD CS)
BranchCache Hosted Cache
Dynamic Host Configuration Protocol (DHCP) Server
Domain Name System (DNS) Server
Hyper-V
File Services
Print Services
Windows Media Services
Web Services (IIS)
Upgrade Scenarios

Cross-platform upgrades (32-bit to 64-bit) are not supported
In-place upgrade from Windows 2000 is not supported
Upgrading an existing OS to Server Core is not supported
Application compatibility issues:
Exchange Server Supportability Matrix (Supported AD environments)
http://technet.microsoft.com/en-us/library/ee338574.aspx
Supported Active Directory Environments by Office Communications Server Version
http://technet.microsoft.com/en-us/library/ee692314(office.13).aspx
Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 Application Compatibility Update through Dynamic Update: June 2010
http://support.microsoft.com/kb/982520/en-us
Application Considerations When Upgrading to Windows Server 2008
http://technet.microsoft.com/en-us/library/cc771576.aspx
Known Issues When Upgrading to Windows Server 2008
http://technet.microsoft.com/en-us/library/cc731003.aspx
Time Configuration Registry Changes

MaxPosPhaseCorrection (DWORD), HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
The new default value for domain members and domain controllers is 172,800 seconds (48 hours)
MaxNegPhaseCorrection (DWORD), HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
The new default value for domain members and domain controllers is 172,800 seconds (48 hours)
This applies to clean installs and in-place upgrades alike.
These two values cap how far W32Time is allowed to move the local clock in one correction. A value of 0xFFFFFFFF removes the cap, so a wrong or hostile time source can push the clock far enough to break Kerberos (whose default tolerance is 5 minutes) on every machine that syncs from it.
Be aware of:
The Windows Time Group Policy has incorrect defaults after you enable the Windows Time Service Group Policy in Windows Server 2008 or Windows Vista Service Pack 1 (KB 961027)
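The check below is an added example and not part of the original deck. It reads the two W32Time limits the slide names from the registry path it quotes, decodes the DWORD (0xFFFFFFFF means "no limit"), compares each with the 172,800-second default of Windows Server 2008 R2, and provides a Set- function that writes the default back and makes the service reload. It assumes PowerShell 3.0 or later and an elevated prompt on the machine being checked.

```powershell
# Added example: audit and reset the W32Time phase-correction limits quoted on the slide.
$W32TimeConfig    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$R2DefaultSeconds = 172800   # 48 hours, the Windows Server 2008 R2 default

function Get-W32TimePhaseLimit {
    param([string]$Path = $W32TimeConfig)
    $config = Get-ItemProperty -Path $Path
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        $raw = $config.$name
        if ($null -eq $raw) {
            [pscustomobject]@{ Name = $name; Seconds = $null; Status = 'not set: built-in default applies' }
            continue
        }
        # REG_DWORD arrives as a signed Int32, so 0xFFFFFFFF shows up as -1; reinterpret the bits.
        $seconds = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$raw), 0)
        $status = if ($seconds -eq [uint32]::MaxValue) { 'UNLIMITED (0xFFFFFFFF): any offset from the time source is accepted' }
                  elseif ($seconds -eq $R2DefaultSeconds) { 'matches the Windows Server 2008 R2 default (48 h)' }
                  else { 'custom: {0:N1} h' -f ($seconds / 3600) }
        [pscustomobject]@{ Name = $name; Seconds = $seconds; Status = $status }
    }
}

function Set-W32TimePhaseLimit {
    # Writes both limits (default: the 2008 R2 value) and tells W32Time to re-read its configuration.
    param([uint32]$Seconds = $R2DefaultSeconds, [string]$Path = $W32TimeConfig)
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        Set-ItemProperty -Path $Path -Name $name -Value $Seconds -Type DWord
    }
    & w32tm.exe /config /update | Out-Null
}

Get-W32TimePhaseLimit | Format-Table -AutoSize
# To fix: Set-W32TimePhaseLimit ; then "w32tm /query /configuration" shows the new values.
```

Run it on the PDC emulator first, since every other clock in the forest follows it, then on the remaining DCs.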
TCP / UDP Port Considerations

Windows Server 2008+ aligns the dynamic port range with the IANA standard
The default dynamic port range for TCP/IP has changed in Vista and 2008
http://support.microsoft.com/kb/929851
The default dynamic port ranges are now:
Windows Server 2008+/Vista+: 49152 through 65535
Windows Server 2003: 1025 through 5000
Firewalls between sites, or between clients and DCs, that only open the old 1025-5000 RPC range will block the new range; update the rules or adjust the range before the first 2008R2 DC goes in.
To adjust dynamic ports:
netsh int <ipv4|ipv6> set dynamicportrange <tcp|udp> start=number num=range
Root domain connectivity needed:
Logoff takes several minutes if there is no LDAP connectivity to the forest root domain
http://support.microsoft.com/default.aspx?scid=kb;EN-US;971198
Cannot install AD if the DNS and LDAP traffic to the forest root domain is blocked
http://support.microsoft.com/kb/975142/en-us
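The following is an added example, not code from the original deck. It reads the dynamic port range netsh reports for each address family and protocol, labels it as the Windows Server 2003 range or the IANA range from the slide, and wraps the slide's set command with a bounds check. It assumes an English netsh (the "Start Port" and "Number of Ports" labels are parsed) and an elevated prompt for the Set- function.

```powershell
# Added example: inventory and adjust the dynamic port range discussed on the slide.
function Get-DynamicPortRange {
    param([ValidateSet('ipv4', 'ipv6')][string]$Family = 'ipv4',
          [ValidateSet('tcp', 'udp')]  [string]$Protocol = 'tcp')
    $out   = & netsh.exe int $Family show dynamicportrange $Protocol
    # netsh prints "Start Port      : 49152" and "Number of Ports : 16384"
    $start = ($out | Select-String 'Start Port'      | Select-Object -First 1).Line -split ':' | Select-Object -Last 1
    $count = ($out | Select-String 'Number of Ports' | Select-Object -First 1).Line -split ':' | Select-Object -Last 1
    if (-not $start -or -not $count) { throw "could not parse netsh output: $($out -join ' | ')" }
    $start = [int]$start.Trim(); $count = [int]$count.Trim()
    $label = switch ($start) {
        1025    { 'Windows Server 2003 style (1025-5000)' }
        49152   { 'IANA range, Vista/2008 default (49152-65535)' }
        default { 'custom range' }
    }
    [pscustomobject]@{ Family = $Family; Protocol = $Protocol; Start = $start
                       End = $start + $count - 1; Count = $count; Label = $label }
}

function Set-DynamicPortRange {
    # Same knob as the slide: netsh int <ipv4|ipv6> set dynamicportrange <tcp|udp> start=N num=M
    param([ValidateSet('ipv4', 'ipv6')][string]$Family, [ValidateSet('tcp', 'udp')][string]$Protocol,
          [int]$Start, [int]$Count)
    if ($Start -lt 1025 -or ($Start + $Count - 1) -gt 65535) { throw 'range must lie within 1025-65535' }
    & netsh.exe int $Family set dynamicportrange $Protocol start=$Start num=$Count
}

# Each family/protocol pair has its own range; list all four before touching firewall rules.
$(foreach ($f in 'ipv4', 'ipv6') { foreach ($p in 'tcp', 'udp') { Get-DynamicPortRange -Family $f -Protocol $p } }) |
    Format-Table -AutoSize
```

Compare the End column with what the firewall between sites actually permits; RPC-based replication and the MAPI/RPC traffic the upgrade guides mention pick their listener from exactly this range.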
Kerberos changes (AES)

Windows Vista and Windows 7 clients use AES for Kerberos pre-authentication by default. Windows Server 2003 DCs do not support AES, so the first request fails and the client falls back to an encryption type the DC supports; on the 2003 DCs this shows up as security audit events 675 and 680.
The client default can be moved back to RC4 by setting the DefaultEncryptionType value (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, DWORD) to 0x17 (23 decimal, RC4-HMAC). AES256 is 0x12 (18 decimal), the Vista/Windows 7 default. Treat the RC4 setting as a temporary workaround: it forces RC4 for the client's pre-authentication, and the audit noise disappears anyway once the 2003 DCs are upgraded.
Changes in default encryption type for Kerberos pre-authentication on Vista and Windows 7 clients cause security audit events 675 and 680 on Windows Server 2003 DCs:
http://blogs.technet.com/instan/archive/2009/10/12/changes-in-default-encryption-type-for-kerberos-pre-authentication-on-vista-and-windows-7-clients-cause-security-audit-events-675-and-680-on-windows-server-2003-dc-s.aspx
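The script below is an added example, not code from the original deck. It names the Kerberos encryption type numbers the slide refers to, reports whether this machine has been pinned to RC4 or DES through DefaultEncryptionType, and lists the domain accounts flagged "Use DES encryption types", which are the principals the DES row of the known-issues table below is about. It assumes PowerShell 3.0 or later and, for the domain query, the ActiveDirectory module (RSAT on Windows 7 / Windows Server 2008 R2).

```powershell
# Added example: audit Kerberos encryption types on the client and in the directory.
$EtypeNames = @{   # Kerberos etype numbers (decimal), RFC 3961 / RFC 4757
    1 = 'des-cbc-crc'; 3 = 'des-cbc-md5'
    17 = 'aes128-cts-hmac-sha1-96'; 18 = 'aes256-cts-hmac-sha1-96'
    23 = 'rc4-hmac'; 24 = 'rc4-hmac-exp'
}
$WeakEtypes = 1, 3, 23, 24

function Get-ClientDefaultEtype {
    # The slide's registry value. Absent means the OS default: AES256 (18 = 0x12) on Vista/7/2008 R2.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $val = (Get-ItemProperty -Path $key -Name DefaultEncryptionType -ErrorAction SilentlyContinue).DefaultEncryptionType
    if ($null -eq $val) { return 'DefaultEncryptionType not set: OS default (AES256, 0x12)' }
    $v    = [int]$val
    $name = if ($EtypeNames.ContainsKey($v)) { $EtypeNames[$v] } else { 'unknown etype' }
    $note = if ($WeakEtypes -contains $v) { ' <- downgraded; remove once the 2003 DCs are gone' } else { '' }
    'DefaultEncryptionType = 0x{0:X} ({1} decimal) {2}{3}' -f $v, $v, $name, $note
}

function ConvertFrom-SupportedEtypes {
    # msDS-SupportedEncryptionTypes bitmask; 0 or absent means the DC falls back to RC4 (and DES where still enabled).
    param([int]$Mask)
    $bits = [ordered]@{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }
    $set  = foreach ($b in $bits.Keys) { if ($Mask -band $b) { $bits[$b] } }
    if ($set) { $set -join ', ' } else { 'RC4-HMAC (implied, attribute 0/absent)' }
}

function Find-DesOnlyAccount {
    # userAccountControl bit 0x200000 (USE_DES_KEY_ONLY) via the LDAP bitwise-AND matching rule;
    # objectClass=user also matches computer accounts.
    Import-Module ActiveDirectory
    $filter = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2097152))'
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, servicePrincipalName, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.sAMAccountName
                Class   = $_.ObjectClass
                HasSPN  = [bool]$_.servicePrincipalName
                Etypes  = ConvertFrom-SupportedEtypes -Mask ([int]$_.'msDS-SupportedEncryptionTypes')
            }
        }
}

Get-ClientDefaultEtype
Find-DesOnlyAccount | Format-Table -AutoSize
```

Accounts that come back with an SPN are the ones whose service will stop authenticating when a Windows 7 or 2008 R2 machine refuses DES; clear the flag (or re-enable DES by policy on the affected hosts only) before the DCs are upgraded.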
Other Known Issues

Each topic lists the Windows Server 2003 default, the Windows Server 2008 R2 default, and what breaks.

AllowNT4Crypto (2003: N/A; 2008R2: Disabled)
  Third-party Server Message Block (SMB) clients may be incompatible with the secure default settings on Windows Server 2008 and Windows Server 2008 R2 domain controllers. Article 942564

DES (2003: Enabled; 2008R2: Disabled)
  The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2. Article 977321, Article 978055

CBT / Extended Protection for Integrated Authentication (2003: N/A; 2008R2: Enabled)
  See Microsoft Security Advisory (937811) and article 976918.
  Control Extended Protection for Authentication using Security Policy:
  http://blogs.technet.com/b/askds/archive/2009/12/10/control-extended-protection-for-authentication-using-security-policy.aspx

LMv2 (2003: Enabled; 2008R2: Disabled)
  Computers that are running Windows 7 and Windows Server 2008 R2 may fail to be authenticated by non-Windows NTLM or Kerberos-based servers. Article 976918
  You may experience one or more of the following symptoms:
  1. Windows clients that support channel binding fail to be authenticated by a non-Windows Kerberos server.
  2. NTLM authentication failures from proxy servers.
  3. NTLM authentication failures from non-Windows NTLM servers.
  4. NTLM authentication failures when there is a time difference between the client and the DC or workgroup server.

LMhash (2003: Enabled; 2008R2: Disabled)
  If you add Windows Server 2008 as a domain controller to an existing domain by using the default domain policy, the NoLMHash policy of the existing domain controllers is disabled, while the NoLMHash policy in Windows Server 2008 is enabled. Article 946405

Signing required (2003: No; 2008R2: Yes)
  Domain controllers that run Windows Server 2008 and Windows Server 2008 R2 require (by default) that all client computers attempting to authenticate to them perform Server Message Block (SMB) packet signing and secure channel signing.
  http://technet.microsoft.com/en-us/library/cc731654(WS.10).aspx

EDNS (2003: N/A; 2008R2: N/A)
  Some DNS name queries are unsuccessful after you deploy a 2003 or 2008 R2-based DNS server.
  http://support.microsoft.com/kb/832223

PDC lockouts, lmcompat (2003: ?; 2008R2: 3)
  When you see massive account lockouts from transitive NTLM authentication, there is likely a mismatch of the LAN Manager authentication level between the clients and the DCs in the path.
  http://blogs.technet.com/b/askds/archive/2011/02/22/i-moved-my-pdce-role-and-accounts-started-locking-out.aspx

Hotfix List (2003: N/A; 2008R2: N/A)
  For a sample list of recommended hotfixes, see the askds blog, or evaluate SP1 (recommended).
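This is an added example, not code from the original deck. It reads the registry values behind the NTLM/SMB rows of the table above (AllowNT4Crypto, NoLMHash, LmCompatibilityLevel, SMB and secure channel signing, Extended Protection) on the local machine and marks which ones differ from the 2008 R2 default the table gives. Run it on each 2003 DC before the upgrade and on each 2008 R2 DC after it. An absent value means the operating system's built-in default applies, and that default differs between 2003 and 2008 R2, so it is reported rather than judged. The registry paths are the standard LSA, Netlogon and LanmanServer locations; PowerShell 3.0 or later is assumed.

```powershell
# Added example: compare the local authentication settings with the 2008 R2 defaults from the table.
function Test-AuthBaseline {
    $checks = @(
        @{ Topic = 'AllowNT4Crypto (KB 942564)';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';     Name = 'AllowNT4Crypto';             Expected = 0 }
        @{ Topic = 'LMhash (NoLMHash, KB 946405)';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'NoLMHash';                   Expected = 1 }
        @{ Topic = 'lmcompat (LmCompatibilityLevel)';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'LmCompatibilityLevel';       Expected = 3 }
        @{ Topic = 'SMB signing required (server)';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Name = 'RequireSecuritySignature';   Expected = 1 }
        @{ Topic = 'Secure channel signing/sealing';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';     Name = 'RequireSignOrSeal';          Expected = 1 }
        @{ Topic = 'Extended Protection (KB 976918)';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'SuppressExtendedProtection'; Expected = 0 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Topic    = $c.Topic
            Value    = $c.Name
            Actual   = if ($null -eq $actual) { 'absent' } else { $actual }
            Expected = $c.Expected
            Status   = if ($null -eq $actual) { 'absent: OS default applies' }
                       elseif ([int]$actual -eq $c.Expected) { 'OK (2008 R2 default)' }
                       else { 'DIFFERS from 2008 R2 default' }
        }
    }
}

# For the "PDC lockouts, lmcompat" row: a DC or client below level 3 in the NTLM path is the usual
# cause of lockouts from transitive authentication, so compare this output across the whole path.
Test-AuthBaseline | Format-Table -AutoSize
```

Where a value is set by Group Policy (the Default Domain Controllers Policy on 2008 R2 sets most of these), the registry reflects the policy result, so the output shows what is actually enforced rather than what a template says.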
Preparing AD Environment for Windows Server 2008R2

Create a lab first!
Trigger garbage collection on all DCs
Locate the Schema Master and disable outbound replication on it
Forestprep: prepare an existing forest for a Windows Server 2008R2 DC
Domainprep: prepare an existing domain for a Windows Server 2008R2 DC
Rodcprep: prepare an existing forest for Windows Server 2008R2 RODCs
Verify the adprep logs
Enable outbound replication again

Note:
Use adprep32 on 32-bit systems instead
The location of the ADPREP debug logs has moved from %systemroot%\system32\debug to %systemroot%\debug\adprep
ADPREP error lists can be found at:
http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx#BKMK_AdprepErrors
http://blogs.technet.com/askds/archive/2008R2/12/15/troubleshooting-adprep-errors.aspx
Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains
http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(WS.10).aspx
For creating a lab see: Testing for Active Directory Schema Extension Conflicts
http://technet.microsoft.com/en-us/library/testing-for-active-directory-schema-extension-conflicts(WS.10).aspx
SP1 and Directory Services (added on 14-Jan 2011):
http://blogs.technet.com/b/askds/archive/2011/01/14/sp1-and-directory-services-what-s-new.aspx
RODC Considerations with ADPREP

For the deployment of RODCs the forest functional level (FFL) must be Windows Server 2003 or higher, so that linked-value replication is available
If the RODC will be a global catalog server, you must also run adprep /domainprep in all domains in the forest
The first Windows Server 2008R2 domain controller in an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain cannot be created as an RODC
Be aware of KB 949257 (invalid fSMORoleOwner)
Identify Schema Version

Determine the current version of the Active Directory schema by checking the objectVersion attribute of the schema partition head, CN=Schema,CN=Configuration,DC=<root_domain>.
Example:
dsquery * cn=schema,cn=configuration,dc=<root_domain> -scope base -attr objectVersion
Applications track their own schema extensions in different objects, so each product needs its own query.
For example Exchange:
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=<root_domain> -scope base -attr rangeUpper
Schema Versions

objectVersion of CN=Schema,CN=Configuration,DC=<root_domain> by operating system:

Operating System          Schema Version
Windows 2000 Server       13
Windows Server 2003       30
Windows Server 2003 R2    31
Windows Server 2008       44
Windows Server 2008R2     47
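The script below is an added example and not part of the original deck. It carries out the adprep sequence from the "Preparing AD Environment" slide and uses the schema objectVersion check from the two "Identify Schema Version" slides as the before/after verification, so a failed forestprep is caught while outbound replication from the schema master is still off. Assumptions: the Windows Server 2008 R2 media is mounted at D: (adprep.exe is in \support\adprep on the DVD), the script runs in an elevated prompt on the schema master itself as a member of Schema Admins, Enterprise Admins and Domain Admins of the forest root domain, and only ADSI and repadmin are available (no ActiveDirectory module, which does not exist before the first 2008 R2 DC).

```powershell
# Added example: adprep with garbage collection, replication isolation and schema-version verification.
$AdprepPath     = 'D:\support\adprep\adprep.exe'   # adprep32.exe on a 32-bit DC
$SchemaVersions = @{ 13 = 'Windows 2000 Server'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                     44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
$TargetVersion  = 47

function Get-SchemaVersion {
    # Same query as "dsquery * cn=schema,cn=configuration,... -scope base -attr objectVersion"
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]('LDAP://' + $rootDse.schemaNamingContext)
    [int]$schema.objectVersion.Value
}

function Get-SchemaMaster {
    # fSMORoleOwner on the schema head is the NTDS Settings DN of the schema master;
    # strip that RDN to reach the server object and read its dNSHostName.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schema   = [ADSI]('LDAP://' + $rootDse.schemaNamingContext)
    $serverDn = ([string]$schema.fSMORoleOwner.Value) -replace '^CN=NTDS Settings,', ''
    [string]([ADSI]('LDAP://' + $serverDn)).dNSHostName.Value
}

function Invoke-AdprepPhase {
    # forestprep must run on the schema master; domainprep on the infrastructure master of EACH domain
    # (this script covers only the domain it runs in); rodcprep can run anywhere in the forest.
    param([ValidateSet('forestprep', 'domainprep', 'rodcprep')][string]$Phase)
    $switches = @("/$Phase")
    if ($Phase -eq 'domainprep') { $switches += '/gpprep' }
    & $AdprepPath @switches
    if ($LASTEXITCODE -ne 0) {
        throw "adprep /$Phase returned $LASTEXITCODE; check $env:SystemRoot\debug\adprep\logs"
    }
}

$before = Get-SchemaVersion
"Schema version before: $before ($($SchemaVersions[$before]))"
if ($before -ge $TargetVersion) { 'Forest schema is already at the 2008 R2 level.'; return }

$schemaMaster = Get-SchemaMaster
if ($schemaMaster -notlike "$env:COMPUTERNAME.*") { throw "Run this on the schema master: $schemaMaster" }

# 1. Ask every DC in the forest to run garbage collection (rootDSE operational attribute doGarbageCollection).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($dc in ($forest.Domains | ForEach-Object { $_.DomainControllers })) {
    $dse = [ADSI]"LDAP://$($dc.Name)/RootDSE"
    $dse.Put('doGarbageCollection', 1)
    $dse.SetInfo()
}

# 2. Keep the schema change local until it has been verified.
& repadmin.exe /options $schemaMaster +DISABLE_OUTBOUND_REPL

# 3. forestprep, then verify against the version table before anything replicates.
Invoke-AdprepPhase -Phase forestprep
$after = Get-SchemaVersion
if ($after -ne $TargetVersion) {
    throw "Schema is $after, expected $TargetVersion. Outbound replication on $schemaMaster is still disabled; review the logs before re-enabling it."
}
"Schema version after: $after ($($SchemaVersions[$after]))"
Get-ChildItem "$env:SystemRoot\debug\adprep\logs" | Sort-Object LastWriteTime | Select-Object -Last 1 |
    ForEach-Object { "Log folder to review: $($_.FullName)" }

# 4. Let the schema replicate, then prepare the domain and the forest for RODCs.
& repadmin.exe /options $schemaMaster -DISABLE_OUTBOUND_REPL
Invoke-AdprepPhase -Phase domainprep
Invoke-AdprepPhase -Phase rodcprep
```

If the version check fails, the throw leaves outbound replication disabled on purpose: a half-applied schema that has not replicated can still be rolled back by restoring the schema master, one that has replicated cannot.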
Active Directory Installation

New Installation Options
DCPROMO Enhancements
Adding the DC Role using Server Manager
Unattended Installation Options
Global Catalog Options
DNS Options
New DCPROMO Installation Options

Pick Source Domain Controller
Pick Destination Site
DNS installed automatically (covered later in this module and in detail in the DNS module)
Optional Global Catalog install
Automatic reboot on completion
Installs GPMC by default
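As an added example (not code from the original deck), the script below drives the options listed on the slide (source DC, destination site, DNS, global catalog, reboot) through a dcpromo unattend file, which is the "Unattended Installation Options" path. The domain, source DC and site names are placeholders to replace. The [DCINSTALL] keys are dcpromo's documented unattend parameters. Password=* makes dcpromo prompt for the domain credential instead of storing it; the DSRM password has to be in the file, so the file is created with an ACL restricted to the current user and deleted as soon as dcpromo returns, and the reboot is issued by the script rather than by dcpromo so that the cleanup always runs first.

```powershell
# Added example: promote a replica DC with the slide's DCPROMO options from an unattend file.
$DomainName = 'corp.example.com'        # placeholder
$SourceDc   = 'dc01.corp.example.com'   # placeholder: "Pick Source Domain Controller"
$SiteName   = 'Branch-Site'             # placeholder: "Pick Destination Site"

function New-DcpromoAnswerFile {
    param([string]$Path, [string]$Domain, [string]$Source, [string]$Site,
          [securestring]$DsrmPassword, [bool]$GlobalCatalog = $true)
    # Recover the plain-text DSRM password only at the moment it is written.
    $dsrm = (New-Object System.Management.Automation.PSCredential('dsrm', $DsrmPassword)).GetNetworkCredential().Password
    $gc   = if ($GlobalCatalog) { 'Yes' } else { 'No' }
    $content = @"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$Domain
ReplicationSourceDC=$Source
SiteName=$Site
InstallDNS=Yes
CreateDNSDelegation=No
ConfirmGc=$gc
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
UserDomain=$Domain
UserName=Administrator
Password=*
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@
    # Create the file first, restrict the ACL to the current user, then write the content.
    New-Item -Path $Path -ItemType File -Force | Out-Null
    & icacls.exe $Path /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:F" | Out-Null
    Set-Content -Path $Path -Value $content -Encoding ASCII
    $Path
}

function Install-ReplicaDc {
    param([string]$AnswerFile)
    try {
        # dcpromo.exe is a GUI-subsystem binary, so wait for it explicitly to get the exit code.
        $proc = Start-Process -FilePath "$env:SystemRoot\system32\dcpromo.exe" `
                              -ArgumentList "/unattend:$AnswerFile" -Wait -PassThru
        "dcpromo exit code $($proc.ExitCode); details in $env:SystemRoot\debug\dcpromo.log and dcpromoui.log"
    } finally {
        # RebootOnCompletion=No above guarantees this runs before the machine restarts.
        if (Test-Path $AnswerFile) { Remove-Item $AnswerFile -Force }
    }
}

$dsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode administrator) password' -AsSecureString
$file = New-DcpromoAnswerFile -Path "$env:TEMP\dcpromo-unattend.txt" -Domain $DomainName `
            -Source $SourceDc -Site $SiteName -DsrmPassword $dsrmPassword
Install-ReplicaDc -AnswerFile $file
Restart-Computer -Confirm
```

Keep the DSRM password out of any script repository or job log: it is the one credential that still works against the DC's local database when the directory is offline.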