Active Directory Windows Server 2008 R2 Updates

Date post: 10-Apr-2018
Upload: sriravi38277
8/8/2019 Active Directory Windows Server 2008 R2 Updates http://slidepdf.com/reader/full/active-directory-windows-server-2008-r2-updates 1/23 1 Active Directory Windows Server 2008 R2 Updates

Session Objectives And Takeaways

Describe Active Directory features in Windows Server 2008 R2

Discuss the importance of these features to our customers

Demonstrate how some of these features will benefit our customers

Agenda

What's new in Active Directory for Windows Server 2008 R2?

PowerShell Cmdlets

Active Directory Administrative center

Best Practice Analyzer

Recycle Bin for AD

Managed Service accounts

Offline Domain Join

Authentication Assurance

Health Model and Management Packs

Active Directory Tour demonstration

Conclusion

PowerShell for AD

Command line scripting for administrative, configuration and diagnostic tasks

Past limitations

30+ command line tools for administering AD are not consistent in their usage

Difficult to compose these tools to achieve complex tasks

Feature takeaway

85+ AD cmdlets for comprehensive AD DS and AD LDS administration and configuration

Communicates using Web Service protocols

Can be used to manage Windows Server 2008 and 2003 domain controllers, using future AD Web Service download

PowerShell Advantages

Consistent vocabulary and syntax

Predictable discovery

Flexible output formatting

Cmdlets can be easily composed (pipe) to build complex operations

End-to-End manageability with Exchange, Group Policy, etc.

PowerShell Provider Model

Provides sessions, server context, security context and path context

Enables best practices sharing across connections

Combination of cmdlets & provider means familiar model for users

Perform operations in AD that are similar to the file system or registry, such as rename, move, etc.

Get-Command -CommandType Cmdlet *-AD*

Add-ADComputerServiceAccount

Add-ADDomainControllerPasswordReplicationPolicy

Add-ADFineGrainedPasswordPolicySubject

Add-ADGroupMember

Add-ADPrincipalGroupMembership

Clear-ADAccountExpiration

Disable-ADAccount

Disable-ADOptionalFeature

Enable-ADAccount

Enable-ADOptionalFeature

Get-ADAccountAuthorizationGroup

Get-ADAccountResultantPasswordReplicationPolicy

Get-ADComputer

Get-ADComputerServiceAccount

Get-ADDefaultDomainPasswordPolicy

Get-ADDomain

Get-ADDomainController

Get-ADDomainControllerPasswordReplicationPolicy

Get-ADDomainControllerPasswordReplicationPolicyUsage

Get-ADFineGrainedPasswordPolicy

Get-ADFineGrainedPasswordPolicySubject

Get-ADForest

Get-ADGroup

Get-ADGroupMember

Get-ADObject

Get-ADOptionalFeature

Get-ADOrganizationalUnit

Get-ADPrincipalGroupMembership

Get-ADRootDSE

Get-ADServiceAccount

Get-ADUser

Get-ADUserResultantPasswordPolicy

Install-ADServiceAccount

Move-ADDirectoryServer

Move-ADDirectoryServerOperationMasterRole

Move-ADObject

New-ADComputer

New-ADFineGrainedPasswordPolicy

New-ADGroup

New-ADObject

New-ADOrganizationalUnit

New-ADServiceAccount

New-ADUser

Remove-ADComputer

Remove-ADComputerServiceAccount

Remove-ADDomainControllerPasswordReplicationPolicy

Remove-ADFineGrainedPasswordPolicy

Remove-ADFineGrainedPasswordPolicySubject

Remove-ADGroup

Remove-ADGroupMember

Remove-ADObject

Remove-ADOrganizationalUnit

Remove-ADPrincipalGroupMembership

Remove-ADServiceAccount

Remove-ADUser

Rename-ADObject

Reset-ADServiceAccountPassword

Restore-ADObject

Search-ADAccount

Set-ADAccountControl

Set-ADAccountExpiration

Set-ADAccountPassword

Set-ADComputer

Set-ADDefaultDomainPasswordPolicy

Set-ADDomain

Set-ADDomainMode

Set-ADFineGrainedPasswordPolicy

Set-ADForest

Set-ADForestMode

Set-ADGroup

Set-ADObject

Set-ADOrganizationalUnit

Set-ADServiceAccount

Set-ADUser

Uninstall-ADServiceAccount

Unlock-ADAccount

Administrative Center for AD

Increase the productivity of IT Pros by providing a scalable, task-oriented UX for managing Active Directory

Past limitations

Non task-oriented UI causes customer pain

Example: resetting user passwords

Representation in MMC not scalable for large datasets

Feature takeaway

Tasks executed through PowerShell Cmdlets

Task oriented administration model, with support for larger datasets

Consistency between CLI and UI management capabilities

Navigation experience designed to support multi-domain, multi-forest environments

Progressive disclosure

Task oriented

PowerShell based instrumentation

Multi-Domains/Multi-Forests

Best Practice Analyzer

Identify deviations from best practices to help our customers better manage their Active Directory deployments

Past limitations

No easy and automated validation of AD configuration against best practices

Feature takeaway

Analyzes AD settings that cause most unexpected behavior in customer environments

Leverages PowerShell cmdlets to gather run-time data

Makes recommendations in the context of the deployment

Available through Server Manager BPA runtime tool

Best Practice Analyzer first set of scenarios

Version 1.0 of the BPA focuses mostly on common DNS issues

Checking SRV records for DC are registered with its DNS Server

A/AAAA records of a DC are registered with its DNS Server

DC has a valid host name

Schema Naming Master and Domain Naming Master FSMO are recommended to be on same machine

RID and PDC recommended to be on same machine

Each domain is recommended to have at least two DCs

[Architecture diagram: SERVER and CLIENT components. Labels: AD Core, DSRSAM, LDAP, DS RPC-Based Protocols, AD Web Service, WCF .NET, S.DS.P/S.DS.AM/S.DS.AD, ADSI, WSH, MMC, ADUC/ADSS/ADDT, AD PS, CLI, AD MUX, WPF .NET, GUI, BPA]

Recycle Bin for AD

Customer can undo an accidental deletion in Active Directory

Past limitations

Accidental object deletion causes business downtime: deleted users cannot log on or access corporate resources

Accidental deletions are the #1 cause of AD Disaster Recovery scenarios

Feature takeaway

Recycle bin for AD DS and AD LDS objects

Feature enabled with a new forest functional level

Requires all DCs in the forest to be Windows Server 2008 R2 DCs

For AD LDS, all replicas must be running in a new application mode

Recycle Bin for AD Object Life-cycle

Windows Server 2008: Live Object -> Tombstone Object (180 Days) -> Garbage collection

Windows Server 2008 R2 with Recycle Bin enabled: Live Object -> Deleted Object (180 Days) -> Recycled Object (180 Days) -> Garbage collection

(If not enabled, behavior is similar to Windows Server 2008)

LDAP OID 1.2.840.113556.1.4.417: Returns Tombstones (Windows Server 2008); Returns Deleted (Recycle Bin enabled)

LDAP OID 1.2.840.113556.1.4.2064: Returns Deleted and Recycled
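
The recovery path that this life-cycle makes possible, as an added example that is not part of the original slides: it enables the Recycle Bin if it is not yet on, then finds and restores an object that is still in the Deleted Object state. The account name jdoe is a placeholder assumption; the cmdlets are from the Active Directory module listed earlier in the deck.

```powershell
# Added example, not from the original deck. 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# EnabledScopes stays empty until the feature is turned on for the forest.
if (-not $feature.EnabledScopes) {
    # Requires the Windows Server 2008 R2 forest functional level.
    # Enabling is one-way: the Recycle Bin cannot be switched off afterwards.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# -IncludeDeletedObjects adds the show-deleted control (OID 1.2.840.113556.1.4.417),
# so the search returns objects in the Deleted Object state. Recycled objects
# are not returned by this search and cannot be restored.
$candidates = @(Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -Properties lastKnownParent, whenChanged)

switch ($candidates.Count) {
    0 { Write-Warning 'No deleted object matches; it may already be recycled.' }
    1 {
        # Restores the object under lastKnownParent with its attributes preserved.
        $candidates[0] | Restore-ADObject -PassThru
    }
    default {
        # Several deleted objects share the name: review them before restoring one.
        $candidates | Sort-Object whenChanged -Descending |
            Format-Table Name, lastKnownParent, whenChanged, ObjectGUID
    }
}
```

Objects deleted before the feature was enabled are not recoverable this way, so the enable step belongs in the forest build, not in the incident.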

Managed Service Accounts

Simple management of service accounts

Past limitations

Management of individual accounts for services is cumbersome

Periodic maintenance often causes outages

Example: resetting service account password

Feature takeaway

A manageable solution that addresses isolation needs for services

Better SPN management in Win7 Domain Functional Mode

Lower TCO from reduced service outages (for manual password resets and related issues)

One Managed Service Account per Service per box

No human intervention for password management!

Offline Domain Join

Enable easier provisioning of machines in the data center

Past limitations

Reboot needed after domain join

Inability to prepare the machine to be domain joined while offline

Feature takeaway

Ability to pre-provision machine accounts in the domain to prepare OS images for mass deployment

Machines are domain joined on initial boot

Reduces steps and time needed to deploy in the data center

Authentication Assurance

Applications can control resource access based on authentication strength and method

Past limitations

Customers cannot use authentication type or authentication strength to protect corporate data

Example: control access to resources based on claims such as use of a smartcard for logon or a certificate that used 2048-bit encryption

Feature takeaway

Administrators can map various properties, including authentication type and authentication strength, to an identity

Based on information during authentication, these identities are added to Kerberos tickets for use by applications

Feature is enabled with a new domain functional level

All domain controllers in the domain need to be Windows Server 2008 R2 DCs

Health Model

Enable IT administrators to better diagnose and resolve Active Directory issues

Past limitations

Diagnostic information is incomplete and inconsistent

Feature takeaway

Continued investment towards completing the health model

A single authoritative source for information used in Management Packs, Best Practice Analyzer and online documentation

Management Pack

Provide proactive monitoring of availability and performance of Active Directory

Past limitations

Current management pack lacks support for Windows Server 2008 and MOM 2007

Feature takeaway

Support for Windows Server 2008 domain controllers

Multiple replication latency groups

Ability to monitor multiple forests from a single management group

Management pack for MOM 2007

The journey to Windows Server 2008 R2

Upgrading to Windows 7 client while keeping existing servers, you can use:

Off-line domain join

Once AD Web-service is available for existing servers, if you upgrade to Windows 7 client, you can use:

AD PowerShell and ADAC with all your servers

Upgrading to Windows 7 client while installing one or more Windows Server 2008 R2 (one per domain), you can use:

Managed service account

If you change the domain functional level to Windows Server 2008 R2, you can use:

Authentication Assurance

Managed service account with an enhanced SPN management experience

If you change the Forest functional level to Windows Server 2008 R2, you can use:

AD Recycle-bin

Related Content

Tuesday, November 4th

Identity Lifecycle Manager 2 (Part 1): Empowering users with self-service identity management solutions 10:45-12:00pm

Windows Server 2008 R2 Active Directory: What's Coming Up? 1:30-2:45pm

Chalk & Talk: Windows Server Active Directory (IDA03-IS) 3:15-4:30pm

Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2 3:15-4:30pm

Going Virtual with the Intelligent Application Gateway and a Sneak Peek at the Future! 3:15-4:30pm

Forefront Security for Exchange Server: Advanced Spam and AntiMalware Scanning Today and Tomorrow 5:00-6:15pm

Active Directory Rights Management Services (AD RMS) - End to End 5:00-6:15pm

Wednesday, November 5th

Microsoft Forefront Security for SharePoint: The Next Generation of Collaboration Security 9:00-10:15am

Ask The Experts 12:15-12:45pm

Identity Lifecycle Manager 2 (Part 2): Expressing and enforcing business policy 1:30-2:45pm

Introduction to Microsoft Forefront Codename Stirling 1:30-2:45pm

Connecting Active Directory to Microsoft Cloud Services 3:45-5:00pm

Hybrid Messaging Security for Exchange Server 3:45-5:00pm

Using Active Directory Domain Services for Linux Servers 5:30-6:45pm

Thursday, November 6th

Windows Server 2008 Active Directory Best Practices (IDA08) 8:30-9:45pm

Notes from the Field: Deploying Microsoft Identity Lifecycle Manager 2007 Certificate Management 10:15-11:30am

Ask The Experts 12:15-12:45pm

Successful deployment tips for Security and Strong Authentication 1:00-2:15pm

Using Network Access Protection (NAP) in combination with FCS 1:00-2:15pm

Identity Lifecycle Manager 2 (Part 3): Extensibility and provisioning with ILM 2 2:40-3:55pm

Universal sign-in utilizing AD, CardSpace and federation technologies: How to sign in any user, in any kind of application, in any scenario, using 'Zermatt' and claims-based identity 4:20-5:35pm

Windows Server 2008 R2 Active Directory: What's Coming Up? (IDA309 REPEAT) 6:00-7:15pm

Friday, November 7th

Active Directory Information Security - Where is the boundary? 9:00-10:15am

A Technical Preview and Deep Dive of Next Generation ISA Server 9:00-10:15am

A DS Geek's Notes from the Field - Active Directory Uncovered 10:45-12:00pm

Infrastructure services for SOA security and federation: 'Geneva' Security Token Services 3:15-4:30pm

Visit the Identity & Security booths for a detailed guide to activities at TechEd EMEA

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

