8/8/2019 Active Directory Windows Server 2008 R2 Updates
http://slidepdf.com/reader/full/active-directory-windows-server-2008-r2-updates 1/23
Active Directory Windows Server 2008 R2 Updates
Session Objectives And Takeaways
Describe Active Directory features in Windows Server 2008 R2
Discuss the importance of these features to our customers
Demonstrate how some of these features will benefit our customers
Agenda
What's new in Active Directory for Windows Server 2008 R2?
PowerShell Cmdlets
Active Directory Administrative center
Best Practice Analyzer
Recycle Bin for AD
Managed Service accounts
Offline Domain Join
Authentication Assurance
Health Model and Management Packs
Active Directory Tour demonstration
Conclusion
PowerShell for AD: command line scripting for administrative, configuration and diagnostic tasks
Past limitations
30+ command line tools for administering AD are not consistent in their usage
Difficult to compose these tools to achieve complex tasks
Feature takeaway
85+ AD cmdlets for comprehensive AD DS and AD LDS administration and configuration
Communicates using Web Service protocols
Can be used to manage Windows Server 2008 and 2003 domain controllers, using a future AD Web Service download
PowerShell Advantages
Consistent vocabulary and syntax
Predictable discovery
Flexible output formatting
Cmdlets can be easily composed (pipe) to build complex operations
End-to-End manageability with Exchange, Group Policy, etc.
PowerShell Provider Model
Provides sessions, server context, security context and path context
Enables best practices sharing across connections
Combination of cmdlets & provider means a familiar model for users
Perform operations in AD that are similar to the file system or registry, such as rename, move, etc.
Get-Command -CommandType Cmdlet *-AD*
Add-ADComputerServiceAccount
Add-ADDomainControllerPasswordReplicationPolicy
Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership
Clear-ADAccountExpiration
Disable-ADAccount
Disable-ADOptionalFeature
Enable-ADAccount
Enable-ADOptionalFeature
Get-ADAccountAuthorizationGroup
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADComputer
Get-ADComputerServiceAccount
Get-ADDefaultDomainPasswordPolicy
Get-ADDomain
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicyUsage
Get-ADFineGrainedPasswordPolicy
Get-ADFineGrainedPasswordPolicySubject
Get-ADForest
Get-ADGroup
Get-ADGroupMember
Get-ADObject
Get-ADOptionalFeature
Get-ADOrganizationalUnit
Get-ADPrincipalGroupMembership
Get-ADRootDSE
Get-ADServiceAccount
Get-ADUser
Get-ADUserResultantPasswordPolicy
Install-ADServiceAccount
Move-ADDirectoryServer
Move-ADDirectoryServerOperationMasterRole
Move-ADObject
New-ADComputer
New-ADFineGrainedPasswordPolicy
New-ADGroup
New-ADObject
New-ADOrganizationalUnit
New-ADServiceAccount
New-ADUser
Remove-ADComputer
Remove-ADComputerServiceAccount
Remove-ADDomainControllerPasswordReplicationPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Remove-ADGroup
Remove-ADGroupMember
Remove-ADObject
Remove-ADOrganizationalUnit
Remove-ADPrincipalGroupMembership
Remove-ADServiceAccount
Remove-ADUser
Rename-ADObject
Reset-ADServiceAccountPassword
Restore-ADObject
Search-ADAccount
Set-ADAccountControl
Set-ADAccountExpiration
Set-ADAccountPassword
Set-ADComputer
Set-ADDefaultDomainPasswordPolicy
Set-ADDomain
Set-ADDomainMode
Set-ADFineGrainedPasswordPolicy
Set-ADForest
Set-ADForestMode
Set-ADGroup
Set-ADObject
Set-ADOrganizationalUnit
Set-ADServiceAccount
Set-ADUser
Uninstall-ADServiceAccount
Unlock-ADAccount
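The composability the PowerShell slides describe, as an added example that is not part of the deck: a stale-account audit built by piping the cmdlets listed above into each other, plus a look at the AD: drive the provider model exposes. It assumes the ActiveDirectory module (RSAT or a Windows Server 2008 R2 server) and an AD Web Service reachable on a domain controller.

```powershell
# Added example (not from the deck): compose the Windows Server 2008 R2 AD cmdlets
# through the pipeline to audit stale, never-expiring accounts before touching them.
# Assumes the ActiveDirectory module and an AD Web Service on a reachable DC.
Import-Module ActiveDirectory

$inactiveDays = 90
$window       = [TimeSpan]::FromDays($inactiveDays)
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

# Search-ADAccount does the hard part (no logon within the window); the pipeline
# then narrows to enabled users and pulls the attributes the report needs.
$stale = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $window |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties PasswordNeverExpires, LastLogonDate, whenCreated
    } |
    Where-Object { $_.whenCreated -lt $cutoff }   # skip accounts created inside the window

# Report, oldest logon first
$stale |
    Select-Object SamAccountName, LastLogonDate, PasswordNeverExpires, DistinguishedName |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

# Same pipeline, now acting: stale accounts whose password never expires are the
# riskiest. -WhatIf previews the change; remove it once the list has been reviewed.
$stale | Where-Object { $_.PasswordNeverExpires } | Disable-ADAccount -WhatIf

# The provider model exposes the same directory as a drive, so file-system idioms
# work too: list the OUs directly under the domain root.
Get-ChildItem -Path ("AD:\" + (Get-ADDomain).DistinguishedName) |
    Where-Object { $_.ObjectClass -eq 'organizationalUnit' } |
    Select-Object Name, DistinguishedName
```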
Administrative Center for AD: increase the productivity of IT Pros by providing a scalable, task-oriented UX for managing Active Directory
Past limitations
Non task-oriented UI causes customer pain
Example: resetting user passwords
Representation in MMC not scalable for large datasets
Feature takeaway
Tasks executed through PowerShell Cmdlets
Task oriented administration model, with support for larger datasets
Consistency between CLI and UI management capabilities
Navigation experience designed to support multi-domain, multi-forest environments
Progressive disclosure
Task oriented
PowerShell-based instrumentation
Multi-Domains/Multi-Forests
Best Practice Analyzer: identify deviations from best practices to help our customers better manage their Active Directory deployments
Past limitations
No easy and automated validation of AD configuration against best practices
Feature takeaway
Analyzes AD settings that cause most unexpected behavior in customer environments
Leverages PowerShell cmdlets to gather run-time data
Makes recommendations in the context of the deployment
Available through the Server Manager BPA runtime tool
Best Practice Analyzer first set of scenarios
Version 1.0 of the BPA focuses mostly on common DNS issues
Checking that the SRV records for a DC are registered with its DNS server
A/AAAA records of a DC are registered with its DNS server
DC has a valid host name
Schema Naming Master and Domain Naming Master FSMO are recommended to be on the same machine
RID and PDC are recommended to be on the same machine
Each domain is recommended to have at least two DCs
[Architecture diagram, slide 12: the CLIENT side shows the management surfaces (ADUC/ADSS/ADDT in MMC, WSH over ADSI, CLI, AD PowerShell, the Administrative Center's MUX on WPF/.NET, and S.DS.P/S.DS.AM/S.DS.AD over WCF/.NET) reaching the SERVER side (AD Core, AD Web Service, BPA) over LDAP, DS RPC-based protocols and the AD Web Service.]
Recycle Bin for AD: customers can undo an accidental deletion in Active Directory
Past limitations
Accidental object deletion causes business downtime: deleted users cannot log on or access corporate resources
Accidental deletions are the #1 cause of AD disaster recovery scenarios
Feature takeaway
Recycle bin for AD DS and AD LDS objects
Feature enabled with a new forest functional level
Requires all DCs in the forest to be Windows Server 2008 R2 DCs
For AD LDS, all replicas must be running in a new application mode
Recycle Bin for AD Object Life-cycle
Windows Server 2008: Live Object -> Tombstone Object -> (180 days) -> Garbage collection
LDAP control OID 1.2.840.113556.1.4.417 returns Tombstones
Windows Server 2008 R2 with Recycle Bin enabled (if not enabled, behavior is similar to Windows Server 2008): Live Object -> Deleted Object -> (180 days) -> Recycled Object -> (180 days) -> Garbage collection
LDAP control OID 1.2.840.113556.1.4.417 returns Deleted
LDAP control OID 1.2.840.113556.1.4.2064 returns Deleted and Recycled
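The life-cycle above, worked through with the Recycle Bin cmdlets from the list on slide 7; this is an added example, not code from the deck. It assumes the ActiveDirectory module, a forest already at the 2008 R2 forest functional level, and a placeholder forest name.

```powershell
# Added example (not from the deck): check whether the AD Recycle Bin is on,
# list objects still in the Deleted (restorable) state, and restore one.
# Assumes the ActiveDirectory module; the forest name is a placeholder.
Import-Module ActiveDirectory

$forestName = 'corp.example'   # placeholder: your forest root domain

# The Recycle Bin is an optional feature; EnabledScopes stays empty until it is on.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if (-not $feature.EnabledScopes) {
    # One-way switch: needs the Windows Server 2008 R2 forest functional level
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forestName -Confirm:$false
}

function Get-ADRestorableObject {
    # Deleted (not yet Recycled) objects keep their attributes and can be restored.
    # -IncludeDeletedObjects sends the Show Deleted control (OID 1.2.840.113556.1.4.417);
    # the isRecycled clause drops objects already past the 180-day deleted lifetime,
    # and the name clause drops the Deleted Objects container itself.
    Get-ADObject -Filter { isDeleted -eq $true -and -not (isRecycled -eq $true) -and name -ne 'Deleted Objects' } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

Get-ADRestorableObject | Format-Table -AutoSize

# Restore a user by its original sAMAccountName, which the deleted object retains
function Restore-ADDeletedUser([string]$SamAccountName) {
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -IncludeDeletedObjects
    if (-not $deleted) { throw "No deleted object with sAMAccountName '$SamAccountName'" }
    # Restore-ADObject puts it back under lastKnownParent with its SID, group
    # memberships and other linked attributes intact (the point of the feature
    # versus a 2008 tombstone reanimation, which loses most attributes).
    Restore-ADObject -Identity $deleted.ObjectGUID -PassThru
}

# Restore-ADDeletedUser -SamAccountName 'jdoe'   # constructed usage
```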
Managed Service Accounts: simple management of service accounts
Past limitations
Management of individual accounts for services is cumbersome
Periodic maintenance often causes outages
Example: resetting a service account password
Feature takeaway
A manageable solution that addresses isolation needs for services
Better SPN management in Win7 Domain Functional Mode
Lower TCO from reduced service outages (for manual password resets and related issues)
One Managed Service Account per Service per box
No human intervention for password management!
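The MSA lifecycle the slide describes, from creation to binding a service to it, as an added example that is not part of the deck. It assumes the ActiveDirectory module; account, host and service names are constructed, the AD-side steps run as a domain administrator and Install-ADServiceAccount runs on the host itself.

```powershell
# Added example (not from the deck): provision a Windows Server 2008 R2 managed
# service account (MSA) and bind it to one host and one service. Names constructed.
# Assumes the ActiveDirectory module; steps 1-2 run as a domain admin, 3-4 on WEB01.
Import-Module ActiveDirectory

$msaName  = 'svcWebApp'   # constructed; AD stores the sAMAccountName as svcWebApp$
$hostName = 'WEB01'       # constructed
$domain   = Get-ADDomain

# 1. Create the MSA. Its password is generated by AD and rotated by the host like a
#    computer account password, so nobody ever knows or resets it. SPNs can be set
#    at creation (SPN management is what the R2 domain functional level improves).
New-ADServiceAccount -Name $msaName -Enabled $true `
    -ServicePrincipalNames "HTTP/$hostName.$($domain.DNSRoot)", "HTTP/$hostName"

# 2. Tie the account to exactly one computer (one MSA per service per box)
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. On the host: cache the account locally so services there can use it
Install-ADServiceAccount -Identity $msaName

# 4. Point the service at the MSA. The password is passed empty because the host
#    retrieves it from AD itself; Win32_Service.Change(StartName, StartPassword)
#    is positions 7 and 8, the earlier nulls leave other settings unchanged.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MyWebService'"   # constructed service
$null = $svc.Change($null, $null, $null, $null, $null, $null, "$($domain.NetBIOSName)\$msaName`$", '')

# Verify which computer the account is bound to and which SPNs it carries
Get-ADServiceAccount -Identity $msaName -Properties HostComputers, ServicePrincipalNames |
    Select-Object Name, Enabled, HostComputers, ServicePrincipalNames
```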
Offline Domain Join: enable easier provisioning of machines in the data center
Past limitations
Reboot needed after domain join
Inability to prepare the machine to be domain joined while offline
Feature takeaway
Ability to pre-provision machine accounts in the domain to prepare OS images for mass deployment
Machines are domain joined on initial boot
Reduces steps and time needed to deploy in the data center
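Both halves of an offline domain join with djoin.exe, the tool that ships the feature, as an added example that is not part of the deck. Domain, machine, OU and paths are constructed; it assumes a Windows Server 2008 R2 DC and a Windows 7 or 2008 R2 image.

```powershell
# Added example (not from the deck): offline domain join in two steps with djoin.exe.
# Domain, machine name, OU and paths are constructed placeholders.

# --- Step 1, on a domain-joined admin machine: pre-provision the computer account ---
# /provision creates the account in the domain and serializes the join metadata,
# including the machine password, into the blob file.
$domain  = 'corp.example'                         # constructed
$machine = 'APP-IMG-001'                          # constructed
$ou      = 'OU=Servers,DC=corp,DC=example'        # constructed
$blob    = 'C:\ODJ\APP-IMG-001.djoin'
djoin.exe /provision /domain $domain /machine $machine /machineou $ou /savefile $blob

# The blob is a credential: whoever holds it can become this machine. Strip the
# inherited ACL, grant only the provisioning admin, and delete it after use.
icacls $blob /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(F)" | Out-Null

# --- Step 2, against the offline image (before first boot) ---
# /requestODJ stages the blob into the Windows directory of the mounted image;
# the machine completes the join during its first boot, with no DC connectivity
# needed at image-build time and no extra reboot.
$offlineWindows = 'D:\Mount\Windows'   # constructed: Windows dir of the mounted image
djoin.exe /requestODJ /loadfile $blob /windowspath $offlineWindows

# Alternative for a running, not-yet-joined machine (join completes at next reboot):
# djoin.exe /requestODJ /loadfile $blob /windowspath $env:SystemRoot /localos

Remove-Item $blob -Force   # the account exists in AD; the blob is no longer needed
```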
Authentication Assurance: applications can control resource access based on authentication strength and method
Past limitations
Customers cannot use authentication type or authentication strength to protect corporate data
Example: control access to resources based on claims such as use of a smartcard for logon, or that the certificate used 2048-bit encryption
Feature takeaway
Administrators can map various properties, including authentication type and authentication strength, to an identity
Based on information during authentication, these identities are added to Kerberos tickets for use by applications
Feature is enabled with a new domain functional level
All domain controllers in the domain need to be Windows Server 2008 R2 DCs
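The mapping step described above, as an added example that is not part of the deck. The mechanism Windows Server 2008 R2 shipped for this, authentication mechanism assurance, links a certificate issuance policy OID to a universal security group through the msDS-OIDToGroupLink attribute; when a user logs on with a certificate carrying that policy, the DC adds the group's SID to the Kerberos ticket, while a password logon by the same user does not get it. It assumes the ActiveDirectory module, an enterprise CA that has published the issuance policy, and constructed OID and group names.

```powershell
# Added example (not from the deck): authentication mechanism assurance setup.
# Links an issuance policy OID to a universal group so that only certificate
# logons carrying that policy receive the group SID in their Kerberos ticket.
# Assumes the ActiveDirectory module; OID and group name are constructed.
Import-Module ActiveDirectory

$policyOid = '1.3.6.1.4.1.311.21.8.1234.5678.1.400'   # constructed: issuance policy OID from your CA
$groupName = 'Smartcard-Assured-Users'                # constructed

# 1. The target must be a universal security group in a 2008 R2 DFL domain
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -PassThru
}

# 2. Find the issuance policy object. Enterprise CAs publish them under
#    CN=OID,CN=Public Key Services,CN=Services in the configuration partition.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$oidObject = Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$configNC" `
    -Filter "msPKI-Cert-Template-OID -eq '$policyOid'" -Properties displayName, msDS-OIDToGroupLink
if (-not $oidObject) { throw "Issuance policy $policyOid is not published in AD" }

# 3. The mapping itself: msDS-OIDToGroupLink on the OID object points at the group
Set-ADObject -Identity $oidObject -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# 4. Verify through the back-link on the group. Keep the group free of direct
#    members: its SID should be granted only by the logon method, never statically.
Get-ADGroup -Identity $group -Properties msDS-OIDToGroupLinkBl, Members |
    Select-Object Name, GroupScope, msDS-OIDToGroupLinkBl, @{ n = 'DirectMembers'; e = { @($_.Members).Count } }
```

Resource ACLs then grant access to this group; a DC below the 2008 R2 domain functional level ignores the link and issues tickets without the SID.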
Health Model: enable IT administrators to better diagnose and resolve Active Directory issues
Past limitations
Diagnostic information is incomplete and inconsistent
Feature takeaway
Continued investment towards completing the health model
A single authoritative source for information used in Management Packs, Best Practice Analyzer and online documentation
Management Pack: provide proactive monitoring of availability and performance of Active Directory
Past limitations
Current management pack lacks support for Windows Server 2008 and MOM 2007
Feature takeaway
Support for Windows Server 2008 domain controllers
Multiple replication latency groups
Ability to monitor multiple forests from a single management group
Management pack for MOM 2007
The journey to Windows Server 2008 R2
Upgrading to the Windows 7 client while keeping existing servers, you can use:
Offline domain join
Once the AD Web Service is available for existing servers, if you upgrade to the Windows 7 client, you can use:
AD PowerShell and ADAC with all your servers
Upgrading to the Windows 7 client while installing one or more Windows Server 2008 R2 DCs (one per domain), you can use:
Managed service accounts
If you change the domain functional level to Windows Server 2008 R2, you can use:
Authentication Assurance
Managed service accounts with an enhanced SPN management experience
If you change the forest functional level to Windows Server 2008 R2, you can use:
AD Recycle Bin
Related Content
Tuesday, November 4th
10:45-12:00pm  Identity Lifecycle Manager 2 (Part 1): Empowering users with self-service identity management solutions
1:30-2:45pm  Windows Server 2008 R2 Active Directory: What's Coming Up?
3:15-4:30pm  Chalk & Talk: Windows Server Active Directory (IDA03-IS)
3:15-4:30pm  Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2
3:15-4:30pm  Going Virtual with the Intelligent Application Gateway and a Sneak Peek at the Future!
5:00-6:15pm  Forefront Security for Exchange Server: Advanced Spam and AntiMalware Scanning Today and Tomorrow
5:00-6:15pm  Active Directory Rights Management Services (AD RMS) - End to End
Wednesday, November 5th
9:00-10:15am  Microsoft Forefront Security for SharePoint: The Next Generation of Collaboration Security
12:15-12:45pm  Ask The Experts
1:30-2:45pm  Identity Lifecycle Manager 2 (Part 2): Expressing and enforcing business policy
1:30-2:45pm  Introduction to Microsoft Forefront Codename Stirling
3:45-5:00pm  Connecting Active Directory to Microsoft Cloud Services
3:45-5:00pm  Hybrid Messaging Security for Exchange Server
5:30-6:45pm  Using Active Directory Domain Services for Linux Servers
Visit the Identity & Security booths for a detailed guide to activities at TechEd EMEA
Related Content
Thursday, November 6th
8:30-9:45pm  Windows Server 2008 Active Directory Best Practices (IDA08)
10:15-11:30am  Notes from the Field: Deploying Microsoft Identity Lifecycle Manager 2007 Certificate Management
12:15-12:45pm  Ask The Experts
1:00-2:15pm  Successful deployment tips for Security and Strong Authentication
1:00-2:15pm  Using Network Access Protection (NAP) in combination with FCS
2:40-3:55pm  Identity Lifecycle Manager 2 (Part 3): Extensibility and provisioning with ILM 2
4:20-5:35pm  Universal sign-in utilizing AD, CardSpace and federation technologies: How to sign in any user, in any kind of application, in any scenario, using 'Zermatt' and claims-based identity
6:00-7:15pm  Windows Server 2008 R2 Active Directory: What's Coming Up? (IDA309 REPEAT)
Friday, November 7th
9:00-10:15am  Active Directory Information Security - Where is the boundary?
9:00-10:15am  A Technical Preview and Deep Dive of Next Generation ISA Server
10:45-12:00pm  A DS Geek's Notes from the Field - Active Directory Uncovered
3:15-4:30pm  Infrastructure services for SOA security and federation: 'Geneva' Security Token Services
Visit the Identity & Security booths for a detailed guide to activities at TechEd EMEA
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.