Session Objectives And Takeaways
- Describe Active Directory features in Windows Server 2008 R2
- Discuss the importance of these features to our customers
- Demonstrate how some of these features will benefit our customers
Agenda
What's new in Active Directory for Windows Server 2008 R2?
- PowerShell cmdlets
- Active Directory Administrative Center
- Best Practice Analyzer
- Recycle Bin for AD
- Managed Service Accounts
- Offline Domain Join
- Authentication Assurance
- Health Model and Management Packs
Active Directory tour (demonstration)
Conclusion
PowerShell for AD
Command-line scripting for administrative, configuration and diagnostic tasks
Past limitations
- 30+ command-line tools for administering AD are not consistent in their usage
- Difficult to compose these tools to achieve complex tasks
Feature takeaway
- 85+ AD cmdlets for comprehensive AD DS and AD LDS administration and configuration
- Communicates using Web Service protocols
- Can be used to manage Windows Server 2008 and 2003 domain controllers, using a future AD Web Service download
PowerShell Advantages
- Consistent vocabulary and syntax
- Predictable discovery
- Flexible output formatting
- Cmdlets can be easily composed (piped) to build complex operations
- End-to-end manageability with Exchange, Group Policy, etc.
PowerShell Provider Model
- Provides sessions, server context, security context and path context
- Enables best-practice sharing across connections
- The combination of cmdlets and provider gives users a familiar model
- Perform operations in AD that are similar to the file system or registry, such as rename, move, etc.
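The following is an added example, not code from the deck: it shows the two points above, cmdlets composed through the pipeline and the AD: provider drive, in one administrative task (quarantining inactive user accounts). It assumes the ActiveDirectory module (RSAT or a Windows Server 2008 R2 DC) and a reachable Active Directory Web Service; the domain name, OU paths, DC name and the 90-day threshold are constructed sample values.

```powershell
# Added example (not from the deck). Assumes the ActiveDirectory module and an
# AD Web Service endpoint. Domain, OU, DC name and threshold are sample values.
Import-Module ActiveDirectory

$StaleDays    = 90
$Cutoff       = (Get-Date).AddDays(-$StaleDays)
$QuarantineOU = 'OU=Disabled Accounts,DC=contoso,DC=com'   # assumed OU

# 1. Discover: enabled user accounts with no logon since the cutoff.
#    Search-ADAccount evaluates lastLogonTimestamp for us; -UsersOnly keeps
#    computer and service accounts out of the result set.
$Stale = Search-ADAccount -AccountInactive -DateTime $Cutoff -UsersOnly |
         Where-Object { $_.Enabled } |
         ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, Description }

# 2. Report before acting: every cmdlet returns objects, so one Format-Table
#    works regardless of which cmdlet produced them.
$Stale | Format-Table SamAccountName, LastLogonDate, DistinguishedName -AutoSize

# 3. Act: one pipeline composes three cmdlets. -WhatIf on each step makes this a
#    dry run; remove it to apply the changes.
$Stamp = 'Disabled {0:yyyy-MM-dd}: inactive > {1} days' -f (Get-Date), $StaleDays
$Stale |
  Set-ADUser -Description $Stamp -PassThru -WhatIf |
  Disable-ADAccount -PassThru -WhatIf |
  Move-ADObject -TargetPath $QuarantineOU -WhatIf

# 4. Provider model: the same directory navigated like a file system. The AD:
#    drive is created when the module loads.
Set-Location AD:
Get-ChildItem 'DC=contoso,DC=com' | Select-Object Name, ObjectClass

#    A drive rooted at the Configuration partition on a chosen DC carries the
#    server and path context for every command that uses it.
New-PSDrive -Name CFG -PSProvider ActiveDirectory -Root 'CN=Configuration,DC=contoso,DC=com' `
            -Server 'dc01.contoso.com' | Out-Null
Get-ChildItem 'CFG:\CN=Sites' | Select-Object Name
Set-Location C:
```

The dry run matters operationally: the same pipeline with the -WhatIf switches removed is the change, so reviewing its preview output is the cheapest control against disabling the wrong accounts.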
Administrative Center for AD
Increase the productivity of IT Pros by providing a scalable, task-oriented UX for managing Active Directory
Past limitations
- Non-task-oriented UI causes customer pain
  Example: resetting user passwords
- Representation in MMC not scalable for large datasets
Feature takeaway
- Tasks executed through PowerShell cmdlets
- Task-oriented administration model, with support for larger datasets
- Consistency between CLI and UI management capabilities
- Navigation experience designed to support multi-domain, multi-forest environments
- Progressive disclosure
- Task oriented
- PowerShell-based instrumentation
- Multi-domain / multi-forest
Best Practice Analyzer
Identify deviations from best practices to help our customers better manage their Active Directory deployments
Past limitations
- No easy and automated validation of AD configuration against best practices
Feature takeaway
- Analyzes the AD settings that cause most unexpected behavior in customer environments
- Leverages PowerShell cmdlets to gather run-time data
- Makes recommendations in the context of the deployment
- Available through the Server Manager BPA runtime tool
Best Practice Analyzer: first set of scenarios
Version 1.0 of the BPA focuses mostly on common DNS issues
- Checking that the SRV records for a DC are registered with its DNS server
- A/AAAA records of a DC are registered with its DNS server
- DC has a valid host name
- Schema Master and Domain Naming Master FSMO roles are recommended to be on the same machine
- RID Master and PDC Emulator are recommended to be on the same machine
- Each domain is recommended to have at least two DCs
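As an added example (not the BPA's own code), the checks listed above re-implemented with the AD cmdlets, followed by a run of the shipped BPA model. It assumes the ActiveDirectory and BestPractices modules of Windows Server 2008 R2, and Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later; on 2008 R2 itself nslookup -type=SRV would stand in). The domain name is a constructed sample and the model identifier Microsoft/Windows/DirectoryServices is assumed to be the AD DS model name on your server.

```powershell
# Added example (not from the deck). Assumes ActiveDirectory + BestPractices
# modules and Resolve-DnsName (DnsClient). Domain name is a sample value.
Import-Module ActiveDirectory

function Test-AdDnsAndFsmoPlacement {
    param([string]$DomainName = 'contoso.com')   # constructed sample domain

    $domain   = Get-ADDomain -Identity $DomainName
    $forest   = Get-ADForest -Identity $domain.Forest
    $dcs      = @(Get-ADDomainController -Filter * -Server $DomainName)
    $findings = @()

    # FSMO placement recommendations from the slide.
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings += "Schema Master ($($forest.SchemaMaster)) and Domain Naming Master ($($forest.DomainNamingMaster)) are on different DCs"
    }
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        $findings += "RID Master ($($domain.RIDMaster)) and PDC Emulator ($($domain.PDCEmulator)) are on different DCs"
    }
    if ($dcs.Count -lt 2) {
        $findings += "Domain $DomainName has $($dcs.Count) domain controller(s); at least two are recommended"
    }

    # DNS registration: every DC should be a target of the domain-wide
    # _ldap._tcp.dc._msdcs SRV record set and resolve to an A/AAAA record.
    $srvTargets = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'SRV' } |
                  ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }

    foreach ($dc in $dcs) {
        $fqdn = $dc.HostName.ToLower()
        if ($srvTargets -notcontains $fqdn) {
            $findings += "$fqdn is missing from the _ldap._tcp.dc._msdcs SRV records"
        }
        $addr = Resolve-DnsName -Name $fqdn -Type A_AAAA -ErrorAction SilentlyContinue
        if (-not $addr) {
            $findings += "$fqdn has no A/AAAA record in DNS"
        }
    }
    return $findings      # empty array means every check passed
}

# The shipped analyzer: Invoke-BpaModel runs the AD DS checks, Get-BpaResult
# reads them back; only warnings and errors are shown here.
Import-Module BestPractices
$ModelId = 'Microsoft/Windows/DirectoryServices'     # assumed AD DS model id
Invoke-BpaModel -ModelId $ModelId | Out-Null
Get-BpaResult -ModelId $ModelId |
    Where-Object { $_.Severity -ne 'Information' } |
    Format-Table Severity, Category, Title -AutoSize

Test-AdDnsAndFsmoPlacement -DomainName 'contoso.com'
```

The hand-written function returns findings as strings so it can be scheduled and its output diffed between runs; the BPA result objects carry Problem, Impact and Resolution fields that give the same information in the context of the deployment, which is the slide's point.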
Recycle Bin for AD
Customers can undo an accidental deletion in Active Directory
Past limitations
- Accidental object deletion causes business downtime: deleted users cannot log on or access corporate resources
- Accidental deletions are the #1 cause of AD disaster recovery scenarios
Feature takeaway
- Recycle Bin for AD DS and AD LDS objects
- Feature enabled with a new forest functional level
  Requires all DCs in the forest to be Windows Server 2008 R2 DCs
  For AD LDS, all replicas must be running in a new application mode
Recycle Bin for AD: Object Life-cycle
[Diagram: object life-cycle with and without the Recycle Bin]
Windows Server 2008:
- Live Object -> (delete) -> Tombstone Object -> (180 days) -> Garbage collection
- LDAP control OID 1.2.840.113556.1.4.417 (Show Deleted Objects) returns tombstones
Windows Server 2008 R2 with Recycle Bin enabled (if not enabled, behavior is similar to Windows Server 2008):
- Live Object -> (delete) -> Deleted Object -> (180 days) -> Recycled Object -> (180 days) -> Garbage collection
- LDAP control OID 1.2.840.113556.1.4.417 returns Deleted objects
- LDAP control OID 1.2.840.113556.1.4.2064 (Show Recycled Objects) returns Deleted and Recycled objects
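An added example (not from the deck) covering the Recycle Bin slide and the life-cycle diagram: checking the forest functional level precondition, enabling the feature, reading the two lifetimes that govern the deleted and recycled phases, and restoring a deleted user. It assumes the ActiveDirectory module on a Windows Server 2008 R2 DC with Enterprise Admin rights; the forest name, user and attribute lookups are constructed sample values, and the -IncludeDeletedObjects switch is what sends the Show Deleted control the diagram refers to.

```powershell
# Added example (not from the deck). Assumes ActiveDirectory module, 2008 R2 DC,
# Enterprise Admin rights. Forest name and user are sample values.
Import-Module ActiveDirectory
$Forest = 'contoso.com'

# Precondition from the slide: forest functional level Windows Server 2008 R2,
# which implies every DC in the forest is 2008 R2.
$f = Get-ADForest -Identity $Forest
if ($f.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($f.ForestMode); raise it to Windows2008R2Forest before enabling the Recycle Bin"
}

# Enabling the optional feature cannot be undone, so the cmdlet prompts;
# -Confirm:$false belongs only in a reviewed rollout script.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
                         -Target $Forest -Confirm:$false

# The two 180-day windows in the diagram: msDS-DeletedObjectLifetime covers the
# deleted phase, tombstoneLifetime the recycled phase. An unset value means the
# default (180 days) is in effect.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
             -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Format-List msDS-DeletedObjectLifetime, tombstoneLifetime

# Locate the deleted user. -IncludeDeletedObjects adds the Show Deleted control
# (OID 1.2.840.113556.1.4.417); with the Recycle Bin enabled the object keeps
# its attributes, including lastKnownParent, so the restore target is known.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq 'jdoe' } `
                        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
if (-not $deleted) { throw 'No deleted object named jdoe found (it may already be recycled)' }
$deleted | Format-List Name, lastKnownParent, whenChanged

# Restore in place. Parents first: a deleted OU must be restored before the
# users it contained, otherwise their restore fails with a missing parent.
$deleted | Restore-ADObject
```

Once an object has moved into the recycled phase it is no longer restorable with its attributes, so the first 180-day window is the real recovery budget; monitoring for deletes (directory service event logging) is what turns this feature from a safety net into a managed process.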
Managed Service Accounts
Simple management of service accounts
Past limitations
- Management of individual accounts for services is cumbersome
- Periodic maintenance often causes outages
  Example: resetting a service account password
Feature takeaway
- A manageable solution that addresses isolation needs for services
- Better SPN management in Win7 Domain Functional Mode
- Lower TCO from reduced service outages (for manual password resets and related issues)
- One Managed Service Account per service per box
- No human intervention for password management!
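As an added example (not from the deck), the end-to-end flow for one Managed Service Account: create it, bind it to a single host, register its SPN, install it on the host and point a Windows service at it. It assumes the ActiveDirectory module against a Windows Server 2008 R2 DC; the account, host, OU, service name and SPN format are constructed sample values.

```powershell
# Added example (not from the deck). Assumes ActiveDirectory module and a 2008 R2
# DC. Account, host, service and SPN values are samples.
Import-Module ActiveDirectory
$Domain     = 'contoso.com'
$NetBios    = 'CONTOSO'
$Account    = 'svc-inventory'      # MSA name; the directory object is svc-inventory$
$ServerName = 'app01'              # the one box this MSA is tied to
$Service    = 'InventorySvc'       # Windows service on that box

# --- On an admin workstation with RSAT ------------------------------------
# One MSA per service per box, created in the default container.
New-ADServiceAccount -Name $Account -Path "CN=Managed Service Accounts,DC=contoso,DC=com" -Enabled $true

# Only this host may retrieve the account's password.
Add-ADComputerServiceAccount -Identity $ServerName -ServiceAccount $Account

# SPN for the service, so clients can authenticate to it with Kerberos.
Set-ADServiceAccount -Identity $Account -ServicePrincipalNames @{Add = "HTTP/$ServerName.$Domain"}

# --- On the host itself (run elevated) ------------------------------------
Install-ADServiceAccount -Identity $Account

# Bind the service to the MSA. The empty password is deliberate: the OS fetches
# and rotates the password, so there is nothing for a human to reset.
sc.exe config $Service obj= "$NetBios\$Account`$" password= ""
Restart-Service -Name $Service

# Verify the host can use the account (True) and the service is running.
Test-ADServiceAccount -Identity $Account
Get-Service -Name $Service | Select-Object Name, Status
```

The isolation benefit on the slide follows from the binding step: because only app01 can retrieve the password, the account is useless on any other machine, which is the property a shared, manually managed service account never had.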
Offline Domain Join
Enable easier provisioning of machines in the data center
Past limitations
- Reboot needed after domain join
- Inability to prepare the machine to be domain joined while offline
Feature takeaway
- Ability to pre-provision machine accounts in the domain to prepare OS images for mass deployment
- Machines are domain joined on initial boot
- Reduces steps and time needed to deploy in the data center
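An added example (not from the deck) of the provisioning flow above using djoin.exe, the tool that ships with the feature, driven from PowerShell: pre-create the account, inject the blob into an offline image (or a running machine that cannot reach a DC), then verify after first boot. Domain, machine, OU, paths and mount point are constructed sample values.

```powershell
# Added example (not from the deck). Assumes djoin.exe (Windows 7 / 2008 R2)
# and rights to create computer objects. All names and paths are samples.
$Domain   = 'contoso.com'
$Machine  = 'web07'
$TargetOU = 'OU=Web Servers,DC=contoso,DC=com'
$Blob     = 'C:\odj\web07.txt'

# Step 1 (provisioning host): create the computer account and save the join
# metadata. /REUSE is deliberately omitted so an existing account of the same
# name fails the run instead of being silently taken over.
djoin.exe /PROVISION /DOMAIN $Domain /MACHINE $Machine /MACHINEOU $TargetOU /SAVEFILE $Blob
if ($LASTEXITCODE -ne 0) { throw "Provisioning $Machine failed (exit code $LASTEXITCODE)" }

# The blob carries the machine account password: restrict it to the
# provisioning account and remove it once consumed.
icacls $Blob /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null

# Step 2a (offline image): inject the blob into a mounted WIM/VHD. The machine
# completes the join during its first boot, with no extra reboot.
$MountedWindows = 'D:\mount\Windows'     # assumed mount point of the offline image
djoin.exe /REQUESTODJ /LOADFILE $Blob /WINDOWSPATH $MountedWindows

# Step 2b (alternative: a running machine with no DC connectivity yet).
# djoin.exe /REQUESTODJ /LOADFILE $Blob /WINDOWSPATH $env:SystemRoot /LOCALOS

# Step 3: dispose of the blob, then confirm the account after first boot.
Remove-Item $Blob -Force
Import-Module ActiveDirectory
Get-ADComputer -Identity $Machine -Properties whenCreated, OperatingSystem |
    Format-List Name, DistinguishedName, whenCreated, OperatingSystem
```

The blob file is the one secret in this flow; generating it on a locked-down provisioning host and deleting it as soon as the image is serviced keeps mass deployment from leaving machine credentials scattered across build shares.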
Authentication Assurance
Applications can control resource access based on authentication strength and method
Past limitations
- Customers cannot use authentication type or authentication strength to protect corporate data
  Example: control access to resources based on claims such as the use of a smartcard for logon, or the certificate used having 2048-bit encryption
Feature takeaway
- Administrators can map various properties, including authentication type and authentication strength, to an identity
- Based on information gathered during authentication, these identities are added to Kerberos tickets for use by applications
- Feature is enabled with a new domain functional level
  All domain controllers in the domain need to be Windows Server 2008 R2 DCs
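An added example (not from the deck) of the administrator-side mapping described above: a certificate issuance policy is linked to a universal security group so that a user who logs on with a certificate carrying that policy gets the group in their Kerberos ticket, and the group can then be used in resource ACLs. It assumes the ActiveDirectory module, domain functional level Windows Server 2008 R2, and that the issuance-policy OID object already exists under Public Key Services (created with the certificate template). The OID value and group name are constructed samples; the msDS-OIDToGroupLink attribute and the group constraints (universal, security-enabled, no direct members) are the documented requirements as I understand them.

```powershell
# Added example (not from the deck). Assumes ActiveDirectory module and domain
# mode Windows2008R2Domain. OID and group name are sample values.
Import-Module ActiveDirectory

$IssuancePolicyOid = '1.3.6.1.4.1.311.21.8.1234.5678.9'   # constructed sample OID
$GroupName         = 'SmartCard-HighAssurance'

# Precondition from the slide: every DC in the domain is 2008 R2.
$mode = (Get-ADDomain).DomainMode
if ($mode -ne 'Windows2008R2Domain') { throw "Domain mode is $mode; Authentication Assurance needs Windows2008R2Domain" }

# The group applications will put in ACLs. It must be universal, security-enabled
# and stay empty: membership is injected at logon from the certificate, not stored.
$group = Get-ADGroup -Filter { Name -eq $GroupName }
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security -PassThru
}
if (Get-ADGroupMember -Identity $group) { throw "$GroupName must have no direct members" }

# Find the issuance-policy OID object in the configuration partition.
$cfg    = (Get-ADRootDSE).configurationNamingContext
$oidObj = Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$cfg" `
                       -LDAPFilter "(msPKI-Cert-Template-OID=$IssuancePolicyOid)" `
                       -Properties msDS-OIDToGroupLink
if (-not $oidObj) { throw "No issuance policy object found for OID $IssuancePolicyOid" }

# Link policy -> group. From now on a logon with a certificate carrying this
# policy yields a ticket containing $GroupName; a password logon does not.
Set-ADObject -Identity $oidObj -Replace @{'msDS-OIDToGroupLink' = $group.DistinguishedName}

# Verification on a client after a smart-card logon: the group shows up in the token.
whoami /groups | Select-String $GroupName
```

Because the group never has stored members, an ACL granting access to it cannot be satisfied by group nesting or a password logon; the only path in is the authentication method itself, which is what makes the group usable as an authentication-strength claim.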
Health Model
Enable IT administrators to better diagnose and resolve Active Directory issues
Past limitations
- Diagnostic information is incomplete and inconsistent
Feature takeaway
- Continued investment towards completing the health model
- A single authoritative source for information used in Management Packs, the Best Practice Analyzer and online documentation
Management Pack
Provide proactive monitoring of availability and performance of Active Directory
Past limitations
- Current management pack lacks support for Windows Server 2008 and MOM 2007
Feature takeaway
- Support for Windows Server 2008 domain controllers
- Multiple replication latency groups
- Ability to monitor multiple forests from a single management group
- Management pack for MOM 2007
The journey to Windows Server 2008 R2
Upgrading to the Windows 7 client while keeping existing servers, you can use:
- Offline domain join
Once the AD Web Service is available for existing servers, if you upgrade to the Windows 7 client, you can use:
- AD PowerShell and ADAC with all your servers
Upgrading to the Windows 7 client while installing one or more Windows Server 2008 R2 domain controllers (one per domain), you can use:
- Managed service accounts
If you change the domain functional level to Windows Server 2008 R2, you can use:
- Authentication Assurance
- Managed service accounts with an enhanced SPN management experience
If you change the forest functional level to Windows Server 2008 R2, you can use:
- AD Recycle Bin
Related Content
Tuesday, November 4th
- Identity Lifecycle Manager 2 (Part 1): Empowering users with self-service identity management solutions
- Windows Server 2008 R2 Active Directory: What's Coming Up?
- Chalk & Talk: Windows Server Active Directory (IDA03-IS)
- Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2
- Going Virtual with the Intelligent Application Gateway and a Sneak Peak at the Future!
- Forefront Security for Exchange Server: Advanced Spam and Anti-Malware Scanning Today and Tomorrow
- Active Directory Rights Management Services (AD RMS) - End to End
Tuesday time slots listed on the slide: 9:00-10:15am, 12:15-12:45pm, 1:30-2:45pm, 1:30-2:45pm, 3:45-5:00pm, 3:45-5:00pm, 5:30-6:45pm
Wednesday, November 5th
- Microsoft Forefront Security for SharePoint: The Next Generation of Collaboration Security
- Ask The Experts
- Identity Lifecycle Manager 2 (Part 2): Expressing and enforcing business policy
- Introduction to Microsoft Forefront Codename Stirling
- Connecting Active Directory to Microsoft Cloud Services
- Hybrid Messaging Security for Exchange Server
- Using Active Directory Domain Services for Linux Servers
Wednesday time slots listed on the slide: 10:45-12:00pm, 1:30-2:45pm, 3:15-4:30pm, 3:15-4:30pm, 3:15-4:30pm, 5:00-6:15pm, 5:00-6:15pm
Visit the Identity & Security booths for a detailed guide to activities at TechEd EMEA
Related Content
Thursday, November 6th
- Windows Server 2008 Active Directory Best Practices (IDA08)
- Notes from the Field: Deploying Microsoft Identity Lifecycle Manager 2007 Certificate Management
- Ask The Experts
- Successful deployment tips for Security and Strong Authentication
- Using Network Access Protection (NAP) in combination with FCS
- Identity Lifecycle Manager 2 (Part 3): Extensibility and provisioning with ILM 2
- Universal sign-in utilizing AD, CardSpace and federation technologies: How to sign in any user, in any kind of application, in any scenario, using 'Zermatt' and claims-based identity
- Windows Server 2008 R2 Active Directory: What's Coming Up? (IDA309 REPEAT)
Friday, November 7th
- Active Directory Information Security - Where is the boundary?
- A Technical Preview and Deep Dive of Next Generation ISA Server
- A DS Geek's Notes from the Field - Active Directory Uncovered
- Infrastructure services for SOA security and federation: 'Geneva' Security Token Services
Thursday/Friday time slots listed on the slide: 9:00-10:15am, 9:00-10:15am, 10:45-12:00pm, 3:15-4:30pm, 8:30-9:45pm, 10:15-11:30am, 12:15-12:45pm, 1:00-2:15pm, 1:00-2:15pm, 2:40-3:55pm, 4:20-5:35pm, 6:00-7:15pm