TRANSCRIPT
IT Pro Connections 2009: The cutting edge event for IT pros
Active Directory in Depth
Χρήστος Σπανουγάκης MCT, MVP
Agenda
AD module for Windows PowerShell
AD Administrative Center
AD Best Practice Analyser
Managed Service Accounts
Offline domain join
Authentication mechanism assurance
AD Recycle Bin
AD Troubleshooting - Discussion
Windows Evolution
Windows PowerShell for AD
PowerShell v2 includes an AD Module
Comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks
Easy to compose and manage complex tasks
PowerShell drives for AD: simple navigation in AD DS, AD LDS and AD Snapshots
Certain tasks can only be achieved through PowerShell
Example (and demo)
Import-Module ActiveDirectory
# Creates an enabled user with a temporary password that must be changed at first logon
New-ADUser -Name "Spanougakis Chris" -SamAccountName "chris" -AccountPassword (ConvertTo-SecureString -AsPlainText "Temp0Pwd0!" -Force) -Enabled $true -ChangePasswordAtLogon $true -GivenName "Chris" -Surname "Spanougakis" -UserPrincipalName "[email protected]" -Path "OU=Admins,OU=UK,DC=itproconnections,DC=local"
AD Web Services (ADWS) (demo)
ADWS is automatically installed with AD DS and AD LDS
Port 9389 must be open for remote administration
Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008
Does not support instances of the AD Mounting Tool
Diagram: the PowerShell cmdlets talk WS-* to ADWS on port 9389; ADWS in turn talks LDAP to the AD / GC (ports 389 and 3268), to an AD LDS instance and to a mounted AD instance.
AD Administrative Center
Task-oriented model
Progressive disclosure of data
Powerful searching
Simultaneously connect to other domains
Built on PowerShell cmdlets
Best Practice Analyser
Compares the current configuration on a DC to best practice recommendations
Scan started via Server Manager or PowerShell
Results through UI and PowerShell output
Provides guidance, does not fix problems
Result severities: Error (red), Warning, Information
Quarterly updates
Service Accounts
Using built-in accounts for services does not provide service isolation
What's the alternative? Run the services using standard user accounts
How many of you change service account passwords on a regular basis?
Any problems?
Diagram: a service on a member server runs as a domain user account (username SRV1, password *****); every password change must also be updated on the service account.
Managed Service Accounts (demo)
Diagram: domain example.com, member server SERVER1
1. Create the account in the domain: New-ADServiceAccount svc1 (domain account name: SVC1)
2. Install it on the server: Install-ADServiceAccount svc1
3. Configure the service to run as example\svc1$ (append $ to the account name, leave the password blank)
4. The server automatically resets the password based on "Max machine account password age"; it can also be reset with Reset-ADServiceAccountPassword svc1
Accounts must be created and managed through Windows PowerShell
Requirements & Caveats
Service / application requiring a managed account must be running on Windows 7 or 2008 R2
Requires the AD Module for Windows PowerShell to be installed
Forest and domain must be prepared for 2008 R2: adprep /forestprep & adprep /domainprep
Managed accounts cannot be shared across multiple servers
In other words: use them LOCALLY
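The four steps above as one script, added here as an example and not part of the talk. Assumed names: NetBIOS domain EXAMPLE, MSA svc1, Windows service "MyAppSvc", member server SERVER1; step 1 runs from any box with the AD module, steps 2 to 4 run on SERVER1 as a local administrator. It also enforces the "one server only" caveat before touching the service.

```powershell
# Added example, not from the talk. Assumed: MSA svc1, service MyAppSvc, server SERVER1.
Import-Module ActiveDirectory

$msaName = 'svc1'        # assumed MSA name; the sAMAccountName svc1$ is generated for it
$svcName = 'MyAppSvc'    # assumed Windows service that will run under the MSA
$domain  = Get-ADDomain

# 1. Create the MSA in the domain (prerequisite: adprep /forestprep and /domainprep for 2008 R2).
New-ADServiceAccount -Name $msaName -Enabled $true `
    -Path "CN=Managed Service Accounts,$($domain.DistinguishedName)" `
    -Description "MSA for $svcName on SERVER1 - one host only"

# 2. Install it on the server that runs the service. This links the MSA to this computer
#    and caches its password locally, so no administrator ever handles the password.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName is not usable on $env:COMPUTERNAME (check the AD module / adprep)"
}

# Caveat check: an MSA belongs to exactly one computer. Stop if it is already linked to
# another host rather than silently sharing it across servers.
$msa    = Get-ADServiceAccount -Identity $msaName -Properties HostComputers
$others = @($msa.HostComputers | Where-Object { $_ -notlike "CN=$env:COMPUTERNAME,*" })
if ($others.Count -gt 0) {
    throw "MSA $msaName is already linked to: $($others -join '; '). Create a separate MSA."
}

# 3. Configure the service: account name with a trailing $, empty password.
#    WMI is used because PowerShell drops an empty "" argument when calling sc.exe.
$logonName = "$($domain.NetBIOSName)\$msaName`$"
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, $logonName, '')
if ($rc.ReturnValue -ne 0) { throw "Service reconfiguration failed, code $($rc.ReturnValue)" }

# 4. Optional: rotate the password now instead of waiting for the machine account
#    password age, then restart the service so it picks up the new secret.
Reset-ADServiceAccountPassword -Identity $msaName
Restart-Service -Name $svcName
```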
Offline Domain Joins
Allows Windows 7 or Windows 2008 R2 machines to be joined to a domain while offline
On start up, the machine is already domain joined and there is no reboot requirement
Speeds up deployment of VMs and scripted installs
New section in unattended.xml supports offline domain joins
Simplifies domain joins to RODCs
Diagram: an online VHD or physical system requires /localos and a reboot; an offline VHD or physical system needs neither.
Djoin.exe (demo)
Windows 7 or 2008 R2 required both for computers running djoin and for computers being joined to the domain
Diagram: djoin /provision creates the computer account object in the domain and saves the computer account metadata to a file. The metadata is Base-64 encoded; treat it as security sensitive. The file is then loaded on the target machine, or its content is added to Unattended.xml.
Djoin /provision /domain example.com /machine ms1 /savefile ms1.txt
djoin /requestODJ /loadfile <ms1.txt> /windowspath <Windows directory>
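The provision / request flow wrapped in two functions, added here as an example and not part of the talk; it also shows how to handle the blob the slide calls security sensitive. Assumed names: domain example.com, machine ms1, OU "OU=Workstations,DC=example,DC=com", blob file C:\odj\ms1.txt and an offline VHD mounted as V:.

```powershell
# Added example, not from the talk. New-OdjBlob runs on an admin box that can reach a DC;
# Install-OdjBlob runs on the target (or against a mounted target image), never on the admin box.
function New-OdjBlob {
    param([string]$Domain, [string]$Machine, [string]$MachineOU, [string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # /provision creates the computer object in AD now and writes its metadata to $Path.
    & djoin.exe /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $Path
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
    # The blob is as sensitive as the machine account password: drop inherited ACEs and
    # leave only the provisioning admin (read) and SYSTEM on the file.
    & icacls.exe $Path /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" 'SYSTEM:(F)' | Out-Null
    return $Path
}

function Install-OdjBlob {
    param([string]$Path, [string]$WindowsPath = $env:SystemRoot, [switch]$LocalOS)
    if (-not (Test-Path $Path)) { throw "Blob $Path not found" }
    # Running OS (/localos): the join is applied to the live system and needs a reboot.
    # Offline image: point /windowspath at the mounted image's Windows folder; the machine
    # then starts already joined, with no reboot.
    if ($LocalOS) {
        & djoin.exe /requestODJ /loadfile $Path /windowspath $WindowsPath /localos
    } else {
        & djoin.exe /requestODJ /loadfile $Path /windowspath $WindowsPath
    }
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    # The blob has done its job; do not leave it behind on disk or inside an image.
    Remove-Item -Path $Path -Force
}

# On the admin box:
$blob = New-OdjBlob -Domain 'example.com' -Machine 'ms1' `
    -MachineOU 'OU=Workstations,DC=example,DC=com' -Path 'C:\odj\ms1.txt'

# On the target, offline VHD mounted as V: (copy the blob there first):
#   Install-OdjBlob -Path 'C:\odj\ms1.txt' -WindowsPath 'V:\Windows'
# On a running Windows 7 / 2008 R2 target (reboot afterwards):
#   Install-OdjBlob -Path 'C:\odj\ms1.txt' -LocalOS; Restart-Computer

# Unattend.xml alternative: the file's content goes into
# Microsoft-Windows-UnattendedJoin > Identification > Provisioning > AccountData.
```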
Authentication Mechanism Assurance
Allows applications to control access to resources based on authentication strength
For example, only allow access to a resource if the user has been authenticated using a smart card
Requires Windows 2008 R2 domain functionality
Diagram: strong authentication gives full access; normal authentication gives restricted access
Resource Access Control
When a certificate-based logon method is used, an administrator-designated universal group is added to the user's Kerberos token
This group is then used to control access to resources
It is possible to add different groups based on the type of certificate used to log on; access to resources can consequently be based on the certificate type
Recycle Bin for AD
Requires 2008 R2 forest functionality
PowerShell driven:
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'forest'
Once enabled, cannot be disabled
Get-ADObject -LDAPFilter "<filter>" -IncludeDeletedObjects
Restore-ADObject -Identity <id>
Parent object must be restored in advance of child object
Restores all attributes, including linked attributes
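The enable-and-restore procedure carried through for a deleted OU and its contents, added here as an example and not part of the talk. It enforces the "parent before child" rule from the slide. Assumed names: forest itproconnections.local and a deleted OU called "Sales".

```powershell
# Added example, not from the talk. Assumed: forest itproconnections.local, deleted OU "Sales".
Import-Module ActiveDirectory

# One-way switch: needs 2008 R2 forest functional level and cannot be undone afterwards.
$forest = Get-ADForest
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

function Restore-Children {
    param([object[]]$Bin, [string]$DeletedParentDN, [string]$TargetPath)
    # A child of a deleted OU records the OU's *deleted* DN in LastKnownParent
    # (CN=Sales\0ADEL:<guid>,CN=Deleted Objects,...). That DN no longer resolves once the
    # OU is live again, so each child is restored explicitly into the restored parent.
    foreach ($child in ($Bin | Where-Object { $_.LastKnownParent -eq $DeletedParentDN })) {
        $r = Restore-ADObject -Identity $child.ObjectGUID -TargetPath $TargetPath -PassThru
        # Recurse so nested OUs come back with their own contents.
        Restore-Children -Bin $Bin -DeletedParentDN $child.DistinguishedName -TargetPath $r.DistinguishedName
    }
}

function Restore-ADDeletedTree {
    param([Parameter(Mandatory = $true)][string]$OuName)
    # Everything currently in the bin; deleted objects keep Name, ObjectClass and LastKnownParent.
    $bin = @(Get-ADObject -Filter 'IsDeleted -eq $true' -IncludeDeletedObjects -Properties LastKnownParent)
    $ou  = @($bin | Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.Name -like "$OuName*" })
    if ($ou.Count -ne 1) { throw "Expected exactly one deleted OU named $OuName, found $($ou.Count)" }

    # Parent first: the OU goes back to its own LastKnownParent, which still exists.
    $restoredOu = Restore-ADObject -Identity $ou[0].ObjectGUID -PassThru
    # Children next, into the restored OU.
    Restore-Children -Bin $bin -DeletedParentDN $ou[0].DistinguishedName -TargetPath $restoredOu.DistinguishedName

    # Verify: linked attributes such as group membership are back, unlike with re-animation.
    Get-ADObject -Filter '*' -SearchBase $restoredOu.DistinguishedName -Properties MemberOf |
        Select-Object Name, ObjectClass, MemberOf
}

Restore-ADDeletedTree -OuName 'Sales'
```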
No Recycle Bin
Diagram (object lifecycle without the Recycle Bin): live object -> Delete -> tombstone object (majority of attributes deleted) -> after the tombstone lifetime (180 days), garbage collection purges it from the directory
Re-animate API restores objects while on-line, but many attributes are missing
Re-animation does not restore multi-valued linked attributes such as group membership
The alternative is an offline authoritative restore
Recycle Bin Enabled (demo)
Diagram (object lifecycle with the Recycle Bin): live object -> Delete -> deleted object (all attributes retained; an online undelete restores all attributes) -> after the deleted object lifetime (180 days) it becomes a recycled object -> after the tombstone lifetime (180 days) garbage collection purges it from the directory
The Path to Windows Server 2008 R2
Prep forest and domain for Windows 2008 R2
Windows 7 clients can be provisioned with offline domain joins against existing 2003/2008 infrastructure
Install the Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers
Use AD PowerShell and ADAC running on Windows 7
Upgraded servers can use Managed Service Accounts
Functional Levels
Switches to R2 domain and forest functionality are reversible; use PowerShell to reverse:
Set-ADForestMode -Identity itproconnections.local -ForestMode Windows2008Forest
Cannot be reversed once Recycle Bin is enabled
2008 R2 domain functionality is required for Authentication Mechanism Assurance and for SPN management for Managed Service Accounts
2008 R2 forest functionality allows Recycle Bin to be enabled