what's new in ad for 2008 -deep dive- 4-23-08


  • 8/8/2019 What's New in AD for 2008 -Deep Dive- 4-23-08

    Slide 1/33

  • Slide 2/33

    Active Directory Investments in Windows Server 2008

    Branch Office: Read-Only Domain Controllers

    Security: Auditing, Password Policies

    Manageability: Deployment, Backup/Restore

    Q&A

    Group Policy: Group Policy Preferences

  • Slide 3/33

    Active Directory Domain Services (AD DS): previously Active Directory

    Active Directory Lightweight Directory Services (AD LDS): previously ADAM, Active Directory Application Mode

    Server roles

    Server functionalities like AD DS, AD LDS, DNS, DHCP

    Centrally managed through Server Manager

    Server Core

    Minimal server installation option

    Reduces attack surface because fewer components are installed

  • Slide 4/33: Active Directory Domain Services

    Windows Server 2000: deliver best-of-breed Enterprise NOS Directory

    Windows Server 2003: simpler management, easy deployment

    Windows Server 2008: secure Branch Office deployments; manageability and administration improvements reduce IT costs

  • Slide 5/33: Security, Manageability, Branch Office (section divider)

  • Slide 6/33: Branch Office, Manageability, Security (section divider)

  • Slide 7/33: Problem overview

    Deployment of domain controllers at remote locations challenges enterprises

    Deployment of domain controllers at unsecured locations

    Delegation of domain administrator privileges to administrators at branches

    Dealing with these challenges

    Consolidation of domain controllers in few locations?

    New option: introducing the read-only domain controller (RODC)

  • Slide 8/33: DCs in unsecured locations

    Impact of stolen RODC limited to accounts with replicated secrets

    Password replication policy, to prevent replication of secrets to insecure locations

    By default, no secrets are replicated

    Recommend replication of passwords of branch-specific accounts

    Read-only Partial Attribute Set (RO PAS) allows certain schema attributes to be marked as secrets

    Applications must be aware that such attributes will not be available on all domain controllers
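As an added example (not from the deck), the following Python models how the password replication policy decides which secrets an RODC may cache, so the exposure of a stolen RODC can be enumerated instead of guessed. Group names and memberships are constructed sample data modelled on the default Allowed/Denied RODC Password Replication Groups; the deny-over-allow rule and transitive group evaluation are what the code implements.

```python
"""Resultant Password Replication Policy (PRP) check for an RODC.

Constructed example, not code from the slide deck: the Denied list takes
precedence over the Allowed list, membership is evaluated transitively through
nested groups, and an account in neither list is not cached (the default).
Group and account names are constructed sample data.
"""
from collections import defaultdict

# Constructed group membership: group -> direct members (users or groups).
MEMBERS = {
    "Domain Admins": {"alice"},
    "Denied RODC Password Replication Group": {"Domain Admins", "krbtgt"},
    "Allowed RODC Password Replication Group": {"Branch-Users"},
    "Branch-Users": {"bob", "carol", "alice"},  # alice is also a branch user
}

def transitive_groups(principal):
    """All groups the principal belongs to, following nested membership."""
    member_of = defaultdict(set)
    for group, members in MEMBERS.items():
        for m in members:
            member_of[m].add(group)
    seen, stack = set(), [principal]
    while stack:
        for g in member_of[stack.pop()]:
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen

def may_cache(principal, allowed, denied):
    """True if the RODC is permitted to cache this principal's secrets.
    A direct or inherited Deny always wins over Allow; with no matching
    entry at all the answer is Deny (no secrets replicated by default)."""
    scope = transitive_groups(principal) | {principal}
    if scope & denied:
        return False
    return bool(scope & allowed)

def exposure(accounts, allowed, denied):
    """Accounts whose secrets a stolen RODC could reveal (its blast radius)."""
    return sorted(a for a in accounts if may_cache(a, allowed, denied))

if __name__ == "__main__":
    allowed = {"Allowed RODC Password Replication Group"}
    denied = {"Denied RODC Password Replication Group", "Administrators"}
    print(exposure(["alice", "bob", "carol", "dave", "krbtgt"], allowed, denied))
    # -> ['bob', 'carol']
```

Note that alice is denied even though she is a branch user: her nested Domain Admins membership places her in the Denied group, which is exactly the outcome the deck's "by default, no secrets are replicated" stance relies on.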

  • Slide 9/33: Incorporating RODCs into your AD design

  • Slide 10/33: Incorporating RODCs into your AD design

  • Slide 11/33: Delegated administrator

    Admin role separation

    RODC server administrators do not have to be domain administrators!

    Prevents accidental modifications by machine administrators

    Two-stage DC promotion

    First stage: domain administrator pre-creates RODC computer account

    Second stage: machine administrator at branch promotes the machine to RODC

  • Slide 12/33: Deployment requirements

    Must be in Windows Server 2003 Forest Functional Mode

    At least one Windows Server 2008 DC required

    Multiple Windows Server 2008 DCs recommended for fault tolerance

    Application compatibility

    Some client updates may be required depending on deployment scenarios

  • Slide 13/33: Deployment steps

    Verify Forest Functional Mode is Windows Server 2003

    ADPREP /ForestPrep

    ADPREP /DomainPrep

    ADPREP /RodcPrep

    Promote a Windows Server 2008 DC into domain

    Promote RODC

  • Slide 14/33: Deployment scenarios

    RODC in Branch Offices (primary and supported scenario)

    Intended for environments with limited physical security

    RODC in DMZ (being evaluated)

    Intended for environments with cross-Corpnet\DMZ resource access requirements

    RODC on the Internet (being evaluated)

    Intended for environments with cross-Corpnet\Internet resource access requirements

  • Slide 15/33: Deployment scenarios

    Secure Appliance DC

    Admin Role Separation

    RODC

    Server Core

    BitLocker

    IPSEC, Firewall, AuthIP

  • Slide 16/33

    Internet Security Accelerator (ISA) server

    Microsoft Office Live Communications Server

    Microsoft Systems Management Server (SMS)

    Microsoft Office Outlook

    Microsoft Operations Manager (MOM)

    Windows SharePoint Services

    Microsoft SQL Server

    Windows Server services, including:

    Active Directory Certificate Services (AD CS)

    Active Directory Rights Management Services (AD RMS)

    Credential Roaming

    Distributed File System (DFS)

    Distributed File System Replication (DFSR) and File Replication Service (FRS)

    Domain Name System (DNS)

    Dynamic Host Configuration Protocol (DHCP)

    Group Policy

    Internet Authentication Service

    Internet Information Services (IIS)

    Network Access Protection (NAP)

    Terminal Services (Users and Computers snap-in)

    Terminal Services Licensing server

  • Slide 17/33: Security, Branch Office, Manageability (section divider)

  • Slide 18/33: Problem overview

    Compliance and business requirements mandate different account settings for different users

    Examples

    Administrators: strict setting (passwords expire every 14 days)

    Service accounts: moderate settings (passwords expire every 31 days, different lockout threshold, minimum password length 32 characters)

    Average user password policy (passwords expire every 90 days)

  • Slide 19/33: Administration

    Can be applied to:

    Users

    Global security groups

    Does NOT apply to:

    Computer objects

    Non-domain user accounts

    Organizational Units

  • Slide 20/33: Administration

    Multiple policies can be associated with the user

    Precedence rules on groups are used to calculate resultant policy when multiple policies are applied

    Deployment Requirements

    All domain controllers must be Windows Server 2008

    Windows Server 2008 Domain Functional Mode required

    No client changes necessary

  • Slide 21/33: Deployment steps

    Verify all domain controllers are running Windows Server 2008

    Raise Domain Functional Mode to Windows Server 2008

    Define the password policies you want for the different users

    Create necessary security groups with users

    Apply policies to the appropriate security groups
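Added example, not from the deck: Python that computes the resultant fine-grained password policy for a user under the precedence rules the preceding slides refer to, once policies have been applied to security groups. The rules implemented are that a PSO linked directly to the user wins over group-linked PSOs, that among candidates the lowest msDS-PasswordSettingsPrecedence wins with ties going to the smallest objectGUID, and that with no applicable PSO the Default Domain Policy applies. PSO names, precedence values, GUIDs and group memberships are constructed.

```python
"""Resultant fine-grained password policy (PSO) for a user.

Constructed example, not code from the slide deck. Precedence rules applied:
a PSO linked directly to the user beats any PSO linked through a group; among
the remaining candidates the lowest msDS-PasswordSettingsPrecedence wins; an
exact tie goes to the smallest objectGUID; with no applicable PSO the Default
Domain Policy applies. PSOs, GUIDs and memberships are constructed data.
"""
from dataclasses import dataclass, field
from typing import Optional
import uuid

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int             # msDS-PasswordSettingsPrecedence (lower wins)
    max_password_age_days: int  # msDS-MaximumPasswordAge, simplified to days
    applies_to: frozenset       # msDS-PSOAppliesTo: users and global groups
    guid: uuid.UUID = field(default_factory=uuid.uuid4)

# Constructed PSOs mirroring the deck's 14 / 31 / 90 day examples.
PSOS = [
    PSO("Admins-PSO", 10, 14, frozenset({"Domain Admins"})),
    PSO("Service-PSO", 20, 31, frozenset({"Service Accounts"})),
    PSO("Users-PSO", 30, 90, frozenset({"Domain Users"})),
]
# Constructed memberships; PSOs apply only via users and global security
# groups, never via computer objects or OUs, so only group names appear here.
GROUPS = {
    "alice": {"Domain Admins", "Domain Users"},
    "svc-sql": {"Service Accounts", "Domain Users"},
    "bob": {"Domain Users"},
}

def resultant_pso(user, psos=PSOS, groups=GROUPS) -> Optional[PSO]:
    """Winning PSO for the user, or None when the Default Domain Policy applies."""
    direct = [p for p in psos if user in p.applies_to]
    via_group = [p for p in psos if p.applies_to & groups.get(user, set())]
    candidates = direct or via_group          # direct links always win
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))

if __name__ == "__main__":
    for u in ("alice", "svc-sql", "bob", "guest"):
        p = resultant_pso(u)
        print(u, "->", f"{p.name} ({p.max_password_age_days} days)" if p else "Default Domain Policy")
```

Running it shows alice resolving to Admins-PSO (14 days) despite also being in Domain Users, because the lower precedence value wins, while guest falls back to the Default Domain Policy.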

  • Slide 22/33

    Event logs tell you exactly:

    Who made a change

    When the change was made

    What object/attribute was changed

    The beginning and end values

    Auditing is controlled by:

    Global audit policy

    SACL

    Schema
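Added example, not from the deck: Python that pairs the two Directory Service Changes events (ID 5136) a Windows Server 2008 DC writes for one attribute modification, one carrying the old value and one the new, into a single who/when/object/attribute/old-to-new record of the kind the slide describes. The sample events are constructed and trimmed to the fields used; the pairing key (OpCorrelationID) and the %%14674 / %%14675 operation codes come from the 5136 event layout.

```python
"""Pair Windows Server 2008 Directory Service Changes events (ID 5136).

Constructed example, not code from the slide deck. One attribute modification
is logged as two 5136 events sharing an OpCorrelationID: 'Value Deleted'
(%%14675) with the old value and 'Value Added' (%%14674) with the new value.
The sample events below are constructed and trimmed to the fields used here.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

def _event(time, corr, who, dn, attr, value, op):
    """Constructed, trimmed 5136 event in the Windows Event XML layout."""
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>5136</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="OpCorrelationID">{corr}</Data>'
            f'<Data Name="SubjectUserName">{who}</Data>'
            f'<Data Name="ObjectDN">{dn}</Data>'
            f'<Data Name="AttributeLDAPDisplayName">{attr}</Data>'
            f'<Data Name="AttributeValue">{value}</Data>'
            f'<Data Name="OperationType">{op}</Data></EventData></Event>')

BOB = "CN=bob,OU=Branch,DC=example,DC=com"
SAMPLE_EVENTS = [  # constructed: alice changes bob's description (two events)
    _event("2008-04-23T10:00:01Z", "{C1}", "alice", BOB, "description", "Helpdesk", VALUE_DELETED),
    _event("2008-04-23T10:00:01Z", "{C1}", "alice", BOB, "description", "Domain Admin", VALUE_ADDED),
]

def parse_5136(xml_text):
    """Flatten one event's EventData into a dict; None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{NS}System/{NS}EventID") != "5136":
        return None
    data = {d.get("Name"): d.text for d in root.iter(f"{NS}Data")}
    data["when"] = root.find(f"{NS}System/{NS}TimeCreated").get("SystemTime")
    return data

def attribute_changes(events):
    """Pair Value Deleted / Value Added events by OpCorrelationID into
    who / when / object / attribute / old -> new change records."""
    by_corr = defaultdict(dict)
    for e in filter(None, map(parse_5136, events)):
        key = (e["OpCorrelationID"], e["ObjectDN"], e["AttributeLDAPDisplayName"])
        slot = "new" if e["OperationType"] == VALUE_ADDED else "old"
        by_corr[key][slot] = e["AttributeValue"]
        by_corr[key].update(who=e["SubjectUserName"], when=e["when"])
    return [dict(object=k[1], attribute=k[2], **v) for k, v in by_corr.items()]
```

Calling `attribute_changes(SAMPLE_EVENTS)` yields one record with old "Helpdesk" and new "Domain Admin" made by alice; the same pairing works over events exported from a real DC, provided the Directory Service Changes subcategory is enabled and the object carries a SACL.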

  • Slide 23/33

  • Slide 24/33: Restartable AD DS

    Without a reboot you can now:

    Apply DS patches

    Perform offline defragmentation

    DS stopped similar to member server:

    NTDS.dit is offline

    Can log on locally with DSRM password

    Server Core

    Fewer reboots for servicing

  • Slide 25/33

    Protection from accidental deletion of objects in Active Directory

    Snapshot viewer enables restore of deleted objects

    Leverages VSS snapshots of AD database taken via NTDSUTIL

    Use LDAP client to bind to snapshot and view read-only instances of AD databases

    Enables objects to be recreated using LDAP APIs and tombstone reanimation

  • Slide 26/33

    Use Server Performance Advisor to collect performance statistics

    XML report tells you most searched attribute, most accessed DC, etc.

    Deploy AD MP SP1 for Windows Server 2008 DC/RODCs

  • Slide 27/33: Security, Manageability, Branch Office (section divider)

  • Slide 28/33

  • Slide 29/33: GPO Preferences - Acquisition

    Acquired DesktopStandard in Oct. 2006

    Extend investment in Group Policy

    PolicyMaker and GPOVault

    GPOVault: Advanced Group Policy Management (AGPM) available through Microsoft Desktop Optimization Pack (MDOP) for Software Assurance

    PolicyMaker: extensions made available for Server 2008

    Group Policy extensions implemented as Group Policy Preferences

  • Slide 30/33: GPO Preferences Details

    1,800+ policy settings in XP versus 2,400+ in Windows Vista / Server 2008

    Variety of support across the Operating System

    Group Policy is a Windows Manageability basic

    Policy Settings Greatly Expanded in a Number of Areas, examples include:

    Removable Storage Devices

    IPSec / Windows Firewall

    Power Management

    Printer Management

    Troubleshooting and Diagnostics

    Windows Defender

    Network Access Protection

    Internet Explorer

    Tablet PC

    Windows Error Reporting

    User Account Control (UAC)

    Wired and Wireless Policy

    Desktop Shell

    Globalization

    Remote Assistance

  • Slide 31/33: GPO Preferences UI and Summary

    Improves IT productivity

    Reduces need for logon scripts

    Limits configuration errors

    Enhances end-user satisfaction

    Minimizes image maintenance

    Reduces overall image count

  • Slide 32/33

    The release to manufacturing (RTM) version of Exchange 2007 cannot be installed on Windows Server 2008. However, Exchange 2007 Service Pack 1 will be supported for installation on Windows Server 2008.

    Exchange Server 2003 Service Pack 2, Exchange 2007, and Exchange 2007 SP1 (when released) are supported in environments that either partly or entirely use writeable Windows Server 2008 directory servers.

    No version of Microsoft Exchange uses read-only domain controllers (RODCs)

  • Slide 33/33

    © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

    MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.