what's new in ad for 2008 -deep dive- 4-23-08
TRANSCRIPT
8/8/2019 What's New in AD for 2008 -Deep Dive- 4-23-08

Active Directory Investments in Windows Server 2008
Branch Office: Read-Only Domain Controllers
Security: Auditing, Password Policies
Manageability: Deployment, Backup/Restore
Group Policy: Group Policy Preferences
Q&A

Active Directory Domain Services (AD DS): previously Active Directory
Active Directory Lightweight Directory Services (AD LDS): previously ADAM, Active Directory Application Mode
Server roles: server functionalities like AD DS, AD LDS, DNS, DHCP; centrally managed through Server Manager
Server Core: minimal server installation option; reduces attack surface because fewer components are installed

Active Directory Domain Services
Windows Server 2000: Deliver best-of-breed Enterprise NOS Directory
Windows Server 2003: Simpler management, easy deployment
Windows Server 2008: Secure Branch Office deployments; Manageability and administration improvements reduce IT costs

Security, Manageability, Branch Office

Branch Office

Problem overview
Deployment of domain controllers at remote locations challenges enterprises:
Deployment of domain controllers at unsecured locations
Delegation of domain administrator privileges to administrators at branches
Dealing with these challenges:
Consolidation of domain controllers in few locations?
New option: Introducing the read-only domain controller (RODC)

DCs in unsecured locations
Impact of stolen RODC limited to accounts with replicated secrets
Password replication policy, to prevent replication of secrets to insecure locations
By default, no secrets are replicated
Recommend replication of passwords of branch-specific accounts
Read-only Partial Attribute Set (RO PAS) allows certain schema attributes to be marked as secrets
Applications must be aware that such attributes will not be available on all domain controllers
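An added PowerShell example (not from the slides) showing how a defender audits a password replication policy: which principals an RODC may cache, which secrets it already holds (the exposure if that box is stolen), and whether any cached account is a privileged one. It assumes the ActiveDirectory PowerShell module; the RODC name `RODC-BRANCH01`, the group `Branch01 Users` and the privileged-group list are placeholders.

```powershell
# Added example: audit an RODC's password replication policy (PRP) and the
# accounts whose secrets are already cached on it. Not from the slides.
# Assumptions: ActiveDirectory module available; RODC-BRANCH01 and
# 'Branch01 Users' are placeholder names.
Import-Module ActiveDirectory

$Rodc = 'RODC-BRANCH01'                     # placeholder RODC computer name
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# 1. What the policy permits and forbids. A Denied entry wins over Allowed.
Write-Host "== Allowed list on $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Format-Table Name, ObjectClass -AutoSize
Write-Host "== Denied list on $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Format-Table Name, ObjectClass -AutoSize

# 2. What is actually cached. A stolen RODC exposes exactly these accounts,
#    so this list is also the password-reset list after a theft.
$Revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
Write-Host "== $($Revealed.Count) account(s) with secrets on $Rodc =="
$Revealed | Format-Table Name, ObjectClass, DistinguishedName -AutoSize

# 3. Flag cached accounts that sit in privileged groups: those should never
#    reach a DC in an unsecured location.
foreach ($acct in $Revealed) {
    if ($acct.ObjectClass -ne 'user') { continue }
    $groups = Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName |
              Select-Object -ExpandProperty Name
    $hits = @($groups | Where-Object { $PrivilegedGroups -contains $_ })
    if ($hits.Count -gt 0) {
        Write-Warning "$($acct.Name) is cached on $Rodc and is a member of: $($hits -join ', ')"
    }
}

# 4. Scope caching to branch-specific accounts only, as the slide recommends.
#    Uncomment once 'Branch01 Users' (placeholder) holds only that branch's
#    users and computers.
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch01 Users'
```

Run it from a management workstation after each change to the Allowed list; the third section is the one worth alerting on, because an administrator who happens to log on at the branch is exactly the account an attacker would want to find cached.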

Incorporating RODCs into your AD design

Delegated administrator
Admin role separation
RODC server administrators do not have to be domain administrators!
Prevents accidental modifications by machine administrators
Two-stage DC promotion
First stage: domain administrator pre-creates RODC computer account
Second stage: machine administrator at branch promotes the machine to RODC

Deployment requirements
Must be in Windows Server 2003 Forest Functional Mode
At least one Windows Server 2008 DC required
Multiple Windows Server 2008 DCs recommended for fault tolerance
Application compatibility: some client updates may be required depending on deployment scenarios

Deployment steps
Verify Forest Functional Mode is Windows Server 2003
ADPREP /ForestPrep
ADPREP /DomainPrep
ADPREP /RodcPrep
Promote a Windows Server 2008 DC into domain
Promote RODC
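An added PowerShell example (not from the slides) that wraps the deployment steps above with pre-flight checks, and afterwards verifies the delegated-administrator point from the earlier slide: the principal chosen when the RODC account was pre-created is stored in the computer object's managedBy attribute, and it should not be a domain-admin-level principal. It assumes the ActiveDirectory module; `D:\sources\adprep` as the Windows Server 2008 media path and `RODC-BRANCH01` are placeholders.

```powershell
# Added example: pre-flight checks for the RODC deployment steps and a
# post-promotion check of the delegated administrator. Not from the slides.
# Assumptions: ActiveDirectory module; D:\sources\adprep is the Windows
# Server 2008 media (placeholder); RODC-BRANCH01 is a placeholder name.
Import-Module ActiveDirectory

# Step 1: forest functional level must be Windows Server 2003 or higher.
$forest = Get-ADForest
$tooLow = @('Windows2000Forest', 'Windows2003InterimForest')
if ($tooLow -contains "$($forest.ForestMode)") {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows Server 2003 first"
}
"Forest mode: $($forest.ForestMode)"

# Steps 2-4: ADPREP runs once per forest/domain, on the FSMO holders shown.
"Schema master:         $($forest.SchemaMaster)"
"Infrastructure master: $((Get-ADDomain).InfrastructureMaster)"
# On the schema master:           D:\sources\adprep\adprep.exe /forestprep
# On each infrastructure master:  D:\sources\adprep\adprep.exe /domainprep
# Once per forest, on any DC:     D:\sources\adprep\adprep.exe /rodcprep

# Steps 5-6: an RODC replicates only from a writable Windows Server 2008 DC,
# so confirm one exists (two or more for fault tolerance) before promoting.
$dcs = Get-ADDomainController -Filter *
$dcs | Format-Table Name, Site, OperatingSystem, IsReadOnly -AutoSize
$writable2008 = @($dcs | Where-Object { -not $_.IsReadOnly -and $_.OperatingSystem -match 'Windows Server 2008' })
if ($writable2008.Count -eq 0) { throw 'No writable Windows Server 2008 DC found' }
if ($writable2008.Count -eq 1) { Write-Warning 'Only one Windows Server 2008 DC: no fault tolerance for RODC replication' }

# After promotion: the delegated administrator set during the first (pre-create)
# stage lives in managedBy. It should be a branch group, not a domain admin.
$Rodc = 'RODC-BRANCH01'
$rodcObj = Get-ADComputer -Identity $Rodc -Properties managedBy
if (-not $rodcObj.managedBy) {
    Write-Warning "$Rodc has no delegated administrator (managedBy is empty)"
} else {
    $admin = Get-ADObject -Identity $rodcObj.managedBy -Properties memberOf
    "Delegated admin for ${Rodc}: $($admin.Name) ($($admin.ObjectClass))"
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    $bad = @($admin.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } |
             Where-Object { $privileged -contains $_ })
    if ($bad.Count -gt 0) {
        Write-Warning "Delegated admin is a member of $($bad -join ', '); role separation is defeated"
    }
}
```

The ADPREP lines are left as comments because each must be typed on a specific DC with the media mounted; the script prints which machines those are.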

Deployment scenarios
RODC in Branch Offices (primary and supported scenario): intended for environments with limited physical security
RODC in DMZ (being evaluated): intended for environments with cross-Corpnet\DMZ resource access requirements
RODC on the Internet (being evaluated): intended for environments with cross-Corpnet\Internet resource access requirements

Deployment scenarios: Secure Appliance DC
Admin Role Separation, RODC, Server Core, BitLocker, IPsec firewall with AuthIP

Internet Security Accelerator (ISA) server
Microsoft Office Live Communications Server
Microsoft Systems Management Server (SMS)
Microsoft Office Outlook
Microsoft Operations Manager (MOM)
Windows SharePoint Services
Microsoft SQL Server
Windows Server services, including:
Active Directory Certificate Services (AD CS)
Active Directory Rights Management Services (AD RMS)
Credential Roaming
Distributed File System (DFS)
Distributed File System Replication (DFSR) and File Replication Service (FRS)
Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP)
Group Policy
Internet Authentication Service
Internet Information Services (IIS)
Network Access Protection (NAP)
Terminal Services (Users and Computers snap-in)
Terminal Services Licensing server

Security

Problem overview
Compliance and business requirements mandate different account settings for different users
Examples:
Administrators: strict setting (passwords expire every 14 days)
Service accounts: moderate settings (passwords expire every 31 days, different lockout threshold, minimum password length 32 characters)
Average user password policy (passwords expire every 90 days)

Administration
Can be applied to:
Users
Global security groups
Does NOT apply to:
Computer objects
Non-domain user accounts
Organizational Units

Administration
Multiple policies can be associated with the user
Precedence rules on groups are used to calculate resultant policy when multiple policies are applied
Deployment requirements:
All domain controllers must be Windows Server 2008
Windows Server 2008 Domain Functional Mode required
No client changes necessary

Deployment steps
Verify all domain controllers are running Windows Server 2008
Raise Domain Functional Mode to Windows Server 2008
Define the password policies you want for the different users
Create necessary security groups with users
Apply policies to the appropriate security groups
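An added PowerShell example (not from the slides) that carries the five deployment steps through as one script, using the fine-grained password policy cmdlets of the ActiveDirectory module, and then checks the resultant policy for a user. The expiry ages (14, 31, 90 days) and the 32-character minimum for service accounts come from the slides; the group names, precedence values, lockout thresholds and the other lengths are constructed, and `svc-backup` is a placeholder account.

```powershell
# Added example: the five deployment steps as a script. Not from the slides.
# Assumptions: ActiveDirectory module; group names, precedence values and the
# lockout/length values not stated on the slides are constructed.
Import-Module ActiveDirectory

# Step 1: every DC must run Windows Server 2008 (or later).
$downlevel = @(Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -match 'Windows (Server )?2000|Windows Server 2003' })
if ($downlevel.Count -gt 0) {
    throw "Downlevel domain controllers present: $($downlevel.Name -join ', ')"
}

# Step 2: raise the domain functional level. This is one-way.
$domain = Get-ADDomain
if (@('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') -contains "$($domain.DomainMode)") {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008Domain -Confirm:$false
}

# Step 3: define the policies. When a user matches several PSOs, the lowest
# Precedence wins, so the strict admin policy gets the lowest number.
$common = @{
    ComplexityEnabled = $true;  ReversibleEncryptionEnabled = $false
    MinPasswordAge = '1.00:00:00';  PasswordHistoryCount = 24
    LockoutDuration = '0.00:30:00'; LockoutObservationWindow = '0.00:30:00'
}
$policies = @(
    @{ Name = 'PSO-Admins';  Precedence = 10; MaxPasswordAge = '14.00:00:00'; MinPasswordLength = 15; LockoutThreshold = 5;  Group = 'PSO Admins' }
    @{ Name = 'PSO-Service'; Precedence = 20; MaxPasswordAge = '31.00:00:00'; MinPasswordLength = 32; LockoutThreshold = 10; Group = 'PSO Service Accounts' }
    @{ Name = 'PSO-Users';   Precedence = 90; MaxPasswordAge = '90.00:00:00'; MinPasswordLength = 8;  LockoutThreshold = 10; Group = 'PSO Standard Users' }
)

foreach ($p in $policies) {
    # Step 4: one global security group per policy (PSOs bind to users and global groups only).
    if (-not (Get-ADGroup -Filter "Name -eq '$($p.Group)'")) {
        New-ADGroup -Name $p.Group -GroupScope Global -GroupCategory Security
    }
    # Step 3 (continued): create the PSO if it does not exist yet.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        $params = @{} + $common
        foreach ($k in 'Name', 'Precedence', 'MaxPasswordAge', 'MinPasswordLength', 'LockoutThreshold') {
            $params[$k] = $p[$k]
        }
        New-ADFineGrainedPasswordPolicy @params
    }
    # Step 5: apply the policy to its group.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# Resultant policy for one user; $null means the Default Domain Policy applies.
function Get-EffectivePso([string]$User) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) { "$User -> $($pso.Name) (max age $($pso.MaxPasswordAge), min length $($pso.MinPasswordLength))" }
    else      { "$User -> Default Domain Policy" }
}
Get-EffectivePso 'svc-backup'   # placeholder sAMAccountName
```

Populate the groups before relying on the policies; a service account that is not yet a member of `PSO Service Accounts` silently falls back to the Default Domain Policy, which is what the last function makes visible.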

Event logs tell you exactly:
Who made a change
When the change was made
What object/attribute was changed
The beginning and end values
Auditing is controlled by:
Global audit policy
SACL
Schema
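An added PowerShell example (not from the slides) that enables the Directory Service Changes subcategory on a Windows Server 2008 DC and then reads back exactly the four facts the slide lists from event ID 5136: who, when, which object/attribute, and the old and new values (a modification is logged as a "Value Deleted" and a "Value Added" event sharing one OpCorrelationID). It assumes an elevated session on the DC; the global audit policy is set here with auditpol, while the SACL on the objects to be watched (the slide's second control) is assumed to be configured separately through the object's security settings.

```powershell
# Added example: enable DS Changes auditing and pair up 5136 events into
# who/when/what/old->new records. Not from the slides.
# Assumptions: elevated session on a Windows Server 2008 DC; the watched
# objects carry a SACL auditing 'Write all properties' (set separately).
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

function Get-DsChange([int]$MaxEvents = 500) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $byOp = @{}
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # One record per (operation, object, attribute); the two halves of a
        # modification share the OpCorrelationID.
        $key = "$($d['OpCorrelationID'])|$($d['ObjectDN'])|$($d['AttributeLDAPDisplayName'])"
        if (-not $byOp.ContainsKey($key)) {
            $byOp[$key] = New-Object PSObject -Property @{
                When      = $e.TimeCreated
                Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Class     = $d['ObjectClass']
                Attribute = $d['AttributeLDAPDisplayName']
                OldValue  = $null
                NewValue  = $null
            }
        }
        switch ($d['OperationType']) {
            '%%14674' { $byOp[$key].NewValue = $d['AttributeValue'] }   # Value Added
            '%%14675' { $byOp[$key].OldValue = $d['AttributeValue'] }   # Value Deleted
        }
    }
    $byOp.Values | Sort-Object When -Descending
}

# Attributes a defender usually wants to see change history for: group
# membership ('member' on the group object), account control flags, logon
# scripts and SPNs. Constructed watch list.
$watch = @('member', 'userAccountControl', 'scriptPath', 'servicePrincipalName')
Get-DsChange | Where-Object { $watch -contains $_.Attribute } |
    Format-Table When, Who, Attribute, OldValue, NewValue, Object -AutoSize -Wrap
```

Because the subcategory setting is per DC, push it through the Default Domain Controllers Policy rather than running auditpol on each DC by hand; the event query itself can be centralised by collecting the Security logs with event forwarding.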

Restartable AD DS: fewer reboots for servicing
Without a reboot you can now:
Apply DS patches
Perform offline defragmentation
DS stopped similar to member server:
NTDS.dit is offline
Can log on locally with DSRM password
Server Core
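An added PowerShell example (not from the slides) of the offline-defragmentation case: stop the NTDS service, compact NTDS.dit with ntdsutil, verify integrity, and bring the service and everything that depended on it back, all without a reboot. It assumes an elevated session on the DC, the default database path `C:\Windows\NTDS`, and a scratch directory `C:\NTDS-Compact` (placeholder) with at least as much free space as the current database.

```powershell
# Added example: offline defragmentation with the directory service stopped,
# no reboot. Not from the slides.
# Assumptions: elevated on the DC; C:\Windows\NTDS is the database path;
# C:\NTDS-Compact (placeholder) has free space >= the current NTDS.dit.
$ntdsDir = 'C:\Windows\NTDS'
$compact = 'C:\NTDS-Compact'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'

# Services that depend on NTDS (KDC, DFS Replication, ...) stop with it and
# are not restarted automatically, so record which ones were running.
function Get-DependentChain([string]$Name) {
    foreach ($s in (Get-Service -Name $Name).DependentServices) {
        Get-DependentChain $s.Name
        $s
    }
}
$wasRunning = @(Get-DependentChain 'NTDS' | Where-Object { $_.Status -eq 'Running' } |
                Select-Object -ExpandProperty Name -Unique)

# 1. Stop the directory service; the DC now behaves like a member server.
Stop-Service -Name NTDS -Force
(Get-Service -Name NTDS).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

try {
    # 2. Write a compacted copy of the database to the scratch directory.
    New-Item -ItemType Directory -Path $compact -Force | Out-Null
    ntdsutil "activate instance ntds" files "compact to $compact" quit quit
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path "$compact\ntds.dit")) {
        throw "ntdsutil compact did not produce $compact\ntds.dit"
    }

    # 3. Keep the old database, swap in the compacted one, and remove the
    #    transaction logs that belonged to the old file.
    Copy-Item "$ntdsDir\ntds.dit" "$ntdsDir\ntds.dit.$stamp.bak"
    Copy-Item "$compact\ntds.dit" "$ntdsDir\ntds.dit" -Force
    Remove-Item "$ntdsDir\*.log"

    # 4. Integrity check before the service comes back.
    ntdsutil "activate instance ntds" files integrity quit quit
    if ($LASTEXITCODE -ne 0) { throw 'Integrity check failed; restore ntds.dit from the .bak copy' }
}
finally {
    # 5. Start NTDS and whatever depended on it, then show the result.
    Start-Service -Name NTDS
    foreach ($svc in $wasRunning) { Start-Service -Name $svc -ErrorAction SilentlyContinue }
    Get-Service -Name (@('NTDS') + $wasRunning) | Format-Table Name, Status -AutoSize
}
```

While NTDS is stopped the DC authenticates nobody, so run this on one DC at a time and outside the hours the site depends on it; the `.bak` copy is what you fall back to if the integrity check fails.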

Protection from accidental deletion of objects in Active Directory
Snapshot viewer enables restore of deleted objects
Leverages VSS snapshots of AD database taken via NTDSUTIL
Use LDAP client to bind to snapshot and view read-only instances of AD databases
Enables objects to be recreated using LDAP APIs and tombstone reanimation
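An added PowerShell example (not from the slides) that walks the whole slide: protect OUs from accidental deletion, take a VSS snapshot with ntdsutil, mount it and expose it read-only with dsamain on an alternate LDAP port, read a deleted user's attributes from the snapshot with a plain LDAP search, reanimate the tombstone in the live directory, and put the stripped attributes and group memberships back. It assumes an elevated session on a DC with the ActiveDirectory module; the snapshot GUID, the mount path and the account `jdoe` are placeholders to be taken from ntdsutil's own output.

```powershell
# Added example: snapshot, mount, read, reanimate. Not from the slides.
# Assumptions: elevated on a DC with the ActiveDirectory module; snapshot
# GUID, mount path and the account name are placeholders.
Import-Module ActiveDirectory

# Protection from accidental deletion: a deny-delete ACE on every OU.
Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion $true

# 1. Take a VSS snapshot of the database (worth scheduling).
ntdsutil snapshot "activate instance ntds" create quit quit

# 2. List and mount it: 'list all' prints the GUIDs, 'mount' prints the path.
ntdsutil snapshot "list all" quit quit
$snapGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder from 'list all'
ntdsutil snapshot "mount $snapGuid" quit quit
$snapRoot = 'C:\$SNAP_200804230900_VOLUMEC$'           # placeholder from 'mount' output

# 3. Serve the snapshot as a read-only LDAP instance on port 10389.
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList "-dbpath `"$snapRoot\Windows\NTDS\ntds.dit`" -ldapport 10389"
Start-Sleep -Seconds 15

try {
    # 4. Read the object as it was, with any LDAP client (here System.DirectoryServices).
    $sam  = 'jdoe'                                          # placeholder sAMAccountName
    $nc   = [string]([ADSI]'LDAP://localhost:10389/RootDSE').defaultNamingContext
    $srch = New-Object System.DirectoryServices.DirectorySearcher(
                [ADSI]"LDAP://localhost:10389/$nc", "(sAMAccountName=$sam)")
    $old  = $srch.FindOne()
    if (-not $old) { throw "$sam not found in the snapshot" }

    # 5. Reanimate the tombstone in the live directory, then restore the
    #    attributes the tombstone stripped (constructed list; extend as needed).
    $tomb = Get-ADObject -Filter "sAMAccountName -eq '$sam' -and isDeleted -eq `$true" -IncludeDeletedObjects
    if (-not $tomb) { throw "No tombstone for $sam; it may already be restored or past tombstone lifetime" }
    Restore-ADObject -Identity $tomb.ObjectGUID

    $attrs = @{}
    foreach ($a in 'displayName', 'givenName', 'sn', 'description', 'telephoneNumber', 'mail') {
        $v = $old.Properties[$a.ToLower()]
        if ($v.Count -gt 0) { $attrs[$a] = [string]$v[0] }
    }
    if ($attrs.Count -gt 0) { Set-ADObject -Identity $tomb.ObjectGUID -Replace $attrs }
    foreach ($g in $old.Properties['memberof']) {
        Add-ADGroupMember -Identity ([string]$g) -Members $tomb.ObjectGUID
    }
    # The reanimated account comes back disabled without a password; set one
    # and enable it through your normal account-provisioning process.
}
finally {
    # 6. Tear the read-only instance down and unmount the snapshot.
    Stop-Process -Id $dsamain.Id -ErrorAction SilentlyContinue
    ntdsutil snapshot "unmount $snapGuid" quit quit
}
```

The snapshot contains every password hash in the domain, so the mounted path and the port 10389 instance deserve the same protection as NTDS.dit itself: keep the mount short-lived, as the `finally` block does, and store scheduled snapshots on an encrypted volume.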

Use Server Performance Advisor to collect performance statistics
XML report tells you most searched attribute, most accessed DC, etc.
Deploy AD MP SP1 for Windows Server 2008 DC/RODCs

Security, Manageability, Branch Office

GPO Preferences: Acquisition
Acquired DesktopStandard in Oct. 2006 to extend investment in Group Policy: PolicyMaker and GPOVault
GPOVault: Advanced Group Policy Management (AGPM) available through Microsoft Desktop Optimization Pack (MDOP) for Software Assurance
PolicyMaker: extensions made available for Server 2008; Group Policy extensions implemented as Group Policy Preferences

GPO Preferences Details
1,800+ policy settings in XP versus 2400+ in Windows Vista / Server 2008
Variety of support across the Operating System
Group Policy is a Windows Manageability basic
Policy Settings Greatly Expanded in a Number of Areas; examples include:
Removable Storage Devices
IPSec/Windows Firewall
Power Management
Printer Management
Troubleshooting and Diagnostics
Windows Defender
Network Access Protection
Internet Explorer
Tablet PC
Windows Error Reporting
User Account Control (UAC)
Wired and Wireless Policy
Desktop Shell
Globalization
Remote Assistance

GPO Preferences UI and Summary
Improves IT productivity
Reduces need for logon scripts
Limits configuration errors
Enhances end-user satisfaction
Minimizes image maintenance
Reduces overall image count

The release to manufacturing (RTM) version of Exchange 2007 cannot be installed on Windows Server 2008. However, Exchange 2007 Service Pack 1 will be supported for installation on Windows Server 2008.
Exchange Server 2003 Service Pack 2, Exchange 2007, and Exchange 2007 SP1 (when released) are supported in environments that either partly or entirely use writeable Windows Server 2008 directory servers.
No version of Microsoft Exchange uses read-only domain controllers (RODCs)

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.