
Active Directory

Windows Server 2008 R2


Updates

Session Objectives And Takeaways
Describe Active Directory features in
Windows Server 2008 R2
Discuss the importance of these features
to our customers
Demonstrate how some of these features
will benefit our customers

Agenda
What’s new in Active Directory for Windows
Server 2008 R2?
PowerShell Cmdlets
Active Directory Administrative Center
Best Practice Analyzer
Recycle Bin for AD
Managed Service Accounts
Offline Domain Join
Authentication Assurance
Health Model and Management Packs
Active Directory Tour demonstration
Conclusion
PowerShell for AD
Command-line scripting for administrative, configuration and diagnostic tasks

Past limitations
30+ command-line tools for administering AD, inconsistent in their usage
Difficult to compose these tools to achieve complex tasks
Feature takeaway
85+ AD cmdlets for comprehensive AD DS and AD LDS administration and configuration
Communicates with the domain controller over web service protocols (the new AD Web Service) rather than LDAP or RPC directly
Can also manage Windows Server 2008 and 2003 domain controllers once the AD Web Service becomes available for them as a separate download
PowerShell Advantages
Consistent vocabulary and syntax (Verb-ADNoun)
Predictable discovery (Get-Command, Get-Help)
Flexible output formatting
Cmdlets can be easily composed through the pipeline to build complex operations
End-to-end manageability together with Exchange, Group Policy, etc.

PowerShell Provider Model
Provides sessions, server context, security context and path context
Enables best practices sharing across connections
Combination of cmdlets & provider means familiar model for users
Perform operations in AD that are similar to the file system or registry,
such as rename, move, etc

Get-Command -CommandType Cmdlet *-AD*

Add-ADComputerServiceAccount
Add-ADDomainControllerPasswordReplicationPolicy
Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership
Clear-ADAccountExpiration
Disable-ADAccount
Disable-ADOptionalFeature
Enable-ADAccount
Enable-ADOptionalFeature
Get-ADAccountAuthorizationGroup
Get-ADAccountResultantPasswordReplicationPolicy
Get-ADComputer
Get-ADComputerServiceAccount
Get-ADDefaultDomainPasswordPolicy
Get-ADDomain
Get-ADDomainController
Get-ADDomainControllerPasswordReplicationPolicy
Get-ADDomainControllerPasswordReplicationPolicyUsage
Get-ADFineGrainedPasswordPolicy
Get-ADFineGrainedPasswordPolicySubject
Get-ADForest
Get-ADGroup
Get-ADGroupMember
Get-ADObject
Get-ADOptionalFeature
Get-ADOrganizationalUnit
Get-ADPrincipalGroupMembership
Get-ADRootDSE
Get-ADServiceAccount
Get-ADUser
Get-ADUserResultantPasswordPolicy
Install-ADServiceAccount
Move-ADDirectoryServer
Move-ADDirectoryServerOperationMasterRole
Move-ADObject
New-ADComputer
New-ADFineGrainedPasswordPolicy
New-ADGroup
New-ADObject
New-ADOrganizationalUnit
New-ADServiceAccount
New-ADUser
Remove-ADComputer
Remove-ADComputerServiceAccount
Remove-ADDomainControllerPasswordReplicationPolicy
Remove-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicySubject
Remove-ADGroup
Remove-ADGroupMember
Remove-ADObject
Remove-ADOrganizationalUnit
Remove-ADPrincipalGroupMembership
Remove-ADServiceAccount
Remove-ADUser
Rename-ADObject
Reset-ADServiceAccountPassword
Restore-ADObject
Search-ADAccount
Set-ADAccountControl
Set-ADAccountExpiration
Set-ADAccountPassword
Set-ADComputer
Set-ADDefaultDomainPasswordPolicy
Set-ADDomain
Set-ADDomainMode
Set-ADFineGrainedPasswordPolicy
Set-ADForest
Set-ADForestMode
Set-ADGroup
Set-ADObject
Set-ADOrganizationalUnit
Set-ADServiceAccount
Set-ADUser
Uninstall-ADServiceAccount
Unlock-ADAccount
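The pipeline composition and provider model from the preceding slides, shown on a concrete hygiene task. This is an added example, not code from the deck or from Microsoft; it assumes the ActiveDirectory module of Windows Server 2008 R2 (or RSAT) with a reachable DC, and the quarantine OU, the 90-day threshold and the -Commit switch are illustrative choices.

```powershell
# Added example: compose the *-AD* cmdlets through the pipeline, then look at
# the same objects through the AD: provider. Nothing is changed unless -Commit
# is given; OU name and threshold are placeholders.
param([switch]$Commit)
Import-Module ActiveDirectory

$quarantineOu = 'OU=Quarantine,OU=Users,DC=corp,DC=example,DC=com'   # assumed OU
$cutoff       = (Get-Date).AddDays(-90)

# 1. Enabled user accounts with no logon in 90 days. Search-ADAccount emits
#    ADAccount objects; Get-ADUser takes them by identity from the pipeline
#    and adds the attributes the report needs.
$stale = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
         Where-Object { $_.Enabled } |
         Get-ADUser -Properties LastLogonDate, PasswordLastSet, MemberOf

# 2. Stale accounts that are also privileged are the ones an attacker would
#    reuse, so they are listed first.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty DistinguishedName
$stale | Select-Object SamAccountName, LastLogonDate, PasswordLastSet,
             @{ n = 'Privileged'; e = { $privileged -contains $_.DistinguishedName } } |
         Sort-Object Privileged -Descending | Format-Table -AutoSize

# 3. Disable, then move. Each cmdlet in the chain supports -WhatIf, so the
#    dry run shows exactly what the committed run will do.
if ($Commit) {
    $stale | Disable-ADAccount -PassThru | Move-ADObject -TargetPath $quarantineOu
} else {
    $stale | Disable-ADAccount -WhatIf
    $stale | Move-ADObject -TargetPath $quarantineOu -WhatIf
}

# 4. Provider view: the directory is mounted as the AD: drive, so file-system
#    verbs apply to OUs and objects (Get-ChildItem, Move-Item, Rename-Item).
Set-Location "AD:\$quarantineOu"
Get-ChildItem | Select-Object Name, ObjectClass
Get-ItemProperty -Path "AD:\$quarantineOu" -Name gPLink      # GPOs linked here
Set-Location C:\
```

Run it first without -Commit and read the -WhatIf output; the disable-then-move order matters because Move-ADObject on an account that is still enabled leaves a window in which the account works from an OU whose group policy and delegation you have not reviewed.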

Administrative Center for AD
Increase the productivity of IT Pros by providing a scalable, task-
oriented UX for managing Active Directory
Past limitations
Non task-oriented UI causes customer pain
Example: resetting user passwords
Representation in MMC not scalable for large datasets
Feature takeaway
Tasks executed through PowerShell Cmdlets
Task oriented administration model, with support
for larger datasets
Consistency between CLI and UI management capabilities
Navigation experience designed to support multi-domain,
multi-forest environments

Progressive disclosure
Task oriented
Powershell based instrumentation
Multi-Domains/Multi-Forests

Best Practice Analyzer
Identify deviations from best practices to help our customers
better manage their Active Directory deployments
Past limitations
No easy and automated validation of AD configuration
against best practices
Feature takeaway
Analyzes AD settings that cause most unexpected behavior in
customer environments
Leverages PowerShell cmdlets to gather run-time data
Makes recommendations in the context of the deployment
Available through Server Manager BPA runtime tool

Best Practice Analyzer: first set of scenarios
Version 1.0 of the BPA focuses mostly on common DNS registration and FSMO placement issues
Each DC's SRV records are registered with its DNS server
Each DC's A/AAAA records are registered with its DNS server
Each DC has a valid host name
Schema Master and Domain Naming Master FSMO roles are recommended to be on the same machine
RID Master and PDC Emulator FSMO roles are recommended to be on the same machine
Each domain is recommended to have at least two DCs
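The packaged BPA runs from Server Manager; the script below is an added example, not the BPA's own rule code, that re-implements the six checks listed above with the AD cmdlets so they can be run from any host and kept in version control. It assumes the ActiveDirectory module and, for the SRV lookup, Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later; on Windows 7 / 2008 R2 substitute nslookup -type=SRV). Severity labels are the example's own.

```powershell
# Added example: BPA-style checks over every domain in the forest.
# Assumes ActiveDirectory module + Resolve-DnsName; severities are illustrative.
Import-Module ActiveDirectory

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Severity, [string]$Check, [string]$Detail) {
    $null = $findings.Add((New-Object PSObject -Property @{
        Severity = $Severity; Check = $Check; Detail = $Detail }))
}

$forest = Get-ADForest
# Forest-wide FSMO roles: Schema Master and Domain Naming Master on one host
if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
    Add-Finding 'Warning' 'ForestFsmoColocation' `
        ("Schema Master {0}, Domain Naming Master {1}" -f $forest.SchemaMaster, $forest.DomainNamingMaster)
}

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    # Domain-wide FSMO roles: RID Master and PDC Emulator on one host
    if ($domain.RIDMaster -ne $domain.PDCEmulator) {
        Add-Finding 'Warning' 'DomainFsmoColocation' `
            ("{0}: RID Master {1}, PDC Emulator {2}" -f $domainName, $domain.RIDMaster, $domain.PDCEmulator)
    }
    # At least two DCs, otherwise a single failure takes the domain down
    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
    if ($dcs.Count -lt 2) {
        Add-Finding 'Error' 'MinimumDcCount' ("{0} has {1} domain controller(s)" -f $domainName, $dcs.Count)
    }
    # One SRV query per domain; every DC must appear among the targets
    $srvTargets = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty NameTarget)
    foreach ($dc in $dcs) {
        $fqdn = $dc.HostName
        # Valid host name: labels of letters, digits and hyphens, at least one dot
        if ($fqdn -notmatch '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$') {
            Add-Finding 'Error' 'DcHostName' "$fqdn is not a valid DNS host name"
        }
        # A/AAAA registration: the name must resolve
        try   { $null = [System.Net.Dns]::GetHostAddresses($fqdn) }
        catch { Add-Finding 'Error' 'DcAddressRecord' "$fqdn has no A/AAAA record" }
        # SRV registration
        if ($srvTargets -notcontains $fqdn) {
            Add-Finding 'Error' 'DcSrvRecord' "$fqdn missing from _ldap._tcp.dc._msdcs.$domainName"
        }
    }
}

$findings | Sort-Object Severity, Check | Format-Table Severity, Check, Detail -AutoSize
```

The SRV check is the one that most often explains "random" Kerberos failures: a DC whose records have expired or were scavenged still answers LDAP, but clients never locate it, so the load silently shifts to the remaining DCs.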

Management stack: Windows Server 2008 versus the Windows Server 2008 R2 additions (architecture diagram; text recovered from the slide)

Windows Server 2008
GUI: ADUC / ADSS / ADDT (MMC snap-ins)
CLI: MMC, WSH
Client APIs: ADSI; .NET (S.DS.P / S.DS.AM / S.DS.AD)
Wire protocols to the server: DS RPC-based protocols (SAM, DSR, ...), LDAP
Server: AD Core

Windows Server 2008 R2 additions
GUI: BPA, ADMUX (Administrative Center)
CLI: AD PS MUX (AD PowerShell module)
Client stack: .NET, WCF, WPF
Server: AD Web Service (WCF-hosted) in front of AD Core, alongside the existing DS RPC-based protocols and LDAP
Recycle Bin for AD
Customers can undo an accidental deletion in Active Directory
Past limitations
Accidental object deletion causes business downtime: deleted users cannot log on or access corporate resources
Accidental deletions are the number one cause of AD disaster recovery scenarios
Feature takeaway
Recycle Bin for AD DS and AD LDS objects
Requires the new Windows Server 2008 R2 forest functional level; the feature is then switched on explicitly (it is off by default) and cannot be switched off again
Requires all DCs in the forest to be Windows Server 2008 R2 DCs
For AD LDS, all replicas must be running in a new 'application mode'
Recycle Bin for AD: object life-cycle

Windows Server 2008 (and Windows Server 2008 R2 with the Recycle Bin not enabled, where the behavior is similar):
Live object -> Tombstone object (180 days, the tombstone lifetime) -> Garbage collection
LDAP control OID 1.2.840.113556.1.4.417 returns tombstones (most attributes already stripped, so a reanimated tombstone is incomplete)

Windows Server 2008 R2 with the Recycle Bin enabled:
Live object -> Deleted object (180 days; attributes preserved, fully restorable) -> Recycled object (180 days; attributes stripped, no longer restorable) -> Garbage collection
LDAP control OID 1.2.840.113556.1.4.417 returns deleted objects
LDAP control OID 1.2.840.113556.1.4.2064 returns deleted and recycled objects
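The life-cycle above, driven end to end: enable the feature, then restore a deleted OU and the users it contained, parents before children. This is an added example, not code from the deck; it assumes the ActiveDirectory module on a Windows Server 2008 R2 DC, and the OU name is a placeholder.

```powershell
# Added example: enable the Recycle Bin and restore a deleted OU with its users.
# Assumes a 2008 R2 forest; 'Contractors' is a placeholder OU name.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# 1. Preconditions: every DC on 2008 R2 (forest mode 4 = Windows2008R2Forest).
#    Enabling replicates forest-wide and is irreversible, hence the prompt.
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); Windows2008R2Forest is required"
}
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$true
}

# 2. Deleted objects that are still restorable (deleted, not yet recycled).
#    -IncludeDeletedObjects gives the view an LDAP client gets with the
#    1.2.840.113556.1.4.417 control; recycled objects are filtered out since
#    they cannot be restored any more.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties isRecycled, lastKnownParent, whenChanged |
    Where-Object { -not $_.isRecycled }
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# 3. Restore parents before children: an object can only be restored into a
#    parent that exists. A deleted object's Name carries a "\0ADEL:<guid>"
#    suffix, so match on the prefix.
$ouName = 'Contractors'
$ou = $deleted | Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and $_.Name -like "$ouName*" }
Restore-ADObject -Identity $ou
$restoredOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'"
$deleted | Where-Object { $_.ObjectClass -eq 'user' -and $_.lastKnownParent -eq $restoredOu.DistinguishedName } |
    Restore-ADObject

# 4. Verify: restored users keep their SID and group memberships, which is
#    what a tombstone reanimation on Windows Server 2008 could not give back.
Get-ADUser -Filter * -SearchBase $restoredOu.DistinguishedName -Properties MemberOf |
    Select-Object SamAccountName, SID, @{ n = 'Groups'; e = { $_.MemberOf.Count } }
```

Because the recovered objects come back with their original SIDs, the restore also re-grants whatever access those SIDs had; review the list in step 2 before restoring rather than restoring everything under the OU blindly.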
Managed Service Accounts
Simple management of service accounts
Past limitations
Management of individual accounts for services is cumbersome
Periodic maintenance often causes outages
Example: resetting a service account password, then updating every service that uses it
Feature takeaway
A manageable solution that addresses isolation needs for services
Automatic SPN management at the Windows Server 2008 R2 domain functional level
Lower TCO from reduced service outages (for manual password resets and related issues)
One Managed Service Account per service; an MSA is bound to a single computer and cannot be shared across hosts
No human intervention for password management: the host rotates the password itself, as it does for its machine account
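The provisioning sequence for one service on one host, as an added example (not code from the deck or from Microsoft). It assumes the ActiveDirectory module, the Windows Server 2008 R2 domain functional level for the SPN step, and placeholder names for the domain (CORP), account (svcWeb), host (WEB01) and service (MyWebService).

```powershell
# Added example: create, bind and install a standalone Managed Service Account.
# Names are placeholders; steps 4-6 run on the target host.
Import-Module ActiveDirectory

$account  = 'svcWeb'
$computer = 'WEB01'
$fqdn     = 'web01.corp.example.com'

# --- On a DC or admin workstation --------------------------------------------
# 1. Create the MSA. Nobody knows its password and it cannot log on interactively.
New-ADServiceAccount -Name $account -Enabled $true `
    -Description "Runs MyWebService on $computer" `
    -Path 'OU=ServiceAccounts,DC=corp,DC=example,DC=com'

# 2. Bind it to the single computer allowed to retrieve its password.
Add-ADComputerServiceAccount -Computer $computer -ServiceAccount $account

# 3. Register the SPNs the service authenticates under; at the 2008 R2 domain
#    functional level they follow the host name automatically from here on.
Set-ADServiceAccount -Identity $account -ServicePrincipalNames @{ Add = "HTTP/$fqdn", "HTTP/$computer" }

# --- On WEB01, as a local administrator --------------------------------------
# 4. Install: the host's LSA takes over the password and rotates it like the
#    machine account password (30 days by default), with no human involved.
Install-ADServiceAccount -Identity $account

# 5. Run the service as the MSA. The trailing $ marks a computer-style account;
#    the password is intentionally empty. sc.exe does not grant the
#    "Log on as a service" right (services.msc does), so grant it separately.
sc.exe config MyWebService obj= "CORP\$account`$" password= ""
Restart-Service MyWebService

# 6. Verify the binding from the directory side.
Get-ADServiceAccount -Identity $account -Properties HostComputers, ServicePrincipalNames, PasswordLastSet |
    Select-Object Name, HostComputers, ServicePrincipalNames, PasswordLastSet
```

PasswordLastSet in step 6 is the check to revisit a month later: if it has not moved, the host is not rotating the password and the MSA has quietly become an ordinary static-credential account.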
Offline Domain Join
Enable easier provisioning of machines in the data center
Past limitations
An extra reboot is needed after a conventional domain join
Inability to prepare a machine for domain membership while it is offline
Feature takeaway
Ability to pre-provision machine accounts in the domain and prepare OS images for mass deployment
Machines are domain joined on their initial boot
Reduces the steps and time needed to deploy in the data center
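The two halves of an offline domain join, provisioning and applying, as an added example (not from the deck). It assumes a Windows 7 / Server 2008 R2 provisioning host with rights to create computer objects, the ActiveDirectory module for the verification step, and placeholder names (corp.example.com, WEB02, an image mounted at D:\).

```powershell
# Added example: offline domain join with djoin.exe. Names are placeholders.
Import-Module ActiveDirectory

$domain  = 'corp.example.com'
$machine = 'WEB02'
$blob    = "C:\odj\$machine.txt"

# --- Provisioning host ---------------------------------------------------------
# 1. Pre-create the computer account and write the join blob. The blob carries
#    the machine account password (base64), so handle it as a credential:
#    authenticated transfer only, never in a shared image or a ticket.
djoin.exe /provision /domain $domain /machine $machine `
    /machineou 'OU=Web,DC=corp,DC=example,DC=com' /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# 2. The account now exists ahead of the machine; confirm it landed in the
#    intended OU rather than the default Computers container.
Get-ADComputer -Identity $machine -Properties whenCreated |
    Select-Object Name, DistinguishedName, Enabled, whenCreated

# --- Target image, before first boot ------------------------------------------
# 3. Inject the blob into the mounted image; the join completes on first boot
#    with no additional reboot.
djoin.exe /requestodj /loadfile $blob /windowspath 'D:\Windows'

# --- Or: a running machine that is not yet joined -----------------------------
djoin.exe /requestodj /loadfile $blob /windowspath $env:SystemRoot /localos

# 4. The blob has done its job; remove it so the password it contains is gone.
Remove-Item $blob -Force
```

Step 2 is also where to check that the provisioning account's delegation is no wider than "create computer objects" in that OU: an account used for mass provisioning is an attractive target precisely because it runs unattended.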
Authentication Assurance
Applications can control resource access based on authentication strength and method
Past limitations
Customers cannot use the authentication type or authentication strength to protect corporate data
Example: control access to resources based on claims such as a smart-card logon, or a logon certificate issued under a policy that requires a 2048-bit key
Feature takeaway
Administrators map properties of the authentication, including its type and strength (expressed as certificate issuance policies), to a group identity
Based on the information presented during authentication, these group SIDs are added to the user's Kerberos tickets for use by applications
Feature is enabled with a new domain functional level
All domain controllers in the domain need to be Windows Server 2008 R2 DCs
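The mapping step in practice: linking a certificate issuance policy to a universal security group, so that a smart-card logon whose certificate carries that policy receives the group's SID in its Kerberos ticket. This is an added example, not the deck's or Microsoft's own script; it assumes the ActiveDirectory module, an already published issuance policy with the display name given below, the 2008 R2 domain functional level, and placeholder names.

```powershell
# Added example: link an issuance policy OID to an empty universal security group.
# Policy and group names are placeholders.
Import-Module ActiveDirectory

$policyName = 'Smartcard Logon Assurance'   # assumed issuance policy display name
$groupName  = 'AuthAssurance-SmartCard'     # assumed group name

# 1. Precondition: all DCs in the domain on 2008 R2 (domain mode 4 = Windows2008R2Domain).
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 4) {
    throw "Domain functional level is $($domain.DomainMode); Windows2008R2Domain is required"
}

# 2. The linked group must be universal, security-enabled and without members:
#    membership is conferred by the authentication method, never by hand.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Properties Members
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -PassThru
}
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security' -or $group.Members.Count -gt 0) {
    throw "$groupName must be an empty universal security group"
}

# 3. Issuance policies live as msPKI-Enterprise-Oid objects under the OID
#    container of the configuration partition; the link is the
#    msDS-OIDToGroupLink attribute on that object.
$oidContainer = 'CN=OID,CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$policy = Get-ADObject -SearchBase $oidContainer -Filter "displayName -eq '$policyName'" `
    -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink
if (-not $policy) { throw "Issuance policy '$policyName' not found under $oidContainer" }

Set-ADObject -Identity $policy -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# 4. Audit: every policy-to-group link currently in force. Anything here that
#    nobody can account for is a way to mint group membership via certificates.
Get-ADObject -SearchBase $oidContainer -Filter 'msDS-OIDToGroupLink -like "*"' `
    -Properties displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink |
    Select-Object displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink
```

After a fresh smart-card logon, whoami /groups on the client lists the group and a file server can ACL data to it; a password logon by the same user does not receive it, which is the whole point. The audit in step 4 belongs in routine review: whoever controls the CA's issuance policies can now influence group membership, so the CA's template and policy ACLs deserve the same scrutiny as the group itself.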
Health Model
Enable IT administrators to better diagnose
and resolve Active Directory issues
Past limitations
Diagnostic information is
incomplete and inconsistent
Feature takeaway
Continued investment towards completing
the health model
A single authoritative source for information
used in Management Packs, Best Practice
Analyzer and online documentation

Management Pack
Provide proactive monitoring of availability
and performance of Active Directory
Past limitations
Current management pack lacks support
for Windows Server 2008 and MOM 2007
Feature takeaway
Support for Windows Server 2008 domain controllers
Multiple replication latency groups
Ability to monitor multiple forests from a single
management group
Management pack for MOM 2007
The journey to Windows Server 2008 R2
Upgrading to Windows 7 clients while keeping existing servers, you can use:
Offline domain join
Once the AD Web Service is available for existing servers, with Windows 7 clients you can use:
AD PowerShell and ADAC with all your servers
Upgrading to Windows 7 clients while installing one or more Windows Server 2008 R2 DCs (at least one per domain), you can use:
Managed Service Accounts
If you raise the domain functional level to Windows Server 2008 R2, you can use:
Authentication Assurance
Managed Service Accounts with automatic SPN management
If you raise the forest functional level to Windows Server 2008 R2, you can use:
AD Recycle Bin
Related Content
Tuesday, November 4th
Identity Lifecycle Manager 2 (Part 1): Empowering users with self-service identity management solutions 10:45-12:00pm
Windows Server 2008 R2 Active Directory: What's Coming Up? 1:30-2:45pm
Chalk & Talk: Windows Server Active Directory (IDA03-IS) 3:15-4:30pm
Windows Vista PKI Enhancement in Windows 7 and Windows Server 2008 R2 3:15-4:30pm
Going Virtual with the Intelligent Application Gateway and a Sneak Peek at the Future! 3:15-4:30pm
Forefront Security for Exchange Server: Advanced Spam and AntiMalware Scanning Today and Tomorrow 5:00-6:15pm
Active Directory Rights Management Services (AD RMS) - End to End 5:00-6:15pm

Wednesday, November 5th


Microsoft Forefront Security for SharePoint: The Next Generation of Collaboration Security 9:00-10:15am
Ask The Experts 12:15-12:45pm
Identity Lifecycle Manager 2 (Part 2): Expressing and enforcing business policy 1:30-2:45pm
Introduction to Microsoft Forefront Codename Stirling 1:30-2:45pm
Connecting Active Directory to Microsoft Cloud Services 3:45-5:00pm
Hybrid Messaging Security for Exchange Server 3:45-5:00pm
Using Active Directory Domain Services for Linux Servers 5:30-6:45pm

Visit the Identity & Security booths for a detailed guide to activities at TechEd EMEA
Related Content
Thursday, November 6th
Windows Server 2008 Active Directory Best Practices (IDA08) 8:30-9:45am
Notes from the Field: Deploying Microsoft Identity Lifecycle Manager 2007 Certificate Management 10:15-11:30am
Ask The Experts 12:15-12:45pm
Successful deployment tips for Security and Strong Authentication 1:00-2:15pm
Using Network Access Protection (NAP) in combination with FCS 1:00-2:15pm
Identity Lifecycle Manager 2 (Part 3): Extensibility and provisioning with ILM 2 2:40-3:55pm

Universal sign-in utilizing AD, CardSpace and federation technologies: How to sign in any user, in any kind of application, in any scenario, using 'Zermatt' and claims-based identity 4:20-5:35pm

Windows Server 2008 R2 Active Directory: What’s Coming Up? (IDA309–REPEAT) 6:00-7:15pm

Friday, November 7th


Active Directory Information Security - Where is the boundary? 9:00-10:15am
A Technical Preview and Deep Dive of Next Generation ISA Server 9:00-10:15am
A DS Geek's Notes from the Field - Active Directory Uncovered 10:45-12:00pm
Infrastructure services for SOA security and federation: 'Geneva' Security Token Services 3:15-4:30pm

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not
be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED
OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
