
The ActiveDirectory Module 2008R2 and 2012

Learn how to install, manage and utilize the ActiveDirectory Module for Windows Server 2008R2 and 2012 through this comprehensive course taught by expert Gary Siepser.






  1. The ActiveDirectory Module 2008R2 and 2012 (Written and Delivered by: Gary Siepser)

  2. AD Module Prerequisites
  • Server Side (we need AD Web Services)
    • At least one 2008 R2 or 2012 DC in the targeted domain, OR
    • A 2003 or 2008 DC running the Active Directory Management Gateway Service
  • Client Side (we need the AD PowerShell Module)
    • OS Requirement: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
    • Windows 7 and 8: install the current Remote Server Administration Tools
    • On Server versions, RSAT is already present, just add the feature
    • Add the ActiveDirectory Module either through the Add/Remove Features GUI or using PowerShell:
      Install-WindowsFeature RSAT-AD-PowerShell
  • To actually use the cmdlets the module must be imported
    • On PowerShell v2: Import-Module ActiveDirectory
    • PowerShell v3: you can import manually, but v3 will automatically import modules the first time you attempt to use a command from one

  3. New AD Cmdlets
  • The current set of AD PowerShell cmdlets can be classified into categories:
    • Account Management
    • Topology management
    • Directory object management
    • Provider cmdlets
  • New with Server 2012:
    • Active Directory Replication and Topology Management Using Windows PowerShell
    • Installing AD DS Using Windows PowerShell
    • Removing AD DS Using Windows PowerShell

  4. New AD Cmdlets
  • In the account management set we have cmdlets that:
    • Create, delete, write and read users, groups, computers, managed service accounts and Organizational Units (OUs)
    • Manage account settings such as expiration date, password, etc.
    • Manage group membership, get account token groups
    • Manage fine-grained password policy and the default domain password policy

  5. New AD Cmdlets
  • In the topology management set we have cmdlets that:
    • Discover DCs, manage FSMOs, move DCs across sites and get DC info
    • Manage the password replication policy of RODCs
    • Manage domain and forest, set forest and domain functional level
    • Manage optional features

  6. New AD Cmdlets
  • In the directory object management set we have cmdlets that:
    • Create, delete, write and read all types of AD object
    • Move, rename and restore AD objects
  • In the Provider cmdlets set we have cmdlets that enable file-system-like browsing of Active Directory through a PSDrive

  7. New AD Cmdlets (new for 2012)
  • The Active Directory Replication and Topology Management cmdlets manage:
    • Replication
    • Sites
    • SiteLinks
  • Similar functionality to RepAdmin.exe
  • In addition, the cmdlets are compatible with the existing Windows PowerShell for Active Directory cmdlets, thus creating a streamlined experience and allowing customers to easily create automation scripts

  8. New AD Cmdlets (new for 2012)
  • Installing AD DS Using Windows PowerShell
    • Beginning with Windows Server 2012, you can install AD DS using Windows PowerShell. Dcpromo.exe is deprecated beginning with Windows Server 2012
  • Removing AD DS Using Windows PowerShell
    • Uninstall-ADDomainController for removal of a Domain Controller
  • Deployment (install and uninstall) cmdlets are in the ADDSDeployment Module

  9. Getting Help with the Module
  • PSv3 introduces Updatable Help
    • No help is included with the cmdlets; it needs to be updated from the internet
    • Tricky with no direct internet connection
    • Can be done offline (Save-Help on a connected machine, then Update-Help targeting the saved copy)
    • The internet-connected machine will only Save-Help for modules it has
  • The Deployment Module only runs on a DC
    • The internet-connected machine likely won't have the module, thus no "off-line" help update (copying the module manifest can make this work)

  10. Connecting the Cmdlets to AD
  • You don't need to do anything to connect to AD with default settings
  • PSDrives do add some convenience:
    • When you load the AD PowerShell module (Import-Module ActiveDirectory), a default basic AD drive is created: AD:
    • Additional PS drives can be created for different flavors of AD connection, like DC vs GC, serverless vs explicit, alternate credentials to AD
    • Simply change the current working directory to the drive (or AD connection) you want to use, and then run the cmdlets
    • Example default GC connection drive:
      New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" -Description "Global Catalog Connection" -Server "contoso.com:3268"
  • On a cmdlet-by-cmdlet basis you can also control these same connection-related settings
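The drive-based and per-cmdlet connection choices above, as an added example that is not part of the deck. It assumes a domain contoso.com, a DC named dc1 and an admin account obtained via Get-Credential; all of these are placeholders.

```powershell
# Added example, not from the deck: explicit AD connection drives plus per-cmdlet
# -Server/-Credential. "contoso.com", "dc1" and the credential are placeholders.
Import-Module ActiveDirectory

# Forest-wide Global Catalog connection on port 3268 (read-only partial attribute set)
New-PSDrive -Name GC -PSProvider ActiveDirectory -Root "" `
    -Description "Global Catalog Connection" -Server "contoso.com:3268" | Out-Null

# Explicit connection to one writable DC under a separate admin identity;
# the credential is prompted for, never embedded in the script
$adminCred = Get-Credential -Message "Admin account for the explicit DC1 connection"
New-PSDrive -Name DC1 -PSProvider ActiveDirectory -Root "" `
    -Description "Explicit DC1 connection" -Server "dc1.contoso.com" `
    -Credential $adminCred | Out-Null

# The current drive decides which connection the cmdlets use
Set-Location GC:
Get-ADUser -Filter { surname -eq "Siepser" } -Properties mail |
    Format-Table Name, mail -AutoSize

Set-Location DC1:
# Same query, now answered by dc1 specifically, authenticated as $adminCred
Get-ADUser -Filter { surname -eq "Siepser" } |
    Format-Table Name, DistinguishedName -AutoSize

# The same settings can be given per call without changing drive
Set-Location C:
Get-ADDomainController -Server "dc1.contoso.com" -Credential $adminCred |
    Select-Object HostName, Site, IsGlobalCatalog

Remove-PSDrive -Name GC, DC1
```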

  11. Key Concept: Object Output from the Cmdlets
  • Cmdlets return objects with limited properties by default
  • Use the -Properties param to specify additional properties to bring back (i.e. -Properties office, or -Properties *)
  • Most AD objects have default formatting of a list; tables tend to be nicer looking, so often you must pipe to Format-Table to get nice looking results (i.e. Get-ADUser -Filter * | Format-Table Name,GivenName -AutoSize)

  12. Key Concept: The -Identity Parameter
  • The identity param is the default param, and position 1
  • Param used to target a single object
  • The eligible attributes vary by object type
  • Example for ADUser object:
    • Distinguished Name
    • GUID (objectGUID)
    • Security Identifier (objectSid)
    • SAM Account Name (sAMAccountName)
  • More details in: Get-Help about_ActiveDirectory_Identity (this help topic is only viewable while the module is loaded)

  13. Key Concept: The -LDAPFilter Parameter
  • This parameter allows for native LDAP filters
  • Can use filters created from other tools
  • LDAP filters use an odd syntax if you aren't already familiar with it
  • Must use actual attribute names from AD
  • Unless you are re-using old filters, or already are familiar with this syntax, I recommend using the -Filter param instead of -LDAPFilter
  • Ex:
    Get-ADUser -LDAPFilter "(givenname=g*)"
    Get-ADUser -LDAPFilter "(|(givenname=g*)(givenname=s*))"
    Get-ADUser -LDAPFilter "(&(|(givenname=g*)(givenname=s*))(office=mason))"

  14. Key Concept: The -Filter Parameter
  • This is a more PowerShell-like syntax that resembles the syntax of a Where-Object
  • Details can be found in the help topic: about_ActiveDirectory_Filter
  • We have more user-friendly names for attributes that can be used, though actual AD attribute names can also be used (to see all the friendly and AD names see: about_ActiveDirectory_ObjectModel)
  • Limited operators supported
  • Ex: Get-ADUser -Filter {surname -eq "Siepser"}
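To show the two filter syntaxes of slides 13 and 14 side by side on one realistic query, here is an added example (not from the deck) that runs the same password-hygiene review with -Filter and with -LDAPFilter and checks that both return the same accounts. The search base OU is a placeholder.

```powershell
# Added example, not from the deck: one review query written both ways.
# "OU=Users,DC=contoso,DC=com" is a placeholder search base.
Import-Module ActiveDirectory
$searchBase = "OU=Users,DC=contoso,DC=com"

# PowerShell-style -Filter: friendly attribute names and -eq/-and operators
$viaFilter = Get-ADUser -SearchBase $searchBase `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordLastSet

# Native LDAP: the same accounts expressed as userAccountControl bits
# (2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD); the OID is the
# LDAP_MATCHING_RULE_BIT_AND extensible match, which -Filter cannot express
$ldap = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$viaLdap = Get-ADUser -SearchBase $searchBase -LDAPFilter $ldap -Properties PasswordLastSet

# Both forms must describe the same set; a mismatch means one filter is wrong
$a = @($viaFilter | ForEach-Object DistinguishedName)
$b = @($viaLdap   | ForEach-Object DistinguishedName)
if ($a.Count -ne $b.Count -or ($a | Where-Object { $_ -notin $b })) {
    Write-Warning "The -Filter and -LDAPFilter forms disagree; review both before acting"
}

# Oldest passwords first: these are the accounts to review with their owners
$viaFilter | Sort-Object PasswordLastSet |
    Format-Table SamAccountName, PasswordLastSet, DistinguishedName -AutoSize
```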

  15. AD Provider
  • AD Provider is available once the AD Module is imported
  • Use common Provider cmdlets to manage the AD drive:

    PS C:\> Get-PSProvider
    Name              Capabilities      Drives
    ----              ------------      ------
    ActiveDirectory   Include...        {AD}

    PS C:\> Set-Location ad:
    PS AD:\> dir

    Name             ObjectClass      DistinguishedName
    ----             -----------      -----------------
    contoso          domainDNS        DC=contoso,DC=com
    Configuration    configuration    CN=Configuration,DC=contoso,DC=com
    Schema           dMD              CN=Schema,CN=Configuration,DC=contoso,DC=com
    DomainDnsZones   domainDNS        DC=DomainDnsZones,DC=contoso,DC=com
    ForestDnsZones   domainDNS        DC=ForestDnsZones,DC=contoso,DC=com

    PS AD:\> cd "DC=contoso,DC=com"
    PS AD:\DC=contoso,DC=com\> dir | ft pschildname
    PS AD:\DC=contoso,DC=com\> md "OU=Test"
    PS AD:\DC=contoso,DC=com\> cd "OU=Test"
    PS AD:\OU=Test,DC=contoso,DC=com\>

  16. User Account Management Examples
  • Create User
    New-ADUser -Name jpublic -SamAccountName "jpublic" `
      -GivenName "John" -Surname "Public" -DisplayName "John Public"
    Import-Csv c:\pristine.csv | New-ADUser -Office Miami
  • Query Users
    Get-ADUser -Filter * -Properties *
    Get-ADUser -Filter * -Properties *,msDS-ReplAttributeMetaData
    Get-ADUser -Filter {office -eq 'Los Angeles'}
  • Modify User
    Set-ADUser -Identity "jpublic" -Title "Engineer"      (-Identity targets a single AD object only!)
    Get-ADUser -Filter {office -eq 'Miami'} | Set-ADUser -Office MIA
  • Delete User
    Remove-ADUser jpublic
    Get-ADUser -Filter {office -eq 'Miami'} | Remove-ADUser

  17. Computer Account Management Examples
  • Computer Information
    Get-ADComputer -Filter * -Properties name,OperatingSystem,`
      OperatingSystemServicePack,OperatingSystemVersion | Out-GridView
  • Find Stale Computer Accounts
    $OneYearAgo = (Get-Date).AddYears(-1)
    Get-ADComputer -Filter {LastLogonTimeStamp -lt $OneYearAgo} | Disable-ADAccount
    OR
    Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 180
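The stale-computer clean-up above disables accounts in one pipeline; as an added example (not from the deck), here is a review-first version that writes the evidence list, stamps the reason on each account and only disables when asked. It assumes the ActiveDirectory module; the inactivity threshold and the CSV path are constructed.

```powershell
# Added example, not from the deck: report stale computers, disable only on request.
# Usage: .\Stale-Computers.ps1 -InactiveDays 180          (report only)
#        .\Stale-Computers.ps1 -InactiveDays 180 -Disable  (report and disable)
param([int]$InactiveDays = 180, [switch]$Disable)
Import-Module ActiveDirectory

# lastLogonTimestamp is replicated lazily (by default only when ~14 days stale),
# so the value can understate the true last logon by up to two weeks; the
# threshold below is therefore conservative rather than exact. Computers that
# have never logged on carry no value and are not matched by the -lt comparison.
$threshold = (Get-Date).AddDays(-$InactiveDays)

$stale = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $threshold } `
    -Properties LastLogonTimeStamp, OperatingSystem, PasswordLastSet |
    Select-Object Name, OperatingSystem, PasswordLastSet, DistinguishedName,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }

# Keep the list: it records what was considered stale, and why, before any change
$report = ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv"
$stale | Sort-Object LastLogon | Export-Csv -Path $report -NoTypeInformation
Write-Host "$($stale.Count) stale computer account(s) written to $report"

if ($Disable) {
    foreach ($c in $stale) {
        # Stamp the reason so a later reviewer can see why the account was disabled
        Set-ADComputer -Identity $c.DistinguishedName `
            -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days"
        Disable-ADAccount -Identity $c.DistinguishedName
    }
}
```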

  18. Group Management Examples
  • Enumerate Group
    Get-ADGroupMember IT                 (only direct members of the group, includes groups)
    Get-ADGroupMember IT -Recursive      (users in nested groups as well)
  • Create Group
    New-ADGroup -Name "Sales" -Path "OU=Groups,DC=Contoso,DC=com" `
      -GroupScope "Global" -GroupCategory "Security"
  • Populate Group
    $ITUsers = Get-ADUser -Filter {Department -eq "IT"}
    Add-ADGroupMember -Identity ITCommunications -Members $ITUsers
    OR
    $ITUsers | Add-ADPrincipalGroupMembership -MemberOf ITCommunications

  19. Group Management (continued)
  • Remove From Group
    $ITUsers | Remove-ADPrincipalGroupMembership -MemberOf "IT"
    OR
    Remove-ADGroupMember -Identity "IT" -Members $ITUsers
  • TIP: There will be a prompt to confirm. Consider setting the $ConfirmPreference automatic variable in scripts to suppress all confirmations, or use -Confirm:$false on any action cmdlet to suppress just that one time
    $OriginalConfirmPreference = $ConfirmPreference
    $ConfirmPreference = "none"
    Remove-ADGroupMember -Identity "IT" -Members $ITUsers
    $ConfirmPreference = $OriginalConfirmPreference
    OR
    Remove-ADGroupMember -Identity "IT" -Members $ITUsers -Confirm:$false

  20. Multi-Valued Attributes
  • Example: OtherTelephone
  • A multi-valued attribute can contain a single value or multiple values
  • Each value must be unique
  • Use a hash table (key/value pair), i.e. @{}
  • User Telephone Numbers
    New-ADUser -Path "ou=sales,ou=departments,dc=contoso,dc=com" `
      -Name "Sales1" -SamAccountName "Sales1" `
      -UserPrincipalName "Sales1@contoso.com" `
      -Department "sales" -OtherAttributes `
      @{otherTelephone="555-555-5555","123-456-7890"}
    Set-ADUser -Identity jpublic `
      -Add @{otherTelephone="555-555-5555","123-456-7890"}

  21. New Site Management (2012 Module)
  • To create a new site:
    New-ADReplicationSite BRANCH1
    This command creates the new branch office site, BRANCH1.
  • To create a new site link:
    New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}
    This command creates the site link to BRANCH1 and turns on the change notification process.
  • To set the site link cost and replication frequency:
    Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15
    This command sets the site link cost to BRANCH1 at 100 and sets the replication frequency with the site to 15 minutes.
  • To move a domain controller to a different site:
    Get-ADDomainController DC2 | Move-ADDirectoryServer -Site BRANCH1
    This command moves the domain controller DC2 to the BRANCH1 site.

  22. Checking Replication Status (2012 Module)
  • Get-ADReplicationUpToDatenessVectorTable
  • Look at the "High Water Mark": the highest USN per server and replication partner
  • The example shown in the deck has great variance: DC3 is not up to date and is missing many new user accounts. The numbers are too far apart.
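The "numbers too far apart" check above done by hand on the slide, as an added example (not from the deck) that compares the up-to-dateness vector of every DC in the domain and flags lagging partitions, then lists the failures the DCs have recorded. It needs the 2012 module; the lag threshold is a constructed value.

```powershell
# Added example, not from the deck: flag DCs whose high-water-mark USN lags the
# newest value seen for the same partition and originating partner.
Import-Module ActiveDirectory
$lagThreshold = 10000   # constructed; tune to your directory's change rate

$dcs = (Get-ADDomainController -Filter *).HostName
$vectors = foreach ($dc in $dcs) {
    # A DC that cannot be reached simply yields no rows here; it shows up below as absent
    Get-ADReplicationUpToDatenessVectorTable -Target $dc -ErrorAction SilentlyContinue
}

# Each row is "what $Server knows of changes originated by $Partner for $Partition".
# Across DCs the maximum UsnFilter for one (partition, partner) pair is the newest
# knowledge; any DC far below it has not received those changes yet.
$lagging = $vectors | Group-Object Partition, PartnerInvocationId | ForEach-Object {
    $newest = ($_.Group | Measure-Object UsnFilter -Maximum).Maximum
    foreach ($row in $_.Group) {
        [pscustomobject]@{
            Server      = $row.Server
            Partition   = $row.Partition
            Partner     = $row.Partner
            Usn         = $row.UsnFilter
            Lag         = $newest - $row.UsnFilter
            LastSuccess = $row.LastReplicationSuccess
        }
    }
} | Where-Object Lag -gt $lagThreshold | Sort-Object Lag -Descending

if ($lagging) {
    Write-Warning "Partitions lagging by more than $lagThreshold USNs:"
    $lagging | Format-Table -AutoSize
}

# Failures the DCs themselves have logged (partner, first seen, count, last error code)
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Format-Table Server, Partner, FirstFailureTime, FailureCount, LastError -AutoSize
```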

  23. Domain Controller Deployment (2012 Server)
  • Separate PS Module: ADDSDeployment

    PS C:\> Get-Command -Module ADDSDeployment

    CommandType  Name                                                  ModuleName
    -----------  ----                                                  ----------
    Cmdlet       Add-ADDSReadOnlyDomainControllerAccount               ADDSDeployment
    Cmdlet       Install-ADDSDomain                                    ADDSDeployment
    Cmdlet       Install-ADDSDomainController                          ADDSDeployment
    Cmdlet       Install-ADDSForest                                    ADDSDeployment
    Cmdlet       Test-ADDSDomainControllerInstallation                 ADDSDeployment
    Cmdlet       Test-ADDSDomainControllerUninstallation               ADDSDeployment
    Cmdlet       Test-ADDSDomainInstallation                           ADDSDeployment
    Cmdlet       Test-ADDSForestInstallation                           ADDSDeployment
    Cmdlet       Test-ADDSReadOnlyDomainControllerAccountCreation      ADDSDeployment
    Cmdlet       Uninstall-ADDSDomainController                        ADDSDeployment

  • Example:
    Install-ADDSDomainController -DomainName child.contoso.com -Credential (Get-Credential)
  • In this example, you would be prompted for the safe mode password, and credentials to actually join the domain as a DC. All prompts can be answered ahead and thus suppressed.
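Answering every prompt ahead of time, as the slide says is possible, without writing the DSRM password into the script: an added example (not from the deck) that runs the matching Test- cmdlet first and promotes only if the prerequisite check does not fail. The domain and site names are placeholders.

```powershell
# Added example, not from the deck: unattended promotion with a prerequisite check.
# "child.contoso.com" and "BRANCH1" are placeholders.
Import-Module ADDSDeployment

$domainCred = Get-Credential -Message "Account permitted to add a DC to the domain"
# Read-Host -AsSecureString keeps the DSRM password out of the script file and
# out of any PowerShell transcript; never pass it as a plain-text literal
$dsrmPwd = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

# One parameter set reused for the test and the real run
$params = @{
    DomainName                    = "child.contoso.com"
    Credential                    = $domainCred
    SafeModeAdministratorPassword = $dsrmPwd
    SiteName                      = "BRANCH1"
    InstallDns                    = $true
    NoRebootOnCompletion          = $true   # reboot under change control, not automatically
    Force                         = $true   # suppress the remaining confirmation prompts
}

# Prerequisite check only: nothing on the server or in the directory changes yet
$check = Test-ADDSDomainControllerInstallation @params
$check.Message | ForEach-Object { Write-Host $_ }
if ($check.Status -eq "Error") {
    Write-Warning "Prerequisite check failed; not promoting."
    return
}

# Same parameters, now for real; the server must be rebooted afterwards
Install-ADDSDomainController @params
```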

  24. Thank You
  • Go out there and deal with the pre-reqs now
  • Get the module ready to roll even if you don't use it much
  • Once you get hooked on the "PowerShell" way, you'll probably start hating the GUI
  • That doesn't mean to avoid the GUI; you'll just find that language-based administration can really rock sometimes
  • Play, play, play and discover all the other great nuggets I haven't found yet. This stuff is brand new

  25. Resources
  • Active Directory Administration with Windows PowerShell: http://technet.microsoft.com/en-us/library/dd378937(v=WS.10).aspx
  • Active Directory PowerShell blog: http://blogs.msdn.com/b/adpowershell/
  • Active Directory Replication and Topology Management Using Windows PowerShell
  • Installing AD DS Using Windows PowerShell
  • Removing AD DS Using Windows PowerShell
  • In the Dynamic Access Control deployment documentation, look for any sections that are labeled "Windows PowerShell equivalent commands"
  • In the Active Directory Domain Services (AD DS) Virtualization documentation, see the steps for deploying a virtualized domain controller
