
IT Pro Connections 2009 The cutting edge event for IT pros

Active Directory in Depth
Χρήστος Σπανουγάκης, MCT, MVP


Presentation Transcript


  1. IT Pro Connections 2009 The cutting edge event for IT pros Active Directory in Depth Χρήστος Σπανουγάκης, MCT, MVP

  2. Agenda • AD module for Windows PowerShell • AD Administrative Center • AD Best Practice Analyser • Managed Service Accounts • Offline domain join • Authentication mechanism assurance • AD Recycle Bin • AD Troubleshooting - Discussion

  3. Windows Evolution

  4. Windows PowerShell for AD • PowerShell v2 includes an AD Module • Comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks • Easy to compose and manage complex tasks • PowerShell drives for AD • Simple navigation in AD DS, AD LDS and AD Snapshots • Certain tasks can only be achieved through PowerShell

  5. Example (and demo)
     Import-Module ActiveDirectory
     New-ADUser -Name "Spanougakis Chris" -SamAccountName "chris" -AccountPassword (ConvertTo-SecureString -AsPlainText "Temp0Pwd0!" -Force) -Enabled $true -ChangePasswordAtLogon $true -GivenName "Chris" -Surname "Spanougakis" -UserPrincipalName "chris@itproconnections.local" -Path "OU=Admins,OU=UK,DC=itproconnections,DC=local"

  6. AD Web Services (ADWS) Demo • ADWS is automatically installed with AD DS and AD LDS • Port 9389 must be open for remote administration • Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008 • Does not support instances of the AD Mounting Tool [Diagram: PowerShell cmdlets and the AD Mounting Tool talk WS-* to ADWS on port 9389; ADWS talks LDAP (389, GC 3268) to the mounted AD instance, the AD LDS instance and AD / GC]

  7. AD Administrative Center • Built on PowerShell Cmdlets • Task-oriented model • Simultaneously connect to other domains • Progressive disclosure of data • Powerful Searching

  8. Best Practice Analyser • Compares the current configuration on a DC to best practice recommendations • Scan started via Server Manager or PowerShell • Results through the UI and PowerShell output • Provides guidance, does not fix problems • Severity levels: Error, Warning, Information • Quarterly updates
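Added example, not from the presentation: running the AD DS Best Practice Analyser scan from PowerShell on a Windows Server 2008 R2 DC and keeping only the findings that need action. It assumes the BestPractices module that ships with Server Manager; the model ID is the AD DS model and the CSV path is an assumption.

```powershell
# Added example (not from the presentation). Assumes the BestPractices
# module on a 2008 R2 DC; the model ID below is the AD DS BPA model.
Import-Module BestPractices

function Get-AdBpaFindings {
    param([string]$ModelId = 'Microsoft/Windows/DirectoryServices')

    # Run the scan. It reads configuration only and changes nothing, matching
    # "provides guidance, does not fix problems"; results are stored and then
    # read back with Get-BpaResult.
    Invoke-BpaModel -ModelId $ModelId | Out-Null

    # Keep Error and Warning results. Compliant rules and informational
    # entries carry Severity 'Information' and are noise for a remediation list.
    Get-BpaResult -ModelId $ModelId |
        Where-Object { $_.Severity -ne 'Information' } |
        Select-Object Severity, Category, Title, Problem, Resolution
}

# Print a remediation list and keep a CSV so scans can be diffed after the
# quarterly rule updates (output path is an assumption).
$findings = Get-AdBpaFindings
$findings | Format-List
$findings | Export-Csv -Path "$env:TEMP\adds-bpa-findings.csv" -NoTypeInformation
```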

  9. Service Accounts • Using built-in accounts for services does not provide service isolation • What's the alternative? • Run the services using standard user accounts • How many of you change service account passwords on a regular basis? • Any problems? [Diagram: a service configured with domain account SRV1 and a password; password changes must be updated on the service account]

  10. Managed Service Accounts (demo) • Accounts must be created and managed through Windows PowerShell • 1. Created in the domain: New-ADServiceAccount svc1 • 2. Installed on SERVER1: Install-ADServiceAccount svc1 • 3. Configure the service: append $ to the account name, e.g. example\svc1$ (Username: example\svc1$, Password: left blank, Domain: example.com, domain account name: SVC1) • 4. The server automatically resets the password based on "Max machine account password age"; it can also be reset with Reset-ADServiceAccountPassword svc1

  11. Requirements & Caveats • Service / application requiring a managed account must be running on Windows 7 or 2008 R2 • Requires the AD Module for Windows PowerShell to be installed • Forest and domain must be prepared for 2008 R2 • adprep /forestprep & adprep /domainprep • Managed accounts cannot be shared across multiple servers • In other words: use them LOCALLY.
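Added example, not from the presentation: the four MSA steps from slides 10 and 11 as one script, with the step that must run on the host marked. Domain EXAMPLE (example.com), MSA svc1, host SERVER1, a service named MyAppSvc and the OU path are assumptions.

```powershell
# Added example (not from the presentation). Names are assumptions: domain
# EXAMPLE / example.com, MSA svc1, host SERVER1, service MyAppSvc.
Import-Module ActiveDirectory

$msaName  = 'svc1'
$hostName = 'SERVER1'
$service  = 'MyAppSvc'

# 1. Create the MSA in the domain. AD generates the password; no
#    administrator ever sees or types it, so nothing needs rotating by hand.
New-ADServiceAccount -Name $msaName -Enabled $true `
    -Path 'OU=ServiceAccounts,DC=example,DC=com' `
    -Description "MSA for $service on $hostName"

# Record the single host allowed to use it (msDS-HostServiceAccount). A
# standalone MSA cannot be shared across servers, per the caveats slide.
Add-ADComputerServiceAccount -Computer $hostName -ServiceAccount $msaName

# 2. On SERVER1 itself: install the MSA so the host can retrieve and cache
#    the account's password from AD (needs the AD module on the server).
Install-ADServiceAccount -Identity $msaName

# 3. On SERVER1: point the service at the MSA. The logon name is the
#    sAMAccountName with a trailing '$' and the password is an empty string,
#    because the host fetches the real one; no secret lives in this script.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$service'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, "EXAMPLE\$msaName`$", '')
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed, code $($rc.ReturnValue)" }
Restart-Service -Name $service

# 4. Rollover is automatic on the machine account password age. Force it
#    only when the account is suspected compromised:
#    Reset-ADServiceAccountPassword -Identity $msaName
```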

  12. Offline Domain Joins • Allows Windows 7 or Windows Server 2008 R2 machines to be joined to a domain while offline • On start-up, the machine is already domain joined and there is no reboot requirement • Speeds up deployment of VMs and scripted installs • New section in unattended.xml supports offline domain joins • Simplifies domain joins to RODCs

  13. Djoin.exe (demo) • Windows 7 or 2008 R2 required for computers running djoin and for computers being joined to the domain • Provisioning: djoin /provision /domain example.com /machine ms1 /savefile ms1.txt creates the computer account object and saves the computer account metadata to ms1.txt; the file is Base-64 encoded and must be treated as security sensitive • Offline VHD or physical system: djoin /requestODJ /loadfile <ms1.txt> /windowspath <Windows directory> adds the account metadata; an online VHD or physical system requires /localos and a reboot • Unattended.xml can carry the same account metadata
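Added example, not from the presentation: provisioning the offline domain join from a domain-connected admin machine and embedding the blob in the unattend.xml section the slides mention, handling the blob as the credential it is. Domain example.com, machine ms1 and the file paths are assumptions.

```powershell
# Added example (not from the presentation). Domain, machine name and
# file paths are assumptions.
$domain   = 'example.com'
$machine  = 'ms1'
$blobFile = Join-Path $env:TEMP "$machine.txt"
$unattend = Join-Path $env:TEMP 'unattend-join.xml'

# 1. Create the computer account and save its metadata. The blob carries the
#    machine account password, so treat it as a credential, not a config file.
& djoin.exe /provision /domain $domain /machine $machine /savefile $blobFile
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# Lock the file down to the current user before it goes anywhere else.
$acl = Get-Acl -Path $blobFile
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -Path $blobFile -AclObject $acl

# 2. Read the Base-64 text. djoin writes a Unicode file that can end in a NUL
#    and line breaks, none of which may end up inside the XML element.
$accountData = ((Get-Content -Path $blobFile) -join '') -replace '[\s\0]', ''

# 3. Write the offlineServicing pass: the Microsoft-Windows-UnattendedJoin
#    component's OfflineIdentification section. Setup applies the join before
#    first logon, so the machine starts already joined with no extra reboot.
@"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <OfflineIdentification>
        <Provisioning>
          <AccountData>$accountData</AccountData>
        </Provisioning>
      </OfflineIdentification>
    </component>
  </settings>
</unattend>
"@ | Set-Content -Path $unattend -Encoding UTF8

# The unattend file now holds the same secret: protect it the same way and
# delete both once the deployment has consumed them.
Remove-Item -Path $blobFile -Force
```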

  14. Authentication Mechanism Assurance • Allows applications to control access to resources based on authentication strength • For example, only allow access to a resource if the user has been authenticated using a smart card • Requires Windows 2008 R2 domain functionality [Diagram: normal authentication gives restricted access; strong authentication gives full access]

  15. Resource Access Control • When a certificate-based logon method is used, an administrator-designated universal group is added to the user's Kerberos token • This group is then used to control access to resources • It is possible to add different groups based on the type of certificate used to log on • Access to resources can consequently be based on the certificate type
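Added example, not from the presentation: the configuration behind slides 14 and 15, linking a certificate issuance policy to the universal group that the DC adds to the Kerberos token on a certificate logon, with the checks that make the group safe to use for access control. The issuance policy OID and the group name are placeholders.

```powershell
# Added example (not from the presentation). The OID and group name are
# placeholders; 2008 R2 domain functional level is required.
Import-Module ActiveDirectory

$policyOid = '1.3.6.1.4.1.311.21.8.0.0.0.0.0.0'   # placeholder: your CA's issuance policy OID
$groupName = 'SmartCard-Authenticated'

# The linked group must be a universal security group, and it should have no
# static members: membership exists only inside tokens for the session's
# lifetime, which is what makes it usable as an authentication-strength check.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a universal security group"
}
if (@(Get-ADGroupMember -Identity $group).Count -gt 0) {
    Write-Warning "$groupName has static members; AMA groups are normally kept empty"
}

# Issuance policies are msPKI-Enterprise-Oid objects under the OID container
# of the configuration partition; match on the OID string.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$oidObject = Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$configNC" `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$policyOid))" `
    -Properties displayName, 'msDS-OIDToGroupLink'
if (-not $oidObject) { throw "no issuance policy with OID $policyOid found in $configNC" }

# msDS-OIDToGroupLink on the policy object is the whole configuration; the
# group receives the matching back-link attribute automatically.
Set-ADObject -Identity $oidObject -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify. A user who then logs on with a certificate carrying this policy
# shows the group in 'whoami /groups'; a password logon does not.
Get-ADObject -Identity $oidObject -Properties 'msDS-OIDToGroupLink' |
    Select-Object displayName, 'msDS-OIDToGroupLink'
```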

  16. Recycle Bin for AD • Requires 2008 R2 forest functionality • PowerShell driven • Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'forest' • Once enabled, it cannot be disabled • Get-ADObject -LDAPFilter <filter> -IncludeDeletedObjects • Restore-ADObject -Identity <id> • Parent object must be restored before the child object • Restores all attributes, including linked attributes

  17. No Recycle Bin • Majority of attributes deleted • Re-animate API restores objects while on-line • Many attributes missing • Re-animation does not restore multi-valued linked attributes such as group membership [Diagram: Live object -> Delete -> Tombstone object -> Garbage collection after the tombstone lifetime (180 days) -> Purged from directory; full recovery only by offline authoritative restore]

  18. Recycle Bin Enabled (demo) • All attributes retained • All attributes restored [Diagram: Live object -> Delete -> Deleted object, online undelete possible during the deleted object lifetime (180 days) -> Recycled object for the tombstone lifetime (180 days) -> Garbage collection -> Purged from directory]
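Added example, not from the presentation: restoring a deleted OU together with everything deleted under it, parent before child at every level, which is the ordering caveat from slide 16 generalised to nested containers. The OU name Admins is an assumption; the Recycle Bin must be enabled and the objects still within the deleted object lifetime from slide 18.

```powershell
# Added example (not from the presentation). The OU name is an assumption;
# Recycle Bin must be enabled in the forest.
Import-Module ActiveDirectory

$domainDN         = (Get-ADDomain).DistinguishedName
$deletedContainer = "CN=Deleted Objects,$domainDN"

function Restore-DeletedTree {
    param([Microsoft.ActiveDirectory.Management.ADObject]$Object)

    # While deleted, the DN is the mangled form "OU=Admins\0ADEL:<guid>,CN=Deleted
    # Objects,...". Children deleted with this object keep exactly that value in
    # lastKnownParent, so it is the key for finding them after the parent is back.
    $mangledDN = $Object.DistinguishedName
    $restored  = Restore-ADObject -Identity $Object -PassThru
    Write-Verbose "restored $($restored.DistinguishedName)"

    # Restore children only now that their parent is live again, explicitly
    # into the restored parent, and recurse so nested OUs come back in order.
    Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and lastKnownParent -eq $mangledDN } |
        ForEach-Object {
            $child = $_
            $childMangled = $child.DistinguishedName
            $liveChild = Restore-ADObject -Identity $child -TargetPath $restored.DistinguishedName -PassThru
            Write-Verbose "restored $($liveChild.DistinguishedName)"
            Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
                -Filter { isDeleted -eq $true -and lastKnownParent -eq $childMangled } |
                ForEach-Object { Restore-DeletedTree -Object $_ }
        }
}

# Find the deleted OU by its last known RDN. Objects already recycled (past
# the deleted object lifetime) no longer carry these attributes and cannot be
# brought back this way, only by the offline restore of slide 17.
$candidates = @(Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
    -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=Admins))')
if ($candidates.Count -ne 1) {
    throw "expected exactly one deleted OU named Admins, found $($candidates.Count)"
}

Restore-DeletedTree -Object $candidates[0] -Verbose
```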

  19. The Path to Windows Server 2008 R2 • Prep the forest and domain for Windows 2008 R2 • Windows 7 clients can be provisioned with offline domain joins against existing 2003/2008 infrastructure • Install the Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers • Use AD PowerShell and ADAC running on Windows 7 • Upgraded servers can use Managed Service Accounts

  20. Functional Levels • Raising to R2 domain and forest functionality is reversible • Use PowerShell to reverse • Set-ADForestMode -Identity itproconnections.local -ForestMode Windows2008Forest • Cannot be reversed once the Recycle Bin is enabled • 2008 R2 domain functionality is required for: • Authentication Mechanism Assurance • SPN management for Managed Service Accounts • 2008 R2 forest functionality allows the Recycle Bin to be enabled
