Active Directory - Uniwersytet Warmińsko
Active Directory
What’s New in Windows Server 2008 AD?
Steve Clines
Agenda
1. Active Directory Overview
2. Active Directory Domain Services
3. Active Directory LDS
4. Active Directory Federation Services
5. Active Directory Certificate Services
6. Active Directory RMS
The AD Umbrella
Domain Services, Federation Services, LDS, Certificate Services, RMS
AD at a Glance
AD DS: Provides directory-based authentication/authorization services in support of Microsoft-based networked services and applications
AD LDS: Provides an LDAP-accessible directory service that supports identity management scenarios
AD FS: Provides federation services supporting single sign-on to web applications
AD CS: Provides PKI certificate issuance, management, and revocation services
AD RMS: Provides a solution to secure how users utilize content (i.e. Office documents)
What’s new in AD DS?
Read-only Domain Controllers
Fine-grained Password Policies
Windows Server 2008 Server Core
DNS Updates
New management functionality
Read-only Domain Controllers
Problems with normal DCs
  Didn’t work well in branch offices
  Must be physically secured
  No administrative delegation
RODCs to the rescue
  Read-only replica of the AD partitions
  Receives one-way replication from a R/W DC
  Does not cache the domain krbtgt password
  Does not cache user passwords by default
RODC Functionality
(Diagram: the Branch Office RODC reads from, but does not write to, the Main Office DC)
RODC Prerequisites
  PDC emulator role holder must be running Windows Server 2008
  The replication partner of the RODC must run Windows Server 2008
  Windows Server 2003 native mode or higher
  Run ADPREP /RODCPREP on an existing forest (if not native 2008)
  No writeable DC in the same domain/site as the RODC
RODC Admin Separation
  Can specify RODC administrators at DCPROMO time
  Use the DSMGMT command line tool to specify delegated administrators afterwards
RODC Credential Caching
  Passwords are not cached by default
  Controlled with the Password Replication Policy
  Can be set at RODC install time or afterwards
  Cached passwords can be reset if the RODC becomes compromised
Demo
Filtered RODC Replication
  Control over which attributes should not be replicated to a RODC for security reasons
  Forest level
  Configured in the schema
  Works best in a 2008 native forest, as 2003 DCs do not know about the filtered set.
RODC DNS Impacts
  Any AD-integrated DNS zone on a RODC is read-only
  Does not auto-register itself with NS records
  Clients therefore can’t register new records on a RODC DNS
    RODC DNS issues a referral to a writeable DNS
    RODC DNS then pulls down the new record
Fine-grained Password Policy
  Previously, password and account lockout policy could only be set in the Default Domain Policy GPO
  Can be applied to security groups and/or individual users
  Steps to implementing:
    Create a Password Settings Object (PSO)
    Apply the PSO to objects via their DN
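The two steps above as an LDIF file that could be imported with ldifde; this is an added example, not from the slides, and the PSO name, domain DN, policy values and target group DN are constructed placeholders (the attribute names are those of the msDS-PasswordSettings class, with durations in AD's negative 100-nanosecond I8 form).

```python
"""Generate an LDIF file for a Password Settings Object (PSO) for ldifde.
Added example, not from the slides; DNs and policy values are constructed."""

# AD stores PSO durations as negative counts of 100-nanosecond intervals (I8)
HUNDRED_NS_PER_SECOND = 10_000_000

def days_to_i8(days: float) -> int:
    """Duration in days -> I8 value for msDS-MinimumPasswordAge/MaximumPasswordAge."""
    return -int(days * 86_400 * HUNDRED_NS_PER_SECOND)

def minutes_to_i8(minutes: float) -> int:
    """Duration in minutes -> I8 value for the lockout window/duration attributes."""
    return -int(minutes * 60 * HUNDRED_NS_PER_SECOND)

def build_pso_ldif(name, domain_dn, precedence, min_length, min_age_days,
                   max_age_days, history, lockout_threshold, lockout_minutes,
                   applies_to):
    """Return LDIF creating the PSO under the Password Settings Container (step 1)
    and linking it to each DN in applies_to via msDS-PSOAppliesTo (step 2)."""
    if precedence < 1:
        raise ValueError("msDS-PasswordSettingsPrecedence must be 1 or greater")
    if max_age_days and min_age_days >= max_age_days:
        raise ValueError("minimum age must be shorter than maximum age")
    dn = f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-PasswordHistoryLength: {history}",
        "msDS-PasswordComplexityEnabled: TRUE",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {days_to_i8(min_age_days)}",
        f"msDS-MaximumPasswordAge: {days_to_i8(max_age_days)}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {minutes_to_i8(lockout_minutes)}",
        f"msDS-LockoutDuration: {minutes_to_i8(lockout_minutes)}",
    ]
    lines += [f"msDS-PSOAppliesTo: {target}" for target in applies_to]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed: a stricter policy for the admins group of example.com
    print(build_pso_ldif("AdminPSO", "DC=example,DC=com", precedence=10,
                         min_length=15, min_age_days=1, max_age_days=42,
                         history=24, lockout_threshold=5, lockout_minutes=30,
                         applies_to=["CN=Domain Admins,CN=Users,DC=example,DC=com"]))
```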
Windows Server 2008 Server Core
  Can install 2008 in two ways:
    A full installation with full GUI and all available software services
    A minimal installation supporting a command line interface
  Smaller target, less patching
  Roles available on Server Core: AD DS, AD LDS, DNS, DHCP, File Server, Hyper-V, Windows Media Services, Print Management
Running a DC on Server Core
  Most secure way of running a DC
  Can run most MMC tools remotely against Server Core
  No, PowerShell doesn’t work
  Need to learn certain command line tools:
    NETSH – configure network settings
    NETDOM – rename computer/join domain
    SLMGR – Software Licensing Manager
    OCLIST – list the available roles/features
    OCSETUP – install roles such as DNS
    DCPROMO – turn into a DC using an answer file
AD DS Auditing
  Previously, auditing recorded only which attribute changed
  Now audit information includes the previous and new values
  Now subdivided into four areas:
    DS access
    DS changes
    DS replication
    DS detailed replication
AD DS Auditing
  5136 – Successful modification to an attribute
  5137 – New object is created in the directory
  5138 – Object is undeleted in the directory
  5139 – Object is moved in the directory
AD DS Auditing
  Not turned on by default
  Enable in the Default Domain Policy GPO
  Enable in the object’s SACL
  Can disable auditing within the attribute’s schema definition to fine-tune the audit collection (set bit 9 of the searchFlags attribute)
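Because a 5136 event carries only one value, a DC records a single-valued attribute change as a Value Deleted event (old value) plus a Value Added event (new value) sharing a CorrelationID; this added example (not from the slides) pairs them back into before/after records and flags edits to sensitive attributes, over constructed event records rather than a real DC's log.

```python
"""Rebuild before/after values from Directory Service Changes events (ID 5136)
and flag edits to sensitive attributes. Added example, not from the slides; the
event records below are constructed, with the fields a 5136 record carries."""

ADDED, DELETED = "Value Added", "Value Deleted"   # OperationType as rendered in the event

# Constructed sample: one group-membership add, one userAccountControl change
# (split by the DC into a Deleted + Added pair sharing a CorrelationID), one 5137.
SAMPLE_EVENTS = [
    {"EventID": 5136, "CorrelationID": "{A1}", "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=example,DC=com",
     "AttributeLDAPDisplayName": "member", "OperationType": ADDED,
     "AttributeValue": "CN=jsmith,OU=Staff,DC=example,DC=com"},
    {"EventID": 5136, "CorrelationID": "{B2}", "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=example,DC=com",
     "AttributeLDAPDisplayName": "userAccountControl", "OperationType": DELETED,
     "AttributeValue": "512"},
    {"EventID": 5136, "CorrelationID": "{B2}", "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=example,DC=com",
     "AttributeLDAPDisplayName": "userAccountControl", "OperationType": ADDED,
     "AttributeValue": "66048"},   # 512 + 65536: DONT_EXPIRE_PASSWORD now set
    {"EventID": 5137, "CorrelationID": "{C3}", "SubjectUserName": "helpdesk1",
     "ObjectDN": "OU=Temp,DC=example,DC=com"},
]

# Attributes whose modification deserves review regardless of who made it
SENSITIVE = {"member", "userAccountControl", "scriptPath", "servicePrincipalName"}

def pair_changes(events):
    """Merge the Deleted/Added halves of one modification (same CorrelationID,
    object and attribute) into a record with old and new values."""
    merged = {}
    for ev in events:
        if ev["EventID"] != 5136:
            continue          # 5137-5139 carry no attribute values
        key = (ev["CorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        rec = merged.setdefault(key, {"object": ev["ObjectDN"], "who": ev["SubjectUserName"],
                                      "attribute": ev["AttributeLDAPDisplayName"],
                                      "old": None, "new": None})
        rec["old" if ev["OperationType"] == DELETED else "new"] = ev["AttributeValue"]
    return list(merged.values())

def flag_sensitive(events, sensitive=SENSITIVE):
    """Return the paired changes that touched a sensitive attribute."""
    return [c for c in pair_changes(events) if c["attribute"] in sensitive]

if __name__ == "__main__":
    for c in flag_sensitive(SAMPLE_EVENTS):
        print(f'{c["who"]} changed {c["attribute"]} on {c["object"]}: {c["old"]} -> {c["new"]}')
```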
DNS Changes
  Support for IPv6
  Support for AD-integrated zones on a RODC
  Background loading
  GlobalNames zone
  Link Local Multicast Name Resolution (LLMNR)
New Management Features
  Restartable Active Directory
    AD DS is a separate service from LSA
    A DC with a stopped AD service is equivalent to a member server
  Accidental OU Deletion Check
  Shadow Copy Backup
  Mountable Database
AD Lightweight Directory Services
  Previously introduced as ADAM
  Provides an LDAP-accessible DS
  Removes all other AD DS features:
    No Kerberos authentication
    No forests, domains, DCs, GC
    No dependency on DNS
    No site topology
    No group policies
AD LDS Scenarios
  Uses for AD LDS:
    Whitepages
    Consolidation store
    Web authentication service via LDAP
AD LDS Instances
  Each AD LDS server can host multiple directory stores (i.e. instances)
  Within each instance:
    Schema partition
    Configuration partition
    Zero or more application partitions
AD LDS Replication
  Supports multimaster replication through configuration sets
Active Directory Federation Services
  AD FS is a service that allows for the creation of federated relationships between organizations for web application authentication
  Security Token Service (STS): a service that takes a recognized token and issues another token
  Federations are a form of STS
  AD FS provides a web authentication cookie when an AD authentication token is presented
AD Certificate Services
  Not significantly different from CS in 2003
  Provides certificate issuance/revocation services as well as the CA service
  New items:
    Online Responder Service via Online Certificate Status Protocol (OCSP)
    Network Device Enrollment via Simple Certificate Enrollment Protocol (SCEP)
AD Rights Management Services
  Updated version of RMS
  Management of information usage
  Supported by Office 2003, 2007 and SharePoint
Thank You!