John Craddock Infrastructure & Security Architect XTSeminars Ltd Session Code: SIA319
Agenda
AD module for Windows PowerShell
AD Administrative Center
AD Best Practice Analyser
Managed Service Accounts
Offline domain join
Authentication mechanism assurance
AD Recycle Bin
Windows PowerShell for AD
Windows Server 2008 R2 (and RSAT for Windows 7) ships an AD module for Windows PowerShell v2
Comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks
Easy to compose and manage complex tasks
PowerShell drives for AD: simple navigation in AD DS, AD LDS and AD snapshots
Certain tasks (for example managed service accounts and the Recycle Bin) can only be achieved through PowerShell
Example
```powershell
Import-Module ActiveDirectory

# Creates a user that must change the temporary password at first logon.
# The password is in clear text in the script and in the command history;
# in production read it with Read-Host -AsSecureString instead.
# The UPN is derived from the SamAccountName and the domain (the deck's
# original value was lost in extraction).
New-ADUser -Name "Craddock John" `
    -SamAccountName "jcraddock" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "Temp0Pwd0!" -Force) `
    -Enabled $true `
    -ChangePasswordAtLogon $true `
    -GivenName "John" -Surname "Craddock" `
    -UserPrincipalName "jcraddock@example.com" `
    -Path "OU=Admins,OU=UK,DC=example,DC=com"
```
AD Web Services (ADWS)
[Diagram: PowerShell cmdlets talk WS-* to ADWS on TCP 9389; ADWS in turn uses LDAP to reach AD DS / GC (389, 3268), an AD LDS instance, or a mounted AD snapshot]
ADWS is automatically installed with AD DS and AD LDS
Port 9389 must be open for remote administration
Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008
ADMG does not support instances mounted with the AD Mounting Tool (snapshots)
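Before using the module from an admin workstation it is worth confirming that a DC actually advertises ADWS and that the port is reachable. The following is an added example, not code from the deck; it assumes the domain example.com and uses whichever DC the locator returns.

```powershell
# Added example, not from the deck: check that a DC advertises ADWS and that
# TCP 9389 is reachable before running AD cmdlets from an admin workstation.
# Assumption: the domain is example.com; the DC is whatever the locator returns.
Import-Module ActiveDirectory

$domain = 'example.com'

# Ask the DC locator for a DC that advertises the ADWS service. A 2003/2008 DC
# only shows up here once the ADMG service has been installed on it.
$dc     = Get-ADDomainController -Discover -DomainName $domain -Service ADWS
$dcHost = [string]$dc.HostName

# Raw TCP probe of the ADWS port. A firewall that passes LDAP 389 but not 9389
# is the usual reason the module works on the DC itself and fails remotely.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $async = $tcp.BeginConnect($dcHost, 9389, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(3000)) {
        throw "TCP 9389 on $dcHost did not answer within 3 s (firewall?)"
    }
    $tcp.EndConnect($async)
    "ADWS port 9389 open on $dcHost"
}
finally {
    $tcp.Close()
}

# The service itself (service name ADWS) must be running on that DC.
Get-Service -ComputerName $dcHost -Name ADWS | Select-Object MachineName, Status

# Pin subsequent cmdlets to the verified DC rather than letting each call pick
# its own; this also keeps a sequence of reads and writes consistent.
Get-ADDomain -Server $dcHost | Select-Object DNSRoot, DomainMode, PDCEmulator
```

Pinning with -Server matters for scripted changes: without it, consecutive cmdlets may land on different DCs and a write may not yet have replicated to the DC that services the next read.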
AD Administrative Center
Built on the PowerShell cmdlets (every ADAC action is executed through the AD module over ADWS)
Task-oriented model
Simultaneously connect to other domains
Progressive disclosure of data
Powerful searching
Best Practice Analyser
Compares the current configuration of a DC to best-practice recommendations
Scan started via Server Manager or PowerShell
Results through the UI and PowerShell output
Provides guidance; does not fix problems
Severity levels: Error, Warning, Information
Rule sets receive quarterly updates
Collecting and Analysing Data
[Diagram: the AD DS BPA PowerShell script collects data into an XML results document, which is validated against an XML schema; the BPA run time then applies the AD DS BPA rule set (analysis) and produces the AD DS BPA guidance and report]
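The scan and the results are both available from PowerShell. The block below is an added example, not code from the deck; it assumes it is run elevated on the DC being scanned and that Microsoft/Windows/DirectoryServices is the AD DS model ID. The model parameter is named -BestPracticesModelId on 2008 R2 and -ModelId on 2012 and later; passing it positionally works on both.

```powershell
# Added example, not from the deck: run the AD DS BPA from PowerShell and keep
# only the findings that need action. Assumptions: run elevated on the DC being
# scanned; Microsoft/Windows/DirectoryServices is the AD DS model ID.
Import-Module BestPractices

$modelId = 'Microsoft/Windows/DirectoryServices'

# The model only exists once the AD DS role is installed.
if (-not (Get-BpaModel | Where-Object { $_.Id -eq $modelId })) {
    throw "BPA model $modelId not found; is the AD DS role installed?"
}

# Collect and analyse. Results are stored per model and read back separately.
$run = Invoke-BpaModel $modelId
if ($run.Success -eq $false) { throw "BPA scan failed: $($run.Detail)" }

# Rules the DC complies with come back as Information; keep Error and Warning.
# (-contains rather than -in so the script also runs on PowerShell v2.)
$findings = Get-BpaResult $modelId |
    Where-Object { ('Error', 'Warning') -contains $_.Severity } |
    Select-Object Severity, Category, Title, Problem, Impact, Resolution

$findings | Format-List

# Keep an audit trail per DC; the report is guidance only, nothing is changed.
$findings | Export-Csv -Path ("{0}-adds-bpa-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date)) -NoTypeInformation
```

Running this on a schedule and diffing the CSV between runs is a cheap way to notice configuration drift on DCs, since the BPA never changes anything on its own.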
Service Accounts
[Diagram: a domain account (username SRV1, password *****) is configured both in the domain and in the service on the server; every password change must be applied in both places]
Password changes must be updated on the service account configuration of every service that uses it
Using the built-in accounts for services does not provide service isolation
What's the alternative? Run the services using standard user accounts
How many of you change service account passwords on a regular basis?
Any problems?
Managed Service Accounts
Domain: example.com
Domain account name: SVC1; server: SERVER1
1. Created in the domain: New-ADServiceAccount svc1
2. Installed on the server: Install-ADServiceAccount svc1
3. Configure the service: append $ to the account name, i.e. username example\svc1$; the password is managed by the domain
4. The server automatically resets the password based on "Maximum machine account password age"; it can also be reset with Reset-ADServiceAccountPassword svc1
Accounts must be created and managed through Windows PowerShell
Requirements & Caveats
The service or application requiring a managed account must be running on Windows 7 or Windows Server 2008 R2
Requires the AD module for Windows PowerShell to be installed on that server
Forest and domain must be prepared for 2008 R2: adprep /forestprep and adprep /domainprep
2008 R2 domain functional level adds automatic SPN management
Managed accounts cannot be shared across multiple servers
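The four steps from the diagram, end to end, as an added example (not code from the deck). It assumes the domain example.com, the MSA svc1, the host SERVER1 and a service with the hypothetical name MyService. It is written for the 2008 R2 module; on Windows Server 2012 and later add -RestrictToSingleComputer to New-ADServiceAccount, otherwise a group MSA (which needs a KDS root key and -DNSHostName) is created instead.

```powershell
# Added example, not from the deck: the MSA lifecycle end to end.
# Assumptions: domain example.com, MSA svc1, host SERVER1, hypothetical
# service name MyService. 2008 R2 module semantics (see lead-in for 2012+).
Import-Module ActiveDirectory

$msa    = 'svc1'
$server = 'SERVER1'

# Step 1 (any machine with the AD module): create the account in the domain.
# No password is supplied; the directory generates a random one.
New-ADServiceAccount -Name $msa -Enabled $true
# Authorise SERVER1, and only SERVER1, to use it; an MSA cannot be shared.
Add-ADComputerServiceAccount -Computer $server -ServiceAccount $msa

# Step 2 (on SERVER1, elevated, AD module installed): cache the account
# locally so LSA can fetch and later rotate its password.
Install-ADServiceAccount -Identity $msa
if (-not (Test-ADServiceAccount -Identity $msa)) {
    throw "$server cannot use $msa; check the host link and ADWS connectivity"
}

# Step 3: point the service at example\svc1$ with an empty password.
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
#   StartMode, DesktopInteract, StartName, StartPassword, ...); $null keeps a field.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MyService'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, "example\$msa`$", '')
if ($rc.ReturnValue -ne 0) { throw "Service config change failed: $($rc.ReturnValue)" }
# Unlike services.msc, a WMI or sc.exe change does not grant the account the
# "Log on as a service" right; grant it (local policy or GPO) before restarting.
Restart-Service -Name MyService

# Step 4: the password now rotates on the machine-account schedule. Audit the
# last change, or force a rotation after a suspected exposure.
Get-ADServiceAccount -Identity $msa -Properties PasswordLastSet, HostComputers |
    Select-Object Name, PasswordLastSet, HostComputers
Reset-ADServiceAccountPassword -Identity $msa
```

Test-ADServiceAccount is the check to run before touching the service: it fails when the account was created but never installed on this host, which is the most common cause of a service that refuses to start under an MSA.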
Offline Domain Joins
Allows a Windows 7 or Windows Server 2008 R2 machine to be joined to a domain while offline
On start-up the machine is already domain joined and there is no reboot requirement
Speeds up deployment of VMs and scripted installs
A new section in unattend.xml supports offline domain joins
Simplifies domain joins to RODCs
Djoin.exe
```powershell
djoin /provision /domain example.com /machine ms1 /savefile ms1.txt
```
The save file holds the domain computer account metadata (the computer account object's name, SID and domain data), base-64 encoded; treat it as security sensitive
The blob is applied to an offline VHD or a physical system with djoin /requestODJ /loadfile
Windows 7 or 2008 R2 is required both on the computer running djoin and on the computer being joined to the domain
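Both halves of the procedure, plus the handling the "security sensitive" note calls for, as an added example (not code from the deck). It assumes the domain example.com, the machine ms1, an offline image whose Windows directory is mounted at V:\Windows (hypothetical mount point) and a C:\unattend.xml that already contains the Microsoft-Windows-UnattendedJoin component for the offlineServicing pass.

```powershell
# Added example, not from the deck: provision an offline-join blob, apply it to
# an offline image or to an unattend file, and treat the blob as a secret.
# Assumptions: domain example.com, machine ms1, offline image at V:\Windows
# (hypothetical), C:\unattend.xml with the UnattendedJoin component present.
$domain   = 'example.com'
$machine  = 'ms1'
$blobFile = Join-Path $env:TEMP "$machine-odj.txt"

# --- Provisioning side: Windows 7 / 2008 R2 with rights to create computer objects.
# Add /downlevel when the DC contacted is older than 2008 R2.
& djoin.exe /provision /domain $domain /machine $machine /savefile $blobFile
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed ($LASTEXITCODE)" }

# The blob carries the computer account's name, SID and initial password, so
# anyone who reads it can join a machine as ms1. Strip inherited ACEs and
# leave only the current user with access until it is consumed.
& icacls.exe $blobFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null

# --- Option A: inject straight into the offline image; the machine boots joined.
& djoin.exe /requestODJ /loadfile $blobFile /windowspath 'V:\Windows'
if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed ($LASTEXITCODE)" }

# --- Option B: put the blob in unattend.xml so Setup performs the join.
# Element: settings[pass=offlineServicing]/component[Microsoft-Windows-UnattendedJoin]
#          /Identification/Provisioning/AccountData
$trimChars = [char[]]@(0, 32, 13, 10)           # NUL, space, CR, LF
$blob = [System.IO.File]::ReadAllText($blobFile).Trim($trimChars)
[xml]$unattend = [System.IO.File]::ReadAllText('C:\unattend.xml')
$ns = New-Object System.Xml.XmlNamespaceManager($unattend.NameTable)
$ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
$node = $unattend.SelectSingleNode(
    "//u:settings[@pass='offlineServicing']/u:component[@name='Microsoft-Windows-UnattendedJoin']" +
    "/u:Identification/u:Provisioning/u:AccountData", $ns)
if (-not $node) { throw "unattend.xml has no UnattendedJoin/Provisioning/AccountData element" }
$node.InnerText = $blob
$unattend.Save('C:\unattend.xml')

# The secret now lives in unattend.xml as well: protect that file the same way
# and remove the loose blob.
& icacls.exe 'C:\unattend.xml' /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
Remove-Item $blobFile -Force
```

Whichever option is used, the image or answer file that contains the blob is as sensitive as a machine password until the join completes, so it should not sit on a general-purpose deployment share with broad read access.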
Authentication Mechanism Assurance
[Diagram: normal authentication gives restricted access; strong authentication gives full access]
Allows applications to control access to resources based on authentication strength
For example, only allow access to a resource if the user has been authenticated using a smart card
Requires Windows Server 2008 R2 domain functional level
Resource Access Control
When a certificate-based logon method is used, an administrator-designated universal group is added to the user's Kerberos token
This group is then used to control access to resources
Different groups can be added depending on the type of certificate (its issuance policy) used to log on
Access to resources can consequently be based on the certificate type
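The designation itself is a link from the issuance policy's OID object in the configuration partition to the group. The block below is an added example, not code from the deck; the OID is a constructed placeholder standing in for the issuance policy used in the smart-card template, and the group name SmartCardLogonUsers is hypothetical.

```powershell
# Added example, not from the deck: link a certificate issuance policy OID to
# the universal group that AMA adds to the Kerberos token.
# Assumptions: constructed placeholder OID; hypothetical group SmartCardLogonUsers.
Import-Module ActiveDirectory

$policyOid = '1.3.6.1.4.1.311.21.8.1234567.7654321.1.2.3.4.5'   # constructed placeholder
$groupName = 'SmartCardLogonUsers'

if ((Get-ADDomain).DomainMode -ne 'Windows2008R2Domain') {
    Write-Warning 'AMA needs the 2008 R2 domain functional level; the link will have no effect until then'
}

$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

# The linked group must be a universal security group, and Microsoft's AMA
# guidance expects it to be empty: membership comes from the certificate used
# at logon, not from people being added by hand.
$group = Get-ADGroup -Identity $groupName -Properties member
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a universal security group"
}
if ($group.member.Count -gt 0) { throw "$groupName must have no members" }

# Each issuance policy defined on the enterprise CA has an msPKI-Enterprise-Oid
# object here; msPKI-Cert-Template-OID carries the OID string.
$oidObj = Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=$policyOid))" `
    -Properties 'msDS-OIDToGroupLink', displayName
if (-not $oidObj) { throw "No issuance policy object found for $policyOid" }

# Refuse to silently repoint a policy that already maps to another group.
$current = $oidObj.'msDS-OIDToGroupLink'
if ($current -and $current -ne $group.DistinguishedName) {
    throw "$policyOid is already linked to $current"
}
Set-ADObject -Identity $oidObj -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify from the group's side (back-link) and show the SID the resource ACL will use.
Get-ADGroup -Identity $groupName -Properties 'msDS-OIDToGroupLinkBL' |
    Select-Object Name, SID, 'msDS-OIDToGroupLinkBL'
```

After the link is in place, a resource ACL that grants the group gives access only to sessions whose logon certificate carried that issuance policy; the same user logging on with a password gets a token without the group and is denied.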
Recycle Bin for AD
Requires 2008 R2 forest functional level
PowerShell driven: Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target <forest FQDN, e.g. example.com>
Once enabled it cannot be disabled
Find deleted objects: Get-ADObject -LDAPFilter {} -IncludeDeletedObjects
Restore: Restore-ADObject -Identity
No Recycle Bin
[Lifecycle diagram: live object -> delete -> tombstone object -> garbage collection after the tombstone lifetime (180 days) -> purged from the directory]
On deletion the majority of attributes are stripped from the tombstone
Recovery options: an offline authoritative restore, or the re-animate API, which restores the object while the DC is online but with many attributes missing
Re-animation does not restore multi-valued linked attributes such as group membership
Recycle Bin Enabled
[Lifecycle diagram: live object -> delete -> deleted object (all attributes retained) -> after the deleted object lifetime (180 days) becomes a recycled object -> garbage collection after the tombstone lifetime (180 days) -> purged from the directory]
An online undelete of a deleted object restores all attributes
Other Thoughts
A backup remains usable for restores for at most the smaller of the deleted object lifetime (DOL) and the tombstone lifetime (TSL)
Best practice recommendation: DOL = TSL
Anticipated database growth: 5-10%
Regulatory compliance may not allow a full copy of a deleted object to be retained after deletion
Permanently delete with Get-ADObject -LDAPFilter {} -IncludeDeletedObjects | Remove-ADObject
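The Recycle Bin and "Other Thoughts" slides together describe one procedure: enable the feature, align DOL with TSL, undelete, and purge what compliance does not allow to be kept. The block below is an added example covering all of it, not code from the deck. It assumes the forest example.com at the 2008 R2 forest functional level, that the user "Craddock John" from the earlier New-ADUser example has been deleted, and a hypothetical name pattern Contractor* for the purge.

```powershell
# Added example, not from the deck: enable the Recycle Bin, align DOL with TSL,
# restore a deleted user with its group membership, purge a deleted object.
# Assumptions: forest example.com at 2008 R2 FFL; deleted user "Craddock John";
# the Contractor* purge pattern is hypothetical.
Import-Module ActiveDirectory

$forest   = 'example.com'
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsCfg    = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Enable once; there is no way back, so skip if it is already on.
$rb = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($rb.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# DOL and TSL are attributes of the Directory Service object; an unset DOL
# means "equal to TSL".
$cfg = Get-ADObject -Identity $dsCfg -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
$tsl = $cfg.tombstoneLifetime
$dol = if ($cfg.'msDS-DeletedObjectLifetime') { $cfg.'msDS-DeletedObjectLifetime' } else { $tsl }
"TSL=$tsl DOL=$dol; a backup stays usable for restores for $([Math]::Min($tsl, $dol)) days"
if ($dol -ne $tsl) {
    # Best practice from the deck: DOL = TSL.
    Set-ADObject -Identity $dsCfg -Replace @{ 'msDS-DeletedObjectLifetime' = $tsl }
}

# Deleted objects keep every attribute; the RDN becomes "<name>\0ADEL:<guid>".
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and ObjectClass -eq 'user' -and Name -like 'Craddock John*' } `
    -IncludeDeletedObjects -Properties LastKnownParent, memberOf

foreach ($obj in $deleted) {
    # The parent container must exist; if it was deleted with the child,
    # restore it first (restores go top-down).
    try { Get-ADObject -Identity $obj.LastKnownParent | Out-Null }
    catch { throw "Restore $($obj.LastKnownParent) before $($obj.Name)" }

    Restore-ADObject -Identity $obj
    # Linked attributes come back too, unlike tombstone re-animation.
    Get-ADUser -Identity $obj.ObjectGUID -Properties memberOf | Select-Object Name, memberOf
}

# Compliance purge: Remove-ADObject on a deleted object turns it into a recycled
# object immediately, with the attributes stripped. Keep the filter tight.
Get-ADObject -Filter { isDeleted -eq $true -and ObjectClass -eq 'user' -and Name -like 'Contractor*' } -IncludeDeletedObjects |
    Remove-ADObject -Confirm:$false
```

The purge is one-way: a recycled object can no longer be restored online, so the same filter should be reviewed with -WhatIf before the -Confirm:$false run.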
What to Know More?
Come to my session SIA402 Online Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin Friday 13/11/2009 13:00-14:15 Budapest - Hall 7-2b
The Path to Windows Server 2008 R2
Prep the forest and domain for Windows Server 2008 R2
Windows 7 clients can be provisioned with offline domain joins against an existing 2003/2008 infrastructure
Install the Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers
Use AD PowerShell and ADAC running on Windows 7
Upgraded servers can use Managed Service Accounts
Functional Levels
Switches to R2 domain and forest functionality are reversible (back to the Windows Server 2008 level only); use PowerShell (Set-ADDomainMode / Set-ADForestMode) to reverse
Cannot be reversed once the Recycle Bin is enabled
2008 R2 domain functionality is needed for: Authentication Mechanism Assurance; SPN management for Managed Service Accounts
2008 R2 forest functionality allows the Recycle Bin to be enabled
What’s your Favourite?
AD module for Windows PowerShell AD Administrative Center AD Best Practice Analyser Managed Service Accounts Offline domain join Authentication mechanism assurance AD Recycle Bin
Resources
www.microsoft.com/teched - Sessions On-Demand & Community
www.microsoft.com/learning - Microsoft Certification & Training Resources
http://microsoft.com/technet - Resources for IT Professionals
http://microsoft.com/msdn - Resources for Developers
Related Content
Breakout Sessions:
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell V2
Interactive Theater Sessions:
SIA02-IS Active Directory: What's New in R2
Hands-on Labs:
WSV03-HOL Advanced Windows PowerShell Scripting
WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory
My Sessions at TechEd
Breakout Sessions:
SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory?
SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin
SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies
SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together
Interactive Theater Sessions:
SVR08-IS End-to-End Remote Connectivity with DirectAccess
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.