Steve Olsson Program Manager Microsoft Dushyant Gill Program Manager Microsoft SIA 326 Celebrating 10 Years! On April 9th, 1999, the first Active Directory domain controllers were deployed on.


Steve Olsson, Program Manager, Microsoft
Dushyant Gill, Program Manager, Microsoft
SIA 326
Celebrating 10 Years!
On April 9th, 1999, the first Active Directory domain controllers were deployed on a production network at Microsoft.
Our Priorities Over These Years
• Directory of Network Resources
• Basics: Delegation, Search, Site Topology
• Reduce Operating Cost
• Streamlined Manageability
• Branch Office
• End-to-End Scenarios
• Configuration
• Tackle Deployment Pain Points / Blockers
• Scale and Performance
• R2
R2
Active Directory in R2
PowerShell for AD
Command line scripting for administrative, configuration and diagnostic tasks
Limitations of traditional command line tools
• Inconsistent UX
• Inflexible text based I/O
• No inherent interop between tools
• Scripting is tedious
(Diagram: the text output of tools such as DCDiag.exe and NLTest.exe has to be sorted/filtered, exported/imported and adapted in syntax/format before another tool can use it, which leads to complex scripting.)
PowerShell for AD
Command line scripting for administrative, configuration and diagnostic tasks
• Comprehensive set of AD cmdlets for AD DS and AD LDS administration and configuration
• Brings the power and flexibility of PowerShell core to AD
• Consistency with other server roles
PowerShell Advantages
• Consistent vocabulary and syntax
  Verbs – Add, New, Get, Set, Remove, Clear…
  Nouns – ADObject, ADUser, ADComputer, ADDomain, ADForest, ADGroup, ADAccount, ADDomainController, …
• Easily discovered: no need to find, install, or learn other tools, utilities or commands
• Flexible output: output from one cmdlet is easily consumed by another
• Easily composed: create higher level tools for complex operations
• Leverage the .NET Framework: all the capabilities of the .NET Framework
• Common automation platform at Microsoft: end-to-end manageability of AD with other roles such as Exchange and Group Policy
PowerShell Provider Model
• Brings file system like navigation to the directory
• Use familiar file system commands within the directory: Copy, Move, Rename, Delete, etc.
• Enables centralized management by mapping drives to AD DS, AD LDS or AD Snapshots
• Enables best practice sharing across connections
Recycle Bin for AD
Customers can recover an accidental deletion in Active Directory
Accidental deletions are the number one cause of AD Disaster/Recovery scenarios
Feature takeaways
• Allows recovery of deleted users, groups, etc.
• Locate a deleted object: Get-ADObject -IncludeDeletedObjects
• Recover a deleted object: Restore-ADObject
• All attributes are automatically restored, including the well-known and problematic ‘Linked Attributes’: description, password, group membership, managed by, etc.
Recycle Bin for AD: Object Life-cycle
Windows Server 2008 (no Recycle Bin feature): Live Object -> Tombstone Object -> Garbage Collection
Windows Server 2008 R2 with Recycle Bin enabled: Live Object -> Deleted Object -> Tombstone Object * -> Garbage Collection
Recovering Multiple Objects
• Deleted Objects container: a flat list of all objects in the Deleted state
• DN is mangled, attributes preserved, lastKnownParent recorded
• Delete / Undelete
• Restore objects to a live parent: deleted objects must be restored to a live parent, so perform the restore in top-down order
• lastKnownParent and lastKnownRDN properties are useful in rebuilding the hierarchy
• RDN over 128 chars is truncated
(Diagram: the Deleted Objects container holding the deleted objects of a subtree, each with a mangled DN of the form \0ADEL:…)
Recycle Bin Considerations
• WS08R2 Forest Functional Level -> Enable Recycle Bin Feature
• Impact on backup strategy (backup shelf life may change): backups, IFM seeds and packaged Domain Controllers remain valid for the lesser of DeletedObjectLifetime or TombstoneLifetime
• Impact on the database size: WS08 R2 DIT size is 10-15% more than WS08 DIT size. Subsequent growth depends on size and frequency of object deletions. 15% growth in size of a deleted user observed in the MS production forest.
• No GUI: management only through PowerShell
• Tombstones cannot be auth restored
• Purging deleted objects: delete the object from the Deleted Objects container
  Get-ADObject -Filter { <filter for the objects to purge> } -IncludeDeletedObjects | Remove-ADObject
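The "Recovering Multiple Objects" and "Considerations" slides above give the rules (enable at WS08 R2 forest level, restore top-down to a live parent, use lastKnownParent/lastKnownRDN, purge from the Deleted Objects container) but not a worked run. The following is an added example, not code from the deck, that enables the feature, rebuilds a deleted OU subtree in top-down order and purges one object. It assumes the ActiveDirectory module on a WS08 R2 DC; the OU name "Sales" and the account "svc-legacy" are constructed, and the domain is whatever Get-ADDomain returns.

```powershell
# Added example: enable Recycle Bin, restore a deleted OU subtree top-down, purge an object.
# Assumptions: ActiveDirectory module on a WS08 R2 DC; 'Sales' and 'svc-legacy' are placeholders.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$deleted = "CN=Deleted Objects,$($domain.DistinguishedName)"

# Enabling is a one-way, forest-wide change that needs the WS08 R2 forest functional level.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); Recycle Bin needs Windows2008R2Forest"
}
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $forest.Name -Confirm:$false

function Restore-DeletedSubtree {
    # Restores $Deleted into $LiveParent, then recurses into its deleted children, so a
    # parent is always live before any child is restored. Identity is the ObjectGUID, not
    # the mangled DN, whose RDN may have been truncated at 128 characters.
    param([Microsoft.ActiveDirectory.Management.ADObject]$Deleted, [string]$LiveParent)

    Restore-ADObject -Identity $Deleted.ObjectGUID -TargetPath $LiveParent
    $live = Get-ADObject -Identity $Deleted.ObjectGUID        # re-read to get the live DN
    Write-Host "restored $($live.DistinguishedName)"

    # A child's lastKnownParent is the parent's mangled DN if the parent was deleted first,
    # or its live DN otherwise; match both so nothing is left behind.
    $mangledDN = $Deleted.DistinguishedName
    $liveDN    = $live.DistinguishedName
    Get-ADObject -SearchBase $deleted -IncludeDeletedObjects -Properties lastKnownParent `
        -Filter { isDeleted -eq $true -and (lastKnownParent -eq $mangledDN -or lastKnownParent -eq $liveDN) } |
        ForEach-Object { Restore-DeletedSubtree -Deleted $_ -LiveParent $liveDN }
}

# Locate the deleted OU: its name is mangled to "Sales\0ADEL:<guid>", so match on the
# prefix plus lastKnownParent, which still holds the OU's old (live) parent.
$parentDN = $domain.DistinguishedName
$ou = Get-ADObject -SearchBase $deleted -IncludeDeletedObjects -Properties lastKnownParent `
    -Filter { isDeleted -eq $true -and objectClass -eq 'organizationalUnit' -and Name -like 'Sales*' -and lastKnownParent -eq $parentDN }
if (-not $ou) { throw 'No deleted OU named Sales found under the Deleted Objects container' }
Restore-DeletedSubtree -Deleted $ou -LiveParent $parentDN

# Purge: a retired account that must never come back is removed from the Deleted Objects
# container directly. Review with -WhatIf, then drop the switch.
Get-ADObject -SearchBase $deleted -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and Name -like 'svc-legacy*' } |
    Remove-ADObject -WhatIf
```

The recursion is what enforces the slide's "top-down" rule: each object is restored with -TargetPath set to a DN that has just been confirmed live by re-reading the parent, rather than trusting the child's lastKnownParent to already point at a live object.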
Managed Service Accounts
Simple management of service accounts
Running services under the context of a domain user account requires cumbersome password management.
Feature takeaways
• Managed Service Accounts provide the isolation that services need along with automatic password management
• Lowers TCO through reduced service outages (for manual password resets and related issues)
• Use one Managed Service Account per Service per Server: a service account cannot be shared by multiple machines
• Better SPN management available within WS08 R2 Domain Functional Mode: allows server renaming without affecting the service account
Using Managed Service Accounts
Provisioning the account in AD
• Create a new MSA on a WS08 R2 DC (New-ADServiceAccount)
• Optionally: Associate the account with a computer (Add-ADServiceAccount)
• Optionally: Delegate administration of the account to the service admin
Provisioning the account on a member server or client
• Install the Managed Service Account on a WS08R2 member server or a Win7 client computer (Install-ADServiceAccount)
Running the service using the MSA
• Using Service Control Manager, run the service using the MSA
Considerations for Managed Service Accounts
• Correct access rights for the MSA are key: assign permissions to an MSA just the way you would assign permissions to a user service account
• SCM grants the MSA the "Log on as a service" (logonAsService) permission on the local system
• For installers which do not let you specify an account without a password: install using a normal user service account, copy its permissions to an MSA, then change the service to use the MSA in SCM
• Scheduled tasks do not run under service accounts
• Service accounts do not work with clustered services
• If the Domain Functional Level is WS08R2, the SPN of service accounts will be updated when the computer running the service accounts is renamed.
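The three MSA phases (provision in AD, install on the host, point the service at it) and the access-rights consideration above are shown together in the following added example, which is not code from the deck. It assumes the WS08 R2 ActiveDirectory module on a DC and on the member server WEB01, and a Windows service named MyAppSvc already installed there; the domain CONTOSO, the group MyApp-Service-Admins, the account and the folder C:\MyApp are constructed placeholders. Two things differ from the slide text and are assumptions here: the released module names the computer-association cmdlet Add-ADComputerServiceAccount (the deck's pre-release name is Add-ADServiceAccount), and sc.exe is used where the deck uses the SCM UI.

```powershell
# Added example: provision an MSA end to end with exactly the rights the service needs.
# Assumptions: WS08 R2 AD module on DC and on WEB01; service 'MyAppSvc' exists on WEB01;
# CONTOSO, MyApp-Service-Admins, svc-myapp-web01 and C:\MyApp are placeholders.
Import-Module ActiveDirectory

# --- On the DC: one MSA per service per server (an MSA cannot be shared across machines) ---
New-ADServiceAccount -Name 'svc-myapp-web01' -Enabled $true -Description 'MyAppSvc on WEB01'
Add-ADComputerServiceAccount -Computer 'WEB01' -ServiceAccount 'svc-myapp-web01'

# Optional delegation: let the application's service admins manage the account's attributes
# through an ACL rule on the account object (assumed delegation model; adjust to your own).
$msaPath = 'AD:\CN=svc-myapp-web01,CN=Managed Service Accounts,DC=contoso,DC=com'
$acl  = Get-Acl -Path $msaPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup 'MyApp-Service-Admins').SID, 'ReadProperty, WriteProperty', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $msaPath -AclObject $acl

# --- On WEB01: install the account locally, then confirm this host can really use it ---
Install-ADServiceAccount -Identity 'svc-myapp-web01'
if (-not (Test-ADServiceAccount -Identity 'svc-myapp-web01')) { throw 'MSA not usable on this host' }

# File rights: what a user service account for this app would get, nothing broader.
icacls 'C:\MyApp' /grant 'CONTOSO\svc-myapp-web01$:(OI)(CI)M'

# Point the service at the MSA. SCM manages the password, so none is supplied, and SCM grants
# the account "Log on as a service" on this machine (sc.exe form assumed; the deck uses the UI).
sc.exe config MyAppSvc obj= 'CONTOSO\svc-myapp-web01$' password= ''
Restart-Service -Name MyAppSvc
```

The Test-ADServiceAccount check is the step worth keeping in any rollout script: it fails when the computer association or the local install was skipped, which otherwise surfaces only as a service start failure after the change window.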
Recycle Bin & Managed Service Accounts
AD Administrative Center
Increase the productivity of IT Pros by providing a scalable, task-oriented UX for managing Active Directory
• Task oriented administration model
• Progressive disclosure of data
• Support for larger datasets
• Consistency between CLI and UI capabilities
• Navigation experience designed to support multi-domain, multi-forest environments
• Foundation for future UI enhancements
Active Directory Best Practices
• Hundreds of best practices
• Change per the environment
• Difficult to separate best practices from “nice to haves”
• Difficult to analyze root cause
AD Best Practice Analyzer
Identify deviations from best practices to help our customers better manage their Active Directory deployments
• Analyzes AD settings that cause most unexpected behavior
• Flags settings/configurations that violate recommended best practices
• Provides guidance only, does not modify settings
• User initiates the scan; it’s not a monitoring solution
• Can scan local as well as remote Domain Controllers
• Quarterly updates post RTM
Initiating a BPA Analysis
• From Server Manager (local + remote)
• From PowerShell (local + remote):
  Import-Module BestPractices
  Invoke-BpaModel Microsoft/BestPractices/DirectoryServices
  Get-BpaResult Microsoft/BestPractices/DirectoryServices
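The three commands above run the scan and dump every result. The following added example (not code from the deck) wraps them so the same scan runs on the local DC and, via PowerShell remoting as the deck mentions for remote DCs, on a second DC, keeps only the findings that need action and exports them. It assumes the WS08 R2 BestPractices module on each DC and remoting enabled on the remote one; the DC name DC02 and the output path are constructed placeholders.

```powershell
# Added example: run the AD DS BPA model locally and remotely, keep actionable findings.
# Assumptions: BestPractices module on each DC, remoting enabled on 'DC02' (placeholder).
$modelId = 'Microsoft/BestPractices/DirectoryServices'

# One scan routine, used locally and shipped unchanged to remote DCs.
$scan = {
    param($ModelId)
    Import-Module BestPractices
    Invoke-BpaModel -ModelId $ModelId | Out-Null      # scan only; BPA never changes settings
    Get-BpaResult -ModelId $ModelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object ComputerName, Severity, Category, Title, Problem, Resolution
}

$findings  = @(& $scan $modelId)                                                    # local DC
$findings += @(Invoke-Command -ComputerName 'DC02' -ScriptBlock $scan -ArgumentList $modelId)

$findings | Sort-Object Severity, ComputerName, Category |
    Format-Table ComputerName, Severity, Title -AutoSize
$findings | Export-Csv -Path 'C:\Audit\ad-bpa-findings.csv' -NoTypeInformation
```

Filtering out Information results and excluded rules is what turns the raw result list into a worklist; the Resolution column carries the guidance text the slide refers to, and since BPA does not change anything, each row still has to be acted on by hand or by a separate script.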
Best Practice Analyzer Rules
DNS Registration/Discovery
SRV/A/AAAA records registered
Topology/connectivity
FSMO role assignment
FSMO availability
Disaster Recovery
Multiple DC per domain
Resultant backup lifetime
Replication
One GC per site
KCC enabled
VM Scenarios
Lingering Object Prevention
Strict Replication Consistency
Time Service
PDC time source
MaxPhaseCorrection limits
Considerations for WS08R2 Manageability Features
DC Requirements
• AD PowerShell and AD Administrative Center talk to the DC via a new service running on the DC called AD Management Gateway Service (AKA AD Web Service).
• AD Management Gateway Service will be available for install on WS08 and WS03 Domain Controllers
• The service requires installing .NET Framework 3.5 SP1 on WS08 and WS03 Domain Controllers
• For service location, a QFE is required on WS08 and WS03 Domain Controllers to register service-specific SRV records in DNS
RSAT Install
• AD PowerShell and AD Administrative Center can be installed on WS08R2 using Server Manager -> Add Features, and on Win7 clients using WS08R2 RSAT
• AD BPA can be triggered on a remote DC (including cross-forest) using Server Manager remoting or PowerShell remoting
Offline Domain Join
Enable easier provisioning of machines in the data center
Inability to prepare the machine to be domain joined while offline
Feature takeaways
• Ability to pre-provision machine accounts in the domain to prepare OS images for mass deployment
• Machines are domain joined on initial boot without network connectivity
• Reduces steps and time needed to deploy in the data center
• Requires a Win7 client and only one WS08 R2 Domain Controller
Using Offline Domain Join
Provisioning the computer account in AD
• Create the computer account on a WS08R2 DC using (djoin.exe /provision /savefile odjDatafile.txt …)
• Send odjDatafile.txt to the provisioning system
Provisioning the machine or VHD
• Insert the binary data into the offline Win7 computer or VHD (djoin /requestODJ /loadfile <filename.txt> …)
• This can also be done using the setup unattend answer file.
Starting the computer
• The Win7 computer is domain joined when it starts.
Authentication Mechanism Assurance
Applications can control access based on authentication strength and method
Customers cannot use authentication type or authentication strength to protect corporate data
Example: control access to resources based on claims such as the use of a smartcard for logon or the certificate having used 2048-bit encryption
Feature takeaways
• Administrators can map certificate issuance policies to groups, which applications can then use to control access to resources
• Based on information obtained during authentication, these additional credential attributes are added to Kerberos tickets and used by claims-aware applications as authorization data
• Requires Windows Server 2008 R2 domain functional level: all domain controllers in the domain need to be WS 2008 R2 DCs
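The mapping from an issuance policy to a group that the slide describes is done by writing the policy's OID object in the Configuration partition. The following is an added example (not code from the deck) that checks the functional level, finds the policy object, validates the target group and creates the link. It assumes the ActiveDirectory module, an issuance policy already published under the display name "Contoso Smartcard Policy" and a universal security group AMA-SmartcardLogon created for this purpose; both names are constructed, and the group constraints checked below (universal, security, no members) are the ones the feature imposes on linked groups.

```powershell
# Added example: link a certificate issuance policy to a group for Authentication Mechanism Assurance.
# Assumptions: ActiveDirectory module; policy 'Contoso Smartcard Policy' and group 'AMA-SmartcardLogon' exist.
Import-Module ActiveDirectory

$domain = Get-ADDomain
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    throw "AMA needs Windows2008R2Domain; current domain mode: $($domain.DomainMode)"
}

# Issuance policies are msPKI-Enterprise-Oid objects under the OID container of the Configuration NC.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"
$policy = Get-ADObject -SearchBase $oidContainer `
    -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(displayName=Contoso Smartcard Policy))' `
    -Properties displayName, 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
if (-not $policy) { throw 'Issuance policy not found in the OID container' }

# A linked group must be a universal security group with no members; check before writing
# so a misconfigured group fails with a clear message instead of a directory error.
$group = Get-ADGroup -Identity 'AMA-SmartcardLogon' -Properties member
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security' -or @($group.member).Count -gt 0) {
    throw 'Group must be a universal security group with no members'
}

# Create the link: policy OID object -> group DN. From now on a logon whose certificate was
# issued under this policy carries the group's SID in the Kerberos ticket.
Set-ADObject -Identity $policy -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify through the back-link on the group.
Get-ADGroup -Identity $group -Properties 'msDS-OIDToGroupLinkBl' |
    Select-Object Name, 'msDS-OIDToGroupLinkBl'
```

Because the group is populated by the KDC at logon rather than by membership, an ACL that grants access only to AMA-SmartcardLogon is what turns "logged on with a smart card under this policy" into an enforceable authorization condition on a file share or an application.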
DSRM Password Sync
Better management of DSRM passwords
It is very easy to lose track of DSRM passwords: the password doesn't need to be changed, and so most of the time it isn’t
Feature takeaways
• Using NTDSUtil you can synchronize the local DSRM password on the DC with the password of a domain user account.
• Through a GPP (Group Policy Preference) scheduled task, keep the DSRM password of all DCs the same.
• Available on WS08R2 and WS08 Domain Controllers
http://blogs.technet.com/askds/archive/2009/03/11/ds-restore-modepassword-maintenance.aspx
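The NTDSUtil synchronization the slide refers to, driven across every DC in the domain over PowerShell remoting, as an added example that is not code from the deck. It assumes the ActiveDirectory module, remoting enabled on the DCs and a dedicated domain user named DsrmSync (constructed) used for nothing else; the success string matched in the output is the one ntdsutil prints on a successful sync and is an assumption here.

```powershell
# Added example: sync the DSRM password of every DC with one domain account via ntdsutil.
# Assumptions: ActiveDirectory module, remoting to the DCs, domain user 'DsrmSync' (placeholder).
Import-Module ActiveDirectory

$syncAccount = 'DsrmSync'

# Rotate the source account first; each DC copies its DSRM password from this account.
$newPassword = Read-Host -AsSecureString 'New DSRM password'
Set-ADAccountPassword -Identity $syncAccount -NewPassword $newPassword -Reset

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # ntdsutil reports as text only, so capture it to tell a failed sync from a silent one.
    $output = Invoke-Command -ComputerName $dc.HostName -ArgumentList $syncAccount -ScriptBlock {
        param($account)
        & ntdsutil.exe 'set dsrm password' "sync from domain account $account" 'q' 'q' 2>&1
    }
    New-Object PSObject -Property @{
        DomainController = $dc.HostName
        Synced           = [bool]($output -match 'synchronized successfully')   # assumed ntdsutil text
        Output           = ($output -join ' ')
    }
}

$results | Format-Table DomainController, Synced -AutoSize
$results | Where-Object { -not $_.Synced } |
    ForEach-Object { Write-Warning "DSRM sync failed on $($_.DomainController): $($_.Output)" }
```

Running this on a schedule after each rotation of DsrmSync is the scripted equivalent of the GPP scheduled task the slide mentions; the per-DC result table is what tells you which DC still has an old DSRM password before you need it during a recovery.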
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.