IT Pro Connections 2009 The cutting edge event for IT pros Active Directory in Depth Χρήστος Σπανουγάκης MCT, MVP

Agenda  AD module for Windows PowerShell  AD Administrative Center  AD Best Practice Analyser  Managed Service Accounts  Offline domain join  Authentication mechanism assurance  AD Recycle Bin  AD Troubleshooting - Discussion

Windows Evolution

Windows PowerShell for AD  PowerShell v2 includes an AD Module  Comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks  Easy to compose and manage complex tasks  PowerShell drives for AD Simple navigation in AD DS, AD LDS and AD Snapshots  Certain tasks can only be achieved through PowerShell

Example (and demo) Import-module ActiveDirectory New-ADUser -Name “Spanougakis Chris” -SamAccountName “chris" -AccountPassword (ConvertTo-SecureString -AsPlainText “Temp0Pwd0!" -Force) -Enabled $true -ChangePasswordAtLogon $true -GivenName “Chris" -Surname “Spanougakis" -UserPrincipalName -Path “OU=Admins,OU=UK,DC=itproconnections, DC=local"

AD Web Services (ADWS) Demo  ADWS is automatically installed with AD DS and AD LDS Port 9389 must be open for remote administration  Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008 Does not support instances of AD Mounting Tool ADWSADWS PowerShell Cmdlets AD / GC WS-* AD LDS instance Mounted AD instance LDAP

AD Administrative Center Task-oriented model Progressive disclosure of data Powerful Searching Simultaneously connect to other domains Built on PowerShell Cmdlets

Best Practice Analyser  Compares current configuration on DC to best practice recommendations  Scan started via Server Manager or PowerShell Results through UI and PowerShell output  Provides guidance, does not fix problems Red Eye Warning Information  Quarterly updates

Collecting and Analysing Data BPA Run Time AD DS BPA PowerShell Script Collects data XML Schema XML Results document AD DS BPA guidance AD DS BPA rule set AnalysisAnalysis ValidationValidation AD DS BPA Report

Service Accounts  Using built in accounts for services does not provide service isolation  What’s the alternative? Run the services using standard user accounts  How many of you change services account passwords on a regular basis? Any problems? Username: SRV1 Password: ***** Domain account Username: SRV1 Password: ***** Password changes must be updated on the service account

Managed Service Accounts (demo) Username: Password: Domain: example.com SERVER1 example\svc1$ Configure service: Append $ to account name Server automatically resets based on “Max machine account password age” Install-ADServiceAccount svc1 22 Domain account name: SVC1 Created in domain: New-ADServiceAccount svc Can reset password with Reset-ADServiceAccountPassword svc1 44 Accounts must be created and managed through Windows PowerShell

Requirements & Caveats  Service / application requiring managed account must be running on Windows 7 or 2008 R2 Requires AD Module for Windows PowerShell to be installed  Forest and domain must be prepared for 2008 R2 adprep /forestprep & adprep /domainprep  Managed accounts cannot be shared across multiple servers  In other words.. Use them LOCALLY...

Offline Domain Joins  Allows a Windows 7 or Windows 2008 R2 machines to be joined to a domain while offline On start up, the machine is already domain joined and there is no reboot requirement  Speeds up deployment of VMs and scripted installs  New section in unattended.xml supports offline domain joins  Simplifies domain joins to RODCs

Online VHD or Physical system Requires reboot Requires /localos Offline VHD or Physical system Djoin.exe (demo)  Windows 7 or 2008 R2 required for Computers running djoin Computers being joined to domain Computer account object Computer account metadata. Base-64 encoded, treat as security sensitive djoin /requestODJ /loadfile /windowspath Djoin /provision /domain example.com / machine ms1 /savefile ms1.txt Unattended.xml Add account metadata

Authentication Mechanism Assurance  Allows applications to control access to resources based on authentication strength For example only allow access to a resource if the user has been authenticated using a SmartCard  Require Windows 2008 R2 domain functionality Strong authenticationNormal authentication Restricted access Full access

Resource Access Control  When a certificate based logon method is used an administrator-designated universal group is added to the user’s Kerberos token This group is then used to control access to resources  It is possible to add different groups based on the type of certificate used to logon Access to resources can consequently be based on the certificate type

Recycle Bin for AD  Requires 2008 R2 Forest functionality  PowerShell driven Enable-ADOptionalFeature ‘Recycle Bin Feature’ –Scope ForestOrConfigurationSet –Target ‘forest’ Once enabled cannot be disabled Get-ADObject –LDAPFilter {} –IncludeDeletedObjects Restore-ADObject –Identity Parent object must be restored in advance of child object  Restores all attributes including linked Attributes

No Recycle Bin  Re-animate API restores objects while on-line Many attributes missing  Re-animation does not restore multi-valued linked attributes such as group membership Live object Tombstone object DeleteDelete Majority of attributes deleted Garbage collection X Purged from directory Tombstone lifetime (180 days) Offline authoritative restore

Recycle Bin Enabled (demo)  All attributes restored Live object Garbage collection X Purged from directory Recycled object Deleted object lifetime (180 days) Tombstone lifetime (180 days) DeleteDelete Deleted object All attributes retained Online undelete

The Path to Windows Server 2008 R2  Prep forest and domain for Windows 2008 R2  Windows 7 clients can be provision with offline domain joins against existing 2003/2008 infrastructure  Install Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers Use AD PowerShell and ADAC running on Windows 7  Upgraded servers can use Managed Service Accounts

Functional Levels  Switches to R2 domain and forest functionality are reversible Use PowerShell to reverse Set-ADForestMode -Identity itproconnections.local - ForestMode Windows2008Forest Cannot be reversed once Recycle Bin is enabled  2008 R2 domain functionality for: Authentication Mechanism Assurance SPN management for Manage Service Accounts  2008 R2 forest functionality allows Recycle Bin to be enabled

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.