IT Pro Connections 2009The cutting edge event for IT pros

Active Directory in Depth

Χρήστος Σπανουγάκης MCT, MVP

Agenda

AD module for Windows PowerShell AD Administrative Center AD Best Practice Analyser Managed Service Accounts Offline domain join Authentication mechanism assurance AD Recycle Bin AD Troubleshooting - Discussion

Windows Evolution

Windows PowerShell for AD PowerShell v2 includes an AD Module Comprehensive set of AD cmdlets for AD DS

and AD LDS administration, configuration and diagnostic tasks

Easy to compose and manage complex tasks PowerShell drives for AD

Simple navigation in AD DS, AD LDS and AD Snapshots

Certain tasks can only be achieved through PowerShell

Example (and demo)Import-module ActiveDirectory

New-ADUser -Name “Spanougakis Chris” -SamAccountName “chris" -AccountPassword (ConvertTo-SecureString -AsPlainText “Temp0Pwd0!" -Force) -Enabled $true -ChangePasswordAtLogon $true -GivenName “Chris" -Surname “Spanougakis" -UserPrincipalName “chris@itproconnections.local”-Path “OU=Admins,OU=UK,DC=itproconnections,DC=local"

AD Web Services (ADWS) Demo ADWS is automatically

installed with AD DS and AD LDS

Port 9389 must be open for remote administration

Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008

Does not support instances of AD Mounting Tool

ADWS

PowerShell Cmdlets

AD / GC

9389

389 3268

WS-*

AD LDSinstance

MountedAD instance

LDAP LDAP LDAP

AD Administrative Center

Task-oriented model

Progressive disclosure of data Powerful Searching

Simultaneously connectto other domains

Built on PowerShell Cmdlets

Best Practice Analyser Compares current configuration on DC to best

practice recommendations Scan started via Server Manager or PowerShell

Results through UI and PowerShell output Provides guidance, does not fix problems

Red EyeWarningInformation

Quarterly updates

Domain

Service Accounts

Using built in accounts for services does not provide service isolation

What’s the alternative?Run the services using standard user accounts

How many of you change services account passwords on a regular basis?

Any problems?

Username: SRV1Password: *****

User

Domain accountUsername: SRV1Password: *****

Password changesmust be updatedon the service account

Managed Service Accounts (demo)

Domain

Username: Password:

Domain:example.com

SERVER1

example\svc1$Configure service:Append $ to accountname

Server automatically resets based on “Max machine account password age”

Install-ADServiceAccount svc12

Domain accountname: SVC1

Created in domain:New-ADServiceAccount svc1

1

3

Can reset password withReset-ADServiceAccountPassword svc1

4

Accounts must be created and managedthrough Windows PowerShell

Requirements & Caveats Service / application requiring managed account

must be running on Windows 7 or 2008 R2Requires AD Module for Windows PowerShell to be installed

Forest and domain must be prepared for 2008 R2adprep /forestprep & adprep /domainprep

Managed accounts cannot be shared across multiple servers

In other words.. Use them LOCALLY...

Offline Domain Joins Allows a Windows 7 or Windows 2008 R2

machines to be joined to a domain while offlineOn start up, the machine is already domain joined and there is no reboot requirement

Speeds up deployment of VMs and scripted installs

New section in unattended.xml supports offline domain joins

Simplifies domain joins to RODCs

Online VHD orPhysical systemRequires reboot

Requires /localos

Offline VHD orPhysical system

Djoin.exe (demo)

Windows 7 or 2008 R2 required for Computers running djoin Computers being joined to domain

Domain

Computeraccount object

Computer account metadata.Base-64 encoded, treat as security sensitive

djoin /requestODJ /loadfile <ms1.txt> /windowspath <Windows directory>

Djoin /provision /domain example.com / machine ms1 /savefile ms1.txt

Unattended.xml

Add accountmetadata

Authentication Mechanism Assurance

Allows applications to control access to resources based on authentication strength

For example only allow access to a resource if the user has been authenticated using a SmartCard

Require Windows 2008 R2 domain functionality

Strong authenticationNormal authentication

Restricted access Fullaccess

Resource Access Control When a certificate based logon method is used

an administrator-designated universal group is added to the user’s Kerberos token

This group is then used to control access to resources It is possible to add different groups based on

the type of certificate used to logonAccess to resources can consequently be based on the certificate type

Recycle Bin for AD Requires 2008 R2 Forest functionality PowerShell driven

Enable-ADOptionalFeature ‘Recycle Bin Feature’ –Scope ForestOrConfigurationSet –Target ‘forest’

Once enabled cannot be disabledGet-ADObject –LDAPFilter {} –IncludeDeletedObjectsRestore-ADObject –Identity <id>Parent object must be restored in advance of child object

Restores all attributes including linked Attributes

No Recycle Bin

Re-animate API restores objects while on-lineMany attributes missing

Re-animation does not restore multi-valued linked attributes such as group membership

Live object

TombstoneobjectDelete

Majority of attributes deleted

Garbagecollection X

Purged fromdirectory

Tombstone lifetime (180 days)Offline authoritative restore

Recycle Bin Enabled (demo)

All attributes restored

Live object

Garbagecollection X

Purged fromdirectory

Recycledobject

Deleted object lifetime (180 days)

Tombstone lifetime (180 days)

DeleteDeletedobject

All attributes retained

Online undelete

The Path to Windows Server 2008 R2

Prep forest and domain for Windows 2008 R2 Windows 7 clients can be provision with offline

domain joins against existing 2003/2008 infrastructure

Install Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers

Use AD PowerShell and ADAC running on Windows 7 Upgraded servers can use Managed Service

Accounts

Functional Levels Switches to R2 domain and forest functionality

are reversibleUse PowerShell to reverseSet-ADForestMode -Identity itproconnections.local -ForestMode Windows2008ForestCannot be reversed once Recycle Bin is enabled

2008 R2 domain functionality for:Authentication Mechanism AssuranceSPN management for Manage Service Accounts

2008 R2 forest functionality allows Recycle Bin to be enabled