Active Directory and all that you can do with it has come a long way in the last ten years. Are you really using everything that is in there to get the best bang for your buck? Learn how to make your life easier with things like the Active Directory RecycleBin to save you from those “oops” moments we’ve all encountered. Explore how the improved management interfaces including PowerShell support will make administration less time consuming and more automated. Implement multiple password policies and enhanced Group Policies to keep the security group and user community in harmony. On top of all that, architectural changes like Read Only Domain Controllers, Server Core implementations and Offline Domain Join capabilities can make you a hero, keep your organization more secure and save you time – it just gets better. If you are ready to transition your cushy family sedan implementation of Active Directory into a tweaked out street-legal sports coupe – this demo intensive scenario session is for you. Come learn what you need to know to get your Active Directory firing on all cylinders and map out the road to Active Directory nirvana.
JUNE 7-10, 2010 | NEW ORLEANS, LA
Turbo Charge Your Active Directory Implementation
Rick Claus
Sr. Technical Evangelist
Microsoft Canada
@RicksterCDN
SESSION CODE: WSV330
Agenda – Real Simple…
Set the stage – where’s Active Directory at with you?
Intro Session Scenario – Contoso inc.
Demos
More Demos…
Even More Demos!
Action Plan
Active Directory is 10 years old…
Where were you 10 years ago?
What did your network look like?
Active Directory Solved a LOT of issues
Now the party is over….
When was the last time AD design / functionality revisited?
How did you get your Active Directory?
• Designed it yourself
• Had consulting assistance
• Not involved with project
• Inherited it after it was done
• Just moved into role – no idea on design choices
[Chart values: 3%, 24%, 29%, 16%, 27%, 2%]
Active Directory Version
• 2000
• 2003
• 2003 R2
• 2008
• 2008 R2
• Other (NT4)
58% are missing out on solutions that can make their lives easier!
Scenario for this session – Contoso Bank
You are Admin @ Contoso
Your environment is the following:
• Running Active Directory @ 2003 levels
• Multiple regional offices
• Basic functionality of AD
• Multiple DCs
• Multi-Master DNS
• Site design correctly implemented
“Challenges” at Contoso
• Multiple skill levels of admins
• Security at remote offices
• Deployment of new workstations
• CIO / CEO / users / admins with one password policy
Let’s get to it!
Tweak & Tune your AD with the following:
Upgrade / Migrate to 2008 R2
Lookin’ at Server Core and RODC options
Active Directory RecycleBin
Support Multiple PW Policies
Better Service Account Management
Improved Management Tools
Offline Domain Join for deployments
Upgrade or Migration?
X86 = NO DIRECT “in place” UPGRADE PATH:-(
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory® and DNS Migration
Pre-Migration, Migration
Migration planning
• Number of network interface cards (NICs)
Prepare source server
• Back up
• Collect migration data
Prepare destination server
• Install Windows Server 2008 R2
• Assign temporary server name
• Assign temporary IP address
• Join domain
Make destination server a domain controller
Post-Migration (Optional)
Manually migrate DNS server settings
Transfer FSMO roles
Migrate IP address and rename servers
Perform verification steps
Retire source server
Roll back migration
Troubleshoot migration
Windows Server Migration Tools
Migration Cmdlet: Description
• Get-SmigServerFeature: Discovers features available for migration and features in the migration store available for import
• Export-SmigServerSetting: Exports specified role, feature, and OS settings to a migration store
• Import-SmigServerSetting: Imports specified role, feature, and OS settings from a migration store
• Send-SmigServerData: Transfers data and shares, preserving local and domain permissions
• Receive-SmigServerData: Receives transferred data
[Diagram: Source Server (Export-SmigServerSetting, Send-SmigServerData) and Destination Server (Import-SmigServerSetting, Receive-SmigServerData); labels: Export Settings, Temp Storage, Import Settings, Transfer Data and Shares]
Upgrade / Migration
You just have to do it. You won’t regret it.
Demo
Seize the Opportunity
Doing same thing can lead to same results
Core Installs of Server 2008 R2 vs full installs
Physical or Virtual?
Read Only Domain Controllers?
Minimize impact on rollout process
Server Core Domain Controllers
Easier to Secure, Manage, and Maintain
Supports Key Infrastructure Roles
Minimal Server Installation
Supports Unattended Installation
Reduced Attack Surface
Less Disk Space Required
~1GB
Reduced Software Maintenance
Reduced Management
Refine / Redesign
Deploying Core DCs with Remote Management
Demo
Implement AD “oops” Recycle Bin
Ever had someone with too many rights?
“Lost” anything in AD and needed it back?
Active Directory Recycle Bin
Setup Requirements
• Adprep must be used for Windows Server 2003 and Windows Server 2008 forest
• All domain controllers in your Active Directory forest are running Windows Server 2008 R2
• Raise the functional level of your Active Directory forest to Windows Server 2008 R2
The process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
• Reduces Downtime and Effort
• AD Objects Are Preserved
• Functional for AD DS and AD LDS
• Use LDP.exe or Windows PowerShell Cmdlets
Implement “oops” RecycleBin
Keep from #clausing yourself
Demo
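The setup requirements above, checked and applied with the Active Directory module, followed by a restore. This is an added example, not code from the original deck; the forest name contoso.com and the deleted user jsmith are assumptions, and Adprep is assumed to have been run already when the Windows Server 2008 R2 domain controllers were introduced.

```powershell
# Added example, not from the original deck. Assumed names: contoso.com, jsmith.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'contoso.com'

# Requirement: every domain controller in the forest runs Windows Server 2008 R2 (6.1) or later.
$legacyDCs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain | Where-Object {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep only the major.minor part.
        [version]($_.OperatingSystemVersion -replace '\s*\(.*$') -lt [version]'6.1'
    }
}
if ($legacyDCs) {
    $legacyDCs | ForEach-Object { Write-Warning "$($_.HostName): $($_.OperatingSystem)" }
    throw 'Upgrade or retire these domain controllers before continuing.'
}

# Requirement: forest functional level is Windows Server 2008 R2.
if ($forest.ForestMode -lt 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest
}

# Enabling is irreversible, so the cmdlet's confirmation prompt is left in place.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# The "oops" moment: find the deleted user and see where it used to live.
$deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
    -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jsmith"'
$deleted | Format-List Name, lastKnownParent, whenChanged

# Restore to the original container, asking for confirmation first.
$deleted | Restore-ADObject -Confirm
```

Only objects deleted after the feature is enabled can be restored this way, so enable it before the first “oops” rather than after.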
Updating Password Policy
Why?
• Complexity = circumvention
• Find right level of usability
Requirements for Multiple policies?
• Old way = domains
• New way = Password Settings Object
Password
IL0veMyK1ds!
Secure PW Policy
Creating Password Setting Objects
Demo
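One way to give Contoso's admins and executives their own policies with Password Settings Objects, using the Active Directory module. This is an added example, not part of the original deck; the group names, the user ceo01 and every policy value are assumptions chosen for illustration.

```powershell
# Added example, not from the original deck. The group names, the user "ceo01"
# and all policy values are assumptions chosen for illustration.
Import-Module ActiveDirectory

# Needs the Windows Server 2008 domain functional level or higher.
# A PSO applies to users and global security groups, never to an OU.
$policies = @(
    @{ Name = 'PSO-Admins';     Group = 'Contoso-Admins';     Precedence = 10; MinLength = 15; MaxAgeDays = 30 },
    @{ Name = 'PSO-Executives'; Group = 'Contoso-Executives'; Precedence = 20; MinLength = 12; MaxAgeDays = 60 }
)

foreach ($p in $policies) {
    New-ADFineGrainedPasswordPolicy -Name $p.Name `
        -Precedence $p.Precedence `
        -MinPasswordLength $p.MinLength `
        -MaxPasswordAge (New-TimeSpan -Days $p.MaxAgeDays) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)

    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# A user in both groups gets the PSO with the lowest Precedence value (PSO-Admins).
# No output means no PSO applies and the domain-wide policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'ceo01' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge

# Audit: which PSOs exist and who they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```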
How About Service Accounts?
• Domain-Based Service Accounts Managed by AD
• Enhanced Security
• Less Disruption of Service
• Reduce Recurrent Administrative Tasks
Administrative Benefits
• Create class domain accounts
• Accounts are now reset automatically
• SPN management tasks are not completed
• Can be delegated to non-administrators
[Diagram labels: SQL, IIS, Managed Service Account, Local Accounts, Virtual Accounts]
Securing Service Accounts
Simplifying password management for Service Accounts
Demo
Managing AD – your options…
Updated Server Manager: Provides a unified experience for adding, configuring, and managing servers
New in Windows Server 2008 R2!
• Over 15 new role services and features added
• New configurations added for Scan Server, AD CS, and Remote Desktop Services
• Remoting and Windows PowerShell
• Integration with BPA
Managing AD – your options…
Customizable GUI
Active Directory Administrative Center
New ways to Manage AD
A plethora of tools - what fits for you?
Demo
Windows PowerShell™ 2.0 – Manage for Scale
New Functionality
• Active Directory module provider
• Active Directory module cmdlets
• Windows PowerShell Integrated Scripting Environment (ISE)
• Out-GridView cmdlet
• Performance counters
Active Directory Module in Windows Server 2008 R2
• A Windows PowerShell module
• Manage AD domains and Lightweight Directory Services (LDS) configuration sets
• AD Database Mounting Tool instance
Special Considerations
• Only installs on Windows Server 2008 R2
• At least one Windows Server 2008 R2 domain controller or LDS configuration set
• Windows 7 and Remote Server Administration Tools (RSAT)
Manage for scale
Obligatory PowerShell CLI Goodness
Demo
Offline Domain Joins
• Reduces time and effort for large-scale deployments
• Establishes trust between operating system and Active Directory Domain
• Djoin.exe
Advantages
• AD state changes are completed without network traffic to the computer
• Computer state changes are completed without any network traffic to a domain controller
• Each change can be completed at different times
Special Considerations
• Run on Windows® 7 or Windows Server 2008 R2
• Must have user rights to join workstation to the domain
• Defaults target domain controller running a version of Windows Server 2008 R2
Offline Domain Joins
Simplify your desktop deployment automation!
Demo
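The two halves of an offline domain join with Djoin.exe, showing the AD-side change and the computer-side change as separate steps that can run at different times. This is an added example, not part of the original deck; the function names New-OdjBlob and Import-OdjBlob are hypothetical helpers, and contoso.com, WKS-0142, the OU and the file path are assumptions.

```powershell
# Added example, not from the original deck. New-OdjBlob / Import-OdjBlob are hypothetical
# helper names; contoso.com, WKS-0142, the OU and the file path are assumed values.

# Stage 1: run on a domain-joined Windows 7 / Windows Server 2008 R2 machine, as a user
# with the right to join computers to the domain. Only Active Directory changes here.
function New-OdjBlob {
    param([string]$Domain, [string]$Machine, [string]$MachineOU, [string]$Path)

    djoin.exe /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $Path
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed ($LASTEXITCODE)" }

    # The blob carries the new computer account's password: restrict the file to the
    # current user and handle it like a credential while it is in transit.
    icacls.exe $Path /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R,D)" | Out-Null
}

# Stage 2: run elevated on the new workstation; no connection to a domain controller is
# needed. Only the local computer changes here, and the join completes on the next reboot.
function Import-OdjBlob {
    param([string]$Path)

    djoin.exe /requestODJ /loadfile $Path /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed ($LASTEXITCODE)" }

    Remove-Item -Path $Path -Force   # do not leave the consumed blob on disk
    Restart-Computer
}

# Provisioning side:
New-OdjBlob -Domain 'contoso.com' -Machine 'WKS-0142' `
    -MachineOU 'OU=Workstations,DC=contoso,DC=com' -Path 'C:\odj\WKS-0142.txt'

# Workstation side, after the file has been copied over by the deployment process:
# Import-OdjBlob -Path 'C:\odj\WKS-0142.txt'
```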
Action Plan
Start your Migration planning!
Do Your Research
Align functionality with Business Needs
Get started now. No really. Get started!
I <3 AD
Related Content
• WSV201 - 10 Hot Topics Every IT Admin Needs to Know about Windows Server 2008 R2
• WSV301 - Administrators’ Idol: Windows and Active Directory Best Practices
• WSV332 – Windows Server 2008 R2 Deployment with Microsoft Deployment Toolkit (MDT)
• WSV334 – Windows Server 2008 R2: Tips on Automating and Managing the Breadth of Your IT Environment
• WSV08-HOL - What’s New in Active Directory (V3.0)
• WSV10-HOL - Deploying Windows Server 2008 R2 with Microsoft Deployment Toolkit (MDT) 2010
• WSV07-INT - New Remote Management Technologies in Windows Server 2008 R2
• WSV09-INT - Server Deployment and Maintenance in Windows Server 2008 R2
• TLC-54 - Windows PowerShell and Server Management
• TLC-61 - Windows Server Solutions
Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
Appendix: Resources and Links
• Active Directory Domain Services and DNS Server Migration Guide: http://technet.microsoft.com/en-us/library/dd379558(WS.10).aspx
• Migrate Server roles to Windows 2008 R2: http://technet.microsoft.com/en-us/library/dd365353(WS.10).aspx
• What’s New in AD in Windows Server 2008 R2: http://technet.microsoft.com/en-us/library/dd378796(WS.10).aspx
• What’s New in Windows Server Manager in Windows 2008 R2: http://technet.microsoft.com/en-us/library/dd378896(WS.10).aspx
• What’s New in Server 2008 R2 AD DCs: http://technet.microsoft.com/en-us/magazine/ff679947.aspx
• Active Directory Recycle Bin – Step by Step: http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx
• AD Fine Grained Password and Lockout Policy Step by Step: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
• Ask the Directory Services Team Blog (Ned Pyle – you’re my hero): http://blogs.technet.com/b/askds
• Active Directory Recycle Bin (Joey Snow on Edge): http://edge.technet.com/Media/Active-Directory-Recycle-Bin/
edge.technet.com
blogs.technet.com/canitpro
poshoholic.com
www.energizedtech.com