Windows Server 2008 R2 is here, with new tools and utilities for the directory service IT pro to help you manage and maximise the potential of your Active Directory. What's going to be your favourite new feature? Maybe it's the Best Practice Analyser that will scan your infrastructure and point out both compliant and noncompliant aspects of your environment together with suggestions for improvements. Do you want tools to simplify your day-to-day management of the AD? There's a new kid on the block, the Active Directory Administrative Center. Built on Windows PowerShell technology it provides a rich GUI allowing you to perform common Active Directory tasks through both data-driven and task-driven navigation. Not a GUI fan? Then R2 brings you more than 85 PowerShell Cmdlets to allow you to manage, diagnose, and automate AD tasks from the command-line or PowerShell scripts. Maybe your favourite will be the recycle bin allowing you to recover deleted objects while the directory is online or the ability to perform offline domain join allowing you to streamline your deployments. There are more choices, come to this high-energy, fast paced, demo rich presentation and get all the details

2. What's Windows Server 2008 R2 Going to Do for Your Active Directory? John Craddock Infrastructure & Security Architect XTSeminars Ltd Session Code: SIA319

3. Agenda AD module for Windows PowerShell AD Administrative Center AD Best Practice Analyser Managed Service Accounts Offline domain join Authentication mechanism assurance AD Recycle Bin

4. Windows PowerShell for AD PowerShell v2 includes an AD Module Comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks Easy to compose and manage complex tasks PowerShell drives for AD Simple navigation in AD DS, AD LDS and AD Snapshots Certain tasks can only be achieved through PowerShell

5. Example Import-module ActiveDirectory New-ADUser -Name “Craddock John” -SamAccountName “jcraddock" -AccountPassword (ConvertTo-SecureString-AsPlainText “Temp0Pwd0!" -Force) -Enabled $true -ChangePasswordAtLogon $true -GivenName “John" -Surname “Craddock" -UserPrincipalName “jcraddock@example.com”-Path “OU=Admins,OU=UK,DC=example,DC=com"

6. AD Web Services (ADWS) ADWS is automatically installed with AD DS and AD LDS Port 9389 must be open for remote administration Active Directory Management Gateway (ADMG) service available for Windows Server 2003 and 2008 Does not support instances of AD Mounting Tool PowerShell Cmdlets WS-* 9389 ADWS LDAP LDAP LDAP 3268 389 AD / GC AD LDSinstance MountedAD instance

7. AD Administrative Center Built on PowerShell Cmdlets Task-oriented model Simultaneously connectto other domains Progressive disclosure of data Powerful Searching

8. Best Practice Analyser Compares current configuration on DC to best practice recommendations Scan started via Server Manager or PowerShell Results through UI and PowerShell output Provides guidance, does not fix problems Red Eye Warning Information Quarterly updates

9. Collecting and Analysing Data XML Schema Validation AD DS BPAPowerShell Script Collects data XML Results document AD DS BPArule set AD DS BPAReport Analysis BPA Run Time AD DS BPAguidance

10. Service Accounts Username: SRV1 Password: ***** Password changesmust be updatedon the service account Domain accountUsername: SRV1 Password: ***** Using built in accounts for services does not provide service isolation What’s the alternative? Run the services using standard user accounts How many of you change services account passwords on a regular basis? Any problems?

11. Managed Service Accounts Configure service: Append $ to accountname examplevc1$ Username: Password: Domain: example.com Domain accountname: SVC1 3 1 Created in domain: New-ADServiceAccount svc1 2 Install-ADServiceAccount svc1 4 Server automatically resets based on “Max machine account password age” Can reset password withReset-ADServiceAccountPassword svc1 Accounts must be created and managedthrough Windows PowerShell SERVER1

12. Requirements & Caveats Service / application requiring managed account must be running on Windows 7 or 2008 R2 Requires AD Module for Windows PowerShell to be installed Forest and domain must be prepared for 2008 R2 adprep /forestprep & adprep /domianprep 2008 R2 domain functional level adds SPN management Managed accounts cannot be shared across multiple servers

13. Offline Domain Joins Allows a Windows 7 or Windows 2008 R2 machines to be joined to a domain while offline On start up, the machine is already domain joined and there is no reboot requirement Speeds up deployment of VMs and scripted installs New section in unattended.xml supports offline domain joins Simplifies domain joins to RODCs

14. Djoin.exe Djoin /provision /domain example.com / machine ms1 /savefile ms1.txt Computer account metadata. Base-64 encoded, treat as security sensitive Computeraccount object djoin /requestODJ /loadfile <ms1.txt> /windowspath <Windows directory> Requires /localos Add accountmetadata Online VHD or Physical system Requires reboot Offline VHD or Physical system Unattended.xml Windows 7 or 2008 R2 required for Computers running djoin Computers being joined to domain

15. Authentication Mechanism Assurance Restricted access Fullaccess Strong authentication Normal authentication Allows applications to control access to resources based on authentication strength For example only allow access to a resource if the user has been authenticated using a SmartCard Require Windows 2008 R2 domain functionality

16. Resource Access Control When a certificate based logon method is used an administrator-designated universal group is added to the user’s Kerberos token This group is then used to control access to resources It is possible to add different groups based on the type of certificate used to logon Access to resources can consequently be based on the certificate type

17. Recycle Bin for AD Requires 2008 R2 Forest functionality PowerShell driven Enable-ADOptionalFeature ‘Recycle Bin Feature’ –Scope ForestOrConfigurationSet –Target ‘forest’ Once enabled cannot be disabled Get-ADObject –LDAPFilter {} –IncludeDeletedObjects Restore-ADObject –Identity <id> Parent object must be restored in advance of child object Restores all attributes including linked Attributes

18. No Recycle Bin Majority of attributes deleted Garbagecollection X Live object Tombstoneobject Delete Purged fromdirectory Offline authoritative restore Tombstone lifetime (180 days) Re-animate API restores objects while on-line Many attributes missing Re-animation does not restore multi-valued linked attributes such as group membership

19. Recycle Bin Enabled All attributes retained Live object Deletedobject Delete Deleted object lifetime (180 days) Online undelete Garbagecollection Recycledobject X Purged fromdirectory Tombstone lifetime (180 days) All attributes restored

20. Other Thoughts Backups are valid for max of smallest value of DOL or TSL Best practice recommendation DOL = TSL Anticipated database growth 5-10% On deletion, regulatory compliance may not allow retained of full copy of deleted object Permanently delete with Get-Adobject –LDAPFilter {} –IncludeDeletedObjects | Remove-ADObject

21. What to Know More? Come to my session SIA402 Online Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin Friday 13/11/2009 13:00-14:15 Budapest - Hall 7-2b

22. The Path to Windows Server 2008 R2 Prep forest and domain for Windows 2008 R2 Windows 7 clients can be provision with offline domain joins against existing 2003/2008 infrastructure Install Active Directory Management Gateway (ADMG) service on Windows 2003/2008 servers Use AD PowerShell and ADAC running on Windows 7 Upgraded servers can use Managed Service Accounts

23. Functional Levels Switches to R2 domain and forest functionality are reversible Use PowerShell to reverse Cannot be reversed once Recycle Bin is enabled 2008 R2 domain functionality for: Authentication Mechanism Assurance SPN management for Manage Service Accounts 2008 R2 forest functionality allows Recycle Bin to be enabled

24. What’s your Favourite? AD module for Windows PowerShell AD Administrative Center AD Best Practice Analyser Managed Service Accounts Offline domain join Authentication mechanism assurance AD Recycle Bin

25. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. www.microsoft.com/teched Sessions On-Demand & Community www.microsoft.com/learning Microsoft Certification & Training Resources http://microsoft.com/technet Resources for IT Professionals http://microsoft.com/msdn Resources for Developers Resources

26. Related Content Required Slide Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session. Breakout Sessions: SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin SVR317 Managing Windows Server 2008 R2 and Windows 7 with Windows PowerShell V2 Interactive Theater Sessions : SIA02-IS Active Directory: What's New in R2 Hands-on Labs: WSV03-HOL Advanced Windows PowerShell Scripting WSV20-HOL Windows Server 2008 R2: What's New in Microsoft Active Directory

27. My Sessions at TechEd Required Slide Speakers, please list the Breakout Sessions, TLC Interactive Theaters and Labs that are related to your session. Breakout Sessions: SIA319 What's Windows Server 2008 R2 Going to Do for Your Active Directory? SIA402 Recovery of Active Directory Deleted Objects and the Windows Server 2008 R2 Recycle Bin SVR401 DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and Transition Technologies SVR402 DirectAccess Technical Drilldown, Part 2 of 2: Putting It All Together Interactive Theater Sessions: SVR08-IS End-to-End Remote Connectivity with DirectAccess

28. Required Slide Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

30. Required Slide © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.