Steve Clines What’s New in Windows Server 2008 AD? Active Directory

Post on 26-Mar-2015

Page 1: Title slide

Steve Clines
What’s New in Windows Server 2008 AD?
Active Directory

Page 2: Agenda

1. Active Directory Overview
2. Active Directory Domain Services
3. Active Directory LDS
4. Active Directory Federation Services
5. Active Directory Certificate Services
6. Active Directory RMS

Page 3: The AD Umbrella

Diagram of the five roles grouped under the Active Directory umbrella: Domain Services, Federation Services, LDS, RMS, Certificate Services.

Page 4: AD at a Glance

- AD DS: provides directory-based authentication/authorization services in support of Microsoft-based networked services and applications
- AD LDS: provides an LDAP-accessible directory service that supports identity management scenarios
- AD FS: provides federation services supporting single sign-on to web applications
- AD CS: provides PKI certificate issuance, management, and revocation services
- AD RMS: provides a solution to secure how users utilize content (e.g. Office documents)

Page 5: What’s new in AD DS?

- Read-only Domain Controllers
- Fine-grained Password Policies
- Windows Server 2008 Server Core
- DNS updates
- New management functionality

Page 6: Read-only Domain Controllers

- Problems with normal DCs
  - Didn’t work well in branch offices
  - Must be physically secured
  - No administrative delegation
- RODCs to the rescue
  - Read-only replica of the AD partitions
  - Allows for (inbound) replication from a R/W DC
  - Does not cache the domain krbtgt password
  - Does not cache user passwords by default

Page 7: RODC Functionality

Diagram: Main Office and Branch Office. Normal AD replication flows from the main office DC to the branch office RODC; the RODC reads but never writes back.

Page 8: RODC Prerequisites

- The PDC emulator role holder must be running Windows Server 2008
- The replication partner of the RODC must run Windows Server 2008
- Windows Server 2003 native mode (functional level) or higher
- Run ADPREP /RODCPREP on the existing forest (if it is not a native 2008 forest)
- No writeable DC in the same domain/site as the RODC

Page 9: RODC Admin Separation

- Can specify RODC administrators at DCPROMO time
- Use the DSMGMT command line tool to specify delegated administrators afterwards

Page 10: RODC Credential Caching

- Passwords are not cached by default
- Controlled with the Password Replication Policy
- Can be set at RODC install time or afterwards
- Cached passwords can be reset if the RODC becomes compromised
- Demo

Page 11: Filtered RODC Replication

- Control over which attributes should not be replicated to an RODC for security reasons
- Forest level; configured in the schema
- Works best in a 2008 native forest, as 2003 DCs do not know about the filtered set.
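The following is an added example, not code from the presentation: it reviews the two RODC exposure controls from pages 10 and 11 from a defender's seat, the Password Replication Policy (and the accounts whose secrets have actually been cached), and the schema attributes in the RODC filtered attribute set. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT with ADWS, not the 2008 RTM Server Core box) and an RODC named RODC01; both are assumptions.

```powershell
# Added example (not from the slides). Assumes the ActiveDirectory module
# and an RODC called RODC01; the domain is whatever the module is joined to.
Import-Module ActiveDirectory

function Get-RodcExposure {
    param([string]$RodcName = 'RODC01')

    # Password Replication Policy: who may and may not have credentials cached
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied

    # Accounts whose secrets are really present on this RODC right now; these are
    # the ones that need a reset if the box is lost or compromised (page 10)
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts

    [pscustomobject]@{
        Rodc     = $RodcName
        Allowed  = @($allowed  | Select-Object -ExpandProperty Name)
        Denied   = @($denied   | Select-Object -ExpandProperty Name)
        Revealed = @($revealed | Select-Object -ExpandProperty SamAccountName)
    }
}

function Get-RodcFilteredAttributes {
    # searchFlags bit 10 (0x200 = 512) marks an attribute as part of the RODC
    # filtered attribute set (page 11). The LDAP_MATCHING_RULE_BIT_AND rule
    # (OID 1.2.840.113556.1.4.803) selects schema entries with that bit set.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=512)' `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}

function Reset-RevealedUserPasswords {
    # Post-compromise step from page 10: reset every cached user account to a
    # random password and force a change at next logon. Computer accounts and
    # the RODC's own krbtgt_* account are left to the normal RODC clean-up.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$RodcName = 'RODC01')
    Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Where-Object { $_.ObjectClass -eq 'user' }
    foreach ($acct in $revealed) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Reset password')) {
            $new = [System.Web.Security.Membership]::GeneratePassword(24, 6)
            Set-ADAccountPassword -Identity $acct -Reset -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
            Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
        }
    }
}

# Usage (run on a management host with the module installed):
Get-RodcExposure -RodcName 'RODC01' | Format-List
Get-RodcFilteredAttributes | Format-Table -AutoSize
# Reset-RevealedUserPasswords -RodcName 'RODC01' -WhatIf   # dry run first
```

The Revealed list is the one to watch: a name in Allowed only means caching is permitted, while a name in Revealed means the secret has been replicated to the branch and is in scope for any compromise of that hardware.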

Page 12: RODC DNS Impacts

- Any AD-integrated DNS zone on an RODC is read-only
- The RODC does not auto-register itself with NS records
- Clients therefore can’t register new records on an RODC DNS server:
  - the RODC DNS server issues a referral to a writeable DNS server
  - the RODC DNS server then pulls down the new record

Page 13: Fine-grained Password Policy

- Previously, password and account lockout policy could only be set by the Default Domain Policy GPO
- Can be applied to security groups and/or individual users
- Steps to implement:
  1. Create a Password Settings Object (PSO)
  2. Apply the PSO to objects via their DN
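As an added example (not from the slides), the two steps above carried out with the ActiveDirectory module cmdlets, plus a check of which policy a given user actually ends up with. It assumes the module is available (Windows Server 2008 R2 or RSAT with ADWS; on 2008 RTM the same msDS-PasswordSettings object is created with ldifde or ADSI Edit and msDS-PSOAppliesTo holds the target DN), a group named Tier0-Admins and a user named alice; all three are assumptions.

```powershell
# Added example (not from the slides). Assumes the ActiveDirectory module and
# a security group "Tier0-Admins" in the current domain.
Import-Module ActiveDirectory

function New-AdminPasswordPolicy {
    param(
        [string]$Name       = 'PSO-Tier0-Admins',
        [string]$Subject    = 'Tier0-Admins',
        [int]   $Precedence = 10    # lowest number wins when several PSOs apply to one user
    )
    # Step 1: create the Password Settings Object. All ten settings are mandatory
    # on a PSO, so each one is set explicitly rather than inherited.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -MinPasswordLength 14 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 42) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true

    # Step 2: apply it. The cmdlet resolves the group name to its DN and writes
    # that DN into the PSO's msDS-PSOAppliesTo attribute.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Subject
}

function Get-EffectivePasswordPolicy {
    param([string]$User)
    # Resultant policy: a user matched by no PSO (directly or via a group) falls
    # back to the Default Domain Policy, and the cmdlet returns nothing.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
    } else {
        "$User is governed by the Default Domain Policy (no PSO applies)"
    }
}

# Usage:
New-AdminPasswordPolicy
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo
Get-EffectivePasswordPolicy -User 'alice'
```

Checking the resultant policy matters because PSOs do not merge: when a user is covered by several, only the one with the lowest precedence value applies, and a user in no PSO silently keeps the domain defaults.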

Page 14: Windows Server 2008 Server Core

- Can install 2008 in two ways:
  - a full installation with the full GUI and all available software services
  - a minimal installation supporting a command line interface
- Smaller target, less patching
- Roles available on Server Core: AD DS, AD LDS, DNS, DHCP, File Server, Hyper-V, Windows Media Services, Print Management

Page 15: Running a DC on Server Core

- Most secure way of running a DC
- Can run most MMC tools remotely against Server Core
- No, PowerShell doesn’t work
- Need to learn certain command line tools:
  - NETSH – configure network settings
  - NETDOM – rename computer / join domain
  - SLMGR – Software Licensing Manager
  - OCLIST – list the available roles/features
  - OCSETUP – install the DNS role
  - DCPROMO – turn into a DC using an answer file

Page 16: AD DS Auditing

- Previously only audited which attribute changed
- Now the audit information includes the previous and new values
- Now subdivided into four areas:
  - DS access
  - DS changes
  - DS replication
  - DS detailed replication

Page 17: AD DS Auditing (event IDs)

- 5136 – Successful modification to an attribute
- 5137 – New object is created in the directory
- 5138 – Object is undeleted in the directory
- 5139 – Object is moved in the directory

Page 18: AD DS Auditing (enabling)

- Not turned on by default
- Enable in the Default Domain Policy GPO
- Enable in the object’s SACL
- Can disable auditing within an attribute’s schema definition to fine-tune the audit collection (set bit 9 of the attribute’s searchFlags property)
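The three pages above describe a procedure: turn on the DS Changes subcategory, put a SACL on the objects of interest, then read the 5136-5139 events. The block below is an added example that is not part of the presentation and does all three, including a parser for the event XML that turns the %%14674/%%14675 operation codes into readable added/deleted values. It assumes the ActiveDirectory module, the domain DN DC=corp,DC=example,DC=test, an OU named Tier0, and a constructed sample 5136 event so the parser can be exercised offline; all of these are assumptions.

```powershell
# Added example (not from the slides). Assumes the ActiveDirectory module,
# domain DC=corp,DC=example,DC=test and an OU called Tier0.
Import-Module ActiveDirectory

function Enable-DSChangeAuditing {
    # Subcategory-level policy (the four areas on page 16). auditpol configures
    # the DC it runs on, so repeat this on every DC or push it from a GPO.
    auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
}

function Add-DSChangeAudit {
    param([string]$OuDN = 'OU=Tier0,DC=corp,DC=example,DC=test')
    # SACL entry: audit successful writes, creates and deletes by anyone, on the
    # OU and everything below it. Reading/writing a SACL needs SeSecurityPrivilege
    # and the Sacl mask must be requested explicitly.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDN")
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner, Group, Dacl, Sacl'
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $entry.ObjectSecurity.AddAuditRule($rule)
    $entry.CommitChanges()
}

function Get-NeverAuditedAttributes {
    # Page 18: searchFlags bit 9 (0x100 = 256, NEVER_AUDIT_VALUE) suppresses value
    # auditing for an attribute. Listing them shows what the 5136 stream will miss.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=256)' `
        -Properties lDAPDisplayName | Select-Object -ExpandProperty lDAPDisplayName
}

# Constructed sample of a 5136 event, in the shape Get-WinEvent's .ToXml() returns
$sample5136 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5136</EventID><TimeCreated SystemTime="2015-03-26T10:15:00.000Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=test</Data>
    <Data Name="ObjectClass">group</Data>
    <Data Name="AttributeLDAPDisplayName">member</Data>
    <Data Name="AttributeValue">CN=bob,OU=Tier0,DC=corp,DC=example,DC=test</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

function ConvertFrom-DSChangeEventXml {
    param([string]$Xml)
    $x = [xml]$Xml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 5136 carries one value per event: %%14674 = value added, %%14675 = value deleted.
    # 5137/5138/5139 have no attribute fields, so those come back empty.
    $op = switch ($data['OperationType']) {
        '%%14674' { 'Added' }
        '%%14675' { 'Deleted' }
        default   { $data['OperationType'] }
    }
    [pscustomobject]@{
        EventId   = [int]"$($x.Event.System.EventID)"
        Time      = $x.Event.System.TimeCreated.SystemTime
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object    = $data['ObjectDN']
        Class     = $data['ObjectClass']
        Attribute = $data['AttributeLDAPDisplayName']
        Value     = $data['AttributeValue']
        Operation = $op
    }
}

function Get-DSChangeEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139
                                     StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { ConvertFrom-DSChangeEventXml $_.ToXml() }
}

# Usage: parse the constructed sample offline, then the real log on a DC
ConvertFrom-DSChangeEventXml $sample5136 | Format-List
# Enable-DSChangeAuditing; Add-DSChangeAudit; Get-DSChangeEvents -Hours 24 | Format-Table
```

A membership change to a privileged group shows up as a pair of 5136 events (one %%14675 for the old value and one %%14674 for the new), which is exactly the before/after detail that the 2003-era auditing described on page 16 did not record.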

Page 19: DNS Changes

- Support for IPv6
- Support for AD-integrated zones on an RODC
- Background loading
- GlobalZone (GlobalNames zone)
- Link Local Multicast Name Resolution (LLMNR)

Page 20: New Management Features

- Restartable Active Directory
  - AD DS is a separate service from LSA
  - A DC with a stopped AD DS service is equivalent to a member server
- Accidental OU deletion check
- Shadow Copy backup
- Mountable database
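The mountable database and restartable AD DS are mostly used together for forensics: a Shadow Copy snapshot of the directory is mounted read-only on a spare LDAP port with dsamain, and the live directory is compared against it. The block below is an added example that is not part of the presentation. It assumes a snapshot already mounted and served on port 50000 of the DC it runs on (the ntdsutil/dsamain commands are shown as comments with a placeholder mount path), the domain DN DC=corp,DC=example,DC=test and the group Domain Admins; all are assumptions.

```powershell
# Added example (not from the slides). Assumes a snapshot served by dsamain on
# localhost:50000 and the domain DC=corp,DC=example,DC=test.
#
# Creating and exposing the snapshot (run on the DC, elevated):
#   ntdsutil "activate instance ntds" snapshot create quit quit
#   ntdsutil snapshot "list all" "mount 1" quit quit
#   dsamain /dbpath "<snapshot mount path>\Windows\NTDS\ntds.dit" /ldapport 50000

function Get-GroupMembers {
    param([string]$GroupDN, [string]$Server = 'localhost', [int]$Port = 389)
    # Plain ADSI bind with host:port, so the same code reads the live directory
    # on 389 and the mounted snapshot on 50000.
    $group = [ADSI]"LDAP://${Server}:${Port}/$GroupDN"
    @($group.member) | Sort-Object
}

function Compare-GroupMembership {
    param(
        [string]$GroupDN      = 'CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=test',
        [int]   $SnapshotPort = 50000
    )
    $then = Get-GroupMembers -GroupDN $GroupDN -Port $SnapshotPort
    $now  = Get-GroupMembers -GroupDN $GroupDN
    foreach ($diff in Compare-Object -ReferenceObject $then -DifferenceObject $now) {
        if ($diff.SideIndicator -eq '=>') { $change = 'Added since snapshot' }
        else                               { $change = 'Removed since snapshot' }
        [pscustomobject]@{ Member = $diff.InputObject; Change = $change }
    }
}

function Restart-ADDSService {
    # Restartable AD DS (page 20): while NTDS is stopped the DC answers like a
    # member server, which is what allows offline database work without a reboot.
    # -Force also stops the dependent services (KDC, DNS, etc.).
    Stop-Service NTDS -Force
    Start-Service NTDS
}

# Usage:
Compare-GroupMembership | Format-Table -AutoSize
```

An empty result means the privileged group is unchanged since the snapshot; anything marked "Added since snapshot" that nobody can account for is the starting point for the 5136 audit trail on page 17.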

Page 21: AD Lightweight Directory Services

- Previously introduced as ADAM
- Provides an LDAP-accessible DS
- Removes all other AD DS features:
  - No Kerberos authentication
  - No forests, domains, DCs, GCs
  - No dependency on DNS
  - No site topology
  - No group policies

Page 22: AD LDS Scenarios

Uses for AD LDS:
- Whitepages
- Consolidation store
- Web authentication service via LDAP

Page 23: AD LDS Instances

- Each AD LDS server can host multiple directory stores (i.e. instances)
- Within each instance:
  - Schema partition
  - Configuration partition
  - Zero or more application partitions

Page 24: AD LDS Replication

Supports multimaster replication through configuration sets

Page 25: Active Directory Federation Services

AD FS is a service that allows for the creation of federated relationships between organizations for web application authentication

Page 26: Security Token Service

- A service that takes a recognized token and issues another token
- Federations are a form of STS
- AD FS provides a web authentication cookie when an AD authentication token is presented

Page 27: AD Certificate Services

- Not significantly different from CS in 2003
- Provides certificate issuance/revocation services as well as the CA service
- New items:
  - Online Responder service via Online Certificate Status Protocol (OCSP)
  - Network Device Enrollment via Simple Certificate Enrollment Protocol (SCEP)

Page 28: AD Rights Management Services

- Updated version of RMS
- Management of information usage
- Supported by Office 2003, 2007 and SharePoint

Page 29: Thank You!