
Active Directory

What's New in Windows Server 2008 AD?

Steve Clines

Agenda
1. Active Directory Overview
2. Active Directory Domain Services
3. Active Directory LDS
4. Active Directory Federation Services
5. Active Directory Certificate Services
6. Active Directory RMS

The AD Umbrella (diagram): Domain Services, Federation Services, LDS, Certificate Services, RMS

AD at a Glance

- AD DS: Provides directory-based authentication/authorization services in support of Microsoft-based networked services and applications
- AD LDS: Provides an LDAP-accessible directory service that supports identity management scenarios
- AD FS: Provides federation services supporting single sign-on to web applications
- AD CS: Provides PKI certificate issuance, management, and revocation services
- AD RMS: Provides a solution to secure how users utilize content (e.g. Office documents)

What's new in AD DS?

- Read-only Domain Controllers
- Fine-grained Password Policies
- Windows Server 2008 Server Core
- DNS Updates
- New management functionality

Read-only Domain Controllers


Problems with normal DCs
- Didn't work well in branch offices
- Must be physically secured
- No administrative delegation

RODCs to the rescue
- Read-only replica of the AD partitions
- Allows for replication from a R/W DC
- No caching of the domain krbtgt password
- No caching of user passwords by default

RODC Functionality (diagram): normal AD replication flows from the Main Office (writable DC) to the Branch Office (RODC); the RODC reads but does not write.

RODC Prerequisites
- PDC emulator role holder must be running Windows Server 2008
- The replication partner of the RODC must run Windows Server 2008
- Windows Server 2003 native mode or higher
- Run ADPREP /RODCPREP on the existing forest (if not native 2008)
- No writeable DC in the same domain/site as the RODC

RODC Admin Separation


- Can specify RODC administrators at DCPROMO time
- Use the DSMGMT command line tool to specify delegated administrators afterwards

RODC Credential Caching


- Passwords are not cached by default
- Controlled with the Password Replication Policy
- Can be set at RODC install time or afterwards
- Cached passwords can be reset if the RODC becomes compromised
- Demo

Filtered RODC Replication


- Control over which attributes should not be replicated to an RODC for security reasons
- Forest level
- Configured in the schema
- Works best in a 2008 native forest, as 2003 DCs do not know about the filtered set

RODC DNS Impacts


- Any AD-integrated DNS zone on an RODC is read-only
- Does not auto-register itself with NS records
- Clients therefore can't register new records on an RODC DNS server
- RODC DNS issues a referral to a writeable DNS server
- RODC DNS then pulls down the new record

Fine-grained Password Policy


- Previously, password and account lockout policy could only be set by the Default Domain Policy GPO
- Can be applied to security groups and/or individual users
- Steps to implementing:
  1. Create a Password Settings Object (PSO)
  2. Apply the PSO to objects via DN
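An added example, not from the deck, that produces the LDIF for the two steps above: a PSO under the Password Settings Container whose durations are encoded as AD's negative 100-nanosecond I8 intervals, linked to its targets through msDS-PSOAppliesTo. The domain DN, policy values and target group are constructed.

```python
from dataclasses import dataclass, field

# Constructed values; the domain DN and target group below are hypothetical.
PSO_CONTAINER = "CN=Password Settings Container,CN=System"

def i8_interval(days=0, hours=0, minutes=0):
    """AD stores PSO durations as negative 100-nanosecond intervals (I8)."""
    seconds = days * 86400 + hours * 3600 + minutes * 60
    return -int(seconds * 10_000_000)

@dataclass
class PasswordSettings:
    name: str
    precedence: int          # lower value wins when several PSOs apply to a user
    min_length: int
    history_length: int
    complexity: bool
    max_age_days: int
    min_age_days: int
    lockout_threshold: int
    lockout_window_min: int
    lockout_duration_min: int
    applies_to: list = field(default_factory=list)  # DNs of groups or users

def pso_ldif(ps, domain_dn):
    """LDIF 'add' record for the PSO (step 1) including its msDS-PSOAppliesTo
    links to the target DNs (step 2)."""
    dn = f"CN={ps.name},{PSO_CONTAINER},{domain_dn}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {ps.precedence}",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-PasswordHistoryLength: {ps.history_length}",
        f"msDS-PasswordComplexityEnabled: {'TRUE' if ps.complexity else 'FALSE'}",
        f"msDS-MinimumPasswordLength: {ps.min_length}",
        f"msDS-MinimumPasswordAge: {i8_interval(days=ps.min_age_days)}",
        f"msDS-MaximumPasswordAge: {i8_interval(days=ps.max_age_days)}",
        f"msDS-LockoutThreshold: {ps.lockout_threshold}",
        f"msDS-LockoutObservationWindow: {i8_interval(minutes=ps.lockout_window_min)}",
        f"msDS-LockoutDuration: {i8_interval(minutes=ps.lockout_duration_min)}",
    ]
    lines += [f"msDS-PSOAppliesTo: {target}" for target in ps.applies_to]
    return "\n".join(lines) + "\n"

# Constructed policy: 15-char minimum, 42-day maximum age, lockout after 5 tries
ADMIN_PSO = PasswordSettings("AdminPSO", 10, 15, 24, True, 42, 1, 5, 30, 30,
                             ["CN=Domain Admins,CN=Users,DC=example,DC=test"])
```

The resulting file is imported with ldifde -i -f pso.ldf against a 2008 DC.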

Windows Server 2008 Server Core

Can install 2008 in two ways
- A full installation with full GUI and all available software services
- A minimal installation supporting a command line interface

Roles available on Server Core: AD DS, AD LDS, DNS, DHCP, File Server, Hyper-V, Windows Media Services, Print Management

Smaller target, less patching

Running a DC on Server Core


- Most secure way of running a DC
- Can run most MMC tools remotely against Server Core
- No, PowerShell doesn't work
- Need to learn certain command line tools

- NETSH: configure network settings
- NETDOM: rename computer / join domain
- SLMGR: Software Licensing Manager
- OCLIST: list the available roles/features
- OCSETUP: install the DNS role
- DCPROMO: turn into a DC using an answer file

AD DS Auditing
- Previously audited only which attribute changed
- Now audit information includes the previous and new values
- Now subdivided into four areas:
  - DS Access
  - DS Changes
  - DS Replication
  - DS Detailed Replication

AD DS Auditing
- 5136: Successful modification of an attribute
- 5137: New object created in the directory
- 5138: Object undeleted in the directory
- 5139: Object moved in the directory

AD DS Auditing
Not turned on by default
- Enable in the Default Domain Policy GPO
- Enable in the object's SACL

Can disable auditing within an attribute's schema definition to fine-tune audit collection (bit 9 in the searchFlags property set)
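An added example, not from the deck, of working the "previous and new values" point from the auditing slides: a 5136 modification of a single-valued attribute is logged as two events (Value Deleted, then Value Added) that share a Correlation ID, and the code joins them into one before/after record and flags changes to watched attributes. SAMPLE_EVENTS is constructed, not real audit data; its field names follow the 5136 message sections.

```python
# Added example: correlate Directory Service Changes events (5136) into
# before/after records. SAMPLE_EVENTS is constructed, not captured data.
WATCHED_ATTRIBUTES = {"member", "userAccountControl", "servicePrincipalName"}
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION",
             0x400000: "DONT_REQ_PREAUTH"}

SVC = "CN=svc-backup,OU=Service,DC=example,DC=test"
SAMPLE_EVENTS = [  # one attribute replace (two events, one Correlation ID), one group add
    {"EventID": 5136, "Correlation ID": "{c1}", "Account Name": "alice", "DN": SVC,
     "LDAP Display Name": "userAccountControl", "Type": "Value Deleted", "Value": "512"},
    {"EventID": 5136, "Correlation ID": "{c1}", "Account Name": "alice", "DN": SVC,
     "LDAP Display Name": "userAccountControl", "Type": "Value Added", "Value": "66048"},
    {"EventID": 5136, "Correlation ID": "{c2}", "Account Name": "alice",
     "DN": "CN=Domain Admins,CN=Users,DC=example,DC=test",
     "LDAP Display Name": "member", "Type": "Value Added", "Value": SVC},
]

def pair_modifications(events):
    """One record per (Correlation ID, DN, attribute) holding old and new value."""
    changes = {}
    for ev in events:
        if ev["EventID"] != 5136:
            continue
        key = (ev["Correlation ID"], ev["DN"], ev["LDAP Display Name"])
        rec = changes.setdefault(key, {"dn": ev["DN"], "attribute": key[2],
                                       "actor": ev["Account Name"],
                                       "old": None, "new": None})
        rec["old" if ev["Type"] == "Value Deleted" else "new"] = ev["Value"]
    return list(changes.values())

def uac_delta(old, new):
    """userAccountControl flags set and cleared between two values."""
    o, n = int(old or 0), int(new or 0)
    added = [name for bit, name in UAC_FLAGS.items() if n & bit and not o & bit]
    removed = [name for bit, name in UAC_FLAGS.items() if o & bit and not n & bit]
    return added, removed

def sensitive_changes(events):
    """Watched-attribute changes; UAC values are decoded into flag names."""
    out = []
    for c in pair_modifications(events):
        if c["attribute"] not in WATCHED_ATTRIBUTES:
            continue
        if c["attribute"] == "userAccountControl":
            c["flags_added"], c["flags_removed"] = uac_delta(c["old"], c["new"])
        out.append(c)
    return out
```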

DNS Changes
- Support for IPv6
- Support for AD-integrated zones on an RODC
- Background loading
- GlobalZone
- Link Local Multicast Name Resolution (LLMNR)

New Management Features


Restartable Active Directory
- AD DS is a separate service from LSA
- A DC with a stopped AD service is equivalent to a member server

Other new management features
- Accidental OU deletion check
- Shadow Copy backup
- Mountable database

AD Lightweight Directory Services
- Previously introduced as ADAM
- Provides an LDAP-accessible DS
- Removes all other AD DS features:
  - No Kerberos authentication
  - No forests, domains, DCs, GCs
  - No dependency on DNS
  - No site topology
  - No group policies

AD LDS Scenarios
Uses for AD LDS

- Whitepages
- Consolidation store
- Web authentication service via LDAP

AD LDS Instances
Each AD LDS server can host multiple directory stores (i.e. instances). Within each instance:
- Schema partition
- Configuration partition
- Zero or more application partitions

AD LDS Replication
Supports multimaster replication through configuration sets

Active Directory Federation Services

AD FS is a service that allows for the creation of federated relationships between organizations for web application authentication

Security Token Service


- A service that takes a recognized token and issues another token
- Federations are a form of STS
- AD FS provides a web authentication cookie when an AD authentication token is presented

AD Certificate Services
- Not significantly different from CS in 2003
- Provides certificate issuance/revocation services as well as the CA service
- New items:

- Online Responder Service via the Online Certificate Status Protocol (OCSP)
- Network Device Enrollment via the Simple Certificate Enrollment Protocol (SCEP)

AD Rights Management Services
- Updated version of RMS
- Management of information usage
- Supported by Office 2003, 2007 and SharePoint

Thank You!
