Mark Minasi What’S New In Active Directory For Windows 7 Server 2008 R2
1. What's New in Active Directory
for Windows Server 2008 R2
Presented by Mark Minasi
help@minasi.com
forum, seminars at www.minasi.com
copyright 2009 Mark Minasi
2. Topics
• 70+ PowerShell cmdlets
• AD Web Service
• AD Recycle Bin
• New DFL/FFL
• AD "optional feature" architecture change
• Offline Domain Join
• Managed Service Accounts
• Best Practices Analyzer
• AD Admin Center
• Authentication Mechanism Assurance
3. AD Gets PowerShell
why? many separate tools to create/manipulate things
• Over 70 cmdlets mean you can easily learn how to create "objects" (single users, OUs, groups etc); example:
• New-ADUser -SamAccountName Joe -Name "Joe" -AccountPassword (ConvertTo-SecureString -AsPlainText "Pasw0rd" -Force) -Enabled $true -Path 'cn=users,DC=bigfirm,DC=com'
• (Typing the password on the command line is fine for a demo; in a script, prompt for it with Read-Host -AsSecureString instead of hard-coding it, because the command line ends up in the shell history)
4. AD Gets PowerShell
getting it
• Easiest way is to use the "Active Directory Module for Windows PowerShell" shortcut in Administrative Tools to get a PS prompt with the AD cmdlets already loaded
– the plain PowerShell shortcut on the Taskbar doesn't load that AD stuff
• Or start PowerShell 2.0 and type Import-Module ActiveDirectory
• Also will ship with RSAT to run on Vista and Win 7
5. AD Gets PowerShell
more details
• Cmdlets to create, delete, filter and modify AD objects
• None for working with subnets and sites, unfortunately, and setting AD permissions is dicey
• The cmdlets don't talk LDAP or RPC to the DC; instead they send their requests to ADWS ("AD Web Service"), a new interface
6. AD Gets PowerShell
why? automation possibilities
• PowerShell allows you to build more complex
scripts on the order of complete applications
• PS 2.0 lets you build scripts with GUI
interfaces
• PS 2.0 lets you control remote systems
• PS is easier to learn than most command-line
interfaces you've met because of its regularity
in naming conventions
7. AD Gets PowerShell
why? pipeline makes automation easy
• Pipeline means you can stick commands
together to (1) operate on many objects and
(2) use filters to select which objects to
operate upon
• The idea is like this:
• [list all user accounts]|[filter to keep only the
disabled accounts] | [delete accounts]
8. AD Gets PowerShell
how this will work (1)
[diagram: get-aduser asks the AD Web Service ("all users please!"), which queries Active Directory; the results go into The Pipeline]
9. AD Gets PowerShell
how this will work (2)
[diagram: the "where" command takes The Pipeline, applies the criterion "only disabled users!", and passes the survivors on down The Pipeline]
10. AD Gets PowerShell
how this will work (3)
[diagram: Remove-ADUser takes the filtered Pipeline; "I'll explain this soon… but it's some good news!"]
11. AD Gets PowerShell
Really? It's that easy?
• Not exactly, and there are lots of ways to do this, but here's one generic (but longer than necessary) approach:
• get-aduser -filter 'samaccountname -like "*"' | where {-not $_.enabled} | remove-aduser -whatif
• Let's pick it apart:
• (1) the get-aduser produces a list of all user accounts
12. AD Gets PowerShell
step two: winnow out just the disabled user accts
• (2) The "|" is the "pipeline" symbol; it means, "take the output of the command on the left and stuff it into the command on the right"
• The command on the right is "where," and its job is to (a) take whatever you give it and (b) some criterion, and produce a smaller set of output winnowed from the input based on that criterion… put simply, it's a filter, and this one only lets disabled accounts through
• "$_" means "what's currently in the pipeline," and so $_.enabled is the value of "enabled" (true or false) on whatever object's in the pipeline
13. AD Gets PowerShell
(reference only): side note
• I'm using the first two commands (get-aduser and where) to illustrate a generic approach to getting a big whack of data and filtering out most of it
• In fact, though, "where" isn't necessary, as get-aduser has its own built-in "-filter" option
• I could have used that and saved a command, but many PS cmdlets do not have a -filter option, and so making you depend on a built-in -filter option seemed a bad idea – but if it's there, -filter is faster than piping to "where," because the filtering happens on the DC instead of after every object has crossed the wire
14. AD Gets PowerShell
step three: delete those user accounts (but not really)
• (3) Again we've got a pipeline command, and the list of user accounts that made it through the "where" filter is given to the last command, "remove-aduser"
• As you'd guess, remove-aduser deletes accounts
• I added "-whatif" because it says, "don't really do this; just show what would happen if you did"; it's great for testing
15. AD Gets PowerShell
the point of all this
• That example provided a blueprint for the many, many times you'll want to say, "take all of the users (or machines, OUs etc) in my domain that meet X criteria and do Y to them," and what we've seen here will work for all of that
• The only hard part now is in figuring out how to describe X (e.g. "{-not $_.enabled}"), and what command will do Y (e.g. "remove-aduser")
16. AD Gets PowerShell
a warning and more info
• Again, "where" is less efficient than "-filter"
• Search "active directory module for windows powershell cookbook" for tons of examples on MSDN
• Online help:
– get-help <command> [-detailed] [-examples]
• PS for AD is a time-saver… start learning it
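The "take all users meeting X and do Y" blueprint from the previous slides, rewritten to use Get-ADUser's server-side -Filter instead of piping to where, scoped to one OU, and with the candidate list written to disk before anything is removed. This is an added example, not code from the deck; the domain bigfirm.com, the OU OU=Staff,DC=bigfirm,DC=com, the CSV path and the 90-day threshold are placeholders, and it assumes the AD module (RSAT) is installed.

```powershell
# Added example (not from the deck). Assumptions: domain bigfirm.com, OU=Staff and the
# report path are placeholders; the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-StaleDisabledUsers {
    param(
        [string] $SearchBase      = 'OU=Staff,DC=bigfirm,DC=com',
        [int]    $DisabledForDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$DisabledForDays)

    # Both conditions are evaluated on the DC (via ADWS): only matching users cross the wire.
    # $cutoff is expanded inside the filter block; $_ would not be.
    Get-ADUser -SearchBase $SearchBase `
        -Filter { Enabled -eq $false -and whenChanged -lt $cutoff } `
        -Properties whenChanged, LastLogonDate, Description
}

function Remove-StaleDisabledUsers {
    param(
        [string] $SearchBase      = 'OU=Staff,DC=bigfirm,DC=com',
        [int]    $DisabledForDays = 90,
        [string] $ReportPath      = "C:\Temp\stale-users-$(Get-Date -Format yyyyMMdd).csv",
        [switch] $Commit
    )
    $stale = @(Get-StaleDisabledUsers -SearchBase $SearchBase -DisabledForDays $DisabledForDays)

    # Record exactly what was selected (DN, SID, dates) before touching anything,
    # so a mistaken deletion can at least be traced and the SID looked up in ACLs.
    $stale |
        Select-Object DistinguishedName, SamAccountName, SID, whenChanged, LastLogonDate, Description |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "$($stale.Count) candidate(s) written to $ReportPath"

    if ($Commit) {
        $stale | Remove-ADUser -Confirm:$false
    } else {
        $stale | Remove-ADUser -WhatIf       # dry run is the default
    }
    $stale
}

# Dry run first; review the CSV (shared and service accounts hide among "disabled" users),
# then re-run with -Commit.
Remove-StaleDisabledUsers
```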
17. AD Gets PowerShell
the AD provider
• set-location "AD:\dc=bigfirm,dc=com"
• Makes your command prompt show not your current folder on the file system, but instead a location in the AD; responds to CD like the file system:
– sl "AD:\dc=bigfirm,dc=com"
– md "ou=test"
– cd "ou=test"
18. AD Gets PowerShell
more AD provider examples
• cd .. (backs up one level)
• rd "ou=test"
• dir -Filter 'objectClass -eq "organizationalUnit"' (lists all child objects that are OUs; the provider's -Filter takes the same expression syntax as the cmdlets' -Filter)
• dir cn=users -Name (only shows names)
• There are move, copy, erase etc commands
19. AD Web Service
powershell's replacement for ldap
• Recall my note that PowerShell doesn't communicate with AD via LDAP or ADSI; it uses something called the "AD Web Service"
• My first thought was, "Oh, no… another protocol to secure? More ports to worry about?"
• When examined more closely, though, it seems to be a potentially good thing
20. AD Web Service
why a web service?
• Reason #1: Web services are here to stay
• Lots of other programming platforms use a
web services model and – the important part
– there are lots of programming tools, which
means we'll see more AD apps w/web services
21. AD Web Service
why a web service?
• Reason #2: it's a new protocol
• On the WMI side, we're seeing RPC being
slowly replaced by winrm, another Web
services-based protocol
– modern protocols tend to be more secure
– standards-based
– platform-independent
22. AD Web Service
details
• DC listens on TCP port 9389
• Every 2008 R2 DC runs ADWS (the "Active Directory Web Services" service)
• Needed for PowerShell and some other new AD items
• This does not mean that you have to run IIS on your DC, nor need you open port 80 (WinRM, which is another story, listens on 5985/5986 by default on 2008 R2)
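A quick check that every DC is really offering ADWS, that is, the service is running and TCP 9389 is reachable from the machine where you run the AD cmdlets (a DC with the service stopped or a firewall blocking 9389 is the usual reason the cmdlets fail with "Unable to find a default server"). Added example, not from the deck; it assumes a domain member with the AD module, and the 3-second timeout is an arbitrary choice.

```powershell
# Added example (not from the deck). Assumes the ActiveDirectory module is loaded and
# the caller can reach the DCs; the timeout value is arbitrary.
Import-Module ActiveDirectory

function Test-ADWSEndpoint {
    param([string] $ComputerName, [int] $Port = 9389, [int] $TimeoutMs = 3000)
    # Plain TCP connect with a timeout: no PS 2.0 cmdlet does this, so use .NET directly.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ADWSStatus {
    # Get-ADDomainController itself needs ADWS on at least one DC; once that works,
    # enumerate all of them and check each individually.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $svc = Get-WmiObject Win32_Service -ComputerName $dc.HostName `
                   -Filter "Name='ADWS'" -ErrorAction SilentlyContinue
        if ($svc) { $state = $svc.State } else { $state = 'service not present' }  # pre-R2 DCs have no ADWS
        $open = Test-ADWSEndpoint -ComputerName $dc.HostName

        New-Object PSObject -Property @{
            DC          = $dc.HostName
            OSVersion   = $dc.OperatingSystem
            ADWSService = $state
            Port9389    = $open
        }
    }
}

Get-ADWSStatus | Format-Table DC, OSVersion, ADWSService, Port9389 -AutoSize
```

A DC that reports ADWSService = Running but Port9389 = False is reachable for LDAP but not for the cmdlets; look at the host firewall or any firewall between you and that DC.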
24. AD Admin Center (ADAC)
• New GUI tool aimed at the same sorts of things that AD Users and Computers (ADUC) does
• Actually a PowerShell 2.0 GUI application… under the hood, when you click a button, ADAC generates and executes PowerShell AD commands
25. AD Admin Center (ADAC)
what you'll like
• "Navigation Nodes" let you administer multiple forests, domains, OUs etc simultaneously
• Global search lets you search multiple "nodes" simultaneously, and it does the search on the server
• Local queries do client-side filtering and let you build a query with the GUI and get back the LDAP equivalent of the query
26. AD Admin Center (ADAC)
what you'll like
• ADUC's heavily tabbed interface replaced with
a somewhat crisper (albeit a bit slower)
interface
27. AD Admin Center (ADAC)
what they didn't get to
• ADAC's plan was to include "reflectivity," a notion whereby when you click a button to get something done, it would show you what PowerShell command would do the same thing from the command line
• It'd be sort of a launching pad for writing procedures, batch files and the like
• Didn't make it in this one
28. AD Recycle Bin
• We all make mistakes, and some of us have experienced the "oops!" feeling once we realize we've deleted an AD object
• Authoritative restores and tombstone reanimation can bring back dead things, but they're cumbersome or require third-party tools
• 2008 R2 brings an undelete ability for AD objects
29. 2008 R2 DFL/FFL, Optional Features
• AD Recycle Bin requires that your forest be in 2008 R2 Forest Functional Level…
• Yup, that's right, we've got a new DFL/FFL
• AD Recycle Bin needs that… but it needs more as well
• R2 inaugurates a new aspect of AD, "optional features" – the idea is that if you don't use a feature, why enlarge the schema for something you don't use?
30. Enabling AD Recycle Bin
• AD Recycle Bin is optional, so turn it on…
• Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=bigfirm,DC=com' -Scope ForestOrConfigurationSet -Target 'bigfirm.com'
• Change DC=bigfirm,DC=com and bigfirm.com to match your forest's name; you need only run the above command once, and it is one-way: once enabled, the Recycle Bin cannot be turned off again
• Verify with Get-ADOptionalFeature -Filter * (the EnabledScopes property lists the forest once it's on)
• Note that as I write this (beta 1), the help is way off about single quotes – only use this: ' not this: `
31. Enabling AD Recycle Bin
Objects deleted before you enable this feature cannot be
undeleted with the Recycle Bin, even if you were in 2008 R2 FFL!
32. AD Recycle Bin
making it work
• I knew this would be the most popular R2 AD feature, but I covered PowerShell first because, well, you can only get to it with PowerShell
• The command to restore a deleted AD object is "restore-adobject"
• The problem is in specifying the LDAP distinguished name (DN) of the user
33. AD Recycle Bin
making it work
• Simple DN for a user "jane" in a domain "bigfirm.com": "CN=Jane,CN=Users,DC=bigfirm,DC=com"
• DN after jane's deleted: "CN=jane\0ADEL:ce076811-4a8b-49bb-b332-9695ed786ba6,CN=Deleted Objects,DC=bigfirm,DC=com" (the RDN gets the object's GUID appended and the object moves to the Deleted Objects container)
• Now, we could undelete jane by giving restore-adobject that entire DN… but how to find it?
• Answer: get-adobject
34. AD Recycle Bin
making it work
• Put them together:
• get-adobject -filter {samaccountname -eq "jane"} -includedeletedobjects | restore-adobject
• This will restore Jane; replacing -eq "jane" with -like "*" would undelete every deleted object that has a samaccountname – including ones deleted on purpose – so narrow the filter before you pipe into restore-adobject
35. AD Recycle Bin
details
• A deleted object stays restorable for the "deleted object lifetime" (msDS-DeletedObjectLifetime, which defaults to the tombstone lifetime: 180 days in a forest created with 2003 SP1 or later); after that it becomes a "recycled" object, which cannot be restored, for the tombstone lifetime (another 180 days by default), and is then finally garbage-collected from AD
• You can only undelete an object if its container is not deleted; for example, if I deleted an OU and its users, I'd have to undelete the OU before I could undelete its users
36. AD Recycle Bin
details
• There isn't a -recurse switch on Restore-ADObject; thus, if I deleted an OU that contained users and OUs, which contained users and OUs etc, then I'd have to hand-undelete the tree from the top down
• Microsoft intends to write a PowerShell script to solve this by RTM
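One way to do that top-down undelete yourself, since Restore-ADObject has no -recurse: find the deleted OU, restore it, then restore everything whose lastKnownParent points at it, recursing into child OUs so that each container exists before its children are restored. This is an added example, not the deck's code and not Microsoft's script; it assumes the Recycle Bin is enabled, that you have rights to restore, that the deleted OU's own parent still exists, and the OU name "Sales" at the bottom is a placeholder.

```powershell
# Added example (not from the deck). Assumptions: AD Recycle Bin enabled, rights to
# restore, the OU's parent still exists; "Sales" is a placeholder name.
Import-Module ActiveDirectory

function Restore-ADDeletedTree {
    param(
        [Parameter(Mandatory=$true)] [string] $OUName,
        [string] $DomainDn = (Get-ADDomain).DistinguishedName,
        [switch] $WhatIf
    )
    $deletedContainer = "CN=Deleted Objects,$DomainDn"

    # Pull every restorable object once; matching on lastKnownParent is then done in memory,
    # which avoids escaping mangled "\0ADEL:" DNs inside LDAP filters. Recycled objects
    # (past the deleted-object lifetime) are excluded: Restore-ADObject would fail on them.
    $deleted = @(Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and isRecycled -ne $true -and name -ne 'Deleted Objects' } `
        -Properties lastKnownParent, 'msDS-LastKnownRDN', objectClass)

    $roots = @($deleted | Where-Object {
        $_.objectClass -eq 'organizationalUnit' -and $_.'msDS-LastKnownRDN' -eq $OUName })
    if ($roots.Count -eq 0) { throw "No restorable deleted OU named '$OUName' in $deletedContainer" }
    if ($roots.Count -gt 1) { throw "Several deleted OUs named '$OUName'; restore by ObjectGUID instead" }

    $restored = New-Object 'System.Collections.Generic.List[string]'

    function Restore-Node($node, $liveParentDn) {
        $deletedDn = $node.DistinguishedName
        # "OU=Sales\0ADEL:<guid>,CN=Deleted Objects,..." -> "OU=Sales"
        $rdn    = $deletedDn.Substring(0, $deletedDn.IndexOf('\0ADEL:'))
        $liveDn = "$rdn,$liveParentDn"

        if ($WhatIf) { Write-Host "Would restore $deletedDn -> $liveDn" }
        else         { Restore-ADObject -Identity $node.ObjectGUID }
        $restored.Add($liveDn)

        # A child's lastKnownParent holds the parent's original DN if the child was deleted
        # earlier, or the parent's mangled deleted DN if they went together; accept both.
        $children = $deleted | Where-Object {
            $_.lastKnownParent -eq $liveDn -or $_.lastKnownParent -eq $deletedDn }
        foreach ($child in $children) { Restore-Node $child $liveDn }   # parent before child
    }

    Restore-Node $roots[0] $roots[0].lastKnownParent
    $restored      # the DNs as they are (or would be) after restoration
}

# Dry run first, then the real thing:
Restore-ADDeletedTree -OUName 'Sales' -WhatIf
# Restore-ADDeletedTree -OUName 'Sales'
```

Restoring by ObjectGUID rather than by the mangled DN sidesteps quoting problems with the backslash in "\0ADEL:"; the -WhatIf pass prints the tree it would rebuild so you can catch a wrong OU before anything changes.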
37. Offline Domain Join
• What it does:
– Lets you join a member server or workstation even if the member is not connected to the network
– You can do this either to a system that's up and running, or you can essentially "inject domain membership" into a system that's not running but has been mounted, like a non-running VHD
38. Offline Domain Join
• What it doesn't do
– You can't offline-join a "Sysprepped" system (that is, a system that you've run sysprep on – the "new" phrase is "generalized")
– Machine needs to be specialized and needs a name
39. Offline Domain Join
• How it works, step one:
– First, you run a command-line app, "djoin /provision", on a Win7-level DC/domain member
– Creates a machine account on the domain (so clearly you need the right to do this)
– Creates a bit of data written to a text file (it's binary data represented in base64, known as "the blob") that you'll need to move to the machine to be joined to the domain
40. Offline Domain Join
• How it works, step two:
– Move the text file containing the blob to the prospective domain member (must be Win 7-level)
– As local administrator, run djoin /requestODJ
– System reads the blob, writes it into the SYSTEM and SECURITY hives in the Registry, and it is now a domain member (on a running system, after the next reboot)
41. Offline Domain Join
example
• I'll join a system named "WS" to a domain named "bigfirm.com"
• To start, I open an elevated command prompt at dc1.bigfirm.com, a bigfirm DC (again, needn't be at a DC)
• type:
• djoin /provision /domain bigfirm.com /machine ws /savefile c:\wsblob.txt
42. Offline Domain Join
looking at the example command
• djoin /provision /domain bigfirm.com /machine ws /savefile c:\wsblob.txt
– /machine needs just the hostname/NetBIOS name, not an FQDN; had I typed "/machine ws.bigfirm.com," AD would have created a machine account named "ws.bigfirm.com"!
– /domain takes either bigfirm.com or bigfirm
– physically transport wsblob.txt to WS (it carries the new machine account's credential, so treat it like a password in transit)
43. Installing the Blob: 3 Scenarios
• Install it to WS while WS is up and running with the /localos option
• Apply to WS offline by
– booting the OS from some other OS
– booting an
• Build the blob into a WSIM script for Sysprep and then use that script to image a system and allow Sysprep to specialize that system
44. Offline Domain Join
scenario one: apply to running system
• Assume I've got wsblob.txt on a USB stick that I insert into WS and the stick is drive E:
• From an elevated command prompt on WS:
• djoin /requestODJ /loadfile e:\wsblob.txt /windowspath c:\windows /localos
• Significant point: djoin /requestodj really wants to noodle with a set of Registry hives that are not locked, as they are on running systems; "/localos" warns djoin that it's modifying a running, locked Registry
45. Offline Domain Join
scenario two: on an offline system
• Mount the C: drive of a specialized VHD with machine name "WS" onto some system TECHPC as, say, c:\mount\win
• Assume WS's Windows folder is \windows
• Assume I've got wsblob.txt on a USB stick that I insert into TECHPC and the stick is drive E:
• From an elevated command prompt on TECHPC:
• djoin /requestODJ /loadfile e:\wsblob.txt /windowspath c:\mount\win\windows
46. Offline Domain Join
scenario three: WSIM script
• Using WAIK 2.0 and WSIM… you need the WSIM from WAIK 2 or later!
• There's a location for offline domain join info in pass 4 (specialize)
• You insert the blob there
• Can be used for installing new systems, or as a Sysprep script
48. Offline Domain Join
scenario three: using it
• Create the blob for a machine named "ws"
• Use WSIM to create an XML answer file named "autounattend.xml" that creates a machine named "ws" with the blob value in the WSIM answer file (more details in Newsletter #60)
• Pop the autounattend.xml file on a USB stick, connect it to the new system, put the Win 7 DVD into the new system's drive, turn the system on and walk away…
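Both halves of scenarios one and two as a script, with the checks the slides only imply: refuse an FQDN for /machine, confirm the computer account exists after /provision, check djoin's exit code on both sides, and delete the blob once it has been consumed, since it carries the machine account's credential. Added example, not from the deck; the domain bigfirm.com, machine name WS, the OU and the file paths are placeholders. Run New-ODJBlob on a domain member with rights to create computer accounts, and Join-ODJBlob as local Administrator on the target (or with a mounted image's Windows folder in -WindowsPath and -Offline).

```powershell
# Added example (not from the deck). Placeholders: bigfirm.com, OU=Workstations, C:\odj,
# machine name WS. djoin.exe is the built-in Win7/2008 R2 tool.
Import-Module ActiveDirectory

function New-ODJBlob {
    param(
        [Parameter(Mandatory=$true)] [string] $MachineName,   # NetBIOS name only
        [string] $Domain    = 'bigfirm.com',
        [string] $MachineOU = 'OU=Workstations,DC=bigfirm,DC=com',
        [string] $BlobPath  = "C:\odj\$MachineName.txt"
    )
    # djoin takes /machine literally: "ws.bigfirm.com" would become the account name.
    if ($MachineName -match '\.') { throw "Use the short name; '$MachineName' would be created verbatim" }
    New-Item -ItemType Directory -Force -Path (Split-Path $BlobPath) | Out-Null

    & djoin.exe /provision /domain $Domain /machine $MachineName /machineou $MachineOU /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The account exists now; its password lives only in the blob and in AD.
    $acct = Get-ADComputer -Identity $MachineName -Properties whenCreated
    Write-Host "Created $($acct.DistinguishedName) at $($acct.whenCreated)"
    Write-Host "$BlobPath holds the machine credential (base64): protect it in transit, delete it after use."
    $BlobPath
}

function Join-ODJBlob {
    param(
        [Parameter(Mandatory=$true)] [string] $BlobPath,
        [string] $WindowsPath = $env:SystemRoot,   # e.g. C:\mount\win\windows for an offline image
        [switch] $Offline                          # mounted image: hives are not locked, so no /localos
    )
    $djoinArgs = @('/requestODJ', '/loadfile', $BlobPath, '/windowspath', $WindowsPath)
    if (-not $Offline) { $djoinArgs += '/localos' }

    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

    Remove-Item $BlobPath -Force      # the secret is in the SYSTEM/SECURITY hives now; nothing else needs it
    if (-not $Offline) { Write-Host "Reboot, then confirm with Test-ComputerSecureChannel" }
}

# Provisioning side:
# $blob = New-ODJBlob -MachineName 'WS'
# On WS, after copying the blob over on a USB stick:
# Join-ODJBlob -BlobPath 'E:\WS.txt'
# On TECHPC, against a mounted VHD:
# Join-ODJBlob -BlobPath 'E:\WS.txt' -WindowsPath 'C:\mount\win\windows' -Offline
```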
49. Managed Service Accounts
background: what problem does this solve?
• Services must run under an account, and
LocalSystem/LocalService/NetworkService can't
always do the job
• IIS, Exchange, SQL are some common examples
• In that case, techies need to create accounts to
act as service accounts
• That works fine, except for the issue of
passwords: they need regular changing or
services stop working
50. Managed Service Accounts
background: what problem does this solve?
• Basically, it's a pain to manage passwords for the user accounts that we happen to use for services
• Also, introducing new user accounts into services means having to develop expertise with setspn, a tool that basically informs Kerberos that account "A" is now the "authentication point" for network service "B"
• Additionally, you've got to be a domain admin (or be specifically granted the right to write SPNs) to modify SPNs… MSAs let you delegate this to others
51. Managed Service Accounts
answer: managed service accounts
• New class of accounts
• Sorta user accounts, sorta machine accounts (new icon)
• You:
– Create one on the domain
– "Install" it on the member server
– Configure the service so that it logs on as that account, and from there password updates etc are automatic
• Need one account per member: a 2008 R2 MSA can be installed on only one computer
52. Managed Service Accounts
password details
• 240-character passwords created
• Ignore group policies about passwords and
ignore fine-grained password policies
• Automatically handle password changes every
30 days
53. Managed Service Accounts
requirements/details
• Requires at least one 2008 R2 DC (which means a 2008 R2 schema on the forest)
• Requires AD PowerShell (and therefore AD Web Service) to create accounts
• Live in their own new container (not an OU) called "Managed Service Accounts"
54. Managed Service Accounts
create the account on the domain
• new-adserviceaccount -samaccountname svc1
• Finding info:
• get-adserviceaccount -identity svc1, or
• get-adserviceaccount -identity "cn=svc1,cn=managed service accounts,dc=bigfirm,dc=com"
• Remove with remove-adserviceaccount
• There's also a set-adserviceaccount to modify aspects of an existing AD service account
55. Managed Service Accounts
"install" the account to a service on a member
• More specifically, "service" means either a svchost.exe-hosted service or an IIS application pool
• On the member, ensure that you've got PowerShell (RSAT will provide) and the AD PowerShell module
• Introduce the AD account to the member that the service runs on:
• install-adserviceaccount -identity svc1
56. Managed Service Accounts
attach the account to a service on a member
• Verify that the account's attached to the given member with get-adserviceaccount; example:
• "get-adserviceaccount -identity svc1 -properties hostcomputers" will, when run, show
• HostComputers: {CN=s2,CN=Computers…"
which is the DN of the member server that we just joined it to – before install-adserviceaccount, the line would be blank
57. Managed Service Accounts
attach the account to a service on a member
• Now that the account's been "installed" on the member, find the service in the Services snap-in and change the account the service runs under just as we've been able to since NT 3.1 – go to Properties, choose the "Log on" tab, and fill in the account name like domain\serviceaccountname$, and leave the password blank
58. Managed Service Accounts
or use sc.exe
• sc config svc obj= domain\accountname$
• Example:
• sc config mysvc obj= bigfirm\acct3$
• REMEMBER to put a space after the equals sign!
• Again, you can alternatively use IIS Manager to associate an MSA with an IIS application pool
59. Managed Service Accounts
reviewing…
• Punch in the account as domain\username
• Put a $ at the end, as technically it's more of a machine account than a user account
• Clear out the password field
• And if you're experimenting, understand that this won't work on many built-in services; I demonstrate it on "SNMP Trap…" but I don't have any intention of using SNMP trap!
60. Managed Service Accounts
SPN management
• As mentioned, you can control who can administer SPNs rather than needing to be a domain admin
• If you rename the machine account the MSA is installed on, the SPN gets fixed automatically
• If you change its DNS host name, the SPN gets fixed automatically
61. Managed Service Accounts
forcing a password reset
• Reset-ADServiceAccountPassword -Identity <ADServiceAccount>
• Probably never need it, but just in case!
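The MSA lifecycle from the last few slides as two functions with a check at each step: create the account, install it on the member, confirm the HostComputers link and that the host can actually use the secret (Test-ADServiceAccount), then point a service at it and confirm the service really runs as domain\name$. Added example, not from the deck; the domain bigfirm.com, MSA name svc1, member server S2 and service name mysvc are placeholders, and the AD module is assumed on both the admin box and S2.

```powershell
# Added example (not from the deck). Placeholders: bigfirm, svc1, S2, mysvc.
Import-Module ActiveDirectory

# Run anywhere with the AD module and rights to the Managed Service Accounts container.
function New-MSA {
    param([Parameter(Mandatory=$true)] [string] $Name)
    New-ADServiceAccount -Name $Name -Enabled $true      # lands in CN=Managed Service Accounts
    Get-ADServiceAccount -Identity $Name -Properties HostComputers   # HostComputers is empty until installed
}

# Run on the member server (S2) that will host the service.
function Install-MSAOnThisHost {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [string] $ServiceName                      # optional: also repoint a service at the MSA
    )
    Install-ADServiceAccount -Identity $Name      # links the MSA to this computer and caches its secret locally
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "$Name installed but cannot be used from $env:COMPUTERNAME"
    }

    $msa  = Get-ADServiceAccount -Identity $Name -Properties HostComputers
    $me   = Get-ADComputer -Identity $env:COMPUTERNAME
    if ($msa.HostComputers -notcontains $me.DistinguishedName) {
        throw "$Name is not linked to $($me.DistinguishedName); a 2008 R2 MSA serves one host only"
    }
    Write-Host "HostComputers: $($msa.HostComputers -join '; ')"

    if ($ServiceName) {
        $domain  = (Get-ADDomain).NetBIOSName
        $logonAs = "$domain\$Name$"               # trailing $: it is more machine account than user
        # Only obj= is set; the password stays blank, as in the Services snap-in.
        & sc.exe config $ServiceName obj= $logonAs
        if ($LASTEXITCODE -ne 0) { throw "sc config failed with exit code $LASTEXITCODE" }

        $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
        if ($svc.StartName -ne $logonAs) { throw "$ServiceName still runs as $($svc.StartName)" }
        Restart-Service -Name $ServiceName
        (Get-Service -Name $ServiceName).Status   # Running means the SCM obtained the secret itself
    }
}

# Admin box:   New-MSA -Name 'svc1'
# On S2:       Install-MSAOnThisHost -Name 'svc1' -ServiceName 'mysvc'
```

If Restart-Service fails with a logon failure, the usual causes are that Install-ADServiceAccount was run on a different computer than the one the service lives on, or that the service is one of the built-in ones that cannot run under an MSA at all.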
62. Best Practices Analyzer
• A sort of graphical dcdiag/netdiag, a set of "sanity checks"
• Access from Server Manager: Roles / Active Directory Domain Services / in the right-hand pane, scroll down below Events and System Services
• Click "Scan This Role"
64. AD Best Practices Analyzer
• You can run this remotely now that Server Manager is remote-able
• There is a fixed set of tests that can't be changed (although MS may change them now and then via Windows Update)
• In my experience this can offer some "false positive" errors, so double-check before freaking out about a red circle with a white cross in it
65. Authentication Mechanism Assurance
• New feature for users of the current "passive" ADFS or the upcoming "active" ADFS ("Geneva")
• ADFS simplifies maintaining authentication between secure Web-based applications from completely disconnected forests, like Microsoft's SharePoint talking to HP's SharePoint
66. Authentication Mechanism Assurance
• When someone from (for example) HP signs onto a trusted (different meaning from an AD trust) Microsoft site, information about them (e.g. group memberships) gets passed to the Microsoft server
• What's new is that now it's possible for the HP server to tell the Microsoft server how the user authenticated in the first place
67. Authentication Mechanism Assurance
what good is that?
• Different logon methods are stronger or weaker – e.g. smart cards are a fairly strong method
• Only works with Kerberos, no NTLM
• Shows up as a group membership: the group you map to the certificate's issuance policy gets added to the user's Kerberos token, so the relying side just checks for that group
• Really needs smart cards to be of any value
68. Thank You!
• Please fill in an evaluation
• Visit my site for free tech forum, newsletters
etc; I'm at help@minasi.com
• My two-day Windows Server 2008 seminar
comes to Philadelphia next week and Chicago
at the end of April
• Info on all of it at www.minasi.com
• Enjoy the rest of the show!
Editor's Notes
Get to see how a user object changes before and after deletion with get-adobject -filter {samaccountname -eq "Joe"} -includedeletedobjects | fl. Note the changes in the DN (it now embeds the GUID and sits under Deleted Objects), isDeleted, lastKnownParent etc.