Steve Clines
What’s New in Windows Server 2008 AD?
Active Directory
Agenda
1. Active Directory Overview
2. Active Directory Domain Services
3. Active Directory LDS
4. Active Directory Federation Services
5. Active Directory Certificate Services
6. Active Directory RMS
The AD Umbrella
Domain Services
Federation Services
LDS
RMS
Certificate Services
AD at a Glance
AD DS – Provides directory-based authentication/authorization services in support of Microsoft-based networked services and applications
AD LDS – Provides an LDAP-accessible directory service that supports identity management scenarios
AD FS – Provides federation services supporting single sign-on to web applications
AD CS – Provides PKI certificate issuance, management, and revocation services
AD RMS – Provides a solution to secure how users utilize content (e.g. Office documents)
What’s new in AD DS?
Read-only Domain Controllers
Fine-grained Password Policies
Windows Server 2008 Server Core
DNS Updates
New management functionality
Read-only Domain Controllers
Problems with normal DCs:
Didn’t work well in branch offices
Must be physically secured
No administrative delegation
RODCs to the rescue:
Read-only replica of the AD partitions
Allows for replication from a R/W DC
Does not cache the domain krbtgt password
Does not cache user passwords by default
RODC Functionality
Diagram: Main Office – Branch Office; normal AD replication, read not write
RODC Prerequisites
PDC emulator role holder must be running Windows Server 2008
The replication partner of RODC must run Windows Server 2008
Windows Server 2003 native mode or higher
Run ADPREP/RODCPREP on existing forest (if not native 2008)
No writeable DC in same domain/site as RODC
RODC Admin Separation
Can specify RODC administrators at DCPROMO time
Use the DSMGMT command line tool to specify delegated administrators afterwards
RODC Credential Caching
Password by default are not cached Controlled with Password Replication
Policy Can set at RODC install time or afterwards Cached passwords can be reset if RODC
becomes compromised Demo
Filtered RODC Replication
Control over which attributes should not be replicated to a RODC for security reasons
Forest level; configured in the schema
Works best in a 2008 native forest, as 2003 DCs do not know about the filtered set
RODC DNS Impacts
Any AD-integrated DNS zone on a RODC is read-only
Does not auto-register itself with NS records
Clients therefore can’t register new records on a RODC DNS
RODC DNS issues a referral to a writeable DNS
RODC DNS pulls down the new record
Fine-grained Password Policy
Previously, password and account lockout policy could only be set by the Default Domain Policy GPO
Can be applied to security groups and/or individual users
Steps to implementing:
Create a Password Settings Object (PSO)
Apply the PSO to objects via DN
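As an added example (not from the deck), the following Python builds the LDIF file that ldifde would import to carry out both steps at once: it creates a PSO under the Password Settings Container and links it to a group through msDS-PSOAppliesTo. The attribute names are the real msDS-PasswordSettings schema names; the domain, group and policy values are constructed, and durations are converted to the negative 100-nanosecond I8 intervals AD expects.

```python
# Added example, not from the original slides. Builds an LDIF file that
# "ldifde -i -f pso.ldf" would import to create a Password Settings Object
# (PSO) and apply it to objects by DN. Domain, group and values are constructed.
HUNDRED_NS_PER_SECOND = 10_000_000


def to_i8_interval(seconds: int) -> int:
    """PSO durations are stored as negative 100-nanosecond intervals (I8)."""
    return -seconds * HUNDRED_NS_PER_SECOND


def build_pso_ldif(name: str, domain_dn: str, applies_to: list[str], *,
                   precedence: int, min_length: int, history: int,
                   complexity: bool, min_age_days: int, max_age_days: int,
                   lockout_threshold: int, lockout_minutes: int) -> str:
    """Return LDIF text for one PSO; raises ValueError on settings AD rejects."""
    if precedence < 1:
        raise ValueError("msDS-PasswordSettingsPrecedence must be >= 1")
    if max_age_days < min_age_days:
        raise ValueError("maximum password age must not be below minimum age")
    if not applies_to:
        raise ValueError("a PSO with no msDS-PSOAppliesTo links applies to nobody")
    dn = f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"
    window = to_i8_interval(lockout_minutes * 60)
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-PasswordHistoryLength: {history}",
        f"msDS-PasswordComplexityEnabled: {'TRUE' if complexity else 'FALSE'}",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {to_i8_interval(min_age_days * 86400)}",
        f"msDS-MaximumPasswordAge: {to_i8_interval(max_age_days * 86400)}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {window}",
        f"msDS-LockoutDuration: {window}",
    ]
    # msDS-PSOAppliesTo is multi-valued: one line per target group or user DN.
    lines += [f"msDS-PSOAppliesTo: {target}" for target in applies_to]
    return "\n".join(lines) + "\n"


def admin_pso_example() -> str:
    """Constructed sample: a stricter policy for a privileged group."""
    return build_pso_ldif(
        "PSO-PrivilegedUsers", "DC=corp,DC=example",
        ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
        precedence=10, min_length=15, history=24, complexity=True,
        min_age_days=1, max_age_days=30, lockout_threshold=5, lockout_minutes=30)
```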
Windows Server 2008 Server Core
Can install 2008 in two ways:
A full installation with full GUI and all available software services
A minimal installation supporting a command line interface
Smaller target, less patching
Supported roles: AD DS, AD LDS, DNS, DHCP, File Server, Hyper-V, Windows Media Services, Print Management
Running a DC on Server Core
Most secure way of running a DC
Can run most MMC tools remotely against Server Core
No, PowerShell doesn’t work
Need to learn certain command line tools:
NETSH – configure network settings
NETDOM – rename computer/join domain
SLMGR – Software Licensing Manager
OCLIST – list the available roles/features
OCSETUP – install roles such as DNS
DCPROMO – turn into a DC using an answer file
AD DS Auditing
Previously audited only which attribute changed
Now audit information includes the previous and new values
Now subdivided into four areas:
DS access
DS changes
DS replication
DS detailed replication
AD DS Auditing
5136 – Successful modification to an attribute
5137 – New object is created in the directory
5138 – Object is undeleted in the directory
5139 – Object is moved in the directory
AD DS Auditing
Not turned on by default
Enable in the Default Domain Policy GPO
Enable in the object’s SACL
Can disable auditing within the attribute’s schema definition to fine-tune audit collection (bit 9 in the searchFlags property on)
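The "previous and new values" the slides mention arrive as separate 5136 events, one per value removed and one per value added, sharing an OpCorrelationID. As an added example (not from the deck), this Python pairs them back into old/new per object and attribute; the event XML layout and the %%14674 (value added) / %%14675 (value deleted) OperationType codes are the Windows ones, while the log records themselves are constructed sample data.

```python
# Added example, not from the original slides. Rebuilds "old value -> new value"
# from Directory Service Changes events (ID 5136): Windows writes one event per
# value removed and one per value added, and all events of a single LDAP write
# share an OpCorrelationID. The records below are constructed sample input.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # OperationType codes


def parse_event(xml_text: str) -> dict:
    """Flatten one Windows event XML record into a name -> value dict."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    data["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    return data


def pair_changes(xml_records) -> dict:
    """Group 5136 events by (correlation id, object DN, attribute) -> old/new lists."""
    grouped = {}
    for ev in map(parse_event, xml_records):
        if ev["EventID"] != "5136":
            continue   # 5137/5138/5139 are create/undelete/move, not value changes
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        slot = grouped.setdefault(key, {"old": [], "new": [], "by": ev["SubjectUserName"]})
        side = "old" if ev["OperationType"] == VALUE_DELETED else "new"
        slot[side].append(ev["AttributeValue"])
    return grouped


def sample_event(corr: str, dn: str, attr: str, value: str, op: str, who="jdoe") -> str:
    """Constructed 5136 record in the Windows event XML layout (sample data only)."""
    fields = {"OpCorrelationID": corr, "SubjectUserName": who, "ObjectDN": dn,
              "ObjectClass": "user", "AttributeLDAPDisplayName": attr,
              "AttributeValue": value, "OperationType": op}
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>5136</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


USER_DN = "CN=jdoe,OU=Staff,DC=corp,DC=example"
SAMPLE_LOG = [   # constructed: a description edit and an account being enabled
    sample_event("{A1}", USER_DN, "description", "Intern", VALUE_DELETED),
    sample_event("{A1}", USER_DN, "description", "Helpdesk", VALUE_ADDED),
    sample_event("{B2}", USER_DN, "userAccountControl", "514", VALUE_DELETED),
    sample_event("{B2}", USER_DN, "userAccountControl", "512", VALUE_ADDED),
]
```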
DNS Changes
Support for IPv6
Support for AD-integrated zones on a RODC
Background loading
GlobalNames zone
Link Local Multicast Name Resolution (LLMNR)
New Management Features
Restartable Active Directory
AD DS is a separate service from LSA
A DC with a stopped AD service is equivalent to a member server
Accidental OU deletion check
Shadow copy backup
Mountable database
AD Lightweight Directory Services
Previously introduced as ADAM
Provides an LDAP-accessible DS
Removes all other AD DS features:
No Kerberos authentication
No forests, domains, DCs, GC
No dependency on DNS
No site topology
No group policies
AD LDS Scenarios
Uses for AD LDS:
Whitepages
Consolidation store
Web authentication service via LDAP
AD LDS Instances
Each AD LDS server can host multiple directory stores (i.e. instances)
Within each instance:
Schema partition
Configuration partition
Zero or more application partitions
AD LDS Replication
Supports multimaster replication through configuration sets
Active Directory Federation Services
AD FS is a service that allows for the creation of federated relationships between organizations for web application authentication
Security Token Service
A service that takes a recognized token and issues another token
Federations are a form of STS
AD FS provides a web authentication cookie when an AD authentication token is presented
AD Certificate Services
Not significantly different from CS in 2003
Provides certificate issuance/revocation services as well as the CA service
New items:
Online Responder Service via Online Certificate Status Protocol (OCSP)
Network Device Enrollment via Simple Certificate Enrollment Protocol (SCEP)
AD Rights Management Services
Updated version of RMS
Management of information usage
Supported by Office 2003, 2007 and SharePoint
Thank You!