
Active Directory






Presentation Transcript


  1. Active Directory: What’s New in Windows Server 2008 AD?

  2. Agenda
     1. Active Directory Overview
     2. Active Directory Domain Services
     3. Active Directory LDS
     4. Active Directory Federation Services
     5. Active Directory Certificate Services
     6. Active Directory RMS

  3. The AD Umbrella (diagram): Domain Services, Federation Services, RMS, LDS, Certificate Services

  4. AD at a Glance
     • AD DS – Provides directory-based authentication/authorization services in support of Microsoft-based networked services and applications
     • AD LDS – Provides an LDAP accessible directory service that supports identity management scenarios
     • AD FS – Provides federation services supporting single sign-on to web applications
     • AD CS – Provides PKI certificate issuance, management, and revocation services
     • AD RMS – Provides a solution to secure how users utilize content (i.e. Office documents)

  5. What’s new in AD DS?
     • Read-only Domain Controllers
     • Fine-grained Password Policies
     • Windows Server 2008 Server Core
     • DNS Updates
     • New management functionality

  6. Read-only Domain Controllers
     • Problems with normal DCs
       • Didn’t work well in branch offices
       • Must be physically secured
       • No administrative delegation
     • RODCs to the rescue
       • Read-only replica of the AD partitions
       • Allows for replication from an R/W DC
       • No caching of the domain krbtgt password
       • No caching of user passwords by default

  7. RODC Functionality (diagram): Main Office and Branch Office, normal AD replication, read not write

  8. RODC Prerequisites
     • PDC emulator role holder must be running Windows Server 2008
     • The replication partner of the RODC must run Windows Server 2008
     • Windows Server 2003 native mode or higher
     • Run ADPREP /RODCPREP on an existing forest (if not native 2008)
     • No writeable DC in the same domain/site as the RODC

  9. RODC Admin Separation
     • Can specify RODC administrators at DCPROMO time
     • Use the DSMGMT command line tool to specify delegated administrators afterwards

  10. RODC Credential Caching
     • Passwords are not cached by default
     • Controlled with the Password Replication Policy
     • Can be set at RODC install time or afterwards
     • Cached passwords can be reset if the RODC becomes compromised
     • Demo
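The two RODC slides above (admin separation and credential caching) in practice, as an added example that is not part of the deck: it uses the ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 and later; the deck's own tools for the same steps are DSMGMT and `repadmin /prp`). The RODC name, the group DNs and the account names are assumptions.

```powershell
# Added example (not from the deck): delegate RODC administration and manage
# its Password Replication Policy with the ActiveDirectory module.
# RODC01 and the group DNs below are assumptions.
Import-Module ActiveDirectory

$Rodc         = 'RODC01'
$BranchAdmins = 'CN=Branch Admins,OU=Groups,DC=corp,DC=example'   # assumed DN
$BranchUsers  = 'CN=Branch Users,OU=Groups,DC=corp,DC=example'    # assumed DN

# 1. Admin separation (slide 9): the managedBy attribute of the RODC computer
#    object grants local administrative rights on that RODC only, with no rights
#    on the domain or on other DCs.
Set-ADComputer -Identity $Rodc -ManagedBy $BranchAdmins

# 2. Credential caching (slide 10): allow caching only for branch users and add
#    an explicit deny for a privileged group. Built-in privileged groups are
#    already members of "Denied RODC Password Replication Group".
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchUsers
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList 'Domain Admins'

# 3. Review: what the policy allows, and whose secrets have actually been
#    revealed to (cached on) this RODC so far.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass | Format-Table -AutoSize

# 4. Compromise response ("cached passwords can be reset"): give every user
#    account whose secret was revealed to the RODC a new random password.
#    Computer accounts are re-keyed from the machine (netdom resetpwd) instead.
function Reset-RevealedAccountPassword {
    param([Parameter(Mandatory)][string]$RodcName)
    $accounts = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    foreach ($acct in $accounts) {
        if ($acct.ObjectClass -ne 'user') { continue }
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $newPw
        Write-Output "Reset password for $($acct.SamAccountName)"
    }
}
# Reset-RevealedAccountPassword -RodcName $Rodc   # only after the RODC is confirmed compromised
```

The revealed-accounts list is the thing to keep an eye on: it is the actual blast radius of a stolen RODC, whatever the policy says, because accounts that were allowed and then removed from the allowed list stay revealed until their passwords change.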

  11. Filtered RODC Replication
     • Control over what attributes should not be replicated to a RODC for security reasons
     • Forest level
     • Configured in the schema
     • Works best in a 2008 native forest, as 2003 DCs do not know about the filtered set

  12. RODC DNS Impacts
     • Any AD-integrated DNS zone on a RODC is read-only
     • Does not auto-register itself with NS records
     • Clients therefore can’t register new records on a RODC DNS
     • RODC DNS issues a referral to a writeable DNS
     • RODC DNS pulls down the new record

  13. Fine-grained Password Policy
     • Previously password and account lockout policy could only be set by the Default Domain Policy GPO
     • Can be applied to security groups and/or individual users
     • Steps to implementing:
       • Create a Password Settings Object (PSO)
       • Apply the PSO to objects via DN
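The two steps on the slide (create a PSO, apply it via DN) carried through, as an added example that is not part of the deck. It uses the ActiveDirectory module cmdlets (the deck's era did the same with ADSI Edit or an ldifde import of an msDS-PasswordSettings object); fine-grained policies need the Windows Server 2008 domain functional level. The PSO name, precedence, settings, group DN and account name are assumptions.

```powershell
# Added example (not from the deck): a PSO for service accounts, created and
# applied with the ActiveDirectory module. Names and values are assumptions.
Import-Module ActiveDirectory

$PsoName  = 'PSO-ServiceAccounts'
$Subjects = 'CN=Service Accounts,OU=Groups,DC=corp,DC=example'   # assumed DN

# Step 1: create the PSO. When several PSOs apply to one user, the lowest
# precedence value wins; a PSO always beats the Default Domain Policy.
New-ADFineGrainedPasswordPolicy -Name $PsoName `
    -Precedence 10 `
    -MinPasswordLength 25 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -Description 'Long passwords, lenient lockout for service accounts'

# Step 2: apply it by DN. Only users and global security groups are valid
# subjects; a PSO cannot be linked to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Subjects

# Verify from the user's side: the resultant policy tells you whether the PSO,
# rather than the Default Domain Policy, is what actually governs the account.
function Get-EffectivePolicyName {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { return 'Default Domain Policy' }
    return $pso.Name
}
Get-EffectivePolicyName -SamAccountName 'svc-backup'   # assumed member of the group
```

Checking the resultant policy on a member is the step most often skipped: a PSO that was created but linked to the wrong object silently leaves the account on the domain default.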

  14. Windows Server 2008 Server Core
     • Can install 2008 in two ways
       • A full installation with full GUI and all available software services
       • A minimal installation supporting a command line interface
     • Smaller target, less patching
     • Supported roles:
       • AD DS
       • AD LDS
       • DNS
       • DHCP
       • File Server
       • Hyper-V
       • Windows Media Services
       • Print Management

  15. Running a DC on Server Core
     • Most secure way of running a DC
     • Can run most MMC tools remotely against Server Core
     • No, PowerShell doesn’t work
     • Need to learn certain command line tools
       • NETSH – configure network settings
       • NETDOM – rename computer/join domain
       • SLMGR – Software Licensing Manager
       • OCLIST – list the available roles/features
       • OCSETUP – install roles such as DNS
       • DCPROMO – turn into a DC using an answer file

  16. AD DS Auditing
     • Previously audited only which attribute changed
     • Now audit information includes the previous and new values
     • Now subdivided into four areas
       • DS access
       • DS changes
       • DS replication
       • DS detailed replication

  17. AD DS Auditing
     • 5136 – Successful modification of an attribute
     • 5137 – New object is created in the directory
     • 5138 – Object is undeleted in the directory
     • 5139 – Object is moved in the directory

  18. AD DS Auditing
     • Not turned on by default
     • Enable in the Default Domain Policy GPO
     • Enable in the object’s SACL
     • Can disable auditing within the attribute’s schema definition to fine-tune the audit collection (bit 9 of the searchFlags property set)
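Slides 16 to 18 as a working sequence, plus the schema check from slide 11, as an added example that is not part of the deck: enable the Directory Service Changes subcategory, put a SACL on an OU, read the 5136 to 5139 events back with their old and new values, and list the schema attributes flagged as never-audited (0x100, the slide's bit 9) or as members of the RODC filtered attribute set (0x200). The OU DN is an assumption; the script runs on a DC with the ActiveDirectory module and its AD: drive available.

```powershell
# Added example (not from the deck): enable and consume AD DS change auditing.
# The OU DN is an assumption; run on a DC with the ActiveDirectory module.
Import-Module ActiveDirectory

# Step 1 (slide 18, GPO): the subcategory must be on. auditpol sets it locally;
# in the Default Domain Policy it is "Audit Directory Service Changes".
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Step 2 (slide 18, SACL): audit successful property writes by anyone on the OU
# and everything beneath it. Without a SACL no 5136 is ever written.
$OuDn     = 'OU=Tier0,DC=corp,DC=example'   # assumed
$acl      = Get-Acl -Path "AD:\$OuDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Step 3 (slides 16-17): 5136 carries the attribute name and one value per
# event. A change shows up as a "Value Deleted" event for the old value and a
# "Value Added" event for the new one, sharing an OpCorrelationID.
function Get-DirectoryChange {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            $opRaw = $d['OperationType']
            $op = if ($opRaw -eq '%%14674') { 'Value Added' }
                  elseif ($opRaw -eq '%%14675') { 'Value Deleted' }
                  else { $opRaw }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Id            = $_.Id
                Who           = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object        = $d['ObjectDN']
                Attribute     = $d['AttributeLDAPDisplayName']
                Operation     = $op
                Value         = $d['AttributeValue']
                CorrelationID = $d['OpCorrelationID']
            }
        }
}
# Group membership changes, newest first: the pair of Deleted/Added rows with
# the same CorrelationID is the "previous and new value" the slide refers to.
Get-DirectoryChange | Where-Object { $_.Attribute -eq 'member' } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Schema check: which attributes carry a given searchFlags bit?
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
function Get-AttributeWithSearchFlag {
    param([Parameter(Mandatory)][int]$Flag)
    $schema = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schema -LDAPFilter "(searchFlags:1.2.840.113556.1.4.803:=$Flag)" `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, searchFlags
}
Get-AttributeWithSearchFlag -Flag 0x100   # NEVER_AUDIT_VALUE: value not logged (slide 18)
Get-AttributeWithSearchFlag -Flag 0x200   # RODC filtered attribute set (slide 11)
```

The 0x100 query is worth running before trusting the audit trail: any attribute in that list will still produce a 5136, but with the value withheld, so a detection rule that keys on the value will never fire for it.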

  19. DNS Changes
     • Support for IPv6
     • Support for AD-integrated zones on a RODC
     • Background loading
     • GlobalNames zone
     • Link Local Multicast Name Resolution (LLMNR)

  20. New Management Features
     • Restartable Active Directory
       • AD DS is a separate service from LSA
       • A DC with the AD service stopped is equivalent to a member server
     • Accidental OU Deletion Check
     • Shadow Copy Backup
     • Mountable Database
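Two of the management features above in use, as an added example that is not part of the deck: auditing and enforcing the accidental-deletion flag on every OU, and using restartable AD DS to run an offline integrity check of the database without a reboot into Directory Services Restore Mode. It assumes the ActiveDirectory module and must run on the DC itself for the offline step.

```powershell
# Added example (not from the deck): accidental-deletion protection across all
# OUs, and an offline ntds.dit check using restartable AD DS. Run on a DC.
Import-Module ActiveDirectory

# "Accidental OU Deletion Check": the checkbox in the MMC is stored as Deny ACEs
# for Everyone on Delete and Delete Subtree, so a deletion fails until an
# administrator deliberately clears the flag. Find OUs that lack it.
function Get-UnprotectedOu {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}
Get-UnprotectedOu | ForEach-Object {
    Set-ADOrganizationalUnit -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $true
    Write-Output "Protected $($_.DistinguishedName)"
}

# "Restartable Active Directory": stop NTDS (KDC, DNS and the SYSVOL replication
# service stop with it, and the box behaves like a member server meanwhile),
# run ntdsutil's offline integrity check, then bring the directory back.
Stop-Service -Name NTDS -Force
try {
    ntdsutil "activate instance ntds" files integrity quit quit
}
finally {
    Start-Service -Name NTDS
}
Get-Service -Name NTDS, Kdc, DNS | Select-Object Name, Status
```

The try/finally matters: if the integrity check throws, the DC still comes back, which is the whole point of doing this online rather than in DSRM.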

  21. AD Lightweight Directory Services
     • Previously introduced as ADAM
     • Provides an LDAP accessible DS
     • Removes all other AD DS features
       • No Kerberos authentication
       • No forests, domains, DC, GC
       • No dependency on DNS
       • No site topology
       • No group policies

  22. AD LDS Scenarios
     • Uses for AD LDS
       • Whitepages
       • Consolidation store
       • Web authentication service via LDAP

  23. AD LDS Instances
     • Each AD LDS server can host multiple directory stores (i.e. instances)
     • Within each instance
       • Schema partition
       • Configuration partition
       • Zero or more application partitions

  24. AD LDS Replication
     • Supports multimaster replication through configuration sets

  25. Active Directory Federation Services
     • AD FS is a service that allows for the creation of federated relationships between organizations for web application authentication

  26. Security Token Service
     • A service that takes a recognized token and issues another token
     • Federations are a form of STS
     • AD FS provides a web authentication cookie when an AD authentication token is presented

  27. AD Certificate Services
     • Not significantly different from CS in 2003
     • Provides certificate issuance and revocation services as well as the CA service
     • New items
       • Online Responder Service via Online Certificate Status Protocol (OCSP)
       • Network Device Enrollment via Simple Certificate Enrollment Protocol (SCEP)

  28. AD Rights Management Services
     • Updated version of RMS
     • Management of information usage
     • Supported by Office 2003, 2007 and SharePoint

  29. Thank You!
