What’s New in Windows Server 2008 AD?

Presentation transcript:

What’s New in Windows Server 2008 AD? Active Directory

Agenda
1. Active Directory Overview
2. Active Directory Domain Services
3. Active Directory LDS
4. Active Directory Federation Services
5. Active Directory Certificate Services
6. Active Directory RMS

The AD Umbrella (diagram): Domain Services, Federation Services, RMS, LDS, Certificate Services

AD at a Glance
AD DS: Provides directory-based authentication/authorization services in support of Microsoft-based networked services and applications
AD LDS: Provides an LDAP-accessible directory service that supports identity management scenarios
AD FS: Provides federation services supporting single sign-on to web applications
AD CS: Provides PKI certificate issuance, management, and revocation services
AD RMS: Provides a solution to secure how users utilize content (e.g. Office documents)

What’s new in AD DS?
Read-only Domain Controllers
Fine-grained Password Policies
Windows Server 2008 Server Core
DNS Updates
New management functionality

Read-only Domain Controllers
Problems with normal DCs:
Didn’t work well in branch offices
Must be physically secured
No administrative delegation
RODCs to the rescue:
Read-only replica of the AD partitions
Allows for replication from a R/W DC
No caching of the domain krbtgt password
No caching of user passwords by default

RODC Functionality (diagram only): Normal AD Replication between Main Office and Branch Office; with a RODC, Main Office to Branch Office is read, not write

RODC Prerequisites
PDC emulator role holder must be running Windows Server 2008
The replication partner of the RODC must run Windows Server 2008
Windows Server 2003 native mode or higher
Run ADPREP /RODCPREP on the existing forest (if not native 2008)
No writeable DC in the same domain/site as the RODC

RODC Admin Separation
Can specify RODC administrators at DCPROMO time
Use the DSMGMT command line tool to specify delegated administrators afterwards
(Add video of doing a RODC promotion showing the prompt)

RODC Credential Caching
Passwords are not cached by default
Controlled with the Password Replication Policy
Can be set at RODC install time or afterwards
Cached passwords can be reset if the RODC becomes compromised
Demo

Filtered RODC Replication
Control over what attributes should not be replicated to a RODC for security reasons
Forest level
Configured in the schema
Works best in a 2008 native forest, as 2003 DCs do not know about the filtered set
A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed.

RODC DNS Impacts
Any AD-integrated DNS zone on a RODC is read-only
Does not auto-register itself with NS records
Clients therefore can’t register new records on a RODC DNS server
RODC DNS issues a referral to a writeable DNS server
RODC DNS then pulls down the new record

Fine-grained Password Policy
Previously, password and account lockout policy could only be set by the Default Domain Policy GPO
Can be applied to security groups and/or individual users
Steps to implementing:
Create a Password Settings Object (PSO)
Apply the PSO to objects via their DN
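Added example (Python; not from the presentation) that goes one step beyond the two steps on the slide: once several PSOs have been applied to groups and users via DN, the directory has to decide which one governs a given account. The resolver below applies the precedence rules (a PSO linked directly to the user beats one linked through a group, then lowest msDS-PasswordSettingsPrecedence, then smallest objectGUID; no PSO means the Default Domain Policy applies). The attribute names and the PSO container location are the real schema names; the Steveco DNs, GUIDs, group memberships and settings are constructed for illustration.

```python
"""Resolve which Password Settings Object (PSO) governs a given user.

Added example, not part of the presentation: the PSOs, users and groups below
are constructed sample data. The attribute names (msDS-PSOAppliesTo,
msDS-PasswordSettingsPrecedence, msDS-MinimumPasswordLength,
msDS-LockoutThreshold) and the PSO container location are the real schema
names; everything else is made up for illustration.
"""
import uuid
from dataclasses import dataclass, field

PSO_CONTAINER = "CN=Password Settings Container,CN=System,DC=steveco,DC=corp"


@dataclass
class PSO:
    dn: str
    precedence: int          # msDS-PasswordSettingsPrecedence: lower value wins
    applies_to: tuple        # msDS-PSOAppliesTo: DNs of users and/or global security groups
    object_guid: uuid.UUID   # objectGUID, used only to break a precedence tie
    settings: dict = field(default_factory=dict)


def resultant_pso(user_dn, member_of, psos):
    """Return the winning PSO for the user, or None if the Default Domain Policy applies.

    member_of is the user's expanded group membership (the DC computes this
    itself when it evaluates msDS-ResultantPSO; here it is passed in).
    Rules: a PSO linked directly to the user beats any PSO linked through a
    group; within a tier the lowest precedence wins; an equal precedence is
    broken by the mathematically smallest objectGUID.
    """
    direct = [p for p in psos if user_dn in p.applies_to]
    via_group = [p for p in psos if any(g in p.applies_to for g in member_of)]
    for tier in (direct, via_group):
        if tier:
            return min(tier, key=lambda p: (p.precedence, p.object_guid.int))
    return None


def effective_settings(user_dn, member_of, psos, default_policy):
    """Return (source name, settings dict) for the user."""
    pso = resultant_pso(user_dn, member_of, psos)
    if pso is None:
        return "Default Domain Policy", default_policy
    return pso.dn, pso.settings


# Constructed sample directory (hypothetical DNs and values).
DEFAULT_DOMAIN_POLICY = {"msDS-MinimumPasswordLength": 8, "msDS-LockoutThreshold": 0}
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=steveco,DC=corp"
SERVICE_ACCOUNTS = "CN=Service Accounts,OU=Steveco Users,DC=steveco,DC=corp"
ALICE = "CN=alice,OU=Steveco Users,DC=steveco,DC=corp"
SVC_BACKUP = "CN=svc-backup,OU=Steveco Users,DC=steveco,DC=corp"
BOB = "CN=bob,OU=Steveco Users,DC=steveco,DC=corp"

SAMPLE_PSOS = [
    PSO(f"CN=PSO-Admins,{PSO_CONTAINER}", 10, (DOMAIN_ADMINS,), uuid.UUID(int=200),
        {"msDS-MinimumPasswordLength": 15, "msDS-LockoutThreshold": 5}),
    # Same precedence as PSO-Admins but a smaller objectGUID, so it wins a tie.
    PSO(f"CN=PSO-ServiceAccounts,{PSO_CONTAINER}", 10, (SERVICE_ACCOUNTS,), uuid.UUID(int=100),
        {"msDS-MinimumPasswordLength": 25, "msDS-LockoutThreshold": 0}),
    # Linked directly to one user, so it wins for her despite the high precedence value.
    PSO(f"CN=PSO-BreakGlass,{PSO_CONTAINER}", 50, (ALICE,), uuid.UUID(int=300),
        {"msDS-MinimumPasswordLength": 20, "msDS-LockoutThreshold": 3}),
]
SAMPLE_MEMBERSHIP = {
    ALICE: (DOMAIN_ADMINS, SERVICE_ACCOUNTS),
    SVC_BACKUP: (DOMAIN_ADMINS, SERVICE_ACCOUNTS),
    BOB: (),
}

if __name__ == "__main__":
    for user, groups in SAMPLE_MEMBERSHIP.items():
        source, settings = effective_settings(user, groups, SAMPLE_PSOS, DEFAULT_DOMAIN_POLICY)
        print(f"{user}\n  governed by: {source}\n  settings: {settings}")
```

The tie case is the one worth remembering when auditing a deployment: two PSOs with the same precedence value produce a winner that looks arbitrary (it is decided by objectGUID), so give every PSO a distinct precedence and check the user's msDS-ResultantPSO rather than assuming.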

Windows Server 2008 Server Core
Can install 2008 in two ways:
A full installation with full GUI and all available software services
A minimal installation supporting a command line interface
Smaller target, less patching
Roles available on Server Core: AD DS, AD LDS, DNS, DHCP, File Server, Hyper-V, Windows Media Services, Print Management

Running a DC on Server Core
Most secure way of running a DC
Can run most MMC tools remotely against Server Core
No, PowerShell doesn’t work
Need to learn certain command line tools:
NETSH – configure network settings
NETDOM – rename computer / join domain
SLMGR – Software Licensing Manager
OCLIST – list the available roles/features
OCSETUP – install the DNS roles
DCPROMO – turn into a DC using an answer file

AD DS Auditing
Previously audited only which attribute changed
Now audit information includes the previous and new values
Now subdivided into four areas:
DS access
DS changes
DS replication
DS detailed replication

AD DS Auditing
5136 – Successful modification to an attribute
5137 – New object is created in the directory
5138 – Object is undeleted in the directory
5139 – Object is moved in the directory

AD DS Auditing
Not turned on by default
Enable in the Default Domain Policy GPO
Enable in the object’s SACL
Can disable auditing within the attribute’s schema definition to fine-tune the audit collection (bit 9 in the searchFlags property set)
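Added example (Python; not from the presentation) showing what a defender can do with the new "previous and new value" auditing described on the last three slides. The input is a constructed, simplified rendering of events 5136–5139 (one event per line, pipe-separated key=value fields, with the two halves of one attribute modification sharing a correlation ID); real events are Security-log entries with more fields, so only the correlation and triage logic carries over. The watchlist of sensitive attributes and protected groups, and the Steveco sample records, are assumptions made for the example.

```python
"""Correlate Windows Server 2008 Directory Service Changes audit events.

Added example, not part of the presentation. The records below are a
constructed, simplified rendering of events 5136-5139 (one event per line,
pipe-separated key=value fields); real events arrive as Security-log entries
with more fields. The watchlist of attributes and protected groups is an
assumption chosen for the example.
"""
from collections import defaultdict

FIELD_SEP = "|"

# Constructed sample. The two 5136 records sharing CorrelationID=0a1b are the
# "old value / new value" halves of a single modification of Domain Admins;
# the 0e3f pair shows userAccountControl moving from 512 (normal account) to a
# value with additional control bits set.
SAMPLE_EVENTS = """\
EventID=5136|CorrelationID=0a1b|Subject=STEVECO\\jdoe|Object=CN=Domain Admins,CN=Users,DC=steveco,DC=corp|Attribute=member|Operation=ValueDeleted|Value=CN=retired admin,OU=Steveco Users,DC=steveco,DC=corp
EventID=5136|CorrelationID=0a1b|Subject=STEVECO\\jdoe|Object=CN=Domain Admins,CN=Users,DC=steveco,DC=corp|Attribute=member|Operation=ValueAdded|Value=CN=jdoe,OU=Steveco Users,DC=steveco,DC=corp
EventID=5136|CorrelationID=0c2d|Subject=STEVECO\\helpdesk|Object=CN=bob,OU=Steveco Users,DC=steveco,DC=corp|Attribute=description|Operation=ValueAdded|Value=Contractor
EventID=5136|CorrelationID=0e3f|Subject=STEVECO\\helpdesk|Object=CN=svc-backup,OU=Steveco Users,DC=steveco,DC=corp|Attribute=userAccountControl|Operation=ValueDeleted|Value=512
EventID=5136|CorrelationID=0e3f|Subject=STEVECO\\helpdesk|Object=CN=svc-backup,OU=Steveco Users,DC=steveco,DC=corp|Attribute=userAccountControl|Operation=ValueAdded|Value=4260352
EventID=5137|CorrelationID=1041|Subject=STEVECO\\helpdesk|Object=CN=temp,OU=Steveco Users,DC=steveco,DC=corp
EventID=5138|CorrelationID=1243|Subject=STEVECO\\jdoe|Object=CN=svc-old,OU=Steveco Users,DC=steveco,DC=corp
EventID=5139|CorrelationID=1445|Subject=STEVECO\\jdoe|Object=CN=svc-old,OU=Steveco Users,DC=steveco,DC=corp
"""

# Watchlist (assumption for this example).
PROTECTED_GROUP_PREFIXES = ("CN=Domain Admins,", "CN=Enterprise Admins,", "CN=Administrators,")
SENSITIVE_ATTRIBUTES = {"member", "userAccountControl", "msDS-AllowedToDelegateTo", "servicePrincipalName"}
LIFECYCLE_EVENTS = {"5137": ("INFO", "object created"),
                    "5138": ("MEDIUM", "object undeleted"),
                    "5139": ("INFO", "object moved")}


def parse_event(line):
    """Split one constructed event line into a field dict; the first '=' separates key from value."""
    fields = {}
    for part in line.split(FIELD_SEP):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def correlate_modifications(events):
    """Group 5136 records by correlation ID so the old and new values of one change sit together."""
    mods = defaultdict(lambda: {"old": [], "new": []})
    for ev in events:
        if ev["EventID"] != "5136":
            continue
        mod = mods[ev["CorrelationID"]]
        mod.update(Subject=ev["Subject"], Object=ev["Object"], Attribute=ev["Attribute"])
        mod["old" if ev["Operation"] == "ValueDeleted" else "new"].append(ev["Value"])
    return dict(mods)


def findings(events):
    """Return findings: sensitive attribute changes first, then object lifecycle events."""
    out = []
    for corr, mod in correlate_modifications(events).items():
        attr = mod["Attribute"]
        if attr not in SENSITIVE_ATTRIBUTES:
            continue
        on_protected = mod["Object"].startswith(PROTECTED_GROUP_PREFIXES)
        if attr == "member" and not on_protected:
            continue  # routine group maintenance outside the protected set
        out.append({"severity": "HIGH" if on_protected else "MEDIUM", "what": f"{attr} changed",
                    "correlation": corr, "subject": mod["Subject"], "object": mod["Object"],
                    "attribute": attr, "old": mod["old"], "new": mod["new"]})
    for ev in events:
        if ev["EventID"] in LIFECYCLE_EVENTS:
            severity, what = LIFECYCLE_EVENTS[ev["EventID"]]
            out.append({"severity": severity, "what": what, "correlation": ev["CorrelationID"],
                        "subject": ev["Subject"], "object": ev["Object"], "attribute": None,
                        "old": [], "new": []})
    return out


if __name__ == "__main__":
    for f in findings(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['what']} by {f['subject']} on {f['object']}"
              + (f": {f['old']} -> {f['new']}" if f["attribute"] else ""))
```

The pairing step is what the pre-2008 auditing could not support: with only "attribute X changed" there was no way to tell a benign membership refresh from a new account landing in Domain Admins, so the correlation ID is the field to key on when building the detection.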

DNS Changes
Support for IPv6
Support for AD-integrated zones on a RODC
Background loading
GlobalNames zone
Link Local Multicast Name Resolution (LLMNR)
The Link Local Multicast Name Resolution (LLMNR) protocol is based on the Domain Name System (DNS) packet format and allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. It is included in Windows Vista and Windows Server 2008 [1].

New Management Features
Restartable Active Directory
AD DS is a separate service from LSA
A DC with a stopped AD service is equivalent to a member server
Accidental OU Deletion Check
Shadow Copy Backup
Mountable Database
Demo steps:
1. First show the AD service
2. Run ADUC in advanced mode and show the Steveco Users OU and user objects
3. Show the prevent accidental delete checkbox
4. Run NTDSUTIL: snapshot; activate instance NTDS; list all (blank); create; list all; mount 1
5. Point out the path and show it in Explorer
6. Delete the Steveco Users OU (clearing the accidental delete box first)
7. Close ADUC
8. In another CMD window run: DSAMAIN /dbpath c:\SNAP……\windows\ntds\ntds.dit /ldapport 1000
9. Run ADUC, change the DC to localhost:1000 and show that the users are there
10. Stop the AD service
11. Rename the NTDS directory
12. Copy the NTDS directory from the mounted snapshot to the production directory
13. Do an authoritative restore of “ou=steveco users,dc=steveco,dc=corp”
14. Restart the AD service
15. Run ADUC and show the OU is restored (note that it may take a few seconds for the ADUC console to come up initially)

AD Lightweight Directory Services
Previously introduced as ADAM
Provides an LDAP-accessible DS
Removes all other AD DS features:
No Kerberos authentication
No forests, domains, DCs, GCs
No dependency on DNS
No site topology
No group policies

AD LDS Scenarios
Uses for AD LDS:
White pages
Consolidation store
Web authentication service via LDAP

AD LDS Instances
Each AD LDS server can host multiple directory stores (i.e. instances)
Within each instance:
Schema partition
Configuration partition
Zero or more application partitions

AD LDS Replication Supports multimaster replication through configuration sets

Active Directory Federation Services
AD FS is a service that allows for the creation of federated relationships between organizations for web application authentication

Security Token Service
A service that takes a recognized token and issues another token
Federations are a form of STS
AD FS provides a web authentication cookie when an AD authentication token is presented

AD Certificate Services
Not significantly different from CS in 2003
Provides certificate issuance/revocation services as well as the CA service
New items:
Online Responder service via Online Certificate Status Protocol (OCSP)
Network Device Enrollment via Simple Certificate Enrollment Protocol (SCEP)

AD Rights Management Services
Updated version of RMS
Management of information usage
Supported by Office 2003, 2007 and SharePoint

Thank You!