September 03, 2009 12:00 AM
New Active Directory Features in Windows Server 2008 R2
AD capabilities will turn any admin into SuperAdmin
Windows IT Pro
InstantDoc ID #102483

Windows Server 2008 R2 is known for its new Hyper-V implementation
with zero down-time migration capabilities; however, changes to Active
Directory (AD) in Server 2008 R2 are almost as compelling and hint at
this important infrastructure’s future developments. The new AD features
can be separated into two areas—manageability enhancements and
"everything else," which includes some very useful capabilities.
Domain and Forest Functional Level Changes
Server 2008 R2 offers a new domain functional level, which you can enable after you have all Windows Server 2008 R2 domain controllers (DCs) in the domain. It adds support for the new authentication mechanism assurance features we will discuss shortly.
Server 2008 R2 also offers a new forest functional level. It requires all DCs in the entire forest to be running Server 2008 R2 and adds support for the new Recycle Bin feature. Unlike previous Windows Server domain and forest functional level changes, this operation isn’t one-way and can be reversed providing you haven’t activated any feature that requires the domain or forest level.
For example, if you’ve moved to the Server 2008 R2 forest functional level and haven’t enabled the Recycle Bin, you could drop the forest functional level back down to the Server 2008 functional level. After you move to a Server 2008 R2 functional level, you aren’t able to add Windows Server 2003 or Server 2008 DCs to the domain or forest. Before you can introduce a Windows Server 2008 R2 DC into a domain, you must perform a schema update as well as other tasks to be able to use certain new features in Server 2008 R2.
If you’re coming from a Windows 2003 domain as opposed to a domain already prepared for Server 2008, you’ll also need to update Group Policy objects (GPOs). In terms of co-existence, Windows 2000 SP4, Windows 2003, and Server 2008 DCs can exist in a domain with Server 2008 R2 DCs. Windows NT 4.0 BDCs aren’t supported in a domain with Server 2008 R2. Naturally, as we raise the domain and forest functional levels, we are restricted to DCs whose OS level matches the chosen domain or forest level.
Manageability Features
Server 2008 started the big push for Windows PowerShell-based management across the OS and services, but not all components had PowerShell support (many, in fact, did not). Server Core’s new minimal installation mode with reduced footprint and attack surface didn't even support PowerShell because of the .NET dependency, which wasn’t available on Server Core.
Server 2008 R2 remedies many of these PowerShell omissions. Server Core now supports many components of .NET, which means PowerShell is supported on Server 2008 R2 Server Core installations, and many roles and features that previously didn't support PowerShell now do, including AD.
The AD PowerShell implementation includes 75 PowerShell cmdlets and a PowerShell provider with an additional 14 cmdlets. Microsoft estimates that around 70 percent of AD functions can be performed with direct AD cmdlets written specifically to address the actions. The other 30 percent of these actions can be accomplished with PowerShell but not with dedicated cmdlets; instead, combinations of cmdlets are used.
Active Directory Web Service
A new Active Directory Web Service (ADWS) is installed on Server 2008 R2 DCs; it operates over port 9389. The required firewall exception is enabled automatically as part of the role installation (including Server Core DCs); however, if you control firewall exceptions via Group Policy, you need to ensure you open this new port. Currently most tools connect using LDAP and remote procedure calls (RPCs).
However, offering a web service for AD access enables a superior developer experience and forms the first stage of a bigger objective, which is the enablement of AD for cloud and distributed service scenarios. AD PowerShell cmdlets use the interface provided by AD Web Service (ADWS). If a DC can’t be found offering the ADWS, then the AD PowerShell cmdlets won’t work.
It’s therefore very important you have a sufficient number of R2 DCs running ADWS across all domains that a PowerShell cmdlet might query. Although you can disable ADWS, it’s discouraged. Note that when Server 2008 R2 is released, an out-of-band update for Windows 2003 and Server 2008 will be released to add ADWS to these AD implementations.
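The following pre-flight script is an added example, not code from the article: it uses the Server 2008 R2 AD cmdlets to report the current functional levels, whether the Recycle Bin has already made the forest level change irreversible, which DCs would block a move to the R2 level, and whether ADWS on TCP 9389 is reachable on each DC. It assumes the ActiveDirectory module is installed (RSAT or an R2 DC) and that the caller can read the forest.

```powershell
# Added example (not from the article): pre-flight check before raising the
# Server 2008 R2 domain/forest functional level, using AD cmdlets over ADWS.
# Assumes the ActiveDirectory module is available; port 9389 is from the article.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
Write-Host "Forest mode : $($forest.ForestMode)"
Write-Host "Domain mode : $($domain.DomainMode)"

# The R2 forest level can be rolled back only while the Recycle Bin is off.
$rb = Get-ADOptionalFeature -Filter { Name -like "Recycle Bin Feature" }
if ($rb.EnabledScopes.Count -gt 0) {
    Write-Warning "Recycle Bin is enabled; the forest functional level can no longer be lowered."
} else {
    Write-Host "Recycle Bin not enabled; the forest level change is still reversible."
}

# Every DC in the forest must run Server 2008 R2 before the forest level can be raised.
$dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$old = $dcs | Where-Object { $_.OperatingSystem -notmatch "2008 R2" }
if ($old) {
    Write-Warning "These DCs are below Server 2008 R2 and block the R2 functional level:"
    $old | Select-Object Name, Domain, OperatingSystem | Format-Table -AutoSize
}

# ADWS (TCP 9389) must be reachable on enough DCs in each domain, or the AD cmdlets
# fail. A plain TCP connect is used so the check also works from older hosts.
$adwsPort = 9389
foreach ($dc in $dcs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($dc.HostName, $adwsPort)
        $state = "open"
    } catch {
        $state = "closed/filtered (check the Group Policy firewall rule)"
    } finally {
        $client.Close()
    }
    Write-Host ("{0,-30} ADWS {1}" -f $dc.HostName, $state)
}
```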
Active Directory Administrative Center
Active Directory Administrative Center (ADAC) (see Figure 1) is a new interface designed to replace Active Directory Users and Computers. In future server versions, ADAC will also replace AD Domains and Trusts and AD Sites and Services, offering a single administrative interface for all AD management along with support for features that currently don't have any graphical interface, such as Recycle Bin and fine-grained password policies (FGPPs).
ADAC lets you manage users, groups, computers, and organizational units (OUs) and offers powerful and intuitive search and filter options. Within a single instance, it lets you manage multiple domains and even connect to multiple DCs simultaneously.
ADAC is built on PowerShell but currently doesn’t display the PowerShell commands that would be used to complete actions; this may be an option for a future version. ADAC consists of many layers; for example, it uses PowerShell, and PowerShell uses ADWS. ADAC’s many new components and dependencies on the new 2008 R2 capabilities actually give us a very rich platform for AD management.
Even More Great Management Features
In addition to the key features above, you’ll also find more components related to management. Each is extremely useful in its own right.
Active Directory Health Model. This is a single authoritative source for diagnostic information, which is used by the management packs and best practice analyzers. This health model can also be accessed by other third-party applications if necessary.
Best Practices Analyzer (BPA) for Active Directory. This is available through Server Manager and allows the installation of the selected DC to be validated against all the AD best practices. It’s a useful “quick access” checkpoint to confirm configuration.
Management Pack for Server 2008 and Server 2008 R2. Although not an AD feature, a new System Center Operations Manager 2007 management pack monitors all features related to Server 2008 and Server 2008 R2 Active Directory implementations. See the Microsoft download page.
The Really Good Stuff
Server 2008 R2’s new management features give you many more options. However, the two most sought-after functions of Server 2008 R2 actually lie outside of management: Managed Service Accounts (MSAs) and the AD Recycle Bin.
Managed Service Accounts. Service accounts—dedicated AD accounts that run a server service—are the longest-standing security vulnerability in AD. Because services such as SQL Server and Exchange depend on these accounts, changing their passwords will interrupt the service.
To combat this problem, many installations opt to use built-in accounts such as the local system and network service accounts, which are then shared by many services. However, if one service is compromised, all the services using the same built-in account could be compromised. This has finally been fixed in R2 with MSAs.
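Provisioning one MSA end to end, as an added example rather than code from the article: the account name svc-app, the host APP01, the service name AppSvc and the domain CONTOSO are placeholders. Steps 1 and 2 run where the AD module is available; steps 3 to 5 run on the service host itself.

```powershell
# Added example (not from the article): give a single service its own Managed
# Service Account instead of a shared built-in account. All names are placeholders.
Import-Module ActiveDirectory

$msaName  = "svc-app"
$hostName = "APP01"

# 1. Create the MSA in AD. No administrator ever picks or knows the password:
#    AD generates it and rotates it automatically.
New-ADServiceAccount -Name $msaName -Enabled $true `
    -Description "MSA for AppSvc on $hostName"

# 2. Bind the account to the one computer that is allowed to use it.
Add-ADComputerServiceAccount -Computer $hostName -ServiceAccount $msaName

# 3. On the service host: install the account locally so the LSA can fetch the
#    password, then confirm the host can actually authenticate as the MSA.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "MSA $msaName cannot authenticate from this host; re-check step 2."
}

# 4. Point the service at the MSA. The logon name is DOMAIN\name$ and the
#    password is left empty; Windows retrieves the real secret itself.
& sc.exe config "AppSvc" obj= "CONTOSO\$msaName`$" password= ""

# 5. Verify the service now runs under the MSA rather than LocalSystem or
#    a built-in account shared with other services.
Get-WmiObject Win32_Service -Filter "Name='AppSvc'" |
    Select-Object Name, StartName, State
```

On Windows Server 2012 and later, New-ADServiceAccount creates a group MSA by default; add -RestrictToSingleComputer there to get the standalone MSA type the article describes.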