The things that are better left unspoken

a blog by Sander Berkouwer

An early look at new Active Directory features

Windows Server 2008 R2 and Windows 7 include new features in Active Directory that were announced and explained at Microsoft’s Tech∙Ed Europe Middle East & Africa (EMEA) conference for IT Professionals in Barcelona (Spain) from November 3rd, 2008 to November 7th, 2008.

Note:
This post represents the plans and progress made for Windows Server 2008 R2 and Windows 7 during the Milestone 3 timeframe, builds 6801 through 6937.

Active Directory Administrative Center

Windows Server 2008 R2 comes with new administrative tools. These tools offer a new management experience. The biggest change is the management console, called the Active Directory Administrative Center. It is a Microsoft Management Console (MMC) version 4 console and is task oriented. The Administrative Center replaces the current Active Directory Users and Computers (ADUC) MMC snap-in (dsa.msc).

The new management console is a graphical shell for PowerShell. After you click your commands together, the Administrative Center shows the corresponding PowerShell command on the screen and then executes it. This is the same way the Exchange 2007 Management Tools and Virtual Machine Manager 2008 work.

A feature called “Progressive Disclosure” limits the information the tool shows to the administrator. This is useful for beginning administrators, but might also prove useful in delegation scenarios.

Best Practices Analyzer

Accompanying the Active Directory Administrative Center is the Active Directory Best Practices Analyzer (ADBPA), which helps Active Directory administrators correct Active Directory problems proactively and compare Active Directory performance with previously made baselines.

Administrators managing Exchange Servers will immediately recognize this tool as the Active Directory flavor of the Exchange Server Best Practices Analyzer (ExBPA), which helps them correct the causes of unexpected behavior. The Active Directory Best Practices Analyzer (ADBPA) goes beyond the Exchange Server Best Practices Analyzer (ExBPA) and integrates with Server Manager, which in Windows Server 2008 R2 receives a tremendous overhaul. (Many roles will receive the ‘BPA’ treatment.)

The version of the Active Directory Best Practices Analyzer (ADBPA) included in Windows Server 2008 R2 (version 1.0) focuses mainly on DNS problems, because these cause the most problems for Active Directory environments. Updates to the Active Directory Best Practices Analyzer (ADBPA) can be made available through Windows Update to address problems that might arise during the lifecycle of your Domain Controllers.

PowerShell cmdlets

PowerShell cmdlets are the basis of the new streamlined management experience. The team said there are approximately 85 cmdlets related to Active Directory Services and Active Directory Lightweight Services, most of them starting with Get-AD and Set-AD. These new PowerShell cmdlets replace the current Active Directory command line tools (dsget.exe, dsmod.exe, dsadd.exe, dsmove.exe, dsquery.exe and others).

The power of PowerShell is not to be dismissed in Windows Server 2008 R2. For all you command-line avoiders out there: there’s Graphical PowerShell. This tool provides a graphical user interface (GUI) that allows you to interactively create and debug PowerShell scripts within an integrated development environment similar to Visual Studio.

The PowerShell cmdlets (and thus the Administrative Center) use AD Web Services and the Windows Communication Foundation (WCF) instead of the RPC and LDAP interfaces we use today. According to the team this is the first step toward leaving the RPC model and embracing a web services approach. The Active Directory team plans to release AD Web Services as a download for previous versions of Windows Server (Windows Server 2003 and Windows Server 2008).

Since AD Web Services requires .NET, however, it is not compatible with Windows Server 2008 Server Core domain controllers (non-R2), because that version of Server Core lacks the .NET Framework. Consequently, the new Active Directory Administrative Center and the Active Directory PowerShell cmdlets cannot be used against Windows Server 2008 Server Core domain controllers.
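As an added example (not code from the original post), the script below shows the kind of work that used to need dsquery.exe/dsget.exe pipelines, written against the Active Directory module cmdlets (Search-ADAccount, Get-ADUser, Disable-ADAccount) that ship with Windows Server 2008 R2. It assumes the module is available through RSAT or the AD DS role and that a Domain Controller running AD Web Services is reachable; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post: an audit script written against the
# Windows Server 2008 R2 Active Directory module (Get-AD*/Search-AD* cmdlets), doing
# work that previously needed dsquery.exe / dsget.exe.
# Assumptions: RSAT or the AD DS role provides the ActiveDirectory module, and a
# Domain Controller running AD Web Services is reachable. The OU below is a placeholder.
Import-Module ActiveDirectory

$searchBase  = 'OU=Staff,DC=example,DC=com'   # placeholder search base
$inactiveFor = New-TimeSpan -Days 90

# Equivalent of "dsquery user -inactive <weeks>": user accounts with no logon for 90 days.
$stale = Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly -SearchBase $searchBase

# Equivalent of a dsquery | dsget pipeline: enabled users exempt from password controls.
$weak = Get-ADUser -SearchBase $searchBase `
    -Filter { (Enabled -eq $true) -and ((PasswordNeverExpires -eq $true) -or (PasswordNotRequired -eq $true)) } `
    -Properties PasswordNeverExpires, PasswordNotRequired, LastLogonDate

# Report first. -WhatIf prints the action without changing anything, much like the
# Administrative Center shows the PowerShell command before it executes it.
$stale | Disable-ADAccount -WhatIf

$weak |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired, LastLogonDate |
    Sort-Object LastLogonDate |
    Export-Csv -Path "$env:TEMP\ad-password-exceptions.csv" -NoTypeInformation
```

The -Filter blocks are translated by the module into LDAP filters on the Domain Controller, so the query is evaluated server-side; only the result set travels over the AD Web Services channel.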

Recycle Bin for Active Directory

Restoring deleted objects from Active Directory Domain Services and Active Directory Lightweight Directory Services in current versions of Windows Server, using Directory Services Restore Mode, is not for the faint of heart. In this time of economic turmoil, proposing an expensive third-party application for this purpose to the CFO isn’t for the faint of heart either…

Windows Server 2008 R2 therefore comes with a Recycle Bin for Active Directory, which can be enabled. This feature enables administrators to quickly undo an accidental deletion from Active Directory. It works like the Recycle Bin on a Windows client and allows an administrator to fully undelete a deleted object: the object is not tombstoned (immediately) but made inactive, while all its attributes and values are kept intact for a period of 180 days. After this period it is recycled for another 180 days, which effectively serves the same function as the tombstone period.

To make the Recycle Bin possible, a new forest functional level is introduced.
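As an added example (not code from the original post), here is the enable-and-restore flow with the Active Directory module cmdlets from Windows Server 2008 R2 (Enable-ADOptionalFeature, Get-ADObject -IncludeDeletedObjects, Restore-ADObject). It assumes the forest is already at the Windows Server 2008 R2 forest functional level and that the account name jdoe is a placeholder.

```powershell
# Added example, not from the original post: enabling the Active Directory Recycle Bin
# and restoring a deleted user with the Windows Server 2008 R2 Active Directory module.
# Assumptions: the forest is at the Windows Server 2008 R2 forest functional level;
# 'jdoe' is a placeholder account. Enabling the feature cannot be undone.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# 1. Enable the optional feature forest-wide (replicates to every DC; irreversible).
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# 2. Confirm it is enabled.
Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' } |
    Select-Object Name, EnabledScopes

# 3. Inspect the two lifetimes the post mentions (deleted, then recycled). An empty
#    value means the 180-day default applies.
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime

# 4. List objects that are deleted but not yet recycled. Recycled objects have had
#    their attributes stripped and can no longer be restored this way.
Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 5. Restore one user by GUID. lastKnownParent puts it back into its original OU
#    with group memberships and other attributes intact.
$deletedUser = Get-ADObject -Filter { sAMAccountName -eq 'jdoe' -and isDeleted -eq $true } `
    -IncludeDeletedObjects
Restore-ADObject -Identity $deletedUser.ObjectGUID
```

Because the deleted object keeps every attribute, the restore in step 5 needs no authoritative restore and no reboot into Directory Services Restore Mode; step 4 is also a useful thing to review periodically, since unexpected deletions show up there before they age out.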

Managed Service Accounts

The Active Directory team created a new Active Directory object type, called a Managed Service Account. This object type, based on the workstation account, allows for easier management of service accounts in Active Directory.

Since the new object type is based upon the computer account, it is not hindered by account policies like the password policy and the account lockout policy. Additionally it doesn’t offer interactive logons, which is an added layer of security (but can also be a layer of trouble when a service needs to log on interactively).

Managed Service Accounts are related to computer accounts. You can add multiple Managed Service Accounts to one computer account, but you can’t assign a Managed Service Account to multiple computer accounts.

The Managed Service Accounts feature requires the Windows Server 2008 R2 Domain level.
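As an added example (not code from the original post), the following shows the lifecycle of a Managed Service Account with the Windows Server 2008 R2 cmdlets (New-ADServiceAccount, Add-ADComputerServiceAccount, Install-ADServiceAccount, Test-ADServiceAccount) and how a Windows service is pointed at it. The account name svc-app, the host APPSRV01, the service name AppService and the EXAMPLE domain are placeholders.

```powershell
# Added example, not from the original post: creating a Managed Service Account,
# binding it to one host and running a Windows service under it, using the
# Windows Server 2008 R2 Active Directory module. All names below are placeholders.
Import-Module ActiveDirectory

# --- On an administrative workstation or Domain Controller ---
# 1. Create the account. No password is supplied: as with a computer account, a
#    random password is generated and rotated by the host, so the domain password
#    and lockout policies do not apply to it.
New-ADServiceAccount -Name 'svc-app' -Description 'Example application service (placeholder)'

# 2. Bind it to exactly one computer account. An MSA cannot serve several hosts:
#    installing it on a second host resets the password and breaks the first one.
Add-ADComputerServiceAccount -Identity 'APPSRV01' -ServiceAccount 'svc-app'

# --- On APPSRV01 itself, as a local administrator ---
# 3. Install the account locally so the host can retrieve the password, then verify.
Install-ADServiceAccount -Identity 'svc-app'
Test-ADServiceAccount -Identity 'svc-app'     # returns $true when the host can use it

# 4. Run the service as the MSA. The trailing $ is part of the account name and the
#    password is left empty because Windows manages it. The account is never granted
#    an interactive logon, which is the security property the post describes.
sc.exe config 'AppService' obj= 'EXAMPLE\svc-app$' password= ''
sc.exe start  'AppService'
```

Step 2 is where the one-host limitation from the post shows up in practice; if the same service must run on several machines, each machine needs its own Managed Service Account.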

Offline Domain Join

One of the new features of Windows 7 and Windows Server 2008 R2 is the ability to join an Active Directory domain without a direct communication path between the client that wants to become a member of the domain and a Domain Controller.

This is achieved by restructuring the way a client joins the domain in Windows 7 and Windows Server 2008 R2. You can use this feature with your existing Windows Server 2003 and Windows Server 2008 Domain Controllers.

A tool named djoin.exe is made available. It can be used to pre-provision a client at the Domain Controller and create the blob of data required to join a computer to the domain. On Windows 7 and Windows Server 2008 R2 clients, the same tool can be used to load the blob so that it is used to join the computer to the domain when it is rebooted.
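As an added example (not code from the original post), the two halves of an offline domain join with djoin.exe are shown below, run from PowerShell. The domain example.com, the computer name WKS-0042, the OU and the blob path are placeholders.

```powershell
# Added example, not from the original post: the two halves of an offline domain join
# with djoin.exe. Names (example.com, WKS-0042, the OU, the blob path) are placeholders.

# --- Step 1: on a Windows 7 / Windows Server 2008 R2 machine with domain connectivity,
#     run as a user allowed to create computer objects. The DC may be 2003 or 2008.
$blob = 'C:\odj\WKS-0042.txt'
djoin.exe /provision /domain example.com /machine WKS-0042 `
    /machineou 'OU=Workstations,DC=example,DC=com' /savefile $blob

# The blob holds everything the client needs to authenticate as the new computer
# account, so treat the file as a credential: restrict its ACL to the administrator
# who will transfer it, and delete every copy after use.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl $blob
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl $blob $acl

# --- Step 2: on the disconnected client, as a local administrator, after copying
#     the blob over. /localos targets the running installation; the join itself is
#     completed at the next boot.
djoin.exe /requestODJ /loadfile 'C:\odj\WKS-0042.txt' /windowspath $env:SystemRoot /localos
Remove-Item 'C:\odj\WKS-0042.txt'   # the data now lives in the local registry
Restart-Computer
```

The provisioning step creates the computer account in the directory immediately, so it is visible to auditing and to the Administrative Center before the client has ever contacted a Domain Controller.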

Authentication Assurance

Active Directory Federation Services in Windows Server 2008 R2 includes a new feature known as Authentication Assurance. This feature allows administrators to establish authentication policies for accounts that are authenticated in federated domains. This enables a variety of advanced authentication scenarios, such as smart cards.

In a Windows Server 2008 R2 level domain, administrators can map various properties, including authentication type and authentication strength, to an identity. Based on information gathered during authentication (such as the use of a smart card for logon, or that the certificate used 2048-bit encryption), these identities are added to Kerberos tickets to provide access to federated resources. This way authentication methods (and thus identification) are assured.

Authentication Assurance requires the Windows Server 2008 R2 Domain Level.

Health model and Management Packs

Monitoring Active Directory with System Center Operations Manager (SCOM) has not been easy in the absence of a specific Management Pack and Health Model. In System Center Operations Manager (SCOM) a Management Pack describes what to monitor; Management Packs are made of XML files containing classes, discoveries and monitors. The monitors are part of the Health Model, which describes how to monitor.

The Active Directory team is working on completing the Management Pack and Health model to proactively monitor the availability and performance of Active Directory, so problems can be identified faster and resolved more accurately. The Health model is reused in the Best Practices Analyzer. One of the big advantages will be the ability for administrators to drill down in System Center Operations Manager to identify an underlying problem with Active Directory.

Concluding

A lot of advancements are being made to Active Directory management. In Windows Server 2008 R2 not only do we get more reliable authentication and service accounts, but we can also undelete objects more easily, join machines to domains more easily and resolve problems more easily, without expensive third-party programs.

Further reading

[Video] Windows Server 2008 R2 AD: What's Coming Up? (Robert DeLuca and Alain Lissoir)
[DOC] Windows Server 2008 R2 Reviewers Guide 
Windows Server 2008 R2 Features | TechHead.co.uk 
Just a few of the new features to expect in Windows Server 2008 R2 
Windows Server 2008 R2 Overview 
Some Windows 7 and Server 2008 R2 Information 
Windows Server 2008's Enterprise Ambitions 
Preview: Windows Server 2008 R2 
Introduction to PowerShell/AD/PowerGUI 
Server 2008 R2 Active Directory 
Tech-Ed EMEA 2008: Windows Server 2008 R2 Overview 
Windows Server 2008 R2 Features  
Day 3: Windows Server 2008 R2 Overview 
Windows Server 2008 R2 and Active Directory 
Announcing Windows Server 2008 R2  
Windows Server 2008 R2 (or should it be called Windows Server 2009?) 
574 Reasons Why We Are So Proud and Optimistic About W7 and WS08R2  

Disclaimer Beta Software

The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

Comments

Active Directory in Windows 2008 R2: all the features we wanted last time at fishbrains - Bret Fisher said:

We’re starting our plan for upgrading our Domain Controllers to Win2008.  A few cool features are snapshots of AD (may replace our lag sites if we can figure out how to use snapshots for item recovery) and local admins of the DC’s don’t have to be domain admins.  Our GPO replication also leaves legacy FRS technology for DFSR.  Lots of other little things are improved, but that’s the big stuff.

Honestly 2008 wasn’t that exciting for us AD fans.  No recycle bin, no PowerShell support, same old MMC w/o quick search, no native “web services” for AD… But it looks like they plan to take care of ALL that and more in Win2008 R2 (RTM 2010)

# November 15, 2008 7:02 PM

Windows Server 2008 R2 Features said:

Windows Server 2008 R2 and Windows 7 include new features in Active Directory, that were announced and explained at Microsoft’s Tech∙Ed Europe Middle East & Africa (EMEA) conference for IT Professionals in Barcelona (Spain) from November 3rd, 2008 to November 7th, 2008.

# November 16, 2008 5:27 AM

TrackBack said:

Windows Server 2008 R2 and Windows 7 include new features in Active Directory, that were announced and explained at Microsoft’s Tech∙Ed Europe Middle East & Africa (EMEA) conference for IT Professionals in Barcelona (Spain) from November 3rd, 2008 to November 7th, 2008

A lot of advancements are being made to Active Directory management. In Windows Server 2008 R2 not only do we have more reliable authentication and service accounts, but also we can undelete objects in an easier way, join machines to the domains in an easier way and resolve problems more easily and without expensive 3rd party programs.

# November 16, 2008 7:16 AM

What I Know » Windows 2008 R2 - What’s new so far ? said:

Windows Server 2008 R2 is still under development, and a special trial version of it has been released to a certain group of people. Naturally, news has started to come out about what is new in this release, and frankly I got some information indicating that the change in Windows 2008 R2 will be big on the management side.

Current changes in Windows 2008 R2 - Server Core

First, Active Directory Certificate Services has been added to the server roles.
Second, WoW64 is now not installed on the server by default, but if you need it to run 32-bit programs you can install it.
Third, the following options have become optional in the system, meaning they are not installed by default, but if you need them you can install them:
Subset of .NET Framework 2.0
Subset of .NET Framework 3.0 and 3.5
Windows PowerShell
ASP.NET and additional IIS support
Fourth, the system will be 64-bit only, meaning there will be no more 32-bit Windows Server.

Current changes in Windows 2008 R2 - Active Directory

New features have been added to Active Directory for Windows 2008 R2; the following features are what has been announced so far, meaning there are still new changes that have not been announced yet:
First, Active Directory Administrative Center
Second, Active Directory Best Practices Analyzer
Third, New Powershell CMDlets
Added to PowerShell: Get-AD & Set-AD, which replace the currently existing commands dsget.exe, dsmod.exe, dsadd.exe, dsmove.exe, dsquery.exe
Fourth, Recycle Bin for Active Directory
Fifth, Managed Service Accounts
Sixth, Offline Domain Join
Seventh, Authentication Assurance
Eighth, Active Directory Health model and Management Packs

For more details on the features mentioned, click here

# November 16, 2008 1:06 PM

TrackBack said:

Further announcements of what is new in Windows Server 2008 R2 - first up, Active Directory, with quite a few interesting changes. Sander Berkouwer describes the various features on his blog DirTeam.com, with screenshots. The first of them is the Active Directory Administrative Center, a new integrated management console replacing the existing dsa.msc, already based on MMC version 4.0. Interestingly, it is only a graphical layer over the PowerShell interface for managing the domain. So there will be quite a few new Get-AD... and Set-AD... cmdlets. In the system we will also find the Best Practices Analyzer tool, which should look familiar to Exchange administrators. It will focus on resolving DNS problems and will be updated through Windows Update.

A small but pleasing thing is also the Recycle Bin for Active Directory, which greatly simplifies the process of recovering accidentally deleted objects. In the new version of the directory services we will also find a new account type - Managed Service Accounts - which will be based on computer accounts and will make managing services easier. Another interesting novelty will be the ability to join a workstation to a domain in offline mode - that is, to pre-configure a computer without an active connection to a controller, and importantly, also with controllers older than Windows Server 2008 R2. In addition, ADFS will have a feature called Authentication Assurance, which allows authentication policies to be configured for accounts that are authenticated in federated domains.

Those hungry for further knowledge about the individual novelties and changes in Active Directory are referred to Sander's blog, and we recommend watching the official video clip presenting what is new in AD.

And what awaits administrators of servers in the Core version? This version will of course continue to be developed, and in Windows Server 2008 R2 it also faces quite a few changes. Above all, Microsoft is adding support for the .NET Framework, which practically everyone has been waiting for. Core will also be able to serve as Active Directory Certificate Services. In addition, WoW64 will not be installed by default - this will make it possible to further minimize the potential attack surface. Optional features available for installation will also include File System Resource Manager, PowerShell (thanks to .NET support) and, naturally, ASP.NET for IIS. The only IIS feature not available in Server Core will now be just the management console.

It is commonly known that Windows Server 2008 R2 will be available exclusively in a 64-bit version. After reading the materials about all the novelties, it is worth cooling the emotions and thinking rationally about whether we will really be able to afford them. Brian Madden on his blog draws attention to an important fact - all terminal servers will have to be 64-bit, and consequently all applications as well. Unfortunately this will not be possible everywhere, so the migration must be planned carefully and well in advance.

# November 17, 2008 12:58 PM

TrackBack said:

At EMEA, during the presentation of Windows Server 2008 R2 and Windows 7, the new features that have been included in the new server platform were explained. Among these, the new features for Active Directory stand out, which will strengthen its functionality even further... to name a few, we find the recycle bin for objects (so no more recovery mode to recover a user deleted by mistake), the availability of PowerShell commands (as is the case for Exchange Server 2007) and the birth of Active Directory Web Services.

The new features are big and interesting and have all been described by Sander Berkouwer, and you can find them at this link

# November 17, 2008 12:59 PM

4sysops - Windows Server 2008 R2 new features - the complete list - Part 2: Active Directory said:

Active Directory Domain Services in Windows Server 2008 R2 support a new forest functional level. I am not sure if all of the features described here require the R2 functional level. I will try to find out more about this issue soon. The better PowerShell support is probably the most important enhancement. However, my favorite new feature is the new Recycle Bin.

Sander Berkouwer described the new Active Directory features in more detail.

# November 26, 2008 12:14 PM

New Active Directory Features | Tech Repair Zone said:

New basic management tools are welcomed with open arms. Actual hands-on use for these tools is limited, but integral PowerShell accessibility and a completely redesigned GUI are a party in a box. Also a fundamental ability is the Active Directory Recycle Bin. You can delete something without losing the data completely, or when an account expires and auto-deletes, you’ll have an extended period of time during which the account will remain accessible.

# March 15, 2009 4:10 AM

AD Doc Team said:

The Offline Domain Join Step-by-Step Guide is available on the TechNet site. The guide demonstrates how to use the djoin.exe utility to perform an offline domain join. The basic steps include:

djoin.exe /provision

djoin.exe /requestODJ

See more about the utility at djoin utility at http://technet.microsoft.com/en-us/library/dd392267.aspx.

# May 27, 2009 12:45 PM

The things that are better left unspoken said:

You might be running Windows Server 2003 (R2) and Windows Server 2008 Domain Controllers at the moment

# July 1, 2011 11:58 AM