Slide 1: Active Directory – Windows Server 2008 & R2 – What's New
Brian Desmond, Moran Technology Consulting
www.morantechnology.com
www.briandesmond.com
Slide 2: About Me
- Chicago-based Active Directory & Exchange consultant
- MS MVP for Active Directory since 2003
- Author of Active Directory, 4th Ed. from O'Reilly (you should own a copy!)
- e-mail: [email protected]
- website & blog: www.briandesmond.com
Slide 3: Agenda
- Server Core
- Managed Service Accounts
- Read-Only Domain Controllers
- Fine Grained Password Policies
- Deleted Object Management
Slide 4: What is Server Core?
- New installation option for Windows Server 2008
  - Not a separate SKU; does not require separate CALs
- Security benefits
  - Smaller installation footprint
  - "Less friendly" UI leads to less "tinkering" in branch office scenarios
- Administering Server Core
  - Only specific services/roles can be installed
  - Limited GUI, but not totally gone!
  - Remote administration can use any GUI tools you'd like
Slide 5: Operational Concerns for Server Core
- Application compatibility for Server Core
  - Impact on anti-virus and other tools
  - Windows Server 2008 R2 adds .NET
- Administrative learning curve
- "Can I 'upgrade' a Server Core install to a full installation?" No, it requires a full re-install of the OS
Slide 6: Agenda (same list as slide 3)
Slide 7: Read-Only Domain Controllers (diagram: RODC in a Branch Office)
- Admin Role Separation
  - RODC server admins needn't be Domain Admins
  - Prevents branch admins from accidentally causing harm
  - Delegated promotion
- Secrets not cached by default
  - Policy to configure caching of branch-specific secrets on the RODC
  - Policy to configure custom schema attributes as secrets
- 1-Way Replication
  - No replication from RODC to full DC
  - A change on the RODC does not propagate to the entire enterprise
Slide 8: Active Directory – No RODCs (diagram: Hub Site with four Branch Offices)
Slide 9: Domain Controller Secret Security (diagram: Hub Site with four Branch Offices; callout: "Domain-wide Password Reset!")
Slide 10: Active Directory – RODCs (diagram: Hub Site RWDC with four Branch RODCs)
Slide 11: RODC Secret Security (diagram: Hub Site RWDC with four Branch RODCs; callout: "Just a few Password Resets")
Slide 12: Password Replication Policy
- Defines what secrets are cached on the RODC
- Stored on a per-RODC basis
- Four lists: Authenticated To, Cached Passwords, Caching Allowed, Caching Denied
- Cached passwords are removed when they expire or are changed
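The four lists on this slide can be read and adjusted from the Windows Server 2008 R2 / Windows 7 RSAT ActiveDirectory module. The script below is an added example, not part of the presentation; it assumes an RODC named BRANCH-RODC01 and a group named "Branch Chicago Users", both hypothetical, and it checks the one thing a defender cares most about: that no privileged account's secret has been cached on a branch DC.

```powershell
# Added example (not from the presentation): review an RODC's Password
# Replication Policy and its usage lists. RODC and group names are hypothetical.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC01'   # hypothetical RODC computer name

# 1. The policy lists stored on the RODC's own computer object
#    (msDS-RevealOnDemandGroup = Caching Allowed, msDS-NeverRevealGroup = Caching Denied).
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
'Caching Allowed:'; $allowed | Select-Object Name, ObjectClass
'Caching Denied:';  $denied  | Select-Object Name, ObjectClass

# 2. The usage lists: who has authenticated through this RODC (Authenticated To)
#    and whose secrets are actually cached on it (Cached Passwords / revealed).
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$revealedDNs   = @($revealed | ForEach-Object { $_.DistinguishedName })

# 3. Accounts that log on here but are not cached still depend on the WAN link to
#    the hub RWDC for every logon; they are the candidates for the allowed list.
'Authenticated but not cached:'
$authenticated |
    Where-Object { $revealedDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass, DistinguishedName

# 4. Privileged accounts must never be cached on a branch DC: compare the revealed
#    list with the recursive membership of Domain Admins.
$privilegedDNs = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                   ForEach-Object { $_.DistinguishedName })
$leaked = @($revealed | Where-Object { $privilegedDNs -contains $_.DistinguishedName })
if ($leaked.Count -gt 0) {
    Write-Warning "Privileged account secrets are cached on ${rodc}:"
    $leaked | Select-Object Name, DistinguishedName
} else {
    "No Domain Admins secrets are cached on $rodc."
}

# 5. Put a branch-specific group on this RODC's allowed list so its members keep
#    logging on when the WAN is down. The policy is per RODC, so repeat per branch.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch Chicago Users'   # hypothetical group

# 6. Inventory of RODCs and their delegated administrators (Admin Role Separation
#    is recorded in the ManagedBy attribute of the RODC's computer object).
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    ForEach-Object {
        $c = Get-ADComputer -Identity $_.ComputerObjectDN -Properties ManagedBy
        New-Object PSObject -Property @{ RODC = $_.Name; Site = $_.Site; DelegatedAdmin = $c.ManagedBy }
    }
```

Run it from a workstation or hub DC with the RSAT tools; the default denied list already contains Administrators, Account Operators, Server Operators, Backup Operators and the Denied RODC Password Replication Group, so step 4 is mainly a check against allowed-list mistakes made later.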
Slide 13: Agenda (same list as slide 3)
Slide 14: Fine Grained Password Policies
- Limitless password and lockout policies per domain
- Linked directly to users or via groups; no OU-based linking!
- Create with ADSIEdit: there is no FGPP GUI
- Windows 7 adds PowerShell cmdlets
- 3rd-party tools available
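The cmdlets the slide mentions ship with the Windows Server 2008 R2 / Windows 7 RSAT ActiveDirectory module; on Windows Server 2008 RTM the same objects are created under CN=Password Settings Container with ADSIEdit. The following is an added example, not from the presentation, showing a policy for administrative accounts, its linking to a group (the only valid subjects are users and global security groups), and the check for which policy actually wins for a user. The PSO, group and user names are hypothetical.

```powershell
# Added example (not from the presentation): create, link and verify a Fine
# Grained Password Policy. PSO name, group and user are hypothetical.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'

# 1. A stricter policy for administrative accounts. When several PSOs apply to
#    one user the LOWEST precedence wins; ties are broken by objectGUID, so give
#    every PSO a unique precedence. TimeSpans are written as d.hh:mm:ss.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' `
    -Description 'Stricter policy for administrative accounts'

# 2. Link it. Subjects are user or global security group objects
#    (msDS-PSOAppliesTo); an OU is rejected, which is the "no OU based linking"
#    point from the slide.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# 3. Resultant policy for one user (the msDS-ResultantPSO constructed attribute).
#    $null means the domain default policy from Default Domain Policy applies.
$user = Get-ADUser -Identity 'jdoe'   # hypothetical user
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective) {
    '{0} is governed by PSO {1} (min length {2}, max age {3})' -f `
        $user.SamAccountName, $effective.Name, $effective.MinPasswordLength, $effective.MaxPasswordAge
} else {
    '{0} falls back to the domain default password policy' -f $user.SamAccountName
}

# 4. Inventory of every PSO and its subjects. A PSO weaker than the domain
#    default applied to a broad group is the usual mistake to look for.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold,
        @{ n = 'AppliesTo'; e = { @($_.AppliesTo) -join '; ' } }
```

Step 3 is the check to run after any linking change: because precedence decides between overlapping PSOs, a user added to a second group can silently end up under a weaker policy.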
Slide 15: FGPP Management Tools
- SpecOps Password Policy Basic: http://www.specopssoft.com
Slide 16: Agenda
- Server Core
- Read-Only Domain Controllers
- Fine Grained Password Policies
- Managed Service Accounts
- Deleted Object Management
Slide 17: Service Accounts Today
- Huge security hole
- Passwords never changed
- Nobody knows who knows the password
- Every service using the account is often unknown
Slide 18: Managed Service Accounts
- Windows Server 2008 R2 feature
- Service account password managed by the server automatically
- One-to-one service account to machine relationship
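As an added example that is not part of the presentation, the script below first finds the "service accounts today" pattern from slide 17 (user accounts carrying an SPN whose password never changes) and then replaces one of them with a Windows Server 2008 R2 Managed Service Account. It assumes the ActiveDirectory module, a 2008 R2 schema, a Windows Server 2008 R2 host named WEB01, an account name svc-webapp, a service named WebAppSvc and a domain CORP, all hypothetical.

```powershell
# Added example (not from the presentation): inventory legacy service accounts,
# then create and bind a 2008 R2 Managed Service Account. Names are hypothetical.
Import-Module ActiveDirectory

# 1. User accounts with an SPN (so a Kerberos service runs as them) whose
#    password is older than a year or set to never expire.
$cutoff = (Get-Date).AddDays(-365)
Get-ADUser -Filter { servicePrincipalName -like '*' } `
           -Properties PasswordLastSet, PasswordNeverExpires, servicePrincipalName, LastLogonDate |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, LastLogonDate,
        @{ n = 'SPNs'; e = { @($_.servicePrincipalName) -join '; ' } } |
    Sort-Object PasswordLastSet

# 2. Create the MSA (object class msDS-ManagedServiceAccount). Nobody ever sees
#    its password: it is random and rotated by the member computer the same way
#    a computer account password is.
New-ADServiceAccount -Name 'svc-webapp' -Enabled $true   # hypothetical name

# 3. Bind it to exactly one computer; 2008 R2 MSAs are one-to-one.
Add-ADComputerServiceAccount -Identity 'WEB01' -ServiceAccount 'svc-webapp'   # hypothetical host

# 4. On WEB01 itself: make the account usable locally and confirm it works.
Install-ADServiceAccount -Identity 'svc-webapp'
Test-ADServiceAccount -Identity 'svc-webapp'   # True when this host can use the account

# 5. Point the service at the MSA. The logon name is DOMAIN\name$ with an empty
#    password; single quotes keep PowerShell from expanding the trailing $.
sc.exe config 'WebAppSvc' obj= 'CORP\svc-webapp$' password= ''   # hypothetical service and domain
```

Step 1 answers two of the slide-17 questions at once (which accounts are service accounts, and how stale their passwords are); the remaining one, which services use each account, still needs a per-host inventory of service logon identities.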
Slide 19: Agenda (same list as slide 16)
Slide 20: Accidental Deletion Protection
- Checkbox in the Windows Server 2008 administrative tools
- Adds an ACL entry to the object preventing Delete for Everyone
Slide 21: Recycle Bin Object Lifecycle
- Windows Server 2008: Live Object -> Tombstone Object (180 days) -> Garbage collection
  - LDAP OID 1.2.840.113556.1.4.417 returns Tombstones
- Windows Server 2008 R2 with Recycle Bin (if not enabled, behavior is similar to Windows Server 2008): Live Object -> Deleted Object (180 days) -> Recycled Object (180 days) -> Garbage collection
  - LDAP OID 1.2.840.113556.1.4.417 returns Deleted
  - LDAP OID 1.2.840.113556.1.4.2064 returns Deleted and Recycled
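Slides 20 and 21 together describe the deleted-object management story; the script below is an added example (not from the presentation) that walks through both with the ActiveDirectory module: protecting OUs and showing the ACE the checkbox adds, then checking the Recycle Bin feature, reading the two lifetimes from the slide, listing deleted objects and restoring one. OU, domain and user names are hypothetical; the Recycle Bin steps need the Windows Server 2008 R2 forest functional level.

```powershell
# Added example (not from the presentation): accidental-deletion protection and
# the Windows Server 2008 R2 Recycle Bin. OU, domain and user are hypothetical.
Import-Module ActiveDirectory

# 1. Find OUs that are not protected and protect them. ProtectedFromAccidentalDeletion
#    is not a stored attribute: the cmdlet derives it from the object's ACL.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }
$unprotected | Select-Object DistinguishedName
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# 2. What the checkbox adds: a Deny ACE for Everyone on Delete and Delete Subtree,
#    visible through the module's AD: drive.
$ou = 'OU=Branch Offices,DC=corp,DC=example'   # hypothetical OU
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like '*Everyone' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited

# 3. Recycle Bin status. Enabling is forest-wide and cannot be undone, so the
#    cmdlet is left to prompt for confirmation.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
}

# 4. The two 180-day lifetimes on the slide are attributes of the Directory Service
#    object. msDS-DeletedObjectLifetime is unset by default and then equals
#    tombstoneLifetime.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# 5. List deleted objects. -IncludeDeletedObjects is the cmdlet-level counterpart of
#    the Show Deleted / Show Recycled LDAP controls (1.2.840.113556.1.4.417 and
#    .2064) named on the slide. isRecycled = True marks objects already past the
#    deleted-object lifetime; those can no longer be restored.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, isRecycled
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged, isRecycled

# 6. Restore by objectGUID, the only stable identity of a deleted object. Add
#    -TargetPath when lastKnownParent was deleted too (restore the parent first).
# 'jdoe' is a hypothetical user name.
$victim = $deleted |
    Where-Object { $_.Name -like 'jdoe*' -and -not $_.isRecycled } |
    Select-Object -First 1
if ($victim) { Restore-ADObject -Identity $victim.ObjectGUID }
```

Step 1 is the one to schedule: protection is set per object, so every newly created OU starts unprotected unless the creating tool (the 2008 MMC tools tick the box by default for new OUs) or a script like this applies it.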
Slide 22: Learn More! Active Directory, 4th Ed. (best-selling Active Directory title)
What's new? Windows Server 2008 coverage:
- Read Only Domain Controllers (RODCs)
- Fine Grained Password Policies (FGPPs)
- Auditing and security improvements
- Windows Server 2008 upgrade procedure
- DNS enhancements (such as GlobalNames zones)
- Exchange 2007 integration & scripting
- Windows PowerShell & Active Directory
- .NET Active Directory programming
- New user interface features
- Lots of new diagrams and figures
www.briandesmond.com/ad4/
Slide 23: Questions?
Slide 24: Thank You!
Slide 25: LLTS Tracking Screenshot
Slide 26: Owner Access Restriction
- Separates Owner access from Creator access (remember CREATOR OWNER?)
- Owners can modify permissions by default
- Use OWNER RIGHTS to prevent this
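The point of this slide is that an object's owner implicitly holds READ_CONTROL and WRITE_DAC, so a delegated admin who creates objects can later rewrite their ACLs. An ACE for the OWNER RIGHTS well-known SID (S-1-3-4) replaces that implicit access with whatever the ACE grants. The script below is an added example, not from the presentation, assuming the ActiveDirectory module (for its AD: drive) and a hypothetical delegated OU "OU=Branch Offices,DC=corp,DC=example": it first lists objects owned by accounts outside the administrative groups, then adds an OWNER RIGHTS ACE that limits owners to read access.

```powershell
# Added example (not from the presentation): audit object owners in a delegated
# OU and add an OWNER RIGHTS ACE so owners cannot change permissions. OU is hypothetical.
Import-Module ActiveDirectory

$ou = 'OU=Branch Offices,DC=corp,DC=example'   # hypothetical delegated OU

# 1. Objects created by delegated admins are owned by their creator (this is what
#    the CREATOR OWNER placeholder resolves to). List owners outside the usual
#    administrative identities.
$trusted = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM'
Get-ADObject -SearchBase $ou -Filter * -Properties nTSecurityDescriptor |
    ForEach-Object {
        New-Object PSObject -Property @{
            DN    = $_.DistinguishedName
            Owner = [string]$_.nTSecurityDescriptor.Owner
        }
    } |
    Where-Object { $trusted -notcontains ($_.Owner -replace '^.*\\', '') } |
    Format-Table Owner, DN -AutoSize

# 2. Build the OWNER RIGHTS ACE. Once such an ACE exists, the owner gets only what
#    it grants, not the implicit READ_CONTROL + WRITE_DAC; GenericRead keeps owners
#    able to see their objects without being able to re-permission them.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $ownerRights, 'GenericRead', 'Allow', 'All'   # inherits to all child objects

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Verify: the entry shows up with the identity 'OWNER RIGHTS' and is inherited
#    by everything under the OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like '*OWNER RIGHTS' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited, InheritanceType
```

Apply step 2 only after step 1 has shown who the owners are: an OWNER RIGHTS ACE also applies to administrators who own objects, and they then rely on their explicit group ACEs rather than on ownership to manage permissions.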
Slide 27: Active Directory Auditing
- Pre-Windows Server 2008 Active Directory auditing was not very helpful
- New auditing introduces:
  - Granularity
  - Before and after data in audits
  - Separate events for different types of operations
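The three improvements on this slide map to concrete settings: granularity is the Directory Service Changes audit subcategory, "separate events" are event IDs 5136 (modified), 5137 (created), 5138 (undeleted), 5139 (moved) and 5141 (deleted), and "before and after" is recorded as a pair of 5136 events, one for the old value removed and one for the new value added. The script below is an added example, not from the presentation; it assumes a domain controller with the ActiveDirectory module, a hypothetical OU "OU=Branch Offices,DC=corp,DC=example", and that you run it with rights to change the SACL.

```powershell
# Added example (not from the presentation): enable Directory Service Changes
# auditing on one OU and read the resulting change events. OU is hypothetical.
Import-Module ActiveDirectory

# 1. Subcategory-level audit policy. On domain controllers this normally comes from
#    the Default Domain Controllers Policy; auditpol shows and sets the effective value.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol.exe /get /subcategory:"Directory Service Changes"

# 2. A SACL is still required on the objects: audit successful property writes by
#    Everyone (S-1-1-0) on the OU and everything beneath it.
$ou = 'OU=Branch Offices,DC=corp,DC=example'   # hypothetical OU
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$auditRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
    -ArgumentList $everyone, 'WriteProperty', 'Success', 'All'
$acl = Get-Acl -Path "AD:\$ou" -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Pull the last 24 hours of change events from this DC's Security log and
#    flatten the EventData fields. OperationType in 5136 is %%14674 (value added)
#    or %%14675 (value deleted); the two halves of one change share OpCorrelationID.
$ids = 5136, 5137, 5138, 5139, 5141
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddHours(-24) } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $x = [xml]$evt.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $op = $d['OperationType']
        if ($op -eq '%%14674') { $op = 'Value Added' } elseif ($op -eq '%%14675') { $op = 'Value Deleted' }
        New-Object PSObject -Property @{
            Time        = $evt.TimeCreated
            EventId     = $evt.Id
            Correlation = $d['OpCorrelationID']
            Actor       = $d['SubjectDomainName'] + '\' + $d['SubjectUserName']
            Object      = $d['ObjectDN']
            Attribute   = $d['AttributeLDAPDisplayName']
            Operation   = $op
            Value       = $d['AttributeValue']
        }
    } |
    Sort-Object Time, Correlation |
    Format-Table Time, EventId, Actor, Object, Attribute, Operation, Value -AutoSize
```

Sorting by correlation ID keeps each "value deleted" event next to its "value added" partner, which is how the before-and-after view is reconstructed; for a group membership change the Attribute column reads member and the Value column holds the DN that was removed or added.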
Slide 28: Sample Audit Event