• Enhanced Command-line and Automated Management
  • Improved Identity Management
  • Improvements for All Active Directory Server Roles
  • Active Directory PowerShell Cmdlets: Step-by-step Feature Review
  • Improvements in Active Directory Domain Services
  • Active Directory Administrative Center: Step-by-step Feature Review
  • Active Directory Recycle Bin: Step-by-step Feature Review
  • Enable the Active Directory Recycle Bin Feature
  • Delete Objects in Active Directory
  • Recover Deleted Objects in Active Directory Recycle Bin
  • Offline Domain Join: Step-by-step Feature Review
  • Improvements in Active Directory Federated Services
  • Reduced Administrative Effort for Interactive Administrative Tasks





    Reduced Administrative Effort for Interactive Administrative Tasks


    Reducing administrative effort for day-to-day administrative tasks is another key design goal for Windows Server 2008 R2. Many of the management consoles used to manage Windows Server 2008 R2 have been updated or completely redesigned to help reduce your administrative effort. Some of the prominent updated and redesigned management consoles are listed in the following table with descriptions of the improvements.
    Table 32: Updated & Redesigned Management Consoles in Windows Server 2008 R2

    Management Console                        Improvements
    Server Manager                            Support for remote management of computers
                                              Improved integration with many role and role services management consoles
    Active Directory Administrative Center    Based on administrative capabilities provided by PowerShell cmdlets
                                              Task-driven user interface
    Internet Information Services             Based on administrative capabilities provided by PowerShell cmdlets
                                              Task-driven user interface
    Hyper-V™ Management Console               Improved tools for day-to-day tasks
                                              Tight integration with System Center Virtual Machine Manager for managing multiple Hyper-V™ servers





    Enhanced Command-line and Automated Management


    The PowerShell 1.0 scripting environment was shipped with Windows Server 2008 RTM. Windows Server 2008 R2 includes PowerShell 2.0, which offers a number of improvements over version 1.0, including the following:

    Improved remote management by using PowerShell remoting. For more information about PowerShell remoting, see “Improved Remote Management” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.

    Improved security for management data, including state and configuration information, by using constrained runspaces. For more information about constrained runspaces, see “Improved Security for Management” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.

    Enhanced GUIs for creating and debugging PowerShell scripts and viewing PowerShell script output by using Graphical PowerShell and the Out-GridView cmdlet. For more information about Graphical PowerShell and the Out-GridView cmdlet, see “Enhanced Graphical User Interfaces” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.

    Extended scripting functionality that supports creation of more powerful scripts with less development effort. For more information on this topic, see “Extended Scripting Functionality” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.

    Improved portability of PowerShell scripts and cmdlets between multiple computers. For more information about this topic, see “Improved Portability of PowerShell Scripts and Cmdlets” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.

    During your review of PowerShell version 2.0 in Windows Server 2008 R2, you will want to familiarize yourself with the new GUI tools, Graphical PowerShell and the Out-GridView cmdlet. As illustrated in the following figure, Graphical PowerShell provides a GUI that allows you to interactively create and debug PowerShell scripts within an integrated development environment similar to Visual Studio.





    Figure 20: Graphical PowerShell user interface with Active Directory Provider

    Graphical PowerShell includes the following features:

    Syntax coloring for PowerShell scripts (similar to syntax coloring in Visual Studio)

    Support for Unicode characters

    Support for composing and debugging multiple PowerShell scripts in a multi-tabbed interface

    Ability to run an entire script, or a portion of a script, within the integrated development environment

    Support for up to eight PowerShell runspaces within the integrated development environment

    Note: Graphical PowerShell feature requires Microsoft .NET Framework 3.0.

    The new Out-GridView cmdlet displays the results of other commands in an interactive table, where you can search, sort, and group the results. For example, you can send the results of a get-process, get-wmiobject, or get-eventlog command to Out-GridView and use the table features to examine the data.



    Note: The Out-GridView cmdlet feature requires Microsoft .NET Framework 3.0.

    Also during your review, you will want to familiarize yourself with the new and updated cmdlets available in PowerShell version 2.0 and Windows Server 2008 R2, a few of which are listed in the following figure.





    Figure 21: A snapshot of new cmdlets

    Improved Identity Management


    Identity management has always been one of the critical management tasks for Windows-based networks. A poorly managed identity management system is one of the largest security concerns for any organization.

    Windows Server 2008 R2 includes identity management improvements in the Active Directory Domain Services and Active Directory Federated Services server roles.


    Improvements for All Active Directory Server Roles


    Windows Server 2008 R2 includes the following identity management improvements that affect all Active Directory server roles:

    New forest functional level. Windows Server 2008 R2 includes a new Active Directory forest functional level. Many of the new features in the Active Directory server roles require the Active Directory forest to be configured with this new functional level.

    Enhanced command line and automated management. PowerShell cmdlets provide the ability to fully manage Active Directory server roles.

    Improved automated monitoring and notification. An updated System Center Manager 2007 Management Pack helps improve the monitoring and management of Active Directory server roles.

    Active Directory PowerShell Cmdlets: Step-by-step Feature Review


    In this task you will use the PowerShell V2 Graphical Console to perform basic user and group administrative tasks. You will begin by loading the ActiveDirectory module, exposing over 75 Active Directory cmdlets. You will then use these cmdlets to administer Active Directory.

    To review how the Active Directory PowerShell cmdlets feature works, you need to complete the tasks in the following table. Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.



    Table 43: Active Directory PowerShell Cmdlets

    High-level task

    Details

    Start the PowerShell V2 Graphical Console

    On the Start menu, click All Programs, click Windows PowerShell V2, and then click Graphical Console (Windows PowerShell V2).

    Load the Active Directory Module

    In the PowerShell V2 Graphical Console, in the Command Pane, type the following commands, pressing Enter after each command.

    Add-Module ActiveDirectory

    Get-Module


    List the available cmdlets

    In the PowerShell V2 Graphical Console, in the Command Pane, type the following command, and then press Enter.

    Get-Command *ad*



    Browse an Active Directory domain

    In the Command Pane, enter the following commands, pressing Enter after each command (where domain_name is the name of your domain and top_level_domain is your top level domain).

    CD AD:

    PWD

    DIR | Format-Table -Auto

    CD "DC=domain_name,DC=top_level_domain"

    DIR | ft -a

    Tip: You can press the TAB key to auto complete many of these commands and save a great deal of typing.

    List all user objects

    In the Command Pane, enter the following commands, pressing Enter after each command.

    CD CN=Users

    Dir | ft –a

    Get-ADObject -Filter {name -like "*"}

    Get-ADUser -Filter {name -like "*"}

    Get-ADUser -Filter {name -like "*"} | Select Name, Enabled | Format-Table -Auto

    Enable the Guest user object

    In the Command Pane, enter the following commands, pressing Enter after each command.

    Enable-ADAccount -Identity Guest

    Get-ADUser -Filter {name -like "*"} | Select Name, Enabled | Format-Table -Auto

    Display information about the Domain Admins group

    In the Command Pane, enter the following commands, pressing Enter after each command (where domain_name is the name of your domain and top_level_domain is your top level domain).

    Get-ADGroup -SearchBase "DC=domain_name,DC=top_level_domain" -SearchScope Subtree -Filter {Name -Like "*Domain Admins*"} -Properties Extended

    Display information about a domain

    In the Command Pane, type the following command and then press Enter (where domain_name is the name of your domain).

    Get-ADDomain domain_name

    The output of this command lets you quickly identify details such as which domain controllers hold the operations master roles.



    Display information about domain controllers

    In the Command Pane, type the following command and then press Enter.

    Get-ADDomainController –Discover

    Display information about the domain password policy

    In the Command Pane, type the following command and then press Enter (where domain_name is the fully qualified domain name of your domain).

    Get-ADDefaultDomainPasswordPolicy domain_name

    Create a new organizational unit

    In the Command Pane, type the following command and then press Enter (where domain_name is the name of your domain and top_level_domain is your top level domain).

    New-ADOrganizationalUnit -Name "Europe" -Path "DC=domain_name,DC=top_level_domain"

    Display the properties of the new organizational unit

    In the Command Pane, type the following command and then press Enter (where domain_name is the name of your domain and top_level_domain is your top level domain).

    Get-ADOrganizationalUnit "OU=Europe,DC=domain_name,DC=top_level_domain" -Properties Extended

    Delete the new organizational unit

    In the Command Pane, type the following commands and then press Enter after each command (where domain_name is the name of your domain and top_level_domain is your top level domain).

    CD AD:

    CD "DC=domain_name,DC=top_level_domain"

    Set-ADOrganizationalUnit Europe -ProtectedFromAccidentalDeletion $False

    Remove-ADOrganizationalUnit Europe

    Close the PowerShell V2 Graphical Console

    Close the PowerShell V2 Graphical Console.
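    The cmdlets in Table 43 also serve for a read-only check of the objects the walkthrough touches. The following script is an added example, not part of the Technical Overview; it assumes the released ActiveDirectory module (Import-Module is the RTM name of the Add-Module cmdlet shown above) and a console logged on with read access to the domain.

```powershell
# Added example: read-only review of the objects touched in Table 43.
# Assumes the ActiveDirectory module of Windows Server 2008 R2 (RTM naming).
Import-Module ActiveDirectory

function Get-DomainReviewReport {
    $domain = Get-ADDomain
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

    # Guest is enabled in Table 43 purely as a demonstration; report its state
    # so it can be disabled again after the review.
    $guest = Get-ADUser -Identity Guest

    # Members of Domain Admins, resolved through nested groups.
    $admins = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
              Select-Object -ExpandProperty SamAccountName

    # Accounts with "Password never expires", the setting chosen for the
    # demonstration user in Table 54; these fall outside MaxPasswordAge.
    $neverExpires = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } |
                    Select-Object -ExpandProperty SamAccountName

    # PSObject with -Property keeps the script PowerShell 2.0 compatible.
    New-Object PSObject -Property @{
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        MinPasswordLength    = $policy.MinPasswordLength
        MaxPasswordAgeDays   = $policy.MaxPasswordAge.Days
        ComplexityEnabled    = $policy.ComplexityEnabled
        LockoutThreshold     = $policy.LockoutThreshold
        GuestEnabled         = $guest.Enabled
        DomainAdmins         = $admins
        PasswordNeverExpires = $neverExpires
    }
}

$report = Get-DomainReviewReport
$report | Format-List

# Revert the demonstration step from Table 43 once the review is complete.
if ($report.GuestEnabled) {
    Disable-ADAccount -Identity Guest
    "Guest account disabled again."
}
```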


    Improvements in Active Directory Domain Services


    The Active Directory Domain Service server role in Windows Server 2008 R2 includes the following improvements:

    Recovery of deleted objects. Domains in Active Directory now have a Recycle Bin feature that allows you to recover deleted objects. If an Active Directory object is inadvertently deleted, you can restore the object from the Recycle Bin. This feature requires the updated R2 forest functional level.

    Improved process for joining domains. Computers can now join a domain without being connected to the domain during the deployment process, also known as an offline domain join. This process allows you to fully automate the joining of a domain during deployment. Domain administrators create an XML file that can be included as a part of the automated deployment process. The file includes all the information necessary for the target computer to join the domain.

    Improved management of user accounts used as identity for services. One time-consuming management task is the maintenance of passwords for user accounts that are used as identities for services, also known as service accounts. When the password for a service account changes, the services using that identity also must be updated with the new password. To address this problem, Windows Server 2008 R2 includes a new feature known as managed service accounts. In Windows Server 2008 R2, when the password for a service account changes, the managed service account feature automatically updates the password for all services that use the service account.

    Reduced effort to perform common administrative tasks. As illustrated in the following figure, Windows Server 2008 R2 includes a new Active Directory Domain Services management console, Active Directory Administrative Center.



    Figure 22: Active Directory Administrative Center management console

    Active Directory Administrative Center is a task-based management console that is based on the new PowerShell cmdlets in Windows Server 2008 R2. Active Directory Administrative Center is designed to help reduce the administrative effort for performing common administrative tasks.


    Active Directory Administrative Center: Step-by-step Feature Review


    To review how the Active Directory Administrative Center feature works, you need to complete the tasks in the following table. Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.

    Table 54: Explore the Active Directory Administrative Center

    High-level task

    Details

    Start the Active Directory Administrative Center

    On the Start menu, point to Administrative Tools, and then click Active Directory Administrative Center.


    Navigate to an organizational unit

    In Active Directory Administrative Center, in the Explorer pane, click Overview.

    Using the fly-out menu system, navigate to organizational_unit (where organizational_unit is the name of the organizational unit where you want to create an organizational unit).



    Tip: Click the right arrow next to the domain root to begin using the fly-out menu system. As you navigate, type the first few letters of each organizational unit to shorten the navigation.

    Create an organizational unit

    In the Tasks pane, click New, and then click Organizational Unit.

    The Create dialog box appears.

    In the Create dialog box, in Name, type Demonstration OU, and then click OK.


    Create a user

    Using the fly-out menu system, navigate to Demonstration OU.

    In the Tasks pane, click New, and then click User.

    The Create dialog box appears.

    Complete the Create dialog box by using the following information, and then click OK:

    First Name: Pilar

    Last Name: Ackerman

    User logon: pilarau

    Select Password never expires check box.

    Clear Change password at next logon check box.

    Password: P@ssw0rd



    Create a new group

    Using the fly-out menu system, navigate to Demonstration OU.

    In the Tasks pane, click New, and then click Group.

    The Create dialog box appears.

    Complete the Create dialog box by using the following information, and then click OK:

    Name: Support

    Select Protect from Accidental Deletion check box.



    Add a user to a group

    In Search, type Pilar Ackerman.

    In the Results pane, click Pilar Ackerman.

    In the Tasks pane, click Add to group.

    In the Select Groups dialog box, in Enter the object names to select, type Support, click Check Names, and then click OK.




    Active Directory Recycle Bin: Step-by-step Feature Review


    To review how the Active Directory Recycle Bin feature works, you need to complete the following tasks:

    Enable the Active Directory Recycle Bin feature

    Delete objects in Active Directory

    Verify the deleted objects are in the Active Directory Recycle Bin

    Recover the objects in the Active Directory Recycle Bin

    Verify the deleted objects have been recovered.



    Note: Perform these steps in a test environment as these steps could adversely affect your production environment.

    Enable the Active Directory Recycle Bin Feature

    Perform the steps in the following table while logged on as a member of the Enterprise Admins security group. Before you can recover deleted objects in your Active Directory infrastructure, you must enable the Active Directory Recycle Bin feature.

    Table 65: Enable the Active Directory Recycle Bin Feature

    High-level task

    Details

    Start the Active Directory PowerShell Snap-in

    On the Start menu, point to Administrative Tools, and then click Active Directory PowerShell Snap-in.


    Check the state of the Recycle Bin feature

    In Windows PowerShell, type the following command and then press Enter.

    Get-ADOptionalFeature -Filter 'Name -like "*"'

    In the output, note the following two properties of the Recycle Bin Feature object:

    EnabledScopes is currently empty, which indicates that this feature is not enabled.

    RequiredForestMode indicates the forest functional level that is a prerequisite for enabling this feature.

    Enable the Recycle Bin feature

    In Windows PowerShell, type the following command and then press Enter (where forest is the name of your forest).

    Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope Forest -Target 'forest'

    Note: The Recycle Bin feature is disabled by default.

    To confirm the command, press Enter.



    Note: Once you have enabled the Recycle Bin feature, you cannot disable it at a later time.

    Verify the Recycle Bin feature is enabled

    In Windows PowerShell, type the following command and then press Enter.

    Get-ADOptionalFeature -Filter 'Name -like "*"'

    The value of the EnabledScopes property reflects that the Recycle Bin is enabled.


    Delete Objects in Active Directory

    Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.

    Table 76: Delete Objects in Active Directory

    High-level task

    Details

    Start the Active Directory Administrative Center

    On the Start menu, point to Administrative Tools, and then click Active Directory Administrative Center.


    Navigate to an organizational unit

    Using the fly-out menu system, navigate to Demonstration OU

    Tip: Click the right arrow next to the domain root to begin using the fly-out menu system. As you navigate, type the first few letters of each organizational unit to shorten the navigation.

    Delete an organizational unit

    In the Tasks pane, click Delete.

    In the Delete Confirmation dialog box, click Yes.



    Verify the deleted objects are in the Active Directory Recycle Bin

    Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.



    Table 87: Verify the deleted objects are in the Active Directory Recycle Bin

    High-level task

    Details

    Start the Active Directory PowerShell Snap-in

    On the Start menu, point to Administrative Tools, and then click Active Directory PowerShell Snap-in.


    Display the contents of the Recycle Bin

    In Windows PowerShell, type the following command and then press Enter (where domain is your domain name and top_level_domain is your top level domain name).

    Get-ADObject -SearchBase "CN=Deleted Objects,DC=domain,DC=top_level_domain" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects

    This command displays the entire contents of the recycle bin.

    Leave the output of this command on the screen as you will use it in the next step.


    Verify the Pilar Ackerman user object is in the Recycle Bin

    In Windows PowerShell, type the following command and then press Enter.

    Get-ADObject -Filter 'Name -like "*Pilar Ackerman*"' -SearchScope Subtree -IncludeDeletedObjects

    The output of this command will show the details for the Pilar Ackerman user object. The distinguished name indicates this object is in the Recycle Bin.



    Verify the Demonstration OU is in the Recycle Bin

    In Windows PowerShell, type the following command and then press Enter.

    Get-ADObject -Filter 'Name -like "*Demonstration OU*"' -SearchScope Subtree -IncludeDeletedObjects

    The output of this command will show the details for the Demonstration OU organizational unit. The distinguished name indicates this object is in the Recycle Bin.


    Recover Deleted Objects in Active Directory Recycle Bin

    Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.

    Table 98: Recover Deleted Objects in Active Directory Recycle Bin

    High-level task

    Details

    Start the Active Directory PowerShell Snap-in

    On the Start menu, point to Administrative Tools, and then click Active Directory PowerShell Snap-in.


    Attempt to restore the Pilar Ackerman user object

    In Windows PowerShell, copy the objectGUID value for the object Pilar Ackerman to the clipboard.

    Tip: To copy text from a command prompt, right click and then select Mark. Highlight the text to copy and then press Enter. The objectGUID was listed in a previous output.

    In Windows PowerShell, type the following command and then press Enter (where objectGUID is the objectGUID for Pilar Ackerman).



    Restore-ADObject –Identity objectGUID

    Tip: To paste, right-click and then click Paste.

    The command fails with an error message indicating that the object's parent object does not exist.



    Identify the parent container for the Pilar Ackerman user object

    In Windows PowerShell, type the following command and then press Enter.

    Get-ADObject -Filter 'Name -like "*Pilar Ackerman*"' -SearchScope Subtree -IncludeDeletedObjects -Properties lastKnownParent

    This command displays the last known parent object which, as the distinguished name shows, is also in the Recycle Bin.



    Restore the deleted organizational unit

    In Windows PowerShell, type the following command and then press Enter (where objectGUID is the objectGUID of the Demonstration OU organizational unit).

    Restore-ADObject –Identity objectGUID

    Tip: To complete this command, copy the value of the objectGUID property from the Demonstration OU object, which can be found from the output of the last command.

    Restore all the deleted objects

    In Windows PowerShell, type the following command and then press Enter (where domain is your domain name and top_level_domain is your top level domain name).

    Get-ADObject -LDAPFilter "(lastKnownParent=OU=Demonstration OU,DC=domain,DC=top_level_domain)" -IncludeDeletedObjects | Restore-ADObject

    This command lists all objects whose lastKnownParent attribute is the Demonstration OU and pipes them into the Restore-ADObject cmdlet.


    Verify the Deleted Objects Are Recovered

    Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.



    Table 109: Verify the Deleted Objects Are Recovered

    High-level task

    Details

    Start the Active Directory Administrative Center

    On the Start menu, point to Administrative Tools, and then click Active Directory Administrative Center.


    Verify the Demonstration OU organizational unit has been recovered

    Using the fly-out menu system, navigate to Demonstration OU

    Tip: Click the right arrow next to the domain root to begin using the fly-out menu system. As you navigate, type the first few letters of each organizational unit to shorten the navigation.

    Verify the Pilar Ackerman user object has been recovered

    In Search, type Pilar Ackerman

    The Pilar Ackerman user object should appear in the results pane.
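    The Recycle Bin tables above (enable, delete, verify, restore) collapse into one script. It is an added example, not part of the Technical Overview, and it generalizes the last step of Table 98: rather than restoring one known OU and then its direct children, it restores a deleted container and every deleted object beneath it, parent first, however deep the tree. It assumes the ActiveDirectory module, Enterprise Admins rights, and the "Demonstration OU" name used in the walkthrough.

```powershell
# Added example: check the Recycle Bin state, then restore a deleted OU and
# everything beneath it in parent-first order.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # Same query as Table 65, narrowed to the one feature that matters here.
    $feature = Get-ADOptionalFeature -Filter { Name -like "Recycle Bin Feature" }
    return ($feature.EnabledScopes.Count -gt 0)
}

function Get-ADDeletedChildren([string]$ParentDN) {
    # Deleted objects keep lastKnownParent = DN of their former container
    # (Table 98). isDeleted=TRUE excludes objects that were already restored.
    # A DN containing "(", ")" or "*" would need LDAP escaping first.
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$ParentDN))" `
                 -IncludeDeletedObjects -Properties lastKnownParent, objectClass
}

function Restore-ADDeletedTree {
    param([string]$RootDN, [switch]$WhatIf)
    # Children are restored only after their parent exists again; restoring the
    # child first fails exactly as the first step of Table 98 shows.
    foreach ($child in Get-ADDeletedChildren $RootDN) {
        Restore-ADObject -Identity $child.ObjectGUID -WhatIf:$WhatIf
        "Restored {0} ({1})" -f $child.Name, $child.objectClass
        if (-not $WhatIf) {
            # The restored object's DN is the lastKnownParent of anything below it.
            $restored = Get-ADObject -Identity $child.ObjectGUID
            Restore-ADDeletedTree -RootDN $restored.DistinguishedName -WhatIf:$WhatIf
        }
    }
}

if (-not (Test-ADRecycleBinEnabled)) {
    throw "Recycle Bin is not enabled; see Table 65 (Enable-ADOptionalFeature)."
}

$domainDN = (Get-ADDomain).DistinguishedName

# The deleted OU itself: in the walkthrough its lastKnownParent is the domain root.
# Deleted names carry a "\0ADEL:<guid>" suffix, hence the trailing wildcard.
$ou = Get-ADObject -LDAPFilter "(&(objectClass=organizationalUnit)(isDeleted=TRUE)(lastKnownParent=$domainDN))" `
                   -IncludeDeletedObjects -Properties lastKnownParent |
      Where-Object { $_.Name -like "Demonstration OU*" }

if ($ou) {
    Restore-ADObject -Identity $ou.ObjectGUID
    $restoredOU = Get-ADObject -Identity $ou.ObjectGUID
    Restore-ADDeletedTree -RootDN $restoredOU.DistinguishedName
} else {
    "No deleted Demonstration OU found directly under $domainDN."
}
```

    Run Restore-ADDeletedTree with -WhatIf first to list what would be restored without changing the directory.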


    Offline Domain Join: Step-by-step Feature Review


    Offline domain join involves two steps. In the first step you provision a computer account in Active Directory and save the account information in a file. In the second step you use that file in a command that inserts the domain join information into an offline version of Windows.

    Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.



    Table 1110: Offline domain join

    High-level task

    Details

    Provision a new computer account

    On the Start menu, in Start Search, type cmd, and then press Enter.

    At the command prompt, type the following command and then press Enter (where domain_name is the name of your domain).

    DJOIN /Provision /Domain domain_name /Machine DEN-SRV-01 /SaveFile DEN-SRV-01.DJoin

    This command creates a computer account in Active Directory and stores the computer account password and related information in an encrypted file. The encrypted file can then be used to offline domain join a computer.



    Display the contents of the provisioning file

    At the command prompt, type the following command and then press Enter.

    Type DEN-SRV-01.DJoin

    Note: The contents of the .DJoin file are encrypted.

    Verify the computer account is created in Active Directory

    On the Start menu, point to Administrative Tools and then click Active Directory Administrative Center.

    Using the fly-out menu system, navigate to domain_name\Computers (where domain_name is the name of your domain).



    Tip: Click the right arrow next to the domain root to begin using the fly-out menu system. As you navigate, type the first few letters of each organizational unit to shorten the navigation.

    In the information pane, note that the computer account DEN-SRV-01 has been created.



    To join the computer to the domain

    The following command would be run on DEN-SRV-01 to join that computer to the domain.

    DJOIN /Requestodj /LoadFile DEN-SRV-01.DJoin /WindowsPath \Mount\Windows

    Note: Do not run this command. It is provided for reference purposes only.

    This command is intended to be run against an offline copy of Windows such as a WIM file or VHD that has been mounted as a drive or folder in the file system.
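    The provisioning half of Table 1110 can be scripted so that the saved file is protected and the new computer account is verified without opening the console. This is an added example, not part of the Technical Overview; it assumes djoin.exe, icacls.exe and the ActiveDirectory module, and uses the DEN-SRV-01 name from the table. The /Requestodj step is deliberately not included, matching the note above.

```powershell
# Added example: provisioning step of Table 1110, with the saved file locked
# down and the resulting computer account verified.
Import-Module ActiveDirectory

$Machine  = "DEN-SRV-01"
$Domain   = (Get-ADDomain).DNSRoot
$blobPath = Join-Path $env:USERPROFILE "$Machine.djoin"

# djoin.exe is the page's tool; its exit code is the only success signal it gives.
& djoin.exe /Provision /Domain $Domain /Machine $Machine /SaveFile $blobPath
if ($LASTEXITCODE -ne 0) {
    throw "djoin /Provision failed with exit code $LASTEXITCODE"
}

# The file carries the computer account password (Table 1110), so drop inherited
# ACEs and leave read access to the provisioning administrator only. Delete it
# once it has been consumed by /Requestodj on the target image.
& icacls.exe $blobPath /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)"

# Verification step from the table, done with Get-ADComputer instead of the console.
$account = Get-ADComputer -Filter { Name -eq $Machine } -Properties whenCreated
if (-not $account) {
    throw "Computer account $Machine was not created"
}
"Provisioned {0} ({1}) at {2}; file saved to {3}" -f $account.Name,
    $account.DistinguishedName, $account.whenCreated, $blobPath
```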




    Improvements in Active Directory Federated Services


    Active Directory Federated Services in Windows Server 2008 R2 includes a new feature known as authentication assurance. This feature allows administrators to establish authentication policies for accounts that are authenticated in federated domains, which enables a variety of advanced authentication scenarios, such as smart cards.

