Reduced Administrative Effort for Interactive Administrative Tasks
Reducing administrative effort for day-to-day administrative tasks is another key design goal for Windows Server 2008 R2. Many of the management consoles used to manage Windows Server 2008 R2 have been updated or completely redesigned to help reduce your administrative effort. Some of the prominent updated and redesigned management consoles are listed in the following table with descriptions of the improvements.
Table 32: Updated & Redesigned Management Consoles in Windows Server 2008 R2

Management Console: Server Manager
Improvements:
    Support for remote management of computers
    Improved integration with many role and role services management consoles

Management Console: Active Directory Administrative Center
Improvements:
    Based on administrative capabilities provided by PowerShell cmdlets
    Task-driven user interface

Management Console: Internet Information Services
Improvements:
    Based on administrative capabilities provided by PowerShell cmdlets
    Task-driven user interface

Management Console: Hyper-V™ Management Console
Improvements:
    Improved tools for day-to-day tasks
    Tight integration with System Center Virtual Machine Manager for managing multiple Hyper-V™ servers
Enhanced Command-line and Automated Management
The PowerShell 1.0 scripting environment was shipped with Windows Server 2008 RTM. Windows Server 2008 R2 includes PowerShell 2.0, which offers a number of improvements over version 1.0, including the following:
Improved remote management by using PowerShell remoting. For more information about PowerShell remoting, see “Improved Remote Management” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.
Improved security for management data, including state and configuration information, by using constrained runspaces. For more information about constrained runspaces, see “Improved Security for Management” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.
Enhanced GUIs for creating and debugging PowerShell scripts and viewing PowerShell script output by using Graphical PowerShell and the Out-GridView cmdlet. For more information about Graphical PowerShell and the Out-GridView cmdlet, see “Enhanced Graphical User Interfaces” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.
Extended scripting functionality that supports creation of more powerful scripts with less development effort. For more information on this topic, see “Extended Scripting Functionality” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.
Improved portability of PowerShell scripts and cmdlets between multiple computers. For more information about this topic, see “Improved Portability of PowerShell Scripts and Cmdlets” under “Management” in the upcoming Windows Server 2008 R2 Technical Overview.
During your review of PowerShell version 2.0 in Windows Server 2008 R2, you will want to familiarize yourself with the new GUI tools, Graphical PowerShell and the Out-GridView cmdlet. As illustrated in the following figure, Graphical PowerShell provides a GUI that allows you to interactively create and debug PowerShell scripts within an integrated development environment similar to Visual Studio.
Figure 20: Graphical PowerShell user interface with Active Directory Provider
Graphical PowerShell includes the following features:
Syntax coloring for PowerShell scripts (similar to syntax coloring in Visual Studio)
Support for Unicode characters
Support for composing and debugging multiple PowerShell scripts in a multi-tabbed interface
Ability to run an entire script, or a portion of a script, within the integrated development environment
Support for up to eight PowerShell runspaces within the integrated development environment
Note: The Graphical PowerShell feature requires Microsoft .NET Framework 3.0.
The new Out-GridView cmdlet displays the results of other commands in an interactive table, where you can search, sort, and group the results. For example, you can send the results of a get-process, get-wmiobject, or get-eventlog command to Out-GridView and use the table features to examine the data.
Note: The Out-GridView cmdlet feature requires Microsoft .NET Framework 3.0.
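As an added example of sending get-eventlog output to Out-GridView (this is not code from the overview), the following pulls recent account-management events from the Security log into the grid so they can be sorted and filtered interactively. It assumes the caller can read the Security log; the event IDs are the standard Windows Server 2008 account-management IDs and the depth of 2000 entries is an arbitrary choice.

```powershell
# Added example, not from the Windows Server 2008 R2 overview: examine recent
# account-management events in Out-GridView. Assumes the caller may read the
# Security log. Event IDs (Windows Server 2008 and later):
#   4720 user created, 4722 user enabled, 4726 user deleted,
#   4728 / 4732 / 4756 member added to a global / local / universal group.
$accountEventIds = 4720, 4722, 4726, 4728, 4732, 4756

Get-EventLog -LogName Security -InstanceId $accountEventIds -Newest 2000 |
    Select-Object TimeGenerated, InstanceId, EntryType, Message |
    Out-GridView -Title 'Security log: account management events'
```

In the grid, grouping on InstanceId and then sorting on TimeGenerated gives a quick view of who was created, enabled or added to privileged groups during the review period.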
Also during your review, you will want to familiarize yourself with the new and updated cmdlets available in PowerShell version 2.0 and Windows Server 2008 R2, a very few of which are listed in the following figure.
Figure 21: A snapshot of new cmdlets
Improved Identity Management
Identity management has always been one of the critical management tasks for Windows-based networks. The implications of a poorly managed identity management system are among the largest security concerns for any organization.
Windows Server 2008 R2 includes identity management improvements in the Active Directory Domain Services and Active Directory Federated Services server roles.
Improvements for All Active Directory Server Roles
Windows Server 2008 R2 includes the following identity management improvements that affect all Active Directory server roles:
New forest functional level. Windows Server 2008 R2 includes a new Active Directory forest functional level. Many of the new features in the Active Directory server roles require the Active Directory forest to be configured with this new functional level.
Enhanced command line and automated management. PowerShell cmdlets provide the ability to fully manage Active Directory server roles.
Improved automated monitoring and notification. An updated System Center Manager 2007 Management Pack helps improve the monitoring and management of Active Directory server roles.
In this task you will use the PowerShell V2 Graphical Console to perform basic user and group administrative tasks. You will begin by loading the ActiveDirectory module, exposing over 75 Active Directory cmdlets. You will then use these cmdlets to administer Active Directory.
To review how the Active Directory PowerShell cmdlets feature works, you need to complete the tasks in the following table. Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 43: Active Directory PowerShell Cmdlets

Task: Start the PowerShell V2 Graphical Console
Details: On the Start menu, click All Programs, click Windows PowerShell V2, and then click Graphical Console (Windows PowerShell V2).

Task: Load the Active Directory Module
Details: In the PowerShell V2 Graphical Console, in the Command Pane, type the following commands, pressing Enter after each command. (In the released version of Windows PowerShell 2.0 the first cmdlet is named Import-Module.)
    Add-Module ActiveDirectory
    Get-Module

Task: List the available cmdlets
Details: In the PowerShell V2 Graphical Console, in the Command Pane, type the following command, and then press Enter.
    Get-Command *ad*

Task: Browse an Active Directory domain
Details: In the Command Pane, enter the following commands, pressing Enter after each command (where domain_name is the name of your domain and top_level_domain is your top level domain).
    CD AD:
    PWD
    DIR | Format-Table -Auto
    CD "DC=domain_name,DC=top_level_domain"
    DIR | ft -a
Tip: You can press the TAB key to auto-complete many of these commands and save a great deal of typing.

Task: List all user objects
Details: In the Command Pane, enter the following commands, pressing Enter after each command.
    CD CN=Users
    DIR | ft -a
    Get-ADObject -Filter {name -like "*"}
    Get-ADUser -Filter {name -like "*"}
    Get-ADUser -Filter {name -like "*"} | Select Name, Enabled | Format-Table -Auto

Task: Enable the Guest user object
Details: In the Command Pane, enter the following commands, pressing Enter after each command.
    Enable-ADAccount -Identity Guest
    Get-ADUser -Filter {name -like "*"} | Select Name, Enabled | Format-Table -Auto

Task: Display information about the Domain Admins group
Details: In the Command Pane, enter the following command, and then press Enter (where domain_name is the name of your domain and top_level_domain is your top level domain).
    Get-ADGroup -SearchBase "DC=domain_name,DC=top_level_domain" -SearchScope Subtree -Filter {Name -like "*Domain Admins*"} -Properties Extended

Task: Display information about a domain
Details: In the Command Pane, type the following command and then press Enter (where domain_name is the name of your domain).
    Get-ADDomain domain_name
The output of this command allows you to easily determine things such as operations master roles.

Task: Display information about domain controllers
Details: In the Command Pane, type the following command and then press Enter.
    Get-ADDomainController -Discover

Task: Display information about the domain password policy
Details: In the Command Pane, type the following command and then press Enter (where domain_name is the fully qualified domain name of your domain).
    Get-ADDefaultDomainPasswordPolicy domain_name

Task: Create a new organizational unit
Details: In the Command Pane, type the following command and then press Enter (where domain_name is the name of your domain and top_level_domain is your top level domain).
    New-ADOrganizationalUnit -Name "Europe" -Path "DC=domain_name,DC=top_level_domain"

Task: Display the properties of the new organizational unit
Details: In the Command Pane, type the following command and then press Enter (where domain_name is the name of your domain and top_level_domain is your top level domain).
    Get-ADOrganizationalUnit "OU=Europe,DC=domain_name,DC=top_level_domain" -Properties Extended

Task: Delete the new organizational unit
Details: In the Command Pane, type the following commands, pressing Enter after each command (where domain_name is the name of your domain and top_level_domain is your top level domain).
    CD AD:
    CD "DC=domain_name,DC=top_level_domain"
    Set-ADOrganizationalUnit Europe -ProtectedFromAccidentalDeletion $False
    Remove-ADOrganizationalUnit Europe

Task: Close the PowerShell V2 Graphical Console
Details: Close the PowerShell V2 Graphical Console.
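The steps above exercise the cmdlets one at a time. As an added example (not code from the overview or from the ActiveDirectory module), the script below combines the same cmdlets into a read-only hygiene report: enabled accounts whose password never expires, the state of the Guest account (which the review enables and which is disabled by default), the expanded membership of Domain Admins, and the default domain password policy. It assumes the released module and cmdlet names (Import-Module, Get-ADGroupMember, Disable-ADAccount), and $DomainName is a placeholder for your own domain.

```powershell
# Added example, not from the Windows Server 2008 R2 overview: a read-only report
# built from the Active Directory cmdlets used in the review.
# Assumptions: released module names (Import-Module ActiveDirectory); $DomainName
# is a placeholder to replace with your own fully qualified domain name.
param([string]$DomainName = 'domain_name.top_level_domain')   # placeholder

Import-Module ActiveDirectory

function Get-DomainHygieneReport([string]$Domain) {
    $report = @{}
    $adDomain = Get-ADDomain -Identity $Domain

    # 1. Enabled users whose password never expires bypass the domain password
    #    policy reported below, so list them by name.
    $report.PasswordNeverExpires = @(
        Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Server $Domain |
            ForEach-Object { $_.SamAccountName }
    )

    # 2. The review enables Guest to demonstrate Enable-ADAccount; Guest is disabled
    #    by default and should be returned to that state when the review is over.
    $guest = Get-ADUser -Identity Guest -Server $Domain
    $report.GuestEnabled = [bool]$guest.Enabled
    if ($guest.Enabled) {
        Write-Warning 'Guest is enabled; Disable-ADAccount -Identity Guest restores the default.'
    }

    # 3. Domain Admins, expanded recursively so members of nested groups are included.
    $report.DomainAdmins = @(
        Get-ADGroupMember -Identity 'Domain Admins' -Recursive -Server $Domain |
            ForEach-Object { $_.SamAccountName }
    )

    # 4. Default domain password policy, with the settings most often reviewed.
    $policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $report.MinPasswordLength = $policy.MinPasswordLength
    $report.ComplexityEnabled = $policy.ComplexityEnabled
    $report.MaxPasswordAgeDays = $policy.MaxPasswordAge.Days
    $report.LockoutThreshold = $policy.LockoutThreshold
    if ($policy.LockoutThreshold -eq 0) {
        Write-Warning 'No account lockout threshold is configured in the default domain policy.'
    }

    # 5. Operations master roles, which the review notes Get-ADDomain exposes.
    $report.PdcEmulator = $adDomain.PDCEmulator
    $report.RidMaster = $adDomain.RIDMaster
    $report.InfrastructureMaster = $adDomain.InfrastructureMaster

    return $report
}

Get-DomainHygieneReport -Domain $DomainName | Format-Table -AutoSize
```

Run it from the same console after loading the module; everything it does is a read, so it is safe to repeat after each change made during the review.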
Improvements in Active Directory Domain Services
The Active Directory Domain Services server role in Windows Server 2008 R2 includes the following improvements:
Recovery of deleted objects. Domains in Active Directory now have a Recycle Bin feature that allows you to recover deleted objects. If an Active Directory object is inadvertently deleted, you can restore the object from the Recycle Bin. This feature requires the updated R2 forest functional level.
Improved process for joining domains. Computers can now join a domain without being connected to the domain during the deployment process, also known as an offline domain join. This process allows you to fully automate the joining of a domain during deployment. Domain administrators create an XML file that can be included as a part of the automated deployment process. The file includes all the information necessary for the target computer to join the domain.
Improved management of user accounts used as identity for services. One time-consuming management task is the maintenance of passwords for user accounts that are used as identities for services, also known as service accounts. When the password for a service account changes, the services using that identity also must be updated with the new password. To address this problem, Windows Server 2008 R2 includes a new feature known as managed service accounts. In Windows Server 2008 R2, when the password for a service account changes, the managed service account feature automatically updates the password for all services that use the service account.
Reduced effort to perform common administrative tasks. As illustrated in the following figure, Windows Server 2008 R2 includes a new Active Directory Domain Services management console, Active Directory Administrative Center.
Figure 22: Active Directory Administrative Center management console
Active Directory Administrative Center is a task-based management console that is based on the new PowerShell cmdlets in Windows Server 2008 R2. Active Directory Administrative Center is designed to help reduce the administrative effort for performing common administrative tasks.
Active Directory Administrative Center: Step-by-step Feature Review
To review how the Active Directory Administrative Center feature works, you need to complete the tasks in the following table. Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 54: Explore the Active Directory Administrative Center

Task: Start the Active Directory Administrative Center
Details: On the Start menu, point to Administrative Tools, and then click Active Directory Administrative Center.

Task: Navigate to an organizational unit
Details: In Active Directory Administrative Center, in the Explorer pane, click Overview.
Using the fly-out menu system, navigate to organizational_unit (where organizational_unit is the name of the organizational unit in which you want to create an organizational unit).
Tip: Click the right arrow next to the domain root to begin using the fly-out menu system. As you navigate, type the first few letters of each organizational unit to shorten the navigation.

Task: Create an organizational unit
Details: In the Tasks pane, click New, and then click Organizational Unit.
The Create dialog box appears.
In the Create dialog box, in Name, type Demonstration OU, and then click OK.

Task: Create a user
Details: Using the fly-out menu system, navigate to Demonstration OU.
In the Tasks pane, click New, and then click User.
The Create dialog box appears.
Complete the Create dialog box by using the following information, and then click OK:
    First Name: Pilar
    Last Name: Ackerman
    User logon: pilarau
    Select the Password never expires check box.
    Clear the Change password at next logon check box.
    Password: P@ssw0rd

Task: Create a new group
Details: Using the fly-out menu system, navigate to Demonstration OU.
In the Tasks pane, click New, and then click Group.
The Create dialog box appears.
Complete the Create dialog box by using the following information, and then click OK:
    Name: Support
    Select the Protect from Accidental Deletion check box.

Task: Add a user to a group
Details: In Search, type Pilar Ackerman.
In the Results pane, click Pilar Ackerman.
In the Tasks pane, click Add to group.
In the Select Groups dialog box, in Enter the object names to select, type Support, click Check Names, and then click OK.
Active Directory Recycle Bin: Step-by-step Feature Review
To review how the Active Directory Recycle Bin feature works, you need to complete the following tasks:
Enable the Active Directory Recycle Bin feature
Delete objects in Active Directory
Verify the deleted objects are in the Active Directory Recycle Bin
Recover the objects in the Active Directory Recycle Bin
Verify the deleted objects have been recovered.
Note: Perform these steps in a test environment as these steps could adversely affect your production environment.
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group. Before you can recover deleted objects in your Active Directory infrastructure, you must enable the Active Directory Recycle Bin feature.
Table 65: Enable the Active Directory Recycle Bin Feature

Task: Start the Active Directory PowerShell Snap-in
Details: On the Start menu, point to Administrative Tools, and then click Active Directory PowerShell Snap-in.

Task: Check the state of the Recycle Bin feature
Details: In Windows PowerShell, type the following command and then press Enter.
    Get-ADOptionalFeature -Filter 'Name -like "*"'
In the output, note the following:
    The EnabledScopes property is currently empty, which indicates that this feature is not enabled.
    The RequiredForestMode property indicates the prerequisites for enabling this feature.

Task: Enable the Recycle Bin feature
Details: In Windows PowerShell, type the following command and then press Enter (where forest is the name of your forest).
    Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope Forest -Target 'forest'
Note: The Recycle Bin feature is disabled by default.
To confirm the command, press Enter.
Note: Once you have enabled the Recycle Bin feature, you cannot disable it at a later time.

Task: Verify the Recycle Bin feature is enabled
Details: In Windows PowerShell, type the following command and then press Enter.
    Get-ADOptionalFeature -Filter 'Name -like "*"'
The value of the EnabledScopes property reflects that the Recycle Bin is enabled.

Delete Objects in Active Directory
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 76: Delete Objects in Active Directory

Task: Start the Active Directory Administrative Center
Details: On the Start menu, point to Administrative Tools, and then click Active Directory Administrative Center.

Task: Navigate to an organizational unit
Details: Using the fly-out menu system, navigate to Demonstration OU.
Tip: Click the right arrow next to the domain root to begin using the fly-out menu system. As you navigate, type the first few letters of each organizational unit to shorten the navigation.

Task: Delete an organizational unit
Details: In the Tasks pane, click Delete.
In the Delete Confirmation dialog box, click Yes.
Verify the deleted objects are in the Active Directory Recycle Bin
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 87: Verify the deleted objects are in the Active Directory Recycle Bin

Task: Start the Active Directory PowerShell Snap-in
Details: On the Start menu, point to Administrative Tools, and then click Active Directory PowerShell Snap-in.

Task: Display the contents of the Recycle Bin
Details: In Windows PowerShell, type the following command and then press Enter (where domain is your domain name and top_level_domain is your top level domain name).
    Get-ADObject -SearchBase "CN=Deleted Objects,DC=domain,DC=top_level_domain" -LDAPFilter "(objectClass=*)" -IncludeDeletedObjects
This command displays the entire contents of the Recycle Bin.
Leave the output of this command on the screen, as you will use it in the next step.

Task: Verify the Pilar Ackerman user object is in the Recycle Bin
Details: In Windows PowerShell, type the following command and then press Enter.
    Get-ADObject -Filter 'Name -like "*Pilar Ackerman*"' -SearchScope Subtree -IncludeDeletedObjects
The output of this command shows the details for the Pilar Ackerman user object. The distinguished name indicates that this object is in the Recycle Bin.

Task: Verify the Demonstration OU is in the Recycle Bin
Details: In Windows PowerShell, type the following command and then press Enter.
    Get-ADObject -Filter 'Name -like "*Demonstration OU*"' -SearchScope Subtree -IncludeDeletedObjects
The output of this command shows the details for the Demonstration OU organizational unit. The distinguished name indicates that this object is in the Recycle Bin.

Recover Deleted Objects in Active Directory Recycle Bin
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 98: Recover Deleted Objects in Active Directory Recycle Bin

Task: Start the Active Directory PowerShell Snap-in
Details: On the Start menu, point to Administrative Tools, and then click Active Directory PowerShell Snap-in.

Task: Attempt to restore the Pilar Ackerman user object
Details: In Windows PowerShell, copy the objectGUID value for the object Pilar Ackerman to the clipboard.
Tip: To copy text from a command prompt, right-click and then select Mark. Highlight the text to copy and then press Enter. The objectGUID was listed in a previous output.
In Windows PowerShell, type the following command and then press Enter (where objectGUID is the objectGUID for Pilar Ackerman).
    Restore-ADObject -Identity objectGUID
Tip: To paste, right-click and then click Paste.
The command fails with an error message indicating that the object's parent object does not exist.

Task: Identify the parent container for the Pilar Ackerman user object
Details: In Windows PowerShell, type the following command and then press Enter.
    Get-ADObject -Filter 'Name -like "*Pilar Ackerman*"' -SearchScope Subtree -IncludeDeletedObjects -Properties lastKnownParent
This command displays the last known parent object which, as you can see, is also in the Recycle Bin.

Task: Restore the deleted organizational unit
Details: In Windows PowerShell, type the following command and then press Enter (where objectGUID is the objectGUID of the Demonstration OU organizational unit).
    Restore-ADObject -Identity objectGUID
Tip: To complete this command, copy the value of the objectGUID property from the Demonstration OU object, which can be found in the output of the previous command.

Task: Restore all the deleted objects
Details: In Windows PowerShell, type the following command and then press Enter (where domain is your domain name and top_level_domain is your top level domain name).
    Get-ADObject -LDAPFilter "(lastKnownParent=OU=Demonstration OU,DC=domain,DC=top_level_domain)" -IncludeDeletedObjects | Restore-ADObject
This command lists all objects whose lastKnownParent attribute is the Demonstration OU and pipes them into the Restore-ADObject cmdlet.
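The sequence in Tables 65, 87 and 98 (check that the Recycle Bin is enabled, find the deleted objects, restore the parent before its children) generalizes to any deleted subtree. The script below is an added example, not code from the overview or from the ActiveDirectory module; it automates that order for an OU of any depth by recursing on lastKnownParent, and it escapes DNs before placing them in an LDAP filter so that a name containing parentheses, asterisks or the backslash-escaped line feed that deleted-object DNs carry cannot alter the query. It assumes the released module and cmdlet names (Import-Module ActiveDirectory, -LDAPFilter, -IncludeDeletedObjects), and $DeletedOuName and $DomainDn are placeholders for your own values.

```powershell
# Added example, not from the Windows Server 2008 R2 overview: restore a deleted
# OU and everything that was inside it, parent first, recursing into nested OUs.
# Assumptions: released ActiveDirectory module; the two parameters are placeholders.
param(
    [string]$DeletedOuName = 'Demonstration OU',
    [string]$DomainDn      = 'DC=domain_name,DC=top_level_domain'   # placeholder
)

Import-Module ActiveDirectory
$deletedObjectsBase = "CN=Deleted Objects,$DomainDn"

# Escape a value for use inside an LDAP filter (RFC 4515). The DN of a deleted
# object contains "\0ADEL:<guid>", and a raw backslash or parenthesis would change
# the meaning of the filter, so every DN goes through this before being embedded.
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00').Replace([string][char]10, '\0a')
}

# Deleted objects whose lastKnownParent is one of the given DNs.
function Get-DeletedChildren([string[]]$ParentDns) {
    $clauses = $ParentDns | ForEach-Object { "(lastKnownParent=$(ConvertTo-LdapFilterValue $_))" }
    $filter = "(&(isDeleted=TRUE)(|$($clauses -join '')))"
    return @(Get-ADObject -SearchBase $deletedObjectsBase -IncludeDeletedObjects -LDAPFilter $filter)
}

# Restore one object, then its former children, depth first. Children may record
# the parent under either its original DN (as in the review's step) or its
# Recycle Bin DN, so both are queried.
function Restore-DeletedTree([guid]$ObjectGuid) {
    $deletedDn = (Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects).DistinguishedName
    Restore-ADObject -Identity $ObjectGuid
    $live = Get-ADObject -Identity $ObjectGuid          # DN is the original one again
    foreach ($child in (Get-DeletedChildren @($live.DistinguishedName, $deletedDn))) {
        Restore-DeletedTree $child.ObjectGUID
    }
    return $live
}

# 1. Refuse to run unless the Recycle Bin is enabled: without it a tombstone has
#    already lost most of its attributes and cannot be brought back intact.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    throw 'The Active Directory Recycle Bin is not enabled in this forest.'
}

# 2. Locate the deleted OU by its original name. A deleted object is renamed to
#    "<name>\0ADEL:<guid>", so a prefix match on the old name finds it; insist on
#    exactly one match rather than guessing between several.
$candidates = @(
    Get-ADObject -SearchBase $deletedObjectsBase -IncludeDeletedObjects -Properties lastKnownParent `
        -LDAPFilter '(&(isDeleted=TRUE)(objectClass=organizationalUnit))' |
        Where-Object { $_.Name -like "$DeletedOuName*" }
)
if ($candidates.Count -ne 1) {
    $parents = ($candidates | ForEach-Object { $_.lastKnownParent }) -join '; '
    throw "Expected one deleted OU named '$DeletedOuName', found $($candidates.Count). Last known parents: $parents"
}

# 3. Restore the OU first, then its children. This is the order the review shows
#    matters: restoring a child before its parent fails because the parent DN
#    does not exist.
$restored = Restore-DeletedTree $candidates[0].ObjectGUID
"Restored $($restored.DistinguishedName)"

# 4. Confirm nothing that belonged under the OU is still in the Recycle Bin.
$leftovers = Get-DeletedChildren @($restored.DistinguishedName)
if ($leftovers.Count -gt 0) {
    Write-Warning "$($leftovers.Count) object(s) still deleted under $($restored.DistinguishedName)"
}
```

Restored objects keep their original objectGUID and, for users and groups, their SID and group memberships, which is why the script identifies everything by objectGUID rather than by name.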
Verify the Deleted Objects Are Recovered
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 109: Verify the Deleted Objects Are Recovered

Task: Start the Active Directory Administrative Center
Details: On the Start menu, point to Administrative Tools, and then click Active Directory Administrative Center.

Task: Verify the Demonstration OU organizational unit has been recovered
Details: Using the fly-out menu system, navigate to Demonstration OU.
Tip: Click the right arrow next to the domain root to begin using the fly-out menu system. As you navigate, type the first few letters of each organizational unit to shorten the navigation.

Task: Verify the Pilar Ackerman user object has been recovered
Details: In Search, type Pilar Ackerman.
The Pilar Ackerman user object should appear in the Results pane.

Offline Domain Join: Step-by-step Feature Review
Offline domain join involves two steps. In the first step you provision a computer account in Active Directory and save the account information in a file. In the second step you use that file in a command that inserts the domain join information into an offline version of Windows.
Perform the steps in the following table while logged on as a member of the Enterprise Admins security group.
Table 1110: Offline domain join

Task: Provision a new computer account
Details: On the Start menu, in Start Search, type cmd, and then press Enter.
At the command prompt, type the following command and then press Enter (where domain_name is the name of your domain).
    DJOIN /Provision /Domain domain_name /Machine DEN-SRV-01 /SaveFile DEN-SRV-01.DJoin
This command creates a computer account in Active Directory and stores the computer account password and related information in an encrypted file. The encrypted file can then be used to offline domain join a computer.

Task: Display the contents of the provisioning file
Details: At the command prompt, type the following command and then press Enter.
    Type DEN-SRV-01.DJoin
Note: The contents of the .DJoin file are encrypted.

Task: Verify the computer account is created in Active Directory
Details: On the Start menu, point to Administrative Tools, and then click Active Directory Administrative Center.
Using the fly-out menu system, navigate to domain_name\Computers (where domain_name is the name of your domain).
Tip: Click the right arrow next to the domain root to begin using the fly-out menu system. As you navigate, type the first few letters of each organizational unit to shorten the navigation.
In the information pane, note that the computer account DEN-SRV-01 has been created.

Task: Join the computer to the domain
Details: The following command would be run on DEN-SRV-01 to join that computer to the domain.
    DJOIN /Requestodj /LoadFile DEN-SRV-01.DJoin /WindowsPath \Mount\Windows
Note: Do not run this command. It is provided for reference purposes only.
This command is intended to be run against an offline copy of Windows, such as a WIM file or VHD that has been mounted as a drive or folder in the file system.
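The provisioning file produced in the first step carries the new computer account's password, so between provisioning and the offline join it should be handled like a credential. The script below is an added example, not code from the overview or from the DJOIN tool: it runs the same DJOIN /Provision command as the review, verifies that the account now exists in Active Directory, and then strips inherited permissions from the file so that only the provisioning account can read it. It assumes the released ActiveDirectory module and its Get-ADComputer cmdlet, which the page does not mention; $DomainName and the file path are placeholders.

```powershell
# Added example, not from the Windows Server 2008 R2 overview: provision an offline
# domain join file, verify the account, and restrict who can read the file.
# Assumptions: released ActiveDirectory module (Get-ADComputer); placeholders below.
param(
    [string]$DomainName  = 'domain_name.top_level_domain',           # placeholder
    [string]$MachineName = 'DEN-SRV-01',
    [string]$BlobPath    = (Join-Path $env:TEMP 'DEN-SRV-01.DJoin')   # placeholder location
)

Import-Module ActiveDirectory

# 1. Provision the computer account and write the encrypted file, using the same
#    switches as the review. DJOIN reports failure through its exit code.
& djoin.exe /provision /domain $DomainName /machine $MachineName /savefile $BlobPath
if ($LASTEXITCODE -ne 0) {
    throw "djoin /provision failed with exit code $LASTEXITCODE"
}

# 2. Verify the account exists in Active Directory, as the review does through the
#    Administrative Center, and that it was created just now rather than reused.
$computer = Get-ADComputer -Identity $MachineName -Server $DomainName -Properties whenCreated
"Computer account $($computer.DistinguishedName) created $($computer.whenCreated)"

# 3. The file holds the machine account password. Remove inherited ACEs and grant
#    read access to the provisioning account only, so another user of a shared
#    staging location cannot pick it up while it waits to be applied.
$owner = "$($env:USERDOMAIN)\$($env:USERNAME)"
& icacls.exe $BlobPath /inheritance:r /grant:r "${owner}:(R)"
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}
"Provisioning file $BlobPath is readable by $owner only"
```

Once the file has been applied with DJOIN /Requestodj on the target image, delete the copy on the provisioning host; the computer account password it contains is no longer needed there.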
Improvements in Active Directory Federated Services
Active Directory Federated Services in Windows Server 2008 R2 includes a new feature known as authentication assurance. This feature allows administrators to establish authentication policies for accounts that are authenticated in federated domains. This enables a variety of advanced authentication scenarios, such as smart cards, for example.