WS 2008 R2 Active Directory: Diving in to the core Siddharth Bhai Program Manager, Microsoft Corp Presented at the Windows Networking User Group on Feb 3, 2010.
Agenda Windows Server 2008 R2 AD Recycle bin Offline Domain Join AD Technologies QnA
Windows Server 2008 R2 Comprehensive PowerShell commands Task based management UI to manage ADDS and ADLDS simplifies IT Pro workflows Active Directory AD Recycle Bin Offline Domain Join Managed-Service Accounts Authentication assurance saves AD objects and jobs from accidental deletion streamlines data center deployments reduces service management costs enables enforcement of federation policies
Our focus Today Comprehensive PowerShell commands Task based management UI to manage ADDS and ADLDS simplifies IT Pro workflows Active Directory AD Recycle Bin Offline Domain Join Managed-Service Accounts Authentication assurance saves AD objects and jobs from accidental deletion streamlines data center deployments reduces service management costs enables enforcement of federation policies
AD Recycle Bin What is it? allows recovery of any deleted Active Directory object in its complete & original condition What do you need to know? you are able to fully recover deleted-objects there is a configurable interval for the duration in which a deleted object can be recovered How do you prep to use it? requires forest-functional level 4 (WIN2008R2) You must manually enable the feature
Recycle Bin Object Lifecycle Windows Server 2008 - no Recycle Bin feature Windows Server 2008 - with Recycle Bin enabled Live Object Tombstone Object Garbage Collection Live Object Deleted Object Recycled Object Garbage Collection
Recycle Bin Object Lifecycle Windows Server 2008 Live Object 180 Days Tombstone Object Garbage collection LDAP OID 1.2.840.113556.1.4.417 Returns Deleted Returns Tombstones Windows Server 2008 R2 - with Recycle Bin enabled LDAP OID 1.2.840.113556.1.4.2064 Returns Deleted and Recycled Live Object Deleted Object Recycled Object Garbage collection 180 Days 180 Days
Recycle Bin details What was the configurable interval you told us about? Deleted Object Lifetime (DOL) = TombStone Lifetime (TSL) = 180 days (by default) AD admins : Changes in notion of TSL (Deleted Object Lifetime or DOL) both can be modified independently (cn=directory Services,cn=Windows NT, cn=services, cn=config ) msds-deletedobjectlifetime tombstonelifetime What does this mean for my backups? backups remain valid for the lesser of DOL, TSL Restore an object < Get-ADObject -Filter {displayname -eq "Mary"} -IncludeDeletedObjects Restore-ADObject Demand-deletion aka. instant-recycle (double-delete) delete the object from the Deleted Objects container Get-ADObject Filter {<suitable filter>} IncludeDeletedObjects Remove-ADObject
Deleted Object Lifetime DeletedObjectLifetime Is the period during which a deleted object can be restored, fully without loss of attributes Not set by default If DOL = null, a deleted object stays deleted for tombstonelifetime (fallback) Recycled Object Lifetime tombstonelifetime is the actual attribute (default = 180 days) User should not worry about this as it is simply an artifact of replication Too short lingering objects; too long database bloat
Recycle Bin impact to your AD deployment Impact on the DIT the first Windows Server 2008 R2 DC generates churn, why? DIT-size on existing downlevel DCs initially remains (mostly) unaffected replicated isrecycled property represents a trivial increase in size DIT-size on Windows Server 2008 R2 DC instantly ~10-15% larger than non-r2 DCs due to additional columns and indices that are present from day-one once Recycle Bin is turned on, expect 10-15% plus ongoing impact of new deletions Feature NOT enabled by functional level alone our first (and currently only) optional feature optional features need to be switched on / bound to schema FSMO Enable-ADOptionalFeature Recycle Bin Feature Scope ForestOrConfigurationSet Target {target DC or LDS-instance DN} Resulting behavioral changes once object isrecycled, traditional tombstone reanimation blocked
Windows 7 Optional Features CN=Optional Features, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=contoso,DC=com CN=Partitions, CN=Configuration, DC=contoso,DC=com
Recycle Bin recovering objects Deleted Objects container flat list of objects in deleted state RDN mangled (<RDN>+DEL:+CHAR(0A)) linked/non-linked attributes preserved lastknownparent and lastknownrdn populated Delete Restore objects to live parent deleted objects MUST be restored to a live parent perform restore top-down lastknownxx properties useful in rebuilding hierarchy \0ADEL: \0ADEL: \0ADEL: \0ADEL: \0ADEL:...
Deleting an Object Object deletion in WS08: Object deletion in WS08 R2: isdeleted=true lastknownparent set Moved to the DeletedObjects container DN is mangled rdn beyond 128 char would be truncated Hierarchy is effectively flattened All but a few non-linked attributes (e.g. GUID, SID, sidhistory, etc.) are preserved All linked attributes (e.g. member/memberof) are stripped away Only visible with ShowDeletedObjects LDAP control Purged after tombstonelifetime expires isdeleted=true; isrecycled=null lastknownparent, ms-ds-lastknownrdn set Moved to the DeletedObjects container DN is mangled rdn beyond 128 char would be truncated Hierarchy is effectively flattened All non-linked attributes are preserved All linked attributes are preserved Only visible with ShowDeletedObjects LDAP control Purged after deletedobjectlifetime expires if that value is set, else after tombstonelifetime expires
Restoring an Object Object restoration in WS08: Object restoration in WS08 R2: Delete isdeleted attribute Change DN based on lastknownparent and mangled DN Only some non-linked attributes (e.g. GUID, SID, sidhistory, etc.) are restored import old values from snapshots None of the linked attributes (e.g. member/memberof) are restored regenerate links using LDIFs from auth restore Tool: ldp.exe Delete isdeleted attribute Change DN based on lastknownparent and ms-dslastknownrdn All non-linked attributes are restored All linked attributes, even crossdomain links, are restored Tool: ldp.exe, Active Directory PowerShell
How an Object is Deleted In WS08: Object is first locally deleted Non-linked attributes that are not preserved are cleared (in the data table) All linked attributes are removed (from the link table) Object deletion is replicated isdeleted=true is the replicated event Same operations as above are repeated on each notified DC Cross-domain DCs are notified as follows: Infrastructure Master checks Global Catalog server for referenced objects with mangled DN (indicating object deletion) If so, creates an InfrastructureUpdateObject to trigger deletions of object on various DCs
How an Object is Deleted In WS08 R2: Object is first locally deleted All non-linked attributes are preserved (in the data table) All linked attributes (in the link table) are marked as deactivated Object deletion is replicated isdeleted=true is the replicated event Same operations as above are repeated on each notified DC Cross-domain DCs are notified as follows: Every DC checks Global Catalog server for referenced objects with mangled DN (indicating object deletion) If so, deletes object locally
AD LDS has Recycle Bin too! Ensure all instances in the configuration set are running Windows Server 2008 R2 Use LDIFDE to extend schema using MS- ADAM-Upgrade-2.LDF shipped inbox
Restoring Object(s) - ADPsh #Restore a single object Get-ADObject -Filter {displayname -eq "Mary"} - IncludeDeletedObjects Restore-ADObject #Restore a tree Get-ADObject -ldapfilter:"(msds- LastKnownRDN=Finance_Department)" IncludeDeletedObjects Restore-ADObject Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastknownparent -eq "OU=Finance_Department,DC=contoso,DC=com"} - IncludeDeletedObjects Restore-ADObject Get-ADObject -SearchBase "CN=Deleted Objects,DC=contoso,DC=com" -Filter {lastknownparent -eq "OU=Admins,OU=Finance_Department,DC=contoso,DC=com"} - IncludeDeletedObjects Restore-ADObject
Setting object lifetimes - ADPsh #Change deletedobjectlifetime Set-ADObject -Identity CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com Partition CN=Configuration,DC=mydomain,DC=com Replace:@{ msds-deletedobjectlifetime = 60} #Change tombstonelifetime Set-ADObject -Identity CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com Partition CN=Configuration,DC=mydomain,DC=com Replace:@{ tombstonelifetime = 365}
Offline Domain Join (ODJ) What does it do? allows a client to fully achieve a domain-joined state without ever having communicated with a domain controller What do you need to know? machines are domain-joined on initial boot without requirement for network connectivity reduces reboots / time needed to deploy OS images How do you prep for it? NO forest or domain functional level requirement NO Windows Server 2008 R2 DCs required joining machine must, however, be Windows 7 client or Windows Server 2008 R2 member
ODJ try it yourself 1. Get a new Windows 7 client or Windows Server 2008 R2 machine 2. Gracefully shut down the new machine 3. Gain writeable access to the new machine s physical or virtual disk 4. On a second domain-joined machine & using domain-join-capable credentials, run djoin /provision /domain <target domain> /machine <new machine name> /savefile <filename> djoin /requestodj /loadfile <filename> /windowspath <path to new machine s %windir%> 5. Reboot new machine it s now in a fully domain-joined state
ODJ specifics on the blob
Offline Join: Developer Support NET_API_STATUS NetProvisionComputerAccount( in LPCWSTR lpdomain, in LPCWSTR lpmachinename, in_opt LPCWSTR lpmachineaccountou, in_opt LPCWSTR lpdcname, in DWORD dwoptions, out_opt PBYTE pprovisionbindata, out_opt DWORD pdwprovisionbindatasize, out_opt LPWSTR pprovisiontextdata ); NET_API_STATUS NetRequestOfflineDomainJoin( in BYTE *pprovisionbindata, in DWORD cbprovisionbindatasize, in DWORD dwoptions, in LPCWSTR lpwindowspath );
Offline Join: The Possibilities Rapid deployments in next-gen datacenters Goal: Deploy 1000 new servers every 30 minutes. Integration into service offerings Would you considering including it in your IT services offering? Web-based interface workflow for create, download, apply, join Your thoughts?
Active Directory Technologies AD Domain Services AD DS AD Rights Management Services AD RMS AD Lightweight Directory Services AD LDS AD Certificate Services AD CS AD Federation Services AD FS
Resources Active Directory Recycle bin Step-By-Step: http://technet.microsoft.com/en-us/library/dd392261(ws.10).aspx Offline Domain Join Step-By-Step: http://technet.microsoft.com/en-us/library/dd392267(ws.10).aspx Active Directory technologies: http://www.microsoft.com/windowsserver2008/en/us/active-directory.aspx
Thank You!