Which PowerShell cmdlet is the correct one to use to create a new Active Directory site?

Windows Server 2008 R2 delta changes

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Active Directory Recycle Bin

AD now includes an undelete option known as the Recycle Bin. The AD Recycle Bin acts a lot like the Windows recycle bin we are all very familiar with. The AD Recycle Bin stores objects for 180 days (by default) after they are deleted from AD. This allows for easy full fidelity recovery of deleted AD objects using PowerShell commands. The one main requirement to use this feature is that your AD forest be in Windows Server 2008 R2 native mode, and all domain controllers in the domain need to be running Windows Server 2008 R2.
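The prerequisite check, feature enablement and a full-fidelity restore described above, written out in PowerShell as an added example (this is not the book's own code). The forest name corp.example.com and the deleted user jdoe are placeholders; run it as an Enterprise Admin on a machine with the ActiveDirectory module.

```powershell
# Added example: check Recycle Bin prerequisites, enable the feature, inspect the
# deleted-object lifetime and restore a deleted user in place.
# Assumptions: forest 'corp.example.com' and user 'jdoe' are placeholders.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
# The forest functional level must be Windows Server 2008 R2 or higher.
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); raise it before enabling the Recycle Bin."
}

# Enabling the optional feature is forest-wide and cannot be undone, so only do
# it when no scope has it enabled yet.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# How long deleted objects stay recoverable (msDS-DeletedObjectLifetime).
# An empty value means it falls back to tombstoneLifetime; 180 days is the default.
$dsCfg = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$life  = Get-ADObject -Identity $dsCfg -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
"Deleted-object lifetime: $($life.'msDS-DeletedObjectLifetime') (tombstone: $($life.tombstoneLifetime))"

# Deleted objects are only visible with -IncludeDeletedObjects. Because the
# Recycle Bin keeps attributes intact, sAMAccountName can be filtered directly.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged

if (-not $deleted) {
    Write-Warning 'No deleted object named jdoe found within the deleted-object lifetime.'
}
foreach ($obj in $deleted) {
    # Restore-ADObject puts the object back under lastKnownParent. If that
    # container was deleted too, restore the container first (or pass -TargetPath).
    "Restoring $($obj.Name) deleted at $($obj.whenChanged) into $($obj.lastKnownParent)"
    Restore-ADObject -Identity $obj.ObjectGUID
}
```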

URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000141

Introduction to Windows Server 2008 R2

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Active Directory

Active Directory has become the cornerstone of Windows Server domains. It is the core of many network environments supporting not only users and computers, but also applications like Microsoft Exchange Server. Active Directory was first introduced in Windows 2000 Server and has evolved with more reliability and features with each server operating system release. Windows Server 2008 R2 delivers a series of new Active Directory features such as:

Recycle Bin—The Recycle Bin allows administrators to restore deleted objects to Active Directory. This feature is welcome to any administrator who has accidentally deleted a user account on a Friday afternoon.

Active Directory Administrative Center—Active Directory Administrative Center provides a new way for Windows administrators to perform common tasks within their Active Directory domains. It is a GUI built on top of PowerShell, giving administrators an intuitive and easy-to-use tool to complete daily tasks such as reset passwords, create new user accounts, and manage groups and organizational units.

Active Directory PowerShell cmdlets—PowerShell, with the Active Directory cmdlets, provides a rich command line interface to script and automate common Active Directory tasks. Windows Server 2008 R2 contains over 75 cmdlets to perform actions, such as creating new users, resetting passwords, and managing group membership.

Active Directory Best Practices Analyzer (BPA)—The Active Directory BPA is a tool to help ensure that your Active Directory deployment is healthy and properly configured. The Active Directory BPA scans your Active Directory deployment and looks for configuration issues or common problems. The Active Directory BPA will then provide a report and recommended remediation steps for the discovered issues. New administrators will find this tool especially helpful to locate misconfigurations or early warning signs within their Active Directory domains.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000013

Exchange 2003 Deployment Fundamentals

Kieran McCorry, in Microsoft Exchange Server 2003, Deployment and Migration SP1 and SP2, 2006

1.2.1 Active Directory

The Active Directory (AD) replaces the flat-structured NT4 SAM with an X.500-like hierarchical directory structure. Exchange 2003 uses the Active Directory extensively because it no longer has a directory service of its own. The Active Directory is essentially a container for objects held in a hierarchical fashion. Active Directory provides methods for the search, retrieval, and update of information that it holds. Active Directory is a multimaster directory, and different parts of the Active Directory can exist on different servers within an organization. The Active Directory provides a mechanism for replication that means that information held on one particular Active Directory server can be replicated to another Active Directory server. As such, replication latency can be a factor that needs to be taken into consideration, and this gives rise to the concept of “loose consistency” said to exist with Active Directory; that is, information within the Active Directory may be inconsistent and correct only at a point in time due to replication latency. Active Directory is used by Exchange 2003 to hold information that is used by mail routing, provision of a Global Address List (GAL), and the storage of configuration information.

URL: https://www.sciencedirect.com/science/article/pii/B9781555583491500031

Feature focus

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Planning for Active Directory Federation Services

Prior to deploying ADFS, you should properly plan your environment and ensure that the business requirements will be met by your proposed solution. For example, if you want to provide SSO for an extranet application in your perimeter network, you will need to ensure that your design includes an AD forest and ADFS servers in the perimeter network. You will also need to ensure that the applications support claims-based authentication using ADFS. After you document business requirements, you can begin designing your deployment. Figure 4.63 depicts an ADFS deployment with an application installed in the perimeter network. ADFS in this design is providing SSO for corporate users with existing user accounts in an internal AD forest.

Figure 4.63. ADFS design diagram.

ADFS has several prerequisites that must be met prior to deployment. The prerequisites are:

PKI—ADFS requires certificates to secure communications between two environments. Self-signed certificates can be used for testing and lab purposes but should not be used in production deployments.

Windows Server 2008 R2 Enterprise—ADFS servers require Windows Server 2008 R2 Enterprise edition or greater.

AD Domains—ADFS requires that an AD domain exists on both the account and resource side.

FS Web Agent installed on application server—The Web server hosting the application will need the federation services Web agent installed.

Other factors that you must consider as part of your planning process are:

Are there redundancy and high availability requirements?

Will the ADFS deployment involve several AD domains?

Do you have a PKI deployed to support certificate requirements of ADFS?

Who will manage access using ADFS?

Be sure that you can answer the aforementioned questions as part of your design and planning process. As with all features in this book, be sure you spend ample time testing your design in a lab environment before making changes to your production environment.

URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000049

Windows Server 2008 R2 file and print services

Dustin Hannifin, ... Joey Alpern, in Microsoft Windows Server 2008 R2, 2010

Publishing shared folders to Active Directory

Active Directory includes the ability to publish your shared folders to the directory service. This allows users to easily find network shares without needing to know the server or share name of the shared folder. Users can simply search Active Directory for the shared folder they wish to access and Active Directory will connect them to the correct server and shared folder name. To publish a shared folder to Active Directory, perform the following:

1. Open Active Directory Users and Computers (ADUC).

2. Right click the OU that you wish to publish the shared folder to, then select New | Shared Folder (see Figure 5.12).

Figure 5.12. Publishing New Shared Folder to Active Directory.

3. Enter a name for the published share and the UNC path to the share location (see Figure 5.13). Then click OK.

Figure 5.13. Creating New Published Shared Folder.

4. You can now search for the shared folder using Active Directory (see Figure 5.14).

Figure 5.14. Searching for Active Directory Published Shared Folder.
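The same publish-and-search procedure done from PowerShell, added here as an example (not the book's code). A published share is stored as a volume object whose uNCName attribute holds the path; the server, share, OU and domain names below are placeholders.

```powershell
# Added example: publish a shared folder to AD (equivalent of ADUC's
# New | Shared Folder), search for it, and find stale published entries.
# Assumptions: fs01.corp.example.com, the 'Projects' share and the OU are placeholders.
Import-Module ActiveDirectory

$ouPath = 'OU=Published Shares,DC=corp,DC=example,DC=com'
$unc    = '\\fs01.corp.example.com\Projects'

# Users are sent wherever uNCName points, so only publish a path that resolves
# to a reachable share right now.
if (-not (Test-Path -LiteralPath $unc)) { throw "Share $unc is not reachable." }

# Step 2-3 of the procedure: the published share is an object of class 'volume'.
New-ADObject -Name 'Projects' -Type 'volume' -Path $ouPath `
    -Description 'Engineering project files' `
    -OtherAttributes @{ uNCName = $unc; keywords = @('projects', 'engineering') }

# Step 4: search the directory by name or keyword, as a user would.
function Find-PublishedShare {
    param([string]$Keyword)
    Get-ADObject -LDAPFilter "(&(objectClass=volume)(|(name=*$Keyword*)(keywords=$Keyword)))" `
        -Properties uNCName, keywords, description |
        Select-Object Name, uNCName, Description
}
Find-PublishedShare -Keyword 'projects'

# Housekeeping: published shares whose UNC target no longer exists send users
# to a dead path; list them so they can be removed or repointed.
Get-ADObject -LDAPFilter '(objectClass=volume)' -Properties uNCName |
    Where-Object { -not (Test-Path -LiteralPath $_.uNCName) } |
    Select-Object DistinguishedName, uNCName
```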

URL: https://www.sciencedirect.com/science/article/pii/B9781597495783000050

MCSE 70-293: Planning, Implementing, and Maintaining a Name Resolution Strategy

Martin Grasdal, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-293) Study Guide, 2003

Domain Controller versus Member Server

In an AD environment, you have the choice to install and configure DNS on your domain controllers or on member servers. If you install DNS on your domain controllers, you can configure Active Directory-integrated zones.

Active Directory-integrated zones provide the following advantages over standard DNS zones:

There is not a single point of failure for the primary zone. In a standard DNS environment, if the primary master DNS server fails and is not brought online within a particular amount of time (specified in the SOA record), the secondary servers will remove the RRs from their zone, and name resolution will fail for the entire domain.

In large environments where DHCP servers and clients are updating RRs, this load can be distributed among domain controllers that store zone information in AD.

Active Directory-integrated zones provide enhanced security for zone replication in that DNS servers must be registered in AD and AD replication traffic is encrypted.

You can use secure dynamic updates with Active Directory-integrated zones to tighten security further.

Synchronization of zone information occurs automatically through AD replication. No further configuration is necessary to facilitate transfer of zone information among participating servers.

AD replication is more efficient than the standard zone transfer mechanisms. For example, AD replication propagates only the last changes. Even though an incremental zone transfer copies only the changes to the RRs, it propagates all the incremental changes to the RRs that have occurred since the last update. If you are not using IXFR, the entire zone file is copied whenever an update is made.

AD replication will compress replication traffic in certain circumstances, further reducing the bandwidth needed for DNS-related traffic.

New & Noteworthy…

Using the Application Directory Partition for Active Directory-Integrated Zones

Windows Server 2003 enhances the design and functionality of AD through the application directory partition, which is a new feature of Windows Server 2003. In Windows 2000, Active Directory-integrated zones are contained in the domain partition and are replicated to all domain controllers, regardless of whether the DNS service is installed on those computers. In contrast, Windows Server 2003 installs an application directory partition on only those domain controllers that have the DNS service installed. The application directory partition allows you to confine DNS-related replication to a subset of computers that have the partition installed. By using application directory partitions, you can reduce the size of the Global Catalog and the amount of replication traffic between domain controllers. This is a significant advantage when you have a large infrastructure in which DNS or another application is making a large number of frequent updates to AD, which would otherwise flood your network with replication traffic and negatively affect domain controller performance.

When you are installing the first Windows Server 2003 AD domain controller, two application directory partitions are created by default: ForestDNSZones, a forest-wide partition, and DomainDNSZones, a domain-wide partition for each domain in the forest.

Active Directory-integrated zones can be used in combination with secondary servers. For example, you can use secondary zones on servers that are not configured as domain controllers. This is advantageous in situations where you do not want AD traffic replicated across a WAN link, but you do want to have an authoritative DNS server available at a remote location. You cannot simultaneously load a standard text-based primary zone file and an Active Directory-integrated zone for the same domain on the same domain controller. However, you can combine primary, secondary, and Active Directory-integrated zones on the same domain controller. On a stand-alone or member server, primary and secondary zones can be combined on the same server. Furthermore, if you have multiple IP addresses bound to the server, you can emulate a secondary server on the same computer where the primary is located. This configuration is useful in very small environments where you have only one server.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500105

Deployment Options

Derrick Rountree, in Federated Identity Primer, 2013

4.3 Active Directory Federation Services

Active Directory Federation Services (ADFS) is an enterprise-level identity and access management system. ADFS 2.0 is Microsoft’s implementation of claims-based identity infrastructure. ADFS 2.0 was built using the Windows Identity Foundation framework. This framework allows ADFS 2.0 to grow as the framework grows. It also allows ADFS 2.0 to make use of the features and functionality integrated into the framework. ADFS 2.0 is installed as an add-on component to your Windows 2008-based or higher servers that can be downloaded from the Microsoft web site.

There is an ADFS role available on Windows 2008 servers, but it installs an older version of ADFS. If you want to use ADFS 2.0, you have to use the download file for installation.

4.3.1 ADFS 2.0 Functionality

ADFS 2.0 adds a lot of functionality over what was previously supported with ADFS. ADFS 2.0 uses a true claim-based approach to authentication, authorization, and federation. ADFS takes a standards-based approach to implementing functionality. This allows greater interoperability with other token services and claims-based IdPs.

4.3.1.1 Claims-Based Authentication Clients

ADFS 2.0 provides full claims-based authentication (CBA) functionality by supporting both active and passive clients. Passive clients are generally used in web-site-based activities. Most web browsers have built-in passive CBA client functionality. Active clients are a little bit different; they are mostly used with web services. Active CBA clients are usually developed using the Windows Identity Foundation framework.

4.3.1.2 SAML

In order to provide standard token support, ADFS 2.0 supports the use of Security Assertion Markup Language (SAML) 2.0. This allows it to be compatible with a wide range of federation technologies. It can interoperate with virtually any implementation that adheres to the SAML 2.0 standard.

4.3.1.3 Federation with Other STSs

ADFS 2.0 supports federation with other Secure Token Servers (STSs). This allows you to trust tokens that were generated by another issuer. The federation server will then perform a token transformation. The federation server will pull the claims from the incoming token and use them to create tokens of its own. The new token can then be used by relying parties that trust your STS.

4.3.2 ADFS 2.0 Components

An ADFS 2.0 implementation includes several key components. Each component plays a different role in providing the total solution. We will cover each of these components. They include the federation servers, the attribute store, relying parties, and endpoints.

4.3.2.1 Federation Service

The Federation Service is one of the key components of an ADFS 2.0 environment. The Federation Service serves several purposes. The federation server is the server that manages the tokens. Basically, it’s the server where the STS is installed. The Federation Service manages the trust relationship with the relying parties. It also manages the trust relationship with other IdPs. The federation server can be configured using the Federation Server Configuration Wizard or the fsconfig tool.

4.3.2.2 Federation Proxy Servers

Federation Proxy Servers allow external users access to your internal ADFS 2.0 environment. A Federation Proxy Server can be installed in your DMZ. External users will authenticate against the proxy. The proxy will forward the requests to your internal Federation Server. This allows you to authenticate external users without having to let unauthenticated traffic into your internal network.

4.3.2.3 Attribute Stores

The attribute store is where the values used for the claims are stored. After authentication, the STS will query the attribute store to find the appropriate user information needed to set the claims and create the token. Although ADFS 2.0 only supports using Active Directory as the authentication store, you can use Active Directory, LDAP, SQL, or a custom store for the attribute store.

4.3.2.4 Relying Parties

The relying party is the consumer of the claims created by the STS. Since ADFS 2.0 supports both active and passive clients, the relying parties can be web applications or web services. The STS must be configured with the configuration information for each relying party that it will support.

4.3.2.5 Endpoints

Endpoints are used to provide access to services on the federation server. There are several types of endpoints that can be used with ADFS 2.0 including WS-Trust 1.3, WS-Trust 2005, WS-Federation Passive, SAML SSO, Federation Metadata, SAML Artifact Resolution, and WS-Trust WSDL.

4.3.3 ADFS 2.0 Federation Server Configuration Wizard

Before you can begin using ADFS 2.0, you must first configure your federation server. After installing ADFS 2.0, you will open the ADFS 2.0 Management Console. The first time you open the console, you will be presented with the Overview page, as seen in Fig. 4.1. The Overview page gives you the option to run the ADFS 2.0 Federation Server Configuration Wizard. The wizard will guide you through the steps needed to configure your federation server.

Fig. 4.1. ADFS Management Console Overview page.

The first screen of the wizard is the welcome screen as seen in Fig. 4.2. Here you choose whether the server you are configuring will be a part of a new Federation Service or if it will be added to an existing Federation Service. If this server is the first federation server in your ADFS implementation, choose “Create a new Federation Service.” If you choose “Add a federation server to an existing Federation Service,” you will be prompted to enter the name of the primary federation server of the Federation Service instance.

Fig. 4.2. ADFS Federation Server Configuration Wizard welcome screen.

An instance of ADFS is sometimes called a Federation Service.

The next screen you will see is the Deployment Type screen, as seen in Fig. 4.3. If you chose to create a new Federation Service, here you will have the option to either create a New federation server farm or to create a Standalone federation server. If you create a federation server farm, you can later add more federation servers to your farm to provide load balancing and high availability. If you choose to create a standalone federation server, these options will not be available to you. This section of the book assumes that you choose to create a new federation server farm.

Fig. 4.3. ADFS Configuration Wizard Deployment Type screen.

The next screen is the Federation Service Name screen (Fig. 4.4). The wizard will query the server’s Default Web Site for an appropriate certificate. The wizard will then pull the Subject name from the certificate. The wizard will show that name as the Federation Service Name.

Fig. 4.4. ADFS Configuration Wizard Federation Service Name screen.

The next screen is the Service Account screen, as seen in Fig. 4.5. Here you must specify a service account to be used to manage your server farm. The account you use for the service account must have access to all of the servers in the farm. It must also have rights to create a container in Active Directory.

Fig. 4.5. ADFS Config Wizard Service Account screen.

Next, you will be presented with the Summary screen, as seen in Fig. 4.6. The Summary screen tells you what actions are about to take place.

Fig. 4.6. ADFS Config Wizard Summary screen.

Finally, the Results screen as seen in Fig. 4.7 will let you know if everything was successful or not. You should review any errors or warnings that are presented.

Fig. 4.7. ADFS Config Wizard Results screen.

URL: https://www.sciencedirect.com/science/article/pii/B9780124071896000042

MCSA/MCSE 70-294: Active Directory Infrastructure Overview

Michael Cross, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2003

Summary of Exam Objectives

Active Directory is a database with a hierarchical structure, storing information on accounts, resources, and other elements making up the network. This information is stored in a data source located on the server and replicated to other DCs on the network. The information pertaining to Active Directory is organized into the schema, domain, and configuration partitions, and can also have additional information for programs stored in the application partition. This data can be accessed over the network using LDAP.

To identify objects within the directory structure, Active Directory supports a variety of different naming schemes. These include the Domain Name System (DNS), user principal name (UPN), Universal Naming Convention (UNC), Uniform Resource Locator (URL) and Lightweight Directory Access Protocol Uniform Resource Locator (LDAP URL). Distinguished names (DNs), relative distinguished names (RDNs) and canonical names, based on X.500 specifications, are also used to identify objects.

A variety of objects build the directory’s hierarchical structure, including users, computers, printers, other objects, and container objects that store them. In addition, other components are used to make up the physical and logical structure of Active Directory. Sites represent the physical structure of a network, while domains, trees, and forests represent the logical structure. Together, they are the building blocks that make up Active Directory.

A primary administrative tool for managing Windows Server 2003 and Active Directory is the Microsoft Management Console (MMC). Using this tool, you can load snap-ins that are used to administer different aspects of Windows Server 2003 and Active Directory. Three snap-ins are predominantly used to manage Active Directory: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services. In addition to these graphical tools, new command-line tools can be used to perform administrative tasks.

Active Directory also provides mechanisms for access control and authentication. Permissions can be applied to objects to control how they are used, while security descriptors, object inheritance, and authentication are used to determine a user’s access and the permissions set on objects. Authentication methods that are supported include Kerberos, X.509 certificates, LDAP over SSL, and PKI. Through these methods, Windows Server 2003 and Active Directory are secured from unauthorized access.

Windows Server 2003 provides a number of new features and tools. For some of these to be available, the functional level of the domain and/or forest must be raised first. The functional level is similar to the domain modes used in Windows Server 2000, where backward-compatible features become deactivated and new features that older operating systems can’t use become available as you raise the level.

A good understanding of the purpose and function of directory services and the infrastructure and topology of Active Directory are key elements in getting the most out of this powerful database. In this chapter, we provided the overview that is necessary to fully understanding the more specific topics covered in the rest of the book.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836944500076

Exchange, Windows, and the Active Directory

Tony Redmond, in Microsoft Exchange Server 2007 with SP1, 2008

2.7 The Active Directory and Exchange

The Active Directory continues to provide the fundamental underpinning for Exchange 2007, just as it has done since Exchange 2000. Seven years or so later, we don't have to experience the same trauma that occurred when everyone had to upgrade to Windows 2000 and the Active Directory before they could deploy Exchange 2000 and most Active Directory deployments are in good shape now. Exchange also depends on the Active Directory for its permissions model and to provide the link to Edge servers so that anti-spam protection works smoothly, if you decide to deploy Edge servers for this purpose. For all these reasons and more, the Active Directory still deserves and requires attention from an Exchange administrator.

The big change for Exchange 2007 is the dependency on Active Directory sites as the basis for the message routing topology. If Active Directory replication works efficiently today, you should be in good shape to move forward with Exchange 2007. Moving to the 64-bit version of Windows may be a more interesting challenge because of the potential that exists to consolidate domain controllers and Global Catalogs into a smaller set of physical servers and it will be interesting to see how administrators approach this work. Leaving Active Directory behind (but always lurking in the background), we move on to discuss the basics of managing Exchange 2007.

URL: https://www.sciencedirect.com/science/article/pii/B9781555583552500052

MCSE 70-293: Planning Server Roles and Server Security

Martin Grasdal, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-293) Study Guide, 2003

Active Directory

To perform these functions, the domain controller must have information about users and other objects in a domain. In Windows 2000 and Windows Server 2003, this data is stored in Active Directory (AD), which is a directory service that runs on domain controllers. A directory serves as a structured source of information, containing data on objects and their attributes. Objects in the directory represent elements of your network (including users, groups, and computers). Attributes are values that define an object (such as its name, location, security rights, and other features). Using tools that access AD, an administrator can manage an object’s attributes to provide information that is accessible to users and control security at a granular level. By serving as a data store of information about a domain, AD is the means by which administrators achieve greater and more flexible control over a network.

When AD is installed, the server becomes a domain controller. Until this time, it is a member server that cannot be used for domain authentication and management of domain users or other domain-based objects. This does not mean, however, that AD can be installed on every version of Windows Server 2003. It can be installed on Standard Edition, Enterprise Edition, and Datacenter Edition, but servers running the Web Edition of Windows Server 2003 cannot be domain controllers. Web Edition servers can be only stand-alone or member servers that provide resources and services to the network.

EXAM WARNING

A server without AD installed on it can still deliver a variety of services, file storage, and access to other resources. However, until AD is installed, the server cannot authenticate domain users or provide the other functions of a domain controller. Once AD is installed, the member server ceases to be a member server and becomes a domain controller.

A Windows Server 2003 computer can be changed into a domain controller by using the Configure Your Server Wizard or by using the Active Directory Installation Wizard (DCPROMO). DCPROMO is a tool that promotes a member server to domain controller status. During the installation, a writable copy of the AD database is placed on the server’s hard disk. The file used to store directory information is called NTDS.dit and, by default, is located in %systemroot%\NTDS. When changes are made to the directory, they are saved to this file.

Each domain controller retains its own copy of the directory, containing information about the domain in which it is located. If one domain controller becomes unavailable, users and computers can still access the AD data store on another domain controller in that domain. This allows users to continue logging on to the network, even though the domain controller that is normally used is unavailable. It also allows computers and applications that require directory information to continue functioning while one of these servers is down.

Because a domain can have more than one domain controller, changes made to the directory on one domain controller must be updated on others. The process of copying these updates is called replication, which is used to synchronize information in the directory. Without replication, features in AD would fail to function properly. For example, if you added a user on one domain controller, the new account would be added to the directory store on that server. This would allow the user to log on to that domain controller, but he or she still could not log on to other domain controllers until the account was replicated. When a change is made on one domain controller, the changes need to be replicated, so that every domain controller continues to have an accurate copy of AD. This type of replication is called multi-master, because each domain controller contains a full read/write copy of the AD database.

URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500063

What is the PowerShell command to add a new user to Active Directory?

The New-ADUser cmdlet creates an Active Directory user.

What PowerShell cmdlet can be used to create a new Active Directory integrated primary zone?

The Add-DnsServerPrimaryZone cmdlet adds a specified primary zone on a Domain Name System (DNS) server. You can add an Active Directory-integrated forward lookup zone, an Active Directory-integrated reverse lookup zone, a file-backed forward lookup zone, or a file-backed reverse lookup zone.
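An added example (not from the page's sources) that ties this cmdlet to the Active Directory-integrated zone discussion above: it creates forward and reverse zones stored in the DomainDnsZones and ForestDnsZones application partitions, restricts them to secure dynamic updates, and audits existing integrated zones for nonsecure updates. The zone name corp.example.com and the 10.1.0.0/16 network are placeholders; run it on a domain controller that hosts the DNS Server role.

```powershell
# Added example: AD-integrated zones with secure-only dynamic updates.
# Assumptions: 'corp.example.com' and 10.1.0.0/16 are placeholders.
Import-Module DnsServer

# ReplicationScope 'Domain' stores the zone in the DomainDnsZones application
# partition, so it replicates only to DNS-hosting DCs in this domain.
# 'Secure' means only authenticated, AD-joined clients can update their records.
Add-DnsServerPrimaryZone -Name 'corp.example.com' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Reverse lookup zone for 10.1.0.0/16, stored forest-wide in ForestDnsZones.
Add-DnsServerPrimaryZone -NetworkId '10.1.0.0/16' -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# Verify: IsDsIntegrated should be True and DynamicUpdate should be Secure.
Get-DnsServerZone -Name 'corp.example.com' |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate

# Audit: an AD-integrated zone that still accepts NonsecureAndSecure updates
# lets any host on the network rewrite records; move such zones to Secure.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object {
        Write-Warning "Zone $($_.ZoneName) allows '$($_.DynamicUpdate)' updates; setting Secure."
        Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate 'Secure'
    }
```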

How to create OU in Active Directory using PowerShell?

Steps to create a new OU in AD using PowerShell:

1. Identify the domain in which the OU is to be created.

2. List the attributes that have to be added.

3. Create and compile the script for creating the desired OU.

4. Execute the script in PowerShell.
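An added example (not from the page's sources) that carries those OU steps through as a script and, covering the New-ADUser answer above as well, provisions a user inside the new OU. The OU name, user details and 90-day expiry are placeholders; run it with the ActiveDirectory module under an account delegated rights on the domain root.

```powershell
# Added example: create an OU, then a user inside it, then verify.
# Assumptions: OU 'Contractors', user 'jdoe' and the expiry are placeholders.
Import-Module ActiveDirectory

# 1. Identify the domain: take the DN from the directory instead of hard-coding it.
$domain   = Get-ADDomain
$parentDN = $domain.DistinguishedName          # e.g. DC=corp,DC=example,DC=com

# 2. List the attributes of the new OU.
$ouName = 'Contractors'
$ouAttr = @{
    Name                            = $ouName
    Path                            = $parentDN
    Description                     = 'External contractor accounts'
    ProtectedFromAccidentalDeletion = $true    # deletion refused until the flag is cleared
}

# 3. Create the OU only if it does not already exist (safe to re-run).
$ouDN = "OU=$ouName,$parentDN"
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $parentDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit @ouAttr
}

# Create a user in the OU. The password is prompted as a SecureString so it
# never sits in the script; New-ADUser fails if it violates the domain policy.
$userAttr = @{
    Name                  = 'Jane Doe'
    SamAccountName        = 'jdoe'
    UserPrincipalName     = "jdoe@$($domain.DNSRoot)"
    GivenName             = 'Jane'
    Surname               = 'Doe'
    Path                  = $ouDN
    AccountPassword       = (Read-Host -AsSecureString 'Initial password for jdoe')
    ChangePasswordAtLogon = $true                    # initial password is one-time
    AccountExpirationDate = (Get-Date).AddDays(90)   # contractor access is time-boxed
    Enabled               = $true
}
New-ADUser @userAttr

# 4. Verify where the account landed and how it is constrained.
Get-ADUser -Identity 'jdoe' -Properties AccountExpirationDate, PasswordLastSet |
    Select-Object SamAccountName, DistinguishedName, Enabled, AccountExpirationDate, PasswordLastSet
```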

What is the use of PowerShell in Active Directory?

The Active Directory module for Windows PowerShell is a PowerShell module that consolidates a group of cmdlets.