3. Active Directory module for PowerShell
Windows Server 2008 R2 is the first Microsoft server
OS to include PowerShell as part of the standard OS installation. To go
along with the built-in
PowerShell functionality, Windows Server 2008 R2 includes a series of
cmdlets to administer AD via PowerShell. Using the AD module for
PowerShell, you can administer users, computers, groups, domains, and
DCs from the command line.
4. Active Directory Best Practices Analyzer
AD now includes a best practices analyzer (BPA).
BPAs for other Microsoft products have been around for several years.
The most popular of these is the Exchange Server BPA. BPAs do exactly
as their name implies. The BPA will scan your servers and analyze
software configurations. It will then compare those configurations to a
list of best practices provided by the Microsoft product group
responsible for that particular piece of software. As an AD
administrator, you should run the AD BPA not only after deploying AD,
but also on a regular basis post-installation and whenever significant
configuration changes have been made to your environment. Let us
explore the AD BPA in more detail.
1. The AD BPA is automatically installed with the AD DS role. You can access the BPA by selecting the AD node in Server Manager, then scrolling down to the BPA as seen in Figure 11.
2. To run the BPA, click the Scan this Role link. This will start a scan of the AD DS on the server.
3. After the scan completes, the results of the scan will be displayed inside the BPA window. You can immediately see any noncompliant configuration settings or warnings under the Noncompliant tab. You can also click on any alert to see the full details of the issue and how to resolve it (see Figure 12).
4. You can click the Compliant tab if you want to see the rules that were run for which the system was in compliance with best practice configurations.
5. The BPA can be rerun at any time from Server Manager. Run this tool and remediate any issues on a regular basis to ensure that your AD domain remains highly reliable and healthy.
Active Directory BPA and previous OS versions
The AD BPA can be run against DCs running the
previous version of Windows Server to check for misconfigurations on
those OSs as well.
Active Directory Web Services
Windows Server 2008 R2 AD includes Web services that
provide remote management capabilities for AD. The Active Directory Web
Services are primarily built to allow administrators to remotely
administer AD using PowerShell. This allows you to send PowerShell
commands to a remote DC from your local PC or other management server.
Additionally, the Active Directory Web Services provide a way for
developers to write applications that use the Web services to interact
with AD.
Active Directory Administrative Center
The new Active Directory Administrative Center
(ADAC) provides a way for administrators to perform regular management
tasks via an easy-to-use interface built on top of PowerShell. This
means that as an administrator you can use the GUI interface to perform
a task and the GUI then makes a call to a PowerShell script or cmdlet
to complete the requested task. Most of the same functions you perform
in ADUC can be performed in the new, richer ADAC GUI. Whether
you are a new or seasoned Windows administrator, you will want to check
out the new AD Admin Center.
Managed service accounts
Many applications and network services require the
use of service accounts. These accounts are typically dedicated to a
specific application and have passwords set to never expire. This
ensures no accidental service disruption due to the expiring of a
password. This, however, poses a security problem, especially for
organizations that must comply with various government regulations.
Microsoft has addressed this issue with a new feature known as Managed
Service Accounts. Managed service accounts allow AD to automatically
manage the passwords and Service Principal Names (SPNs). AD will
automatically manage and change the password on a regular basis and
ensure that the service using the account receives the password update. A
managed service account is not created using the ADUC console but via
the New-ADServiceAccount PowerShell cmdlet.
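As an added example (not from the original text), the following AD module script creates a managed service account, binds it to the host that will run the service, confirms that AD rather than an administrator owns the password, and then lists the conventional accounts that still carry never-expiring passwords. The account name svc-WebApp, the host APP01 and the domain contoso.com are assumed placeholders.

```powershell
# Added example, not from the original text. Assumed placeholders: the
# account svc-WebApp, the host APP01 and the domain contoso.com.
Import-Module ActiveDirectory

$msaName  = 'svc-WebApp'
$hostName = 'APP01'
# Default container for managed service accounts in a 2008 R2 domain
$msaPath  = 'CN=Managed Service Accounts,DC=contoso,DC=com'

# 1. Create the account. No password is supplied: AD generates and rotates it.
New-ADServiceAccount -Name $msaName -Path $msaPath -Enabled $true `
    -Description 'Web application service; password maintained by AD'

# 2. Authorize the computer that will run the service to retrieve the
#    account's password. Run on a DC or any machine with the AD module.
Add-ADComputerServiceAccount -Computer $hostName -ServiceAccount $msaName

# 3. On APP01 itself, cache the account locally so services can log on
#    with it (requires the AD module on that host):
#    Install-ADServiceAccount -Identity 'svc-WebApp'

# 4. Verify: the password timestamp advances without an administrator
#    touching it, and only the intended host is bound to the account.
Get-ADServiceAccount -Identity $msaName -Properties PasswordLastSet, HostComputers |
    Select-Object Name, Enabled, PasswordLastSet, HostComputers

# 5. Audit the remaining conventional service accounts: enabled users whose
#    password never expires and that carry an SPN (so a service depends on
#    them). These are the accounts the text flags as a compliance problem
#    and the candidates for migration to managed service accounts.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName |
    Where-Object { $_.ServicePrincipalName.Count -gt 0 } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join ';' } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Steps 1, 2 and 4 run from any host with the AD module; step 3 must be run on the service host itself.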
AD BPA and previous versions of Active Directory
The AD BPA can be pointed at other DCs
besides the one it is installed on. This allows you to run a best
practice check against other Windows 2008 R2 DCs or even downlevel DCs
running Windows Server 2008 R1 and Windows Server 2003.