
Windows Server 2012 Active Directory - what’s in it for me?


Presentation Transcript


  1. Windows Server 2012 Active Directory - what’s in it for me? Tony Murray, Directory Services MVP

  2. Microsoft’s Broad Goals
     • Virtualization That Just Works
       • All Active Directory features work equally well in physical, virtual or mixed environments
     • Simplified Deployment of Active Directory
       • Complete integration of environment preparation, role installation and DC promotion into a single UI
       • DCs can be deployed rapidly to ease disaster recovery and workload balancing
       • DCs can be deployed remotely on multiple machines from a single Windows Server 2012 machine
       • Consistent command-line experience through Windows PowerShell enables automation of deployment tasks
     • Simplified Management of Active Directory
       • GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
       • Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
       • Active Directory Windows PowerShell support for managing replication and topology data
       • Simplify delegation and management of service accounts

  3. New Features and Enhancements
     • Simplified Deployment
     • Virtualization-Safe Technology
     • Rapid Deployment
     • Active Directory Platform Changes
     • Management
       • Recycle Bin User Interface
       • Active Directory PowerShell History Viewer User Interface
       • Fine-Grained Password Policy User Interface
       • Active Directory Replication & Topology Cmdlets
     • Miscellaneous
       • Dynamic Access Control
       • Active Directory Based Activation
       • Kerberos Enhancements
       • Group Managed Service Accounts

  4. Simplified Deployment
     • Background
       • adding replica DCs running newer versions of the Windows Server operating system has proven to be:
         • time consuming
         • error-prone
         • complex
       • In the past, IT pros were required to:
         • obtain the correct (new) version of the ADprep tools
         • interactively log on at specific per-domain DCs using a variety of different credentials
         • run the preparation tool in the correct sequence with the correct switches
         • wait for replication convergence between each step

  5. Simplified Deployment
     • Solution
       • integrate preparation steps into the promotion process
       • automate the pre-requisites between each of them
       • validate environment-wide pre-requisites before beginning deployment
       • integrated with Server Manager and remoteable
       • built on Windows PowerShell for command-line and UI consistency
       • configuration wizard aligns to the most common deployment scenarios
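The remote, PowerShell-driven promotion described on slides 4 and 5, as an added example that is not part of the presentation. It assumes a Windows Server 2012 management machine, a domain-joined target server SRV-DC02, the domain contoso.com, a site named Branch01 and a credential with Domain Admins rights; the ADDSDeployment cmdlets run adprep for you when the forest or domain has not yet been prepared.

```powershell
# Added example (not from the presentation). Assumed names: SRV-DC02, contoso.com, Branch01.
$domainCred = Get-Credential -Message 'Domain Admin credential for contoso.com'
$dsrmPwd    = Read-Host -AsSecureString 'Directory Services Restore Mode password'

Invoke-Command -ComputerName SRV-DC02 -Credential $domainCred -ArgumentList $domainCred, $dsrmPwd -ScriptBlock {
    param($DomainCred, $DsrmPassword)

    # 1. Role installation only; nothing is promoted yet.
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # 2. Validate environment-wide prerequisites before anything is changed.
    #    This is the check the wizard runs; it reports Status = Success when
    #    forest/domain prep, DNS, credentials and the site are all usable.
    $check = Test-ADDSDomainControllerInstallation -DomainName 'contoso.com' `
        -Credential $DomainCred -SiteName 'Branch01' -InstallDns `
        -SafeModeAdministratorPassword $DsrmPassword
    if ($check.Status -ne 'Success') {
        throw "Prerequisite check failed: $($check.Message)"
    }

    # 3. Promotion. Forest/domain preparation happens inside this one step
    #    (no separate adprep run, no per-domain interactive logon).
    Install-ADDSDomainController -DomainName 'contoso.com' `
        -Credential $DomainCred -SiteName 'Branch01' -InstallDns `
        -SafeModeAdministratorPassword $DsrmPassword `
        -NoRebootOnCompletion -Force
}

# Reboot the new DC from the management box once you have reviewed the output.
Restart-Computer -ComputerName SRV-DC02 -Credential $domainCred -Force
```

Repeat the Invoke-Command against a list of server names to deploy several DCs from the same machine, which is the multi-target scenario slide 2 refers to.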

  6. Virtualization-Safe Technology
     • Background
       • common virtualization operations such as creating snapshots or copying VMs/VHDs can rollback the state of a virtual DC
       • introduces USN bubbles leading to permanently divergent state causing:
         • lingering objects
         • inconsistent passwords
         • inconsistent attribute values
         • schema mismatches if the Schema FSMO is rolled back
       • the potential also exists for security principals to be created with duplicate SIDs

  7. How Domain Controllers are Impacted – Timeline of events
     • Start: snapshot of DC1 created; DC1 state is USN 100, invocationID A, RID pool 500-1000
     • T1: +100 users added on DC1, so DC1 is at USN 200, ID A, RID pool 600-1000; DC2 receives updates with USNs >100 and records DC1(A)@USN = 200
     • T2: snapshot applied! DC1 is back at USN 100, ID A, RID pool 500-1000
     • T3: +150 more users created on DC1, so DC1 is at USN 250, ID A, RID pool 650-1000
     • T4: DC2 receives only updates with USNs >200 and records DC1(A)@USN = 250
     • USN rollback NOT detected: only 50 users converge across the two DCs
     • All others are either on one or the other DC
     • 100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs

  8. Virtualization-Safe Technology
     • Solution
       • Windows Server 2012 virtual DCs able to detect when:
         • snapshots are applied
         • a VM is copied
       • built on a generation identifier (VM-generation ID) that is changed when virtualization-features such as VM-snapshot are used
       • Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory
       • protection achieved by:
         • discarding RID pool
         • resetting invocationID
         • re-asserting INITSYNC requirement for FSMOs

  9. Virtualization-Safe Technology
     • Requirements
       • Windows Server 2012 DCs hosted on hypervisor platform that supports VM-Generation ID

  10. Rapid Deployment: Domain Controller Cloning
     • Requirements
       • Windows Server 2012 virtual DC hosted on VM-Generation-ID-aware hypervisor platforms
       • PDC FSMO must be running Windows Server 2012 to authorize cloning operation
       • source DC must be authorized for cloning
       • DCCloneConfig.XML file must be present on the clone DC
       • commonplace Windows Server 2012 services that are co-located with DCs are supported, e.g. DNS, FRS, DFSR
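The requirement checks of slides 9 and 10 and the preparation of a clone, as an added example that is not part of the presentation. It runs on the source DC (assumed name DC01, domain contoso.com) and assumes the clone will be DC03 in site Branch01 with the constructed static addresses shown; the msDS-GenerationId attribute is what a virtual DC writes once it has read the hypervisor's VM-Generation ID, so its absence is the simplest sign of an unsupported platform.

```powershell
# Added example (not from the presentation). Run on the source DC (assumed: DC01).
Import-Module ActiveDirectory

# Requirement: the PDC emulator must run Windows Server 2012 (it authorizes the clone)
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') {
    throw "PDC $($pdc.HostName) runs '$($pdc.OperatingSystem)'; cloning needs a Windows Server 2012 PDC"
}

# Requirement: VM-Generation-ID-aware hypervisor. A virtual DC that has read the
# generation ID stores it in msDS-GenerationId on its own computer object.
$src   = Get-ADDomainController -Identity 'DC01'
$genId = (Get-ADObject -Identity $src.ComputerObjectDN -Properties 'msDS-GenerationId').'msDS-GenerationId'
if (-not $genId) {
    throw 'DC01 has no msDS-GenerationId: the hypervisor does not expose a VM-Generation ID'
}

# Requirement: source DC authorized for cloning = member of "Cloneable Domain Controllers"
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $src.ComputerObjectDN

# Services co-located with the DC must be on the clone allow list; DNS, FRS and
# DFSR already are. Anything else installed here is reported and must be
# reviewed (add to CustomDCCloneAllowList.xml or uninstall) before cloning.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Unreviewed applications found on the source DC; cloning would be refused'
}

# Requirement: DCCloneConfig.xml present on the clone. Writing it on the source
# DC (into the NTDS folder) means the copied VHD carries it; the clone applies
# it at first boot when it sees the changed VM-Generation ID.
New-ADDCCloneConfigFile -CloneComputerName 'DC03' -SiteName 'Branch01' -Static `
    -IPv4Address '10.1.2.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.1.2.1' -IPv4DNSResolver '10.1.2.10'
```

After this, shut DC01 down, export/copy the VM, and start the copy; a clone whose VM-Generation ID has not changed boots into DSRM rather than promoting itself.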

  11. Recycle Bin User Interface
     • Background
       • the Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery
       • scenarios requiring object recovery via the Recycle Bin are typically high-priority
         • recovery from accidental deletions, etc. resulting in failed logons / work-stoppages
       • the absence of a rich, graphical interface complicated its usage and slowed recovery

  12. Recycle Bin User Interface
     • Solution
       • simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center
       • deleted objects can now be recovered within the graphical user interface
       • greatly reduces recovery-time by providing a discoverable, consistent view of deleted objects

  13. Recycle Bin User Interface
     • Requirements
       • Recycle Bin’s own requirements must first be satisfied, e.g.
         • Windows Server 2008 R2 forest functional level
         • Recycle Bin optional-feature must be switched on
       • Windows Server 2012 Active Directory Administrative Center
       • Objects requiring recovery must have been deleted within Deleted Object Lifetime (DOL)
         • defaults to 180 days
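What the Administrative Center's Deleted Objects node does underneath, as an added example that is not part of the presentation: it checks the three requirements on slide 13 and then restores a deleted user. It assumes the forest contoso.com and a deleted user whose name begins with jsmith (constructed).

```powershell
# Added example (not from the presentation). Assumed: forest contoso.com, deleted user "jsmith*".
Import-Module ActiveDirectory

# Requirement: forest functional level Windows Server 2008 R2 or higher
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 R2 first"
}

# Requirement: Recycle Bin optional feature switched on (irreversible once enabled)
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Requirement: still inside the Deleted Object Lifetime. The value lives on the
# Directory Service object; an unset attribute means the 180-day default.
$dsObj = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$dol   = (Get-ADObject -Identity $dsObj -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'
if (-not $dol) { $dol = 180 }

# Deleted objects keep their name as "<name>\0ADEL:<guid>" and are only visible
# with -IncludeDeletedObjects; whenChanged is stamped at deletion time.
$candidates = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and Name -like "jsmith*"' `
    -Properties whenChanged, LastKnownParent

foreach ($obj in $candidates) {
    $ageDays = ((Get-Date) - $obj.whenChanged).TotalDays
    if ($ageDays -gt $dol) {
        Write-Warning "$($obj.Name) was deleted $([int]$ageDays) days ago, beyond the DOL of $dol days"
        continue
    }
    # Complete recovery: group memberships, SID and attributes come back intact,
    # and the object returns to its last known parent container.
    Restore-ADObject -Identity $obj.ObjectGUID
    Write-Output "Restored $($obj.Name) to $($obj.LastKnownParent)"
}
```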

  14. Dynamic Access Control (DAC)
     • Solution
       • new central access policies (CAP) model
       • new claims-based authorization platform enhances, not replaces, existing model
       • use of file-classification information in authorization decisions
       • modern authorization expressions
       • easier Access-Denied remediation experience
       • access- and audit-policies can be defined flexibly and simply

  15. Dynamic Access Control (DAC)
     • Requirements
       • Windows 8 or Windows Server 2012 file servers (no DCs necessary yet)
       • 1 or more Windows Server 2012 DCs required for Kerberos claims
       • Windows Server 2012 Active Directory Administrative Center to administer CAPs and CAPRs
       • for device-claims, compound ID must be switched on at the target service account
       • downlevel clients require DFL 5 in order to receive claims from a KDC
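The CAP model of slides 14 and 15 expressed with the Active Directory module instead of the Administrative Center, as an added example that is not part of the presentation. It assumes a file server FS01, users carrying the department attribute, the claim ID ad://ext/Department and the SDDL string (all constructed for illustration); the KDC claims setting in Group Policy still has to be enabled on the Windows Server 2012 DCs separately.

```powershell
# Added example (not from the presentation). Assumed: FS01, claim ID ad://ext/Department.
Import-Module ActiveDirectory

# 1. A user claim sourced from an AD attribute. Only a Windows Server 2012 KDC
#    places it in the Kerberos ticket, hence the "1 or more 2012 DCs" requirement.
New-ADClaimType -DisplayName 'Department' -ID 'ad://ext/Department' `
    -SourceAttribute 'department' -Enabled $true

# 2. Resource property used to classify files; the built-in Department_MS is
#    disabled by default.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# 3. Central access rule. The plain ACEs keep the existing model intact (owner,
#    Builtin Administrators, SYSTEM); the XA entry is the new conditional
#    expression that compares the user's claim with the file classification.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "Finance"))'   # constructed SDDL
$rule = New-ADCentralAccessRule -Name 'Finance documents' -PassThru `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $acl

# 4. Group rules into a central access policy; Group Policy then delivers the
#    CAP to the Windows 8 / Windows Server 2012 file servers that enforce it.
New-ADCentralAccessPolicy -Name 'Finance CAP'
Add-ADCentralAccessPolicyMember -Identity 'Finance CAP' -Members $rule.Name

# 5. Device claims: compound identity must be switched on at the target
#    service account, i.e. the file server's computer account.
Set-ADComputer -Identity 'FS01' -CompoundIdentitySupported $true
```

Use -ProposedAcl instead of -CurrentAcl to stage the rule in audit-only mode and review the resulting access-denied events before enforcing it.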

  16. Kerberos Claims (DAC) in AD FS
     • Background
       • AD FS v2.0 is able to generate user-claims directly from NT tokens
       • also capable of further expanding claims based on attributes in Active Directory and other attribute stores
       • in Windows Server 2012, we know that Kerberos tickets can also contain claims
         • but AD FS 2.0 can’t read claims from Kerberos tickets
         • forced to make additional LDAP calls to Active Directory to source user-attribute claims
         • cannot leverage device-attribute claims at all

  17. Active Directory-based Activation (AD BA)
     • Background
       • today, Volume Licensing for Windows/Office requires Key Management Service (KMS) servers
         • requires minimal training
         • turnkey solution covers ~90% of deployments
       • complexity caused by lack of a graphical administration console
       • requires RPC traffic on the network which complicates matters
       • does not support any kind of authentication, so the EULA prohibits the customer from connecting the KMS server to any external network
         • i.e. connectivity alone to the service equates to activated

  18. Active Directory-based Activation (AD BA)
     • Requirements
       • only Windows 8 or Windows Server 2012 machines can leverage AD BA
       • KMS and AD BA can coexist
         • you still need KMS if you require downlevel volume-licensing
       • setup requires Windows 8 or Windows Server 2012 machine
       • requires Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers

  19. Active Directory Windows PowerShell History Viewer
     • Background
       • Windows PowerShell is a key technology in creating a consistent experience between the command-line and the graphical user interface
       • Windows PowerShell increases productivity
         • but requires investment in learning how to use it

  20. Active Directory Windows PowerShell History Viewer
     • Solution
       • allow administrators to view the Windows PowerShell commands executed when using the Administrative Center, e.g.
         • the administrator adds a user to a group
         • the UI displays the equivalent Active Directory Windows PowerShell command
       • administrators can copy the resulting syntax and integrate it into their scripts
       • reduces learning-curve
       • increases confidence in scripting
       • further enhances Windows PowerShell discoverability

  21. Active Directory Windows PowerShell History Viewer
     • Requirements
       • Windows Server 2012 Active Directory Administrative Center
       • Active Directory Web Service
         • running on a domain controller within the target domain

  22. Fine-Grained Password Policy
     • Background
       • the Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password-policies
       • in order to leverage the feature, administrators had to manually create password-settings objects (PSOs)
       • it proved difficult to ensure that the manually defined policy-values behaved as desired
         • resulted in time-consuming, trial and error administration

  23. Fine-Grained Password Policy
     • Solution
       • creating, editing and assigning PSOs now managed through the Active Directory Administrative Center
       • greatly simplifies management of password-settings objects

  24. Fine-Grained Password Policy
     • Requirements
       • FGPP requirements must be met, e.g.
         • Windows Server 2008 domain functional level
       • Windows Server 2012 Active Directory Administrative Center
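The PSO work of slides 22 to 24 done with the Active Directory module, as an added example that is not part of the presentation; the last function addresses the trial-and-error problem slide 22 describes by reporting which policy a user actually ends up with. Policy name, values and the user jsmith are constructed.

```powershell
# Added example (not from the presentation). Assumed: PSO "PSO-Admins", user jsmith.
Import-Module ActiveDirectory

# Requirement: Windows Server 2008 domain functional level or higher
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $($domain.DomainMode); FGPP needs Windows Server 2008 DFL"
}

# A stricter PSO for privileged accounts. When several PSOs apply to one user,
# the lowest Precedence wins, so leave room below the general-purpose policies.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# PSOs link to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Resultant policy: the PSO the DC will really enforce for this user, or the
# Default Domain Policy when no PSO applies.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        return $pso | Select-Object @{n='Source';e={$_.Name}}, Precedence,
            MinPasswordLength, MaxPasswordAge, LockoutThreshold, ComplexityEnabled
    }
    return Get-ADDefaultDomainPasswordPolicy | Select-Object @{n='Source';e={'Default Domain Policy'}},
        @{n='Precedence';e={$null}}, MinPasswordLength, MaxPasswordAge, LockoutThreshold, ComplexityEnabled
}

Get-EffectivePasswordPolicy -SamAccountName 'jsmith'
```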

  25. Group Managed Service Accounts (gMSA)
     • Background
       • Managed Service Accounts (MSAs) introduced with Windows Server 2008 R2
       • clustered or load-balanced services that needed to share a single security-principal were unsupported
         • MSAs not able to be used in many desirable scenarios

  26. Group Managed Service Accounts (gMSA)
     • Solution
       • introduce new security principal type known as a gMSA
       • services running on multiple hosts can run under the same gMSA account
       • 1 or more Windows Server 2012 DCs required
       • Windows Server 2012 hosts using gMSAs obtain password and password-updates from GKDS
       • password-change interval defined at gMSA account creation (30 days by default)
       • like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pool

  27. Group Managed Service Accounts (gMSA)
     • Requirements
       • Windows Server 2012 Active Directory schema updated in forests containing gMSAs
       • 1 or more Windows Server 2012 DCs to provide password computation and retrieval
       • only services running on Windows 8 or Windows Server 2012 can use gMSAs
       • Windows Server 2012 Active Directory Module for Windows PowerShell to create gMSA accounts
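A gMSA shared by a load-balanced web farm, covering the solution on slide 26 and the requirement checks on slide 27, as an added example that is not part of the presentation. Host names WEB01/WEB02, the group WebFarm-Hosts, the account svc-webfarm and the DNS name webfarm.contoso.com are constructed; schema objectVersion 56 is the Windows Server 2012 schema level.

```powershell
# Added example (not from the presentation). Assumed: WEB01, WEB02, svc-webfarm, contoso.com.
Import-Module ActiveDirectory

# Requirement: Windows Server 2012 schema (objectVersion 56) in the forest
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
if ($schemaVersion -lt 56) {
    throw "Schema objectVersion is $schemaVersion; run adprep /forestprep from Windows Server 2012 media"
}

# Requirement: at least one Windows Server 2012 DC to compute and hand out the password
if (-not (Get-ADDomainController -Filter 'OperatingSystem -like "Windows Server 2012*"')) {
    throw 'No Windows Server 2012 domain controller found'
}

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately still waits ~10 hours for replication before the key is
# usable; on a single lab DC, -EffectiveTime ((Get-Date).AddHours(-10)) skips that.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# The farm members share one principal: authorize a group, not individual hosts,
# so adding a host later is a group-membership change.
New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WebFarm-Hosts' -Members 'WEB01$', 'WEB02$'

# Password change interval can only be set at creation time (30 days is the default).
New-ADServiceAccount -Name 'svc-webfarm' -DNSHostName 'webfarm.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarm-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/webfarm.contoso.com'

# On each Windows Server 2012 host, after a reboot so its token carries the new
# group membership:
#   Install-ADServiceAccount -Identity 'svc-webfarm'
#   Test-ADServiceAccount -Identity 'svc-webfarm'     # True once the host can retrieve the password
# Then run the SCM service or IIS application pool as CONTOSO\svc-webfarm$ with an empty password.
```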

  28. Active Directory Replication & Topology Cmdlets
     • Background
       • administrators require a variety of tools to manage Active Directory’s site topology
         • repadmin
         • ntdsutil
         • Active Directory Sites and Services
         • etc.
       • results in an inconsistent experience
       • difficult to automate

  29. Active Directory Replication & Topology Cmdlets
     • Solution
       • manage replication and site-topology with Active Directory Windows PowerShell
         • create and manage sites, site-links, site-link bridges, subnets and connections
         • replicate objects between DCs
         • view replication metadata on object attributes
         • view replication failures
         • etc.
       • provides a consistent and more easily scriptable experience
       • compatible and interoperable with other Windows PowerShell Cmdlets

  30. Active Directory Replication & Topology Cmdlets
     • Requirements
       • Active Directory Web Service (ADWS)
         • or Active Directory Management Gateway (for Windows Server 2003 or 2008)
       • Remote Server Administration Tools (RSAT)
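The tasks slide 29 lists, each done with the replication cmdlets in place of repadmin or Sites and Services, as an added example that is not part of the presentation. Site and subnet names, DC names DC01/DC03 and the user DN are constructed; the pipeline output of the last two commands is the health view a detection or operations team would poll.

```powershell
# Added example (not from the presentation). Assumed: site Branch01, DCs DC01/DC03, user jsmith.
Import-Module ActiveDirectory

# Topology: site, subnet and site link, the Sites and Services work
New-ADReplicationSite -Name 'Branch01'
New-ADReplicationSubnet -Name '10.1.2.0/24' -Site 'Branch01'
New-ADReplicationSiteLink -Name 'HQ-Branch01' -SitesIncluded 'Default-First-Site-Name', 'Branch01' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Replicate a single object between DCs (repadmin /replsingleobj)
$userDn = 'CN=jsmith,OU=Users,DC=contoso,DC=com'
Sync-ADObject -Object $userDn -Source 'DC01' -Destination 'DC03'

# Replication metadata on attributes (repadmin /showobjmeta): which DC
# originated the last change to security-relevant attributes, and when
Get-ADReplicationAttributeMetadata -Object $userDn -Server 'DC01' |
    Where-Object AttributeName -in 'userAccountControl', 'pwdLastSet', 'servicePrincipalName' |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
        LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeUsn

# Replication failures across the forest (repadmin /showrepl /errorsonly)
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

# Partner metadata: last success per inbound link, and how many consecutive failures
Get-ADReplicationPartnerMetadata -Target 'DC01' -PartitionFilter Default |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult,
        ConsecutiveReplicationFailures
```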

  31. Summary of Minimum Requirements

  32. Demo – AD UI Improvements
