930 likes | 1.33k Views
WSV312. What’s New in Active Directory in Windows Server 2012. Pete Calvert @ erucsbo. Agenda. Objectives / Takeaways Areas of Investment / Our Broad Goals New Features / Enhancements Summary of Requirements. Objectives. Provide an understanding of…
E N D
WSV312 What’s New in Active Directory in Windows Server 2012 Pete Calvert @erucsbo
Agenda • Objectives / Takeaways • Areas of Investment / Our Broad Goals • New Features / Enhancements • Summary of Requirements
Objectives • Provide an understanding of… • the broad areas we have invested in and why • the business- and/or technical-challenges that led to each of the new features • Provide detailed insights into the Active Directory features and… • define requirements and implementation specifics • highlight the value these features bring to your environment • Given the sheer volume of topics… • provide technically-deep content striving for a balance of breadth and depth • provide you material that’s sufficiently complete & technically rich to be useful outside of the session
High-Level Areas of Investment • Simplified deployment of Active Directory • Optimal deployment experiences in both private- and public-clouds • Increase consistency throughout the management experience • Accommodate business-driven security requirements through the integration of: • file-classification • claims-based authorization
Our Broad Goals • Virtualization That Just Works • All Active Directory features work equally well in physical, virtual or mixed environments • Simplified Deployment of Active Directory • Complete integration of environment preparation, role installation and DC promotion into a single UI • DCs can be deployed rapidly to ease disaster recovery and workload balancing • DCs can be deployed remotely on multiple machines from a single Windows 8 machine • Consistent command-line experience through Windows PowerShell enables automation of deployment tasks • Simplified Management of Active Directory • GUI that simplifies complex tasks such as recovering a deleted object or managing password policies • Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI • Active Directory Windows PowerShell support for managing replication and topology data • Simplify delegation and management of service accounts
New Features and Enhancements Management Miscellaneous Simplified Deployment Recycle Bin User Interface Dynamic Access Control Virtualization-Safe Technology Active Directory PowerShell History Viewer User Interface Active Directory Based Activation Rapid Deployment Fine-Grained Password Policy User Interface Kerberos Enhancements Active DirectoryPlatform Changes Active Directory Replication & Topology Cmdlets Group Managed Service Accounts
New Features and Enhancements Miscellaneous Simplified Deployment Virtualization-Safe Technology Rapid Deployment Active DirectoryPlatform Changes
Simplified Deployment • Background • adding replica DCs running newer versions of the Windows Server operating system has proven to be: • time consuming • error-prone • complex • In the past, IT pros were required to: • obtain the correct (new) version of the ADprep tools • interactively logon at specific per-domain DCs using a variety of different credentials • run the preparation tool in the correct sequence with the correct switches • wait for replication convergence between each step
Simplified Deployment • Solution • integrate preparation steps into the promotion process • automate the pre-requisites between each of them • validate environment-wide pre-requisites before beginning deployment • integrated with Server Manager and remoteable • built on Windows PowerShell for command-line and UI consistency • configuration wizard aligns to the most common deployment scenarios
Simplified Deployment: What Changed? Streamline the deployment process … by integrating preparation and promotion processes & automating pre-requisites in-between … by validating environment pre-requisites before deployment Minimize odds of deployment failures … by providing remote capabilities for both preparation and promotion processes Minimize number of touch-points … by aligning the configuration wizard to the most common deployment scenarios Optimize for common deployment paths … by integrating the full deployment experience with Server Manager Bring consistency with other Windows Server roles deployment experiences Gain UI-consistency by leveraging an enhanced command-line experience … by providing a deployment & configuration wizard that is built on top of Windows PowerShell
Simplified Deployment • Requirements • Windows Server 2012 • target forest must be Windows Server 2003 functional level or greater • introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges • subsequent DCs require only Domain Admin privileges within the target domain
Simplified Deployment ++DC Promotion Retry Logic • Since Windows 2000, DCpromo has been intolerant of transient network failures • caused promotions to fail if the network (or helper DC) “hiccupped” • Windows Server 2012 promotion employs an indefinite retry • “indefinite” because no sufficiently meaningful set of metrics available from which to assert “sufficient progress” • so we’ve deferred the decision of “failure” to the administrator
Simplified Deployment ++Enhanced Install-from-media (IFM) options • Goal of IFM deploy a DC more quickly • yet “IFM prep” in NTDSUTIL executed a mandatory offline defragmentation pass • a maintenance task that our data suggests virtually nobody uses on existing production DCs • yielded an oftentimes much smaller DIT (which is great) but at the expense of time • In Windows Server 2012, NTDSUTIL’s IFMprep enhanced • NTDSUTIL’s IFMprep now includes an option to eliminate the defragmentation pass • not the default, that remains as is • eliminates potentially hours (or days) of media preparation time • DIT will be larger (whitespace, not fragmentation) increasing copy time if slow-links involved
Simplified Deployment ++AD FS V2.1 is in-the-box • AD FS v2.0 shipped out-of-band • downloaded from http://microsoft.com • AD FS (v2.1) ships in-the-box as a server-role with Windows Server 2012 • integrated with Windows Server 2012 Dynamic Access Control
New Features and Enhancements Miscellaneous Simplified Deployment Virtualization-Safe Technology Rapid Deployment Active DirectoryPlatform Changes
Virtualization-Safe Technology • Background • common virtualization operations such as creating snapshots or copying VMs/VHDs can rollback the state of a virtual DC • introduces USN bubbles leading to permanently divergent state causing: • lingering objects • inconsistent passwords • inconsistent attribute values • schema mismatches if the Schema FSMO is rolled back • the potential also exists for security principals to be created with duplicate SIDs
How Domain Controllers are Impacted Timeline of events DC2 DC1 TIME: T1 Create Snapshot USN: 100 RID Pool: 500 - 1000 ID: A • USN rollback NOT detected: only 50 users converge across the two DCs • All others are either on one or the other DC • 100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs +100 users added TIME: T2 USN: 200 ID: A RID Pool: 600 - 1000 DC2 receives updates: USNs >100 DC1(A)@USN = 200 TIME: T3 T1Snapshot Applied! USN: 100 RID Pool: 500 - 1000 ID: A +150 more users created TIME: T4 USN: 250 DC1(A)@USN = 250 ID: A RID Pool: 650 - 1000 DC2 receives updates: USNs >200
Virtualization-Safe Technology • Solution • Windows Server 2012 virtual DCs able to detect when: • snapshots are applied • a VM is copied • built on a generation identifier (VM-generation ID) that is changed when virtualization-features such as VM-snapshot are used • Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory • protection achieved by: • discarding RID pool • resetting invocationID • re-asserting INITSYNC requirement for FSMOs
Virtualization-Safe Technology • Requirements • Windows Server 2012 DCs hosted on hypervisor platform that supports VM-Generation ID
New Features and Enhancements Miscellaneous Simplified Deployment Virtualization-Safe Technology Rapid Deployment Active DirectoryPlatform Changes
Rapid Deployment • Background • deploying virtualized replica DCs is as labor-intensive as physical DCs • virtualization brings capabilities that can simplify deployment • the result & goal of promoting additional DCs within a domain is an ~identical instance (a replica) • excluding name, IP address, etc. • deployment today involves many (arguably redundant) steps • preparation & deployment of sysprep’d server image • manually promoting a DC using: • over-the-wire: can be time-consuming depending upon size of directory • install-from-media (IFM): media-preparation and copying adds time & complexity • post-deployment configuration steps where necessary
Rapid Deployment: Domain Controller Cloning • Solution • create replicas of virtualized DCs by cloning existing ones • i.e. copy the VHD through hypervisor-specific export + import operations • simplify interaction & deployment-dependencies between HyperVisor and Active Directory admins • note that the authorization of clones remains under Enterprise/Domain Admins’ control • a game-changer for disaster-recovery • requires ONLY a single Windows Server 2012 virtual DC per domain to quickly recover an entire forest • subsequent DCs can be rapidly deployed drastically reducing time to steady-state • enables elastic provisioning capabilities to support private-cloud deployments, etc.
Rapid Deployment: Cloning Flow Clone VM Windows Server 2012 PDC NTDS starts IDL_DRSAddCloneDC Configure network settings Obtain current VM-GenID Check authorization Locate PDC If different from value in DIT CN=Configuration |--CN=Sites |---CN=<site name> |---CN=Servers |---CN=<DC Name> |---CN=NTDS Settings Create new DC object by duplicating source DC objects (NTDSDSA, Server, Computer instances) Call _IDL_DRSAddCloneDC(name, site) Reset InvocationID, discard RID pool Save clone state (new name, password, site) Generate new DC machine account and password DCCloneConfig.xml available? Promote as replica (IFM) Dcpromo /fixclone Run (specific) sysprepproviders Parse DCCloneConfig.xml Reboot
Rapid Deployment: Domain Controller Cloning • Requirements • Windows Server 2012 virtual DC hosted on VM-Generation-ID-aware hypervisor platforms • PDC FSMO must be running Windows Server 2012 to authorize cloning operation • source DC must be authorized for cloning • through permission on domain head – “Allow DC to create a clone of itself” • add the source DC’s computer account to the new “Cloneable Domain Controllers” group • DCCloneConfig.XML file must be present on the clone DC in one of: • directory containing the NTDS.DIT • default DIT directory (%windir%\NTDS) • removable media (virtual floppy, USB, etc.) • commonplace Windows Server 2012 services that are co-located with DCs are supported, e.g. DNS, FRS, DFSR • additional services/scheduled tasks installed on the clone-source must be added to an admin-extensible whitelist • if installed component is not present in whitelist, cloning process fails and cloned-DC boots to DSRM
New Features and Enhancements Miscellaneous Simplified Deployment Virtualization-Safe Technology Rapid Deployment Active DirectoryPlatform Changes
Brief Terminology Level-Set • RootDSE mods • aka. operational attributes • LDAP’s answer to RPC • Constructed attributes • typically imposes a compute burden—the answer is “constructed” based on something else • query processor will reject anything other than a base-scoped filter that includes a constructed attribute • typically not defined in the schema—known only to the code • LDAP controls and matching rules • affect the way the query processor handles things, e.g. • return deleted objects (a control that is checked in along with the query) • bitwise comparison (a matching rule) (searchFlags:1.2.840.113556.1.5.807:=1) • Finite address spaces within Active Directory • RIDs (exposed) • DNTs (exposed but new to Windows Server 2012) • LIDs (not exposed)
RID Improvements • Background • a recent bout of cases involving RID depletion or complete global RID-space exhaustion motivated an investigation into root cause • a couple of bugs were identified and fixed • the investigation also highlighted the need for general improvements and concerns around finite scale limitations
RID Improvements • Account creation failure can cause the loss of 1 RID • a RID was leaked because a user was being created that didn’t meet policy • the RID was allocated, the user created, failed to meet policy user deleted RID leaked • fixed in Windows Server 2012 by maintaining an in-memory bucket of RIDs that are available for reuse • note that if the DC is rebooted, the reuse list is lost • reuse list is used preferentially over RID pool if entries exist • size of the reuse list bound by the maximum number of user-creation attempts that simultaneously hit a failure case • our projections indicate single-digit size, i.e. nothing to take into account in sizing exercises • Prevent RID allocation during failed computer account creation by privilege by standard domain user • this is just another path (through domain join, for example) that permits the creation of computer accounts • the logic above is used in exactly the same way to eliminate the leak • Log event when a RID pool is invalidated • invalidation occurs via a rootDSE mod. and more natural scenarios, e.g. virtual DC safeties, DIT restoration
RID Improvements • Missing rIDSetReferences value will lead to RID pool exhaustion • attribute not correctly recreated when a DC’s computer account is deleted, later detected by the DC and reincarnated • DC checks attribute for pointer to its RID pool • attribute isn’t populated • DC assumes no RID pool and requests a new one • DC receives RID pool from RID FSMO and attempts to write new RID block to its RID set and fails because no rIDSetReference exists • 30 seconds later, DC repeats process burning through <RID block size> RIDs on each attempt • a single offending DC will eat through the entire global RID space in ~2 years using default RID block size of 500 • in Windows Server 2012, you guessed it – we fixed this • reincarnation populates the necessary attributes • Enforce a maximum cap on the RID policy RID Block Size • in the past, the RID block size was configurable on the RID FSMO’s registry and imposed no upper bound • in Windows Server 2012, the maximum permissible admin-configured RID block size is 15,000 (values >15K == 15K)
RID Improvements • Periodic RID Consumption Warning • at 10% of remaining global space, system logs informational event • first event at 100,000,000 RIDs used, second event logged at 10% of remainder • remainder = 900,000,000 • 10% of remainder = 90,000,000 • second event logged at 190,000,000 • existing RID consumption plus 10% of remainder • events become more frequent as the global space is further depleted
RID Improvements • RID Manager artificial ceiling protection mechanism • think of this as a soft ceiling • blocks further allocations of RID pools • when hit, system flips msDS-RIDPoolAllocationEnabled on the RID Manager$ object to FALSE administrator flips back to TRUE to override • log an event indicating we’ve reached the ceiling • an additional warning is logged when the global RID spaces reaches 80% • the attribute can only be set to FALSE by the SYSTEM and is mastered by the RID FSMO (i.e. write it against the RID FSMO) • DA can set it back to TRUE • NOTE: it is set to TRUE by default (possibly obvious) • the soft ceiling is 90% of the global RID space and is not configurable • the soft ceiling is deemed as ”reached” when a RID pool containing the 90% RID is issued
RID Improvements • Unlock 31st bit in the global RID space • yes–we actually did it… and yes again, we tested the living s… well, we really tested it a lot • doubles global RID space from 1 billion to 2 billion • irreversible action so take care • CANNOT be authoritatively restored (unless it’s the only DC in the domain) • 31st bit is unlocked via a rootDSE mod (requires Windows Server 2012 RID FSMO) • sidCompatibilityVersion:1 • other DCs must be running Windows Server 2012 to exploit this • plan is, however, to backport it to Windows Server 2008 R2 • downlevel DCs will receive pools that use the higher order bit but will refuse to issue RIDs to new principals from within it, i.e. the DCs are good for everything other than creating new principals • they will, for example, happily authenticate users with RIDs above 1 billion
Deferred Index Creation • Adding indices to existing attributes resulted in DC performance issues, i.e. • DCs received schema update through replication • 5 minutes later, DCs refresh their schema cache • many/all DCs ~simultaneously begin building the index • Windows Server 2012 introduces new DSheuristic • 18th byte but uses a zero-base, so some say the 19th byte • setting it to 1 causes any Windows Server 2012 DC to defer building indices until: • it receives the UpdateSchemaNowrootDSE mod. (triggers rebuild of the schema cache) • it is rebooted (which requires that the schema cache be rebuilt and, in turn, the deferred indices) • any attribute that is in a deferred index state will be logged in the Event Log every 24 hours • 2944: index deferred – logged once • 2945: index still pending – logged every 24 hours • 1137: index created – logged once (not a new event)
Expose DNTs on rootDSE • Active Directory’s DIT uses DNTs • if we think of the DIT as a spreadsheet, DNTs are very much like row numbers • finite address space == 2^31 (~2 billion) • DNTs are NOT replicated (a database-local concept) • never re-used (the value only ever increases) • DNTs are never re-serialized (or reclaimed) except during over-the-wire promotions • neither IFM or cloning will re-serialize them • once you run out, the DC must be demoted and re-promoted over-the-wire • determining the DNT for a given DC required that you dump its database or programmatically interrogate the DIT • time consuming, impacts performance and disk space • Windows Server 2012 Active Directory exposes DNTs via: • rootDSE constructed attribute: approximateHighestInternalObjectID • perfmon counter, too
Off-Premises Domain Join • Extends offline domain-join by allowing the blob to accommodate Direct Access prerequisites • Certs • Group Policies • What does this mean? • a computer can now be domain-joined over the Internet if the domain is Direct Access enabled • getting the blob to the non-domain-joined machine is an offline process and the responsibility of the admin
Connected Accounts • Background • a consumer-oriented feature coupled with ModernUIproviding enhanced app-dev. capabilities • provides an out-of-box ability to interactively logon to Windows 8 as a “connected” Live ID • roams certain aspects of a user’s profile between Windows 8 computers sharing the same connected Live ID
Connected Accounts • Live ID logon to Windows with a connected Active Directory user account is NOT supported • connecting local accounts on domain-joined machines IS supported • SSO to Live-supported web sites still functions as does profile sync, etc. • Group Policy setting can disable Live ID connected accounts completely • Server SKUs do NOT support connected accounts • Note that Windows 8 client applications that are built to use ModernUIare able to leverage a rich set of features specific only to connected accounts
Connected Accounts • Object Picker and Windows as a whole will correctly display the Live ID, not the local account • any legacy applications will still see the NT-style account name • Administrator must associate the Live ID with the target account • this can be done retroactively or during the OOBE (page 2) • Connected local user WILL appear in Local Users and Groups • password change attempts will be blocked
Enhanced LDAP logging • Enhanced LDAP logging added in Windows Server 2012 • existing LDAP logging capabilities deemed insufficient • unable to isolate/diagnose root cause of many behaviors/failures with existing logging • Enabled through registry via logging overrides or level 5 LDAP logging • additional logging logs entry and exit stats for a given API • we now also track the entry and exit tick making it feasible to determine sequence of events • entry: logs the operation name, the SID of the caller’s context, the client IP, entry tick and client ID • exit: logs the operation name, the SID of the caller’s context, client IP, entry and exit tick and client ID • … further details on this in the appendix of this deck
New LDAP Controls/Behaviors • Batched extended-LDAP operations (1.2.840.113556.1.4.2212) • Require server-sorted search use index on sort attribute (1.2.840.113556.1.4.2207) • DirSync_EX_Control (1.2.840.113556.1.4.2090) • TreeDelete control with batch size (1.2.840.113556.1.4.2204) • Include ties in server-sorted search results (1.2.840.113556.1.4.2210) • Return highest change stamp applied as part of an update (1.2.840.113556.1.4.2205) • Expected entry count (1.2.840.113556.1.4.2211) • … details on each of these new controls in the appendix of this deck
New Features and Enhancements Management Miscellaneous SimplifiedDeployment Recycle Bin User Interface Dynamic Access Control Virtualization-Safe Technology Active Directory PowerShell History Viewer User Interface Active Directory Based Activation RapidDeployment Fine-Grained Password Policy User Interface Kerberos Enhancements Active DirectoryPlatform Changes Active Directory Replication & Topology Cmdlets Group Managed Service Accounts
New Features and Enhancements Management Recycle Bin User Interface Dynamic Access Control Active Directory PowerShell History Viewer User Interface Active Directory Based Activation Fine-Grained Password Policy User Interface Kerberos Enhancements Active Directory Replication & Topology Cmdlets Group Managed Service Accounts
Recycle Bin User Interface • Background • the Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery • scenarios requiring object recovery via the Recycle Bin are typically high-priority • recovery from accidental deletions, etc. resulting in failed logons / work-stoppages • the absence of a rich, graphical interface complicated its usage and slowed recovery
Recycle Bin User Interface • Solution • simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center • deleted objects can now be recovered within the graphical user interface • greatly reduces recovery-time by providing a discoverable, consistent view of deleted objects
Recycle Bin User Interface • Requirements • Recycle Bin’s own requirements must first be satisfied, e.g. • Windows Server 2008 R2 forest functional level • Recycle Bin optional-feature must be switched on • Windows Server 2012 Active Directory Administrative Center • Objects requiring recovery must have been deleted within Deleted Object Lifetime (DOL) • defaults to 180 days
New Features and Enhancements Management Recycle Bin User Interface Dynamic Access Control Active Directory PowerShell History Viewer User Interface Active Directory Based Activation Fine-Grained Password Policy User Interface Kerberos Enhancements Active Directory Replication & Topology Cmdlets Group Managed Service Accounts
Dynamic Access Control (DAC) • Background • today, it’s difficult to translate business-intent using existing authorization model • no central administration capabilities • existing expression language makes it hard or impossible to fully express requirements • increasing regulatory and business requirements around compliance demand a different approach
Dynamic Access Control (DAC) • Solution • new central access policies (CAP) model • new claims-based authorization platform enhances, not replaces, existing model • user-claims and device-claims • user+device claims = compound identity • includes traditional group memberships too • use of file-classification information in authorization decisions • modern authorization expressions, e.g. • evaluation of ANDed authorization conditions • leveraging classification and resource properties in ACLs • easier Access-Denied remediation experience • access- and audit-policies can be defined flexibly and simply, e.g. • IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor
Dynamic Access Control (DAC) • Requirements • Windows 8 or Windows Server 2012 file servers (no DCs necessary yet) • modern authorization expressions, e.g. • evaluating ANDed authorization conditions • NOTE: leveraging classification and resource properties in ACLs requires the Windows Server 2012 schema • Access Denied Remediation • 1 or more Windows Server 2012 DCs required for Kerberos claims • Central Access Policies (CAP) support • must enable the claims-policy in a Domain Controller-scoped policy, e.g. Default Domain Controllers Policy • once configured, Windows 8 clients might use only Windows Server 2012 DCs • enough DCs must be deployed to service the load imposed by uplevel clients and servers (piling-on) • Windows Server 2012 Active Directory Administrative Center to administer CAPs and CAPRs • CAPR = Claims Access Policy Rules • for device-claims, compound ID must be switched on at the target service account • via Group Policy or directly editing the corresponding objects • downlevel clients require DFL 5 in order to receive claims from a KDC • in the absence of that, uplevel servers able to use S4U2Self to obtain claims-enabled ticket on caller’s behalf • note that Authentication Mechanism Assurance (AMA) SIDs/claims and device authorization data not available since context around authentication method and device already lost
Kerberos Claims (DAC) in AD FS • Background • AD FS v2.0 is able to generate user-claims directly from NTtokens • also capable of further expanding claims based on attributes in Active Directory and other attribute stores • in Windows Server 2012, we know that Kerberos tickets can also contain claims • but AD FS 2.0 can’t read claims from Kerberos tickets • forced to make additional LDAP calls to Active Directory to source user-attribute claims • cannot leverage device-attribute claims at all