
Windows Server 2012: A Techie’s Insight into the Hot New Features


Presentation Transcript


  1. WSV326 Windows Server 2012: A Techie’s Insight into the Hot New Features. John Craddock, Infrastructure and Security Architect, XTSeminars Ltd, UK

  2. Windows Server 2012: Domain Controller cloning; enhanced DirectAccess; safe domain controller virtualization; RID pool enhanced management; enhanced logging; PowerShell 3.0; PowerShell Workflow; PowerShell history; Kerberos CBAC; compound identity; RemoteFX; IP Address Management; DHCP HA; AD object recovery GUI; iSCSI Target; Windows NIC teaming; virtualization, virtualization, virtualization; 32 virtual processors per VM; 1TB virtual machine memory; new 64TB VHDX format; native 4k disk support; Hyper-V Replica; Hyper-V virtual fibre channel; virtual networking; live storage migration; support for up to 64 nodes per cluster; support for 4000 VMs per cluster; Hyper-V support for up to 2 TB of physical memory; live VHD merge; Cluster Shared Volumes v2; SMB 2 support; RDMA support in SMB; scale-out file server; multi-channel SMB; virtual NIC monitor mode; storage PowerShell; network PowerShell; multi-tenancy, port ACLs / firewall; storage metering; Storage Spaces; SMI-S support inbox; virtual NUMA support; CPU metering; network metering; memory metering; RemoteFX 3D graphics remoting; touch remoting; USB remoting; VDI; guest application health monitoring; VM hardware error isolation; VM failover prioritization; trusted boot support; removable shell & IE; enables roles in VHDs offline; multi-machine management protocol; integrated workflows and PowerShell. So many new changes, and they are all hot.

  3. My first dilemma: default installation • Should I be a man or a mouse? • I went for the GUI

  4. Easy to switch between Server Core, Minimal Server Interface, GUI and Desktop Experience • Add/remove features with Install-WindowsFeature / Uninstall-WindowsFeature • Graphical Management Tools and Infrastructure = Server-Gui-Mgmt-Infra • Server Graphical Shell = Server-Gui-Shell • Desktop Experience = Desktop-Experience
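The slide gives the three feature names and the two cmdlets but not a procedure. The script below is an added example, not part of the session: it reports which GUI level a server is currently at and moves it to another level using only the feature names shown on the slide. It assumes the ServerManager module of Windows Server 2012 and the dependency order Server-Gui-Mgmt-Infra < Server-Gui-Shell < Desktop-Experience; the function names and the four level names are my own. Dropping to Minimal Server Interface or Server Core is the usual way to shrink the patch and attack surface of a server that is managed remotely, so run it with -WhatIf first and check what would be removed.

```powershell
# Added example: report and switch the GUI level of a Windows Server 2012 machine.
# Requires the ServerManager module; a restart is needed after changing the shell level.
Import-Module ServerManager

# Dependency chain (from the Server Manager feature tree): Server-Gui-Shell needs
# Server-Gui-Mgmt-Infra, and Desktop-Experience needs Server-Gui-Shell. Removing a lower
# layer removes what depends on it; installing a higher layer pulls in its dependencies.
$GuiFeatures = @('Server-Gui-Mgmt-Infra', 'Server-Gui-Shell', 'Desktop-Experience')

# Each level (names are mine) is the set of GUI features that should be present;
# everything else in $GuiFeatures is removed.
$GuiLevels = @{
    ServerCore             = @()
    MinimalServerInterface = @('Server-Gui-Mgmt-Infra')
    Full                   = @('Server-Gui-Mgmt-Infra', 'Server-Gui-Shell')
    DesktopExperience      = @('Server-Gui-Mgmt-Infra', 'Server-Gui-Shell', 'Desktop-Experience')
}

function Get-ServerGuiLevel {
    # Which of the three features are installed right now?
    $installed = @(Get-WindowsFeature -Name $GuiFeatures |
                   Where-Object { $_.Installed } |
                   Select-Object -ExpandProperty Name)

    if     ($installed -contains 'Desktop-Experience')    { 'DesktopExperience' }
    elseif ($installed -contains 'Server-Gui-Shell')      { 'Full' }
    elseif ($installed -contains 'Server-Gui-Mgmt-Infra') { 'MinimalServerInterface' }
    else                                                  { 'ServerCore' }
}

function Set-ServerGuiLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('ServerCore', 'MinimalServerInterface', 'Full', 'DesktopExperience')]
        [string]$Level,

        # Pass -Restart to let the feature cmdlets reboot the server when required.
        [switch]$Restart
    )

    $wanted   = @($GuiLevels[$Level])
    $toRemove = @($GuiFeatures | Where-Object { $wanted -notcontains $_ })

    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess(($toRemove -join ', '), 'Uninstall-WindowsFeature')) {
        Uninstall-WindowsFeature -Name $toRemove -Restart:$Restart
    }
    if ($wanted.Count -gt 0 -and $PSCmdlet.ShouldProcess(($wanted -join ', '), 'Install-WindowsFeature')) {
        # Features that are already installed are skipped, so this call is idempotent.
        Install-WindowsFeature -Name $wanted -Restart:$Restart
    }
}

# Usage:
#   Get-ServerGuiLevel
#   Set-ServerGuiLevel -Level MinimalServerInterface -WhatIf
#   Set-ServerGuiLevel -Level ServerCore -Restart
```

Going down a level never needs an install step and going up never needs an uninstall, so in practice only one of the two branches fires per call; the -WhatIf run shows exactly which features would change before anything is touched.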

  5. Make sure PowerShell is your best friend • PowerShell 3.0 with over 2000 cmdlets • Allows creation of scripts with workflow • AD PowerShell history helps you get started • Newest help files download on demand: Update-Help

  6. A tour around the management GUI

  7. Not technical, but a very useful reference • Hover & select from the Charms bar • Hover & click Metro Start • Just start typing

  8. Virtualization, virtualization, virtualization (diagram) • Clustered VMs & hosts • Virtualized domain controller support • Live Migration • Replication • Virtual machines VM1, VM2, VM3 … VMn • Network virtualization • CPU & memory virtualization • Storage virtualization • VM hardware offloading • Network Direct • HBA for VMs: direct data transfers • ODX: near-SAN capability from commodity disks • Virtualized customer networks • New dynamic memory support

  9. Impressive scalability

  10. A techie’s insight into the hot new features • So many features to choose from • Let’s look at some of the challenges I’ve faced over the last year: deploying DirectAccess; troubleshooting Kerberos and delegation issues; file server authorization and auditing; claims-based authentication; building POC environments to test it all out • If Windows Server 2012 solves my issues, that’s hot

  11. My hot three for today… • DirectAccess • Kerberos enhancements • Dynamic Access Control

  12. Windows 2008 R2 DirectAccess: simple? • When a DirectAccess client connects to the Internet it is automatically connected to the corporate intranet • No user action required • (Diagram: Internet / corporate intranet) • It’s a truly great user experience, but…

  13. Maybe not simple? (Diagram: Internet / corporate intranet) • Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4 • Internet tunnelling selection based on client location: Internet, NAT, firewall • Encryption/authentication of Internet traffic (end-to-edge/end-to-end); PKI required • Client location detection: Internet or corporate intranet; certificates require PKI

  14. 2008 additional challenges, and how Windows Server 2012 fixes all and more…
      • UAG required for load-balancing, support for IPv4 intranet endpoints, NAT64 & DNS64 → built in
      • Requires two consecutive public IPv4 addresses → NAT
      • Multi-domain support complex → multi-domain support
      • Poor multi-site support → multiple entry points with automatic failover
      • Monitoring and troubleshooting problematic → comprehensive
      • RRAS & DA could not coexist → one role supports both
      • 2FA only supported for smart cards, no OTP support → OTP & virtual smart card
      • Many deployments didn’t get off the drawing board → now it’s easier

  15. One tunnel or two? • DA on Windows 2008 R2 creates an infrastructure tunnel and an intranet tunnel • Client certificates and computer/user accounts are used to authenticate to each tunnel endpoint • Certificates are required to support Windows 7 clients, NAP and 2FA clients • Windows 8 clients can be supported through a single-tunnel configuration: authentication to the endpoint is managed through a Kerberos Proxy; uses IPHTTPS; IPHTTPS optimised via SSL with NULL encryption

  16. 3 clicks and you’re done, or full feature • For small to medium deployments the Getting Started Wizard will automatically deploy DA: single tunnel, IPHTTPS, single public IP or NAT, and no PKI • If no public SSL cert is available a self-signed cert is automatically generated • Client group policy is deployed using a WMI filter • For a full-featured DirectAccess deployment you will need to go through the Remote Access Setup Wizard • You can use the Getting Started Wizard and access the setup wizard afterwards

  17. Just 3-clicks

  18. My hot three for today • Direct Access • Kerberos enhancements • Dynamic Access Control

  19. Kerberos changes • We’ve seen the Kerberos Proxy in action • This is used for DirectAccess and Remote Desktop users and cannot be deployed on the edge for other functions • There are a number of other changes to Kerberos to enhance day-to-day operations: increase to the maximum Kerberos SSPI context buffer size; PAC group compression; warning events for large token sizes; increased logging • Hot topics for me are claims support and delegation

  20. Adding claims to the Kerberos token (diagram) • Pre-Windows 8: the user’s group memberships are added to the PAC; authorization is based on group membership • Windows 8 compound ID: the PAC contains the user’s groups and claims plus device groups and claims; authorization is based on group membership, user claims and device claims

  21. Enabling Kerberos for claims • Enable the KDC administrative template “Support for Dynamic Access Control and Kerberos armoring” • Kerberos armoring, also referred to as Flexible Authentication Secure Tunnelling (FAST), provides: a protected channel between the Kerberos client and the KDC; protection against offline dictionary attacks; signed Kerberos error messages; spoofing prevention; compound identity

  22. Delegation • Prior to Windows Server 2012, constrained delegation required the front- and back-end services to be in the same domain • 2012 allows delegation across domains and forest trusts • Protect back-end services by setting the service account parameter PrincipalsAllowedToDelegateToAccount • Block cross-forest delegation by setting netdom trust /EnableTGTDelegation to “no”
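The slide names the two controls but shows neither. The script below is an added example, not from the session, that configures the back-end side of cross-domain delegation with the Active Directory module and then audits which accounts in the domain have published such a list. The host names WEB01 and SQL01 and the domain names corp.example.com and partner.example.net are constructed for illustration; the function names are mine. The netdom command at the end is the one the slide refers to, shown in comments because it is a separate tool.

```powershell
# Added example: configure and audit Windows Server 2012 delegation controls.
# Assumed (constructed) names: WEB01 is a front end in corp.example.com that must
# delegate to SQL01, a back end in the domain the script runs against.
Import-Module ActiveDirectory

function Set-BackEndDelegation {
    param(
        [Parameter(Mandatory = $true)][string]$BackEnd,   # account that receives delegated tickets
        [Parameter(Mandatory = $true)][string]$FrontEnd,  # account allowed to delegate to it
        [string]$FrontEndDomain                           # set when the front end is in another domain/forest
    )
    # Resolve the front end; with -Server it can come from a trusted domain or forest,
    # which is what 2012 adds over same-domain constrained delegation.
    $fe = if ($FrontEndDomain) { Get-ADComputer -Identity $FrontEnd -Server $FrontEndDomain }
          else                 { Get-ADComputer -Identity $FrontEnd }

    # The back end, not the front end, owns this list. It is stored in the
    # msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the back-end account.
    Set-ADComputer -Identity $BackEnd -PrincipalsAllowedToDelegateToAccount $fe
}

function Get-ResourceBasedDelegation {
    # Audit: every computer, user and service account that has published a list of
    # principals allowed to delegate to it. An entry nobody recognises means another
    # account can obtain service tickets to that resource, so review this regularly.
    $filter   = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
    $accounts = @(Get-ADComputer       -LDAPFilter $filter -Properties PrincipalsAllowedToDelegateToAccount) +
                @(Get-ADUser           -LDAPFilter $filter -Properties PrincipalsAllowedToDelegateToAccount) +
                @(Get-ADServiceAccount -LDAPFilter $filter -Properties PrincipalsAllowedToDelegateToAccount)
    foreach ($acct in $accounts) {
        [pscustomobject]@{
            Account               = $acct.DistinguishedName
            AllowedToDelegateToIt = @($acct.PrincipalsAllowedToDelegateToAccount) -join '; '
        }
    }
}

# Blocking TGT delegation across a forest trust is done per trust with netdom, as the
# slide says; run it on a DC in the trusting domain (assumed domain names):
#   netdom trust corp.example.com /domain:partner.example.net /EnableTGTDelegation:No
# Query the current setting without changing it:
#   netdom trust corp.example.com /domain:partner.example.net /EnableTGTDelegation

# Usage:
#   Set-BackEndDelegation -BackEnd SQL01 -FrontEnd WEB01 -FrontEndDomain corp.example.com
#   Get-ResourceBasedDelegation | Format-Table -AutoSize
```

The point of the resource-based model is visible in the first function: the administrator of the back end decides who may delegate to it, so the audit in the second function is run against the resources you protect rather than against every front end that might exist in other domains.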

  23. Enabling Claims identity

  24. My hot three for today • Direct Access • Kerberos enhancements • Dynamic Access Control

  25. Defining the access requirements • Sales Consultants from the regional sales departments must have read/write access to their region’s sales documents • They are not allowed to access sales documents for other regions • Sales Managers must have access to sales documents in all regions • Sales documents with high business impact must only be viewable by Sales Managers • The access model must be applied across multiple file servers in the Active Directory forest

  26. A nice to have • High impact documents should only be accessible from client machines that are managed by the Corp Sales department

  27. How many different designs can you come up with? (Diagram of a traditional group-based design: a Sales folder with UK and US region folders, each with an HI subfolder; groups UK Sales and US Sales hold RW on their region folder, and HI UK Sales, HI US Sales and Sales Managers hold RW on the HI subfolders.) How do we guarantee HI documents are placed in the correct folders?

  28. Windows Server 2012 to the rescue… (problem → resolution)
      • No way to tag files and apply authorization and auditing based on file type → files can be classified (tagged) and policies applied based on the file’s classification
      • No way to create ACLs based on expressions; requires complex group structures → expression-based access control and auditing
      • ACLs defined using groups → expressions can contain groups, users, and user and device claims
      • Device state not supported in authorization decisions → access based on compound ID: user and device claims

  29. Elegant solutions • Access based on Central Access Policy, file and folder classification, and CBAC • Permissions applied based on file classification • No groups • We even solved the “nice to have”: high impact documents should only be accessible from client machines that are managed by the Corp Sales department • (Diagram: Sales → UK / US)
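Slides 25 to 29 state the requirements and the shape of the solution (claims, classification, a central access policy) without the objects that make it up. The script below is an added example, not from the session, that creates them with the Active Directory module. Everything beyond the cmdlet names is an assumption: that a user’s region is held in the st attribute as “UK” or “US”, that a computer’s managing department is held in its department attribute, that the managers’ group is called Sales Managers, the claim IDs ad://ext/Region and ad://ext/ManagingDept, the default resource property IDs Region_MS and Impact_MS, and the rule and policy names. The conditional ACE strings are my reading of the SDDL conditional syntax.

```powershell
# Added example: build the Dynamic Access Control objects for the regional sales scenario.
# Assumptions (not from the deck): user region in 'st', device managing department in
# 'department', group 'Sales Managers', claim/resource property IDs as set below.
Import-Module ActiveDirectory

# Suggested-value lists are arrays of ADSuggestedValueEntry(value, displayName, description).
function New-SuggestedValues([string[]]$Values) {
    $Values | ForEach-Object {
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, '')
    }
}
$regions = New-SuggestedValues 'UK', 'US'
$impacts = New-SuggestedValues 'High', 'Normal'

# 1. Claim types: what the KDC puts in the PAC (user claims and, with compound ID, device claims).
New-ADClaimType -DisplayName 'Region' -ID 'ad://ext/Region' -SourceAttribute 'st' `
    -AppliesToClasses @('user') -SuggestedValues $regions
New-ADClaimType -DisplayName 'ManagingDept' -ID 'ad://ext/ManagingDept' -SourceAttribute 'department' `
    -AppliesToClasses @('computer')

# 2. Resource properties: the classification tags files and folders carry (IDs default to <Name>_MS).
New-ADResourceProperty -DisplayName 'Region' -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValues $regions -IsSecured $true
New-ADResourceProperty -DisplayName 'Impact' -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValues $impacts -IsSecured $true
# File servers only pick up properties that belong to a resource property list.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Region', 'Impact'

# 3. Central access rules: conditional ACEs, so no per-region or per-impact groups are needed.
$mgrSid  = (Get-ADGroup -Identity 'Sales Managers').SID.Value
$baseAcl = 'O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)'   # system/admin access stays unconditional
$modify  = '0x1301bf'                                # Modify rights mask

# Consultants: read/write only where their Region claim equals the file's Region tag, never HI.
New-ADCentralAccessRule -Name 'Regional sales consultants' `
    -ResourceCondition '(Exists @RESOURCE.Region_MS)' `
    -CurrentAcl ($baseAcl +
        "(XA;;$modify;;;AU;((@USER.ad://ext/Region == @RESOURCE.Region_MS) && (@RESOURCE.Impact_MS != `"High`")))")

# Managers: every region; HI documents only from a device managed by Corp Sales (the "nice to have").
New-ADCentralAccessRule -Name 'Sales managers' `
    -ResourceCondition '(Exists @RESOURCE.Region_MS)' `
    -CurrentAcl ($baseAcl +
        "(XA;;$modify;;;$mgrSid;(@RESOURCE.Impact_MS != `"High`"))" +
        "(XA;;$modify;;;$mgrSid;((@RESOURCE.Impact_MS == `"High`") && (@DEVICE.ad://ext/ManagingDept == `"Corp Sales`")))")

# 4. The policy is what group policy pushes to the file servers and what gets applied to the Sales share.
New-ADCentralAccessPolicy -Name 'Sales documents'
Add-ADCentralAccessPolicyMember -Identity 'Sales documents' -Members 'Regional sales consultants', 'Sales managers'
```

Two things are worth checking before relying on this. The consultant rule depends on every file having a Region tag that matches the user’s claim value exactly, which is why both sides draw their values from the same suggested-value list; and the device condition only evaluates to true when the KDC issues compound identity tickets, so on clients without armoring enabled the HI branch denies even a Sales Manager, which is the safe direction to fail.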

  30. A quick tour of Dynamic Access Control

  31. So many great enhancements • Just one more I couldn’t miss…

  32. Well that’s what’s hot for me

  33. Consulting services on request: John.craddock@xtseminars.co.uk. John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars: www.xtseminars.co.uk. John Craddock, Infrastructure and Security Architect, XTSeminars Ltd, @john_craddock, blog.xtseminars.co.uk

  34. What’s hot for you?

  35. Required Slide Complete an evaluation on CommNet and enter to win!

  36. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
