What's New in Active Directory in Windows Server 2012

What's New in Active Directory in Windows Server 2012

SIA312 Whats New in Active Directory in Windows Server 2012 Dean Wells Active Directory Product Group Microsoft Agenda Objectives / Takeaways Areas of Investment / Our Broad Goals New Features / Enhancements Summary of Requirements Objectives Provide an understanding of the broad areas we have invested in and why the business- and/or technical-challenges that led to each of the new features Provide detailed insights into the Active Directory features and define requirements and implementation specifics

highlight the value these features bring to your environment Given the sheer volume of topics provide technically-deep content striving for a balance of breadth and depth provide you material thats sufficiently complete & technically rich High-Level Areas of Investment Simplified deployment of Active Directory Optimal deployment experiences in both private- and public-clouds Increase consistency throughout the management experience Accommodate business-driven security requirements through the integration of: file-classification claims-based authorization Our Broad Goals Virtualization That Just Works All Active Directory features work equally well in physical, virtual or mixed environments Simplified Deployment of Active Directory

Complete integration of environment preparation, role installation and DC promotion into a single UI DCs can be deployed rapidly to ease disaster recovery and workload balancing DCs can be deployed remotely on multiple machines from a single Windows 8 machine Consistent command-line experience through Windows PowerShell enables automation of deployment tasks Simplified Management of Active Directory GUI that simplifies complex tasks such as recovering a deleted object or managing password policies Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI Active Directory Windows PowerShell support for managing replication and topology data Simplify delegation and management of service accounts New Features and Enhancements Miscellaneou s

Management Simplified Simplified Deployment Deployment Recycle Recycle Bin Bin User User Interface Interface Dynamic Dynamic Access Access Control Control Virtualization-Safe Virtualization-Safe Technology

Technology Active Active Directory Directory PowerShell PowerShell History History Viewer Viewer User User Interface Interface Active Active Directory Directory Based Based Activation Activation Rapid Rapid Deployment Deployment

Fine-Grained Fine-Grained Password Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements Active Active Directory Directory Platform Platform Changes Changes Active Active Directory Directory Replication

Replication & & Topology Topology Cmdlets Cmdlets Group Group Managed Managed Service Service Accounts Accounts New Features and Enhancements Miscellaneou s Simplified Simplified Deployment Deployment Virtualization-Safe Virtualization-Safe Technology

Technology Rapid Rapid Deployment Deployment Active Active Directory Directory Platform Platform Changes Changes Simplified Deployment Background adding replica DCs running newer versions of the Windows Server operating system has proven to be: time consuming error-prone complex In the past, IT pros were required to: obtain the correct (new) version of the ADprep tools

interactively logon at specific per-domain DCs using a variety of different credentials run the preparation tool in the correct sequence with the correct switches wait for replication convergence between each step Simplified Deployment Solution integrate preparation steps into the promotion process automate the pre-requisites between each of them validate environment-wide prerequisites before beginning deployment integrated with Server Manager and remoteable built on Windows PowerShell for command-line and UI consistency configuration wizard aligns to the most common deployment Simplified Deployment: What Changed? Streamline the deployment

process by integrating preparation and promotion processes & automating pre-requisites inbetween Minimize odds of deployment failures by validating environment pre-requisites before deployment Minimize number of touch-points by providing remote capabilities for both preparation and promotion processes Optimize for common deployment paths by aligning the configuration wizard to the most common deployment scenarios Bring consistency with other

Windows Server roles deployment experiences Gain UI-consistency by leveraging an enhanced command-line experience by integrating the full deployment experience with Server Manager by providing a deployment & configuration wizard that is built on top of Windows PowerShell Simplified Deployment Requirements Windows Server 2012 target forest must be Windows Server 2003 functional level or greater introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges subsequent DCs require only Domain Admin privileges within the target domain Simplified Deployment ++

DC Promotion Retry Logic Since Windows 2000, DCpromo has been intolerant of transient network failures caused promotions to fail if the network (or helper DC) hiccupped Windows Server 2012 promotion employs an indefinite retry indefinite because no sufficiently meaningful set of metrics available from which to assert sufficient progress so weve deferred the decision of failure to the administrator Simplified Deployment ++ Enhanced Install-from-media (IFM) options Goal of IFM deploy a DC more quickly yet IFM prep in NTDSUTIL executed a mandatory offline defragmentation pass a maintenance task that our data suggests virtually nobody uses on existing production DCs yielded an oftentimes much smaller DIT (which is great) but at the

expense of time In Windows Server 2012, NTDSUTILs IFMprep enhanced NTDSUTILs IFMprep now includes an option to eliminate the defragmentation pass not the default, that remains as is eliminates potentially hours (or days) of media preparation time DIT will be larger (whitespace, not fragmentation) increasing copy time if slowlinks involved Simplified Deployment ++ AD FS V2.1 is in-the-box AD FS v2.0 shipped out-of-band downloaded from http://microsoft.com AD FS (v2.1) ships in-the-box as a server-role with Windows Server 2012 integrated with Windows Server 2012 Dynamic Access Control New Features and Enhancements Miscellaneou s

Simplified Simplified Deployment Deployment Virtualization-Safe Virtualization-Safe Technology Technology Rapid Rapid Deployment Deployment Active Active Directory Directory Platform Platform Changes Changes Virtualization-Safe Technology Background common virtualization operations

such as creating snapshots or copying VMs/VHDs can rollback the state of a virtual DC introduces USN bubbles leading to permanently divergent state causing: lingering objects inconsistent passwords inconsistent attribute values schema mismatches if the Schema FSMO is rolled back the potential also exists for security principals to be created with duplicate SIDs Virtualization-Safe Technology Solution Windows Server 2012 virtual DCs able to detect when: snapshots are applied a VM is copied built on a generation identifier (VM-generation ID) that is

changed when virtualization-features such as VM-snapshot are used Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory protection achieved by: discarding RID pool resetting invocationID re-asserting INITSYNC requirement for FSMOs How Domain Controllers are Impacted DC2 DC2 Timeline of events DC1 DC1 TIME: T1 Create Snapsh ot

USN: 100 ID: RID Pool: 500 A 1000 USN rollback +100 users addedNOT TIME: T2 TIME: T3 detected: only 50 users converge across the two DCs USN: All others are either on one or the other DC 200 principals ID: RID Pool:(users 600- in this

DC2example) receives updates: USNs 100 security with RIDs 500-599 have >100 A 1000 DC1(A) conflicting SIDs @USN = 200 USN: T1 Snapshot 100 ID: RID Pool: 500 Applied! A 1000 +150 more users

created TIME: T4 USN: 250 ID: RID Pool: 650 A 1000 DC2 receives updates: USNs >200 DC1(A) @USN = 250 Virtualization-Safe Technology Requirements Windows Server 2012 DCs hosted on hypervisor platform that supports VM-Generation ID New Features and Enhancements Miscellaneou

s Simplified Simplified Deployment Deployment Virtualization-Safe Virtualization-Safe Technology Technology Rapid Rapid Deployment Deployment Active Active Directory Directory Platform Platform Changes Changes Rapid Deployment Background

deploying virtualized replica DCs is as labor-intensive as physical DCs virtualization brings capabilities that can simplify deployment the result & goal of promoting additional DCs within a domain is an ~identical instance (a replica) excluding name, IP address, etc. deployment today involves many (arguably redundant) steps preparation & deployment of sysprepd server image manually promoting a DC using: over-the-wire: can be time-consuming depending upon size of directory install-from-media (IFM): media-preparation and copying adds time & complexity Rapid Deployment: Domain Controller Cloning Solution create replicas of virtualized DCs by cloning existing ones i.e. copy the VHD through hypervisor-specific export + import operations simplify interaction & deployment-dependencies between HyperVisor and Active Directory admins

note that the authorization of clones remains under Enterprise/Domain Admins control a game-changer for disaster-recovery requires ONLY a single Windows Server 2012 virtual DC per domain to quickly recover an entire forest subsequent DCs can be rapidly deployed drastically reducing time to steady-state enables elastic provisioning capabilities to support privatecloud deployments, etc. Rapid Deployment: Cloning Flow Clone VM Windows Server 2012 PDC NTDS starts Obtain current VM-GenID If different from value in DIT Reset InvocationID,

discard RID pool DCCloneConfig.xml available? Dcpromo /fixclone Configure network settings IDL_DRSAddCloneDC Locate PDC Check authorization Call _IDL_DRSAddCloneDC(name, site) Save clone state (new name, password, site) Promote as replica (IFM) Run (specific) sysprep providers Parse DCCloneConfig.xml Reboot

Create new DC object by CN=Configuration duplicating source DC objects |--CN=Sites (NTDSDSA, Server, Computer |---CN= |---CN=Servers |---CN= Generate new DC machine |---CN=NTDS Settings account and password Rapid Deployment: Domain Controller Cloning Requirements Windows Server 2012 virtual DC hosted on VM-Generation-ID-aware hypervisor platforms PDC FSMO must be running Windows Server 2012 to authorize cloning operation source DC must be authorized for cloning through permission on domain head Allow DC to create a clone of itself

add the source DCs computer account to the new Cloneable Domain Controllers group DCCloneConfig.XML file must be present on the clone DC in one of: directory containing the NTDS.DIT default DIT directory (%windir%\NTDS) removable media (virtual floppy, USB, etc.) commonplace Windows Server 2012 services that are co-located with DCs are supported, e.g. DNS, FRS, DFSR additional services/scheduled tasks installed on the clone-source must be added to an adminextensible whitelist if installed component is not present in whitelist, cloning process fails and cloned-DC boots to New Features and Enhancements Miscellaneou s Simplified Simplified Deployment Deployment Virtualization-Safe Virtualization-Safe Technology Technology

Rapid Rapid Deployment Deployment Active Active Directory Directory Platform Platform Changes Changes Brief Terminology Level-Set RootDSE mods aka. operational attributes LDAPs answer to RPC Constructed attributes typically imposes a compute burdenthe answer is constructed based on something else query processor will reject anything other than a base-scoped filter that includes a constructed attribute typically not defined in the schemaknown only to the code

LDAP controls and matching rules affect the way the query processor handles things, e.g. return deleted objects (a control that is checked in along with the query) bitwise comparison (a matching rule) (searchFlags:1.2.840.113556.1.5.807:=1) Finite address spaces within Active Directory RIDs (exposed) RID Improvements Background a recent bout of cases involving RID depletion or complete global RID-space exhaustion motivated an investigation into root cause a couple of bugs were identified and fixed the investigation also highlighted the need for general improvements and concerns around finite scale limitations RID Improvements Account creation failure can cause the loss of 1 RID a RID was leaked because a user was being created that didnt meet policy the RID was allocated, the user created, failed to meet policy user deleted RID leaked fixed in Windows Server 2012 by maintaining an in-memory bucket of RIDs that are available for

reuse note that if the DC is rebooted, the reuse list is lost reuse list is used preferentially over RID pool if entries exist size of the reuse list bound by the maximum number of user-creation attempts that simultaneously hit a failure case our projections indicate single-digit size, i.e. nothing to take into account in sizing exercises Prevent RID allocation during failed computer account creation by privilege by standard domain user this is just another path (through domain join, for example) that permits the creation of computer accounts the logic above is used in exactly the same way to eliminate the leak Log event when a RID pool is invalidated invalidation occurs via a rootDSE mod. and more natural scenarios, e.g. virtual DC safeties, DIT restoration RID Improvements Missing rIDSetReferences value will lead to RID pool exhaustion attribute not correctly recreated when a DCs computer account is deleted, later detected by the DC and reincarnated DC checks attribute for pointer to its RID pool attribute isnt populated

DC assumes no RID pool and requests a new one DC receives RID pool from RID FSMO and attempts to write new RID block to its RID set and fails because no rIDSetReference exists 30 seconds later, DC repeats process burning through RIDs on each attempt a single offending DC will eat through the entire global RID space in ~2 years using default RID block size of 500 in Windows Server 2012, you guessed it we fixed this reincarnation populates the necessary attributes Enforce a maximum cap on the RID policy RID Block Size in the past, the RID block size was configurable on the RID FSMOs registry and imposed no upper bound in Windows Server 2012, the maximum permissible admin-configured RID block size is 15,000 (values >15K == 15K) RID Improvements Periodic RID Consumption Warning at 10% of remaining global space, system logs informational event first event at 100,000,000 RIDs used, second event logged at 10% of remainder remainder = 900,000,000

10% of remainder = 90,000,000 second event logged at 190,000,000 existing RID consumption plus 10% of remainder events become more frequent as the global space is further depleted RID Improvements RID Manager artificial ceiling protection mechanism think of this as a soft ceiling blocks further allocations of RID pools when hit, system flips msDS-RIDPoolAllocationEnabled on the RID Manager$ object to FALSE administrator flips back to TRUE to override log an event indicating weve reached the ceiling an additional warning is logged when the global RID spaces reaches 80% the attribute can only be set to FALSE by the SYSTEM and is mastered by the RID FSMO (i.e. write it against the RID FSMO) DA can set it back to TRUE NOTE: it is set to TRUE by default (possibly obvious)

the soft ceiling is 90% of the global RID space and is not configurable the soft ceiling is deemed as reached when a RID pool containing the 90% RID is issued RID Improvements Unlock 31st bit in the global RID space yeswe actually did it and yes again, we tested the living s well, we really tested it a lot doubles global RID space from 1 billion to 2 billion irreversible action so take care CANNOT be authoritatively restored (unless its the only DC in the domain) 31st bit is unlocked via a rootDSE mod (requires Windows Server 2012 RID FSMO) sidCompatibilityVersion:1 other DCs must be running Windows Server 2012 to exploit this plan is, however, to backport it to Windows Server 2008 R2 downlevel DCs will receive pools that use the higher order bit but will refuse to issue RIDs to new principals from within it, i.e. the DCs are good for everything other than creating new principals they will, for example, happily authenticate users with RIDs above 1 billion Deferred Index Creation

Adding indices to existing attributes resulted in DC performance issues, i.e. DCs received schema update through replication 5 minutes later, DCs refresh their schema cache many/all DCs ~simultaneously begin building the index Windows Server 2012 introduces new DSheuristic 18th byte but uses a zero-base, so some say the 19th byte setting it to 1 causes any Windows Server 2012 DC to defer building indices until: it receives the UpdateSchemaNow rootDSE mod. (triggers rebuild of the schema cache) it is rebooted (which requires that the schema cache be rebuilt and, in turn, the deferred indices) any attribute that is in a deferred index state will be logged in the Event Log every 24 hours 2944: index deferred logged once 2945: index still pending logged every 24 hours 1137: index created logged once (not a new event) Expose DNTs on rootDSE Active Directorys DIT uses DNTs if we think of the DIT as a spreadsheet, DNTs are very much like row numbers

finite address space == 2^31 (~2 billion) DNTs are NOT replicated (a database-local concept) never re-used (the value only ever increases) DNTs are never re-serialized (or reclaimed) except during over-the-wire promotions neither IFM or cloning will re-serialize them once you run out, the DC must be demoted and re-promoted over-the-wire determining the DNT for a given DC required that you dump its database or programmatically interrogate the DIT time consuming, impacts performance and disk space Windows Server 2012 Active Directory exposes DNTs via: rootDSE constructed attribute: approximateHighestInternalObjectID perfmon counter, too Off-Premises Domain Join Extends offline domain-join by allowing the blob to accommodate Direct Access prerequisites Certs Group Policies What does this mean? a computer can now be domain-joined over the Internet if the

domain is Direct Access enabled getting the blob to the non-domain-joined machine is an offline process and the responsibility of the admin Connected Accounts Background a consumer-oriented feature coupled with Metro providing enhanced app-dev. capabilities provides an out-of-box ability to interactively logon to Windows 8 as a connected Live ID roams certain aspects of a users profile between Windows 8 computers sharing the same connected Live ID Connected Accounts Live ID logon to Windows with a connected Active Directory user account

is NOT supported connecting local accounts on domain-joined machines IS supported SSO to Live-supported web sites still functions as does profile sync, etc. Group Policy setting can disable Live ID connected accounts completely Server SKUs do NOT support connected accounts Note that Windows 8 client applications that are built to use Metro are able to leverage a rich set of features specific Connected Accounts Object Picker and Windows as a whole will correctly display the Live ID, not the local account any legacy applications will still see the NT-style account name Administrator must associate the Live ID with the target account this can be done retroactively or during the OOBE (page 2) Connected local user WILL appear in Local Users and Groups password change attempts will be blocked

Enhanced LDAP logging Enhanced LDAP logging added in Windows Server 2012 existing LDAP logging capabilities deemed insufficient unable to isolate/diagnose root cause of many behaviors/failures with existing logging Enabled through registry via logging overrides or level 5 LDAP logging additional logging logs entry and exit stats for a given API we now also track the entry and exit tick making it feasible to determine sequence of events entry: logs the operation name, the SID of the callers context, the client IP, entry tick and client ID exit: logs the operation name, the SID of the callers context, client IP, entry and exit tick and client ID further details on this in the appendix of this deck New LDAP Controls/Behaviors Batched extended-LDAP operations (1.2.840.113556.1.4.2212) Require server-sorted search use index on sort attribute (1.2.840.113556.1.4.2207)

DirSync_EX_Control (1.2.840.113556.1.4.2090) TreeDelete control with batch size (1.2.840.113556.1.4.2204) Include ties in server-sorted search results (1.2.840.113556.1.4.2210) Return highest change stamp applied as part of an update (1.2.840.113556.1.4.2205) Expected entry count (1.2.840.113556.1.4.2211) details on each of these new controls in the appendix of this deck New Features and Enhancements Miscellaneou s Management Simplified Simplified Deployment Deployment Recycle Recycle Bin Bin User User Interface

Interface Dynamic Dynamic Access Access Control Control Virtualization-Safe Virtualization-Safe Technology Technology Active Active Directory Directory PowerShell PowerShell History History Viewer Viewer User User Interface Interface

Active Active Directory Directory Based Based Activation Activation Rapid Rapid Deployment Deployment Fine-Grained Fine-Grained Password Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements

Active Active Directory Directory Platform Platform Changes Changes Active Active Directory Directory Replication Replication & & Topology Topology Cmdlets Cmdlets Group Group Managed Managed Service Service Accounts Accounts

New Features and Enhancements Management Recycle Recycle Bin Bin User User Interface Interface Dynamic Dynamic Access Access Control Control Active Active Directory Directory PowerShell PowerShell History History Viewer Viewer User

User Interface Interface Active Active Directory Directory Based Based Activation Activation Fine-Grained Fine-Grained Password Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements

Active Active Directory Directory Replication Replication & & Topology Topology Cmdlets Cmdlets Group Group Managed Managed Service Service Accounts Accounts Recycle Bin User Interface Background the Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery scenarios requiring object recovery via the Recycle Bin are typically high-priority

recovery from accidental deletions, etc. resulting in failed logons / workstoppages the absence of a rich, graphical interface complicated its usage and slowed recovery Recycle Bin User Interface Solution simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center deleted objects can now be recovered within the graphical user interface greatly reduces recovery-time by providing a discoverable, consistent view of deleted objects Recycle Bin User Interface

Requirements Recycle Bins own requirements must first be satisfied, e.g. Windows Server 2008 R2 forest functional level Recycle Bin optional-feature must be switched on Windows Server 2012 Active Directory Administrative Center Objects requiring recovery must have been deleted within Deleted Object Lifetime (DOL) defaults to 180 days New Features and Enhancements Management Recycle Recycle Bin Bin User User Interface Interface Dynamic Dynamic Access

Access Control Control Active Active Directory Directory PowerShell PowerShell History History Viewer Viewer User User Interface Interface Active Active Directory Directory Based Based Activation Activation Fine-Grained Fine-Grained Password

Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements Active Active Directory Directory Replication Replication & & Topology Topology Cmdlets Cmdlets Group Group Managed Managed Service Service

Accounts Accounts Dynamic Access Control (DAC) Background today, its difficult to translate business-intent using existing authorization model no central administration capabilities existing expression language makes it hard or impossible to fully express requirements increasing regulatory and business requirements around compliance demand a different approach Dynamic Access Control (DAC) Solution new central access policies (CAP) model new claims-based authorization platform enhances, not replaces, existing model user-claims and device-claims user+device claims = compound identity includes traditional group memberships too

use of file-classification information in authorization decisions modern authorization expressions, e.g. evaluation of ANDed authorization conditions leveraging classification and resource properties in ACLs easier Access-Denied remediation experience access- and audit-policies can be defined flexibly and simply, e.g. IF resource.Confidentiality = high THEN Dynamic Access Control (DAC) Requirements Windows 8 or Windows Server 2012 file servers (no DCs necessary yet) modern authorization expressions, e.g. evaluating ANDed authorization conditions NOTE: leveraging classification and resource properties in ACLs requires the Windows Server 2012 schema Access Denied Remediation

1 or more Windows Server 2012 DCs required for Kerberos claims Central Access Policies (CAP) support must enable the claims-policy in a Domain Controller-scoped policy, e.g. Default Domain Controllers Policy once configured, Windows 8 clients might use only Windows Server 2012 DCs enough DCs must be deployed to service the load imposed by uplevel clients and servers (piling-on) Windows Server 2012 Active Directory Administrative Center to administer CAPs and CAPRs CAPR = Claims Access Policy Rules for device-claims, compound ID must be switched on at the target service account via Group Policy or directly editing the corresponding objects downlevel clients require DFL 5 in order to receive claims from a KDC in the absence of that, uplevel servers able to use S4U2Self to obtain claims-enabled ticket on callers behalf Kerberos Claims (DAC) in AD FS Background AD FS v2.0 is able to generate user-claims directly from NTtokens also capable of further expanding claims based on attributes in Active

Directory and other attribute stores in Windows Server 2012, we know that Kerberos tickets can also contain claims but AD FS 2.0 cant read claims from Kerberos tickets forced to make additional LDAP calls to Active Directory to source userattribute claims cannot leverage device-attribute claims at all Kerberos Claims (DAC) in AD FS Solution AD FS (v2.1) in Windows Server 2012 now able to populate SAML tokens with user- and deviceclaims taken directly from the Kerberos ticket Requirements DAC enabled and configured compound ID must be switched on for the AD FS service account Windows Server 2012 AD FS (v2.1) New Features and Enhancements Management

Recycle Recycle Bin Bin User User Interface Interface Dynamic Dynamic Access Access Control Control Active Active Directory Directory PowerShell PowerShell History History Viewer Viewer User User Interface Interface

Active Active Directory Directory Based Based Activation Activation Fine-Grained Fine-Grained Password Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements Active Active Directory Directory Replication

Replication & & Topology Topology Cmdlets Cmdlets Group Group Managed Managed Service Service Accounts Accounts Active Directory-based Activation (AD BA) Background today, Volume Licensing for Windows/Office requires Key Management Service (KMS) servers requires minimal training turnkey solution covers ~90% of deployments complexity caused by lack of a graphical administration console requires RPC traffic on the network which complicates

matters does not support any kind of authentication, the EULA prohibits the customer from connecting the KMS server to any external network i.e. connectivity-alone to the service equates to activated Active Directory-based Activation (AD BA) Solution use your existing Active Directory infrastructure to activate your clients no additional machines required no RPC requirement, uses LDAP exclusively includes RODCs beyond installation and service-specific requirements, no data written back to the directory activating initial CSVLK (customer-specific volume license key) requires: one-time contact with Microsoft Activation Services over the Internet (identical to retail activation) key entered using volume activation server role or using command line. repeat the activation process for additional forests up to 6 times by default activation-object maintained in configuration partition represents proof of purchase

machines can be member of any domain in the forest all Windows 8 machines will automatically activate Active Directory-based Activation (AD BA) Requirements only Windows 8 or Windows Server 2012 machines can leverage AD BA KMS and AD BA can coexist you still need KMS if you require downlevel volume-licensing setup requires Windows 8 or Windows Server 2012 machine requires Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers New Features and Enhancements Management Recycle Recycle Bin Bin User

User Interface Interface Dynamic Dynamic Access Access Control Control Active Active Directory Directory Windows Windows PowerShell PowerShell History History Viewer Viewer Active Active Directory Directory Based Based Activation

Activation Fine-Grained Fine-Grained Password Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements Active Active Directory Directory Replication Replication & & Topology Topology Cmdlets Cmdlets

Group Group Managed Managed Service Service Accounts Accounts Active Directory Windows PowerShell History Viewer Background Windows PowerShell is a key technology in creating a consistent experience between the command-line and the graphical user interface Windows PowerShell increases productivity but requires investment in learning how to use it Active Directory Windows PowerShell History Viewer Solution allow administrators to view the Windows PowerShell commands executed when using the Administrative

Center, e.g. the administrator adds a user to a group the UI displays the equivalent Active Directory Windows PowerShell command Administrators can copy the resulting syntax and integrate it into their scripts reduces learning-curve increases confidence in scripting Active Directory Windows PowerShell History Viewer Requirements Windows Server 2012 Active Directory Administrative Center Active Directory Web Service running on a domain controller within the target domain New Features and Enhancements

Management Recycle Recycle Bin Bin User User Interface Interface Dynamic Dynamic Access Access Control Control Active Active Directory Directory Windows Windows PowerShell PowerShell History History Viewer Viewer

Active Active Directory Directory Based Based Activation Activation Fine-Grained Fine-Grained Password Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements Active Active Directory Directory Replication Replication

& & Topology Topology Cmdlets Cmdlets Group Group Managed Managed Service Service Accounts Accounts Fine-Grained Password Policy Background the Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password-policies in order to leverage the feature, administrators had to manually create password-settings objects (PSOs) it proved difficult to ensure that the manually defined policy-values behaved as desired resulted in time-consuming, trial and error administration

Fine-Grained Password Policy Solution creating, editing and assigning PSOs now managed through the Active Directory Administrative Center greatly simplifies management of passwordsettings objects Fine-Grained Password Policy Requirements FGPP requirements must be met, e.g. Windows Server 2008 domain functional level Windows Server 2012 Active Directory Administrative Center New Features and Enhancements Management Recycle Recycle Bin Bin

User User Interface Interface Dynamic Dynamic Access Access Control Control Active Active Directory Directory Windows Windows PowerShell PowerShell History History Viewer Viewer Active Active Directory Directory Based

Based Activation Activation Fine-Grained Fine-Grained Password Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements Active Active Directory Directory Replication Replication & & Topology Topology Cmdlets Cmdlets

Group Group Managed Managed Service Service Accounts Accounts Flexible Authentication Secure Tunneling (FAST) Background offline dictionary attack against password-based logons possible relatively well-known concern around Kerberos errors being spoofed clients may: fallback to less-secure legacy protocols weaken their cryptographic key strength and/or ciphers Flexible Authentication Secure Tunneling (FAST) Solution Kerberos in Windows Server 2012 supports Flexible Authentication

Secure Tunneling (FAST) defined by RFC 6113 sometimes referred to as Kerberos armoring provides a protected channel between a domain-joined client and DC protects pre-authentication data for users AS_REQs uses LSK (logon session key) from computers TGT as shared secret note that computer authentication is NOT armored allows DCs to return authenticated Kerberos errors thereby protecting them from spoofing once all Kerberos clients and DCs support FAST (the admins decision to make) the domain can be configured to either require Kerberos armoring or use it upon request must first ensure all or enough DCs are running Windows Server 2012 enable the appropriate policy Flexible Authentication Secure Tunneling (FAST) Requirements

Windows Server 2012 servers ensure that all domains the client uses including transited referral domains: enable the Support CBAC and Kerberos armoring policy for all Windows Server 2012 DCs have a sufficient number of Windows Server 2012 DCs to support FAST enable Require FAST policy on supported clients RFC-compliant FAST interop requires DFL 5 Kerberos Constrained Delegation (KCD) Background Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003 KCD permits a services account (front-end) to act on the behalf of users in multi-tier applications for a limited set of back-end services, e.g. user accesses web site as user1 user requests information from web site (front-end) that requires the web server to query a SQL database (back-end) access to this data is authorized according to who accessed the front-end in this case, the web service must impersonate user1 when making the request to SQL

front-end configured with the services (by SPN) to which it can impersonate users setup/administration requires Domain Admin privileges KCD delegation only works for back-end services in the same Kerberos Constrained Delegation (KCD) Solution KCD in Windows Server 2012 moves the authorization decision to the resource-owners permits back-end to authorize which front-end service-accounts can impersonate users against their resources supports cross-domain, cross-forest scenarios no longer requires Domain Admin privileges requires only administrative permission to the back-end service-account Kerberos Constrained Delegation (KCD) Requirements clients run Windows XP or later client domain DCs running Windows Server 2003 or later front-end server running Windows Server 2012 1 or more DCs in front-end domain running Windows Server 2012

1 or more DCs in back-end domain running Windows Server 2012 back-end server account configured with the accounts that are permitted for impersonation not exposed through Active Directory Administrative Center configured through Active Directory Windows PowerShell Cmdlet: New/Set-ADComputer [-name] [-PrincipalsAllowedToDelegateToAccount ] New/Set-ADServiceAccount [-name] [-PrincipalsAllowedToDelegateToAccount ] Windows Server 2012 schema update in back-end servers forest back-end application server running Windows Server 2003 or later New Features and Enhancements Management Recycle Recycle Bin Bin User User Interface Interface Dynamic Dynamic

Access Access Control Control Active Active Directory Directory Windows Windows PowerShell PowerShell History History Viewer Viewer Active Active Directory Directory Based Based Activation Activation Fine-Grained Fine-Grained Password Password

Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements Active Active Directory Directory Replication Replication & & Topology Topology Cmdlets Cmdlets Group Group Managed Managed Service Service Accounts

Accounts Group Managed Service Accounts (gMSA) Background Managed Service Accounts (MSAs) introduced with Windows Server 2008 R2 clustered or load-balanced services that needed to share a single security-principal were unsupported MSAs not able to be used in many desirable scenarios Group Managed Service Accounts (gMSA) Solution introduce new security principal type known as a gMSA services running on multiple hosts can run under the same gMSA account 1 or more Windows Server 2012 DCs required gMSAs can authenticate against any OS-version DC passwords computed by Group Key Distribution Service (GKDS) running on all Windows Server 2012 DCs Windows Server 2012 hosts using gMSAs obtain password and

password-updates from GKDS password retrieval limited to authorized computers password-change interval defined at gMSA account creation (30 days by default) like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools support for scheduled tasks is being investigated Group Managed Service Accounts (gMSA) Requirements Windows Server 2012 Active Directory schema updated in forests containing gMSAs 1 or more Windows Server 2012 DCs to provide password computation and retrieval only services running on Windows 8 or Windows Server 2012 can use gMSAs Windows Server 2012 Active Directory Module for Windows PowerShell to create gMSA accounts New Features and Enhancements Management

Recycle Recycle Bin Bin User User Interface Interface Dynamic Dynamic Access Access Control Control Active Active Directory Directory Windows Windows PowerShell PowerShell History History Viewer Viewer Active

Active Directory Directory Based Based Activation Activation Fine-Grained Fine-Grained Password Password Policy Policy User User Interface Interface Kerberos Kerberos Enhancements Enhancements Active Active Directory Directory Replication Replication &

& Topology Topology Cmdlets Cmdlets Group Group Managed Managed Service Service Accounts Accounts Active Directory Replication & Topology Cmdlets Background administrators require a variety of tools to manage Active Directorys site topology repadmin ntdsutil Active Directory Sites and Services etc. results in an inconsistent experience difficult to automate

Active Directory Replication & Topology Cmdlets Solution manage replication and site-topology with Active Directory Windows PowerShell create and manage sites, site-links, site-link bridges, subnets and connections replicate objects between DCs view replication metadata on object attributes view replication failures etc. provides a consistent and more easily scriptable experience compatible and interoperable with other Windows PowerShell Cmdlets Active Directory Replication & Topology Cmdlets Requirements Active Directory Web Service (ADWS) or Active Directory Management Gateway

(for Windows Server 2003 or 2008) Remote Server Administration Tools (RSAT) In Review Easier to Manage Windows Server 2012 Managed Service Accounts for farms (gMSA) Support for cross-domain Kerberos Constrained Delegation Spoofing of Kerberos errors much more challenging Active Directory UI investments support in Active Directorys Administrative Center for managing deleted objects and Fine Grained Password Policies ability to view Windows PowerShell scripts that correspond to actions performed in the GUI

Easier scripting of replication and topology tasks using new Active Directory Windows PowerShell Cmdlets In the past Managed Service Accounts work only on a single machine Kerberos Constrained Delegation (KCD) works only within a single domain Kerberos errors able to be spoofed No support in Active Directory Administrative Center for Recycle Bin or Fine Grained Password Policies PowerShell code must be written from scratch Hodge-podge of incompatible command-line tools and UIs used for managing replication and topology In Review Easier to Deploy

Windows Server 2012 Safe virtualization Simplified deployment Integrated end-to-end deployment experience All deployment tasks are remoteable and automatically target the correct FSMOs Input and environment validation throughout the deployment process helps decrease failures Full Windows PowerShell support for automated deployment Rapid deployment of DCs using cloning AD FS deployment integration In the past Using snapshot features on virtual DCs results in a divergent Active Directory state Active Directory environment preparation is overly complex requiring multiple steps

DC promotion requires multiple phases to complete Deployment is not remoteable and requires interactive logon to multiple DCs Difficult to write automation scripts Summary of Minimum Requirements With this deployed ... these features become available + First Windows Server 2012 domainmember (or Windows 8 with RSAT installed)

+ + First Windows Server 2012 DC Windows Server 2012 DC holds PDC FSMO role New Active Directory Administrative Center Windows PowerShell History Viewer Graphical Recycle Bin and FGPP management Richer authorization through DAC & FCI Active Directory-based Activation

Requires Windows Server 2012 schema extensions Active Directory Replication & Topology Cmdlets AD FS (v2.1) Simplified Deployment and Preparation Dynamic Access Control policies and claims Kerberos Claims in AD FS (v2.1) Cross-domain Kerberos Constrained Delegation Group Managed Service Accounts Virtualization-Safe for the Windows Server 2012 DC requires Hypervisor support for VM-Gen-ID Rapid virtual DC deployment through DCcloning requires Hypervisor support for VM-Gen-ID SIA, WSV, and VIR Track Resources #TE(sessioncod e) Hands-On Labs Talk to our Experts at the TLC

DOWNLOAD Windows Server 2012 Release Candidate DOWNLOAD Windows Azure microsoft.com/ windowsserver Windowsazure.com/ teched Resources Learnin g Connect. Share. Discuss. Microsoft Certification & Training Resources http://northamerica.msteched.com

www.microsoft.com/learning TechNe t Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn Complete an evaluation on CommNet and enter to win! MS Tag Scan the Tag to evaluate this session now on myTechEd Mobile

Questions? Thank you [email protected] Appendix Enhanced LDAP logging Note that the registry override technique uses the Microsoft-internal DSID of the source-code file that implements the desired logging DSID used in a non-traditional manner (though similar):

typically, its: there are ~15 directories with 15+ potentially useful source files in each source-code access is a MUST (and an ability to read the code is beneficial, too ) HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\ Value [MULTI_SZ]: Logging Override

Data: 0C12FFFF (where FFFF says log everything) New LDAP Controls/Behaviors Batched extended-LDAP operations (1.2.840.113556.1.4.2212) all operations within a given batch are treated as a single transaction, i.e. all succeed or all fail primarily designed for a developer audience possible with LDP but really not realistic comprises a regular LDAP control and an unimaginably complex value concatenation of the series of BER encoding of the ASN.1 descriptions of the desired LDAP operations see, I told ya useful for programmatic schema extensions since the entire list of updates could be batched permits the entire set of updates to succeed or fail as a lump Expected entry count (1.2.840.113556.1.4.2211) LDAP control that requires a minimum and maximum value (again, BER encoded values so not trivial for the IT pro) if fewer than minimum or more than maximum, results are returned up to the exception and rounded to the nearest page size useful for uniqueness and/or absence checking (min=1 & max=1 --OR-- min=0 & max=0) when used in conjunction with batch processing it is possible to express conditional LDAP operations that fail or succeed as a transaction based on a supplied criteria

e.g. write email address to userX only IF is not already in use by anyone else carve out a filter that queries for the email address within my desired scope within an expected entry count of 0 New LDAP Controls/Behaviors Require server-sorted search use index on sort attribute (1.2.840.113556.1.4.2207) only impacts sorted searches if query optimization does not result in a correctly sorted result set, then we revert to using a simple index over the sort attribute requires postprocessing to satisfy request the term correctly is defined as the indexs natural sort criteria matches the specified sort criteria eliminates the need for tempTable thereby increasing scale possibilities (good for large result sets because, in the past, it would have simply failed) on the flip side, causes performance problems for smaller result sets DIRSync_EX_Control (1.2.840.113556.1.4.2090) alters traditional DirSync behavior forces the return of specified unchanged attributes useful for a primarily developer audience only New LDAP Controls/Behaviors TreeDelete control with batch size (1.2.840.113556.1.4.2204) ensures deletions do not slow convergence beyond system tolerance

today, batch size is hard-coded to 16K new control exposes a mechanism to lower this hard-coded default (not raise it) value must be between 2 and hard-coded limit of 16K exposed as an LDAP control allowing the delete operation to declare its own batch size requires that the value for the control be BER encoded Return highest change stamp applied as part of an update (1.2.840.113556.1.4.2205) similar to searchStats control in that when checked in, causes the result to contain additional data housing the invocationID and highest USN allocated during the transaction ITpro needs a tool to decode the resulting BER encoded series of key/value pairs invocationID: 1.2.840.113556.1.4.2209 highestUSN: 1.2.840.113556.1.4.2208 New LDAP Controls/Behaviors Include ties in server-sorted search results [aka. soft size limit] (1.2.840.113556.1.4.2210) within the context of a sorted search, two objects are considered tied if their attribute values for the sorted attribute are the same, i.e. the objects are tied by virtue of the common value in the sort attribute (same place in the index) also termed soft size limit

value supplied for SOFT_SIZE_LIMIT must be less than LDAP size limit search must be sorted in order for the notion of a tie to have any meaning what does it do? imagine paging through the Exchange GAL and requesting only a page at a time youd like to be able to get the next page from any DC (not become sticky with the same DC the request began against) to do so, you need to be sure where the last page ended, e.g. Im on page 3 sorted on givenName and it ends with Dean what if there are multiple Deans? soft size limit numerically governs the page-size but ensures that any duplicates of the last entry (Dean) are also returned unless that exceeded the hard-size limit this allows the next page to be requested by filtering on (&(givenName>=Dean)(! 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Recently Viewed Presentations

  • FileNewTemplate - Illinois

    FileNewTemplate - Illinois

    Challenges Adapting Large Software Systems for State-of-the-Art Hardware Platforms. Initial focus on key computational kernels eventually gives way to the need to optimize an ocean of less critical routines, due to observance of Amdahl's Law. Even though these less critical...
  • Handling and Restraint - West Ada School District

    Handling and Restraint - West Ada School District

    Goat. Commonly seen on a dairy for cattle, keeps them in the bunk to eat feed and not waste food. Horses—dentistry, or other clinical procedures. Sheep- sheering, deworming, etc. Goats- milking, deworming, trimming hooves. ... Handling and Restraint
  • Menopause Basics - unich.it

    Menopause Basics - unich.it

    Menopause Basics Learning Objectives: Describe the hypothalamic-pituitary-ovarian axis Differentiate between Perimenopause and Menopause Learn physiologic and anatomic changes at menopause Describe typical menopausal symptoms Perform focused history +physical for menopausal woman Interpret selected laboratory tests to evaluate menopause.
  • The Art of Writing English Literature Essays

    The Art of Writing English Literature Essays

    The Art of Writing English Literature Essays. A Level Activities to improve . your writing. ... If your essay is worth 30 marks, discuss how these marks might be allocated for each of your exams ... This is a contention....
  • Trauma in Young Children: Developing a trauma-informed approach

    Trauma in Young Children: Developing a trauma-informed approach

    Putting words to emotions allows us to make meaning of experiences and to gain a sense of control. Normalize traumatic responses and remind child he/she is . SAFE NOW . as often as needed. When a child is overwhelmed with...
  • Essentials of GENETICS Eighth Edition 16 The Genetics

    Essentials of GENETICS Eighth Edition 16 The Genetics

    G1/S, G2/M, and M checkpoints Section 16.3 Cell-Cycle Control and Checkpoints G1/S checkpoints monitor cell size and determine whether DNA has been damaged. G2/M is where physiological conditions are checked (once G1/S are passed) prior to mitosis.
  • Module 43 Social Psychology: Social Thinking  How do

    Module 43 Social Psychology: Social Thinking How do

    Situational Attributions were more likely when seen from the actor's perspective. Module 43 & 44a * Looking back on our past selves, we are more likely to attribute past behaviors to dispositional factors (traits). Political perspective also effect attributions! Conservative...
  • Background to Antigone

    Background to Antigone

    Oedipus They have four children together (Antigone is one of them) Antigone must lead her blind father into exile Creon, Jocasta's brother, takes control of Thebes Thebes has been thrown info chaos and conflict The stage has been set for...