
It3004 windows server 2012 upgrading active directory

Date post: 09-Dec-2014
Upload: fabrizio-volpe
Description:
My speech about upgrading Active Directory to Windows 2012 during Windows Professional Conference 2012 in Milan (Italy). The topics were: new features of Windows 2012 Directory Services (AD DS), virtualization-safe technologies (D.C. cloning and snapshot compatibility), upgrade paths (in-place or addition of a new Windows 2012 D.C.) and migration / parallel environment with ADMT.

Transcript
  • 1. IT3004 - Windows Server 2012: Upgrading Active Directory. Fabrizio Volpe, MVP Directory Services 2011 & 2012 (Italy), MCITP
  • 2. Agenda
      • New Features and Improvements
      • Cloud and Federation Scenarios for Directory Services
      • Upgrading Domain Controllers to Windows Server 2012
      • Next Steps
  • 3. New Features and Improvements
      • Recycle Bin User Interface
      • Dynamic Access Control
      • Simplified Deployment
      • Active Directory-Based Activation
      • Virtualization-Safe Technology
      • Active Directory PowerShell History Viewer
      • Fine-Grained Password Policy User Interface
      • Rapid Deployment
      • Kerberos Enhancements
      • Active Directory Platform Changes
      • Group Managed Service Accounts
      • Active Directory Replication & Topology Cmdlets
  • 4. Simplified Deployment: Solution
      • integrate preparation steps into the promotion process
      • automate the pre-requisites between each of them
      • validate environment-wide pre-requisites before beginning deployment
      • integrated with Server Manager and remotable
      • built on Windows PowerShell for command-line and UI consistency
      • configuration wizard aligns to the most common deployment scenarios
  • 5. Demo - Windows Server 2012 Domain Controller With GUI
  • 6. Simplified Deployment: What Changes?
      • Streamline the deployment process
      • Minimize odds of deployment failures
      • Optimize for common deployment paths
      • Minimize number of touch-points
      • Bring consistency with other Windows Server roles deployment experiences
      • Gain UI-consistency by leveraging an enhanced command-line experience
  • 7. Install From Media. Windows Server 2012 adds two additional options to the Ntdsutil.exe command-line tool for the IFM (IFM Media Creation) menu:
      • Create Full NoDefrag %s: Create IFM media without defragmenting for a full AD DC or an AD/LDS instance into folder %s
      • Create Sysvol Full NoDefrag %s: Create IFM media with SYSVOL and without defragmenting for a full AD DC into folder %s
  • 8. Simplified Deployment: Requirements
      • Windows Server 2012
      • target forest must be Windows Server 2003 functional level or greater
      • introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges
      • subsequent DCs require only Domain Admin privileges within the target domain
      • Other features used: DC Promotion Retry Logic; Enhanced Install-from-media (IFM) options; AD FS V2.1 in-the-box
  • 9. Virtualization-Safe Technology: Background
      • common virtualization operations such as creating snapshots or copying VMs/VHDs can roll back the state of a virtual DC
      • this introduces USN bubbles leading to permanently divergent state, causing: lingering objects; inconsistent passwords; inconsistent attribute values; schema mismatches if the Schema FSMO is rolled back
      • the potential also exists for security principals to be created with duplicate SIDs
  • 10. Virtualization Safe Technology
  • 11. What happens if the VM-Generation ID has been modified. Before any changes are made to the local Active Directory database, the server checks its VM-Generation ID; if it is not what it is expecting, then it will do several things. The first thing that will be done is that the local RID pool will be invalidated and a new RID pool will be requested from the RID master. Next, the invocation ID will be increased so that when replication happens, even though the USN would be the same, the domain controller's invocation ID would be different, meaning the other domain controllers would accept the update and replicate.
  • 12. Rapid Deployment: DC Cloning
      • Promote and configure ONLY once
      • Easier and faster to deploy replica DCs
      • Minimizes dependencies/interactions between hypervisor administrators and Active Directory administrators when deploying DCs
  • 13. Prepare the environment
      • Step 1: Validate that the hypervisor supports VM-Generation ID and, therefore, cloning
      • Step 2: Verify the PDC emulator role is hosted by a domain controller that runs Windows Server 2012 and that it is online and reachable by the cloned domain controller during cloning.
  • 14. Prepare the source domain controller
      • Step 3: Authorize the source domain controller for cloning
      • Step 4: Remove incompatible services or programs or add them to the CustomDCCloneAllowList.xml file.
      • Step 5: Create DCCloneConfig.xml
      • Step 6: Take the source domain controller offline
  • 15. Create the cloned domain controller
      • Step 7: Copy or export the source VM and add the XML if not already copied
      • Step 8: Create a new virtual machine from the copy
      • Step 9: Start the new virtual machine to commence cloning
  • 16. Steps for deploying a clone virtualized domain controller
      • Prerequisites
      • Step 1: Grant the source virtualized domain controller the permission to be cloned
      • Step 2: Run Get-ADDCCloningExcludedApplicationList cmdlet
      • Step 3: Run New-ADDCCloneConfigFile
      • Step 4: Export and then import the virtual machine of the source domain controller
  • 17. Demo - DC Cloning
  • 18. Active Directory Platform Change
      • Improved allocation and scale of RIDs (relative identifiers), deferred index creation
      • Kerberos enhancements and support for Kerberos claims in AD FS
  • 19. Active Directory forest in Windows Azure
  • 20. Active Directory forest in Windows Azure. You can install Windows Server 2012, but be aware that the virtualized domain controller safeguards that are built into Windows Server 2012 are not available on Windows Azure Virtual Networks. The virtualized domain controller safeguards require support for VM-Generation ID, which Windows Azure Virtual Networks do not provide at the present time. http://www.windowsazure.com/en-us/manage/services/networking/active-directory-forest/
  • 21. Active Directory Federation
      • Role description: Simplified, secured identity federation and Web single sign-on (SSO) capabilities.
      • Federation Service role service
      • Federation Service Proxy role
      • Web Agent role services
  • 22. Active Directory Federation in Windows 2012
      • Integration with Dynamic Access Control scenarios
      • Improved installation experience using Server
      • Additional Windows PowerShell cmdlet
  • 23. Active Directory cloud deployments
      • Remote PowerShell
      • Cloud-based servers can be promoted to domain controllers
      • Active Directory is Deployment with Cloning
  • 24. Upgrading Domain Controllers to Windows Server 2012: System requirements for installing AD DS on Windows Server 2012
      • On domain controllers that you plan to upgrade to Windows Server 2012, make sure that the drive that hosts the Active Directory database (NTDS.DIT) has at least 20% free disk space before you begin the operating system upgrade
      • Installation type: Server Core; Full; Minimal Server Interface
  • 25. Upgrading Domain Controllers to Windows Server 2012: Supported in-place upgrade paths
      • Domain controllers that run Windows Server 2008 or Windows Server 2008 R2 can be upgraded to Windows Server 2012
      • You cannot upgrade domain controllers that run Windows Server 2003.
  • 26. Upgrading Domain Controllers to Windows Server 2012: Functional level features and requirements
  • 27. Upgrading Domain Controllers to Windows Server 2012: Operations master roles
  • 28. Migrating AD to Windows Server 2012
      • Upgrading forests and domains: Using the new Server Manager
      • Deploying new replica DCs: Using the new Server Manager
      • Managing AD DS using AD Administrative Center: PowerShell History Viewer; AD Recycle Bin GUI; Fine Grained Password Policy GUI
  • 29. Upgrade Scenarios
      • From Windows 2003 to Windows 2012
      • From Windows 2008 to Windows 2012
  • 30. Demo - Upgrade To Windows 2012 DC
  • 31. Next Steps: Best Practices Analyzer (BPA)
  • 32. Promoting a Domain Controller with PowerShell
      • Install the Active Directory Domain Services role
      • Prerequisite Checks
      • Promoting the DC
      • Best Practices Analyzer
  • 33. Demo - Promoting a Domain Controller with PowerShell
  • 34. Limits of BPA and the Prerequisites Checker
      • No check on other Microsoft applications or 3rd party applications
      • No inventory of existing application or services on the DC
  • 35. Best Practices for Implementing Schema Updates
      • Test your forest recovery plans.
      • Test your schema extensions in your recovery environment and in any other test/non-production environments
  • 36. Planning
      • Infrastructure Planning and Design documents: http://www.microsoft.com/en-us/download/details.aspx?id=732
      • Impact of the new features: Active Directory Web Services (ADWS); Virtualized Domain Controller Cloning; Dynamic Access Control (DAC) & Kerberos Flexible Authentication Secure Tunneling (FAST or AKA Kerberos armoring)
  • 37. Summary of Minimum Requirements (with this deployed... these features become available)
      • First Windows Server 2012 domain-member (or Windows 8 with RSAT installed): New Active Directory Administrative Center; Windows PowerShell History Viewer; Graphical Recycle Bin and FGPP management; Richer authorization through DAC & FCI
      • Active Directory-based Activation: requires Windows Server 2012 schema extensions
      • + First Windows Server 2012 DC: Active Directory Replication & Topology Cmdlets; AD FS (v2.1); Simplified Deployment and Preparation; Dynamic Access Control policies and claims; Kerberos Claims in AD FS (v2.1); Cross-domain Kerberos Constrained Delegation; Group Managed Service Accounts; Virtualization-Safe for the Windows Server 2012 DC (requires Hypervisor support for VM-Gen-ID)
      • + Windows Server 2012 DC holds PDC FSMO role: Rapid virtual DC deployment through DC-cloning (requires Hypervisor support for VM-Gen-ID)
  • 38. Migration and Restructuring
      • Active Directory Migration Tool version 3.2
      • Source domain: The source domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
      • Target domain: The target domain must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2
      • ADMT 3.2 and PES 3.1 installation errors on Windows Server 2012: http://support.microsoft.com/kb/2753560/en-us
  • 39. Troubleshooting Domain Controller Deployment
      • General Methodology for Troubleshooting Domain Controller Configuration
      • Tools and Commands
      • Logging Options
      • http://technet.microsoft.com/en-us/library/jj592690.aspx
  • 40. Demo - Troubleshooting
  • 41. Q&A
  • 42. Thank you
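
The source-side cloning steps from slides 13 to 16, written out as a PowerShell sketch. This is an added example, not code from the talk; the DC names, site name and 10.0.0.x addresses are constructed assumptions, and it is meant to run in an elevated session on the source domain controller.

```powershell
# Added example (not from the deck). Run elevated on the source DC.
# Assumed, constructed values: DC01/DC02, the site name, the 10.0.0.x addresses.
Import-Module ActiveDirectory
$SourceDc  = 'DC01'
$CloneName = 'DC02'
$AllowListReviewed = $false   # set to $true only after reviewing the step 4 output

# Slide 13, step 2: the PDC emulator must run Windows Server 2012 and be reachable.
$pdcName = (Get-ADDomain).PDCEmulator
$pdc = Get-ADDomainController -Identity $pdcName
if ($pdc.OperatingSystem -notlike '*Server 2012*') {
    throw "PDC emulator $pdcName runs '$($pdc.OperatingSystem)', not Windows Server 2012."
}
if (-not (Test-Connection -ComputerName $pdcName -Count 2 -Quiet)) {
    throw "PDC emulator $pdcName is not reachable."
}

# Slide 14, step 3: authorize the source DC through group membership.
$dc = Get-ADComputer -Identity $SourceDc
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $dc

# Slide 14, step 4: list services and programs not known to be safe to clone.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize | Out-String | Write-Host
    if (-not $AllowListReviewed) {
        throw 'Remove what is not clone-safe first; -GenerateXml allow-lists every entry still listed.'
    }
    # Writes every remaining entry into CustomDCCloneAllowList.xml.
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# Slide 14, step 5: create DCCloneConfig.xml with the clone's identity.
$clone = @{
    CloneComputerName  = $CloneName
    SiteName           = 'Default-First-Site-Name'
    Static             = $true
    IPv4Address        = '10.0.0.12'
    IPv4SubnetMask     = '255.255.255.0'
    IPv4DefaultGateway = '10.0.0.1'
    IPv4DNSResolver    = '10.0.0.10'
}
New-ADDCCloneConfigFile @clone

# Slide 14, step 6: take the source offline before the VM is copied or exported.
Stop-Computer -Force
```

Steps 7 to 9 (copy or export, create the new VM, start it) are performed on the hypervisor host and depend on the hypervisor in use. Membership in the cloning group is a standing authorization, so remove the source DC from it once cloning is finished if no further clones are planned.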
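
The four stages listed on slide 32 (role install, prerequisite checks, promotion, Best Practices Analyzer), as an added example that is not code from the talk. The domain name and site name are constructed assumptions; the account supplied needs the privileges from slide 8 (Enterprise Admin and Schema Admin for the first Windows Server 2012 DC, Domain Admin for later ones).

```powershell
# Added example (not from the deck). Run elevated on the Windows Server 2012
# member server that will become a replica DC.
# Assumed, constructed values: corp.example.com and the site name.

# 1. Install the Active Directory Domain Services role.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Secrets are prompted for and never written into the script.
$cred = Get-Credential -Message 'Account with rights to promote a DC'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

$promo = @{
    DomainName                    = 'corp.example.com'
    SiteName                      = 'Default-First-Site-Name'
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
}

# 2. Prerequisite checks: same parameters as the promotion, nothing is changed.
$checks = Test-ADDSDomainControllerInstallation @promo
$failed = $checks | Where-Object { $_.Status -ne 'Success' }
if ($failed) {
    $failed | Format-List Message, Context, Status
    throw 'Prerequisite check did not succeed; promotion not started.'
}

# 3. Promote the DC. The server reboots when promotion completes.
Install-ADDSDomainController @promo -Force

# 4. After the reboot, in a new elevated session: run the AD DS BPA model
#    and show only the findings that need attention.
$model = 'Microsoft/Windows/DirectoryServices'
Invoke-BpaModel -ModelId $model
Get-BpaResult -ModelId $model |
    Where-Object { $_.Severity -ne 'Information' } |
    Format-List Severity, Category, Title, Resolution
```

As slide 34 notes, neither the prerequisite check nor the BPA inventories third-party or other Microsoft applications on the DC, so a clean result here covers AD DS only.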

