What’s New in Active Directory in Windows Server 2012
Dean Wells
Active Directory Product Group, Microsoft
SIA312
Agenda
Objectives / Takeaways
Areas of Investment / Our Broad Goals
New Features / Enhancements
Summary of Requirements
Objectives
Provide an understanding of…
• the broad areas we have invested in and why
• the business and/or technical challenges that led to each of the new features
Provide detailed insights into the Active Directory features and…
• define requirements and implementation specifics
• highlight the value these features bring to your environment
Given the sheer volume of topics…
• provide technically deep content, striving for a balance of breadth and depth
• provide material that’s sufficiently complete and technically rich to be useful outside of the session
High-Level Areas of Investment
• Simplified deployment of Active Directory
• Optimal deployment experiences in both private and public clouds
• Increased consistency throughout the management experience
• Accommodate business-driven security requirements through the integration of:
  • file classification
  • claims-based authorization
Our Broad Goals
Virtualization That Just Works
• All Active Directory features work equally well in physical, virtual or mixed environments
Simplified Deployment of Active Directory
• Complete integration of environment preparation, role installation and DC promotion into a single UI
• DCs can be deployed rapidly to ease disaster recovery and workload balancing
• DCs can be deployed remotely on multiple machines from a single Windows 8 machine
• Consistent command-line experience through Windows PowerShell enables automation of deployment tasks
Simplified Management of Active Directory
• GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
• Active Directory Windows PowerShell support for managing replication and topology data
• Simplified delegation and management of service accounts
New Features and Enhancements
• Simplified Deployment
• Virtualization-Safe Technology
• Rapid Deployment
• Active Directory Platform Changes
• Miscellaneous
Management
• Recycle Bin User Interface
• Active Directory Replication & Topology Cmdlets
• Dynamic Access Control
• Active Directory Based Activation
• Group Managed Service Accounts
• Kerberos Enhancements
• Active Directory PowerShell History Viewer User Interface
• Fine-Grained Password Policy User Interface
Simplified Deployment: Background
• adding replica DCs running newer versions of the Windows Server operating system has proven to be:
  • time consuming
  • error-prone
  • complex
• In the past, IT pros were required to:
  • obtain the correct (new) version of the ADprep tools
  • interactively log on at specific per-domain DCs using a variety of different credentials
  • run the preparation tool in the correct sequence with the correct switches
  • wait for replication convergence between each step
Simplified Deployment: Solution
• integrate preparation steps into the promotion process
• automate the pre-requisites between each of them
• validate environment-wide pre-requisites before beginning deployment
• integrated with Server Manager and remoteable
• built on Windows PowerShell for command-line and UI consistency
• configuration wizard aligns to the most common deployment scenarios
Simplified Deployment: What Changed?
• Streamline the deployment process … by integrating preparation and promotion processes and automating pre-requisites in between
• Minimize odds of deployment failures … by validating environment pre-requisites before deployment
• Minimize number of touch-points … by providing remote capabilities for both preparation and promotion processes
• Optimize for common deployment paths … by aligning the configuration wizard to the most common deployment scenarios
• Bring consistency with other Windows Server role deployment experiences … by integrating the full deployment experience with Server Manager
• Gain UI consistency by leveraging an enhanced command-line experience … by providing a deployment and configuration wizard that is built on top of Windows PowerShell
Simplified Deployment: Requirements
• Windows Server 2012
• target forest must be at Windows Server 2003 functional level or greater
• introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges
• subsequent DCs require only Domain Admin privileges within the target domain
Simplified Deployment ++: DC Promotion Retry Logic
• Since Windows 2000, DCpromo has been intolerant of transient network failures
  • caused promotions to fail if the network (or helper DC) “hiccupped”
• Windows Server 2012 promotion employs an indefinite retry
  • “indefinite” because no sufficiently meaningful set of metrics is available from which to assert “sufficient progress”
  • so we’ve deferred the decision of “failure” to the administrator
Simplified Deployment ++: Enhanced Install-from-media (IFM) options
• Goal of IFM: deploy a DC more quickly
  • yet “IFM prep” in NTDSUTIL executed a mandatory offline defragmentation pass
  • a maintenance task that our data suggests virtually nobody uses on existing production DCs
  • yielded an oftentimes much smaller DIT (which is great) but at the expense of time
• In Windows Server 2012, NTDSUTIL’s IFM prep is enhanced
  • it now includes an option to eliminate the defragmentation pass
  • not the default; that remains as is
  • eliminates potentially hours (or days) of media preparation time
  • the DIT will be larger (whitespace, not fragmentation), increasing copy time if slow links are involved
Simplified Deployment ++: AD FS v2.1 is in the box
• AD FS v2.0 shipped out-of-band, downloaded from http://microsoft.com
• AD FS v2.1 ships in the box as a server role with Windows Server 2012
  • integrated with Windows Server 2012 Dynamic Access Control
Virtualization-Safe Technology: Background
• common virtualization operations such as creating snapshots or copying VMs/VHDs can roll back the state of a virtual DC
• this introduces USN bubbles, leading to permanently divergent state and causing:
  • lingering objects
  • inconsistent passwords
  • inconsistent attribute values
  • schema mismatches if the Schema FSMO is rolled back
• the potential also exists for security principals to be created with duplicate SIDs
Virtualization-Safe Technology: Solution
• Windows Server 2012 virtual DCs are able to detect when:
  • snapshots are applied
  • a VM is copied
• built on a generation identifier (VM-Generation ID) that is changed when virtualization features such as VM snapshots are used
• Windows Server 2012 virtual DCs track the VM-Generation ID to detect changes and protect Active Directory
• protection achieved by:
  • discarding the RID pool
  • resetting the invocationID
  • re-asserting the INITSYNC requirement for FSMOs
How Domain Controllers are Impacted
Timeline of events (figure): DC1 (invocationID A) and its replication partner DC2
• TIME T1: snapshot of DC1 created; DC1 at USN 100, ID A, RID pool 500-1000
• TIME T2: +100 users added on DC1; DC1 at USN 200, ID A, RID pool 600-1000; DC2 receives updates with USNs >100 and now holds DC1(A)@USN = 200
• TIME T3: snapshot applied! DC1 rolls back to USN 100, ID A, RID pool 500-1000
• TIME T4: +150 more users created on DC1; DC1 at USN 250, ID A, RID pool 650-1000; DC2 still holds DC1(A)@USN = 200, so it receives only updates with USNs >200
• USN rollback NOT detected: only 50 users converge across the two DCs; all others are either on one DC or the other
• 100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs
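The T1-T4 timeline above as a runnable model, added here and not code from the deck or from Windows: two DCs replicate by invocationID/USN watermark, DC1 is rolled back to a snapshot, and the same run is repeated with the VM-Generation ID safety (new invocationID, discarded RID pool). The pool size, the object identifiers and the replication rule are simplifying assumptions.

```python
import copy
import itertools
from dataclasses import dataclass, field

POOL_SIZE = 500  # RIDs per pool from the RID master (assumption; matches "500 - 1000" above)


@dataclass
class User:
    guid: int             # stands in for objectGUID
    rid: int
    originating_id: str   # invocationID of the DC that originated the write
    originating_usn: int


@dataclass
class DomainController:
    name: str
    invocation_id: str
    usn: int = 0
    rid_next: int = 0
    rid_end: int = 0
    users: dict = field(default_factory=dict)       # guid -> User
    utd_vector: dict = field(default_factory=dict)  # invocationID -> highest USN received
    vm_generation_id: str = "gen-1"                 # value the hypervisor reports now
    genid_in_dit: str = "gen-1"                     # value NTDS stored at its last start

    def watermark(self, originating_id):
        if originating_id == self.invocation_id:
            return self.usn
        return self.utd_vector.get(originating_id, 0)


class Domain:
    # RID master pool counter plus sources of fresh invocationIDs and objectGUIDs
    def __init__(self):
        self._pools = itertools.count(500, POOL_SIZE)
        self._ids = iter("BCDEFG")
        self.guids = itertools.count(1)

    def issue_pool(self, dc):
        dc.rid_next = next(self._pools)
        dc.rid_end = dc.rid_next + POOL_SIZE

    def fresh_invocation_id(self):
        return next(self._ids)


def create_users(dc, domain, n):
    """Originate n user objects on dc, each consuming one RID and one USN."""
    for _ in range(n):
        dc.usn += 1
        u = User(next(domain.guids), dc.rid_next, dc.invocation_id, dc.usn)
        dc.rid_next += 1
        dc.users[u.guid] = u


def replicate(source, dest):
    """dest pulls objects above its watermark for each originating invocationID (UTD vector, simplified)."""
    for u in source.users.values():
        if u.originating_usn > dest.watermark(u.originating_id):
            dest.users[u.guid] = u
            dest.usn += 1
            if u.originating_id != dest.invocation_id:
                dest.utd_vector[u.originating_id] = max(
                    dest.utd_vector.get(u.originating_id, 0), u.originating_usn)


def apply_snapshot(snapshot, domain, virtualization_safe):
    """Roll a DC back to a snapshot; the hypervisor reports a new VM-Generation ID."""
    dc = copy.deepcopy(snapshot)
    dc.vm_generation_id = "gen-2"
    if virtualization_safe and dc.vm_generation_id != dc.genid_in_dit:
        dc.utd_vector[dc.invocation_id] = dc.usn   # retire the old invocationID at its USN
        dc.invocation_id = domain.fresh_invocation_id()
        domain.issue_pool(dc)                      # discard the rolled-back RID pool
        dc.genid_in_dit = dc.vm_generation_id
    return dc


def run_scenario(virtualization_safe):
    """Replay T1-T4 from the timeline and report how the two DCs ended up."""
    domain = Domain()
    dc1 = DomainController("DC1", "A", usn=100)
    dc2 = DomainController("DC2", "Z")
    domain.issue_pool(dc1)                # T1: RID pool 500-1000
    snapshot = copy.deepcopy(dc1)         # T1: snapshot created at USN 100
    create_users(dc1, domain, 100)        # T2: +100 users -> USN 200, RIDs 500-599
    replicate(dc1, dc2)                   #     DC2 receives USNs > 100
    dc1 = apply_snapshot(snapshot, domain, virtualization_safe)   # T3: back to USN 100
    create_users(dc1, domain, 150)        # T4: +150 users -> USN 250
    replicate(dc1, dc2)                   #     DC2 only asks for USNs above its watermark
    replicate(dc2, dc1)
    rid_owners = {}
    for u in [*dc1.users.values(), *dc2.users.values()]:
        rid_owners.setdefault(u.rid, set()).add(u.guid)
    return {"converged": len(dc1.users.keys() & dc2.users.keys()),
            "conflicting_sids": sum(len(g) > 1 for g in rid_owners.values()),
            "dc1_users": len(dc1.users), "dc2_users": len(dc2.users)}
```

Without the safety, run_scenario(False) reproduces the slide (50 converged users, 100 conflicting SIDs); with it, run_scenario(True) ends with both DCs holding all 250 users and no duplicate RIDs.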
Virtualization-Safe Technology: Requirements
• Windows Server 2012 DCs hosted on a hypervisor platform that supports VM-Generation ID
Rapid Deployment: Background
• deploying virtualized replica DCs is as labor-intensive as physical DCs
• virtualization brings capabilities that can simplify deployment
• the result and goal of promoting additional DCs within a domain is an almost identical instance (a replica), excluding name, IP address, etc.
• deployment today involves many (arguably redundant) steps:
  • preparation and deployment of a sysprep’d server image
  • manually promoting a DC using:
    • over-the-wire: can be time-consuming depending upon the size of the directory
    • install-from-media (IFM): media preparation and copying adds time and complexity
  • post-deployment configuration steps where necessary
Rapid Deployment: Domain Controller Cloning
Solution
• create replicas of virtualized DCs by cloning existing ones
  • i.e. copy the VHD through hypervisor-specific export + import operations
  • simplifies interaction and deployment dependencies between hypervisor and Active Directory admins
  • note that the authorization of clones remains under Enterprise/Domain Admins’ control
• a game-changer for disaster recovery
  • requires ONLY a single Windows Server 2012 virtual DC per domain to quickly recover an entire forest
  • subsequent DCs can be rapidly deployed, drastically reducing time to steady state
• enables elastic provisioning capabilities to support private-cloud deployments, etc.
Rapid Deployment: Cloning Flow
Cloning flow (figure), as exchanged between the clone VM and the Windows Server 2012 PDC
Clone VM:
• NTDS starts
• Obtain current VM-GenID
• If different from the value in the DIT: reset invocationID, discard RID pool
• DCCloneConfig.xml available? If so, Dcpromo /fixclone:
  • Parse DCCloneConfig.xml
  • Configure network settings
  • Locate PDC
  • Call IDL_DRSAddCloneDC(name, site)
Windows Server 2012 PDC (IDL_DRSAddCloneDC):
• Check authorization
• Create new DC object by duplicating the source DC objects (NTDSDSA, Server, Computer instances):
  CN=Configuration
  |--CN=Sites
     |--CN=<site name>
        |--CN=Servers
           |--CN=<DC Name>
              |--CN=NTDS Settings
• Generate new DC machine account and password
Clone VM:
• Save clone state (new name, password, site)
• Promote as replica (IFM)
• Run (specific) sysprep providers
• Reboot
Rapid Deployment: Domain Controller Cloning
Requirements
• Windows Server 2012 virtual DC hosted on a VM-Generation-ID-aware hypervisor platform
• PDC FSMO must be running Windows Server 2012 to authorize the cloning operation
• source DC must be authorized for cloning:
  • through a permission on the domain head: “Allow DC to create a clone of itself”
  • add the source DC’s computer account to the new “Cloneable Domain Controllers” group
• DCCloneConfig.xml file must be present on the clone DC in one of:
  • the directory containing NTDS.DIT
  • the default DIT directory (%windir%\NTDS)
  • removable media (virtual floppy, USB, etc.)
• commonplace Windows Server 2012 services that are co-located with DCs are supported, e.g. DNS, FRS, DFSR
• additional services/scheduled tasks installed on the clone source must be added to an admin-extensible whitelist
  • if an installed component is not present in the whitelist, the cloning process fails and the cloned DC boots to DSRM
Brief Terminology Level-Set
• RootDSE mods (aka operational attributes): LDAP’s answer to RPC
• Constructed attributes
  • typically impose a compute burden: the answer is “constructed” based on something else
  • the query processor will reject anything other than a base-scoped filter that includes a constructed attribute
  • typically not defined in the schema; known only to the code
• LDAP controls and matching rules affect the way the query processor handles things, e.g.
  • return deleted objects (a control that is checked in along with the query)
  • bitwise comparison (a matching rule) (searchFlags:1.2.840.113556.1.5.807:=1)
• Finite address spaces within Active Directory
  • RIDs (exposed)
  • DNTs (exposed, but new to Windows Server 2012)
  • LIDs (not exposed)
RID Improvements: Background
• a recent bout of cases involving RID depletion or complete global RID-space exhaustion motivated an investigation into root cause
• a couple of bugs were identified and fixed
• the investigation also highlighted the need for general improvements and concerns around finite scale limitations
RID Improvements
• Account creation failure can cause the loss of 1 RID
  • a RID was leaked because a user was being created that didn’t meet policy: the RID was allocated, the user was created, the user failed to meet policy, the user was deleted, and the RID leaked
  • fixed in Windows Server 2012 by maintaining an in-memory bucket of RIDs that are available for reuse
    • note that if the DC is rebooted, the reuse list is lost
    • the reuse list is used preferentially over the RID pool if entries exist
    • the size of the reuse list is bounded by the maximum number of user-creation attempts that simultaneously hit a failure case
    • our projections indicate single-digit size, i.e. nothing to take into account in sizing exercises
• Prevent RID allocation during failed computer account creation by privilege by a standard domain user
  • this is just another path (through domain join, for example) that permits the creation of computer accounts
  • the logic above is used in exactly the same way to eliminate the leak
• Log an event when a RID pool is invalidated
  • invalidation occurs via a rootDSE mod. and in more natural scenarios, e.g. virtual DC safeties, DIT restoration
RID Improvements
• Missing rIDSetReferences value will lead to RID pool exhaustion
  • the attribute was not correctly recreated when a DC’s computer account was deleted, later detected by the DC and reincarnated
  • the DC checks the attribute for a pointer to its RID pool; the attribute isn’t populated
  • the DC assumes no RID pool and requests a new one
  • the DC receives a RID pool from the RID FSMO and attempts to write the new RID block to its RID set, and fails because no rIDSetReferences exists
  • 30 seconds later, the DC repeats the process, burning through <RID block size> RIDs on each attempt
  • a single offending DC will eat through the entire global RID space in ~2 years using the default RID block size of 500
  • in Windows Server 2012, you guessed it – we fixed this: reincarnation populates the necessary attributes
• Enforce a maximum cap on the RID policy RID Block Size
  • in the past, the RID block size was configurable in the RID FSMO’s registry and imposed no upper bound
  • in Windows Server 2012, the maximum permissible admin-configured RID block size is 15,000 (values >15K == 15K)
RID Improvements
• Periodic RID Consumption Warning
  • at 10% of the remaining global space, the system logs an informational event
  • first event at 100,000,000 RIDs used; second event logged at 10% of the remainder
    • remainder = 900,000,000; 10% of remainder = 90,000,000
    • second event logged at 190,000,000 (existing RID consumption plus 10% of remainder)
  • events become more frequent as the global space is further depleted
RID Improvements
• RID Manager artificial ceiling protection mechanism
  • think of this as a soft ceiling that blocks further allocations of RID pools
  • when hit, the system flips msDS-RIDPoolAllocationEnabled on the RID Manager$ object to FALSE; the administrator flips it back to TRUE to override
  • an event is logged indicating we’ve reached the ceiling; an additional warning is logged when the global RID space reaches 80%
  • the attribute can only be set to FALSE by SYSTEM and is mastered by the RID FSMO (i.e. write it against the RID FSMO)
  • a DA can set it back to TRUE; NOTE: it is set to TRUE by default (possibly obvious)
  • the soft ceiling is 90% of the global RID space and is not configurable
  • the soft ceiling is deemed “reached” when a RID pool containing the 90% RID is issued
RID Improvements
• Unlock the 31st bit in the global RID space
  • yes – we actually did it… and yes again, we tested the living s… well, we really tested it a lot
  • doubles the global RID space from 1 billion to 2 billion
  • irreversible action, so take care: CANNOT be authoritatively restored (unless it’s the only DC in the domain)
  • the 31st bit is unlocked via a rootDSE mod (requires a Windows Server 2012 RID FSMO): sidCompatibilityVersion:1
  • other DCs must be running Windows Server 2012 to exploit this
    • the plan is, however, to backport it to Windows Server 2008 R2
    • downlevel DCs will receive pools that use the higher-order bit but will refuse to issue RIDs to new principals from within them, i.e. the DCs are good for everything other than creating new principals
    • they will, for example, happily authenticate users with RIDs above 1 billion
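A model of the RID Manager behaviours from the RID Improvements slides above, added here and not Microsoft code: the capped block size, the per-DC reuse list, the 10%-of-remainder warning schedule, the 80% warning, the 90% soft ceiling that flips msDS-RIDPoolAllocationEnabled, and the 31st-bit unlock with a downlevel DC refusing to issue from a high pool. The space sizes are the deck’s rounded 1 billion / 2 billion and the event names are stand-ins for the real event IDs.

```python
DEFAULT_BLOCK_SIZE = 500
MAX_BLOCK_SIZE = 15_000            # Windows Server 2012 cap: values > 15K == 15K
SPACE_30_BIT = 1_000_000_000       # "1 billion" global RID space, rounded as in the deck
SPACE_31_BIT = 2_000_000_000       # after the sidCompatibilityVersion:1 rootDSE mod


class RidAllocationDisabled(Exception):
    """msDS-RIDPoolAllocationEnabled on the RID Manager$ object is FALSE."""


def next_warning_after(used, space):
    """Next consumption-warning point: current consumption plus 10% of the remainder."""
    return used + max((space - used) // 10, 1)


def warning_points(space, count):
    """The first `count` warning points for a global space of the given size."""
    points, point = [], next_warning_after(0, space)
    for _ in range(count):
        points.append(point)
        point = next_warning_after(point, space)
    return points


class RidMaster:
    """RID FSMO: issues pools, logs consumption warnings, enforces the 90% soft ceiling."""
    def __init__(self, block_size=DEFAULT_BLOCK_SIZE):
        self.block_size = min(block_size, MAX_BLOCK_SIZE)
        self.space = SPACE_30_BIT
        self.used = 0                       # highest RID issued so far
        self.allocation_enabled = True      # msDS-RIDPoolAllocationEnabled
        self.events = []                    # (event name, value), in the order logged
        self.next_warning = next_warning_after(0, self.space)

    def unlock_31st_bit(self):
        """Irreversible: doubles the global space; the warning schedule is re-based on it."""
        self.space = SPACE_31_BIT
        self.next_warning = next_warning_after(self.used, self.space)

    def allocate_pool(self):
        """Return (first, last) of a new pool, or raise once the soft ceiling has been hit."""
        if not self.allocation_enabled:
            raise RidAllocationDisabled("set msDS-RIDPoolAllocationEnabled back to TRUE")
        first = self.used + 1
        if first > self.space:
            raise RuntimeError("global RID space exhausted")
        last = min(first + self.block_size - 1, self.space)
        self.used = last
        while self.used >= self.next_warning:           # periodic consumption warning
            self.events.append(("rid-consumption-warning", self.next_warning))
            self.next_warning = next_warning_after(self.next_warning, self.space)
        if first <= self.space * 8 // 10 <= last:       # pool containing the 80% RID
            self.events.append(("rid-space-80-percent", last))
        if first <= self.space * 9 // 10 <= last:       # pool containing the 90% RID
            self.allocation_enabled = False
            self.events.append(("rid-soft-ceiling-reached", last))
        return first, last


class DcRidSet:
    """A DC's RID set plus the in-memory reuse list for RIDs that failed creations leaked."""
    def __init__(self, master, uplevel=True):
        self.master, self.uplevel = master, uplevel
        self.next_rid, self.last_rid = 1, 0     # empty until the first pool is requested
        self.reuse_list, self.events = [], []

    def allocate_rid(self):
        if self.reuse_list:                     # the reuse list wins over the pool
            return self.reuse_list.pop()
        if self.next_rid > self.last_rid:
            self.next_rid, self.last_rid = self.master.allocate_pool()
        if not self.uplevel and self.last_rid > SPACE_30_BIT:
            raise RuntimeError("downlevel DC will not issue RIDs from a pool using the 31st bit")
        rid = self.next_rid
        self.next_rid += 1
        return rid

    def creation_failed(self, rid):
        """The new object failed policy and was deleted: park its RID instead of leaking it."""
        self.reuse_list.append(rid)

    def reboot(self):
        self.reuse_list.clear()                 # the reuse list lives in memory only

    def invalidate_pool(self):
        """Discard the current pool (rootDSE mod, VM-GenID change, DIT restore) and log it."""
        self.events.append(("rid-pool-invalidated", (self.next_rid, self.last_rid)))
        self.next_rid, self.last_rid = 1, 0


def run_until_ceiling(block_size=MAX_BLOCK_SIZE):
    """Issue pools until the soft ceiling flips allocation off; return the master."""
    master = RidMaster(block_size)
    while master.allocation_enabled:
        master.allocate_pool()
    return master
```

warning_points(SPACE_30_BIT, 3) reproduces the slide’s 100,000,000 and 190,000,000 (then 271,000,000), and run_until_ceiling() stops with the pool that contains RID 900,000,000.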
Deferred Index Creation
• Adding indices to existing attributes resulted in DC performance issues, i.e.
  • DCs received the schema update through replication
  • 5 minutes later, DCs refresh their schema cache
  • many/all DCs ~simultaneously begin building the index
• Windows Server 2012 introduces a new dSHeuristics setting
  • 18th byte, but it uses a zero base, so some say the 19th byte
  • setting it to 1 causes any Windows Server 2012 DC to defer building indices until:
    • it receives the UpdateSchemaNow rootDSE mod. (triggers a rebuild of the schema cache)
    • it is rebooted (which requires that the schema cache be rebuilt and, in turn, the deferred indices)
  • any attribute that is in a deferred index state will be logged in the Event Log every 24 hours
    • 2944: index deferred – logged once
    • 2945: index still pending – logged every 24 hours
    • 1137: index created – logged once (not a new event)
Expose DNTs on rootDSE
• Active Directory’s DIT uses DNTs; if we think of the DIT as a spreadsheet, DNTs are very much like row numbers
  • finite address space == 2^31 (~2 billion)
  • DNTs are NOT replicated (a database-local concept)
  • never re-used (the value only ever increases)
  • DNTs are never re-serialized (or reclaimed) except during over-the-wire promotions; neither IFM nor cloning will re-serialize them
  • once you run out, the DC must be demoted and re-promoted over the wire
• determining the DNT for a given DC required that you dump its database or programmatically interrogate the DIT
  • time consuming, impacts performance and disk space
• Windows Server 2012 Active Directory exposes DNTs via:
  • the rootDSE constructed attribute approximateHighestInternalObjectID
  • a perfmon counter, too
Off-Premises Domain Join
• Extends offline domain join by allowing the blob to accommodate DirectAccess prerequisites:
  • certs
  • Group Policies
• What does this mean?
  • a computer can now be domain-joined over the Internet if the domain is DirectAccess enabled
  • getting the blob to the non-domain-joined machine is an offline process and the responsibility of the admin
Connected Accounts: Background
• a consumer-oriented feature coupled with Metro, providing enhanced app-dev capabilities
• provides an out-of-box ability to interactively log on to Windows 8 as a “connected” Live ID
• roams certain aspects of a user’s profile between Windows 8 computers sharing the same connected Live ID
Connected Accounts
• Live ID logon to Windows with a connected Active Directory user account is NOT supported
• connecting local accounts on domain-joined machines IS supported
  • SSO to Live-supported web sites still functions, as does profile sync, etc.
  • a Group Policy setting can disable Live ID connected accounts completely
• Server SKUs do NOT support connected accounts
• Note that Windows 8 client applications that are built to use Metro are able to leverage a rich set of features specific only to connected accounts
Connected Accounts
• Object Picker and Windows as a whole will correctly display the Live ID, not the local account
  • any legacy applications will still see the NT-style account name
• Administrator must associate the Live ID with the target account
  • this can be done retroactively or during the OOBE (page 2)
• Connected local user WILL appear in Local Users and Groups
  • password change attempts will be blocked
Enhanced LDAP Logging
• Enhanced LDAP logging added in Windows Server 2012
  • existing LDAP logging capabilities were deemed insufficient: unable to isolate/diagnose the root cause of many behaviors/failures with existing logging
• Enabled through the registry via logging overrides or level 5 LDAP logging
  • additional logging logs entry and exit stats for a given API
  • we now also track the entry and exit tick, making it feasible to determine the sequence of events
    • entry: logs the operation name, the SID of the caller’s context, the client IP, entry tick and client ID
    • exit: logs the operation name, the SID of the caller’s context, client IP, entry and exit tick and client ID
• … further details on this in the appendix of this deck
New LDAP Controls/Behaviors
• Batched extended-LDAP operations (1.2.840.113556.1.4.2212)
• Require server-sorted search to use an index on the sort attribute (1.2.840.113556.1.4.2207)
• DirSync_EX_Control (1.2.840.113556.1.4.2090)
• TreeDelete control with batch size (1.2.840.113556.1.4.2204)
• Include ties in server-sorted search results (1.2.840.113556.1.4.2210)
• Return highest change stamp applied as part of an update (1.2.840.113556.1.4.2205)
• Expected entry count (1.2.840.113556.1.4.2211)
• … details on each of these new controls in the appendix of this deck
Recycle Bin User Interface: Background
• the Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery
• scenarios requiring object recovery via the Recycle Bin are typically high priority
  • recovery from accidental deletions, etc. resulting in failed logons / work stoppages
• the absence of a rich, graphical interface complicated its usage and slowed recovery
Recycle Bin User Interface: Solution
• simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center
• deleted objects can now be recovered within the graphical user interface
• greatly reduces recovery time by providing a discoverable, consistent view of deleted objects
Recycle Bin User Interface: Requirements
• Recycle Bin’s own requirements must first be satisfied, e.g.
  • Windows Server 2008 R2 forest functional level
  • Recycle Bin optional feature must be switched on
• Windows Server 2012 Active Directory Administrative Center
• Objects requiring recovery must have been deleted within the Deleted Object Lifetime (DOL), which defaults to 180 days
Dynamic Access Control (DAC): Background
• today, it’s difficult to translate business intent using the existing authorization model
  • no central administration capabilities
  • the existing expression language makes it hard or impossible to fully express requirements
  • increasing regulatory and business requirements around compliance demand a different approach
Dynamic Access Control (DAC): Solution
• new central access policies (CAP) model
• new claims-based authorization platform enhances, not replaces, the existing model
  • user claims and device claims; user + device claims = compound identity
  • includes traditional group memberships too
• use of file-classification information in authorization decisions
• modern authorization expressions, e.g.
  • evaluation of ANDed authorization conditions
  • leveraging classification and resource properties in ACLs
• easier Access-Denied remediation experience
• access and audit policies can be defined flexibly and simply, e.g.
  IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor
Dynamic Access Control (DAC): Requirements
• Windows 8 or Windows Server 2012 file servers (no DCs necessary yet)
  • modern authorization expressions, e.g. evaluating ANDed authorization conditions
  • NOTE: leveraging classification and resource properties in ACLs requires the Windows Server 2012 schema
  • Access Denied Remediation
• 1 or more Windows Server 2012 DCs required for Kerberos claims
  • Central Access Policies (CAP) support
  • must enable the claims policy in a Domain Controller-scoped policy, e.g. Default Domain Controllers Policy
  • once configured, Windows 8 clients might use only Windows Server 2012 DCs: enough DCs must be deployed to service the load imposed by uplevel clients and servers (piling on)
• Windows Server 2012 Active Directory Administrative Center to administer CAPs and CAPRs (CAPR = Claims Access Policy Rules)
• for device claims, compound ID must be switched on at the target service account, via Group Policy or by directly editing the corresponding objects
• downlevel clients require DFL 5 in order to receive claims from a KDC
  • in the absence of that, uplevel servers are able to use S4U2Self to obtain a claims-enabled ticket on the caller’s behalf
  • note that Authentication Mechanism Assurance (AMA) SIDs/claims and device authorization data are not available, since the context around authentication method and device is already lost
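A small evaluator for the kind of policy the Solution slide quotes (IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor), added here and not part of the deck or of Windows: it parses ANDed/ORed claim conditions, combines user, device and resource claims, and shows a device condition failing closed when no device claims (no compound identity) are present. The rule-combination rule (every applicable rule must grant; NTFS DACL left out), the claim names and the sample contexts are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# tokens: parentheses, keywords, comparison operators, quoted strings, dotted claim names
TOKEN = re.compile(r'\s*(\(|\)|AND\b|OR\b|NOT\b|!=|=|"[^"]*"|[A-Za-z_][\w.]*)')


class Condition:
    """DAC-style conditional expression over user.*, device.* and resource.* claims.
    AND binds tighter than OR; parentheses and NOT are supported; '=' against a
    multi-valued claim (e.g. user.MemberOf) tests membership."""
    def __init__(self, text):
        self.tokens, self.pos = TOKEN.findall(text), 0
        self.ast = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _take(self, expected=None):
        tok = self.tokens[self.pos] if self.pos < len(self.tokens) else None
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def _expr(self):                      # or-expr := and-expr (OR and-expr)*
        return self._chain("OR", lambda: self._chain("AND", self._term))

    def _chain(self, op, sub):            # sub (op sub)* -> left-nested (op, lhs, rhs)
        node = sub()
        while self.pos < len(self.tokens) and self.tokens[self.pos] == op:
            self._take()
            node = (op, node, sub())
        return node

    def _term(self):
        tok = self._take()
        if tok == "(":
            node = self._expr()
            self._take(")")
            return node
        if tok == "NOT":
            return ("NOT", self._term())
        op = self._take()
        if op not in ("=", "!="):
            raise ValueError(f"expected = or != after {tok}, got {op!r}")
        return (op, tok, self._take().strip('"'))

    def evaluate(self, ctx, node=None):
        """ctx = {"user": {...}, "device": {...}, "resource": {...}}; values are str or set."""
        node = self.ast if node is None else node
        kind = node[0]
        if kind in ("AND", "OR"):
            lhs, rhs = self.evaluate(ctx, node[1]), self.evaluate(ctx, node[2])
            return (lhs and rhs) if kind == "AND" else (lhs or rhs)
        if kind == "NOT":
            return not self.evaluate(ctx, node[1])
        op, attr, value = node
        scope, _, name = attr.partition(".")
        claims = ctx.get(scope) or {}
        if name not in claims:   # absent claims (e.g. no device claims without compound ID) fail closed
            return False
        actual = claims[name]
        hit = value in actual if isinstance(actual, (set, list)) else str(actual) == value
        return hit if op == "=" else not hit


@dataclass
class CentralAccessRule:
    name: str
    target: Condition   # which resources (by classification / resource properties) the rule covers
    permissions: list   # [(Condition on user/device claims, set of rights), ...]
    audit: list = field(default_factory=list)   # [("Success" | "Failure", Condition), ...]


def evaluate_request(rules, ctx, requested):
    """Model assumption: every applicable rule must grant all requested rights (most
    restrictive wins); the NTFS DACL check that DAC layers on top is left out."""
    applicable = [r for r in rules if r.target.evaluate(ctx)]
    granted = all(requested <= set().union(*(rights for cond, rights in r.permissions
                                               if cond.evaluate(ctx))) for r in applicable)
    outcome = "Success" if granted else "Failure"
    audits = [(r.name, outcome) for r in applicable
              for want, cond in r.audit if want == outcome and cond.evaluate(ctx)]
    return granted, audits


# constructed policy after the deck's example:
#   IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor
RULES = [CentralAccessRule(
    name="Finance high-confidentiality data",
    target=Condition("resource.Confidentiality = high AND resource.Department = Finance"),
    permissions=[(Condition('user.MemberOf = "Finance Users" AND device.Managed = True'), {"Read", "Write"}),
                 (Condition("user.EmployeeType = vendor AND device.Managed = True"), {"Read"})],
    audit=[("Success", Condition("user.EmployeeType = vendor")),
           ("Failure", Condition("user.EmployeeType = vendor"))])]

# constructed sample contexts: user/device claims as carried in a Kerberos ticket, plus file classification
FINANCE_FILE = {"Confidentiality": "high", "Department": "Finance"}
FINANCE_FTE = {"user": {"EmployeeType": "FTE", "MemberOf": {"Finance Users"}},
               "device": {"Managed": "True"}, "resource": FINANCE_FILE}
VENDOR_NO_DEVICE = {"user": {"EmployeeType": "vendor"}, "resource": FINANCE_FILE}   # no compound identity
VENDOR_MANAGED = {**VENDOR_NO_DEVICE, "device": {"Managed": "True"}}
```

evaluate_request(RULES, VENDOR_NO_DEVICE, {"Read"}) is denied with a Failure audit because the device condition cannot be satisfied without device claims, while the same vendor on a managed device gets Read and a Success audit.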
Kerberos Claims (DAC) in AD FS: Background
• AD FS v2.0 is able to generate user claims directly from NT tokens
  • also capable of further expanding claims based on attributes in Active Directory and other attribute stores
• in Windows Server 2012, we know that Kerberos tickets can also contain claims
  • but AD FS 2.0 can’t read claims from Kerberos tickets
  • forced to make additional LDAP calls to Active Directory to source user-attribute claims
  • cannot leverage device-attribute claims at all
Kerberos Claims (DAC) in AD FS: Solution
• AD FS (v2.1) in Windows Server 2012 is now able to populate SAML tokens with user and device claims taken directly from the Kerberos ticket
Requirements
• DAC enabled and configured
• compound ID must be switched on for the AD FS service account
• Windows Server 2012 AD FS (v2.1)
Active Directory-based Activation (AD BA): Background
• today, Volume Licensing for Windows/Office requires Key Management Service (KMS) servers
  • requires minimal training
  • turnkey solution covers ~90% of deployments
  • complexity caused by lack of a graphical administration console
  • requires RPC traffic on the network, which complicates matters
  • does not support any kind of authentication; the EULA prohibits the customer from connecting the KMS server to any external network
    • i.e. connectivity alone to the service equates to activated
Active Directory-based Activation (AD BA): Solution
• use your existing Active Directory infrastructure to activate your clients
  • no additional machines required
  • no RPC requirement, uses LDAP exclusively
  • includes RODCs
  • beyond installation and service-specific requirements, no data written back to the directory
• activating the initial CSVLK (customer-specific volume license key) requires:
  • one-time contact with Microsoft Activation Services over the Internet (identical to retail activation)
  • key entered using the volume activation server role or using the command line
  • repeat the activation process for additional forests, up to 6 times by default
• activation object maintained in the configuration partition
  • represents proof of purchase
  • machines can be members of any domain in the forest
  • all Windows 8 machines will automatically activate
Active Directory-based Activation (AD BA): Requirements
• only Windows 8 or Windows Server 2012 machines can leverage AD BA
• KMS and AD BA can coexist: you still need KMS if you require downlevel volume licensing
• setup requires a Windows 8 or Windows Server 2012 machine
• requires the Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers
Active Directory Windows PowerShell History Viewer: Background
• Windows PowerShell is a key technology in creating a consistent experience between the command line and the graphical user interface
• Windows PowerShell increases productivity, but requires investment in learning how to use it
Active Directory Windows PowerShell History Viewer: Solution
• allow administrators to view the Windows PowerShell commands executed when using the Administrative Center, e.g.
  • the administrator adds a user to a group
  • the UI displays the equivalent Active Directory Windows PowerShell command
  • administrators can copy the resulting syntax and integrate it into their scripts
• reduces the learning curve
• increases confidence in scripting
• further enhances Windows PowerShell discoverability
Active Directory Windows PowerShell History Viewer: Requirements
• Windows Server 2012 Active Directory Administrative Center
• Active Directory Web Service running on a domain controller within the target domain
Fine-Grained Password Policy: Background
• the Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password policies
• in order to leverage the feature, administrators had to manually create password-settings objects (PSOs)
  • it proved difficult to ensure that the manually defined policy values behaved as desired
  • resulted in time-consuming, trial-and-error administration
Fine-Grained Password Policy: Solution
• creating, editing and assigning PSOs is now managed through the Active Directory Administrative Center
• greatly simplifies management of password-settings objects
Fine-Grained Password Policy: Requirements
• FGPP requirements must be met, e.g. Windows Server 2008 domain functional level
• Windows Server 2012 Active Directory Administrative Center
Flexible Authentication Secure Tunneling (FAST)
Backgroundoffline dictionary attack against password-based logons possiblerelatively well-known concern around Kerberos errors being spoofedclients may:
fallback to less-secure legacy protocolsweaken their cryptographic key strength and/or ciphers
Flexible Authentication Secure Tunneling (FAST)
SolutionKerberos in Windows Server 2012 supports Flexible Authentication Secure Tunneling (FAST)
defined by RFC 6113sometimes referred to as Kerberos armoring
provides a protected channel between a domain-joined client and DC
protects pre-authentication data for user’s AS_REQsuses LSK (logon session key) from computer’s TGT as shared secretnote that computer authentication is NOT armored
allows DCs to return authenticated Kerberos errors thereby protecting them from spoofing
once all Kerberos clients and DCs support FAST (the admin’s decision to make)
the domain can be configured to either require Kerberos armoring or use it upon request
must first ensure all or enough DCs are running Windows Server 2012enable the appropriate policy
“Support CBAC and Kerberos armoring”“All DCs can support CBAC and Require Kerberos armoring”
Flexible Authentication Secure Tunneling (FAST)
Requirements
• Windows Server 2012 servers
• ensure that all domains the client uses, including transited referral domains:
  • enable the “Support CBAC and Kerberos armoring” policy for all Windows Server 2012 DCs
  • have a sufficient number of Windows Server 2012 DCs to support FAST
• enable the “Require FAST” policy on supported clients
• RFC-compliant FAST interop requires DFL 5
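The slides say the admin must first make sure all, or enough, DCs in every domain the client touches run Windows Server 2012 before turning on the armoring policies. The following readiness check is an added example, not part of the session deck: it walks every domain in the forest with the Active Directory module and reports the share of Windows Server 2012 DCs and the domain functional level. The MinimumRatio threshold is an assumption for the admin to set; the cmdlets and properties used are standard.

```powershell
# Added example (not from the session deck): FAST / Kerberos armoring readiness check.
# Assumes the Active Directory module is available and the caller can query every
# domain in the forest. Reports, per domain, how many DCs run Windows Server 2012
# and the domain functional level, so an admin can judge whether enough DCs can
# armor requests before enabling the KDC and client policies named in the slides.
Import-Module ActiveDirectory

function Get-FastReadiness {
    param(
        [string]$Forest = (Get-ADForest).Name,
        # Minimum share of Windows Server 2012 DCs wanted per domain (assumption; 1.0 = all)
        [double]$MinimumRatio = 1.0
    )
    foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        $dcs    = @(Get-ADDomainController -Filter * -Server $domain)
        $ws2012 = @($dcs | Where-Object { $_.OperatingSystem -like 'Windows Server 2012*' })
        $legacy = @($dcs | Where-Object { $_.OperatingSystem -notlike 'Windows Server 2012*' })
        $ratio  = if ($dcs.Count -gt 0) { $ws2012.Count / $dcs.Count } else { 0 }
        [pscustomobject]@{
            Domain       = $domain
            # DFL 5 corresponds to the Windows Server 2012 domain functional level
            DomainMode   = (Get-ADDomain -Identity $domain).DomainMode
            TotalDCs     = $dcs.Count
            Ws2012DCs    = $ws2012.Count
            ReadyForFast = ($ratio -ge $MinimumRatio)
            LegacyDCs    = ($legacy | Select-Object -ExpandProperty HostName) -join ', '
        }
    }
}

Get-FastReadiness | Format-Table -AutoSize
```

Run it before switching any domain to the “Require” setting: a client set to require FAST fails authentication when it reaches a DC that cannot armor, so every domain listed with ReadyForFast = False (including referral domains) needs attention first.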
Kerberos Constrained Delegation (KCD)
Background
• Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003
• KCD permits a service’s account (front-end) to act on behalf of users in multi-tier applications for a limited set of back-end services, e.g.
  • user accesses a web site as user1
  • user requests information from the web site (front-end) that requires the web server to query a SQL database (back-end)
  • access to this data is authorized according to who accessed the front-end
  • in this case, the web service must impersonate user1 when making the request to SQL
• front-end configured with the services (by SPN) to which it can impersonate users
• setup/administration requires Domain Admin privileges
• KCD delegation only works for back-end services in the same domain as the front-end service-accounts
Kerberos Constrained Delegation (KCD)
Solution
KCD in Windows Server 2012 moves the authorization decision to the resource-owners
• permits the back-end to authorize which front-end service-accounts can impersonate users against their resources
• supports cross-domain, cross-forest scenarios
• no longer requires Domain Admin privileges; requires only administrative permission to the back-end service-account
Kerberos Constrained Delegation (KCD)
Requirements
• clients run Windows XP or later
• client domain DCs running Windows Server 2003 or later
• front-end server running Windows Server 2012
• 1 or more DCs in the front-end domain running Windows Server 2012
• 1 or more DCs in the back-end domain running Windows Server 2012
• back-end server account configured with the accounts that are permitted for impersonation
  • not exposed through Active Directory Administrative Center
  • configured through Active Directory Windows PowerShell Cmdlets:
    New/Set-ADComputer [-name] <string> [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]
    New/Set-ADServiceAccount [-name] <string> [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]
• Windows Server 2012 schema update in the back-end server’s forest
• back-end application server running Windows Server 2003 or later
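The cmdlet syntax above is all the deck gives. The script below is an added example, not from the session: it shows the back-end owner granting a front-end in another domain the right to impersonate users, verifying the result, and then enumerating every account in a domain that has handed out such a grant, which is the review a defender wants to run periodically. The host and domain names are assumptions; the cmdlets, the PrincipalsAllowedToDelegateToAccount parameter and the msDS-AllowedToActOnBehalfOfOtherIdentity attribute the cmdlet writes are real.

```powershell
# Added example (not from the session deck): configure and audit resource-based
# Kerberos Constrained Delegation across two domains. Assumed names: front-end web
# server WEB01 in frontend.corp.example, back-end SQL server SQL01 in
# backend.corp.example. Run by the owner of SQL01's computer object; Domain Admin
# rights are not needed.
Import-Module ActiveDirectory

$frontEndDomain = 'frontend.corp.example'   # assumption
$backEndDomain  = 'backend.corp.example'    # assumption

# 1. Resolve the front-end service account in its own domain (a gMSA resolved
#    with Get-ADServiceAccount can be passed in exactly the same way).
$frontEnd = Get-ADComputer -Identity 'WEB01' -Server $frontEndDomain

# 2. The resource owner authorizes WEB01 to impersonate users against SQL01.
#    The parameter replaces the whole list, so pass every front-end that should stay.
Set-ADComputer -Identity 'SQL01' -Server $backEndDomain `
               -PrincipalsAllowedToDelegateToAccount $frontEnd

# 3. Verify what the back-end now allows. The cmdlet stores the grant as a security
#    descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity on SQL01.
(Get-ADComputer -Identity 'SQL01' -Server $backEndDomain `
                -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount

# 4. Defender's review: every account in a domain that has delegated this
#    authorization to someone, and to whom. Identities come back as SIDs or
#    NTAccounts, which is what you need when the front-end lives in another forest.
function Get-ResourceBasedKcdGrants {
    param([string]$Server)
    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    Get-ADObject -LDAPFilter "($attr=*)" -Server $Server -Properties $attr |
        ForEach-Object {
            $sd = $_.$attr    # System.DirectoryServices.ActiveDirectorySecurity
            [pscustomobject]@{
                Account    = $_.DistinguishedName
                AllowedFor = ($sd.Access | Where-Object { $_.AccessControlType -eq 'Allow' } |
                              ForEach-Object { $_.IdentityReference.Value }) -join '; '
            }
        }
}

Get-ResourceBasedKcdGrants -Server $backEndDomain | Format-Table -AutoSize
```

Because the grant lives on the back-end object, an unexpected entry in the audit output means someone with write access to that account, not a Domain Admin, authorized a new front-end; that is the trade-off the slides describe when they move the decision to resource owners.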
Group Managed Service Accounts (gMSA)
Background
• Managed Service Accounts (MSAs) introduced with Windows Server 2008 R2
• clustered or load-balanced services that needed to share a single security-principal were unsupported
• MSAs not able to be used in many desirable scenarios
Group Managed Service Accounts (gMSA)
Solution
• introduce new security principal type known as a gMSA
• services running on multiple hosts can run under the same gMSA account
• 1 or more Windows Server 2012 DCs required
  • gMSAs can authenticate against any OS-version DC
  • passwords computed by the Group Key Distribution Service (GKDS) running on all Windows Server 2012 DCs
• Windows Server 2012 hosts using gMSAs obtain the password and password-updates from GKDS
  • password retrieval limited to authorized computers
  • password-change interval defined at gMSA account creation (30 days by default)
• like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools
  • support for scheduled tasks is being investigated
Group Managed Service Accounts (gMSA)
Requirements
• Windows Server 2012 Active Directory schema updated in forests containing gMSAs
• 1 or more Windows Server 2012 DCs to provide password computation and retrieval
• only services running on Windows 8 or Windows Server 2012 can use gMSAs
• Windows Server 2012 Active Directory Module for Windows PowerShell to create gMSA accounts
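The deck states the requirements but not the steps. What follows is an added example, not from the session: creating a gMSA for a two-node web farm with the Active Directory module, restricting password retrieval to those hosts and shortening the rotation interval the slides say is set at creation time. The account, host and domain names are assumptions; Add-KdsRootKey, Get-KdsRootKey, Test-ADServiceAccount and the -ManagedPasswordIntervalInDays parameter are real but not mentioned on the slides.

```powershell
# Added example (not from the session deck): create a gMSA for a two-node web farm
# and restrict password retrieval to those hosts. Assumed names: gMSA 'svc-webfarm',
# hosts WEB01 and WEB02, group 'WebFarm-Hosts', domain corp.example.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key that the GKDS derives gMSA passwords from.
#    Normal use is Add-KdsRootKey -EffectiveImmediately, which still needs ~10 hours
#    to replicate; the back-dated EffectiveTime is a lab-only shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Put the farm hosts in a group so the retrieval authorization is managed in one place
#    (an account that is not in this group cannot fetch the password at all).
$hostsGroup = New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -PassThru
Add-ADGroupMember -Identity $hostsGroup -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# 3. Create the gMSA. Only members of WebFarm-Hosts may retrieve its password, and the
#    GKDS rotates it every 14 days instead of the 30-day default named on the slides.
New-ADServiceAccount -Name 'svc-webfarm' `
    -DNSHostName 'webfarm.corp.example' `
    -ServicePrincipalNames 'HTTP/webfarm.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostsGroup `
    -ManagedPasswordIntervalInDays 14

# 4. On each farm host (after a reboot so the new group membership is in its token):
#    install the account locally and confirm the host can pull the password.
#    Run these two lines on WEB01 and WEB02, not on the DC.
Install-ADServiceAccount -Identity 'svc-webfarm'
Test-ADServiceAccount -Identity 'svc-webfarm'    # True when retrieval works

# 5. Defender's check: who is allowed to read this gMSA's password?
(Get-ADServiceAccount -Identity 'svc-webfarm' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
```

The service is then configured in the Service Control Manager (or the IIS application pool identity) as CORP\svc-webfarm$ with a blank password; the host fetches the current password from the GKDS itself, which is why step 5 is the list worth reviewing.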
Active Directory Replication & Topology Cmdlets
Background
• administrators require a variety of tools to manage Active Directory’s site topology
  • repadmin
  • ntdsutil
  • Active Directory Sites and Services
  • etc.
• results in an inconsistent experience
• difficult to automate
Active Directory Replication & Topology Cmdlets
Solution
manage replication and site-topology with Active Directory Windows PowerShell
• create and manage sites, site-links, site-link bridges, subnets and connections
• replicate objects between DCs
• view replication metadata on object attributes
• view replication failures
• etc.
• provides a consistent and more easily scriptable experience
• compatible and interoperable with other Windows PowerShell Cmdlets
Active Directory Replication & Topology Cmdlets
Requirements
• Active Directory Web Service (ADWS), or Active Directory Management Gateway (for Windows Server 2003 or 2008)
• Remote Server Administration Tools (RSAT)
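The Solution slide lists what the cmdlets cover without showing them. The script below is an added example, not from the session: it uses the Windows Server 2012 replication cmdlets for the tasks the slide names (topology objects, replication failures, attribute metadata, replicating one object) where repadmin or Sites and Services would previously have been used. The site name, subnet and group used as input are assumptions; the cmdlet names, parameters and output properties are real.

```powershell
# Added example (not from the session deck): replication health and topology tasks with
# the Windows Server 2012 AD replication cmdlets. Assumed input: a new site 'Branch-01'
# with subnet 10.20.30.0/24, and the Domain Admins group as the object to inspect.
Import-Module ActiveDirectory

# 1. Topology: site, subnet and a site link to the default site (replaces the
#    equivalent clicks in Active Directory Sites and Services).
New-ADReplicationSite -Name 'Branch-01'
New-ADReplicationSubnet -Name '10.20.30.0/24' -Site 'Branch-01'
New-ADReplicationSiteLink -Name 'HQ-Branch-01' `
    -SitesIncluded 'Default-First-Site-Name', 'Branch-01' -Cost 100 -ReplicationFrequencyInMinutes 15

# 2. Replication failures across the whole forest (repadmin /replsummary equivalent).
function Get-ForestReplicationFailures {
    Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
}

# 3. Per-partner status for one DC: when it last replicated from each partner and
#    whether the last attempt succeeded (repadmin /showrepl equivalent).
function Get-DcPartnerStatus {
    param([string]$DomainController)
    Get-ADReplicationPartnerMetadata -Target $DomainController -PartnerType Both |
        Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
}

# 4. Attribute-level metadata: which DC originated the last write to a sensitive
#    attribute and when. Useful after an unexpected group-membership change.
function Get-MemberWriteHistory {
    param([string]$GroupDn, [string]$DomainController)
    Get-ADReplicationAttributeMetadata -Object $GroupDn -Server $DomainController -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        Select-Object AttributeValue, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version
}

# 5. Push one object from one DC to another without waiting for the schedule
#    (repadmin /replsingleobj equivalent).
function Sync-SingleObject {
    param([string]$ObjectDn, [string]$SourceDc, [string]$DestinationDc)
    Sync-ADObject -Object $ObjectDn -Source $SourceDc -Destination $DestinationDc -PassThru
}

$pdc          = (Get-ADDomain).PDCEmulator
$domainAdmins = (Get-ADGroup 'Domain Admins').DistinguishedName
Get-ForestReplicationFailures                               | Format-Table -AutoSize
Get-DcPartnerStatus  -DomainController $pdc                 | Format-Table -AutoSize
Get-MemberWriteHistory -GroupDn $domainAdmins -DomainController $pdc | Format-Table -AutoSize
```

Because every function returns objects rather than text, the results pipe into Where-Object, Export-Csv or a scheduled alert the same way as any other cmdlet output, which is the “compatible and interoperable” point the slide makes.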
In Review
Easier to Manage
Windows Server 2012
• Managed Service Accounts for farms (gMSA)
• Support for cross-domain Kerberos Constrained Delegation
• Spoofing of Kerberos errors much more challenging
• Active Directory UI investments
  • support in Active Directory’s Administrative Center for managing deleted objects and Fine Grained Password Policies
  • ability to view Windows PowerShell scripts that correspond to actions performed in the GUI
• Easier scripting of replication and topology tasks using new Active Directory Windows PowerShell Cmdlets
In the past…
• Managed Service Accounts work only on a single machine
• Kerberos Constrained Delegation (KCD) works only within a single domain
• Kerberos errors able to be spoofed
• No support in Active Directory Administrative Center for Recycle Bin or Fine Grained Password Policies
• PowerShell code must be written from scratch
• Hodge-podge of incompatible command-line tools and UIs used for managing replication and topology
In Review
Easier to Deploy
Windows Server 2012
• Safe virtualization
• Simplified deployment
  • Integrated end-to-end deployment experience
  • All deployment tasks are remoteable and automatically target the correct FSMOs
  • Input and environment validation throughout the deployment process helps decrease failures
  • Full Windows PowerShell support for automated deployment
• Rapid deployment of DCs using cloning
• AD FS deployment integration
In the past…
• Using snapshot features on virtual DCs results in a divergent Active Directory state
• Active Directory environment preparation is overly complex, requiring multiple steps
• DC promotion requires multiple phases to complete
• Deployment is not remoteable and requires interactive logon to multiple DCs
• Difficult to write automation scripts
Summary of Minimum Requirements
With this deployed… … these features become available

+ First Windows Server 2012 domain-member (or Windows 8 with RSAT installed)
  • New Active Directory Administrative Center
  • Windows PowerShell History Viewer
  • Graphical Recycle Bin and FGPP management
  • Richer authorization through DAC & FCI
  • Active Directory-based Activation
    • requires Windows Server 2012 schema extensions
  • Active Directory Replication & Topology Cmdlets
  • AD FS (v2.1)

+ First Windows Server 2012 DC
  • Simplified Deployment and Preparation
  • Dynamic Access Control policies and claims
  • Kerberos Claims in AD FS (v2.1)
  • Cross-domain Kerberos Constrained Delegation
  • Group Managed Service Accounts
  • Virtualization-Safe for the Windows Server 2012 DC
    • requires Hypervisor support for VM-Gen-ID

+ Windows Server 2012 DC holds PDC FSMO role
  • Rapid virtual DC deployment through DC-cloning
    • requires Hypervisor support for VM-Gen-ID
Appendix
Enhanced LDAP logging
Note that the registry override technique uses the Microsoft-internal DSID of the source-code file that implements the desired logging
• DSID used in a non-traditional manner (though similar):
  <dir ID><dir ID><file ID><file ID><logging level><logging level><logging level><logging level>
• typically, it’s:
  <dir ID><dir ID><file ID><file ID><line #><line #><line #><line #>
• there are ~15 directories with 15+ potentially useful source files in each
• source-code access is a MUST (and an ability to read the code is beneficial, too)
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\
  Value [MULTI_SZ]: Logging Override
  Data: 0C12FFFF (where FFFF says “log everything”)
New LDAP Controls/Behaviors
Batched extended-LDAP operations (1.2.840.113556.1.4.2212)
• all operations within a given batch are treated as a single transaction, i.e. all succeed or all fail
• primarily designed for a developer audience
  • possible with LDP but really not realistic
  • comprises a regular LDAP control and an unimaginably complex value
    • concatenation of the series of BER encodings of the ASN.1 descriptions of the desired LDAP operations (see, I told ya)
• useful for programmatic schema extensions since the entire list of updates could be batched
  • permits the entire set of updates to succeed or fail as a lump
Expected entry count (1.2.840.113556.1.4.2211)
• LDAP control that requires a minimum and maximum value (again, BER encoded values, so not trivial for the IT pro)
• if fewer than minimum or more than maximum, results are returned up to the exception and rounded to the nearest page size
• useful for uniqueness and/or absence checking (min=1 & max=1 --OR-- min=0 & max=0)
• when used in conjunction with batch processing…
  • it is possible to express conditional LDAP operations that fail or succeed as a transaction based on supplied criteria
  • e.g. write email address <e1> to userX only IF <e1> is not already in use by anyone else
    • carve out a filter that queries for the email address within my desired scope with an expected entry count of “0”
New LDAP Controls/Behaviors
Require server-sorted search to use the index on the sort attribute (1.2.840.113556.1.4.2207)
• only impacts sorted searches
• if query optimization does not result in a correctly sorted result set, then we revert to using a simple index over the sort attribute
  • requires post-processing to satisfy the request
  • the term “correctly” is defined as: the index’s natural sort criteria matches the specified sort criteria
• eliminates the need for a tempTable, thereby increasing scale possibilities (good for large result sets because, in the past, it would have simply failed)
• on the flip side, causes performance problems for smaller result sets
DIRSync_EX_Control (1.2.840.113556.1.4.2090)
• alters traditional DirSync behavior
• forces the return of specified unchanged attributes
• useful for a primarily developer audience only
New LDAP Controls/Behaviors
TreeDelete control with batch size (1.2.840.113556.1.4.2204)
• ensures deletions do not slow convergence beyond system tolerance
• today, batch size is hard-coded to 16K
• new control exposes a mechanism to lower this hard-coded default (not raise it)
  • value must be between 2 and the hard-coded limit of 16K
• exposed as an LDAP control allowing the delete operation to declare its own batch size
• requires that the value for the control be BER encoded
Return highest change stamp applied as part of an update (1.2.840.113556.1.4.2205)
• similar to the searchStats control in that, when checked in, it causes the result to contain additional data housing the invocationID and highest USN allocated during the transaction
• IT pro needs a tool to decode the resulting BER encoded series of key/value pairs
  • invocationID: 1.2.840.113556.1.4.2209
  • highestUSN: 1.2.840.113556.1.4.2208
• useful for programmatically determining convergence between any two instances immediately following an update
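Both the expected entry count control (1.2.840.113556.1.4.2211) and the TreeDelete-with-batch-size control (1.2.840.113556.1.4.2204) above need a BER-encoded value, which the slides call non-trivial for the IT pro. The script below is an added example, not from the session: a small BER encoder for INTEGER and SEQUENCE, functions that build both control values, and the absence check the deck describes (expected count 0 on a mail-address search) sent through System.DirectoryServices.Protocols. The ASN.1 shapes assumed for the two control values, the DC name and the search base are assumptions to verify against MS-ADTS and your environment; the OIDs are from the slides.

```powershell
# Added example (not from the session deck): BER-encoding control values for the
# expected-entry-count (1.2.840.113556.1.4.2211) and TreeDelete-with-batch-size
# (1.2.840.113556.1.4.2204) controls. ASSUMED value shapes (verify against MS-ADTS):
#   ExpectedEntryCount: SEQUENCE { searchEntriesMin INTEGER, searchEntriesMax INTEGER }
#   TreeDeleteEx:       SEQUENCE { batchSize INTEGER }
# dc01.corp.example and DC=corp,DC=example are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-BerInteger {
    param([uint32]$Value)   # non-negative only, which is all these controls need
    $content = New-Object System.Collections.Generic.List[byte]
    do {                    # big-endian, minimal number of bytes
        $content.Insert(0, [byte]($Value -band 0xFF))
        $Value = $Value -shr 8
    } while ($Value -gt 0)
    # INTEGER is two's complement: a leading byte with the high bit set needs a 0x00 prefix
    if ($content[0] -band 0x80) { $content.Insert(0, 0) }
    ,([byte[]](@(0x02, $content.Count) + $content.ToArray()))   # tag 0x02, length, content
}

function ConvertTo-BerSequence {
    param([object[]]$Elements)   # each element is an already-encoded byte[]
    $content = [byte[]]@(foreach ($e in $Elements) { $e })
    if ($content.Length -gt 127) { throw 'long-form length not needed for these controls' }
    ,([byte[]](@(0x30, $content.Length) + $content))           # tag 0x30 (SEQUENCE)
}

# Expected entry count: min=0 & max=0 is the absence check, min=1 & max=1 the uniqueness check.
function New-ExpectedEntryCountControl {
    param([int]$Min, [int]$Max)
    $value = ConvertTo-BerSequence -Elements (ConvertTo-BerInteger $Min), (ConvertTo-BerInteger $Max)
    New-Object System.DirectoryServices.Protocols.DirectoryControl('1.2.840.113556.1.4.2211', $value, $true, $true)
}

# TreeDelete with an explicit batch size: 2 up to the hard-coded 16K, lowering only.
function New-TreeDeleteBatchControl {
    param([ValidateRange(2, 16384)][int]$BatchSize)
    $value = ConvertTo-BerSequence -Elements (ConvertTo-BerInteger $BatchSize)
    New-Object System.DirectoryServices.Protocols.DirectoryControl('1.2.840.113556.1.4.2204', $value, $true, $true)
}

# RFC 4515 escaping so a caller-supplied address cannot change the filter's structure.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# The slide's scenario: only write <e1> to a user if nobody else already has it.
function Test-MailAddressUnused {
    param([string]$Mail,
          [string]$Server     = 'dc01.corp.example',   # placeholder
          [string]$SearchBase = 'DC=corp,DC=example')  # placeholder
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $filter = "(mail=$(ConvertTo-LdapFilterValue $Mail))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
               $SearchBase, $filter,
               [System.DirectoryServices.Protocols.SearchScope]::Subtree,
               [string[]]@('distinguishedName'))
    [void]$req.Controls.Add((New-ExpectedEntryCountControl -Min 0 -Max 0))
    try {
        $resp = $conn.SendRequest($req)
        return ($resp.Entries.Count -eq 0)
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Assumption: a violated expectation surfaces as an operation error;
        # either way, treat "not provably absent" as unsafe to write.
        return $false
    } finally { $conn.Dispose() }
}
```

New-TreeDeleteBatchControl is attached to a DeleteRequest’s Controls collection in the same way; only the control value changes, so the encoder is shared. On its own, the expected-count check is still a separate round trip from the write; the transactional version the slide describes needs the batch control around both operations.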
New LDAP Controls/Behaviors
Include ties in server-sorted search results [aka “soft size limit”] (1.2.840.113556.1.4.2210)
• within the context of a sorted search, two objects are considered “tied” if their attribute values for the sorted attribute are the same, i.e. the objects are tied by virtue of the common value in the sort attribute (same place in the index)
• also termed “soft size limit”
• value supplied for SOFT_SIZE_LIMIT must be less than the LDAP size limit
• search must be sorted in order for the notion of a “tie” to have any meaning
• what does it do?
  • imagine paging through the Exchange GAL and requesting only a page at a time
  • you’d like to be able to get the next page from any DC (not become “sticky” with the same DC the request began against)
  • to do so, you need to be sure where the last page ended, e.g. I’m on page 3 sorted on givenName and it ends with Dean
  • what if there are multiple Deans?
  • “soft size limit” numerically governs the page-size but ensures that any duplicates of the last entry (Dean) are also returned
    • unless that exceeded the hard size limit
  • this allows the next page to be requested by filtering on “(&(givenName>=Dean)(!(givenName=Dean)))”
    • which, in turn, permits the page requests to be distributed across DCs
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.