What’s new in Active Directory in Windows Server 2012 and 2012 R2 Sander Berkouwer MCSE, MCITP, MCT, MVP
Transcript
Page 1: What’s new in Active Directory - Veeam Software

What’s new in Active Directory in Windows Server 2012 and 2012 R2

Sander Berkouwer MCSE, MCITP, MCT, MVP

Page 2:

Agenda
- What’s new in deployment and migration? Virtualization safeguards, Domain Controller Cloning, new promotion and upgrade process, Deferred Index Creation
- What’s new in security? Group Managed Service Accounts, Kerberos Armoring, Protected Users, Authentication Policies, Dynamic Access Control
- What’s new in managing Active Directory? Active Directory Recycle Bin GUI, Fine-grained Password Policies GUI, PowerShell History Viewer

Page 3:

What’s New in Active Directory security

Page 4:

Group Managed Service Accounts (gMSAs)
Challenges with service accounts
- Passwords are rarely changed, and interactive logons are rarely denied
- Passwords are stored as LSA secrets in the registry, where any local administrator can recover them in clear text

Managed Service Accounts (Windows Server 2008 R2)
- New object type in Active Directory
- Service accounts with automatic password and SPN management
- Ideal for service accounts on individual servers: one MSA can be installed on only one computer
group Managed Service Accounts (Windows Server 2012)
- New object type in Active Directory
- The password can be retrieved by a group of computers or by multiple computer objects
- Ideal for service accounts on server farms, clusters, etc.
- Requires a KDS root key in the forest and at least one Windows Server 2012 Domain Controller; the password is derived from that key, never stored, and rotated every 30 days by default
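The gMSA lifecycle the slide describes, as an added example written for this page (not code from the slides or from Veeam), using the ActiveDirectory PowerShell module. The group name WebFarmHosts, the hosts web01 and web02, the account svc-web01 and the SPN http/web.corp.example.com are hypothetical; run it as a Domain Admin in a forest with at least one Windows Server 2012 Domain Controller.

```powershell
# Added example, not from the original slides: end-to-end gMSA setup with the
# ActiveDirectory module. All names (group WebFarmHosts, hosts web01/web02,
# account svc-web01, SPN http/web.corp.example.com) are hypothetical.
Import-Module ActiveDirectory

# 1. Once per forest: the KDS root key every DC uses to derive gMSA passwords.
#    Production: plain Add-KdsRootKey, then wait ~10 hours for replication.
#    The -EffectiveTime in the past is a lab shortcut for single-DC environments.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# 2. Only a tightly scoped group of computer accounts may fetch the password.
#    Never grant this to "Domain Computers": every member host could then read
#    the password and impersonate the service.
$hosts = New-ADGroup -Name 'WebFarmHosts' -GroupScope Global -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $hosts -Members (Get-ADComputer 'web01'), (Get-ADComputer 'web02')

# 3. Create the gMSA: AES only (no RC4/DES legacy etypes), SPN managed by AD,
#    password rotated every 30 days.
New-ADServiceAccount -Name 'svc-web01' `
    -DNSHostName 'web.corp.example.com' `
    -ServicePrincipalNames 'http/web.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# 4. On each member host, after a reboot (or "klist -li 0x3e7 purge") so the
#    host's own ticket carries the new group membership:
#      Install-ADServiceAccount -Identity 'svc-web01'
#      Test-ADServiceAccount   -Identity 'svc-web01'   # True when the host can retrieve the password
#    Then configure the service to log on as CORP\svc-web01$ with an empty password field.

# 5. Audit who can read which gMSA password; an unexpected principal here is a
#    privilege-escalation path.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval
```

The group in step 2 is the security boundary: whoever can read the managed password is the service, so the audit query in step 5 belongs in a periodic review.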

Page 5:

Kerberos Armoring (FAST)
Kerberos is for ‘safe networks’
- Designed at MIT for Project Athena in the 1980s (Kerberos v5 was published as RFC 1510 in 1993); it was never designed for the Internet
- Without armoring, the pre-authentication data and the encrypted part of the KDC’s initial reply (AS-REP) are protected only by a key derived from the user’s password
- An attacker who captures that exchange can brute-force the password offline

Kerberos Armoring
- Also known as Flexible Authentication Secure Tunneling (FAST), described in RFC 6113
- Wraps the AS exchange in a tunnel keyed from the device’s own TGT, so pre-authentication is encrypted with a strong key and an attacker can no longer force a weaker cipher (no cipher fallback)
Enabling Kerberos Armoring
- Through Group Policy Objects (GPOs) on Domain Controllers (KDC support for claims, compound authentication and Kerberos armoring) and on client devices (Kerberos client support for the same)
- KDC options are: Not supported, Supported, Always provide claims, Fail unarmored authentication requests
- "Always provide claims" and "Fail unarmored authentication requests" need the Windows Server 2012 domain functional level; clients that cannot armor (pre-Windows 8) are refused once you fail unarmored requests
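Before moving the KDC setting to "Fail unarmored authentication requests", a practitioner wants to know that every Domain Controller can armor and that the domain functional level allows it. The following preflight is an added example written for this page, not code from the slides or from Veeam. The registry paths and value names (EnableCbacAndArmor, CbacAndArmorLevel under the KDC and Kerberos policy keys) are an assumption taken from the KDC and Kerberos policy templates; confirm them on your build with gpresult before relying on the output.

```powershell
# Added example, not from the original slides: preflight before enforcing
# Kerberos armoring on the KDCs. Registry locations are an assumption (policy
# template values); DC names and the domain mode come from Active Directory.
Import-Module ActiveDirectory

$KdcKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$ClientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$Levels    = @{ 0 = 'Not supported'; 1 = 'Supported'; 2 = 'Always provide claims'; 3 = 'Fail unarmored authentication requests' }

function Test-KerberosArmoringReadiness {
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *

    # "Always provide claims" and "Fail unarmored" need the Windows Server 2012
    # domain functional level, which in turn means every DC is 2012 (NT 6.2) or later.
    $dflOk  = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain
    $oldDcs = $dcs | Where-Object { [version](($_.OperatingSystemVersion -split ' ')[0]) -lt [version]'6.2' }

    # What each KDC currently advertises, read from its policy registry key.
    $kdcState = foreach ($dc in $dcs) {
        Invoke-Command -ComputerName $dc.HostName -ArgumentList $KdcKey -ScriptBlock {
            param($key)
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{ Enabled = [bool]$p.EnableCbacAndArmor; Level = [int]$p.CbacAndArmorLevel }
        } | Select-Object @{ n = 'DC'; e = { $dc.HostName } }, Enabled, @{ n = 'Level'; e = { $Levels[$_.Level] } }
    }

    [pscustomobject]@{
        DomainFunctionalLevel = $domain.DomainMode
        DflAllowsEnforcement  = $dflOk
        Pre2012DCs            = @($oldDcs | ForEach-Object HostName)
        KdcArmoring           = $kdcState
        SafeToFailUnarmored   = $dflOk -and -not $oldDcs -and -not ($kdcState | Where-Object { -not $_.Enabled })
    }
}

# Client side: the matching "Kerberos client support for claims, compound
# authentication and Kerberos armoring" policy must be on, or the client keeps
# sending unarmored AS-REQs and is refused once the KDCs enforce.
function Test-KerberosClientArmoring {
    $p = Get-ItemProperty -Path $ClientKey -ErrorAction SilentlyContinue
    [bool]$p.EnableCbacAndArmor
}

Test-KerberosArmoringReadiness | Format-List
```

Roll out in the order the policy names suggest: clients first, then KDCs at "Supported", and only when SafeToFailUnarmored is true and no unarmored requests remain in the KDC logs move to "Fail unarmored authentication requests".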

Page 6:

Protected Users Group
Pass-the-Hash attacks are real
- NTLM hashes cached by LSASS can be ‘reused’ (passed) to authenticate as that user without knowing the password
- They can even be reused in Kerberos: the NT hash is the key for the RC4-HMAC encryption type, so an attacker holding the hash can request a TGT (overpass-the-hash)

Protected Users Group
- Built-in global security group in Active Directory (created once the PDC emulator runs Windows Server 2012 R2)
- Members cannot authenticate with NTLM, cannot use DES or RC4-HMAC in Kerberos pre-authentication and cannot be delegated (constrained or unconstrained); their credentials are not cached for offline logon and their TGT lives 4 hours and cannot be renewed
- Useful to harden user accounts that have administrative privileges
Please note:
- Do not use for computer accounts, service accounts, MSAs or gMSAs: no NTLM, no RC4 and no delegation will break them
- Members need AES keys, which only exist after a password change on a Windows Server 2008 or later Domain Controller; make the account change its password first or its Kerberos logon fails
- Protection is non-configurable; the Domain Controller-side protections require the Windows Server 2012 R2 domain functional level

Page 7:

Authentication Policies & Policy Silos
Use when Protected Users protection is too rigid:
- When you want to configure the TGT lifetime and TGT renewal settings yourself
- When you want a different scope (computers and service accounts too, not only users)
Authentication Policies & Authentication Policy Silos
- Objects within the scope of a silo are tagged with a silo claim; the policy uses that claim to restrict from which hosts an account may authenticate and which accounts may obtain tickets to it
- Requires Kerberos Armoring on Domain Controllers and clients, and the Windows Server 2012 R2 domain functional level

Easily manageable
- Manage in the GUI with the Active Directory Administrative Center
- Manage with PowerShell cmdlets (New-ADAuthenticationPolicy, New-ADAuthenticationPolicySilo and friends)
- Easily manageable, but strong enough to lock anyone out: create policies and silos without enforcement first and review the audit events before enforcing them
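The two slides above (Protected Users and authentication policy silos) are one workflow for a tier-0 administrator account. The following is an added example written for this page, not code from the slides or from Veeam: it adds the account to Protected Users after the AES-key caveat, then builds a silo in audit mode so nothing is locked out until the logs have been reviewed. The account t0-admin, the workstations PAW01 and PAW02, the policy and silo names and the $aesEra date are hypothetical; the conditional ACE is the documented SDDL form for "allowed to authenticate from hosts in silo X".

```powershell
# Added example, not from the original slides: harden a tier-0 admin account with
# Protected Users and pin it to its admin workstations with an authentication
# policy silo created in audit mode. Account (t0-admin), hosts (PAW01, PAW02),
# policy/silo names and $aesEra are hypothetical. Needs 2012 R2 DFL and armoring.
Import-Module ActiveDirectory

$admin = Get-ADUser 't0-admin' -Properties PasswordLastSet

# 1. Protected Users members can only do AES Kerberos. AES keys exist only if the
#    password was set on a 2008+ DC, so reset it first if it predates that.
#    (assumption: $aesEra is when your domain got its first 2008 DC)
$aesEra = Get-Date '2010-01-01'
if ($admin.PasswordLastSet -lt $aesEra) {
    Set-ADAccountPassword -Identity $admin -Reset -NewPassword (Read-Host -AsSecureString "New password for $($admin.SamAccountName)")
}
# Never add service accounts, gMSAs or computer accounts: no NTLM, no RC4 and no
# delegation breaks them. Only user objects belong in this group.
if ($admin.ObjectClass -ne 'user') { throw 'Protected Users is for user accounts only' }
Add-ADGroupMember -Identity 'Protected Users' -Members $admin

# 2. Authentication policy: 4-hour user TGT, and the account may only
#    authenticate from devices that carry the silo claim. The silo name inside
#    the SDDL must match the silo created below.
$siloName = 'Tier0-Silo'
$policy = New-ADAuthenticationPolicy -Name 'Tier0-Policy' -PassThru `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))" `
    -ProtectedFromAccidentalDeletion $true
# No -Enforce: audit mode. Violations are logged on the DC in
# Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
# instead of being blocked, so you find the hosts you forgot before locking out.

# 3. Silo that applies the policy to the users, computers and services in it.
$silo = New-ADAuthenticationPolicySilo -Name $siloName -PassThru `
    -UserAuthenticationPolicy $policy -ComputerAuthenticationPolicy $policy `
    -ServiceAuthenticationPolicy $policy -ProtectedFromAccidentalDeletion $true

# 4. Membership is two-sided: the silo must grant access AND the account must be
#    assigned to it; one without the other has no effect.
foreach ($member in @($admin; Get-ADComputer 'PAW01'; Get-ADComputer 'PAW02')) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $member
    Set-ADAccountAuthenticationPolicySilo -Identity $member -AuthenticationPolicySilo $silo
}

# 5. Review, then enforce silo and policy once the audit log has been quiet.
Get-ADAuthenticationPolicySilo -Identity $silo -Properties Members | Select-Object Name, Enforce, Members
#   Set-ADAuthenticationPolicySilo -Identity $silo   -Enforce $true
#   Set-ADAuthenticationPolicy     -Identity $policy -Enforce $true
```

The policy only takes effect for armored requests, so an account in the silo that logs on from a client without armoring enabled is neither restricted nor logged; the armoring preflight belongs before this step.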

Page 8:

Dynamic Access Control
- Claims-based access control to files and folders
- Rich authorization scenarios based on user and/or device attributes
- Access can also depend on properties (classifications) of the files and folders themselves
- Define the scope and the access with resource properties on files and folders and with Central Access Policies pushed to file servers through GPOs
- Claims are sourced from attributes of user and device objects
- Central Access Policies
Requirements
- Windows Server 2012-based Domain Controllers, or up (with KDC support for claims enabled)
- Windows Server 2012-based file servers, or up (and several SAN/NAS products)
- Device claims and compound identity (CompoundID) require Windows 8 clients
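A minimal end-to-end DAC chain, as an added example written for this page (not code from the slides or from Veeam): a user claim sourced from the department attribute, a matching resource property for classifying folders, a central access rule whose conditional ACE compares the two, and a central access policy to publish to file servers. The claim ID ad://ext/Department, the resource property ID Department_MS and the display names are hypothetical; the conditional ACE follows the documented SDDL form.

```powershell
# Added example, not from the original slides: a minimal DAC chain with the
# ActiveDirectory module. Claim ID ad://ext/Department, resource property ID
# Department_MS and all display names are hypothetical.
Import-Module ActiveDirectory

# 1. User claim: issued inside the Kerberos ticket by 2012+ KDCs once "KDC support
#    for claims" is on. Its ID is what a conditional ACE refers to as @USER.<id>.
$claim = New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -Enabled $true -PassThru

# 2. Resource property: the classification file servers stamp on folders. Sharing
#    values with the claim keeps both sides comparing the same strings.
$prop = New-ADResourceProperty -DisplayName 'Department' -ID 'Department_MS' `
    -IsSecured $true -ResourcePropertyValueType 'MS-DS-Text' -SharesValuesWith $claim -PassThru
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $prop

# 3. Central access rule: on folders classified Department = Finance, Authenticated
#    Users get Read & Execute (0x1200a9) only when their Department claim is Finance.
#    (A;;FA;;;BA)(A;;FA;;;SY) keep Administrators and SYSTEM in.
$rule = New-ADCentralAccessRule -Name 'Finance documents' -PassThru `
    -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "Finance"))'

# 4. Policy that carries the rule. Publish it to file servers through a GPO
#    (Computer Configuration > Policies > Windows Settings > Security Settings >
#    File System > Central Access Policy), then select it on the folder's
#    Advanced Security > Central Policy tab.
$cap = New-ADCentralAccessPolicy -Name 'Finance documents policy' -PassThru
Add-ADCentralAccessPolicyMember -Identity $cap -Members $rule

# 5. What will actually be evaluated. A user whose ticket carries no claim (old
#    client, or client claims policy off) fails the XA ACE and is denied: the
#    fail-closed behaviour you want, but also the first thing to check when
#    "everyone lost access" after rollout.
Get-ADCentralAccessRule -Identity $rule -Properties ResourceCondition, CurrentAcl |
    Select-Object Name, ResourceCondition, CurrentAcl | Format-List
```

Central access policies are evaluated in addition to the NTFS ACL, never instead of it; the effective access is the intersection of both, which is why the rule keeps explicit ACEs for administrators.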

Page 9:

What’s New in managing Active Directory

Page 10:

Active Directory Scalability
RID Pool Artificial Ceiling
- RID pool depletion halts Active Directory object and trust creation (every security principal and every trust consumes a RID from the domain’s global pool)
- Requires the RID Master FSMO role on a Windows Server 2012-based Domain Controller
- The artificial ceiling blocks further allocation at 90% of the global RID space and logs warning events as the space is consumed; an administrator must explicitly lift the block (the msDS-RIDPoolAllocationEnabled attribute on the RID Manager$ object) before allocation resumes, so depletion cannot go unnoticed
31st bit of the RID Pool
- Twice the amount of RIDs available for object and trust creation: from 2^30 to 2^31, so now you can create 2 billion objects! :-)
- Unlocked, irreversibly, with a RootDSE modification (sidCompatibilityVersion = 1) in ldp.exe; pre-2012 Domain Controllers and some legacy software cannot handle SIDs with the 31st bit set
Exposed DNTs
- Distinguished Name Tags (DNTs) are Domain Controller-local row identifiers that don’t get reused or reclaimed
- Until now it was hard to see how far a Domain Controller had used up its DNTs
- In Windows Server 2012 and up, the "Approximate highest DNT" counter in perfmon.exe shows it
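How far the domain is from the ceiling is readable from the rIDAvailablePool attribute on the RID Manager$ object, which packs the size of the global RID space into its high 32 bits and the next RID to be issued into the low 32 bits. The following is an added example written for this page, not code from the slides or from Veeam; the unlock function performs the RootDSE write through ADSI Put/SetInfo in place of the ldp.exe dialog the slide mentions, which is an assumption about the write path, while the attribute names are the documented ones. Requires PowerShell 3.0 or later for -shr and -band on 64-bit integers.

```powershell
# Added example, not from the original slides: read global RID consumption and
# the 31st-bit state, and (guarded) perform the one-way RootDSE unlock. Uses
# ADSI Put/SetInfo instead of ldp.exe (assumption); attribute names are documented.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dn  = (Get-ADDomain -Identity $Domain).DistinguishedName
    $mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$dn" -Server $Domain `
        -Properties rIDAvailablePool, msDS-RIDPoolAllocationEnabled

    # rIDAvailablePool: high 32 bits = size of the global RID space,
    # low 32 bits = next RID the RID Master will hand out.
    [int64]$pool = $mgr.rIDAvailablePool
    $total = $pool -shr 32
    $next  = $pool -band 0xFFFFFFFF

    [pscustomobject]@{
        Domain             = $Domain
        RidsIssued         = $next
        RidsTotal          = $total
        PercentUsed        = [math]::Round(100 * $next / $total, 2)
        # Attribute absent ($null) means allocation was never blocked by the ceiling.
        AllocationEnabled  = $mgr.'msDS-RIDPoolAllocationEnabled' -ne $false
        ThirtyFirstBitOpen = $total -gt 0x3FFFFFFF     # default space is 2^30 - 1
    }
}

# Lifting the artificial ceiling once it has triggered (deliberately manual):
#   Set-ADObject -Identity "CN=RID Manager$,CN=System,<domain DN>" -Replace @{ 'msDS-RIDPoolAllocationEnabled' = $true }

function Enable-RidThirtyFirstBit {
    # One-way change: afterwards the RID Master issues RIDs above 2^30, which
    # Windows Server 2008 R2 and earlier DCs, and some SID-parsing software,
    # cannot handle. The RID Master itself must already run Windows Server 2012+.
    param(
        [Parameter(Mandatory)][string]$RidMaster,
        [switch]$Force
    )
    if (-not $Force) { throw 'Irreversible. Re-run with -Force after confirming every DC and SID consumer supports 31-bit RIDs.' }
    $root = [ADSI]"LDAP://$RidMaster/RootDSE"
    $root.Put('sidCompatibilityVersion', 1)
    $root.SetInfo()
}

Get-RidPoolStatus | Format-List
```

Watch PercentUsed and RidsIssued in monitoring rather than waiting for the ceiling event: a runaway provisioning script or a looping join process burns RIDs that are never given back, and the ceiling is a backstop, not an alert.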

Page 11:

Active Directory Administrative Center
Active Directory Recycle Bin GUI
- Recycle Bin has been available since Windows Server 2008 R2 (needs the 2008 R2 forest functional level and, once enabled, cannot be disabled)
- Previously manageable with PowerShell only (Enable-ADOptionalFeature, Restore-ADObject)
- Now in the Active Directory Administrative Center (dsac.exe)

Fine-grained Password Policy GUI
- FGPPs have been around since Windows Server 2008 (2008 domain functional level)
- Previously manageable on the command line (ADSI Edit, PowerShell) and with 3rd party tools
- Now in the Active Directory Administrative Center (dsac.exe)
Active Directory PowerShell History Viewer
- The Active Directory PowerShell module includes 145 cmdlets
- Hard, time-consuming to learn?
- The Active Directory Administrative Center (dsac.exe) to the rescue: every action performed in the GUI is shown as the cmdlet it ran, ready to copy into a script

Page 12:

What’s New in deploying and migrating Active Directory

Page 13:

New Promotion and Upgrade Processes
Challenges with promoting Domain Controllers
- Promoting a Domain Controller could not be done remotely
- Preparing a domain/forest (adprep) is difficult, time-consuming and error-prone

New promotion process
- Dcpromo.exe be gone! Replaced by the Active Directory Domain Services Configuration Wizard
- Available after role installation; can be run remotely from Server Manager, or scripted with the ADDSDeployment PowerShell module
New upgrade process
- No longer do you need to run adprep.exe separately in small environments
- Forest and domain preparation is triggered automatically when promoting the first Windows Server 2012 Domain Controller (the account used needs Schema Admins, Enterprise Admins and Domain Admins membership for that first promotion)
- Adprep.exe is still available, but only as a 64-bit binary
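The remote promotion the slide refers to, as an added example written for this page (not code from the slides or from Veeam), using the ADDSDeployment module that replaced dcpromo.exe. The target host DC03, the domain corp.example.com and the site name are hypothetical; the prerequisite test runs the same checks the wizard runs and promotes nothing.

```powershell
# Added example, not from the original slides: promote a replica DC remotely
# with the ADDSDeployment module. Host, domain and site names are hypothetical.
$target = 'DC03'
$domain = 'corp.example.com'
# Domain Admins suffices for a replica; the first 2012 DC in a forest also needs
# Schema Admins and Enterprise Admins because it runs adprep implicitly.
$cred = Get-Credential "$domain\Administrator"
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

Invoke-Command -ComputerName $target -Credential $cred -ArgumentList $domain, $cred, $dsrm -ScriptBlock {
    param($domain, $cred, $dsrm)

    # 1. Role binaries only; nothing is promoted yet.
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # 2. Dry run: the same prerequisite checks the wizard shows, as objects.
    $pre = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
        -SafeModeAdministratorPassword $dsrm -InstallDns
    if ($pre.Status -ne 'Success') {
        throw "Prerequisite check failed on $env:COMPUTERNAME`: $($pre.Message)"
    }

    # 3. Promote. -Force suppresses the confirmation prompt; the host reboots when done.
    Install-ADDSDomainController -DomainName $domain -Credential $cred `
        -SafeModeAdministratorPassword $dsrm -InstallDns `
        -SiteName 'Default-First-Site-Name' `
        -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
        -Force
}

# 4. After the reboot: the new DC should be registered and replicating.
Get-ADDomainController -Identity $target | Select-Object HostName, Site, IsGlobalCatalog
repadmin /showrepl $target
```

Keep the DSRM password out of scripts and ticketing systems: it is a local administrator credential for the directory database that does not rotate with domain passwords.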

Page 14:

Deferred Index Creation
Current challenges with indexability
- Marking an attribute as indexed in the schema triggers the index build immediately on every Domain Controller as the change replicates
- On a large database that build can stall a Domain Controller long enough to amount to a denial of service

Deferred Index Creation
- Index builds may be deferred to a more suitable time
- Not enabled by default; needs a registry change on each Domain Controller

Triggering Index Creation
- Reboot the Domain Controller, or
- Perform a RootDSE modification to start the pending index builds

Page 15:

Active Directory virtualization safeguards
Challenges with virtualizing Domain Controllers
- Organizations want to ‘virtualize everything’
- Active Directory assumes time moves in one direction: replication is tracked with ever-increasing Update Sequence Numbers (USNs) per Domain Controller
- Applying a snapshot or restoring a disk copy rewinds a DC’s USN while its partners have already seen higher values; the partners ignore the ‘old’ changes, which leads to USN rollback and lingering objects
Recommendations from Microsoft (pre-2012)
- Treat virtualized Domain Controllers like physical hosts: no snapshots, no saved state, no disk copies
- Take care of time synchronization

Virtualization-safe Active Directory
- Active Directory takes advantage of the hypervisor-supplied VM-GenerationID (Hyper-V on Windows Server 2012, and other hypervisors that implement it)
- The ID is stored in the database and compared with the hypervisor’s value on every write
- When the ID changes (a snapshot was applied or the VM was copied), the DC discards its RID pool and resets its InvocationID, so its later changes are seen as new and the rewound DC rejoins replication safely instead of rolling back

Page 16:

Domain Controller Cloning
Challenges with deploying replica Domain Controllers
- It takes 1-4 days to deploy a new Domain Controller
- Yet the hard disks of Domain Controllers are 98% equal

Recommendations from Microsoft (pre-2012)
- Do not attempt to clone Domain Controllers
- Do not reuse the (virtual) hard disk of a Domain Controller

Domain Controller Cloning
- Clone virtualized Domain Controllers to create replicas (prerequisites: the source DC is a member of Cloneable Domain Controllers, the PDC emulator runs Windows Server 2012 or up, the hypervisor supplies VM-GenerationID, and the source runs no software outside the clone allow list)
- Reduces 1-4 days to 10-15 minutes
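The checks behind both slides above (VM-GenerationID safeguards and cloning) in one script, as an added example written for this page, not code from the slides or from Veeam. It verifies that the source DC actually sees a VM-GenerationID and that the PDC emulator is Windows Server 2012 or later, authorizes the source, reviews the software allow list and writes the clone configuration. The source DC02, the clone name DC03, the addresses and the site name are hypothetical.

```powershell
# Added example, not from the original slides: prepare a virtualized DC for
# cloning. Source DC02, clone DC03, IP addresses and site name are hypothetical.
Import-Module ActiveDirectory

$source    = 'DC02'
$cloneName = 'DC03'

# 0. Safeguard prerequisite: the hypervisor must expose VM-GenerationID. Once a DC has
#    booted on such a hypervisor, the value is stored as msDS-GenerationId on its
#    computer object; no value means no snapshot safety and no cloning.
$genId = (Get-ADComputer $source -Properties 'msDS-GenerationId').'msDS-GenerationId'
if (-not $genId) { throw "$source does not see a VM-GenerationID; cloning is unavailable" }

# The PDC emulator must run Windows Server 2012 (NT 6.2) or later: the clone
# contacts it to finish its own promotion.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ([version](($pdc.OperatingSystemVersion -split ' ')[0]) -lt [version]'6.2') {
    throw "PDC emulator $($pdc.HostName) must run Windows Server 2012 or later"
}

# 1. Authorize the source DC to be cloned.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $source)

Invoke-Command -ComputerName $source -ArgumentList $cloneName -ScriptBlock {
    param($cloneName)

    # 2. Installed software not on the default allow list blocks cloning: remove it,
    #    or after vetting write it to CustomDCCloneAllowList.xml.
    $blocking = Get-ADDCCloningExcludedApplicationList
    if ($blocking) {
        $blocking | Format-Table Name, Type       # review before accepting
        Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    }

    # 3. Clone configuration: new name, static address, site. Written next to the
    #    database and consumed (then deleted) on the clone's first boot.
    New-ADDCCloneConfigFile -CloneComputerName $cloneName -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11', '10.0.0.12'

    # 4. Shut down, export the VM, import it as a copy and start the copy. The copy
    #    sees a new VM-GenerationID, finds DCCloneConfig.xml and promotes itself;
    #    the original DC keeps running unchanged afterwards.
    #    Stop-Computer -Force
}

# 5. After the clone boots: confirm it registered under its new name and replicates.
Get-ADDomainController -Identity $cloneName | Select-Object HostName, Site, IPv4Address
```

The VM-GenerationID check in step 0 is what makes the 'do not clone' rule safe to relax: a copied disk that boots on a hypervisor without the ID would come up with the original DC's identity and replication state, which is exactly the USN rollback the earlier slide warns about.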

Page 17:

Demo Domain Controller Cloning

Page 18:

Requirements Per feature in Active Directory

Page 19:

Requirements

[Requirements matrix: the slide is a table with one row per feature and one column per prerequisite; the per-cell marks did not survive extraction. Recovered column headings: 2003 DFL; 2008 DFL; 2008 R2 FFL; 2012 Server; 2012 Schema; 2012 DC; 2012 DC + PDCe; 2012 DC + RID P… (truncated on the slide); 2012 on all DCs; 2012 DFL; 2012 R2 Schema; 2012 R2 DC; 2012 R2 PDC; 2012 R2 DFL; 2012 File Servers; Windows 8.]

Rows (features):
Deployment and migration
- Virtualization-safe(r) Active Directory
- Domain Controller Cloning
- New promotion and upgrade process
- Deferred Index Creation
Security
- group Managed Service Accounts (gMSAs)
- Kerberos Armoring (FAST)
- Protected Users Group
- Authentication Policies & Authentication Policy Silos
- Dynamic Access Control
Manageability
- Active Directory Recycle Bin GUI
- Fine-grained Password Policies GUI
- Active Directory PowerShell History Viewer
Scalability
- RID Pool Artificial Ceiling
- 31st bit of the RID Pool
- Exposed DNTs

Page 20:

Concluding

Page 21:

Concluding
- What’s new in deployment and migration? Virtualization safeguards, Domain Controller Cloning, new promotion and upgrade process, Deferred Index Creation
- What’s new in security? Group Managed Service Accounts, Kerberos Armoring, Protected Users, Authentication Policies, Dynamic Access Control
- What’s new in managing Active Directory? Active Directory Recycle Bin GUI, Fine-grained Password Policies GUI, PowerShell History Viewer, scalability

Page 22:

Questions?

Page 23:

Thank you!
