What’s new in Windows Server 2012 Active Directory?


Published on

More info on http://techdays.be.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

What’s new in Windows Server 2012 Active Directory?

  1. 1. With Windows Server 2012 AD you canUse GUI management for:  The Recycle Bin  Fine Grain Password PoliciesPerform simplified and more robust DC installationsSafely virtualize DCsClone DCsImplement Kerberos claims identityControl access to files and folders with Dynamic Access ControlProtect the RID poolUse PowerShell for everythingAnd more…
  2. 2. Make sure PowerShell is your best friendPowerShell 3.0 with over 2000 cmdlets Allows creation scripts with workflow AD PowerShell history helps you get started Comprehensive cmdlets for replication management Newest help files download on demand: Update-Help
  3. 3. Installing Domain Controllers
  4. 4. Dcpromo RIP Can be run remotely
  5. 5. Create IFM seed with NTDSUTILIFM seed generation no longer requires offline defrag (on by default)
  6. 6. Adprep can still be run manually if required Checks are performed at each stage of the Wizard and any issues highlighted before the final validation
  7. 7. DC virtualization
  8. 8. Restoring from an image One DC fails  We can restore an image backup Any problems?
  9. 9. USN rollback… snapshot DSA-GUID = A DSA-GUID = B InvocationID = E InvocationID = M highestCommitedUSN =1000 highestCommitedUSN = 3000 HW vector M,3000 HW vector E,1000 DSA-GUID = A DSA-GUID = B Time InvocationID = E InvocationID = M highestCommitedUSN =4567 highestCommitedUSN = 5679 HW vector M,5679 HW vector E,4567 DSA-GUID = A DSA-GUID = B Restore InvocationID = E InvocationID = M highestCommitedUSN = 4567 highestCommitedUSN = 3000 HW vector M,5679 HW vector E,1000
  10. 10. What happens next? Add users DC1 DC2 DSA-GUID = A DSA-GUID = B InvocationID = E InvocationID = M highestCommitedUSN = 4567 highestCommitedUSN = 3000 3050 HW vector M,5679 HW vector E,1000 Send me your changes from 1000 Checks UTD vectors from DC2 and sends changes  Replication OK Send me your changes from 5679 It gets worse! There aren’t any!
  11. 11. Post Server 2003 SP1 quarantining DSA-GUID = A DSA-GUID = B InvocationID = E InvocationID = M highestCommitedUSN = 4567 highestCommitedUSN = 3050 HW vector M,5679 HW vector E,1000 Send me your changes from 5679 There aren’t any! Appears more up to date than me, that’s not right! Replication Write event log messages log Disable inbound and outbound replication Stop Netlogon service
  12. 12. Windows Server 2012 solution The hypervisor creates an identifier VM-Generation ID (128 bits)  Exposed to the guest OS via the BIOS ACPI namespace  Stored by the DC on promotion in the msDS-GenerationID attribute  An attribute of the DC computer object The VM-Generation ID is set during a VM import, copy or application of a snapshot When the DC boots, if the VM-Generation ID and the msDS-GenerationID are not the same  The DC assumes an AD restore  InvocationID Changes  Seen as a new replication source  RID pool discarded  Non-authoritative restore of SYSVOL
  13. 13. Hypervisor support22 January 2013 Windows Server 2012 Standard Edition (Hyper-V) Windows Server 2012 Enterprise Edition (Hyper-V) Hyper-V Server 2012 (Hyper-V) Windows 8 Professional (Hyper-V) Windows 8 Enterprise (Hyper-V) VMware Workstation 9.0 VMware vSphere 5.0 with Update 4 VMware vSphere 5.1
  14. 14. DC cloning
  15. 15. Cloning steps Source DC CloneableDomainControllers Check for incompatible components PDCE Get-ADDCCloningExcludedApplicationList W2012 Remove incompatible components or declare them as safe Cloned DC Create new VM XMLDCCloneConfig.XMLDeploy XML to source DC If ID has changedor mounted vhd/vhdx copy cloning starts if XML(can be on removable media) exists
  16. 16. Start the copied DC and…
  17. 17. DefaultDCCloneAllowList.XMLGet-ADDCCloningExcludedApplicationList displays any services orapplications that are running that are NOT included in the XMLThese applications or services must either be removed or if consideredsafe added to CustomDCCloneAllowList.XMLGenerate XML using: Get-ADDCCloningExcludedApplicationList -GenerateXML  Xml added to %windir%NTDS
  18. 18. DCCloneConfig.XML New-ADDCCloneConfigFile –Static -IPv4Address "" -IPv4DNSResolver "" -IPv4SubnetMask "" -CloneComputerName "AD-DC3" -IPv4DefaultGateway "" -SiteName "London" <?xml version="1.0"?> <d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfigCreate using New-ADDCCloneConfigFile <ComputerName>rootdc4</ComputerName> <SiteName>London</SiteName>or create from sample: <IPSettings>..windowssystem32SampleDCCloneConfig.XML <IPv4Settings> <StaticSettings> <Address></Address>DCCloneConfig.xml placed in …windowsNTDS <SubnetMask></SubnetMask>Alternate locations are available <DefaultGateway></DefaultGateway> <DNSResolver></DNSResolver> </StaticSettings> </IPv4Settings> </IPSettings> </d3c:DCCloneConfig>
  19. 19. Kerberos enhancements
  20. 20. Kerberos changesThere are a number of other changes to Kerberos to enhance day to dayoperations Increase to the maximum Kerberos SSPI context buffer size PAC group compression Warning events for large token sizes Increased loggingMajor changes New Kerberos constrained delegation support Claims support
  21. 21. Block cross forest delegationDelegation by setting netdom trust to “no” for /EnableTGTDelegation Protect backend services by setting services account parameter – PrincipalsAllowedToDelegateToAccount Prior to Windows Server 2012, constrained delegation required the front- and back-end service accounts to be in the same domain 2012 allows delegation across domains and forest trusts
  22. 22. Adding claims to the Kerberos token Pre-Windows 8 Windows 8 & Server 2012 Compound ID PAC contains a user’s User’s Kerberos Groups group and claims Token User information Claims + PAC Groups Device information Device ClaimsUser’s group memberships added toPAC Authorization can be based on groupAuthorization based on group membership, user and device claimsmembership
  23. 23. Dynamic Access ControlFiles can be classified (tagged) and access and audit policies applied based on the files classification Expression based access control and auditingExpressions can contain groups, users, and user and device claims Access based on compound ID user and device claims
  24. 24. Enabling Kerberos for claimsEnable the KDC administrative template for Support for Dynamic AccessControl and Kerberos armoringKerberos armoring also referred to as Flexible Authentication SecureTunneling (FAST) provides: A protected channel between the Kerberos client and the KDC  Protection against offline dictionary attacks Signs Kerberos error messages  Prevent spoofing Compound identity
  25. 25. Exhaustible resources
  26. 26. DNTsEach DC keeps track of object written to its database using aDistinguished Name Tag (DNT) The DNT is held in a 2^31 bit number (~ 2 billion) The DNT is incremented as each new object is written A DNT value is never reused even if an object is deletedWhen you run out of DNTs the DC must be demoted and thenrepromotedThe DNT value is now exposed through a constructed attribute ofRootDSE approximateHighestInternalObjectID
  27. 27. SIDs S-1-5-21-1539329446-2123584859-1544097757-5023 Domain subauthority RIDSIDs must be unique throughout and across forestsThe RID is incremented by one each time a new SID is generated This is simple to implement in a single-master environment A RID master is required in a multi-master domain controller environment
  28. 28. RID management attributes RID Master rIDAvailablePool Replicates Holds start of next 7500 7500 pool to be allocatedApplies for a new pool No replication Xwhen 50% of the current rIDPreviousAllocationPool 6500 7000pool has been consumed rIDAllocationPool 6500 7000 RID Set used for SID generation rIDPreviousAllocationPool Current pool on DC rIDAllocationPool Next pool to be used on DC
  29. 29. RID Manager Attributes cn=RID Manager$,cn=System,dc=example,dc=com fSMORoleOwner Distinguished name of the NTDS Settings object rIDAvailablePool (large integer 64-bits) High value Low value Total number of RIDs that can be Start of Next RID pool to be allocated created in the domain The RID Manager object is replicated to all DCs in the domain  The rIDAvailablePool attribute is used by the RID Master when allocating the next RID pool to a DC
  30. 30. RID problems The maximum available RID is held as a 30 bit number  1073,741,824  10,000 RIDs/day for the next 294 years  So why is it an issue?  Rogue script creating millions of security principles  Very large RID Block size set  Incorrect values entered when elevating the RID pool during recovery  Large numbers of domain controllers removed and re-added  Bug – new RID pool requested every 30 seconds can occur under certain rare circumstances  See KB 2618669 for Windows 2008 R2 hotfix
  31. 31. Windows Server 2012 Warnings at 10% usage of remaining pool size  After warning recalculates the 10% marker and repeats  First event at 100 million  If you receive this you probably have a problem Ceiling at 90% usage – intervention required to issue more RIDs Max RID block size capped at 15K  HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNTDSRID ValuesRID Block Size Global RID Space Size Unlock  Global space can use 31 bit number doubling the RIDs available  2003 & 2008 DCs cannot use the 31 bit RID values
  32. 32. Lots of other improvementsSupport for deferred index creationOff-premises domain join Supports DirectAccess clientsEnhanced LDAP loggingNew LDAP behavioursActive Directory Based Activation (AD BA) Automatic activation for Windows 8 and Windows Server 2012 machines You still require KMS to support downlevel volume-licensing
  33. 33. Lots of other improvements (continued)Group Managed Service Accounts (gMSA) gMSA accounts can run a service across multiple servers  Services running gMSA accounts only supported on Windows 8 and Windows Server 2012PowerShell Cmdlets for replication support
  34. 34. So what do we get?Better GUI supportMore robust deployment of DCsSimplified Active Directory upgrade pathVirtualization safeQuick deployment via cloningFast domain and forest recovery through cloningCross-domain and forest constrained delegationRich access control and auditing via Dynamic Access ControlRecovery from depleted RID poolsPowerShell everywhere…
  35. 35. TechEd 2013I will be speaking a TechEd 2013 Precon: Windows Server DirectAccess Other breakouts
  36. 36. Consulting services on request John.craddock@xtseminars.co.uk John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk