The Benefits and Reasons for Upgrading to Windows Server 2012 Active Directory
Adam Hall, Raymond Chou
AI-B301
Topics
• Investment areas in Windows Server 2012 Active Directory
• Simplify and enhance the deployment process
• Increase robustness on virtualization platforms
• Enhance management capabilities
• Accommodate business-driven security requirements
A quick note: There is a lot of information in this session, too much in fact! Slides are heavy and designed for you to review. We’ll break it up with demos.
High-level areas of investment
Simplify and enhance the deployment process
Increase robustness on virtualization platforms
Enhance management capabilities
Accommodate business-driven security requirements
Simplify Deployment of Active Directory
Simplify Management of Active Directory
Virtualization That Just Works
Our broad goals
• All Active Directory features work equally well in physical, virtual or mixed environments
• Integration of environment prep, role install and DC promo into a single UI
• DCs can be deployed rapidly to ease disaster recovery and workload balancing
• DCs can be deployed remotely on multiple machines from a single machine
• Consistent command-line experience through Windows PowerShell
• Interfaces that simplify complex tasks
• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
• Active Directory Windows PowerShell support for managing replication and topology data
• Simplify delegation and management of service accounts
New features and enhancements
Simplified Deployment
Virtualization-Safe Technology
Rapid Deployment
Active Directory Platform Changes
Recycle Bin User Interface
Active Directory PowerShell History Viewer User Interface
Fine-Grained Password Policy User Interface
Active Directory Replication & Topology Cmdlets
Dynamic Access Control
Active Directory Based Activation
Kerberos Enhancements
Group Managed Service Accounts
Deployment Management
Simplified deployment
Background | In the past … | The solution!
• adding DCs running newer versions of the Windows Server operating system has proven to be:
• time consuming
• error-prone
• complex
• obtain the correct (new) version of the ADprep tools
• interactively logon at specific per-domain DCs using a variety of different credentials
• run the preparation tool in the correct sequence with the correct switches
• wait for replication convergence between each step
• integrate preparation steps into the promotion process
• automate the pre-requisites between each of them
• validate environment-wide pre-requisites before beginning deployment
• integrated with Server Manager and be remoteable
• built on Windows PowerShell for command-line and UI consistency
• configuration wizard aligns to the most common deployment scenarios
Remote execution against multiple servers
Windows PowerShell script export option
Deployment wizard features
Integrated pre-deployment validation
Simplified configuration pages
Prerequisite validation
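The slides describe the new flow (role install, environment-wide prerequisite validation, preparation folded into promotion, remote execution, script export) without showing the commands. The following is an added example, not a script from the deck: it drives one remote server through that flow with the ADDSDeployment cmdlets that the Server Manager wizard is built on, and that its "View script" export option emits. The domain name, site, target host, and credential are placeholders.

```powershell
# Added example: promote a replica DC remotely using the ADDSDeployment module
# (the same cmdlets the Windows Server 2012 deployment wizard exports as a script).
Import-Module ADDSDeployment

$domain       = 'corp.example.test'            # assumption: target domain
$site         = 'Default-First-Site-Name'      # assumption: AD site for the new DC
$target       = 'DC02'                          # assumption: member server to promote
$cred         = Get-Credential 'CORP\adm-dcpromo'   # account delegated to add DCs
$dsrmPassword = Read-Host -AsSecureString 'DSRM (safe mode) password'

Invoke-Command -ComputerName $target -ScriptBlock {
    # Step 1: role install. The wizard does this before the promotion pages.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

    $common = @{
        DomainName                    = $using:domain
        SiteName                      = $using:site
        Credential                    = $using:cred
        SafeModeAdministratorPassword = $using:dsrmPassword
        InstallDns                    = $true
        NoGlobalCatalog               = $false
    }

    # Step 2: prerequisite validation. Nothing is changed; the checks include the
    # forest/domain preparation state that previously needed a manual adprep run
    # (adprep is executed implicitly by the first Windows Server 2012 promotion).
    $check = Test-ADDSDomainControllerInstallation @common
    $check.Message | ForEach-Object { Write-Host $_ }
    if ($check.Status -ne 'Success') {
        throw "Prerequisite validation failed on $env:COMPUTERNAME; fix the issues above first"
    }

    # Step 3: promotion. -Force suppresses the confirmation prompt; the reboot is
    # left to the operator so the promotion log can be reviewed first.
    Install-ADDSDomainController @common -Force -NoRebootOnCompletion
}
```

Because the same hashtable feeds both `Test-ADDSDomainControllerInstallation` and `Install-ADDSDomainController`, the validation run exercises exactly the parameters the promotion will use; running the test first against every server in a batch is the scriptable form of the "integrated pre-deployment validation" the slide lists.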
Simplified deployment extras
DCPROMO | Install from Media | AD FS
• Since Windows 2000, DCpromo has been intolerant of transient network failures
• Windows Server 2012 promotion employs an indefinite retry
• “indefinite” because no sufficiently meaningful set of metrics available from which to assert “sufficient progress”
• Goal of IFM is to deploy a DC more quickly
• Yet “IFM prep” in NTDSUTIL executed a mandatory offline defragmentation pass
• In Windows Server 2012, NTDSUTIL’s IFM prep enhanced, now includes an option to eliminate the defragmentation pass
• Not the default, that remains as is
• AD FS v2.0 shipped out-of-band, downloaded from http://microsoft.com
• AD FS (v2.1) ships in-the-box as a server-role with Windows Server 2012
• integrated with Windows Server 2012 Dynamic Access Control
Virtualizing domain controllers
Background | The solution! | Requirements
• common virtualization operations such as creating snapshots or copying VMs/VHDs can rollback the state of a virtual DC
• Introduces issues:
• lingering objects
• inconsistent passwords
• inconsistent attribute values
• schema mismatches if the Schema FSMO is rolled back
• security principals created with duplicate SIDs
• Windows Server 2012 virtual DCs able to detect when snapshots are applied or a VM is copied
• built on a generation identifier (VM-generation ID) that is changed when virtualization-features such as VM-snapshot are used
• Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory by discarding RID pool, resetting invocationID and re-asserting INITSYNC requirement for FSMOs
• Windows Server 2012 DCs hosted on hypervisor platform that supports VM-Generation ID
Domain controller cloning
Background | The solution! | Requirements
• Deploying virtualized replica DCs is as labor-intensive as physical DCs
• Virtualization brings capabilities that can simplify deployment
• The result & goal of promoting additional DCs within a domain is an ~identical instance (a replica) excluding name, IP address, etc.
• Manually promoting a DC using over-the-wire: can be time-consuming depending upon size of directory, install-from-media (IFM) preparation and copying adds time & complexity
• Post-deployment configuration steps where necessary
• Create replicas of virtualized DCs by cloning existing ones i.e. copy the VHD through hypervisor-specific export + import operations
• Simplify interaction & deployment-dependencies between HyperVisor and Active Directory admins
• Note that the authorization of clones remains under Enterprise/Domain Admins’ control
• A game-changer for disaster-recovery
• Requires ONLY a single Windows Server 2012 virtual DC per domain to quickly recover an entire forest
• Subsequent DCs can be rapidly deployed drastically reducing time to steady-state
• Windows Server 2012 DCs hosted on hypervisor platform that supports VM-Generation ID
Rapid deployment extra – the cloning flow
NTDS starts
Obtain current VM-GenID
If different from value in DIT
Reset InvocationID, discard RID pool
DCCloneConfig.xml available?
Dcpromo /fixclone
Parse DCCloneConfig.xml
Configure network settings
Locate PDC
Call _IDL_DRSAddCloneDC(name, site)
Check authorization
Create new DC object by duplicating source DC objects(NTDSDSA, Server, Computer instances)
Generate new DC machine account and password
Save clone state (new name, password, site)
Promote as replica (IFM)
Run (specific) sysprep providers
Reboot
Clone VM | Windows Server 2012 PDC | IDL_DRSAddCloneDC
CN=Configuration
|--CN=Sites
   |---CN=<site name>
       |---CN=Servers
           |---CN=<DC Name>
               |---CN=NTDS Settings
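The cloning flow above starts from a source DC that has been authorised and has written a DCCloneConfig.xml. The following is an added example, not the deck's own material, of the administrator-side preparation that precedes the flow, using the Windows Server 2012 Active Directory module cmdlets made for this purpose (`Get-ADDCCloningExcludedApplicationList`, `New-ADDCCloneConfigFile`). The DC names, site, and IP addresses are placeholders; reading `msDS-GenerationId` from the DC's computer object is used here as the check that the hypervisor actually exposes a VM-Generation ID.

```powershell
# Added example: prepare a Windows Server 2012 virtual DC for cloning.
Import-Module ActiveDirectory

$sourceDc = 'DC01'                     # assumption: virtual DC to be cloned
$cloneName = 'DC01-CLONE'              # assumption: name the clone will take
$domain = Get-ADDomain

# Precondition 1 (from the slides): the PDC emulator must be a Windows Server 2012 DC,
# because the clone calls IDL_DRSAddCloneDC on it to create its own DC objects.
$pdc = Get-ADDomainController -Identity $domain.PDCEmulator
if ($pdc.OperatingSystem -notlike '*2012*') {
    throw "PDC emulator $($pdc.HostName) is $($pdc.OperatingSystem); cloning needs a 2012 PDC"
}

# Precondition 2: the hypervisor must expose a VM-Generation ID. The value a DC last saw
# is stored in msDS-GenerationId on its computer object; no value means no support.
$genId = (Get-ADComputer $sourceDc -Properties 'msDS-GenerationId').'msDS-GenerationId'
if (-not $genId) { throw "$sourceDc has no msDS-GenerationId; hypervisor lacks VM-GenID support" }

# Authorisation stays with Domain/Enterprise Admins: the source DC must be a member of
# the built-in 'Cloneable Domain Controllers' group, otherwise IDL_DRSAddCloneDC refuses.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc)

Invoke-Command -ComputerName $sourceDc -ScriptBlock {
    # Every installed service/application must be known to be clone-safe. Anything not on
    # the default allow list is reported here and must be removed or, after review, added
    # to CustomDCCloneAllowList.xml (-GenerateXml writes that file for you).
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) {
        $excluded | Format-Table Name, Type -AutoSize | Out-String | Write-Host
        throw 'Unvetted applications present on the source DC; review before cloning'
    }

    # Write DCCloneConfig.xml. When the copied VM boots it sees a new VM-GenID, finds this
    # file, and runs the cloning flow (reset invocationID, discard RID pool, rename, re-promote).
    New-ADDCCloneConfigFile -CloneComputerName $using:cloneName `
        -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'
}

# Remaining steps are hypervisor-side: shut the source DC down, export/import (copy) the VM,
# start the copy. The original must not be running while its disk is being copied.
Stop-Computer -ComputerName $sourceDc
```

`New-ADDCCloneConfigFile` itself re-checks the group membership, the PDC version and the excluded-application list before writing the file, so the explicit checks above mostly serve to produce a clearer error earlier; what they do not replace is the review of any application that appears in the excluded list.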
PowerShell
Background | The solution! | Requirements
• Windows PowerShell is a key technology in creating a consistent experience between the command-line and the graphical user interface
• Windows PowerShell increases productivity but requires investment in learning how to use it
• Allow administrators to view the Windows PowerShell commands executed when using the Administrative Center, e.g. the administrator adds a user to a group
• The UI displays the equivalent Active Directory Windows PowerShell command
• Administrators can copy the resulting syntax and integrate it into their scripts
• Reduces learning-curve, increases confidence in scripting, further enhances Windows PowerShell discoverability
• Windows Server 2012 Active Directory Administrative Center
• Active Directory Web Service running on a domain controller within the target domain
Topology management
Background | The solution! | Requirements
• Administrators require a variety of tools to manage Active Directory’s site topology
• Repadmin, ntdsutil, Active Directory Sites and Services, etc.
• Results in an inconsistent experience
• Difficult to automate
• Manage replication and site-topology with Active Directory Windows PowerShell
• Create and manage sites, site-links, site-link bridges, subnets and connections
• Replicate objects between DCs
• View replication metadata on object attributes, view replication failures, etc.
• Provides a consistent and more easily scriptable experience
• Compatible and interoperable with other Windows PowerShell Cmdlets
• Active Directory Web Service (ADWS)
• or Active Directory Management Gateway (for Windows Server 2003 or 2008)
• Remote Server Administration Tools (RSAT)
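The slide lists the capabilities of the new replication and topology cmdlets without showing them. The following is an added example, not from the deck, that walks through those capabilities in the order the slide gives them: create sites, subnets and site links; query replication failures and partner metadata; read per-attribute replication metadata on an object; and force replication of a single object. Site names, subnets, DC names and the user account are placeholders.

```powershell
# Added example: replication and topology management with the Windows Server 2012 AD module.
Import-Module ActiveDirectory

# --- Topology: what used to be done in Active Directory Sites and Services ---
New-ADReplicationSite -Name 'Branch-Paris'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch-Paris' -Location 'Paris'
New-ADReplicationSiteLink -Name 'HQ-Paris' `
    -SitesIncluded 'Default-First-Site-Name', 'Branch-Paris' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# --- Health: the repadmin /replsummary view, as objects you can filter and alert on ---
$failures = Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
$failures | Sort-Object FirstFailureTime |
    Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError -AutoSize

# Partner metadata for one DC across all partitions: last success and consecutive failures
Get-ADReplicationPartnerMetadata -Target 'DC01' -Partition * |
    Select-Object Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures

# --- Object-level metadata: which DC originated a change, and when (repadmin /showobjmeta) ---
# Useful during incident response: the originating DC and time of a group-membership or
# userAccountControl change are recorded per attribute/linked value, not just the current value.
$user = Get-ADUser 'jdoe'                                  # assumption: account under review
Get-ADReplicationAttributeMetadata -Object $user -Server 'DC01' -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -in 'member', 'memberOf', 'userAccountControl', 'pwdLastSet' } |
    Select-Object AttributeName, AttributeValue, Version,
                  LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity

# --- Replicate one object now, e.g. after a password reset that must be visible everywhere ---
Sync-ADObject -Object $user -Source 'DC01' -Destination 'DC02'
```

All of these go through the Active Directory Web Service (or the management gateway on older DCs), as the requirements list states, so they work from an RSAT workstation without an RPC path to every DC; the `-Scope Forest` query fans out across DCs for you, which is what makes it the natural input for a scheduled health check.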
Active Directory-based activation
Background | The solution! | Requirements
• Volume Licensing for Windows/Office requires Key Management Service (KMS) servers, requires minimal training but:
• Requires RPC traffic on the network
• Does not support any kind of authentication, the EULA prohibits the customer from connecting the KMS server to any external network
• Use your existing Active Directory infrastructure to activate your clients
• No additional machines required, no RPC requirement, uses LDAP exclusively
• Includes RODCs!
• Beyond installation and service-specific requirements, no data written back to the directory
• Activating initial CSVLK (customer-specific volume license key) requires one-time contact with Microsoft Activation Services over the Internet (identical to retail activation)
• Repeat the activation process for additional forests up to 6 times by default
• Activation-object maintained in configuration partition
• Represents proof of purchase
• machines can be member of any domain in the forest
• Win 8 machines will automatically activate
• Only Windows 8 or Windows Server 2012 machines can leverage AD BA
• KMS and AD BA can coexist
• You still need KMS if you require downlevel volume-licensing
• Setup requires Windows 8 or Windows Server 2012 machine
• Requires Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers
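As an added example, not from the deck, the steps the slide describes (one-time online activation of the CSVLK, an activation object in the configuration partition, clients activating over LDAP) map onto the Software Licensing script `slmgr.vbs` and an LDAP query. The product key is a placeholder, the activation-object name is an assumption, and the configuration-partition search is deliberately rooted at the partition head rather than a hard-coded container path.

```powershell
# Added example: Active Directory-based activation, set-up and verification.
$slmgr = "$env:SystemRoot\System32\slmgr.vbs"
$csvlk = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'        # placeholder: the customer's CSVLK
$aoName = 'Contoso-AO-2012'                      # assumption: friendly activation-object name

# 1. One-time contact with Microsoft Activation Services, run from a Windows 8 /
#    Windows Server 2012 machine by an Enterprise Admin (forest at the 2012 schema).
cscript.exe //nologo $slmgr /ad-activation-online $csvlk $aoName

# 1b. Air-gapped variant (no Internet from this machine): get an installation ID,
#     obtain the confirmation ID by phone, then apply it.
#     cscript.exe //nologo $slmgr /ad-activation-get-iid $csvlk
#     cscript.exe //nologo $slmgr /ad-activation-apply-cid $csvlk <ConfirmationID> $aoName

# 2. Verify the activation object exists in the configuration partition. This is the
#    only state ABA keeps in the directory; clients read it over LDAP, no RPC involved.
#    (slmgr /ao-list shows the same objects; the LDAP query is what an RODC-only site sees.)
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $cfg -SearchScope Subtree `
    -Filter 'objectClass -eq "msSPP-ActivationObject"' -Properties * |
    Format-List Name, DistinguishedName, whenCreated, msSPP*

# 3. Client side (any Windows 8 / 2012 member of any domain in the forest):
#    activation happens on the next licensing refresh; force it and confirm the type.
cscript.exe //nologo $slmgr /ato
cscript.exe //nologo $slmgr /dlv        # look for "AD Activation" as the activation type
```

Because down-level clients never consult the activation object, a mixed estate keeps KMS alongside this; auditing the `msSPP-ActivationObject` entries (creation, deletion, and who holds rights on the container) is the directory-side control that replaces the network exposure of a KMS host.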
Simplified Management extra – gMSA
Background | The solution! | Requirements
• Managed Service Accounts (MSAs) introduced with Windows Server 2008 R2
• Clustered or load-balanced services that needed to share a single security-principal were unsupported
• MSAs not able to be used in many desirable scenarios
• Introduce new security principal type known as a gMSA
• Services running on multiple hosts can run under the same gMSA account
• 1 or more Windows Server 2012 DCs required
• gMSAs can authenticate against any OS-version DC
• Passwords computed by Group Key Distribution Service (GKDS) running on all Windows Server 2012 DCs
• Windows Server 2012 hosts using gMSAs obtain password and password-updates from GKDS
• Password retrieval limited to authorized computers
• Password-change interval defined at gMSA account creation (30 days by default)
• Like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools
• Support for scheduled tasks is being investigated
• Windows Server 2012 Active Directory schema updated in forests containing gMSAs
• 1 or more Windows Server 2012 DCs to provide password computation and retrieval
• Only services running on Windows 8 or Windows Server 2012 can use gMSAs
• Windows Server 2012 Active Directory Module for Windows PowerShell to create gMSA accounts
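The slide explains the gMSA mechanics (GKDS computes the password, authorised hosts retrieve it, rotation interval fixed at creation) and lists the requirements. The following is an added example, not from the deck, of creating and installing one for a load-balanced web tier. Host names, the group name and the DNS name are placeholders; the only real prerequisite it adds to the slide's list is the KDS root key, which the Group Key Distribution Service needs before any gMSA password can be computed.

```powershell
# Added example: a group managed service account shared by a web farm.
Import-Module ActiveDirectory

# 1. Once per forest: the KDS root key GKDS derives gMSA passwords from. It is usable
#    10 hours after its effective time so every Windows Server 2012 DC has replicated it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date) | Out-Null
}

# 2. Authorised hosts are expressed as a group, so the set can be reviewed and audited
#    like any other membership rather than hidden in an ACL on the account.
$hosts = New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -PassThru
Add-ADGroupMember -Identity $hosts -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# 3. The gMSA. Rotation every 30 days (the default) is done by GKDS; no human ever knows
#    the password, so there is nothing to store in a vault or leave in a script.
New-ADServiceAccount -Name 'svc-webfarm' `
    -DNSHostName 'webfarm.corp.example.test' `
    -ServicePrincipalNames 'HTTP/webfarm.corp.example.test' `
    -PrincipalsAllowedToRetrieveManagedPassword $hosts `
    -ManagedPasswordIntervalInDays 30

# 4. On each host (Windows 8 / Windows Server 2012 only): cache the account locally and
#    confirm this host is allowed to fetch the password. Test-ADServiceAccount returns $false
#    when the host is not in the authorised set or the KDS key is not yet effective.
Invoke-Command -ComputerName 'WEB01', 'WEB02' -ScriptBlock {
    Install-ADServiceAccount -Identity 'svc-webfarm'
    [pscustomobject]@{ Host = $env:COMPUTERNAME; CanRetrieve = (Test-ADServiceAccount -Identity 'svc-webfarm') }
}

# 5. Review the two properties that matter for least privilege: who may retrieve the
#    password and how often it changes (interval is stored in msDS-ManagedPasswordInterval).
Get-ADServiceAccount -Identity 'svc-webfarm' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval' |
    Format-List Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval'

# 6. Consumers supported per the slide: the Service Control Manager and IIS application pools.
#    A Windows service is pointed at the account with the trailing '$' and an empty password:
#    sc.exe config MyWebSvc obj= "CORP\svc-webfarm$" password= ""
```

The lead-in's point about the group is the practical security win: with the password retrieval limited to `WebFarm-Hosts`, adding a host to the farm is a membership change that shows up in directory audit logs, and a host that is decommissioned loses the ability to obtain the password at the next rotation simply by being removed.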
Simplified Management extras
Offline Domain Join | Recycle Bin UI | Fine-grained passwords
• Extends offline domain-join by allowing the blob to accommodate Direct Access prerequisites – Certs, GPOs
• What does this mean? A computer can now be domain-joined over the Internet if the domain is Direct Access enabled
• Getting the blob to the non-domain-joined machine is an offline process and the responsibility of the admin
• The Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery
• Scenarios requiring object recovery via the Recycle Bin are typically high-priority
• Recovery from accidental deletions, etc. resulting in failed logons / work-stoppages
• The absence of a rich, graphical interface complicated its usage and slowed recovery
• Solution
• Simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center
• Deleted objects can now be recovered within the graphical user interface
• The Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password-policies
• In order to leverage the feature, administrators had to manually create password-settings objects (PSOs)
• It proved difficult to ensure that the manually defined policy-values behaved as desired
• Resulted in time-consuming, trial and error administration
• Solution
• Creating, editing and assigning PSOs now managed through the Active Directory Administrative Center
• Greatly simplifies management of password-settings objects
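The three extras on this slide (extended offline domain join, graphical Recycle Bin, graphical fine-grained password policies) all sit on top of cmdlets and tools that work the same way from a script. The following is an added example, not from the deck, showing each: the `djoin.exe` options that carry the DirectAccess prerequisites in the blob, the Recycle Bin query and restore that the Deleted Objects node performs, and the PSO creation plus the resultant-policy check that the slide says was hard to verify by hand. Domain, machine, policy, template and account names are placeholders.

```powershell
# Added example: offline domain join blob, Recycle Bin recovery, fine-grained password policy.
Import-Module ActiveDirectory

# --- Offline domain join with DirectAccess prerequisites (Windows 8 / 2012 djoin.exe) ---
# /policynames, /rootcacerts and /certtemplate put the DirectAccess GPO, the root CA
# chain and a certificate request into the blob, so the client can reach the domain over
# the Internet once the blob is applied. Delivering the blob to the client stays out of band.
djoin.exe /provision /domain corp.example.test /machine LAPTOP42 `
    /policynames 'DirectAccess Client Settings' /rootcacerts /certtemplate 'DA-ClientAuth' `
    /savefile C:\odj\LAPTOP42.txt
# On the client, before its first boot into the domain:
#   djoin.exe /requestodj /loadfile C:\odj\LAPTOP42.txt /windowspath %SystemRoot% /localos

# --- Recycle Bin: find what was deleted, then restore it to its last known parent ---
# Enabling the feature is a one-time, irreversible forest operation:
#   Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and name -like "*jdoe*"' `
    -Properties lastKnownParent, whenChanged, objectSid
$deleted | Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize
# Restore-ADObject brings the object back with its original SID and attributes, which is
# why a Recycle Bin restore (unlike re-creating the account) does not break ACLs that name it.
$deleted | Where-Object { $_.ObjectClass -eq 'user' } | Restore-ADObject

# --- Fine-grained password policy: stricter settings for privileged accounts ---
New-ADFineGrainedPasswordPolicy -Name 'Tier0-Admins' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Tier0-Admins' -Subjects 'Domain Admins'

# The check that used to be trial and error: which policy actually wins for a given user.
# Lowest Precedence wins when several PSOs apply; an empty result means the domain default applies.
Get-ADUserResultantPasswordPolicy -Identity 'adm-jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Running `Get-ADUserResultantPasswordPolicy` for a sample of accounts after each PSO change is the scripted equivalent of what the Administrative Center now shows in the UI, and it catches the common mistake of two PSOs with the same precedence applying to overlapping groups.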
Simplified Management – Security extras
Flexible Authentication Secure Tunneling (FAST) | Kerberos Constrained Delegation (KCD)
• Offline dictionary attack against password-based logons possible
• Relatively well-known concern around Kerberos errors being spoofed
• Clients may:
• Fallback to less-secure legacy protocols
• Weaken their cryptographic key strength and/or ciphers
• Solution
• Kerberos in Windows Server 2012 supports Flexible Authentication Secure Tunneling (FAST)
• Defined by RFC 6113
• Sometimes referred to as Kerberos armoring
• Provides a protected channel between a domain-joined client and DC
• Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003
• KCD permits a service’s account (front-end) to act on the behalf of users in multi-tier applications for a limited set of back-end services, e.g.
• User accesses web site as user1
• User requests information from web site (front-end) that requires the web server to query a SQL database (back-end)
• Access to this data is authorized according to who accessed the front-end
• In this case, the web service must impersonate user1 when making the request to SQL
• Front-end configured with the services (by SPN) to which it can impersonate users
• Setup/administration requires Domain Admin privileges
• KCD delegation only works for back-end services in the same domain as the front-end service-accounts
• KCD in Windows Server 2012 moves the authorization decision to the resource-owners
• Permits back-end to authorize which front-end service-accounts can impersonate users against their resources
• Supports cross-domain, cross-forest scenarios
• No longer requires Domain Admin privileges
• Requires only administrative permission to the back-end service-account
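The KCD column describes the shift from configuring delegation on the front-end account (Domain Admin required, same-domain only) to authorising it on the back-end account. The following is an added example, not from the deck, that shows both forms side by side for the web-front-end / SQL-back-end scenario the slide uses, using the `PrincipalsAllowedToDelegateToAccount` parameter the 2012 AD module exposes for this. Account and host names are placeholders.

```powershell
# Added example: classic vs. resource-based Kerberos constrained delegation.
Import-Module ActiveDirectory

# Classic (Windows Server 2003) KCD, shown for contrast only: configured on the FRONT-END
# account as a list of back-end SPNs in msDS-AllowedToDelegateTo. Writing that attribute
# requires the "Enable computer and user accounts to be trusted for delegation" right,
# which by default only Domain Admins hold, and the back end must be in the same domain.
#   Set-ADComputer -Identity 'WEB01' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.example.test:1433' }

# Windows Server 2012 resource-based KCD: configured on the BACK-END (resource) account by
# whoever administers that account. The front end can be a computer, user or gMSA, and can
# live in another domain or forest (the setting stores its SID, resolved via the trust).
$frontEnd = Get-ADServiceAccount -Identity 'svc-webfarm'          # assumption: gMSA running the web tier
# Cross-forest variant: $frontEnd = Get-ADComputer -Identity 'WEB01' -Server 'dc01.partner.example.test'

Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount $frontEnd

# Review: the resolved contents of msDS-AllowedToActOnBehalfOfOtherIdentity on the back end.
# This is the attribute to monitor: any principal listed here can obtain service tickets to
# SQL01 on behalf of arbitrary users, so an unexpected entry is a finding, not a config drift.
Get-ADComputer -Identity 'SQL01' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# Decommissioning the front end: clear the list rather than leaving a stale authorisation.
#   Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount $null
```

Moving the decision to the resource owner is what makes the cross-domain case work, but it also moves the thing worth auditing: instead of a single well-known right held by Domain Admins, each back-end account now carries its own delegation list, so a periodic enumeration of accounts whose `PrincipalsAllowedToDelegateToAccount` is non-empty belongs in the same review as group membership.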
Dynamic Access Control
Background | The solution! | Requirements
• Today, it’s difficult to translate business-intent using existing authorization model
• No central administration capabilities
• Existing expression language makes it hard or impossible to fully express requirements
• Increasing regulatory and business requirements around compliance demand a different approach
• New central access policies (CAP) model
• New claims-based authorization platform enhances, not replaces, existing model
• User-claims and device-claims
• User+device claims = compound identity
• Includes traditional group memberships too
• Use of file-classification information in authorization decisions
• Modern authorization expressions, e.g.
• Evaluation of ANDed authorization conditions
• Leveraging classification and resource properties in ACLs
• Easier Access-Denied remediation experience
• Access- and audit-policies can be defined flexibly and simply, e.g.
• IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor
• Windows Server 2012 File Servers
• At least one Windows Server Domain Controller
• Windows 8 or Windows Server 2012 for device claims
Kerberos in ADFS
Background | The Solution!
• AD FS v2.0 is able to generate user-claims directly from NTtokens
• Also capable of further expanding claims based on attributes in Active Directory and other attribute stores
• In Windows Server 2012, we know that Kerberos tickets can also contain claims
• But AD FS 2.0 can’t read claims from Kerberos tickets
• Forced to make additional LDAP calls to Active Directory to source user-attribute claims
• Cannot leverage device-attribute claims at all
• Solution
• AD FS (v2.1) in Windows Server 2012 now able to populate SAML tokens with user- and device-claims taken directly from the Kerberos ticket
• Requirements
• DAC enabled and configured
• Compound ID must be switched on for the AD FS service account
• Windows Server 2012 AD FS (v2.1)
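The Dynamic Access Control slide gives the policy in words (a resource classified high, a user whose EmployeeType is vendor) and the Kerberos-in-AD FS slide lists compound identity on the AD FS service account as a requirement. The following is an added example, not from the deck, that builds the directory side of that policy with the 2012 AD module: a user claim type sourced from `employeeType`, a secured resource property for Confidentiality, a central access rule that transposes the slide's condition into an access decision (the audit variant is configured through Global Object Access Auditing in Group Policy and is not shown), the central access policy that file servers receive, and finally the compound-identity switch for the AD FS service account. The claim-type ID, resource-property ID, policy names and the service account are assumptions chosen so that the ACE expression can refer to them.

```powershell
# Added example: DAC claim, resource property, central access rule and policy,
# plus compound identity for the AD FS (v2.1) service account.
Import-Module ActiveDirectory

# 1. User claim sourced from the employeeType attribute. -ID is fixed so the conditional
#    ACE below can reference it; without -ID the cmdlet appends a random suffix.
New-ADClaimType -DisplayName 'EmployeeType' -SourceAttribute 'employeeType' `
    -ID 'ad://ext/EmployeeType' -Enabled $true

# 2. Secured resource property that File Classification Infrastructure stamps on folders.
$values = 'Low', 'High' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "Confidentiality $_")
}
New-ADResourceProperty -DisplayName 'Confidentiality' -ID 'Confidentiality_Demo' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $values
# File servers only download properties that are on a resource property list.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Confidentiality_Demo'

# 3. Central access rule. The resource condition scopes it to High-classified data; the
#    conditional ACE (XA = callback access-allowed) grants read/execute to Authenticated
#    Users only when the user's EmployeeType claim is not "vendor". Owner and Builtin
#    Administrators keep full control, as in the default template.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/EmployeeType != "vendor"))'
New-ADCentralAccessRule -Name 'Confidential data - no vendor access' `
    -ResourceCondition '(@RESOURCE.Confidentiality_Demo == "High")' `
    -CurrentAcl $acl

# 4. Central access policy bundling the rule; it is then published to the Windows Server
#    2012 file servers through Group Policy and applied to shares in their folder properties.
New-ADCentralAccessPolicy -Name 'Confidential data policy'
Add-ADCentralAccessPolicyMember -Identity 'Confidential data policy' -Members 'Confidential data - no vendor access'

# 5. Kerberos in AD FS: the AD FS service account must request compound identity so its
#    service tickets carry user and device claims for AD FS to copy into SAML tokens.
Set-ADUser -Identity 'svc-adfs' -CompoundIdentitySupported $true          # assumption: AD FS service account

# Review what was created; these are the objects whose changes a defender should watch,
# since editing a rule's ACL or condition changes access on every server using the policy.
Get-ADCentralAccessRule -Filter * | Select-Object Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
```

The conditional ACE is the concrete form of the "modern authorization expressions" bullet: the existing DACL model is kept (the rule is still an SDDL string with allow ACEs), and claims enter only through the condition on the `XA` entry, which is why the slide can say the claims platform enhances rather than replaces the existing model.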
Summary of minimum requirements
With this deployed … | You get …
First Windows Server 2012 domain-member (or Windows 8 with RSAT installed)
• New Active Directory Administrative Center, Windows PowerShell History Viewer, Graphical Recycle Bin and FGPP management
• Richer authorization through DAC & FCI
• Active Directory-based Activation (Requires Windows Server 2012 schema extensions)
• Active Directory Replication & Topology Cmdlets
• AD FS (v2.1)
First Windows Server 2012 DC
• Simplified Deployment and Preparation
• Dynamic Access Control policies & claims, Kerberos Claims in AD FS (v2.1)
• Cross-domain Kerberos Constrained Delegation
• Group Managed Service Accounts
• Virtualization-Safe for the Windows Server 2012 DC (requires Hypervisor support for VM-Gen-ID)
Windows Server 2012 DC holds PDC FSMO role
• Rapid virtual DC deployment through DC-cloning (requires Hypervisor support for VM-Gen-ID)
Evaluation
Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com. Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.
We want to hear from you!
Resources
http://channel9.msdn.com/Events
Access MMS Online to view session recordings after the event.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.