
The Benefits and Reasons for Upgrading to Windows Server 2012 Active Directory

Adam Hall
Raymond Chou

AI-B301

Topics

• Investment areas in Windows Server 2012 Active Directory
• Simplify and enhance the deployment process
• Increase robustness on virtualization platforms
• Enhance management capabilities
• Accommodate business-driven security requirements

A quick note: There is a lot of information in this session, too much in fact! Slides are heavy and designed for you to review. We’ll break it up with demo

Investment Areas

High-level areas of investment

Simplify and enhance the deployment process

Increase robustness on virtualization platforms

Enhance management capabilities

Accommodate business-driven security requirements

Simplify Deployment of Active Directory

Simplify Management of Active Directory

Virtualization That Just Works

Our broad goals

• All Active Directory features work equally well in physical, virtual or mixed environments

• Integration of environment prep, role install and DC promo into a single UI

• DCs can be deployed rapidly to ease disaster recovery and workload balancing

• DCs can be deployed remotely on multiple machines from a single machine

• Consistent command-line experience through Windows PowerShell

• Interfaces that simplify complex tasks

• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI

• Active Directory Windows PowerShell support for managing replication and topology data

• Simplify delegation and management of service accounts

New features and enhancements

Simplified Deployment

Virtualization-Safe Technology

Rapid Deployment

Active Directory Platform Changes

Recycle Bin User Interface

Active Directory PowerShell History Viewer User Interface

Fine-Grained Password Policy User Interface

Active Directory Replication & Topology Cmdlets

Dynamic Access Control

Active Directory Based Activation

Kerberos Enhancements

Group Managed Service Accounts

Deployment Management

Simplified Deployment

Simplified deployment

Background
• adding DCs running newer versions of the Windows Server operating system has proven to be:
  • time consuming
  • error-prone
  • complex

In the past …
• obtain the correct (new) version of the ADprep tools
• interactively logon at specific per-domain DCs using a variety of different credentials
• run the preparation tool in the correct sequence with the correct switches
• wait for replication convergence between each step

The solution!
• integrate preparation steps into the promotion process
• automate the pre-requisites between each of them
• validate environment-wide pre-requisites before beginning deployment
• integrated with Server Manager and be remoteable
• built on Windows PowerShell for command-line and UI consistency
• configuration wizard aligns to the most common deployment scenarios

Deployment wizard features

• Integrated pre-deployment validation
• Prerequisite validation
• Simplified configuration pages
• Remote execution against multiple servers
• Windows PowerShell script export option
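The command-line form of the wizard, as an added example that is not the deck's own code. It assumes the ADDSDeployment module on Windows Server 2012 and placeholder names (domain corp.example, existing DC dc01.corp.example, site HQ, IFM folder D:\IFM).

```powershell
# Added example, not from the deck. Placeholders: domain corp.example,
# existing DC dc01.corp.example, site HQ, install-from-media folder D:\IFM.
Import-Module ADDSDeployment

$cred = Get-Credential 'CORP\Administrator'
$dsrm = Read-Host -AsSecureString 'DSRM (safe mode) password'

# 1. Prerequisite validation only: the same environment-wide checks the wizard
#    runs (forest/domain prep state, DNS, permissions, replication source)
#    without changing anything. Review Status/Message before continuing.
Test-ADDSDomainControllerInstallation -DomainName 'corp.example' -Credential $cred `
    -SiteName 'HQ' -InstallDns -ReplicationSourceDC 'dc01.corp.example' `
    -InstallationMediaPath 'D:\IFM' -SafeModeAdministratorPassword $dsrm |
    Select-Object Status, Message

# 2. Promotion. Forest and domain preparation (the old adprep steps) are run
#    by the cmdlet itself when the environment has not been prepared yet;
#    -InstallationMediaPath replicates from IFM media instead of over the wire.
Install-ADDSDomainController -DomainName 'corp.example' -Credential $cred `
    -SiteName 'HQ' -InstallDns -ReplicationSourceDC 'dc01.corp.example' `
    -InstallationMediaPath 'D:\IFM' -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion -Force

# 3. The same call can be pushed to several servers from one console with
#    Invoke-Command -ComputerName DC02, DC03 -ScriptBlock { ... } once
#    Install-WindowsFeature AD-Domain-Services has run on each target.
```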

Demo: Simplified Deployment

Raymond Chou

Simplified deployment extras

Install from Media
• Goal of IFM is to deploy a DC more quickly
• Yet “IFM prep” in NTDSUTIL executed a mandatory offline defragmentation pass
• In Windows Server 2012, NTDSUTIL’s IFM prep enhanced, now includes an option to eliminate the defragmentation pass
• Not the default, that remains as is

AD FS
• AD FS v2.0 shipped out-of-band, downloaded from http://microsoft.com
• AD FS (v2.1) ships in-the-box as a server-role with Windows Server 2012
• integrated with Windows Server 2012 Dynamic Access Control

DCPROMO
• Since Windows 2000, DCpromo has been intolerant of transient network failures
• Windows Server 2012 promotion employs an indefinite retry
• “indefinite” because no sufficiently meaningful set of metrics available from which to assert “sufficient progress”

Virtualization

Virtualizing domain controllers

Background
• common virtualization operations such as creating snapshots or copying VMs/VHDs can rollback the state of a virtual DC
• Introduces issues:
  • lingering objects
  • inconsistent passwords
  • inconsistent attribute values
  • schema mismatches if the Schema FSMO is rolled back
  • security principals created with duplicate SIDs

The solution!
• Windows Server 2012 virtual DCs able to detect when snapshots are applied or a VM is copied
• built on a generation identifier (VM-generation ID) that is changed when virtualization-features such as VM-snapshot are used
• Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory by discarding RID pool, resetting invocationID and re-asserting INITSYNC requirement for FSMOs

Requirements
• Windows Server 2012 DCs hosted on hypervisor platform that supports VM-Generation ID

Domain controller cloning

Background
• Deploying virtualized replica DCs is as labor-intensive as physical DCs
• Virtualization brings capabilities that can simplify deployment
• The result & goal of promoting additional DCs within a domain is an ~identical instance (a replica) excluding name, IP address, etc.
• Manually promoting a DC using over-the-wire: can be time-consuming depending upon size of directory, install-from-media (IFM) preparation and copying adds time & complexity
• Post-deployment configuration steps where necessary

The solution!
• Create replicas of virtualized DCs by cloning existing ones i.e. copy the VHD through hypervisor-specific export + import operations
• Simplify interaction & deployment-dependencies between HyperVisor and Active Directory admins
• Note that the authorization of clones remains under Enterprise/Domain Admins’ control
• A game-changer for disaster-recovery
• Requires ONLY a single Windows Server 2012 virtual DC per domain to quickly recover an entire forest
• Subsequent DCs can be rapidly deployed drastically reducing time to steady-state

Requirements
• Windows Server 2012 DCs hosted on hypervisor platform that supports VM-Generation ID

Demo: Virtualizing Domain Controllers

Raymond Chou

Rapid deployment extra – the cloning flow

On the clone VM:
• NTDS starts
• Obtain current VM-GenID
• If different from value in DIT: reset InvocationID, discard RID pool
• DCCloneConfig.xml available? If so, run Dcpromo /fixclone
• Parse DCCloneConfig.xml
• Configure network settings
• Locate PDC
• Call IDL_DRSAddCloneDC(name, site)

On the Windows Server 2012 PDC (IDL_DRSAddCloneDC):
• Check authorization
• Create new DC object by duplicating source DC objects (NTDSDSA, Server, Computer instances)
• Generate new DC machine account and password

Back on the clone VM:
• Save clone state (new name, password, site)
• Promote as replica (IFM)
• Run (specific) sysprep providers
• Reboot

Objects created for the clone in the configuration partition:

CN=Configuration
|--CN=Sites
   |---CN=<site name>
       |---CN=Servers
           |---CN=<DC Name>
               |---CN=NTDS Settings
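The preparation steps that feed the cloning flow above and the "Domain controller cloning" slide, as an added example (not the deck's or Microsoft's code). It assumes the Windows Server 2012 ActiveDirectory module and placeholder names (source DC DC01, clone DC02, site HQ, 10.0.0.x addresses).

```powershell
# Added example, not from the deck. Placeholders: source DC DC01 in site HQ,
# clone DC02, 10.0.0.x addresses. Run on the source DC as a Domain Admin.
Import-Module ActiveDirectory

$sourceDc  = 'DC01'
$cloneName = 'DC02'
$siteName  = 'HQ'

# 1. Authorization: the PDC's IDL_DRSAddCloneDC check only accepts clones whose
#    source DC is a member of this group, which stays under Domain Admin control.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members "$sourceDc$"

# 2. Inventory: programs/services on this DC that are not known to be safe to
#    clone. Each must be removed or explicitly allow-listed before the clone
#    is accepted; nothing here means the DC is clean from cloning's point of view.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning 'Review and remove or allow-list these before cloning:'
    $excluded | Format-Table -AutoSize
}

# 3. Pre-checks plus config file: verifies the PDC runs Windows Server 2012 and
#    that this DC is authorized, then writes DCCloneConfig.xml into the DIT
#    folder. Its presence on first boot of the copied VM is what selects the
#    cloning path instead of a normal start.
New-ADDCCloneConfigFile -CloneComputerName $cloneName `
                        -SiteName $siteName `
                        -Static `
                        -IPv4Address '10.0.0.12' `
                        -IPv4SubnetMask '255.255.255.0' `
                        -IPv4DefaultGateway '10.0.0.1' `
                        -IPv4DNSResolver '10.0.0.11'

# Next: shut DC01 down, export/import the VM in the hypervisor and start the
# copy. The changed VM-GenID triggers the RID-pool/InvocationID safeguards and
# the clone contacts the PDC for its new identity.
```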

Simplified Management

PowerShell

Background
• Windows PowerShell is a key technology in creating a consistent experience between the command-line and the graphical user interface
• Windows PowerShell increases productivity but requires investment in learning how to use it

The solution!
• Allow administrators to view the Windows PowerShell commands executed when using the Administrative Center, e.g. the administrator adds a user to a group
• The UI displays the equivalent Active Directory Windows PowerShell command
• Administrators can copy the resulting syntax and integrate it into their scripts
• Reduces learning-curve, increases confidence in scripting, further enhances Windows PowerShell discoverability

Requirements
• Windows Server 2012 Active Directory Administrative Center
• Active Directory Web Service running on a domain controller within the target domain

Topology management

Background
• Administrators require a variety of tools to manage Active Directory’s site topology
  • Repadmin, ntdsutil, Active Directory Sites and Services, etc.
• Results in an inconsistent experience
• Difficult to automate

The solution!
• Manage replication and site-topology with Active Directory Windows PowerShell
  • Create and manage sites, site-links, site-link bridges, subnets and connections
  • Replicate objects between DCs
  • View replication metadata on object attributes, view replication failures, etc.
• Provides a consistent and more easily scriptable experience
• Compatible and interoperable with other Windows PowerShell Cmdlets

Requirements
• Active Directory Web Service (ADWS)
  • or Active Directory Management Gateway (for Windows Server 2003 or 2008)
• Remote Server Administration Tools (RSAT)
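A replication-health sweep built on the Windows Server 2012 replication cmdlets, as an added example (not the deck's code). It assumes RSAT with ADWS reachable, at least two DCs, and placeholder DNs under DC=corp,DC=example.

```powershell
# Added example, not from the deck. Assumes RSAT + ADWS and >= 2 DCs;
# the DNs below are placeholders.
Import-Module ActiveDirectory

# Every DC in the forest, discovered through the cmdlets rather than repadmin
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Outstanding replication failures, collected per DC
$failures = foreach ($dc in $dcs) {
    Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue
}
$failures |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 2. Inbound partner metadata for all partitions: flag links that have not
#    replicated successfully in the last hour (tune to your site-link schedule)
$stale = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -Partition * -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1) } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      ConsecutiveReplicationFailures
}
$stale | Format-Table -AutoSize

# 3. Per-attribute metadata answers "who changed this, when and on which DC":
#    here the membership of a sensitive group, for change investigation
Get-ADReplicationAttributeMetadata -Object 'CN=Domain Admins,CN=Users,DC=corp,DC=example' `
    -Server $dcs[0] -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    Select-Object AttributeValue, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize

# 4. Push one urgent object (e.g. after a password reset) to a chosen partner
#    instead of waiting for the next scheduled replication cycle
Sync-ADObject -Object 'CN=svc-web,CN=Users,DC=corp,DC=example' `
    -Source $dcs[0] -Destination $dcs[1]
```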

Demo: Managing Active Directory with PowerShell

Raymond Chou

Active Directory-based activation

Background
• Volume Licensing for Windows/Office requires Key Management Service (KMS) servers, requires minimal training but:
  • Requires RPC traffic on the network
  • Does not support any kind of authentication, the EULA prohibits the customer from connecting the KMS server to any external network

The solution!
• Use your existing Active Directory infrastructure to activate your clients
• No additional machines required, no RPC requirement, uses LDAP exclusively
• Includes RODCs!
• Beyond installation and service-specific requirements, no data written back to the directory
• Activating initial CSVLK (customer-specific volume license key) requires one-time contact with Microsoft Activation Services over the Internet (identical to retail activation)
• Repeat the activation process for additional forests up to 6 times by default
• Activation-object maintained in configuration partition
  • Represents proof of purchase
  • machines can be member of any domain in the forest
  • Win 8 machines will automatically activate

Requirements
• Only Windows 8 or Windows Server 2012 machines can leverage AD BA
• KMS and AD BA can coexist
• You still need KMS if you require downlevel volume-licensing
• Setup requires Windows 8 or Windows Server 2012 machine
• Requires Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers

Simplified Management extra – gMSA

Background
• Managed Service Accounts (MSAs) introduced with Windows Server 2008 R2
• Clustered or load-balanced services that needed to share a single security-principal were unsupported
• MSAs not able to be used in many desirable scenarios

The solution!
• Introduce new security principal type known as a gMSA
• Services running on multiple hosts can run under the same gMSA account
• 1 or more Windows Server 2012 DCs required
• gMSAs can authenticate against any OS-version DC
• Passwords computed by Group Key Distribution Service (GKDS) running on all Windows Server 2012 DCs
• Windows Server 2012 hosts using gMSAs obtain password and password-updates from GKDS
• Password retrieval limited to authorized computers
• Password-change interval defined at gMSA account creation (30 days by default)
• Like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools
• Support for scheduled tasks is being investigated

Requirements
• Windows Server 2012 Active Directory schema updated in forests containing gMSAs
• 1 or more Windows Server 2012 DCs to provide password computation and retrieval
• Only services running on Windows 8 or Windows Server 2012 can use gMSAs
• Windows Server 2012 Active Directory Module for Windows PowerShell to create gMSA accounts
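Creating and rolling out a gMSA end to end, as an added example that is not the deck's code. It assumes the Windows Server 2012 ActiveDirectory and Kds modules and placeholder names (domain corp.example, hosts WEB01/WEB02, gMSA svc-web, group WebFarm-Hosts).

```powershell
# Added example, not from the deck. Placeholders: domain corp.example,
# service hosts WEB01/WEB02, gMSA svc-web, host group WebFarm-Hosts.
Import-Module ActiveDirectory

# 1. Once per forest: the KDS root key from which GKDS derives every gMSA
#    password. After Add-KdsRootKey the key becomes usable only once it has
#    replicated to all Windows Server 2012 DCs (about 10 hours); backdating
#    -EffectiveTime skips that wait and is for single-DC labs only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab only
}

# 2. Authorization boundary: only members of this group may retrieve the
#    password from GKDS. Keep it to the hosts that actually run the service.
New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WebFarm-Hosts' -Members 'WEB01$', 'WEB02$'

# 3. The gMSA. The password-change interval cannot be changed afterwards, so
#    decide it here; SPNs and AES-only Kerberos are set at the same time.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarm-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/webfarm.corp.example' `
    -KerberosEncryptionType AES128, AES256

# 4. On each host (after a reboot, so the new group membership is in the
#    machine token): register the account locally and prove it can fetch
#    the password from GKDS. The service then runs as CORP\svc-web$ with no
#    password typed anywhere.
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'      # True when retrieval works

# 5. Review for defenders: who is permitted to read this managed password?
Get-ADServiceAccount -Identity 'svc-web' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object -ExpandProperty PrincipalsAllowedToRetrieveManagedPassword
```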

Simplified Management extras

Offline Domain Join
• Extends offline domain-join by allowing the blob to accommodate Direct Access prerequisites – Certs, GPOs
• What does this mean? A computer can now be domain-joined over the Internet if the domain is Direct Access enabled
• Getting the blob to the non-domain-joined machine is an offline process and the responsibility of the admin

Recycle Bin UI
• The Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery
• Scenarios requiring object recovery via the Recycle Bin are typically high-priority
  • Recovery from accidental deletions, etc. resulting in failed logons / work-stoppages
• The absence of a rich, graphical interface complicated its usage and slowed recovery
• Solution
  • Simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center
  • Deleted objects can now be recovered within the graphical user interface

Fine-grained passwords
• The Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password-policies
• In order to leverage the feature, administrators had to manually create password-settings objects (PSOs)
• It proved difficult to ensure that the manually defined policy-values behaved as desired
  • Resulted in time-consuming, trial and error administration
• Solution
  • Creating, editing and assigning PSOs now managed through the Active Directory Administrative Center
  • Greatly simplifies management of password-settings objects

Demo: Offline Domain Join

Raymond Chou

Simplified Management – Security extras

Flexible Authentication Secure Tunneling (FAST)
• Offline dictionary attack against password-based logons possible
• Relatively well-known concern around Kerberos errors being spoofed
• Clients may:
  • Fallback to less-secure legacy protocols
  • Weaken their cryptographic key strength and/or ciphers
• Solution
  • Kerberos in Windows Server 2012 supports Flexible Authentication Secure Tunneling (FAST)
  • Defined by RFC 6113
  • Sometimes referred to as Kerberos armoring
  • Provides a protected channel between a domain-joined client and DC

Kerberos Constrained Delegation (KCD)
• Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003
• KCD permits a service’s account (front-end) to act on the behalf of users in multi-tier applications for a limited set of back-end services, e.g.
  • User accesses web site as user1
  • User requests information from web site (front-end) that requires the web server to query a SQL database (back-end)
  • Access to this data is authorized according to who accessed the front-end
  • In this case, the web service must impersonate user1 when making the request to SQL
• Front-end configured with the services (by SPN) to which it can impersonate users
• Setup/administration requires Domain Admin privileges
• KCD delegation only works for back-end services in the same domain as the front-end service-accounts
• KCD in Windows Server 2012 moves the authorization decision to the resource-owners
  • Permits back-end to authorize which front-end service-accounts can impersonate users against their resources
  • Supports cross-domain, cross-forest scenarios
  • No longer requires Domain Admin privileges
  • Requires only administrative permission to the back-end service-account
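The Windows Server 2012 form of KCD configured from the back-end side, as an added example (not the deck's code). It assumes the Windows Server 2012 ActiveDirectory module and placeholders: front-end gMSA svc-web in corp.example, back-end computer SQL01 in a second domain data.example.

```powershell
# Added example, not from the deck. Placeholders: front-end service account
# svc-web (corp.example), back-end SQL server SQL01 (data.example).
Import-Module ActiveDirectory

$frontEnd = Get-ADServiceAccount -Identity 'svc-web' -Server 'corp.example'
$backEnd  = Get-ADComputer      -Identity 'SQL01'   -Server 'data.example'

# 1. Resource-based KCD: the trust is written on the BACK-END object
#    (msDS-AllowedToActOnBehalfOfOtherIdentity). Only write access to SQL01's
#    account is needed, and the front-end may live in another domain/forest.
Set-ADComputer -Identity $backEnd -Server 'data.example' `
    -PrincipalsAllowedToDelegateToAccount $frontEnd

# 2. Review: every computer-account back-end in data.example that lets some
#    front-end impersonate users to it. Worth auditing regularly, because
#    each entry lets one service account act as any user toward that resource.
Get-ADComputer -Server 'data.example' `
    -Filter 'msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"' `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, @{ n = 'TrustedFrontEnds'
                           e = { $_.PrincipalsAllowedToDelegateToAccount -join ';' } }

# 3. Contrast: classic KCD (Windows Server 2003 style) is written on the
#    FRONT-END as a list of back-end SPNs, works only within one domain and,
#    as the slide notes, needs Domain Admin privileges to administer:
#    Set-ADServiceAccount -Identity 'svc-web' `
#        -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.example:1433' }

# 4. Revoke when the application is retired; the resource owner can do this
#    without involving the front-end's domain at all.
Set-ADComputer -Identity $backEnd -Server 'data.example' `
    -PrincipalsAllowedToDelegateToAccount $null
```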

Leveraging to protect information

Dynamic Access Control

Background
• Today, it’s difficult to translate business-intent using existing authorization model
• No central administration capabilities
• Existing expression language makes it hard or impossible to fully express requirements
• Increasing regulatory and business requirements around compliance demand a different approach

The solution!
• New central access policies (CAP) model
• New claims-based authorization platform enhances, not replaces, existing model
  • User-claims and device-claims
  • User+device claims = compound identity
  • Includes traditional group memberships too
• Use of file-classification information in authorization decisions
• Modern authorization expressions, e.g.
  • Evaluation of ANDed authorization conditions
  • Leveraging classification and resource properties in ACLs
• Easier Access-Denied remediation experience
• Access- and audit-policies can be defined flexibly and simply, e.g.
  • IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor


Requirements
• Windows Server 2012 File Servers
• At least one Windows Server Domain Controller
• Windows 8 or Windows Server 2012 for device claims
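The access-policy counterpart of the slide's rule expressed with the Windows Server 2012 DAC cmdlets, as an added example (not the deck's code): a user claim EmployeeType, a resource property Confidentiality, and a central access rule whose conditional ACE grants read on highly confidential files only to users whose claim is FTE. Assumptions: the ActiveDirectory module on a Windows Server 2012 DC, and the explicit claim/resource-property IDs (ad://ext/EmployeeType, Confidentiality_MS) chosen so the SDDL can reference them.

```powershell
# Added example, not from the deck. The claim-type ID and resource-property ID
# are set explicitly (assumption) so the conditional SDDL below can name them.
Import-Module ActiveDirectory
$T = 'Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry'

# 1. User claim sourced from the employeeType attribute; it travels in the
#    Kerberos ticket once claims are enabled on DCs and clients.
New-ADClaimType -DisplayName 'EmployeeType' -ID 'ad://ext/EmployeeType' `
    -SourceAttribute 'employeeType' -SuggestedValues @(
        (New-Object $T 'FTE',    'Full-time employee', ''),
        (New-Object $T 'vendor', 'Vendor',             '')
    )

# 2. Resource property that file classification stamps onto files/folders
New-ADResourceProperty -DisplayName 'Confidentiality' -ID 'Confidentiality_MS' `
    -IsSecured $true -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValues @(
        (New-Object $T 'high', 'High', ''),
        (New-Object $T 'low',  'Low',  '')
    )
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Confidentiality'

# 3. Central access rule. Applies to resources classified high; the XA
#    (callback access-allowed) ACE grants read (FR) to Authenticated Users
#    only when the user claim is FTE. Staged as -ProposedAcl, so effects are
#    reported through auditing before anyone is actually denied.
$condition = '(@RESOURCE.Confidentiality_MS == "high")'
$acl = 'O:SYG:SYD:AR(A;;FA;;;BA)(XA;;FR;;;AU;(@USER.ad://ext/EmployeeType == "FTE"))'
New-ADCentralAccessRule -Name 'Confidential-FTE-only' `
    -ResourceCondition $condition -ProposedAcl $acl

# 4. Policy that carries the rule. It is then published to file servers by
#    Group Policy (Security Settings > File System > Central Access Policy)
#    and attached to folders in the ACL editor's Central Policy tab.
New-ADCentralAccessPolicy -Name 'Confidential Documents'
Add-ADCentralAccessPolicyMember -Identity 'Confidential Documents' `
    -Members 'Confidential-FTE-only'
```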

Demo: Dynamic Access Control

Raymond Chou

Kerberos in ADFS

Background
• AD FS v2.0 is able to generate user-claims directly from NT tokens
• Also capable of further expanding claims based on attributes in Active Directory and other attribute stores
• In Windows Server 2012, we know that Kerberos tickets can also contain claims
• But AD FS 2.0 can’t read claims from Kerberos tickets
  • Forced to make additional LDAP calls to Active Directory to source user-attribute claims
  • Cannot leverage device-attribute claims at all

The Solution!
• AD FS (v2.1) in Windows Server 2012 now able to populate SAML tokens with user- and device-claims taken directly from the Kerberos ticket

Requirements
• DAC enabled and configured
• Compound ID must be switched on for the AD FS service account
• Windows Server 2012 AD FS (v2.1)

Wrap

Summary of minimum requirements

With this deployed … you get …

First Windows Server 2012 domain-member (or Windows 8 with RSAT installed)
• New Active Directory Administrative Center, Windows PowerShell History Viewer, Graphical Recycle Bin and FGPP management
• Richer authorization through DAC & FCI
• Active Directory-based Activation (Requires Windows Server 2012 schema extensions)
• Active Directory Replication & Topology Cmdlets
• AD FS (v2.1)

First Windows Server 2012 DC
• Simplified Deployment and Preparation
• Dynamic Access Control policies & claims, Kerberos Claims in AD FS (v2.1)
• Cross-domain Kerberos Constrained Delegation
• Group Managed Service Accounts
• Virtualization-Safe for the Windows Server 2012 DC (requires Hypervisor support for VM-Gen-ID)

Windows Server 2012 DC holds PDC FSMO role
• Rapid virtual DC deployment through DC-cloning (requires Hypervisor support for VM-Gen-ID)

Evaluation

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com.Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

We want to hear from you!

Resources

http://channel9.msdn.com/Events

Access MMS Online to view session recordings after the event.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.