Reimagining and Migrating Your Active Directory
#WCAB336: Upgrading the Platform - How to Get There!
Rick Claus, Sr. Technical Evangelist, @RicksterCDN
Andrew McMurray, Technical Evangelist, @MaccaMSOZ
What part of your IT infrastructure are you the most concerned with upgrading?
* note: My completely unsubstantiated informal TWPoll: http://twtpoll.com/uuk37y
What version of AD are you running now?
http://twtpoll.com/79pisy
Active Directory is 14 years old…
• Where were you 14 years ago?
• What did your network look like?
[Diagram: users (User, U1, U2) each linked to resources (R1-R6) one by one, versus grouped "User + Resources" pairings (UR1-UR5)]
Active Directory Solved a LOT of issues
Why did we all make it so complicated?
Now the party is over….
When was the last time AD design / functionality revisited?
Why Windows Server 2012?
• Makes your AD admin life easier!
• Automation with PowerShell
• AD Recycle Bin
• Fine-Grained Password Policies
• Group Policy updates
• Paving the way to Dynamic Access Control
• Virtualization support with VM-GenerationID
Easiest path to Windows Server 2012 R2
Guidelines to make your life easier
• Simplify and consolidate
• ADMT 3.2 can’t be installed on Windows Server 2012: http://support.microsoft.com/kb/2753560
• Consider Server Core implementations
• Read Only Domain Controllers
• Go virtual (stay tuned)
Let’s get ’er done!
Upgrade or Migration? x86 = NO DIRECT “in place” UPGRADE PATH :-(
(Windows Server 2012 is 64-bit only, so 32-bit Windows Server 2003/2008 DCs have to be migrated rather than upgraded.)
Active Directory® and DNS Migration
Pre-Migration
• Migration planning: number of network interface cards (NICs)
• Prepare source server: back up; collect migration data
• Prepare destination server: install Windows Server 2012; assign temporary server name; assign temporary IP address; join domain
Migration
• Make destination server a domain controller
Post-Migration
• Manually migrate DNS server settings (optional)
• Transfer FSMO roles
• Migrate IP address and rename servers
• Perform verification steps
• Retire source server
• Roll back migration
• Troubleshoot migration
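The migration, transfer and verification steps above, written out as an added PowerShell example (not from the slides). It assumes a domain contoso.com, a new server named DC2012 that is already domain-joined under its temporary name/IP, an existing Windows Server 2008 R2 DC named DC2008, and the Windows Server 2012 ActiveDirectory/ADDSDeployment modules on the new server. Names are placeholders.

```powershell
# Added example, not part of the original deck. Assumed names: contoso.com,
# DC2012 (new, Windows Server 2012), DC2008 (old, 2008 R2). Run elevated on DC2012.

# 1. Install the AD DS binaries and the management tools (ActiveDirectory module).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 2. Promote as an additional (replica) DC with DNS. Windows Server 2012 runs
#    adprep /forestprep and /domainprep for you during this step, which is why the
#    credential must be Schema/Enterprise Admin the first time.
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -InstallDns `
    -SiteName 'Default-First-Site-Name' `
    -Credential (Get-Credential 'CONTOSO\Administrator') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# --- the server reboots; continue on DC2012 after it is back ---

# 3. Transfer all five FSMO roles. This is a graceful transfer; -Force (seize)
#    is only for a source DC that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2012' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 4. Verification steps: role holders, replication, DC health.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, IsGlobalCatalog
repadmin /showrepl DC2012
dcdiag /s:DC2012 /q

# 5. Retire the source only after the checks are clean and DNS/DHCP clients no
#    longer point at it: demote DC2008 with dcpromo (2008 R2), then shut it down.
```

Transfer rather than seize wherever the source DC is still reachable: a seized role on a DC that later comes back online is exactly the kind of divergence the next section is about.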
Bringing in your first Windows Server 2012 DC
But wait – there are other options!
• In-place upgrades of 2008 R2
• Virtualized DCs and cloned DCs
How serious is a USN bubble via virtualization?
[Timeline of events, DC1 versus DC2:]
• TIME T1: CreateSnapshot of DC1. DC1: USN 100, InvocationID A, RID pool 500-1000.
• TIME T2: +100 users added on DC1. DC1: USN 200, ID A, RID pool 600-1000. DC2 receives updates: USNs >100, and now records DC1(A) @ USN = 200.
• TIME T3: Snapshot applied! DC1 reverts to USN 100, ID A, RID pool 500-1000, but keeps the same InvocationID A.
• TIME T4: +150 more users created on DC1. DC1: USN 250, ID A, RID pool 650-1000. DC2 still believes it has everything from DC1(A) up to USN 200, so it receives updates: USNs >200 only.
USN rollback NOT detected: only 50 users (USNs 201-250) converge across the two DCs. All others are either on one or the other DC. 100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs, because the reverted DC1 handed out the same RIDs a second time.
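A check for the situation in the timeline, added here as an example and not taken from the deck. It assumes the ActiveDirectory module (a Windows Server 2012 DC or RSAT), domain admin rights, and a DC name passed as a parameter. Event IDs 2095 and 2103 and the "DSA Not Writable" registry value are what NTDS sets when it *does* detect a rollback; the up-to-dateness vector comparison covers the undetected case shown above, where the DC's own USN has fallen behind what its partners remember.

```powershell
# Added example, not from the original slides. Run as a domain admin.
param([string]$Dc = $env:COMPUTERNAME)

# 1. Did NTDS already catch a rollback and quarantine this DC?
#    2095 = USN rollback detected, 2103 = database restored with an unsupported procedure.
$events = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2095, 2103 }
$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$notWritable = (Get-ItemProperty -Path $ntdsKey -Name 'DSA Not Writable' `
                    -ErrorAction SilentlyContinue).'DSA Not Writable'

# 2. The undetected case from the timeline: a partner's up-to-dateness vector holds a
#    HIGHER USN for this DC's InvocationID than the DC itself has committed
#    (DC2 remembers "DC1(A) @ 200" while DC1 is back at 100).
$localUsn = [long](Get-ADRootDSE -Server $Dc).highestCommittedUSN
$invId    = (Get-ADDomainController -Identity $Dc).InvocationId
$partners = Get-ADReplicationPartnerMetadata -Target $Dc -PartnerType Both |
            Select-Object -ExpandProperty PartnerAddress -Unique

$ahead = foreach ($p in $partners) {
    Get-ADReplicationUpToDatenessVectorTable -Target $p |
        Where-Object { $_.PartnerInvocationId -eq $invId -and [long]$_.UsnFilter -gt $localUsn } |
        ForEach-Object {
            [pscustomobject]@{ Partner = $p; PartnerRemembers = $_.UsnFilter; LocalUsn = $localUsn }
        }
}

[pscustomobject]@{
    DC                   = $Dc
    LocalUsn             = $localUsn
    InvocationId         = $invId
    RollbackEventsLogged = @($events).Count
    DsaNotWritable       = $notWritable          # 4 = NTDS has disabled outbound replication
    PartnersAheadOfLocal = @($ahead)
}

# Any row in PartnersAheadOfLocal means changes made on $Dc since the revert will never
# replicate out (the 100 "lost" users above). Isolate the DC from the network and follow
# the USN rollback recovery procedure in KB 875495 rather than "fixing" it in place.
```

On a Windows Server 2012 DC running on a VM-GenerationID-aware hypervisor the snapshot revert at T3 would instead reset the InvocationID and discard the RID pool, which is the behaviour the next section relies on; this script is for everything else.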
Rapid Deployment: Cloning Flow
[Clone VM, with a Windows Server 2012 PDC:]
• NTDS starts
• Obtain current VM-GenID
• If different from value in DIT: reset InvocationID, discard RID pool
• DCCloneConfig.xml available? → dcpromo /fixclone
• Parse DCCloneConfig.xml
• Configure network settings
• Locate PDC
• Call IDL_DRSAddCloneDC(name, site) on the PDC:
  • Check authorization
  • Create new DC object by duplicating source DC objects (NTDSDSA, Server, Computer instances) under CN=Configuration → CN=Sites → CN=<site name> → CN=Servers → CN=<DC Name> → CN=NTDS Settings
  • Generate new DC machine account and password
• Save clone state (new name, password, site)
• Promote as replica (IFM)
• Run (specific) sysprep providers
• Reboot
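The operator side of that flow, as an added PowerShell example that is not part of the deck. It assumes a virtualized Windows Server 2012 source DC named DC01, a clone to be named DC02, the site Default-First-Site-Name, and static IPv4 settings for the clone (all placeholders). It does not check the hypervisor for VM-GenerationID support or that the PDC emulator runs Windows Server 2012; New-ADDCCloneConfigFile fails its own prerequisite checks if those are missing.

```powershell
# Added example, not from the original slides. Run elevated on the source DC (DC01).

# 1. Authorize the source DC for cloning. This membership is what the PDC's
#    "check authorization" step inside IDL_DRSAddCloneDC looks for.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members 'DC01$'

# 2. Any installed service or application not on the built-in allow list blocks cloning.
#    Review the list before generating CustomDCCloneAllowList.xml: that file is an explicit
#    "I accept that these survive cloning unchanged" statement.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 3. Write DCCloneConfig.xml into the DIT folder; dcpromo /fixclone parses it on the
#    clone's first boot. Omitting name and IP makes the clone invent them, fine for a lab,
#    wrong for a production site with static addressing and firewall rules.
New-ADDCCloneConfigFile `
    -CloneComputerName 'DC02' `
    -SiteName 'Default-First-Site-Name' `
    -Static `
    -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# 4. Shut the source down cleanly, then export/copy the VM and import it as DC02.
#    Never clone a running DC: the copy would boot with the source's InvocationID.
Stop-Computer -Force

# On first boot of the copy the VM-GenerationID differs from msDS-GenerationId in the
# DIT, so NTDS resets the InvocationID, discards the RID pool and runs the flow above.
# Afterwards, on any DC, confirm the clone has its OWN invocation ID and a fresh RID pool:
#   Get-ADDomainController -Identity DC01, DC02 | Select-Object Name, InvocationId
#   Get-ADObject -Identity 'CN=RID Set,CN=DC02,OU=Domain Controllers,DC=contoso,DC=com' -Properties rIDAllocationPool
```

If the two InvocationIds come back identical, the hypervisor did not expose VM-GenerationID and the "clone" is the USN-bubble scenario from the previous slide, not a clone.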
Attack of the DC Clones
But wait – didn’t we forget something?
Cleaning up the old stuff
New stuff
Drop Your GUI - Server Core DCs
• Easier to secure, manage, and maintain
• Supports key infrastructure roles
• Minimal server installation (~1GB)
• Supports unattended installation
• Reduced attack surface
• Less disk space required
• Reduced software maintenance
• Reduced management
Implement AD “oops” Recycle Bin
• Ever had someone with too many rights?
• “Lost” anything in AD and needed it back?
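Enabling the Recycle Bin and putting a deleted OU back together, as an added example (not from the slides). It assumes a forest named contoso.com at forest functional level Windows Server 2008 R2 or higher, and a deleted OU named Finance; both are placeholders.

```powershell
# Added example, not from the original slides. Enabling is one-way: there is no
# Disable-ADOptionalFeature for the Recycle Bin, so do this deliberately.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

# With the Recycle Bin on, deleted objects keep their attributes and group membership
# for the deleted-object lifetime. List what is in the bin, newest first.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, msDS-LastKnownRDN |
    Sort-Object whenChanged -Descending
$deleted | Select-Object msDS-LastKnownRDN, ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# Restore the container first; children cannot be restored under a parent that is
# itself still deleted.
$ou = $deleted | Where-Object {
        $_.ObjectClass -eq 'organizationalUnit' -and $_.'msDS-LastKnownRDN' -eq 'Finance'
    } | Select-Object -First 1

if ($ou) {
    $deletedDn = $ou.DistinguishedName            # mangled DN, e.g. OU=Finance\0ADEL:<guid>,CN=Deleted Objects,...
    Restore-ADObject -Identity $ou.ObjectGUID
    $restored = Get-ADObject -Identity $ou.ObjectGUID

    # Now the children. Their lastKnownParent points at the OU as it was when they were
    # deleted, so match on either DN form and put them back under the live OU explicitly.
    Get-ADObject -Filter { isDeleted -eq $true } -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -in @($deletedDn, $restored.DistinguishedName) } |
        Restore-ADObject -TargetPath $restored.DistinguishedName

    Get-ADObject -Filter * -SearchBase $restored.DistinguishedName |
        Select-Object Name, ObjectClass
}
```

The "someone with too many rights" bullet is the reason to pair this with auditing: the Recycle Bin recovers the objects, but only Directory Service Changes auditing (event 5141 for deletions) tells you who deleted them.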
Updating Password Policy
• Why?
• Complexity = circumvention
• Find the right level of usability
• Requirements for multiple policies?
• Old way = domains
• New way = Password Settings Object
[Slide: example password “IL0veMyK1ds!”]
Remote Server Admin Tools
Group Policy Management Console
• Force GP update
• Group Policy replication
Paving the way to the future! Policy-driven access to data with Dynamic Access Control
• Easily resolve end-user permission issues
• Centrally manage access control from Active Directory
• Pre-stage and simulate the effect of changes to access policy
• Automatically identify and classify data based on content
Desired access policy: For access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Active Directory Domain Services: expression-based access rules
Central access policy workflow
• Active Directory Domain Services: create claim definitions; create file property definitions; create central access policy
• Group Policy: send central access policies to file servers
• File server: apply access policy to the shared folder; identify information
• User’s computer: user tries to access information
• File server evaluates the user’s and device’s claims, the file property definitions and the audit policy from Active Directory Domain Services, then allows or denies
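The finance policy from the slides above, built with the Windows Server 2012 ActiveDirectory and GroupPolicy cmdlets, as an added example that is not from the deck. It also covers the "force GP update" bullet from the GPMC slide. Assumptions, all placeholders: the claim IDs (the GUI normally generates a random suffix), a user attribute employeeType holding the clearance, a custom computer schema attribute contosoManagedDevice holding the managed flag, the built-in Impact_MS ordered list storing High as 3000, a file server FS01.contoso.com, and a GPO named "CAP - File Servers".

```powershell
# Added example, not from the original slides. Run on a Windows Server 2012 DC as a
# Domain Admin. Claim IDs, attribute names and server names are assumptions.

# 1. Claim definitions in AD DS. Department applies to users AND computers so the same
#    claim can be issued as a user claim and as a device claim.
New-ADClaimType -DisplayName 'Department' -SourceAttribute department `
    -AppliesToClasses user, computer -ID 'ad://ext/Department:88ce6e1cf3d8a4e7'
New-ADClaimType -DisplayName 'Clearance' -SourceAttribute employeeType `
    -AppliesToClasses user -ID 'ad://ext/Clearance:88ce6e1cf3d8a4e8'          # assumed attribute
New-ADClaimType -DisplayName 'Managed' -SourceAttribute contosoManagedDevice `
    -AppliesToClasses computer -ID 'ad://ext/Managed:88ce6e1cf3d8a4e9'        # assumed custom attribute

# 2. File property definitions: the built-in Department_MS and Impact_MS resource
#    properties ship disabled; enable them by DN under the configuration partition.
$cfg = (Get-ADRootDSE).configurationNamingContext
foreach ($rp in 'Department_MS', 'Impact_MS') {
    Set-ADResourceProperty -Identity "CN=$rp,CN=Resource Properties,CN=Claims Configuration,CN=Services,$cfg" -Enabled $true
}

# 3. The expression-based rule. Resource condition = "financial information with high
#    impact"; the conditional ACE (XA) = finance user with High clearance on a managed
#    finance device. The same expression is staged in -ProposedAcl, which is audited
#    but not enforced: that is the "pre-stage and simulate" bullet above.
$condition = '((@USER.ad://ext/Department:88ce6e1cf3d8a4e7 Any_of @RESOURCE.Department_MS) && ' +
             '(@USER.ad://ext/Clearance:88ce6e1cf3d8a4e8 == "High") && ' +
             '(@DEVICE.ad://ext/Department:88ce6e1cf3d8a4e7 Any_of @RESOURCE.Department_MS) && ' +
             '(@DEVICE.ad://ext/Managed:88ce6e1cf3d8a4e9 == "True"))'
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;' + $condition + ')'

New-ADCentralAccessRule -Name 'Finance High Impact Rule' -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition '((@RESOURCE.Department_MS Any_of {"Finance"}) && (@RESOURCE.Impact_MS == 3000))' `
    -CurrentAcl $acl -ProposedAcl $acl

New-ADCentralAccessPolicy -Name 'Finance High Impact Policy' -ProtectedFromAccidentalDeletion $true
Add-ADCentralAccessPolicyMember -Identity 'Finance High Impact Policy' -Members 'Finance High Impact Rule'

# 4. Group Policy. Three settings have no cmdlet and are set in GPMC:
#    - DC GPO:     System > KDC > "KDC support for claims, compound authentication and Kerberos armoring"
#    - Client GPO: System > Kerberos > "Kerberos client support for claims, compound authentication and Kerberos armoring"
#                  (device claims need compound authentication; without it only user claims arrive)
#    - File-server GPO "CAP - File Servers": Security Settings > File System > Central Access Policy,
#                  add 'Finance High Impact Policy'
#    Then push it to the file server without waiting for the refresh interval:
Invoke-GPUpdate -Computer 'FS01.contoso.com' -Force

# 5. On FS01 the folder gets Department=Finance, Impact=High and the central policy from
#    the Classification and Central Policy tabs of its Advanced Security Settings (or FCI).
# 6. Verify from a domain-joined Windows 8 client after a fresh logon:
#      whoami /claims                         # shows the user and device claims the KDC issued
#      Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
```

Keep the rule in the proposed ACL only, and watch the "Central Access Policy Staging" audit events on the file server, for a full business cycle before copying it into the current ACL; once enforced, a missing Clearance attribute on a single user account becomes a production outage.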
Related content
• (MDC-B323) Re-Architecting Your Infrastructure with Windows Server 2012 and Microsoft System Center 2012 SP1
• (WCA-B336) Reimagining and Migrating Your Active Directory
• (MDC-B348) Networking Infrastructure and Management
• (MDC-B349) Your Fileservers and Storage Options
Resources
• MSDN, resources for developers: http://microsoft.com/msdn
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• TechNet, resources for IT professionals: http://microsoft.com/technet
• Sessions on demand: http://channel9.msdn.com/Events/TechEd
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.