Upgrading the Platform - How to Get There!

Page 1: Upgrading the Platform - How to Get There!
Page 2: Upgrading the Platform - How to Get There!

Reimagining and Migrating Your Active Directory
Rick Claus, Sr. Technical Evangelist, @RicksterCDN

#WCAB336 Upgrading the Platform - How to Get There!

Andrew McMurray, Technical Evangelist, @MaccaMSOZ

Page 3: Upgrading the Platform - How to Get There!

What part of your IT Infrastructure are you the most concerned with upgrading?

* note: My completely unsubstantiated informal TWPoll: http://twtpoll.com/uuk37y

Page 4: Upgrading the Platform - How to Get There!

What version of AD are you running now?

{Insert graph here}

http://twtpoll.com/79pisy

Page 5: Upgrading the Platform - How to Get There!

Active Directory is 14 years old…
• Where were you 14 years ago?
• What did your network look like?

[Diagram: users (U1, U2), resources (R1–R6) and per-user resource mappings (UR1–UR5), contrasted with the consolidated “User + Resources” model]

Active Directory Solved a LOT of issues

Why did we all make it so complicated?

Page 6: Upgrading the Platform - How to Get There!

Now the party is over….

When was the last time AD design / functionality revisited?

Page 7: Upgrading the Platform - How to Get There!

Why Windows Server 2012?
• Your AD Admin life easier!
• Automation with PowerShell
• AD Recycle Bin
• Fine Grained Password Policies
• Group Policy updates
• Paving the way to Dynamic Access Control
• Virtualization support with VMGenID

Easiest path to Windows Server 2012 R2

Page 8: Upgrading the Platform - How to Get There!

Guidelines to make your life easier
• Simplify and Consolidate
• ADMT 3.2 can’t be installed on Windows Server 2012
  • http://support.microsoft.com/kb/2753560
• Consider Server Core implementations
• Read Only Domain Controllers
• Go Virtual (stay tuned)

Page 9: Upgrading the Platform - How to Get There!

Let’s Get ’er done!

Page 10: Upgrading the Platform - How to Get There!

Upgrade or Migration?

x86 = NO DIRECT “in place” UPGRADE PATH :-(

Page 11: Upgrading the Platform - How to Get There!

Active Directory® and DNS Migration

Pre-Migration
• Migration planning
  • Number of network interface cards (NICs)
• Prepare source server
  • Back up
  • Collect migration data
• Prepare destination server
  • Install Windows Server 2012
  • Assign temporary server name
  • Assign temporary IP address
  • Join domain

Migration
• Make destination server a domain controller
• Manually migrate DNS server settings
• Transfer FSMO roles
• Migrate IP address and rename servers

Post-Migration (Optional)
• Perform verification steps
• Retire source server

Roll back migration

Troubleshoot migration

Page 12: Upgrading the Platform - How to Get There!

Bringing in your First Windows Server 2012 DC

Page 13: Upgrading the Platform - How to Get There!

But wait – there are other options!

• In place upgrades of 2008 R2

• Virtualized DCs and Cloned DCs

Page 14: Upgrading the Platform - How to Get There!
Page 15: Upgrading the Platform - How to Get There!
Page 16: Upgrading the Platform - How to Get There!

How Serious is USN bubble via Virtualization?

Timeline of events (DC1 has invocation ID A and replicates to DC2)

TIME: T1 (CreateSnapshot)
  DC1: USN 100, ID A, RID Pool 500–1000

TIME: T2 (+100 users added)
  DC1(A) @ USN = 200, RID Pool 600–1000
  DC2 receives updates: USNs > 100

TIME: T3 (Snapshot Applied!)
  DC1: USN 100, ID A, RID Pool 500–1000 (back to the T1 state; DC2’s high-watermark for A is still 200)

TIME: T4 (+150 more users created)
  DC1(A) @ USN = 250, RID Pool 650–1000
  DC2 receives updates: USNs > 200

USN rollback NOT detected:
• only 50 users converge across the two DCs
• all others are either on one or the other DC
• 100 security principals (users in this example) with RIDs 500–599 have conflicting SIDs

Page 17: Upgrading the Platform - How to Get There!

Rapid Deployment: Cloning Flow

Clone VM (Windows Server 2012)
• NTDS starts
• Obtain current VM-GenID
• If different from value in DIT: reset InvocationID, discard RID pool
• DCCloneConfig.xml available? → Dcpromo /fixclone
• Parse DCCloneConfig.xml
• Configure network settings
• Locate PDC
• Call IDL_DRSAddCloneDC(name, site)
• Save clone state (new name, password, site)
• Promote as replica (IFM)
• Run (specific) sysprep providers
• Reboot

PDC, on IDL_DRSAddCloneDC
• Check authorization
• Create new DC object by duplicating source DC objects (NTDSDSA, Server, Computer instances)
• Generate new DC machine account and password

CN=Configuration
|--CN=Sites
   |---CN=<site name>
       |---CN=Servers
           |---CN=<DC Name>
               |---CN=NTDS Settings
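As an added illustration that is not part of the original slides, the following Python model walks the USN-rollback timeline from the previous slide and then replays it with the VM-GenID check described in the cloning flow (compare the hypervisor’s generation ID with the value in the DIT; on mismatch reset the InvocationID and discard the RID pool). The object GUIDs, the RID master, the replication partner DC2 and the one-way DC1 → DC2 replication are constructed for the model; only the starting USN (100) and RID pool (500–1000) come from the slide.

```python
"""Toy model of the USN-rollback timeline on the slide and of the
Windows Server 2012 VM-Generation ID safeguard.  Constructed simulation,
not Microsoft's code; starting values follow the slide (USN 100, RID pool
500-1000), everything else is an assumption of the model."""
import copy
from dataclasses import dataclass, field
from itertools import count

_guid = count(1)   # constructed stand-in for objectGUID


@dataclass
class UserObject:
    guid: int
    invocation_id: str   # replication identity of the DIT that originated it
    usn: int             # originating USN
    rid: int             # the SID is the domain SID plus this RID


@dataclass
class DomainController:
    name: str
    invocation_id: str
    usn: int = 100
    rid_next: int = 500
    rid_end: int = 1000
    vm_gen_id_in_dit: str = "gen-1"
    objects: dict = field(default_factory=dict)     # guid -> UserObject
    watermarks: dict = field(default_factory=dict)  # partner invocation_id -> highest USN received

    def create_users(self, n):
        for _ in range(n):
            assert self.rid_next <= self.rid_end, "RID pool exhausted"
            self.usn += 1
            g = next(_guid)
            self.objects[g] = UserObject(g, self.invocation_id, self.usn, self.rid_next)
            self.rid_next += 1

    def replicate_from(self, src):
        """Pull the changes src originated above our high-watermark for src's
        invocation ID.  A rolled-back DC that keeps its old invocation ID
        re-uses USNs the partner has already seen, so those changes are skipped."""
        start = self.watermarks.get(src.invocation_id, 0)
        newest = start
        for obj in src.objects.values():
            if obj.invocation_id == src.invocation_id and obj.usn > start:
                self.objects[obj.guid] = obj
                newest = max(newest, obj.usn)
        self.watermarks[src.invocation_id] = newest


class RidMaster:
    """Hands out fresh RID blocks; the first block (500-1000) is already on DC1."""
    def __init__(self):
        self.next_start = 1001

    def allocate_pool(self):
        start, self.next_start = self.next_start, self.next_start + 500
        return start, start + 499


def ntds_start(dc, current_vm_gen_id, rid_master, safeguard):
    """Start-up check from the cloning-flow slide: compare the hypervisor's
    VM-GenID with the value stored in the DIT; on mismatch reset the
    InvocationID and discard the RID pool.  safeguard=False models a DC that
    cannot see the generation counter, so the rollback goes unnoticed."""
    if safeguard and current_vm_gen_id != dc.vm_gen_id_in_dit:
        dc.invocation_id = dc.invocation_id + "-restored"
        dc.rid_next, dc.rid_end = rid_master.allocate_pool()
        dc.vm_gen_id_in_dit = current_vm_gen_id


def run_scenario(safeguard):
    rid_master = RidMaster()
    dc1 = DomainController("DC1", "A")
    dc2 = DomainController("DC2", "Z")
    snapshot = copy.deepcopy(dc1)          # T1: snapshot taken at USN 100
    dc1.create_users(100)                  # T2: USN 200, RIDs 500-599 consumed
    dc2.replicate_from(dc1)                #     DC2 watermark for A is now 200
    dc1 = copy.deepcopy(snapshot)          # T3: snapshot applied, DC1 back at USN 100
    ntds_start(dc1, "gen-2", rid_master, safeguard)   # hypervisor bumped the VM-GenID
    dc1.create_users(150)                  # T4: 150 more users, USN 250
    dc2.replicate_from(dc1)
    converged = len(dc1.objects.keys() & dc2.objects.keys())
    by_rid = {}
    for obj in list(dc1.objects.values()) + list(dc2.objects.values()):
        by_rid.setdefault(obj.rid, set()).add(obj.guid)
    conflicts = sorted(r for r, guids in by_rid.items() if len(guids) > 1)
    return {"converged": converged, "sid_conflicts": len(conflicts),
            "conflict_rids": (conflicts[0], conflicts[-1]) if conflicts else None}


if __name__ == "__main__":
    print("no safeguard:", run_scenario(False))
    print("VM-GenID safeguard:", run_scenario(True))
```

Without the safeguard the model reproduces the slide: 50 users converge and the 100 RIDs 500–599 are handed out twice, once before and once after the snapshot, so two different objects end up with the same SID. With the safeguard the restored DC1 replicates under a new invocation ID, DC2 has no watermark for it and pulls all 150 post-restore users, and the fresh RID block means no SID is reused. The model only replicates from DC1 to DC2, as the slide does; a real restore would also replicate the 100 pre-snapshot users back to DC1.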

Page 18: Upgrading the Platform - How to Get There!

Attack of the DC Clones

Page 19: Upgrading the Platform - How to Get There!

But wait – didn’t we forget something?

Page 20: Upgrading the Platform - How to Get There!

Cleaning up the old stuff

Page 21: Upgrading the Platform - How to Get There!

New stuff

Page 22: Upgrading the Platform - How to Get There!

Drop Your GUI - Server Core DCs
• Easier to Secure, Manage, and Maintain
• Supports Key Infrastructure Roles
• Minimal Server Installation
• Supports Unattended Installation
• Reduced Attack Surface
• Less Disk Space Required
• Reduced Software Maintenance
• Reduced Management

~1GB

Page 23: Upgrading the Platform - How to Get There!

Implement AD “oops” Recycle Bin
• Ever had someone with too many rights?
• “Lost” anything in AD and needed it back?

Page 24: Upgrading the Platform - How to Get There!

Updating Password Policy
• Why?
  • Complexity = circumvention
  • Find right level of usability
• Requirements for Multiple policies?
  • Old way = domains
  • New way = Password Settings Object

[Slide image: example passwords “Password” and “IL0veMyK1ds!”]

Page 25: Upgrading the Platform - How to Get There!

Remote Server Admin Tools

Page 26: Upgrading the Platform - How to Get There!

Group Policy Management Console
• Force GP update
• Group Policy replication

Page 27: Upgrading the Platform - How to Get There!

Paving the way to the future! Policy-driven access to data with Dynamic Access Control
• Easily resolve end-user permission issues
• Centrally manage access control from Active Directory
• Pre-stage and simulate the effect of changes to access policy
• Automatically identify and classify data based on content

Desired Access policy
For access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.

Page 28: Upgrading the Platform - How to Get There!

Expression-based access rules

User claims
  User.Department = Finance
  User.Clearance = High

Device claims
  Device.Department = Finance
  Device.Managed = True

Resource properties
  Resource.Department = Finance
  Resource.Impact = High

Access policy
For access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.

[Diagram: Active Directory Domain Services supplies the claims; the file server evaluates the expression-based access rules]

Page 29: Upgrading the Platform - How to Get There!

Central access policy workflow

Active Directory Domain Services
• Create claim definitions
• Create file property definitions
• Create central access policy

Group Policy
• Send central access policies to file servers

File Server
• Apply access policy to the shared folder
• Identify information

User’s computer
• User tries to access information

[Diagram: claim definitions, file property definitions and audit policy are held in Active Directory Domain Services; the file server evaluates the user’s request and returns allow or deny]
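The following Python evaluator is an added example, not part of the original slides or of Microsoft’s Dynamic Access Control implementation. It encodes the access policy from the previous two slides as an expression over the slide’s claim and property names (User.Department, User.Clearance, Device.Department, Device.Managed, Resource.Department, Resource.Impact), and also shows the “pre-stage and simulate the effect of changes to access policy” idea by comparing a current rule with a proposed one over constructed sample sessions. The sessions, the proposed rule and the `not-targeted` outcome are assumptions of the example.

```python
"""Constructed evaluator for the expression-based access rule shown on the
slide, plus a what-if check for a proposed rule change.  Example code, not
Microsoft's DAC implementation; claim and property names follow the slide."""

# Claims and resource properties are modelled as plain dicts.  A missing
# claim (e.g. a user with no Clearance attribute) evaluates as None, so it
# can never satisfy an equality test: absent claims deny, they never allow.


def rule_targets(resource):
    """Targeting condition of the central access rule: financial information
    with high business impact."""
    return (resource.get("Department") == "Finance"
            and resource.get("Impact") == "High")


def current_rule(user, device):
    """Permission condition from the slide: finance employee with high
    clearance, on a managed device registered with the finance department."""
    return (user.get("Department") == "Finance"
            and user.get("Clearance") == "High"
            and device.get("Department") == "Finance"
            and device.get("Managed") is True)


def proposed_rule(user, device):
    """Hypothetical change under review: drop the managed-device requirement."""
    return (user.get("Department") == "Finance"
            and user.get("Clearance") == "High"
            and device.get("Department") == "Finance")


def evaluate(user, device, resource, rule=current_rule):
    """Return 'allow', 'deny', or 'not-targeted' when the rule does not apply
    to this resource (then only the folder's ordinary ACL decides)."""
    if not rule_targets(resource):
        return "not-targeted"
    return "allow" if rule(user, device) else "deny"


def simulate_change(sessions, old_rule, new_rule):
    """Pre-stage a policy change: report which sessions would get a different
    answer under new_rule than under old_rule, before deploying it."""
    changes = []
    for i, (user, device, resource) in enumerate(sessions):
        before = evaluate(user, device, resource, old_rule)
        after = evaluate(user, device, resource, new_rule)
        if before != after:
            changes.append((i, before, after))
    return changes


# Constructed sample sessions: (user claims, device claims, resource properties).
FIN_HIGH = {"Department": "Finance", "Impact": "High"}
FIN_LOW = {"Department": "Finance", "Impact": "Low"}
SESSIONS = [
    ({"Department": "Finance", "Clearance": "High"},
     {"Department": "Finance", "Managed": True}, FIN_HIGH),   # allow
    ({"Department": "Finance", "Clearance": "High"},
     {"Department": "Finance", "Managed": False}, FIN_HIGH),  # deny: unmanaged device
    ({"Department": "HR", "Clearance": "High"},
     {"Department": "Finance", "Managed": True}, FIN_HIGH),   # deny: wrong department
    ({"Department": "Finance"},
     {"Department": "Finance", "Managed": True}, FIN_HIGH),   # deny: no Clearance claim
    ({"Department": "Finance", "Clearance": "High"},
     {"Department": "Finance", "Managed": True}, FIN_LOW),    # not-targeted
]

if __name__ == "__main__":
    for user, device, resource in SESSIONS:
        print(evaluate(user, device, resource))
    print(simulate_change(SESSIONS, current_rule, proposed_rule))
```

Two design points carry over to real deployments: a claim that is absent must fail closed (here `dict.get` returns `None`, which never equals a required value), and a rule should be staged against recorded access attempts before it is enforced, which is what `simulate_change` does for the sample sessions, flagging that dropping the managed-device requirement would newly allow the unmanaged-device session.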

Page 30: Upgrading the Platform - How to Get There!

Related content
• (MDC-B323) Re-Architecting Your Infrastructure with Windows Server 2012 and Microsoft System Center 2012 SP1
• (WCA-B336) Reimagining and Migrating Your Active Directory
• (MDC-B348) Networking Infrastructure and Management
• (MDC-B349) Your Fileservers and Storage Options

Page 31: Upgrading the Platform - How to Get There!

Resources
• msdn: Resources for Developers, http://microsoft.com/msdn
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Page 32: Upgrading the Platform - How to Get There!

Complete an evaluation on CommNet and enter to win!

Page 33: Upgrading the Platform - How to Get There!

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.