View
3.587
Download
0
Tags:
Embed Size (px)
DESCRIPTION
TechNet webcast by Paul Loonen. Session recording: http://technet.microsoft.com/en-us/video/active-directory-domain-services-in-windows-server-2012
Citation preview
©2009 Microsoft Corporation. All Rights Reserved.©2009 Microsoft Corporation. All Rights Reserved.
Discover what’s new in Active Directory in Windows Server 2012
Paul [email protected] / @ploonen
©2009 Microsoft Corporation. All Rights Reserved.
Agenda
• Objectives / Takeaways
• Areas of Investment / Our Broad Goals
• New Features / Enhancements
• Summary of Requirements
©2009 Microsoft Corporation. All Rights Reserved.
Objectives• Provide an understanding of…• the broad areas we have invested in and why• the business- and/or technical-challenges that led to each of the
new features
• Provide detailed insights into the Active Directory features and…• define requirements and implementation specifics• highlight the value these features bring to your environment
• Given the sheer volume of topics…• provide technically-deep content striving for a balance of breadth
and depth• provide you material that’s sufficiently complete & technically rich
to be useful outside of the session
©2009 Microsoft Corporation. All Rights Reserved.
High-Level Areas of Investment• Simplified deployment of Active Directory
• Optimal deployment experiences in both private- and public-clouds
• Increase consistency throughout the management experience
• Accommodate business-driven security requirements through the integration of:• file-classification • claims-based authorization
©2009 Microsoft Corporation. All Rights Reserved.
Our Broad GoalsVirtualization That Just Works
• All Active Directory features work equally well in physical, virtual or mixed environments
Simplified Deployment of Active Directory
• Complete integration of environment preparation, role installation and DC promotion into a single UI• DCs can be deployed rapidly to ease disaster recovery and workload balancing• DCs can be deployed remotely on multiple machines from a single Windows Server 2012 machine• Consistent command-line experience through Windows PowerShell enables automation of deployment tasks
Simplified Management of Active Directory
• GUI that simplifies complex tasks such as recovering a deleted object or managing password policies• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI• Active Directory Windows PowerShell support for managing replication and topology data• Simplify delegation and management of service accounts
©2009 Microsoft Corporation. All Rights Reserved.
Miscellaneous
Management
New Features and Enhancements
Recycle Bin User Interface
Virtualization-Safe Technology
Active Directory Replication & Topology Cmdlets
Active DirectoryPlatform Changes
Dynamic Access Control
Active Directory Based Activation
Group Managed Service Accounts
Rapid Deployment Kerberos Enhancements
Active Directory PowerShell History Viewer User
Interface
Fine-Grained Password Policy User Interface
Simplified Deployment
©2009 Microsoft Corporation. All Rights Reserved.
Miscellaneous
Virtualization-Safe Technology
Active DirectoryPlatform Changes
Rapid Deployment
Simplified Deployment
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Simplified Deployment• Background• adding replica DCs running newer versions of the Windows
Server operating system has proven to be:• time consuming• error-prone• complex
• In the past, IT pros were required to:• obtain the correct (new) version of the ADprep tools• interactively logon at specific per-domain DCs using a variety of different
credentials• run the preparation tool in the correct sequence with the correct switches• wait for replication convergence between each step
©2009 Microsoft Corporation. All Rights Reserved.
Simplified Deployment• Solution• integrate preparation steps into the
promotion process• automate the pre-requisites between each of
them
• validate environment-wide pre-requisites before beginning deployment
• integrated with Server Manager and remoteable
• built on Windows PowerShell for command-line and UI consistency
• configuration wizard aligns to the most common deployment scenarios
©2009 Microsoft Corporation. All Rights Reserved.
Simplified Deployment: What Changed?… by integrating preparation and promotion processes & automating pre-requisites in-between
… by validating environment pre-requisites before deployment
… by providing remote capabilities for both preparation and promotion processes
… by aligning the configuration wizard to the most common deployment scenarios
… by integrating the full deployment experience with Server Manager
… by providing a deployment & configuration wizard that is built on top of Windows PowerShell
Streamline the deployment process
Minimize odds of deployment failures
Minimize number of touch-points
Optimize for common deployment paths
Bring consistency with other Windows Server roles deployment experiencesGain UI-consistency by leveraging an enhanced command-line experience
©2009 Microsoft Corporation. All Rights Reserved.
Simplified Deployment
• Requirements• Windows Server 2012• target forest must be Windows Server 2003 functional level or
greater• introducing the first Windows Server 2012 DC requires
Enterprise Admin and Schema Admin privileges• subsequent DCs require only Domain Admin privileges within the target
domain
©2009 Microsoft Corporation. All Rights Reserved.
Simplified Deployment ++DC Promotion Retry Logic
• Since Windows 2000, DCpromo has been intolerant of transient network failures• caused promotions to fail if the network (or helper DC)
“hiccupped”
• Windows Server 2012 promotion employs an indefinite retry• “indefinite” because no sufficiently meaningful set of metrics
available from which to assert “sufficient progress”• so we’ve deferred the decision of “failure” to the administrator
©2009 Microsoft Corporation. All Rights Reserved.
Simplified Deployment ++Enhanced Install-from-media (IFM) options
• Goal of IFM deploy a DC more quickly• yet “IFM prep” in NTDSUTIL executed a mandatory offline
defragmentation pass• a maintenance task that our data suggests virtually nobody uses on existing
production DCs
• yielded a much smaller DIT (which is great) but at the expense of time
• In Windows Server 2012, NTDSUTIL’s IFMprep enhanced• NTDSUTIL’s IFMprep now includes an option to eliminate the
defragmentation pass• not the default, that remains as is
• eliminates potentially hours (or days) of media preparation time• DIT will be larger (whitespace, not fragmentation) increasing copy time if slow-links
involved
©2009 Microsoft Corporation. All Rights Reserved.
Simplified Deployment ++AD FS V2.1 is in-the-box
• AD FS v2.0 shipped out-of-band • downloaded from http://microsoft.com
• AD FS (v2.1) ships in-the-box as a server-role with Windows Server 2012• integrated with Windows Server 2012 Dynamic Access
Control
©2009 Microsoft Corporation. All Rights Reserved.
Miscellaneous
Virtualization-Safe Technology
Active DirectoryPlatform Changes
Rapid Deployment
Simplified Deployment
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Virtualization-Safe Technology
• Background• common virtualization operations
such as creating snapshots or copying VMs/VHDs can rollback the state of a virtual DC
• introduces USN bubbles leading to permanently divergent state causing:• lingering objects• inconsistent passwords• inconsistent attribute values• schema mismatches if the Schema FSMO is
rolled back
• the potential also exists for security principals to be created with duplicate SIDs
©2009 Microsoft Corporation. All Rights Reserved.
Virtualization-Safe Technology
• Solution• Windows Server 2012 virtual DCs able to detect when:• snapshots are applied• a VM is copied
• built on a generation identifier (VM-generation ID) that is changed when virtualization-features such as VM-snapshot are used
• Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory• protection achieved by:
• discarding RID pool• resetting invocationID• re-asserting INITSYNC requirement for FSMOs
©2009 Microsoft Corporation. All Rights Reserved.
How Domain Controllers are ImpactedTim
elin
e o
f even
ts
TIME: T2
TIME: T3
TIME: T4
CreateSnapsho
t
T1 SnapshotApplied!
USN: 100 ID: A
RID Pool: 500 - 1000
USN: 100 ID: A
RID Pool: 500 - 1000
USN: 250ID: A
RID Pool: 650 - 1000
+150 more users created
DC1(A)@USN = 200
DC2 receives updates: USNs >200
DC1(A)@USN = 250
USN: 200ID: A
RID Pool: 600- 1000
+100 users added
DC2 receives updates: USNs >100
DC
1
DC
2
TIME: T1
USN rollback NOT detected: only 50 users converge across the two DCsAll others are either on one or the other DC100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs
©2009 Microsoft Corporation. All Rights Reserved.
Virtualization-Safe Technology
• Requirements• Windows Server 2012 DCs hosted on hypervisor platform
that supports VM-Generation ID
©2009 Microsoft Corporation. All Rights Reserved.
Miscellaneous
Virtualization-Safe Technology
Active DirectoryPlatform Changes
Rapid Deployment
Simplified Deployment
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Rapid Deployment
• Background• deploying virtualized replica DCs is as labor-intensive as
physical DCs • virtualization brings capabilities that can simplify deployment• the result & goal of promoting additional DCs within a domain is an
~identical instance (a replica)• excluding name, IP address, etc.
• deployment today involves many (arguably redundant) steps• preparation & deployment of sysprep’d server image• manually promoting a DC using:
• over-the-wire: can be time-consuming depending upon size of directory• install-from-media (IFM): media-preparation and copying adds time &
complexity• post-deployment configuration steps where necessary
©2009 Microsoft Corporation. All Rights Reserved.
Rapid Deployment: DC Cloning• Solution• create replicas of virtualized DCs by cloning existing ones• i.e. copy the VHD through hypervisor-specific export + import operations
• simplify interaction & deployment-dependencies between HyperVisor and Active Directory admins• note that the authorization of clones remains under Enterprise/Domain
Admins’ control
• a game-changer for disaster-recovery• requires ONLY a single Windows Server 2012 virtual DC per domain to
quickly recover an entire forest• subsequent DCs can be rapidly deployed drastically reducing time to
steady-state
• enables elastic provisioning capabilities to support private-cloud deployments, etc.
©2009 Microsoft Corporation. All Rights Reserved.
NTDS starts
Obtain current VM-GenID
If different from value in DIT
Reset InvocationID, discard RID pool
DCCloneConfig.xml available?
Dcpromo /fixclone
Parse DCCloneConfig.xml
Configure network settings
Locate PDC
Call _IDL_DRSAddCloneDC(name, site)
Check authorization
Create new DC object by duplicating source DC objects(NTDSDSA, Server, Computer instances)
Generate new DC machine account and password
Save clone state (new name, password, site)
Promote as replica (IFM)
Run (specific) sysprep providers
Reboot
Clone VM Windows Server 2012 PDC
IDL_DRSAddCloneDC
CN=Configuration|--CN=Sites
|---CN=<site name>|---CN=Servers
|---CN=<DC Name> |---CN=NTDS Settings
Rapid Deployment: Cloning Flow
©2009 Microsoft Corporation. All Rights Reserved.
Rapid Deployment: DC Cloning
• Requirements• Windows Server 2012 virtual DC hosted on VM-Generation-ID-aware
hypervisor platforms• PDC FSMO must be running Windows Server 2012 to authorize cloning
operation• source DC must be authorized for cloning
• through permission on domain head – “Allow DC to create a clone of itself”• add the source DC’s computer account to the new “Cloneable Domain Controllers” group
• DCCloneConfig.XML file must be present on the clone DC in one of:• directory containing the NTDS.DIT • default DIT directory (%windir%\NTDS) • removable media (virtual floppy, USB, etc.)
• commonplace Windows Server 2012 services that are co-located with DCs are supported, e.g. DNS, FRS, DFSR• additional services/scheduled tasks installed on the clone-source must be added to an admin-
extensible whitelist• if installed component is not present in whitelist, cloning process fails and cloned-DC boots to DSRM
©2009 Microsoft Corporation. All Rights Reserved.
Miscellaneous
Virtualization-Safe Technology
Rapid Deployment
Simplified Deployment
Active DirectoryPlatform Changes
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Brief Terminology Level-Set• RootDSE mods
• aka. operational attributes• LDAP’s answer to RPC
• Constructed attributes• typically imposes a compute burden—the answer is “constructed” based on something else• query processor will reject anything other than a base-scoped filter that includes a constructed
attribute• typically not defined in the schema—known only to the code
• LDAP controls and matching rules• affect the way the query processor handles things, e.g.
• return deleted objects (a control that is checked in along with the query)• bitwise comparison (a matching rule) (searchFlags:1.2.840.113556.1.5.807:=1)
• Finite address spaces within Active Directory• RIDs (exposed)• DNTs (exposed but new to Windows Server 2012)
©2009 Microsoft Corporation. All Rights Reserved.
RID Improvements
• Background• a recent bout of cases involving RID depletion or complete global
RID-space exhaustion motivated an investigation into root cause• a couple of bugs were identified and fixed• the investigation also highlighted the need for general
improvements and concerns around finite scale limitations
©2009 Microsoft Corporation. All Rights Reserved.
RID Improvements
• Account creation failure can cause the loss of 1 RID• a RID was leaked because a user was being created that didn’t meet policy
• the RID was allocated, the user created, failed to meet policy user deleted RID leaked• fixed in Windows Server 2012 by maintaining an in-memory bucket of RIDs that are available for reuse
• note that if the DC is rebooted, the reuse list is lost• reuse list is used preferentially over RID pool if entries exist• size of the reuse list bound by the maximum number of user-creation attempts that simultaneously hit a
failure case • our projections indicate single-digit size, i.e. nothing to take into account in sizing exercises
• Prevent RID allocation during failed computer account creation by privilege by standard domain user• this is just another path (through domain join, for example) that permits the creation of computer
accounts• the logic above is used in exactly the same way to eliminate the leak
• Log event when a RID pool is invalidated• invalidation occurs via a rootDSE mod. and more natural scenarios, e.g. virtual DC safeties, DIT
restoration
©2009 Microsoft Corporation. All Rights Reserved.
RID Improvements• Missing rIDSetReferences value will lead to RID pool exhaustion
• attribute not correctly recreated when a DC’s computer account is deleted, later detected by the DC and reincarnated• DC checks attribute for pointer to its RID pool• attribute isn’t populated• DC assumes no RID pool and requests a new one• DC receives RID pool from RID FSMO and attempts to write new RID block to its RID set and fails because no
rIDSetReference exists• 30 seconds later, DC repeats process burning through <RID block size> RIDs on each attempt
• a single offending DC will eat through the entire global RID space in ~2 years using default RID block size of 500
• Fixed in Windows Server 2012• reincarnation populates the necessary attributes• Fixed for R2 - http://support.microsoft.com/kb/2618669
• Enforce a maximum cap on the RID policy RID Block Size• in the past, the RID block size was configurable on the RID FSMO’s registry and imposed no
upper bound (HKLM\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\RID Block Size)
• in Windows Server 2012, the maximum permissible admin-configured RID block size is 15,000 (values >15K == 15K)
©2009 Microsoft Corporation. All Rights Reserved.
RID Improvements
• Periodic RID Consumption Warning• at 10% used, system logs informational event• first event at 100,000,000 RIDs used, second event logged at 10% of
remainder• remainder = 900,000,000• 10% of remainder = 90,000,000
• second event logged at 190,000,000• existing RID consumption plus 10% of remainder
• events become more frequent as the global space is further depleted
©2009 Microsoft Corporation. All Rights Reserved.
RID Improvements
• RID Manager artificial ceiling protection mechanism• think of this as a soft ceiling • blocks further allocations of RID pools
• when hit, system flips msDS-RIDPoolAllocationEnabled on the RID Manager$ object to FALSE administrator flips back to TRUE to override
• log an event indicating we’ve reached the ceiling• an additional warning is logged when the global RID spaces reaches 80%
• the attribute can only be set to FALSE by the SYSTEM and is mastered by the RID FSMO (i.e. write it against the RID FSMO)• DA can set it back to TRUE• NOTE: it is set to TRUE by default (possibly obvious)
• the soft ceiling is 90% of the global RID space and is not configurable• the soft ceiling is deemed as ”reached” when a RID pool containing the 90%
RID is issued
©2009 Microsoft Corporation. All Rights Reserved.
RID Improvements
• Unlock 31st bit in the global RID space• Historically used to flag accounts that were migrated
from Novell Netware• doubles global RID space from 1 billion to 2 billion• irreversible action so take care
• CANNOT be authoritatively restored (unless it’s the only DC in the domain)
• 31st bit is unlocked via a rootDSE mod (requires Windows Server 2012 RID FSMO)• sidCompatibilityVersion:1
• other DCs must be running Windows Server 2012 to exploit this• plan is, however, to backport it to Windows Server 2008 R2• downlevel DCs will receive pools that use the higher order bit but will
refuse to issue RIDs to new principals from within it, i.e. the DCs are good for everything other than creating new principals
• they will, for example, happily authenticate users with RIDs above 1 billion
©2009 Microsoft Corporation. All Rights Reserved.
Deferred Index Creation
• Adding indices to existing attributes resulted in DC performance issues, i.e.• DCs received schema update through replication• 5 minutes later, DCs refresh their schema cache
• many/all DCs ~simultaneously begin building the index – huge performance impact!
• Windows Server 2012 introduces new DSheuristic• 18th byte but uses a zero-base, so some say the 19th byte• setting it to 1 causes any Windows Server 2012 DC to defer building indices
until:• it receives the UpdateSchemaNow rootDSE mod. (triggers rebuild of the schema cache)• it is rebooted (which requires that the schema cache be rebuilt and, in turn, the deferred indices)
• any attribute that is in a deferred index state will be logged in the Event Log every 24 hours• 2944: index deferred – logged once• 2945: index still pending – logged every 24 hours• 1137: index created – logged once (not a new event)
©2009 Microsoft Corporation. All Rights Reserved.
Expose DNTs on rootDSE• Active Directory’s DIT uses DNTs (“Distinguished Name Tags”)
• if we think of the DIT as a spreadsheet, DNTs are very much like row numbers• finite address space == 2^31 (~2 billion)• DNTs are NOT replicated (a database-local concept)• never re-used (the value only ever increases)
• DNTs are never re-serialized (or reclaimed) except during over-the-wire promotions • neither IFM or cloning will re-serialize them• once you run out, the DC must be demoted and re-promoted over-the-wire
• determining the DNT for a given DC required that you dump its database or programmatically interrogate the DIT• time consuming, impacts performance and disk space
• How to solve • Remove the offending DC and re-promote
• Windows Server 2012 Active Directory exposes DNTs via:• rootDSE constructed attribute: approximateHighestInternalObjectID
©2009 Microsoft Corporation. All Rights Reserved.
Off-Premises Domain Join
• Extends offline domain-join by allowing the blob to accommodate Direct Access prerequisites• Certs• Group Policies
• What does this mean?• a computer can now be domain-joined over the Internet if the
domain is Direct Access enabled• getting the blob to the non-domain-joined machine is an offline
process and the responsibility of the admin
©2009 Microsoft Corporation. All Rights Reserved.
Enhanced LDAP logging
• Enhanced LDAP logging added in Windows Server 2012• existing LDAP logging capabilities deemed insufficient • unable to isolate/diagnose root cause of many behaviors/failures with existing
logging
• Enabled through registry via logging overrides or level 5 LDAP logging• additional logging logs entry and exit stats for a given API• we now also track the entry and exit tick making it feasible to determine
sequence of events• entry: logs the operation name, the SID of the caller’s context, the client IP, entry tick and client
ID• exit: logs the operation name, the SID of the caller’s context, client IP, entry and exit tick and client
ID
•… further details on this in the appendix of this deck
©2009 Microsoft Corporation. All Rights Reserved.
New LDAP Controls/Behaviors
• Batched extended-LDAP operations (1.2.840.113556.1.4.2212)• Require server-sorted search use index on sort attribute (1.2.840.113556.1.4.2207)• DirSync_EX_Control (1.2.840.113556.1.4.2090)• TreeDelete control with batch size (1.2.840.113556.1.4.2204)• Include ties in server-sorted search results (1.2.840.113556.1.4.2210)• Return highest change stamp applied as part of an update
(1.2.840.113556.1.4.2205)• Expected entry count (1.2.840.113556.1.4.2211)
• … details on each of these new controls in the appendix of this deck
©2009 Microsoft Corporation. All Rights Reserved.
Miscellaneous
Management
Recycle Bin User Interface
Virtualization-Safe Technology
Active Directory Replication & Topology Cmdlets
Active DirectoryPlatform Changes
Dynamic Access Control
Active Directory Based Activation
Group Managed Service Accounts
Rapid Deployment Kerberos Enhancements
Active Directory PowerShell History Viewer User
Interface
Fine-Grained Password Policy User Interface
Simplified Deployment
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Management
Recycle Bin User Interface
Active Directory Replication & Topology Cmdlets
Dynamic Access Control
Active Directory Based Activation
Group Managed Service Accounts
Kerberos Enhancements
Active Directory PowerShell History Viewer User
Interface
Fine-Grained Password Policy User Interface
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Recycle Bin User Interface
• Background• the Recycle Bin feature introduced with Windows Server 2008 R2
provided an architecture permitting complete object recovery• scenarios requiring object recovery via the Recycle Bin are
typically high-priority• recovery from accidental deletions, etc. resulting in failed logons / work-stoppages
• the absence of a rich, graphical interface complicated its usage and slowed recovery
©2009 Microsoft Corporation. All Rights Reserved.
Recycle Bin User Interface
• Solution• simplify object recovery
through the inclusion of a Deleted Objects node in the Active Directory Administrative Center • deleted objects can now be
recovered within the graphical user interface
• greatly reduces recovery-time by providing a discoverable, consistent view of deleted objects
©2009 Microsoft Corporation. All Rights Reserved.
Recycle Bin User Interface
• Requirements• Recycle Bin’s own requirements must first be satisfied, e.g.• Windows Server 2008 R2 forest functional level • Recycle Bin optional-feature must be switched on
• Windows Server 2012 Active Directory Administrative Center• Objects requiring recovery must have been deleted within
Deleted Object Lifetime (DOL)• defaults to 180 days
©2009 Microsoft Corporation. All Rights Reserved.
Management
Recycle Bin User Interface
Active Directory Replication & Topology Cmdlets
Active Directory Based Activation
Group Managed Service Accounts
Kerberos Enhancements
Active Directory PowerShell History Viewer User
Interface
Fine-Grained Password Policy User Interface
Dynamic Access Control
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Dynamic Access Control (DAC)
• Background• today, it’s difficult to translate business-intent using existing
authorization model• no central administration capabilities• existing expression language makes it hard or impossible to
fully express requirements• increasing regulatory and business requirements around
compliance demand a different approach
©2009 Microsoft Corporation. All Rights Reserved.
Dynamic Access Control (DAC)• Solution• new central access policies (CAP) model• new claims-based authorization
platform enhances, not replaces, existing model• user-claims and device-claims• user+device claims = compound identity
• includes traditional group memberships too
• use of file-classification information in authorization decisions
• modern authorization expressions, e.g.• evaluation of ANDed authorization conditions• leveraging classification and resource properties
in ACLs
• easier Access-Denied remediation experience
• access- and audit-policies can be defined flexibly and simply, e.g.• IF resource.Confidentiality = high THEN
audit.Success WHEN user.EmployeeType = vendor
©2009 Microsoft Corporation. All Rights Reserved.
Dynamic Access Control (DAC)• Requirements
• Windows 8 or Windows Server 2012 file servers (no DCs necessary yet)• modern authorization expressions, e.g.
• evaluating ANDed authorization conditions• NOTE: leveraging classification and resource properties in ACLs requires the Windows Server 2012
schema• Access Denied Remediation
• 1 or more Windows Server 2012 DCs required for Kerberos claims• Central Access Policies (CAP) support• must enable the claims-policy in a Domain Controller-scoped policy, e.g. Default Domain Controllers Policy
• once configured, Windows 8 clients might use only Windows Server 2012 DCs• enough DCs must be deployed to service the load imposed by uplevel clients and servers (piling-on)
• Windows Server 2012 Active Directory Administrative Center to administer CAPs and CAPRs• CAPR = Claims Access Policy Rules
• for device-claims, compound ID must be switched on at the target service account• via Group Policy or directly editing the corresponding objects
• downlevel clients require DFL 5 in order to receive claims from a KDC• in the absence of that, uplevel servers able to use S4U2Self to obtain claims-enabled ticket on caller’s
behalf• note that Authentication Mechanism Assurance (AMA) SIDs/claims and device authorization data not
available since context around authentication method and device already lost
©2009 Microsoft Corporation. All Rights Reserved.
Kerberos Claims (DAC) in AD FS
• Background• AD FS v2.0 is able to generate user-claims directly from
NTtokens• also capable of further expanding claims based on attributes in Active
Directory and other attribute stores
• in Windows Server 2012, we know that Kerberos tickets can also contain claims• but AD FS 2.0 can’t read claims from Kerberos tickets• forced to make additional LDAP calls to Active Directory to source user-
attribute claims • cannot leverage device-attribute claims at all
©2009 Microsoft Corporation. All Rights Reserved.
Kerberos Claims (DAC) in AD FS
• Solution• AD FS (v2.1) in Windows Server
2012 now able to populate SAML tokens with user- and device-claims taken directly from the Kerberos ticket
• Requirements• DAC enabled and configured• compound ID must be switched on
for the AD FS service account• Windows Server 2012 AD FS (v2.1)
©2009 Microsoft Corporation. All Rights Reserved.
Management
Recycle Bin User Interface
Active Directory Replication & Topology Cmdlets
Dynamic Access Control
Group Managed Service Accounts
Kerberos Enhancements
Active Directory PowerShell History Viewer User
Interface
Fine-Grained Password Policy User Interface
Active Directory Based Activation
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory-based Activation (AD BA)
• Background• today, Volume Licensing for Windows/Office requires Key
Management Service (KMS) servers • requires minimal training• turnkey solution covers ~90% of deployments• complexity caused by lack of a graphical administration console
• requires RPC traffic on the network which complicates matters
• does not support any kind of authentication, the EULA prohibits the customer from connecting the KMS server to any external network• i.e. connectivity-alone to the service equates to activated
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory-based Activation (AD BA)
• Solution• use your existing Active Directory infrastructure to activate your clients
• no additional machines required• no RPC requirement, uses LDAP exclusively• includes RODCs
• beyond installation and service-specific requirements, no data written back to the directory• activating initial CSVLK (customer-specific volume license key) requires:
• one-time contact with Microsoft Activation Services over the Internet (identical to retail activation)• key entered using volume activation server role or using command line.• repeat the activation process for additional forests up to 6 times by default
• activation-object maintained in configuration partition• represents proof of purchase• machines can be member of any domain in the forest
• all Windows 8 and Windows Server 2012 machines will automatically activate
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory-based Activation (AD BA)
• Requirements• only Windows 8 or Windows Server 2012 machines can
leverage AD BA• KMS and AD BA can coexist• you still need KMS if you require downlevel volume-licensing
• setup requires Windows 8 or Windows Server 2012 machine • requires Windows Server 2012 Active Directory schema, not
Windows Server 2012 domain controllers
©2009 Microsoft Corporation. All Rights Reserved.
Management
Recycle Bin User Interface
Active Directory Replication & Topology Cmdlets
Dynamic Access Control
Active Directory Based Activation
Group Managed Service Accounts
Kerberos Enhancements
Active Directory Windows PowerShell History Viewer
Fine-Grained Password Policy User Interface
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory Windows PowerShell History Viewer
• Background• Windows PowerShell is a key technology in creating a
consistent experience between the command-line and the graphical user interface
• Windows PowerShell increases productivity• but requires investment in learning how to use it
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory Windows PowerShell History Viewer
• Solution• allow administrators to view the
Windows PowerShell commands executed when using the Administrative Center, e.g.• the administrator adds a user to a group• the UI displays the equivalent Active
Directory Windows PowerShell command• Administrator’s can copy the resulting
syntax and integrate it into their scripts
• reduces learning-curve• increases confidence in scripting• further enhances Windows
PowerShell discoverability
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory Windows PowerShell History Viewer
• Requirements• Windows Server 2012 Active Directory Administrative Center• Active Directory Web Service• running on a domain controller within the target domain
©2009 Microsoft Corporation. All Rights Reserved.
Management
Recycle Bin User Interface
Active Directory Replication & Topology Cmdlets
Dynamic Access Control
Active Directory Based Activation
Group Managed Service Accounts
Kerberos Enhancements
Active Directory Windows PowerShell History Viewer
Fine-Grained Password Policy User Interface
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Fine-Grained Password Policy
• Background• the Fine-Grained Password Policy capability introduced with
Windows Server 2008 provided more granular management of password-policies
• in order to leverage the feature, administrators had to manually create password-settings objects (PSOs)• it proved difficult to ensure that the manually defined policy-values
behaved as desired • resulted in time-consuming, trial and error administration
©2009 Microsoft Corporation. All Rights Reserved.
Fine-Grained Password Policy
• Solution• creating, editing and assigning
PSOs now managed through the Active Directory Administrative Center
• greatly simplifies management of password-settings objects
©2009 Microsoft Corporation. All Rights Reserved.
Fine-Grained Password Policy
• Requirements• FGPP requirements must be met, e.g.• Windows Server 2008 domain functional level
• Windows Server 2012 Active Directory Administrative Center
©2009 Microsoft Corporation. All Rights Reserved.
Management
Recycle Bin User Interface
Active Directory Replication & Topology Cmdlets
Dynamic Access Control
Active Directory Based Activation
Group Managed Service Accounts
Active Directory Windows PowerShell History Viewer
Fine-Grained Password Policy User Interface
Kerberos Enhancements
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Flexible Authentication Secure Tunneling (FAST)• Background• offline dictionary attack against password-based logons
possible• relatively well-known concern around Kerberos errors being
spoofed• clients may:• fallback to less-secure legacy protocols• weaken their cryptographic key strength and/or ciphers
©2009 Microsoft Corporation. All Rights Reserved.
Flexible Authentication Secure Tunneling (FAST)• Solution• Kerberos in Windows Server 2012 supports Flexible Authentication
Secure Tunneling (FAST)• defined by RFC 6113• sometimes referred to as “Kerberos armoring”
• provides a protected channel between a domain-joined client and DC • protects pre-authentication data for user’s AS_REQs
• uses LSK (logon session key) from computer’s TGT as shared secret• note that computer authentication is NOT armored
• allows DCs to return authenticated Kerberos errors thereby protecting them from spoofing
• once all Kerberos clients and DCs support FAST (the admin’s decision to make)• the domain can be configured to either require Kerberos armoring or use it upon
request• must first ensure all or enough DCs are running Windows Server 2012• enable the appropriate policy• “Support CBAC and Kerberos armoring”• “All DCs can support CBAC and Require Kerberos armoring”
©2009 Microsoft Corporation. All Rights Reserved.
Flexible Authentication Secure Tunneling (FAST)• Requirements• Windows Server 2012 servers• ensure that all domains the client uses including transited
referral domains:• enable the “Support CBAC and Kerberos armoring” policy for all Windows
Server 2012 DCs • have a sufficient number of Windows Server 2012 DCs to support FAST
• enable “Require FAST” policy on supported clients• RFC-compliant FAST interop requires DFL 5
©2009 Microsoft Corporation. All Rights Reserved.
Kerberos Constrained Delegation (KCD)• Background
• Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003• KCD permits a service’s account (front-end) to act on the behalf of users in multi-
tier applications for a limited set of back-end services, e.g.• user accesses web site as user1• user requests information from web site (front-end) that requires the web server to
query a SQL database (back-end)• access to this data is authorized according to who accessed the front-end• in this case, the web service must impersonate user1 when making the request to SQL
• front-end configured with the services (by SPN) to which it can impersonate users• setup/administration requires Domain Admin privileges• KCD delegation only works for back-end services in the same domain as the front-
end service-accounts
©2009 Microsoft Corporation. All Rights Reserved.
Kerberos Constrained Delegation (KCD)
• Solution• KCD in Windows Server 2012 moves the authorization
decision to the resource-owners• permits back-end to authorize which front-end service-accounts can
impersonate users against their resources
• supports cross-domain, cross-forest scenarios• no longer requires Domain Admin privileges• requires only administrative permission to the back-end service-account
©2009 Microsoft Corporation. All Rights Reserved.
Kerberos Constrained Delegation (KCD)• Requirements• client’s run Windows XP or later• client domain DCs running Windows Server 2003 or later
• front-end server running Windows Server 2012• 1 or more DCs in front-end domain running Windows Server 2012
• 1 or more DCs in back-end domain running Windows Server 2012 • back-end server account configured with the accounts that are permitted for
impersonation• not exposed through Active Directory Administrative Center• configured through Active Directory Windows PowerShell Cmdlet:
• New/Set-ADComputer [-name] <string> [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]• New/Set-ADServiceAccount [-name] <string> [-PrincipalsAllowedToDelegateToAccount
<ADPrincipal[]>]
• Windows Server 2012 schema update in back-end server’s forest• back-end application server running Windows Server 2003 or later
©2009 Microsoft Corporation. All Rights Reserved.
Management
Recycle Bin User Interface
Active Directory Replication & Topology Cmdlets
Dynamic Access Control
Active Directory Based Activation
Kerberos Enhancements
Active Directory Windows PowerShell History Viewer
Fine-Grained Password Policy User Interface
Group Managed Service Accounts
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Group Managed Service Accounts (gMSA)
• Background• Managed Service Accounts (MSAs) introduced with Windows
Server 2008 R2• clustered or load-balanced services that needed to share a
single security-principal were unsupported• MSAs not able to be used in many desirable scenarios
©2009 Microsoft Corporation. All Rights Reserved.
Group Managed Service Accounts (gMSA)• Solution• introduce new security principal type known as a gMSA (superset of
MSAs)• services running on multiple hosts can run under the same gMSA
account• 1 or more Windows Server 2012 DCs required• gMSAs can authenticate against any OS-version DC• passwords computed by Group Key Distribution Service (GKDS) running on all
Windows Server 2012 DCs
• Windows Server 2012 hosts using gMSAs obtain password and password-updates from GKDS• password retrieval limited to authorized computers
• password-change interval defined at gMSA account creation (30 days by default)
• like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM), IIS application pools and scheduled tasks
©2009 Microsoft Corporation. All Rights Reserved.
Group Managed Service Accounts (gMSA)
• Requirements• Windows Server 2012 Active Directory schema updated in
forests containing gMSAs• 1 or more Windows Server 2012 DCs to provide password
computation and retrieval• only services running on Windows 8 or Windows Server 2012
can use gMSAs• Windows Server 2012 Active Directory Module for Windows
PowerShell to create gMSA accounts
©2009 Microsoft Corporation. All Rights Reserved.
Management
Recycle Bin User Interface
Dynamic Access Control
Active Directory Based Activation
Group Managed Service Accounts
Kerberos Enhancements
Active Directory Windows PowerShell History Viewer
Fine-Grained Password Policy User Interface
Active Directory Replication & Topology Cmdlets
New Features and Enhancements
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory Replication & Topology Cmdlets
• Background• administrators require a variety of tools to manage Active
Directory’s site topology• repadmin• ntdsutil• Active Directory Sites and Services• etc.
• results in an inconsistent experience• difficult to automate
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory Replication & Topology Cmdlets
• Solution• manage replication and site-topology with Active Directory
Windows PowerShell• create and manage sites, site-links, site-link bridges, subnets and
connections• replicate objects between DCs• view replication metadata on object attributes• view replication failures• etc.
• provides a consistent and more easily scriptable experience• compatible and interoperable with other Windows
PowerShell Cmdlets
©2009 Microsoft Corporation. All Rights Reserved.
Active Directory Replication & Topology Cmdlets
• Requirements• Active Directory Web Service (ADWS)• or Active Directory Management Gateway
(for Windows Server 2003 or 2008)
• Remote Server Administration Tools (RSAT)• In fact: the upgraded PS module
©2009 Microsoft Corporation. All Rights Reserved.
In ReviewEasier to Manage
• Windows Server 2012• Managed Service Accounts for farms
(gMSA)• Support for cross-domain Kerberos
Constrained Delegation• Spoofing of Kerberos errors much more
challenging• Active Directory UI investments• support in Active Directory’s Administrative
Center for managing deleted objects and Fine Grained Password Policies
• ability to view Windows PowerShell scripts that correspond to actions performed in the GUI
• Easier scripting of replication and topology tasks using new Active Directory Windows PowerShell Cmdlets
• In the past…• Managed Service Accounts work only on
a single machine• Kerberos Constrained Delegation (KCD)
works only within a single domain• Kerberos errors able to be spoofed• No support in Active Directory
Administrative Center for Recycle Bin or Fine Grained Password Policies
• PowerShell code must be written from scratch
• Hodge-podge of incompatible command-line tools and UIs used for managing replication and topology
©2009 Microsoft Corporation. All Rights Reserved.
In ReviewEasier to Deploy
• Windows Server 2012• Safe virtualization• Simplified deployment• Integrated end-to-end deployment
experience• All deployment tasks are remoteable and
automatically target the correct FSMOs• Input and environment validation throughout
the deployment process helps decrease failures
• Full Windows PowerShell support for automated deployment
• Rapid deployment of DCs using cloning• AD FS deployment integration
• In the past…• Using snapshot features on virtual DCs
results in a divergent Active Directory state
• Active Directory environment preparation is overly complex requiring multiple steps
• DC promotion requires multiple phases to complete
• Deployment is not remoteable and requires interactive logon to multiple DCs
• Difficult to write automation scripts
©2009 Microsoft Corporation. All Rights Reserved.
Summary of Minimum RequirementsWith this deployed… ... these features become available
+ First Windows Server 2012 domain-member (or Windows 8 with RSAT installed)
• New Active Directory Administrative Center• Windows PowerShell History Viewer• Graphical Recycle Bin and FGPP management
• Richer authorization through DAC & FCI• Active Directory-based Activation
• Requires Windows Server 2012 schema extensions• Active Directory Replication & Topology Cmdlets• AD FS (v2.1)
+ First Windows Server 2012 DC
• Simplified Deployment and Preparation• Dynamic Access Control policies and claims
• Kerberos Claims in AD FS (v2.1)• Cross-domain Kerberos Constrained Delegation• Group Managed Service Accounts• Virtualization-Safe for the Windows Server
2012 DC• requires Hypervisor support for VM-Gen-ID
+ Windows Server 2012 DC holds PDC FSMO role
• Rapid virtual DC deployment through DC-cloning• requires Hypervisor support for VM-Gen-ID
©2009 Microsoft Corporation. All Rights Reserved.
Call to Action
• Download the WS 2012 Trial: • http://technet.microsoft.com/en-us/evalcenter/hh670538.a
spx
• Take additional training on Microsoft Virtual Academy: • https://www.microsoftvirtualacademy.com/
• Follow the Windows Server Blog: • http://blogs.technet.com/b/windowsserver/
©2009 Microsoft Corporation. All Rights Reserved.
Q & A
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
PRESENTATION.