What’s new in Windows Server 2012 Active Directory?
More info on http://techdays.be

What’s New in Windows Server 2012 Active Directory
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd
With Windows Server 2012 AD you can:
- Use GUI management for the Recycle Bin and Fine-Grained Password Policies
- Perform simplified and more robust DC installations
- Safely virtualize DCs
- Clone DCs
- Implement Kerberos claims identity
- Control access to files and folders with Dynamic Access Control
- Protect the RID pool
- Use PowerShell for everything
- And more…
Demo… AD GUI enhancements
Make sure PowerShell is your best friend
- PowerShell 3.0 with over 2000 cmdlets
- Allows creation of scripts with workflow
- AD PowerShell history helps you get started
- Comprehensive cmdlets for replication management
- Newest help files download on demand: Update-Help
Installing Domain Controllers
Dcpromo RIP
- Provides an XML file and a PowerShell command to automate adding the role
- Can be run remotely
Create IFM seed with NTDSUTIL
- IFM seed generation no longer requires an offline defrag (on by default)
- Target forest must be Server 2003 functional level or higher
Adprep can still be run manually if required
- PowerShell
- Checks are performed at each stage of the Wizard and any issues highlighted before the final validation
- Requires Enterprise Admin privilege
DC virtualization
Restoring from an image
- One DC fails
- We can restore an image backup
- Any problems?

[Figure: timeline of two DCs. DC1 has DSA-GUID A and InvocationID E; DC2 has DSA-GUID B and InvocationID M. At the time of the snapshot DC1 is at highestCommittedUSN 1000 (HW vector M,3000) and DC2 at 3000 (HW vector E,1000). Replication continues until DC1 reaches 4567 (HW vector M,5679) and DC2 reaches 5679 (HW vector E,4567). DC2 is then restored from the snapshot and returns to highestCommittedUSN 3000 with HW vector E,1000 but the same InvocationID M, while DC1 still records M,5679 for it: USN rollback…]
What happens next?
- The restored DC2 asks DC1: "Send me your changes from 1000". DC1 checks the UTD vectors from DC2 and sends the changes. Replication OK.
- Users are added on DC2; its highestCommittedUSN moves from 3000 to 3050.
- DC1 asks DC2: "Send me your changes from 5679". DC2: "There aren't any!" It gets worse!

[Figure state: DC1 has DSA-GUID A, InvocationID E, highestCommittedUSN 4567 and HW vector M,5679; DC2 has DSA-GUID B, InvocationID M, highestCommittedUSN 3000 and HW vector E,1000.]
- DC1 asks DC2 again: "Send me your changes from 5679". DC2, now at highestCommittedUSN 3050, still answers "There aren't any!"
- DC2 sees that DC1's HW vector entry for it (M,5679) appears more up to date than DC2 itself: "that's not right!"
- Post Server 2003 SP1 quarantining:
  - Disable inbound and outbound replication
  - Stop the Netlogon service
  - Write event log messages (replication log)
Windows Server 2012 solution
- The hypervisor creates an identifier, the VM-Generation ID (128 bits)
  - Exposed to the guest OS via the BIOS ACPI namespace
  - Stored by the DC on promotion in the msDS-GenerationID attribute, an attribute of the DC computer object
- The VM-Generation ID is set during a VM import, copy or application of a snapshot
- When the DC boots, if the VM-Generation ID and msDS-GenerationID are not the same, the DC assumes an AD restore:
  - InvocationID changes, so the DC is seen as a new replication source
  - RID pool discarded
  - Non-authoritative restore of SYSVOL
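An added check (not from the slides) for the USN rollback symptoms described above: for every DC in the domain it compares the USN each partner has recorded for the DC's own InvocationID against the DC's highestCommittedUSN, reads the post-2003 SP1 quarantine marker, and reports whether the DC computer object carries an msDS-GenerationId. It assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not from the slides: look for the USN rollback symptoms described
# above on every DC and report whether each DC has stored an msDS-GenerationId.
# Assumes the ActiveDirectory module and WinRM access to the DCs for the registry read.
Import-Module ActiveDirectory

function Get-DcReplicationIdentity {
    param([string]$Server)
    [pscustomobject]@{
        Server              = $Server
        InvocationId        = (Get-ADDomainController -Identity $Server).InvocationId
        # highest USN this DC has itself committed; partners must never claim more
        HighestCommittedUsn = [int64](Get-ADRootDSE -Server $Server).highestCommittedUSN
    }
}

function Test-UsnRollbackSigns {
    param([string]$Server, [string[]]$Partners)
    $me = Get-DcReplicationIdentity -Server $Server
    $findings = @()
    foreach ($partner in $Partners) {
        # A partner's up-to-dateness vector records the highest USN it received from each
        # invocation ID. A higher USN for OUR invocation ID than we ever committed means
        # our database went backwards: the restored-image case from the slides.
        $entries = Get-ADReplicationUpToDatenessVectorTable -Target $partner |
            Where-Object { $_.PartnerInvocationId -eq $me.InvocationId }
        foreach ($entry in $entries) {
            if ($entry.UsnFilter -gt $me.HighestCommittedUsn) {
                $findings += "$partner has USN $($entry.UsnFilter) from $Server, " +
                             "which is only at $($me.HighestCommittedUsn): USN rollback"
            }
        }
    }
    # Post-2003 SP1 quarantine: 'Dsa Not Writable' = 4, replication paused, Netlogon stopped
    $flag = Invoke-Command -ComputerName $Server -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'Dsa Not Writable'
    }
    if ($flag -eq 4) { $findings += "$Server is quarantined (Dsa Not Writable = 4)" }
    if ((Get-Service -ComputerName $Server -Name Netlogon).Status -ne 'Running') {
        $findings += "$Server Netlogon service is not running"
    }
    return $findings
}

# Every DC is checked against every other DC as a potential replication partner.
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    $others = $dcs.HostName | Where-Object { $_ -ne $dc.HostName }
    Test-UsnRollbackSigns -Server $dc.HostName -Partners $others
    # msDS-GenerationId is only present when a VM-Generation ID aware hypervisor exposed
    # one; a DC without it gets no virtualization-safe protection against this scenario.
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
    '{0}: msDS-GenerationId present = {1}' -f $dc.HostName, ($null -ne $comp.'msDS-GenerationId')
}
```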
Hypervisor support (22 January 2013)
- Windows Server 2012 Standard Edition (Hyper-V)
- Windows Server 2012 Enterprise Edition (Hyper-V)
- Hyper-V Server 2012 (Hyper-V)
- Windows 8 Professional (Hyper-V)
- Windows 8 Enterprise (Hyper-V)
- VMware Workstation 9.0
- VMware vSphere 5.0 with Update 4
- VMware vSphere 5.1
Watch this space
Demo… Virtualization safe
DC cloning
Cloning steps
- Prerequisites: PDCE on Windows Server 2012; hypervisor support for VM-Generation ID; source DC a member of Cloneable Domain Controllers
- Check for incompatible components: Get-ADDCCloningExcludedApplicationList
- Remove incompatible components or declare them as safe
- Deploy the XML to the source DC or to a mounted vhd/vhdx copy (can be on removable media)
- Shut down & copy
- Create the new VM on a hypervisor with support for VM-Generation ID
- Cloned DC: if the ID has changed, cloning starts if DCCloneConfig.XML exists
Start the copied DC and…
DefaultDCCloneAllowList.XML
- Get-ADDCCloningExcludedApplicationList displays any services or applications that are running that are NOT included in the XML
- These applications or services must either be removed or, if considered safe, added to CustomDCCloneAllowList.XML
- Generate the XML using: Get-ADDCCloningExcludedApplicationList -GenerateXML
- The XML is added to %windir%\NTDS
DCCloneConfig.XML

```xml
<?xml version="1.0"?>
<d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
  <ComputerName>rootdc4</ComputerName>
  <SiteName>London</SiteName>
  <IPSettings>
    <IPv4Settings>
      <StaticSettings>
        <Address>192.168.137.202</Address>
        <SubnetMask>255.255.255.0</SubnetMask>
        <DefaultGateway>192.168.137.1</DefaultGateway>
        <DNSResolver>192.168.137.200</DNSResolver>
      </StaticSettings>
    </IPv4Settings>
  </IPSettings>
</d3c:DCCloneConfig>
```

- Create using New-ADDCCloneConfigFile, or create from the sample: ..\windows\system32\SampleDCCloneConfig.XML
- DCCloneConfig.xml is placed in …\windows\NTDS; alternate locations are available

```powershell
New-ADDCCloneConfigFile -Static -IPv4Address "192.168.137.202" -IPv4DNSResolver "192.168.137.200" -IPv4SubnetMask "255.255.255.0" -CloneComputerName "AD-DC3" -IPv4DefaultGateway "192.168.137.1" -SiteName "London"
```
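An added example (not from the slides) that runs the pre-flight checks the cloning steps above require on the source DC and, when they pass, creates DCCloneConfig.xml with the slide's sample values; it assumes the ActiveDirectory module.

```powershell
# Added example, not from the slides: the cloning pre-flight checks the steps above
# require, followed by the DCCloneConfig.xml creation with the slide's sample values.
# Run on the source DC; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DcCloneReady {
    $domain = Get-ADDomain
    # 1. The PDC emulator must be a Windows Server 2012 DC
    $pdcDn = (Get-ADDomainController -Identity $domain.PDCEmulator).ComputerObjectDN
    $pdc = Get-ADComputer -Identity $pdcDn -Properties OperatingSystem
    if ($pdc.OperatingSystem -notlike 'Windows Server 2012*') {
        throw "PDCE $($domain.PDCEmulator) runs '$($pdc.OperatingSystem)', not Windows Server 2012"
    }
    # 2. The source DC must be a member of Cloneable Domain Controllers
    $self = Get-ADComputer -Identity $env:COMPUTERNAME -Properties memberOf
    $cloneable = (Get-ADGroup -Identity 'Cloneable Domain Controllers').DistinguishedName
    if ($self.memberOf -notcontains $cloneable) {
        throw "$env:COMPUTERNAME is not a member of Cloneable Domain Controllers"
    }
    # 3. Anything running that is not in DefaultDCCloneAllowList.xml must be removed
    #    or, after review, declared safe in CustomDCCloneAllowList.xml
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) {
        Write-Warning 'Running services/applications not on the allow list:'
        $excluded | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}

if (Test-DcCloneReady) {
    # Writes DCCloneConfig.xml into %windir%\NTDS on this DC (values from the slide)
    New-ADDCCloneConfigFile -Static -IPv4Address '192.168.137.202' `
        -IPv4DNSResolver '192.168.137.200' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '192.168.137.1' -CloneComputerName 'AD-DC3' -SiteName 'London'
    # Next, as in the slides: shut this DC down, copy the VM, create a new VM from the
    # copy on a VM-Generation ID aware hypervisor and start it; the changed ID plus
    # the XML file triggers cloning instead of a restore.
}
# Only after reviewing the excluded list: declare the items safe, which writes
# CustomDCCloneAllowList.xml to %windir%\NTDS
#   Get-ADDCCloningExcludedApplicationList -GenerateXml
```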
Demo… Cloning
Kerberos enhancements
Kerberos changes
There are a number of other changes to Kerberos to enhance day-to-day operations:
- Increase to the maximum Kerberos SSPI context buffer size
- PAC group compression
- Warning events for large token sizes
- Increased logging
Major changes:
- New Kerberos constrained delegation support
- Claims support
Delegation
- Prior to Windows Server 2012, constrained delegation required the front- and back-end service accounts to be in the same domain; 2012 allows delegation across domains and forest trusts
- Protect back-end services by setting the service account parameter PrincipalsAllowedToDelegateToAccount
- Block cross-forest delegation by setting the netdom trust option /EnableTGTDelegation to "no"
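An added example (not from the slides) that applies and audits the two controls just named. 'APP-BACKEND', 'WEB-FRONT' and the domain names are placeholders; it assumes the ActiveDirectory module.

```powershell
# Added example, not from the slides: apply and audit the two delegation controls
# named above. 'APP-BACKEND', 'WEB-FRONT' and the domain names are placeholders.
Import-Module ActiveDirectory

# Resource-based constrained delegation: the back-end account itself lists the
# front-end principals that may obtain service tickets to it on a user's behalf;
# they may sit in another domain or forest.
$frontEnd = Get-ADComputer -Identity 'WEB-FRONT'
Set-ADComputer -Identity 'APP-BACKEND' -PrincipalsAllowedToDelegateToAccount $frontEnd

function Get-ResourceDelegationReport {
    # Every computer account that has opted in, with the principals it trusts.
    # The list is stored in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
    $filter = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
    foreach ($acct in Get-ADComputer -LDAPFilter $filter -Properties PrincipalsAllowedToDelegateToAccount) {
        [pscustomobject]@{
            BackEnd   = $acct.Name
            FrontEnds = ($acct.PrincipalsAllowedToDelegateToAccount |
                         ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', '
        }
    }
}
Get-ResourceDelegationReport | Format-Table -AutoSize

# Cross-forest: netdom trust <TrustingDomain> /domain:<TrustedDomain> /EnableTGTDelegation:No
# turns TGT delegation across the trust off; without a value it shows the current setting.
netdom trust contoso.example /domain:fabrikam.example /EnableTGTDelegation:No
netdom trust contoso.example /domain:fabrikam.example /EnableTGTDelegation
```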
Adding claims to the Kerberos token
[Figure: the PAC inside the user's Kerberos token. Pre-Windows 8: the user's group memberships are added to the PAC; authorization is based on group membership. Windows 8 & Server 2012, compound ID: the PAC contains the user's groups and claims plus device information (device groups and device claims); authorization can be based on group membership, user and device claims.]
Dynamic Access Control
- Files can be classified (tagged) and access and audit policies applied based on the file's classification
- Expression-based access control and auditing
- Expressions can contain groups, users, and user and device claims
- Access based on compound ID: user and device claims
Enabling Kerberos for claims
- Enable the KDC administrative template for Support for Dynamic Access Control and Kerberos armoring
- Kerberos armoring, also referred to as Flexible Authentication Secure Tunneling (FAST), provides:
  - A protected channel between the Kerberos client and the KDC
  - Protection against offline dictionary attacks
  - Signed Kerberos error messages, which prevents spoofing
  - Compound identity
Exhaustible resources
DNTs
- Each DC keeps track of objects written to its database using a Distinguished Name Tag (DNT)
- The DNT is held as a 31-bit number (2^31, ~2 billion values)
- The DNT is incremented as each new object is written
- A DNT value is never reused, even if an object is deleted
- When you run out of DNTs the DC must be demoted and then repromoted
- The DNT value is now exposed through a constructed attribute of RootDSE: approximateHighestInternalObjectID
SIDs
Example: S-1-5-21-1539329446-2123584859-1544097757-5023 (domain sub-authority values, then the RID 5023)
- SIDs must be unique throughout and across forests
- The RID is incremented by one each time a new SID is generated
- This is simple to implement in a single-master environment
- A RID master is required in a multi-master domain controller environment
RID management attributes
[Figure: the RID Master holds rIDAvailablePool, the start of the next pool to be allocated (7500 in the example), and this attribute replicates. Each DC's RID Set, used for SID generation, holds rIDPreviousAllocationPool (the current pool on the DC) and rIDAllocationPool (the next pool to be used on the DC), shown with the example values 6500 and 7000; these do not replicate. A DC applies for a new pool when 50% of the current pool has been consumed.]
RID Manager attributes
- The RID Manager object is replicated to all DCs in the domain
- The rIDAvailablePool attribute is used by the RID Master when allocating the next RID pool to a DC
- Object: cn=RID Manager$,cn=System,dc=example,dc=com
  - fSMORoleOwner: distinguished name of the NTDS Settings object (of the RID Master)
  - rIDAvailablePool (large integer, 64 bits): high value = total number of RIDs that can be created in the domain; low value = start of the next RID pool to be allocated
RID problems
- The maximum available RID is held as a 30-bit number: 1,073,741,824
- 10,000 RIDs/day for the next 294 years, so why is it an issue?
- A rogue script creating millions of security principals
- A very large RID block size set
- Incorrect values entered when elevating the RID pool during recovery
- Large numbers of domain controllers removed and re-added
- Bug: a new RID pool requested every 30 seconds can occur under certain rare circumstances; see KB 2618669 for the Windows 2008 R2 hotfix
Windows Server 2012
- Warnings at 10% usage of the remaining pool size; after a warning the 10% marker is recalculated and the cycle repeats
- First event at 100 million: if you receive this you probably have a problem
- Ceiling at 90% usage: intervention required to issue more RIDs
- Max RID block size capped at 15K: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\RID Block Size
- Global RID Space Size Unlock: the global space can use a 31-bit number, doubling the RIDs available
- 2003 & 2008 DCs cannot use the 31-bit RID values
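An added example (not from the slides) covering the DNT and RID material above: it decodes the 64-bit rIDAvailablePool on the RID Manager object and each DC's RID Set pools, reports remaining RID space against the 90% ceiling and the 31-bit unlock, and reads each DC's approximateHighestInternalObjectID for DNT consumption. It assumes the ActiveDirectory module and LDAP access to every DC.

```powershell
# Added example, not from the slides: decode the RID Manager and per-DC RID Set
# attributes described above and report how much RID and DNT space is left.
# Assumes the ActiveDirectory module and LDAP access to every DC.
Import-Module ActiveDirectory

function Split-RidPool {
    # rIDAvailablePool and the RID Set pools are 64-bit large integers:
    # high 32 bits = end of the range (or total RIDs), low 32 bits = start (or next pool)
    param([int64]$Value)
    [pscustomobject]@{ Low = $Value -band 4294967295; High = $Value -shr 32 }
}

function Get-RidSpaceReport {
    $domain = Get-ADDomain
    $mgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
        -Properties rIDAvailablePool, fSMORoleOwner
    $pool = Split-RidPool -Value $mgr.rIDAvailablePool
    $usedPct = [math]::Round($pool.Low * 100 / $pool.High, 2)
    [pscustomobject]@{
        RidMasterNtdsSettings = $mgr.fSMORoleOwner
        TotalRids             = $pool.High
        NextPoolStart         = $pool.Low
        RemainingRids         = $pool.High - $pool.Low
        UsedPercent           = $usedPct
        CeilingReached        = ($usedPct -ge 90)   # 2012 stops issuing pools here
        Unlocked31Bit         = ($pool.High -gt [math]::Pow(2, 30))   # global space unlocked
    }
}

function Get-DcRidSetReport {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
        $set = Get-ADObject -Identity $comp.rIDSetReferences[0] `
            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
        $cur = Split-RidPool -Value $set.rIDPreviousAllocationPool   # pool in use now
        $next = Split-RidPool -Value $set.rIDAllocationPool          # pool used next
        # DNTs are never reused; a DC that exhausts them must be demoted and repromoted
        $dnt = (Get-ADRootDSE -Server $dc.HostName -Properties approximateHighestInternalObjectID).approximateHighestInternalObjectID
        [pscustomobject]@{
            DC          = $dc.HostName
            CurrentPool = "$($cur.Low)-$($cur.High)"
            NextRid     = $set.rIDNextRID
            # a DC requests a new pool from the RID Master once 50% of the current pool is used
            PoolUsedPct = [math]::Round(($set.rIDNextRID - $cur.Low) * 100 / ($cur.High - $cur.Low), 1)
            NextPool    = "$($next.Low)-$($next.High)"
            DntUsedPct  = [math]::Round($dnt * 100 / [math]::Pow(2, 31), 2)
        }
    }
}

Get-RidSpaceReport
Get-DcRidSetReport | Format-Table -AutoSize
```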
Demo… RID Master in action
Lots of other improvements
- Support for deferred index creation
- Off-premises domain join: supports DirectAccess clients
- Enhanced LDAP logging
- New LDAP behaviours
- Active Directory Based Activation (AD BA): automatic activation for Windows 8 and Windows Server 2012 machines; you still require KMS to support downlevel volume licensing
Lots of other improvements (continued)
- Group Managed Service Accounts (gMSA): gMSA accounts can run a service across multiple servers
- Services running under gMSA accounts are only supported on Windows 8 and Windows Server 2012
- PowerShell cmdlets for replication support
So what do we get?
- Better GUI support
- More robust deployment of DCs
- Simplified Active Directory upgrade path
- Virtualization safe
- Quick deployment via cloning
- Fast domain and forest recovery through cloning
- Cross-domain and forest constrained delegation
- Rich access control and auditing via Dynamic Access Control
- Recovery from depleted RID pools
- PowerShell everywhere…
TechEd 2013
I will be speaking at TechEd 2013: Precon: Windows Server DirectAccess; other breakouts
Consulting services on request
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd