Active Directory in Windows Server 2012, 2012 R2, and beyond MI K E K L INE MI CR O SO FT MVP – D I R E CTOR Y S E R VI CES MK L INE@GMAIL.COM O R MK L I NE@ OUTLO OK .CO M TechGate 2013 – September 21, 2013 Reston, VA WWW.ADISFUN.COM Agenda • A quick Look Back – where have we come from • Active Directory Features introduced in various versions • Improvements • Active Directory Features in Windows 2012 • Recycle Bin, Password Policies, and Powershell Integration via ADAC • Dynamic Access Control • Virtualization Aware Active Directory • Active Directory Features in Windows 2012 R2 and Beyond • Protected Users • Authentication Silos and Policies • BYOD A stroll down memory lane (what most enterprises are using today) Active Directory Features Introduced in Windows 2003 • Universal group membership caching • Drag and Drop Functionality • Global Catalog Partial Sync • Adding domain controllers using backup media • Application Directory partitions Active Directory Features Introduced in Windows Server 2008 • Read-Only Domain Controllers • Fine-Grained Password Policies (2008 Domain Functional Level) • DFSR replication of Sysvol • http://blogs.technet.com/b/askds/archive/2010/04/22/the-case-for-migratingsysvol-to-dfsr.aspx • Re-startable Active Directory Services • Auditing Improvements • DSRM Password Sync Active Directory Features Introduced in Windows 2008 R2 • Active Directory Recycle bin (Windows 2008 R2 Forest Functional Level) • Active Directory Administrative Center • Active Directory Best Practices Analyzer • Bridgehead Server Selection Improvements • Native Active Directory PowerShell cmdlets Why We Are Here Today What about Government Security Guidelines? Active Directory is Many Things These Days • Windows Active Directory (AD) • • • • • • • • • • • Microsoft’s Broad Goals with AD in 2012 Simplified Deployment of Active Directory • • • • Complete integration of environment preparation, role installation and DC promotion into a single UI DCs can be deployed rapidly to ease disaster recovery and workload balancing DCs can be deployed remotely on multiple machines from a single Windows 8 machine Consistent command-line experience through Windows PowerShell enables automation of deployment tasks Simplified Management of Active Directory • GUI that simplifies complex tasks such as recovering a deleted object or managing password policies • Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI • Active Directory Windows PowerShell support for managing replication and topology data Virtualization Improvements • All Active Directory features work equally well in physical, virtual or mixed environments Adding Windows 2012 DCs • Adding DCs prior to Windows 2012 contained many challenges: • Confusing • Prone to errors • Time Consuming • Not easy to script and no parity between GUI and command line • System Administrators had to deal with many challenges: • • • • obtain the correct (new) version of the ADprep tools interactively logon at specific per-domain DCs using a variety of different credentials run the preparation tool in the correct sequence with the correct switches wait for replication between each step Simplified Deployment • Adprep.exe integration into the AD DS installation process • Reduces the time required to install AD DS and reduces the chances for errors that might block domain controller promotion. • AD DS server role installation, which is built on Windows PowerShell and can be run remotely on multiple servers • Reduces the likelihood of administrative errors and the overall time that is required for installation, especially when you are deploying multiple domain controllers across global regions and domains • Prerequisite validation in the AD DS Configuration Wizard • Identifies potential errors before the installation begins. You can correct error conditions before they occur without the concerns that result from a partially complete upgrade. Simplified Deployment • Requirements • Windows Server 2012 • target forest must be Windows Server 2003 functional level or greater • introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges • subsequent DCs require only Domain Admin privileges within the target domain Goodbye DCPromo and Adprep is on Life Support DCPromo Continued Recycle Bin User Interface • Background • the Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery • scenarios requiring object recovery via the Recycle Bin are typically high-priority • recovery from accidental deletions, etc. resulting in failed logons / workstoppages • the absence of a rich, graphical interface complicated its usage and slowed recovery • there were third party tools that added a GUI but no native tool Recycle Bin User Interface • Requirements • Recycle Bin’s own requirements must first be satisfied, e.g. • Windows Server 2008 R2 forest functional level • Recycle Bin optional-feature must be switched on • Windows Server 2012 Active Directory Administrative Center • Objects requiring recovery must have been deleted within Deleted Object Lifetime (DOL) • defaults to 180 days Recycle Bin Not Enabled Majority of attributes deleted Live object Delete Tombstone object Offline authoritative restore Garbage collection Tombstone lifetime (180 days) X Purged from directory Recycle Bin Enabled All attributes retained Live object Delete Deleted object Deleted object lifetime (180 days) Online undelete Garbage collection Recycled object Garbage collection Tombstone lifetime (180 days) X Purged from directory Demo Fine-Grained Password Policy • the Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password-policies • in order to leverage the feature, administrators had to manually create password-settings objects (PSOs) • difficult to ensure that the manually defined policyvalues behaved as desired • time-consuming, trial and error administration Fine-Grained Password Policy • Creating, editing and assigning PSOs now managed through the Active Directory Administrative Center • Simplifies management of password-settings objects • Note: FGPP still only applies to user and groups. You can’t link or associate policies to OUs • Requirements • FGPP requirements must be met • Windows Server 2008 domain functional level • Windows Server 2012 Active Directory Administrative Center Demo ADAC PowerShell History Viewer • Background • Windows PowerShell is a key technology in creating a consistent experience between the command-line and the graphical user interface • Windows PowerShell increases productivity • but requires investment in learning how to use it ADAC PowerShell History Viewer • allow administrators to view the Windows PowerShell commands executed when using the Administrative Center, for example: • the administrator adds a user to a group • the UI displays the equivalent Active Directory Windows PowerShell command • Administrator’s can copy the resulting syntax and integrate it into their scripts • reduces learning-curve • increases confidence in scripting • further enhances Windows PowerShell discoverability • Requirements • Windows Server 2012 Active Directory Administrative Center • Windows 2012 domain controller not required PowerShell Conversion - Examples • DCPromo >> Install-ADDSDomain, Install-ADDSDomainController • DSGET-Computer >> Get-ADComputer • DSGET-Site >> Get-ADReplicationSite • DSADDD User >> New-ADUser • Repadmin /ShowUTDVec >> Get-ADReplicaionUpToDatenessVectorTable • http://blogs.technet.com/b/ashleymcglone/archive/2013/01/02/free -download-cmd-to-powershell-guide-for-ad.aspx Demo Installation Options • Background • In previous versions of Windows Server admins had to choose between the full GUI install and server core (Windows 2008+) • Windows 2012 allows admins to switch between options • Full GUI Server • Minimal Server Interface (aka MinShell) • does not include significant aspects of the Server Graphical Shell. It enables most local GUI management tasks without requiring the Server Graphical Shell or Internet Explorer to be installed. This reduces the security and servicing footprint of the server thereby increasing safety and uptime while expanding deployment scenarios. Virtualized Domain Controllers – two new capabilities • Domain controllers can be safely cloned to deploy additional capacity and save configuration time • Accidental restoration of domain controller snapshots does not disrupt your AD DS environment. Safe Virtualization • Common virtualization operations such as creating snapshots or copying VMs/VHDs can rollback the state of a virtual DC • Can cause issues leading to permanently divergent state causing: • USN Rollbacks • Lingering objects • schema mismatches if the Schema FSMO is rolled back • the potential also exists for security principals to be created with duplicate SIDs Virtual Domain Controller Safe Restore • Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory • When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different • the DC's unique Invocation ID is reset • domain controller also discards the now-duplicated local Relative Identifier (RID) pool • Since other domain controllers do not recognize the new Invocation ID, they conclude that they have not already seen these USNs and accept the updates • non-authoritatively restores the SYSVOL folder Hypervisor Support for Snapshots & Cloning Windows Server 2012 Standard Edition (Hyper-V) Windows Server 2012 Enterprise Edition (Hyper-V) Hyper-V Server 2012 (Hyper-V) Windows 8 Professional (Hyper-V) Windows 8 Enterprise (Hyper-V) VMware Workstation 9.0 & 10.0 VMware vSphere 5.0 with Update 4 VMware vSphere 5.1 & 5.5 Dynamic Access Control (DAC) • A new claims-based authorization platform that enhances, not replaces, the existing model, which includes: • new claims-based authorization platform that enhances, not replaces, existing model • user-claims and device-claims • user+device claims = compound identity • • • • use of file-classification information in authorization decisions New central access policies (CAP) model Use of file-classification information in authorization decisions modern authorization expressions, e.g. • evaluation of ANDed authorization conditions • leveraging classification and resource properties in ACLs • easier Access-Denied remediation experience • access- and audit-policies can be defined flexibly and simply Dynamic Access Control (DAC) • Requirements • One or more Windows Server 2012 domain controllers • Windows Server 2012 file server • Enable the claims-policy in the Default Domain Controllers Policy • Windows Server 2012 Active Directory Administrative Center • For device-claims, compound ID must be switched on at the target service account by using Group Policy or editing the object directly http://blogs.technet.com/b/askds/archive/2012/09/07/l et-the-bogging-begin.aspx This isn't your grandfather's authorization either. Dynamic Access Control or DAC as we’ll call it, requires planning, diligence, and an understanding of many dependencies, such as Active Directory, Kerberos, and effective access…there are many knobs you must turn to configure it….” “… Demo Protected Users • Added protection for Administrators and other privileged accounts • Add user to Protected User Group which will enable: • Only Kerberos Authentication • 4 Hour TGT Lifetime • Delegation not Allowed • Requires • Windows 8.1 (or Server 2012 R2 hosts) • Windows Server 2012 R2 Domain & DCs • Renew user tickets (TGTs) beyond initial 4 hour lifetime Protected Users • Requirements • User Accounts in the Protected Users groups are restricted to only using Kerberos (Required for Authentication Policies & Silos to be effective) • Limits • Protected Users cannot sign on if Kerberos is broken • Accounts in the group can’t: • Authenticate with NTLM • Use DES or RC4 in Kerberos pre-authentication • Renew user tickets (TGTs) beyond initial 4 hour lifetime Authentication Policies & Silos • Authentication Policies • Forest Based Active Directory Policies • Applies to accounts in Windows Server 2012 R2 Domains • Controls which hosts an account can sign-in to • Configuration of access control conditions for authentication • Authentication Policy Silos • Allows isolation of related accounts that have constrained scope Scenarios enabled by Active Directory BYOD Single Sign On (SSO) experience on Workplace Joined devices Join Windows and iOS devices to the Workplace SSO across browser and enterprise applications Enable users to work from anywhere, adhering to IT risk management strategy IT can conditionally grant access to company applications Workplace joined devices provide a seamless second factor authentication Conditions include user, device and strength of authentication Audit logs capture the user and device information IT/ISV can author enterprise apps that deliver native experiences on devices and are integrated with AD for SSO and conditional access Workplace Join Associates the device with a user Provides a seamless second factor authentication Enables a better end user experience with SSO Avoids risks involved in saving passwords with each application Avoids users having to repeatedly enter their credentials Enabled by device registration service in AD FS Sample Demo Environment Allow access from specific users, when accessing from devices they have workplace joined Active Directory Future Talks • Go in-depth into Windows 2012 features such as Dynamic Access Control. • Windows Azure Active Directory – WAAD/AAD • Deploying Active Directory on Windows Azure Virtual Machines • Other?? Please don’t forget your evaluations … www.adisfun.com Email: firstname.lastname@example.org QUESTIONS?