Transcript TechGate Sep 21 2013_FinaltoPost

Active Directory in Windows Server 2012,
2012 R2, and beyond
MI K E K L INE
MI CR O SO FT MVP – D I R E CTOR Y S E R VI CES
MK L [email protected] O R MK L I NE@ OUTLO OK .CO M
TechGate 2013 – September 21, 2013 Reston, VA
WWW.ADISFUN.COM
Agenda
• A quick Look Back – where have we come from
• Active Directory Features introduced in various versions
• Improvements
• Active Directory Features in Windows 2012
• Recycle Bin, Password Policies, and Powershell Integration via ADAC
• Dynamic Access Control
• Virtualization Aware Active Directory
• Active Directory Features in Windows 2012 R2 and Beyond
• Protected Users
• Authentication Silos and Policies
• BYOD
A stroll down memory lane (what most
enterprises are using today)
Active Directory Features Introduced in
Windows 2003
• Universal group membership caching
• Drag and Drop Functionality
• Global Catalog Partial Sync
• Adding domain controllers using backup media
• Application Directory partitions
Active Directory Features Introduced in
Windows Server 2008
• Read-Only Domain Controllers
• Fine-Grained Password Policies (2008 Domain Functional Level)
• DFSR replication of Sysvol
• http://blogs.technet.com/b/askds/archive/2010/04/22/the-case-for-migratingsysvol-to-dfsr.aspx
• Re-startable Active Directory Services
• Auditing Improvements
• DSRM Password Sync
Active Directory Features Introduced in
Windows 2008 R2
• Active Directory Recycle bin (Windows 2008 R2 Forest Functional
Level)
• Active Directory Administrative Center
• Active Directory Best Practices Analyzer
• Bridgehead Server Selection Improvements
• Native Active Directory PowerShell cmdlets
Why We Are Here Today
What about Government Security Guidelines?
Active Directory is Many Things These Days
• Windows Active Directory (AD)
•
•
•
•
•
•
•
•
•
•
•
Microsoft’s Broad Goals with AD in 2012
Simplified Deployment of Active Directory
•
•
•
•
Complete integration of environment preparation, role installation and DC promotion into a single UI
DCs can be deployed rapidly to ease disaster recovery and workload balancing
DCs can be deployed remotely on multiple machines from a single Windows 8 machine
Consistent command-line experience through Windows PowerShell enables automation of deployment tasks
Simplified Management of Active Directory
• GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
• Active Directory Windows PowerShell support for managing replication and topology data
Virtualization Improvements
• All Active Directory features work equally well in physical, virtual or mixed environments
Adding Windows 2012 DCs
• Adding DCs prior to Windows 2012 contained many challenges:
• Confusing
• Prone to errors
• Time Consuming
• Not easy to script and no parity between GUI and command line
• System Administrators had to deal with many challenges:
•
•
•
•
obtain the correct (new) version of the ADprep tools
interactively logon at specific per-domain DCs using a variety of different credentials
run the preparation tool in the correct sequence with the correct switches
wait for replication between each step
Simplified Deployment
• Adprep.exe integration into the AD DS installation process
• Reduces the time required to install AD DS and reduces the chances for errors
that might block domain controller promotion.
• AD DS server role installation, which is built on Windows PowerShell and can
be run remotely on multiple servers
• Reduces the likelihood of administrative errors and the overall time that is
required for installation, especially when you are deploying multiple domain
controllers across global regions and domains
• Prerequisite validation in the AD DS Configuration Wizard
• Identifies potential errors before the installation begins. You can correct error
conditions before they occur without the concerns that result from a partially
complete upgrade.
Simplified Deployment
• Requirements
• Windows Server 2012
• target forest must be Windows Server 2003 functional level or greater
• introducing the first Windows Server 2012 DC requires Enterprise Admin and
Schema Admin privileges
• subsequent DCs require only Domain Admin privileges within the target
domain
Goodbye DCPromo and Adprep is
on Life Support
DCPromo Continued
Recycle Bin User Interface
• Background
• the Recycle Bin feature introduced with Windows Server 2008 R2
provided an architecture permitting complete object recovery
• scenarios requiring object recovery via the Recycle Bin are typically
high-priority
• recovery from accidental deletions, etc. resulting in failed logons / workstoppages
• the absence of a rich, graphical interface complicated its usage and
slowed recovery
• there were third party tools that added a GUI but no native tool
Recycle Bin User Interface
• Requirements
• Recycle Bin’s own requirements must first be satisfied, e.g.
• Windows Server 2008 R2 forest functional level
• Recycle Bin optional-feature must be switched on
• Windows Server 2012 Active Directory Administrative Center
• Objects requiring recovery must have been deleted within Deleted
Object Lifetime (DOL)
• defaults to 180 days
Recycle Bin Not Enabled
Majority of attributes deleted
Live
object
Delete
Tombstone
object
Offline authoritative restore
Garbage
collection
Tombstone lifetime (180 days)
X
Purged from
directory
Recycle Bin Enabled
All attributes retained
Live
object
Delete
Deleted
object
Deleted object lifetime (180 days)
Online undelete
Garbage
collection
Recycled
object
Garbage
collection
Tombstone lifetime (180 days)
X
Purged from
directory
Demo
Fine-Grained Password Policy
• the Fine-Grained Password Policy capability introduced
with Windows Server 2008 provided more granular
management of password-policies
• in order to leverage the feature, administrators had to
manually create password-settings objects (PSOs)
• difficult to ensure that the manually defined policyvalues behaved as desired
• time-consuming, trial and error administration
Fine-Grained Password Policy
• Creating, editing and assigning PSOs now managed through the
Active Directory Administrative Center
• Simplifies management of password-settings objects
• Note: FGPP still only applies to user and groups. You can’t link or
associate policies to OUs
• Requirements
• FGPP requirements must be met
• Windows Server 2008 domain functional level
• Windows Server 2012 Active Directory Administrative Center
Demo
ADAC PowerShell History Viewer
• Background
• Windows PowerShell is a key technology in creating a consistent
experience between the command-line and the graphical user
interface
• Windows PowerShell increases productivity
• but requires investment in learning how to use it
ADAC PowerShell History Viewer
• allow administrators to view the Windows PowerShell commands executed when
using the Administrative Center, for example:
• the administrator adds a user to a group
• the UI displays the equivalent Active Directory Windows PowerShell command
• Administrator’s can copy the resulting syntax and integrate it into their scripts
• reduces learning-curve
• increases confidence in scripting
• further enhances Windows PowerShell discoverability
• Requirements
• Windows Server 2012 Active Directory Administrative Center
• Windows 2012 domain controller not required
PowerShell Conversion - Examples
• DCPromo >> Install-ADDSDomain, Install-ADDSDomainController
• DSGET-Computer >> Get-ADComputer
• DSGET-Site >> Get-ADReplicationSite
• DSADDD User >> New-ADUser
• Repadmin /ShowUTDVec >> Get-ADReplicaionUpToDatenessVectorTable
• http://blogs.technet.com/b/ashleymcglone/archive/2013/01/02/free
-download-cmd-to-powershell-guide-for-ad.aspx
Demo
Installation Options
• Background
• In previous versions of Windows Server admins had to choose
between the full GUI install and server core (Windows 2008+)
• Windows 2012 allows admins to switch between options
• Full GUI Server
• Minimal Server Interface (aka MinShell)
• does not include significant aspects of the Server Graphical Shell. It enables most local
GUI management tasks without requiring the Server Graphical Shell or Internet
Explorer to be installed. This reduces the security and servicing footprint of the server
thereby increasing safety and uptime while expanding deployment scenarios.
Virtualized Domain Controllers –
two new capabilities
• Domain controllers can be safely cloned to deploy additional capacity and save
configuration time
• Accidental restoration of domain controller snapshots does not disrupt your AD DS
environment.
Safe Virtualization
• Common virtualization operations such as creating snapshots or copying
VMs/VHDs can rollback the state of a virtual DC
• Can cause issues leading to permanently divergent state causing:
• USN Rollbacks
• Lingering objects
• schema mismatches if the Schema FSMO is rolled back
• the potential also exists for security principals to be created with duplicate
SIDs
Virtual Domain Controller Safe Restore
• Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and
protect Active Directory
• When the virtual machine boots up, the current value of the VM-Generation ID from
the virtual machine is compared against the value in the database. If the two values
are different
• the DC's unique Invocation ID is reset
• domain controller also discards the now-duplicated local Relative Identifier (RID)
pool
• Since other domain controllers do not recognize the new Invocation ID, they
conclude that they have not already seen these USNs and accept the updates
• non-authoritatively restores the SYSVOL folder
Hypervisor Support for Snapshots & Cloning
Windows Server 2012 Standard Edition (Hyper-V)
Windows Server 2012 Enterprise Edition (Hyper-V)
Hyper-V Server 2012 (Hyper-V)
Windows 8 Professional (Hyper-V)
Windows 8 Enterprise (Hyper-V)
VMware Workstation 9.0 & 10.0
VMware vSphere 5.0 with Update 4
VMware vSphere 5.1 & 5.5
Dynamic Access Control (DAC)
• A new claims-based authorization platform that enhances, not replaces, the existing model, which
includes:
• new claims-based authorization platform that enhances, not replaces, existing model
• user-claims and device-claims
• user+device claims = compound identity
•
•
•
•
use of file-classification information in authorization decisions
New central access policies (CAP) model
Use of file-classification information in authorization decisions
modern authorization expressions, e.g.
• evaluation of ANDed authorization conditions
• leveraging classification and resource properties in ACLs
• easier Access-Denied remediation experience
• access- and audit-policies can be defined flexibly and simply
Dynamic Access Control (DAC)
• Requirements
• One or more Windows Server 2012 domain controllers
• Windows Server 2012 file server
• Enable the claims-policy in the Default Domain Controllers Policy
• Windows Server 2012 Active Directory Administrative Center
• For device-claims, compound ID must be switched on at the target service account
by using Group Policy or editing the object directly
http://blogs.technet.com/b/askds/archive/2012/09/07/l
et-the-bogging-begin.aspx
This isn't your grandfather's authorization either.
Dynamic Access Control or DAC as we’ll call it, requires
planning, diligence, and an understanding of many
dependencies, such as Active Directory, Kerberos, and
effective access…there are many knobs you must turn to
configure it….”
“…
Demo
Protected Users
• Added protection for Administrators and other privileged accounts
• Add user to Protected User Group which will enable:
• Only Kerberos Authentication
• 4 Hour TGT Lifetime
• Delegation not Allowed
• Requires
• Windows 8.1 (or Server 2012 R2 hosts)
• Windows Server 2012 R2 Domain & DCs
• Renew user tickets (TGTs) beyond initial 4 hour lifetime
Protected Users
• Requirements
• User Accounts in the Protected Users groups are restricted to only using
Kerberos (Required for Authentication Policies & Silos to be effective)
• Limits
• Protected Users cannot sign on if Kerberos is broken
• Accounts in the group can’t:
• Authenticate with NTLM
• Use DES or RC4 in Kerberos pre-authentication
• Renew user tickets (TGTs) beyond initial 4 hour lifetime
Authentication Policies & Silos
• Authentication Policies
• Forest Based Active Directory Policies
• Applies to accounts in Windows Server 2012 R2 Domains
• Controls which hosts an account can sign-in to
• Configuration of access control conditions for authentication
• Authentication Policy Silos
• Allows isolation of related accounts that have constrained scope
Scenarios enabled by Active Directory BYOD
Single Sign On (SSO) experience on Workplace Joined devices
 Join Windows and iOS devices to the Workplace
 SSO across browser and enterprise applications
Enable users to work from anywhere, adhering to IT risk management strategy
IT can conditionally grant access to company applications
 Workplace joined devices provide a seamless second factor authentication
 Conditions include user, device and strength of authentication
 Audit logs capture the user and device information
IT/ISV can author enterprise apps that deliver native experiences on devices and are
integrated with AD for SSO and conditional access
Workplace Join
Associates the device with a user
 Provides a seamless second factor authentication
Enables a better end user experience with SSO
 Avoids risks involved in saving passwords with each application
 Avoids users having to repeatedly enter their credentials
Enabled by device registration service in AD FS
Sample Demo Environment
Allow access from
specific users, when
accessing from devices
they have workplace
joined
Active Directory
Future Talks
• Go in-depth into Windows 2012 features such as Dynamic Access
Control.
• Windows Azure Active Directory – WAAD/AAD
• Deploying Active Directory on Windows Azure Virtual Machines
• Other??
Please don’t forget your evaluations …
www.adisfun.com
Email: [email protected]
QUESTIONS?