Published: September 10th, 2012
Windows Server 2012: Identity and Access
Module 1: Active Directory Features and Improvements.
Module Manual Author: Andrew Warren, Content Master
Microsoft Virtual Academy Student Manual ii
Information in this document, including URLs and other Internet Web site references, are subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ® 2012 Microsoft Corporation. All rights reserved. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Module 1: Active Directory Features and Improvements (p. 4)
  Module Overview (p. 4)
Lesson 1: Deployment Improvements (p. 5)
  Improved Deployment Experience (p. 6)
    Integrated Preparation Steps (p. 6)
    Prerequisites Validated Before Starting Deployment (p. 6)
    Integrated with Server Manager, Remote-able, and Built on Windows PowerShell (p. 7)
    Configuration Wizard Aligns With Common Deployment Scenarios (p. 7)
  Enhanced Install-From-Media (p. 8)
  AD FS 2.1 Included As Server Role (p. 9)
Lesson 2: Virtualized AD DS (p. 10)
  Safe Virtualization of Domain Controllers (p. 11)
  Virtualized Domain Controller Cloning (p. 13)
Lesson 3: New Features and Enhancements (p. 15)
  RID Improvements (p. 16)
  Deferred Index Creation (p. 18)
  Off-Premises Domain-Join (p. 19)
  Connected Accounts (p. 20)
  Active Directory–Based Activation (p. 21)
  Group Managed Service Accounts (p. 22)
  AD DS Replication and Topology Cmdlets (p. 23)
Lesson 4: Management Improvements (p. 25)
  Active Directory Recycle Bin (p. 26)
  Fine-Grained Password Policy (p. 27)
  AD DS Windows PowerShell History Viewer (p. 28)
  Dynamic Access Control (p. 29)
  Group Policy Enhancements (p. 31)
  Kerberos Constrained Delegation (p. 32)
Further Reading and Resources (p. 34)
Module 1: Active Directory Features and Improvements
Module Overview
This module introduces each of the new features of Active Directory® Domain Services (AD DS). It
explains the problems that these features address and what is required for you to deploy and use
them. The module also explores AD DS deployment improvements, improvements to AD DS
virtualization, new features and enhancements to existing features, and improvements to AD DS
management.
Lesson 1: Deployment Improvements
This lesson introduces the improvements that Windows Server® 2012 brings to AD DS deployment.
Improved Deployment Experience
In earlier versions of Windows Server, the process that was used to create domain controllers could
be confusing for administrators. It was also possible for administrators to launch DCPromo.exe when
the server on which the command was launched did not meet the prerequisites for promotion.
In Windows Server 2012, the process you use to create domain controllers within your enterprise has
been improved. The following sections describe these improvements.
Integrated Preparation Steps
AD DS deployment in Windows Server 2012 integrates all of the required steps to deploy new
domain controllers into a single graphical interface. It requires only one enterprise-level credential,
and it can prepare the forest or domain by remotely targeting the appropriate operations master
roles. Note that the Adprep.exe process is integrated into the AD DS installation process; this
reduces the time that is required to install AD DS and reduces the chances for errors that might
block domain controller promotion.
Prerequisites Validated Before Starting Deployment
Prerequisite validation occurs in the AD DS Configuration Wizard. The wizard identifies potential
errors before the installation begins, and you can then correct error conditions before they occur
without the concerns that result from a partially completed upgrade.
Integrated with Server Manager, Remote-able, and Built on Windows PowerShell
The AD DS installation process is built on Windows PowerShell™ 3.0, is integrated with Server
Manager, can target multiple servers, and can remotely deploy domain controllers. This results in a
deployment experience that is simpler, more consistent, and less time-consuming. The installation
wizard creates a Windows PowerShell script that contains the options that were specified during the
graphical installation; this simplifies the deployment process by automating subsequent AD DS
installations through automatically generated Windows PowerShell scripts.
Note that you can complete the domain controller installation and promotion process entirely with
Windows PowerShell.
Configuration Wizard Aligns With Common Deployment Scenarios
The configuration pages in the wizard are grouped in a sequence that mirrors the requirements of the
most common promotion scenarios, with related options grouped in fewer wizard pages; this
provides better context, enabling you to make better domain controller installation choices, and
reduces the number of steps and the amount of time that is required to complete the domain
controller installation.
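The following script is an added example, not part of the manual or of Microsoft's documentation. It shows the two halves of the deployment flow described above: the prerequisite validation the wizard performs, run on its own first, and then the promotion itself, in the same shape as the script the wizard exports. The domain name contoso.com, the site name Branch1, the paths, and the check on a Status property of the validation result are assumptions for illustration.

```powershell
# Added example (not from the manual): scripted promotion of an additional
# domain controller, mirroring what the AD DS Configuration Wizard generates.
# Assumed values: domain contoso.com, site Branch1, paths under C:\Windows.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Prompt for the enterprise-level credential and the DSRM password rather than
# embedding either in a script that ends up in version control.
$cred = Get-Credential -Message 'Enterprise/Domain Admin credential for promotion'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 1. Prerequisite validation only (the same checks the wizard runs before it
#    starts). Nothing on the server or in the forest is changed by this call.
$check = Test-ADDSDomainControllerInstallation `
    -DomainName 'contoso.com' `
    -SiteName 'Branch1' `
    -InstallDns `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm

$check | Format-List Status, Message
# Assumption: a Status other than 'Success' means a blocking condition was found.
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the reported conditions before promoting.'
}

# 2. Promotion. The forest/domain preparation (the former Adprep.exe step) is
#    performed implicitly when it is needed, using the same credential.
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -SiteName 'Branch1' `
    -InstallDns `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -Force
```

Because the whole sequence is ordinary PowerShell, it can be wrapped in Invoke-Command -ComputerName against a freshly built server to deploy a domain controller remotely, which is the "remote-able" property the section refers to.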
Enhanced Install-From-Media
In earlier versions of Windows Server, when you wanted to promote a server to the domain controller
role, you could do so by using the install-from-media (IFM) option; this enables you to create
installation media from which you can promote the server. To create this installation media, you
must run the Ntdsutil.exe command-line tool.
However, as part of the media creation process, the Ntdsutil.exe command also performs an offline
defragmentation of the AD DS database. This defragmentation yields a smaller database file but can
take a long time to process.
In Windows Server 2012, you can choose not to perform the offline defragmentation pass, enabling
you to create the required media files more quickly. Bear in mind that the resulting IFM files may be
larger as a result of bypassing the defragmentation process, which could result in longer copying
times where slow links connect you to the target servers.
AD FS 2.1 Included As Server Role
Many large enterprise-level organizations want to be able to share information with other businesses
and/or consumers. For example, consider a business that wants to enable its customers to place
orders directly into its order processing system. Active Directory Federation Services (AD FS) allows
your organization to successfully implement this scenario by enabling the necessary claims and
trusts to facilitate it.
In earlier versions of Windows Server, you had to download AD FS as a separate component from the
Microsoft Download website; this is no longer necessary, because AD FS 2.1 is included as a server
role in Windows Server 2012. You can install the role from within Server Manager without needing to
download it; this streamlines the process of deploying AD FS.
Lesson 2: Virtualized AD DS
Organizations are increasingly looking to virtualize workloads to optimize their IT infrastructure; this
move to a virtualized environment encompasses domain controllers. Virtualization of AD DS
environments has been ongoing for a number of years. Beginning with Windows Server 2012, AD DS
provides greater support for virtualizing domain controllers by introducing virtualization-safe
capabilities and enabling rapid deployment of virtual domain controllers through cloning. These new
virtualization features provide greater support for public and private clouds, hybrid environments
where portions of AD DS exist on-premises and in the cloud, and AD DS infrastructures that reside
completely on-premises.
Safe Virtualization of Domain Controllers
AD DS replication uses a monotonically increasing value that is assigned to transactions on each
domain controller; this is known as an update sequence number (USN). Each domain controller’s
database instance is also given an identity, known as an InvocationID. The InvocationID of a domain
controller and its USN together serve as a unique identifier that is associated with every write
transaction that is performed and must be unique within the forest. AD DS replication uses
InvocationID and USNs to determine what changes need to be replicated to other domain controllers.
However, if an administrator applies a snapshot that rolls a domain controller back to an earlier point
in time, a USN on that domain controller could be reused for an entirely different transaction; this may
result in replication failing to converge, because other domain controllers will believe they have
already received the updates that are associated with the re-used USN.
In Windows Server 2012, AD DS relies on the hypervisor platform to expose an identifier called VM
Generation ID to detect whether a virtual machine (VM) has been rolled back in time. The design
uses a hypervisor-agnostic mechanism for reading the VM Generation ID from inside the VM.
Before completing any transaction, AD DS first reads the value of this identifier and compares it with
the last value that is stored in the directory. A mismatch is interpreted as a ‘rollback,’ and the
domain controller employs AD DS safeguards that are new to Windows Server, which consist of
resetting the InvocationID and discarding the relative identifier (RID) pool. From this point forward,
all transactions are associated with the domain controller’s new InvocationID. Other domain
controllers do not recognize the new InvocationID, so they will conclude that they have not already
seen these USNs and will accept the updates that are identified by the new InvocationID and USNs,
allowing the directory to converge.
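The following simulation is an added example, not part of the manual and not AD DS code: it models a replication partner's up-to-dateness vector (highest USN already seen per InvocationID) and walks through the snapshot scenario above twice, once with the pre-2012 behaviour and once with the VM Generation ID check and InvocationID reset. The hashtables, the Receive-Update function and the generation-ID values are constructed for illustration; no directory is touched.

```powershell
# Added example (not from the manual): why a reused USN is silently dropped by
# replication partners, and why resetting the InvocationID after a detected
# rollback lets the directory converge. Pure simulation, no AD calls.

# A partner's up-to-dateness vector: highest USN already seen per InvocationID.
$partnerUtd = @{}

function Receive-Update {
    param([hashtable]$Utd, [guid]$InvocationId, [long]$Usn, [string]$Change)
    $key = $InvocationId.ToString()
    if ($Utd.ContainsKey($key) -and $Utd[$key] -ge $Usn) {
        return "DROPPED  usn=$Usn from $key ($Change) - partner believes it already has it"
    }
    $Utd[$key] = $Usn
    return "APPLIED  usn=$Usn from $key ($Change)"
}

# Source DC state (constructed).
$dc = @{ InvocationId = [guid]::NewGuid(); Usn = 1000; VmGenerationId = 1; LastSeenGenId = 1 }

# Normal operation: USN 1001 replicates out.
$dc.Usn++
Receive-Update $partnerUtd $dc.InvocationId $dc.Usn 'create user alice'

# A snapshot is applied: the VM reverts to USN 1000, but the hypervisor hands
# the guest a new VM Generation ID.
$dc.Usn = 1000
$dc.VmGenerationId = 2

# Pre-2012 behaviour: the DC notices nothing and reuses USN 1001 for a different
# write. The partner's vector already lists 1001 for this InvocationID, so the
# change never leaves the rolled-back DC.
$dc.Usn++
Receive-Update $partnerUtd $dc.InvocationId $dc.Usn 'create user bob (pre-2012: lost)'

# Windows Server 2012 behaviour: before committing, compare the VM Generation ID
# with the value stored in the directory; on mismatch, treat it as a rollback
# and reset the InvocationID (the RID pool is also discarded; not modelled).
if ($dc.VmGenerationId -ne $dc.LastSeenGenId) {
    $dc.InvocationId  = [guid]::NewGuid()
    $dc.LastSeenGenId = $dc.VmGenerationId
}
# The same USN under a new InvocationID is unknown to the partner: applied.
Receive-Update $partnerUtd $dc.InvocationId $dc.Usn 'create user bob (2012: new InvocationID)'
```

The rollback protection only helps when the hypervisor supplies a VM Generation ID; on a platform that does not, restoring a snapshot of a domain controller still produces the USN-rollback condition of the first case.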
Virtualized Domain Controller Cloning
Virtualized domain controller cloning enables you to create a clone of a virtualized domain controller.
With virtualized domain controller cloning, you can now promote a single virtual domain controller
per domain and rapidly deploy all additional replica virtual domain controllers through cloning. You
no longer have to repeatedly deploy a sysprepped server image, promote the server to a domain
controller, and then complete additional configuration requirements for every replica domain
controller.
Requirements
To implement domain controller cloning, you must meet the following requirements:
• Your Windows Server 2012 virtual domain controllers must be hosted on hypervisor platforms
  that are aware of the VM Generation ID.
• The primary domain controller single operations master role must be running Windows Server
  2012 to authorize the cloning operation.
• The source domain controller that you clone must be authorized for cloning.
• The DCCloneConfig.XML file must be present on the cloned domain controller in one of the
  following locations:
  o The directory containing the NTDS.DIT
  o The default DIT directory (%windir%\NTDS)
  o On removable media, such as a virtual floppy, USB storage device, or similar
Note that commonplace Windows Server 2012 services that are co-located with domain controllers
are supported, for example: Domain Name System (DNS), File Replication Service (FRS), and
Distributed File System Replication (DFS-R).
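As an added example (not from the manual), the steps below prepare a source virtual domain controller so that it satisfies the requirements listed above: authorizing it for cloning, reviewing services that are not known to be clone-safe, and writing DCCloneConfig.xml next to NTDS.DIT. The names VDC1 and VDC2, the site Branch1 and the IPv4 addresses are assumptions.

```powershell
# Added example (not from the manual): prepare a source virtual DC for cloning.
# Run on the source DC. Assumed values: source DC VDC1, clone VDC2, site
# Branch1, static IPv4 addressing on 10.10.1.0/24.

# 1. Authorize the source DC: the PDC emulator only issues a new identity to a
#    clone whose source is a member of this well-known group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity 'VDC1')

# 2. List installed services and applications that are not on the clone-safe
#    list. Review each one; only after confirming it tolerates cloning should it
#    be added to the allow list with -GenerateXml (writes CustomDCCloneAllowList.xml).
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type -AutoSize
    # Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 3. Write DCCloneConfig.xml into the directory that holds NTDS.DIT. The cmdlet
#    re-runs the prerequisite checks (group membership, excluded applications,
#    PDC emulator operating system) before writing the file.
New-ADDCCloneConfigFile `
    -CloneComputerName 'VDC2' `
    -SiteName 'Branch1' `
    -Static `
    -IPv4Address '10.10.1.12' `
    -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.10.1.1' `
    -IPv4DNSResolver '10.10.1.11'

# 4. Shut the source DC down cleanly, export or copy its virtual disk, build the
#    new VM from that copy and start it. At first boot the guest sees a new VM
#    Generation ID together with DCCloneConfig.xml and performs clone promotion
#    instead of starting as a duplicate of VDC1.
Stop-Computer -Force
```

Membership of Cloneable Domain Controllers is a standing authorization to mint new domain controllers from a disk copy, so it should be removed from the source once the clones exist and the group should be monitored like the other privileged groups in the domain.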
Lesson 3: New Features and Enhancements
This lesson explores some of the additional changes made to AD DS in Windows Server 2012,
including the ability to domain-join computers that are not connected to the corporate network,
support for connected accounts, and various other AD DS enhancements.
RID Improvements
The AD DS RID is used to uniquely identify objects in the distributed AD DS database. Each domain
controller holds a pool of RIDs and uses these to identify newly created objects, such as users,
groups, and computers. The process of generating unique RIDs is a single-master operation. One
domain controller is assigned the role of RID master, and it allocates a sequence of RIDs to each
domain controller in the domain. When a new domain account or group is created in one domain
controller's replica of Active Directory, it is assigned a security identifier (SID). The RID for the new
SID is taken from the domain controller's allocation of RIDs. When its supply of RIDs begins to run
low, the domain controller requests another block from the RID master.
In earlier versions of Windows Server, it was possible for the RID pool to become depleted due to
leakage. For example, if an administrator attempted to create a new account, but the account
creation failed due to the account properties not meeting the required AD DS security policy
requirements, the RID was already allocated, but was unused; the RID had leaked. In Windows
Server 2012, the domain controller maintains an in-memory container of reusable RIDs; this list of
reusable RIDs is used first, thereby reducing RID leakage.
Windows Server 2012 also identifies when the RID pool is invalidated by creating an entry in the
event log. The RID pool can become invalidated by performing an AD DS database restoration. AD
DS in Windows Server 2012 also imposes a maximum cap on the RID block size. Previously, you
could configure this value on the RID single operations master role holder by editing the registry and
the upper limit was unbounded; in Windows Server 2012, the upper limit is 15,000.
As RIDs are consumed, Windows Server 2012 produces periodic warnings and logs these to the
system log. The first such warning occurs when there is ten percent of remaining global space. These
events become more frequent as the global space is depleted further.
Finally, a soft ceiling of ninety percent of the global RID space is set in AD DS in Windows Server
2012. Reaching this value triggers an event. The administrator can override this ‘ceiling’ by resetting
the msDS-RIDPoolAllocationEnabled attribute on the RID single operations master role holder.
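The function below is an added example (not from the manual) of how an administrator can measure the consumption of the global RID space that the warnings above are based on, and read the allocation switch, directly from the RID Manager$ object on the RID master. The split of rIDAvailablePool into a 32-bit ceiling and a 32-bit next-available value is the documented layout of that attribute; the function name and output shape are assumptions.

```powershell
# Added example (not from the manual): report global RID space consumption and
# the allocation switch from the RID Manager$ object. Assumes an account that
# can read CN=RID Manager$,CN=System in the domain.
function Get-RidPoolStatus {
    param([string]$Server = (Get-ADDomain).RIDMaster)

    $domainDn = (Get-ADDomain).DistinguishedName
    $ridMgr = Get-ADObject -Server $Server `
        -Identity "CN=RID Manager$,CN=System,$domainDn" `
        -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'

    # rIDAvailablePool is a 64-bit value: the high 32 bits hold the highest RID
    # the domain may ever issue, the low 32 bits the next RID that will be
    # handed out in a block to a domain controller.
    $pool    = [uint64]$ridMgr.rIDAvailablePool
    $ceiling = [uint32]($pool -shr 32)
    $next    = [uint32]($pool -band 0xFFFFFFFF)

    [pscustomobject]@{
        RidMaster         = $Server
        GlobalRidCeiling  = $ceiling
        NextRidToIssue    = $next
        PercentUsed       = [math]::Round(($next / $ceiling) * 100, 2)
        # $false once the ninety percent soft ceiling has been reached and
        # allocation has been halted; set it back to $true only after
        # investigating what consumed the space.
        AllocationEnabled = $ridMgr.'msDS-RIDPoolAllocationEnabled'
    }
}

Get-RidPoolStatus
```

A PercentUsed figure that climbs quickly between two runs, with no matching volume of account creation, is the signature of RID leakage or of a script creating and failing objects in a loop, and is worth investigating before the soft ceiling halts allocation domain-wide.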
Deferred Index Creation
Indexing attributes on AD DS objects enables those attributes to be searched faster. However,
maintaining the indexes for these attributes can impose a load on the domain controllers in your
enterprise.
In Windows Server 2012, you can set the DSHeuristic value that controls index creation, effectively
deferring it until the domain controller is either restarted or receives an UpdateSchemaNow rootDSE
modification.
Any attribute that is in a deferred-index state is logged in the event log every day:
• 2944: Index deferred—logged once
• 2945: Index still pending—logged every 24 hours
• 1137: Index created—logged once (not a new event)
Off-Premises Domain-Join
In the past, the computers that you wanted to join to your organization’s domain had to be
connected to the organization’s network. AD DS in Windows Server 2012 enables you to domain-join
computers that are off-premises. For example, you can connect a user’s home-based laptop to your
organization’s domain without the user needing to bring the computer into the office; this is achieved
by using DirectAccess technology.
Connected Accounts
AD DS in Windows Server 2012 supports the ability to link users’ accounts with their Microsoft
accounts, enabling Windows® 8 features and apps to take advantage of specific online capabilities.
In addition, certain aspects of a user’s profile can be roamed between computers that share the
same Microsoft account.
When you think about implementing this capability, consider the following points:
• Microsoft account logon to Windows with a connected Active Directory user account is not
  supported.
• Server SKUs do not support connected accounts.
• The administrator must associate the Microsoft account with the target account.
• The connected local user will appear in Local Users and Groups.
Active Directory–Based Activation
In current networks, volume licensing is usually managed by using Key Management Service (KMS)
servers. KMS has a number of disadvantages: it uses remote procedure calls (RPCs), it does not
support any form of authentication, and it does not provide a graphical console.
AD DS in Windows Server 2012 can provide the necessary volume activation without the requirement
for KMS, although you can configure coexistence with KMS to support volume activations for earlier
versions of Windows client operating systems.
The advantages of using Active Directory–based activation are:
• You do not require additional server hardware to provide for activation services.
• It eliminates the requirement for RPCs by using Lightweight Directory Access Protocol (LDAP)
  exclusively.
• It supports read-only domain controllers.
When you think about using Active Directory–based activation, consider that only Windows 8 and
Windows Server 2012 computers can activate using this service. For earlier client and server
operating systems, you must use KMS.
Group Managed Service Accounts
Standalone Managed Service Accounts, introduced with Windows Server 2008 R2 and Windows 7,
are managed domain accounts that provide automatic password management and simplified service
principal name (SPN) management, including delegation of management to other administrators.
The group Managed Service Account provides the same function within the domain but also extends
that functionality over multiple servers. When connecting to a service hosted on a server farm, such
as a Network Load Balancing cluster, the authentication protocols that support mutual authentication
require that all instances of the service use the same principal. When group Managed Service
Accounts (gMSAs) are used as service principals, the Windows operating system manages the
password for the account instead of relying on the administrator to manage the password.
You can only configure and administer gMSAs on computers running Windows Server 2012, but you
can deploy them as a single service identity solution in domains that still have some domain
controllers running operating systems earlier than Windows Server 2012. There are no domain or
forest functional level requirements.
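The commands below are an added example (not from the manual) of creating a gMSA for a web farm and installing it on a farm member, which is the multi-server scenario described above. The account name gmsa-web, the group WebFarmServers and the host name web.contoso.com are assumptions.

```powershell
# Added example (not from the manual): a gMSA shared by every member of a web
# farm. Assumed values: domain contoso.com, security group WebFarmServers,
# farm name web.contoso.com.

# One-time per forest: the KDS root key from which managed passwords are
# derived. With -EffectiveImmediately the key is usable after the 10-hour
# window that guarantees every DC has replicated it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Create the account. Only computers in WebFarmServers may retrieve the managed
# password, and the SPNs are registered once, on the shared principal, so
# mutual authentication works whichever farm member answers the request.
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'gmsa-web.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarmServers' `
    -ServicePrincipalNames 'HTTP/web.contoso.com', 'HTTP/web' `
    -ManagedPasswordIntervalInDays 30

# On each farm member (after it has been added to WebFarmServers and rebooted
# so that its Kerberos ticket carries the new group membership):
Install-ADServiceAccount -Identity 'gmsa-web'
Test-ADServiceAccount -Identity 'gmsa-web'   # True when this host can fetch the password

# Audit view: who can retrieve the password, and how often it rotates.
Get-ADServiceAccount -Identity 'gmsa-web' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays
```

The service is then configured to log on as CONTOSO\gmsa-web$ with an empty password field; the password is fetched from AD DS by the host and is never known to an administrator, which is the property that removes the shared service password from the list of things that can be leaked or left unrotated.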
AD DS Replication and Topology Cmdlets
Windows PowerShell for Active Directory in Windows Server 2012 includes support for replication and
topology management. It includes the ability to manage replication, sites, domains and forests,
domain controllers, and partitions.
These cmdlets provide functionality similar to that previously available only in Active Directory
Sites and Services and Repadmin.exe. In addition, the cmdlets are compatible with the existing
Windows PowerShell for Active Directory cmdlets, thereby creating a streamlined experience and
enabling you to easily create automation scripts.
For example, to get a list of all AD DS sites, use the following code example.
    Get-ADReplicationSite -Filter *
To create a new site, use the following code example.
    New-ADReplicationSite BRANCH1
To create a new site link, use the following code example.
    New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}
You can use these cmdlets, and others, to perform all AD DS replication and topology maintenance
that you previously performed in the graphical console.
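Beyond the site and site-link examples above, the replication cmdlets cover the health checks that administrators used to run with Repadmin.exe. The function below is an added example (not from the manual) that sweeps every domain controller in the forest for partner metadata and replication failures and then shows the up-to-dateness vector of the PDC emulator; the function name, the one-hour threshold and the output columns are assumptions.

```powershell
# Added example (not from the manual): replication health sweep with the
# Windows Server 2012 replication cmdlets. Repadmin.exe equivalents are noted.
# Assumes an account allowed to read replication metadata on every DC.
function Get-ReplicationHealth {
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        # repadmin /showrepl: per-partner, per-partition last attempt and result.
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
        # repadmin /showrepl /errorsonly: outstanding failures with their error codes.
        $failures = Get-ADReplicationFailure -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
        foreach ($p in $partners) {
            [pscustomobject]@{
                Server                 = $dc.HostName
                Partner                = $p.Partner
                Partition              = $p.Partition
                LastReplicationSuccess = $p.LastReplicationSuccess
                LastReplicationResult  = $p.LastReplicationResult      # 0 = success
                ConsecutiveFailures    = $p.ConsecutiveReplicationFailures
                OpenFailures           = @($failures | Where-Object { $_.Partner -eq $p.Partner }).Count
            }
        }
    }
}

# Surface anything that last replicated successfully more than an hour ago or
# whose last attempt returned a non-zero result.
Get-ReplicationHealth |
    Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1) } |
    Format-Table -AutoSize

# repadmin /showutdvec: one row per InvocationID the PDC emulator knows about.
# A rolled-back virtual DC that reset its InvocationID appears here twice, once
# under the old ID (frozen) and once under the new one (advancing).
Get-ADReplicationUpToDatenessVectorTable -Target (Get-ADDomain).PDCEmulator -Scope Server |
    Format-Table Partner, PartnerInvocationId, UsnFilter, LastReplicationSuccess -AutoSize
```

Scheduled as a daily task with its output kept, this sweep gives a baseline against which a partner that suddenly stops converging, or an InvocationID that was never seen before, stands out.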
Lesson 4: Management Improvements
AD DS in Windows Server 2012 provides a number of management improvements. This lesson
explores these improvements.
Active Directory Recycle Bin
The Active Directory Administrative Center has been enhanced to support graphical management of
the Active Directory Recycle Bin. Prior to Windows Server 2012, using the Active Directory Recycle
Bin meant you were required to use the Active Directory Service Interface (ADSI) Edit tool, which
was cumbersome and non-intuitive.
Fine-Grained Password Policy
The Active Directory Administrative Center has also been modified to support the creation and
management of fine-grained password policies. Again, in earlier versions of Windows Server, you
must use ADSI Edit to manage these fine-grained password policies.
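The Active Directory Administrative Center now fronts both of these features, and the PowerShell it issues is the same that an administrator can script. The block below is an added example (not from the manual) covering both sections: enabling the Recycle Bin and restoring a deleted user, then creating a fine-grained password policy for a privileged group and verifying which policy a member actually receives. The forest name contoso.com, the user alice, the group "Tier0 Admins" and the policy values are assumptions.

```powershell
# Added example (not from the manual): Recycle Bin and fine-grained password
# policy from PowerShell. Assumed values: forest contoso.com, user alice,
# group "Tier0 Admins", policy name Tier0-PSO.

# Enabling the Recycle Bin is irreversible and needs the Windows Server 2008 R2
# forest functional level or higher; do it once, deliberately.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

# Find a deleted user by its former name and restore it. With the Recycle Bin
# enabled, attributes and group memberships come back intact, which a
# tombstone reanimation could not guarantee.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'alice*' } `
    -IncludeDeletedObjects -Properties lastKnownParent
$deleted | Restore-ADObject

# A stricter password policy that applies only to Tier0 Admins; the lower the
# Precedence value, the higher the priority when several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name 'Tier0-PSO' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -MaxPasswordAge '60.00:00:00' -MinPasswordAge '1.00:00:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Tier0-PSO' -Subjects 'Tier0 Admins'

# Verify the policy that actually wins for one member of that group.
Get-ADUserResultantPasswordPolicy -Identity 'alice'
```

The resultant-policy check is the step worth keeping in a review script: a PSO that is created but attached to the wrong group, or outranked by another PSO with a lower Precedence value, silently leaves privileged accounts on the domain default policy.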
AD DS Windows PowerShell History Viewer
As part of Microsoft’s commitment to the Windows PowerShell platform, the Active Directory
Administrative Center now provides a conveniently accessible Windows PowerShell History Viewer.
The Windows PowerShell History Viewer displays Windows PowerShell commands when a task is
performed through the UI.
There are many Windows PowerShell cmdlets for AD DS, but one of the challenges for AD DS
administrators is that there is a relatively steep learning curve around Windows PowerShell for AD DS.
Even after learning them, it is hard to remember all of the cmdlets and their parameters.
In Windows Server 2012, as you execute actions in the UI, the equivalent Windows PowerShell for
Active Directory command is shown to the user in the Windows PowerShell History Viewer. These
commands in turn can be copied and reused in your scripts. This improvement reduces the time to
learn Windows PowerShell for Active Directory. It may also increase your users’ confidence in the
correctness of their automation scripts.
Dynamic Access Control
Dynamic Access Control enables you to create and manage central access and audit policies in AD DS,
which you can then manage through the Active Directory Administrative Center. These policies are
based on conditional expressions that take into account who the user is, what device they are using,
and what data they are accessing. You can then translate business requirements to efficient policy
enforcement and considerably reduce the number of security groups needed for access control.
To help organizations reach data compliance, Microsoft has focused on the following areas:
• Identify the information that needs to be managed to meet business and compliance
  requirements.
• Apply appropriate access policies to information.
• Audit access to information.
• Encrypt information.
These focus areas were then translated to a set of Windows capabilities that enable data compliance
in partner and Windows-based solutions.
Dynamic Access Control integrates claims into Windows authentication (Kerberos) so that users and
devices can be described not only by the security groups they belong to, but also by claims such as
“User is from the Finance department” and “User’s security clearance is High.”
The file classification infrastructure in Windows Server 2012 has been integrated with Dynamic
Access Control to enable business owners and users to identify (tag) their data so that IT
administrators can target policies based on this tagging. This ability works in parallel with the ability
of the file classification infrastructure to automatically classify files based on content or any other
characteristics.
Dynamic Access Control also integrates with Rights Management Services to automatically protect
(encrypt) sensitive information on servers so that even when the information leaves the server, it is
still protected.
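As an added example (not from the manual), the commands below build the "User is from the Finance department" claim described above and use it in a central access rule and policy, using the ActiveDirectory module instead of the Administrative Center. The claim ID, the rule and policy names, and in particular the conditional-ACE SDDL string are illustrative assumptions; in practice, build the rule in the Administrative Center's editor and copy the resulting PowerShell from the History Viewer.

```powershell
# Added example (not from the manual): a user claim, a central access rule that
# tests it, and a policy that carries the rule. Assumed: domain contoso.com,
# the built-in Department_MS resource property, and an illustrative SDDL string.

# 1. A user claim sourced from the 'department' attribute of user objects.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -Enabled $true

# 2. Make the Department resource property available for classifying files.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# 3. A central access rule: targets files classified Department=Finance and
#    grants full access only when the user's Department claim is also Finance.
#    The SDDL below is an assumption for illustration; generate the real one
#    with the Administrative Center and copy it from the History Viewer.
New-ADCentralAccessRule -Name 'Finance data - Finance users only' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl 'O:SYG:SYD:AR(XA;;FA;;;AU;(@USER.ad://ext/Department == "Finance"))'

# 4. A policy that carries the rule. The policy is then delivered to file
#    servers through Group Policy and applied to the relevant shares.
New-ADCentralAccessPolicy -Name 'Finance Data Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Data Policy' `
    -Members 'Finance data - Finance users only'

# Review: list the rules and the claim types that are currently in force.
Get-ADCentralAccessRule -Filter * | Select-Object Name, ResourceCondition, CurrentAcl
Get-ADClaimType -Filter * | Select-Object DisplayName, SourceAttribute, Enabled
```

Two operational caveats follow from the design: domain controllers must be configured (through Group Policy) to issue claims in Kerberos tickets before any of this takes effect, and because the claim is sourced from a writable attribute, whoever can edit a user's department attribute can change that user's data access, so that attribute should be treated as access-control data in delegation and auditing.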
Group Policy Enhancements
The Group Policy Management Console includes new capabilities that enable you to more easily track
SYSVOL replication as it relates to Group Policy and force Group Policy updates from a central
location.
In earlier versions of Windows Server, if you changed Group Policy settings, those settings had to be
applied to the computer or user accounts in the appropriate organizational units (OUs). For computer
policy settings, the client computer had to restart to refresh the Group Policy, or the command
gpupdate /force had to be run on the client locally to refresh the settings.
In Windows Server 2012, you can do that directly from the Group Policy Management Console. By
right-clicking an OU and selecting Group Policy Update, all computer accounts inside the scope of the
OU will be updated at once. If an error occurs, a log file will be created automatically.
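The Group Policy Update action is also available to scripts. The block below is an added example (not from the manual) that refreshes every enabled computer in an OU from a management workstation and keeps a per-computer result, which is the kind of record the console's automatically created log file provides; the OU distinguished name is an assumption.

```powershell
# Added example (not from the manual): force a Group Policy refresh on every
# computer in an OU, as the GPMC 'Group Policy Update' action does, recording
# the outcome per computer. Assumed OU distinguished name.
Import-Module GroupPolicy
$ou = 'OU=Branch1 Workstations,DC=contoso,DC=com'

$results = foreach ($c in Get-ADComputer -SearchBase $ou -Filter { Enabled -eq $true }) {
    try {
        # Schedules gpupdate /force on the remote host; a random delay of zero
        # minutes runs it immediately rather than staggering it.
        Invoke-GPUpdate -Computer $c.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $c.Name; Result = 'Scheduled' }
    } catch {
        # Typical causes: host offline, or the remote scheduled-task firewall
        # rules that the GPMC action also depends on are not open.
        [pscustomobject]@{ Computer = $c.Name; Result = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

The same firewall rules that the console needs for remote Group Policy update apply here; an unreachable computer shows up in the Result column instead of failing the whole run.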
Kerberos Constrained Delegation
Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003. KCD permits a
service’s account (front-end) to act on behalf of users in multi-tier applications for a limited set
of back-end services. For example:
• A user accesses a web site as user1.
• The user requests information from the web site (front-end) that requires the web server to
  query a Microsoft® SQL Server® database (back-end).
• Access to this data is authorized according to who accessed the front-end.
In this case, the web service must impersonate user1 when making the request to SQL Server.
To enable all this, you must configure, on the front-end service account, the back-end services (by
SPN) to which it is allowed to delegate when impersonating users. In addition, setup and
administration require domain admin privileges. Finally, KCD delegation only works for back-end
services in the same domain as the front-end service accounts.
In Windows Server 2012, KCD moves the authorization decision to the resource owners. This permits
the back-end to authorize which front-end service accounts can impersonate users against their
resources. It supports cross-domain, cross-forest scenarios, no longer requires domain admin
privileges for setup and administration, and requires only administrative permission to the back-end
service account.
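The commands below are an added example (not from the manual) that puts the two models side by side: the classic configuration written on the front-end account, and the Windows Server 2012 resource-based configuration written on the back-end account, followed by a query that lists computers carrying either form so the delegation surface can be reviewed. The names WEB01 and SQL01 and the SPN are assumptions.

```powershell
# Added example (not from the manual): classic KCD versus resource-based KCD.
# Assumed names: front-end web server WEB01, back-end SQL server SQL01.

# Classic (Windows Server 2003 onwards): the FRONT-END account lists the
# back-end SPNs it may delegate to. Needs Domain Admin rights to write and only
# works when the back-end is in the same domain.
Set-ADComputer -Identity 'WEB01' `
    -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.contoso.com:1433' }

# Resource-based (Windows Server 2012): the BACK-END owner declares which
# front-end principals may impersonate users to it. Write access to SQL01's
# account is sufficient, and WEB01 may be in another domain or forest.
$frontEnd = Get-ADComputer -Identity 'WEB01'
Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount $frontEnd

# Review: every computer that either may delegate somewhere (classic) or has
# granted someone the right to impersonate users to it (resource-based).
# Run the same query with Get-ADUser and Get-ADServiceAccount for service
# accounts that are not computer objects.
Get-ADComputer -Filter { (msDS-AllowedToDelegateTo -like '*') -or (msDS-AllowedToActOnBehalfOfOtherIdentity -like '*') } `
    -Properties 'msDS-AllowedToDelegateTo', PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, 'msDS-AllowedToDelegateTo', PrincipalsAllowedToDelegateToAccount
```

Because the resource-based form is set by whoever can write the back-end's account, the review query belongs in regular privileged-access audits alongside the membership of the administrative groups: an unexpected principal in PrincipalsAllowedToDelegateToAccount means that principal can obtain tickets to that service as any user.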
Further Reading and Resources
For further information about the topics covered in this session, see the following resources:
What’s New in Active Directory Domain Services
http://technet.microsoft.com/en-us/library/hh831477.aspx#BKMK_actdir_adba
Windows Server Blogs
http://blogs.technet.com/b/windowsserver
Windows Server 2012 Home Page and Product Download
http://www.microsoft.com/en-us/server-cloud/windows-server/2012-default.aspx