![Page 1: Discover what´s new in Windows 8 Active Directory](https://reader035.vdocuments.us/reader035/viewer/2022062616/54962710b47959666f8b478c/html5/thumbnails/1.jpg)
Active Directory in Windows Server 8
Paul Loonen, Architect, CTO Office, Avanade France & Belgium
Windows Server 8 AD DS
Two themes:
• Easier to Deploy and Manage AD DS
• Dynamic Access Control

Disclaimer: everything in this talk is based on the Developer Preview released for //Build
EASIER TO DEPLOY AND MANAGE AD DS
Easier to Deploy & Manage AD – Broad Goals

Virtualization That Just Works
• Active Directory works equally well in physical, virtual or mixed environments

Simplified Deployment of Active Directory
• Complete integration of environment preparation, role installation and DC promotion into a single UI
• DCs can be deployed rapidly to ease disaster recovery and workload balancing
• DCs can be deployed remotely on multiple machines from a single Windows 8 machine
• Consistent command-line experience through Windows PowerShell to enable automation of deployment tasks

Simplified Management of Active Directory
• GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
• Active Directory Windows PowerShell support for managing replication and topology data
DC Deployment
Integrated, Seamless Deployment
• New domain controller promotion interface
  • integrates the preparation steps into the promotion process
  • automates the pre-requisites between each of the steps
  • validates environment-wide pre-requisites before beginning deployment
  • integrated with Server Manager and remoteable
  • built on Windows PowerShell for command-line and UI consistency
  • configuration wizard aligns to the most common deployment scenarios
• What’s gone?
  • DCPromo UI – the command line is still there
Demo: Domain Controller Promotion
DC Virtualization
DC Virtualization
• Virtualization on current (pre-Win8) Domain Controllers is a bad idea
• Risks include
  • USN rollback
  • Replication issues
    • Invocation ID and USN together make sure AD knows what needs to be replicated
  • Lingering objects
  • Inconsistent passwords
  • Inconsistent attribute values
  • Inconsistent schema if the Schema master is rolled back
  • Duplicate SIDs if the RID master is rolled back
DC Virtualization
• Virtualization-safe protection
  • Windows Server 8 virtual DCs are able to detect when:
    • snapshots are applied
    • a VM is copied
  • detection is built on a generation identifier (VM-generation ID) that is changed when virtualization features such as VM snapshots are used
  • Windows Server 8 virtual DCs track the VM-generation ID to detect changes and protect Active Directory
• Virtual domain controller cloning
  • create replicas of virtualized DCs by cloning existing ones
  • i.e. copy the VHD through hypervisor-specific export + import operations
  • note that the authorization of clones remains under Enterprise/Domain Admins’ control
  • requires only one virtual DC per domain to seed and quickly recover an entire forest
Steps to clone a DC
1. Make sure your hypervisor supports VM-Generation-ID
2. Make sure your PDC FSMO runs Windows 8
   • BTW – you cannot clone the PDC FSMO!
3. Prepare
   • %windows%\NTDS\DCCloneConfig.xml
   • %windows%\NTDS\CustomDCCloneAllowList.xml
   • Remove any services from your DC that cannot be cloned
   • PS C:\> Get-ADDCCloningExcludedApplicationList
4. Give permission in AD to the computer object: “Allow a DC to create a clone of itself” (on the domain object)
5. Shut down your DC, remove any snapshots
6. Copy the .vhd, create a new VM using the copied .vhd
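As an added example (not code from the deck), the pre-flight checks behind steps 2 and 3 in PowerShell. It assumes the ActiveDirectory module of the released product, in which New-ADDCCloneConfigFile (not named on the slides) writes DCCloneConfig.xml; the OS-version pattern, DC-CLONE01 and the IP addresses are placeholders.

```powershell
# Added example: run on the source DC as a Domain Admin before shutting it down (step 5).
Import-Module ActiveDirectory

# Step 2: the PDC emulator must already run the new OS, and it is never the clone source.
# Assumption: the OperatingSystem string of a new-OS DC matches this pattern.
$domain = Get-ADDomain
$pdc    = Get-ADDomainController -Identity $domain.PDCEmulator
if ($pdc.OperatingSystem -notmatch 'Windows Server (8|2012)') {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; move the PDC FSMO first."
}
if ($env:COMPUTERNAME -ieq $pdc.Name) {
    throw 'This DC holds the PDC FSMO and cannot be the clone source.'
}

# Step 3: every installed service or program that is not on the allow list blocks cloning.
$blocking = Get-ADDCCloningExcludedApplicationList
if ($blocking) {
    Write-Warning 'Remove these, or add them to CustomDCCloneAllowList.xml only after verifying they tolerate a new machine identity:'
    $blocking | Format-Table -AutoSize
    # Writes CustomDCCloneAllowList.xml for everything currently listed; deliberate step, so left commented.
    # Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# Step 3 (continued): DCCloneConfig.xml describes the clone's new identity. Assumption:
# the released cmdlet and parameter names; name, site and addresses are placeholders.
New-ADDCCloneConfigFile -CloneComputerName 'DC-CLONE01' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.21' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'

# Confirm the file landed in NTDS; the clone reads it at first boot, after the
# VM-Generation-ID change tells the DC it is running on a copied VHD.
Get-Item "$env:windir\NTDS\DCCloneConfig.xml" | Select-Object FullName, LastWriteTime
```

The permission in step 4 is granted on the domain object as the slide describes; it is deliberately not scripted here because the object-level ACE is not spelled out on the slides.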
ADAC Enhancements
AD Recycle Bin
• Feature added in Win2k8R2
  • Allows complete object recovery
  • PowerShell only – no GUI (except 3rd party)
• Recovery integrated in ADAC
  • “Deleted Objects” node in ADAC
  • Recovery in the GUI
  • Same requirements as in Win2k8R2
Fine-Grained Password Policy
• FGPP introduced in Win2k8
  • Allows special password requirements
  • PSO object
• Creation now through ADAC
Windows PowerShell History
• allows administrators to view the Windows PowerShell commands executed when using the ADAC
  • including copy-paste!
• reduces the learning curve
• increases confidence in scripting
• further enhances PowerShell discoverability
Demo: ADAC Enhancements
AD Management enhancements with PowerShell
PowerShell additions in Windows 8
• AD Management with PowerShell added in Windows Server 2008 R2
  • 76 cmdlets – mostly mimicking ADUC functionality
• New for Windows 8
  • DC Deployment
  • Topology and Replication Management
  • Dynamic Access Control
Domain Controller Deployment
• DCPromo.exe deprecated
  • No more UI, but still available from the command line
  • PowerShell scripting is the new approach
  • Easy integration in e.g. MDT
• 10 cmdlets in the new module ADDSDeployment
  • Test-ADDS* (Domain, DomainControllerInstallation, DomainControllerUninstallation, DomainInstallation, ForestInstallation, ReadOnlyDomainControllerAccountCreation)
  • Install-ADDS* (Domain, DomainController, Forest)
  • Add-ADDSReadOnlyDomainControllerAccount
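As an added example (not code from the deck), an unattended promotion of an additional DC driven from a management workstation, the automation-friendly flow the slide contrasts with the DCPromo UI. It assumes the released ADDSDeployment parameter names and result object; corp.example.com, DC02 and the site name are placeholders, and the target already accepts WinRM connections.

```powershell
# Added example: remote, scripted DC promotion with a prerequisite dry run first.
$target = 'DC02'                                   # placeholder: server to promote
$cred   = Get-Credential 'CORP\Administrator'      # account with rights to add a DC
$dsrm   = Read-Host -AsSecureString 'DSRM (safe mode) password'

# Same parameter set is used for the test and the real promotion, so what was
# validated is exactly what gets installed.
$params = @{
    DomainName                    = 'corp.example.com'       # placeholder
    SiteName                      = 'Default-First-Site-Name' # placeholder
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
}

Invoke-Command -ComputerName $target -Credential $cred -ArgumentList $params -ScriptBlock {
    param($p)
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # Dry run: validates the environment-wide prerequisites (rights, site, DNS, schema
    # level) without changing anything, so a deployment sequence can fail early.
    # Assumption: the result object carries Status and Message as in the released product.
    $check = Test-ADDSDomainControllerInstallation @p
    $bad = $check | Where-Object { $_.Status -ne 'Success' }
    if ($bad) {
        $bad | Format-List Status, Message
        throw "Prerequisite check failed on $env:COMPUTERNAME"
    }

    # Real promotion; the caller (e.g. an MDT task sequence) owns the reboot.
    Install-ADDSDomainController @p -NoRebootOnCompletion -Force
}
```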
Intermezzo: discoverability
Topology and replication
• Scripting AD Management requires multiple tools and technologies
  • repadmin
  • Ntdsutil
  • GUI-based tools – kind of hard to automate
• The reality of Windows scripting is PowerShell
  • Using PS makes management consistent with this strategy
  • PowerShell is easy to discover
    • PowerShell history viewer
    • Get-Command -Noun AD*
    • Show-Command
    • ISE
Replication Management
• cmdlets give some of the repadmin functionality
  • Get-ADReplicationAttributeMetadata
  • Get-ADReplicationFailure
  • Get-ADReplicationPartnerMetadata
  • Get-ADReplicationQueueOperation
  • Get-ADReplicationUpToDatenessVectorTable
  • Sync-ADObject
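As an added example (not code from the deck), a forest-wide replication health check built from the cmdlets listed above, the kind of report that previously meant parsing repadmin /showrepl output. It assumes the released module's -Scope parameter and output property names, and rights to read replication metadata on every DC.

```powershell
# Added example: replication health across the forest with the new cmdlets.
Import-Module ActiveDirectory

# 1. Recorded failures, worst partners first. An empty result is the healthy case.
$failures = Get-ADReplicationFailure -Scope Forest
if (-not $failures) { Write-Host 'No replication failures recorded on any DC.' }
$failures | Sort-Object FailureCount -Descending |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 2. Per-partner, per-partition metadata: a growing gap between last attempt and last
#    success is the early warning that precedes lingering objects (see the virtualization
#    risks earlier in the deck). Threshold of 2 hours is a constructed example value.
$stale = Get-ADReplicationPartnerMetadata -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-2) } |
    Select-Object Server, Partner, Partition, LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult
$stale | Format-Table -AutoSize

# 3. Up-to-dateness vector: the highest USN each DC has seen from every other DC's
#    invocation ID. If one partner's USN is far lower on some DCs than on others, those
#    DCs are not receiving that partner's changes (the symptom of a rolled-back DC).
Get-ADReplicationUpToDatenessVectorTable -Scope Forest |
    Group-Object Partner | ForEach-Object {
        [pscustomobject]@{
            Partner = $_.Name
            MinUsn  = ($_.Group | Measure-Object UsnFilter -Minimum).Minimum
            MaxUsn  = ($_.Group | Measure-Object UsnFilter -Maximum).Maximum
            Spread  = ($_.Group | Measure-Object UsnFilter -Maximum).Maximum -
                      ($_.Group | Measure-Object UsnFilter -Minimum).Minimum
        }
    } | Sort-Object Spread -Descending | Format-Table -AutoSize

# 4. Inbound queue depth on the nearest DC: pending operations not yet applied.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
(Get-ADReplicationQueueOperation -Server $dc | Measure-Object).Count
```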
Topology Management
• 18 cmdlets added:
  • Get- / New- / Remove- / Set-ADReplicationSite
  • Get- / New- / Remove- / Set-ADReplicationSiteLink
  • Get- / New- / Remove- / Set-ADReplicationSiteLinkBridge
  • Get- / New- / Remove- / Set-ADReplicationSubnet
  • Get- / Set-ADReplicationConnection
Demo: Manage AD Using PowerShell
AD-Based Activation
Activation leveraging Active Directory
• Use your existing Active Directory infrastructure to activate your clients
  • New option when deploying the Volume Activation Services role
  • no additional machines required
  • no RPC requirement, uses LDAP exclusively
  • includes RODCs
• Beyond installation and service-specific requirements, no data is written back to the directory
• Activation object maintained in the configuration partition
  • Represents proof of purchase
  • Machines can be members of any domain in the forest
  • Must be Enterprise Admin (can be delegated)
• All Windows 8 machines will automatically activate
Demo: AD-Based Activation
Dynamic Access Control
Data Management Challenges (slide diagram): growth of users and data, distributed computing, regulatory and business compliance, budget constraints
Different views of Information Governance
• CSO/CIO department: “I need to have the right compliance controls to keep me out of jail”
• Infrastructure Support: “I don’t know what data is in my repositories and how to control it”
• Content Owner: “Is my important data appropriately protected and compliant with regulations – how do I audit this”
• IW (information worker): “I don’t know if I am complying with my organization’s policies”
Information governance policies
• What is this really about?
  • Apply appropriate access policies
  • Audit access to information
  • Encrypt information
  • Apply appropriate retention to information
• Why should you care?
  • Your solution or product creates, manages or protects information in files
  • Compliance is becoming a factor in software purchasing decisions
How Windows 8 enables these objectives
• Bring the existing identity claims model into the Windows platform
• Introduce a model to target access and audit policies based on tagging to drive efficient policy enforcement, and implement this model for files
• Bridge the gap between IT & Information Owners using information tagging for files
Approach in Windows 8
• Plumb claims into the core authentication platform via Kerberos with Active Directory
• Enhance the authorization platform for files to author and manage richer access policies with claims
• Enhance the audit platform for files to drive efficient audit controls across the enterprise
• Project user & device claims for consumption by .NET apps
• Improve the file management infrastructure for files in Win8
Expression-based access control policy (slide diagram: Active Directory supplies the claims, the File Server evaluates the policy)

User claims
• User.Department = Finance
• User.Clearance = High

Device claims
• Device.Department = Finance
• Device.Managed = True

Resource properties
• Resource.Department = Finance
• Resource.Impact = High

ACCESS POLICY
• Applies to: @Resource.Impact == “High”
• Allow | Read, Write | if (@User.Clearance == “High”) AND (@Device.Managed == True)
Token changes in Windows 8
• Domain Controller issues groups… and claims!
  • Claims (user & device) sourced from identity attributes in AD
  • Compound ID – binds a user to the device to be authorized as one principal
  • Claims delivered in the Kerberos PAC
• NT token has sections
  • User & device data
  • Claims and groups!
• OID to claim for cert-based auth
• Support for cross-forest claims transformation

Windows 8 token layout (slide diagram): Owner, Group, User Groups, Claims, Device Groups, Claims
Authorization – Updated ACL Model

| Windows 7 | New in Windows 8 | Example |
|---|---|---|
| No expressions in ACL; led to group bloat | Support for expressions with ‘AND’/‘OR’ primitives | User.memberOf (USA-Employees) AND User.memberOf (Finance-Division) AND User.memberOf (Authorization-Project) |
| ACLs only based on groups; led to group bloat | Support for user claims from AD | User.Division = ‘Finance’ AND User.CostCenter = 20000 |
| No ability to control access based on device state | Support for static device claims from AD | User.Division = ‘Finance’ AND Device.ITManaged = True |
| No way to target policy based on resource type | Target policy based on resource type | IF (Resource.Impact = ‘HBI’) ALLOW AU Read User.EmployeeType = ‘FTE’ |

• Claims support in ACEs managed as SDDL strings
  • Added / removed from SDDL strings via standard string manipulation functions
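The policy on the "Expression-based access control policy" slide and the rows of the table above share one evaluation order: first the target condition on the resource, then the conditional ACE over a compound user-plus-device principal. As an added illustration (not code from the deck, and not the Windows authorization API), this PowerShell function models that order with the slide's own claim names and values so the outcomes can be compared side by side.

```powershell
# Added example: a model of DAC evaluation, not the kernel's access check.
function Test-CentralAccess {
    param(
        [hashtable]$User, [hashtable]$Device, [hashtable]$Resource, [string]$Requested
    )
    # Compound ID: the user and the device are authorized together as one principal,
    # so a single ACE condition can reference both sets of claims.
    $principal = @{ User = $User; Device = $Device }

    # Stage 1 - "Applies to": the central policy only targets resources whose
    # properties match. Anything else falls through to the ordinary NTFS ACL, which
    # this model represents as a plain allow.
    if ($Resource.Impact -ne 'High') { return 'Allow (policy not applicable; NTFS ACL decides)' }

    # Stage 2 - the conditional ACE from the slide:
    #   Allow | Read, Write | if (@User.Clearance == "High") AND (@Device.Managed == True)
    $ace = @{
        Rights    = @('Read', 'Write')
        Condition = { param($p) ($p.User.Clearance -eq 'High') -and ($p.Device.Managed -eq $true) }
    }
    $conditionMet = & $ace.Condition $principal
    if (($Requested -in $ace.Rights) -and $conditionMet) { return 'Allow' }
    # No matching ACE means deny: a High-clearance user on an unmanaged device, or a
    # request for a right the ACE does not grant, ends here.
    return 'Deny'
}

# Constructed scenarios built from the slide's claim values.
$financeUser   = @{ Department = 'Finance'; Clearance = 'High' }
$managedPc     = @{ Department = 'Finance'; Managed = $true }
$unmanagedPc   = @{ Department = 'Finance'; Managed = $false }
$highImpactDoc = @{ Department = 'Finance'; Impact = 'High' }
$lowImpactDoc  = @{ Department = 'Finance'; Impact = 'Low' }

"{0,-48} {1}" -f 'High clearance, managed device, Write:',   (Test-CentralAccess $financeUser $managedPc   $highImpactDoc 'Write')
"{0,-48} {1}" -f 'High clearance, unmanaged device, Read:',  (Test-CentralAccess $financeUser $unmanagedPc $highImpactDoc 'Read')
"{0,-48} {1}" -f 'High clearance, managed device, Delete:',  (Test-CentralAccess $financeUser $managedPc   $highImpactDoc 'Delete')
"{0,-48} {1}" -f 'Low-impact resource, unmanaged device:',   (Test-CentralAccess $financeUser $unmanagedPc $lowImpactDoc  'Read')
```

The second and fourth scenarios are the ones the table's Windows 7 column cannot express: the same user is denied on an unmanaged device, and the policy never engages on a resource outside its target condition.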
Managing data on file servers
Looking at the problem space for a data repository
• One of the largest repositories of data in the organization
• Regulatory compliance periodic audits are expensive and labor intensive
• Data leakage of sensitive information
• Exposure of information due to the complexity of granting access on a need-to-know basis
Resource Property Definitions (slide diagram: Windows 8 Active Directory, Windows 8 File Server, Content owner, Applications; goal: control access to information)
In Active Directory:
• Create resource property definitions
On File Server:
• Identify information
  • Tagging information by owner
  • Automatic classification
  • Line Of Business applications
Claim Definitions, Resource Property Definitions, Access Policy (slide diagram: Windows 8 Active Directory, Windows 8 File Server, End User; outcome: Allow/Deny; goal: control access to information)
In Active Directory:
• Create claim definitions
• Create resource property definitions
• Create central access policy
In Group Policy:
• Send central access policies to file servers
On File Server:
• Apply access policy to the shared folder
• Identify information
At Runtime:
• User tries to access information
Demo: Dynamic Access Control
Claim Definitions, Resource Property Definitions, Audit Policy (slide diagram: Windows 8 Active Directory, Windows 8 File Server, End User; outcome: Audit / No Audit; goal: audit access to information)
In Active Directory:
• Create claim definitions
• Create resource property definitions
In Group Policy:
• Create global audit policy
On File Server:
• Identify information
At Runtime:
• User tries to access information
Summary
• What have we learned today?
  • AD DS is easier to deploy and manage
    • Server Manager
    • ADAC
    • PowerShell
    • Virtualization
  • Claims paradigm is extended to File Servers, powered by AD DS – more in John Craddock’s session
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Thank you! Questions?
@ploonen
http://be-id.blogspot.com