70-410 windows server 2012 training

Windows Server 2012: A Techie’s Insight into the Hot New Features


Posted on 10-Apr-2017


TRANSCRIPT

Page 1: 70-410 windows server 2012 Training

Windows Server 2012: A Techie’s Insight into the Hot New Features

Page 2: 70-410 windows server 2012 Training

Windows Server 2012 feature cloud:

Domain Controller cloning
Enhanced DirectAccess
Safe domain controller virtualization
RID pool enhanced management
Enhanced logging
PowerShell 3.0
PowerShell Workflow
PowerShell history
Kerberos CBAC
Compound identity
RemoteFX
IP Address Management
DHCP HA
DA object recovery GUI
iSCSI Target
Windows NIC teaming
Virtualization, virtualization, virtualization
32 virtual processors per VM
1 TB virtual machine memory
New 64 TB VHDX format
Native 4k disk support
Hyper-V Replica
Hyper-V virtual fiber channel
Virtual networking
Live storage migration
Support for up to 64 nodes per cluster
Support for 4000 VMs per cluster
Hyper-V support for up to 2 TB of physical memory
Live VHD merge
Cluster shared volumes v2
SMB 2 support
RDMA support in SMB
Scale-out file server
Multi-channel SMB
Virtual NIC monitor mode
Storage PowerShell
Network PowerShell
Multi-tenancy, port ACLs / firewall
Storage metering
Storage Spaces
SMI-S support inbox
Virtual NUMA support
CPU metering
Network metering
Memory metering
RemoteFX 3D graphics remoting
Touch remoting
USB remoting
VDI
Guest application health monitoring
VM hardware error isolation
VM failover prioritization
Trusted boot support
Removable shell & IE
Enables roles in VHDs offline
Multi-machine management protocol
Integrated workflows and PowerShell

So many new changes, and they are all hot

Page 3: 70-410 windows server 2012 Training

My first dilemma: should I be a man or a mouse?

Default installation: I went for the GUI

Page 4: 70-410 windows server 2012 Training

Easy to switch between installation levels:

Server Core <-> Minimal Server Interface <-> Server with a GUI <-> Desktop Experience

Add/remove the corresponding feature:

Graphical Management Tools and Infrastructure: Server-Gui-Mgmt-Infra
Server Graphical Shell: Server-Gui-Shell
Desktop Experience: Desktop-Experience

PowerShell: Install-WindowsFeature / Uninstall-WindowsFeature
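The slide names the three features and the two cmdlets; the following added example (written for this transcript, not taken from the presentation) ties them together so you can see which level a server is at and step it down to a smaller footprint. The feature names are the ones on the slide; the Get-InstallLevel function and the use of -WhatIf are my own choices.

```powershell
# Added example: moving a Windows Server 2012 host between the installation
# levels shown on the slide. Feature names are the slide's; the helper function
# and the -WhatIf dry runs are illustrative.
Import-Module ServerManager

function Get-InstallLevel {
    # Map the three GUI-related features to the level names used on the slide.
    $mgmt  = (Get-WindowsFeature -Name Server-Gui-Mgmt-Infra).Installed
    $shell = (Get-WindowsFeature -Name Server-Gui-Shell).Installed
    $dx    = (Get-WindowsFeature -Name Desktop-Experience).Installed

    if ($dx -and $shell) { return 'Desktop Experience' }
    if ($shell)          { return 'Server with a GUI' }
    if ($mgmt)           { return 'Minimal Server Interface' }
    return 'Server Core'
}

"Current level: $(Get-InstallLevel)"

# Step down to the Minimal Server Interface: keep the management tools, drop the shell.
# -WhatIf only reports what would change; drop it to apply. A restart is required.
Uninstall-WindowsFeature -Name Server-Gui-Shell -WhatIf

# Full Server Core: removing Server-Gui-Mgmt-Infra also removes the shell that depends
# on it. -Remove deletes the binaries from the side-by-side store as well, so the
# features can later only be reinstalled from install media via -Source.
Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Remove -WhatIf

# Back to a full GUI from Core. -Source is only needed if the binaries were removed;
# -Restart reboots automatically when the install finishes.
Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart -WhatIf
```

From a hardening point of view the interesting direction is downwards: every level you remove is code that no longer needs patching on that host, and the Minimal Server Interface keeps Server Manager and the MMC consoles available while the browser and Explorer shell are gone.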

Page 5: 70-410 windows server 2012 Training

Make sure PowerShell is your best friend

PowerShell 3.0 with over 2000 cmdlets
Allows creation of scripts with workflow
AD PowerShell history helps you get started
Newest help files download on demand: Update-Help

Page 6: 70-410 windows server 2012 Training

A tour around the management GUI

Page 7: 70-410 windows server 2012 Training

Not technical, but a very useful reference

Windows key: Metro Start
Windows key + C: Open Charms bar
Windows key + I: Settings on Charms bar
Windows key + Q: Search on Charms bar

Hover & click: Metro Start
Hover & select from Charms bar
Just start typing

Page 8: 70-410 windows server 2012 Training

Virtualization, virtualization, virtualization

Areas covered: virtual machines (VM1, VM2, VM3 ... VMn), storage virtualization, network virtualization, CPU & memory virtualization, VM hardware, offloading

Capabilities shown on the slide:

Virtualized customer networks
Near SAN capability from commodity disks
NetworkDirect HBA for VMs
Direct data transfers (ODX)
New dynamic memory support
Live Migration
Clustered VMs & hosts
Replication
Virtualized domain controller support

Page 9: 70-410 windows server 2012 Training

Impressive scalability

System           Resource                                Windows Server 2008 R2   Windows Server "8" Beta   Improvement factor
Host             Logical processors on hardware          64                       160                       2.5×
Host             Physical memory                         1 TB                     2 TB                      2×
Host             Virtual processors per host             512                      1,024                     2×
Virtual machine  Virtual processors per virtual machine  4                        32                        8×
Virtual machine  Memory per virtual machine              64 GB                    1 TB                      16×
Virtual machine  Active virtual machines                 384                      1,024                     2.7×
Cluster          Nodes                                   16                       64                        4×
Cluster          Virtual machines                        1,000                    4,000                     4×

Page 10: 70-410 windows server 2012 Training

A techie’s insight into the hot new features

So many features to choose from. Let's look at some of the challenges I've faced over the last year:

Deploying DirectAccess
Troubleshooting Kerberos and delegation issues
File server authorization and auditing
Claims-based authentication
Building POC environments to test it all out

If Windows Server 2012 solves my issues – that’s hot

Page 11: 70-410 windows server 2012 Training

My hot three for today: DirectAccess, Kerberos enhancements, Dynamic Access Control

Page 12: 70-410 windows server 2012 Training

Windows 2008 R2 DirectAccess – Simple?

When a DirectAccess client connects to the Internet it is automatically connected to the corporate intranet

No user action required

(Diagram: corporate intranet / Internet)

It’s a truly great user experience - But…

Page 13: 70-410 windows server 2012 Training

Simple? Maybe not:

Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
Internet tunnelling selection based on client location: Internet, NAT, firewall
Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
Client location detection: Internet or corporate intranet
Certificates require PKI

(Diagram: corporate intranet / Internet)

Page 14: 70-410 windows server 2012 Training

2008 R2 additional challenges:

UAG required for load-balancing, support for IPv4 intranet endpoints, NAT64 & DNS64
Requires two consecutive public IPv4 addresses
Multi-domain support complex
Poor multi-site support
Monitoring and troubleshooting problematic
RRAS & DA could not coexist
2FA only supported for smartcards, no OTP support
Many deployments didn't get off the drawing board

Windows Server 2012 fixes all and more:

NAT support
Multi-domain support
Multiple entry-points with automatic failover
Comprehensive monitoring
One role supports both RRAS and DA
OTP & virtual smartcard support
Now it's easier

Page 15: 70-410 windows server 2012 Training

One tunnel or two?

DA on Windows 2008 R2 creates an infrastructure tunnel and an intranet tunnel
Client certificates and computer/user accounts are used to authenticate to each tunnel endpoint
Certificates are required to support Windows 7 clients, NAP and 2FA clients
Windows 8 clients can be supported through a single-tunnel configuration
Authentication to the endpoint is managed through a Kerberos Proxy
Uses IPHTTPS
IPHTTPS optimised via SSL with NULL encryption

Page 16: 70-410 windows server 2012 Training

3 clicks and you're done, or full featured

For small to medium deployments the Getting Started Wizard will automatically deploy DA:
Single tunnel, IPHTTPS, single public IP or NAT, and no PKI
If no public SSL cert is available a self-signed cert is automatically generated
Client group policy deployed using a WMI filter

For a full featured DirectAccess deployment you will need to go through the Remote Access Setup Wizard. You can use the Getting Started Wizard and access the setup wizard afterwards.

Page 17: 70-410 windows server 2012 Training

Just 3-clicks

Page 18: 70-410 windows server 2012 Training

My hot three for today: DirectAccess, Kerberos enhancements, Dynamic Access Control

Page 19: 70-410 windows server 2012 Training

Kerberos changes

We've seen the Kerberos Proxy in action. It is used for DirectAccess and Remote Desktop users and cannot be deployed on the edge for other functions.

There are a number of other changes to Kerberos to enhance day-to-day operations:

Increase to the maximum Kerberos SSPI context buffer size
PAC group compression
Warning events for large token sizes
Increased logging

Hot topics for me are claims support and delegation

Page 20: 70-410 windows server 2012 Training

Adding claims to the Kerberos token

Pre-Windows 8: the user's Kerberos token carries a PAC; the user's group memberships are added to the PAC; authorization is based on group membership.

Windows 8 (Compound ID): the PAC contains the user's groups and claims information plus device information (device groups and claims); authorization is based on group membership, user claims and device claims.

Page 21: 70-410 windows server 2012 Training

Enabling Kerberos for claims

Enable the KDC administrative template "Support for Dynamic Access Control and Kerberos armoring".

Kerberos armoring, also referred to as Flexible Authentication Secure Tunnelling (FAST), provides:

A protected channel between the Kerberos client and the KDC
Protection against offline dictionary attacks
Signed Kerberos error messages, which prevents spoofing
Compound identity

Page 22: 70-410 windows server 2012 Training

Delegation

Prior to Windows Server 2012, constrained delegation required the front-end and back-end services to be in the same domain. 2012 allows delegation across domains and forest trusts.

Protect back-end services by setting the service account parameter PrincipalsAllowedToDelegateToAccount.

Block cross-forest delegation by setting /EnableTGTDelegation to "no" with netdom trust.
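Both controls on this slide are one-liners once you know the parameter, but the review step is what matters operationally: a back-end account whose allow-list nobody checks is the usual gap. The following added example (mine, not the presenter's) shows the allow-list being set, read back and cleared with the ActiveDirectory module, then the netdom command for the trust. Host names sql01 and web01 and the domain names are placeholders.

```powershell
# Added example: resource-based constrained delegation on Windows Server 2012.
# sql01 (back end) and web01 (front end) are placeholder computer accounts.
Import-Module ActiveDirectory

$backend  = Get-ADComputer -Identity 'sql01'   # service that will be impersonated to
$frontend = Get-ADComputer -Identity 'web01'   # the only principal allowed to delegate

# The allow-list lives on the back end, so the resource owner decides who may obtain
# service tickets to sql01 on a user's behalf. Anything not listed is refused.
Set-ADComputer -Identity $backend -PrincipalsAllowedToDelegateToAccount $frontend

function Get-DelegationAllowList {
    # Returns the DNs of every principal currently allowed to delegate to $Identity.
    # An empty result means nobody can delegate to this account.
    param([Parameter(Mandatory)][string]$Identity)
    $acct = Get-ADComputer -Identity $Identity -Properties PrincipalsAllowedToDelegateToAccount
    $acct.PrincipalsAllowedToDelegateToAccount
}

Get-DelegationAllowList -Identity 'sql01'

# Revoke: clearing the list removes delegation rights from every front end at once.
Set-ADComputer -Identity $backend -PrincipalsAllowedToDelegateToAccount $null

# Cross-forest TGT delegation is controlled on the trust, not on the accounts.
# netdom syntax is: netdom trust <TrustingDomain> /domain:<TrustedDomain> ...
# Query the current setting (placeholder domain names):
netdom trust corp.example /domain:partner.example /EnableTgtDelegation
# Block it:
netdom trust corp.example /domain:partner.example /EnableTgtDelegation:No
```

Running the query form before and after the change is a cheap way to confirm the setting took effect; the same function can be run across all back-end accounts in a scheduled job to catch allow-list drift.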

Page 23: 70-410 windows server 2012 Training

Enabling Claims identity

Page 24: 70-410 windows server 2012 Training

My hot three for today: DirectAccess, Kerberos enhancements, Dynamic Access Control

Page 25: 70-410 windows server 2012 Training

Defining the access requirements

Sales Consultants from the regional sales departments must have read/write access to their region's sales documents
They are not allowed to access sales documents for other regions
Sales Managers must have access to sales documents in all regions
Sales documents with high business impact must only be viewable by Sales Managers
The access model must be applied across multiple file servers in the Active Directory forest

Page 26: 70-410 windows server 2012 Training

A nice to have: high impact documents should only be accessible from client machines that are managed by the Corp Sales department

Page 27: 70-410 windows server 2012 Training

How many different designs can you come up with?

(Diagram of a group-based design.) Folder tree: Sales, with UK and US sub-folders, each with an HI (high impact) folder. Permission groups: Sales UK RW, Sales US RW, Sales HI UK RW, Sales HI US RW. Role groups: UK Sales, US Sales, Sales Managers.

How do we guarantee HI documents are placed in the correct folders?

Page 28: 70-410 windows server 2012 Training

Windows Server 2012 to the rescue...

Challenge: no way to tag files and apply authorization and auditing based on file type
Resolution: files can be classified (tagged) and policies applied based on the file's classification

Challenge: no way to create ACLs based on expressions; requires complex group structures
Resolution: expression-based access control and auditing

Challenge: ACLs defined using groups
Resolution: expressions can contain groups, users, and user and device claims

Challenge: device state not supported in authorization decisions
Resolution: access based on compound ID, i.e. user and device claims

Page 29: 70-410 windows server 2012 Training

Elegant solutions

Permissions applied based on file classification
No groups
We even solved the "nice to have": high impact documents should only be accessible from client machines that are managed by the Corp Sales department

(Diagram: Sales folder with UK and US sub-folders.) Access based on Central Access Policy, file and folder classification, and CBAC.
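To make the "elegant solution" concrete, here is an added example (my own, not from the presentation) that builds the pieces the slides have been describing since "Enabling claims identity": a user claim, the resource properties used for classification, and a Central Access Policy whose rules express the regional and high-impact requirements as conditions rather than groups. The claim and property names, the source attribute `c`, the device claim ManagedBy, the group name Sales Managers and the SDDL strings are all illustrative assumptions; the KDC and client claims settings from the Kerberos slide must already be enabled via Group Policy.

```powershell
# Added example: Dynamic Access Control for the sales-document scenario.
# Names of claims, resource properties, the device claim and the group are placeholders.
Import-Module ActiveDirectory

# 1. User claim: region, sourced from an AD attribute (constructed choice: 'c', country).
#    In conditions the claim is referenced as @USER.Region (the ad://ext/ prefix is implied).
New-ADClaimType -DisplayName 'Region' -SourceAttribute 'c' -ID 'ad://ext/Region' -Enabled $true

# 2. Resource properties used to classify files. The default property ID is <Name>_MS,
#    which is how the properties are referenced in the conditions below.
$uk   = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('UK', 'UK', 'United Kingdom')
$us   = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('US', 'US', 'United States')
$high = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('High', 'High', 'High business impact')
$low  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Low', 'Low', 'Low business impact')

New-ADResourceProperty -DisplayName 'Region' -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -IsSecured $true -SuggestedValues $uk, $us
New-ADResourceProperty -DisplayName 'Impact' -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -IsSecured $true -SuggestedValues $high, $low

# Make the properties available to file servers that download the global list.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Region', 'Impact'

# 3. Central access rules. Conditional ACEs (XA) carry an expression after the SID.
#    Rule A: a user may modify a sales document only when the document's region equals
#    the user's region claim. 0x1301bf = Modify. Owner and Administrators keep full access.
$regional = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1301bf;;;AU;(@USER.Region == @RESOURCE.Region_MS))'
New-ADCentralAccessRule -Name 'Regional Sales Access' `
    -ResourceCondition '(@RESOURCE.Impact_MS != "High")' `
    -CurrentAcl $regional

#    Rule B: high impact documents are readable only by Sales Managers, and only from a
#    device carrying the (assumed) ManagedBy device claim with value "Corp Sales".
$mgrSid = (Get-ADGroup -Identity 'Sales Managers').SID.Value
$highImpact = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;FR;;;$mgrSid;(@DEVICE.ManagedBy == `"Corp Sales`"))"
New-ADCentralAccessRule -Name 'High Impact Sales Access' `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' `
    -CurrentAcl $highImpact

# 4. Bundle the rules into one policy that can be pushed to every file server by GPO.
New-ADCentralAccessPolicy -Name 'Sales Documents Policy'
Add-ADCentralAccessPolicyMember -Identity 'Sales Documents Policy' `
    -Members 'Regional Sales Access', 'High Impact Sales Access'
```

Two practical notes. Every rule also accepts -ProposedAcl; staging a rule there first produces audit events showing who would have been denied, which is the safe way to validate the expressions before they are enforced. And the design depends entirely on classification being right: the Region and Impact properties must be set on the files (by the File Server Resource Manager classification rules or by the user) before the policy does anything useful, which is exactly the "how do we guarantee HI documents are in the correct folder" problem the slides turn into a tagging problem.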

Page 30: 70-410 windows server 2012 Training

A quick tour of Dynamic Access Control

Page 31: 70-410 windows server 2012 Training

So many great enhancements. Just one more I couldn't miss...

Page 32: 70-410 windows server 2012 Training

Well that’s what’s hot for me

Page 33: 70-410 windows server 2012 Training

Consulting services on request

John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. He has been a key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk

John Craddock, Infrastructure and Security Architect, XTSeminars Ltd

Page 34: 70-410 windows server 2012 Training

What’s hot for you?

Page 35: 70-410 windows server 2012 Training

Complete an evaluation on CommNet and enter to win!

Page 36: 70-410 windows server 2012 Training

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 37: 70-410 windows server 2012 Training