70-410 windows server 2012 training
TRANSCRIPT
Windows Server 2012: A Techie’s Insight into the Hot New Features
Windows Server 2012 feature overview:
Domain Controller cloning
Enhanced DirectAccess
Safe domain controller virtualization
RID pool enhanced management
Enhanced logging
PowerShell 3.0
PowerShell Workflow
PowerShell history
Kerberos CBAC
Compound identity
RemoteFX
IP Address Management
DHCP HA
AD object recovery GUI
iSCSI Target
Windows NIC teaming
Virtualization, virtualization, virtualization
32 virtual processors per VM
1 TB virtual machine memory
New 64 TB VHDX format
Native 4K disk support
Hyper-V Replica
Hyper-V virtual Fibre Channel
Virtual networking
Live storage migration
Support for up to 64 nodes per cluster
Support for 4,000 VMs per cluster
Hyper-V support for up to 2 TB of physical memory
Live VHD merge
Cluster Shared Volumes v2
SMB 2 support
RDMA support in SMB
Scale-out file server
Multichannel SMB
Virtual NIC monitor mode
Storage PowerShell
Network PowerShell
Multi-tenancy, port ACLs / firewall
Storage metering
Storage Spaces
SMI-S support inbox
Virtual NUMA support
CPU metering
Network metering
Memory metering
RemoteFX 3D graphics remoting
Touch remoting
USB remoting
VDI
Guest application health monitoring
VM hardware error isolation
VM failover prioritization
Trusted boot support
Removable shell & IE
Enables roles in VHDs offline
Multi-machine management protocol
Integrated workflows and PowerShell
So many new changes, and they are all hot
My first dilemma
Should I be a man or a mouse?
Default installation
I went for the GUI
Easy to switch
Installation levels: Server Core, Minimal Server Interface, GUI, Desktop Experience
Features that move a server between the levels: Graphical Management Tools and Infrastructure (Server-Gui-Mgmt-Infra), Server Graphical Shell (Server-Gui-Shell), Desktop Experience (Desktop-Experience)
Add/remove a feature with PowerShell: Install-WindowsFeature / Uninstall-WindowsFeature
Make sure PowerShell is your best friend
PowerShell 3.0 with over 2,000 cmdlets
Allows creation of scripts with workflow
AD PowerShell history helps you get started
Newest help files download on demand – Update-Help
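The install-level switching described above, as an added example (not code from the presentation). It wraps Get-WindowsFeature, Install-WindowsFeature and Uninstall-WindowsFeature so a server can be moved between Server Core, Minimal Server Interface and the full GUI; the `-Source` path is an assumption and must point at your own install.wim. Dropping to Minimal Server Interface or Core removes Explorer and Internet Explorer from the box, which is the attack-surface reduction that makes "Should I be a man or a mouse?" a security question rather than a convenience one.

```powershell
# Added example: switch a Windows Server 2012 host between UI levels with the
# Server Manager cmdlets the slides name. Run in an elevated PowerShell 3.0 session.
Import-Module ServerManager

# Feature sets that make up each installation level (Desktop Experience is an
# optional add-on to the GUI level, so it is only ever removed, never required).
$Levels = @{
    'Core'    = @()
    'Minimal' = @('Server-Gui-Mgmt-Infra')
    'Gui'     = @('Server-Gui-Mgmt-Infra', 'Server-Gui-Shell')
}
$AllGui = @('Server-Gui-Mgmt-Infra', 'Server-Gui-Shell', 'Desktop-Experience')

function Get-ServerUiLevel {
    # Reports Core / Minimal / Gui from the InstallState of the three GUI features.
    $installed = (Get-WindowsFeature -Name $AllGui | Where-Object Installed).Name
    if ($installed -contains 'Server-Gui-Shell')      { return 'Gui' }
    if ($installed -contains 'Server-Gui-Mgmt-Infra') { return 'Minimal' }
    return 'Core'
}

function Set-ServerUiLevel {
    param(
        [Parameter(Mandatory)][ValidateSet('Core', 'Minimal', 'Gui')][string]$Level,
        # Only needed when the feature payload was removed earlier with -Remove.
        # Assumed path; index 4 is the "with GUI" image on typical 2012 media.
        [string]$Source = 'wim:D:\sources\install.wim:4'
    )
    $wanted  = $Levels[$Level]
    $current = (Get-WindowsFeature -Name $AllGui | Where-Object Installed).Name

    # Anything installed that the target level does not include goes; anything
    # the target level needs that is missing comes back.
    $toRemove  = $AllGui | Where-Object { ($_ -notin $wanted) -and ($_ -in $current) }
    $toInstall = $wanted | Where-Object { $_ -notin $current }

    if ($toRemove) {
        # -Remove also deletes the payload from the side-by-side store (smaller
        # footprint, but a later reinstall then needs -Source).
        Uninstall-WindowsFeature -Name $toRemove -Remove
    }
    if ($toInstall) {
        Install-WindowsFeature -Name $toInstall -Source $Source
    }
    Write-Output "Requested level: $Level (was $(Get-ServerUiLevel)). Restart-Computer to complete."
}

# Usage (one at a time; each change takes effect after a reboot):
#   Get-ServerUiLevel
#   Set-ServerUiLevel -Level Minimal
#   Set-ServerUiLevel -Level Core
#   Set-ServerUiLevel -Level Gui -Source 'wim:D:\sources\install.wim:4'
#
# And, per the slide, fetch the current help for the 3.0 modules (needs Internet access):
#   Update-Help -Force
```

Run `Get-ServerUiLevel` first so you know the starting point; the level reported only changes after the reboot that `Install-WindowsFeature`/`Uninstall-WindowsFeature` ask for.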
A tour around the management GUI
Not technical – but a very useful reference
Windows key: Metro Start
Windows key + C: open Charms bar
Windows key + I: Settings on Charms bar
Windows key + Q: Search on Charms bar
Hover & click: Metro Start
Hover & select from Charms bar
Just start typing
Virtualization, virtualization, virtualization
Virtual machines (VM1, VM2, VM3 … VMn): Live Migration, clustered VMs & hosts, replication, virtualized domain controller support
Storage virtualization: near-SAN capability from commodity disks, direct data transfers (ODX)
Network virtualization: virtualized customer networks, NetworkDirect
CPU & memory virtualization: new dynamic memory support
VM hardware offloading: HBA for VMs
Impressive scalability

System    Resource                                Windows Server 2008 R2   Windows Server "8" Beta   Improvement factor
Host      Logical processors on hardware          64                       160                       2.5×
Host      Physical memory                         1 TB                     2 TB                      2×
Host      Virtual processors per host             512                      1,024                     2×
VM        Virtual processors per virtual machine  4                        32                        8×
VM        Memory per virtual machine              64 GB                    1 TB                      16×
VM        Active virtual machines                 384                      1,024                     2.7×
Cluster   Nodes                                   16                       64                        4×
Cluster   Virtual machines                        1,000                    4,000                     4×
A techie’s insight into the hot new features
So many features to choose from. Let’s look at some of the challenges I’ve faced over the last year:
Deploying DirectAccess
Troubleshooting Kerberos and delegation issues
File server authorization and auditing
Claims based authentication
Building POC environments to test it all out
If Windows Server 2012 solves my issues – that’s hot
My hot three for today: DirectAccess, Kerberos enhancements, Dynamic Access Control
Windows 2008 R2 DirectAccess – Simple?
When a DirectAccess client connects to the Internet it is automatically connected to the corporate intranet
No user action required
(Diagram: DirectAccess client on the Internet connected to the corporate intranet)
It’s a truly great user experience - But…
Simple?
Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
Internet tunnelling selection based on client location – Internet, NAT, firewall
Encryption/authentication of Internet traffic (end-to-edge/end-to-end), PKI required
Client location detection: Internet or corporate intranet
(Diagram: Internet and corporate intranet)
Maybe not
Certificates require PKI
2008 additional challenges
UAG required for load balancing, support for IPv4 intranet endpoints, NAT64 & DNS64
Requires two consecutive public IPv4 addresses
Multi-domain support complex
Poor multi-site support
Monitoring and troubleshooting problematic
RRAS & DA could not coexist
2FA only supported for smartcards, no OTP support
Many deployments didn’t get off the drawing board
Windows Server 2012 fixes all and more…
NAT
Multi-domain support
Multiple entry-points with automatic failover
Comprehensive
One role supports both OTP & virtual SC
Now it’s easier
One tunnel or two?
DA on Windows 2008 R2 creates an infrastructure and an intranet tunnel
Client certificates and computer/user accounts are used to authenticate to each tunnel endpoint
Certificates are required to support Windows 7 clients, NAP and 2FA client
Windows 8 clients can be supported through a single-tunnel configuration
Authentication to the endpoint managed through a Kerberos Proxy
Uses IPHTTPS
IPHTTPS optimised via SSL with NULL encryption
3 clicks and you’re done, or full featured
For small to medium deployments the Getting Started Wizard will automatically deploy DA
Single tunnel, IPHTTPS, single public IP or NAT, and no PKI
If no public SSL cert is available a self-signed cert is automatically generated
Client group policy deployed using a WMI filter
For a full featured DirectAccess deployment you will need to go through the Remote Access Setup Wizard
You can use the Getting Started Wizard and access the setup wizard afterwards
Just 3 clicks
My hot three for today: DirectAccess, Kerberos enhancements, Dynamic Access Control
Kerberos changes
We’ve seen the Kerberos Proxy in action
This is used for DirectAccess and Remote Desktop users and cannot be deployed on the edge for other functions
There are a number of other changes to Kerberos to enhance day to day operations:
Increase to the maximum Kerberos SSPI context buffer size
PAC group compression
Warning events for large token sizes
Increased logging
Hot topics for me are claims support and delegation
Adding claims to the Kerberos token
Pre-Windows 8: the user’s Kerberos token carries a PAC with the user’s group memberships added; authorization is based on group membership.
Windows 8 (compound ID): the PAC contains the user’s groups and claims plus device groups and claims (device information); authorization is based on group membership, user claims and device claims.
Enabling Kerberos for claims
Enable the KDC administrative template for support for Dynamic Access Control and Kerberos armoring
Kerberos armoring, also referred to as Flexible Authentication Secure Tunnelling (FAST), provides:
A protected channel between the Kerberos client and the KDC
Protection against offline dictionary attacks
Signs Kerberos error messages, which prevents spoofing
Compound identity
Delegation
Prior to Windows Server 2012, constrained delegation required the front-end and back-end services to be in the same domain; 2012 allows delegation across domains and forest trusts
Protect back-end services by setting the service account parameter PrincipalsAllowedToDelegateToAccount (the back end lists which front-end principals may delegate to it)
Block cross-forest delegation by setting the trust’s /EnableTGTDelegation to “no” with netdom trust
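The two controls above, as an added example (not code from the presentation): resource-based constrained delegation configured on the back-end account, and TGT delegation blocked on a forest trust. The host names WEBFE01 and SQLBE01 and the domains contoso.com and fabrikam.com are assumptions; substitute your own.

```powershell
# Added example: Windows Server 2012 resource-based constrained delegation.
# The back end (SQLBE01, contoso.com) decides who may delegate to it, so a
# compromised front end cannot be granted a path to it from the front-end side.
Import-Module ActiveDirectory

# Front end in another domain: the cross-domain case classic constrained
# delegation (set on the front-end account) could not express.
$frontEnd = Get-ADComputer -Identity 'WEBFE01' -Server 'fabrikam.com'

# Allow only that front end to delegate to the back-end service. This writes
# msDS-AllowedToActOnBehalfOfOtherIdentity on SQLBE01's computer object.
Set-ADComputer -Identity 'SQLBE01' -PrincipalsAllowedToDelegateToAccount $frontEnd

# A service running under a user/service account takes the same parameter:
#   Set-ADUser -Identity 'svc-sql' -PrincipalsAllowedToDelegateToAccount $frontEnd

function Get-AllowedDelegators {
    # Audit helper: who is currently permitted to delegate to this back end?
    param([Parameter(Mandatory)][string]$Identity)
    (Get-ADComputer -Identity $Identity -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
}
Get-AllowedDelegators -Identity 'SQLBE01'

# Revoke everything when the front end is decommissioned (empty the list):
#   Set-ADComputer -Identity 'SQLBE01' -PrincipalsAllowedToDelegateToAccount $null

# Block TGT (unconstrained) delegation over the forest trust, as the slide advises.
# Syntax: netdom trust <trusting domain> /domain:<trusted domain> /EnableTGTDelegation:No
netdom trust contoso.com /domain:fabrikam.com /EnableTGTDelegation:No
```

Re-run `Get-AllowedDelegators` as part of a periodic review: the list on each back-end account is the complete set of principals that can impersonate users to it, which is far easier to audit than the per-front-end `msDS-AllowedToDelegateTo` entries of classic constrained delegation.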
Enabling Claims identity
My hot three for today: DirectAccess, Kerberos enhancements, Dynamic Access Control
Defining the access requirements
Sales Consultants from the regional sales departments must have read/write access to their region’s sales documents
They are not allowed to access sales documents for other regions
Sales Managers must have access to sales documents in all regions
Sales documents with high business impact must only be viewable by Sales Managers
The access model must be applied across multiple file servers in the Active Directory forest
A nice to have: high impact documents should only be accessible from client machines that are managed by the Corp Sales department
How many different designs can you come up with?
(Diagram: a group-based design with folders UK Sales and US Sales, each with an HI UK / HI US subfolder, and the groups Sales UK RW, Sales US RW, Sales HI UK RW, Sales HI US RW, UK Sales, US Sales and Sales Managers)
How do we guarantee HI documents are placed in the correct folders?
Windows Server 2012 to the rescue…

Challenge before Windows Server 2012                              | Resolution in Windows Server 2012
No way to tag files and apply authorization and auditing based    | Files can be classified (tagged) and policies applied based on
on file type                                                      | the file’s classification
No way to create ACLs based on expressions; requires complex      | Expression based access control and auditing
group structures                                                  |
ACLs defined using groups                                         | Expressions can contain groups, users, and user and device claims
Device state not supported in authorization decisions             | Access based on compound ID: user and device claims
Elegant solutions
Permissions applied based on file classification, no groups
We even solved the “nice to have”: high impact documents should only be accessible from client machines that are managed by the Corp Sales department
(Diagram: UK Sales and US Sales folders; access based on Central Access Policy, file and folder classification, and CBAC)
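The sales scenario above, built out as an added example (not the presenter’s code): claim types, resource properties for classification, two central access rules with conditional ACEs, and a central access policy that bundles them. The attribute mappings (`c` for region, `title` for role, the computer object’s `department` for device department), the explicit claim IDs and all names are assumptions; the `_MS` suffix on resource properties and the `@USER.` / `@DEVICE.` / `@RESOURCE.` prefixes are the SDDL conventions for claims-based ACEs.

```powershell
# Added example: Dynamic Access Control for the regional sales documents scenario.
# Run on a Windows Server 2012 DC (or with RSAT) as a domain admin, after the KDC
# policy "Support for Dynamic Access Control and Kerberos armoring" is enabled.
Import-Module ActiveDirectory

# --- Claim types -----------------------------------------------------------
# Assumed mappings: Region from the country attribute (c), Role from title,
# device department from the computer object's department attribute.
$uk = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('UK', 'UK', 'United Kingdom')
$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('US', 'US', 'United States')
New-ADClaimType -DisplayName 'Region' -ID 'ad://ext/Region' -SourceAttribute 'c' `
    -AppliesToClasses 'user' -SuggestedValues $uk, $us -Enabled $true
New-ADClaimType -DisplayName 'Role' -ID 'ad://ext/Role' -SourceAttribute 'title' `
    -AppliesToClasses 'user' -Enabled $true
New-ADClaimType -DisplayName 'DeviceDepartment' -ID 'ad://ext/DeviceDepartment' `
    -SourceAttribute 'department' -AppliesToClasses 'computer' -Enabled $true

# --- Resource properties (file/folder classification) ----------------------
# Referenced in SDDL as <DisplayName>_MS, e.g. @RESOURCE.Impact_MS.
$high = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('High', 'High', 'High business impact')
$low  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Low', 'Low', 'Low business impact')
New-ADResourceProperty -DisplayName 'Region' -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -IsSecured $true -SuggestedValues $uk, $us -Enabled $true
New-ADResourceProperty -DisplayName 'Impact' -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -IsSecured $true -SuggestedValues $high, $low -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Region', 'Impact'

# --- Central access rules ---------------------------------------------------
# Conditional ACEs (XA) in SDDL. 0x1301bf = Modify, 0x1200a9 = Read & Execute.
# Rule 1, normal documents: consultants get RW only where their Region claim
# equals the folder's Region classification; Sales Managers read every region.
# No regional groups are needed. Classify every folder: an unclassified folder
# matches neither rule and is then governed by its NTFS ACL alone.
$normalAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
    '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Region == @RESOURCE.Region_MS))' +
    '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Role == "Sales Manager"))'
New-ADCentralAccessRule -Name 'Regional Sales Documents' `
    -ResourceCondition '(@RESOURCE.Impact_MS != "High")' -CurrentAcl $normalAcl

# Rule 2, high impact documents: Sales Managers only, and only from a device whose
# department claim is Corp Sales. This is the "nice to have", delivered by compound ID.
$highAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
    '(XA;;0x1301bf;;;AU;((@USER.ad://ext/Role == "Sales Manager") && ' +
    '(@DEVICE.ad://ext/DeviceDepartment == "Corp Sales")))'
New-ADCentralAccessRule -Name 'High Impact Sales Documents' `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' -CurrentAcl $highAcl

# --- Central access policy --------------------------------------------------
New-ADCentralAccessPolicy -Name 'Sales Documents Policy'
Add-ADCentralAccessPolicyMember -Identity 'Sales Documents Policy' `
    -Members 'Regional Sales Documents', 'High Impact Sales Documents'

# Review what will be enforced before publishing the policy to the file servers.
Get-ADCentralAccessRule -Filter * | Select-Object Name, ResourceCondition, CurrentAcl
```

Publish the policy to the file servers through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy), then select it on the Central Policy tab of each share’s Advanced Security Settings and classify the folders with the Region and Impact properties. On a Windows 8 client, `whoami /claims` shows the user and device claims the KDC placed in the ticket, which is the quickest way to confirm the compound identity requirement is actually being evaluated rather than silently falling back to groups.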
A quick tour of Dynamic Access Control
So many great enhancements
Just one more I couldn’t miss…
Well that’s what’s hot for me
Consulting services on request
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd
What’s hot for you?
Complete an evaluation on CommNet and enter to win!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.