What’s New in Active Directory in Windows Server 2012

Samuel Devasahayam, Active Directory Product Group, Microsoft

Ulf Simon-Weidner, Senior Consultant, Author, Trainer, Speaker, Computacenter, Germany

SIA312


Agenda

Objectives / Takeaways

Areas of Investment / Our Broad Goals

New Features / Enhancements

Summary of Requirements

speaking 2.0

Questions?

Twitter questions using hashtag #TESIA312

Objectives

Provide an understanding of…
the broad areas we have invested in and why
the business and/or technical challenges that led to each of the new features

Provide detailed insights into the Active Directory features and…
define requirements and implementation specifics
highlight the value these features bring to your environment

Given the sheer volume of topics…
provide technically deep content, striving for a balance of breadth and depth
provide material that is sufficiently complete and technically rich to be useful outside of the session

High-Level Areas of Investment

Simplified deployment of Active Directory

Optimal deployment experiences in both private and public clouds

Increase consistency throughout the management experience

Accommodate business-driven security requirements through the integration of:
file classification
claims-based authorization

Our Broad Goals

Virtualization That Just Works
• All Active Directory features work equally well in physical, virtual or mixed environments

Simplified Deployment of Active Directory
• Complete integration of environment preparation, role installation and DC promotion into a single UI
• DCs can be deployed rapidly to ease disaster recovery and workload balancing
• DCs can be deployed remotely on multiple machines from a single Windows 8 machine
• Consistent command-line experience through Windows PowerShell enables automation of deployment tasks

Simplified Management of Active Directory
• GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
• Active Directory Windows PowerShell support for managing replication and topology data
• Simplified delegation and management of service accounts

New Features and Enhancements

Miscellaneous
Virtualization-Safe Technology
Active Directory Platform Changes
Rapid Deployment
Simplified Deployment

Management
Recycle Bin User Interface
Active Directory Replication & Topology Cmdlets
Dynamic Access Control
Active Directory Based Activation
Group Managed Service Accounts
Kerberos Enhancements
Active Directory PowerShell History Viewer User Interface
Fine-Grained Password Policy User Interface


Simplified Deployment

Background
adding replica DCs running newer versions of the Windows Server operating system has proven to be:
time consuming
error-prone
complex

In the past, IT pros were required to:
obtain the correct (new) version of the ADprep tools
interactively log on at specific per-domain DCs using a variety of different credentials
run the preparation tool in the correct sequence with the correct switches
wait for replication convergence between each step

Simplified Deployment

Solution
integrate preparation steps into the promotion process
automate the pre-requisites between each of them
validate environment-wide pre-requisites before beginning deployment
integrated with Server Manager and remoteable
built on Windows PowerShell for command-line and UI consistency
configuration wizard aligns to the most common deployment scenarios

Simplified Deployment: What Changed?

Streamline the deployment process
… by integrating preparation and promotion processes and automating pre-requisites in between

Minimize odds of deployment failures
… by validating environment pre-requisites before deployment

Minimize number of touch-points
… by providing remote capabilities for both preparation and promotion processes

Optimize for common deployment paths
… by aligning the configuration wizard to the most common deployment scenarios

Bring consistency with other Windows Server roles’ deployment experiences
… by integrating the full deployment experience with Server Manager

Gain UI consistency by leveraging an enhanced command-line experience
… by providing a deployment and configuration wizard that is built on top of Windows PowerShell

Simplified Deployment

Requirements
Windows Server 2012
target forest must be Windows Server 2003 functional level or greater
introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges
subsequent DCs require only Domain Admin privileges within the target domain
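The procedure above (validate environment prerequisites first, then promote, remotely and from PowerShell) as an added example; this is not code from the deck. It uses the ADDSDeployment module that the Windows Server 2012 wizard is built on. The server name, domain, site and paths are assumptions; the credential requirement follows the requirements slide (Enterprise and Schema Admin only for the first 2012 DC, Domain Admin afterwards).

```powershell
# Added example (not from the deck): validate and promote a replica DC on a
# remote server from an admin workstation (Windows 8 with RSAT, or a 2012 server).
$TargetServer = 'DC03.corp.example.com'        # assumed: already joined to the domain
$DomainName   = 'corp.example.com'             # assumed
$Site         = 'Default-First-Site-Name'      # assumed

# Enterprise/Schema Admin is needed only for the FIRST 2012 DC (adprep runs
# implicitly); later DCs need Domain Admin in the target domain.
$Cred    = Get-Credential -Message 'Domain Admin (Enterprise+Schema Admin for the first 2012 DC)'
$DsrmPwd = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Invoke-Command -ComputerName $TargetServer -Credential $Cred `
    -ArgumentList $DomainName, $Site, $Cred, $DsrmPwd -ScriptBlock {
    param($DomainName, $Site, $Cred, $DsrmPwd)

    # Role installation is a separate step from promotion; the wizard does both.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # Environment-wide prerequisite check (functional levels, schema state,
    # name resolution, credentials) before anything in the forest is changed.
    $check = Test-ADDSDomainControllerInstallation -DomainName $DomainName `
        -Credential $Cred -SiteName $Site -InstallDns `
        -SafeModeAdministratorPassword $DsrmPwd
    if ($check.Status -ne 'Success') {
        $check.Message
        throw 'Prerequisite validation failed; nothing was changed.'
    }

    # Promotion. -NoRebootOnCompletion lets you review the log before the reboot.
    # Add -InstallationMediaPath 'C:\IFM' to seed from NTDSUTIL IFM media instead
    # of replicating the whole DIT over the wire.
    Install-ADDSDomainController -DomainName $DomainName -Credential $Cred `
        -SiteName $Site -InstallDns -CreateDnsDelegation:$false `
        -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
        -SafeModeAdministratorPassword $DsrmPwd -NoRebootOnCompletion:$true -Force:$true
}
```

Running `Test-ADDSDomainControllerInstallation` separately is what the wizard's "prerequisite check" page does; keeping it explicit means a failed check is logged before any schema or domain preparation is attempted.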

Simplified Deployment ++: DC Promotion Retry Logic

Since Windows 2000, DCpromo has been intolerant of transient network failures
caused promotions to fail if the network (or helper DC) “hiccupped”

Windows Server 2012 promotion employs an indefinite retry
“indefinite” because no sufficiently meaningful set of metrics is available from which to assert “sufficient progress”
so we’ve deferred the decision of “failure” to the administrator

Simplified Deployment ++: Enhanced Install-from-media (IFM) options

Goal of IFM: deploy a DC more quickly
yet “IFM prep” in NTDSUTIL executed a mandatory offline defragmentation pass
a maintenance task that our data suggests virtually nobody uses on existing production DCs
yielded an oftentimes much smaller DIT (which is great) but at the expense of time

In Windows Server 2012, NTDSUTIL’s IFM prep is enhanced
NTDSUTIL’s IFM prep now includes an option to eliminate the defragmentation pass
not the default; that remains as is
eliminates potentially hours (or days) of media preparation time
DIT will be larger (whitespace, not fragmentation), increasing copy time if slow links are involved

Simplified Deployment ++: AD FS v2.1 is in the box

AD FS v2.0 shipped out-of-band, downloaded from http://microsoft.com
AD FS (v2.1) ships in the box as a server role with Windows Server 2012
integrated with Windows Server 2012 Dynamic Access Control


Virtualization-Safe Technology

Background
common virtualization operations such as creating snapshots or copying VMs/VHDs can roll back the state of a virtual DC
introduces USN bubbles leading to permanently divergent state, causing:
lingering objects
inconsistent passwords
inconsistent attribute values
schema mismatches if the Schema FSMO is rolled back
the potential also exists for security principals to be created with duplicate SIDs

Virtualization-Safe Technology

Solution
Windows Server 2012 virtual DCs are able to detect when:
snapshots are applied
a VM is copied
built on a generation identifier (VM-generation ID) that is changed when virtualization features such as VM snapshot are used
Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory
protection achieved by:
discarding the RID pool
resetting the invocationID
re-asserting the INITSYNC requirement for FSMOs

How Domain Controllers are Impacted

Timeline of events (DC1 has invocationID A and replicates to DC2)

TIME T1: snapshot created on DC1
DC1: USN 100, ID A, RID pool 500-1000

TIME T2: +100 users added on DC1
DC1: USN 200, ID A, RID pool 600-1000
DC2 receives updates: USNs >100; DC2 now records DC1(A)@USN = 200

TIME T3: the T1 snapshot is applied to DC1
DC1: USN 100, ID A, RID pool 500-1000

TIME T4: +150 more users created on DC1
DC1: USN 250, ID A, RID pool 650-1000
DC2 receives updates: USNs >200 only; DC2 now records DC1(A)@USN = 250

USN rollback NOT detected: only 50 users converge across the two DCs
All others are either on one or the other DC
100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs

Virtualization-Safe Technology

Requirements
Windows Server 2012 DCs hosted on a hypervisor platform that supports VM-Generation ID


Rapid Deployment

Background
deploying virtualized replica DCs is as labor-intensive as physical DCs
virtualization brings capabilities that can simplify deployment
the result and goal of promoting additional DCs within a domain is an approximately identical instance (a replica)
excluding name, IP address, etc.
deployment today involves many (arguably redundant) steps:
preparation and deployment of a sysprep’d server image (with latest patches)
manually promoting a DC using either:
over-the-wire: can be time-consuming depending upon the size of the directory
install-from-media (IFM): media preparation and copying adds time and complexity
post-deployment configuration steps where necessary

Rapid Deployment: Domain Controller Cloning

Solution
create replicas of virtualized DCs by cloning existing ones
i.e. copy the VHD through hypervisor-specific export + import operations
simplify interaction and deployment dependencies between hypervisor and Active Directory admins
note that the authorization of clones remains under Enterprise/Domain Admins’ control
a game-changer for disaster recovery
requires ONLY a single Windows Server 2012 virtual DC per domain to quickly recover an entire forest
subsequent DCs can be rapidly deployed, drastically reducing time to steady state
enables elastic provisioning capabilities to support private-cloud deployments, etc.

Rapid Deployment: Cloning Flow

On the clone VM:
NTDS starts
Obtain current VM-GenID
If different from the value in the DIT: reset InvocationID, discard RID pool
DCCloneConfig.xml available? If so: Dcpromo /fixclone
Parse DCCloneConfig.xml
Configure network settings
Locate PDC
Call IDL_DRSAddCloneDC(name, site)

On the Windows Server 2012 PDC (IDL_DRSAddCloneDC):
Check authorization
Create new DC object by duplicating the source DC objects (NTDSDSA, Server, Computer instances)
Generate new DC machine account and password

Back on the clone VM:
Save clone state (new name, password, site)
Promote as replica (IFM)
Run (specific) sysprep providers
Reboot

Configuration-container objects involved:
CN=Configuration
|-- CN=Sites
    |-- CN=<site name>
        |-- CN=Servers
            |-- CN=<DC Name>
                |-- CN=NTDS Settings

Rapid Deployment: Domain Controller Cloning

Requirements
Windows Server 2012 virtual DC hosted on a VM-Generation-ID-aware hypervisor platform
PDC FSMO must be running Windows Server 2012 to authorize the cloning operation
source DC must be authorized for cloning:
through permission on the domain head – “Allow DC to create a clone of itself”
add the source DC’s computer account to the new “Cloneable Domain Controllers” group
DCCloneConfig.xml file must be present on the clone DC in one of:
the directory containing NTDS.DIT
the default DIT directory (%windir%\NTDS)
removable media (virtual floppy, USB, etc.)
commonplace Windows Server 2012 services that are co-located with DCs are supported, e.g. DNS, FRS, DFSR
additional services/scheduled tasks installed on the clone source must be added to an admin-extensible whitelist
if an installed component is not present in the whitelist, the cloning process fails and the cloned DC boots to DSRM
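The requirements on this slide and the VM-Generation-ID requirement of the Virtualization-Safe Technology section, checked and satisfied from the source DC, as an added example (not code from the deck). It uses the Windows Server 2012 ActiveDirectory module cmdlets for cloning. The clone name, site and IP addresses are assumptions; reading `msDS-GenerationId` from the source DC itself is how the script infers that the hypervisor exposes a VM-Generation ID, since that attribute is DC-local and not replicated.

```powershell
# Added example (not from the deck): prepare a Windows Server 2012 virtual DC
# for cloning. Run on the source DC as a Domain Admin.
Import-Module ActiveDirectory
$SourceDc  = $env:COMPUTERNAME
$CloneName = 'DC04'                              # assumed name for the clone
$Domain    = Get-ADDomain

# 1. The PDC emulator authorizes the clone and must be a 2012 DC.
$pdc = Get-ADDomainController -Identity $Domain.PDCEmulator
if ($pdc.OperatingSystem -notmatch '2012') {
    throw "PDC $($pdc.HostName) runs '$($pdc.OperatingSystem)'; cloning needs a 2012 PDC."
}

# 2. Hypervisor must expose a VM-Generation ID. A 2012 DC stores the value it
#    last saw in the non-replicated msDS-GenerationId attribute of its own
#    computer object, so ask the source DC directly (-Server), not any DC.
$me = Get-ADComputer -Identity $SourceDc -Server $SourceDc -Properties 'msDS-GenerationId'
if (-not $me.'msDS-GenerationId') {
    throw "No msDS-GenerationId on $SourceDc; the hypervisor is not VM-Generation-ID aware (no safe-snapshot protection either)."
}

# 3. Authorize the source DC. Membership in "Cloneable Domain Controllers" is
#    the supported way to grant "Allow a DC to create a clone of itself".
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $me

# 4. Anything installed on the source DC that is not on the built-in whitelist
#    makes the clone fail into DSRM. List it, review it, and only then write the
#    CustomDCCloneAllowList.xml exclusion file.
$unlisted = Get-ADDCCloningExcludedApplicationList
if ($unlisted) {
    $unlisted | Format-Table Name, Type -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force | Out-Null   # after review only
}

# 5. Write DCCloneConfig.xml into the DIT directory (one of the three locations
#    the slide lists). Static addressing shown; omit the IPv4 values for DHCP.
New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.14' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' -Path 'C:\Windows\NTDS'

# Next: shut the source DC down, export/import the VM in the hypervisor and boot
# the copy. The changed VM-Generation ID plus the present DCCloneConfig.xml
# triggers the Dcpromo /fixclone flow shown on the previous slide.
```

Step 4 is the security-relevant one: the whitelist is what stops an unreviewed agent or scheduled task from being silently duplicated, with its credentials, into a new domain controller.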


Brief Terminology Level-Set

RootDSE mods
aka operational attributes
LDAP’s answer to RPC

Constructed attributes
typically impose a compute burden: the answer is “constructed” based on something else
the query processor will reject anything other than a base-scoped filter that includes a constructed attribute
typically not defined in the schema; known only to the code

LDAP controls and matching rules
affect the way the query processor handles things, e.g.
return deleted objects (a control that is checked in along with the query)
bitwise comparison (a matching rule) (searchFlags:1.2.840.113556.1.5.807:=1)

Finite address spaces within Active Directory
RIDs (exposed)
DNTs (exposed, but new to Windows Server 2012)
LIDs (not exposed)

RID Improvements

Background
a recent bout of cases involving RID depletion or complete global RID-space exhaustion motivated an investigation into root cause
a couple of bugs were identified and fixed
the investigation also highlighted the need for general improvements and concerns around finite scale limitations

RID Improvements

What were the problems?
Failed user account creation when policy is met leaked 1 RID
Failed computer account creation by privilege by standard domain user
Missing rIDSetReferences value will lead to RID pool exhaustion
No limit on RID pool block size exacerbated the above problems
Poor warning messages meant admins did not catch this early enough

RID Improvements

What did we do to fix this?
Fixed RID leak issues during user account and computer account creation
DC reincarnation now populates the appropriate rIDSetReferences attribute
Enforce a maximum cap (15K) on the RID policy RID Block Size
Log an event every time a RID pool is invalidated on a DC
Periodic RID consumption warning at 10% of global RID space
RID Manager artificial ceiling protection mechanism
triggered at 90% of global RID space
Unlock the 31st bit of global RID space

…further details on this in the appendix of this deck
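An audit of the two conditions these slides describe (global RID-space consumption against the 10% and 90% thresholds, and DCs whose computer object lacks `rIDSetReferences`) as an added example; it is not code from the deck. It relies on the layout of `rIDAvailablePool` on the RID Manager object (high 32 bits: highest RID the domain may issue; low 32 bits: next RID to hand out), which is how the 31st-bit unlock becomes visible.

```powershell
# Added example (not from the deck): audit RID-space consumption and per-DC
# rIDSetReferences. Read-only; run as a domain user with default read rights.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
    -Server $domain.RIDMaster -Properties rIDAvailablePool

# rIDAvailablePool is a single 64-bit value; split it exactly, byte-wise
# (little-endian), rather than through floating-point division.
$bytes   = [BitConverter]::GetBytes([int64]$ridMgr.rIDAvailablePool)
$nextRid = [BitConverter]::ToUInt32($bytes, 0)    # low 32 bits: next RID to issue
$maxRid  = [BitConverter]::ToUInt32($bytes, 4)    # high 32 bits: ceiling (2^30-1 until the 31st bit is unlocked)
$usedPct = [math]::Round(100 * $nextRid / $maxRid, 2)

$status = if ($usedPct -ge 90)     { 'CRITICAL: artificial ceiling (90%) reached or imminent' }
          elseif ($usedPct -ge 10) { 'WARNING: periodic consumption warnings are being logged' }
          else                     { 'OK' }

[pscustomobject]@{
    Domain         = $domain.DNSRoot
    RidMaster      = $domain.RIDMaster
    MaxRid         = $maxRid
    NextRid        = $nextRid
    PercentIssued  = $usedPct
    ThirtyFirstBit = ($maxRid -gt 0x3FFFFFFF)
    Status         = $status
}

# Each DC's computer object must point at its RID Set object; without it the
# DC requests a brand-new pool on every allocation (slide 29).
foreach ($dc in Get-ADDomainController -Filter *) {
    $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    if (-not $comp.rIDSetReferences) {
        Write-Warning "$($dc.HostName): rIDSetReferences is missing; RID pools will leak."
    }
}
```

A `PercentIssued` that jumps between runs, rather than growing with account creation, is the symptom to chase: it usually means pools are being invalidated (the new per-invalidation event on the slide) or a DC is re-requesting pools because of the missing reference.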

Deferred Index Creation

Adding indices to existing attributes resulted in DC performance issues, i.e.
DCs received the schema update through replication
5 minutes later, DCs refresh their schema cache
many/all DCs begin building the index at approximately the same time

Windows Server 2012 introduces a new dSHeuristic
the 18th byte, but using a zero base, so some say the 19th byte
setting it to 1 causes any Windows Server 2012 DC to defer building indices until:
it receives the UpdateSchemaNow rootDSE mod (triggers a rebuild of the schema cache)
it is rebooted (which requires that the schema cache be rebuilt and, in turn, the deferred indices)

any attribute that is in a deferred index state will be logged in the Event Log every 24 hours
2944: index deferred (logged once)
2945: index still pending (logged every 24 hours)
1137: index created (logged once; not a new event)
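Setting the heuristic, then releasing the build on one DC at a time and watching the three events above, as an added example (not code from the deck). It assumes the 19th character (1-based) of `dSHeuristics` is the flag, as the slide states, and that every tenth character of that string must hold its position digit (the tenth is `1`), so the script pads without disturbing existing settings. The rootDSE attribute used for the trigger is `schemaUpdateNow`; the DC name is an assumption.

```powershell
# Added example (not from the deck): enable deferred index creation and drive
# the index build per DC instead of forest-wide at once.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj    = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$current  = (Get-ADObject -Identity $dsObj -Properties dSHeuristics).dSHeuristics

# dSHeuristics is positional. Pad with '0' to the length we need, keep every
# existing character, and set the mandatory '1' at position 10.
$chars     = ($current + '').PadRight(19, '0').ToCharArray()
$chars[9]  = '1'
$chars[18] = '1'            # 19th character (zero-based index 18): defer index builds
$new = -join $chars
Set-ADObject -Identity $dsObj -Replace @{ dSHeuristics = $new }
"dSHeuristics: '$current' -> '$new'"

# Per DC, in its own maintenance window: rebuild the schema cache so that this
# DC builds its deferred indices now (the rootDSE mod the slide refers to).
function Invoke-SchemaRefresh([string]$Dc) {
    $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

# Deferred / still-pending / created index events from a DC's Directory Service log.
function Get-IndexEvents([string]$Dc) {
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2944, 2945, 1137 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
}

Get-IndexEvents -Dc 'DC01'          # assumed DC name: expect 2944/2945 for the new attribute
Invoke-SchemaRefresh -Dc 'DC01'     # then 1137 once the index exists
```

Because the heuristic only changes behaviour on Windows Server 2012 DCs, a mixed forest still builds the index immediately on the older DCs; plan the schema change around those.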

Off-Premises Domain Join

Extends offline domain join by allowing the blob to accommodate DirectAccess prerequisites:
certificates
Group Policies

What does this mean?
a computer can now be domain-joined over the Internet if the domain is DirectAccess enabled
getting the blob to the non-domain-joined machine is an offline process and the responsibility of the admin
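The two halves of that workflow (provisioning a blob that carries the DirectAccess policy and certificate, then consuming it on the remote machine) as an added example; it is not from the deck. It uses the `djoin.exe` provisioning switches for policy names, certificate template and root CA certificates; the domain, OU, machine, policy and template names are assumptions. The hash step is added because the blob is a credential: whoever holds it can join as that machine.

```powershell
# Added example (not from the deck): off-premises (offline + DirectAccess) domain join.
# --- On a domain-joined admin host (account needs create-computer rights on the OU):
djoin.exe /PROVISION /DOMAIN corp.example.com /MACHINE LAPTOP-042 `
    /MACHINEOU 'OU=Laptops,DC=corp,DC=example,DC=com' `
    /POLICYNAMES 'DirectAccess Client Settings' `
    /CERTTEMPLATE 'DAClientAuth' /ROOTCACERTS `
    /SAVEFILE C:\Provision\LAPTOP-042.txt

# The blob now contains a machine certificate and the policy needed to reach the
# DirectAccess server. Treat it as a secret; record its hash so the recipient
# can confirm the out-of-band copy arrived intact.
certutil -hashfile C:\Provision\LAPTOP-042.txt SHA256

# --- On the not-yet-joined machine, elevated, after the blob has been delivered
#     by whatever offline channel the admin chose:
djoin.exe /REQUESTODJ /LOADFILE C:\Provision\LAPTOP-042.txt /WINDOWSPATH $env:SystemRoot /LOCALOS
Remove-Item C:\Provision\LAPTOP-042.txt      # the blob is single-use; do not leave it on disk
Restart-Computer
```

After the reboot the machine applies the embedded policy, establishes the DirectAccess tunnel with the provisioned certificate, and completes the join against a DC it could not otherwise reach.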

Connected Accounts

Background
a consumer-oriented feature coupled with Metro, providing enhanced app-dev capabilities
provides an out-of-box ability to interactively log on to Windows 8 as a “connected” Live ID
roams certain aspects of a user’s profile between Windows 8 computers sharing the same connected Live ID

Connected Accounts

Live ID logon to Windows with a connected Active Directory user account is NOT supported
connecting local accounts on domain-joined machines IS supported
SSO to Live-supported web sites still functions, as does profile sync, etc.
a Group Policy setting can disable Live ID connected accounts completely
Server SKUs do NOT support connected accounts

Note that Windows 8 client applications that are built to use Metro are able to leverage a rich set of features specific only to connected accounts

Connected Accounts

Object Picker and Windows as a whole will correctly display the Live ID, not the local account
any legacy applications will still see the NT-style account name
Administrator must associate the Live ID with the target account
this can be done retroactively or during the OOBE (page 2)
Connected local user WILL appear in Local Users and Groups
password change attempts will be blocked

Expose DNTs on rootDSE

Active Directory’s DIT uses DNTs
if we think of the DIT as a spreadsheet, DNTs are very much like row numbers
finite address space == 2^31 (~2 billion)
DNTs are NOT replicated (a database-local concept)
never re-used (the value only ever increases)
DNTs are never re-serialized (or reclaimed) except during over-the-wire promotions
neither IFM nor cloning will re-serialize them
once you run out, the DC must be demoted and re-promoted over the wire

determining the DNT for a given DC required that you dump its database or programmatically interrogate the DIT
time consuming, impacts performance and disk space

Windows Server 2012 Active Directory exposes DNTs via:
rootDSE constructed attribute: approximateHighestInternalObjectID
a perfmon counter, too

Enhanced LDAP logging

Enhanced LDAP logging added in Windows Server 2012
existing LDAP logging capabilities were deemed insufficient
unable to isolate/diagnose the root cause of many behaviors/failures with existing logging

Enabled through the registry via logging overrides or level 5 LDAP logging
additional logging logs entry and exit stats for a given API
we now also track the entry and exit tick, making it feasible to determine the sequence of events
entry: logs the operation name, the SID of the caller’s context, the client IP, entry tick and client ID
exit: logs the operation name, the SID of the caller’s context, client IP, entry and exit tick and client ID

… further details on this in the appendix of this deck
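Turning the level-5 path on for a bounded window and collecting what it produces, as an added example (not from the deck, whose appendix with the details is not included here). It uses the NTDS diagnostics registry value `16 LDAP Interface Events`; the deck's separate "logging overrides" mechanism is not covered. Level 5 is verbose enough to fill the Directory Service log quickly, which is why the window is timed and the previous level restored.

```powershell
# Added example (not from the deck): scoped level-5 LDAP interface logging on a DC.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$name = '16 LDAP Interface Events'

function Enable-LdapTrace {
    $previous = (Get-ItemProperty -Path $diag -Name $name).$name
    Set-ItemProperty -Path $diag -Name $name -Value 5 -Type DWord
    return $previous
}
function Disable-LdapTrace([int]$RestoreTo = 0) {
    Set-ItemProperty -Path $diag -Name $name -Value $RestoreTo -Type DWord
}

# Collect for a bounded window, restore the old level, then export the events
# written during the window. The entry/exit records carry the operation name,
# caller SID, client IP, ticks and client ID, so rows can be paired afterwards.
$old   = Enable-LdapTrace
$start = Get-Date
Start-Sleep -Seconds 120           # reproduce the behaviour under investigation here
Disable-LdapTrace -RestoreTo $old

Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*ActiveDirectory*' } |
    Select-Object TimeCreated, Id, Message |
    Export-Csv -Path C:\Temp\ldap-trace.csv -NoTypeInformation
"Collected $((Import-Csv C:\Temp\ldap-trace.csv).Count) events between $start and $(Get-Date); level restored to $old."
```

Pairing an entry record with its exit record by client ID and entry tick gives per-operation latency, which is the "sequence of events" view the slide says the older logging could not provide.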

New LDAP Controls/Behaviors

Batched extended-LDAP operations (1.2.840.113556.1.4.2212)
Require server-sorted search to use an index on the sort attribute (1.2.840.113556.1.4.2207)
DirSync_EX_Control (1.2.840.113556.1.4.2090)
TreeDelete control with batch size (1.2.840.113556.1.4.2204)
Include ties in server-sorted search results (1.2.840.113556.1.4.2210)
Return highest change stamp applied as part of an update (1.2.840.113556.1.4.2205)
Expected entry count (1.2.840.113556.1.4.2211)

… further details on each of these new controls in the appendix of this deck
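One rootDSE probe per DC that serves both this slide and the DNT slide before it, as an added example (not from the deck): it reads `approximateHighestInternalObjectID` against the 2^31 DNT ceiling and checks `supportedControl` for the seven OIDs listed above. Because DNTs are DC-local and not replicated, each DC is queried directly. The OIDs and their descriptions are the ones on the slide; the percentage thresholds are left to the reader.

```powershell
# Added example (not from the deck): per-DC rootDSE report for DNT usage and
# Windows Server 2012 LDAP control support.
Import-Module ActiveDirectory
$dntLimit     = [math]::Pow(2, 31)
$controls2012 = @{
    '1.2.840.113556.1.4.2212' = 'Batched extended-LDAP operations'
    '1.2.840.113556.1.4.2207' = 'Require index on server-sorted search'
    '1.2.840.113556.1.4.2090' = 'DirSync_EX_Control'
    '1.2.840.113556.1.4.2204' = 'TreeDelete with batch size'
    '1.2.840.113556.1.4.2210' = 'Include ties in server-sorted results'
    '1.2.840.113556.1.4.2205' = 'Return highest change stamp'
    '1.2.840.113556.1.4.2211' = 'Expected entry count'
}

function Get-DcRootDseReport([string]$Dc) {
    $root = Get-ADRootDSE -Server $Dc -Properties approximateHighestInternalObjectID, supportedControl
    $dnt  = [int64]$root.approximateHighestInternalObjectID     # 0 when absent (pre-2012 DC)
    $pct  = if ($dnt) { [math]::Round(100 * $dnt / $dntLimit, 3) } else { $null }
    $missing = @($controls2012.Keys | Where-Object { $root.supportedControl -notcontains $_ })
    [pscustomobject]@{
        DC              = $Dc
        HighestDNT      = $dnt
        DntPercentUsed  = $pct
        Controls2012    = $controls2012.Count - $missing.Count
        MissingControls = ($missing | ForEach-Object { $controls2012[$_] }) -join '; '
    }
}

Get-ADDomainController -Filter * |
    ForEach-Object { Get-DcRootDseReport -Dc $_.HostName } |
    Sort-Object DntPercentUsed -Descending | Format-Table -AutoSize
```

A DC that advertises none of the seven controls is not running Windows Server 2012, so the same report doubles as an inventory of which DCs can honour the batched and sorted-search controls a client might send.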



Recycle Bin User Interface

Background
the Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery
scenarios requiring object recovery via the Recycle Bin are typically high priority
recovery from accidental deletions, etc. resulting in failed logons / work stoppages
the absence of a rich graphical interface complicated its usage and slowed recovery

Recycle Bin User Interface

Solution
simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center
deleted objects can now be recovered within the graphical user interface
greatly reduces recovery time by providing a discoverable, consistent view of deleted objects

Recycle Bin User Interface

Requirements
Recycle Bin’s own requirements must first be satisfied, e.g.
Windows Server 2008 R2 forest functional level
Recycle Bin optional feature must be switched on
Windows Server 2012 Active Directory Administrative Center
Objects requiring recovery must have been deleted within the Deleted Object Lifetime (DOL)
defaults to 180 days
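The prerequisite checks on this slide and the recovery that the Deleted Objects node performs, as an added example in the ActiveDirectory module (not code from the deck). It reads the Deleted Object Lifetime from `msDS-DeletedObjectLifetime` on the Directory Service object (an unset value means the 180-day default); the account name to recover is an assumption.

```powershell
# Added example (not from the deck): Recycle Bin prerequisites and a restore.
Import-Module ActiveDirectory
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest mode is $($forest.ForestMode); Recycle Bin needs Windows Server 2008 R2 forest functional level."
}

# Enabling the optional feature is one-way and forest-wide, so confirm it.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$true
}

# Deleted Object Lifetime: only objects deleted within it are still recoverable.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj    = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$dol = (Get-ADObject -Identity $dsObj -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'
"Deleted Object Lifetime: $(if ($dol) { $dol } else { '180 (default)' }) days"

# Deleted objects keep their attributes in the Recycle Bin, so a deleted user can
# still be found by samAccountName; lastKnownParent is where it will go back.
function Find-DeletedUser([string]$SamAccountName) {
    Get-ADObject -Filter "isDeleted -eq `$true -and samAccountName -eq '$SamAccountName'" `
        -IncludeDeletedObjects -Properties samAccountName, lastKnownParent, whenChanged
}

$victim = Find-DeletedUser -SamAccountName 'jdoe'      # assumed account
if ($victim) {
    "Restoring $($victim.samAccountName) (deleted $($victim.whenChanged)) into $($victim.lastKnownParent)"
    # -NewName is only needed if a live object with the same RDN now exists there.
    Restore-ADObject -Identity $victim.ObjectGUID
}
```

Restoring by `ObjectGUID` rather than by the mangled deleted DN avoids the `\0ADEL:` escaping problem, and because the Recycle Bin keeps the SID and group links the restored account regains its access without re-provisioning.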


Active Directory Windows PowerShell History Viewer

Background
Windows PowerShell is a key technology in creating a consistent experience between the command line and the graphical user interface
Windows PowerShell increases productivity
but requires investment in learning how to use it

Active Directory Windows PowerShell History Viewer

Solution
allow administrators to view the Windows PowerShell commands executed when using the Administrative Center, e.g.
the administrator adds a user to a group
the UI displays the equivalent Active Directory Windows PowerShell command
administrators can copy the resulting syntax and integrate it into their scripts
reduces the learning curve
increases confidence in scripting
further enhances Windows PowerShell discoverability

Active Directory Windows PowerShell History Viewer

Requirements
Windows Server 2012 Active Directory Administrative Center
Active Directory Web Service running on a domain controller within the target domain


Fine-Grained Password Policy

Background
the Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password policies
in order to leverage the feature, administrators had to manually create password-settings objects (PSOs)
it proved difficult to ensure that the manually defined policy values behaved as desired
resulted in time-consuming, trial-and-error administration

Fine-Grained Password Policy

Solution
creating, editing and assigning PSOs is now managed through the Active Directory Administrative Center
greatly simplifies management of password-settings objects

Fine-Grained Password Policy

Requirements
FGPP requirements must be met, e.g.
Windows Server 2008 domain functional level
Windows Server 2012 Active Directory Administrative Center
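The PSO lifecycle these three slides describe (create, assign, and then confirm the values actually apply to a user, which the background slide says was the trial-and-error part) as an added example in the ActiveDirectory module; it is not code from the deck. Policy, group and account names are assumptions, and the values are illustrative.

```powershell
# Added example (not from the deck): create a PSO, assign it, verify the result.
Import-Module ActiveDirectory
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain mode $($domain.DomainMode) is below Windows Server 2008; FGPP is unavailable."
}

# Every mandatory PSO attribute is supplied; the lowest Precedence wins when a
# user is covered by several PSOs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Domain Admins'

# Verification: the resultant policy after precedence is resolved. $null means
# the Default Domain Policy applies, i.e. no PSO reached this user.
function Test-ResultantPolicy([string]$User, [string]$ExpectedPso) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $User
    $got  = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
    [pscustomobject]@{
        User      = $User
        Expected  = $ExpectedPso
        Resultant = $got
        Match     = ($got -eq $ExpectedPso)
        MinLength = if ($rsop) { $rsop.MinPasswordLength } else { $null }
    }
}

Test-ResultantPolicy -User 'adm-jdoe' -ExpectedPso 'PSO-PrivilegedAdmins'    # assumed account
```

Running `Test-ResultantPolicy` over every member of a privileged group after a change is the scripted equivalent of what the Administrative Center's "View resultant password settings" action does for one user.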


Group Managed Service Accounts (gMSA)

Background
Managed Service Accounts (MSAs) were introduced with Windows Server 2008 R2
clustered or load-balanced services that needed to share a single security principal were unsupported
MSAs were not able to be used in many desirable scenarios

Group Managed Service Accounts (gMSA)

Solution
introduce a new security principal type known as a gMSA
services running on multiple hosts can run under the same gMSA account
1 or more Windows Server 2012 DCs required
gMSAs can authenticate against any OS-version DC
passwords computed by the Group Key Distribution Service (GKDS) running on all Windows Server 2012 DCs
Windows Server 2012 hosts using gMSAs obtain the password and password updates from GKDS
password retrieval limited to authorized computers
password-change interval defined at gMSA account creation (30 days by default)
like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools
support for scheduled tasks is being investigated

Page 55

Group Managed Service Accounts (gMSA)

Requirements:
• Windows Server 2012 Active Directory schema updated in forests containing gMSAs
• 1 or more Windows Server 2012 DCs to provide password computation and retrieval
• a KDS root key must exist in the forest before the first gMSA can be created (Add-KdsRootKey)
• only services running on Windows 8 or Windows Server 2012 can use gMSAs
• Windows Server 2012 Active Directory Module for Windows PowerShell to create gMSA accounts
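The end-to-end provisioning the two preceding slides describe, as an added example written for this page (it is not code from the session deck). The forest name contoso.com, the host group WebFarmHosts, the account svc-webfarm and the hosts WEB01/WEB02 are assumptions; the cmdlets and parameters are those of the Windows Server 2012 Active Directory module.

```powershell
# Added example (not from the deck): provision a gMSA for a two-node web farm,
# then audit which principals may read gMSA passwords in the domain.
# Names (contoso.com, WebFarmHosts, svc-webfarm, WEB01/WEB02) are assumptions.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key the Group Key Distribution Service
#    derives every gMSA password from. Even with -EffectiveImmediately the key
#    is not usable on all DCs for up to 10 hours (replication safety margin).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Authorize a group of hosts rather than individual computers, so adding a
#    farm member is a group change and the gMSA object itself stays untouched.
$hostGroup = New-ADGroup -Name 'WebFarmHosts' -GroupScope Global `
    -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $hostGroup -Members 'WEB01$', 'WEB02$'

# 3. Create the gMSA. The password interval is fixed at creation time; 30 days
#    is the default and is stated explicitly here. Restricting Kerberos to AES
#    removes RC4 service tickets for this principal.
New-ADServiceAccount -Name 'svc-webfarm' `
    -DNSHostName 'svc-webfarm.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/intranet.contoso.com' `
    -KerberosEncryptionType AES128, AES256

# 4. On each farm member (after a reboot so the new group membership is in
#    the machine's token): install and test. Test-ADServiceAccount returns
#    $true only if this host can actually retrieve the password from the KDS.
#    Install-ADServiceAccount -Identity 'svc-webfarm'
#    Test-ADServiceAccount -Identity 'svc-webfarm'

# 5. Audit: every gMSA in the domain, its rotation interval and who may read
#    its password. Anything beyond the intended host group is a finding.
Get-ADServiceAccount -Filter * `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
    Select-Object Name, ManagedPasswordIntervalInDays,
        @{ n = 'AllowedToRetrieve'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ', ' } }
```

In a lab the 10-hour wait can be skipped by backdating the key (Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))); in production, create the key once, well ahead of the first gMSA, and let it replicate. Step 5 is the check worth scheduling: the group named in PrincipalsAllowedToRetrieveManagedPassword is the trust boundary for the account, so membership of that group deserves the same review as the service account's own rights.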


Page 57

Active Directory Replication & Topology Cmdlets

Background:
• administrators require a variety of tools to manage Active Directory's site topology
  • repadmin
  • ntdsutil
  • Active Directory Sites and Services
  • etc.
• results in an inconsistent experience
• difficult to automate

Page 58

Active Directory Replication & Topology Cmdlets

Solution:
• manage replication and site-topology with the Active Directory module for Windows PowerShell
  • create and manage sites, site-links, site-link bridges, subnets and connections
  • replicate objects between DCs
  • view replication metadata on object attributes
  • view replication failures
  • etc.
• provides a consistent and more easily scriptable experience
• compatible and interoperable with other Windows PowerShell cmdlets
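The four capabilities listed on this slide, exercised in one script. This is an added example for this page, not code from the deck; the domain contoso.com, the DC names DC01/DC02 and the site/subnet names are assumptions, the cmdlets and their output properties are those shipped in the Windows Server 2012 Active Directory module.

```powershell
# Added example (not from the deck): a replication-health and change-origin
# report built only from the Windows Server 2012 replication cmdlets.
# Assumed names: contoso.com, DC01/DC02, site "Munich", subnet 10.20.0.0/16.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

# 1. Every DC in the domain that has recorded an inbound replication failure,
#    with the partner and the last error (-Scope Domain walks all DCs).
Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# 2. Partner metadata: when did each DC last successfully pull from each
#    inbound partner? Anything older than a day is worth a look.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound |
        Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-1) } |
        Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
}

# 3. Forensics: attribute metadata on a sensitive object. For the "member"
#    link values of Domain Admins this shows which DC originated each add or
#    remove, when, and when a value was deleted, with no event-log access.
$da = Get-ADGroup 'Domain Admins'
Get-ADReplicationAttributeMetadata -Object $da.DistinguishedName `
    -Server $dcs[0].HostName -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    Select-Object AttributeValue, Version, LastOriginatingChangeTime,
        LastOriginatingChangeDirectoryServerIdentity, LastOriginatingDeleteTime

# 4. Push a single object now instead of waiting for the schedule, e.g. after
#    disabling a compromised account on DC01 you want DC02 to know at once.
# Sync-ADObject -Object $da.DistinguishedName -Source 'DC01' -Destination 'DC02'

# 5. Topology as code: a site, its subnet and the link back to the hub.
# New-ADReplicationSite     -Name 'Munich'
# New-ADReplicationSubnet   -Name '10.20.0.0/16' -Site 'Munich'
# New-ADReplicationSiteLink -Name 'HQ-Munich' `
#     -SitesIncluded 'Default-First-Site-Name', 'Munich' `
#     -Cost 100 -ReplicationFrequencyInMinutes 15
```

Step 3 is the incident-response use of these cmdlets: replication metadata is kept on every DC and survives log clearing on the DC where the change was made, so LastOriginatingChangeDirectoryServerIdentity plus the timestamp tells you where to pull logs from. Steps 4 and 5 are commented out because they write to the directory; remove the comment markers to run them.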

Page 59

Active Directory Replication & Topology Cmdlets

Requirements:
• Active Directory Web Service (ADWS), or the Active Directory Management Gateway Service on Windows Server 2003 or 2008 DCs
• Remote Server Administration Tools (RSAT)


Page 61

Active Directory-based Activation (AD BA)

Background:
• today, Volume Licensing for Windows/Office requires Key Management Service (KMS) servers
  • requires minimal training; a turnkey solution that covers ~90% of deployments
  • complexity is caused by the lack of a graphical administration console
  • requires RPC traffic on the network, which complicates matters
  • does not support any kind of authentication, so the EULA prohibits the customer from connecting the KMS server to any external network, i.e. connectivity alone to the service equates to activated

Page 62

Active Directory-based Activation (AD BA)

Solution:
• use your existing Active Directory infrastructure to activate your clients
  • no additional machines required
  • no RPC requirement, uses LDAP exclusively
  • includes RODCs
• beyond installation and service-specific requirements, no data is written back to the directory
• activating the initial CSVLK (customer-specific volume license key) requires:
  • a one-time contact with Microsoft Activation Services over the Internet (identical to retail activation)
  • the key to be entered using the Volume Activation Services server role or the command line
  • repeating the activation process for additional forests, up to 6 times by default
• the activation object is maintained in the configuration partition
  • represents proof of purchase
  • machines can be members of any domain in the forest
• all Windows 8 machines will automatically activate

Page 63

Active Directory-based Activation (AD BA)

Requirements:
• only Windows 8 or Windows Server 2012 machines can leverage AD BA
• KMS and AD BA can coexist
  • you still need KMS if you require downlevel volume-licensing
• setup requires a Windows 8 or Windows Server 2012 machine
• requires the Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers
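The command-line path the Solution slide mentions, followed by the checks a practitioner would add: where the proof-of-purchase object lives, who can remove it, and whether a client actually activated. This is an added example for this page, not code from the deck. The product key is a placeholder, and the activation-object name, the container path under CN=Microsoft SPP and the msSPP-ActivationObject class name are stated as assumptions to verify in your forest; slmgr.vbs, the AD cmdlets and the SoftwareLicensingProduct WMI class are real.

```powershell
# Added example (not from the deck): activate a CSVLK into the forest with
# slmgr.vbs, audit the resulting activation object over LDAP, and confirm a
# client activated. Placeholder key; container/class names are assumptions.
Import-Module ActiveDirectory

$csvlk = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, not a real key
$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

# 1. Once per forest, as Enterprise Admin, from a Windows 8 / Windows Server
#    2012 machine with Internet access: one contact with Microsoft Activation
#    Services, after which the activation object is written to the config NC.
#    cscript.exe //nologo $slmgr /ad-activation-online $csvlk 'Contoso-Win8-CSVLK'

# 2. List activation objects with slmgr, or directly over LDAP so the check
#    runs from any management host without activation tooling installed.
#    cscript.exe //nologo $slmgr /ao-list
$configNC = (Get-ADRootDSE).configurationNamingContext
$aoBase   = "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$configNC"   # assumed path
Get-ADObject -SearchBase $aoBase -LDAPFilter '(objectClass=msSPP-ActivationObject)' `
    -Properties whenCreated |
    Select-Object Name, DistinguishedName, whenCreated

# 3. The container ACL is the control point: whoever can delete here removes
#    proof of purchase for the whole forest, so list who holds such rights.
(Get-Acl "AD:\$aoBase").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild|DeleteChild|WriteDacl|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

# 4. On a domain-joined Windows 8 client: LicenseStatus 1 means Licensed.
#    The ApplicationID below is the Windows operating-system licensing app.
Get-CimInstance SoftwareLicensingProduct `
    -Filter "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL" |
    Select-Object Name, Description, LicenseStatus
```

Steps 1 and 2's slmgr calls are commented out because step 1 contacts Microsoft and writes to the directory; run them deliberately. Step 3 is the security-relevant part of AD BA: the slide says the activation object is proof of purchase, so delete rights on that container are worth the same scrutiny as rights on any other forest-wide configuration data.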


Page 65

Flexible Authentication Secure Tunneling (FAST)

Background:
• an offline dictionary attack against password-based logons is possible (the pre-authentication data in the AS-REQ is encrypted with a key derived from the user's password, so a captured exchange can be guessed against offline)
• relatively well-known concern around Kerberos errors being spoofed: clients may
  • fall back to less-secure legacy protocols
  • weaken their cryptographic key strength and/or ciphers

Page 66

Flexible Authentication Secure Tunneling (FAST)

Solution:
• Kerberos in Windows Server 2012 supports Flexible Authentication Secure Tunneling (FAST)
  • defined by RFC 6113
  • sometimes referred to as Kerberos armoring
• provides a protected channel between a domain-joined client and a DC
  • protects the pre-authentication data in the user's AS-REQ
  • uses the LSK (logon session key) from the computer's TGT as the shared secret
  • note that computer authentication is NOT armored (the computer has no TGT yet to armor with)
• allows DCs to return authenticated Kerberos errors, thereby protecting them from spoofing
• once all Kerberos clients and DCs support FAST (the admin's decision to make), the domain can be configured to either require Kerberos armoring or use it upon request
  • must first ensure all or enough DCs are running Windows Server 2012
  • enable the appropriate policy: "Support CBAC and Kerberos armoring" or "All DCs can support CBAC and Require Kerberos armoring"

Page 67

Flexible Authentication Secure Tunneling (FAST)

Requirements:
• Windows Server 2012 servers
• ensure that all domains the client uses, including transited referral domains:
  • enable the "Support CBAC and Kerberos armoring" policy for all Windows Server 2012 DCs
  • have a sufficient number of Windows Server 2012 DCs to support FAST
• enable the "Require FAST" policy on supported clients
• RFC-compliant FAST interop requires DFL 5 (the Windows Server 2012 domain functional level)

Page 68

Kerberos Constrained Delegation (KCD)

Background:
• Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003
• KCD permits a service's account (front-end) to act on behalf of users in multi-tier applications for a limited set of back-end services, e.g.
  • a user accesses a web site as user1
  • the user requests information from the web site (front-end) that requires the web server to query a SQL database (back-end)
  • access to this data is authorized according to who accessed the front-end
  • in this case, the web service must impersonate user1 when making the request to SQL
• the front-end is configured with the services (by SPN) to which it can impersonate users
• setup/administration requires Domain Admin privileges
• KCD delegation only works for back-end services in the same domain as the front-end service-accounts

Page 69

Kerberos Constrained Delegation (KCD)

Solution:
• KCD in Windows Server 2012 moves the authorization decision to the resource-owners
  • permits the back-end to authorize which front-end service-accounts can impersonate users against its resources
• supports cross-domain and cross-forest scenarios
• no longer requires Domain Admin privileges
  • requires only administrative permission on the back-end service-account

Page 70

Kerberos Constrained Delegation (KCD)

Requirements:
• clients run Windows XP or later
• client-domain DCs running Windows Server 2003 or later
• front-end server running Windows Server 2012
• 1 or more DCs in the front-end domain running Windows Server 2012
• 1 or more DCs in the back-end domain running Windows Server 2012
• back-end server account configured with the accounts that are permitted for impersonation
  • not exposed through the Active Directory Administrative Center
  • configured through the Active Directory Windows PowerShell cmdlets:
    New/Set-ADComputer [-Name] <string> [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]
    New/Set-ADServiceAccount [-Name] <string> [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]
  • stored on the back-end account as a security descriptor in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
• Windows Server 2012 schema update in the back-end server's forest
• back-end application server running Windows Server 2003 or later
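The configuration the Solution and Requirements slides describe, plus the audit that follows from it. This is an added example for this page, not code from the deck; the hosts WEB01/SQL01, the gMSA svc-webfarm and the domains corp.contoso.com/res.contoso.com are assumptions, the cmdlets, parameter and attribute are the real ones named on the slide. Because the slide says only administrative permission on the back-end account is needed, the account's own ACL becomes the trust boundary, which is why the audit function at the end exists.

```powershell
# Added example (not from the deck): resource-based KCD across two domains,
# verified, and a domain-wide audit of who is trusted to act on behalf of
# users to each back-end. Host, account and domain names are assumptions.
Import-Module ActiveDirectory

$frontEndDomain = 'corp.contoso.com'
$backEndDomain  = 'res.contoso.com'

# The front-end principal: the web server's computer account, or the gMSA
# that runs the application pool if the app pool uses one.
$frontEnd = Get-ADComputer 'WEB01' -Server $frontEndDomain
# $frontEnd = Get-ADServiceAccount 'svc-webfarm' -Server $frontEndDomain

# 1. The back-end owner (write access to SQL01's object, no Domain Admin)
#    declares which front-end principals may impersonate users to SQL01.
#    This writes msDS-AllowedToActOnBehalfOfOtherIdentity on SQL01.
Set-ADComputer 'SQL01' -Server $backEndDomain -PrincipalsAllowedToDelegateToAccount $frontEnd

# 2. Verify: the cmdlet resolves the stored security descriptor back to names.
Get-ADComputer 'SQL01' -Server $backEndDomain -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# 3. Audit: every account in a domain that trusts someone to delegate to it.
#    Anyone with write access to a back-end object can add themselves here,
#    so this list belongs next to "Trusted for delegation" and
#    msDS-AllowedToDelegateTo in your periodic delegation review.
function Get-RbcdTrustMap {
    param([string]$Server = (Get-ADDomain).DNSRoot)
    Get-ADObject -Server $Server -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
        ForEach-Object {
            # The AD module exposes the attribute as an ActiveDirectorySecurity
            # object; each allow ACE names one trusted front-end.
            $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            [pscustomobject]@{
                BackEnd   = $_.Name
                FrontEnds = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            }
        }
}
Get-RbcdTrustMap -Server $backEndDomain

# 4. Decommissioning: clear the trust rather than leaving a stale front-end.
# Set-ADComputer 'SQL01' -Server $backEndDomain -PrincipalsAllowedToDelegateToAccount $null
```

Unresolved entries in the FrontEnds column (a bare SID instead of a name) are principals from another domain or forest that could not be translated from where the audit ran; they are still effective and should be resolved against their home domain rather than ignored.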


Page 72

Dynamic Access Control (DAC)

Background:
• today, it's difficult to translate business-intent using the existing authorization model
• no central administration capabilities
• the existing expression language makes it hard or impossible to fully express requirements
• increasing regulatory and business requirements around compliance demand a different approach

Page 73

Dynamic Access Control (DAC)

Solution:
• new central access policies (CAP) model
• new claims-based authorization platform that enhances, not replaces, the existing model
  • user-claims and device-claims
  • user + device claims = compound identity
  • includes traditional group memberships too
• use of file-classification information in authorization decisions
• modern authorization expressions, e.g.
  • evaluation of ANDed authorization conditions
  • leveraging classification and resource properties in ACLs
• easier Access-Denied remediation experience
• access- and audit-policies can be defined flexibly and simply, e.g.
  IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor
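The objects behind the model this slide describes, built with the Windows Server 2012 Active Directory module: a user claim, a secured resource property, a central access rule whose ACL carries a conditional ACE, and a central access policy that bundles the rule. This is an added example for this page, not code from the deck. The claim and property names, the rule text and the exact SDDL are assumptions written to illustrate the shape of a DAC policy; the cmdlets, the built-in Department_MS resource property and the ADSuggestedValueEntry type are real.

```powershell
# Added example (not from the deck): "only users from the same department may
# read files classified High-sensitivity", expressed as DAC objects.
# Names, rule text and SDDL are assumptions; cmdlets are real.
Import-Module ActiveDirectory

# 1. User claim sourced from the "department" attribute. Setting -ID keeps the
#    SDDL readable; by default AD appends a random suffix to ad://ext/<name>.
$ct = New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
        -ID 'ad://ext/Department' -Enabled $true -PassThru

# 2. Secured resource property that FCI rules or an administrator stamp on
#    files. Suggested values constrain what classification can be applied.
$values = 'Low', 'High' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "Sensitivity: $_")
}
$rp = New-ADResourceProperty -DisplayName 'DataSensitivity' -IsSecured $true `
        -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $values -PassThru
# File servers only download properties that are on a resource property list.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $rp

# 3. Central access rule. Targeting: resources stamped High. Permissions:
#    SYSTEM and Administrators keep full control; Authenticated Users (AU)
#    get Read/Execute (0x1200a9) only when the user's Department claim equals
#    the file's Department property. XA = conditional allow ACE.
$resourceCondition = "(@RESOURCE.$($rp.ID) == `"High`")"
$acl = 'O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)' +
       "(XA;;0x1200a9;;;AU;(@USER.$($ct.ID) == @RESOURCE.Department_MS))"
$car = New-ADCentralAccessRule -Name 'High sensitivity - same department only' `
        -ResourceCondition $resourceCondition -CurrentAcl $acl -PassThru

# 4. Central access policy. Deploy it to file servers through the
#    "Central Access Policy" Group Policy setting, then select it on the
#    folder's Security tab. Stage with -ProposedAcl on the rule first to get
#    audit events instead of denials while the classification settles.
$cap = New-ADCentralAccessPolicy -Name 'Sensitive data policy' -PassThru
Add-ADCentralAccessPolicyMember -Identity $cap -Members $car
```

The design point to take from the block is that the rule's ACL grants nothing by group: the only allow ACE for ordinary users is conditional on a claim-to-property comparison, so a user who moves department loses access the moment the attribute changes, and a file whose Department property is blank grants no one access through this rule.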

Page 74

Dynamic Access Control (DAC)

Requirements:
• Windows 8 or Windows Server 2012 file servers (no DCs necessary yet) for:
  • modern authorization expressions, e.g. evaluating ANDed authorization conditions
    NOTE: leveraging classification and resource properties in ACLs requires the Windows Server 2012 schema
  • Access Denied Remediation
• 1 or more Windows Server 2012 DCs required for:
  • Kerberos claims
  • Central Access Policies (CAP) support
  • must enable the claims-policy in a Domain Controller-scoped policy, e.g. Default Domain Controllers Policy
    • once configured, Windows 8 clients might use only Windows Server 2012 DCs
    • enough DCs must be deployed to service the load imposed by uplevel clients and servers (piling-on)
• Windows Server 2012 Active Directory Administrative Center to administer CAPs and CAPRs
  • CAPR = Claims Access Policy Rules
• for device-claims, compound ID must be switched on at the target service account
  • via Group Policy or by directly editing the corresponding objects
• downlevel clients require DFL 5 in order to receive claims from a KDC
  • in the absence of that, uplevel servers are able to use S4U2Self to obtain a claims-enabled ticket on the caller's behalf
  • note that Authentication Mechanism Assurance (AMA) SIDs/claims and device authorization data are not available in that case, since the context around the authentication method and device is already lost
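Both the FAST requirements (page 67) and the DAC requirements above hinge on the same pre-flight facts: how many Windows Server 2012 DCs each domain has (including transited referral domains), whether the domain functional level is 5, and whether the CBAC/armoring policies are actually applied. This added example for the page (not code from the deck) collects those in one report. The cmdlets, object properties and the DFL value are real; the registry locations queried by Get-CbacArmorPolicy are where the two Group Policy settings are stored and are stated as an assumption to verify against the KDC.admx and Kerberos.admx files in your central store.

```powershell
# Added example (not from the deck): readiness report before enabling
# "Require Kerberos armoring" / claims. Registry paths are an assumption.
Import-Module ActiveDirectory

function Get-DcOsVersion([string]$OperatingSystemVersion) {
    # AD stores it as e.g. "6.2 (9200)"; compare the numeric prefix as [version]
    if (-not $OperatingSystemVersion) { return [version]'0.0' }
    [version](($OperatingSystemVersion -split ' ')[0])
}

function Test-ArmoringReadiness {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MinUplevelDCs = 2   # "enough" DCs for piling-on; tune per site load
    )
    $dcs     = @(Get-ADDomainController -Filter * -Server $Domain)
    $uplevel = @($dcs | Where-Object { (Get-DcOsVersion $_.OperatingSystemVersion) -ge [version]'6.2' })
    $down    = @($dcs | Where-Object { (Get-DcOsVersion $_.OperatingSystemVersion) -lt [version]'6.2' })
    $mode    = (Get-ADDomain -Server $Domain).DomainMode

    [pscustomobject]@{
        Domain            = $Domain
        DomainMode        = $mode
        RfcFastInterop    = ([int]$mode) -ge 5        # DFL 5 = Windows Server 2012
        DCsTotal          = $dcs.Count
        DCsWindows2012    = $uplevel.Count
        AllDCsUplevel     = $down.Count -eq 0         # needed before "require armoring"
        EnoughForPilingOn = $uplevel.Count -ge $MinUplevelDCs
        DownlevelDCs      = ($down.HostName -join ', ')
    }
}

function Get-CbacArmorPolicy {
    param([string[]]$ComputerName)
    # ASSUMED registry backing of the policies (verify against your ADMX):
    #  KDC:    "KDC support for claims, compound authentication and Kerberos armoring"
    #  Client: "Kerberos client support for claims, compound authentication and
    #           Kerberos armoring" and "Fail authentication requests when
    #           Kerberos armoring is not available"
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $kdc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters' -ErrorAction SilentlyContinue
        $krb = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            KdcCbacAndArmor    = $kdc.EnableCbacAndArmor
            KdcArmorLevel      = $kdc.CbacAndArmorLevel   # 1 supported, 2 always claims, 3 fail unarmored
            ClientCbacAndArmor = $krb.EnableCbacAndArmor
            ClientRequireFast  = $krb.RequireFast
        }
    }
}

# Every domain a client may be referred through, not just its own.
$report = (Get-ADForest).Domains | ForEach-Object { Test-ArmoringReadiness -Domain $_ }
$report | Format-Table -AutoSize

# Policy state on the uplevel DCs of the current domain.
$uplevelDcs = Get-ADDomainController -Filter * |
    Where-Object { (Get-DcOsVersion $_.OperatingSystemVersion) -ge [version]'6.2' }
Get-CbacArmorPolicy -ComputerName $uplevelDcs.HostName | Format-Table -AutoSize
```

Read the two tables together: a domain with AllDCsUplevel false cannot safely require armoring, because a client that lands on a downlevel DC in that domain (or in a referral domain on the path) will fail the "Require FAST" check, and a domain where EnoughForPilingOn is false will concentrate every claims-aware Windows 8 client on too few DCs once the claims policy is enabled.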

Page 75

Kerberos Claims (DAC) in AD FS

Background:
• AD FS 2.0 is able to generate user-claims directly from NT tokens
  • also capable of further expanding claims based on attributes in Active Directory and other attribute stores
• in Windows Server 2012, Kerberos tickets can also contain claims
  • but AD FS 2.0 can't read claims from Kerberos tickets
  • it is forced to make additional LDAP calls to Active Directory to source user-attribute claims
  • it cannot leverage device-attribute claims at all

Page 76

Kerberos Claims (DAC) in AD FS

Solution:
• AD FS (v2.1) in Windows Server 2012 is now able to populate SAML tokens with user- and device-claims taken directly from the Kerberos ticket

Requirements:
• DAC enabled and configured
• compound ID must be switched on for the AD FS service account
• Windows Server 2012 AD FS (v2.1)

Page 77

In Review: Easier to Manage

Windows Server 2012:
• Managed Service Accounts for farms (gMSA)
• support for cross-domain Kerberos Constrained Delegation
• spoofing of Kerberos errors much more challenging
• Active Directory UI investments
  • support in the Active Directory Administrative Center for managing deleted objects and Fine-Grained Password Policies
  • ability to view the Windows PowerShell scripts that correspond to actions performed in the GUI
• easier scripting of replication and topology tasks using the new Active Directory Windows PowerShell cmdlets

In the past:
• Managed Service Accounts worked only on a single machine
• Kerberos Constrained Delegation (KCD) worked only within a single domain
• Kerberos errors could be spoofed
• no support in the Active Directory Administrative Center for the Recycle Bin or Fine-Grained Password Policies
• PowerShell code had to be written from scratch
• a hodge-podge of incompatible command-line tools and UIs was used for managing replication and topology

Page 78

In Review: Easier to Deploy

Windows Server 2012:
• safe virtualization
• simplified deployment
  • integrated end-to-end deployment experience
  • all deployment tasks are remoteable and automatically target the correct FSMOs
  • input and environment validation throughout the deployment process helps decrease failures
  • full Windows PowerShell support for automated deployment
• rapid deployment of DCs using cloning
• AD FS deployment integration

In the past:
• using snapshot features on virtual DCs resulted in a divergent Active Directory state
• Active Directory environment preparation was overly complex, requiring multiple steps
• DC promotion required multiple phases to complete
• deployment was not remoteable and required interactive logon to multiple DCs
• difficult to write automation scripts

Page 79

Summary of Minimum Requirements

With this deployed... ...these features become available

+ First Windows Server 2012 domain-member (or Windows 8 with RSAT installed)
  • New Active Directory Administrative Center
  • Windows PowerShell History Viewer
  • Graphical Recycle Bin and FGPP management
  • Richer authorization through DAC & FCI
  • Active Directory-based Activation
    • requires Windows Server 2012 schema extensions (see the DAC and AD BA requirements)
  • Active Directory Replication & Topology Cmdlets
  • AD FS (v2.1)

+ First Windows Server 2012 DC
  • Simplified Deployment and Preparation
  • Dynamic Access Control policies and claims
  • Kerberos Claims in AD FS (v2.1)
  • Cross-domain Kerberos Constrained Delegation
  • Group Managed Service Accounts
  • Virtualization-Safe for the Windows Server 2012 DC
    • requires hypervisor support for VM-Generation ID

+ Windows Server 2012 DC holds the PDC FSMO role
  • Rapid virtual DC deployment through DC-cloning
    • requires hypervisor support for VM-Generation ID

Page 80

SIA, WSV, and VIR Track Resources

• DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
• DOWNLOAD Microsoft System Center 2012 Evaluation: microsoft.com/systemcenter
• Hands-On Labs
• Talk to our Experts at the TLC
• #TESIA312

Page 81

Resources

• Connect. Share. Discuss. http://europe.msteched.com
• Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
• TechNet: Resources for IT Professionals, http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn

Page 82

Evaluations

Submit your evals online: http://europe.msteched.com/sessions

Page 83

Questions?

Thank you
Samuel Devasahayam: [email protected]
Ulf B. Simon-Weidner: www.msmvps.com/UlfBSimonWeidner

Page 84

Appendix

Page 85

RID Improvements

Account creation failure can cause the loss of 1 RID
• a RID was leaked because a user was being created that didn't meet policy
  • the RID was allocated, the user was created, the user failed to meet policy and was deleted, and the RID was leaked
• fixed in Windows Server 2012 by maintaining an in-memory bucket of RIDs that are available for reuse
  • note that if the DC is rebooted, the reuse list is lost
  • the reuse list is used preferentially over the RID pool if entries exist
  • the size of the reuse list is bound by the maximum number of user-creation attempts that simultaneously hit a failure case
  • our projections indicate single-digit size, i.e. nothing to take into account in sizing exercises

Prevent RID allocation during failed computer-account creation by a standard domain user exercising the add-workstations-to-domain privilege
• this is just another path (through domain join, for example) that permits the creation of computer accounts
• the logic above is used in exactly the same way to eliminate the leak

Log an event when a RID pool is invalidated
• invalidation occurs via a rootDSE modification and in more natural scenarios, e.g. virtual DC safeties, DIT restoration

Page 86

RID Improvements

A missing rIDSetReferences value will lead to RID pool exhaustion
• the attribute is not correctly recreated when a DC's computer account is deleted, later detected by the DC and reincarnated
  • the DC checks the attribute for the pointer to its RID pool
  • the attribute isn't populated, so the DC assumes it has no RID pool and requests a new one
  • the DC receives a RID pool from the RID FSMO and attempts to write the new RID block to its RID set, which fails because no rIDSetReferences exists
  • 30 seconds later, the DC repeats the process, burning through <RID block size> RIDs on each attempt
• a single offending DC will eat through the entire global RID space in ~2 years using the default RID block size of 500
• in Windows Server 2012, you guessed it, we fixed this: reincarnation populates the necessary attributes

Enforce a maximum cap on the RID policy RID Block Size
• in the past, the RID block size was configurable in the RID FSMO's registry and imposed no upper bound
• in Windows Server 2012, the maximum permissible admin-configured RID block size is 15,000 (values >15K == 15K)

Page 87

RID Improvements

Periodic RID Consumption Warning
• at 10% of the remaining global space, the system logs an informational event
  • first event at 100,000,000 RIDs used; second event logged at 10% of the remainder
    remainder = 900,000,000
    10% of remainder = 90,000,000
    second event logged at 190,000,000 (existing RID consumption plus 10% of the remainder)
• events become more frequent as the global space is further depleted

Page 88

RID Improvements

RID Manager artificial ceiling protection mechanism
• think of this as a soft ceiling that blocks further allocations of RID pools
  • when hit, the system flips msDS-RIDPoolAllocationEnabled on the RID Manager$ object to FALSE; an administrator flips it back to TRUE to override
  • an event is logged indicating we've reached the ceiling
  • an additional warning is logged when the global RID space reaches 80%
• the attribute can only be set to FALSE by SYSTEM and is mastered by the RID FSMO (i.e. write it against the RID FSMO)
  • a DA can set it back to TRUE
  • NOTE: it is set to TRUE by default (possibly obvious)
• the soft ceiling is 90% of the global RID space and is not configurable
  • the soft ceiling is deemed "reached" when a RID pool containing the 90% RID is issued

Page 89

RID Improvements

Unlock the 31st bit in the global RID space
• yes, we actually did it... and yes again, we tested the living s... well, we really tested it a lot
• doubles the global RID space from 1 billion to 2 billion
• irreversible action, so take care
  • CANNOT be authoritatively restored (unless it's the only DC in the domain)
• the 31st bit is unlocked via a rootDSE modification (requires a Windows Server 2012 RID FSMO):
  sidCompatibilityVersion: 1
• other DCs must be running Windows Server 2012 to exploit this
  • the plan is, however, to backport it to Windows Server 2008 R2
  • downlevel DCs will receive pools that use the higher-order bit but will refuse to issue RIDs to new principals from within it, i.e. the DCs are good for everything other than creating new principals
  • they will, for example, happily authenticate users with RIDs above 1 billion
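The state that pages 86, 88 and 89 describe can all be read from the directory without touching dcdiag: the global RID space and consumption, whether the 31st bit has been unlocked, the soft-ceiling switch, and whether every DC still has its rIDSetReferences pointer. This is an added example for this page, not code from the deck; the attribute names are the real ones and the script only reads. The 64-bit layout of rIDAvailablePool and rIDAllocationPool (high 32 bits = upper bound, low 32 bits = next or starting RID) is the documented one and is what the bit shifts below rely on.

```powershell
# Added example (not from the deck): read the RID Manager$ and per-DC RID
# set state the appendix describes. Read-only; real attribute names.
Import-Module ActiveDirectory

function Get-RidPoolState {
    param([string]$Server = (Get-ADDomain).DNSRoot)
    $domain    = Get-ADDomain -Server $Server
    $ridMaster = $domain.RIDMaster     # RID Manager$ is mastered there; other DCs may lag
    $mgr = Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
        -Server $ridMaster -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'

    # rIDAvailablePool: high 32 bits = highest RID in the global space,
    # low 32 bits = start of the next block the RID master will hand out.
    $pool    = [int64]$mgr.rIDAvailablePool
    $maxRid  = $pool -shr 32
    $nextRid = $pool -band 0xFFFFFFFF
    [pscustomobject]@{
        Domain         = $domain.DNSRoot
        RidMaster      = $ridMaster
        GlobalRidSpace = $maxRid
        Bit31Unlocked  = $maxRid -gt 0x3FFFFFFF          # 2^30-1 before, 2^31-1 after
        RidsAllocated  = $nextRid - 1
        PercentUsed    = [math]::Round(100 * ($nextRid - 1) / $maxRid, 4)
        SoftCeilingHit = $mgr.'msDS-RIDPoolAllocationEnabled' -eq $false   # page 88
    }
}

function Get-DcRidSetHealth {
    param([string]$Server = (Get-ADDomain).DNSRoot)
    Get-ADDomainController -Filter * -Server $Server | ForEach-Object {
        $acct = Get-ADComputer $_.ComputerObjectDN -Server $Server -Properties rIDSetReferences
        $ref  = $acct.rIDSetReferences
        $set  = if ($ref) {
            Get-ADObject $ref -Server $Server -Properties rIDAllocationPool, rIDNextRID
        }
        # rIDAllocationPool: low 32 bits = first RID of the current block,
        # high 32 bits = last RID of the current block.
        [pscustomobject]@{
            DC                 = $_.HostName
            HasRidSetReference = [bool]$ref            # page 86: missing => pool burn
            CurrentPoolStart   = if ($set) { ([int64]$set.rIDAllocationPool) -band 0xFFFFFFFF }
            CurrentPoolEnd     = if ($set) { ([int64]$set.rIDAllocationPool) -shr 32 }
            NextRid            = if ($set) { $set.rIDNextRID }
        }
    }
}

Get-RidPoolState | Format-List
# Only the DCs that need attention: no RID set pointer at all.
Get-DcRidSetHealth | Where-Object { -not $_.HasRidSetReference }
```

Run Get-RidPoolState on a schedule and alert on PercentUsed jumping by more than a block or two between runs: the page-86 failure mode shows up as steady growth of RidsAllocated with no matching growth in principals, long before the 10 percent warning events fire, and Get-DcRidSetHealth then names the DC responsible.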

Page 90

Enhanced LDAP logging

• note that the registry override technique uses the Microsoft-internal DSID of the source-code file that implements the desired logging
• the DSID is used in a non-traditional manner (though similar):
  <dir ID><dir ID><file ID><file ID><logging level><logging level><logging level><logging level>
  typically, it's:
  <dir ID><dir ID><file ID><file ID><line #><line #><line #><line #>
• there are ~15 directories with 15+ potentially useful source files in each
  • source-code access is a MUST (and an ability to read the code is beneficial, too)
• HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics
  Value [MULTI_SZ]: Logging Override
  Data: 0C12FFFF (where FFFF says "log everything")

Page 91

New LDAP Controls/Behaviors

Batched extended-LDAP operations (1.2.840.113556.1.4.2212)
• all operations within a given batch are treated as a single transaction, i.e. all succeed or all fail
• primarily designed for a developer audience
  • possible with LDP but really not realistic
  • comprises a regular LDAP control and an unimaginably complex value: the concatenation of the series of BER encodings of the ASN.1 descriptions of the desired LDAP operations (see, I told ya)
• useful for programmatic schema extensions, since the entire list of updates can be batched, permitting the entire set of updates to succeed or fail as a lump

Expected entry count (1.2.840.113556.1.4.2211)
• LDAP control that requires a minimum and a maximum value (again, BER-encoded values, so not trivial for the IT pro)
• if fewer than the minimum or more than the maximum, results are returned up to the exception and rounded to the nearest page size
• useful for uniqueness and/or absence checking (min=1 & max=1, or min=0 & max=0)
• when used in conjunction with batch processing, it is possible to express conditional LDAP operations that fail or succeed as a transaction based on supplied criteria
  • e.g. write email address <e1> to userX only IF <e1> is not already in use by anyone else: carve out a filter that queries for the email address within the desired scope with an expected entry count of 0

Page 92

New LDAP Controls/Behaviors

Require server-sorted search to use the index on the sort attribute (1.2.840.113556.1.4.2207)
• only impacts sorted searches
• if query optimization does not result in a correctly sorted result set, then we revert to using a simple index over the sort attribute, which requires post-processing to satisfy the request
  • the term "correctly" is defined as: the index's natural sort criteria match the specified sort criteria
• eliminates the need for a tempTable, thereby increasing scale possibilities (good for large result sets because, in the past, it would have simply failed)
• on the flip side, causes performance problems for smaller result sets

DIRSync_EX_Control (1.2.840.113556.1.4.2090)
• alters traditional DirSync behavior
• forces the return of specified unchanged attributes
• useful for a primarily developer audience only

Page 93

New LDAP Controls/Behaviors

TreeDelete control with batch size (1.2.840.113556.1.4.2204)
• ensures deletions do not slow convergence beyond system tolerance
• today, the batch size is hard-coded to 16K
• the new control exposes a mechanism to lower this hard-coded default (not raise it)
  • the value must be between 2 and the hard-coded limit of 16K
• exposed as an LDAP control, allowing the delete operation to declare its own batch size
• requires that the value for the control be BER-encoded

Return highest change stamp applied as part of an update (1.2.840.113556.1.4.2205)
• similar to the searchStats control in that, when checked in, it causes the result to contain additional data housing the invocationID and the highest USN allocated during the transaction
• the IT pro needs a tool to decode the resulting BER-encoded series of key/value pairs
  • invocationID: 1.2.840.113556.1.4.2209
  • highestUSN: 1.2.840.113556.1.4.2208
• useful for programmatically determining convergence between any two instances immediately following an update

Page 94

New LDAP Controls/Behaviors

Include ties in server-sorted search results [aka. "soft size limit"] (1.2.840.113556.1.4.2210)
• within the context of a sorted search, two objects are considered "tied" if their values for the sorted attribute are the same, i.e. the objects are tied by virtue of the common value in the sort attribute (same place in the index)
• also termed "soft size limit"
• the value supplied for SOFT_SIZE_LIMIT must be less than the LDAP size limit
• the search must be sorted in order for the notion of a "tie" to have any meaning
• what does it do?
  • imagine paging through the Exchange GAL and requesting only a page at a time
  • you'd like to be able to get the next page from any DC (not become "sticky" with the same DC the request began against)
  • to do so, you need to be sure where the last page ended, e.g. I'm on page 3 sorted on givenName and it ends with Dean; what if there are multiple Deans?
  • the "soft size limit" numerically governs the page-size but ensures that any duplicates of the last entry (Dean) are also returned, unless that would exceed the hard size limit
  • this allows the next page to be requested by filtering on "(&(givenName>=Dean)(!(givenName=Dean)))", which, in turn, permits the page requests to be distributed across DCs

Page 95

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
