AD for Windows 2012 Deeper Dive - Dynamic Access Control and Domain Controller Cloning JONATHAN CORE – DOMAIN CONTROLLER CLONING KEITH BREWER – DYNAMIC.
Presentation transcript:

AD for Windows 2012 Deeper Dive - Dynamic Access Control and Domain Controller Cloning JONATHAN CORE – DOMAIN CONTROLLER CLONING KEITH BREWER – DYNAMIC ACCESS CONTROL DMVMUG Reston, VA

Dynamic Access Control

The access control challenge

Dynamic Access Control: Technical Features
- Kerberos support for user claims and device authorization information
- Support for conditional expressions in permission and audit entries
- File classification and central access policies provide an end-to-end authorization management solution
- Conditional expression support in Global Object Access Auditing
- Automatic Rights Management Services (RMS) encryption for sensitive Office documents (not included in this document)
- Access denied remediation to ease the burden of troubleshooting share access problems (not included in this document)

Dynamic Access Control: New features included in Windows Server 2012
Scenarios:
- Identify data: automatic and manual classification of files can be applied to tag data on file servers across the organization
- Control access to files: central access policies enable organizations to apply safety-net policies. For example, you could define who can access health information within the organization
- Audit access to files: central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information
- Apply RMS protection: automatic Rights Management Services (RMS) encryption for sensitive Office documents. For example, you could configure RMS to encrypt all documents containing HIPAA information

Dynamic Access Control: Benefits
- Central access policy for access to files: enables organizations to set safety-net policies that reflect business and regulatory compliance requirements
- Auditing for compliance and analysis: enables targeted auditing across file servers for compliance reporting and forensic analysis
- Protecting sensitive information: identifies and protects sensitive information both within a Windows Server 2012 environment and when it leaves that environment
- Access denied assistance: improves the access-denied experience to reduce helpdesk load and the incident time spent troubleshooting access denied

Dynamic Access Control: Prerequisites
- Windows Server 2012
- At least one Windows Server 2012 domain controller accessible by the Windows client in the user's domain
- At least one Windows Server 2012 domain controller in each domain when using claims across a forest trust
- Windows 8 client (required when using device claims)

Dynamic Access Control: Building Blocks
- Expression-Based ACEs: ACEs with conditions, including Boolean logic and relational operators
- User and Device Claims: user and computer attributes can be used in ACEs
- Classification Enhancements: file classifications can be used in authorization decisions; continuous automatic classification; automatic RMS encryption based on classification
- Central Access and Audit Policies: central authorization/audit rules defined in AD and applied across multiple file servers
- Access Denied Assistance: allows users to request access and provides detailed troubleshooting information to admins

Expression-Based Access Conditions (diagram): restricting access by Country (50 values) and Department using groups alone needs one group per combination, 2000 groups in the illustration; a single ACE with conditions on the user's Country and Department attributes replaces them.

User and Device Claims

User and Device Claims (diagram)
- User claims: User.Department = Finance; User.Clearance = High
- Device claims: Device.Department = Finance; Device.Managed = True
- Resource properties: Resource.Department = Finance; Resource.Impact = High
- Access policy: applies to Resource.Impact = High; Allow | Read, Write | if (User.Department == Resource.Department) AND (Device.Managed == True)
- Components: AD DS, central access policies, file server
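The policy in the diagram above can be built with the Active Directory module cmdlets that ship with Windows Server 2012. The script below is an added example, not a script from the presentation or from Microsoft. The claim ID ad://ext/Department, the "Managed Devices" device group (standing in for the slide's Device.Managed claim) and the rule and policy names are assumptions; Department_MS and Impact_MS are the pre-defined resource properties in the Resource Properties container, and the stored value of the "High" impact level is looked up rather than hard-coded.

```powershell
# Added example (not from the presentation): build the slide's central access policy.
# Assumptions: claim ID ad://ext/Department, a device group named "Managed Devices",
# and the rule/policy names below.
Import-Module ActiveDirectory

# 1. User claim "Department", sourced from the user's AD attribute. The ID is what the
#    KDC places in the PAC and what a conditional ACE refers to, so it is set explicitly.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
                -ID 'ad://ext/Department' -Enabled $true

# 2. Enable the pre-defined resource properties the files are classified with and
#    publish them in the list that file servers download.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Set-ADResourceProperty -Identity 'Impact_MS'     -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
                                 -Members 'Department_MS', 'Impact_MS'

# 3. Device.Managed is modelled as membership of a device group (assumption).
#    Device_Member_of is evaluated against the device groups that compound
#    authentication places in the service ticket.
$managedSid = (Get-ADGroup -Identity 'Managed Devices').SID.Value

# 4. Look up the stored value behind the "High" display name; built-in levels may be
#    stored as codes rather than as the display text.
$impact = Get-ADResourceProperty -Identity 'Impact_MS' -Properties SuggestedValues
$high   = ($impact.SuggestedValues | Where-Object { $_.DisplayName -eq 'High' }).Value

# 5. The rule: the resource condition selects high-impact files; the conditional ACE
#    grants Read+Write (FRFW) to Authenticated Users only when the user's Department
#    claim equals the file's Department property and the device is in the managed group.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
       '(XA;;FRFW;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) && ' +
       "(Device_Member_of {SID($managedSid)})))"

New-ADCentralAccessRule -Name 'Finance High Impact Rule' `
                        -ResourceCondition "(@RESOURCE.Impact_MS == `"$high`")" `
                        -CurrentAcl $acl

# 6. The policy that carries the rule.
New-ADCentralAccessPolicy -Name 'Finance High Impact Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance High Impact Policy' `
                                -Members 'Finance High Impact Rule'
```

The policy reaches file servers through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy) and is then selected on a folder under Advanced Security Settings. The Device_Member_of term only evaluates as intended when the client and KDC use compound authentication; without it the device groups are absent from the ticket and the condition is false, so access is denied rather than silently granted.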

Claim Support in Windows Server 2012: Claim Information within the PAC
- Previously included information: user security identifiers; group security identifiers
- Added in Windows Server 2012: user claims; device security identifiers; device group security identifiers; device claims (optional)
- The KDC asks the DSA to retrieve claim information from Active Directory
- The KDC inserts the claims retrieved by the DSA into the PAC

Claim Support in Windows Server 2012: Flexible Authentication Secure Tunnel (FAST)
Microsoft Confidential - For Internal Use Only
- Known as Kerberos Armoring in Windows 8 (RFC 6113)
- Benefits: protects user pre-authentication data derived from passwords against offline dictionary attacks; protects user Kerberos authentication against KDC error spoofing used to downgrade to NTLM
- Creates a tunnel between the client and the KDC during the AS and TGS exchanges
- Windows 8 armors the AS exchange by using the device's TGT to protect the request
- Windows 8 armors the TGS exchange by using the user's TGT to protect the request

Claim Support in Windows Server 2012: Compound Authentication
- An extension of Kerberos armoring (FAST) that allows clients to provide the device's TGT
- Compound authentication enables a Windows 8 KDC to issue service tickets that include device authorization data
- Device authorization data includes device groups and device claims
- Access tokens created from issued service tickets also include the device authorization data

Claim Support in Windows Server 2012: Compound Authentication Requirements
- Windows 8 domain controller with support for Dynamic Access Control and Kerberos armoring
- The device must support compound authentication (Windows 8)
- The resource device must support compound authentication
- Applications that support compound authentication should register their support, or you can enable the Kerberos Group Policy setting "Support compound authentication":
  - Never: the KDC will not provide compound authentication
  - Automatic: once a Dynamic Access Control aware application is installed, the KDC will always provide compound authentication; after the last Dynamic Access Control aware application is removed, the KDC will not provide compound authentication
  - Always: the KDC will always provide compound authentication


Kerberos and the New Token
- Pre-2012 token: user account; user groups; [other stuff]
- 2012 token: user account; user groups; user claims; device groups; device claims; [other stuff]

Incrementally add capabilities
- Current infrastructure plus Windows Server 2012 file servers: access and audit policies based on security groups and file tagging; expression-based ACEs
- Add Windows Server 2012 DCs: centrally defined access and audit policies; user claims can be used by access and audit policies
- Add Windows 8 clients: device claims in access and audit policies; better access denied experience

How Access Check Works (diagram)
- File/folder security descriptor: NTFS permissions plus a reference to a central access policy
- Active Directory (cached in the local registry): cached central access policy definition and cached central access rules
- Share security descriptor: share permissions
Access control decision:
1) Access check against share permissions, if applicable
2) Access check against file permissions
3) Access check against every matching central access rule in the central access policy
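A small model of the three-stage decision above, added here as an illustration (it is not code from the presentation or from Windows, and it does not call the real access check). The rights, ACLs, claims and rules are constructed sample data. What it shows that the slide does not spell out: each stage can only remove rights, so a central access policy never grants what the share or NTFS ACL denies, and a rule whose resource condition does not match the file is skipped entirely.

```powershell
# Added illustration (not from the presentation or Windows): a model of the three
# access-check stages. Rights, ACLs, claims and rules below are constructed.
function Test-AccessCheck {
    param(
        [string[]]  $Requested,           # rights asked for, e.g. 'Read','Write'
        [string[]]  $ShareRights,         # rights the share ACL grants; $null = local access, stage skipped
        [string[]]  $NtfsRights,          # rights the file/folder ACL grants
        [hashtable] $Context,             # User, Device and Resource claims/properties
        [object[]]  $CentralAccessRules   # rules of the policy referenced by the folder
    )
    # Stage 1: share permissions, only when the file is reached through a share.
    if ($null -ne $ShareRights) {
        $missing = @($Requested | Where-Object { $ShareRights -notcontains $_ })
        if ($missing.Count) { return "Denied by share permissions: $($missing -join ',')" }
    }
    # Stage 2: NTFS permissions on the file or folder.
    $missing = @($Requested | Where-Object { $NtfsRights -notcontains $_ })
    if ($missing.Count) { return "Denied by NTFS permissions: $($missing -join ',')" }
    # Stage 3: every rule whose resource condition matches must also grant the rights.
    # A rule that does not match the file is ignored, and no rule can add rights that
    # stages 1 and 2 did not already allow.
    foreach ($rule in $CentralAccessRules) {
        if (-not (& $rule.AppliesTo $Context)) { continue }
        $granted = @(& $rule.Grants $Context)
        $missing = @($Requested | Where-Object { $granted -notcontains $_ })
        if ($missing.Count) { return "Denied by central access rule '$($rule.Name)': $($missing -join ',')" }
    }
    return 'Allowed'
}

# The slide's rule: applies to high-impact files; Read and Write only if the user's
# department matches the file's and the device is managed.
$financeRule = @{
    Name      = 'Finance High Impact Rule'
    AppliesTo = { param($c) $c.Resource.Impact -eq 'High' }
    Grants    = { param($c) if ($c.User.Department -eq $c.Resource.Department -and $c.Device.Managed) { 'Read', 'Write' } else { @() } }
}

# Constructed claims for the slide's user, device and file.
$ctx = @{
    User     = @{ Department = 'Finance'; Clearance = 'High' }
    Device   = @{ Department = 'Finance'; Managed = $true }
    Resource = @{ Department = 'Finance'; Impact = 'High' }
}

# Over a share granting Read and Write, with matching NTFS rights: Allowed.
Test-AccessCheck -Requested 'Read','Write' -ShareRights 'Read','Write' `
                 -NtfsRights 'Read','Write','Modify' -Context $ctx -CentralAccessRules $financeRule

# Same user from an unmanaged device: the central access rule removes the rights.
$ctx.Device.Managed = $false
Test-AccessCheck -Requested 'Read','Write' -ShareRights 'Read','Write' `
                 -NtfsRights 'Read','Write','Modify' -Context $ctx -CentralAccessRules $financeRule

# A low-impact file: the rule's resource condition does not match, so only the share
# and NTFS stages decide, and the share (Read only) denies the Write first.
$ctx.Resource.Impact = 'Low'
Test-AccessCheck -Requested 'Write' -ShareRights 'Read' `
                 -NtfsRights 'Read','Write' -Context $ctx -CentralAccessRules $financeRule
```

The order of the stages matters for troubleshooting: a denial reported at the share stage is never a central access policy problem, which is the same reason the slide lists share permissions first.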

AD Domain Controller Cloning

Before you clone
- When it makes sense to use it
- Considerations before using it
- Preparation and prerequisites
How it works
- What is this VM Generation ID you speak of?
- From then (prior to 2012) to now
- Step by step

Before you clone: when to use it
- Primarily for rolling out a number of virtual domain controllers
- Initial rollout of 2012
- Disaster recovery restore
- Lab or test environment
- Increasing capacity in large environments (cloud)
Things to consider
- History: Microsoft wanted to implement a safeguard for VMs
- VM Generation ID must be supported by the virtualization technology
- The name of the clone will be that of the original appended with -CLNnnnn
- Prep includes a few commands
- Restoring from snapshots is STILL not recommended (safeguard)

Before you clone (contd): prep and prerequisites
- Hypervisor that supports VM-Generation ID (Server 2012)
- A deployed 2012 DC in a domain containing a 2012 PDCe
- Add the source DC to the Cloneable Domain Controllers group
- Run the PowerShell cmdlets Get-ADDCCloningExcludedApplicationList and New-ADDCCloneConfigFile
- Export, then import the VM
NOTE: the following server roles are not supported for cloning: Dynamic Host Configuration Protocol (DHCP), Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS)

How it works: what is VM Generation ID
- AD DS initially stores the VM GenerationID identifier as part of the msDS-GenerationID attribute on the domain controller's computer object
From then (prior to 2012):
- Problems occur when replication is attempted and we experience USN rollback (Event ID 2095)

How it works (contd): what is VM Generation ID
- AD DS initially stores the VM GenerationID identifier as part of the msDS-GenerationID attribute on the domain controller's computer object
To now (Server 2012):
- When the VM is restored or rebooted, the VMGID is compared to what's in the DIT (AD database)
- If different, the invocationID is reset and the RID pool discarded

How it works: step by step (assuming you've added the clone-able DC to the security group)
1. Create the configuration file
2. Shut down the source DC / VM
3. Export and import the VM
4. Power the new VM on and verify
IF there is a failure, the reboot will result in DSRM. More on troubleshooting can be found HERE.

Create Configuration File
1. Checks for the PDCe unless the offline switch is used
2. Verifies the source DC is a member of the Cloneable Domain Controllers group
3. Checks against applications that may not support cloning; allow list: C:\Windows\System32\DefaultDCCloneAllowList.xml
New-ADDCCloneConfigFile -Static -IPv4Address <address> -IPv4DefaultGateway <gateway> -IPv4SubnetMask <mask> -IPv4DNSResolver <dns-server> -SiteName CORPDR

Create Configuration File (contd): XML files used
- DefaultDCCloneAllowList.xml: default list of allowed services on a DC
- CustomDCCloneAllowList.xml: created if the GenerateXML switch is used with the PowerShell cmdlet Get-ADDCCloningExcludedApplicationList
- DCCloneConfig.xml: this is what is ultimately used on boot for cloning, and it is renamed once used. Its location can be one of the following: %windir%\NTDS; the location of the DIT; the root of any recoverable media
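The preparation steps from the last few slides, run on the source DC, plus the checks a defender would run around them (that the hypervisor actually exposes the VM-Generation ID safeguard, that the PDCe is 2012, and, on the clone after boot, whether the USN rollback event the deck mentions has appeared). This is an added example, not the presenters' script; DC01, the clone name DC01-CLN01, the site CORPDR, and all addresses are constructed placeholders.

```powershell
# Added example (not from the presentation): source-DC preparation for cloning with
# the checks around it. DC01, DC01-CLN01, CORPDR and the addresses are placeholders.
Import-Module ActiveDirectory

$sourceDc = 'DC01'

# 0. Safeguard support: a 2012 DC records the hypervisor's VM-Generation ID in
#    msDS-GenerationId on its computer object. If it is empty, the hypervisor does
#    not expose the ID, and neither cloning nor the snapshot safeguard will work.
$dc = Get-ADComputer -Identity $sourceDc -Properties 'msDS-GenerationId'
if (-not $dc.'msDS-GenerationId') {
    throw "$sourceDc has no msDS-GenerationId; the hypervisor does not expose VM-Generation ID. Do not clone."
}

# 1. The PDC emulator must be a Windows Server 2012 DC and reachable (the cmdlet
#    contacts it unless -Offline is used).
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike '*2012*') {
    throw "PDCe $($pdc.HostName) runs $($pdc.OperatingSystem); a 2012 PDCe is required."
}

# 2. Authorise the source DC for cloning.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $dc

# 3. Installed programs and services that are not on DefaultDCCloneAllowList.xml.
#    Each one must be reviewed and either removed or explicitly allowed; DHCP, AD CS
#    and AD LDS are never supported, so stop if one of them shows up.
$excluded = @(Get-ADDCCloningExcludedApplicationList)
if ($excluded.Count) {
    $excluded | Format-Table Name, Type -AutoSize
    # After review, this writes CustomDCCloneAllowList.xml for the remaining entries:
    # Get-ADDCCloningExcludedApplicationList -GenerateXml
}

# 4. Write DCCloneConfig.xml into the NTDS folder; the clone picks it up on first boot.
#    Naming the clone here avoids the auto-generated <source>-CLNnnnn name.
New-ADDCCloneConfigFile -CloneComputerName 'DC01-CLN01' -SiteName 'CORPDR' -Static `
                        -IPv4Address '10.0.0.20' -IPv4SubnetMask '255.255.255.0' `
                        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'

# 5. Shut down the source VM, export and import it in the hypervisor, boot the clone.
#    If cloning fails, the clone boots into DSRM instead of joining the domain.

# After boot, on the clone (or any DC): has the safeguard recorded a USN rollback?
# Event ID 2095 in the Directory Service log is the indicator the slides refer to.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Step 0 is the one most often skipped: without a hypervisor-supplied generation ID the DC cannot detect that it was rolled back, which is exactly the pre-2012 failure mode the deck describes, and an empty msDS-GenerationId is the quickest way to spot it before relying on the safeguard.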

Short Q & A

References
- Introduction to AD DS Virtualization
- Detect and Recover from USN Rollback
- TechNet Blog – AskPFE: Virtual Domain Controller Cloning in Windows Server 2012 (…in-windows-server-2012.aspx)
- DC Cloning Troubleshooting

Speakers' blog: (link)
Need more information on DMVMUG? Visit (link)