DANIEL PETRI, PREMIER FIELD ENGINEER, MICROSOFT
Agenda
- Areas of Investment / Our Broad Goals
- New AD Features and Enhancements
- Summary of Requirements
- Takeaways

Areas of Investment / Our Broad Goals
- Simplified Server Management
- Virtualization That Just Works
- Simplified Management of Active Directory
- Simplified Deployment of Active Directory
Windows Server Management Philosophy
The new Windows Server Manager
Simplified Server Management

Solution
- Invest in remote multi-server management
- Improve the admin-to-server ratio
- Principled UI design: minimize context switching; glance-able, relevant and actionable information
- Easier ramp to automation

Requirements
- Windows Server 2012: available out of the box
- Windows 8: install RSAT
- To manage Windows Server 2008/R2: install WMF 3.0 and .NET 4.0, enable PowerShell remoting, install the required KB
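An added example (not from the deck) that checks a down-level Windows Server 2008/R2 host against the prerequisites listed above before adding it to Server Manager; the host name is a placeholder and the required KB is not checked because the deck does not name it:

```powershell
# Added example: verify remoting, WMF 3.0 (PowerShell 3.0) and .NET 4.0 on a 2008/R2 server.
function Test-ServerManagerReadiness {
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{ Computer = $ComputerName; Remoting = $false; PSVersion = $null; NetFx4 = $false; Ready = $false }

    # PowerShell remoting must be enabled on the target (Enable-PSRemoting run there)
    try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop; $r.Remoting = $true }
    catch { return [pscustomobject]$r }

    # Keep the remote script PowerShell 2.0-compatible: it has to run on a not-yet-upgraded box
    $remote = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        New-Object PSObject -Property @{
            PSVersion = $PSVersionTable.PSVersion        # WMF 3.0 installs PowerShell 3.0
            NetFx4    = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
        }
    }
    $r.PSVersion = $remote.PSVersion
    $r.NetFx4    = $remote.NetFx4
    $r.Ready     = ($remote.PSVersion.Major -ge 3) -and $remote.NetFx4
    [pscustomobject]$r
}

Test-ServerManagerReadiness -ComputerName 'FS-2008R2-01'   # placeholder host name
```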
Server Management Demo
New AD Features and Enhancements

Deployment
- Simplified Deployment
- Virtualization-Safe Technology
- Rapid Deployment

Management
- Recycle Bin User Interface
- Fine-Grained Password Policy User Interface

Miscellaneous
- Active Directory Platform Changes
- Dynamic Access Control
- More…
Simplified AD Deployment

Background
- Using ADPREP had issues: time consuming, error-prone, complex
- In the past, IT pros were required to:
  - Get the correct (new) version
  - Interactively log on at specific per-domain DCs
  - Run the preparation tool in the correct sequence
  - Wait for replication convergence

Solution
- Integrate
- Automate
- Validate
- Remoteable PowerShell

Requirements
- Windows Server 2012 computer
- Windows Server 2003 functional level or greater
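An added example (not from the deck) of the integrate/automate/validate flow over PowerShell remoting: prerequisites are validated first, and forest/domain preparation runs inline during promotion instead of as separate ADPREP steps. Target host, domain and site name are placeholders.

```powershell
# Added example: promote a Windows Server 2012 member server to a replica DC remotely.
$target = 'DC03'                      # placeholder: server to promote
$domain = 'corp.example.com'          # placeholder domain
$cred   = Get-Credential -Message 'Domain Admin credentials'
$dsrm   = Read-Host -AsSecureString 'DSRM password'

Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    param($Domain, $Cred, $Dsrm)

    # Integrate: the role binaries and the ADDSDeployment module come from one feature install
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # Validate: prerequisite checks (functional level, schema master reachability, DNS, ...)
    # run without changing anything; stop here if any of them fail
    $check = Test-ADDSDomainControllerInstallation -DomainName $Domain -Credential $Cred `
                 -SafeModeAdministratorPassword $Dsrm -InstallDns
    if ($check.Status -ne 'Success') { throw "Prerequisite check failed: $($check.Message)" }

    # Automate: forest and domain preparation happen inside the promotion when needed,
    # so no interactive logon at the schema master or per-domain infrastructure master
    Install-ADDSDomainController -DomainName $Domain -Credential $Cred `
        -SafeModeAdministratorPassword $Dsrm -InstallDns `
        -SiteName 'Default-First-Site-Name' -Force
} -ArgumentList $domain, $cred, $dsrm
```

The explicit -Credential on the ADDS cmdlets avoids the remoting double-hop problem: the promotion code on the target authenticates to the domain with those credentials rather than with the delegated session identity.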
DC Deployment Demo
Simplified AD Deployment
- In the past, network glitches during DCPROMO could crash the entire process
- In Windows Server 2012, promotion now uses an indefinite retry loop until the administrator fixes the network issue or clicks "Cancel"

Simplified AD Deployment
- In the past, Install From Media (IFM) performed a mandatory offline defrag of the DIT file
  - On a large DIT this could take hours, even days
  - No one ever performs an offline defrag…
- In Windows Server 2012, NTDSUTIL > IFM prep eliminates the defragmentation pass (optional)
- Creating the IFM media is very (!) fast
DC Deployment - IFM Demo
Simplified AD Deployment
Virtualization-Safe Technology

Background
- Creating snapshots or copying VMs/VHDs can roll back the state of a virtual DC, causing:
  - Lingering objects
  - Inconsistent passwords
  - Inconsistent attribute values
  - Schema mismatches
  - Duplicate SIDs

How Domain Controllers are Impacted: timeline of a USN rollback (DC1 and DC2)
- T1: a snapshot of DC1 is created. DC1 is at USN 100, ID: A, with its current RID pool.
- T2: users are added on DC1, which advances to USN 200. DC2 receives the updates with USNs > 100.
- T3: the snapshot is applied. DC1 drops back to USN 100, ID: A, and to the RID pool it held at T1, while DC2 still records DC1 as being at USN 200.
- T4: more users are created on DC1, which advances to USN 250. DC2 only receives updates with USNs > 200, i.e. the last 50.
- Result: the USN rollback is NOT detected. Only 50 users converge across the two DCs; all the others exist on one DC or the other. 100 security principals (users in this example) were issued RIDs from the re-used pool and have conflicting SIDs.
Solution
- Virtual DCs use a VM GenerationID
- Whenever a snapshot is rolled back, the GenerationID changes
- The DC checks it during reboot and for each write to the DIT
- If it has changed, protection steps are initiated

Requirements
- Windows Server 2012 DCs hosted on a hypervisor platform that supports GenerationID:
  - Hyper-V 3.0
  - 3rd-party hypervisors
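An added example (not from the deck) that inventories which DCs actually have the protection in place: msDS-GenerationId is only populated on the DC's computer object when the hypervisor exposes a VM-GenerationID, and the DSA invocationID is one of the values reset when a rollback is detected. The event ID used for detected changes (2170) is from the Windows Server 2012 Directory Service event catalogue, not from the deck.

```powershell
# Added example: per-DC report of VM-GenerationID support and detected Generation ID changes.
Import-Module ActiveDirectory

function Get-DcVirtualizationSafety {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Empty msDS-GenerationId = physical DC or a hypervisor without VM-GenerationID,
        # i.e. the USN-rollback scenario above is still possible for this DC
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'

        # invocationId (on the NTDS Settings object) is reset as part of the protection steps
        $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties invocationId
        $invId = New-Object Guid -ArgumentList (,[byte[]]$ntds.invocationId)

        # Event 2170 in the Directory Service log records "A Generation ID change has been detected"
        $changes = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
                       -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170 }

        [pscustomobject]@{
            DC              = $dc.HostName
            OS              = $dc.OperatingSystem
            HasGenerationId = [bool]$comp.'msDS-GenerationId'
            InvocationId    = $invId
            RollbacksSeen   = @($changes).Count
        }
    }
}

Get-DcVirtualizationSafety | Format-Table -AutoSize
```

A DC that reports HasGenerationId = False while running as a VM is the one to move to a supporting hypervisor, or to keep off the snapshot schedule entirely.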
Virtualization-Safe Technology
Rapid Deployment

Background
- Deploying virtualized replica DCs is as labor-intensive as physical DCs:
  - Preparation and deployment of a sysprep'd server image
  - Manually promoting a DC
  - Post-deployment configuration steps where necessary
- Virtualization brings capabilities that can simplify deployment

Solution: Domain Controller Cloning
- Create replicas of virtualized DCs by cloning existing ones
- A game-changer for disaster recovery
- Enables elastic provisioning capabilities

Requirements
- Windows Server 2012 DCs hosted on a hypervisor platform that supports GenerationID
- PDC FSMO on Windows Server 2012 (the PDC itself cannot be cloned)
- Source DC must be authorized for cloning
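An added example (not from the deck), run on the source DC, that enforces the three requirements above and writes the clone configuration. DC names, site, and IP addresses are placeholders.

```powershell
# Added example: prepare a virtualized Windows Server 2012 DC for cloning.
Import-Module ActiveDirectory

$sourceDc  = $env:COMPUTERNAME
$cloneName = 'DC04'                                   # placeholder name for the clone

# PDC emulator must be a Windows Server 2012 DC: it issues the clone its new identity
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notmatch '2012') {
    throw "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem); cloning is blocked"
}

# Source DC must be authorized for cloning (membership is the authorization)
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc)

# Every installed service/application must be known to survive cloning. Anything not on the
# built-in allow list is reported here and must be reviewed before it is whitelisted.
$unknown = Get-ADDCCloningExcludedApplicationList
if ($unknown) {
    $unknown | Format-Table Name, Type -AutoSize
    # After review only: Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    throw 'Review the excluded application list before cloning'
}

# DCCloneConfig.xml gives the clone its name, address and site. On first boot the new
# VM-GenerationID plus this file routes the DC into the clone path rather than rollback protection.
New-ADDCCloneConfigFile -CloneComputerName $cloneName -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.14' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# Next: shut this DC down, export or copy the VM, import it as a new VM and start it.
```

Remove the source DC from Cloneable Domain Controllers once the clone is running; leaving DCs in that group indefinitely widens who can mint new DCs from a stolen VHD.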
DC Deployment – DC Cloning Demo
Rapid Deployment: Domain Controller Cloning
Recycle Bin User Interface

Background
- Introduced with Windows Server 2008 R2; allows administrators to recover deleted objects such as users, groups and OUs
- Typically a high-priority task
- In the past, IT pros were required to enable and use the Recycle Bin through PowerShell commands: complex, not easy to remember or use

Solution
- Simplify object recovery
- Easy-to-use graphical UI
- Reduces recovery time
- Restores all attributes and group memberships

Requirements
- Windows Server 2008 R2 FFL
- The Recycle Bin optional feature must be switched on
- Windows Server 2012 Active Directory Administrative Center
- Objects must have been deleted within the Deleted Object Lifetime (180 days)
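An added example (not from the deck) showing the same recovery the UI performs, with each requirement above checked first. The deleted user's name is a placeholder; enabling the optional feature is irreversible, which is why it is a separate, explicit step.

```powershell
# Added example: check Recycle Bin prerequisites, enable the feature, restore a deleted user.
Import-Module ActiveDirectory

$forest = Get-ADForest
$cfgNC  = (Get-ADRootDSE).configurationNamingContext

# 1. Forest functional level must be Windows Server 2008 R2 or higher
$minFfl = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $minFfl) {
    throw "FFL is $($forest.ForestMode); the Recycle Bin needs Windows2008R2Forest or higher"
}

# 2. The optional feature must be switched on (cannot be disabled afterwards)
$rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 3. Deleted Object Lifetime: an empty attribute means the 180-day default
$dsCfg = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties 'msDS-DeletedObjectLifetime'
$dol   = if ($dsCfg.'msDS-DeletedObjectLifetime') { $dsCfg.'msDS-DeletedObjectLifetime' } else { 180 }

# 4. Locate the deleted object and restore it; attributes and group memberships come back with it
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and samAccountName -eq "jsmith"' `
               -IncludeDeletedObjects -Properties whenChanged, lastKnownParent
if (-not $deleted) { throw 'No deleted object with that name found' }
if (((Get-Date) - $deleted.whenChanged).Days -gt $dol) {
    throw "Deleted more than $dol days ago: the object is recycled and cannot be restored"
}
Restore-ADObject -Identity $deleted.ObjectGUID
"Restored $($deleted.Name) to $($deleted.lastKnownParent)"
```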
Recycle Bin User Interface Demo
Recycle Bin User Interface
Fine-Grained Password Policy UI

Background
- Introduced with Windows Server 2008; allows more granular management of password policies
- Requires manually creating password-settings objects (PSOs)
- In the past, IT pros were required to enable and use Fine-Grained Password Policies through ADSIEDIT or by importing LDIF files: complex, time consuming, not easy to remember or use

Solution
- Simplify creating, editing and assigning PSOs
- Easy-to-use graphical UI
- (No change: PSOs can be assigned only to users and/or groups)

Requirements
- Windows Server 2008 DFL
- Windows Server 2012 Active Directory Administrative Center
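An added example (not from the deck) that creates a PSO, assigns it to a group, and verifies the policy a member actually ends up with. Policy name, values and the user name are placeholders; the DFL check mirrors the requirement above.

```powershell
# Added example: PSO lifecycle in PowerShell, with the resultant-policy check the UI does not show.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$minDfl = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minDfl) {
    throw "DFL is $($domain.DomainMode); PSOs need Windows2008Domain or higher"
}

# Lower Precedence wins when a user is covered by more than one PSO
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 -PassThru `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false

# PSOs apply only to users and global security groups, never to OUs (unchanged in 2012)
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Domain Admins'

# Verify what one member actually gets; no result means the Default Domain Policy governs
$user = 'jsmith'    # placeholder
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective) { "$user -> $($effective.Name) (min length $($effective.MinPasswordLength))" }
else            { "$user -> no PSO applies; Default Domain Policy governs" }
```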
Fine-Grained Password Policy UI Demo
Fine-Grained Password Policy UI
More AD Features and Enhancements (we didn't have time for these…)
- RID improvements
- Active Directory Based Activation
- Dynamic Access Control (DAC)
- Group Managed Service Accounts (gMSA)
- AD Replication & Topology PowerShell cmdlets
- PowerShell History Viewer
- Off-Premises Domain Join
- Connected Accounts
- Kerberos enhancements: Kerberos Constrained Delegation (KCD), Flexible Authentication Secure Tunneling (FAST)
- Enhanced LDAP logging
- New LDAP controls/behaviors
Summary of Minimum Requirements

Installing this: the first Windows Server 2012 domain member (or Windows 8 with RSAT installed)
… gives you this:
- New Active Directory Administrative Center
- Windows PowerShell History Viewer
- Graphical Recycle Bin (2008 R2 FFL) and FGPP management (2008 DFL)
- Richer authorization through DAC & FCI, and Active Directory-based Activation (these require the Windows Server 2012 schema)
- Active Directory Replication & Topology cmdlets

Installing this: the first Windows Server 2012 DC
… gives you this:
- Simplified deployment and preparation
- Dynamic Access Control policies and claims
- Group Managed Service Accounts
- Virtualization-safe operation for the Windows Server 2012 DC (requires hypervisor support for VM-Gen-ID)

Installing this: a Windows Server 2012 DC holding the PDC Emulator role
… gives you this:
- Rapid virtual DC deployment through DC cloning (requires hypervisor support for VM-Gen-ID)
Takeaways
- Simplified Server Management
- Virtualization That Just Works
- Simplified Management of Active Directory
- Simplified Deployment of Active Directory
Popcorn Challenge
What AD database parameter allows DCs to know that their replication partner has been restored?
A. VM GenerationID
B. DSA InvocationID
C. RID Pool
D. KUKU-ID
QUESTIONS?
WHAT NEXT? DOWNLOAD WINDOWS SERVER 2012 RTM