Active Directory in Windows Server 2012, 2012 R2, and beyond MIKE KLINE Microsoft mvp – directory services mkline@gmail.com or mkline@outlook.com www.adisfun.com TechGate 2013 – September 21, 2013 Reston, VA

@mekline Technical Reviewer

Agenda A quick Look Back – where have we come from Active Directory Features introduced in various versions Improvements Active Directory Features in Windows 2012 Recycle Bin, Password Policies, and Powershell Integration via ADAC Dynamic Access Control Virtualization Aware Active Directory Active Directory Features in Windows 2012 R2 and Beyond Protected Users Authentication Silos and Policies BYOD

A stroll down memory lane (what most enterprises are using today) April 24, 2003 Feb 4, 2008 July 22, 2009

Active Directory Features Introduced in Windows 2003 Universal group membership caching Drag and Drop Functionality Global Catalog Partial Sync Adding domain controllers using backup media Application Directory partitions

Active Directory Features Introduced in Windows Server 2008 Read-Only Domain Controllers Fine-Grained Password Policies (2008 Domain Functional Level) DFSR replication of Sysvol http://blogs.technet.com/b/askds/archive/2010/04/22/the-case-for-migrating- sysvol-to-dfsr.aspx Re-startable Active Directory Services Auditing Improvements DSRM Password Sync

Active Directory Features Introduced in Windows 2008 R2 Active Directory Recycle bin (Windows 2008 R2 Forest Functional Level) Active Directory Administrative Center Active Directory Best Practices Analyzer Bridgehead Server Selection Improvements Native Active Directory PowerShell cmdlets

Why We Are Here Today Sep 4, 2012 Oct 18, 2013

What about Government Security Guidelines? DSAWG = Defense Information Assurance Security Accreditation Working Group

Active Directory is Many Things These Days Windows Active Directory (AD) You host it, on-premises / Cloud You manage the infrastructure and the data Services: AD Directory Services (AD DS) Kerberos authentication NTLM authentication AD Lightweight Directory Services (AD LDS) aka ADAM AD Federation Services (AD FS) AD Certificate Services (AD CS) AD Rights Management Services (AD RMS) Windows Azure Active Directory (WAAD) Microsoft hosts it in their datacenters Microsoft manages the infrastructure You manage the data Services: Directory Services Federated authentication WS-Federation SAML Oauth 2.0 More to come... Access Control Services (ACS)

Microsoft’s Broad Goals with AD in 2012 Simplified Deployment of Active Directory Complete integration of environment preparation, role installation and DC promotion into a single UI DCs can be deployed rapidly to ease disaster recovery and workload balancing DCs can be deployed remotely on multiple machines from a single Windows 8 machine Consistent command-line experience through Windows PowerShell enables automation of deployment tasks Simplified Management of Active Directory GUI that simplifies complex tasks such as recovering a deleted object or managing password policies Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI Active Directory Windows PowerShell support for managing replication and topology data Virtualization Improvements All Active Directory features work equally well in physical, virtual or mixed environments

Adding Windows 2012 DCs Adding DCs prior to Windows 2012 contained many challenges: Confusing Prone to errors Time Consuming Not easy to script and no parity between GUI and command line System Administrators had to deal with many challenges: obtain the correct (new) version of the ADprep tools interactively logon at specific per-domain DCs using a variety of different credentials run the preparation tool in the correct sequence with the correct switches wait for replication between each step

Simplified Deployment Adprep.exe integration into the AD DS installation process Reduces the time required to install AD DS and reduces the chances for errors that might block domain controller promotion. AD DS server role installation, which is built on Windows PowerShell and can be run remotely on multiple servers Reduces the likelihood of administrative errors and the overall time that is required for installation, especially when you are deploying multiple domain controllers across global regions and domains Prerequisite validation in the AD DS Configuration Wizard Identifies potential errors before the installation begins. You can correct error conditions before they occur without the concerns that result from a partially complete upgrade.

Simplified Deployment Requirements Windows Server 2012 target forest must be Windows Server 2003 functional level or greater introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges subsequent DCs require only Domain Admin privileges within the target domain

Goodbye DCPromo and Adprep is on Life Support

DCPromo Continued

Recycle Bin User Interface Background the Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery scenarios requiring object recovery via the Recycle Bin are typically high-priority recovery from accidental deletions, etc. resulting in failed logons / work- stoppages the absence of a rich, graphical interface complicated its usage and slowed recovery there were third party tools that added a GUI but no native tool

Recycle Bin User Interface Requirements Recycle Bin’s own requirements must first be satisfied, e.g. Windows Server 2008 R2 forest functional level Recycle Bin optional-feature must be switched on Windows Server 2012 Active Directory Administrative Center Objects requiring recovery must have been deleted within Deleted Object Lifetime (DOL) defaults to 180 days

Recycle Bin Not Enabled Tombstone object Delete Majority of attributes deleted Live object Garbage collection X Purged from directory Tombstone lifetime (180 days) Offline authoritative restore

Recycle Bin Enabled X Delete Garbage collection Recycled object All attributes retained Live object Delete Deleted object Deleted object lifetime (180 days) Online undelete Garbage collection Recycled object Garbage collection X Purged from directory Tombstone lifetime (180 days)

Demo Active Directory Recycle Bin in Windows 2012 ADAC

Fine-Grained Password Policy the Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password-policies in order to leverage the feature, administrators had to manually create password-settings objects (PSOs) difficult to ensure that the manually defined policy- values behaved as desired time-consuming, trial and error administration

Fine-Grained Password Policy Creating, editing and assigning PSOs now managed through the Active Directory Administrative Center Simplifies management of password-settings objects Note: FGPP still only applies to user and groups. You can’t link or associate policies to OUs Requirements FGPP requirements must be met Windows Server 2008 domain functional level Windows Server 2012 Active Directory Administrative Center

Demo Fine-Grained Password Policies in Windows Server 2012

ADAC PowerShell History Viewer Background Windows PowerShell is a key technology in creating a consistent experience between the command-line and the graphical user interface Windows PowerShell increases productivity but requires investment in learning how to use it

ADAC PowerShell History Viewer allow administrators to view the Windows PowerShell commands executed when using the Administrative Center, for example: the administrator adds a user to a group the UI displays the equivalent Active Directory Windows PowerShell command Administrator’s can copy the resulting syntax and integrate it into their scripts reduces learning-curve increases confidence in scripting further enhances Windows PowerShell discoverability Requirements Windows Server 2012 Active Directory Administrative Center Windows 2012 domain controller not required

PowerShell Conversion - Examples DCPromo >> Install-ADDSDomain, Install-ADDSDomainController DSGET-Computer >> Get-ADComputer DSGET-Site >> Get-ADReplicationSite DSADDD User >> New-ADUser Repadmin /ShowUTDVec >> Get-ADReplicaionUpToDatenessVectorTable http://blogs.technet.com/b/ashleymcglone/archive/2013/01/02/free -download-cmd-to-powershell-guide-for-ad.aspx

Demo PowerShell History Viewer

Installation Options Background In previous versions of Windows Server admins had to choose between the full GUI install and server core (Windows 2008+) Windows 2012 allows admins to switch between options Full GUI Server Minimal Server Interface (aka MinShell) does not include significant aspects of the Server Graphical Shell. It enables most local GUI management tasks without requiring the Server Graphical Shell or Internet Explorer to be installed. This reduces the security and servicing footprint of the server thereby increasing safety and uptime while expanding deployment scenarios. 

Virtualized Domain Controllers – two new capabilities Domain controllers can be safely cloned to deploy additional capacity and save configuration time Accidental restoration of domain controller snapshots does not disrupt your AD DS environment.

4/19/2017 11:39 PM Safe Virtualization Common virtualization operations such as creating snapshots or copying VMs/VHDs can rollback the state of a virtual DC Can cause issues leading to permanently divergent state causing: USN Rollbacks Lingering objects schema mismatches if the Schema FSMO is rolled back the potential also exists for security principals to be created with duplicate SIDs ©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Virtual Domain Controller Safe Restore Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect Active Directory When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different the DC's unique Invocation ID is reset domain controller also discards the now-duplicated local Relative Identifier (RID) pool Since other domain controllers do not recognize the new Invocation ID, they conclude that they have not already seen these USNs and accept the updates non-authoritatively restores the SYSVOL folder

Hypervisor Support for Snapshots & Cloning Windows Server 2012 Standard Edition (Hyper-V) Windows Server 2012 Enterprise Edition (Hyper-V) Hyper-V Server 2012 (Hyper-V) Windows 8 Professional (Hyper-V) Windows 8 Enterprise (Hyper-V) VMware Workstation 9.0 & 10.0 VMware vSphere 5.0 with Update 4 VMware vSphere 5.1 & 5.5

Dynamic Access Control (DAC) 4/19/2017 11:39 PM Dynamic Access Control (DAC) A new claims-based authorization platform that enhances, not replaces, the existing model, which includes: new claims-based authorization platform that enhances, not replaces, existing model user-claims and device-claims user+device claims = compound identity use of file-classification information in authorization decisions New central access policies (CAP) model Use of file-classification information in authorization decisions modern authorization expressions, e.g. evaluation of ANDed authorization conditions leveraging classification and resource properties in ACLs easier Access-Denied remediation experience access- and audit-policies can be defined flexibly and simply ©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Dynamic Access Control (DAC) Requirements One or more Windows Server 2012 domain controllers Windows Server 2012 file server Enable the claims-policy in the Default Domain Controllers Policy Windows Server 2012 Active Directory Administrative Center For device-claims, compound ID must be switched on at the target service account by using Group Policy or editing the object directly

http://blogs.technet.com/b/askds/archive/2012/09/07/let-the-bogging-begin.aspx “…This isn't your grandfather's authorization either. Dynamic Access Control or DAC as we’ll call it, requires planning, diligence, and an understanding of many dependencies, such as Active Directory, Kerberos, and effective access…there are many knobs you must turn to configure it….”

Demo Dynamic Access Control

Protected Users Added protection for Administrators and other privileged accounts Add user to Protected User Group which will enable: Only Kerberos Authentication 4 Hour TGT Lifetime Delegation not Allowed Requires Windows 8.1 (or Server 2012 R2 hosts) Windows Server 2012 R2 Domain & DCs Renew user tickets (TGTs) beyond initial 4 hour lifetime

Protected Users Requirements User Accounts in the Protected Users groups are restricted to only using Kerberos (Required for Authentication Policies & Silos to be effective) Limits Protected Users cannot sign on if Kerberos is broken Accounts in the group can’t: Authenticate with NTLM Use DES or RC4 in Kerberos pre-authentication Renew user tickets (TGTs) beyond initial 4 hour lifetime

Authentication Policies & Silos Forest Based Active Directory Policies Applies to accounts in Windows Server 2012 R2 Domains Controls which hosts an account can sign-in to Configuration of access control conditions for authentication Authentication Policy Silos Allows isolation of related accounts that have constrained scope

Scenarios enabled by Active Directory BYOD Microsoft Office365 4/19/2017 Scenarios enabled by Active Directory BYOD Single Sign On (SSO) experience on Workplace Joined devices Join Windows and iOS devices to the Workplace SSO across browser and enterprise applications Enable users to work from anywhere, adhering to IT risk management strategy IT can conditionally grant access to company applications Workplace joined devices provide a seamless second factor authentication Conditions include user, device and strength of authentication Audit logs capture the user and device information IT/ISV can author enterprise apps that deliver native experiences on devices and are integrated with AD for SSO and conditional access © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Workplace Join Associates the device with a user Provides a seamless second factor authentication Enables a better end user experience with SSO Avoids risks involved in saving passwords with each application Avoids users having to repeatedly enter their credentials Enabled by device registration service in AD FS

Sample Demo Environment Allow access from specific users, when accessing from devices they have workplace joined Firewall WhoAmI (Claims based) Web app (Windows auth) Web application proxy AD FS Device registration service Active Directory

Future Talks Go in-depth into Windows 2012 features such as Dynamic Access Control. Windows Azure Active Directory – WAAD/AAD Deploying Active Directory on Windows Azure Virtual Machines Other??

Please don’t forget your evaluations … www.adisfun.com Email: mkline@gmail.com Questions?