Published by Melanie Conley. Modified over 9 years ago.
Active Directory in Windows Server 2012, 2012 R2, and beyond
Mike Kline, Microsoft MVP – Directory Services
TechGate 2013 – September 21, 2013, Reston, VA
@mekline
Technical Reviewer
Agenda
A quick look back: where have we come from
Active Directory features introduced in various versions
Improvements
Active Directory features in Windows 2012:
  Recycle Bin, Password Policies, and PowerShell integration via ADAC
  Dynamic Access Control
  Virtualization-aware Active Directory
Active Directory features in Windows 2012 R2 and beyond:
  Protected Users
  Authentication Silos and Policies
  BYOD
A stroll down memory lane (what most enterprises are using today)
April 24, 2003: Windows Server 2003
Feb 4, 2008: Windows Server 2008
July 22, 2009: Windows Server 2008 R2
Active Directory Features Introduced in Windows 2003
Universal group membership caching
Drag and drop functionality
Global Catalog partial sync
Adding domain controllers using backup media
Application directory partitions
Active Directory Features Introduced in Windows Server 2008
Read-Only Domain Controllers
Fine-Grained Password Policies (2008 Domain Functional Level)
DFSR replication of SYSVOL (sysvol-to-dfsr.aspx)
Restartable Active Directory Services
Auditing improvements
DSRM password sync
Active Directory Features Introduced in Windows 2008 R2
Active Directory Recycle Bin (Windows 2008 R2 Forest Functional Level)
Active Directory Administrative Center
Active Directory Best Practices Analyzer
Bridgehead server selection improvements
Native Active Directory PowerShell cmdlets
Why We Are Here Today
Sep 4, 2012: Windows Server 2012
Oct 18, 2013: Windows Server 2012 R2
What about Government Security Guidelines?
DSAWG = Defense Information Assurance Security Accreditation Working Group
Active Directory is Many Things These Days
Windows Active Directory (AD)
  You host it, on-premises / cloud
  You manage the infrastructure and the data
  Services:
    AD Directory Services (AD DS): Kerberos authentication, NTLM authentication
    AD Lightweight Directory Services (AD LDS), aka ADAM
    AD Federation Services (AD FS)
    AD Certificate Services (AD CS)
    AD Rights Management Services (AD RMS)
Windows Azure Active Directory (WAAD)
  Microsoft hosts it in their datacenters
  Microsoft manages the infrastructure
  You manage the data
  Services:
    Directory Services
    Federated authentication: WS-Federation, SAML, OAuth 2.0, more to come...
    Access Control Services (ACS)
Microsoft's Broad Goals with AD in 2012
Simplified deployment of Active Directory
  Complete integration of environment preparation, role installation and DC promotion into a single UI
  DCs can be deployed rapidly to ease disaster recovery and workload balancing
  DCs can be deployed remotely on multiple machines from a single Windows 8 machine
  Consistent command-line experience through Windows PowerShell enables automation of deployment tasks
Simplified management of Active Directory
  GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
  Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
  Active Directory Windows PowerShell support for managing replication and topology data
Virtualization improvements
  All Active Directory features work equally well in physical, virtual or mixed environments
Adding Windows 2012 DCs
Adding DCs prior to Windows 2012 contained many challenges:
  Confusing
  Prone to errors
  Time consuming
  Not easy to script, and no parity between GUI and command line
System administrators had to deal with many challenges:
  Obtain the correct (new) version of the ADprep tools
  Interactively log on at specific per-domain DCs using a variety of different credentials
  Run the preparation tool in the correct sequence with the correct switches
  Wait for replication between each step
Simplified Deployment
Adprep.exe integration into the AD DS installation process
  Reduces the time required to install AD DS and reduces the chances for errors that might block domain controller promotion.
AD DS server role installation, which is built on Windows PowerShell and can be run remotely on multiple servers
  Reduces the likelihood of administrative errors and the overall time that is required for installation, especially when you are deploying multiple domain controllers across global regions and domains.
Prerequisite validation in the AD DS Configuration Wizard
  Identifies potential errors before the installation begins. You can correct error conditions before they occur without the concerns that result from a partially complete upgrade.
Simplified Deployment
Requirements
  Windows Server 2012 target forest must be at Windows Server 2003 functional level or greater
  Introducing the first Windows Server 2012 DC requires Enterprise Admin and Schema Admin privileges
  Subsequent DCs require only Domain Admin privileges within the target domain
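The remote, validate-then-promote flow these two slides describe, written out as an added example (this is not code from the deck or from Microsoft's documentation). It uses the ADDSDeployment cmdlets that replaced dcpromo; the server name, domain name and the "Domain Admin" credential prompt are constructed placeholders, and the same credential must hold Enterprise Admin and Schema Admin rights when this is the first Windows Server 2012 DC in the forest.

```powershell
# Added example: validate prerequisites on a member server and promote it to a DC,
# all from one administrative workstation. $targetServer and $domainName are constructed.
$targetServer = 'DC02.corp.example.com'   # constructed: member server to promote
$domainName   = 'corp.example.com'        # constructed: existing domain to join as a DC
$cred         = Get-Credential -Message 'Domain Admin (Enterprise + Schema Admin for the first 2012 DC)'
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) administrator password'

Invoke-Command -ComputerName $targetServer -Credential $cred -ScriptBlock {
    param($DomainName, $Cred, $DsrmPassword)

    # Role binaries plus the management tools; this brings the ADDSDeployment module with it.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

    # Prerequisite validation, the same checks the AD DS Configuration Wizard runs.
    # On the first 2012 DC this is also where the integrated adprep work is evaluated,
    # so schema/forest preparation errors surface here instead of mid-promotion.
    $check = Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $Cred `
                 -SafeModeAdministratorPassword $DsrmPassword -InstallDns

    if ($check.Status -ne 'Success') {
        # Stop before anything is changed; print every message the validation produced.
        $check.Message | ForEach-Object { Write-Warning $_ }
        throw "Prerequisite validation failed on $env:COMPUTERNAME"
    }

    # Promotion proper. -Force suppresses the confirmation prompt; the server reboots when done.
    Install-ADDSDomainController -DomainName $DomainName -Credential $Cred `
        -SafeModeAdministratorPassword $DsrmPassword -InstallDns -Force
} -ArgumentList $domainName, $cred, $dsrmPassword
```

Running the same script block against a list of servers with `-ComputerName` is how the "multiple DCs from a single Windows 8 machine" scenario on the goals slide is realised; the credential and SecureString travel to the remote session encrypted by PowerShell remoting, so no password ends up in a script file.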
Goodbye DCPromo, and Adprep is on Life Support
DCPromo Continued
Recycle Bin User Interface
Background
  The Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery
  Scenarios requiring object recovery via the Recycle Bin are typically high priority: recovery from accidental deletions, etc. resulting in failed logons / work stoppages
  The absence of a rich, graphical interface complicated its usage and slowed recovery
  There were third-party tools that added a GUI, but no native tool
Recycle Bin User Interface
Requirements
  Recycle Bin's own requirements must first be satisfied, e.g.:
    Windows Server 2008 R2 forest functional level
    Recycle Bin optional feature must be switched on
  Windows Server 2012 Active Directory Administrative Center
  Objects requiring recovery must have been deleted within the Deleted Object Lifetime (DOL); defaults to 180 days
Recycle Bin Not Enabled
[Diagram: object lifecycle without the Recycle Bin]
Live object → Delete → Tombstone object (majority of attributes deleted; recoverable only by offline authoritative restore) → Garbage collection after the tombstone lifetime (180 days) → Purged from directory
Recycle Bin Enabled
[Diagram: object lifecycle with the Recycle Bin]
Live object → Delete → Deleted object (all attributes retained; online undelete possible during the deleted object lifetime, 180 days) → Garbage collection → Recycled object → Garbage collection after the tombstone lifetime (180 days) → Purged from directory
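The requirements slide and the two lifecycle diagrams together describe a checklist: forest functional level, the optional feature, and whether the object is still inside the Deleted Object Lifetime. The following is an added example (not code from the deck) that runs that checklist and then performs an online undelete with the ActiveDirectory module; the account name `jdoe` is a constructed placeholder.

```powershell
# Added example: check Recycle Bin prerequisites, then restore a deleted user online.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# 1. Forest functional level must be Windows Server 2008 R2 or higher.
$minMode = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $minMode) {
    throw "Forest functional level $($forest.ForestMode) is too low for the Recycle Bin"
}

# 2. The optional feature must be enabled at forest scope. Enabling it is irreversible.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Write-Warning 'Recycle Bin is not enabled; objects deleted before enabling are tombstones and cannot be undeleted online.'
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# 3. Deleted Object Lifetime and tombstone lifetime live on the Directory Service object
#    in the Configuration partition. An unset value means the built-in default applies
#    (the deck quotes 180 days).
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
"DOL: {0}  tombstoneLifetime: {1}" -f ($dsObject.'msDS-DeletedObjectLifetime' -replace '^$', '(default)'),
                                      ($dsObject.'tombstoneLifetime' -replace '^$', '(default)')

# 4. Locate the deleted object. Deleted objects carry a mangled name (name + 0x0A + 'DEL:' + GUID),
#    so search by sAMAccountName; skip anything already recycled, which can no longer be restored.
$samAccountName = 'jdoe'   # constructed
$deleted = Get-ADObject -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$samAccountName'" `
               -IncludeDeletedObjects -Properties isRecycled, lastKnownParent, whenChanged |
           Where-Object { -not $_.isRecycled }

if (-not $deleted) { throw "No restorable deleted object found for $samAccountName" }

# If the original OU was deleted too, lastKnownParent points at a deleted container;
# restore the parent first or pass -TargetPath to place the user somewhere that exists.
"Restoring $($deleted.Name) (deleted $($deleted.whenChanged)) to $($deleted.lastKnownParent)"
Restore-ADObject -Identity $deleted.ObjectGUID
```

Because the object keeps all of its attributes while in the Deleted Objects container, the restored account comes back with its SID, group memberships and password intact, which is exactly what the slide means by "complete object recovery" and why the Recycle Bin removes the need for the offline authoritative restore shown in the first diagram.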
Demo: Active Directory Recycle Bin in Windows 2012 ADAC
Fine-Grained Password Policy
The Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password policies
In order to leverage the feature, administrators had to manually create password settings objects (PSOs)
  Difficult to ensure that the manually defined policy values behaved as desired
  Time-consuming, trial-and-error administration
Fine-Grained Password Policy
Creating, editing and assigning PSOs is now managed through the Active Directory Administrative Center
  Simplifies management of password settings objects
  Note: FGPP still only applies to users and groups. You can't link or associate policies to OUs
Requirements
  FGPP requirements must be met: Windows Server 2008 domain functional level
  Windows Server 2012 Active Directory Administrative Center
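The same PSO workflow in script form, as an added example (not from the deck): the ADAC PowerShell History Viewer covered a few slides later shows cmdlets of this kind for each GUI action. The policy name, the group `Tier0-Admins` and the user `jdoe-admin` are constructed placeholders.

```powershell
# Added example: create a stricter PSO for privileged accounts, link it to a group,
# and verify the resultant policy for one member.
Import-Module ActiveDirectory

# FGPP needs Windows Server 2008 domain functional level.
$domain  = Get-ADDomain
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minMode) {
    throw "FGPP requires Windows Server 2008 domain functional level; current: $($domain.DomainMode)"
}

$psoName = 'PSO-PrivilegedAccounts'   # constructed
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    # Lower Precedence wins when a user is covered by several PSOs.
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
}

# PSOs are linked to users or global security groups only, never to OUs (see the note above).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'   # constructed group

# The resultant policy is what actually applies: a PSO linked directly to the user beats any
# group-linked PSO, otherwise the lowest Precedence value wins. Check rather than assume.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe-admin' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

The last cmdlet is the answer to the "trial and error" complaint on the previous slide: it reports which PSO (or the Default Domain Policy, when it returns nothing) governs a given account, so a policy can be verified immediately after it is linked.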
Demo: Fine-Grained Password Policies in Windows Server 2012
ADAC PowerShell History Viewer
Background
  Windows PowerShell is a key technology in creating a consistent experience between the command line and the graphical user interface
  Windows PowerShell increases productivity but requires investment in learning how to use it
ADAC PowerShell History Viewer
Allows administrators to view the Windows PowerShell commands executed when using the Administrative Center, for example:
  The administrator adds a user to a group
  The UI displays the equivalent Active Directory Windows PowerShell command
Administrators can copy the resulting syntax and integrate it into their scripts
  Reduces the learning curve
  Increases confidence in scripting
  Further enhances Windows PowerShell discoverability
Requirements
  Windows Server 2012 Active Directory Administrative Center
  Windows 2012 domain controller not required
PowerShell Conversion - Examples
DCPromo >> Install-ADDSDomain, Install-ADDSDomainController
DSGET Computer >> Get-ADComputer
DSGET Site >> Get-ADReplicationSite
DSADD User >> New-ADUser
Repadmin /ShowUTDVec >> Get-ADReplicationUpToDatenessVectorTable
-download-cmd-to-powershell-guide-for-ad.aspx
Demo: PowerShell History Viewer
Installation Options
Background
  In previous versions of Windows Server, admins had to choose between the full GUI install and Server Core (Windows 2008+)
  Windows 2012 allows admins to switch between options
Full GUI Server
Minimal Server Interface (aka MinShell)
  Does not include significant aspects of the Server Graphical Shell. It enables most local GUI management tasks without requiring the Server Graphical Shell or Internet Explorer to be installed.
  This reduces the security and servicing footprint of the server, thereby increasing safety and uptime while expanding deployment scenarios.
Virtualized Domain Controllers – two new capabilities
Domain controllers can be safely cloned to deploy additional capacity and save configuration time
Accidental restoration of domain controller snapshots does not disrupt your AD DS environment
Safe Virtualization
Common virtualization operations such as creating snapshots or copying VMs/VHDs can roll back the state of a virtual DC
Can cause issues leading to permanently divergent state, causing:
  USN rollbacks
  Lingering objects
  Schema mismatches, if the Schema FSMO is rolled back
  The potential also exists for security principals to be created with duplicate SIDs
©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Virtual Domain Controller Safe Restore
Windows Server 2012 virtual DCs track the VM-Generation ID to detect changes and protect Active Directory
When the virtual machine boots up, the current value of the VM-Generation ID from the virtual machine is compared against the value in the database. If the two values are different:
  The DC's unique Invocation ID is reset
  The domain controller also discards the now-duplicated local Relative Identifier (RID) pool
  Since other domain controllers do not recognize the new Invocation ID, they conclude that they have not already seen these USNs and accept the updates
  Non-authoritatively restores the SYSVOL folder
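The safe-restore logic compares the hypervisor's VM-Generation ID with the copy stored in the DC's own database and, on mismatch, issues a new Invocation ID. Both values are visible from PowerShell, as is the trail a rollback leaves in the Directory Service event log. The following is an added example (not from the deck) for checking that state on a virtual DC; the only assumption is that it runs with rights to read the DC's computer object and its event log.

```powershell
# Added example: inspect the values the safe-restore mechanism depends on, and look for
# the events a snapshot rollback leaves behind on a Windows Server 2012 (or later) DC.
Import-Module ActiveDirectory

function Get-VirtualDcState {
    param([string]$DcName = $env:COMPUTERNAME)

    $dc = Get-ADDomainController -Identity $DcName

    # msDS-GenerationId on the DC's computer object holds the VM-Generation ID last recorded
    # in that DC's database. It is not replicated, so query the DC itself (-Server).
    # A hypervisor without VM-Generation ID support leaves it unset, and the DC is then unprotected.
    $computer = Get-ADObject -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId' -Server $DcName
    $genId = if ($computer.'msDS-GenerationId') {
        [System.BitConverter]::ToString($computer.'msDS-GenerationId')
    } else { '(not set: hypervisor does not expose a VM-Generation ID)' }

    [pscustomobject]@{
        DomainController    = $dc.HostName
        IsVirtual           = [bool]$computer.'msDS-GenerationId'
        VmGenerationId      = $genId
        InvocationId        = $dc.InvocationId      # a fresh GUID appears here after a detected rollback
        HighestCommittedUsn = (Get-ADRootDSE -Server $DcName).highestCommittedUSN
    }
}

function Get-PartnerUsnView {
    param([string]$DcName = $env:COMPUTERNAME)
    # The up-to-dateness vector is what the partners compare against. After a safe restore the
    # old Invocation ID stays in their vector and the new one is added, which is why the partners
    # accept the re-applied updates instead of treating them as already seen.
    Get-ADReplicationUpToDatenessVectorTable -Target $DcName |
        Select-Object Partner, PartnerInvocationId, UsnFilter, LastReplicationSuccess
}

function Get-RollbackIndicators {
    param([string]$DcName = $env:COMPUTERNAME)
    # 2095: USN rollback detected; the DC quarantines itself (inbound/outbound replication paused).
    # 2103: the database was restored with an unsupported procedure; replication is disabled.
    # Either event on a DC that was "just restored from a snapshot" means the safe-restore path
    # did not engage (no VM-Generation ID, or a pre-2012 DC) and manual recovery is required.
    Get-WinEvent -ComputerName $DcName -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-VirtualDcState
Get-PartnerUsnView
Get-RollbackIndicators
```

Recording `InvocationId` and `HighestCommittedUsn` per DC on a schedule gives a simple detector: an Invocation ID that changes without a planned restore, or a highest committed USN that goes backwards, is exactly the divergence the previous slide warns about, caught before lingering objects or duplicate SIDs appear.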
Hypervisor Support for Snapshots & Cloning
Windows Server 2012 Standard Edition (Hyper-V)
Windows Server 2012 Enterprise Edition (Hyper-V)
Hyper-V Server 2012 (Hyper-V)
Windows 8 Professional (Hyper-V)
Windows 8 Enterprise (Hyper-V)
VMware Workstation 9.0 & 10.0
VMware vSphere 5.0 with Update 4
VMware vSphere 5.1 & 5.5
Dynamic Access Control (DAC)
A new claims-based authorization platform that enhances, not replaces, the existing model, which includes:
  User claims and device claims; user + device claims = compound identity
  Use of file-classification information in authorization decisions
  New central access policies (CAP) model
  Modern authorization expressions, e.g. evaluation of ANDed authorization conditions leveraging classification and resource properties in ACLs
  Easier Access-Denied remediation experience
  Access and audit policies can be defined flexibly and simply
Dynamic Access Control (DAC)
Requirements
  One or more Windows Server 2012 domain controllers
  Windows Server 2012 file server
  Enable the claims policy in the Default Domain Controllers Policy
  Windows Server 2012 Active Directory Administrative Center
  For device claims, compound ID must be switched on at the target service account by using Group Policy or editing the object directly
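The requirements list maps onto a handful of cmdlets. Below is an added example (not code from the deck) that performs the two prerequisite steps and then builds the smallest useful DAC configuration: one user claim, one resource property, one central access rule with a conditional ACE, and a central access policy that carries it. The file server `FS01`, the claim and property names, the `Department_CAP` ID and the department values are constructed; the registry value named in step 1 is the one behind the "KDC support for claims, compound authentication and Kerberos armoring" setting, and should be confirmed against the ADMX in your environment.

```powershell
# Added example: DAC prerequisites plus a minimal claim / resource property / rule / policy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Claims support on the KDCs, delivered through the Default Domain Controllers Policy.
#    1 = Supported (claims issued when the client asks for them). Verify against your ADMX.
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null

# 2. Compound identity on the file server's computer account, so the KDC includes device
#    claims in service tickets for FS01 (the "edit the object directly" option on the slide).
Set-ADComputer -Identity 'FS01' -CompoundIdentitySupported $true     # FS01 is constructed

# 3. A user claim sourced from the 'department' attribute. A fixed ID keeps the SDDL below readable.
if (-not (Get-ADClaimType -Filter "DisplayName -eq 'Department'")) {
    New-ADClaimType -DisplayName 'Department' -SourceAttribute department `
        -ID 'ad://ext/Department' -Enabled $true
}

# 4. A resource property for classifying files, published in the global list so file servers pick it up.
if (-not (Get-ADResourceProperty -Filter "DisplayName -eq 'Department'")) {
    New-ADResourceProperty -DisplayName 'Department' -ID 'Department_CAP' `
        -ResourcePropertyValueType 'MS-DS-Text' -IsSecured $true
    Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department_CAP'
}

# 5. Central access rule: applies to files classified Finance or HR, and the conditional (XA) ACE
#    grants read/execute to Authenticated Users only when the user's Department claim equals the
#    file's Department classification. Owner and Administrators keep full control.
$ruleName = 'Department-Match'     # constructed
if (-not (Get-ADCentralAccessRule -Filter "Name -eq '$ruleName'")) {
    New-ADCentralAccessRule -Name $ruleName `
        -ResourceCondition '(@RESOURCE.Department_CAP Any_of {"Finance","HR"})' `
        -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;FRFX;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_CAP))'
}

# 6. Central access policy carrying the rule. It is pushed to file servers with Group Policy
#    (Computer Configuration > Policies > Windows Settings > Security Settings > File System >
#    Central Access Policy) and then selected on a folder's Security tab.
$policyName = 'Departmental Files'  # constructed
if (-not (Get-ADCentralAccessPolicy -Filter "Name -eq '$policyName'")) {
    New-ADCentralAccessPolicy -Name $policyName
    Add-ADCentralAccessPolicyMember -Identity $policyName -Members $ruleName
}
```

On a domain-joined Windows 8 client, `whoami /claims` after a fresh logon shows whether the Department claim made it into the user's ticket, which is the first thing to check when an effective-access result on the file server does not match the rule. Using a Deployment Share with the CAP in audit-only (proposed) permissions before switching it to enforced is the low-risk way to roll this out, since the classification values on existing files are rarely as clean as the rule assumes.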
"…This isn't your grandfather's authorization either. Dynamic Access Control or DAC as we'll call it, requires planning, diligence, and an understanding of many dependencies, such as Active Directory, Kerberos, and effective access…there are many knobs you must turn to configure it…."
Demo: Dynamic Access Control
Protected Users
Added protection for administrators and other privileged accounts
Add the user to the Protected Users group, which will enable:
  Only Kerberos authentication
  4 hour TGT lifetime
  Delegation not allowed
Requires:
  Windows 8.1 (or Server 2012 R2 hosts)
  Windows Server 2012 R2 domain & DCs
Protected Users Requirements
User accounts in the Protected Users group are restricted to only using Kerberos (required for Authentication Policies & Silos to be effective)
Limits: Protected Users cannot sign on if Kerberos is broken
Accounts in the group can't:
  Authenticate with NTLM
  Use DES or RC4 in Kerberos pre-authentication
  Renew user tickets (TGTs) beyond the initial 4 hour lifetime
Authentication Policies & Silos
Forest-based Active Directory policies
  Applies to accounts in Windows Server 2012 R2 domains
  Controls which hosts an account can sign in to
  Configuration of access control conditions for authentication
Authentication Policy Silos
  Allow isolation of related accounts that have constrained scope
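The three slides on Protected Users and Authentication Policies & Silos describe one layered control: Kerberos-only accounts, and a silo that says which hosts those accounts may authenticate from. The following is an added example (not from the deck) that builds that layering with the Windows Server 2012 R2 ActiveDirectory cmdlets. The account names `t0-admin1`/`t0-admin2`, the hosts `PAW01`/`DC01`, and the silo and policy names are constructed placeholders.

```powershell
# Added example: Protected Users membership plus an authentication policy and silo that
# limit where the protected accounts can authenticate from. Names are constructed.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
if ([int]$domain.DomainMode -lt $minMode) {
    throw "Domain-side Protected Users enforcement and silos need a Windows Server 2012 R2 domain; current: $($domain.DomainMode)"
}

$admins     = @('t0-admin1', 't0-admin2')   # constructed: privileged user accounts
$adminHosts = @('PAW01', 'DC01')            # constructed: the only hosts they may sign in from
$siloName   = 'Tier0-Silo'
$policyName = 'Tier0-AuthPolicy'

# 1. Protected Users: no NTLM, no DES/RC4 pre-auth, no delegation, 4 hour non-renewable TGT.
#    Only interactive human admin accounts belong here; a service account placed in this group
#    stops working the moment something depends on NTLM or delegation.
Add-ADGroupMember -Identity 'Protected Users' -Members $admins

# 2. Authentication policy. The SDDL condition allows authentication only from a device whose
#    computer account carries the same silo claim. Created without -Enforce, so failures are
#    audited (Authentication Policy Failures events) rather than denied until the policy is vetted.
$allowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"
if (-not (Get-ADAuthenticationPolicy -Filter "Name -eq '$policyName'")) {
    New-ADAuthenticationPolicy -Name $policyName -UserTGTLifetimeMins 240 `
        -UserAllowedToAuthenticateFrom $allowedFrom -ProtectedFromAccidentalDeletion $true
}

# 3. Silo that applies the policy to users, computers and services assigned to it.
if (-not (Get-ADAuthenticationPolicySilo -Filter "Name -eq '$siloName'")) {
    New-ADAuthenticationPolicySilo -Name $siloName -UserAuthenticationPolicy $policyName `
        -ComputerAuthenticationPolicy $policyName -ServiceAuthenticationPolicy $policyName `
        -ProtectedFromAccidentalDeletion $true
}

# 4. Membership is two-sided: the silo must permit the account, and the account must point at the silo.
foreach ($account in ($admins + $adminHosts)) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $account
}
$admins     | ForEach-Object { Set-ADUser     -Identity $_ -AuthenticationPolicySilo $siloName }
$adminHosts | ForEach-Object { Set-ADComputer -Identity $_ -AuthenticationPolicySilo $siloName }

# 5. Verify what each admin account ended up with.
Get-ADUser -Identity $admins[0] -Properties AuthenticationPolicySilo, MemberOf |
    Select-Object SamAccountName, AuthenticationPolicySilo,
        @{ n = 'ProtectedUser'; e = { [bool]($_.MemberOf -match '^CN=Protected Users,') } }
```

Switch the policy and silo to `-Enforce` (via `Set-ADAuthenticationPolicy` / `Set-ADAuthenticationPolicySilo`) only after the audit events show no legitimate sign-ins from outside `$adminHosts`; the "cannot sign on if Kerberos is broken" limit on the previous slide applies doubly here, so keep at least one break-glass account outside both the group and the silo.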
Scenarios enabled by Active Directory BYOD
Single Sign On (SSO) experience on Workplace Joined devices
  Join Windows and iOS devices to the Workplace
  SSO across browser and enterprise applications
Enable users to work from anywhere, adhering to IT risk management strategy
  IT can conditionally grant access to company applications
  Workplace joined devices provide a seamless second factor authentication
  Conditions include user, device and strength of authentication
  Audit logs capture the user and device information
IT/ISV can author enterprise apps that deliver native experiences on devices and are integrated with AD for SSO and conditional access
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Workplace Join
Associates the device with a user
Provides a seamless second factor authentication
Enables a better end user experience with SSO
  Avoids risks involved in saving passwords with each application
  Avoids users having to repeatedly enter their credentials
Enabled by the Device Registration Service in AD FS
Sample Demo Environment
Scenario: allow access from specific users, when accessing from devices they have workplace joined
[Diagram components: Firewall; Web Application Proxy; AD FS; Device Registration Service; Active Directory; WhoAmI web app (claims based); web app (Windows auth)]
Future Talks
Go in depth into Windows 2012 features such as Dynamic Access Control
Windows Azure Active Directory – WAAD/AAD
Deploying Active Directory on Windows Azure Virtual Machines
Other??
Please don't forget your evaluations …
Questions?