SIA312: What’s new in Active Directory in Windows Server 2012

Dean Wells, Active Directory Product Group, Microsoft

This was another killer session, with a super dynamic speaker rivaled only by Mark Minasi in presentation and content. Dean could double as a stand-up IT comedian. Although it may not have gotten a lot of press, there are a number of enhancements to Windows Server 2012 Active Directory. The session was highly technical and fast-paced, so I didn’t get everything down. If you went to TechEd and can watch the video of this session, it is a must-see if you have anything to do with AD in your job.

Brace yourself for a fire hose:

  • High Level Areas of Investment
    • Simplified deployment of AD
    • Optimal deployment experiences in both private and public clouds
    • Increase consistency throughout the management experience
    • Accommodate business-driven security requirements through the integration of file-classification and claims-based authorization (dynamic access controls)
  • Broad Goals
    • Virtualization that just works
    • Simplified deployment of AD – No more adprep, forestprep,
    • Simplify Management of AD – GUI, PowerShell, etc.
  • New Features and Enhancements
    • Simplified Deployment
      • Background – Adding DCs was too hard and too error-prone
      • Solution
        • Integrate preparation steps into the promotion process
        • Validates environment-wide pre-reqs
        • Integrated with server manager and remotable
        • Built on Windows PowerShell for GUI and CLI consistency
        • Only one set of credentials needed (enterprise admin)
        • Note: Starting with Windows Server 2003 you can completely back out a schema change.
      • Requirements
        • Windows Server 2012
      • Dcpromo will now retry forever until you cancel it, in case of network issues. Fixed a newly discovered bug that’s existed in AD for 12 years.
      • Enhanced IFM (install from media) options. Offline defrag is no longer required prior to preparing for IFM. This is an option that you need to choose, as it’s not the default.
      • ADFS 2.1 is now in the box
    • Virtualization safe
      • DCs can detect when snapshots are taken
      • DCs can detect when they are copied
      • Built on a generation ID that is changed when VM-snapshots are used
      • Generation ID is exposed to the OS through the VM’s BIOS ACPI table
      • Windows Server 2012 virtual DCs track the VM-generation ID to detect changes and protect AD.
        • Discard RID pool
        • Resetting InvocationID – Used when DCs write data
        • Re-asserting INITSYNC requirements for FSMOs
      • Requires a hypervisor that supports it. Only Hyper-V supports it today, but other vendors have been given the specification. Expect VMware and XenServer to support it in coming releases.
    • Rapid Deployment
      • Deploy a DC that is running as a VM and you can just copy it.
      • PowerShell is used to prepare an existing VM and it creates a dcclone config file
      • Note: No need to use NTDSutil to whack dead DCs. You have been able to use ADUC for a number of years now.
      • Doesn’t let you clone DCs with certain software (like certificate services). Built-in whitelist.
    • RID usage is now exposed and queryable (max 1 billion per forest)
    • RID Improvements
      • Background: Appended to the end of a SID. 30 bits.
      • Account creation failure could cause the loss of a RID
      • Prevent RID allocation through failed domain joins
      • Log events when RID pools are invalidated (e.g. malicious code)
      • Enforced a cap on RID block size (was unlimited), new max is 15,000
      • Periodic RID consumption warning. Events become more frequent as the pool depletes
      • RID artificial ceiling of 90%, which is a soft limit. Flip a bit on the RID and you can use the remaining 100 million
      • Unlocked the 31st bit in the global RID space. Address space now doubled from 1B to 2B. 31st bit was reserved to flag Novell migrated accounts.
    • Deferred index creation – Too geeky to explain here
    • Expose DNTs on RootDSE – Too geeky to explain here
    • Off-premises domain join
      • Extends offline domain-join by allowing the blob to accommodate DirectAccess pre-reqs
        • Certs
        • Group policies
      • Download a base-64 blob from the web, then completely join your computer to the domain and set up DirectAccess without ever touching the corporate network
    • Enhanced LDAP logging
    • New LDAP controls and behaviors
    • Recycle Bin GUI
    • Dynamic Access Control
    • Kerberos claims can be shoved into an ADFS claim token
    • Active Directory-based Windows OS activation
      • Requires Windows 8 and Server 2012
    • Active Directory PowerShell History Viewer
      • Shows PowerShell cmdlet history like Exchange tools do
    • Fine-grained password policy GUI
    • Kerberos armoring – Flexible Authentication Secure Tunneling (FAST)
    • KDC delegation now works across domains and forests. Huge for some customers.
    • Managed service accounts – Now old technology. New technology is Group Managed Service Accounts (gMSA).
      • Scheduled tasks can also use gMSAs
      • Need Server 2012 schema and one 2012 DC. Only works on Win8 and Server 2012.
      • Multiple computers can now utilize the gMSA unlike the legacy MSAs
    • AD replication and topology PowerShell cmdlets
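
The RID limits in the notes above (30-bit space, unlockable 31st bit, 90% soft ceiling) can be checked against the `rIDAvailablePool` attribute of the RID Manager object, whose high 32 bits hold the maximum RID and whose low 32 bits hold the number already issued. This is an added example, not code from the session or from this post; `Get-RidPoolStatus`, its parameters, the 80% warning threshold and the sample value are assumptions made for illustration.

```powershell
# Added example: decode rIDAvailablePool and compare it with the limits in the notes.
# Get-RidPoolStatus and its parameters are hypothetical names for this illustration.
function Get-RidPoolStatus {
    param(
        [Parameter(Mandatory = $true)][long]$RidAvailablePool,
        [int]$BlockSize = 500,           # default block handed to a DC (2012 caps it at 15,000)
        [double]$CeilingPercent = 90,    # soft ceiling described in the notes
        [double]$WarnPercent = 80        # arbitrary early-warning threshold for this example
    )
    $thirtyBitMax = 1073741823                                    # 2^30 - 1, the original RID space
    $issued  = $RidAvailablePool -band [long][uint32]::MaxValue   # low 32 bits: RIDs issued so far
    $maximum = $RidAvailablePool -shr 32                          # high 32 bits: highest RID allowed
    if ($maximum -le 0 -or $issued -gt $maximum) {
        throw "Value does not look like a rIDAvailablePool: max=$maximum issued=$issued"
    }

    $ceiling = [long][math]::Floor($maximum * $CeilingPercent / 100)
    if ($issued -ge $ceiling) { $status = 'AtCeiling' }
    elseif ($issued -ge ($maximum * $WarnPercent / 100)) { $status = 'Warning' }
    else { $status = 'OK' }

    # Whole RID blocks that can still be handed out before the soft ceiling is reached
    $blocksLeft = [math]::Max(0, [long][math]::Floor(($ceiling - $issued) / $BlockSize))

    [pscustomobject]@{
        Issued                 = $issued
        Maximum                = $maximum
        PercentUsed            = [math]::Round(100.0 * $issued / $maximum, 2)
        ThirtyFirstBitUnlocked = ($maximum -gt $thirtyBitMax)
        CeilingRid             = $ceiling
        BlocksBeforeCeiling    = $blocksLeft
        Status                 = $status
    }
}

# Constructed sample (not from a real domain): 30-bit maximum, 900,000,000 RIDs issued
$sample = ([long]1073741823 -shl 32) -bor 900000000
Get-RidPoolStatus -RidAvailablePool $sample | Format-List

# Live value (needs the ActiveDirectory module and a reachable DC):
# $dn = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName
# Get-RidPoolStatus (Get-ADObject $dn -Properties rIDAvailablePool).rIDAvailablePool
```

A sudden jump in `Issued` between two runs is worth correlating with the RID pool invalidation and consumption events mentioned above.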

GBing! (Inside joke for those that attended the session!)
