
Published: September 10th, 2012

Windows Server 2012: Identity and Access

Module 1: Active Directory Features and Improvements.

Module Manual Author: Andrew Warren, Content Master

Microsoft Virtual Academy Student Manual ii

Information in this document, including URLs and other Internet Web site references, are subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ® 2012 Microsoft Corporation. All rights reserved. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

CONTENTS .... iii
MODULE 1: ACTIVE DIRECTORY FEATURES AND IMPROVEMENTS .... 4
    Module Overview .... 4
LESSON 1: DEPLOYMENT IMPROVEMENTS .... 5
    Improved Deployment Experience .... 6
        Integrated Preparation Steps .... 6
        Prerequisites Validated Before Starting Deployment .... 6
        Integrated with Server Manager, Remote-able, and Built on Windows PowerShell .... 7
        Configuration Wizard Aligns With Common Deployment Scenarios .... 7
    Enhanced Install-From-Media .... 8
    AD FS 2.1 Included As Server Role .... 9
LESSON 2: VIRTUALIZED AD DS .... 10
    Safe Virtualization of Domain Controllers .... 11
    Virtualized Domain Controller Cloning .... 13
LESSON 3: NEW FEATURES AND ENHANCEMENTS .... 15
    RID Improvements .... 16
    Deferred Index Creation .... 18
    Off-Premises Domain-Join .... 19
    Connected Accounts .... 20
    Active Directory–Based Activation .... 21
    Group Managed Service Accounts .... 22
    AD DS Replication and Topology Cmdlets .... 23
LESSON 4: MANAGEMENT IMPROVEMENTS .... 25
    Active Directory Recycle Bin .... 26
    Fine-Grained Password Policy .... 27
    AD DS Windows PowerShell History Viewer .... 28
    Dynamic Access Control .... 29
    Group Policy Enhancements .... 31
    Kerberos Constrained Delegation .... 32
FURTHER READING AND RESOURCES .... 34


Module 1: Active Directory Features and Improvements.

Module Overview

This module introduces each of the new features of Active Directory® Domain Services (AD DS). It explains the problems that these features address and what is required for you to deploy and use them. The module also explores AD DS deployment improvements, improvements to AD DS virtualization, new features and enhancements to existing features, and improvements to AD DS management.


Lesson 1: Deployment Improvements

This lesson introduces the improvements that Windows Server® 2012 brings to AD DS deployment.


Improved Deployment Experience

In earlier versions of Windows Server, the process that was used to create domain controllers could be confusing for administrators. It was also possible for administrators to launch DCPromo.exe when the server on which the command was launched did not meet the prerequisites for promotion.

In Windows Server 2012, the process you use to create domain controllers within your enterprise has been improved. The following sections describe these improvements.

Integrated Preparation Steps

AD DS deployment in Windows Server 2012 integrates all of the required steps to deploy new domain controllers into a single graphical interface. It requires only one enterprise-level credential, and it can prepare the forest or domain by remotely targeting the appropriate operations master roles. Note that the Adprep.exe process is integrated into the AD DS installation process; this reduces the time that is required to install AD DS and reduces the chances for errors that might block domain controller promotion.

Prerequisites Validated Before Starting Deployment

Prerequisite validation occurs in the AD DS Configuration Wizard. The wizard identifies potential errors before the installation begins, so you can correct error conditions up front, without the concerns that result from a partially completed upgrade.


Integrated with Server Manager, Remote-able, and Built on Windows PowerShell

The AD DS installation process is built on Windows PowerShell™ 3.0, is integrated with Server Manager, can target multiple servers, and can remotely deploy domain controllers. This results in a deployment experience that is simpler, more consistent, and less time-consuming. The installation wizard creates a Windows PowerShell script that contains the options that were specified during the graphical installation; this simplifies the deployment process by automating subsequent AD DS installations through automatically generated Windows PowerShell scripts.

Note that you can complete the domain controller installation and promotion process entirely with Windows PowerShell.

Configuration Wizard Aligns With Common Deployment Scenarios

The configuration pages in the wizard are grouped in a sequence that mirrors the requirements of the most common promotion scenarios, with related options grouped in fewer wizard pages; this provides better context, enabling you to make better domain controller installation choices, and reduces the number of steps and the amount of time that is required to complete the domain controller installation.
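The following script is an added example, not part of the module, of the Windows PowerShell promotion path described above: it runs the same prerequisite validation the wizard performs and only then promotes the server as an additional domain controller. The domain name, site name and paths are placeholders, and the Status and Message properties of the validation result are assumed from the ADDSDeployment module's result object.

```powershell
# Added example (not from the module): validate, then promote an additional domain controller.
# Assumptions: domain contoso.com, the site name and the NTDS/SYSVOL paths are placeholders.
Import-Module ADDSDeployment

$domain = 'contoso.com'
$site   = 'Default-First-Site-Name'
$cred   = Get-Credential -Message 'Enterprise-level credential used for the promotion'
$dsrm   = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$common = @{
    DomainName                    = $domain
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    SiteName                      = $site
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Prerequisite validation only: the same checks the AD DS Configuration Wizard runs
# before it touches the server, so a failing condition is fixed before anything is partially done.
$check = Test-ADDSDomainControllerInstallation @common
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite validation failed; correct the conditions above before promoting.'
}

# Promotion. Adprep runs as part of this step when the forest or domain still needs it,
# and the same call can be wrapped in Invoke-Command to promote a remote server.
Install-ADDSDomainController @common -Force
```

Running the validation first mirrors the wizard's behaviour; keeping the parameters in one splatted hashtable guarantees that what was validated is exactly what is installed.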


Enhanced Install-From-Media

In earlier versions of Windows Server, when you want to promote a server to the domain controller role, you can do so by using the install-from-media (IFM) option; this enables you to create installation media from which you can promote the server. To create this installation media, you must run the Ntdsutil.exe command-line tool.

However, as part of the media creation process, the Ntdsutil.exe command also performs an offline defragmentation of the AD DS database. This defragmentation yields a smaller database file but can take a long time to process.

In Windows Server 2012, you can choose not to perform the offline defragmentation pass, enabling you to create the required media files more quickly. Bear in mind that the resulting IFM files may be larger as a result of bypassing the defragmentation process, which could result in longer copying times where slow links connect you to the target servers.


AD FS 2.1 Included As Server Role

Many large enterprise-level organizations want to be able to share information with other businesses and/or consumers. For example, consider a business that wants to enable its customers to place orders directly into its order processing system. Active Directory Federation Services (AD FS) allows your organization to successfully implement this scenario by enabling the necessary claims and trusts to facilitate it.

In earlier versions of Windows Server, you must download AD FS as a separate component from the Microsoft Download website; this is no longer necessary, because AD FS 2.1 is included as a server role in Windows Server 2012. You can install the role from within Server Manager without needing to download it; this streamlines the process of deploying AD FS.


Lesson 2: Virtualized AD DS

Organizations are increasingly looking to virtualize workloads to optimize their IT infrastructure; this move to a virtualized environment encompasses domain controllers. Virtualization of AD DS environments has been ongoing for a number of years. Beginning with Windows Server 2012, AD DS provides greater support for virtualizing domain controllers by introducing virtualization-safe capabilities and enabling rapid deployment of virtual domain controllers through cloning. These new virtualization features provide greater support for public and private clouds, hybrid environments where portions of AD DS exist on-premises and in the cloud, and AD DS infrastructures that reside completely on-premises.


Safe Virtualization of Domain Controllers

AD DS replication uses a monotonically increasing value that is assigned to transactions on each domain controller; this is known as an update sequence number (USN). Each domain controller's database instance is also given an identity, known as an InvocationID. The InvocationID of a domain controller and its USN together serve as a unique identifier that is associated with every write transaction that is performed and must be unique within the forest. AD DS replication uses InvocationIDs and USNs to determine what changes need to be replicated to other domain controllers.

However, if an administrator applies a snapshot that rolls back a domain controller to a point in time, a USN could be reused on that domain controller for an entirely different transaction; this may result in replication failing to converge, because other domain controllers will believe they have already received the updates that are associated with the re-used USN.

In Windows Server 2012, AD DS relies on the hypervisor platform to expose an identifier called VM Generation ID to detect whether a virtual machine (VM) has been rolled back in time. The design uses a hypervisor-agnostic mechanism for utilizing the VM Generation ID in the VM.

Before completing any transaction, AD DS first reads the value of this identifier and compares it with the last value that is stored in the directory. A mismatch is interpreted as a 'rollback', and the domain controller employs AD DS safeguards that are new to Windows Server 2012, which consist of resetting the InvocationID and discarding the relative identifier (RID) pool. From this point forward, all transactions are associated with the domain controller's new InvocationID. Other domain controllers do not recognize the new InvocationID, so they will conclude that they have not already seen these USNs and will accept the updates that are identified by the new InvocationID and USNs, allowing the directory to converge.
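As an added example (not part of the module), the script below turns the safeguard just described into a check an administrator can run: it records each domain controller's InvocationID and the msDS-GenerationId stored on its computer object, and on later runs reports any InvocationID that changed, which is the observable result of a rollback being detected (or of a restore). The baseline path is a placeholder, and the Directory Service event ID used for the generation-ID change (2170) is an assumption to confirm against your own logs.

```powershell
# Added example (not from the module): baseline and compare DC InvocationIDs and VM Generation IDs.
# Assumptions: baseline file path is a placeholder; event ID 2170 is assumed to be the
# "generation ID change detected" event in the Directory Service log.
Import-Module ActiveDirectory

$baselinePath = 'C:\ADBaseline\dc-identity.json'

function Get-DcIdentityState {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # msDS-GenerationId is the last VM Generation ID the DC stored in the directory (octet string).
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
        $genId = $computer.'msDS-GenerationId'
        [pscustomobject]@{
            Name         = $dc.HostName
            InvocationId = $dc.InvocationId.Guid
            GenerationId = if ($genId) { [BitConverter]::ToString([byte[]]$genId) } else { $null }  # null: physical DC or hypervisor without the ID
        }
    }
}

$current = Get-DcIdentityState

if (-not (Test-Path $baselinePath)) {
    # First run: record the baseline and stop.
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $baselinePath
    "Baseline written to $baselinePath"
    return
}

$baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
foreach ($dc in $current) {
    $old = $baseline | Where-Object Name -eq $dc.Name
    if ($old -and $old.InvocationId -ne $dc.InvocationId) {
        Write-Warning "$($dc.Name): InvocationID changed $($old.InvocationId) -> $($dc.InvocationId); check for a snapshot rollback or restore."
    }
    if ($old -and $old.GenerationId -ne $dc.GenerationId) {
        Write-Warning "$($dc.Name): VM Generation ID changed; the rollback safeguard should have fired on this DC."
    }
}

# Corroborate with the DC's own log (run on the DC; event ID is an assumption, see above).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

An InvocationID change is expected after an authoritative or non-authoritative restore and after the safeguard resets it; an unexplained change on a virtual DC is the signal to look for snapshot use on the hypervisor.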


Virtualized Domain Controller Cloning

Virtualized domain controller cloning enables you to create a clone of a virtualized domain controller. With virtualized domain controller cloning, you can now promote a single virtual domain controller per domain and rapidly deploy all additional replica virtual domain controllers through cloning. You no longer have to repeatedly deploy a sysprepped server image, promote the server to a domain controller, and then complete additional configuration requirements for every replica domain controller.

Requirements

To implement domain controller cloning, you must meet the following requirements:

• Your Windows Server 2012 virtual domain controllers must be hosted on hypervisor platforms that are aware of the VM Generation ID.
• The primary domain controller (PDC) emulator operations master role must be running Windows Server 2012 to authorize the cloning operation.
• The source domain controller that you clone must be authorized for cloning.
• The DCCloneConfig.xml file must be present on the cloned domain controller in one of the following locations:
  o The directory containing the NTDS.DIT
  o The default DIT directory (%windir%\NTDS)
  o On removable media, such as a virtual floppy, USB storage device, or similar

Note that commonplace Windows Server 2012 services that are co-located with domain controllers are supported, for example: Domain Name System (DNS), File Replication Service (FRS), and Distributed File System Replication (DFS-R).
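The requirements above map onto a short preparation procedure on the source domain controller. The script below is an added example (not from the module) that checks the PDC emulator's operating system, authorizes the source DC, reviews software that is not known to be clone-safe, and writes DCCloneConfig.xml into the NTDS directory. The DC names, site and IP addresses are placeholders.

```powershell
# Added example (not from the module): prepare source DC 'DC01' for cloning into 'DC02'.
# Assumptions: names, site and addresses below are placeholders. Run on the source DC.
Import-Module ActiveDirectory

# 1. The PDC emulator must run Windows Server 2012 to authorize the clone.
$pdc   = Get-ADDomainController -Discover -Service PrimaryDC
$pdcOs = (Get-ADDomainController -Identity ($pdc.HostName | Select-Object -First 1)).OperatingSystem
if ($pdcOs -notlike '*Windows Server 2012*') {
    throw "PDC emulator runs '$pdcOs'; it must run Windows Server 2012 to authorize cloning."
}

# 2. Authorize the source DC by adding its computer account to the Cloneable Domain Controllers group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'DC01')

# 3. Services and applications on this DC that are not on the clone-safe allow list.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Review the list above: remove the software, or accept it with Get-ADDCCloningExcludedApplicationList -GenerateXml.'
}

# 4. DCCloneConfig.xml in the directory containing NTDS.DIT, one of the three locations the clone searches.
New-ADDCCloneConfigFile -CloneComputerName 'DC02' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'
```

After this the source VM is shut down, exported and imported on a Generation-ID-aware hypervisor; the clone reads the file on first boot, detects the new generation ID, and promotes itself under the new name. Step 3 is the safety check worth keeping: an application that is not clone-safe would otherwise carry the source's identity into the copy.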


Lesson 3: New Features and Enhancements

This lesson explores some of the additional changes made to AD DS in Windows Server 2012, including the ability to domain-join computers that are not connected to the corporate network, support for connected accounts, and various other AD DS enhancements.


RID Improvements

The AD DS RID is used to uniquely identify objects in the distributed AD DS database. Each domain controller holds a pool of RIDs and uses these to identify newly created objects, such as users, groups, and computers. The process of generating unique RIDs is a single-master operation. One domain controller is assigned the role of RID master, and it allocates a sequence of RIDs to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a security identifier (SID). The RID for the new SID is taken from the domain controller's allocation of RIDs. When its supply of RIDs begins to run low, the domain controller requests another block from the RID master.

In earlier versions of Windows Server, it was possible for the RID pool to become depleted due to leakage. For example, if an administrator attempted to create a new account, but the account creation failed due to the account properties not meeting the required AD DS security policy requirements, the RID was already allocated but unused; the RID had leaked. In Windows Server 2012, the domain controller maintains an in-memory container of reusable RIDs; this list of reusable RIDs is used first, thereby reducing RID leakage.

Windows Server 2012 also identifies when the RID pool is invalidated by creating an entry in the event log. The RID pool can become invalidated by performing an AD DS database restoration. AD DS in Windows Server 2012 also imposes a maximum cap on the RID block size. Previously, you could configure this value on the RID single operations master role holder by editing the registry, and the upper limit was unbounded; in Windows Server 2012, the upper limit is 15,000.

As RIDs are consumed, Windows Server 2012 produces periodic warnings and logs these to the system log. The first such warning occurs when ten percent of the global space remains. These events become more frequent as the global space is depleted further.

Finally, a soft ceiling of ninety percent of the global RID space is set in AD DS in Windows Server 2012. Reaching this value triggers an event. The administrator can override this 'ceiling' by resetting the msDS-RIDPoolAllocationEnabled value on the RID single operations master role holder.
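Rather than waiting for the ten-percent and ninety-percent events, the consumption can be read directly from the RID Manager object. The following is an added example (not from the module) that decodes the rIDAvailablePool value and reports usage against the two thresholds described above; the object's location under CN=System is the standard one and is assumed here.

```powershell
# Added example (not from the module): report global RID space consumption in the current domain.
# Assumption: the RID Manager object lives at CN=RID Manager$,CN=System,<domain DN> (standard location).
Import-Module ActiveDirectory

function Get-RidPoolUsage {
    $domainDn = (Get-ADDomain).DistinguishedName
    $ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domainDn) `
        -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'

    # rIDAvailablePool packs two 32-bit values into one 64-bit integer:
    #   high 32 bits = size of the global RID space, low 32 bits = next RID to be handed out.
    $pool   = [int64]$ridMgr.rIDAvailablePool
    $total  = [math]::Floor($pool / [math]::Pow(2, 32))
    $issued = $pool - ($total * [math]::Pow(2, 32))

    [pscustomobject]@{
        GlobalSpace       = $total
        Issued            = $issued
        Remaining         = $total - $issued
        PercentUsed       = [math]::Round(100 * $issued / $total, 2)
        # Absent by default; the administrator sets it on the RID master to lift the 90% ceiling.
        AllocationEnabled = $ridMgr.'msDS-RIDPoolAllocationEnabled'
    }
}

$usage = Get-RidPoolUsage
$usage

if ($usage.PercentUsed -ge 90) {
    Write-Warning 'Soft ceiling reached: 90% of the global RID space is issued; new allocations stop until msDS-RIDPoolAllocationEnabled is reset on the RID master.'
} elseif ($usage.Remaining -le ($usage.GlobalSpace * 0.10)) {
    Write-Warning 'Less than 10% of the global RID space remains; this is the level at which the first system-log warning is raised.'
}
```

A sudden jump in Issued between two runs is worth investigating on its own: each block request consumes a whole block (capped at 15,000 in Windows Server 2012), so repeated invalidations or a scripted burst of failed object creations show up here long before the events do.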


Deferred Index Creation

Indexing attributes on AD DS objects enables those attributes to be searched faster. However, maintaining the indexes for these attributes can impose a load on the domain controllers in your enterprise.

In Windows Server 2012, you can set the dSHeuristics attribute to control index creation, effectively deferring it until the domain controller is either restarted or receives an UpdateSchemaNow rootDSE modification.

Any attribute that is in a deferred index state is logged in the event log every day:

• 2944: Index deferred (logged once)
• 2945: Index still pending (logged every 24 hours)
• 1137: Index created (logged once; not a new event)
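As an added example (not from the module), the script below lists the attributes the schema marks for indexing, pulls the three deferred-index events named above from the Directory Service log, and optionally triggers the pending index build through the rootDSE write instead of a restart. The rootDSE attribute written is schemaUpdateNow, the operational attribute that the module text refers to as the UpdateSchemaNow modification; run it on the domain controller being checked.

```powershell
# Added example (not from the module): audit deferred index creation on this domain controller.
# Set $buildIndexesNow to $true to trigger the pending build via rootDSE instead of a restart.
Import-Module ActiveDirectory
$buildIndexesNow = $false

# Attributes flagged for indexing: searchFlags bit 1, found with the LDAP bitwise-AND matching rule.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$indexed = Get-ADObject -SearchBase $schemaNc -Properties lDAPDisplayName, searchFlags `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))'
"Attributes marked for indexing in the schema: $(@($indexed).Count)"

# Deferred (2944), still pending (2945) and created (1137) index events from the Directory Service log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2944, 2945, 1137 } `
    -ErrorAction SilentlyContinue
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# Indexes that were deferred and not yet reported as created.
$deferredCount = @($events | Where-Object Id -eq 2944).Count
$createdCount  = @($events | Where-Object Id -eq 1137).Count
if ($deferredCount -gt $createdCount) {
    Write-Warning "$($deferredCount - $createdCount) deferred index build(s) still outstanding on this DC."
    if ($buildIndexesNow) {
        # rootDSE operational write: builds pending indexes now, without restarting the DC.
        $rootDse = [ADSI]'LDAP://RootDSE'
        $rootDse.Put('schemaUpdateNow', 1)
        $rootDse.SetInfo()
    }
}
```

The deferred state is per domain controller, so this needs to run on each DC; a schema change that looks complete from the schema master can still be an unbuilt index elsewhere, and queries that rely on that index will be slow there until the 1137 event appears.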


Off-Premises Domain-Join

In the past, the computers that you wanted to join to your organization's domain had to be connected to the organization's network. AD DS in Windows Server 2012 enables you to domain-join computers that are off-premises. For example, you can connect a user's home-based laptop to your organization's domain without the user needing to bring the computer into the office; this is achieved by using DirectAccess technology.


Connected Accounts

AD DS in Windows Server 2012 supports the ability to link users' accounts with their Microsoft accounts, enabling Windows® 8 features and apps to take advantage of specific online capabilities. In addition, certain aspects of a user's profile can be roamed between computers that share the same Microsoft account.

When you think about implementing this capability, consider the following points:

• Microsoft account logon to Windows with a connected Active Directory user account is not supported.
• Server SKUs do not support connected accounts.
• The administrator must associate the Microsoft account with the target account.
• The connected local user will appear in Local Users and Groups.


Active Directory–Based Activation

In current networks, volume licensing is usually managed by using Key Management Service (KMS) servers. KMS has a number of disadvantages: it uses remote procedure calls (RPCs), it does not support any form of authentication, and it does not provide a graphical console.

AD DS in Windows Server 2012 can provide the necessary volume activation without the requirement for KMS, although you can configure coexistence with KMS to support volume activations for earlier versions of Windows client operating systems.

The advantages of using Active Directory–based activation are:

• You do not require additional server hardware to provide for activation services.
• It eliminates the requirement for RPCs by using Lightweight Directory Access Protocol (LDAP) exclusively.
• It supports read-only domain controllers.

When you think about using Active Directory–based activation, consider that only Windows 8 and Windows Server 2012 computers can activate using this service. For earlier client and server operating systems, you must use KMS.


Group Managed Service Accounts

Standalone Managed Service Accounts, introduced with Windows Server 2008 R2 and Windows 7, are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators.

The group Managed Service Account provides the same function within the domain but also extends that functionality over multiple servers. When connecting to a service hosted on a server farm, such as one behind Network Load Balancing, the authentication protocols supporting mutual authentication require that all instances of the service use the same principal. When group Managed Service Accounts (gMSAs) are used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password.

You can only configure and administer gMSAs on computers running Windows Server 2012, but you can deploy them as a single service identity solution in domains that still have some domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.
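The following script is an added example (not from the module) of creating a gMSA for a two-node web farm so that both nodes present the same Kerberos principal while AD rotates the password. The host names, DNS name, SPN and group name are placeholders; the group is used so that only farm members can retrieve the managed password.

```powershell
# Added example (not from the module): one gMSA shared by a two-node farm.
# Assumptions: hosts WEB01/WEB02, service name web.contoso.com and group name are placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# Even with -EffectiveImmediately, allow ~10 hours for the key to replicate to all DCs before use.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only the farm members may retrieve the password: put them in a dedicated group.
New-ADGroup -Name 'WebFarmHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WebFarmHosts' -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# The gMSA: same principal for every node, SPN registered once, password rotated by AD every 30 days.
New-ADServiceAccount -Name 'svc-webfarm' -DNSHostName 'web.contoso.com' `
    -ServicePrincipalNames 'HTTP/web.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarmHosts' `
    -ManagedPasswordIntervalInDays 30

# Who can read the password, for review: the answer should be the farm group and nothing else.
(Get-ADServiceAccount -Identity 'svc-webfarm' -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# On each farm node, after a reboot so the new group membership is in the computer's token:
Install-ADServiceAccount -Identity 'svc-webfarm'
Test-ADServiceAccount -Identity 'svc-webfarm'   # True when this host can retrieve the password
```

The service is then configured to run as CONTOSO\svc-webfarm$ with an empty password; nobody ever knows the password, which is what removes it from the attack surface. Keeping the retrieval principals to a tightly scoped group is the part worth reviewing periodically, since any member of that group can obtain the service's credential.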


AD DS Replication and Topology Cmdlets

Windows PowerShell for Active Directory in Windows Server 2012 includes support for replication and topology management. It includes the ability to manage replication, sites, domains and forests, domain controllers, and partitions.

The Windows PowerShell cmdlets offer functionality similar to that previously available in Active Directory Sites and Services and Repadmin.exe. In addition, the cmdlets are compatible with the existing Windows PowerShell for Active Directory cmdlets, thereby creating a streamlined experience and enabling you to easily create automation scripts.

For example, to get a list of all AD DS sites, use the following command:

    Get-ADReplicationSite -Filter *

To create a new site, use the following command:

    New-ADReplicationSite BRANCH1

To create a new site link, use the following command:

    New-ADReplicationSiteLink 'CORPORATE-BRANCH1' -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}

You can use these cmdlets, and others, to perform all AD DS replication and topology maintenance that you previously performed in the graphical console.
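Building on the three commands above, the following added example (not from the module) is a replication health script: it inventories sites and site links, reads each domain controller's inbound replication metadata (the Repadmin /showrepl equivalent) and lists current failures, then shows the topology change from the module text as one unit. Site names are placeholders.

```powershell
# Added example (not from the module): topology inventory and replication health across the domain.
# Assumptions: site names CORPORATE/BRANCH2 are placeholders.
Import-Module ActiveDirectory

# Sites and the links that connect them (what Sites and Services shows graphically).
Get-ADReplicationSite -Filter * | Select-Object Name, Description
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

# Inbound replication state for every DC, per partition and partner (repadmin /showrepl).
$dcs = (Get-ADDomainController -Filter *).HostName
$meta = Get-ADReplicationPartnerMetadata -Target $dcs -Scope Server
$meta | Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object ConsecutiveReplicationFailures -Descending | Format-Table -AutoSize

# Partnerships that are currently failing, with the error, for alerting (repadmin /replsummary).
$failures = Get-ADReplicationFailure -Target $dcs -Scope Server
if ($failures) {
    $failures | Select-Object Server, Partner, FailureType, FailureCount, LastError, FirstFailureTime | Format-Table -AutoSize
    Write-Warning "$(@($failures).Count) replication failure(s); a DC that has not replicated for longer than the tombstone lifetime must be demoted and rebuilt, not 'forced' back in."
}

# Topology change as in the module text: new site and a notification-enabled link to it.
New-ADReplicationSite -Name 'BRANCH2'
New-ADReplicationSiteLink -Name 'CORPORATE-BRANCH2' -SitesIncluded 'CORPORATE', 'BRANCH2' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -OtherAttributes @{ options = 1 }   # options=1: change notification on the link
```

Scheduling the metadata and failure queries is the cheap way to catch a domain controller that has silently stopped replicating; a DC that converges late is also a DC whose password changes and group removals have not yet taken effect everywhere.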


Lesson 4: Management Improvements

AD DS in Windows Server 2012 provides a number of management improvements. This lesson explores these improvements.


Active Directory Recycle Bin

The Active Directory Administrative Center has been enhanced to support graphical management of the Active Directory Recycle Bin. Prior to Windows Server 2012, using the Active Directory Recycle Bin meant you were required to use the Active Directory Service Interface (ADSI) Edit tool, which was cumbersome and non-intuitive.
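The same operations the Administrative Center now exposes graphically can be scripted, which matters when a deletion is discovered at scale. The following is an added example (not from the module) that enables the Recycle Bin after checking the forest functional level, lists recoverable objects, and restores one user; the user name is a placeholder.

```powershell
# Added example (not from the module): enable the AD Recycle Bin and recover a deleted user.
# Assumption: the sAMAccountName 'jsmith' is a placeholder.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Enabling is irreversible and needs forest functional level Windows Server 2008 R2 or later.
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it to at least Windows2008R2Forest first."
}

$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# What can currently be recovered (objects inside the deleted-object lifetime, default 180 days).
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore a specific user to its original container, with group memberships and SID intact.
Get-ADObject -Filter 'sAMAccountName -eq "jsmith" -and isDeleted -eq $true' -IncludeDeletedObjects |
    Restore-ADObject
```

Restore-ADObject returns the object to its lastKnownParent, so a deleted OU must be restored before the objects that lived in it. The reason to prefer this over re-creating the account is the SID: a restored object keeps its SID and therefore its existing ACL entries, whereas a re-created one does not.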


Fine-Grained Password Policy

The Active Directory Administrative Center has also been modified to support the creation and management of fine-grained password policies. Again, in earlier versions of Windows Server, you must use ADSI Edit to manage these fine-grained password policies.
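As an added example (not from the module), the script below creates a stricter password settings object for privileged accounts, applies it to a group, and verifies which policy actually takes effect for a user. The policy name, values and user name are placeholders chosen for illustration.

```powershell
# Added example (not from the module): a stricter fine-grained password policy for privileged accounts.
# Assumptions: policy name, thresholds and the user 'alice' are placeholders.
Import-Module ActiveDirectory

New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Domain Admins'

# Several PSOs can apply to one user; the lowest Precedence wins. Check what a given user really gets.
Get-ADUserResultantPasswordPolicy -Identity 'alice' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge

# Audit: every PSO and who it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```

The resultant-policy check is the step most often skipped: a user who is in two groups with different PSOs gets the one with the lower precedence value, and a PSO with no subjects silently does nothing.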


AD DS Windows PowerShell History Viewer

As part of Microsoft's commitment to the Windows PowerShell platform, the Active Directory Administrative Center now provides a conveniently accessible Windows PowerShell History Viewer. The Windows PowerShell History Viewer displays the Windows PowerShell commands that run when a task is performed through the UI.

There are many Windows PowerShell cmdlets for AD DS, but one of the challenges for AD DS administrators is that there is a relatively steep learning curve around Windows PowerShell for AD DS. Even after learning them, it is hard to remember all of the cmdlets and their parameters.

In Windows Server 2012, as you execute actions in the UI, the equivalent Windows PowerShell for Active Directory command is shown to the user in the Windows PowerShell History Viewer. These commands in turn can be copied and reused in your scripts. This improvement reduces the time to learn Windows PowerShell for Active Directory. It may also increase your users' confidence in the correctness of their automation scripts.


Dynamic Access Control

Dynamic Access Control enables you to create and manage central access and audit policies in AD DS, which you can then manage through the Active Directory Administrative Center. These policies are based on conditional expressions that take into account who the user is, what device they are using, and what data they are accessing. You can then translate business requirements to efficient policy enforcement and considerably reduce the number of security groups needed for access control.

To help organizations reach data compliance, Microsoft has focused on the following areas:

• Identify the information that needs to be managed to meet business and compliance requirements.
• Apply appropriate access policies to information.
• Audit access to information.
• Encrypt information.

These focus areas were then translated to a set of Windows capabilities that enable data compliance in partner and Windows-based solutions.

Dynamic Access Control integrates claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as "User is from the Finance department" and "User's security clearance is High."

The file classification infrastructure in Windows Server 2012 has been integrated with Dynamic Access Control to enable business owners and users to identify (tag) their data so that IT administrators can target policies based on this tagging. This ability works in parallel with the ability of the file classification infrastructure to automatically classify files based on content or any other characteristics.

Dynamic Access Control also integrates with Rights Management Services to automatically protect (encrypt) sensitive information on servers so that even when the information leaves the server, it is still protected.
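The "User is from the Finance department" claim above becomes concrete in the following added example (not from the module): a user claim sourced from the department attribute, a matching resource property for tagging files, a central access rule whose conditional ACE grants access only when the claim matches the tag, and a policy that bundles the rule. The names, the claim and resource-property IDs and the conditional SDDL are assumptions written for this illustration.

```powershell
# Added example (not from the module): claim, resource property, central access rule and policy for Finance data.
# Assumptions: display names, the IDs 'ad://ext/Department' and 'Department_MS', and the SDDL are illustrative.
Import-Module ActiveDirectory

# 1. User claim: issued in the Kerberos ticket from the 'department' attribute of the user object.
New-ADClaimType -DisplayName 'Department' -ID 'ad://ext/Department' -SourceAttribute 'department' -Enabled $true

# 2. Resource property that data owners use to tag files; shares its value list with the user claim.
New-ADResourceProperty -DisplayName 'Department' -ID 'Department_MS' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SharesValuesWith 'Department' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department_MS'

# 3. Central access rule: targets files tagged Department=Finance and grants Full Access to
#    Authenticated Users only when the user's Department claim is also "Finance" (XA = conditional allow ACE).
#    Administrators keep an unconditional entry so the rule cannot lock out its owners.
$conditionalAcl = 'O:SYG:SYD:AR(A;;FA;;;BA)(XA;;FA;;;AU;(@USER.ad://ext/Department == "Finance"))'
New-ADCentralAccessRule -Name 'Finance data' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $conditionalAcl

# 4. Policy that bundles the rule; it is published to file servers through Group Policy and then
#    applied on each share through the folder's Advanced Security settings.
New-ADCentralAccessPolicy -Name 'Finance data policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance data policy' -Members 'Finance data'
```

Two settings outside this script decide whether any of it takes effect: the domain controllers' Group Policy setting "KDC support for claims, compound authentication and Kerberos armoring" must be enabled so the claim is issued, and the file servers must receive the policy through Group Policy. A proposed rule can be staged with -ProposedAcl first and compared in the audit log before it is made current.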


Group Policy Enhancements

The Group Policy Management Console includes new capabilities that enable you to more easily track SYSVOL replication as it relates to Group Policy and force Group Policy updates from a central location.

In earlier versions of Windows Server, if you changed Group Policy settings, those settings had to be applied to the computer or user accounts in the appropriate organizational units (OUs). For computer policy settings, the client computer had to restart to refresh the Group Policy, or the command gpupdate /force had to be run on the client locally to refresh the settings.

In Windows Server 2012, you can do that directly from the Group Policy Management Console. By right-clicking an OU and selecting Group Policy Update, all computer accounts inside the scope of the OU will be updated at once. If an error occurs, a log file will be created automatically.
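The console's Group Policy Update action is also exposed as a cmdlet, which lets you scope it and keep your own record of what succeeded. The following is an added example (not from the module) that refreshes every enabled computer in an OU and writes a per-computer result file; the OU and output path are placeholders.

```powershell
# Added example (not from the module): remote Group Policy refresh for all computers in an OU, with a result log.
# Assumptions: the OU distinguished name and the log path are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou      = 'OU=Workstations,DC=contoso,DC=com'
$logPath = "C:\Logs\gpupdate-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"

$computers = Get-ADComputer -SearchBase $ou -Filter 'enabled -eq $true'

$results = foreach ($computer in $computers) {
    try {
        # Schedules gpupdate /force on the target; RandomDelayInMinutes 0 runs it immediately
        # (the console staggers it over 10 minutes by default to avoid a thundering herd).
        Invoke-GPUpdate -Computer $computer.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $computer.Name; Status = 'Scheduled'; Error = $null }
    } catch {
        # Typical causes: machine offline, or the remote-update firewall rules not applied yet.
        [pscustomobject]@{ Computer = $computer.Name; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Invoke-GPUpdate creates a scheduled task on the remote machine, so the targets need the inbound firewall rules for remote scheduled task management and WMI that the console offers to create as a starter GPO; a failure here is usually that, not the policy itself.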


Kerberos Constrained Delegation

Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003. KCD permits a service's account (front-end) to act on behalf of users in multi-tier applications for a limited set of back-end services. For example:

• A user accesses a web site as user1.
• The user requests information from the web site (front-end) that requires the web server to query a Microsoft® SQL Server® database (back-end).
• Access to this data is authorized according to who accessed the front-end.

In this case, the web service must impersonate user1 when making the request to SQL Server.

To enable all this, you must configure, on the front-end service account, the back-end services (by SPN) to which it can impersonate users. In addition, setup and administration require domain admin privileges. Finally, KCD delegation only works for back-end services in the same domain as the front-end service accounts.

In Windows Server 2012, KCD moves the authorization decision to the resource owners. This permits the back-end to authorize which front-end service accounts can impersonate users against their resources. It supports cross-domain and cross-forest scenarios, no longer requires domain admin privileges for setup and administration, and requires only administrative permission to the back-end service account.
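The resource-owner model above is configured on the back-end account rather than the front-end. The following added example (not from the module) authorizes a web front-end to impersonate users against a SQL Server host and then inventories every delegation relationship in the domain, both the classic front-end list and the new back-end list, since each one is an account allowed to act as other users. Host names are placeholders.

```powershell
# Added example (not from the module): resource-based KCD setup on the back-end, plus a delegation inventory.
# Assumptions: WEB01 (front-end) and SQL01 (back-end) are placeholder computer accounts.
Import-Module ActiveDirectory

# Back-end owner grants the front-end the right to delegate to this account. Administrative rights on
# SQL01's account are all that is needed; the front-end may be in another domain or forest.
$frontEnd = Get-ADComputer -Identity 'WEB01'      # a gMSA front-end would use Get-ADServiceAccount
Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify what the back-end now accepts (stored in msDS-AllowedToActOnBehalfOfOtherIdentity).
(Get-ADComputer -Identity 'SQL01' -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount

# Inventory 1: classic KCD, configured on front-ends as a list of back-end SPNs.
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, ObjectClass, @{ n = 'DelegatesTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

# Inventory 2: resource-based KCD, configured on back-ends as a list of allowed front-end principals.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, @{ n = 'AllowedFrontEnds'; e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } }

# Inventory 3: unconstrained delegation, which neither model limits; each hit deserves a justification.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' | Select-Object Name, DNSHostName
```

Because the authorization now lives on the back-end object, the review question changes from "what may this front-end reach?" to "who may act as a user against this resource?"; the second and third inventories answer that, and a sensitive account can be excluded from both models entirely by marking it "sensitive and cannot be delegated" or adding it to the Protected Users group once available.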


Further Reading and Resources

For further information about the topics covered in this session, see the following resources:

What’s New in Active Directory Domain Services

http://technet.microsoft.com/en-us/library/hh831477.aspx#BKMK_actdir_adba

Windows Server Blogs

http://blogs.technet.com/b/windowsserver

Windows Server 2012 Home Page and Product Download

http://www.microsoft.com/en-us/server-cloud/windows-server/2012-default.aspx