With Windows Server 2012 AD you can

- Use GUI management for:
  - The Recycle Bin
  - Fine Grain Password Policies
- Perform simplified and more robust DC installations
- Safely virtualize DCs
- Clone DCs
- Implement Kerberos claims identity
- Control access to files and folders with Dynamic Access Control
- Protect the RID pool
- Use PowerShell for everything
- And more…

Make sure PowerShell is your best friend




- PowerShell 3.0 with over 2000 cmdlets
  - Allows creation of scripts with workflow
  - AD PowerShell history helps you get started
  - Comprehensive cmdlets for replication management
  - Newest help files download on demand: Update-Help
Installing Domain Controllers

Dcpromo RIP
- Can be run remotely
- Create an IFM seed with NTDSUTIL
  - IFM seed generation no longer requires an offline defrag (on by default)
- Adprep can still be run manually if required
- Checks are performed at each stage of the Wizard and any issues are highlighted before the final validation
DC virtualization
Restoring from an image

- One DC fails
- We can restore an image backup
- Any problems?
- USN rollback…
USN rollback walkthrough: DC1 has DSA-GUID = A and InvocationID = E; DC2 has DSA-GUID = B and InvocationID = M. "HW vector M,3000" on DC1 means DC1 has already received the changes of InvocationID M (DC2) up to USN 3000, and DC2's entry for E is read the same way.

Snapshot of DC2 taken
    DC1: highestCommittedUSN = 1000, HW vector M,3000
    DC2: highestCommittedUSN = 3000, HW vector E,1000

Time passes; both DCs keep writing and replicating
    DC1: highestCommittedUSN = 4567, HW vector M,5679
    DC2: highestCommittedUSN = 5679, HW vector E,4567

DC2 restored from the snapshot
    DC1: highestCommittedUSN = 4567, HW vector M,5679
    DC2: highestCommittedUSN = 3000, HW vector E,1000
What happens next?

Users are added on the restored DC2, so its highestCommittedUSN moves from 3000 to 3050.

    DC1: DSA-GUID = A, InvocationID = E, highestCommittedUSN = 4567, HW vector M,5679
    DC2: DSA-GUID = B, InvocationID = M, highestCommittedUSN = 3050, HW vector E,1000

DC2 to DC1: "Send me your changes from 1000"
    DC1 checks the UTD vectors from DC2 and sends its changes: replication OK

DC1 to DC2: "Send me your changes from 5679"
    DC2: "There aren't any!"
    It gets worse! (DC1 believes it already holds everything from M up to 5679, so the users created on DC2 at USNs 3001 to 3050 never replicate out)
Post Server 2003 SP1 quarantining

    DC1: DSA-GUID = A, InvocationID = E, highestCommittedUSN = 4567, HW vector M,5679
    DC2: DSA-GUID = B, InvocationID = M, highestCommittedUSN = 3050, HW vector E,1000

DC1 to DC2: "Send me your changes from 5679"
    DC2: "There aren't any!"
    DC2: "DC1 appears more up to date with my changes than I am, that's not right!" (DC1 asks for USNs above 5679 while DC2's own highestCommittedUSN is only 3050)

DC2 then:
- Writes event log messages (replication log)
- Disables inbound and outbound replication
- Stops the Netlogon service
Windows Server 2012 solution

- The hypervisor creates an identifier, the VM-Generation ID (128 bits)
  - Exposed to the guest OS via the BIOS ACPI namespace
  - Stored by the DC on promotion in the msDS-GenerationID attribute
    - An attribute of the DC computer object
- The hypervisor changes the VM-Generation ID during a VM import, copy or application of a snapshot
- When the DC boots, if the VM-Generation ID and the msDS-GenerationID are not the same:
  - The DC assumes an AD restore
    - The InvocationID changes
      - The DC is seen as a new replication source
    - The RID pool is discarded
    - Non-authoritative restore of SYSVOL
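To make the replication arithmetic of the walkthrough concrete, here is an added example in Python (not code from the slides): a toy model of the two DCs that reproduces the high-watermark check which quarantines a rolled-back DC, and the Windows Server 2012 boot-time comparison of the hypervisor's VM-Generation ID with msDS-GenerationID. The DC names, the generation-ID values and the replacement InvocationID "M2" are constructed; only USN counters and high-watermarks are modelled, not the objects that replicate.

```python
"""Toy model of USN rollback and of the Server 2012 VM-Generation ID check.

Added example, not code from the slides. DC1 = InvocationID E, DC2 =
InvocationID M, with the USN values of the walkthrough. Generation-ID
values and the "M2" InvocationID are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    invocation_id: str
    highest_committed_usn: int
    # high-watermark per partner InvocationID: highest USN already received from it
    hw_vector: dict = field(default_factory=dict)
    vm_generation_id: int = 1     # value the hypervisor exposes via ACPI
    ms_ds_generation_id: int = 1  # value the DC stored in msDS-GenerationID
    quarantined: bool = False

    def write(self, objects):
        """Originating writes bump highestCommittedUSN."""
        self.highest_committed_usn += objects

    def snapshot(self):
        """A VM snapshot copies everything, USN counters included."""
        return DC(self.name, self.invocation_id, self.highest_committed_usn,
                  dict(self.hw_vector), self.vm_generation_id, self.ms_ds_generation_id)

    def boot(self, new_invocation_id):
        """2012 DC boot: a hypervisor ID different from msDS-GenerationID means a restore."""
        if self.vm_generation_id != self.ms_ds_generation_id:
            self.invocation_id = new_invocation_id      # seen as a new replication source
            self.ms_ds_generation_id = self.vm_generation_id
            # a real DC also discards its RID pool and restores SYSVOL non-authoritatively
            return "restore detected"
        return "normal boot"


def request_changes(requester, source):
    """requester asks source: 'send me your changes from <my high-watermark for you>'."""
    since = requester.hw_vector.get(source.invocation_id, 0)
    if since > source.highest_committed_usn:
        # The requester already holds USNs the source never issued under this
        # InvocationID, so the source has rolled back. It quarantines itself:
        # event log entries, replication disabled both ways, Netlogon stopped.
        source.quarantined = True
        return "usn rollback"
    requester.hw_vector[source.invocation_id] = source.highest_committed_usn
    return "ok"


def run_walkthrough(with_generation_id=False):
    """Replay the slides; with_generation_id=True adds the 2012 boot check."""
    dc1 = DC("DC1", "E", 1000, {"M": 3000})   # state when the snapshot is taken
    dc2 = DC("DC2", "M", 3000, {"E": 1000})
    snap = dc2.snapshot()
    dc1.write(3567)                            # DC1 reaches 4567
    dc2.write(2679)                            # DC2 reaches 5679
    request_changes(dc1, dc2)                  # DC1 now knows M up to 5679
    request_changes(dc2, dc1)                  # DC2 now knows E up to 4567
    dc2 = snap                                 # restore DC2: back to 3000 / E,1000
    boot = None
    if with_generation_id:
        dc2.vm_generation_id = 2               # applying a snapshot changes the ID
        boot = dc2.boot("M2")
    dc2.write(50)                              # users added on the restored DC: 3050
    first = request_changes(dc2, dc1)          # "send me your changes from 1000"
    second = request_changes(dc1, dc2)         # "send me your changes from 5679"
    return {"boot": boot, "first": first, "second": second,
            "dc2_quarantined": dc2.quarantined,
            "dc2_invocation_id": dc2.invocation_id,
            "dc1_hw_vector": dict(dc1.hw_vector)}


if __name__ == "__main__":
    print(run_walkthrough())
    print(run_walkthrough(with_generation_id=True))
```

Without the generation-ID check DC1's request from 5679 trips the quarantine on DC2; with it, the restored DC2 boots with InvocationID M2, DC1 has no high-watermark for M2 and replication restarts from 0 under the new identity while the old M entry stays in DC1's vector.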
Hypervisor support (as of 22 January 2013)

- Windows Server 2012 Standard Edition (Hyper-V)
- Windows Server 2012 Enterprise Edition (Hyper-V)
- Hyper-V Server 2012 (Hyper-V)
- Windows 8 Professional (Hyper-V)
- Windows 8 Enterprise (Hyper-V)
- VMware Workstation 9.0
- VMware vSphere 5.0 with Update 4
- VMware vSphere 5.1
DC cloning
Cloning steps

Prerequisites
- Source DC: a member of the Cloneable Domain Controllers group
- PDCE: running Windows Server 2012

On the source DC
- Check for incompatible components: Get-ADDCCloningExcludedApplicationList
- Remove incompatible components or declare them as safe
- Create DCCloneConfig.XML
- Deploy the XML to the source DC or to a mounted vhd/vhdx copy (can be on removable media)

Create a new VM from the copy, start the copied DC and…
- If the VM-Generation ID has changed, cloning starts if the XML exists
- Result: the cloned DC
DefaultDCCloneAllowList.XML

Get-ADDCCloningExcludedApplicationList displays any services or applications that are running that are NOT included in the XML

These applications or services must either be removed or, if considered safe, added to CustomDCCloneAllowList.XML

Generate the XML using:
    Get-ADDCCloningExcludedApplicationList -GenerateXML
The XML is added to %windir%\NTDS
DCCloneConfig.XML

Create using New-ADDCCloneConfigFile:

    New-ADDCCloneConfigFile -Static -IPv4Address "192.168.137.202" `
        -IPv4DNSResolver "192.168.137.200" -IPv4SubnetMask "255.255.255.0" `
        -CloneComputerName "AD-DC3" -IPv4DefaultGateway "192.168.137.1" `
        -SiteName "London"

or create it from the sample: ..\windows\system32\SampleDCCloneConfig.XML

DCCloneConfig.xml is placed in …\windows\NTDS (alternate locations are available)

Example DCCloneConfig.xml (the slide's sample names the clone rootdc4):

    <?xml version="1.0"?>
    <d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
      <ComputerName>rootdc4</ComputerName>
      <SiteName>London</SiteName>
      <IPSettings>
        <IPv4Settings>
          <StaticSettings>
            <Address>192.168.137.202</Address>
            <SubnetMask>255.255.255.0</SubnetMask>
            <DefaultGateway>192.168.137.1</DefaultGateway>
            <DNSResolver>192.168.137.200</DNSResolver>
          </StaticSettings>
        </IPv4Settings>
      </IPSettings>
    </d3c:DCCloneConfig>
Kerberos enhancements
Kerberos changes

There are a number of other changes to Kerberos to enhance day-to-day operations:
- Increase to the maximum Kerberos SSPI context buffer size
- PAC group compression
- Warning events for large token sizes
- Increased logging

Major changes
- New Kerberos constrained delegation support
- Claims support

Delegation

- Block cross-forest delegation by setting the trust's /EnableTGTDelegation to "no" with netdom trust
- Protect back-end services by setting the service account parameter PrincipalsAllowedToDelegateToAccount
- Prior to Windows Server 2012, constrained delegation required the front- and back-end service accounts to be in the same domain
- 2012 allows delegation across domains and forest trusts
Adding claims to the Kerberos token

Pre-Windows 8
- The user's Kerberos token carries a PAC
- The user's group memberships are added to the PAC
- Authorization is based on group membership

Windows 8 & Server 2012: Compound ID
- The PAC contains the user's group and claims information plus device information: user groups, user claims, device groups and device claims
- Authorization can be based on group membership, user claims and device claims
Dynamic Access Control

- Files can be classified (tagged), and access and audit policies applied based on the file's classification
- Expression-based access control and auditing
  - Expressions can contain groups, users, and user and device claims
- Access based on compound ID (user and device claims)
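The following is an added example (not code from the slides or from Microsoft) of what "expression-based" access over a classified file looks like once the token carries a compound ID: a small Python evaluator for central-access-rule style conditions over a file's classification tags, the user's groups, and user and device claims. The claim names (Department, Sensitivity, Managed), the group and user names and the rules are constructed sample data, and the NTFS DACL that the real product combines with these rules is left out.

```python
"""Expression-based access decisions in the style of Dynamic Access Control.

Added example, not the slides' or Microsoft's code. Claim names, groups,
users and rules are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Token:
    """Compound ID: groups plus user and device claims, as carried in the PAC."""
    user: str
    groups: set
    user_claims: dict
    device_claims: dict = field(default_factory=dict)


# Condition forms:
#   ("member_of", group)        ("user", claim, value)      ("device", claim, value)
#   ("resource", tag, value)    ("user_eq_resource", claim) ("and"|"or", c1, c2, ...)
#   ("not", c)
def evaluate(cond, token, resource):
    op = cond[0]
    if op == "member_of":
        return cond[1] in token.groups
    if op == "user":
        return token.user_claims.get(cond[1]) == cond[2]
    if op == "device":
        return token.device_claims.get(cond[1]) == cond[2]
    if op == "resource":
        return resource.get(cond[1]) == cond[2]
    if op == "user_eq_resource":
        # a claim missing on either side never matches
        return (cond[1] in token.user_claims and cond[1] in resource
                and token.user_claims[cond[1]] == resource[cond[1]])
    if op == "and":
        return all(evaluate(c, token, resource) for c in cond[1:])
    if op == "or":
        return any(evaluate(c, token, resource) for c in cond[1:])
    if op == "not":
        return not evaluate(cond[1], token, resource)
    raise ValueError("unknown condition " + repr(op))


def access_check(rules, token, resource):
    """Every rule whose target matches the file's tags must permit the token.
    A file that no rule targets falls through to the DACL (allowed here)."""
    failed = [r["name"] for r in rules
              if evaluate(r["applies_to"], token, resource)
              and not evaluate(r["permit"], token, resource)]
    return {"allowed": not failed, "failed_rules": failed}


# Constructed central access rules.
RULES = [
    {"name": "Finance high-sensitivity",
     "applies_to": ("and", ("resource", "Sensitivity", "High"),
                    ("resource", "Department", "Finance")),
     "permit": ("and", ("member_of", "Finance Users"),
                ("user_eq_resource", "Department"),
                ("device", "Managed", True))},
    {"name": "Managed devices only for High",
     "applies_to": ("resource", "Sensitivity", "High"),
     "permit": ("device", "Managed", True)},
]

FINANCE_FILE = {"Sensitivity": "High", "Department": "Finance"}  # classified (tagged) file
PUBLIC_FILE = {"Sensitivity": "Low"}


def sample_decisions():
    """Three constructed principals against the two constructed files."""
    alice = Token("alice", {"Finance Users"}, {"Department": "Finance"}, {"Managed": True})
    bob = Token("bob", {"Finance Users"}, {"Department": "Finance"}, {"Managed": False})
    carol = Token("carol", {"Finance Users"}, {"Department": "Sales"}, {"Managed": True})
    return {
        "alice_finance": access_check(RULES, alice, FINANCE_FILE),
        "bob_finance": access_check(RULES, bob, FINANCE_FILE),
        "carol_finance": access_check(RULES, carol, FINANCE_FILE),
        "carol_public": access_check(RULES, carol, PUBLIC_FILE),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(name, decision)
```

Group membership alone is no longer the whole decision: bob is in the right group and department but his device is unmanaged, and carol's device is fine but her Department claim does not match the file's tag, so both are refused while alice, who satisfies all three conditions, is allowed.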
Enabling Kerberos for claims

Enable the KDC administrative template "Support for Dynamic Access Control and Kerberos armoring"

Kerberos armoring, also referred to as Flexible Authentication Secure Tunneling (FAST), provides:
- A protected channel between the Kerberos client and the KDC
  - Protection against offline dictionary attacks
- Signed Kerberos error messages
  - Prevents spoofing
- Compound identity
Exhaustible resources
DNTs

Each DC keeps track of the objects written to its database using a Distinguished Name Tag (DNT)
- The DNT is held in a number with 2^31 possible values (~2 billion)
- The DNT is incremented as each new object is written
- A DNT value is never reused, even if an object is deleted
When you run out of DNTs the DC must be demoted and then re-promoted
The DNT value is now exposed through a constructed attribute of RootDSE:
- approximateHighestInternalObjectID
SIDs

Example SID: S-1-5-21-1539329446-2123584859-1544097757-5023
- Domain subauthority: S-1-5-21-1539329446-2123584859-1544097757
- RID: 5023

- SIDs must be unique throughout and across forests
- The RID is incremented by one each time a new SID is generated
  - This is simple to implement in a single-master environment
  - A RID master is required in a multi-master domain controller environment
RID management attributes

RID Master
- rIDAvailablePool: holds the start of the next pool to be allocated (7500 in the slide's example)
- This value replicates to the other DCs (also 7500 on the DC)

DC (the RID Set used for SID generation)
- rIDPreviousAllocationPool: the current pool on the DC (6500 in the example)
- rIDAllocationPool: the next pool to be used on the DC (7000 in the example)
- The DC applies to the RID Master for a new pool when 50% of the current pool has been consumed
- The slide marks the DC-side pool values as not replicating
RID Manager Attributes

cn=RID Manager$,cn=System,dc=example,dc=com
- fSMORoleOwner: distinguished name of the NTDS Settings object of the RID Master
- rIDAvailablePool (large integer, 64 bits)
  - High value (upper 32 bits): total number of RIDs that can be created in the domain
  - Low value (lower 32 bits): start of the next RID pool to be allocated

- The RID Manager object is replicated to all DCs in the domain
- The rIDAvailablePool attribute is used by the RID Master when allocating the next RID pool to a DC
RID problems

- The maximum available RID is held as a 30-bit number
  - 1,073,741,824
    - 10,000 RIDs/day for the next 294 years
  - So why is it an issue?
    - Rogue script creating millions of security principals
    - Very large RID Block size set
    - Incorrect values entered when elevating the RID pool during recovery
    - Large numbers of domain controllers removed and re-added
    - Bug: a new RID pool requested every 30 seconds can occur under certain rare circumstances
      - See KB 2618669 for the Windows 2008 R2 hotfix
Windows Server 2012

- Warnings at 10% usage of the remaining pool size
  - After each warning the 10% marker is recalculated from what remains and the check repeats
  - First event at 100 million
    - If you receive this you probably have a problem
- Ceiling at 90% usage: intervention required to issue more RIDs
- Max RID block size capped at 15K
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\RID Block Size
- Global RID Space Size Unlock
  - The global space can use a 31-bit number, doubling the RIDs available
    - 2003 & 2008 DCs cannot use the 31-bit RID values
Lots of other improvements

- Support for deferred index creation
- Off-premises domain join
  - Supports DirectAccess clients
- Enhanced LDAP logging
- New LDAP behaviours
- Active Directory Based Activation (AD BA)
  - Automatic activation for Windows 8 and Windows Server 2012 machines
  - You still require KMS to support downlevel volume licensing
Lots of other improvements (continued)

- Group Managed Service Accounts (gMSA)
  - gMSA accounts can run a service across multiple servers
    - Services running under gMSA accounts are only supported on Windows 8 and Windows Server 2012
- PowerShell cmdlets for replication support
So what do we get?

- Better GUI support
- More robust deployment of DCs
- Simplified Active Directory upgrade path
- Virtualization safe
- Quick deployment via cloning
- Fast domain and forest recovery through cloning
- Cross-domain and forest constrained delegation
- Rich access control and auditing via Dynamic Access Control
- Recovery from depleted RID pools
- PowerShell everywhere…
TechEd 2013
I will be speaking at TechEd 2013
- Precon: Windows Server DirectAccess
- Other breakouts
Consulting services on request

John.craddock@xtseminars.co.uk
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk

Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Último (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Windows Server 2012 AD Management and Security Enhancements

  • 2. With Windows Server 2012 AD you can
      Use GUI management for:
          The Recycle Bin
          Fine Grain Password Policies
      Perform simplified and more robust DC installations
      Safely virtualize DCs
      Clone DCs
      Implement Kerberos claims identity
      Control access to files and folders with Dynamic Access Control
      Protect the RID pool
      Use PowerShell for everything
      And more…
  • 4. Make sure PowerShell is your best friend
      PowerShell 3.0 with over 2000 cmdlets
      Allows creation of scripts with workflow
      AD PowerShell history helps you get started
      Comprehensive cmdlets for replication management
      Newest help files download on demand: Update-Help
  • 6. Dcpromo RIP
      DC promotion can be run remotely
  • 7. Create IFM seed with NTDSUTIL
      IFM seed generation no longer requires offline defrag (on by default)
  • 8. Adprep can still be run manually if required
      Checks are performed at each stage of the Wizard and any issues are highlighted before the final validation
  • 10. Restoring from an image
      One DC fails
      We can restore an image backup
      Any problems?
  • 11. USN rollback…
      Snapshot taken:
          DC1: DSA-GUID = A, InvocationID = E, highestCommittedUSN = 1000, HW vector (M, 3000)
          DC2: DSA-GUID = B, InvocationID = M, highestCommittedUSN = 3000, HW vector (E, 1000)
      Time passes and replication continues:
          DC1: DSA-GUID = A, InvocationID = E, highestCommittedUSN = 4567, HW vector (M, 5679)
          DC2: DSA-GUID = B, InvocationID = M, highestCommittedUSN = 5679, HW vector (E, 4567)
      Restore (DC2 reverts to the snapshot):
          DC1: DSA-GUID = A, InvocationID = E, highestCommittedUSN = 4567, HW vector (M, 5679)
          DC2: DSA-GUID = B, InvocationID = M, highestCommittedUSN = 3000, HW vector (E, 1000)
  • 12. What happens next?
      DC1: DSA-GUID = A, InvocationID = E, highestCommittedUSN = 4567, HW vector (M, 5679)
      DC2: DSA-GUID = B, InvocationID = M, highestCommittedUSN = 3000 (3050 after users are added on DC2)
      Add users on DC2
      DC2 to DC1: "Send me your changes from 1000"
          DC1 checks the UTD vectors from DC2 and sends the changes: replication OK
      DC1 to DC2: "Send me your changes from 5679"
          DC2: "There aren't any!"
      It gets worse!
  • 13. Post Server 2003 SP1 quarantining
      DC1: DSA-GUID = A, InvocationID = E, highestCommittedUSN = 4567, HW vector (M, 5679)
      DC2: DSA-GUID = B, InvocationID = M, highestCommittedUSN = 3050, HW vector (E, 1000)
      DC1 to DC2: "Send me your changes from 5679"
      DC2: "There aren't any! DC1 appears more up to date than me, that's not right!"
      DC2 then:
          Writes event log messages
          Disables inbound and outbound replication
          Stops the Netlogon service
  • 14. Windows Server 2012 solution
      The hypervisor creates an identifier, the VM-Generation ID (128 bits)
          Exposed to the guest OS via the BIOS ACPI namespace
          Stored by the DC on promotion in the msDS-GenerationID attribute, an attribute of the DC computer object
      The VM-Generation ID is set during a VM import, copy or application of a snapshot
      When the DC boots, if the VM-Generation ID and the msDS-GenerationID are not the same:
          The DC assumes an AD restore
          InvocationID changes
          Seen as a new replication source
          RID pool discarded
          Non-authoritative restore of SYSVOL
  • 15. Hypervisor support (as of 22 January 2013)
      Windows Server 2012 Standard Edition (Hyper-V)
      Windows Server 2012 Enterprise Edition (Hyper-V)
      Hyper-V Server 2012 (Hyper-V)
      Windows 8 Professional (Hyper-V)
      Windows 8 Enterprise (Hyper-V)
      VMware Workstation 9.0
      VMware vSphere 5.0 with Update 4
      VMware vSphere 5.1
  • 18. Cloning steps
      Source DC:
          Must be a member of Cloneable Domain Controllers
          The PDCE must be running Windows Server 2012
          Check for incompatible components: Get-ADDCCloningExcludedApplicationList
          Remove incompatible components or declare them as safe
          Create DCCloneConfig.XML and deploy it to the source DC
      Cloned DC:
          Create a new VM from a copy of the source DC's vhd/vhdx
          Cloning starts if the VM-Generation ID has changed, or the copied vhd/vhdx is mounted in a new VM, and DCCloneConfig.XML exists (it can be on removable media)
  • 19. Start the copied DC and…
  • 20. DefaultDCCloneAllowList.XML
      Get-ADDCCloningExcludedApplicationList displays any services or applications that are running that are NOT included in the XML
      These applications or services must either be removed or, if considered safe, added to CustomDCCloneAllowList.XML
      Generate the XML using:
          Get-ADDCCloningExcludedApplicationList -GenerateXML
          The XML is added to %windir%\NTDS
  • 21. DCCloneConfig.XML
      Create using New-ADDCCloneConfigFile:
          New-ADDCCloneConfigFile -Static -IPv4Address "192.168.137.202" -IPv4DNSResolver "192.168.137.200" -IPv4SubnetMask "255.255.255.0" -CloneComputerName "AD-DC3" -IPv4DefaultGateway "192.168.137.1" -SiteName "London"
      or create from the sample: ..\windows\system32\SampleDCCloneConfig.XML
      DCCloneConfig.xml is placed in …\windows\NTDS (alternate locations are available)
      <?xml version="1.0"?>
      <d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">
        <ComputerName>rootdc4</ComputerName>
        <SiteName>London</SiteName>
        <IPSettings>
          <IPv4Settings>
            <StaticSettings>
              <Address>192.168.137.202</Address>
              <SubnetMask>255.255.255.0</SubnetMask>
              <DefaultGateway>192.168.137.1</DefaultGateway>
              <DNSResolver>192.168.137.200</DNSResolver>
            </StaticSettings>
          </IPv4Settings>
        </IPSettings>
      </d3c:DCCloneConfig>
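The preparation steps on slides 18 to 21, run as one script on the source DC. This is an added example, not code from the deck: the cmdlets are the ones the slides name, the IP addresses, clone name and site are the deck's own values and should be treated as placeholders, and the PDCE version check and group membership check are my additions.

```powershell
Import-Module ActiveDirectory

function Test-DcCloneSourceReady {
    # Returns the list of blockers found; an empty list means cloning may proceed.
    param([string]$SourceDc = $env:COMPUTERNAME)
    $problems = @()

    # Slide 18: the PDC emulator must run Windows Server 2012 (NT 6.2) or later.
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    if ($pdc.OperatingSystemVersion -match '^(\d+)\.(\d+)') {
        $ver = [int]$Matches[1] * 100 + [int]$Matches[2]
        if ($ver -lt 602) {
            $problems += "PDCE $($pdc.HostName) runs $($pdc.OperatingSystem); Windows Server 2012 or later is required"
        }
    }

    # Slide 18: the source DC must be a member of Cloneable Domain Controllers.
    $members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' | Select-Object -ExpandProperty Name
    if ($members -notcontains $SourceDc) {
        $problems += "$SourceDc is not a member of Cloneable Domain Controllers"
    }

    # Slide 20: anything running that is not on DefaultDCCloneAllowList.xml or
    # CustomDCCloneAllowList.xml must be removed or declared safe first.
    foreach ($app in Get-ADDCCloningExcludedApplicationList) {
        $problems += "Not on the clone allow list: $($app.Name) ($($app.Type))"
    }
    return $problems
}

$issues = Test-DcCloneSourceReady
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    # Slide 21: write DCCloneConfig.xml (default location %windir%\NTDS) on the source DC.
    New-ADDCCloneConfigFile -Static -IPv4Address '192.168.137.202' -IPv4DNSResolver '192.168.137.200' `
        -IPv4SubnetMask '255.255.255.0' -IPv4DefaultGateway '192.168.137.1' `
        -CloneComputerName 'AD-DC3' -SiteName 'London'
}
```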
  • 24. Kerberos changes
      There are a number of other changes to Kerberos to enhance day to day operations:
          Increase to the maximum Kerberos SSPI context buffer size
          PAC group compression
          Warning events for large token sizes
          Increased logging
      Major changes:
          New Kerberos constrained delegation support
          Claims support
  • 25. Constrained delegation across domains and forests
      Prior to Windows Server 2012, constrained delegation required the front-end and back-end service accounts to be in the same domain
      2012 allows delegation across domains and forest trusts
      Block cross-forest delegation by setting netdom trust /EnableTGTDelegation to "no"
      Protect back-end services by setting the service account parameter PrincipalsAllowedToDelegateToAccount
  • 26. Adding claims to the Kerberos token
      Pre-Windows 8:
          The PAC contains a user's groups
          Token: user information, groups
          The user's group memberships are added to the PAC
          Authorization can be based on group membership
      Windows 8 & Server 2012 (Compound ID):
          The PAC contains the user's Kerberos groups and claims
          Token: user information, user claims + PAC groups, device information, device claims
          Authorization is based on group membership, user claims and device claims
  • 27. Dynamic Access Control
      Files can be classified (tagged) and access and audit policies applied based on the file's classification
      Expression-based access control and auditing
      Expressions can contain groups, users, and user and device claims
      Access based on compound ID: user and device claims
  • 28. Enabling Kerberos for claims
      Enable the KDC administrative template for Support for Dynamic Access Control and Kerberos armoring
      Kerberos armoring, also referred to as Flexible Authentication Secure Tunneling (FAST), provides:
          A protected channel between the Kerberos client and the KDC
          Protection against offline dictionary attacks
          Signed Kerberos error messages
          Prevention of spoofing
          Compound identity
  • 30. DNTs
      Each DC keeps track of objects written to its database using a Distinguished Name Tag (DNT)
          The DNT is held in a 31-bit number (2^31 values, ~2 billion)
          The DNT is incremented as each new object is written
          A DNT value is never reused, even if an object is deleted
      When you run out of DNTs the DC must be demoted and then repromoted
      The DNT value is now exposed through a constructed attribute of RootDSE: approximateHighestInternalObjectID
  • 31. SIDs
      S-1-5-21-1539329446-2123584859-1544097757-5023
          S-1-5-21-1539329446-2123584859-1544097757: domain subauthority
          5023: RID
      SIDs must be unique throughout and across forests
      The RID is incremented by one each time a new SID is generated
          This is simple to implement in a single-master environment
          A RID master is required in a multi-master domain controller environment
  • 32. RID management attributes
      RID Master: rIDAvailablePool (7500 in the example) holds the start of the next pool to be allocated; this value replicates
      DC RID Set, used for SID generation (not replicated):
          rIDPreviousAllocationPool (6500 to 7000): current pool on the DC
          rIDAllocationPool (6500 to 7000): next pool to be used on the DC
      The DC applies for a new pool when 50% of the current pool has been consumed
  • 33. RID Manager Attributes
      cn=RID Manager$,cn=System,dc=example,dc=com
          fSMORoleOwner: distinguished name of the NTDS Settings object
          rIDAvailablePool (large integer, 64 bits):
              High value: total number of RIDs that can be created in the domain
              Low value: start of the next RID pool to be allocated
      The RID Manager object is replicated to all DCs in the domain
      The rIDAvailablePool attribute is used by the RID Master when allocating the next RID pool to a DC
  • 34. RID problems
      The maximum available RID is held as a 30 bit number: 1,073,741,824
          10,000 RIDs/day for the next 294 years
          So why is it an issue?
      Rogue script creating millions of security principals
      Very large RID Block size set
      Incorrect values entered when elevating the RID pool during recovery
      Large numbers of domain controllers removed and re-added
      Bug: a new RID pool requested every 30 seconds can occur under certain rare circumstances
          See KB 2618669 for the Windows 2008 R2 hotfix
  • 35. Windows Server 2012
      Warnings at 10% usage of the remaining pool size
          After each warning the 10% marker is recalculated and the warning repeats
          First event at 100 million
          If you receive this you probably have a problem
      Ceiling at 90% usage: intervention required to issue more RIDs
      Max RID block size capped at 15K
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\RID Block Size
      Global RID Space Size Unlock
          Global space can use a 31 bit number, doubling the RIDs available
          2003 & 2008 DCs cannot use the 31 bit RID values
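A read-only health report covering the RID Manager and RID Set attributes of slides 32 to 35, together with the per-DC replication identifiers from slides 11 and 14 and the DNT watermark from slide 30. This is an added example, not the deck's code: it assumes the ActiveDirectory module, a Windows Server 2012 or later domain (approximateHighestInternalObjectID is empty on older DCs), and uses the deck's 10% marker as the warning threshold.

```powershell
Import-Module ActiveDirectory

function Split-RidPool {
    # RID pool attributes are 64-bit integers: the high 32 bits hold the end of the
    # range (for rIDAvailablePool, the total RIDs the domain can issue) and the low
    # 32 bits hold the start (for rIDAvailablePool, the next pool to be allocated).
    param([int64]$Value)
    [pscustomobject]@{ Low = $Value -band 0xFFFFFFFF; High = $Value -shr 32 }
}

function Get-RidPoolReport {
    # Reads the RID Manager object (slide 33) and reports how much of the global
    # RID space has already been handed out to DCs.
    param([int]$WarnPercent = 10)   # the 10% marker from slide 35
    $domainDN = (Get-ADDomain).DistinguishedName
    $ridMgr   = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domainDN) `
                             -Properties rIDAvailablePool, fSMORoleOwner
    $global   = Split-RidPool $ridMgr.rIDAvailablePool
    $pct      = [math]::Round(100 * $global.Low / $global.High, 2)
    [pscustomobject]@{
        RidMaster        = $ridMgr.fSMORoleOwner   # DN of the NTDS Settings object
        NextPoolStart    = $global.Low
        GlobalRidCeiling = $global.High            # 2^30 by default, 2^31 after the unlock
        PercentIssued    = $pct
        AboveWarnLevel   = ($pct -ge $WarnPercent)
    }
}

function Get-DcRidSetReport {
    # Per-DC view: InvocationID and highestCommittedUSN (slides 11 and 12), the
    # stored VM-Generation ID (slide 14), the DNT watermark (slide 30) and the
    # DC's own RID Set pools (slide 32).
    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties rIDSetReferences, 'msDS-GenerationId'
        $root = Get-ADRootDSE -Server $dc.HostName -Properties highestCommittedUSN, approximateHighestInternalObjectID
        $cur = 'none'; $next = 'none'; $nextRid = $null
        if ($comp.rIDSetReferences) {               # RODCs do not hold a RID Set
            $set = Get-ADObject -Identity $comp.rIDSetReferences[0] `
                                -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID
            $p = Split-RidPool $set.rIDPreviousAllocationPool
            $n = Split-RidPool $set.rIDAllocationPool
            $cur     = '{0}-{1}' -f $p.Low, $p.High
            $next    = '{0}-{1}' -f $n.Low, $n.High
            $nextRid = $set.rIDNextRID
        }
        $gen    = $comp.'msDS-GenerationId'          # 8-byte octet string once promoted on a supporting hypervisor
        $genHex = if ($gen) { ($gen | ForEach-Object { $_.ToString('x2') }) -join '' } else { 'not set' }
        [pscustomobject]@{
            DC           = $dc.HostName
            InvocationId = $dc.InvocationId
            HighestUSN   = $root.highestCommittedUSN
            ApproxDNT    = $root.approximateHighestInternalObjectID
            VmGenId      = $genHex
            CurrentPool  = $cur
            NextPool     = $next
            NextRid      = $nextRid
        }
    }
}

Get-RidPoolReport  | Format-List
Get-DcRidSetReport | Format-Table -AutoSize
```

A DC whose VmGenId reads "not set" was promoted without a VM-Generation ID and will not get the safe-restore behaviour of slide 14; a CurrentPool whose high value is close to NextPoolStart on the RID Master shows which DC drew the most recent pool.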
  • 37. Lots of other improvements
      Support for deferred index creation
      Off-premises domain join
          Supports DirectAccess clients
      Enhanced LDAP logging
      New LDAP behaviours
      Active Directory Based Activation (AD BA)
          Automatic activation for Windows 8 and Windows Server 2012 machines
          You still require KMS to support downlevel volume licensing
  • 38. Lots of other improvements (continued)
      Group Managed Service Accounts (gMSA)
          gMSA accounts can run a service across multiple servers
          Services running under gMSA accounts are only supported on Windows 8 and Windows Server 2012
      PowerShell cmdlets for replication support
  • 39. So what do we get?
      Better GUI support
      More robust deployment of DCs
      Simplified Active Directory upgrade path
      Virtualization safe
      Quick deployment via cloning
      Fast domain and forest recovery through cloning
      Cross-domain and forest constrained delegation
      Rich access control and auditing via Dynamic Access Control
      Recovery from depleted RID pools
      PowerShell everywhere…
  • 40. TechEd 2013
      I will be speaking at TechEd 2013
          Precon: Windows Server DirectAccess
          Other breakouts
  • 41. Consulting services on request: John.craddock@xtseminars.co.uk
      John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals, that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars: www.xtseminars.co.uk