What’s new in Active Directory - Veeam Software (PDF)
Post on 30-Jan-2018
What’s new in Active Directory in Windows Server 2012 and 2012 R2
Sander Berkouwer MCSE, MCITP, MCT, MVP
Agenda
What’s new in deployment and migration?
- Virtualization safeguards, Domain Controller Cloning
- New promotion and upgrade process
- Deferred Index Creation
What’s new in security?
- Group MSAs, Kerberos Armoring
- Protected Users, Authentication Policies
- Dynamic Access Control
What’s new in managing Active Directory?
- Active Directory Recycle Bin GUI
- Fine-grained Password Policies GUI
- PowerShell History Viewer
What’s New in Active Directory security
Group Managed Service Accounts (gMSAs)
Challenges with Service Accounts
- Passwords are rarely changed, interactive logons rarely denied
- Passwords are stored semi-plain text in the registry
Managed Service Accounts (2008 R2)
- New object type in Active Directory
- Service accounts with automatic password and SPN management
- Ideal for service accounts on individual servers
group Managed Service Accounts (2012)
- New object type in Active Directory
- Linkable to groups and multiple computer objects
- Ideal for service accounts on server farms, clusters, etc.
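The gMSA workflow from the slide above, as an added example written for this page (not code from the presentation); the group, account, host and domain names are assumed placeholders:

```powershell
# Run once per forest: the KDS root key from which DCs derive gMSA passwords.
# Normally use -EffectiveImmediately and wait ~10 hours for replication; the
# backdated EffectiveTime below is a single-DC lab shortcut only.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Group of farm member computer accounts that are allowed to retrieve the password.
New-ADGroup -Name "WebFarm-Hosts" -GroupScope Global -Path "OU=Groups,DC=corp,DC=example"
Add-ADGroupMember -Identity "WebFarm-Hosts" -Members "WEB01$", "WEB02$"

# The gMSA: password rotated by the DCs every 30 days, SPN managed with the account,
# AES-only so the rotated password never yields an RC4 key.
New-ADServiceAccount -Name "gMSA-WebApp" `
    -DNSHostName "webapp.corp.example" `
    -ServicePrincipalNames "HTTP/webapp.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebFarm-Hosts" `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# On each farm member, after a reboot so the new group is in the host's token:
Install-ADServiceAccount -Identity "gMSA-WebApp"
Test-ADServiceAccount -Identity "gMSA-WebApp"    # True when this host can fetch the password

# Periodic review: which principals may retrieve each gMSA password?
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```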
Kerberos Armoring (FAST)
- Kerberos is for ‘safe networks’
- It was never designed for the Internet (at MIT in 1980 – 1993)
- Initial reply for key exchange from the KDC is not strongly encrypted
- Can be brute-forced
Kerberos Armoring
- Also known as Flexible Authentication Secure Tunneling (FAST)
- Described in RFC 6113
- Provides pre-authentication encryption, eliminating cipher fallback
Enabling Kerberos Armoring
- Through Group Policy Objects (GPOs) on DCs and devices
- Options are: supported, not supported, always provide claims and fail unarmored authentication requests
Protected Users Group
- Pass the Hash attacks are real
- NTLM hashes stored by LSASS can be ‘reused’
- Can even be reused in Kerberos with RC4-HMAC-3DES encryption
Protected Users Group
- Built-in global security group in Active Directory
- Disables password caching, NTLM authentication, limits TGT lifetime
- Useful to harden user accounts that have administrative privileges
- Please note: do not use for computer accounts, service accounts, MSAs or gMSAs
- Make Protected Users change their password first on a 2008+ DC for AES
- Protection is non-configurable
Authentication Policies & Policy Silos
- Use when Protected Users protection is too rigid
- When you want to configure TGT lifetime and TGT renewal settings
- When you want to specify a different scope (computers, anyone?)
Authentication Policies & Authentication Policy Silos
- Tag objects within scope of a silo with a claim to apply a policy
- Requires Kerberos Armoring
Easily manageable
- Manage in GUI with Active Directory Administrative Center
- Manage with PowerShell Cmdlets
- Easily manageable, but strong enough to lock anyone out…
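Both slides above in script form, as an added example that is not part of the presentation: the first half applies the Protected Users caveats (user objects only, AES keys present), the second builds the less rigid policy/silo alternative. Account, host and policy names and the $AesKeyCutover date are assumptions for the example:

```powershell
# Part 1: Protected Users. Only real user objects; computer accounts, MSAs and gMSAs break there.
# An account whose password predates the first 2008+ DC has no AES keys and will fail to log on
# once in the group. $AesKeyCutover is a site-specific assumption (date the first 2008+ DC went in).
$AesKeyCutover = Get-Date '2010-06-01'
$admins = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet

foreach ($u in $admins) {
    if ($u.PasswordLastSet -lt $AesKeyCutover) {
        Write-Warning "$($u.SamAccountName): reset the password on a 2008+ DC before adding"
        continue
    }
    Add-ADGroupMember -Identity "Protected Users" -Members $u
}

# Part 2: Authentication Policy + Silo for the cases Protected Users cannot express:
# a 4-hour user TGT instead of the fixed value, scoped to named admins and their admin hosts.
# Needs Kerberos armoring enabled on DCs and clients, or the silo claim is never issued.
New-ADAuthenticationPolicy -Name "Tier0-Admins-Policy" -UserTGTLifetimeMins 240 -Enforce
New-ADAuthenticationPolicySilo -Name "Tier0-Silo" `
    -UserAuthenticationPolicy "Tier0-Admins-Policy" `
    -ComputerAuthenticationPolicy "Tier0-Admins-Policy" `
    -ServiceAuthenticationPolicy "Tier0-Admins-Policy" `
    -Enforce

# Membership is two-sided: the silo must admit the account, and the account must be assigned.
foreach ($acct in @("jdoe.adm", "PAW01$")) {
    Grant-ADAuthenticationPolicySiloAccess -Identity "Tier0-Silo" -Account $acct
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo "Tier0-Silo"
}

# Verify before enforcing for real: who is in the silo, and does the policy show as enforced?
Get-ADAuthenticationPolicySilo -Identity "Tier0-Silo" -Properties Members, Enforce |
    Select-Object Name, Enforce, Members
```

Create the policy and silo without -Enforce first; the DCs then log audit events for would-be rejections, which lets the scope be corrected before the "lock anyone out" moment the slide warns about.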
Dynamic Access Control
- Claims-based Access Control to files and folders
- Rich authorization scenarios based on user and/or device attributes
- Access can be based on properties of files and folders
Define Dynamic Access
- Scope and access with Resource properties on files and folders and GPOs on file servers
- Claims based on attributes of user, device objects
- Central Access Policies
Requirements
- Windows Server 2012-based Domain Controllers, or up
- Windows Server 2012-based File Servers, or up (and several SANs)
- CompoundID requires Windows 8
What’s New in managing Active Directory
Active Directory Scalability
RID Pool Artificial Ceiling
- RID Pool depletion halts Active Directory object and trust creation
- RID Pool Master FSMO role on a Windows Server 2012-based DC
- Artificial ceiling holding back RIDs
31st bit of the RID Pool
- Twice the amount of RIDs available for object and trust creation
- Now you can create 2 billion objects! :-)
- Unlocked using a RootDSE modification with ldp.exe
Exposed DNTs
- DNTs are domain controller-local and don’t get reused or reclaimed
- Hard to see how far a Domain Controller was using up DNTs
- In Windows Server 2012 and up, you can see with perfmon.exe
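A monitoring check for the two ceilings discussed above, added here as an example (not from the presentation). It decodes rIDAvailablePool on the RID Manager object (upper 32 bits = pool size, lower 32 bits = next RID to allocate), so it reports correctly both before and after the 31st bit is unlocked; the threshold and the DNT counter name are assumptions:

```powershell
# Ask the RID master itself: its copy of the RID Manager object is authoritative.
$domain = Get-ADDomain
$ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
    -Properties rIDAvailablePool -Server $domain.RIDMaster

[int64]$pool  = $ridMgr.rIDAvailablePool
$total = [int64]($pool -shr 32)            # 0x3FFFFFFF (2^30-1) with the artificial ceiling,
                                           # 0x7FFFFFFF (2^31-1) once the 31st bit is unlocked
$next  = [int64]($pool -band 0xFFFFFFFF)   # next RID the RID master will hand out
$pct   = [math]::Round(100 * $next / $total, 2)

"RID pool on {0}: {1} of {2} RIDs allocated ({3}%)" -f $domain.RIDMaster, $next, $total, $pct
if ($total -le 0x3FFFFFFF) { "31st bit not unlocked yet (ceiling still at 2^30)" }
if ($pct -gt 80) {            # 80% is an assumed alerting threshold
    Write-Warning "RID pool nearing depletion: investigate bulk RID consumption (e.g. repeated
    RID block invalidation, mass object creation) and plan the 31st-bit unlock via RootDSE"
}

# Exposed DNTs (Windows Server 2012+): DNTs are per-DC and never reclaimed, so track each DC.
# Counter name assumed from the DirectoryServices performance object.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $dnt = (Get-Counter "\DirectoryServices(NTDS)\Approximate highest DNT" -ComputerName $dc).CounterSamples.CookedValue
    "{0}: approx. highest DNT {1} of {2}" -f $dc, $dnt, [int32]::MaxValue
}
```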
Active Directory Administrative Center
Active Directory Recycle Bin GUI
- Recycle Bin has been available since Windows Server 2008 R2
- Previously manageable with PowerShell only
- Now in the Active Directory Administrative Center (dsac.exe)
Fine-grained Password Policy GUI
- FGPPs have been around since Windows Server 2008
- Previously manageable on the command line and with 3rd party tools
- Now in the Active Directory Administrative Center (dsac.exe)
Active Directory PowerShell History Viewer
- Active Directory PowerShell modules include 145 PowerShell Cmdlets
- Hard, time-consuming to learn?
- Active Directory Administrative Center (dsac.exe) to the rescue!
What’s New in deploying and migrating Active Directory
New Promotion and Upgrade Processes
Challenges with promoting Domain Controllers
- Promoting a Domain Controller cannot be done remotely
- Preparing a domain/forest is difficult, time-consuming and error-prone
New Promotion process
- Dcpromo.exe be gone!
- The Active Directory Domain Services Configuration Wizard
- Available after role installation, can be done remotely from Server Manager
New Upgrade process
- No longer do you need to use adprep.exe in small environments
- Preparation is triggered automatically when promoting the first DC
- Adprep.exe still available, but only 64-bit.
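The remote promotion path from the slides above, as an added example (not the presentation's own code); the server name, domain name and site are assumptions. The implicit adprep only succeeds when the promoting credential is a member of Schema Admins and Enterprise Admins, so the example asks for that credential explicitly:

```powershell
# Credentials: Enterprise + Schema Admin is needed only for the first 2012 DC (implicit adprep);
# a plain Domain Admin suffices for later replicas.
$cred = Get-Credential -Message "Enterprise/Schema Admin for the first 2012 DC"
$dsrm = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

# Role installation no longer needs a console session on the target.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -ComputerName DC03

Invoke-Command -ComputerName DC03 -Credential $cred -ScriptBlock {
    # Dry run: reports missing prerequisites (DNS, replication partner, adprep state)
    # without changing anything, and is where a failed implicit adprep shows up first.
    Test-ADDSDomainControllerInstallation -DomainName "corp.example" `
        -Credential $using:cred -SafeModeAdministratorPassword $using:dsrm

    # The actual promotion; replaces dcpromo.exe. -Force suppresses confirmation prompts only.
    Install-ADDSDomainController -DomainName "corp.example" `
        -Credential $using:cred -SafeModeAdministratorPassword $using:dsrm `
        -InstallDns -SiteName "Default-First-Site-Name" -Force
}
```

After the reboot, Get-ADDomainController -Identity DC03 -Server DC03 confirms the new DC advertises, and the implicit adprep is visible as a raised objectVersion on the schema and domain objects.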
Deferred Index Creation
Current challenges with indexability
- Indexability triggers an immediate indexing process upon replication
- Indexing may result in Denial of Service
Deferred Index Creation
- Indexing may be deferred to a more suitable time
- Not enabled by default, needs a registry change
Triggering Index Creation
- Reboot the Domain Controller
- Perform a RootDSE modification
Active Directory virtualization safeguards
Challenges with virtualizing Domain Controllers
- Organizations want to ‘virtualize everything’
- Active Directory assumes linearity of time for replication
- Improper procedures may lead to USN Rollbacks and Lingering objects
Recommendations from Microsoft (pre-2012)
- Treat virtualized Domain Controllers as non-virtualized hosts
- Take care of time synchronization
Virtualization-safe Active Directory
- Active Directory takes advantage of VM-GenerationID
- Stores the ID in the database, checks the value with every write
- When the ID changes, the RID Pool is discarded and the InvocationID is reset
Domain Controller Cloning
Challenges with deploying replica Domain Controllers
- It takes 1-4 days to deploy new Domain Controllers
- Hard disks of Domain Controllers are 98% equal
Recommendations from Microsoft (pre-2012)
- Do not attempt to clone Domain Controllers
- Do not reuse the (virtual) hard disk of a Domain Controller
Domain Controller Cloning
- Clone virtualized Domain Controllers to create replicas
- Reduce 1-4 days to 10-15 minutes
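The cloning procedure from the virtualization-safeguards and cloning slides above, as an added example that is not part of the presentation. It checks the safeguard the slides depend on (the source DC's msDS-GenerationId, i.e. the hypervisor exposes a VM-GenerationID) before authorising and configuring the clone; DC names, site and addresses are assumptions:

```powershell
# 1. Prerequisites: PDC emulator on Windows Server 2012+, and the source DC has a stored
#    VM-GenerationID. Without that attribute the clone would boot as a USN-rollback DC instead.
$pdcFqdn = (Get-ADDomain).PDCEmulator
$pdcOs   = (Get-ADComputer -Identity $pdcFqdn.Split('.')[0] -Properties OperatingSystem).OperatingSystem
if ($pdcOs -notmatch 'Server 2012') { throw "PDC emulator ($pdcFqdn) must run Windows Server 2012 or later" }

$src = Get-ADComputer -Identity "DC02" -Properties 'msDS-GenerationId'
if (-not $src.'msDS-GenerationId') { throw "DC02 has no VM-GenerationID: hypervisor is not cloning-safe" }

# 2. Authorise the source DC: membership is checked by the PDC when the clone boots.
Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members $src

# 3. On the source DC: refuse to proceed while software not known to be clone-safe is installed,
#    then write the clone config file (DCCloneConfig.xml next to the NTDS database).
Invoke-Command -ComputerName DC02 -ScriptBlock {
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) {
        $excluded | Format-Table -AutoSize
        throw "Review these first; only then accept them with Get-ADDCCloningExcludedApplicationList -GenerateXml"
    }
    New-ADDCCloneConfigFile -CloneComputerName "DC03" -SiteName "Default-First-Site-Name" `
        -Static -IPv4Address "10.0.0.13" -IPv4SubnetMask "255.255.255.0" `
        -IPv4DefaultGateway "10.0.0.1" -IPv4DNSResolver "10.0.0.11"
}
# 4. Shut DC02 down, export or copy its virtual disk, import it as a new VM and start it.
#    The changed VM-GenerationID plus the config file send the DC down the clone path
#    (new name, IP, InvocationID and RID pool) rather than the rollback path.
```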
Demo Domain Controller Cloning
Requirements per feature in Active Directory
(Table; only the column and row labels survived extraction, the check marks showing which requirement applies to which feature did not.)
Requirement columns:
- 2003 DFL
- 2008 DFL
- 2008 R2 FFL
- 2012 Server
- 2012 Schema
- 2012 DC
- 2012 DC + PDCe
- 2012 DC + RID PDC
- 2012 on all DCs
- 2012 DFL
- 2012 R2 Schema
- 2012 R2 DC
- 2012 R2 PDC
- 2012 R2 DFL
- 2012 File Servers
- Windows 8
Feature rows:
Deployment and migration
- Virtualization-safe(r) Active Directory
- Domain Controller Cloning
- New promotion and upgrade process
- Deferred Index Creation
Security
- group Managed Service Accounts (gMSAs)
- Kerberos Armoring (FAST)
- Protected Users Group
- Authentication Policies & Authentication Policy Silos
- Dynamic Access Control
Manageability
- Active Directory Recycle Bin GUI
- Fine-grained Password Policies GUI
- Active Directory PowerShell History Viewer
Scalability
- RID Pool Artificial Ceiling
- 31st bit of the RID Pool
- Exposed DNTs
Concluding
Concluding
What’s new in deployment and migration?
- Virtualization safeguards, Domain Controller Cloning
- New promotion and upgrade process
- Deferred Index Creation
What’s new in security?
- Group MSAs, Kerberos Armoring
- Protected Users, Authentication Policies
- Dynamic Access Control
What’s new in managing Active Directory?
- Active Directory Recycle Bin GUI
- Fine-grained Password Policies GUI
- PowerShell History Viewer
- Scalability
Questions?
Thank you!