Active Directory in Windows Server 8
Paul Loonen, Architect, CTO Office, Avanade France & Belgium
Dec 21, 2014
Windows Server 8 AD DS
Two themes:
• Easier to Deploy and Manage AD DS
• Dynamic Access Control
Disclaimer: everything in this talk is based on the Developer Preview released for //Build
EASIER TO DEPLOY AND MANAGE AD DS
Easier to Deploy & Manage AD – Broad Goals
Virtualization That Just Works
• Active Directory works equally well in physical, virtual or mixed environments
Simplified Deployment of Active Directory
• Complete integration of environment preparation, role installation and DC promotion into a single UI
• DCs can be deployed rapidly to ease disaster recovery and workload balancing
• DCs can be deployed remotely on multiple machines from a single Windows 8 machine
• Consistent command-line experience through Windows PowerShell to enable automation of deployment tasks
Simplified Management of Active Directory
• GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
• Active Directory Windows PowerShell support for managing replication and topology data
DC Deployment
Integrated, Seamless Deployment
• New domain controller promotion interface
  • integrates the preparation steps into the promotion process
  • automates the pre-requisites between each of the steps
  • validates environment-wide pre-requisites before beginning deployment
  • integrated with Server Manager and remoteable
  • built on Windows PowerShell for command-line and UI consistency
  • configuration wizard aligns to the most common deployment scenarios
• What’s gone?
  • DCPromo UI – the command line is still there
Demo: Domain Controller Promotion
DC Virtualization
DC Virtualization
• Virtualization on current (pre-Win8) Domain Controllers is a bad idea
• Risks include
  • USN rollback
  • Replication issues
    • Invocation ID and USN together make sure AD knows what needs to be replicated
  • Lingering objects
  • Inconsistent passwords
  • Inconsistent attribute values
  • Inconsistent schema if the Schema master is rolled back
  • Duplicate SIDs if the RID master is rolled back
DC Virtualization
• Virtualization-safe protection
  • Windows Server 8 virtual DCs are able to detect when:
    • snapshots are applied
    • a VM is copied
  • detection is built on a generation identifier (VM-generation ID) that is changed when virtualization features such as VM snapshots are used
  • Windows Server 8 virtual DCs track the VM-generation ID to detect changes and protect Active Directory
• Virtual domain controller cloning
  • create replicas of virtualized DCs by cloning existing ones
  • i.e. copy the VHD through hypervisor-specific export + import operations
  • note that the authorization of clones remains under Enterprise/Domain Admins’ control
  • requires only one virtual DC per domain to seed and quickly recover an entire forest
Steps to clone a DC
1. Make sure your hypervisor supports VM-Generation-ID
2. Make sure your PDC FSMO runs Windows 8
   • BTW – you cannot clone the PDC FSMO!
3. Prepare
   • %windir%\NTDS\DCCloneConfig.xml
   • %windir%\NTDS\CustomDCCloneAllowList.xml
   • Remove any services from your DC that cannot be cloned
   • PS C:\> Get-ADDCCloningExcludedApplicationList
4. Give permission in AD to the computer object: “Allow a DC to create a clone of itself” (on the domain object)
5. Shut down your DC, remove any snapshots
6. Copy the .vhd, create a new VM using the copied .vhd
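The steps above are easy to get wrong by hand (cloning the PDC emulator, leaving a non-cloneable service in place, forgetting the XML files), so here is a pre-flight check that verifies them before the VHD is copied. It is an added example, not code from the deck; the cmdlets and output property names (Get-ADDomain, Get-ADDomainController, Get-ADDCCloningExcludedApplicationList with its Name/Type columns) are those of the ActiveDirectory module as released with Windows Server 2012 and are assumed to behave the same on the Developer Preview the talk covers. The host name is constructed.

```powershell
Import-Module ActiveDirectory

function Test-DCCloneSource {
    param(
        [Parameter(Mandatory)][string]$SourceDC,      # DC you intend to clone, e.g. 'DC02' (constructed)
        [string]$NtdsPath = 'C:\Windows\NTDS'          # %windir%\NTDS on the source DC (assumed default)
    )
    $problems = @()

    # Step 2: the PDC emulator must run Windows Server 8 (shipped as Windows Server 2012)
    # and must never be the clone source.
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    if ($pdc.OperatingSystem -notmatch 'Windows Server (8|2012)') {
        $problems += "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; it must run Windows Server 8"
    }
    if ($pdc.Name -ieq $SourceDC) {
        $problems += "$SourceDC holds the PDC emulator role and cannot be cloned"
    }

    # Step 3: ask the source DC which installed services/programs are not clone-safe.
    # Each must be removed, or explicitly accepted in CustomDCCloneAllowList.xml, before cloning.
    $excluded = Invoke-Command -ComputerName $SourceDC -ScriptBlock {
        Import-Module ActiveDirectory
        Get-ADDCCloningExcludedApplicationList
    }
    foreach ($app in $excluded) {
        $problems += "Not clone-safe on ${SourceDC}: $($app.Name) ($($app.Type))"
    }

    # Step 3: both XML files must exist in %windir%\NTDS on the source DC.
    foreach ($file in 'DCCloneConfig.xml', 'CustomDCCloneAllowList.xml') {
        $path = Join-Path $NtdsPath $file
        $present = Invoke-Command -ComputerName $SourceDC -ScriptBlock { param($p) Test-Path $p } -ArgumentList $path
        if (-not $present) { $problems += "Missing $path on $SourceDC" }
    }

    [pscustomobject]@{
        SourceDC = $SourceDC
        Ready    = ($problems.Count -eq 0)   # only then continue with steps 4-6
        Problems = $problems
    }
}

# Usage (constructed host name):
Test-DCCloneSource -SourceDC 'DC02' | Format-List
```

Run it from a management workstation with the RSAT AD module before step 5; a `Ready = False` result lists exactly which of the deck's prerequisites is unmet. The permission in step 4 is still granted by an Enterprise/Domain Admin, which the check does not touch.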
ADAC Enhancements
AD Recycle Bin
• Feature added in Win2k8R2
• Allows complete object recovery
• PowerShell only – no GUI (except 3rd party)
• Recovery integrated in ADAC
  • “Deleted Objects” node in ADAC
  • Recovery in GUI
  • Same requirements as in Win2k8R2
Fine-Grained Password Policy
• FGPP introduced in Win2k8
• Allows special password requirements
• PSO object
• Creation now through ADAC
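Both ADAC tasks on these two slides were PowerShell-only on Windows Server 2008 R2, and the cmdlets are still the way to script them. The following is an added example, not from the deck: it restores a deleted user from the Recycle Bin and creates a stricter password settings object (PSO) for privileged accounts. The ActiveDirectory module cmdlets used exist since 2008 R2; the domain name, OU, account and group names are constructed.

```powershell
Import-Module ActiveDirectory

# --- AD Recycle Bin: find a deleted user and restore it to its last known parent ---
# Same prerequisites as on Win2k8R2: forest functional level 2008 R2 or higher and the
# optional feature enabled once per forest (irreversible), e.g.:
#   Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'corp.contoso.com'
function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Deleted objects are hidden from ordinary searches; -IncludeDeletedObjects reveals them.
    # sAMAccountName and lastKnownParent are among the attributes preserved on deletion.
    $candidates = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
                    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
    if (-not $candidates) { throw "No deleted object with sAMAccountName '$SamAccountName'" }

    # The same name may have been deleted more than once; restore the most recent deletion.
    $target = $candidates | Sort-Object whenChanged -Descending | Select-Object -First 1
    Restore-ADObject -Identity $target.ObjectGUID      # goes back into lastKnownParent by default
    Get-ADUser -Identity $SamAccountName                # confirms the object (and its SID) is back
}

# --- Fine-Grained Password Policy: a stricter PSO for privileged accounts ---
function New-PrivilegedAccountPso {
    param(
        [string]$Name           = 'PSO-Privileged-Accounts',   # constructed
        [string]$AppliesToGroup = 'Domain Admins'
    )
    # When several PSOs apply to one user, the lowest Precedence value wins.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
        -ReversibleEncryptionEnabled $false

    # PSOs are linked to users and global security groups, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $AppliesToGroup
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

# Usage (constructed names):
Restore-DeletedUser -SamAccountName 'jdoe'
New-PrivilegedAccountPso
# Check which policy an account actually ends up with after precedence is resolved:
Get-ADUserResultantPasswordPolicy -Identity 'adm-jdoe'
```

The resultant-policy check at the end is the one worth keeping in a periodic review: a PSO that exists but is outranked by another with a lower precedence silently does nothing for the accounts it was meant to harden.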
Windows PowerShell History
• allows administrators to view the Windows PowerShell commands executed when using the ADAC
  • including copy-paste!
• reduces the learning curve
• increases confidence in scripting
• further enhances PowerShell discoverability
Demo: ADAC Enhancements
AD Management enhancements with PowerShell
PowerShell additions in Windows 8
• AD Management with PowerShell added in Windows Server 2008 R2
  • 76 cmdlets – mostly mimicking ADUC functionality
• New for Windows 8
  • DC Deployment
  • Topology and Replication Management
  • Dynamic Access Control
Domain Controller Deployment
• DCPromo.exe deprecated
  • No more UI, but still available from the command line
  • PowerShell scripting is the new approach
  • Easy integration in e.g. MDT
• 10 cmdlets in the new module ADDSDeployment
  • Test-ADDSDomainControllerInstallation, Test-ADDSDomainControllerUninstallation, Test-ADDSDomainInstallation, Test-ADDSForestInstallation, Test-ADDSReadOnlyDomainControllerAccountCreation
  • Install-ADDSDomain, Install-ADDSDomainController, Install-ADDSForest
  • Add-ADDSReadOnlyDomainControllerAccount
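The ADDSDeployment cmdlets above are what make the “deploy remotely on multiple machines from a single Windows 8 machine” claim from the goals slide scriptable. The following is an added example, not from the deck: it runs the same prerequisite validation the wizard performs and then promotes several new member servers as domain controllers from one management machine. Cmdlet and parameter names are those of the ADDSDeployment and ServerManager modules as released with Windows Server 2012 and are assumed to match the preview; the Status/Message properties of the Test- result are likewise assumed. Domain, site, host names and the account name are constructed.

```powershell
# Run on a Windows 8 management machine with RSAT; the targets are freshly built member servers.
$domain  = 'corp.contoso.com'                       # constructed
$site    = 'Paris'                                  # constructed AD site for the new DCs
$targets = 'DC03', 'DC04'                           # constructed host names
$cred    = Get-Credential 'CORP\dc-deployer'        # account delegated the right to add DCs
$dsrm    = Read-Host 'Directory Services Restore Mode password' -AsSecureString

function Invoke-DCPromotion {
    param(
        [string]$Target, [string]$DomainName, [string]$SiteName,
        [pscredential]$Credential, [securestring]$DsrmPassword
    )
    # Credentials travel as explicit arguments, so the remote cmdlets authenticate with them
    # directly and no second-hop delegation of the WinRM session is required.
    Invoke-Command -ComputerName $Target -Credential $Credential `
        -ArgumentList $DomainName, $SiteName, $Credential, $DsrmPassword -ScriptBlock {
        param($DomainName, $SiteName, $Credential, $DsrmPassword)

        Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
        Import-Module ADDSDeployment

        # Validate first: DNS, forest/domain preparation and permissions, without changing anything.
        $check = Test-ADDSDomainControllerInstallation -DomainName $DomainName -SiteName $SiteName `
                     -Credential $Credential -SafeModeAdministratorPassword $DsrmPassword -InstallDns
        if ($check.Status -ne 'Success') {          # property names assumed from the released module
            throw "Prerequisite check failed on $($env:COMPUTERNAME): $($check.Message)"
        }

        # -Force suppresses the interactive confirmation; the reboot is left to the operator so
        # the promotion log can be reviewed before the new DC starts serving.
        Install-ADDSDomainController -DomainName $DomainName -SiteName $SiteName `
            -Credential $Credential -SafeModeAdministratorPassword $DsrmPassword -InstallDns `
            -NoRebootOnCompletion -Force
    }
}

foreach ($t in $targets) {
    Invoke-DCPromotion -Target $t -DomainName $domain -SiteName $site `
        -Credential $cred -DsrmPassword $dsrm
}
```

Pairing every Install- call with its Test- counterpart is the point of the module's design: the Test- cmdlets fail fast on the environment-wide prerequisites the new wizard also checks, which is what makes unattended promotion (for example from MDT) safe to automate.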
Intermezzo: discoverability
Topology and replication
• Scripting AD management requires multiple tools and technologies
  • repadmin
  • Ntdsutil
  • GUI-based tools – kind of hard to automate
• The reality of Windows scripting is PowerShell
  • Using PS makes management consistent with this strategy
  • PowerShell is easy to discover
    • PowerShell history viewer
    • Get-Command –Noun AD*
    • Show-Command
    • ISE
Replication Management
• cmdlets give some of the repadmin functionality
  • Get-ADReplicationAttributeMetadata
  • Get-ADReplicationFailure
  • Get-ADReplicationPartnerMetadata
  • Get-ADReplicationQueueOperation
  • Get-ADReplicationUpToDatenessVectorTable
  • Sync-ADObject
Topology Management
• 18 cmdlets added:
  • Get- / New- / Remove- / Set-ADReplicationSite
  • Get- / New- / Remove- / Set-ADReplicationSiteLink
  • Get- / New- / Remove- / Set-ADReplicationSiteLinkBridge
  • Get- / New- / Remove- / Set-ADReplicationSubnet
  • Get- / Set-ADReplicationConnection
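Two of the replication cmdlets listed above cover what operators most often reach for repadmin for: a forest-wide view of which inbound links are failing or silent, and the originating DC and time of the last change to a given attribute (which is how you untangle the inconsistent-password or inconsistent-attribute cases from the DC virtualization slide). This is an added example, not from the deck; the cmdlets and their output property names are those of the ActiveDirectory module as released with Windows Server 2012 and are assumed to match the preview. The threshold and the object DN are constructed.

```powershell
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([timespan]$MaxSilence = (New-TimeSpan -Hours 3))   # constructed: how long a link may go without success
    $forest = (Get-ADForest).Name
    $cutoff = (Get-Date) - $MaxSilence

    # One entry per (server, partner, partition) inbound link across the whole forest.
    $links = Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest
    $stale = foreach ($l in $links) {
        if ($l.ConsecutiveReplicationFailures -gt 0 -or $l.LastReplicationSuccess -lt $cutoff) {
            [pscustomobject]@{
                Server    = $l.Server
                Partner   = $l.Partner                    # DN of the partner's NTDS Settings object
                Partition = $l.Partition
                LastOK    = $l.LastReplicationSuccess
                Failures  = $l.ConsecutiveReplicationFailures
                Result    = $l.LastReplicationResult      # 0 = success, otherwise a Win32 error code
            }
        }
    }

    # Failures the replication engine has already recorded, with error codes and first-seen times.
    $failures = Get-ADReplicationFailure -Target $forest -Scope Forest |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

    [pscustomobject]@{ StaleLinks = @($stale); RecordedFailures = @($failures) }
}

# Which DC originated the last write to a sensitive attribute, and when? Compare the answer
# from two DCs to see whether they disagree (the symptom a rolled-back virtual DC produces).
function Get-AttributeOrigin {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [string[]]$Attribute = @('member', 'userAccountControl', 'pwdLastSet'),
        [string]$Server = "$((Get-ADDomainController -Discover).HostName)"
    )
    Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $Server |
        Where-Object { $_.AttributeName -in $Attribute } |
        Select-Object AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
}

# Usage (constructed DN):
Get-ReplicationHealth | Format-List
Get-AttributeOrigin -ObjectDN 'CN=Domain Admins,CN=Users,DC=corp,DC=contoso,DC=com'
```

A link that is silent for longer than the tombstone lifetime is how lingering objects come about, so `MaxSilence` should be set well below that lifetime and the check scheduled rather than run ad hoc; `Sync-ADObject` can then be used to force a specific object across once the cause is fixed.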
Demo: Manage AD Using PowerShell
AD-Based Activation
Activation leveraging Active Directory
• Use your existing Active Directory infrastructure to activate your clients
• New option when deploying the Volume Activation Services role
  • no additional machines required
  • no RPC requirement, uses LDAP exclusively
  • includes RODCs
• Beyond installation and service-specific requirements, no data is written back to the directory
• Activation object maintained in the configuration partition
  • Represents proof of purchase
  • Machines can be members of any domain in the forest
  • Must be Enterprise Admin (can be delegated)
• All Windows 8 machines will automatically activate
Demo: AD-Based Activation
Dynamic Access Control
Data Management Challenges
• Growth of users and data
• Distributed computing
• Regulatory and Business Compliance
• Budget Constraints
Different views of Information Governance
• CSO/CIO department: “I need to have the right compliance controls to keep me out of jail”
• Infrastructure Support: “I don’t know what data is in my repositories and how to control it”
• Content Owner: “Is my important data appropriately protected and compliant with regulations – how do I audit this”
• IW (Information Worker): “I don’t know if I am complying with my organization’s policies”
Information governance policies
• What is this really about?
  • Apply appropriate access policies
  • Audit access to information
  • Encrypt information
  • Apply appropriate retention to information
• Why should you care
  • Your solution or product creates, manages or protects information in files
  • Compliance is becoming a factor in software purchasing decisions
How Windows 8 enables these objectives
• Bring the existing identity claims model into the Windows platform
• Introduce a model to target access and audit policies based on tagging, to drive efficient policy enforcement, and implement this model for files
• Bridge the gap between IT & Information Owners using information tagging for files
Approach in Windows 8
• Plumb claims into the core Authentication platform via Kerberos with Active Directory
• Enhance the Authorization platform for files to author and manage richer access policies with claims
• Enhance the audit platform for files to drive efficient audit controls across the Enterprise
• Project User & Device Claims for consumption by .NET apps
• Improve the File Management infrastructure for files in Win8
Expression-based access control policy
User claims (issued from Active Directory):
  User.Department = Finance
  User.Clearance = High
Device claims (issued from Active Directory):
  Device.Department = Finance
  Device.Managed = True
Resource properties (tagged on the File Server):
  Resource.Department = Finance
  Resource.Impact = High
ACCESS POLICY
  Applies to: @Resource.Impact == “High”
  Allow | Read, Write | if (@User.Clearance == “High”) AND (@Device.Managed == True)
Token changes in Windows 8
• Domain Controller issues groups… and claims!
  • Claims (user & device) sourced from identity attributes in AD
  • Compound ID – binds a user to the device to be authorized as one principal
  • Claims delivered in the Kerberos PAC
• NT Token has sections
  • User & Device data
  • Claims and Groups!
• OID to claim for cert-based Auth
• Support for X-Forest (cross-forest) Claims Transformation
Windows 8 Token (layout): Owner | Group | User Groups | User Claims | Device Groups | Device Claims
Authorization – Updated ACL Model (Windows 7 limitation vs. new in Windows 8, with an example of each)
• New in Windows 8: Support for expressions with ‘AND’/‘OR’ primitives
  Example: User.memberOf(USA-Employees) AND User.memberOf(Finance-Division) AND User.memberOf(Authorization-Project)
  Windows 7: No expressions in ACL (led to group bloat)
• New in Windows 8: Support for User Claims from AD
  Example: User.Division = ‘Finance’ AND User.CostCenter = 20000
  Windows 7: ACLs only based on groups (led to group bloat)
• New in Windows 8: Support for Static Device Claims from AD
  Example: User.Division = ‘Finance’ AND Device.ITManaged = True
  Windows 7: No ability to control access based on device state
• New in Windows 8: Target Policy based on Resource Type
  Example: IF (Resource.Impact = ‘HBI’) ALLOW AU Read User.EmployeeType = ‘FTE’
  Windows 7: No way to target policy based on Resource Type
• Claims support in ACEs managed as SDDL strings
  • Added / removed from SDDL strings via standard string manipulation functions
Managing data on file servers
Looking at the problem space for a data repository
• One of the largest repositories of data in the organization
• Regulatory compliance periodic audits are expensive and labor intensive
• Data leakage of sensitive information
• Exposure of information due to the complexity of granting access on a need-to-know basis
Control access to information – defining and tagging
Resource Property Definitions
In Active Directory (Windows 8 Active Directory):
• Create resource property definitions
On File Server (Windows 8 File Server):
• Identify information
  • Tagging information by owner (Content owner)
  • Automatic classification
  • Line Of Business applications (Applications)
Control access to information
Claim Definitions, Resource Property Definitions, Access policy
In Active Directory (Windows 8 Active Directory):
• Create claim definitions
• Create resource property definitions
• Create central access policy
In Group Policy:
• Send central access policies to file servers
On File Server (Windows 8 File Server):
• Apply access policy to the shared folder
• Identify information
At Runtime:
• End User tries to access information -> Allow / Deny
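The three “In Active Directory” steps above, applied to the expression-based policy from the earlier diagram and the “Target policy based on resource type” row of the ACL-model slide, look as follows when scripted. This is an added example, not code from the deck: it uses the Dynamic Access Control cmdlets of the ActiveDirectory module as released with Windows Server 2012 (New-ADClaimType, New-ADResourceProperty, New-ADCentralAccessRule, New-ADCentralAccessPolicy and friends), and assumes they match the preview. Also assumed, and flagged inline: the explicit claim and resource-property IDs, the SDDL conditional-ACE syntax used to express the AND of a user claim and a device claim (the deck shows the policy only in pseudo-notation), and the attribute that records a device's managed state, which is a placeholder. All names are constructed.

```powershell
Import-Module ActiveDirectory

# 1. Claim definitions. The user claim is sourced from employeeType (a standard schema attribute).
#    Which computer attribute records "managed" state is an assumption; 'description' is only a
#    placeholder - replace it with the attribute your device-management tooling populates.
New-ADClaimType -DisplayName 'EmployeeType' -ID 'ad://ext/EmployeeType' `
    -SourceAttribute 'employeeType' -AppliesToClasses @('user') -Enabled $true
New-ADClaimType -DisplayName 'Managed' -ID 'ad://ext/Managed' `
    -SourceAttribute 'description' -AppliesToClasses @('computer') -Enabled $true

# 2. Resource property definition: the tag owners or automatic classification put on files.
#    A fixed value list keeps the policy condition unambiguous; IsSecured makes it usable in ACLs.
$impactValues = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('HBI', 'HBI', 'High business impact'),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('LBI', 'LBI', 'Low business impact')
)
New-ADResourceProperty -DisplayName 'Impact' -ID 'Impact_MS' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $impactValues
# Only members of a resource property list are published to the file servers.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Impact'

# 3. Central access rule. ResourceCondition targets only HBI-tagged resources (the slide's
#    @Resource.Impact); the conditional ACE grants Authenticated Users (AU) file read (FR) only when
#    BOTH the user claim and the device claim hold - claims are matched by their IDs from step 1.
$condition = '((@USER.ad://ext/EmployeeType == "FTE") && (@DEVICE.ad://ext/Managed == "True"))'
New-ADCentralAccessRule -Name 'HBI read for FTEs on managed devices' `
    -ResourceCondition '(@RESOURCE.Impact_MS == "HBI")' `
    -CurrentAcl "O:SYG:SYD:AR(XA;;FR;;;AU;$condition)"

# 4. Central access policy that carries the rule. From here the slide's remaining steps apply:
#    Group Policy sends the policy to the file servers, where it is assigned to the shared folder.
New-ADCentralAccessPolicy -Name 'HBI data policy'
Add-ADCentralAccessPolicyMember -Identity 'HBI data policy' -Members 'HBI read for FTEs on managed devices'

# Review the definition before it is pushed out.
Get-ADCentralAccessPolicy -Identity 'HBI data policy' -Properties Members
Get-ADCentralAccessRule -Identity 'HBI read for FTEs on managed devices' -Properties ResourceCondition, CurrentAcl
```

Note the division of labour the slide describes: the claim and property definitions and the policy live in AD, but the value of `Impact` on any given file is set on the file server by the content owner or by classification, and the Allow/Deny decision at runtime is computed on the file server from the claims the DC placed in the user's and device's Kerberos PAC.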
Demo: Dynamic Access Control
Audit Access to Information
Claim Definitions, Resource Property Definitions, Audit Policy
In Active Directory (Windows 8 Active Directory):
• Create claim definitions
• Create resource property definitions
In Group Policy:
• Create global audit policy
On File Server (Windows 8 File Server):
• Identify information
At Runtime:
• End User tries to access information -> Audit / No Audit
Summary
• What have we learned today?
  • AD DS is easier to deploy and manage
    • Server Manager
    • ADAC
    • PowerShell
    • Virtualization
  • The claims paradigm is extended to File Servers, powered by AD DS – more in John Craddock’s session
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Thank you! Questions?
@ploonen
http://be-id.blogspot.com