Active Directory in Windows Server 8. Paul Loonen, Architect, CTO Office, Avanade France & Belgium
Discover what´s new in Windows 8 Active Directory

Dec 21, 2014

More info on http://www.techdays.be.
Transcript
Page 1: Discover what´s new in Windows 8 Active Directory

Active Directory in Windows Server 8

Paul Loonen, Architect, CTO Office, Avanade France & Belgium

Page 2

Windows Server 8 AD DS

Two themes:
• Easier to Deploy and Manage AD DS
• Dynamic Access Control

Disclaimer: everything in this talk is based on the Developer Preview released for //Build

Page 3

EASIER TO DEPLOY AND MANAGE AD DS

Page 4

Easier to Deploy & Manage AD – Broad Goals

Virtualization That Just Works
• Active Directory works equally well in physical, virtual or mixed environments

Simplified Deployment of Active Directory
• Complete integration of environment preparation, role installation and DC promotion into a single UI
• DCs can be deployed rapidly to ease disaster recovery and workload balancing
• DCs can be deployed remotely on multiple machines from a single Windows 8 machine
• Consistent command-line experience through Windows PowerShell to enable automation of deployment tasks

Simplified Management of Active Directory
• GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
• Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
• Active Directory Windows PowerShell support for managing replication and topology data

Page 5

DC Deployment

Page 6

Integrated, Seamless Deployment
• New domain controller promotion interface
  • integrates the preparation steps into the promotion process
  • automates the pre-requisites between each of the steps
  • validates environment-wide pre-requisites before beginning deployment
  • integrated with Server Manager and remoteable
  • built on Windows PowerShell for command-line and UI consistency
  • configuration wizard aligns to the most common deployment scenarios
• What's gone?
  • DCPromo UI – command line is still there

Page 7

Demo: Domain Controller Promotion

Page 8

DC Virtualization

Page 9

DC Virtualization
• Virtualization on current (pre-Win8) Domain Controllers is a bad idea
• Risks include
  • USN rollback
    • Replication issues
    • Invocation ID and USN together make sure AD knows what needs to be replicated
  • Lingering objects
  • Inconsistent passwords
  • Inconsistent attribute values
  • Inconsistent schema if Schema master rolled back
  • Duplicate SIDs if RID master rolled back

Page 10

DC Virtualization
• Virtualization-safe protection
  • Windows Server 8 virtual DCs are able to detect when:
    • snapshots are applied
    • a VM is copied
  • detection built on a generation identifier (VM-generation ID) that is changed when virtualization features such as VM snapshots are used
  • Windows Server 8 virtual DCs track the VM-generation ID to detect changes and protect Active Directory
• Virtual domain controller cloning
  • create replicas of virtualized DCs by cloning existing ones
  • i.e. copy the VHD through hypervisor-specific export + import operations
  • note that the authorization of clones remains under Enterprise/Domain Admins' control
  • requires only one virtual DC per domain to seed and quickly recover an entire forest

Page 11

Steps to clone a DC
1. Make sure your hypervisor supports VM-Generation-ID
2. Make sure your PDC FSMO runs Windows 8
  • BTW – you cannot clone the PDC FSMO!
3. Prepare
  • %windows%\NTDS\DCCloneConfig.xml
  • %windows%\NTDS\CustomDCCloneAllowList.xml
  • Remove any services from your DC that cannot be cloned
  • PS C:> Get-ADDCCloningExcludedApplicationList
4. Give permission in AD to the computer object "Allow a DC to create a clone of itself" (on domain object)
5. Shut down your DC, remove any snapshots
6. Copy the .vhd, create a new VM using the copied .vhd
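The pre-flight checks for steps 1 to 4 above (including the VM-Generation ID check from the previous slide), as PowerShell run on the source DC. This is an added example, not from the slides: the msDS-GenerationId attribute, the Cloneable Domain Controllers group and New-ADDCCloneConfigFile are taken from the released Windows Server 2012, which this Developer Preview talk predates, so treat them as assumptions, and the host names and addresses are constructed.

```powershell
# Added example: pre-flight checks before cloning a virtual DC (run on the clone source).
# Assumes the released Windows Server 2012 cmdlets/attributes; the Developer Preview may differ.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$me     = $env:COMPUTERNAME

# Step 1: the hypervisor must expose a VM-Generation ID. A DC that has booted with gen-ID
# support records the value it saw in msDS-GenerationId on its own computer object.
$dc = Get-ADComputer -Filter "Name -eq '$me'" -Properties 'msDS-GenerationId'
if (-not $dc.'msDS-GenerationId') {
    throw "No VM-Generation ID recorded for $me: the hypervisor does not expose one (or the DC never booted on it)"
}

# Step 2: the PDC emulator must run Windows Server 8 and must not itself be the clone source.
$pdc = Get-ADComputer -Filter "DNSHostName -eq '$($domain.PDCEmulator)'" -Properties OperatingSystem
if ($pdc.OperatingSystem -notmatch 'Windows Server (8|2012)') {
    throw "PDC emulator $($pdc.Name) runs '$($pdc.OperatingSystem)'; it must run Windows Server 8"
}
if ($pdc.Name -eq $me) { throw 'The PDC FSMO role holder cannot be cloned; move the role first' }

# Step 4 (done before writing the config file, because the config cmdlet re-checks it):
# authorization stays with Domain Admins, who grant "Allow a DC to create a clone of itself"
# by adding the source DC to the Cloneable Domain Controllers group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $dc

# Step 3a: services and programs that block cloning. Remove them, or review and accept them
# into %windir%\NTDS\CustomDCCloneAllowList.xml (-GenerateXml writes that file for you).
$blocking = Get-ADDCCloningExcludedApplicationList
if ($blocking) {
    $blocking | Format-Table -AutoSize
    Write-Warning 'Review this list before cloning: uninstall each entry or add it to CustomDCCloneAllowList.xml'
}

# Step 3b: write %windir%\NTDS\DCCloneConfig.xml; the clone reads it on first boot to rename
# itself and take a static address. Name and addresses below are constructed for the example.
New-ADDCCloneConfigFile -CloneComputerName 'DC-CLONE01' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.21' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# Steps 5 and 6 are hypervisor operations: shut down, delete snapshots, copy the VHD, build the VM.
```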

Page 12

ADAC Enhancements

Page 13

AD Recycle Bin
• Feature added in Win2k8R2
  • Allows complete object recovery
  • PowerShell only – no GUI (except 3rd party)
• Recovery integrated in ADAC
  • "Deleted Objects" node in ADAC
  • Recovery in GUI
  • Same requirements as in Win2k8R2

Page 14

Fine-Grained Password Policy
• FGPP introduced in Win2k8
  • Allows special password requirements
  • PSO object
• Creation now through ADAC

Page 15

Windows PowerShell History
• allows administrators to view the Windows PowerShell commands executed when using the ADAC
  • including copy-paste!
• reduces the learning curve
• increases confidence in scripting
• further enhances PowerShell discoverability
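The cmdlets that sit behind the two ADAC tasks from the previous slides (Recycle Bin recovery and PSO creation), i.e. what the PowerShell History viewer would show for them. This is an added example, not from the talk; account and policy names are constructed.

```powershell
# Added example: the commands behind ADAC's "Deleted Objects" node and FGPP editor.
# Names and values are constructed for illustration.
Import-Module ActiveDirectory

# AD Recycle Bin must be enabled first (forest-wide and irreversible), so check before enabling.
$forest = Get-ADForest
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $forest.RootDomain
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Deleted objects are only visible with -IncludeDeletedObjects; lastKnownParent tells you
    # where the object came from (the Recycle Bin keeps all attributes, not just a tombstone).
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted object named $SamAccountName is in the Recycle Bin" }
    if (@($deleted).Count -gt 1) { throw "Several deleted objects match $SamAccountName; restore by ObjectGUID" }
    # Restores into its original container with SID, group memberships and attributes intact,
    # so it is the safe alternative to re-creating the account (which would get a new SID).
    Restore-ADObject -Identity $deleted.ObjectGUID
    Get-ADUser -Identity $SamAccountName -Properties MemberOf
}

# Fine-Grained Password Policy: a stricter PSO for privileged accounts, as ADAC would create it.
# The lowest Precedence value wins when several PSOs apply to one account.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Verify the policy that actually applies to a given account after precedence is resolved.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe'
```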

Page 16

Demo: ADAC Enhancements

Page 17

AD Management enhancements with PowerShell

Page 18

PowerShell additions in Windows 8
• AD Management with PowerShell added in Windows Server 2008 R2
  • 76 cmdlets – mostly mimicking ADUC functionality
• New for Windows 8
  • DC Deployment
  • Topology and Replication Management
  • Dynamic Access Control

Page 19

Domain Controller Deployment
• DCPromo.exe deprecated
  • No more UI, but still available from the command line
  • PowerShell scripting is the new approach
  • Easy integration in e.g. MDT
• 10 cmdlets in the new module ADDSDeployment
  • Test-ADDSDomain, DomainControllerInstallation, DomainControllerUninstallation, DomainInstallation, ForestInstallation, ReadOnlyDomainControllerAccountCreation
  • Install-ADDSDomain, DomainController, Forest
  • Add-ADDSReadOnlyDomainControllerAccount
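A scripted promotion of an additional DC from another machine, running the Test- cmdlet as a dry run before the Install- cmdlet, which is the remote, PowerShell-based deployment the earlier slides describe. This is an added example, not the talk's demo; the parameter names are those of the released ADDSDeployment module (the preview may differ), and the domain, server name and paths are constructed.

```powershell
# Added example: remote DC promotion with the ADDSDeployment module.
# Assumes the released Windows Server 2012 module; names below are constructed.
$target = 'DC02'                            # domain-joined member server to promote
$cred   = Get-Credential 'CONTOSO\dcadmin'  # Domain Admin performing the promotion
$dsrm   = Read-Host 'DSRM password' -AsSecureString

$promote = {
    param($Cred, $Dsrm)
    # The role binaries must be present before the promotion cmdlets are available.
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # One parameter set serves both the dry run and the real promotion, so they cannot drift.
    $common = @{
        DomainName                    = 'contoso.local'
        Credential                    = $Cred
        SafeModeAdministratorPassword = $Dsrm
        SiteName                      = 'Default-First-Site-Name'
        InstallDns                    = $true
        NoGlobalCatalog               = $false
        DatabasePath                  = 'D:\NTDS'
        LogPath                       = 'D:\NTDS'
        SysvolPath                    = 'D:\SYSVOL'
    }

    # Dry run: the same environment-wide prerequisite checks the Server Manager wizard runs
    # (forest/domain prep level, name resolution, DNS, credentials). Nothing is changed.
    $check = Test-ADDSDomainControllerInstallation @common
    if ($check.Status -ne 'Success') {
        $check.Message
        throw 'Prerequisite check failed; the server was not promoted'
    }

    # Real promotion. -Force suppresses the confirmation prompt; the server reboots when done.
    Install-ADDSDomainController @common -Force
}

# Run the whole block on the target; explicit credentials are passed in, so no second hop is needed.
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock $promote -ArgumentList $cred, $dsrm
```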

Page 20

Intermezzo: discoverability

Page 21

Topology and replication
• Scripting AD Management requires multiple tools and technologies
  • repadmin
  • Ntdsutil
  • GUI-based tools – kind of hard to automate
• The reality of Windows scripting is PowerShell
  • Using PS makes management consistent with this strategy
  • PowerShell is easy to discover
    • PowerShell history viewer
    • Get-Command -Noun AD*
    • Show-Command
    • ISE

Page 22

Replication Management
• cmdlets give some of the repadmin functionality
  • Get-ADReplicationAttributeMetadata
  • Get-ADReplicationFailure
  • Get-ADReplicationPartnerMetadata
  • Get-ADReplicationQueueOperation
  • Get-ADReplicationUpToDatenessVectorTable
  • Sync-ADObject
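Three of the cmdlets above used the way a defender would: a forest-wide replication health check, replication metadata as a change history for sensitive attributes, and forcing an urgent change to every DC. This is an added example, not from the talk; cmdlet and property names are those of the released Windows Server 2012 module and are assumed to match the preview.

```powershell
# Added example: replication health, change forensics and urgent sync with the new cmdlets.
# Assumes the released Windows Server 2012 ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ReplicationProblems {
    $forestName = (Get-ADForest).Name
    # Failures recorded by every DC in the forest (roughly what 'repadmin /replsummary' shows).
    $failures = Get-ADReplicationFailure -Target $forestName -Scope Forest |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
    # Partners with no successful inbound replication for 24h: left long enough this produces
    # lingering objects, the same failure class a rolled-back virtual DC causes.
    $stale = Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest -Partition * |
        Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-24) } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult
    [pscustomobject]@{ Failures = $failures; StalePartners = $stale }
}

function Get-ChangeHistory {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [string[]]$Attributes = @('member', 'adminCount', 'userAccountControl', 'servicePrincipalName'))
    # Replication metadata records, per attribute, the originating DC, the USN and the time of
    # the last change, so it answers "when was this group's membership changed, and on which DC"
    # even where object auditing was never switched on. -ShowAllLinkedValues covers 'member'.
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'"
    Get-ADReplicationAttributeMetadata -Object $obj -Server (Get-ADDomain).PDCEmulator -ShowAllLinkedValues |
        Where-Object { $Attributes -contains $_.AttributeName } |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object AttributeName, AttributeValue, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeUsn, Version
}

function Push-ObjectToAllDCs {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # After disabling a compromised account or resetting its password on the PDC emulator,
    # replicate that single object everywhere now instead of waiting for the site schedule
    # (what 'repadmin /replsingleobj' did).
    $source = (Get-ADDomain).PDCEmulator
    foreach ($dc in (Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne $source }) {
        Sync-ADObject -Object $DistinguishedName -Source $source -Destination $dc
    }
}

Get-ReplicationProblems | Format-List
Get-ChangeHistory -SamAccountName 'Domain Admins' | Format-Table -AutoSize
```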

Page 23

Topology Management
• 18 cmdlets added:
  • Get- / New- / Remove- / Set-ADReplicationSite
  • Get- / New- / Remove- / Set-ADReplicationSiteLink
  • Get- / New- / Remove- / Set-ADReplicationSiteLinkBridge
  • Get- / New- / Remove- / Set-ADReplicationSubnet
  • Get- / Set-ADReplicationConnection

Page 24

Demo: Manage AD Using PowerShell

Page 25

AD-Based Activation

Page 26

Activation leveraging Active Directory
• Use your existing Active Directory infrastructure to activate your clients
• New option when deploying the Volume Activation Services role
  • no additional machines required
  • no RPC requirement, uses LDAP exclusively
  • includes RODCs
• Beyond installation and service-specific requirements, no data is written back to the directory
• Activation object maintained in the configuration partition
  • Represents proof of purchase
  • Machines can be members of any domain in the forest
  • Must be enterprise admin (can be delegated)
• All Windows 8 machines will automatically activate
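Because the activation object is the proof of purchase and its management can be delegated, a practitioner will want to list the objects in the configuration partition and see who holds explicit write rights on them. This is an added example, not from the talk; the container path and object class are those used by the released product and are assumptions here.

```powershell
# Added example: inventory AD-based activation objects and check delegation on them.
# Container path and objectClass are assumed from the released Windows Server 2012.
Import-Module ActiveDirectory

function Get-ActivationObjectReport {
    $config = (Get-ADRootDSE).configurationNamingContext
    $base   = "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$config"
    $objs   = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=msSPP-ActivationObject)' `
                  -Properties whenCreated, whenChanged
    foreach ($o in $objs) {
        # Explicit (non-inherited) Allow ACEs with write rights show whether delegation has grown
        # beyond Enterprise Admins; inherited rights come from the configuration partition itself.
        $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
        $writers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                           ("$($_.ActiveDirectoryRights)" -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner') } |
            Select-Object -ExpandProperty IdentityReference -Unique
        [pscustomobject]@{
            Name           = $o.Name
            Created        = $o.whenCreated
            LastChanged    = $o.whenChanged
            ExplicitWriters = ($writers -join ', ')
        }
    }
}

Get-ActivationObjectReport | Format-Table -AutoSize
```

An empty ExplicitWriters column is the expected state; anything listed there is a delegation someone added and should be traceable to a change record.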

Page 27

Demo: AD-Based Activation

Page 28

Dynamic Access Control

Page 29

Data Management Challenges
• Growth of users and data
• Distributed computing
• Regulatory and Business Compliance
• Budget Constraints

Page 30

Different views of Information Governance
• CSO/CIO department: "I need to have the right compliance controls to keep me out of jail"
• Infrastructure Support: "I don't know what data is in my repositories and how to control it"
• Content Owner: "Is my important data appropriately protected and compliant with regulations – how do I audit this"
• IW: "I don't know if I am complying with my organization's policies"

Page 31

Information governance policies
• What is this really about?
  • Apply appropriate access policies
  • Audit access to information
  • Encrypt information
  • Apply appropriate retention to information
• Why should you care
  • Your solution or product creates, manages or protects information in files
  • Compliance is becoming a factor in software purchasing decisions

Page 32

How Windows 8 enables these objectives
• Bring the existing identity claims model into the Windows platform
• Introduce a model to target access and audit policies based on tagging to drive efficient policy enforcement, and implement this model for files
• Bridge the gap between IT & Information Owners using information tagging for files

Page 33

Approach in Windows 8
• Plumb claims into the core Authentication platform via Kerberos with Active Directory
• Enhance the Authorization platform for files to author and manage richer access policies with claims
• Enhance the audit platform for files to drive efficient Audit controls across the Enterprise
• Project User & Device Claims for consumption by .NET apps
• Improve the File Management infrastructure for Files in Win8

Page 34

Expression-based access control policy

User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High

ACCESS POLICY
Applies to: @Resource.Impact == "High"
Allow | Read, Write | if (@User.Clearance == "High") AND (@Device.Managed == True)

(diagram labels: Active Directory, File Server)

Page 35

Token changes in Windows 8
• Domain Controller issues groups… and claims!
  • Claims (user & device) sourced from Identity attributes in AD
  • Compound ID – binds a user to the device to be authorized as one principal
  • Claims delivered in the Kerberos PAC
• NT Token has sections
  • User & Device data
  • Claims and Groups!
• OID to claim for cert-based Auth
• Support for X-Forest Claims Transformation

(diagram: Windows 8 Token – Owner, Group, User Groups, Claims, Device Groups, Claims)

Page 36

Authorization – Updated ACL Model

Windows 7
• No expressions in ACL
  • Led to group bloat
• ACLs only based on groups
  • Led to group bloat
• No ability to control access based on device state
• No way to target policy based on Resource Type

New in Windows 8 (with example)
• Support for Expression with 'AND'/'OR' primitives
  Example: User.memberOf (USA-Employees) AND User.memberOf (Finance-Division) AND User.memberOf (Authorization-Project)
• Support for User Claims from AD
  Example: User.Division = 'Finance' AND User.CostCenter = 20000
• Support for Static Device Claims from AD
  Example: User.Division = 'Finance' AND Device.ITManaged = True
• Target Policy based on Resource Type
  Example: IF (Resource.Impact = 'HBI') ALLOW AU Read User.EmployeeType = 'FTE'

• Claims support in ACEs managed as SDDL strings
  • Added / removed from SDDL strings via standard string manipulation functions

Page 37

Managing data on file servers
Looking at the problem space for a data repository
• One of the largest repositories of data in the organization
• Regulatory compliance periodic audits are expensive and labor intensive
• Data leakage of sensitive information
• Exposure of information due to the complexity of granting access on a need-to-know basis

Page 38

Resource Property Definitions

In Active Directory:
• Create resource property definitions
On File Server:
• Identify information
  • Tagging information by owner
  • Automatic classification
  • Line Of Business applications

(diagram: Windows 8 Active Directory, Windows 8 File Server, Content owner, Applications; Control access to information)

Page 39

Claim Definitions, Resource Property Definitions, Access policy

In Active Directory:
• Create claim definitions
• Create resource property definitions
• Create central access policy
In Group Policy:
• Send central access policies to file servers
On File Server:
• Apply access policy to the shared folder
• Identify information
At Runtime:
• User tries to access information

(diagram: Windows 8 Active Directory, Windows 8 File Server, End User, Allow/Deny; Control access to information)
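The "In Active Directory" steps of this slide, carried out for the exact policy on the page 34 slide (Impact == High; allow Read/Write only if User.Clearance == High AND Device.Managed == True), including the conditional ACE the policy becomes. This is an added example, not from the talk: the cmdlets and parameters are those of the released Windows Server 2012 module (the preview may differ), and the source attributes, names and the claim-by-ID lookup are this example's own choices.

```powershell
# Added example: claim types, a resource property, a central access rule and a central access
# policy for the slide 34 policy. Assumes the released Windows Server 2012 cmdlets.
Import-Module ActiveDirectory

# 1. Claim definitions. Both claims are sourced from AD attributes (constructed choice:
#    extensionAttribute1 on users, extensionAttribute2 on computers), so they are string-valued
#    and "True" is compared as a string below. RestrictValues keeps Clearance to the listed values.
$high = New-ADSuggestedValueEntry -Value 'High' -DisplayName 'High' -Description 'Cleared for high-impact data'
$low  = New-ADSuggestedValueEntry -Value 'Low'  -DisplayName 'Low'  -Description 'Default clearance'
New-ADClaimType -DisplayName 'Clearance' -SourceAttribute 'extensionAttribute1' `
    -AppliesToClasses 'user' -SuggestedValues $high, $low -RestrictValues $true
New-ADClaimType -DisplayName 'Managed' -SourceAttribute 'extensionAttribute2' -AppliesToClasses 'computer'

# 2. Resource property definition: the Impact tag that file servers stamp on files.
#    IsSecured makes it usable in access conditions, not just for classification.
$hbi = New-ADSuggestedValueEntry -Value 'High' -DisplayName 'High' -Description 'High business impact'
$lbi = New-ADSuggestedValueEntry -Value 'Low'  -DisplayName 'Low'  -Description 'Low business impact'
New-ADResourceProperty -DisplayName 'Impact' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $hbi, $lbi

# 3. Central access rule. Conditional ACEs (type XA) reference claims and resource properties by
#    their ID, which carries a generated suffix, so read the IDs back instead of hard-coding them.
$clearanceId = (Get-ADClaimType -Filter "DisplayName -eq 'Clearance'").ID
$managedId   = (Get-ADClaimType -Filter "DisplayName -eq 'Managed'").ID
$impactId    = (Get-ADResourceProperty -Filter "DisplayName -eq 'Impact'").ID
# 0x12019f = FILE_GENERIC_READ | FILE_GENERIC_WRITE, granted to Authenticated Users (AU) only when
# both conditions hold; the owner, BUILTIN\Administrators and SYSTEM keep full control.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       "(XA;;0x12019f;;;AU;((@USER.$clearanceId == `"High`") && (@DEVICE.$managedId == `"True`")))"
New-ADCentralAccessRule -Name 'High impact data' `
    -ResourceCondition "(@RESOURCE.$impactId == `"High`")" -CurrentAcl $acl

# 4. Central access policy, which Group Policy then delivers to the file servers.
New-ADCentralAccessPolicy -Name 'Finance data policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance data policy' -Members 'High impact data'
```

The device half of the condition is only evaluated when the file server requests compound authentication, which is a separate Group Policy setting on the DCs and the file server; without it the Device.Managed test simply fails closed.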

Page 40

Demo: Dynamic Access Control

Page 41

Claim Definitions, Resource Property Definitions, Audit Policy

In Active Directory:
• Create claim definitions
• Create resource property definitions
In Group Policy:
• Create global audit policy
On File Server:
• Identify information
At Runtime:
• User tries to access information

(diagram: Windows 8 Active Directory, Windows 8 File Server, End User, Audit / No Audit; Audit Access to Information)

Page 42

Summary
• What have we learned today?
  • AD DS is easier to deploy and manage
    • Server Manager
    • ADAC
    • PowerShell
    • Virtualization
  • The claims paradigm is extended to File Servers, powered by AD DS – more in John Craddock's session

Page 43

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Thank you! Questions?

@ploonen
http://be-id.blogspot.com
[email protected]