New Features in 2012R2

Virtualization-Safe Technology

  • Solution
    • Windows Server 2012 virtual DCs able to detect when:
      • snapshots are applied
      • a VM is copied
    • built on a generation identifier (VM-Generation ID) that the hypervisor exposes to the guest and changes whenever a virtualization feature such as snapshot restore or VM copy is used
    • Windows Server 2012 virtual DCs store the last-seen VM-Generation ID (msDS-GenerationId on the DC's own computer object) and compare it at boot and before write transactions; a mismatch means the DC was rolled back or copied
      • protection achieved by:
        • discarding the current RID pool (so RIDs handed out before the rollback are never reissued)
        • resetting the invocationID (so replication partners treat the DC as a new source and no USN rollback goes undetected)
        • re-asserting the INITSYNC requirement for FSMO roles (the DC will not service FSMO operations until it has replicated inbound)

Group Managed Service Accounts


  • Solution
    • introduces a new security principal type, the group Managed Service Account (gMSA)
    • services running on multiple hosts can run under the same gMSA account (a standalone MSA is bound to exactly one host)
    • one or more Windows Server 2012 DCs required
      • gMSAs can authenticate against any OS-version DC once the account exists
      • passwords are computed by the Group Key Distribution Service (GKDS, the Microsoft Key Distribution Service, kdssvc) running on Windows Server 2012 DCs, from a KDS root key created once per forest
    • Windows Server 2012 hosts using gMSAs obtain the password and password updates from the GKDS
      • password retrieval limited to authorized computers (PrincipalsAllowedToRetrieveManagedPassword on the account)
    • password-change interval defined at gMSA account creation (ManagedPasswordIntervalInDays; 30 days by default) and cannot be changed afterwards
    • like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools
      • support for scheduled tasks is being investigated
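The full gMSA lifecycle as an added PowerShell example (my own, not code from the original post): KDS root key, host authorization group, account creation and the per-host install/test. The domain contoso.com, the account svc-web, the group WebServers and the hosts web01/web02 are assumed names.

```powershell
# Added example, not from the original post. Assumed names: domain contoso.com,
# gMSA "svc-web", host group "WebServers", hosts web01/web02.
# Run on a Windows Server 2012 DC (or RSAT AD PowerShell) as a Domain Admin.
Import-Module ActiveDirectory

# 1. One-time per forest: the KDS root key from which the GKDS derives every gMSA password.
#    A new key is usable only 10 hours after creation so it can replicate to every DC.
#    Back-dating it with -EffectiveTime skips that wait and is acceptable ONLY in a lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately                          # production: wait ~10 h before step 3
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # single-DC lab only
}

# 2. Limit password retrieval to the hosts that need it, via a security group.
New-ADGroup -Name WebServers -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity WebServers -Members (Get-ADComputer web01), (Get-ADComputer web02)

# 3. Create the gMSA. The 30-day default interval is spelled out because it cannot be
#    changed later; restricting Kerberos etypes to AES is a cheap hardening win.
New-ADServiceAccount -Name svc-web `
    -DNSHostName svc-web.contoso.com `
    -PrincipalsAllowedToRetrieveManagedPassword WebServers `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# 4. On each host, after a reboot so the new group membership is in the machine token:
#    Install-ADServiceAccount caches the account locally; Test-ADServiceAccount returns
#    $true only if this host could actually retrieve the managed password from the GKDS.
#    Install-ADServiceAccount svc-web
#    Test-ADServiceAccount svc-web

# 5. Authorization check from the DC: exactly who may fetch the password?
(Get-ADServiceAccount svc-web -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword
```

Once Test-ADServiceAccount returns $true, configure the service (or IIS application pool) to log on as contoso\svc-web$ with an empty password; the SCM fetches the current password from the GKDS itself, which is why only the SCM and IIS are supported consumers.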

Off-Premises Domain Join


  • Extends offline domain join (djoin.exe) by allowing the provisioning blob to carry the DirectAccess prerequisites
    • certificates (root CA certificates and a machine certificate issued from a named template)
    • Group Policy objects (the DirectAccess client settings)
  • What does this mean?
    • a computer can now be domain-joined over the Internet if the domain is DirectAccess-enabled: the blob gives it the certificate and policy needed to bring the DirectAccess tunnel up before it has ever reached a DC
    • getting the blob to the non-domain-joined machine is an offline process and the responsibility of the admin; the blob contains the machine account password, so treat it as a secret in transit
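Both halves of the procedure as an added example (not from the original post), run from an elevated PowerShell prompt on each side. The domain contoso.com, the computer name DA-CLIENT01, the GPO name "DirectAccess Client Settings" and the template name "DirectAccessClient" are assumed and must match your environment.

```powershell
# Added example; not from the original post. Assumed: domain contoso.com, target computer
# DA-CLIENT01, DirectAccess client GPO "DirectAccess Client Settings", certificate
# template "DirectAccessClient". Adjust to your environment.

# --- On a domain member that has djoin.exe (Windows Server 2012 / Windows 8 or later), as a
#     user allowed to create computer objects and to enroll from the template.
#     These three switches are what put the DirectAccess prerequisites into the blob:
#       /POLICYNAMES  embeds the named Group Policy objects
#       /ROOTCACERTS  embeds the domain's root CA certificates
#       /CERTTEMPLATE embeds a machine certificate issued from the named template
djoin.exe /PROVISION /DOMAIN contoso.com /MACHINE DA-CLIENT01 `
    /POLICYNAMES "DirectAccess Client Settings" `
    /ROOTCACERTS `
    /CERTTEMPLATE "DirectAccessClient" `
    /SAVEFILE C:\odj\DA-CLIENT01.txt

# --- Move DA-CLIENT01.txt to the client out of band (USB, secure file transfer, ...).
#     The file holds the machine account password and a certificate with its private key:
#     protect it like a credential and delete it after use.

# --- On the not-yet-joined machine (elevated), apply the blob to the running OS:
djoin.exe /REQUESTODJ /LOADFILE C:\odj\DA-CLIENT01.txt /WINDOWSPATH $env:SystemRoot /LOCALOS
Remove-Item C:\odj\DA-CLIENT01.txt
# Reboot. DirectAccess brings the tunnel up with the embedded certificate and policy, and the
# join completes without the machine ever being on the corporate LAN.

# --- Verify after the reboot:
(Get-CimInstance Win32_ComputerSystem).PartOfDomain     # expect True
Get-DAConnectionStatus                                   # NetworkConnectivityStatus module (Windows 8+)
```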

Recycle Bin User Interface

  • Solution
    • simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center
      • deleted objects can now be recovered within the graphical user interface (previously only via the Restore-ADObject cmdlet or ldp.exe)
      • the Recycle Bin optional feature still has to be enabled first (forest functional level 2008 R2 or higher) and enabling it is irreversible
    • greatly reduces recovery time by providing a discoverable, consistent view of deleted objects
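The same operations the Deleted Objects node drives, as an added PowerShell example (mine, not the post's): enable the feature, list what is recoverable, restore one object parent-first. The forest contoso.com, the deleted user jdoe and the OU "OU=Sales,DC=contoso,DC=com" are assumed.

```powershell
# Added example; not part of the original post. Assumed: forest contoso.com, a deleted
# user "jdoe" whose original OU "OU=Sales,DC=contoso,DC=com" still exists.
Import-Module ActiveDirectory

# Recycle Bin is off by default, needs forest functional level 2008 R2+, and cannot be
# turned off again once enabled.
$forest = Get-ADForest
$minMode = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $minMode) { throw "Raise the forest functional level first" }
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# The view ADAC's Deleted Objects node shows, but scriptable. With the Recycle Bin on,
# deleted objects keep their attributes (group memberships, SID history, ...) for
# msDS-deletedObjectLifetime days instead of being stripped down to tombstones.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged
$deleted | Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize

# Restore one object. Restore-ADObject fails if the last known parent is gone: restore
# containers before their children, or redirect with -TargetPath.
$victim = $deleted | Where-Object { $_.'msDS-LastKnownRDN' -eq 'jdoe' -and $_.ObjectClass -eq 'user' }
$parent = Get-ADObject -Identity $victim.lastKnownParent -ErrorAction SilentlyContinue
if ($parent) {
    Restore-ADObject -Identity $victim.ObjectGUID
} else {
    Restore-ADObject -Identity $victim.ObjectGUID -TargetPath 'OU=Sales,DC=contoso,DC=com'
}

# Confirm the account came back with its memberships intact (the point of the Recycle Bin).
Get-ADUser jdoe -Properties MemberOf | Select-Object SamAccountName, Enabled, MemberOf
```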

Fine-Grained Password Policy


  • Solution
    • creating, editing and assigning PSOs now managed through the Active Directory Administrative Center (previously ADSI Edit, ldp.exe or the AD PowerShell cmdlets)
    • greatly simplifies management of password-settings objects; the model itself is unchanged: PSOs still apply only to users and global security groups, and the PSO with the lowest precedence wins
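The PowerShell equivalent of what the ADAC dialog does, plus the two checks worth running afterwards, as an added example (not from the post). The group Tier0-Admins, the user alice and the policy values are assumed.

```powershell
# Added example; not part of the original post. Assumed: global security group
# "Tier0-Admins", user "alice", and the policy values below.
Import-Module ActiveDirectory

# PSOs apply only to users and GLOBAL security groups, never to OUs. Among several PSOs
# that target one user the lowest Precedence wins; on a tie the lowest objectGUID wins,
# which is effectively random, so give every PSO a distinct precedence.
New-ADFineGrainedPasswordPolicy -Name 'Tier0-Admins-PSO' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

Add-ADFineGrainedPasswordPolicySubject -Identity 'Tier0-Admins-PSO' -Subjects 'Tier0-Admins'

# Check 1: what actually applies to a given user. Empty output means no PSO matched and
# the Default Domain Policy settings apply.
Get-ADUserResultantPasswordPolicy -Identity alice |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Check 2: inventory of every PSO and its targets, for review or drift detection.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        PSO        = $_.Name
        Precedence = $_.Precedence
        AppliesTo  = ($_.AppliesTo -join '; ')
    }
}
```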


Dynamic Access Control (DAC) (my favorite)


  • Solution
    • new central access policies (CAP) model
      • a CAP can only further restrict access; the NTFS DACL on the file still applies
    • new claims-based authorization platform that enhances, not replaces, the existing model
      • user claims and device claims, issued by the KDC from AD attributes
      • user + device claims = compound identity
        • traditional group memberships still take part
    • use of file-classification information (resource properties) in authorization decisions
    • modern authorization expressions, e.g.
      • conditional ACEs that AND (or OR) several conditions
      • leveraging classification and resource properties in ACLs
    • easier Access-Denied remediation experience
    • access and audit policies can be defined flexibly and simply, e.g.
      • IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor
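An end-to-end CAP build-out as an added PowerShell example (my own, not from the post or Microsoft's documentation): a user claim, the built-in Confidentiality resource property, a central access rule with a conditional ACE, and the audit counterpart of the post's "IF ... THEN audit" expression. The domain contoso.com, the attribute employeeType with values FTE/Vendor, the file server FS01 and all object names are assumed; the conditional-ACE strings follow the SDDL conditional-expression grammar as I understand it, and ADAC, which generates that SDDL for you, is the authority if yours comes out differently.

```powershell
# Added example; not from the original post. Assumed: domain contoso.com, user attribute
# employeeType populated with "FTE"/"Vendor", file server FS01 sharing D:\Projects.
# Conditional-ACE SDDL below is my rendering of the grammar; compare with what ADAC emits.
Import-Module ActiveDirectory

# 1. Group Policy prerequisites (set in GPMC, not scripted here):
#    DCs:     Computer Configuration > Policies > Administrative Templates > System > KDC >
#             "KDC support for claims, compound authentication and Kerberos armoring"
#    Clients: ... > System > Kerberos > "Kerberos client support for claims, compound
#             authentication and Kerberos armoring"
#    Without the KDC setting no claims are ever issued, and a conditional ACE that references
#    a missing claim evaluates to unknown: no access granted, no audit match. Test this path.

# 2. A user claim sourced from an existing attribute. The ID is fixed here so the SDDL
#    below is predictable; left out, AD appends a random suffix.
$values = @(
    (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('FTE',    'FTE',    'Full-time employee')),
    (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Vendor', 'Vendor', 'External vendor'))
)
New-ADClaimType -DisplayName 'EmployeeType' -SourceAttribute 'employeeType' `
    -ID 'ad://ext/EmployeeType' -AppliesToClasses user -Enabled $true -SuggestedValues $values

# 3. Enable the built-in Confidentiality resource property (Low/Moderate/High) and publish it
#    in the global list so file servers can classify files with it.
Set-ADResourceProperty -Identity 'Confidentiality_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Confidentiality_MS'

# 4. Central access rule: scoped to High-confidentiality resources, grants read/execute
#    (0x1200a9) to Authenticated Users only when the FTE claim is present. Everyone else is
#    limited by this rule regardless of what the NTFS DACL says (CAP only narrows access).
New-ADCentralAccessRule -Name 'High-Confidentiality-Rule' `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == "High")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;(@USER.ad://ext/EmployeeType == "FTE"))'

New-ADCentralAccessPolicy -Name 'High-Confidentiality-CAP'
Add-ADCentralAccessPolicyMember -Identity 'High-Confidentiality-CAP' -Members 'High-Confidentiality-Rule'

# 5. The post's audit expression, as a conditional audit ACE (XU) for Global Object Access
#    Auditing (Advanced Audit Policy Configuration > Global Object Access Auditing > File System)
#    with the File System subcategory enabled for success:
#    auditpol /set /subcategory:"File System" /success:enable
#    (XU;SA;0x1200a9;;;AU;((@RESOURCE.Confidentiality_MS == "High") && (@USER.ad://ext/EmployeeType == "Vendor")))

# 6. Publish the CAP to FS01 via GPO (Computer Configuration > Policies > Windows Settings >
#    Security Settings > File System > Central Access Policy), run gpupdate /force on FS01,
#    then attach the CAP to D:\Projects on its Advanced Security > Central Policy tab.
#    The Effective Access tab there lets you add a user claim (EmployeeType = Vendor) and a
#    device claim and shows which rule blocked access: the Access-Denied remediation view.
```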


Active Directory SnapShots


Windows Server 2012 virtual DCs detect when snapshots are applied or a VM is copied (the Virtualization-Safe Technology above)

VM-Generation ID is the key here


Virtualization on VMware

VMware has implemented the VM-GenerationID functionality

VMware ESXi 5.0 Update 2 (Build 914586) and subsequent updates to ESXi 5.0

VMware ESXi 5.1 (Build 799733) and subsequent updates to ESXi 5.1

VMware ESXi 5.5 (Build 1331820) and subsequent updates to ESXi 5.5

You’ll need VMware Tools
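The checks I would run on a virtualized DC to confirm the Virtualization-Safe Technology, the snapshot detection and the VMware support described above are actually in effect, as an added PowerShell example (not from the post). It assumes it runs on the DC itself; the device hardware ID, the msDS-GenerationId attribute and event 2170 are as Microsoft documents them, and events 2095/2103 are the long-standing USN rollback events.

```powershell
# Added example; not from the original post. Run elevated on the virtualized DC itself.
Import-Module ActiveDirectory

# 1. Does the guest see the generation counter at all? The hypervisor exposes it as an ACPI
#    device (hardware ID ACPI\VM_Gen_Counter). Windows binds the in-box driver and names the
#    device after Hyper-V even on VMware. Missing device = no rollback detection, so an ESXi
#    build older than those listed above shows up here first.
$genDev = Get-CimInstance Win32_PnPEntity | Where-Object { $_.HardwareID -like 'ACPI\VM_Gen_Counter*' }
if (-not $genDev) {
    Write-Warning 'No VM-Generation ID device: this DC will NOT detect snapshot restores or copies (USN rollback risk)'
} else {
    "Generation counter device present: $($genDev.Name)"
}

# 2. The DC keeps the ID it last saw in msDS-GenerationId on its own computer object and
#    compares it against the device on boot and before write transactions.
$dc   = Get-ADDomainController -Identity $env:COMPUTERNAME
$comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
$gen  = [byte[]]$comp.'msDS-GenerationId'
'Stored VM-Generation ID: ' + (($gen | ForEach-Object { $_.ToString('x2') }) -join '')

# 3. Evidence in the Directory Service log. 2170 = "A Generation ID change has been detected":
#    the DC applied the safeguards (RID pool discarded, invocationID reset, INITSYNC required).
#    2095/2103 on this or any other DC mean a USN rollback actually got through, i.e. exactly
#    what the feature exists to prevent; treat those as an incident.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170, 2095, 2103 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 4. The invocationID reset is visible from any DC: record it before a snapshot restore and
#    compare afterwards (repadmin /showrepl <dc> prints the same value).
$inv = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties invocationId).invocationId
if ($inv -is [byte[]]) { $inv = New-Object System.Guid -ArgumentList (, [byte[]]$inv) }
"Current invocationID: $inv"
```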


Rapid Deployment: Domain Controller Cloning


  • Solution
    • create replicas of virtualized DCs by cloning existing ones
      • i.e. copy the virtual disk through hypervisor-specific export + import operations, after the source DC has been authorized and a DCCloneConfig.xml written
    • simplify interaction and deployment dependencies between hypervisor and Active Directory admins
      • note that the authorization of clones remains under Enterprise/Domain Admins' control (the source DC must be a member of the Cloneable Domain Controllers group; a copy of an unauthorized DC just trips the VM-Generation ID safeguards)
    • a game-changer for disaster recovery
      • requires ONLY a single Windows Server 2012 virtual DC per domain to quickly recover an entire forest
      • subsequent DCs can be rapidly deployed, drastically reducing time to steady state
    • enables elastic provisioning capabilities to support private-cloud deployments, etc
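The cloning procedure end to end, as an added PowerShell example (mine, not the post's). The source DC DC02, the clone name DC03, the site HQ and the addresses are assumed; the Hyper-V cmdlets in step 4 are one hypervisor's version of the export/import the post refers to.

```powershell
# Added example; not from the original post. Assumed: source DC DC02 (virtualized, Windows
# Server 2012), clone DC03, site "HQ", static IPv4 10.0.0.13/24, gateway 10.0.0.1, DNS 10.0.0.12.
# Steps 1-3 run on DC02 as a Domain Admin; the PDC emulator must be a Windows Server 2012 DC
# that the clone can reach when it boots.
Import-Module ActiveDirectory

# 1. Authorise cloning. Only Enterprise/Domain Admins can do this, and it is the control point:
#    a hypervisor admin can copy the disk anyway, but an unauthorised copy cannot promote
#    itself and merely triggers the VM-Generation ID safeguards.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer DC02)

# 2. Software on the source that is not on the clone allow-list blocks cloning, because it
#    may not survive the hostname/SID change. Review each entry, then uninstall it or, once
#    you are sure it is clone-safe, accept it by generating CustomDCCloneAllowList.xml.
$blockers = Get-ADDCCloningExcludedApplicationList
if ($blockers) {
    $blockers | Format-Table Name, Type -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 3. Write DCCloneConfig.xml into the NTDS folder of the source. On boot, its presence is what
#    makes the copy promote itself as DC03 instead of coming up as "DC02, rolled back".
New-ADDCCloneConfigFile -CloneComputerName DC03 -SiteName HQ `
    -Static -IPv4Address 10.0.0.13 -IPv4SubnetMask 255.255.255.0 `
    -IPv4DefaultGateway 10.0.0.1 -IPv4DNSResolver 10.0.0.12
# Omit -CloneComputerName and -Static for an auto-generated name and DHCP.

# 4. On the hypervisor, not in AD: shut DC02 down, export it, import the export as a NEW VM
#    with a new ID, start DC02 first, then the copy. Hyper-V version:
#    Stop-VM DC02
#    Export-VM DC02 -Path C:\Export
#    Import-VM -Path 'C:\Export\DC02\Virtual Machines\<vm-guid>.xml' -Copy -GenerateNewId -VhdDestinationPath C:\VMs\DC03
#    Start-VM DC02; Start-VM <imported VM>
#    The clone sees a changed VM-Generation ID plus DCCloneConfig.xml and runs the clone
#    promotion (one extra reboot). The file is consumed, so a second copy would need a new one.

# 5. Verify from any DC once DC03 has finished:
#    Get-ADDomainController -Identity DC03 | Select-Object HostName, Site, IsGlobalCatalog, IPv4Address
#    repadmin /showrepl DC03
#    and remove DC02 from Cloneable Domain Controllers again when you are done cloning.
```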
