Are there changes in AD Domain Services in Windows 2012? Andrzej Kokociński, andrzej@kokocinski.com.pl
![Page 2: Czy są zmiany w AD Domain Services Windows 2012 Andrzej Kokociński andrzej@kokocinski.com.pl](https://reader036.vdocuments.mx/reader036/viewer/2022070411/56649f3e5503460f94c5def1/html5/thumbnails/2.jpg)
Agenda
• Old time AD 2008/2003
• Virtualized Domain Controllers
• Domain Controller Cloning
• Active Directory Administrative Center
• Recycle Bin
• Background
– common virtualization operations such as backing up/restoring Active Directory can introduce USN bubbles leading to permanently divergent state causing:
• lingering objects
• inconsistent passwords
• inconsistent attribute values
• schema mismatches if the Schema FSMO is rolled back
– the potential also exists for security principals to be created with duplicate SIDs
How Domain Controllers are Impacted
Impact to replication
Introduces USN bubbles leading to a (potentially permanent) divergent state causing:
• lingering objects
• inconsistent passwords
• inconsistent attribute values
• schema mismatches if the Schema FSMO is rolled back
Potential exists for security principals to be created with duplicate SIDs
• resulting in unauthorized access to resources for a period of time
• ultimately, though, the affected users will no longer be able to logon
Windows Server 2012 provides the following functionality for virtual domain controllers:
• Safe cloning
• Safe snapshot restore
Implementing virtualized domain controllers provides the following benefits:
• Rapid domain controller deployment
• Scalable provisioning of domain controllers
• Quick replacement or recovery of domain controllers
• Easy provisioning of test environments
VM-GenerationID
You can safely clone an existing virtual domain controller by:
1. Creating a DcCloneConfig.xml file and storing it in the AD DS database location
2. Taking the VDC offline and exporting it
3. Creating a new virtual machine by importing the exported VDC
[Diagram: DcCloneConfig.xml to AD DS database location, then Export the VDC, then Import the VDC]
Domain Controller Cloning
1. Identify suitable source virtual DC
2. Authorize source DC by adding it to ‘Cloneable Domain Controllers’ group
• Pre-provisioned with Control Access Right (CAR) on domain-NC object (domain head)
3. Run New-ADDCCloneConfigFile
• Verifies pre-requisites, e.g. PDC FSMO is running Windows Server 2012 (more later on this)
• Verifies authorization (by checking group membership)
• Lets you specify name, IP address, DNS servers, site, etc.
• Provide an empty file to auto-generate values
• Sample file provided in box at %windir%\system32\SampleDCCloneConfig.xml
• Schema file provided in box at %windir%\system32\DCCloneConfigSchema.xsd
4. Run Get-ADDCCloningExcludedApplicationList [-generateXML]
5. Shutdown and export source DC
6. Restart source DC
7. Import clone of source DC as many times as desired and start clone VMs
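The three-step overview and the seven-step list above are the same procedure; here it is as one PowerShell session. This is an added example, not code from the slides or from Microsoft: the source DC 'DC01', the clone name 'DC02', the 10.0.0.0/24 addresses, the site name, the export path and the Hyper-V host are all placeholders, and the cmdlets used are the ones the slides name plus the standard Hyper-V module. Step 4 is run before step 3 here so that the config-file step is not attempted while an unreviewed application is still on the excluded list.

```powershell
# Added example, not from the slide deck. Placeholders: source DC 'DC01',
# clone 'DC02', 10.0.0.0/24 addressing, export path D:\Exports, Hyper-V host.
Import-Module ActiveDirectory

$sourceDc = 'DC01'   # placeholder: the virtual DC chosen in step 1

# Step 2 (any machine with rights on the domain head): authorize the source DC.
# Membership in this group carries the "Allow a DC to create a clone of itself"
# control access right that the PDC emulator checks before it will help a clone.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity $sourceDc)

# Step 4 (on the source DC): software not on the default clone allow list.
# Review every entry first; agents that hold machine-specific identities or
# keys must be removed, not allow-listed, because the clone would duplicate them.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    # Only after review: write CustomDCCloneAllowList.xml for the remaining entries.
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# Step 3 (on the source DC): write DCCloneConfig.xml into the DIT folder.
# The cmdlet verifies the PDC emulator runs Windows Server 2012 and that this
# DC is in Cloneable Domain Controllers. A fixed name and static address keep
# DNS registration and site placement of the clone predictable.
New-ADDCCloneConfigFile -CloneComputerName 'DC02' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' `
    -SiteName 'Default-First-Site-Name'

# Steps 5 and 6 (on the Hyper-V host): export needs the VM off; start the
# source again as soon as the export finishes so it resumes replicating.
Stop-VM -Name $sourceDc
Export-VM -Name $sourceDc -Path 'D:\Exports'
Start-VM -Name $sourceDc

# Step 7: import the export as a new VM. -GenerateNewId gives it a new VM
# identity, so the hypervisor hands it a fresh VM-GenerationID; at first boot
# the DC sees the changed ID together with DCCloneConfig.xml and takes the
# clone path (new name, new invocation ID, fresh RID pool) instead of the
# snapshot-restore path. Repeat this block once per clone wanted.
$exportedConfig = 'D:\Exports\DC01\Virtual Machines\<PLACEHOLDER-VM-GUID>.xml'
$clone = Import-VM -Path $exportedConfig -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\DC02' -VhdDestinationPath 'D:\VMs\DC02'
Rename-VM -VM $clone -NewName 'DC02'
Start-VM -VM $clone
```

Two things to check after the clone boots: that the source DC came back online with its original identity (it was only exported, never re-imported), and that the new DC appears under its new name in the Domain Controllers OU with its own invocation ID, which confirms the clone path ran rather than a plain duplicate starting up.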
Virtualization-Safe Technology
• Virtual DCs use a VM GenerationID
• Whenever a snapshot is rolled back, GenerationID is changed
• DC checks during reboot, and for each write in DIT
• If changed, protection steps are initiated
Requirements
• Windows Server 2012 DCs hosted on hypervisor platform that supports GenerationID:
• Hyper-V 3.0
• 3rd-party Hypervisors
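A DC's saved copy of the VM-GenerationID lives in the msDS-GenerationId attribute of its own computer object, and each detected change is written to the Directory Service event log. The following is an added example (not from the slides) for checking both on a Windows Server 2012 DC; it assumes the ActiveDirectory module is present and filters the log by message text rather than by event number so that no specific event IDs have to be assumed.

```powershell
# Added example, not from the slide deck. Run on a Windows Server 2012 DC.
Import-Module ActiveDirectory

function Get-DcGenerationIdStatus {
    # msDS-GenerationId on the DC's own computer object is the value of the
    # hypervisor's VM-GenerationID that the DC saved at its last check.
    $dc = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId'
    $stored = $dc.'msDS-GenerationId'
    if ($null -eq $stored) {
        # Physical DC, or a hypervisor that does not expose VM-GenerationID:
        # the rollback and clone safeguards described above are not active here,
        # so snapshot restores of this DC are as dangerous as on 2008 R2.
        return [pscustomobject]@{ Computer = $dc.Name; GenerationId = $null; Protected = $false }
    }
    # The attribute is an octet string; render it as hex for comparison over time.
    $hex = ($stored | ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{ Computer = $dc.Name; GenerationId = $hex; Protected = $true }
}

function Get-GenerationIdChangeEvents {
    param([int]$Days = 30)
    # Every time the DC notices a new VM-GenerationID it logs what it found and
    # what it did (new invocation ID, discarded RID pool, SYSVOL re-sync).
    # Hits outside a planned restore or clone window mean a snapshot was
    # applied to a production DC and are worth an incident ticket.
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Generation ?ID' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

Get-DcGenerationIdStatus
Get-GenerationIdChangeEvents -Days 30
```

Recording the hex value from Get-DcGenerationIdStatus after each planned maintenance makes later comparisons trivial: a different value with no matching change record is exactly the situation the slide's "protection steps" exist for.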
• Active Directory administration snap-ins consist of four different MMC consoles:
• Active Directory Users and Computers
• Active Directory Sites and Services
• Active Directory Domains and Trusts
• Active Directory Schema
• Active Directory Administrative Center is a task-oriented tool based on Windows PowerShell
Recycle Bin User Interface
Introduced with Windows Server 2008 R2, allows administrators to recover deleted objects such as users, groups, OUs
• Typically high-priority
In the past, IT pros were required to enable and use the Recycle Bin through PowerShell commands
• Complex, not easy to remember or use
• Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime
• Uses Windows PowerShell with Active Directory Module or the Active Directory Administrative Center to restore objects
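The PowerShell route the slide refers to, as an added example that is not part of the deck: enabling the optional feature once per forest and restoring a deleted user together with any deleted parent containers. The forest name 'corp.example.com' and the account 'jsmith' are placeholders; the cmdlets are the standard ActiveDirectory module ones.

```powershell
# Added example, not from the slide deck. Placeholders: forest corp.example.com,
# deleted user jsmith. Requires forest functional level 2008 R2 or higher.
Import-Module ActiveDirectory

$forest = 'corp.example.com'   # placeholder forest root

# Enabling the Recycle Bin is irreversible, so check before calling Enable.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

function Get-DeletedObjects {
    # Deleted objects keep their attributes (including SID and group links)
    # while in the Recycle Bin, which is why a restore gives the old access back.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectSid |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, objectSid
}

function Restore-WithParents {
    param([Parameter(Mandatory)] $DeletedObject)
    # Restore-ADObject puts an object back under lastKnownParent; if that OU
    # was deleted in the same operation it has to be restored first, top-down.
    $parent = Get-ADObject -Identity $DeletedObject.lastKnownParent `
        -IncludeDeletedObjects -Properties isDeleted, lastKnownParent
    if ($parent.isDeleted) { Restore-WithParents -DeletedObject $parent }
    Restore-ADObject -Identity $DeletedObject
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)][string] $SamAccountName)
    $filter = 'sAMAccountName -eq "{0}" -and isDeleted -eq $true' -f $SamAccountName
    $user = Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $user) { throw "No deleted object with sAMAccountName $SamAccountName" }
    Restore-WithParents -DeletedObject $user
    # Confirm the SID survived: same SID means existing ACLs apply again.
    Get-ADUser -Identity $SamAccountName -Properties memberOf |
        Select-Object Name, DistinguishedName, SID, memberOf
}

Get-DeletedObjects | Format-Table -AutoSize
Restore-DeletedUser -SamAccountName 'jsmith'
```

Because the restored account comes back with its original SID and group memberships, a restore is also a re-grant of access; treating it as a change that needs the same approval as the original provisioning avoids quietly reviving an account that was deleted on purpose.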
Fine-Grained Password Policy UI
Introduced with Windows Server 2008, allows more granular management of password policies
• Manually create password-settings objects (PSOs)
In the past, IT pros were required to enable and use Fine-Grained Password Policies through ADSIEDIT or by importing LDIF files
• Complex, time consuming, not easy to remember or use
• Windows Server 2012 provides two tools for configuring PSOs
• Windows PowerShell cmdlets
• New-ADFineGrainedPasswordPolicy
• Add-ADFineGrainedPasswordPolicySubject
• Active Directory Administrative Center
• Graphical user interface
• Uses Windows PowerShell cmdlets to create and manage PSOs
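The two cmdlets the slide names, used end to end in an added example that is not from the deck: a stricter PSO for privileged accounts, applied to a group, then verified on one member. The PSO name, the group 'Tier0-Admins' and the user 'admin.jsmith' are placeholders; the settings are illustrative values, not a recommendation from the slides.

```powershell
# Added example, not from the slide deck. Placeholders: PSO 'PSO-Tier0',
# global security group 'Tier0-Admins', user 'admin.jsmith'.
Import-Module ActiveDirectory

# Lower precedence wins when several PSOs apply to the same user, so give the
# strictest policy the lowest number. PSOs can only target users and global
# security groups; linking one to an OU or a domain local group silently does nothing.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0' -Subjects 'Tier0-Admins'

function Get-PsoReport {
    # Inventory of every PSO with what it applies to; useful both for review
    # and for spotting a PSO that quietly weakens the domain default.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
            LockoutThreshold, ReversibleEncryptionEnabled, AppliesTo
}

function Test-EffectivePolicy {
    param([Parameter(Mandatory)][string] $SamAccountName)
    # The resultant policy is what the DC actually enforces for this user;
    # $null means no PSO matched and the Default Domain Policy applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $pso) { return "$SamAccountName : default domain password policy" }
    "$SamAccountName : $($pso.Name) (precedence $($pso.Precedence), min length $($pso.MinPasswordLength))"
}

Get-PsoReport | Format-Table -AutoSize
Test-EffectivePolicy -SamAccountName 'admin.jsmith'
```

Running Get-PsoReport after anyone edits a PSO in the Administrative Center is the quickest way to notice a policy that was created with ReversibleEncryptionEnabled set or with a precedence that lets a weaker PSO outrank the intended one.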
Questions???