Windows Server 2012 Active Directory – What’s New?

Hello Folks,

Today we will look at some of the new features and enhancements in Active Directory with Windows Server 2012.

As usual, I suggest you download the evaluation of Windows Server 2012 and use the info in this post to set up your own lab and start exploring what’s new in Active Directory.

Let’s get going…

Here are the points that, in my own opinion, are the most impactful enhancements to AD:

  • Virtualization That Just Works
    • Applying a snapshot to a DC
    • Domain Controller cloning capabilities
  • Simplified deployment of Active Directory
  • Simplified Administration of Active Directory
    • Active Directory Recycle Bin
    • Fine-grained password policies
    • The Windows PowerShell History Viewer
    • Dynamic Access Control


Let’s look at these in more detail.

Virtualization That Just Works

Virtual environments present unique challenges to distributed workloads, such as Active Directory domain services (AD DS), that depend upon logical clock-based replication schemes.

AD DS replication uses a monotonically increasing value assigned to transactions on each domain controller (known as a USN or Update Sequence Number). Each domain controller’s database instance is also given an identity, known as an InvocationID. The InvocationID of a domain controller and its USN together serve as a unique identifier associated with every write-transaction performed and must be unique within the forest. AD DS replication uses InvocationID and USNs to determine what changes need to be replicated to other domain controllers. If a domain controller is rolled back in time and a USN is reused for an entirely different transaction, replication will not converge since other domain controllers will believe they have already received the updates associated with the re-used USN.

Virtual machines make it too easy for administrators to roll back a domain controller’s USNs (its logical clock) by, for example, applying a snapshot outside of the domain controller’s awareness.  That one was a BAD thing to do… Until now…

In Windows Server 2012, AD DS relies on the hypervisor platform to expose an identifier called VM GenerationID to detect whether a virtual machine has been rolled back in time. The design uses a hypervisor-agnostic mechanism for surfacing the VM GenerationID inside the virtual machine.

Before completing any transaction, AD DS first reads the value of this identifier and compares it against the last value stored in the directory. A mismatch is interpreted as a ‘rollback’, and the domain controller employs safeguards new to Windows Server 2012: it resets its InvocationID and discards its RID pool. From this point forward, all transactions are associated with the domain controller’s new InvocationID. Since other domain controllers do not recognize the new InvocationID, they conclude that they have not already seen these USNs and accept the updates identified by the new InvocationID and USNs, allowing the directory to converge.

This does not mean that you should snapshot to your heart’s content from now on…  Snapshots should never be used as a backup mechanism.  EVER!!!
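As an added example (not code from the original post), here is a small PowerShell audit that records each DC’s InvocationID and VM GenerationID and warns when either changes between runs, so a rollback that triggered the safeguard described above is noticed rather than silently absorbed. It assumes the RSAT ActiveDirectory module, an account that can read every DC, and a baseline file path of your choosing.

```powershell
Import-Module ActiveDirectory

$BaselinePath = 'C:\ADAudit\dc-identity-baseline.json'   # assumed path

function Get-DcReplicationIdentity {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # msDS-GenerationId is non-replicated, so read it from the DC itself; it is only
        # populated on a virtual DC whose hypervisor exposes VM GenerationID.
        $comp  = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId' -Server $dc.HostName
        $bytes = $comp.'msDS-GenerationId'
        $genId = if ($bytes) { ($bytes | ForEach-Object { $_.ToString('x2') }) -join '' } else { 'not exposed' }
        [pscustomobject]@{
            Name         = $dc.HostName
            InvocationId = $dc.InvocationId.ToString()
            GenerationId = $genId
        }
    }
}

$current = @(Get-DcReplicationIdentity)

if (Test-Path $BaselinePath) {
    $baseline = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)
    foreach ($dc in $current) {
        $old = $baseline | Where-Object { $_.Name -eq $dc.Name }
        if (-not $old) { Write-Warning "$($dc.Name): not in baseline (new DC?)"; continue }
        if ($old.InvocationId -ne $dc.InvocationId) {
            # A new InvocationID means the DC reset its replication identity: either the
            # VM GenerationID safeguard fired or the DC was restored from backup.
            Write-Warning "$($dc.Name): InvocationID changed $($old.InvocationId) -> $($dc.InvocationId); review the Directory Service event log"
        }
        if ($old.GenerationId -ne $dc.GenerationId) {
            Write-Warning "$($dc.Name): VM GenerationID changed; a snapshot was applied or the VM was copied"
        }
    }
}
else {
    Write-Host "No baseline found; writing the first one to $BaselinePath"
}

New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
$current | ConvertTo-Json | Set-Content $BaselinePath
```

Run it on a schedule; an InvocationID change that nobody can match to a planned restore is worth a closer look.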

The other virtualization enhancement we introduced in Windows Server 2012 is the Virtualized domain controller cloning capabilities.  It enables administrators to create a clone of a virtualized domain controller. With virtualized domain controller cloning, administrators can now promote a single virtual domain controller per domain and rapidly deploy all additional replica virtual domain controllers through cloning. Administrators no longer have to repeatedly deploy a sysprepped server image, promote the server to a domain controller and then complete additional configuration requirements for every replica domain controller.
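The preparation side of that cloning workflow, as an added example (not the post’s own code): it runs on the source virtual DC and assumes the clone name, site and IP addresses shown are placeholders and that the PDC emulator already runs Windows Server 2012.

```powershell
Import-Module ActiveDirectory

$SourceDc  = $env:COMPUTERNAME          # run this on the source virtual DC
$CloneName = 'DC02'                     # assumed name for the clone
$Site      = 'Default-First-Site-Name'  # assumed site for the clone

# 1. Authorisation: only members of this group may be cloned. Add the source DC just
#    before cloning and remove it afterwards so the group does not stay populated.
$sourceComputer = Get-ADComputer -Identity $SourceDc
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $sourceComputer

# 2. Every installed service/application must be known clone-safe; anything else blocks cloning.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    Write-Warning 'These installed items are not on the clone allow-list; review each one first:'
    $excluded | Format-Table -AutoSize
    # Only once reviewed, record them in CustomDCCloneAllowList.xml with:
    #   Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    return
}

# 3. Write DCCloneConfig.xml; this also checks that the PDC emulator runs Windows Server 2012.
#    The clone reads the file at first boot and promotes itself with the new identity.
New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName $Site `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# 4. Shut this VM down, copy or export its disk into a new VM on the host and start the new VM
#    (on a Hyper-V host, for example, Export-VM followed by Import-VM -Copy -GenerateNewId).
# 5. Once the clone is up, drop the source DC from the group again:
#    Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $sourceComputer
```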


Simplified deployment of Active Directory.  That means that we took the scary parts out of the equation.  Really…  We did.  I’ve talked to numerous admins who told me that their AD was still at the 2003 functional level.  They have not upgraded their domain or forest because they are concerned about running ADPREP/FORESTPREP.  Well, as my friend Rick Claus so eloquently put it, “we took ADPREP behind the wood shed and shot it!”.  It’s gone, it’s dead.  The changes it used to make are now done by a “prerequisite check” that happens in the new wizard and its background PowerShell process.  The same applies to the DCPROMO tool: the name has been kept but the process is all brand new.

DCs can be deployed rapidly and remotely on multiple machines from a single Windows 8 machine, from a Windows Server 2012 console, or from a PowerShell command window.
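The remote, multi-machine promotion just described, as an added example (not code from the original post): it assumes WinRM is enabled on the targets, that ‘contoso.com’ and the server names are placeholders, and that the credential supplied is a Domain Admin.

```powershell
$Targets  = 'SRV-DC02', 'SRV-DC03'          # assumed names of the servers to promote
$Domain   = 'contoso.com'                   # assumed domain
$Cred     = Get-Credential "$Domain\Administrator"
$DsrmPass = Read-Host -AsSecureString 'DSRM password for the new DCs'

Invoke-Command -ComputerName $Targets -Credential $Cred -ArgumentList $Domain, $Cred, $DsrmPass -ScriptBlock {
    param($Domain, $Cred, $DsrmPass)

    # The role install plus the promotion cmdlet replace the old dcpromo + ADPREP steps;
    # the prerequisite check (schema/domain prep included) runs inside the cmdlet.
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

    # Dry run first: this surfaces the same prerequisite failures the wizard would show,
    # without touching the domain.
    $check = Test-ADDSDomainControllerInstallation -DomainName $Domain -Credential $Cred `
                 -SafeModeAdministratorPassword $DsrmPass -InstallDns
    if ($check.Status -ne 'Success') {
        Write-Warning "$env:COMPUTERNAME prerequisite check failed: $($check.Message)"
        return
    }

    # Real promotion. The server reboots when it finishes, which ends this remote session.
    Install-ADDSDomainController -DomainName $Domain -Credential $Cred `
        -SafeModeAdministratorPassword $DsrmPass -InstallDns -Force
}
```

Keeping the DSRM password unique per DC and stored in your password vault is still your job; the cmdlet only consumes it.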

Here are other examples of simplified deployment enhancements:

[Image: simplified deployment enhancements]

Simplified Administration of Active Directory.  The Active Directory Administrative Center (ADAC) has been enhanced to support graphical management of the Active Directory Recycle Bin and Fine-Grained Password Policies. Prior to Windows Server 2012, these activities required the use of the ADSI Edit tool, which was cumbersome and non-intuitive.  The Windows PowerShell History Viewer and the ability to deploy Dynamic Access Control have also been added to the ADAC.

Active Directory Recycle Bin:  When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion.  For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains. Active Directory Recycle Bin works for both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) environments.
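Enabling the Recycle Bin and restoring a deleted user with its memberships intact, as an added example (not the post’s own code). It assumes forest ‘contoso.com’ and user ‘jdoe’ are placeholders and that you run it as an Enterprise Admin.

```powershell
Import-Module ActiveDirectory
$Forest = 'contoso.com'   # assumed forest

# Enabling the feature is one-way (it cannot be switched off again), and it needs a forest
# functional level of at least Windows Server 2008 R2 (ADForestMode value 4).
$forest = Get-ADForest -Identity $Forest
if ([int]$forest.ForestMode -lt 4) { throw "Forest functional level $($forest.ForestMode) is too low" }
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $Forest -Confirm:$false

# Deleted objects now keep their attributes for the deleted-object lifetime (180 days by default).
# Exclude the container itself, which is also flagged isDeleted.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
               -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Deleted objects are renamed "<cn>\0ADEL:<guid>", so look them up by sAMAccountName, not by name.
$user = Get-ADObject -Filter 'sAMAccountName -eq "jdoe"' -IncludeDeletedObjects
if ($user -and $user.Deleted) {
    # Restores to lastKnownParent; no need to rebuild group memberships afterwards.
    Restore-ADObject -Identity $user.ObjectGUID
    Get-ADUser -Identity 'jdoe' -Properties memberOf | Select-Object -ExpandProperty memberOf
}
```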

Fine-grained password policies:  You can use fine-grained password policies to specify multiple password policies within a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.  For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.
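The “stricter settings for privileged accounts” case above, as an added example (not code from the original post); the group ‘Tier0-Admins’ and user ‘jdoe’ are placeholders.

```powershell
Import-Module ActiveDirectory

# When a user falls under several PSOs, the one with the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -Description 'Stricter settings for Tier 0 administrators'

# PSOs apply to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Tier0-Admins'

# Check which policy actually governs an account; $null means the Default Domain Policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($effective) { "jdoe is governed by $($effective.Name) (precedence $($effective.Precedence))" }
else            { 'jdoe falls back to the Default Domain Policy' }

# Audit view: every PSO with its subjects, so a weaker PSO that outranks the strict one stands out.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Precedence = $_.Precedence
        MinLength  = $_.MinPasswordLength
        Lockout    = $_.LockoutThreshold
        Subjects   = (Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name |
                      Select-Object -ExpandProperty Name) -join ', '
    }
} | Sort-Object Precedence | Format-Table -AutoSize
```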

The Windows PowerShell History Viewer displays the Windows PowerShell commands that run when a task is performed through the user interface.  In Windows Server 2012, administrators can use the Active Directory Administrative Center to learn the Windows PowerShell for Active Directory cmdlets: as actions are executed in the user interface, the equivalent Windows PowerShell for Active Directory command is shown in the Windows PowerShell History Viewer. These commands can then be copied and reused in administrators’ scripts. This reduces the time needed to learn Windows PowerShell for Active Directory and increases confidence that automation scripts are correct.  The history is kept in memory only; if you want to preserve it, archive it with Start-Transcript and Stop-Transcript.

Dynamic Access Control:   It allows the organization to use the information in AD to calculate permissions for access to data, which helps organizations meet data-compliance requirements.  DAC uses the following information:

  • Who the user is
  • What device they are using, and
  • What data is being accessed

in an expression-based access policy to calculate access.  Here is an example: 

Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)


In Windows Server 2012, we also made improvements to Group Policies, (I’m working on another post just on GPOs that should be out very soon).

For more information on the added Active Directory value please see the following:


And if you have time you can view Rick Claus’ session at TechEd New Zealand “What's New in Active Directory in Windows Server 2012” below.

As always, I want to hear from you.  Is there a feature you want me to explore for you?  Just leave a comment, or email us at CDN-ITPro-Feedback@microsoft.com and we’ll get right on it.

Cheers!


Pierre Roman, MCITP, ITIL | Technology Evangelist