Microsoft invested three years of development time in Windows Server 2012 and introduced a slew of Active Directory features, including claims-based authorization to files and folders, a new licensing solution, virtualization-safe Domain Controllers, Kerberos armoring, cross-forest KCD and group Managed Service Accounts (gMSAs). I published a whitepaper on this last year.
Hot on the heels of the release of Windows Server 2012, Microsoft released Windows Server 2012 R2. Given Microsoft’s software development cycles, you might not expect a lot of improvements in Windows Server 2012 R2: between Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012, the product teams at Microsoft always had a large amount of time available to plan features, build them and test them thoroughly in many different implementation scenarios.
I was skeptical myself, especially given the work that had gone into Windows Server 2012; that work alone justifies the ‘major revision’ moniker in terms of Active Directory… The opposite turned out to be true, however: Windows Server 2012 R2 introduces many new Active Directory and identity-related features.
I will show you these new features in this article series, along with their possibilities and impossibilities, the way you can benefit from them in your own networking environment, their common pitfalls and, of course, basic best practices for deployment and management.
In this first post, I’m providing an overview of the features.
This way, you can quickly see which features may be relevant to you and your situation, and, thus, should be the ones you might want to check out first.
Although Active Directory is not an insecure product or technology, Microsoft has made some nice security improvements that will draw the attention of every CIO:
LSASS.exe memory protection
One of the favorite demos in the Security tracks of TechEd has been to inject cached password hashes back into the Local Security Authority. Lsass.exe, the Local Security Authority process, was one of the places from which malicious people could take password hashes. In Windows Server 2012 R2 and Windows 8.1, Microsoft has built a memory protection feature that helps to remove cached password hashes.
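The memory protection described above ships as the “run LSASS as a protected process” (RunAsPPL) setting. The following PowerShell is an added example, not code from the original article: it reports whether a Windows Server 2012 R2 or Windows 8.1 host already runs LSASS protected, turns on the audit mode Microsoft documents for finding LSA plug-ins that would fail to load, and only then enables the protection. It assumes an elevated session with local administrator rights; the registry paths and event IDs are the documented ones, the function names are my own.

```powershell
# Added example (not from the original article). Run elevated on the host you audit.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$auditKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\LSASS.exe'

function Get-LsaProtectionState {
    # RunAsPPL = 1 means LSASS is started as a protected process after reboot.
    $cfg = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL
    # Wininit logs System event 12 ("LSASS.exe was started as a protected process") at boot.
    $boot = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'LSASS.exe was started as a protected process' } |
            Select-Object -First 1
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RunAsPPLConfigured = [int]($cfg -eq 1)
        RunningProtected  = [bool]$boot
    }
}

function Enable-LsaProtectionAudit {
    # AuditLevel = 8 logs CodeIntegrity events 3065/3066 for plug-ins that would be
    # blocked once protection is on, without blocking anything yet.
    New-ItemProperty -Path $auditKey -Name 'AuditLevel' -PropertyType DWord -Value 8 -Force | Out-Null
}

function Get-LsaPluginAuditEvents {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Enable-LsaProtection {
    # Takes effect on the next reboot. On UEFI systems with Secure Boot the setting is
    # also persisted in a UEFI variable and cannot be undone by deleting the value alone,
    # so finish the audit pass before calling this.
    New-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning "RunAsPPL set on $env:COMPUTERNAME; reboot required."
}

# Typical order: inspect, audit for a while, review, then enable.
Get-LsaProtectionState
Enable-LsaProtectionAudit
Get-LsaPluginAuditEvents
# Enable-LsaProtection   # uncomment once the audit log shows no blocked plug-ins
```

Run the audit step on a representative Domain Controller and member server first; any third-party credential provider or password filter that shows up in events 3065/3066 will stop loading once LSASS is protected, which is exactly the kind of surprise you want to find in a lab rather than in production.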
Protected Users
The Protected Users group is a new security group that accommodates the security needs of privileged user accounts. When a user or a group of users is made a member of the Protected Users security group, a series of non-configurable security measures are applied, including blocking authentication with older and weaker authentication protocols and blocking the use of older and weaker encryption types.
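Because the measures are non-configurable, the work is in choosing which accounts go in and checking the prerequisites first. The script below is an added example (not from the original article) that onboards a list of privileged accounts into Protected Users with the checks a practitioner would want: it warns when the domain functional level is too low for the Domain Controller-side protections, skips accounts that carry Service Principal Names (service accounts lose delegation and RC4 and tend to break), and flags accounts whose password predates a constructed age threshold so they can be reset to guarantee AES keys. It assumes the RSAT ActiveDirectory module and rights to change group membership; the account names are constructed.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$candidates = @('tier0-admin-a', 'tier0-admin-b')   # constructed sample account names
$passwordAgeLimit = (Get-Date).AddYears(-1)          # constructed threshold, tune to your history

function Test-ProtectedUsersDomainReady {
    # The DC-side protections (no NTLM, no RC4, no delegation, 4-hour TGT) need the
    # Windows Server 2012 R2 domain functional level; below that only client-side
    # protections on Windows 8.1 / 2012 R2 members apply.
    $domain = Get-ADDomain
    $ready = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
    if (-not $ready) {
        Write-Warning "Domain functional level is $($domain.DomainMode); raise it to Windows2012R2Domain for full protection."
    }
    return $ready
}

function Add-ToProtectedUsers {
    param([string[]]$SamAccountNames)
    foreach ($sam in $SamAccountNames) {
        $u = Get-ADUser -Identity $sam -Properties PasswordLastSet, ServicePrincipalName -ErrorAction Stop
        if ($u.ServicePrincipalName) {
            Write-Warning "$sam has SPNs; service accounts do not belong in Protected Users. Skipping."
            continue
        }
        # Kerberos keys are derived when the password is set; an old password may lack
        # AES keys, and once RC4 is refused the account cannot log on at all.
        if ($u.PasswordLastSet -lt $passwordAgeLimit) {
            Write-Warning "$sam password last set $($u.PasswordLastSet); reset it before relying on AES-only logon."
        }
        Add-ADGroupMember -Identity 'Protected Users' -Members $u
        Write-Host "Added $sam to Protected Users"
    }
}

function Get-ProtectedUsersMembers {
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object Name, SamAccountName, objectClass
}

Test-ProtectedUsersDomainReady | Out-Null
Add-ToProtectedUsers -SamAccountNames $candidates
Get-ProtectedUsersMembers
```

Start with one or two administrative accounts rather than the whole Domain Admins group, and have the affected admins sign out and back in: an existing session keeps its old TGT until it expires, so the restrictions (and any breakage) only show up on the next fresh logon.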
Authentication Policies and Authentication Policy Silos
Authentication Policies and Authentication Policy Silos are another means to secure an Active Directory-based environment. In contrast to the limited ‘Log on to:’ management capabilities in previous versions of Windows, with Authentication Policies and Authentication Policy Silos you can define a group of computers to which a user, or a group of users, can log on.
… and there’s more: you can also control the TGT lifetime, the criteria a device must meet, and the method used for authentication.
In terms of managing Domain Controllers, ADFS Servers and Certification Authorities (CAs), Microsoft has added some new management features.
Of course, the big news is that Windows 8.1 and Windows Server 2012 R2 come with PowerShell version 4.0. Its big feature is Desired State Configuration (DSC), but that largely doesn’t apply to Active Directory.
PowerShell 4.0 does, however, bring many more PowerShell Cmdlets to manage Active Directory. The number of Active Directory-related Cmdlets grows from 135 in Windows Server 2012 to 147 in Windows Server 2012 R2, so twelve new Cmdlets have been introduced. These new Cmdlets allow you to manage the previously mentioned Authentication Policies and Authentication Policy Silos through PowerShell; because the Windows Server 2012 R2 Active Directory Administrative Center (dsac.exe) uses the same Cmdlets under the hood, its Windows PowerShell History viewer shows you the exact commands it runs.
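To make the Authentication Policy and Silo feature from the security section concrete, and to show what those twelve new Cmdlets look like in practice, here is an added example (not code from the original article) that builds a tier-0 silo: one Authentication Policy with a 4-hour TGT and an “allowed to authenticate from” condition tied to the silo, one Silo that applies that policy to users, computers and services, and the two-step membership (grant access, then assign). It assumes the Windows Server 2012 R2 domain functional level, Domain Controllers with the claims/compound authentication/Kerberos armoring KDC policy enabled, and constructed object names (Tier0-Policy, Tier0-Silo, adm01, dc01).

```powershell
# Added example (not from the original article). Requires the 2012 R2 ActiveDirectory module.
Import-Module ActiveDirectory

$policyName = 'Tier0-Policy'   # constructed
$siloName   = 'Tier0-Silo'     # constructed
$users      = @('adm01')       # constructed sAMAccountNames
$computers  = @('dc01')        # constructed computer names

# SDDL with a conditional ACE: the principal being evaluated is the device the user
# authenticates from, and it must carry the silo claim. This is the same expression
# the Active Directory Administrative Center generates for a silo-bound policy.
$allowedFrom = "O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

function New-TierZeroAuthenticationPolicy {
    # Omit -Enforce on first deployment: the policy then only audits, and the DCs
    # log would-be failures so you can see who would have been locked out.
    New-ADAuthenticationPolicy -Name $policyName `
        -UserTGTLifetimeMins 240 `
        -UserAllowedToAuthenticateFrom $allowedFrom `
        -ProtectedFromAccidentalDeletion $true `
        -Enforce
}

function New-TierZeroSilo {
    New-ADAuthenticationPolicySilo -Name $siloName `
        -UserAuthenticationPolicy $policyName `
        -ComputerAuthenticationPolicy $policyName `
        -ServiceAuthenticationPolicy $policyName `
        -ProtectedFromAccidentalDeletion $true `
        -Enforce
}

function Add-TierZeroSiloMembers {
    # Both steps are required: granting access permits the assignment, assigning
    # actually stamps the account with the silo.
    $accounts = @()
    $accounts += $users     | ForEach-Object { Get-ADUser -Identity $_ }
    $accounts += $computers | ForEach-Object { Get-ADComputer -Identity $_ }
    foreach ($acct in $accounts) {
        Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
        Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $siloName
    }
}

function Get-TierZeroSiloState {
    Get-ADAuthenticationPolicySilo -Identity $siloName -Properties Members |
        Select-Object Name, Enforce, UserAuthenticationPolicy, Members
}

New-TierZeroAuthenticationPolicy
New-TierZeroSilo
Add-TierZeroSiloMembers
Get-TierZeroSiloState
```

The silo must contain the Domain Controllers (or whichever hosts are the approved logon sources) as well as the admin accounts, otherwise the “allowed to authenticate from” condition can never be satisfied and the admins lock themselves out. Deploy with the policy in audit mode first (leave out -Enforce), review the authentication policy failure events on the Domain Controllers for a few days, and only then re-run with -Enforce.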
Among the Bring-Your-Own-Device features in Windows Server 2012 R2, Workplace Join is the main Active Directory feature. It directly supplements Active Directory Federation Services-based claims-based access control, Work Folders, the Device Registration Service and the Web Application Proxy, and also brings claims-based technology to Multi-factor Authentication, System Center and Windows Intune.
Claims-based authentication is the future of Identity and Access Management (IAM). The combined family of on-premises Active Directory products and technologies (Active Directory Domain Services, Active Directory Lightweight Directory Services, Active Directory Federation Services, Active Directory Rights Management Services and Active Directory Certificate Services) and their cloud-based counterparts (Windows Azure Active Directory and Azure Active Directory Rights Management Services) aligns your networking infrastructure perfectly with this long-term trend.
Migrating an Active Directory infrastructure is a challenge, but Microsoft has made several steps significantly easier in the past few Windows Server iterations. Microsoft has (mostly) done away with dependencies on domain functional levels and forest functional levels, to make migrations, such as transitioning to new Domain Controllers and in-place upgrades of existing Domain Controllers, easier.
In the process, however, Microsoft is also doing away with older technologies that have been around since Windows 2000 Server and have carried over with every migration, unless you deliberately migrated them to their replacements.
I will cover these environment-wide improvements first, in the next part of this series. I’ll discuss the functional level implications of Windows Server 2012 R2, and will specifically dive into the FRS deprecation, which you might not have seen coming from miles away…