Are there changes in AD Domain Services Windows 2012

Are there changes in AD Domain Services Windows 2012 Andrzej Kokociński [email protected]


Transcript of Are there changes in AD Domain Services Windows 2012

Page 1: Are there changes in AD Domain Services Windows 2012

Andrzej Kokociński

[email protected]

Page 2: Agenda

• Old time AD 2008/2003
• Virtualized Domain Controllers
• Domain Controller Cloning
• Active Directory Administrative Center
• Recycle Bin

Page 3

• Background – common virtualization operations such as backing up/restoring Active Directory can introduce USN bubbles leading to permanently divergent state causing:
• lingering objects
• inconsistent passwords
• inconsistent attribute values
• schema mismatches if the Schema FSMO is rolled back
– the potential also exists for security principals to be created with duplicate SIDs

Page 4

How Domain Controllers are Impacted

Page 5

Impact to replication: introduces USN bubbles leading to a (potentially permanent) divergent state causing:
• lingering objects
• inconsistent passwords
• inconsistent attribute values
• schema mismatches if the Schema FSMO is rolled back

Potential exists for security principals to be created with duplicate SIDs
• resulting in unauthorized access to resources for a period of time
• ultimately, though, the affected users will no longer be able to log on

Page 6

Windows Server 2012 provides the following functionality for virtual domain controllers:
• Safe cloning
• Safe snapshot restore

Implementing virtualized domain controllers provides the following benefits:
• Rapid domain controller deployment
• Scalable provisioning of domain controllers
• Quick replacement or recovery of domain controllers
• Easy provisioning of test environments

Page 7

VM-GenerationID

Page 8

Page 9

You can safely clone an existing virtual domain controller by:
1. Creating a DcCloneConfig.xml file and storing it in the AD DS database location
2. Taking the VDC offline and exporting it
3. Creating a new virtual machine by importing the exported VDC

(Diagram: DcCloneConfig.xml to AD DS database location; Export the VDC; Import the VDC)

Page 10

Domain Controller Cloning

Page 11


1. Identify suitable source virtual DC
2. Authorize source DC by adding it to ‘Cloneable Domain Controllers’ group
   • Pre-provisioned with Control Access Right (CAR) on domain-NC object (domain head)
3. Run New-ADDCCloneConfigFile
   • Verifies pre-requisites, e.g. PDC FSMO is running Windows Server 2012 (more later on this)
   • Verifies authorization (by checking group membership)
   • Lets you specify name, IP address, DNS servers, site, etc.
   • Provide an empty file to auto-generate values
   • Sample file provided in box at %windir%\system32\SampleDCCloneConfig.xml
   • Schema file provided in box at %windir%\system32\DCCloneConfigSchema.xsd
4. Run Get-ADDCCloningExcludedApplicationList [-GenerateXml]
5. Shut down and export source DC
6. Restart source DC
7. Import clone of source DC as many times as desired and start clone VMs
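The preparation steps 2 to 5 above, run on the source virtual DC with the Windows Server 2012 Active Directory module, as an added example that is not part of the presentation. Computer names, site and addresses are assumed placeholders.

```powershell
# Added example (not from the presentation): prepares a source virtual DC for
# cloning. Names, site and addresses below are assumed placeholders.
Import-Module ActiveDirectory

$sourceDc = 'DC01'          # assumed source virtual DC; run this script on it
$domain   = Get-ADDomain

# Pre-requisite checked by New-ADDCCloneConfigFile: the PDC emulator must run
# Windows Server 2012 or later, because the clone contacts it to finish cloning.
$pdcName = ($domain.PDCEmulator -split '\.')[0]
$pdc = Get-ADComputer -Identity $pdcName -Properties OperatingSystem
if ($pdc.OperatingSystem -match 'Windows Server (\d{4})' -and [int]$Matches[1] -ge 2012) {
    Write-Host "PDC emulator $pdcName OK: $($pdc.OperatingSystem)"
} else {
    throw "Cloning needs the PDC FSMO on Windows Server 2012+, found '$($pdc.OperatingSystem)'"
}

# Step 2: authorize the source DC. The PDC emulator checks this membership when
# the clone boots, so it must have replicated there before the clone starts.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $sourceDc)

# Step 4: software not known to be clone-safe blocks cloning until you vet it.
# After review, -GenerateXml -Force writes CustomDCCloneAllowList.xml.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Review the list, then run: Get-ADDCCloningExcludedApplicationList -GenerateXml -Force'
}

# Step 3: write DcCloneConfig.xml into the AD DS database folder with static
# network settings for the clone (omit the parameters to auto-generate values).
New-ADDCCloneConfigFile -CloneComputerName 'DC02' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# Step 5: shut the source DC down so the VM can be exported; restart it
# afterwards (step 6) and import the export once per clone (step 7).
Stop-Computer -Force
```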

Page 12

Virtualization-Safe Technology
• Virtual DCs use a VM GenerationID
• Whenever a snapshot is rolled back, GenerationID is changed
• DC checks during reboot, and for each write in DIT
• If changed, protection steps are initiated

Requirements
• Windows Server 2012 DCs hosted on hypervisor platform that supports GenerationID:
• Hyper-V 3.0
• 3rd-party hypervisors
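A check for the requirement above, as an added example that is not part of the presentation: it confirms the hypervisor actually exposes VM-GenerationID to the DC and looks for the rollback-detection event the DC logs when the ID changes. The DC name is an assumed placeholder; event ID 2170 is the Directory Service log event Microsoft documents for a Generation ID change.

```powershell
# Added example (not from the presentation): verifies VM-GenerationID support on
# a virtual DC and looks for rollback detections. DC name is an assumed placeholder.
Import-Module ActiveDirectory

$dcName = 'DC01'   # assumed virtual DC to check

# A DC that can read VM-GenerationID stores the last value it saw in the
# msDS-GenerationId attribute of its own computer object. If the attribute is
# empty, the platform gives no GenerationID and snapshot restores are unsafe.
$dc    = Get-ADComputer -Identity $dcName -Properties 'msDS-GenerationId'
$genId = $dc.'msDS-GenerationId'
if ($null -eq $genId) {
    Write-Warning "$dcName has no msDS-GenerationId: hypervisor does not expose VM-GenerationID"
} else {
    $hex = ($genId | ForEach-Object { $_.ToString('x2') }) -join ''
    Write-Host "$dcName last saw VM-GenerationID 0x$hex"
}

# On reboot or on the next DIT write the DC compares the current ID with the
# stored one. A mismatch triggers the protection steps (RID pool discarded,
# invocation ID reset, non-authoritative SYSVOL sync) and is logged as event
# 2170 in the Directory Service log, so the event is your sign a snapshot was applied.
$events = Get-WinEvent -ComputerName $dcName -MaxEvents 20 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170 }
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "No Generation ID change events found on $dcName"
}
```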

Page 13

• Active Directory administration snap-ins consist of four different MMC consoles:
• Active Directory Users and Computers
• Active Directory Sites and Services
• Active Directory Domains and Trusts
• Active Directory Schema

Page 14

• Active Directory Administrative Center is a task-oriented tool based on Windows PowerShell

Page 15

Recycle Bin User Interface
Introduced with Windows Server 2008 R2, allows administrators to recover deleted objects such as users, groups, OUs
• Typically high-priority
In the past, IT pros were required to enable and use the Recycle Bin through PowerShell commands
• Complex, not easy to remember or use


Page 17

• Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime

• Uses Windows PowerShell with Active Directory Module or the Active Directory Administrative Center to restore objects
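The PowerShell route mentioned above, as an added example that is not part of the presentation: enable the Recycle Bin once for the forest, then restore a deleted user, restoring its deleted OU first if needed. Forest name and account name are assumed placeholders.

```powershell
# Added example (not from the presentation): enables the AD Recycle Bin and
# restores a deleted user. Account name is an assumed placeholder.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

# Enabling is a one-way change and needs Windows Server 2008 R2 forest level
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Deleted objects are hidden unless -IncludeDeletedObjects is given;
# lastKnownParent is the container Restore-ADObject puts the object back into.
$deleted = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
    -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and sAMAccountName -eq 'jdoe' }

foreach ($obj in $deleted) {
    # If the OU holding the user was deleted as well, its DN carries the
    # "\0ADEL:<guid>" marker; that container must be restored before the user.
    if ($obj.lastKnownParent -match '\\0ADEL:([0-9a-f-]+),') {
        Restore-ADObject -Identity $Matches[1]
    }
    Restore-ADObject -Identity $obj.ObjectGUID
}

# Confirm the account is back with its original DN
Get-ADUser -Identity 'jdoe' | Select-Object Name, Enabled, DistinguishedName
```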

Page 18

Fine-Grained Password Policy UI
Introduced with Windows Server 2008, allows more granular management of password policies
• Manually create password-settings objects (PSOs)
In the past, IT pros were required to enable and use Fine-Grained Password Policies through ADSIEDIT or by importing LDIF files
• Complex, time consuming, not easy to remember or use

Page 19

• Windows Server 2012 provides two tools for configuring PSOs
• Windows PowerShell cmdlets
• New-ADFineGrainedPasswordPolicy
• Add-ADFineGrainedPasswordPolicySubject
• Active Directory Administrative Center
• Graphical user interface
• Uses Windows PowerShell cmdlets to create and manage PSOs
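The two cmdlets listed above in use, as an added example that is not part of the presentation: create a stricter PSO, apply it to a group, and verify which policy a member actually receives. Policy, group and user names are assumed placeholders.

```powershell
# Added example (not from the presentation): creates and applies a PSO.
# Policy, group and user names are assumed placeholders.
Import-Module ActiveDirectory

# When several PSOs apply to one user, the lowest Precedence wins, so give
# the privileged-account policy a low number.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter policy for privileged accounts'

# PSOs apply to users and global security groups only, never to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Resultant policy for one member; $null means the Default Domain Policy applies
$rsop = Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe'
if ($rsop) {
    $rsop | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
} else {
    Write-Host 'admin.jdoe is covered by the Default Domain Policy only'
}
```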

Page 20

Questions???

Page 21

[email protected]

Thank you