
Are there changes in AD Domain Services in Windows 2012?

Are there changes in AD Domain Services in Windows 2012? Andrzej Kokociński. andrzej@kokocinski.com.pl. Agenda: Old time AD 2008/2003, Virtualized Domain Controllers, Domain Controller Cloning, Active Directory Administrative Center, Recycle Bin. Background.



Presentation Transcript


  1. Are there changes in AD Domain Services in Windows 2012? Andrzej Kokociński andrzej@kokocinski.com.pl

  2. Agenda
  • Old time AD 2008/2003
  • Virtualized Domain Controllers
  • Domain Controller Cloning
  • Active Directory Administrative Center
  • Recycle Bin

  3. Background
  • Common virtualization operations such as backing up/restoring Active Directory can introduce USN bubbles, leading to a permanently divergent state causing:
  • lingering objects
  • inconsistent passwords
  • inconsistent attribute values
  • schema mismatches if the Schema FSMO is rolled back
  • The potential also exists for security principals to be created with duplicate SIDs

  4. How Domain Controllers are Impacted

  5. Impact to replication
  • Introduces USN bubbles leading to a (potentially permanent) divergent state causing:
  • lingering objects
  • inconsistent passwords
  • inconsistent attribute values
  • schema mismatches if the Schema FSMO is rolled back
  Potential exists for security principals to be created with duplicate SIDs
  • resulting in unauthorized access to resources for a period of time
  • ultimately, though, the affected users will no longer be able to logon

  6. Windows Server 2012 provides the following functionality for virtual domain controllers:
  • Safe cloning
  • Safe snapshot restore
  Implementing virtualized domain controllers provides the following benefits:
  • Rapid domain controller deployment
  • Scalable provisioning of domain controllers
  • Quick replacement or recovery of domain controllers
  • Easy provisioning of test environments

  7. VM-GenerationID

  8. You can safely clone an existing virtual domain controller by:
  • Creating a DcCloneConfig.xml file and storing it in the AD DS database location
  • Taking the VDC offline and exporting it
  • Creating a new virtual machine by importing the exported VDC
  (Diagram: DcCloneConfig.xml placed in the AD DS database location; export the VDC; import the VDC)

  9. Domain Controller Cloning

  10. Identify suitable source virtual DC
  • Authorize source DC by adding it to the ‘Cloneable Domain Controllers’ group
  • Pre-provisioned with Control Access Right (CAR) on the domain-NC object (domain head)
  • Run New-ADDCCloneConfigFile
  • Verifies pre-requisites, e.g. PDC FSMO is running Windows Server 2012 (more later on this)
  • Verifies authorization (by checking group membership)
  • Lets you specify name, IP address, DNS servers, site, etc.
  • Provide an empty file to auto-generate values
  • Sample file provided in box at %windir%\system32\SampleDCCloneConfig.xml
  • Schema file provided in box at %windir%\system32\DCCloneConfigSchema.xsd
  • Run Get-ADDCCloningExcludedApplicationList [-GenerateXml]
  Shutdown and export source DC
  Restart source DC
  Import clone of source DC as many times as desired and start clone VMs
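The authorization, allow-list and configuration-file steps above, put together as an added PowerShell example (not code from the slides). The DC names, addresses and site name are constructed placeholders; the cmdlets are the Windows Server 2012 Active Directory module cmdlets the slide names, run on the source DC with Domain Admin rights. Membership in Cloneable Domain Controllers is the control that lets a VM become a new DC, so the example also lists the group so the membership can be reviewed and cleared when no cloning is planned.

```powershell
# Added example, not from the presentation. Placeholder values are constructed.
Import-Module ActiveDirectory

$sourceDc  = 'DC2'   # constructed: virtual DC that will be cloned
$cloneName = 'DC3'   # constructed: name the clone takes on first boot

# 1. Authorize the source DC. Only members of this group may be cloned, so the
#    membership is worth auditing: list it after the change and remove the DC
#    again once the clones have been imported.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity $sourceDc)
Get-ADGroupMember -Identity 'Cloneable Domain Controllers' |
    Select-Object Name, objectClass

# 2. Find installed software the cloning process has no knowledge of. Anything
#    listed must be removed or explicitly vetted; -GenerateXml then records the
#    vetted entries in CustomDCCloneAllowList.xml next to the NTDS database.
Get-ADDCCloningExcludedApplicationList
Get-ADDCCloningExcludedApplicationList -GenerateXml -Force

# 3. Write DCCloneConfig.xml into the AD DS database location. The cmdlet checks
#    the prerequisites (PDC emulator on Windows Server 2012, group membership,
#    empty excluded-application list) and refuses to write the file otherwise.
#    Leave out the network parameters to let the clone auto-generate its values.
New-ADDCCloneConfigFile -CloneComputerName $cloneName `
    -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11' `
    -SiteName 'Default-First-Site-Name'

# 4. Shut the source DC down, export the VM, start the source DC again, then
#    import the exported VM as a new machine as often as needed. Each clone
#    consumes DCCloneConfig.xml on its first boot and promotes itself.
Stop-Computer
```

Each import needs its own DCCloneConfig.xml (or an empty one for auto-generated values); a second clone booted with the same file would try to take the same name and address.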

  11. Virtualization-Safe Technology
  Virtual DCs use a VM GenerationID
  Whenever a snapshot is rolled back, GenerationID is changed
  DC checks during reboot, and for each write in DIT
  If changed, protection steps are initiated
  Requirements
  Windows Server 2012 DCs hosted on hypervisor platform that supports GenerationID:
  Hyper-V 3.0
  3rd-party Hypervisors
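Two checks a defender can run to confirm the safeguard described above is actually in effect, as an added example that is not part of the presentation. The DC name is a constructed placeholder. The generation ID the DC last saw is stored on its own computer object in the msDS-GenerationId attribute; when a DC detects a USN rollback it quarantines itself by setting the DSA Not Writable value under the NTDS service parameters and logging Directory Service event 2095, so the second part must run locally on the DC being checked.

```powershell
# Added example, not from the presentation. $dcName is a constructed placeholder.
Import-Module ActiveDirectory
$dcName = 'DC2'

# A DC on a hypervisor that exposes VM-GenerationID writes the value it saw at
# boot to its computer object. An empty attribute means the platform does not
# provide the ID and snapshot rollback of this DC is not protected.
$dc = Get-ADComputer -Identity $dcName -Properties 'msDS-GenerationId'
if ($dc.'msDS-GenerationId') {
    $hex = [BitConverter]::ToString($dc.'msDS-GenerationId')
    Write-Output "$dcName msDS-GenerationId: $hex"
} else {
    Write-Warning "$dcName has no msDS-GenerationId; hypervisor does not expose VM-GenerationID"
}

# Run on the DC itself: the quarantine flag set after a USN rollback detection.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$flag = (Get-ItemProperty -Path $ntds -Name 'DSA Not Writable' -ErrorAction SilentlyContinue).'DSA Not Writable'
if ($flag) {
    Write-Warning "USN rollback quarantine is active (DSA Not Writable = $flag); replication is stopped"
}

# Recent rollback-detection events, if any.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Collecting msDS-GenerationId for every DC in the forest before relying on snapshot restore is the quickest way to find DCs that sit on a hypervisor without generation-ID support.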

  12. Active Directory administration snap-ins consist of four different MMC consoles:
  • Active Directory Users and Computers
  • Active Directory Sites and Services
  • Active Directory Domains and Trusts
  • Active Directory Schema

  13. Active Directory Administrative Center is a task-oriented tool based on Windows PowerShell

  14. Recycle Bin User Interface
  Introduced with Windows Server 2008 R2, allows administrators to recover deleted objects such as users, groups, OUs
  Typically high-priority
  In the past, IT pros were required to enable and use the Recycle Bin through PowerShell commands
  Complex, not easy to remember or use

  16. Active Directory Recycle Bin provides a way to restore deleted objects without AD DS downtime
  • Uses Windows PowerShell with Active Directory Module or the Active Directory Administrative Center to restore objects
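The PowerShell route the slide mentions, shown end to end as an added example (not from the presentation): enabling the feature, listing what is in the recycle bin, and restoring one user. The forest name and the user account are constructed placeholders. Enabling the Recycle Bin is forest-wide and cannot be undone, and requires the forest functional level to be Windows Server 2008 R2 or higher.

```powershell
# Added example, not from the presentation. Forest and account names are constructed.
Import-Module ActiveDirectory
$forest = 'corp.example'   # constructed forest root
$target = 'jsmith'         # constructed sAMAccountName of the deleted user

# One-time, irreversible, forest-wide enablement.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false

# Confirm the feature is enabled (EnabledScopes is empty when it is not).
(Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes

# Deleted objects keep their attributes and original parent for the
# deleted-object lifetime; without -IncludeDeletedObjects they are invisible.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -Properties lastKnownParent, whenChanged, sAMAccountName
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Restore the user. If its OU was deleted as well, restore the OU first,
# otherwise the restore fails because lastKnownParent does not exist.
$user = $deleted | Where-Object { $_.ObjectClass -eq 'user' -and $_.sAMAccountName -eq $target }
if ($user) {
    Restore-ADObject -Identity $user.ObjectGUID
    Get-ADUser -Identity $target | Select-Object DistinguishedName, Enabled
} else {
    Write-Warning "No deleted user '$target' found in the recycle bin"
}
```

Restoring a deleted group brings back its membership list, which is the main advantage over a tombstone reanimation; the restored object still has to be reviewed before it is re-enabled in a sensitive OU.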

  17. Fine-Grained Password Policy UI
  Introduced with Windows Server 2008, allows more granular management of password policies
  Manually create password-settings objects (PSOs)
  In the past, IT pros were required to enable and use Fine-Grained Password Policies through ADSIEDIT or by importing LDIF files
  Complex, time consuming, not easy to remember or use

  18. Windows Server 2012 provides two tools for configuring PSOs
  • Windows PowerShell cmdlets
  • New-ADFineGrainedPasswordPolicy
  • Add-ADFineGrainedPasswordPolicySubject
  • Active Directory Administrative Center
  • Graphical user interface
  • Uses Windows PowerShell cmdlets to create and manage PSOs
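The two cmdlets from the slide used together, as an added example that is not from the presentation: a stricter PSO for privileged accounts, applied to a group, followed by the check that shows which policy a given user actually gets. The PSO name, group names and user are constructed placeholders. PSOs can be applied only to users and global security groups, not to OUs, and when several PSOs match a user the one with the lowest Precedence value wins.

```powershell
# Added example, not from the presentation. Names are constructed placeholders.
Import-Module ActiveDirectory

# Stricter settings for privileged accounts. Precedence 10 beats any PSO with a
# higher number that might also cover these users.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# Apply it to global security groups (constructed names). Applying to a group
# rather than to individual users keeps the policy tied to the role.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' `
    -Subjects 'Domain Admins', 'Tier0-Admins'

# Resultant policy for one user: this is what the DC enforces, after precedence
# is resolved across every PSO the user is a subject of.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jsmith' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Inventory of all PSOs and who they apply to, for periodic review.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo
```

A user that is a subject of no PSO falls back to the Default Domain Policy settings, so the inventory at the end is the place to confirm that every privileged group is actually covered.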

  19. Questions???

  20. Thank you andrzej@kokocinski.com.pl