Active Directory in Windows Server 8: Moving Forward

Original author: Sean Deuby
  • Translation


I have just returned from the annual Microsoft MVP Summit, where award recipients meet with the developers and speakers behind the products. In the Directory Services track, the category I specialize in, radical changes are rarely heard of. Usually the interest is in what the next release will be and how big it will be. But this year the labels "new release" and "big release" can safely be applied to AD. I am going to review the major authentication and security changes built into Windows Server 8.

Keep in mind that these changes qualify as evolutionary, not revolutionary; they extend what we already know well in Active Directory. Microsoft Program Manager Nathan Muggli once said: "Implementing changes in Active Directory is like making pizza for a million people: everyone wants something special." Naturally, no one wants to rock a boat that carries 75% of the world's companies. But evolutionary changes are necessary, and they point to the direction of future product improvement. In Windows 8 Identity and Security, these changes fall into data management, AD, and virtualization.

Data management



Before I delve into the authentication changes in Windows Server 8, I would like to point out a feature that Microsoft added in Windows Server 2008 R2: File Classification Infrastructure (FCI). This feature may have escaped your notice, as it did mine, because it is more a file-system feature than an identity feature. You will see how FCI ties into the identity system a little later, but first I want to explain what FCI is.

FCI lets you define file-classification properties for your file servers; automatically classify files according to the folder they are in or the content they contain; manage files based on their classification (for example, set a period after which a file can no longer be accessed); run standard commands based on a file's classification; and generate reports showing how classification properties are distributed across the file server. Besides FCI's automatic classification, end users (the content owners) can classify files manually, or line-of-business applications can set the classification properties of files automatically. You can even use FCI to search file contents for confidential keywords or patterns.

What is useful in this? With FCI, administrators can, for example, automatically move data from expensive online storage to cheaper storage based on file classification and the policies you define, or make files inaccessible after a certain period of time. You can experiment with FCI settings through the File Server Resource Manager (FSRM) utility: install the feature, then run it from Administrative Tools. It is the same utility that lets you control quotas, file screening, and storage reports. What matters for this discussion is that FCI is one of the cornerstones of Windows Server 8's truly major identity and security feature: Dynamic Access Control.

Dynamic Access Control (DAC) is one of the most powerful new features in Server 8. At the most general level it is about information governance: classifying the data on your file servers, gaining fine-grained control over that data, and being able to demonstrate (for example, during an audit) that you exercise such control. This is now a critical need for IT infrastructure, driven by the explosive growth of data, the growth of external threats, and the costs a company incurs when a security breach occurs. FCI is an element of DAC because it provides the mechanism for classifying files and tagging them, and those tags drive the application of DAC policies.

Active Directory



AD also benefits from the DAC project. Tagging and classifying data on file servers is all well and good, but it is not very useful if you cannot control access to that data at the new level of granularity you now have. To control access at this level, significant changes are needed in the Local Security Authority (LSA) on the file server and in AD. Let us set the LSA changes aside for later and consider the AD changes, because they are fundamentally important and they point to the future of AD.

To support finer-grained access control on file servers, and in future OS releases on every other resource that supports access control lists (ACLs), AD must support claims. If you are not familiar with claims, they are simply another facet of authentication: a claim is a piece of information (for example, an email address) that a trusted source (for example, your local certificate authority (CA)) asserts about a subject (for example, your account). Claims are already the lingua franca of cloud identity, and they are a basic component of federation technology, which lets us securely extend on-premises identity to cloud services. But before Server 8, AD knew nothing of claims; we had to rely solely on Active Directory Federation Services (AD FS) to transform AD attributes into claims. Most of those claims were consumed by external services, because traditional in-house applications did not understand them. Now that has changed, and AD is changing to accommodate claims too. This change in AD is very important, and every AD administrator needs to understand that cloud identity will become part of their future work.

As for the Server 8 enhancements to AD itself, the biggest improvement the AD development team made was to cut the time and effort of deploying AD. Anyone who has spent time on AD forums knows that deployment questions about Adprep, Dcpromo, domain controller replication and virtualization, and DNS are the most common. These changes definitely fall into the evolutionary category; they build on existing AD features.

Upgrading and promoting domain controllers has also been greatly improved. The AD team announced to the assembled MVPs that "Adprep and Dcpromo are dead." Dcpromo has been replaced by the Active Directory Domain Services Configuration Wizard, which integrates fully with Server Manager. The wizard is easy to use, but more importantly it does the bulk of the work invisibly, to make promotion as painless as possible.

The wizard automatically takes care of the Adprep /forestprep and /domainprep steps (although you can still run them manually if you want). Dean Wells, a former lead AD consultant who is now a member of the Microsoft AD team, noted that exposing the Adprep process to administrators was a mistake, because the fear and the flood of support calls it generated outweighed the real problems the process caused. The promotion process now performs serious prerequisite analysis (to answer the question "is it necessary?") before it starts, so if your AD environment has problems, the promotion will not even begin. It has also become more tolerant of transient network problems, there are some improved Install From Media (IFM) options, and the whole process can be run remotely.

Virtualization



Another aspect of simplifying AD deployment is the creation of virtual domain controllers with a kind of "body armor" that makes cloning a domain controller safe. Restoring a virtual domain controller from an image backup or an earlier snapshot risked corrupting (through USN rollback) the replication integrity of the entire distributed database in the domain or forest, because, unlike the standard recovery procedures, the restored domain controller had no information that it had been restored. Active Directory Domain Services in Windows Server 8 introduces the VM-Gen ID, a unique 64-bit identifier (similar to a GUID) associated with the hypervisor. The purpose of the VM-Gen ID is to detect that a snapshot has been applied and to signal this to the virtual machine. Given such a notice, the domain controller takes protective measures (such as discarding its relative identifier (RID) pool and resetting its invocation ID) to prevent USN rollback. In a word, recovery has become easier.
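To make the USN rollback problem and the VM-Gen ID safeguard concrete, here is an added example (not from the article): a toy Python model of two domain controllers in which a snapshot is applied to one of them. The DC names, object names and ID values are constructed, and the model deliberately reduces AD replication to a per-invocation-ID high-watermark; the RID pool handling and the re-replication of the restored DC's own lost changes are omitted.

```python
import copy
import itertools
from dataclasses import dataclass, field

_new_id = itertools.count(1)  # stand-in for freshly generated invocation-ID GUIDs

@dataclass
class DomainController:
    name: str
    invocation_id: int = field(default_factory=lambda: next(_new_id))
    usn: int = 0                 # highest local update sequence number
    last_gen_id: int = None      # VM-Generation ID seen at the last boot
    objects: dict = field(default_factory=dict)     # name -> (origin inv ID, USN, value)
    watermarks: dict = field(default_factory=dict)  # partner inv ID -> highest USN pulled

    def boot(self, hypervisor_gen_id, gen_id_aware):
        """A gen-ID-aware (Server 8) DC treats a changed VM-Generation ID as 'a
        snapshot was applied' and takes a new invocation ID; a legacy DC ignores it."""
        if gen_id_aware and self.last_gen_id not in (None, hypervisor_gen_id):
            self.invocation_id = next(_new_id)
        self.last_gen_id = hypervisor_gen_id

    def write(self, name, value):
        self.usn += 1
        self.objects[name] = (self.invocation_id, self.usn, value)

    def replicate_from(self, src):
        """Pull only changes whose USN is above our high-watermark for src's invocation ID."""
        hw = self.watermarks.get(src.invocation_id, 0)
        for name, (inv, usn, value) in src.objects.items():
            if inv == src.invocation_id and usn > hw:
                self.objects[name] = (inv, usn, value)
        self.watermarks[src.invocation_id] = max(hw, src.usn)

def run_scenario(gen_id_aware):
    """Snapshot DC1, let it write and replicate, apply the snapshot, write again."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.boot(hypervisor_gen_id=100, gen_id_aware=gen_id_aware)
    snapshot = copy.deepcopy(dc1)            # taken at USN 0
    dc1.write("user-a", "v1")                # USN 1
    dc1.write("user-b", "v1")                # USN 2
    dc2.replicate_from(dc1)                  # DC2's watermark for DC1 is now 2
    dc1 = snapshot                           # admin applies the old snapshot
    dc1.boot(hypervisor_gen_id=101, gen_id_aware=gen_id_aware)  # hypervisor bumped the ID
    dc1.write("user-c", "v1")                # USN 1 again: a rolled-back number
    dc2.replicate_from(dc1)
    return {
        "partner_got_new_write": "user-c" in dc2.objects,
        "usn_rollback": dc2.watermarks.get(dc1.invocation_id, 0) > dc1.usn,  # partner is "ahead" of DC1
    }
```

With `gen_id_aware=False` the new write is silently never replicated, which is exactly the divergence USN rollback produces; with `gen_id_aware=True` the fresh invocation ID gives the partner no stale watermark to compare against, so replication resumes cleanly.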

Domain controller cloning, which these virtualization-safe enhancements have made a secure and supported option, has clear advantages. Cloning lets you skip most of the domain controller promotion process: why go through the trouble of a fresh promotion when you can simply clone a new domain controller from an existing one? It is also very quick to do.

Cloning a domain controller also has huge advantages in an area that is not yet widely appreciated: forest recovery after a disaster. In the currently supported procedure, to restore a forest you first restore the seed domain controllers (one per domain), then run Dcpromo on additional domain controllers until you have enough in the environment to support your users. The problem is that Dcpromo is time-consuming, even if you install from IFM instead of promoting over the network. Losing the forest is an administrator's nightmare (if not an event that makes you start writing a resume), and every second spent on recovery means thousands or millions of dollars of loss. Domain controller cloning lets you simply make clones of the seed domain controllers, a much faster operation than IFM or network promotion. That saving alone can justify the move to Server 8 AD.
