New features in Active Directory Domain Services in Windows Server 2012, Part 1: Overview
Windows Server 2012 can be seen as a major release for Windows Server. Not just in terms of virtualization (Hyper-V 3.0), storage (SMB 3.0 and Storage Spaces) or manageability, but also in terms of Active Directory. There’s a load of new features, improving the lives of many Active Directory admins!
Active Directory Domain Services sees a lot of platform changes in terms of RIDs, DNTs, index creation, Offline Domain Join, LDAP, FAST, APT and Kerberos. Besides these miscellaneous features, Microsoft has categorized the new features for Active Directory Domain Services into two main categories:
New Domain Controller Promotion Tool
Anyone who has ever promoted a server to a Domain Controller knows dcpromo.exe. As Windows Server moves to PowerShell, dcpromo.exe bites the dust. The new Domain Controller Promotion Tool is, of course, based on PowerShell: there is a command-line interface for Domain Controller promotion, and the GUI part of the tool is built on MUX.
Remoteable Domain Controller Promotion
In earlier versions of Windows Server, dcpromo.exe was used to promote member and standalone servers to Active Directory Domain Controllers. This tool needed to be run on the (remote) desktop of the box. Now, Domain Controller promotion can be run remotely, eliminating the need for interactive logon.
Simplified Active Directory preparation
Microsoft introduces a new Active Directory Preparation process, remoteable and automatically targeting the Domain Controllers holding the targeted FSMO role(s). Active Directory Preparation is now part of the new Domain Controller promotion wizard.
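The three sections above describe one procedure: promote a server without logging on to it, with the preparation of forest and domain folded into the same step. The block below is an added example of that procedure using the ADDSDeployment module that ships with Windows Server 2012; it is not code from the original post. The server name SRV01, the domain corp.example.com and the site HQ are assumptions, and the `Status` property checked on the prerequisite result is the one the deployment cmdlets report in their result table.

```powershell
# Added example (not from the original post): remote promotion of a member server
# to a Domain Controller with the ADDSDeployment cmdlets that replace dcpromo.exe.
# Assumed names: target server SRV01, domain corp.example.com, AD site HQ.

$Target  = 'SRV01.corp.example.com'
$Domain  = 'corp.example.com'
$DaCred  = Get-Credential -Message 'Account with Enterprise/Schema Admins rights for promotion'
$DsrmPwd = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password for the new DC'

# The whole promotion runs through PowerShell remoting: no interactive logon on SRV01.
# PSCredential and SecureString survive the remoting serializer, so they can be passed in.
Invoke-Command -ComputerName $Target -Credential $DaCred -ScriptBlock {
    param($Domain, $DsrmPwd, $DaCred)

    # The AD DS binaries must be present before the deployment cmdlets can be used.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment

    # Prerequisite check first. In Windows Server 2012 the schema, domain and GPO
    # preparation that adprep.exe used to do is performed by Install-ADDSDomainController
    # itself when it finds them missing, which is why the credential needs Schema Admins
    # and Enterprise Admins membership for the first 2012 DC in a forest.
    $pre = Test-ADDSDomainControllerInstallation -DomainName $Domain -Credential $DaCred `
              -SafeModeAdministratorPassword $DsrmPwd -InstallDns
    if ($pre.Status -ne 'Success') {
        Write-Warning ($pre.Message -join "`n")
        throw "Prerequisite check failed on $env:COMPUTERNAME; nothing was changed."
    }

    Install-ADDSDomainController -DomainName $Domain -Credential $DaCred `
        -SafeModeAdministratorPassword $DsrmPwd `
        -SiteName 'HQ' -InstallDns -CreateDnsDelegation:$false `
        -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
        -Force   # -Force suppresses the confirmation prompts; the server reboots when done
} -ArgumentList $Domain, $DsrmPwd, $DaCred
```

The same module also carries Install-ADDSForest, Install-ADDSDomain and Add-ADDSReadOnlyDomainControllerAccount, and adprep.exe is still on the installation media under \support\adprep for organizations that prefer to prepare the forest as a separate, scheduled change before any promotion.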
Current guidance dictates you need to keep a physical Domain Controller around when organizations adopt server virtualization. With Windows Server 8, Active Directory admins no longer have to fear virtualization admins pausing, snapshotting or cloning virtualized Domain Controllers. Safeguards now protect Active Directory from getting corrupted from these actions.
But that’s not enough! Where, currently, virtualization can be seen as a weak spot in Active Directory, in Windows Server 8, virtualization becomes an area of strength for Active Directory! Scaling out a virtualized Active Directory environment is as easy as copying the VHD of a suitable Domain Controller, creating a new VM based on the copy of the VHD and starting it up to get a cloned Domain Controller, ready for action!
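The safeguards and the cloning described in the two paragraphs above both hinge on the VM-Generation ID the hypervisor exposes to the guest, and cloning additionally requires an explicit authorization plus a configuration file on the source VHD. The following added example (not code from the original post) shows the preparation steps on the source Domain Controller, including the checks an administrator wants before copying anything. The names DC01, DC02, site HQ and the 10.0.0.0/24 addressing are assumptions.

```powershell
# Added example (not from the original post): preparing a virtualized DC for cloning.
# Run on the source DC (assumed DC01) that will be copied; the clone becomes DC02.
Import-Module ActiveDirectory

# 1. Snapshot protection and cloning both rely on the hypervisor exposing a VM-Generation ID.
#    The DC stores it in msDS-GenerationId on its own computer object. The attribute is not
#    replicated, so ask this DC, not some other DC. Empty means the platform lacks support,
#    and a copied VHD would then come up as a USN-rollback DC instead of a clone.
$dc = Get-ADComputer -Identity $env:COMPUTERNAME -Server $env:COMPUTERNAME -Properties 'msDS-GenerationId'
if (-not $dc.'msDS-GenerationId') {
    throw 'No VM-Generation ID on this DC: the hypervisor does not support virtualization-safe AD.'
}

# 2. Only DCs a domain admin explicitly authorized may be cloned: the PDC emulator checks
#    membership of the well-known "Cloneable Domain Controllers" group before issuing the
#    new identity. Remove the membership again once the clones are built.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $dc

# 3. Every installed program and service must be known-safe to clone. Anything not on the
#    built-in allow list must be removed, or accepted knowingly by writing
#    CustomDCCloneAllowList.xml (which -GenerateXml does for everything currently unknown).
$unknown = Get-ADDCCloningExcludedApplicationList
if ($unknown) {
    $unknown | Format-Table Name, Type -AutoSize
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 4. Write DCCloneConfig.xml with the identity the clone assumes on first boot.
#    A booted copy WITHOUT this file is treated as a restored snapshot (the safeguard path),
#    not as a new DC; with it, the clone renames itself, gets a new invocation ID and joins site HQ.
New-ADDCCloneConfigFile -CloneComputerName 'DC02' -SiteName 'HQ' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# Next: shut DC01 down cleanly (do not pause or snapshot it), export or copy its VHD,
# create the new VM from the copy and start it. DC01 can be started again afterwards.
```

Two prerequisites are easy to forget: the PDC emulator role must already be held by a Windows Server 2012 Domain Controller, and the source VM must be shut down, not merely paused, before its VHD is copied.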
Recycle Bin Graphical User Interface (GUI)
Windows Server 2008 R2 introduced the Active Directory Recycle Bin, as an optional feature for the Windows Server 2008 R2 Forest Functional Level (FFL). When enabled, it enables organizations to ‘undelete’ objects and trees… through PowerShell. With Windows Server 8, you can now undelete objects through the GUI of the Active Directory Administrative Center (ADAC).
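What ADAC now does behind its Recycle Bin view is the PowerShell flow the paragraph above refers to, and it still matters for scripted restores and for deleted trees, where the order of restoration is the pitfall. The block below is an added example, not code from the original post; the forest corp.example.com and a deleted OU named "Sales" are assumptions.

```powershell
# Added example (not from the original post): enabling the Recycle Bin and restoring a
# deleted OU together with everything that lived under it. Assumed: OU "Sales" was deleted.
Import-Module ActiveDirectory

# Enabling is irreversible and forest-wide, and needs the 2008 R2 forest functional level.
$forest = Get-ADForest
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# Deleted objects keep their attributes and group links for msDS-deletedObjectLifetime days
# (180 by default) and are only visible when -IncludeDeletedObjects is given.
$deletedOu = Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
    -Filter 'isDeleted -eq $true -and msDS-LastKnownRDN -eq "Sales"' |
    Sort-Object whenChanged -Descending | Select-Object -First 1
if (-not $deletedOu) { throw 'No deleted object named Sales found.' }

# A child can only be restored after its parent exists again, so restore top-down:
# bring the object back, read its live DN, then restore the tombstones whose
# lastKnownParent is that DN, recursively.
function Restore-ADTree {
    param([Parameter(Mandatory)] $Root)
    Restore-ADObject -Identity $Root.ObjectGUID
    $live = Get-ADObject -Identity $Root.ObjectGUID          # DN after restoration
    Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent `
        -Filter 'isDeleted -eq $true' |
        Where-Object { $_.lastKnownParent -eq $live.DistinguishedName } |
        ForEach-Object { Restore-ADTree -Root $_ }
    return $live
}
$restored = Restore-ADTree -Root $deletedOu
Get-ADObject -SearchBase $restored.DistinguishedName -Filter * | Select-Object Name, ObjectClass
```

Objects whose deleted-object lifetime has expired have become recycled objects and cannot be brought back this way; that is the point at which a backup-based authoritative restore is the remaining option.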
Fine-grained Password Policy Graphical User Interface (GUI)
Introduced four years ago, with Windows Server 2008, Fine-grained Password Policies help organizations reduce their number of Active Directory domains when they need different password policies within the organization. (Formerly, a new domain, plus two Domain Controllers per domain, of course, was needed to accommodate a different password policy.) Password policies could be set through PowerShell and through one of the many (free) 3rd party tools. Now, in the Active Directory Administrative Center (ADAC), administrators can create and assign password policies by pointing and clicking.
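For reference, the PowerShell route the paragraph mentions is shown below as an added example (not code from the original post), together with the resultant-policy check that answers the question administrators actually ask: which policy applies to this account? The group name Tier0-Admins and the policy values are assumptions.

```powershell
# Added example (not from the original post): a stricter password policy for privileged
# accounts, applied through a Password Settings Object (PSO). Assumed group: Tier0-Admins.
Import-Module ActiveDirectory

# When several PSOs cover one user, the lowest Precedence wins; keep a documented scheme.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs apply to users and to global security groups only; an OU cannot be a subject.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# Resultant policy per account: the winning PSO, or the domain default when no PSO applies
# (typical causes: the group is not global, or a lower-precedence PSO took over).
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        [pscustomobject]@{ User = $SamAccountName; Policy = $pso.Name; MinLength = $pso.MinPasswordLength }
    } else {
        $default = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $SamAccountName; Policy = 'Default Domain Policy'; MinLength = $default.MinPasswordLength }
    }
}

Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    ForEach-Object { Get-EffectivePasswordPolicy -SamAccountName $_.SamAccountName } |
    Format-Table -AutoSize
```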
Active Directory PowerShell History Viewer User Interface
Also, from within the Active Directory Administrative Center (ADAC), you can now explore the PowerShell commands used under the hood when you use ADAC to perform your Active Directory tasks. These commands can be used to script tedious tasks.
Active Directory Replication & Topology Cmdlets
In addition to the Active Directory PowerShell cmdlets introduced with Windows Server 2008 R2, Microsoft introduces a couple of new PowerShell cmdlets targeted at Active Directory Replication & Topology.
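As an added example of what those replication and topology cmdlets buy an administrator (this is not code from the original post), the block below pulls a forest-wide replication status that previously needed repadmin.exe and parsing of its text output. The six-hour staleness threshold is an assumption; the property names are the ones the cmdlets return.

```powershell
# Added example (not from the original post): forest-wide replication health with the
# Windows Server 2012 replication cmdlets. Threshold of 6 hours is an assumed value.
Import-Module ActiveDirectory
$forestName = (Get-ADForest).Name
$staleAfter = (Get-Date).AddHours(-6)

# Per partner link: last attempt, last success and the consecutive-failure counter.
$partners = Get-ADReplicationPartnerMetadata -Target $forestName -Scope Forest -PartnerType Both
$stale = $partners | Where-Object {
    $_.LastReplicationSuccess -lt $staleAfter -or $_.ConsecutiveReplicationFailures -gt 0
}
$stale | Select-Object Server, Partner, Partition, LastReplicationSuccess,
                       LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Failures as each DC recorded them (the data behind repadmin /replsummary).
Get-ADReplicationFailure -Target $forestName -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# Topology inventory: sites and the site links with their cost and interval.
Get-ADReplicationSite -Filter * | Select-Object Name, AutomaticTopologyGenerationEnabled
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

# Push one object from the PDC emulator to every other DC (replaces repadmin /replsingleobj),
# for instance right after an urgent account disable or group change.
function Sync-ObjectEverywhere {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $source = (Get-ADDomain).PDCEmulator
    Get-ADDomainController -Filter * |
        Where-Object { $_.HostName -ne $source } |
        ForEach-Object { Sync-ADObject -Object $DistinguishedName -Source $source -Destination $_.HostName }
}
```

Because these cmdlets return objects rather than text, the stale-partner list can be fed straight into monitoring or ticketing instead of being screen-scraped, which is the practical gain over repadmin.exe.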
Dynamic Access Control
While buried deep in this list, Dynamic Access Control (DAC) is the most important authorization feature in Active Directory and Windows in a long time. This feature allows for claims-based access, making it possible to specify complex access rules for files without the need to create complex groups. Beyond that, DAC allows for access rules based on both the user and the computer the user is working from.
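The objects that make claims-based access work live in Active Directory, and the block below is an added example (not code from the original post) of creating them with the ActiveDirectory module: a user claim, a matching resource property, a Central Access Rule whose conditional ACE compares the two, and the Central Access Policy that bundles the rule. Assumptions: users carry a populated `department` attribute, the claim ID `ad://ext/Department` is chosen here rather than auto-generated, and the resource property ID `Department_MS` follows the default naming (display name plus `_MS`).

```powershell
# Added example (not from the original post): the AD objects behind a Central Access Policy.
# Assumed: claim ID ad://ext/Department, resource property ID Department_MS.
Import-Module ActiveDirectory

# 1. User claim: the KDC copies the 'department' attribute into the user's Kerberos ticket
#    once "KDC support for claims, compound authentication and Kerberos armoring" is enabled.
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Finance', 'Finance', 'Finance department'),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('HR', 'HR', 'Human resources')
)
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -SuggestedValues $values

# 2. Resource property: the label a file or folder is classified with. Sharing values with
#    the claim type keeps both value lists identical, so comparisons are meaningful.
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true -SharesValuesWith 'Department'

# 3. Central Access Rule. The resource condition scopes the rule to Finance-tagged data;
#    the conditional (XA) ACE grants read/execute (0x1200a9) to Authenticated Users only
#    when the user's Department claim equals the resource's Department label.
#    No group per department is needed: the comparison is evaluated at access time.
$acl = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'
New-ADCentralAccessRule -Name 'Finance data: department must match' `
    -ResourceCondition '(@RESOURCE.Department_MS Contains {"Finance"})' `
    -CurrentAcl $acl

# 4. Central Access Policy: the unit that Group Policy publishes to file servers.
New-ADCentralAccessPolicy -Name 'Departmental data'
Add-ADCentralAccessPolicyMember -Identity 'Departmental data' -Members 'Finance data: department must match'
```

Creating the objects is only half the deployment: the policy reaches Windows Server 2012 file servers through the Central Access Policy setting under Computer Configuration, Security Settings, File System, and rules that also consider the computer (the user-plus-device case mentioned above) additionally need device claims and the client-side "Kerberos client support for claims, compound authentication and Kerberos armoring" policy. Central Access Rules carry a proposed ACL next to the current one, so a rule can be staged and its would-be effect audited before it is enforced.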
Active Directory Activation Services
With Windows Server 8, a new member of the Active Directory family is born: Active Directory Activation Services (ADAS). Going beyond Key Management Services, ADAS automatically activates Windows installations joined to the domain and, perhaps even more important, removes the activation again when the machine is removed from the domain.
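As an added example of the mechanics behind this (not code from the original post): the activation object is stored in the configuration partition, so clients find it through LDAP and no KMS host has to be kept running. The Volume Activation Services feature and the `slmgr.vbs /ad-activation-online` switch are real; the KMS host key below is a placeholder, and the object name CORP-ADBA-2012 and client WS01 are assumptions.

```powershell
# Added example (not from the original post): setting up Active Directory-Based Activation
# and checking where the activation object lives. Product key below is a PLACEHOLDER.

# 1. The Volume Activation Services feature carries the tools that write the activation object.
Install-WindowsFeature -Name VolumeActivation -IncludeManagementTools

# 2. Create the forest-wide activation object from a KMS host key. This needs Enterprise Admins
#    because it writes to the configuration partition; the object name is optional.
cscript.exe //nologo C:\Windows\System32\slmgr.vbs /ad-activation-online 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX' 'CORP-ADBA-2012'

# 3. Inventory the activation objects. Clients of Windows 8 / Server 2012 and later look here
#    at logon, so an entry in this container is what 'automatic activation' actually means.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfg" -Filter * `
    -Properties msSPP-CSVLKPartialProductKey |
    Select-Object Name, DistinguishedName, msSPP-CSVLKPartialProductKey

# 4. On a domain-joined client, the detailed licence status shows whether the activation
#    came from AD (the channel and activation object name are part of the /dlv output).
Invoke-Command -ComputerName 'WS01' -ScriptBlock {
    cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv
}
```

Only Windows 8 and Windows Server 2012 (and later) clients use this path; older clients still need a KMS host, so the two can coexist during a migration.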
Group Managed Service Accounts (gMSAs)
In Windows Server 2008 R2, everyone was pleased Microsoft introduced Managed Service Accounts (MSAs) to solve the security issues with domain service accounts. In Windows Server 2008 R2, however, clustered and load-balanced services could not be facilitated with MSAs: a service that spanned multiple servers required a separate MSA for each server. For these scenarios, Microsoft introduces Group Managed Service Accounts (gMSAs) in Windows Server 8.
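The multi-server case is exactly what the following added example (not code from the original post) covers: one gMSA for a load-balanced web farm, where the set of hosts allowed to retrieve the automatically rotated password is the trust boundary. The hosts WEB01 to WEB03, the group WebFarm-Hosts, the account svc-web and the domain corp.example.com are assumptions.

```powershell
# Added example (not from the original post): one gMSA shared by a load-balanced farm.
# Assumed: hosts WEB01..WEB03, group WebFarm-Hosts, account svc-web, domain corp.example.com.
Import-Module ActiveDirectory

# 1. Once per forest: the KDS root key from which DCs derive gMSA passwords.
#    The key is normally usable 10 hours after creation so every DC has replicated it;
#    back-dating the effective time is a LAB shortcut only and is labelled as such here.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)   # lab only; in production omit and wait
}

# 2. The hosts that may retrieve the password. Membership is the security decision:
#    any computer in this group can run services as svc-web.
New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WebFarm-Hosts' -Members 'WEB01$', 'WEB02$', 'WEB03$'

# 3. The account. DNSHostName and the SPN use the farm name clients actually connect to,
#    so Kerberos works on whichever node answers. The password rotates every 30 days
#    and nobody ever knows it, which removes the classic shared-service-password problem.
New-ADServiceAccount -Name 'svc-web' -DNSHostName 'www.corp.example.com' `
    -ServicePrincipalNames 'HTTP/www.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarm-Hosts' `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES256

# 4. On every node, after a reboot so the new group membership is in the computer's token.
#    Requires the RSAT-AD-PowerShell feature on the node. Test-ADServiceAccount returns $true
#    only when that host is actually able to retrieve the current password.
Invoke-Command -ComputerName 'WEB01', 'WEB02', 'WEB03' -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity 'svc-web'
    [pscustomobject]@{ Host = $env:COMPUTERNAME; CanUseGmsa = (Test-ADServiceAccount -Identity 'svc-web') }
}
```

The service is then configured to log on as `CORP\svc-web$` with an empty password; Windows fetches the current password from the Domain Controllers itself. A host that is later removed from WebFarm-Hosts loses that ability at its next password retrieval, so the group doubles as the decommissioning control.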
In this series I will highlight each of these new features in separate blogposts. Expect to find in-depth knowledge, how-tos and guidance on making your organization(s) benefit the most from the new functionality.
The screenshots you’ll see in this series and the information you will find here will all be based on the Release to Manufacturers (RTM) version of Windows Server 2012.
RedmondMag: Quick Guide: What's New in Windows Server 2012 Active Directory
WindowsITPro: Windows Server 2012 Simplifies AD Upgrades and Deployments
WindowsITPro: How Windows Server 2012 Improves Active Directory Disaster Recovery
WindowsITPro: Virtualization-Safe Active Directory in Windows Server 2012
WindowsSecurity.com: Windows Server 2012 Virtualized Domain Controllers
WindowsSecurity.com: First Look at Dynamic Access Control in Windows Server 2012
Windows Server Blog: Introduction to Windows Server 2012 Dynamic Access Control
SearchWindowsServer: How Windows Server 2012 enables AD cloud deployments
Configuring Active Directory (AD DS) in Windows Server 2012
TechEd video SIA312: What's New in Active Directory in Windows Server 2012
TechEd video SIA341: Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory