
I have just returned from the annual Microsoft MVP summit, where award recipients talk with the product developers and speakers. In the “directory services” section, the category I specialize in, it was quite rare to hear about radical changes. Usually the interest was in the release of a new operating system and how big it would be. But this year, the terms “new release” and “big release” can safely be applied to AD. I'm going to look at the major changes in identity and security that are built into Windows Server 8.
Keep in mind that these changes are evolutionary, not revolutionary. They extend what we already know well in Active Directory. Microsoft Program Manager Nathan Muggli once said: “Implementing changes in Active Directory is like making pizza for a million people — everyone wants something special.” Naturally, no one wants to rock a boat that carries 75% of global companies. But evolutionary changes are needed nonetheless, and they indicate the direction of future product development. In the identity and security system of Windows Server 8, these changes cover data management, AD, and virtualization.
Data management
Before I delve into the changes to the identity system in Windows Server 8, I want to point out one change that Microsoft added in Windows Server 2008 R2: File Classification Infrastructure (FCI). This feature may have escaped you, as it did me, because it is more a file-system feature than an identity feature. You will see how FCI ties into the identity system a little later, but first I want to explain what FCI is.
FCI lets you define file classification properties for your file servers, automatically classify files according to the folder they are in or their contents, manage files based on that classification (for example, set a period during which a file may be accessed, or run standard commands based on a file's classification), and generate reports that show the distribution of classification properties across the file server. Without FCI, the end user (the content owner) can classify files manually, or a line-of-business application can set the classification properties automatically. You can even use FCI to search file contents for confidential keywords or patterns, such as social security numbers, and automatically classify the file as confidential and containing personal data.
Why is this useful? With FCI, administrators can, for example, automatically move data from expensive online storage to cheaper storage based on file classification and a policy you set. Or you can make files inaccessible after a certain period of time. You configure FCI through the File Server Resource Manager (FSRM) utility, by first installing the feature and then running FSRM from Administrative Tools. This is the same utility that lets you manage quotas, file screening and storage reports. What is relevant to this discussion is that FCI is one of the cornerstones of Windows Server 8's truly large-scale identity and security feature: Dynamic Access Control (DAC).
DAC is one of the most powerful new features in Server 8. At the most general level, it is about information governance: classifying the data stored on your file servers, gaining fine-grained control over that data, and being able to demonstrate (for example, during an audit) that you exercise such control. This is now a critical need for IT infrastructure, driven by the explosive growth of data, the growth of external threats, and the costs a company incurs when security holes are exploited. FCI is a DAC building block because it provides the mechanism to classify files and tag them, and DAC policies depend on those tags.
Active Directory
AD also benefits from the DAC project. Tagging and classifying data on file servers is, of course, good, but the benefit is limited if you cannot control access to that data based on the new level of detail you now have. To control access at this level, significant changes were needed in the Local Security Authority (LSA) on the file server and in AD. I'll leave the LSA changes for later and consider the AD changes, because they are fundamentally important and point to the future of AD.
To support a higher degree of access control on file servers (and, in future OS releases, on all other resources that support access control lists, ACLs), AD must support claims. If you are not familiar with claims, they are simply another way of looking at authentication: a claim is a piece of information (for example, an email address) that a trusted source (for example, your local certificate authority, CA) asserts about a subject (for example, your account). Claims are already the lingua franca of cloud identity, and they are a basic component of the federation technology that lets us securely extend on-premises identity into cloud services. But until Server 8, AD had never heard of claims; we had to rely solely on Active Directory Federation Services (AD FS) to transform AD attributes into claims. Most of those claims were consumed by external services, because traditional enterprise applications did not understand them. Now this has changed, and AD is changing to accommodate them. This change in AD is very important, and every AD administrator should understand that cloud-based identity will become part of their future work.
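To make the FCI-plus-claims idea concrete, here is an added example (not code from the article, and not Microsoft's implementation) that models the two halves described above: FCI-style classification rules that tag files with resource properties, and a DAC-style central access rule that evaluates user claims against those properties. The file server name, file contents, claim names (Department, Clearance) and the rule itself are all constructed for the example.

```python
import re

# Added example, not from the article: a minimal model of how FCI classification
# properties and AD user claims combine into a DAC-style access decision.
# Paths, rules, claim names and file contents are constructed for the example.

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample files on a hypothetical file server \\fs01 (share = department).
SAMPLE_FILES = {
    r"\\fs01\hr\benefits.txt": "Employee 1234: SSN 123-45-6789 enrolled on 2011-03-01",
    r"\\fs01\hr\picnic.txt": "Company picnic is on Friday; bring a dish.",
    r"\\fs01\finance\q3.txt": "Q3 revenue by region (internal only)",
}


def classify(path, content):
    """Model of two FCI rules: a folder classifier sets Department from the share
    name, and a content classifier flags files containing an SSN-like pattern."""
    department = path.split("\\")[3].upper()  # \\server\share\file -> share at index 3
    has_pii = bool(SSN_PATTERN.search(content))
    return {
        "Department": department,
        "PII": has_pii,
        "Confidentiality": "High" if has_pii else "Low",
    }


def central_access_rule(user_claims, resource_props):
    """Model of a central access rule: it targets resources tagged PII, and for
    those it permits access only to a matching department with High clearance."""
    if not resource_props["PII"]:
        return True  # target condition does not match, so the rule imposes nothing
    return (
        user_claims.get("Department") == resource_props["Department"]
        and user_claims.get("Clearance") == "High"
    )


def effective_access(user_claims, path, ntfs_allows=True):
    """DAC is an additional gate: the share/NTFS ACL must still grant access."""
    props = classify(path, SAMPLE_FILES[path])
    return ntfs_allows and central_access_rule(user_claims, props)


# Claims as they would be issued from AD user attributes (constructed values).
ALICE = {"Department": "HR", "Clearance": "High"}
BOB = {"Department": "FINANCE", "Clearance": "Low"}

if __name__ == "__main__":
    for path in SAMPLE_FILES:
        print(path, classify(path, SAMPLE_FILES[path]))
    print("alice -> hr/benefits:", effective_access(ALICE, r"\\fs01\hr\benefits.txt"))
    print("bob   -> hr/benefits:", effective_access(BOB, r"\\fs01\hr\benefits.txt"))
    print("bob   -> hr/picnic:  ", effective_access(BOB, r"\\fs01\hr\picnic.txt"))
```

The point to notice is that the rule never names a user or group: it compares a property the file server derived from the file (Department, PII) with claims the domain controller issued about the user, which is exactly the coupling between FCI and AD that the article describes.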
Regarding the AD enhancements in Server 8, the biggest improvement the AD development team made is saving time and effort in deploying AD. Anyone who has spent time on the AD forums knows that deployment issues (Adprep, Dcpromo, replication and virtualization of domain controllers, and DNS deployment) are the most frequent. These changes definitely fall into the evolutionary category; they enhance existing AD features.
Upgrading and promoting domain controllers have also been significantly improved. The AD team announced to the MVP crowd that “Adprep and Dcpromo are dead.” Dcpromo is now the Active Directory Domain Services Configuration Wizard, fully integrated with Server Manager. The wizard is easy to use, but more importantly it does a lot of work behind the scenes to make promotion as painless as possible.
The wizard automatically runs the Adprep /forestprep and /domainprep steps (although you can still run them manually if you wish). Dean Wells, a former AD lead consultant who is now part of the Microsoft AD team, remarked that exposing the Adprep process to administrators was a mistake, because the fear it created and the avalanche of support calls it generated outweighed the real problems the process ever caused. The promotion process now performs serious prerequisite analysis (answering the question “Do we need this?”) before it starts, so that if your AD environment has problems, the promotion does not even begin. Promotion is also more tolerant of transient network problems, there are some improved Install From Media (IFM) options, and the whole process can be run remotely.
Virtualization
Another aspect of simplifying AD deployment is virtualization-safe domain controllers, a kind of "bulletproof vest" that also makes cloning a domain controller safe. Restoring a virtual domain controller from a backup image or an earlier snapshot risked damaging (through USN rollback) the integrity of the entire distributed database in a domain or forest, because, unlike a standard restore procedure, the restored domain controller had no way of knowing that it had been restored. Active Directory Domain Services in Windows Server 8 introduces the VM-Generation ID (VM-Gen ID), a unique 64-bit identifier (similar to a GUID) supplied by the hypervisor. Its purpose is to detect that a snapshot has been applied and to notify the virtual machine. On receiving this notification, the domain controller takes protective measures (such as discarding its RID pool and resetting its invocation ID) to prevent USN rollback. In short, recovery has become easier.
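The USN rollback mechanism and the invocation-ID reset are easier to see in a toy model than in prose. The following is an added example, not code from the article or from Microsoft: it models a domain controller's replication metadata (invocation ID, highest committed USN, per-attribute version numbers) and a replication partner that keeps a high-watermark USN per invocation ID, then replays a snapshot restore with and without a generation-ID change. DC names, object names and generation-ID values are constructed; the RID-pool discard is mentioned in a comment but not modelled.

```python
import copy
import uuid

# Added example, not part of the article: a toy model of AD replication metadata
# (invocationID + USN high-watermarks) showing why applying a snapshot without a
# generation-ID change loses updates (USN rollback), and why resetting the
# invocationID when the VM-Generation ID changes prevents it. Names are constructed.


class DomainController:
    def __init__(self, name, vm_gen_id):
        self.name = name
        self.invocation_id = uuid.uuid4()  # identifies this instance of the DC database
        self.vm_gen_id = vm_gen_id         # hypervisor generation ID stored at last boot
        self.highest_usn = 0
        self.versions = {}                 # object -> attribute version
        self.changes = []                  # (usn, object, version, value)

    def write(self, obj, value):
        """Originating write: consumes the next USN and bumps the object's version."""
        self.highest_usn += 1
        self.versions[obj] = self.versions.get(obj, 0) + 1
        self.changes.append((self.highest_usn, obj, self.versions[obj], value))

    def changes_since(self, usn):
        return [c for c in self.changes if c[0] > usn]

    def boot(self, current_vm_gen_id):
        """Startup check: a changed generation ID means a snapshot was applied.
        The DC then resets its invocationID (a real DC also discards its RID pool)."""
        if current_vm_gen_id != self.vm_gen_id:
            self.invocation_id = uuid.uuid4()
            self.vm_gen_id = current_vm_gen_id
            return True
        return False


class ReplicationPartner:
    def __init__(self):
        self.watermarks = {}  # source invocationID -> highest USN already pulled
        self.objects = {}     # object -> (version, value)

    def pull(self, source):
        seen = self.watermarks.get(source.invocation_id, 0)
        for usn, obj, version, value in source.changes_since(seen):
            # Per-attribute version numbers stop older data from overwriting newer data.
            if version > self.objects.get(obj, (0, None))[0]:
                self.objects[obj] = (version, value)
        self.watermarks[source.invocation_id] = max(seen, source.highest_usn)


def simulate(vm_gen_id_aware):
    """Returns what the partner holds after a snapshot restore and a new write."""
    dc = DomainController("DC1", vm_gen_id="gen-1")
    partner = ReplicationPartner()
    dc.write("alice", "v1")            # USN 1
    snapshot = copy.deepcopy(dc)       # hypervisor snapshot taken here
    dc.write("bob", "v1")              # USN 2
    dc.write("alice", "v2")            # USN 3
    partner.pull(dc)                   # partner's watermark for DC1 is now 3
    dc = snapshot                      # admin applies the snapshot: DC is back at USN 1
    dc.boot("gen-2" if vm_gen_id_aware else "gen-1")
    dc.write("carol", "v1")            # USN 2 is reused for a brand-new change
    partner.pull(dc)
    return {obj: value for obj, (_, value) in partner.objects.items()}


if __name__ == "__main__":
    print("without VM-Gen ID:", simulate(False))   # carol never replicates
    print("with VM-Gen ID:   ", simulate(True))    # carol replicates
```

Without the generation-ID check the restored DC keeps its old invocation ID, its new write lands on a USN the partner has already passed, and the partner never asks for it: that is the silent divergence the article calls USN rollback. With the check, the new invocation ID makes the partner start from a zero watermark for that source, and the version numbers keep the stale "alice v1" from overwriting the newer value. The same generation-ID change is what lets a cloned DC recognise that it is a copy.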
Domain controller cloning, which these virtualization-safe enhancements have made a safe and supported option, has its own advantages. Cloning lets you skip most of the promotion process: why bother with a fresh promotion when you can simply clone a new domain controller from an existing one? It is also very fast.
Domain controller cloning also has enormous advantages in an area that has not yet received much attention: forest recovery after a disaster. In the currently supported procedure for a forest recovery, you restore the seed domain controllers of the forest (one per domain), then run Dcpromo on other domain controllers until you have enough domain controllers in the environment to support your users. The problem is that Dcpromo takes a lot of time, even if you install from media (IFM) instead of doing a network promotion. A forest failure is an administrator's nightmare (if not the event that makes you update your résumé), and every second you spend on recovery means thousands or millions of dollars in losses. Domain controller cloning will let you simply make clones of the seed domain controllers, a much faster operation than IFM or network promotion. The money this saves could by itself justify moving to Server 8 AD.