
Windows and Domain Controller 2012 features

Document Prepared by Deepak Kotian Page 1 of 47

Windows Server 2012

Table of Contents

1 Introduction ... 4
1.1 Understanding Windows Server 2012 Foundation ... 4
1.2 How Windows Server 2012 Foundation differs from other editions of Windows Server 2012 ... 4
1.3 Supported users ... 6
1.4 X64 Sockets ... 6
1.5 Random Access Memory (RAM) ... 6
1.6 Failover cluster nodes ... 6
1.7 Server Message Block connections ... 6
1.8 Network access connections (RRAS) ... 6
1.9 Network access connections (NPS) ... 7
1.10 Remote Desktop Gateway connections ... 7
2 System requirements (Hardware) ... 7
3 Top Most features in Windows Server 2012 ... 8
4 Editions ... 10
5 Hyper-V Comparison: Windows Server 2008 R2 vs Windows Server 2012 ... 12
6 Hyper-V Component Architecture ... 14
6.1 Windows 2012 Hyper-V Component Architecture ... 14
6.2 Windows 2012 R2 Hyper-V Component Architecture ... 14
7 Installing Windows Server 2012 (step by step) ... 15


Domain Controller 2012 Table of Contents

1 Prerequisites ... 21
2 Installation of Domain Controller ... 22
3 What's New in Windows Server 2012 Domain controller? ... 30
3.1 What's New in Certificate Services in Windows Server 2012 ... 30
3.2 What's New in Active Directory Domain Services (AD DS) ... 30
3.3 What's New in Active Directory Rights Management Services (AD RMS)? ... 30
3.4 What's New in BitLocker for Windows 8 and Windows Server 2012 ... 30
3.5 What's New in BranchCache ... 30
3.6 What's New in DFS Namespaces and DFS Replication in Windows Server 2012 ... 30
3.7 What's New in DHCP in Windows Server 2012 ... 30
3.8 What's New in DNS ... 30
3.9 New and changed functionality in File and Storage Services ... 30
3.10 What's New in Failover Clustering in Windows Server 2012 ... 31
3.11 What's New in File Server Resource Manager in Windows Server 2012 ... 31
3.12 What's New in Group Policy in Windows Server 2012 ... 31
3.13 What's New in Hyper-V ... 31
3.14 What's New in IPAM in Windows Server 2012 ... 31
3.15 What's New in Kerberos Authentication ... 31
3.16 What's New for Managed Service Accounts ... 31
3.17 What's New in Networking in Windows Server 2012 ... 31
3.18 What's New in Remote Desktop Services in Windows Server 2012 ... 31
3.19 What's new in Security Auditing ... 31
3.20 What's new in Server Manager ... 31
3.21 What's New in Smart Cards ... 32
3.22 What's New in TLS/SSL (Schannel SSP) ... 32
3.23 What's New in Windows Deployment Services in Windows Server 2012 ... 32
3.24 What's new in Windows PowerShell 3.0 ... 32
4 What's New in Active Directory Domain Services (AD DS) ... 33
4.1 Virtualization that just works ... 33
4.2 Simplified deployment and upgrade preparation ... 33
4.3 Simplified management ... 33
4.4 AD DS Platform Changes ... 33
5 Virtualization that just works ... 34
5.1 Rapid deployment with cloning ... 34
5.2 Safer virtualization of domain controllers ... 34
5.3 Simplified deployment and upgrade preparation ... 34
5.4 Simplified management ... 36
5.5 AD DS Platform Changes ... 42


Windows Server 2012

1 Introduction

1.1 Understanding Windows Server 2012 Foundation:

Windows Server 2012 Foundation is a full-featured 64-bit version of Windows® Server that enables core IT resources, such as file and print sharing, remote access, and security. It provides a network foundation from which you can centrally manage settings on your computers that are based on the Windows operating system, and upon which you can run the most popular business applications. It also provides a familiar Windows user experience that helps you manage users and safeguard business information.

Because Windows Server 2012 Foundation comes pre-installed with your server hardware, you do not need to separately obtain and then install the hardware and operating system. Windows Server 2012 Foundation is supported by an extensive network of certified professionals who can provide service for your Windows Server network.

1.2 How Windows Server 2012 Foundation differs from other editions of Windows Server 2012:

Although most core features are the same, there are important limits in Windows Server 2012 Foundation versus other editions of Windows Server 2012 that you should be aware of before you deploy Windows Server 2012 Foundation. This section describes the applicable limits. The following table provides a summary of key limits.

Parameter | Limit
Maximum number of users | 15 (enforced by license terms)
Required client access licenses (CALs) | None
Maximum number of Server Message Block (SMB) connections | 30
Maximum number of Routing and Remote Access (RRAS) connections | 50
Maximum number of Internet Authentication Service (IAS) connections | 10
Maximum number of Remote Desktop Services (RDS) Gateway connections | 50
Maximum number of CPU sockets | 1 (no limit on CPU cores)
Maximum RAM | 32 GB
Virtual image use rights | None; cannot host virtual machines or be used as a guest operating system in a virtual machine.
Domain requirements | Must be the root domain controller in a domain that has no trusts at the root of the forest. This condition is temporarily allowed for migrations, but if persistent, the system will be forced to restart.


Most server roles and features are supported, but not all of them. Certain roles and features are available, but with limits. The following table provides a summary of the supported and unsupported roles and features, as well as applicable limits.

Role or feature | Availability and limitations
Active Directory Certificate Services (AD CS) | You can create certification authorities, but no other AD CS role services are available.
Active Directory Domain Services (AD DS) | Available
Active Directory Federation Services (AD FS) | Available
Read-only domain controller (RODC) | The server cannot be used as a read-only domain controller.
Active Directory Lightweight Directory Services (AD LDS) | Available
Active Directory Rights Management Services (AD RMS) | Available
Application Server | Available
Dynamic Host Configuration Protocol (DHCP) Server | Available
Domain Name System (DNS) Server | Available
Fax Server | Available, but limited to 30.
File and Storage Services | Available, but limited to one standalone Distributed File System (DFS) root.
Hyper-V™ | Not available
Network Policy and Access Services | Available
Print and Document Services | Available
Web Server (IIS) | Available
Windows Deployment Services | Available
Remote Desktop Services | Available
Volume Activation Services | Available
Hot Add Memory | Not available
Windows Server Update Services | Not included
Windows PowerShell™ | Available
VSS integration | Available
Storage Spaces | Available
Data Deduplication | Not available
Failover Clustering | Not available
Dynamic Memory (in Hyper-V) | Not available
SMB Direct and SMB over RDMA | Available
IP Address Management | Available
BranchCache | Available
Distributed File System Replication (DFS-R) | Available
DirectAccess | Available
Server Manager | Available
Storage Management Service | Available

1.3 Supported users:

You can use Windows Server 2012 Foundation in either Active Directory® or workgroup environments to create up to 15 user accounts that can access and use the server software. Each user account permits one user, using any device, to access and use your server software with no client access licenses (CALs) required. In the Windows Server 2012 Foundation operating system, you will receive a warning message if you exceed the fifteen-user limit. For steps to remove user accounts from Active Directory, see http://go.microsoft.com/fwlink/?LinkId=150361. For steps to remove user accounts from a workgroup environment, see http://go.microsoft.com/fwlink/?LinkId=150362.

1.4 X64 Sockets:

You can use an x64 socket to run a 64-bit application. Windows Server 2012 Foundation includes support for one x64 socket. One physical processor is the same as one physical socket.

1.5 Random Access Memory (RAM)

Windows Server 2012 Foundation provides access to a maximum of 32 GB of available memory.

1.6 Failover cluster nodes

A failover cluster node is a server that is a member of a failover cluster. A failover cluster node can own and run clustered services and applications. You cannot deploy Windows Server 2012 Foundation as a failover cluster node. For more information about failover clusters, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=140233).

1.7 Server Message Block connections:

Windows Server 2012 includes Server Message Block (SMB) to provide users and devices with shared, simultaneous access to network resources. Windows Server 2012 Foundation supports a maximum of 30 simultaneous inbound connections. This means that the total combined number of user accounts and devices that can connect to the server at any given time cannot exceed 30. Connection attempts that exceed the allowable 30 receive a message informing them that the server cannot accept any additional connections at that time.

Important: Although Windows Server 2012 Foundation supports up to 30 simultaneous connections, the Microsoft Software License Terms for Windows Server 2012 Foundation allow a maximum of 15 user accounts. For more information about SMB, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=140234).
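The two Foundation ceilings described in sections 1.3 and 1.7 (15 user accounts by license, 30 simultaneous inbound SMB connections by the product) are easy to drift past unnoticed. The following PowerShell script is an added example, not part of the original document, that measures both against the documented limits. It assumes it runs with administrator rights on the Foundation server itself, that the ActiveDirectory module (RSAT) is available because the server is the domain's root domain controller, and that the built-in Administrator account is counted like any other enabled user.

```powershell
# Added example: compare actual usage on a Windows Server 2012 Foundation server
# against the documented limits of 15 user accounts and 30 inbound SMB connections.
# Assumptions: run as administrator on the Foundation server; ActiveDirectory and
# SmbShare modules present (both ship with Windows Server 2012 / RSAT).
Import-Module ActiveDirectory
Import-Module SmbShare

$MaxUsers       = 15   # Foundation license limit (section 1.3)
$MaxSmbSessions = 30   # Foundation inbound SMB connection limit (section 1.7)

# Count enabled user accounts only; disabled accounts cannot sign in and so do not
# consume a seat. Note that the built-in Administrator account is included.
$userCount = (Get-ADUser -Filter 'Enabled -eq $true' | Measure-Object).Count

# Count current inbound SMB sessions; each client computer / user pair is one session.
$smbSessions  = Get-SmbSession
$sessionCount = ($smbSessions | Measure-Object).Count

# Summary object: suitable for piping to Export-Csv from a scheduled task.
[pscustomobject]@{
    EnabledUsers    = $userCount
    UserLimit       = $MaxUsers
    UsersOverLimit  = ($userCount -gt $MaxUsers)
    SmbSessions     = $sessionCount
    SmbSessionLimit = $MaxSmbSessions
    SmbNearLimit    = ($sessionCount -ge ($MaxSmbSessions - 5))
}

# When close to the SMB ceiling, list who holds sessions so that stale or unexpected
# connections (for example, a service account mapping shares from many hosts) can be
# investigated before legitimate users start receiving "cannot accept any additional
# connections" errors.
if ($sessionCount -ge ($MaxSmbSessions - 5)) {
    $smbSessions |
        Sort-Object ClientUserName |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
        Format-Table -AutoSize
}
```

The threshold of five sessions below the limit is an arbitrary early-warning margin; lower it on a server whose connection count is stable, raise it where clients connect in bursts.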

1.8 Network access connections (RRAS):

The Routing and Remote Access service (RRAS) in Windows Server 2012 supports remote user or site-to-site connectivity by using virtual private networking (VPN) or dial-up connections. Windows Server 2012 Foundation supports a maximum of 50 RRAS connections. For more information about RRAS, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=140235).


1.9 Network access connections (NPS):

Network Policy Server (NPS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy in Windows Server. NPS is the replacement for Internet Authentication Service (IAS) in Windows Server 2003. NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. Windows Server 2012 Foundation supports a maximum of 10 NPS connections. For more information about NPS, see "Network Policy Server" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=140236).

1.10 Remote Desktop Gateway connections:

Remote Desktop Gateway (RD Gateway) enables authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on an internal corporate network from any Internet-connected device.

2 System requirements (Hardware):

Windows Server 2012 runs only on x64 processors. Unlike its predecessor, Windows Server 2012 does not support Itanium.[4] Upgrades from Windows Server 2008 and Windows Server 2008 R2 are supported, although upgrades from prior releases are not.[45]

Minimum system requirements for Windows Server 2012

Component | Minimum
Processor | 1.4 GHz, x64
Memory | 512 MB
Free disk space | 32 GB (more if there is 16 GB of RAM or more)


3 Top Most features in Windows Server 2012

3.1 Scale and performance

Hyper-V in Windows Server 2012 greatly expands support for host processors and memory. New features include support for as many as 64 virtual processors and 1 terabyte of memory for Hyper-V guests, a new VHDX virtual hard disk format with larger disk capacity of up to 64 terabytes, and additional resiliency. These features help ensure that the virtualization infrastructure can support the configuration of large, high-performance virtual machines to support workloads that might need to scale up significantly. Significant additional improvements have been made across the board, with Hyper-V now supporting increased cluster sizes, a significantly higher number of active virtual machines per host, and additionally, more advanced performance features such as in-guest Non-Uniform Memory Access (NUMA). This capability helps ensure that customers can experience the highest levels of scalability, performance, and density for their business-critical workloads.

3.2 Share-nothing live migration

Share-nothing live migration combines SMB3 live migration and storage live migration: a running virtual machine, together with its storage, can be moved between two hosts that share nothing but an Ethernet connection, with no shared storage required.

3.3 Hyper-V Network Virtualization

Isolating virtual machines of different departments or customers can be a challenge on a shared network. When these departments or customers need to isolate networks of virtual machines, the challenge increases. Traditionally, virtual local area networks (VLANs) are used to isolate networks, but VLANs become very complex to manage on a large scale. Hyper-V Network Virtualization helps solve this problem. With this feature, you can isolate network traffic from different business units or customers on a shared infrastructure without using VLANs. Hyper-V Network Virtualization also lets you move virtual machines as needed within your virtual infrastructure, while preserving their virtual network assignments. Finally, you can even use Hyper-V Network Virtualization to transparently integrate these private networks into a pre-existing infrastructure on another site.

3.4 Hyper-V Replica

Hyper-V Replica provides a storage-agnostic and workload-agnostic solution that replicates efficiently, periodically, and asynchronously over networks based on Internet Protocol, typically to a remote site. Hyper-V Replica also allows an administrator to more easily test the replica virtual machine without disrupting the ongoing replication. If a disaster occurs at the primary site, administrators can quickly restore their business operations by bringing up the replicated virtual machine at the replica site. Hyper-V Replica provides a virtual machine-level, affordable, reliable, and manageable replication solution that is tightly integrated with Hyper-V Manager and the failover clustering feature in Windows Server 2012.
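The paragraph above makes two operational claims: that replica health can be watched, and that the replica can be tested without disturbing replication. The PowerShell below is an added example, not taken from the document, showing both with the Hyper-V module that ships with Windows Server 2012. It assumes the Hyper-V role and its PowerShell module are installed, that the VM name 'APP01' is a placeholder for a VM that already has replication enabled, and that the test failover portion is run on the replica server.

```powershell
# Added example: monitor Hyper-V Replica health and exercise a test failover.
# Assumptions: Hyper-V PowerShell module installed; 'APP01' is a placeholder VM name
# with replication already configured; the test-failover block runs on the replica host.
Import-Module Hyper-V

# Replication mode/state for every replicating VM on this host.
Get-VMReplication |
    Select-Object VMName, Mode, State, Health, PrimaryServer, ReplicaServer

# Per-VM statistics: errors, latency and the time of the last successful replication.
Measure-VMReplication |
    Select-Object VMName, Health, ReplicationErrors, AverageLatency, LastReplicationTime

# Flag VMs whose health is not Normal or whose last replication is older than
# 30 minutes. Sustained drift here is what a monitoring job should alert on long
# before a disaster makes the replica's freshness matter.
$stale = Measure-VMReplication | Where-Object {
    $_.Health -ne 'Normal' -or $_.LastReplicationTime -lt (Get-Date).AddMinutes(-30)
}
if ($stale) {
    $stale | Format-Table VMName, Health, ReplicationErrors, LastReplicationTime -AutoSize
}

# --- Test failover (run on the replica server) ---
# -AsTest creates a separate, isolated test VM from a recovery point; the real replica
# VM and the replication stream continue untouched, which is the property the text
# describes. Validate the application inside the test VM, then discard it.
$testVm = Start-VMFailover -VMName 'APP01' -AsTest
Start-VM -VM $testVm
# ... application checks go here ...
Stop-VMFailover -VMName 'APP01'   # removes the test VM, leaving replication as it was
```

Because the test VM is created from a recovery point, connect it to an isolated virtual switch (or leave it disconnected) before starting it, so that it cannot answer on the production network with the same identity as the live primary.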

3.5 Tired of expensive SANs? Well, SMB3 might be the answer

Windows Server 2012 introduces new File and Storage Services features that let you store server application data on file shares, to take advantage of the new Server Message Block 3 (SMB3) protocol and benefit from low-cost, "commodity" hardware. A variety of performance enhancements and availability improvements come together to make file share storage a great low-cost choice for critical workloads such as Hyper-V and Microsoft SQL Server. File and Storage Services can now endure a variety of failures transparently, resulting in minimal interruption in service to the users (or servers) that depend on them for storage. These File Server features allow you to more easily create and manage an optimally available data storage foundation for critical application services such as Microsoft SQL Server and Hyper-V. An array of new server message block protocol enhancements and capabilities such as transparent

3.6 Windows PowerShell 3.0

The Windows PowerShell command-line interface provides a comprehensive management platform for all aspects of the datacenter: servers, network, and storage. In this version of Windows PowerShell, sessions to remote servers are resilient and can withstand various types of interruptions.
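The resilience mentioned above is implemented as disconnected sessions: a remote command keeps running on the server after the client drops, and its output can be collected later from the same or another workstation. The script below is an added example, not the document's own code, of that workflow. It assumes WinRM remoting is enabled on the target, that 'SRV01' is a placeholder computer name, and that the caller is a local administrator there.

```powershell
# Added example: Windows PowerShell 3.0 disconnected sessions.
# Assumptions: 'SRV01' is a placeholder; PowerShell remoting (WinRM) is enabled on it
# and the caller is a member of its local Administrators group.
$target = 'SRV01'

# 1. Queue the work in a session that is disconnected as soon as the command starts.
#    The session, and everything the command writes, stays alive on the server even if
#    this client loses its network connection or is shut down.
$session = Invoke-Command -ComputerName $target -InDisconnectedSession `
    -SessionName 'PatchAudit' -ScriptBlock {
        # Example workload: hotfixes installed in the last 30 days.
        Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) }
    }
$session | Select-Object Name, ComputerName, State, Availability

# 2. Later, possibly from a different management workstation, locate the session by
#    name. Get-PSSession -ComputerName queries the server for sessions owned by the
#    caller, so only the same user (or an administrator) can see it.
$pending = Get-PSSession -ComputerName $target -Name 'PatchAudit'
$pending | Select-Object Name, ComputerName, State, Availability

# 3. Reconnect and retrieve the output that accumulated while we were away.
$results = Receive-PSSession -Session $pending
$results | Format-Table HotFixID, Description, InstalledOn -AutoSize

# 4. Remove the session so the server does not keep its resources allocated.
Remove-PSSession -Session $pending
```

Disconnected sessions remain on the server until their idle timeout expires; treat them like any other logged-on session when reviewing a host, since Get-PSSession -ComputerName will show sessions left behind by earlier administrative work.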

3.7 Hybrid applications

The following capabilities in Windows Server 2012 help provide the flexibility to build and deploy hybrid applications on-premises and in the cloud:

• Programming symmetry across premises and the cloud: provides the ability to use the same development model across Windows Server 2012 and Windows Azure.

• Common development tools: Microsoft Visual Studio and Microsoft Team Foundation Server provide a rich development experience and offer Microsoft .NET developers a more complete environment to build cloud and on-premises applications.

• Connectivity for hybrid scenarios: enables integration of applications across Windows Server 2012 and Windows Azure through different levels of connectivity:
 - Application-layer connectivity and messaging through Windows Azure Service Bus.
 - Machine-to-machine connectivity across cloud and premises through Windows Azure Connect.

• Virtual machine portability across premises and cloud: offers the option, through Microsoft System Center or the services portal, to provision, manage, and move virtual machine images between Windows Server 2012 and Windows Azure.

3.8 Multitenancy

Network virtualization decouples server configuration from network configuration to provide a virtual dedicated network to each tenant. This allows seamless migration of workloads, while continuing to provide security isolation between tenants. Partners have the opportunity.

3.9 VDI Scenario

Growing adoption of VDI desktops in the enterprise requires tools that can help streamline deployment and management tasks for IT administrators. Windows Server 2012 provides a number of enhanced features that help to simplify and expedite these tasks, including:

• Simpler wizard-based setup procedures for Remote Desktop Services deployments.

• A unified management console for virtual desktops and session-based desktops and applications.

• Simplified creation, assignment, and patch management of pooled and personal virtual desktops.

• VDI in Windows Server 2012 Remote Desktop Services, which delivers a consistently rich experience to users on different devices, in various locations, and over changing network conditions.

Some of the key enhanced features in Windows Server 2012 supporting this experience include:

RemoteFX Adaptive Graphics: Provides improved graphics processing that enables smooth delivery of virtual desktop and RemoteApp programs. It also provides an enhanced Windows Aero and 3-D experience across various networks, including those with limited bandwidth and high latency.

RemoteFX for WAN: Delivers a number of technical improvements that enhance the user experience when connecting over wide area networks. This is especially important for people connecting from dispersed locations such as branch offices, homes, or hotels with low-bandwidth connections.

RemoteFX Multitouch: Lets users of new kinds of touch-enabled and gesture-enabled applications take advantage of these solutions in remote-desktop environments.

3.10 DAC - Dynamic Access Control

Further improvements to DAC have been added in Windows Server 2012. Previously, file security was handled at the file and folder levels, and IT professionals had little control over the way security was handled by users day to day. Now, by using Dynamic Access Control, you can restrict access to sensitive files, regardless of user actions, by establishing file security policy at the domain level and enforcing it across all Windows Server 2012 file servers. For instance, if a development engineer accidentally posts confidential files to a publicly shared folder, those files can still be protected from access by unauthorized users. In addition, security auditing is now more powerful than ever, and audit tools make it easier to prove compliance with regulatory standards, such as the requirement that access to health and biomedical information is guarded correctly and monitored regularly. Audit logs can also be collected with SCOM 2012.
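A domain-level policy is only as good as the evidence that it is applied and audited on each file server. The PowerShell below is an added example, not from the document, that inventories the central access policies defined in the domain, shows which policy a given folder carries, and checks the two audit subcategories that record the resulting access decisions. It assumes a Windows Server 2012 domain member with the ActiveDirectory module installed, and 'D:\Shares\Finance' is a placeholder path; the CentralAccessPolicyId and CentralAccessPolicyName properties are the ones Windows PowerShell 3.0 adds to Get-Acl output on Windows Server 2012 and are only populated where a policy is actually applied.

```powershell
# Added example: verify that Dynamic Access Control is applied and auditable.
# Assumptions: run as administrator on a Windows Server 2012 domain member with the
# ActiveDirectory module; $SharePath is a placeholder for a folder under DAC.
Import-Module ActiveDirectory
$SharePath = 'D:\Shares\Finance'   # placeholder

# 1. Central access policies in the domain and the central access rules each contains.
#    The policy object's Members property holds the distinguished names of its rules.
Get-ADCentralAccessPolicy -Filter * | ForEach-Object {
    $policy = $_
    [pscustomobject]@{
        Policy = $policy.Name
        Rules  = ($policy.Members | ForEach-Object {
                     (Get-ADCentralAccessRule -Identity $_).Name
                 }) -join ', '
    }
}

# 2. Which policy the folder actually carries. The policy ID is stored in the folder's
#    security descriptor; an empty value means no central policy is applied here,
#    which is the gap to look for on a server that should be enforcing DAC.
$acl = Get-Acl -Path $SharePath
[pscustomobject]@{
    Path                    = $SharePath
    CentralAccessPolicyId   = $acl.CentralAccessPolicyId
    CentralAccessPolicyName = $acl.CentralAccessPolicyName
    PolicyApplied           = [bool]$acl.CentralAccessPolicyName
}

# 3. Audit subcategories behind the compliance claim in the text: "File System" records
#    access checks against the policy, "Central Access Policy Staging" records the result
#    of comparing a proposed policy against the current one before it is enforced.
#    auditpol's /r switch emits CSV, which ConvertFrom-Csv turns into objects.
foreach ($subcategory in 'File System', 'Central Access Policy Staging') {
    auditpol /get /subcategory:"$subcategory" /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
```

If step 3 reports "No Auditing" for either subcategory, the domain policy may still be enforced, but nothing proves it after the fact; enable the subcategories through advanced audit policy before relying on the logs that SCOM or another collector gathers.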

4 Editions:

Windows Server 2012 has four editions: Foundation, Essentials, Standard and Datacenter.

Specification | Foundation | Essentials | Standard | Datacenter
Distribution | OEM only | Retail, volume licensing, OEM | Retail, volume licensing, OEM | Volume licensing and OEM
Licensing model | Per server | Per server | Per CPU pair[c] + CAL[d] | Per CPU pair[c] + CAL[d]
Processor chip limit[43] | 1 | 2 | 64[e] | 64[e]
Memory limit | 32 GB | 64 GB | 4 TB | 4 TB
User limit | 15 | 25 | Unlimited | Unlimited
File Services limits | 1 standalone DFS root | 1 standalone DFS root | Unlimited | Unlimited
Network Policy and Access Services limits | 50 RRAS connections and 10 IAS connections | 250 RRAS connections, 50 IAS connections, and 2 IAS Server Groups | Unlimited | Unlimited
Remote Desktop Services limits | 50 Remote Desktop Services connections | Gateway only | Unlimited | Unlimited
Virtualization rights | N/A | Either in 1 VM or 1 physical server, but not both at once | 2 VMs[c] | Unlimited
DHCP role | Yes | Yes | Yes | Yes
DNS server role | Yes | Yes | Yes | Yes
Fax server role | Yes | Yes | Yes | Yes
UDDI Services | Yes | Yes | Yes | Yes
Print and Document Services | Yes | Yes | Yes | Yes
Web Services (Internet Information Services) | Yes | Yes | Yes | Yes
Windows Deployment Services | Yes | Yes | Yes | Yes
Windows Server Update Services | No | Yes | Yes | Yes
Active Directory Lightweight Directory Services | Yes | Yes | Yes | Yes
Active Directory Rights Management Services | Yes | Yes | Yes | Yes
Application server role | Yes | Yes | Yes | Yes
Server Manager | Yes | Yes | Yes | Yes
Windows PowerShell | Yes | Yes | Yes | Yes
Active Directory Domain Services | Must be root of forest and domain | Must be root of forest and domain | Yes | Yes
Active Directory Certificate Services | Certificate Authorities only | Certificate Authorities only | Yes | Yes
Active Directory Federation Services | Yes[50] | No | Yes | Yes
Server Core mode | No | No | Yes | Yes
Hyper-V | No | No | Yes | Yes


5 Hyper-V Comparison – Windows Server 2008 R2 vs Windows Server 2012

5.1 Processor and Memory Support

Processor/Memory Feature | Windows Server 2008 R2 | Windows Server 2012
Logical processors on hardware | 64 | 320
Physical memory | 1 TB | 4 TB
Virtual processors per host | 512 | 2,048
Virtual processors per virtual machine | 4 | 64
Memory per virtual machine | 64 GB | 1 TB
Active virtual machines | 384 | 1,024
Maximum cluster nodes | 16 | 64
Maximum cluster virtual machines | 1,000 | 8,000

5.2 Network

Network Feature | Windows Server 2008 R2 | Windows Server 2012
NIC Teaming | Yes, through partners | Yes, Windows NIC Teaming in box
VLAN Tagging | Yes | Yes
MAC spoofing protection | Yes, with R2 SP1 | Yes
ARP spoofing protection | Yes, with R2 SP1 | Yes
SR-IOV networking | No | Yes
Network QoS | No | Yes
Network metering | No | Yes
Network monitor modes | No | Yes
IPsec task offload | No | Yes
VM Trunk Mode | No | Yes
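The spoofing-protection and monitor-mode rows above are per-virtual-NIC settings, so a host can be "protected" on paper while individual VMs have the guards switched off. The script below is an added example, not part of the document, that audits those settings across every VM on a Windows Server 2012 Hyper-V host and re-applies the hardened values. It assumes the Hyper-V PowerShell module is installed, the caller is a Hyper-V administrator, and 'NLB-NODE1' is a placeholder for a VM that legitimately needs MAC spoofing (for example a guest running Network Load Balancing).

```powershell
# Added example: audit and harden per-VM network adapter protections on a Hyper-V host.
# Assumptions: Hyper-V PowerShell module installed; caller is a Hyper-V administrator;
# $allowSpoofing is a placeholder allow-list maintained by the administrator.
Import-Module Hyper-V

# MacAddressSpoofing  : Off blocks a guest from sending frames with a forged source MAC
#                       (the "MAC spoofing protection" row above).
# DhcpGuard/RouterGuard: On drops DHCP server replies and router advertisements or
#                       redirects originating from the guest, so a compromised VM cannot
#                       pose as network infrastructure for its neighbours.
# PortMirroringMode   : anything but None means the VM is a source or destination for
#                       port mirroring (the "network monitor modes" row above).
$report = Get-VMNetworkAdapter -VMName * |
    Select-Object VMName, Name, SwitchName,
                  MacAddressSpoofing, DhcpGuard, RouterGuard, PortMirroringMode

$report | Format-Table -AutoSize

# Adapters that deviate from the hardened baseline.
$weak = $report | Where-Object {
    $_.MacAddressSpoofing -eq 'On'  -or
    $_.DhcpGuard          -eq 'Off' -or
    $_.RouterGuard        -eq 'Off' -or
    $_.PortMirroringMode  -ne 'None'
}

# Remediate, skipping VMs on the allow-list. Mirroring is reported but not changed,
# because a monitoring VM that is meant to mirror traffic should be reviewed by a
# person rather than silently reconfigured.
$allowSpoofing = @('NLB-NODE1')   # placeholder allow-list
foreach ($nic in $weak) {
    if ($allowSpoofing -contains $nic.VMName) { continue }
    Set-VMNetworkAdapter -VMName $nic.VMName -Name $nic.Name `
        -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On
}
```

Run the audit portion on its own first (or add -WhatIf to Set-VMNetworkAdapter) and keep the allow-list in version control, since every entry in it is a VM that can legitimately send with a MAC it does not own.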

5.3 Storage

Storage Feature | Windows Server 2008 R2 | Windows Server 2012
Live storage migration | No, quick storage migration through System Center Virtual Machine Manager | Yes, with no limits (as many as the hardware will allow)
Virtual machines on file storage | No | Yes, Server Message Block 3.0 (SMB3)
Guest Fibre Channel | No | Yes
Virtual disk format | VHD up to 2 TB | VHD up to 2 TB; VHDX up to 64 TB
Virtual machine guest clustering | Yes, through iSCSI | Yes, through iSCSI, Fibre Channel, or Fibre Channel over Ethernet (FCoE)
Native 4 KB disk support | No | Yes
Live virtual hard disk merge | No, offline | Yes
Live new parent | No | Yes
Secure offloaded data transfer | No | Yes

5.4 Manageability

Manageability Feature | Windows Server 2008 R2 | Windows Server 2012
Hyper-V PowerShell | No | Yes
Network PowerShell | No | Yes
Storage PowerShell | No | Yes
REST APIs | No | Yes
SCONFIG | Yes | Yes
Enable/Disable shell | No, server core at operating system setup | Yes
VMConnect support for RemoteFX | No | Yes


6 Hyper-V Component Architecture:

6.1 Windows 2012 Hyper-V Component Architecture.

6.2 Windows 2012 R2 Hyper-V Component Architecture.


7 Installing Windows Server 2012 (step by step)

7.1 Insert the Windows Server 2012 DVD, and when the following message appears, press Enter to boot from the setup media.

7.2 Wait a while until the setup loads all necessary files (depending on your machine, this will take a couple of minutes).

7.3 Once the setup files are loaded, the setup starts with the following screen. You can change these settings to meet your needs (the default values should be fine for now).

7.4 Once you click Next, you can start the installation by clicking "Install now".

7.5 You will see the following screen, wait until it finishes loading

7.6 In the following setup screen, you will see four options. Select Windows Server 2012 Datacenter Evaluation (Server with GUI).

7.7 After you click Next on the previous screen, read the license terms, tick "I accept the license terms" and click Next.

7.8 Now it will ask you for the drive (or partition) you want to install Windows on. Here I'm installing it on the one partition I have. NOTE: This will remove the content of the partition. Either create a partition to install Windows on, or test this on a testing machine.

7.9 Once you have picked the partition, clicking Next on the previous screen starts the setup. This process might take a while.

7.10 Once the setup is done, it will restart and start your Windows Server 2012 for the first time. It will ask you then to set up a password for the Administrator user.

7.11 The setup will finalize your settings; this might take a couple of minutes.

7.12 Once the setup is done, you can log in for the first time to your Windows Server, as the screen says, press Ctrl+Alt+Delete to log in, and use the password you set in the setup process.

7.13 Once you log in, Windows Server 2012 will show the Server Manager.

Congratulations! You now have Windows Server 2012 Datacenter installed.

Domain Controller 2012

Definition of Domain Controller: On Microsoft Servers, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain.[1][2] A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

1 Prerequisites:

1.1 Download Windows Server 2012. If you plan on completing this Step-By-Step in a virtual lab, it is recommended to download the FREE Hyper-V Server 2012 first.

1.2 Check to ensure the Domain Functional Level is currently set to at least Windows 2003 mode. This is the lowest Domain Functional Level that allows a Windows Server 2012 Domain Controller installation. Windows NT / 2000 Domain Controllers are not supported via this process.

a) In the Active Directory Users and Computers console, right-click the domain.

b) Select Raise Domain Functional Level and review the current domain functional level reported.

The Domain Functional Level does not need to be raised if the current domain functional level reported is Windows Server 2003. NOTE: Should a lower level be shown (i.e., Windows 2000), keep in mind that raising the Domain Functional Level is a one-time action and cannot be reverted. Remember that Windows NT / 2000 Domain Controllers are not supported via this process.

1.3 Ensure your profile is a member of the Enterprise Admins group.

Getting Started

a) Set up and install your Windows Server 2012 machine.

b) Configure the new server's IP address to correspond to the target domain and ensure the existing Domain Controllers, where DNS is installed and configured, are visible to your new Windows Server 2012 install.

Installation or Deploying Domain controller in Windows 2012

2 Installation of Domain Controller

a. Open the Server Manager console and click on Add roles and features.

b. Select Role-based or feature-based installation and select 'Next'.

c. Select the Active Directory Domain Services role.

d. Accept the default features required by clicking the Add Features button.

On the Features screen click the Next button.

e. On the Confirm installation selections screen click the Install button.

NOTE: Tick the Restart the destination server automatically if required box to expedite the install if the target server can be restarted automatically.

f. Click the Close button once the installation has been completed.

g. Once completed, a notification is made available on the dashboard, highlighted by an exclamation mark. Select it and from the drop-down menu select Promote this server to a domain controller.

h. Select Add a domain controller to an existing domain.

i. Ensure the target domain is specified. If it is not, either select the proper domain or enter it in the field provided.

j. Click Change, provide the required Enterprise Administrator credentials and click the Next button.

k. Define whether the server should be a Domain Name System (DNS) server and a Global Catalog (GC). Select the site to which this DC belongs and define the Directory Services Restore Mode (DSRM) password for this DC.

l. Click the Next button on the DNS options screen.

m. In the Additional Options screen you are provided with the option to install the Domain Controller from Install From Media (IFM). Additionally, you can select the domain controller from which replication should be completed; if not specified, the server will choose the best source for AD database replication. Click the Next button once completed.

n. Specify location for AD database and SYSVOL and Click the Next button.

o. Next up is the schema and domain preparation. Alternatively, you can run Adprep before starting these steps; regardless, if Adprep has not been run, it will be completed automatically on your behalf.

p. Finally, the Review Options screen provides a summary of all of the selected options for server promotion. As an added bonus, clicking the View Script button provides the PowerShell script to automate future installations. Click the Next button to continue.

q. Should all the prerequisites pass, click the Install button to start the installation.

r. After it completes the required tasks and the server restarts, the new Windows Server 2012 Domain Controller setup is completed.

s. Lastly, each server/workstation within the target domain needs its NIC DNS configuration updated to point to the new Domain Controller. Open the DHCP management console, select Option 006 under the server/scope options and add the IP address of your new Domain Controller as a DNS server.
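The Server Manager steps above as an added PowerShell example, not part of this document: it installs the role, applies the functional-level check from section 1.2, runs the same prerequisite validation the wizard runs, promotes the server and sets DHCP option 006. The domain corp.example.com, the names DC01 and dhcp01 and the addresses 10.0.0.10 and 10.0.0.11 are constructed for illustration.

```powershell
# Added example (not the document's own script). Constructed values: domain
# corp.example.com, replication partner DC01 (10.0.0.10), DHCP server dhcp01,
# new DC address 10.0.0.11.
$domainName = 'corp.example.com'

# Steps a-f: install the AD DS role; -IncludeManagementTools also brings the
# ActiveDirectory and ADDSDeployment PowerShell modules used below.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# Section 1.3: an Enterprise Admins credential, prompted rather than hard-coded
$cred = Get-Credential -Message "Enterprise Admins account for $domainName"

# Section 1.2: the domain functional level must be at least Windows Server 2003
$domain = Get-ADDomain -Identity $domainName -Credential $cred
$minimumMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
if ($domain.DomainMode -lt $minimumMode) {
    throw "Domain functional level is $($domain.DomainMode); an NT/2000-level domain cannot take a Windows Server 2012 DC"
}

# Step k: the DSRM password is read as a SecureString
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Steps h-n as parameters. Omitting -NoGlobalCatalog keeps the Global Catalog default.
$promotion = @{
    DomainName                    = $domainName
    Credential                    = $cred
    InstallDns                    = $true                      # step k: DNS server
    SiteName                      = 'Default-First-Site-Name'  # step k: site
    SafeModeAdministratorPassword = $dsrmPassword              # step k: DSRM password
    ReplicationSourceDC           = "DC01.$domainName"         # step m (omit to let AD DS choose)
    DatabasePath                  = 'C:\Windows\NTDS'          # step n
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Force                         = $true                      # no confirmation prompts
}

# Step q: the wizard's prerequisite checks are exposed as a cmdlet; stop on failure
$check = Test-ADDSDomainControllerInstallation @promotion
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite validation failed; fix the reported conditions before promoting'
}

# Steps o-r: promote. Forest/domain preparation (adprep) runs automatically when
# needed and the server reboots on completion.
Install-ADDSDomainController @promotion

# Step s, run from a host with the DhcpServer module once the new DC is back up:
# publish the new DC through DHCP option 006 (server-wide here; add -ScopeId for
# a single scope). The new DC is listed first, the existing DC second.
Set-DhcpServerv4OptionValue -ComputerName "dhcp01.$domainName" -DnsServer '10.0.0.11', '10.0.0.10'
```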

Should you see one of our #CANITPRO Step-By-Step posts in any social media venue, feel free to contribute thoughts and additional ideas. Additionally, feel free to connect with us on any topic you would like to see covered. We are always happy to oblige.

3 What's New in Windows Server 2012 Domain controller?

Note: This session covers basic information about the new Domain Controller 2012 features. Some of the points are already covered in the Windows 2012 Features session.

The content in this section describes what's new and changed in Windows Server 2012. This content focuses on changes that will potentially have the greatest impact on your use of this release.

3.1 What's New in Certificate Services in Windows Server 2012

Active Directory Certificate Services (AD CS) in Windows Server 2012 provides multiple new features and capabilities over previous versions. This document describes new deployment, manageability, and capabilities added to AD CS in Windows Server 2012.

3.2 What's New in Active Directory Domain Services (AD DS)

Active Directory Domain Services (AD DS) in Windows Server 2012 includes new features that make it simpler and faster to deploy domain controllers (both on-premises and in the cloud), more flexible and easier to both audit and authorize access to files with Dynamic Access Control, and easier to perform administrative tasks at scale, either locally or remotely, through consistent graphical and scripted management experiences.

3.3 What's New in Active Directory Rights Management Services (AD RMS)?

Active Directory Rights Management Services (AD RMS) is the server role that provides you with management and development tools that work with industry security technologies, including encryption, certificates, and authentication, to help organizations create reliable information protection solutions.

3.4 What's New in BitLocker for Windows 8 and Windows Server 2012

BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen.

3.5 What's New in BranchCache

BranchCache in Windows Server 2012 and Windows 8 provides substantial performance, manageability, scalability, and availability improvements.

3.6 What's New in DFS Namespaces and DFS Replication in Windows Server 2012

DFS Namespaces and DFS Replication in Windows Server 2012 provide new management functionality as well as interoperability with DirectAccess and Data Deduplication.

3.7 What's New in DHCP in Windows Server 2012

Dynamic Host Configuration Protocol (DHCP) is an Internet Engineering Task Force (IETF) standard designed to reduce the administration burden and complexity of configuring hosts on a TCP/IP-based network, such as a private intranet.

3.8 What's New in DNS

Domain Name System (DNS) services in Windows Server 2012 and Windows 8 are used in TCP/IP networks for naming computers and network services. DNS naming locates computers and services through user-friendly names.

3.9 New and changed functionality in File and Storage Services

File and Storage Services provides a number of new management, scalability, and functionality improvements in Windows Server 2012.

3.10 What's New in Failover Clustering in Windows Server 2012

Failover clusters provide high availability and scalability to many server workloads. These include file share storage for server applications such as Hyper-V and Microsoft SQL Server, and server applications that run on physical servers or virtual machines.

3.11 What's New in File Server Resource Manager in Windows Server 2012

File Server Resource Manager provides a set of features that allow you to manage and classify data that is stored on file servers.

3.12 What's New in Group Policy in Windows Server 2012

Group Policy is an infrastructure that enables you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.

3.13 What's New in Hyper-V

The Hyper-V role enables you to create and manage a virtualized computing environment by using virtualization technology that is built in to Windows Server 2012. Hyper-V virtualizes hardware to provide an environment in which you can run multiple operating systems at the same time on one physical computer, by running each operating system in its own virtual machine.

3.14 What's New in IPAM in Windows Server 2012

IP Address Management (IPAM) is an entirely new feature in Windows Server 2012 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network.

3.15 What's New in Kerberos Authentication

The Microsoft Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key and password-based authentication. The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI).

3.16 What's New for Managed Service Accounts

Standalone Managed Service Accounts, which were introduced in Windows Server 2008 R2 and Windows 7, are managed domain accounts that provide automatic password management and simplified SPN management, including delegation of management to other administrators.

3.17 What's New in Networking in Windows Server 2012

Discover new networking technologies and new features for existing technologies in Windows Server 2012. Technologies covered include BranchCache, Data Center Bridging, NIC Teaming, and more.

3.18 What's New in Remote Desktop Services in Windows Server 2012

The Remote Desktop Services server role in Windows Server 2012 provides technologies that enable users to connect to virtual desktops, RemoteApp programs, and session-based desktops. With Remote Desktop Services, users can access remote connections from within a corporate network or from the Internet.

3.19 What's new in Security Auditing

Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is to verify regulatory compliance.

3.20 What's new in Server Manager

In this blog post, senior Server Manager program manager Wale Martins describes the innovations and value of the new Server Manager. Server Manager in Windows Server 2012 lets administrators manage multiple, remote servers that are running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.

3.21 What's New in Smart Cards

Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources.

3.22 What's New in TLS/SSL (Schannel SSP)

Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. The Security Support Provider Interface (SSPI) is an API used by Windows systems to perform security-related functions including authentication.

3.23 What's New in Windows Deployment Services in Windows Server 2012

Windows Deployment Services is a server role that enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation.

3.24 What's new in Windows PowerShell 3.0

Windows PowerShell 3.0 includes many new features and improvements in the scripting and automation experience, such as Windows PowerShell Workflow, multiple new features in Windows PowerShell ISE to help make scripting and debugging faster and easier, updatable Help, Windows PowerShell Web Access, and over 2,200 new cmdlets and functions.

4 What's New in Active Directory Domain Services (AD DS)

You can use Active Directory Domain Services (AD DS) in Windows Server 2012 to more rapidly and easily deploy domain controllers (on-premises and in the cloud), increase flexibility when auditing and authorizing access to files, and more easily perform administrative tasks at scale (locally or remotely) through consistent graphical and scripted management experiences. AD DS improvements in Windows Server 2012 include:

4.1 Virtualization that just works. Windows Server 2012 provides greater support for the capabilities of public and private clouds through virtualization-safe technologies and the rapid deployment of virtual domain controllers through cloning.

4.2 Simplified deployment and upgrade preparation. The upgrade and preparation processes (dcpromo and adprep) have been replaced with a new streamlined domain controller promotion wizard that is integrated with Server Manager and built on Windows PowerShell. It validates prerequisites, automates forest and domain preparation, requires only a single set of logon credentials, and it can remotely install AD DS on a target server.

4.3 Simplified management Examples of simplified management include the integration of claims-based authorization into AD DS and the Windows platform, two critical components of a broader feature known as Dynamic Access Control (DAC). DAC comprises central access policies, directory attributes, the Windows file-classification engine, and compound-identities that combine user and machine identity into one. In addition, the Active Directory Administrative Center (ADAC) now allows you to perform graphical tasks that automatically generate the equivalent Windows PowerShell commands. The commands can be easily copied and pasted into a script simplifying the automation of repetitive administrative actions.

4.4 AD DS Platform Changes The AD DS platform comprises core functionality, including the "under-the-covers" behaviors that govern the components upon which the rest of the directory service is built. Updates to the AD DS platform include improved allocation and scale of RIDs (relative identifiers), deferred index creation, various Kerberos enhancements and support for Kerberos claims (see Dynamic Access Control) in AD FS.

Active Directory and AD DS has been at the center of IT infrastructure for over 10 years, and its features, adoption, and business-value have grown release over release. Today, the majority of that Active Directory infrastructure remains on the premises, but there is an emerging trend toward cloud computing. The adoption of cloud computing, however, will not occur overnight, and migrating suitable on-premises workloads or applications is an incremental and long-term exercise. New hybrid infrastructures will emerge, and it is essential that AD DS support the needs of these new and unique deployment models that include services hosted entirely in the cloud, services that comprise cloud and on-premises components, and services that remain exclusively on the premises. These hybrid models will increase the importance, visibility, and emphasis around security and compliance, and they will compound the already complex and time-consuming exercise of ensuring that access to corporate data and services is appropriately audited and accurately expresses the business intent.

The following sections describe how AD DS in Windows Server 2012 addresses these emerging needs.

For more information about installing AD DS, see Deploy Active Directory Domain Services (AD DS) in Your Enterprise and Upgrade Domain Controllers to Windows Server 2012.

5 Virtualization that just works

5.1 Rapid deployment with cloning

AD DS in Windows Server 2012 allows you to deploy replica virtual domain controllers by "cloning" existing virtual domain controllers. You can promote a single virtual domain controller by using the domain controller promotion interface in Server Manager, and then rapidly deploy additional virtual domain controllers within the same domain, through cloning.

The process of cloning involves creating a copy of an existing virtual domain controller, authorizing the source domain controller to be cloned in AD DS, and running Windows PowerShell cmdlets to create a configuration file that contains detailed promotion instructions (name, IP address, Domain Name System [DNS] servers, and so on). Or you can leave the configuration file empty, which allows the system to automatically fill in the information. Cloning reduces the number of steps and time involved by eliminating repetitive deployment tasks, and it enables you to fully deploy additional domain controllers that are authorized and configured for cloning by the Active Directory domain administrator.

For detailed information about virtualized domain controller cloning, see Active Directory Domain Services (AD DS) Virtualization.
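The cloning workflow just described, as an added PowerShell example that is not from this document. DC01 (the source virtual DC), DC02 (the clone, static address 10.0.0.12/24), the Hyper-V host HV01 and the export paths are constructed values; the first half runs on the source DC, the second on the Hyper-V host.

```powershell
# Added example (not the document's own). Constructed names: source DC DC01,
# clone DC02, Hyper-V host HV01, export folder D:\Export, VM folder D:\VMs.

# ---- Part 1, on the source DC (DC01) ----
Import-Module ActiveDirectory

# Cloning requires the PDC emulator to run Windows Server 2012; stop if it is older
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notlike '*2012*') {
    throw "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem); move the role to a 2012 DC first"
}

# "Authorizing the source domain controller to be cloned in AD DS" is membership of
# the Cloneable Domain Controllers group; only a domain administrator can grant it
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'DC01')

# Refuse to clone while software not known to be clone-safe is installed. The cmdlet
# returns nothing when every installed service/program is on the default or custom allow list.
$unsafeApps = Get-ADDCCloningExcludedApplicationList
if ($unsafeApps) {
    $unsafeApps
    throw 'Verify these applications first; -GenerateXml then writes CustomDCCloneAllowList.xml for them'
}

# Write DCCloneConfig.xml with the promotion instructions for the clone. Leaving out
# -Static and the network parameters lets the system fill the values in automatically.
New-ADDCCloneConfigFile -CloneComputerName 'DC02' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.10'

# ---- Part 2, on the Hyper-V host (HV01) ----
# The source DC is shut down cleanly before it is copied; never clone from a snapshot
Stop-VM -Name 'DC01'
Export-VM -Name 'DC01' -Path 'D:\Export'

# Import the export as a copy with a new VM ID. The new ID changes the VM GenerationID,
# which is what tells the booting copy that it is a clone: it then reads
# DCCloneConfig.xml and promotes itself as DC02 instead of coming up as a second DC01.
$config = Get-ChildItem -Path 'D:\Export\DC01\Virtual Machines' -Filter '*.xml' | Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\DC02' -VhdDestinationPath 'D:\VMs\DC02'
Rename-VM -VM $clone -NewName 'DC02'

Start-VM -Name 'DC01'
Start-VM -Name 'DC02'
```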

5.2 Safer virtualization of domain controllers

AD DS has been virtualized for several years, but features present in most hypervisors can invalidate strong assumptions made by the Active Directory replication algorithms. Primarily, the logical clocks that are used by domain controllers to determine relative levels of convergence only go forward in time. In Windows Server 2012, a virtual domain controller uses a unique identifier that is exposed by the hypervisor. This is called the virtual machine GenerationID. The virtual machine GenerationID changes whenever the virtual machine experiences an event that affects its position in time. The virtual machine GenerationID is exposed to the virtual machine's address space within its BIOS, and it is made available to the operating system and applications through a driver in Windows Server 2012.

During boot and before completing any transaction, a virtual domain controller running Windows Server 2012 compares the current value of the virtual machine GenerationID against the value that it stored in the directory. A mismatch is interpreted as a "rollback" event, and the domain controller employs AD DS safeguards that are new in Windows Server 2012. These safeguards allow the virtual domain controller to converge with other domain controllers, and they prevent the virtual domain controller from creating duplicate security principals. For Windows Server 2012 virtual domain controllers to gain this extra level of protection, the virtual domain controller must be hosted on a virtual machine GenerationID-aware hypervisor such as Windows Server 2012 with the Hyper-V role.

For detailed information about the virtualization-safe technology feature, see Active Directory Domain Services (AD DS) Virtualization.
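An added read-only check of the safeguard described above, not from this document, to run on a Windows Server 2012 virtual DC: it reads the GenerationID the DC stored in its own computer object (the msDS-GenerationId attribute) and lists the Directory Service events that record a detected change; event ID 2170 is assumed here to be that change-detected event.

```powershell
# Added example (not the document's own). Assumptions: msDS-GenerationId on the DC's
# computer object holds the stored value; Directory Service event 2170 records each
# detected GenerationID change.
Import-Module ActiveDirectory

$self = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId'
$stored = $self.'msDS-GenerationId'
if (-not $stored) {
    # No stored value means the DC has never booted on a GenerationID-aware hypervisor,
    # so the snapshot-rollback safeguards described in 5.2 are not in effect for it
    Write-Warning 'No msDS-GenerationId stored: virtualization-safe protection is not active on this DC'
} else {
    'Stored VM GenerationID: ' + [BitConverter]::ToString([byte[]]$stored)
}

# Every detected change (snapshot applied, import, restore) is logged. On a production
# DC each one should correspond to a planned operation; an unexplained entry is a
# rollback or restore that warrants investigation of the DC's replication state.
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170 } -ErrorAction SilentlyContinue
if ($changes) {
    "$(@($changes).Count) GenerationID change(s) recorded on this DC:"
    $changes | ForEach-Object { '{0:u}  {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0] }
} else {
    'No GenerationID change recorded'
}
```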

5.3 Simplified deployment and upgrade preparation

AD DS deployment in Windows Server 2012 integrates all the required steps to deploy new domain controllers into a single graphical interface. It requires only one enterprise-level credential, and it can prepare the forest or domain by remotely targeting the appropriate operations master roles. The new deployment process conducts extensive prerequisite validation tests that minimize the opportunity for errors that might otherwise have blocked or slowed the installation. The AD DS installation process is built on Windows PowerShell, integrated with Server Manager, able to target multiple servers, and able to remotely deploy domain controllers, which results in a deployment experience that is simpler, more consistent, and less time consuming. The following figure shows the AD DS Configuration Wizard in Windows Server 2012.

Figure 1 AD DS Configuration Wizard

An AD DS installation includes the following features:

5.3.1 Adprep.exe integration into the AD DS installation process. Reduces the time required to install AD DS and reduces the chances for errors that might block domain controller promotion.

5.3.2 The AD DS server role installation, which is built on Windows PowerShell and can be run remotely on multiple servers. Reduces the likelihood of administrative errors and the overall time that is required for installation, especially when you are deploying multiple domain controllers across global regions and domains.

5.3.3 Prerequisite validation in the AD DS Configuration Wizard. Identifies potential errors before the installation begins. You can correct error conditions before they occur without the concerns that result from a partially complete upgrade.

5.3.4 Configuration pages grouped in a sequence that mirror the requirements of the most common promotion options, with related options grouped in fewer wizard pages. Provides better context for making installation choices and reduces the number of steps and time that are required to complete the domain controller installation.

5.3.5 A wizard that exports a Windows PowerShell script that contains all the options that were specified during the graphical installation. Simplifies the process by automating subsequent AD DS installations through automatically generated Windows PowerShell scripts.

For detailed information about AD DS integration with Server Manager see Deploy Active Directory Domain Services (AD DS) in Your Enterprise.

5.4 Simplified management

Numerous areas were addressed with a view towards simplifying the AD DS management experience. These areas include:

5.4.1 Dynamic Access Control

5.4.2 DirectAccess Offline Domain Join

5.4.3 Active Directory Federation Services (AD FS)

5.4.4 Windows PowerShell History Viewer

5.4.5 Active Directory Recycle Bin User Interface

5.4.6 Fine-Grained Password Policy User Interface

5.4.7 Active Directory Replication and Topology Windows PowerShell cmdlets

5.4.8 Active Directory Based Activation (AD BA)

5.4.9 Group Managed Service Accounts (gMSA)

5.4.1 Dynamic Access Control

Today, it is difficult to translate business-intent using the existing authorization model. The existing capabilities of access control entries (ACEs) make it hard or impossible to fully express requirements. In addition, there are no central administration capabilities. Finally, modern-day increases in regulatory and business requirements around compliance further compound the problem.

Windows Server 2012 AD DS addresses these challenges by introducing:

A new claims-based authorization platform that enhances, not replaces, the existing model, which includes:

User-claims and device-claims

User + device claims (also known as compound identity)

New central access policies (CAP) model

Use of file-classification information in authorization decisions

Easier access-denied remediation experience

Access policies and audit policies can be defined flexibly and simply:

IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor

Requirements:

One or more Windows Server 2012 domain controllers

Windows Server 2012 file server

Enable the claims-policy in the Default Domain Controllers Policy

Windows Server 2012 Active Directory Administrative Center

For device-claims, compound ID must be switched on at the target service account by using Group Policy or editing the object directly

For more information about Dynamic Access Control see the Dynamic Access Control section of the technical library.

5.4.2 DirectAccess Offline Domain Join

The offline domain-join feature that was added to AD DS in Windows Server 2008 R2 effectively allows client computers to be joined to a domain without requiring network connectivity to a domain controller, but the client computer could not also be preconfigured for DirectAccess as part of the domain join.

Windows Server 2012 AD DS provides the following improvements:

Extends offline domain-join by allowing the blob to accommodate DirectAccess prerequisites

Certs

Group Policies

What does this mean?

A computer can now be domain-joined over the Internet if the domain is DirectAccess enabled

Getting the blob to the non-domain-joined machine is an offline process and the responsibility of the administrator

Requirements

Windows Server 2012 domain controllers

For more information, see DirectAccess Offline Domain Join.
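
As an added example (not from this document), the provisioning and join steps with djoin.exe, which is the tool that produces and consumes the blob described above. The domain, OU, machine name, GPO name and certificate template are hypothetical.

```powershell
# Added example, not from the original document. Hypothetical domain, machine,
# OU, GPO and certificate-template names. Run the provisioning step on a
# Windows Server 2012 DC (or a member with RSAT) as an account allowed to
# create computer objects in the target OU.
$domain   = 'corp.example.com'
$machine  = 'DA-CLIENT01'
$blobPath = "C:\odj\$machine.txt"

# /POLICYNAMES embeds the named GPOs in the blob, /ROOTCACERTS adds the root CA
# certificates and /CERTTEMPLATE enrolls the machine certificate DirectAccess
# uses for IPsec. These are the "DirectAccess prerequisites" the text refers to.
djoin.exe /PROVISION /DOMAIN $domain /MACHINE $machine `
    /MACHINEOU "OU=DirectAccess Clients,DC=corp,DC=example,DC=com" `
    /POLICYNAMES "DirectAccess Client Settings" `
    /ROOTCACERTS /CERTTEMPLATE "DirectAccessClientAuth" `
    /SAVEFILE $blobPath
if ($LASTEXITCODE -ne 0) { throw "djoin provisioning failed with exit code $LASTEXITCODE" }

# The blob carries the machine account password and a certificate, so treat it
# as a credential: move it to the client out of band and never leave it on a share.
Get-ADComputer -Identity $machine | Select-Object Name, Enabled, DistinguishedName

# --- On the non-domain-joined client (offline), as a local administrator ---
# /LOCALOS applies the blob to the running OS; /WINDOWSPATH must point at it.
djoin.exe /REQUESTODJ /LOADFILE "C:\odj\DA-CLIENT01.txt" /WINDOWSPATH $env:SystemRoot /LOCALOS
if ($LASTEXITCODE -eq 0) { Remove-Item "C:\odj\DA-CLIENT01.txt" -Force }
# Reboot. The DirectAccess policy and certificate from the blob let the machine
# reach the domain controllers over the Internet without ever touching the LAN.
```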

5.4.3 Active Directory Federation Services (AD FS)

AD FS v2.0 shipped out-of-band of the Windows Server release. In Windows Server 2012, AD FS (v2.1) ships in-the-box as a server role. This provides:

Simplified trust-setup and automatic trust management

SAML-protocol support

Extensible attribute store

Allows claims to be sourced from anywhere in the enterprise

Active Directory Lightweight Directory Service (AD LDS) and SQL attribute-store providers supplied out-of-the-box

Requirements

Windows Server 2012

For detailed information about AD FS in Windows Server 2012, see AD FS.

5.4.4 Windows PowerShell History Viewer

Windows PowerShell is a key technology in creating a consistent experience between the command-line and the graphical user interface. Windows PowerShell increases productivity, but also requires investment in learning how to use it.

To minimize the learning investment, Windows Server 2012 includes the new Windows PowerShell History Viewer. The benefits include:

Allow administrators to view the Windows PowerShell commands executed when using the Active Directory Administrative Center. For example:

The administrator adds a user to a group

The UI displays the equivalent Windows PowerShell for Active Directory command

The administrator copies the resulting syntax and integrates it into a script

Reduces Windows PowerShell learning-curve

Increases confidence in scripting

Further enhances Windows PowerShell discoverability

Requirements

Windows Server 2012 Active Directory Administrative Center

For more information about the Windows PowerShell History Viewer, see Active Directory Administrative Center Enhancements.

5.4.5 Active Directory Recycle Bin User Interface

The Active Directory Recycle Bin feature introduced with Windows Server® 2008 R2 provided an architecture permitting complete object recovery. Scenarios that require object recovery by using the Active Directory Recycle Bin are typically high-priority, such as recovery from accidental deletions, for example, resulting in failed logons or work stoppages. But the absence of a rich, graphical user interface complicated its usage and slowed recovery.

To address this challenge, Windows Server 2012 AD DS has a user interface for the Active Directory Recycle Bin that provides the following advantages:

Simplifies object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center (ADAC)

Deleted objects can now be recovered within the graphical user interface

Reduces recovery-time by providing a discoverable, consistent view of deleted object

Requirements

Recycle Bin requirements must be met:

Windows Server 2008 R2 forest functional level

Recycle Bin optional-feature must be enabled

Windows Server 2012 Active Directory Administrative Center

Objects requiring recovery must have been deleted within Deleted Object Lifetime (DOL)

By default, DOL is set to 180 days

For more information about the user interface for AD DS Recycle Bin, see Active Directory Administrative Center Enhancements.
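
The requirements above can be checked, and an accidental deletion reversed, with the Active Directory module; the following is an added example, not from this document. The forest name corp.example.com and the deleted user jdoe are hypothetical.

```powershell
# Added example, not from the original document. Assumes the ActiveDirectory
# module and a hypothetical forest corp.example.com / deleted user jdoe.
Import-Module ActiveDirectory

function Test-ADRecycleBinReady {
    # Checks the prerequisites listed above: forest functional level, the optional
    # feature, and how long deleted objects stay recoverable (DOL).
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $cfgNC   = (Get-ADRootDSE).configurationNamingContext
    $dsObj   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                   -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    # When msDS-DeletedObjectLifetime is unset, the DOL follows tombstoneLifetime.
    $dol = if ($dsObj.'msDS-DeletedObjectLifetime') { $dsObj.'msDS-DeletedObjectLifetime' }
           else { $dsObj.tombstoneLifetime }
    [pscustomobject]@{
        ForestMode                = $forest.ForestMode
        ForestModeOk              = ([int]$forest.ForestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest)
        RecycleBinEnabled         = ($feature.EnabledScopes.Count -gt 0)
        DeletedObjectLifetimeDays = $dol
    }
}

function Restore-ADDeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Deleted objects keep sAMAccountName, so it is a stable handle for the search.
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
                   -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted object with sAMAccountName $SamAccountName (past the DOL?)" }
    # Restore-ADObject fails when the last known parent is itself deleted
    # (a deleted OU, for instance), so restore the parent first.
    $parent = Get-ADObject -Identity $deleted.lastKnownParent -IncludeDeletedObjects `
                  -Properties isDeleted -ErrorAction SilentlyContinue
    if ($parent -and $parent.isDeleted) { Restore-ADObject -Identity $parent.ObjectGUID }
    Restore-ADObject -Identity $deleted.ObjectGUID -PassThru
}

$status = Test-ADRecycleBinReady
$status
if (-not $status.RecycleBinEnabled) {
    # Enabling is forest-wide and cannot be undone; run it deliberately.
    # Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'corp.example.com'
}
# Restore-ADDeletedUser -SamAccountName 'jdoe'
```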

5.4.6 Fine-Grained Password Policy User Interface

The Fine-Grained Password Policy (FGPP) introduced with Windows Server 2008 provided more precise management of password-policies. In order to leverage the feature, administrators had to manually create password-settings objects (PSOs). It proved difficult to ensure that the manually defined policy-values behaved as desired, which resulted in time-consuming, trial and error administration.

In Windows Server 2012:

Creating, editing and assigning PSOs is now managed through the Active Directory Administrative Center

Greatly simplifies management of password-settings objects

Requirements

FGPP requirements must be met:

Windows Server® 2008 domain functional level

Windows Server 2012 Active Directory Administrative Center

For more information about the user interface for fine-grained password policies, see Active Directory Administrative Center Enhancements.
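
An added example (not from this document) of creating a PSO from PowerShell and then verifying which policy actually applies, which removes the trial-and-error the text describes. The PSO name, its values and the use of Domain Admins as the subject are assumptions.

```powershell
# Added example, not from the original document. Hypothetical PSO name and
# values; requires Windows Server 2008 domain functional level and the AD module.
Import-Module ActiveDirectory

# A PSO for privileged accounts, stricter than the default domain policy.
# When a user is covered by several PSOs the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# PSOs apply only to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Domain Admins'

function Test-ResultantPasswordPolicy {
    # Asks AD which policy wins for a user and compares it with what was intended.
    param([Parameter(Mandatory)][string]$User,
          [Parameter(Mandatory)][string]$ExpectedPso,
          [int]$MinLength = 15)
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $User
    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        User         = $User
        EffectivePso = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
        MinLength    = if ($rsop) { $rsop.MinPasswordLength } else { $default.MinPasswordLength }
        AsIntended   = [bool]($rsop -and $rsop.Name -eq $ExpectedPso -and $rsop.MinPasswordLength -ge $MinLength)
    }
}

# Every member of the group, including nested members, should resolve to the PSO.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Test-ResultantPasswordPolicy -User $_.SamAccountName -ExpectedPso 'PSO-PrivilegedAdmins' }
```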

5.4.7 Active Directory Replication and Topology Windows PowerShell cmdlets

Administrators require a variety of tools to manage Active Directory's site topology:

repadmin

ntdsutil

Active Directory Sites and Services

The usage of multiple tools results in an inconsistent experience that is difficult to automate.

Using Windows Server 2012 AD DS, administrators can:

Manage replication and site-topology with Windows PowerShell

Create and manage sites, site-links, site-link bridges, subnets and connections

Replicate objects between domain controllers

View replication metadata on object attributes

View replication failures

Take advantage of a consistent and easily scriptable experience

Compatible and interoperable with other Windows PowerShell cmdlets

Requirements

Active Directory Web Service (also known as Active Directory Management Gateway for Windows Server 2003 or Windows Server 2008)

Windows Server 2012 domain controller or Windows Server 2012 with the Remote Server Administration Tools (RSAT) for AD DS and AD LDS installed

For more information about the Windows PowerShell cmdlets to manage Active Directory topology and replication, see Active Directory Replication and Topology Management Using Windows PowerShell.
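
The cmdlets behind the capabilities listed above, as an added example that is not part of this document: a branch site is created, replication health is summarised, and the replication metadata of a sensitive group is read for forensic use. Site, subnet, DC and user names are hypothetical.

```powershell
# Added example, not from the original document. Hypothetical site, subnet and
# DC names; requires the AD module against Windows Server 2012 DCs (or the
# Active Directory Web Service on older ones).
Import-Module ActiveDirectory

# 1. A branch site, its subnet and a site link back to HQ replicating every
#    15 minutes over IP.
New-ADReplicationSite -Name 'Branch-Oslo' -Description 'Oslo office'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Branch-Oslo'
New-ADReplicationSiteLink -Name 'HQ-Oslo' -SitesIncluded 'Default-First-Site-Name', 'Branch-Oslo' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 2. Replication health: partners that have not synced recently, and failures.
function Get-ReplicationHealth {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$StaleHours = 2)
    $stale = Get-ADReplicationPartnerMetadata -Target $Domain -Scope Domain |
        Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$StaleHours) } |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult
    $fail = Get-ADReplicationFailure -Target $Domain -Scope Domain |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
    [pscustomobject]@{ StalePartners = @($stale); Failures = @($fail) }
}
Get-ReplicationHealth | Format-List

# 3. Push one object to a partner without waiting for the schedule.
$user = Get-ADUser -Identity 'jdoe'
Sync-ADObject -Object $user.DistinguishedName -Source 'DC01' -Destination 'DC02'

# 4. Replication metadata on a linked attribute: who was added to Domain Admins,
#    when, and on which DC the change originated. Useful when reviewing a
#    suspicious membership change.
$group = Get-ADGroup -Identity 'Domain Admins'
Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server 'DC02' -ShowAllLinkedValues |
    Where-Object AttributeName -eq 'member' |
    Select-Object AttributeValue, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version
```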

5.4.8 Active Directory Based Activation (AD BA)

Today, Volume Licensing for Windows and Office requires Key Management Service (KMS) servers. That solution requires minimal training, and is a turnkey solution that covers about 90% of deployments.

But there is complexity caused by the lack of a graphical administration console. The solution requires RPC traffic on the network, which complicates matters, and it does not support any kind of authentication: mere connectivity to the service equates to being activated. The end-user licensing agreement (EULA) prohibits the customer from connecting the KMS server to any external network.

In Windows Server 2012, the Active Directory-based activation provides the following improvements:

Uses your existing Active Directory infrastructure to activate your clients

No additional machines required

No RPC requirement; uses LDAP exclusively

Includes RODCs

Beyond installation and service-specific requirements, no data is written back to the directory

Activating initial CSVLK (customer-specific volume license key) requires:

One-time contact with Microsoft Activation Services over the Internet (identical to retail activation)

Key is entered using the Volume Activation Services server role or from the command line.

Repeat the activation process for additional forests up to 6 times by default

Activation-object maintained in configuration partition

Represents proof of purchase

Computers can be member of any domain in the forest

All Windows 8 computers will automatically activate

Requirements

Only Windows 8 computers can leverage AD BA

KMS and AD BA can coexist

You still need KMS if you require down-level volume-licensing

Requires Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers

For more information about AD BA see the following:

Volume Activation Overview

Test Lab Guide: Demonstrate Volume Activation Services
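
An added example (not from this document) of the command-line path mentioned above, followed by two checks: the activation object in the configuration partition and a client's activation status. The product key is a placeholder, and the activation-object container DN is my assumption about where AD BA stores its objects.

```powershell
# Added example, not from the original document. The product key is a
# placeholder and the container DN is an assumption; verify both in your forest.
$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'
$csvlk = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, not a real key

# 1. One-time activation of the CSVLK against Microsoft (needs Internet), run on
#    a Windows Server 2012 member of the forest. The second argument names the
#    activation object. This is the command-line alternative to the
#    Volume Activation Services role.
cscript.exe //nologo $slmgr /ad-activation-online $csvlk 'Contoso AD Activation'

# 2. The activation object is the proof of purchase, so changes under this
#    container are worth auditing.
Import-Module ActiveDirectory
$cfgNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfgNC" `
    -SearchScope OneLevel -Filter * -Properties displayName, whenCreated, whenChanged |
    Select-Object Name, displayName, whenCreated, whenChanged

# 3. On a Windows 8 / Windows Server 2012 client: confirm it activated without a
#    KMS host. LicenseStatus 1 = licensed; /dlv prints the activation details.
Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
    Select-Object Name, LicenseStatus, GracePeriodRemaining
cscript.exe //nologo $slmgr /dlv
```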

5.4.9 Group Managed Service Accounts (gMSA)

Managed Service Accounts (MSAs) were introduced with Windows Server 2008 R2. Clustered or load-balanced services that needed to share a single security principal were unsupported, so MSAs could not be used in many desirable scenarios.

Windows Server 2012 includes the following changes:

Introduces a new security principal type known as a gMSA

Services running on multiple hosts can run under the same gMSA account

One or more Windows Server 2012 domain controllers required

gMSAs can authenticate against any domain controllers that run any version of Windows Server

Passwords computed by Group Key Distribution Service (GKDS) running on all Windows Server 2012 domain controllers

Windows Server 2012 hosts using gMSAs obtain password and password-updates from GKDS

Password retrieval limited to authorized computers

Password-change interval defined at gMSA account creation (30 days by default)

Like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools

Requirements

Windows Server 2012 Active Directory schema updated in forests containing gMSAs

One or more Windows Server 2012 domain controllers to provide password computation and retrieval

Only services running on Windows Server 2012 can use gMSAs

For more information about group managed service accounts, see Managed Service Accounts.
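
An added example, not from this document, of the full gMSA lifecycle described above: the root key for the Group Key Distribution Service (the cmdlet calls it KDS), the group of hosts allowed to retrieve the password, the account itself, host installation and a review query. Host names, the account name and the domain are hypothetical.

```powershell
# Added example, not from the original document. Hypothetical names
# (WEB01/WEB02, gmsa-webfarm, corp.example.com); requires the Windows Server
# 2012 schema and at least one Windows Server 2012 DC.
Import-Module ActiveDirectory

# 1. One root key per forest. A key becomes usable 10 hours after its effective
#    time so that every DC has replicated it. The backdated time below is a lab
#    shortcut only; in production use -EffectiveImmediately and wait 10 hours.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) }

# 2. Only hosts in this group may retrieve the password. Membership is evaluated
#    from the host's own logon token, so reboot hosts after adding them.
New-ADGroup -Name 'WebFarm-Hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Servers,DC=corp,DC=example,DC=com'
Add-ADGroupMember -Identity 'WebFarm-Hosts' -Members 'WEB01$', 'WEB02$'

# 3. The gMSA. No human ever knows the password; GKDS rotates it on the interval
#    fixed here, which cannot be changed after creation.
New-ADServiceAccount -Name 'gmsa-webfarm' -DNSHostName 'webfarm.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarm-Hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/webfarm.corp.example.com'

# 4. On each host (WEB01, WEB02): install, then prove the host can fetch the password.
Install-ADServiceAccount -Identity 'gmsa-webfarm'
Test-ADServiceAccount -Identity 'gmsa-webfarm'    # $true when retrieval works
# Configure the service or IIS application pool to run as CORP\gmsa-webfarm$
# with an empty password; SCM and IIS fetch the real one from GKDS.

# 5. Periodic review: who may retrieve each gMSA's password and how often it rotates.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword,
    ManagedPasswordIntervalInDays, ServicePrincipalNames |
    Select-Object Name, ManagedPasswordIntervalInDays, PrincipalsAllowedToRetrieveManagedPassword
```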

5.5 AD DS Platform Changes

Numerous platform changes were made around scalability, throttling, and security. These areas include:

5.5.1 AD DS Claims in AD FS

5.5.2 Relative ID (RID) Improvements

5.5.3 Deferred Index Creation

5.5.4 Kerberos Enhancements

5.5.1 AD DS Claims in AD FS

AD FS v2.0 is able to generate user-claims directly from Windows NT tokens. AD FS v2.0 was also capable of further expanding claims based on attributes in AD DS and other attribute stores.

In Windows Server 2012, Kerberos tickets can be populated with user and device attributes serving as claims. AD FS 2.0 cannot read claims from Kerberos tickets. Therefore, a separate LDAP call to Active Directory must be made to source user-attribute claims, and AD FS 2.0 cannot leverage device-attribute claims at all.

AD FS v2.1 in Windows Server 2012 is able to populate SAML tokens with user- and device-claims taken directly from the Kerberos ticket.

Requirements

Dynamic Access Control enabled and configured

Compound ID must be switched on for the AD FS service account

Windows Server 2012 AD FS v2.1

For detailed information about AD FS in Windows Server 2012, see AD FS.

5.5.2 Relative ID (RID) Improvements

The following RID improvements in Windows Server 2012 provide greater ability to react to any potential exhaustion of the global RID pool space:

Periodic RID consumption warning

At 10% of remaining global space, system logs informational event

First event at 100,000,000 RIDs used; the second event is logged at 10% of the remainder:

Remainder = 900,000,000

10% of remainder = 90,000,000

Second event logged at 190,000,000 (existing RID consumption plus 10% of remainder)

Events become more frequent as the global space is further depleted

RID Manager artificial ceiling protection mechanism

A soft ceiling that is 90% of the global RID space and is not configurable

The soft ceiling is deemed as "reached" when a RID pool containing the 90% RID is issued

Blocks further allocations of RID pools

When the ceiling is reached, system sets msDS-RIDPoolAllocationEnabled attribute of the RID Manager$ object to FALSE. An administrator must set it back to TRUE to override.

Log an event indicating that the ceiling is reached

An initial warning is logged when the global RID spaces reaches 80%

The attribute can only be set to FALSE by SYSTEM and is mastered by the RID master (that is, write it against the RID master)

Domain Admin can set it back to TRUE

Note

It is set to TRUE by default

Increased the global RID space per domain, doubling the number of security principals that can be created throughout the lifetime of a domain from 1 billion to 2 billion.

Requirements

Windows Server 2012 RID master

Windows Server 2012 Domain Controllers

For more information on RID improvements, see Managing RID Issuance.
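
An added example, not from this document, that reads the RID Manager$ object referred to above and reproduces the warning arithmetic. The packed layout of rIDAvailablePool (high 32 bits = top of the global space, low 32 bits = next RID to allocate) is standard; the rootDSE write that unlocks the 2-billion space is my understanding of the procedure and is left commented out because it is irreversible.

```powershell
# Added example, not from the original document. Requires the AD module.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    # msDS-RIDPoolAllocationEnabled is mastered by the RID master, so read it there.
    $mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($d.DistinguishedName)" `
             -Server $d.RIDMaster -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'
    $pool    = [int64]$mgr.rIDAvailablePool
    $mask32  = ([int64]1 -shl 32) - 1
    $maxRid  = $pool -shr 32          # top of the global RID space
    $nextRid = $pool -band $mask32    # next RID to hand to a DC's pool = RIDs consumed so far
    [pscustomobject]@{
        Domain             = $d.DNSRoot
        RidMaster          = $d.RIDMaster
        GlobalSpace        = $maxRid
        RidsAllocated      = $nextRid
        PercentUsed        = [math]::Round(100.0 * $nextRid / $maxRid, 2)
        WarningAt80Pct     = [int64]($maxRid * 0.8)
        SoftCeilingAt90Pct = [int64]($maxRid * 0.9)
        CeilingReached     = ($nextRid -ge [int64]($maxRid * 0.9))
        AllocationEnabled  = ($mgr.'msDS-RIDPoolAllocationEnabled' -ne $false)   # unset means TRUE
    }
}

function Get-RidWarningSchedule {
    # The cadence described above: first event after $First RIDs, then another each
    # time 10% of what remains has been consumed, so the gaps shrink over time.
    param([int64]$Space = 1000000000, [int64]$First = 100000000, [int]$Count = 5)
    $used = $First
    for ($i = 0; $i -lt $Count; $i++) {
        $used
        $used += [int64](($Space - $used) / 10)
    }
}
Get-RidWarningSchedule      # 100000000, 190000000, 271000000, 343900000, 409510000

$status = Get-RidPoolStatus
$status
if (-not $status.AllocationEnabled) {
    # Only a Domain Admin can clear the block, and the write must go to the RID master.
    Set-ADObject -Identity "CN=RID Manager`$,CN=System,$((Get-ADDomain).DistinguishedName)" `
        -Server $status.RidMaster -Replace @{ 'msDS-RIDPoolAllocationEnabled' = $true }
}
# Unlock the 2-billion RID space once every DC runs Windows Server 2012
# (assumed procedure; irreversible):
# $rootDse = [ADSI]"LDAP://$($status.RidMaster)/RootDSE"
# $rootDse.Put('sidCompatibilityVersion', 1); $rootDse.SetInfo()
```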

5.5.3 Deferred Index Creation

In the past, index creation could adversely impact domain controller performance. Windows Server 2012 introduces a new capability that allows forest administrators to defer index creation to a point in time they choose. By default, domain controllers create indices when they receive the appropriate schema change through replication. In Windows Server 2012, a new dSHeuristics setting was introduced to control whether or not domain controllers defer index creation. The details are as follows:

Setting the 19th byte to 1 causes any Windows Server 2012 DC (DCs that run earlier operating systems will ignore the setting) to defer building indices until:

It receives the UpdateSchemaNow rootDSE mod (triggers rebuild of the schema cache)

It is rebooted (which requires that the schema cache be rebuilt and, in turn, the deferred indices)

Any attribute that is in a deferred index state will be logged in the Event Log every 24 hours

2944: Index deferred – logged once

2945: Index still pending – logged every 24 hours

1137: Index created – logged once (not a new event)

Requirements

Windows Server 2012 domain controllers
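
An added example, not from this document, that sets the 19th character of dSHeuristics without disturbing the other settings in that string, forces the schema-cache rebuild described above, and reads the three events. The DC name is hypothetical. Two facts the code relies on: dSHeuristics positions are 1-based and every 10th character is a check digit equal to position/10 (so the 10th must be '1' once the 19th is used), and the rootDSE operational attribute that triggers the rebuild is spelled schemaUpdateNow.

```powershell
# Added example, not from the original document. Assumes the AD module and a
# hypothetical DC named DC01.
Import-Module ActiveDirectory

function Set-DSHeuristicsCharacter {
    # Sets one character of the forest-wide dSHeuristics string while preserving
    # every other position (other positions control unrelated behaviours).
    param([Parameter(Mandatory)][int]$Position,
          [Parameter(Mandatory)][char]$Value,
          [string]$Server)
    $cfgNC = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $dn    = "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC"
    $obj   = Get-ADObject -Identity $dn -Server $Server -Properties dSHeuristics
    $cur   = [string]$obj.dSHeuristics
    $chars = $cur.PadRight([math]::Max($cur.Length, $Position), '0').ToCharArray()
    $chars[$Position - 1] = $Value
    # Check digits: the 10th character must be '1', the 20th '2', and so on.
    for ($i = 10; $i -le $chars.Length; $i += 10) { $chars[$i - 1] = [char]([string]($i / 10)) }
    $new = -join $chars
    Set-ADObject -Identity $dn -Server $Server -Replace @{ dSHeuristics = $new }
    return $new
}

# 1. Tell Windows Server 2012 DCs to defer index builds (19th character = 1).
Set-DSHeuristicsCharacter -Position 19 -Value '1' -Server 'DC01'

# 2. Apply the schema change (for example, indexing an attribute) whenever
#    convenient; DCs log 2944 once and then 2945 every 24 hours while it is pending.

# 3. In the maintenance window, build the deferred indices on a DC without
#    rebooting by forcing the schema-cache rebuild through rootDSE.
function Invoke-SchemaCacheRebuild {
    param([Parameter(Mandatory)][string]$Server)
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}
Invoke-SchemaCacheRebuild -Server 'DC01'

# 4. Confirm: 1137 = index created; a 2945 newer than the rebuild means it is still pending.
Get-WinEvent -ComputerName 'DC01' -FilterHashtable @{ LogName = 'Directory Service'; Id = 2944, 2945, 1137 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
```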

5.5.4 Kerberos Enhancements

Kerberos Constrained Delegation across domains

Flexible Authentication Secure Tunneling (FAST)

Kerberos Constrained Delegation across domains

Kerberos Constrained Delegation (KCD) was introduced with Windows Server 2003. KCD permits a service's account (front-end) to act on the behalf of users in multi-tier applications for a limited set of back-end services. For example:

1. User accesses web site as user1

2. User requests information from web site (front-end) that requires the web server to query a SQL database (back-end)

3. Access to this data is authorized according to who accessed the front-end

4. In this case, the web service must impersonate user1 when making the request to SQL

The front-end needed to be configured with the services (by SPN) to which it can impersonate users. Setup and administration requires Domain Admin credentials. KCD delegation only works for back-end services in the same domain as the front-end service-accounts.

The KCD in Windows Server 2012 moves the authorization decision to the resource-owners, which provides these advantages:

Permits back-end to authorize which front-end service-accounts can impersonate users against their resources

Supports across-domain, across-forest scenarios

No longer requires Domain Admin privileges

Requires only administrative permission to the back-end service-account

Requirements

Clients run Windows XP or later

Client domain's domain controllers running Windows Server 2003 or later

Front-end server running Windows Server 2012

One or more domain controllers in front-end domain running Windows Server 2012

One or more domain controllers in back-end domain running Windows Server 2012

Back-end server account configured with the accounts that are permitted for impersonation

Not exposed through Active Directory Administrative Center

Configured through Windows PowerShell:

New/Set-ADComputer [-name] <string> [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]

New/Set-ADServiceAccount [-name] <string> [-PrincipalsAllowedToDelegateToAccount <ADPrincipal[]>]

Windows Server 2012 schema update in back-end server's forest

Back-end application server running Windows Server 2003 or later

For more information about Kerberos constrained delegation see the Kerberos section of the technical library.
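
An added example, not from this document, of the cmdlet syntax listed in the requirements: the back-end's owner grants a front-end in another forest permission to delegate, reads the result back, and runs a review query over the back-end domain. Front-end WEB01 in corpA.example.com and back-end SQL01 in corpB.example.com are hypothetical.

```powershell
# Added example, not from the original document. Hypothetical accounts:
# front-end WEB01 in corpA.example.com, back-end SQL01 in corpB.example.com.
# The write goes to the back-end's domain, because in Windows Server 2012 the
# resource owner decides who may impersonate users against it.
Import-Module ActiveDirectory

# 1. The back-end owner allows exactly one front-end to delegate to SQL01
#    (cross-forest lookup of the front-end's computer object).
$frontEnd = Get-ADComputer -Identity 'WEB01' -Server 'corpA.example.com'
Set-ADComputer -Identity 'SQL01' -Server 'corpB.example.com' `
    -PrincipalsAllowedToDelegateToAccount $frontEnd
# For a back-end service running under a gMSA use Set-ADServiceAccount instead.

# 2. Read back the effective list (msDS-AllowedToActOnBehalfOfOtherIdentity,
#    rendered as principals by the module).
(Get-ADComputer -Identity 'SQL01' -Server 'corpB.example.com' `
    -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount

# 3. Review job for the back-end domain: every computer that accepts delegation
#    and from whom. A listed front-end can act as any user against the back-end,
#    so any entry the resource owner does not recognise needs investigation.
function Get-DelegationAllowList {
    param([string]$Server = (Get-ADDomain).DNSRoot)
    Get-ADComputer -Server $Server -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties PrincipalsAllowedToDelegateToAccount |
    ForEach-Object {
        [pscustomobject]@{
            BackEnd          = $_.DNSHostName
            AllowedFrontEnds = @($_.PrincipalsAllowedToDelegateToAccount)
        }
    }
}
Get-DelegationAllowList -Server 'corpB.example.com' | Format-List

# 4. Undo: an empty value clears the attribute.
# Set-ADComputer -Identity 'SQL01' -Server 'corpB.example.com' -PrincipalsAllowedToDelegateToAccount $null
```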

Flexible Authentication Secure Tunneling (FAST)

Today, offline dictionary attacks against password-based logons are possible. There is also a relatively well-known concern around Kerberos errors being spoofed. Clients may:

Fallback to less-secure legacy protocols

Weaken their cryptographic key strength and/or ciphers

Kerberos in Windows Server 2012 supports Flexible Authentication Secure Tunneling (FAST)

Defined by RFC 6113

Sometimes referred to as Kerberos armoring

Provides a protected channel between a domain-joined client and DC

Protects pre-authentication data for user's AS_REQs

Uses LSK (logon session key) from computer's TGT as shared secret

Note that computer authentication is NOT armored

Allows DCs to return authenticated Kerberos errors thereby protecting them from spoofing

Once all Kerberos clients and DCs support FAST (the admin's decision to make)

The domain can be configured to either require Kerberos armoring or use it upon request

Must first ensure all or enough DCs are running Windows Server 2012

Enable the appropriate policy

"Support CBAC and Kerberos armoring"

"All DCs can support CBAC and Require Kerberos armoring"

Requirements

Windows Server 2012 servers

Ensure that all domains the client uses including transited referral domains:

Enable the "Support CBAC and Kerberos armoring" policy for all Windows Server 2012 DCs

Have a sufficient number of Windows Server 2012 DCs to support FAST

Enable "Require FAST" policy on supported clients

RFC-compliant FAST interoperability requires Windows Server 2012 domain functional level.
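
An added example, not from this document, that checks the rollout preconditions listed above before anyone enables "Require FAST" on clients: domain functional level, the share of Windows Server 2012 DCs in every domain of the forest, and what the two Group Policy settings applied locally. The registry value names under the Kdc and Kerberos policy keys are my understanding of what those policies write; confirm them against the ADMX in your domain.

```powershell
# Added example, not from the original document. Requires the AD module.
# Registry value names below are assumptions about what the policies write.
Import-Module ActiveDirectory

function Test-KerberosArmoringReadiness {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d   = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $d.DNSRoot
    $modern = @($dcs | Where-Object { $_.OperatingSystem -match 'Windows Server 2012' })
    $legacy = @($dcs | Where-Object { $_.OperatingSystem -notmatch 'Windows Server 2012' })
    [pscustomobject]@{
        Domain            = $d.DNSRoot
        DomainMode        = $d.DomainMode
        # RFC 6113-compliant FAST needs Windows Server 2012 domain functional level.
        RfcCompliantFast  = ([int]$d.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain)
        Dcs2012           = $modern.Count
        LegacyDcs         = @($legacy | ForEach-Object { $_.HostName })
        # Requiring armoring is only safe when every DC a client may reach supports it.
        SafeToRequireFast = ($legacy.Count -eq 0)
    }
}

function Get-LocalArmoringPolicy {
    # What Group Policy applied on this machine (value names assumed).
    $kdc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
    $cli = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KdcSupportsArmoring    = ($kdc.EnableCbacAndArmor -eq 1)
        KdcArmorLevel          = $kdc.CbacAndArmorLevel   # higher levels require armoring (assumed mapping)
        ClientSupportsArmoring = ($cli.EnableCbacAndArmor -eq 1)
        ClientRequiresFast     = ($cli.RequireFast -eq 1)
    }
}

# Every domain a client may be referred through has to pass, not just its own.
$report = foreach ($dom in (Get-ADForest).Domains) { Test-KerberosArmoringReadiness -Domain $dom }
$report | Format-Table Domain, DomainMode, RfcCompliantFast, Dcs2012, SafeToRequireFast -AutoSize
if ($report | Where-Object { -not $_.SafeToRequireFast }) {
    Write-Warning 'Legacy DCs remain; keep clients on "support" rather than "require" armoring.'
}
Get-LocalArmoringPolicy
```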