Hello. Today I’d like to talk to you about how Windows Server 2012 helps IT professionals
manage identity and access.
Page 2
8/29/2012
Cloud and mobility are two major trends that have started to affect the IT landscape, in
general, and the datacenter, in particular. There are four key IT questions that customers claim
are keeping them up at night:
How do I embrace the cloud?
With a private cloud, you get many of the benefits of public cloud computing—including self-
service, scalability, and elasticity—with the additional control and customization available from
dedicated resources. Microsoft customers can build a private cloud today with Windows Server
2008 R2, Microsoft Hyper-V, and Microsoft System Center, but there are many questions
about how to best scale and secure workloads on private clouds and how to cost effectively
build private clouds, offer cloud services, and connect more securely to cloud services.
How do I increase the efficiency in my datacenter?
Whether you are building your own private cloud, are in the business of offering cloud services,
or simply want to improve the operations of your traditional datacenter, lowering infrastructure
costs and operating expenses while increasing overall availability of your production systems
is critical. Microsoft understands that efficiency built into your server platform and good
management of your cloud and datacenter infrastructure are important to achieving operational
excellence.
How do I deliver next-generation applications?
As the interest in cloud computing and providing web-based IT services grows, our customers
tell us that they need a scalable web platform and the ability to build, deploy, and support cloud
applications that can run on-premises or in the cloud. They also want to be able to use a broad
range of tools and frameworks for their next-generation applications, including open source
tools.
How do I enable modern work styles?
As the lines between people’s lives and their work blur, their personalities and individual work
styles have an increasing impact on how they get their work done—and which technologies
they prefer to use. As a result, people increasingly want a say in what technologies they use to
complete work. This trend is called “Consumerization of IT.” As an example of
consumerization, more and more people are bringing and using their own PCs, slates, and
phones to work. Consumerization is great as it unleashes people’s productivity, passion,
innovation, and competitive advantage. We at Microsoft believe that there is power in saying
“yes” to people and their technology requests in a responsible way. Our goal at Microsoft is to
partner with you in IT, to help you embrace these trends while ensuring that the environment is
more secure and better managed.
Optimize your IT for the cloud with Windows Server 2012
When you optimize your IT for the cloud with Windows Server 2012, you take advantage of the
skills and investment you’ve already made in building a familiar and consistent platform.
Windows Server 2012 builds on that familiarity. With Windows Server 2012, you gain all the
Microsoft experience behind building and operating private and public clouds, delivered as a
dynamic, available, and cost-effective server platform.
Windows Server 2012 delivers value in four key ways:
1. It takes you beyond virtualization. Windows Server 2012 offers a dynamic, multitenant
infrastructure that goes beyond virtualization technology to a complete platform for building
a private cloud.
2. It delivers the power of many servers, with the simplicity of one. Windows Server 2012
offers you excellent economics by integrating a highly available and easy-to-manage
multiple-server platform.
3. It opens the door to every app on any cloud. Windows Server 2012 is a broad, scalable,
and elastic web and application platform that gives you the flexibility to build and deploy
applications on-premises, in the cloud, and in a hybrid environment through a consistent
set of tools and frameworks.
4. It enables the modern workstyle. Windows Server 2012 empowers IT to provide users
with flexible access to data and applications anywhere, on any device, and while
simplifying management and maintaining security, control, and compliance.
With Windows Server 2012, Microsoft has made significant investments in each of these four areas that allow
customers to take their datacenter operations to the next level. Now, let’s take a look at how Windows Server 2012
helps customers to:
• Build and deploy a modern datacenter infrastructure
• Build and run modern applications
• Enable modern work styles for their end users
As IT organizations evolve to meet new challenges, identity and access solutions within
Windows Server 2012 have been enhanced to help IT build solutions to support the Modern
Workstyle.
Windows Server 2012 Dynamic Access Control automates information governance on file
servers to satisfy business and regulatory requirements.
Using the file classification technology in DAC, organizations can identify or "tag" files on their
file servers. Windows Server 2012 builds on this capability to: 1) control access to tagged files
through centralized access policies, 2) audit and report on events concerning access or
attempted access, and 3) use RMS to encrypt Office documents so that they are protected
even if they leave the file server.
Windows Server 2012 includes a feature set that allows IT administrators to:
• Allow content owners to tag their information, rather than restricting this ability to
administrators.
• Apply a central access policy to information in tagged files.
• Provide access denied remediation when users cannot access information.
• Configure central audit policies to log access to information so that it can be analyzed for
auditing and forensic purposes.
• Further protect specific sensitive information by automatically applying RMS protection.
The following slides describe these capabilities in more detail.
Tags identify files that are in need of protection and can be used to group files logically. In
Windows Server 2012, tags can be applied in one of four ways:
Location based. When a file is stored on a file server, it “inherits” the tags from its parent
folder.
Manually. Users and administrators can manually tag files.
Automatically. Files can be automatically tagged based on content or other characteristics.
By application. Applications can use APIs to tag the files that they manage.
The automatic file classification functionality is extremely useful for applying tags to large
amounts of existing information.
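Two of the four tagging methods above (location based and automatic), as an added example that is not part of the presentation. It assumes the File Server Resource Manager cmdlets of Windows Server 2012, a resource property with the ID Impact_MS already defined in Active Directory, and a constructed folder D:\Finance.

```powershell
# Added example (not from the presentation). Run in an elevated PowerShell session
# on the Windows Server 2012 file server with the FSRM role service installed.
Import-Module FileServerResourceManager

# Pull the resource properties defined in Active Directory (Impact_MS etc.) down to
# this server so that folder and classification rules can set them.
Update-FsrmClassificationPropertyDefinition

# Location based: tag the folder; files stored under it inherit Impact_MS = High
# unless a rule or a user sets a more specific value.
Set-FsrmMgmtProperty -Namespace "D:\Finance" -Name "Impact_MS" -Value "High"

# Automatic: content-based rule for the rest of the share. The regular expression is
# a constructed placeholder for whatever marks a document as sensitive in your data.
New-FsrmClassificationRule -Name "Tag HBI documents by content" `
    -Property "Impact_MS" -PropertyValue "High" `
    -Namespace @("D:\Shares") `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @('Confidential|Internal Only') `
    -ReevaluateProperty Overwrite

# Classify existing data now instead of waiting for the scheduled pass, then check
# the run status (the scheduled classification job keeps new files tagged).
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification
```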
A significant part of the Dynamic Access Control story is the introduction of Claims to Active
Directory. In the past, authorization decisions have been made largely on a per-user basis, or
on the basis of group membership in AD. For Active Directory in Windows Server 2012, the
ability to issue ‘claims’ has added another option.
Based on user and device attributes within the directory, claims are created that become part
of the token that is passed to authorization sources – in the case of Dynamic Access Control,
this would be a file server. Now, access and authorization decisions can also be made
based on the values of properties within Active Directory.
You’ll see these used as part of Central Access Rules, shown on the next slide.
Now that we’ve tagged the files for classification, and issued claims as part of the logon
process, we can take those two factors, and construct central access rules that can be
distributed to organizational file servers for authorization decisions. These central access
policies for files allow organizations to centrally deploy and manage authorization policies that
include conditional expressions using user claims, device claims, and resource properties
(based on file classification).
A central policy rule has the following logical parts:
Applicability. This is a condition that defines which files the policy applies to,
such as those having high business value.
Access conditions. This is a list of one or more access control entries
(ACEs) that define who can access the data, such as allow read and write
access if the user has a high clearance level and their device is a managed
device.
Central Access Rules can be combined into Central Access Policies, which are defined
and hosted in Active Directory, as shown here.
Central access policies act as security umbrellas that an organization applies across its
servers. These policies enhance (but do not replace) the local access policy – the
discretionary access control list (DACL) – that is applied to files and folders. For
example, if a local DACL on a file allows access to a specific user but a central policy
that is applied to the file restricts access to the same user, the user cannot gain access
to the file (and vice versa).
[more information]
Central access policies for files allow organizations to centrally deploy and manage
authorization policies that include conditional expressions using a combination of user
claims and device claims that are sourced from Active Directory attributes and resource
properties (file tags). Claims are assertions about the object with which they are
associated, and they can be combined in logical policies to enable fine-grained control
over arbitrarily-defined subsets of files. For example, for accessing high-business-
impact (HBI) data, a user must be a full-time employee, obtain access from a managed
device, and log on with a smart card.
The various organizational access policies are driven by both compliance and business
regulatory requirements. For example, if an organization has a business requirement to
restrict access to personally identifiable information (PII) in files to only the file owner
and members of the human resources (HR) department that are allowed to view PII
information, this is, in essence, an organization-wide policy that applies to PII files
wherever they are on the file servers across the organization.
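The claim, resource property, Central Access Rule and Central Access Policy described on the last two slides, built end to end with the Windows Server 2012 ActiveDirectory module. This is an added example, not code from the presentation; the claim ID ad://ext/Department, the property ID Impact_MS and the policy names are constructed, and the "OW" (OWNER RIGHTS) SDDL abbreviation and the explicit -ID parameters are my assumptions about the cmdlets, so check them with Get-Help on your build.

```powershell
# Added example (not from the presentation). Run as a Domain Admin on a
# Windows Server 2012 domain controller.
Import-Module ActiveDirectory

# 1. User claim sourced from the 'department' attribute of the user object.
New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -ID "ad://ext/Department" -Enabled $true

# 2. Resource property (file tag) with a fixed set of suggested values.
$high = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("High", "High", "High business impact")
$low  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Low", "Low", "Low business impact")
New-ADResourceProperty -DisplayName "Impact" -ID "Impact_MS" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $high, $low
# File servers only download properties that are members of the global list.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Impact_MS"

# 3. Central Access Rule.
#    Applicability: files tagged Impact_MS == High.
#    Access conditions (SDDL with a conditional ACE): owner and BUILTIN\Administrators
#    keep full control; Authenticated Users get read/execute (0x1200a9) only when their
#    Department claim equals "Finance". Everything else is denied by the absence of an ACE.
$resourceCondition = '(@RESOURCE.Impact_MS == "High")'
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
              '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "Finance"))'
New-ADCentralAccessRule -Name "HBI finance data" `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl

# 4. Central Access Policy that carries the rule. It still has to be pushed to the file
#    servers through Group Policy (Computer Configuration > Policies > Windows Settings >
#    Security Settings > File System > Central Access Policy) and then selected on the
#    folder in Advanced Security Settings; it never replaces the folder's own DACL.
New-ADCentralAccessPolicy -Name "Finance servers policy"
Add-ADCentralAccessPolicyMember -Identity "Finance servers policy" -Members "HBI finance data"

# Verify what was stored.
Get-ADCentralAccessPolicy -Identity "Finance servers policy" -Properties Members
Get-ADCentralAccessRule -Identity "HBI finance data" | Format-List Name, ResourceCondition, CurrentAcl
```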
This diagram shows the central access policy structure and the interrelationships between:
-Active Directory, where policies are defined and stored,
-The file server, where policies are applied,
-The user, who is attempting to gain access to information on the file server.
[read slide if necessary]
Central access policies give you tremendous flexibility in controlling access to your
organization’s data. Examples of access policies include:
-Organization-wide authorization policy. Most commonly initiated from the information
security office, this policy is driven from compliance or a high-level organization requirement
and would be relevant across the organization. For example, HBI files should be accessible to
only full-time employees.
-Departmental authorization policy. Each department in an organization has some special
data-handling requirements that they want to enforce. For example, the finance department
might want to limit access to finance servers to the finance employees.
-Specific data-management policy. This policy usually relates to compliance and business
requirements and is targeted at protecting the correct access to information that is being
managed, such as preventing modification or deletion of files that are under retention or files
that are under electronic discovery (eDiscovery).
-Need-to-know policy. This is a catch-all authorization policy type and is typically used in
conjunction with the policy types mentioned earlier. Examples include:
•Vendors should be able to access and edit only files that pertain to a project that they
are working on.
•In financial institutions, information walls are important, so that analysts do not access
brokerage information and brokers do not access analysis information.
Of course, denying access is only part of an effective central access control strategy, and sometimes access must be granted after initially being denied. In this case, the Help desk or file server administrator must handle each exception manually—a time-consuming task. To mitigate this problem, assisted access-denied remediation in Windows Server 2012 reduces the need for manual intervention by providing three different processes for granting users access to the resources they need:
-Self-remediation. [more information] If users can determine what the issue is and remediate the problem so that they can get the requested access, Windows Server 2012 provides a general “access denied” message authored by the server administrator for users so that they can try to self-remediate access-denied cases. This message can also include URLs to direct the users to self-remediation websites provided by the organization.
-Remediation by the file owner. [more information] Windows Server 2012 allows administrators to define share owners in the form of a distribution list so that users can directly connect with the file owners to request access. This is similar to the Microsoft SharePoint model where the data owner gets a request from the user to gain access to the file. In the file server case, the remediation can range from adding the user rights to the appropriate file or directory to dealing with share permissions.
-Remediation by Help desk and File Server administrators. [more information] This happens when the user cannot self-remediate the issue and the data owner cannot help. This is the most costly and time-consuming remediation. Windows Server 2012 provides a user interface to view the effective permissions for users on a file or folder so that it is easier to troubleshoot access issues.
Access denied remediation provides a user access to a file when it has been initially denied:
1. The user attempts to read a file.
2. The server returns an “access denied” error message because the user has not been assigned the appropriate claims.
3. On a computer running the Windows 8 Consumer Preview operating system, Windows retrieves the access information from the File Server Resource Manager on the file server and presents a message with the access remediation options, which may include a link for requesting access.
4. The user requests access to the file.
5. When the user has satisfied the access requirements (e.g., signs an NDA or provides other authentication), the user’s claims are updated and the user can access the file.
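The file-server side of the three remediation paths, as an added example that is not part of the presentation. It assumes the Windows Server 2012 FSRM cmdlets; the SMTP server, mail addresses, URL and folder are constructed placeholders, and the -IncludeUserClaims/-IncludeDeviceClaims switches and the FolderOwnerEmail_MS property name are my assumptions to verify against Get-Help.

```powershell
# Added example (not from the presentation). Run elevated on the file server.
Import-Module FileServerResourceManager

# Mail settings used when a user clicks "Request assistance" in the Access Denied dialog.
Set-FsrmSetting -SmtpServer "smtp.corp.example" `
    -FromEmailAddress "fileserver@corp.example" `
    -AdminEmailAddress "helpdesk@corp.example"

# 1. Self-remediation: the administrator-authored message (with a URL) shown to the user.
# 2. Remediation by the owner: -AllowRequests lets the user send a request; it goes to the
#    folder owner (-MailToOwner) and is copied to the file-server admins (-MailCCAdmin).
#    Including the user's and device's claims in the mail tells the owner *why* the
#    central policy denied access, which is usually the fix (wrong department, unmanaged PC).
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage "You are not authorized to open this file. If you need it for your work, click Request assistance or see https://intranet.corp.example/access." `
    -AllowRequests $true -MailToOwner $true -MailCCAdmin $true `
    -IncludeUserClaims $true -IncludeDeviceClaims $true

# Owner contact per share, stored as a folder management property.
Set-FsrmMgmtProperty -Namespace "D:\Finance" -Name "FolderOwnerEmail_MS" -Value "finance-owners@corp.example"

# 3. Help desk: confirm the settings took effect; effective-permissions troubleshooting
#    itself is done in the Advanced Security Settings UI described on the slide.
Get-FsrmAdrSetting -Event AccessDenied | Format-List Enabled, AllowRequests, MailToOwner, MailCCAdmin
# Clients additionally need the Group Policy setting "Enable access-denied assistance on
# client for all file types" (Computer Configuration > Administrative Templates > System >
# Access-Denied Assistance) to display the message.
```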
Next up is security auditing.
Auditing is one of the most powerful tools to help maintain the security of an enterprise. One of
the key goals of security audits is regulatory compliance. For example, industry standards such
as Sarbanes Oxley (SOX), HIPAA, and Payment Card Industry (PCI) regulations require
enterprises to follow a strict set of rules related to data security and privacy.
Security audits help establish the presence or absence of such policies and thereby prove
compliance or noncompliance with these standards. Additionally, security audits help detect
anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible
behavior by creating a trail of user activity that can be used for forensic analysis.
Using Dynamic Access Control, you can establish organization-specific audit policies, which,
like the central access control policies, are stored in Active Directory.
This diagram shows the file access auditing workflow and the interrelationships between:
-Active Directory, where claim types and resource properties are created,
-Group Policy, where the audit policies are defined and stored,
-The file server, where policies and resource properties are applied,
-And the user, who is attempting to access information on the file server.
[read slide if necessary]
Using Windows Server 2012, you can author audit policies by using claims and resource
properties – similar to the method used for Central Access Rules. In fact, the methodology is
essentially the same – the primary difference is whether the rule is in audit mode, or affecting
permissions in real time. This leads to richer, more targeted, and easy-to-manage audit
policies. It enables scenarios that until now were either impossible or too difficult to do.
This slide shows examples of audit policies that administrators can author. [Refer to policies on
slide]
These policies help regulate the volume of audit events and limit them to only the most
relevant data or users.
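A claim-aware audit policy of the kind the slide describes, together with the query a responder would run over the events it produces. This is an added example, not from the presentation; it assumes the constructed Impact_MS resource property, that the server audits the File System subcategory, and that the event field positions match the Windows Server 2012 template for event 4663.

```powershell
# Added example (not from the presentation). Run elevated on the file server.

# 1. Object-access auditing for the file system (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Global Object Access Auditing with a condition: audit writes (FW) by anyone to files
#    tagged Impact_MS == High, without editing each file's SACL. --% stops PowerShell from
#    re-quoting the condition. The same policy can be set centrally in Group Policy under
#    Advanced Audit Policy Configuration > Global Object Access Auditing > File System.
auditpol --% /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW /condition:"(@RESOURCE.Impact_MS == \"High\")"

# 3. Pull event 4663 (an object was accessed) and keep the ones carrying the HBI tag.
#    Windows Server 2012 adds the file's resource attributes to the event, so the
#    classification travels with the audit record and can be filtered on.
function Get-HbiFileAccessEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
        Where-Object { $_.Message -match 'Impact_MS[^)]*High' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $_.Properties[1].Value   # SubjectUserName
                Object  = $_.Properties[6].Value   # ObjectName
                Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            }
        }
}

# Example use: who touched HBI files in the last day, failures first.
Get-HbiFileAccessEvents | Sort-Object Outcome, Time | Format-Table -AutoSize
```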
And finally, there is new functionality related to encryption.
There are numerous business reasons for encrypting business sensitive files, but encrypting
all information is expensive and might impair business productivity. This means organizations
tend to have different approaches and priorities for encrypting their information.
To address this issue, Windows Server 2012 provides the ability to automatically encrypt
sensitive Microsoft Office files based on their classification. This is done through file
management tasks that invoke AD RMS protection for sensitive Office documents a few
seconds after the file is identified as being a sensitive file on the file server.
RMS encryption provides another layer of protection for files. Even if a person with access to a
sensitive file inadvertently sends that file out through email, the file is still protected by the
RMS encryption. Any user who wants to access the file must first authenticate to an
RMS server to receive the decryption key.
This scenario requires a previously deployed implementation of RMS.
[Walk through scenario above]
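The file management task described above, as an added example that is not part of the presentation. It assumes an existing AD RMS deployment, the Windows Server 2012 FSRM cmdlets, the constructed Impact_MS property, and a constructed RMS template name and folder.

```powershell
# Added example (not from the presentation). Run elevated on the file server.
Import-Module FileServerResourceManager

# Condition: the file has been classified as high business impact.
$condition = New-FsrmFmjCondition -Property "Impact_MS" -Condition Equal -Value "High"

# Action: apply a rights policy template published by the AD RMS cluster. FSRM can only
# protect file types RMS understands (Office documents), so other files are left alone.
$action = New-FsrmFmjAction -Type Rms -RmsTemplate "Contoso Confidential - Finance"

# -Continuous makes the job react to file changes and reclassification on the namespace
# within seconds, rather than waiting for the next scheduled run.
New-FsrmFileManagementJob -Name "RMS-protect HBI Office files" `
    -Namespace @("D:\Finance") -Condition $condition -Action $action -Continuous

# Check the job and run it once over existing data.
Get-FsrmFileManagementJob -Name "RMS-protect HBI Office files" | Format-List Name, Continuous, Condition, Action
Start-FsrmFileManagementJob -Name "RMS-protect HBI Office files"
```

Because the job keys off the classification, any file that later gains the tag (by content rule, folder inheritance or a user) is protected without anyone touching the job.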
Dynamic Access Control in Windows Server 2012 provides new ways for organizations
to control access to information and achieve regulatory compliance. Organizations can
classify unstructured data on their file servers and then apply information governance
based on this classification by using next-generation access and auditing controls as
well as classification-based encryption.
• Identify data – Automatic and manual classification of files can be applied to tag data
in file servers across the organization.
• Control access to files – Central access policies enable organizations to apply safety-net
policies for information governance.
• Audit access to files – Central audit policies for compliance reporting and forensic
analysis.
• Apply RMS encryption – Automatic Rights Management Services (RMS) encryption
for sensitive Office documents so that you can reduce information leakage.
Populate the demo title depending upon which demo you plan to deliver. If you don’t plan to
deliver demos, please hide this slide.
Click-through demos are (or will be) located at “\\scdemostore01\demostore\Windows Server
2012\WS 2012 Demo Series\Click Thru Demos\Identity and Access”.
Demo environment build instructions are located here: \\scdemostore01\demostore\Windows
Server 2012\WS 2012 Demo Series\Demo Builds
Virtual machines can be rolled back to a previous state when snapshots are applied, but
domain controller clocks assume that time always goes forward. If an administrator
inadvertently applies a snapshot to a virtual domain controller, it can cause the virtual domain
controller to create security principals with the same time stamp as ones that already exist in
the domain – in other words, duplicates. This can also happen if a virtual domain controller is
copied within the domain.
In Windows Server 2012, a virtual domain controller is able to detect when snapshots are
applied or a virtual machine is copied, because of a unique identifier exposed by the hypervisor
called the virtual machine GenerationID. The virtual machine GenerationID changes whenever
the virtual machine experiences an event that affects its position in time. The virtual machine
GenerationID is exposed to the virtual machine’s address space within its BIOS and made
available to its operating system and applications through a Windows Server 2012 driver.
During boot and before completing any transaction, a Windows Server 2012 virtual domain
controller compares the current value of the virtual machine GenerationID against the value
that it stored in the directory. A mismatch is interpreted as a “rollback” event, causing the
domain controller to converge with other domain controllers, preventing it from creating
duplicate security principals.
For Windows Server 2012 virtual domain controllers to gain this extra level of protection, the
virtual domain controller must be hosted on a virtual machine GenerationID–aware hypervisor
such as Windows Server 2012 Hyper-V.
Many of the domain controllers in the same domain/forest are virtually identical; thus virtual domain controllers are good candidates for cloning. Nevertheless, up to now the process of deploying a virtual domain controller has involved many redundant steps:
1. Preparation and deployment of the sysprep’d server image.
2. Manually promoting a domain controller in one of the following ways:
Over-the-wire. This can be time-consuming, depending upon size of directory.
Install-from-media (IFM). Media preparation and copying adds time and complexity.
3. Performing post-deployment configuration steps where necessary.
With Windows Server 2012 this has changed and virtual domain controllers can be cloned. Using the new domain controller deployment wizard in Server Manager, you can promote a single virtual domain controller and then rapidly deploy all additional virtual domain controllers, within the same domain, through cloning.
[More info]
The process of cloning involves creating a copy of an existing virtual domain controller, authorizing the source domain controller to be cloned in AD DS, and creating a configuration file that contains detailed promotion instructions (name, IP address, Domain Name System [DNS] servers, and so on) or can be left empty, allowing the system to automatically fill in the blanks. This dramatically reduces the number of steps and time involved by eliminating repetitive deployment tasks and also allows you to fully deploy additional domain controllers that are authorized and configured for cloning by the Active Directory domain administrator.
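The safeguard from the previous slide and the cloning preparation from this one, as an added example that is not part of the presentation. It assumes DC01 is a Windows Server 2012 virtual domain controller on Hyper-V and that the script runs on DC01 itself; the clone name, site and IP values are constructed.

```powershell
# Added example (not from the presentation). Run as a Domain Admin on the source DC.
Import-Module ActiveDirectory

# 1. msDS-GenerationId is only populated when the DC runs on a GenerationID-aware
#    hypervisor. If it is empty, neither the snapshot safeguard nor cloning will work.
$dc = Get-ADComputer -Identity "DC01" -Properties "msDS-GenerationId"
if (-not $dc."msDS-GenerationId") {
    throw "DC01 has no msDS-GenerationId: the hypervisor is not GenerationID-aware."
}
"Stored GenerationID: " + (($dc."msDS-GenerationId" | ForEach-Object { $_.ToString('x2') }) -join '')

# 2. Any installed service or program not on the cloning allow-list blocks the clone;
#    review the list before going further (add safe ones with -GenerateXml).
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) { $excluded | Format-Table -AutoSize; throw "Resolve excluded applications first." }

# 3. Authorize this DC for cloning; the clone checks this membership at first boot.
Add-ADGroupMember -Identity "Cloneable Domain Controllers" -Members $dc

# 4. Write DCCloneConfig.xml with the promotion settings for the clone. Leaving the
#    parameters out produces an empty file and the system picks a name and DHCP address.
New-ADDCCloneConfigFile -CloneComputerName "DC02" -SiteName "Default-First-Site-Name" `
    -Static -IPv4Address "10.0.0.12" -IPv4SubnetMask "255.255.255.0" `
    -IPv4DefaultGateway "10.0.0.1" -IPv4DNSResolver "10.0.0.11"

# Next steps (manual): shut down DC01, export the VM in Hyper-V, import the copy as DC02
# and start it. The changed GenerationID plus DCCloneConfig.xml trigger clone promotion;
# without the config file the same change is treated as a rollback and the DC resyncs.
```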
Adding replica domain controllers running newer versions of the Windows Server
operating system has proven to be:
-Time consuming
-Error-prone
-Complex
For example, in the past, IT pros were required to:
-Obtain the correct (new) version of the ADprep tools.
-Interactively log on at specific per-domain domain controllers using a variety of different
credentials.
-Run the preparation tool in the correct sequence with the correct switches.
-Wait for replication convergence between each step.
The AD DS deployment wizard in Windows Server 2012 integrates all the steps to deploy new
domain controllers into a single graphical interface. It requires only one enterprise-level
credential and can prepare the forest or domain by remotely targeting the appropriate
operations master role holders.
The wizard is integrated with Server Manager and built on Windows PowerShell. It can target
multiple servers and remotely deploy domain controllers, making the deployment experience
simpler, more consistent, and less time consuming.
The new domain controller promotion wizard:
• Adprep.exe is integrated into the Active Directory Domain Services installation process. This reduces the time required to install AD DS and reduces the chances for errors that might block domain controller promotion.
• Supports remote deployment. The wizard is built on Windows PowerShell and can be executed remotely against multiple servers. This greatly reduces the likelihood of administrative errors and the overall time required for installation, especially when deploying multiple domain controllers across global regions and domains.
• Validates environment-wide prerequisites before beginning deployment. Prerequisite validation is performed within the wizard, so potential errors are identified before deployment begins. Error conditions can be corrected before errors occur, avoiding the concerns resulting from a partially complete upgrade.
• Aligns with common deployment scenarios. Configuration pages are grouped in a sequence that mirrors the most common promotion options. Related options are grouped in fewer wizard pages. This provides better context for making installation choices and reduces the number of steps and the time required to complete domain controller deployment.
• Integrates with Server Manager and uses Windows PowerShell for command-line and UI consistency. The wizard can export a Windows PowerShell script containing all of the options that were specified during the deployment to simplify the process of automating subsequent deployments with scripts.
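What the exported script amounts to, written by hand as an added example that is not part of the presentation: prerequisite validation first, then the promotion, using the Windows Server 2012 ADDSDeployment module. The domain corp.example, the site Branch-01 and the server names are constructed.

```powershell
# Added example (not from the presentation). Run on the server being promoted, or wrap
# the whole block in Invoke-Command -ComputerName to target it remotely.
Import-Module ADDSDeployment

$cred     = Get-Credential -Message "Enterprise Admin / Domain Admin account used for promotion"
$safeMode = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

# 1. Prerequisite validation only: forest/domain prep required, DNS, reachable replication
#    source, OS and functional-level compatibility. Nothing is changed at this point.
$check = Test-ADDSDomainControllerInstallation -DomainName "corp.example" -Credential $cred `
    -SiteName "Branch-01" -InstallDns -SafeModeAdministratorPassword $safeMode
if ($check.Status -ne 'Success') {
    $check.Message
    throw "Prerequisite validation failed; fix the items above before promoting."
}

# 2. Promotion. Adprep runs automatically against the right operations master role holders
#    if the forest or domain still needs preparation. -NoRebootOnCompletion lets you read
#    C:\Windows\debug\dcpromo.log before the reboot completes the promotion.
Install-ADDSDomainController -DomainName "corp.example" -Credential $cred `
    -SiteName "Branch-01" -InstallDns -CreateDnsDelegation:$false `
    -ReplicationSourceDC "DC01.corp.example" `
    -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword $safeMode -NoRebootOnCompletion -Force
```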
In Windows Server 2012, the Windows PowerShell History viewer in Active Directory
Administrative Center allows an administrator to view the Windows PowerShell commands as
they execute in real time. For example, when you create a new fine-grained password policy,
Active Directory Administrative Center displays the equivalent Windows PowerShell
commands in the Windows PowerShell History viewer task pane. You can then use those
commands create a Windows PowerShell script for automating the task.
By combining scripts with scheduled tasks, you can entirely automate everyday administrative
duties that were once completed manually. The cmdlets and required syntax are created for
you, so very little experience with Windows PowerShell is required. Because the Windows
PowerShell commands are the same as the ones executed by the Active Directory
Administrative Center, they function as expected.
This means several distinct advantages, particularly for new users of PowerShell. [refer to
bullets on slide if needed]
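The fine-grained password policy task from the paragraph above, turned into the kind of script the History viewer lets you assemble. This is an added example, not from the presentation; the policy name and the group Tier0-Admins are constructed.

```powershell
# Added example (not from the presentation). Run as a Domain Admin.
Import-Module ActiveDirectory

# Creates the PSO and applies it to a group; these are the same cmdlets ADAC shows in the
# Windows PowerShell History viewer when you do this in the UI.
function New-AdminPasswordPolicy {
    param([string]$Name = "Tier0-Admins-PSO", [string]$Group = "Tier0-Admins")
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

# Drift check suitable for a scheduled task: every member of the group must actually
# resolve to this PSO (a lower-precedence PSO on another group would silently win).
function Test-AdminPasswordPolicy {
    param([string]$Name = "Tier0-Admins-PSO", [string]$Group = "Tier0-Admins")
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            if ($pso.Name -ne $Name) { "$($_.SamAccountName) resolves to '$($pso.Name)' instead of $Name" }
        }
}

New-AdminPasswordPolicy
Test-AdminPasswordPolicy
```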
Today, volume licensing for Windows and Office has several characteristics that place a
burden on administrators:
-It requires Key Management Service (KMS) servers.
-It requires RPC traffic on the network, even though some organizations want to turn off this
kind of traffic.
-It does not support any kind of authentication, because the EULA prohibits the customer from
connecting the KMS server to any external network.
-And it requires some training, because there is no GUI, and the turnkey solution only covers
about 90 percent of deployments.
All in all, the process is more complicated, restrictive and labor-intensive than it needs to be.
This situation is improved in Windows Server 2012 by leveraging Active Directory to help you
activate your clients.
• No additional machines required
• No remote procedure call (RPC) requirement, uses Lightweight
Directory Access Protocol (LDAP) exclusively
• Includes read-only domain controllers (RODCs)
Activating the initial CSVLK (customer-specific volume license key) requires the following:
– One-time contact with Microsoft Activation Services over the Internet (identical to retail activation)
– Key entered using the Volume Activation server role or using the command line
– Repeat the activation process for additional forests, up to 6 times by default
Activation object
• Represents proof of purchase
• Machines can be a member of any domain in the forest
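Setting up Active Directory-based activation and checking the result from the directory and from a client, as an added example that is not part of the presentation. The CSVLK is a placeholder, the activation object name is constructed, and the configuration-partition container and the msSPP-ActivationObject class name are my assumptions to confirm with ADSI Edit.

```powershell
# Added example (not from the presentation). Run as an Enterprise Admin on a
# Windows Server 2012 member server or DC.
Install-WindowsFeature VolumeActivation -IncludeManagementTools

# One-time online activation of the CSVLK. This is the only step that contacts Microsoft;
# it writes an activation object into the forest's configuration partition.
$csvlk = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"   # placeholder, not a real key
$slmgr = Join-Path $env:SystemRoot "System32\slmgr.vbs"
cscript //nologo $slmgr /ad-activation-online $csvlk "Contoso AD Activation"

# Activation objects known to the licensing service (the proof of purchase).
cscript //nologo $slmgr /ao-list

# The same objects read straight from the directory: clients need only LDAP to the
# configuration partition, which every DC (RODCs included) can serve.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfg" `
    -Filter 'objectClass -eq "msSPP-ActivationObject"' | Select-Object Name, DistinguishedName

# On a domain-joined Windows 8 / Windows Server 2012 client: force an activation attempt
# and confirm the licence status reports Active Directory activation rather than KMS.
# cscript //nologo C:\Windows\System32\slmgr.vbs /ato
# cscript //nologo C:\Windows\System32\slmgr.vbs /dlv
```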
Managed service accounts (MSAs) were a new type of account introduced in
Windows Server® 2008 R2 and Windows® 7. They eliminate the need for an
administrator to manually administer the service principal name (SPN) and
credentials for domain-level service accounts. Up until now, however, this
feature has not been available for server groups, such as clusters, that share
their identity and service principal name.
With group MSAs, services or service administrators do not need to manage
password synchronization between service instances. The group MSA will
support credential reset, hosts that are kept off-line for a period of time and
seamless management of member host group management for all instances of
a service.
[more info]
•Administrators can deploy single-identity server farms/clusters on Windows
Server 2012 to which domain clients can authenticate without knowing which
instance of the server farm/cluster they are connecting to.
•Administrators can configure services with Service Control Manager to use a
shared domain identity that automatically manages passwords
•Once the group MSA has been created, a domain administrator can delegate
management of the group MSA to a service administrator
•Organizations can deploy single identity server farms/clusters on servers
running Windows 8 Consumer Preview for identities in mixed mode domains
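A group MSA for a two-node farm, including the host-side installation and the Service Control Manager configuration mentioned above, as an added example that is not part of the presentation. It assumes a Windows Server 2012 domain; the names corp.example, WEB01/WEB02, WebFarm-Hosts, svc-webfarm and the service name are constructed.

```powershell
# Added example (not from the presentation). Steps 1-3 run as a Domain Admin on a DC.
Import-Module ActiveDirectory

# 1. The KDS root key is created once per forest. In production let it become effective
#    after the default replication delay; -EffectiveImmediately is only for a lab.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 2. The hosts allowed to retrieve the managed password. A group keeps this maintainable
#    and is the "member host group management" the slide refers to.
New-ADGroup -Name "WebFarm-Hosts" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "WebFarm-Hosts" -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

# 3. The gMSA itself with the farm's shared SPN, so Kerberos works whichever node answers.
#    Nobody ever sees the password; the DC rotates it on the interval set here.
New-ADServiceAccount -Name "svc-webfarm" -DNSHostName "webfarm.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebFarm-Hosts" `
    -ServicePrincipalNames "HTTP/webfarm.corp.example" `
    -ManagedPasswordIntervalInDays 30

# 4. On each farm host (after a reboot or Kerberos ticket refresh so the new group
#    membership is in its token): make the account usable locally and verify it.
#    Install-ADServiceAccount -Identity svc-webfarm
#    Test-ADServiceAccount -Identity svc-webfarm        # True when the host can fetch the password
# 5. Point the service at the gMSA; the trailing $ and the empty password are required.
#    sc.exe config "ContosoWebSvc" obj= "CORP\svc-webfarm$" password= ""
```

Step 4 cannot succeed until the KDS root key is effective and the host's group membership has replicated, which is the usual cause of Test-ADServiceAccount returning False.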
Active Directory Domain Services in Windows Server 2012 reduces the time requirements and
complexities associated with deploying domain controllers, introduces safeguards that allow
domain controllers to gain an extra level of protection in virtualized environments, provides a
simplified, more intuitive, and more consistent management experience via the UI and
Windows PowerShell, and expands Active Directory functionality to improve desktop activation
and add group service account management.
DirectAccess was introduced in Windows 7 and Windows Server 2008 R2 to enable remote
users to more securely access shared resources, websites, and applications on an internal
network without connecting to a VPN. DirectAccess establishes bi-directional connectivity with
an internal network every time a DirectAccess-enabled computer is connected to the Internet.
Users never have to think about connecting to the internal network, and IT administrators can
manage remote computers outside the office, even when the computers are not connected to
the VPN.
Integrated Remote Access
Now with Windows Server 2012, DirectAccess and VPN can be configured together in the
Remote Access Management console by using a single wizard. Other Routing and Remote
Access Services (RRAS) features can be configured using the legacy RRAS management
console. The new role allows easier migration of Windows 7 RRAS and DirectAccess
deployments and provides several new features and improvements.
[Next slide]
Windows Server 2012 enhances and simplifies DirectAccess through improved manageability,
ease of deployment, improved performance and scalability, and support for new scenarios.
Windows Server 2012 provides a highly cloud-optimized operating system. VPN site-to-site functionality in remote access provides cross-premises connectivity between enterprises and hosting service providers. Cross-premises connectivity enables enterprises to connect to private subnets in a hosted cloud network. It also enables connectivity between geographically separate enterprise locations. With cross-premises connectivity, enterprises can use their existing networking equipment to connect to hosting providers by using the industry-standard IKEv2-IPsec (Internet Key Exchange version 2/Internet Protocol security) protocol.
In the example on this slide, the following occurs:
1. Contoso.com and Woodgrove.com offload some of their enterprise infrastructure in a hosted cloud.
2. The hosting provider provides private clouds for each organization.
3. In the hosted cloud, virtual machines running Windows Server 2012 are configured as remote access servers running site-to-site VPN.
4. In each hosted private cloud, a cluster of two or more remote access servers is deployed to provide high availability and failover.
5. Contoso.com has two branch office locations. In each location, a Windows Server 2012 remote access server is deployed to provide a cross-premises connectivity solution to the hosted cloud and between the branch offices.
6. The Contoso.com branch office computers running the unified Remote Access Server role in Windows Server 2012 are also configured as DirectAccess servers in a multisite deployment. DirectAccess clients can more securely access any resource in the Contoso.com public cloud or Contoso.com branch offices from any location on the Internet.
7. Woodgrove.com can use existing routers to connect to the hosted cloud because cross-premises functionality in Windows Server 2012 complies with IKEv2 and IPsec standards.
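The cross-premises link in steps 3 to 7 is built from a site-to-site interface on the Windows Server 2012 remote access server. The following is an added example, not code from the deck or from Microsoft: it creates an IKEv2/IPsec site-to-site interface toward a hosting provider gateway with the RemoteAccess module's VpnS2SInterface cmdlets. Cmdlet and parameter names are as I recall them from that module (verify with Get-Help Add-VpnS2SInterface); the interface name, peer address and subnet are constructed placeholders.

```powershell
# Added example (not from the deck): define and bring up an IKEv2/IPsec
# site-to-site interface on a Windows Server 2012 remote access server.
# All names and addresses below are constructed placeholders.
Import-Module RemoteAccess

$name    = 'ToHostedCloud'          # interface name (constructed)
$peer    = '203.0.113.10'           # hosting provider's IKEv2 gateway (documentation range)
$subnets = @('10.20.0.0/16:100')    # hosted private subnet:metric routed over the tunnel

# Prompt for the pre-shared key rather than keeping it in the script file.
$psk = Read-Host -Prompt 'IKEv2 pre-shared key agreed with the hosting provider'

# Create the interface only if it is not already defined (idempotent re-runs).
if (-not (Get-VpnS2SInterface -Name $name -ErrorAction SilentlyContinue)) {
    Add-VpnS2SInterface -Name $name `
        -Destination $peer `
        -Protocol IKEv2 `
        -AuthenticationMethod PSKOnly `
        -SharedSecret $psk `
        -IPv4Subnet $subnets `
        -Persistent $true    # keep the tunnel up instead of dialing on demand
}

# Bring the tunnel up and show its negotiated state for a quick check.
Connect-VpnS2SInterface -Name $name
Get-VpnS2SInterface -Name $name |
    Format-List Name, Destination, Protocol, AuthenticationMethod, ConnectionState
```

Because the provider side is standards-based IKEv2/IPsec, the same parameters (peer address, pre-shared key, advertised subnets) are what Woodgrove.com would enter on its existing routers.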
Page 37
By using the new Remote Access Management console, you can configure, manage, and
monitor multiple DirectAccess and VPN remote access servers in a single location. The
console provides a dashboard that allows you to view information about server and client
activity. You can also generate reports for additional, more detailed information. Operations
status provides comprehensive monitoring information about specific server components.
Event logs and tracing help diagnose specific issues. By using client monitoring, you can see
detailed views of connected users and computers, and you can even monitor which resources
the clients are accessing. Accounting data can be logged to a local database or a Remote
Authentication Dial-In User Service (RADIUS) server.
In addition to the Remote Access Management console, you can use Windows PowerShell
command-line interface tools and automated scripts for remote access setup, configuration,
management, monitoring, and troubleshooting.
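As an added example of the scripted monitoring the deck refers to (not code from the deck or from Microsoft), the script below pulls operations status, connected sessions and accounting configuration from a Windows Server 2012 Remote Access server with the RemoteAccess module's monitoring cmdlets. Cmdlet names are as I recall them from that module; the output property names used in the filters (HealthState, Component, InboxAccountingStatus, RadiusAccountingStatus) are assumptions to confirm with Get-Member on your server.

```powershell
# Added example (not from the deck): health, session and accounting check
# for a Windows Server 2012 Remote Access (DirectAccess/VPN) server.
# Run on the server with administrative rights.
Import-Module RemoteAccess

# 1. Operations status: one object per server component (DNS, IPsec, NLS, ...).
#    Property names Component/HealthState are assumed; confirm with Get-Member.
$health = Get-RemoteAccessHealth
$notOk  = $health | Where-Object { $_.HealthState -ne 'OK' }
if ($notOk) {
    Write-Warning 'Remote Access components needing attention:'
    $notOk | Format-Table Component, HealthState -AutoSize
} else {
    Write-Output 'All Remote Access components report OK.'
}

# 2. Client monitoring: DirectAccess and VPN sessions connected right now.
$sessions = @(Get-RemoteAccessConnectionStatistics)
Write-Output ('Active remote access connections: {0}' -f $sessions.Count)
$sessions | Format-Table -AutoSize

# 3. Accounting: the deck notes data can go to the local (inbox) database or a
#    RADIUS server. Warn if neither is enabled, because without it there is no
#    record of who connected when. Status property names are assumed.
$acct = Get-RemoteAccessAccounting
$acct | Format-List
if ($acct.InboxAccountingStatus -ne 'Enabled' -and $acct.RadiusAccountingStatus -ne 'Enabled') {
    Write-Warning 'No accounting target is enabled; enable inbox or RADIUS accounting.'
    # Remediation, left commented so the check stays read-only:
    # Set-RemoteAccessAccounting -EnableAccountingType Inbox
}
```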
On client computers, users can access the Network Connectivity Assistant application,
integrated with Windows Network Connection Manager, to see a concise view of the
DirectAccess connection status and links to corporate help resources, diagnostics tools, and
troubleshooting information. Users can also enter one-time password (OTP) credentials if OTP
authentication for DirectAccess is configured.
Page 38
The enhanced installation and configuration design in Windows Server 2012 allows you to set
up a working deployment quickly and easily without changes to your internal networking
infrastructure. In simple deployments, you can configure DirectAccess without being required
to set up a certificate infrastructure. DirectAccess clients can now authenticate themselves by
using only Active Directory credentials; no computer certificate is required. In addition, you can
select to use a self-signed certificate created automatically by DirectAccess for IP-HTTPS and
for authentication of the network location server.
To further simplify deployment, DirectAccess in Windows Server 2012 supports access to
internal servers that are running IPv4 only. An IPv6 infrastructure is not required for
DirectAccess deployment.
Page 39
Remote access offers several scalability improvements, including support for more users with
better performance and lower costs:
• You can cluster multiple remote access servers for load balancing, high availability, and
failover. Cluster traffic can be load balanced by using Windows Network Load Balancing
(NLB) or a third-party load balancer. Servers can be added to or removed from the cluster
without interrupting connections in progress.
• The remote access server role takes advantage of Single Root I/O Virtualization (SR-IOV)
for improved I/O performance when running on a virtual machine. In addition, remote
access improves the overall scalability of the server host with support for IPsec hardware
offload capabilities, which are available on many server interface cards that perform packet
encryption and decryption in hardware.
• Optimization improvements in IP-HTTPS use the encryption that IPsec provides. This
optimization, combined with the removal of the Secure Sockets Layer (SSL) encryption
requirement, increases scalability and performance.
Page 40
Remote access in Windows Server 2012 includes additional enhancements, including
integrated deployment for several scenarios that required manual configuration in Windows
Server 2008 R2.
These include force tunneling (which sends all traffic through the DirectAccess connection),
Network Access Protection (NAP) compliance, support for locating the nearest remote access
server from DirectAccess clients in different geographical locations, and deploying
DirectAccess for only remote management.
With Windows Server 2012, you can now configure a DirectAccess server with two network
adapters at the network edge or behind an edge device, or with a single network adapter
running behind a firewall or NAT device. Being able to use a single adapter removes the
requirement to have dedicated public IPv4 addresses for DirectAccess deployment. With this
configuration, clients connect to the DirectAccess server by using IP-HTTPS.
Remote access servers can be configured in a multisite deployment that allows users in
dispersed geographical locations to connect to a multisite entry point closest to them. Traffic
across the multisite deployment can be distributed and balanced with an external global load
balancer. To support fault tolerance, redundancy, and scalability, DirectAccess servers can
now be deployed in a cluster configuration by using Windows load balancer or an external
hardware load balancer.
DirectAccess in Windows Server 2012 adds support for two-factor authentication using an
OTP.
Page 41
For two-factor smart card authentication, Windows Server 2012 supports using Trusted
Platform Module (TPM)-based virtual smart card capabilities available in Windows 8. The TPM
of client computers can act as a virtual smart card for two-factor authentication, which removes
the overhead and costs incurred in smart card deployment.
Windows Server 2012 introduces the capability for computers to join an Active Directory
domain and receive domain settings remotely via the Internet. This capability allows easy
deployment of new computers in remote offices and provisioning client settings to
DirectAccess clients.
Populate the demo title depending upon which demo you plan to deliver. If you don’t plan to
deliver demos, please hide this slide.
Click through demos are (or will be) located at “\\scdemostore01\demostore\Windows Server
2012\WS 2012 Demo Series\Click Thru Demos\Identity and Access”
Demo environment build instructions are located here: \\scdemostore01\demostore\Windows
Server 2012\WS 2012 Demo Series\Demo Builds
Page 42
Page 43
To sum up:
In IaaS deployments, security, identity, and asset control are all areas requiring critical
attention from IT administrators—particularly when moving to virtualized and private or public
cloud environments.
Windows Server 2012 makes those tasks easier by providing simple but comprehensive new
and enhanced features, including:
• Dynamic Access Control, for flexible, intelligent, auditable security,
• Active Directory Domain Services enhancements, for easier deployment and management in
virtual environments,
• And improvements to DirectAccess to support more flexible deployments, higher
performance, and a better client experience.
Thank you!