Archive | November 2012

What’s new in Active Directory in Windows Server 2012

 

Recently, I had a chance to present some topic publicly over LiveMeeting in WGUiSW Idol competition about
What’s new in Active Directory in Windows Server 2012“.

That was a part of WGUiSW regular meeting organized in Poland. I would like to share with you that PowerPoint presentation and describe some of these news in this article.

As you know, Microsoft introduces something new in their Windows Server’s new realeases for Active Directory. This time some new features or improvements have been added. Just take a look for short list about them:

  • new Domain Controler promotion process
  • improved Active Directory Administrative Center console
  • new Domain Controller virtualization features
  • Dynamic Access Control
  • Active Directory Based Authentication
  • RID Operation Master improvements

and other improvements I did not describe.

All the news in AD in Windows Server 2012 are available at this link
http://technet.microsoft.com/en-us/library/hh831477.aspx

New Domain Controller promotion process

Microsoft simplified Domain Controller promotion process as much as they can. In Windows Server 2012 they do a really great improvement. Domain Controller promotion process allows much more simple introduction of the first Windows Server 2012 DC in your existing domain environment.

You don’t have to extend your schema and prepare domain environment for the first Windows Server 2012 Domain Controller. Previously, you had to extend schema and prepare domain using adprep manually with appropriate switches before you were able to promote DC based on newer operating system. Also dcpromo known from previous Windows versions is no longer used for server promotion. That command is integrated with new Windows Server Manager. Whole process for Windows Server 2012 Domain Controller introduction in the existing environment is based on GUI wizard in Server Manager.

You need to only be logged on with appropriate permissions and you can start the process very quickly. Just add Active Directory: Domain Services role from the new manager and after all, follow post-installation steps in notification area. When you are promoting new DC, you are informed that wizard extends schema and prepares domain for the new Domain Controller.

Automatic forest and domain preparation

Automatic forest and domain preparation

Automatic forest and domain preparation

As I mentioned above, dcpromo cannot be used for DC promotion as it was in the previous versions of Windows. It is integrated with Server Manager and if you try to run it from command-line, you will see that it is not possible and you have to run the process from new manager.

No dcpromo

However, you can still use dcpromo in command-line to:

  • forcefully decommission DC (/forceremoval switch)
  • install from media DC (/adv switch)

Note! You need to know that everything you will do in Server Manager is translated to PowerShell v3.0 code and run in the background.

More about introducing the first Windows Server 2012 in the existing domain environment on my blog in this article.

New Windows Server Manager allows you to promote remote server as Domain Controller. For more details, please read this artcile on my blog.

New Active Directory Administrative Center

Microsoft introduced for the first time ADAC in Windows Server 2008R2. We were able to use this console for:

  • User management
  • Computer management
  • Group management
  • OU management
  • Domain Functional Level management
  • Forest Functional Level management
  • LDAP queries

Now, new Active Directory Administrative Center console allows for more. Of course, all the previous features are still suported but some new are available:

You don’t have to use complicated PowerShell cmd-lets to restore deleted object(s) or create/modify Fine-Grained Password policy. From now, you can simply use GUI for that. Just run new ADAC (it is available in tools or execute dsac.exe in run box) and go to Deleted Objects container to restore deleted object(s)

GUI for AD Recycle Bin

The same situation is for Fine-Grained Password Policy, you don’t have to use ADSI Edit or PowerShell to create new PSO. This is also available over GUI method in ADAC console.

GUI for Fine-Grained Password Policy

Everything what you do in Active Directory Administrative Center is also translated into PowerShell v3.0 code and run in the background. In this case, ADAC has implemented new feature called PowerShell History viewer which allows you to see cmd-lets used for action and whole syntax. You can copy it into notepad and modify to run it later. This is really good method to learn PowerShell.

PowerShell History viewer is available at the bottom of Active Directory Administrative Center console

PowerShell History viewer

Completely new feature in Windows Server 2012 is Dynamic Access Controll. It is responsible for simplified management of claims in AD and allows to extend FileServer permissions out of standard ACL method. User does not need to be a member of many groups in Active Directory, You can allow him/her access to resources over claims in combination with DAC. This option reduces Kerberos token size which is really important in large domain environments where user is a member of many groups.

Domain Controller virtualization features

Introducing Hyper-V 3.0 Microsoft added some new features which allows for better virtualization management for Domain Controllers. From now, you don’t have to affraid USN Rollback when you restore your DC from snapshot or when you use DC’s clone in your environment. New Hyper-V 3.0 is “smarter” and it secures your environment. Thanks to that, you may use new feature for rapid DC deployment from the existing Domain Controller. You need to only allow cloning DC, adding it into appropriate domain group and prepare some XML config file with PowerShell v3.0 cmd-let. Then you can safely clone new DCs from the existing one(s).

In virtualized domain environments, this feature is also really good for disaster forest/domain recovery.

Important! To be able to use the new feature, you need at least one Windows Server 2012 Domain Controller on which you hold PDC Emulator operation master role.

More about Domain Controller virtualization process, you will read on Microsoft Technet at
http://technet.microsoft.com/en-us/library/hh831734.aspx

Active Directory Based Authentication

With Windows Server 2012, Microsoft presented new Windows activation method. This method is called Active Directory Based Authentication. That is available in Volume Activation Services role when you run Server Manager.

Volume Activation Services – Active DIrectory Based Authentication

When you use Windows 8 in your environment, you can simply activate it when client is being joined to the domain. It happens automatically, you don’t need to put an activation key and there is no need to access the Internet.

This much more secures your environment in comparison to KMS server. When KMS was present in the environment, you need to only know server name on which it was running (there is also other method for that but I would not describe it here 🙂 ) and you can simply activate your Windows copy. Now, with AD BA you need to add client to the domain to allow for OS activation. It is also important to limit users in your environment with permission for joining computers into domain.

For more details about user’s limit joining computers into domain, please read an article at this link.

Of course, you can still use KMS server for that. It is suported by AD BA. However, it is required for previous Windows OSes. AD BA may be only used for Windows 8 activation!

Important!To be able to use AD BA option, you need to extend Active Directory schema to Windows Server 2012 but you don’t need to have Windows Server 2012 Domain Controller

RID Operation Master

Microsoft improved RID FSMO role in Windows Server 2012. The most know improvement in this role is its RID pool incrementation. Previously we had 2^30 available RIDs and now we have one bit more 2^31. This bit incremented pool  from one billion to two billions of RIDs. Thanks to that improvement we have doubled RID’s pool. But we need to know one important thing. If we want to use that, we need to have Windows Server 2012 Domain Controllers or Windows Server 2008R2 with appropriate hotfix installed. Other Windows versions do not support extended RID pool.

Remember! Extended RID pool may be used only by Windows Server 2012 and Windows Server 2008R2 with appropriate hotfix installed. Additionally, you need to have RID Operation Master role on Windows Server 2012 Domain Controller!

Another great thing introduced with Windows Server 2012 is RID Pool re-use feature! Microsoft did not fix RID leak issue which happens mostly when you are creating new users in a script mode. When password set up by script does not meet domain password criteria, object cannot be created successfully and RID is lost. In case that your script was prepared to create many user objects, you are loosing many RIDs. With Windows Server 2012 on which RID Operation Master is held, those RIDs are going to RID Pool re-use. This pool catches all those RIDs and uses them for the next objects which are created. If pool is empty then standard RID is used from global DC’s pool.

Important! RID Pool  re-use is only available until you will restart Domain Controller. After server reboot that pool is empty!

In Windows Server 2012 Microsoft introduced also event logging for used RIDs. The first entry will appear when RID consumes 100.000.000 (10% of pool). Another entry will be recorded when 10% of remaining pool will be used (in this case 1.000.000.000 – 100.000.000 = 900.000.000 and 10% from remaining pool is 90.000.000).

Events are recorded every 10% consumption of remaining pool. Smaller RIDs pool more frequent logs in Event log.

Microsoft changed also, possibility to issue large pool of RIDs from RID Master to other Domain Controllers. By default RIDs are delivered in 500 in a pool for each Domain Controller. Administrator is able to change that value in registry but when he/she sets up too high value, RIDs may be exhausted in short time. In Windows Server 2012 Microsoft limited maximum amount of RIDs to issue. The maximum pool allowed for distribution is 15.000 (decimal). When you set up higher value in the registry, it won’t be issued to Domain Controller(s) because new mechanism will issue maximum 15.000 RIDs in a pool.

One more interesting thing introduced in new RID Mater FSMO role is RID Manager artificial ceiling protection mechanism. Microsoft knows that administrators do not read event log frequently and even if they read it, they do not react too fast to solve the issue recorded in Event log. They implemented new mechanism which blocks RID distribution when its pool exceeds 90%. From that point, RID Master does not issue any pool to other Domain Controllers. Administrator must manually unlock this. That mechanism informs administrator about pool exhaustion (90% RIDs in general pool are used) and informs that additional activity may be required to prevent complete exhausting RID pool.

Other new Active Directory features

  • Kerberos enhancements
  • Active Directory Replication and Topology Management
  • Off-Premises Domain Join
  • Group Managed Service Accounts (gMSA)
  • Deferred Index Creation

are described in Microsoft article at Technet. If you’re interested, you may read article(s) to get more information about new AD features in Windows Server 2012

Author: Krzysztof Pytko

Microsoft Language Portal

 

This time, really short entry on my blog 🙂

When you are using Windows Server in your native language, not in English version, you may wish to know an equivalent name of a service or feature in translation. Microsoft runs a portal where you can simply translate English name related with Windows service or feature to your native language.

The portal is available at
http://www.microsoft.com/Language/en-US/Default.aspx

Just take a look below for short example. You can see what is Active Directory Global Catalog translation from English to Polish 🙂

Microsoft Language Portal in action

I hope you will find this portal very useful 🙂

Author: Krzysztof Pytko

Fine-Grained Password Policy in Windows Server 2008/2008R2

 

Recently, I have seen that some administrators afraid of using Fine-Grained Password Policy.It looks like the main reason is they do not know how to set up and how to manage it. I will try to show you some easy steps to understand that and implement in your Active Directory environment.

First of all, if you wish to implement Fine-Grained Password Policy (FGPP) in your environment, your Domain Functional Level must operate at Windows Server 2008 mode. That means, all of your Domain Controllers in a domains must be ran at least on Windows Server 2008. No previous operating systems may be used for DCs. Of course, all the rest domain member servers may be ran on earlier OS versions.

For more details about Domain Functional Level, please read my article on this blog.

OK, so what is FGPP and why we want to use it? As you remember in Windows 2000 Server and Windows Server 2003 we were able only to use single password policy defined at domain level over GPO. There were no possibility to use more than one domain password policy using group policies. When some department in our enterprise required another password policy, we needed to decide if we want to:

  • convince it to use the standard password policy 🙂
  • configure child domain and migrate their objects
  • use 3rd party tools

For more details about Default Domain Password policy, please check an article on my blog for that.

This situation did not change in Windows Server 2008, you can still use only one domain password policy configured in GPO. However, Microsoft introduced new feature to define additional password policies. The policy allows you to define separate password settings for user of group of users.

Important! Fine-Grained Password Policy may be only assigned to user or security global group not to domain or OU

When your DFL is set up at appropriate level, you can start using Fine-Grained Password Policy feature. What do you need to know about this kind of Password Settings Object (PSO) before you will set it up:

  • you can apply it only to user or security global group
  • you can set it up using ADSI Edit
  • you can set it up using PowerShell module for Active Directory
  • you need to use dsget command to verify if policy is applied
  • you can use PowerShell to manage PSO
  • only one password set applies to user or group

Using Fine-Grained Password policy, you overwrite default domain policy for user or group of users. However, you need to know that you may apply as many FGPPs as you wish but the only one will be applied. There are few important things to know about password policy precedence:

  • when applied more than one to a group then PSO with the lowest precedence index is applied
  • when applied more than one to a user then PSO with the lowest precedence index is applied
  • when applied more than one to a user or a group then PSO on user level is applied
  • when user is a member of few groups with PSO assigned then policy with the lowest precedence index is applied

Now, when we know those things, we can start creating our first Fine-Grained Password Policy.

ADSI Edit

ADSI Edit allows you to use GUI method for PSO creation. To start the process, run ADSI Edit from “Administrative Tools” or type in run box: adsiedit.msc

Running ADSIEdit console

When you ran that console, you need to connect to Deafult Naming Context where those objects are stored. To do that, click on root “ADSI Edit” node in a console by right mouse button and choose “Connect to

Connecting to Default Naming Context

Now, in “Connection Settings” window please ensure if in “Select a well known Naming Context area you have pointed to Default Naming Context

Connecting to Default Naming Context

When you are connected to that Naming Context, you need to navigate to a container where you can create PSO. The location of this container is in

CN=Password Settings Container,CN=System,DC=domain,DC=local

Below you can see that container location in ADSI Edit console

PSO container location

In this place you need to create new object by clicking right mouse button and selecting “New -> object”

Creating new Fine-Grained Password Policy

Create object which is responsible for password settings “msDS-PasswordSettings“. From now, you are defining new password policy. Proceed below steps to successfully finish PSO creation process.

Selecting object class

At this step, you need to define Fine-Grained Password Policy name which would be easy to identify by you when you start reviewing PSO list

Creating new PSO object

Now, you need to set up integer value of precedence index. Remember, when any PSO would be in conflict then password policy with the lowest precedence index is being applied

Creating new PSO object

This time, you need to specify if you want to use reversible encryption for passwords. This will store password in plain text, so this is vulnerability for the environment. Do not use this option if any of your legacy application requires that. For this setting you can only use one of two possibilities for boolean variable:

  • true to enable reversible encryption policy
  • false to disable reversible encryption policy

Creating new PSO object

Define how many previous passwords are remembered and user cannot re-use them. This value should be an integer number

Creating new PSO object

OK, at this time, you need to define if user’s password must be complex using 3 out of 4 character categories. When you use true value then, password must meet the complexity using 3 characters group out of 4 available:

  • small letters [a-z]
  • capital letters [A-Z]
  • digits [0-9]
  • special characters [!@#$%^&*()]

in case that yo do not want to force users using complex passwords, you need to put false value in a form. In this example, we would like to use complex passwords

Creating new PSO object

User’s password requires minimum number of characters needed to build good and invulnerable password. You need to define the lowest number of characters to build the password by user. This value is an integer number

Creating new PSO object

Really important part of each password policy is setting for the minimum password age. That means, when user is able to change his/her password after the latest change. When you set this up to short time or disable it, user may change his/her password few times and then he/she is able to use that previous password(s) again. The important part during setting up PSO is to remember that this setting uses non integer variable! Expected value is duration which defines a time in format

d:hh:mm:ss

where

  • d means, how many days
  • hh means, how many hours
  • mm means, how many minutes
  • ss means, how many seconds

an example duration for password which may be changed again after 3 days

3:00:00:00

Creating new PSO object

the next setting determine when user is forced to change the current password. You need to set up time after which password is required to change. This value is also in the same format as the previous one, so you need to use duration format as this is shown in the above step

Creating new PSO object

And now, another part of setting password policy. You need to decide if you wish to enable account lockout or not. However, this is good practice to enable account lockout policy to prevent users guessing password of other users in your environment or prevent hackers from guessing password of your users. Just define integer value for the policy and after entered number of failed logon attempts, the account is being blocked

Creating new PSO object

When you defined after how many failed logon attempts, user account is locked you are able to define 2 other policies related with the previous one. Lockout Observation Window in which you define when user may try to log on once again to the system. After that time, user is able to try once again (but only one chance) log on to the system. If he/she remembers a password and account was locked out by mistake, the next try would be successful. If user does not remember the password, after the next wrong attempt, the account would be locked again for time specified in Lockout Observation Window. This option allows an administrator to tell the users that if they remember password but they locked the account by mistake, they need to wait specified time and try once again. In other case, they should request a password reset. For that setting you need to use again duration variable format like for minimum and maximum password age.

Creating new PSO object

The second policy related with account lockout is Lockout Durationwhich determines the time when user account is completely unlocked. Then user has again defined number of tries to log on to the system. As for the previous setting, it also uses duration format to define time

Creating new PSO object

That was the last setting in PSO wizard. However, remember that when you close it by clicking on “Finish” button, you have only create password policy but it is not applied to any group or user. If you wish to define that at this step, click on “More Attributes” button and from “Select a property to view” drop down box choose “msDS-PSOAppliesTo

Creating new PSO object

Creating new PSO object

When you choose that attribute, you need to define distinguished name of an object to which you want to apply policy. This requires from you to know that DN name to put it in that field in format:

CN=Object Name,OU=OU Location,DC=domain,DC=local

and press “Add” button to add the object to password policy

Creating new PSO object

You can see all objects assigned to PSO in the “Value(s)” list

Creating new PSO object

Above step in PSO wizard requires from you object’s DN to know. What if you do not know it or this DN is really long? You may simply finish a wizard without defining value for msDS-PSOAppliesToattribute. This may be done later in some short and more convenient way. Just take a look for below steps.

When you finish a wizard, you will see new password policy in a selected container. Just edit it by double click on it in ADSI Edit window.

Edit existing PSO

In the “Attribute Editor” list search for msDS-PSOAppliesToattribute and click “Edit” button

Edit existing PSO

Now, you have 2 options for object(s) assigning. Classic window for distinguished name of an object

Edit existing PSO

Edit existing PSO

or just use more familiar option to search an object from AD

Edit existing PSO

Edit existing PSO

OK, when we have created granular password policy and we applied it to some object, how to see if the user is really using that policy? You can use for that dsget command or dsquery and dsget commands combination. Let’s see, how to check if PSO is applied to a user name iSiek

dsquery user -samid iSiek | dsget user -effectivepso

After running this query, you will see information about used PSO policy. If result is empty then you can be sure that user has no Fine-Grained Password Policy assigned and he/she uses default domain password policy

Effective password policy applied to the user

This is working fine as you can see! If you really need different password policies in your environment, I really encourage you to use Fine-Grained Password policy feature as it is really great feature!

PowerShell module for Active Directory

As we already know something more about Fine-Grained Password policy requirements, now we can check how to simply create and apply PSO to an object. For that we need to use PowerShell module for Active Directory. To initiate it run in PowerShell window

Import-Module ActiveDirectory

PowerShell – importing AD module

and wait for cmd-lets to be imported. Now, you can use some PowerShell cmd-lets to manage PSO, let’s see their names. Type in PS window

Get-Help *-ADFine*

Getting cmd-lets for Fine-Grained Password Policy

To create new granular password policy we need to use New-ADFineGrainedPasswordPolicy cmd-let. We need to define all interesting us values as we did it using ADSI Edit. When you skip any value then default settings for that value is being used.

Let’s see how to create another PSO using the same values as in the previous example but over PowerShell cmd-let

New-ADFineGrainedPasswordPolicy -Name it-security-PSO-02 `
-DisplayName it-security-PSO-02 `
-Precedence 200 `
-ComplexityEnabled $true `
-ReversibleEncryptionEnabled $false `
-PasswordHistoryCount 10 `
-MinPasswordLength 8 `
-MinPasswordAge 3.00:00:00 `
-MaxPasswordAge 30.00:00:00 `
-LockoutThreshold 3 `
-LockoutObservationWindow 0.00:25:00 `
-LockoutDuration 0.00:30:00

PowerShell – PSO creation

PSO list

As you can see, PowerShell created new PSO but it is not assigned to any object. We need to use another cmd-let to accomplish that. This cmd-let is Add-ADFineGrainedPasswordPolicySubject

This time, I will assign granular password policy to the user directly.

Add-ADFineGrainedPasswordPolicySubject -Identity it-security-PSO-02 -Subjects iSiek

Assigning PSO to an object

Now, it’s time to verify if PSO is applied to a user. For that you need to use Get-ADFineGrainedPasswordPolicy cmd-let

Get-ADFineGrainedPasswordPolicy -Filter { name -like 'it-security-PSO-02' }

PSO applies to

and that’s all about configuring and setting up Fine-Grained Password Policy objects. You may also check the rest cmd-lets to modify and remove PSO objects.

Author: Krzysztof Pytko