What’s new in Active Directory in Windows Server 2012
Recently, I had a chance to present a topic publicly over LiveMeeting in the WGUiSW Idol competition about
“What’s new in Active Directory in Windows Server 2012“.
That was a part of a regular WGUiSW meeting organized in Poland. I would like to share that PowerPoint presentation with you and describe some of this news in this article.
As you know, Microsoft introduces something new for Active Directory in every new release of Windows Server. This time, some new features and improvements have been added. Here is a short list of them:
- new Domain Controller promotion process
- improved Active Directory Administrative Center console
- new Domain Controller virtualization features
- Dynamic Access Control
- Active Directory Based Authentication
- RID Operation Master improvements
and other improvements I did not describe.
All the news about AD in Windows Server 2012 is available at this link
New Domain Controller promotion process
Microsoft simplified the Domain Controller promotion process as much as they could. In Windows Server 2012 this is a really great improvement: the new promotion process makes introducing the first Windows Server 2012 DC into your existing domain environment much simpler.
You don’t have to extend your schema and prepare the domain environment for the first Windows Server 2012 Domain Controller yourself. Previously, you had to extend the schema and prepare the domain manually with adprep and the appropriate switches before you were able to promote a DC based on a newer operating system. Also, dcpromo, known from previous Windows versions, is no longer used for server promotion; that command is integrated into the new Server Manager. The whole process of introducing a Windows Server 2012 Domain Controller into an existing environment is based on a GUI wizard in Server Manager.
You only need to be logged on with appropriate permissions and you can start the process very quickly. Just add the Active Directory Domain Services role from the new Server Manager and afterwards follow the post-installation steps in the notification area. When you are promoting the new DC, you are informed that the wizard extends the schema and prepares the domain for the new Domain Controller.
As I mentioned above, dcpromo cannot be used for DC promotion as it was in previous versions of Windows. It is integrated with Server Manager, and if you try to run it from the command line, you will see that this is not possible and that you have to run the process from the new manager.
However, you can still use dcpromo from the command line to:
- forcefully decommission a DC (/forceremoval switch)
- install a DC from media (/adv switch)
Note! You need to know that everything you do in Server Manager is translated into PowerShell v3.0 code and run in the background.
More about introducing the first Windows Server 2012 DC into an existing domain environment is on my blog in this article.
The new Server Manager also allows you to promote a remote server as a Domain Controller. For more details, please read this article on my blog.
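The Server Manager wizard described above translates into cmdlets from the ADDSDeployment module. The following is an added example, not code from the original post: it adds the first Windows Server 2012 DC to an existing domain from PowerShell, running the same prerequisite check the wizard runs before it enables the Install button. Assumed values: the domain corp.example.com and the site Default-First-Site-Name.

```powershell
# Constructed example (not from the original post): PowerShell equivalent of the
# Server Manager wizard for the first Windows Server 2012 DC in an existing domain.
# Assumptions: domain "corp.example.com", site "Default-First-Site-Name", and an account
# that is a member of Schema Admins, Enterprise Admins and Domain Admins, because the
# wizard (and this cmdlet) run adprep /forestprep and /domainprep for you.

# 1. Add the AD DS role (what "Add roles and features" does in Server Manager).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Credentials used for adprep and promotion; both prompt interactively.
$cred = Get-Credential -Message 'Enterprise/Schema admin account for promotion'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# 3. Dry run: the prerequisite check the wizard performs before "Install" is enabled.
#    Nothing is changed in the domain by this call.
$check = Test-ADDSDomainControllerInstallation `
    -DomainName 'corp.example.com' `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns
$check | Format-List Status, Message

# 4. Promote only when the check came back clean (Status other than Success means
#    warnings or errors that should be read first, exactly as in the wizard).
if ($check.Status -eq 'Success') {
    Install-ADDSDomainController `
        -DomainName 'corp.example.com' `
        -Credential $cred `
        -SafeModeAdministratorPassword $dsrm `
        -SiteName 'Default-First-Site-Name' `
        -InstallDns `
        -NoRebootOnCompletion `
        -Force
    # Reboot afterwards; -NoRebootOnCompletion lets you read the output first.
}
```

Running the same cmdlet with -ComputerName against a remote server is what the wizard does when you promote a remote server from Server Manager.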
New Active Directory Administrative Center
Microsoft introduced ADAC for the first time in Windows Server 2008R2. We were able to use this console for:
- User management
- Computer management
- Group management
- OU management
- Domain Functional Level management
- Forest Functional Level management
- LDAP queries
Now, the new Active Directory Administrative Center console allows for more. Of course, all the previous features are still supported, but some new ones are available:
- GUI for Active Directory Recycle Bin
- GUI for Fine-Grained Password Policy
- PowerShell History Viewer
- Dynamic Access Control
You don’t have to use complicated PowerShell cmdlets to restore deleted object(s) or to create/modify a Fine-Grained Password Policy. From now on, you can simply use the GUI for that. Just run the new ADAC (it is available in Tools, or execute dsac.exe in the Run box) and go to the Deleted Objects container to restore deleted object(s).
The same applies to Fine-Grained Password Policy: you don’t have to use ADSI Edit or PowerShell to create a new PSO. This is also available through the GUI in the ADAC console.
Everything you do in Active Directory Administrative Center is also translated into PowerShell v3.0 code and run in the background. For this, ADAC implements a new feature called PowerShell History Viewer, which allows you to see the cmdlets used for an action along with their whole syntax. You can copy it into Notepad, modify it and run it later. This is a really good method to learn PowerShell.
The PowerShell History Viewer is available at the bottom of the Active Directory Administrative Center console.
A completely new feature in Windows Server 2012 is Dynamic Access Control. It is responsible for simplified management of claims in AD and allows you to extend file server permissions beyond the standard ACL method. A user does not need to be a member of many groups in Active Directory; you can grant him/her access to resources with claims in combination with DAC. This option reduces the Kerberos token size, which is really important in large domain environments where a user is a member of many groups.
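The two ADAC tasks above (restoring from Deleted Objects and creating a PSO) end up as ActiveDirectory module cmdlets, which is what the PowerShell History Viewer shows you. The block below is an added example, not code from the original post, doing both directly; it assumes a forest corp.example.com, a deleted user named jdoe and a PSO name PSO-Admins.

```powershell
# Constructed example (not from the original post): the ActiveDirectory module cmdlets
# behind the two ADAC tasks described above. Assumes forest "corp.example.com",
# a deleted user "jdoe" and a PSO called "PSO-Admins".
Import-Module ActiveDirectory

# Recycle Bin is an optional forest feature that must be enabled once (it cannot be
# disabled again) before the Deleted Objects container becomes usable in ADAC.
$forest = Get-ADForest
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Restore a deleted user: search deleted objects by their original name.
# Deleted objects are renamed "<name>\0ADEL:<guid>", hence the wildcard.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'jdoe*' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged   # review before restoring
# Restore fails if lastKnownParent no longer exists; restore the parent OU first or
# pass -TargetPath to choose another container.
$deleted | Restore-ADObject

# Fine-Grained Password Policy: the same settings ADAC's dialog writes to the
# msDS-PasswordSettings object. A lower Precedence wins when several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 16 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -LockoutThreshold 5 -LockoutDuration '0.00:30:00' `
    -LockoutObservationWindow '0.00:30:00' `
    -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# Verify which PSO actually applies to an account (ADAC shows this on the user's
# Password Settings section); an empty result means the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```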
Domain Controller virtualization features
With Hyper-V 3.0, Microsoft added some new features which allow better virtualization management for Domain Controllers. From now on, you don’t have to be afraid of USN rollback when you restore your DC from a snapshot or when you use a DC’s clone in your environment. The new Hyper-V 3.0 is “smarter” and it secures your environment. Thanks to that, you may use the new feature for rapid DC deployment from an existing Domain Controller. You only need to allow cloning of the DC by adding it to the appropriate domain group and prepare an XML config file with a PowerShell v3.0 cmdlet. Then you can safely clone new DCs from the existing one(s).
In virtualized domain environments, this feature is also really good for disaster forest/domain recovery.
Important! To be able to use the new feature, you need at least one Windows Server 2012 Domain Controller, and it must hold the PDC Emulator operation master role.
More about the Domain Controller virtualization process can be found on Microsoft TechNet at
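The cloning preparation described above (allow the DC to be cloned, then generate the XML config with a cmdlet) looks like this in PowerShell. This is an added example, not code from the original post. The group name Cloneable Domain Controllers is the built-in group the feature uses; the domain corp.example.com, source DC DC01, clone name DC02 and the IP addresses are assumed values.

```powershell
# Constructed example (not from the original post): the PowerShell side of virtualized DC
# cloning. Assumes domain "corp.example.com", source DC "DC01" and clone name "DC02".
# "Cloneable Domain Controllers" is the built-in group whose members may be cloned.
Import-Module ActiveDirectory

# Prerequisite from the post: the PDC Emulator must run Windows Server 2012.
$pdc   = (Get-ADDomain).PDCEmulator
$pdcOs = (Get-ADComputer -Identity $pdc.Split('.')[0] -Properties OperatingSystem).OperatingSystem
if ($pdcOs -notmatch 'Windows Server 2012') {
    throw "PDC Emulator $pdc runs '$pdcOs'; move the role to a 2012 DC before cloning."
}

# 1. Authorise the source DC to be cloned (write to the PDC so the clone sees it).
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members 'DC01$' -Server $pdc

# 2. On the source DC: list installed software not known to be clone-safe. Anything
#    listed must be reviewed and either removed or added to CustomDCCloneAllowList.xml;
#    -GenerateXml writes that allow-list file for you to edit.
Get-ADDCCloningExcludedApplicationList
Get-ADDCCloningExcludedApplicationList -GenerateXml

# 3. On the source DC: write DCCloneConfig.xml with the clone's identity and static IP.
#    The clone reads this file on first boot, detects the new VM-Generation ID and
#    promotes itself as DC02 instead of coming up as a second DC01 (USN rollback).
New-ADDCCloneConfigFile -CloneComputerName 'DC02' `
    -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# After this: shut DC01 down, export the VM, import it as a copy (new VM ID),
# and start the copy. Only then start DC01 again.
```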
Active Directory Based Authentication
With Windows Server 2012, Microsoft presented a new Windows activation method. This method is called Active Directory Based Authentication. It is available in the Volume Activation Services role when you run Server Manager.
When you use Windows 8 in your environment, you can simply activate it when the client is joined to the domain. It happens automatically; you don’t need to enter an activation key and there is no need to access the Internet.
This secures your environment much better in comparison to a KMS server. When KMS was present in the environment, you only needed to know the name of the server on which it was running (there is also another method for that, but I will not describe it here 🙂 ) and you could simply activate your Windows copy. Now, with AD BA, you need to add the client to the domain to allow OS activation. It is therefore also important to limit which users in your environment have permission to join computers to the domain.
For more details about limiting users’ ability to join computers to the domain, please read the article at this link.
Of course, you can still use a KMS server for that. It is supported alongside AD BA. However, it is required for previous Windows OSes: AD BA may only be used for Windows 8 activation!
Important! To be able to use the AD BA option, you need to extend the Active Directory schema to Windows Server 2012, but you don’t need to have a Windows Server 2012 Domain Controller.
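Two checks follow from this section: the schema must already be at the Windows Server 2012 level, and, since activation follows domain join, the right to join computers should be limited. The block below is an added example, not code from the original post; it assumes the domain corp.example.com. Schema objectVersion 56 is the Windows Server 2012 schema level and ms-DS-MachineAccountQuota is the domain attribute that lets any authenticated user join computers (10 by default).

```powershell
# Constructed example (not from the original post): prerequisite and hardening checks
# for AD BA. Assumes domain "corp.example.com".
# objectVersion 56 on the schema container = Windows Server 2012 schema level.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
"Schema objectVersion: $($schema.objectVersion)"
if ($schema.objectVersion -lt 56) {
    Write-Warning 'Schema predates Windows Server 2012; run adprep /forestprep from the 2012 media first.'
}

# Activation follows domain join, so who may join computers matters. By default any
# authenticated user can join up to ms-DS-MachineAccountQuota (10) computers. Setting it
# to 0 and delegating "Create Computer objects" on a specific OU closes that door.
$domainHead = Get-ADObject -Identity $rootDse.defaultNamingContext `
    -Properties 'ms-DS-MachineAccountQuota'
$quota = $domainHead.'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota: $quota"
if ($quota -gt 0) {
    Write-Warning "Any authenticated user may join $quota computers (and thereby activate Windows 8 installs)."
    # Remediation, run after delegation is in place (uncomment to apply):
    # Set-ADObject -Identity $domainHead -Replace @{'ms-DS-MachineAccountQuota' = 0}
}

# Activation objects published by the Volume Activation Services role; slmgr.vbs is the
# command-line tool for listing them (empty output = AD BA not configured yet).
cscript //nologo "$env:windir\system32\slmgr.vbs" /ao-list
```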
RID Operation Master
Microsoft improved the RID FSMO role in Windows Server 2012. The best-known improvement in this role is the RID pool increase. Previously we had 2^30 available RIDs and now we have one bit more: 2^31. This bit increases the pool from one billion to two billion RIDs. Thanks to that improvement we have doubled the RID pool. But we need to know one important thing: if we want to use that, we need to have Windows Server 2012 Domain Controllers or Windows Server 2008R2 with the appropriate hotfix installed. Other Windows versions do not support the extended RID pool.
Remember! The extended RID pool may only be used by Windows Server 2012 and Windows Server 2008R2 with the appropriate hotfix installed. Additionally, you need to have the RID Operation Master role on a Windows Server 2012 Domain Controller!
Another great thing introduced with Windows Server 2012 is the RID pool re-use feature! Microsoft did not fix the RID leak issue, which happens mostly when you are creating new users in script mode. When the password set by the script does not meet the domain password criteria, the object cannot be created successfully and the RID is lost. If your script was prepared to create many user objects, you lose many RIDs. With Windows Server 2012 holding the RID Operation Master role, those RIDs go to the RID pool re-use. This pool catches all those RIDs and uses them for the next objects that are created. If the pool is empty, then a standard RID is used from the DC’s global pool.
Important! The RID pool re-use is only available until you restart the Domain Controller. After a server reboot that pool is empty!
In Windows Server 2012 Microsoft also introduced event logging for used RIDs. The first entry appears when RID consumption reaches 100.000.000 (10% of the pool). Another entry is recorded when 10% of the remaining pool is used (in this case 1.000.000.000 – 100.000.000 = 900.000.000, and 10% of the remaining pool is 90.000.000).
Events are recorded at every 10% consumption of the remaining pool, so the smaller the remaining RID pool, the more frequent the entries in the event log.
Microsoft also changed the possibility of issuing a large pool of RIDs from the RID Master to other Domain Controllers. By default, RIDs are delivered in a pool of 500 for each Domain Controller. An administrator is able to change that value in the registry, but if he/she sets too high a value, RIDs may be exhausted in a short time. In Windows Server 2012 Microsoft limited the maximum amount of RIDs to issue. The maximum pool allowed for distribution is 15.000 (decimal). When you set a higher value in the registry, it won’t be issued to the Domain Controller(s), because the new mechanism issues a maximum of 15.000 RIDs in a pool.
One more interesting thing introduced in the new RID Master FSMO role is the RID Manager artificial ceiling protection mechanism. Microsoft knows that administrators do not read the event log frequently, and even if they read it, they do not react fast enough to solve the issue recorded there. So they implemented a new mechanism which blocks RID distribution when pool consumption exceeds 90%. From that point, the RID Master does not issue any pool to other Domain Controllers; the administrator must manually unlock this. This mechanism informs the administrator about pool exhaustion (90% of the RIDs in the global pool are used) and that additional activity may be required to prevent complete exhaustion of the RID pool.
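Rather than waiting for the event log entries or the 90% block, you can read the global pool yourself. The block below is an added example, not code from the original post: it reads rIDAvailablePool from the RID Manager$ object (high 32 bits = pool ceiling, low 32 bits = next RID to issue), reports consumption against the 10%-of-remaining and 90% thresholds above, and checks each DC's RID Block Size registry value against the 15,000 cap. It assumes the domain corp.example.com and WinRM access to the DCs.

```powershell
# Constructed example (not from the original post): RID pool consumption and block-size
# check. Assumes domain "corp.example.com" and WinRM (Invoke-Command) access to all DCs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) `
    -Server $domain.RIDMaster -Properties rIDAvailablePool
# rIDAvailablePool packs two 32-bit values: high = highest RID that may ever be issued
# (the ceiling), low = next RID to be handed out to a DC.
$pool    = [int64]$ridMgr.rIDAvailablePool
$ceiling = [int64]($pool -shr 32)
$nextRid = [int64]($pool -band 0xFFFFFFFF)
$used    = $nextRid - 1
$pct     = [math]::Round(100 * $used / $ceiling, 2)
"RID Master : $($domain.RIDMaster)"
"Ceiling    : $ceiling  (1073741823 = 2^30-1 by default; ~2^31 once the extra bit is enabled)"
"Issued     : $used  ($pct% of ceiling)"

# Event thresholds from the post: 10% of the pool, then 10% of whatever remains, and so on.
$remaining = $ceiling - $used
"Next event-log threshold: after roughly $([int64]($remaining * 0.1)) more RIDs"
if ($pct -ge 90) {
    Write-Warning 'Above 90%: the RID Master has stopped issuing blocks (artificial ceiling).'
}

# Per-DC block size: default 500; a 2012 RID Master caps anything above 15000.
foreach ($dc in Get-ADDomainController -Filter *) {
    $size = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'RID Block Size' -ErrorAction SilentlyContinue).'RID Block Size'
    }
    if ($null -eq $size) { $size = 500 }   # value absent = default block size
    $flag = if ($size -gt 15000) { ' <- above 15000, will be capped' } else { '' }
    "$($dc.HostName): RID Block Size = $size$flag"
}
```

dcdiag /test:ridmanager /v on the RID Master gives the same pool figures from the built-in tooling, if you prefer to cross-check.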
Other new Active Directory features
- Kerberos enhancements
- Active Directory Replication and Topology Management
- Off-Premises Domain Join
- Group Managed Service Accounts (gMSA)
- Deferred Index Creation
are described in a Microsoft article on TechNet. If you’re interested, you may read the article(s) to get more information about new AD features in Windows Server 2012.
Author: Krzysztof Pytko