Windows Server 2012 can be seen as a major release for Windows Server. Not just in terms of virtualization (Hyper-V 3.0), storage (SMB 3.0 and Storage Spaces) or manageability, but also in terms of Active Directory. There’s a load of new features, improving the lives of many Active Directory admins!
Active Directory Domain Services sees a lot of platform changes in terms of RIDs, DNTs, index creation, Offline Domain Join, LDAP, FAST, APT and Kerberos. Next to these miscellaneous features, Microsoft has categorized the new features for Active Directory Domain Services in two main categories:
Anyone who ever promoted a server to a Domain Controller, knows dcpromo.exe. As Windows Server moves to PowerShell, dcpromo.exe bites the dust. The new Domain Controller Promotion Tool is, of course, based on PowerShell. There is a New Domain Controller Promotion command line. The GUI part of the New Domain Controller Promotion tool is based on MUX.
In earlier versions of Windows Server, dcpromo.exe was used to promote member and standalone servers to Active Directory Domain Controllers. This tool needed to be run on the (remote) desktop of the box. Now, Domain Controller promotion can be run remotely, eliminating the need for interactive logon.
Microsoft introduces a new Active Directory Preparation process that can be run remotely and that automatically targets the Domain Controllers holding the relevant FSMO role(s). Active Directory Preparation is now part of the new Domain Controller promotion wizard.
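The remote promotion and automatic preparation described above, as an added example that is not part of the original post: it promotes a member server from an admin workstation with the Windows Server 2012 ADDSDeployment cmdlets, never logging on to the server interactively. The server name, domain name, site name and credential prompts are assumptions; the preparation step (formerly adprep.exe) is carried out by Install-ADDSDomainController itself when the forest or domain still needs it.

```powershell
# Added example: remote DC promotion without interactive logon (not from the original post).
# Assumed values: member server SRV01, domain corp.example.com, site Default-First-Site-Name.
$Target       = 'SRV01'
$DomainName   = 'corp.example.com'
$Credential   = Get-Credential 'CORP\Administrator'   # Domain Admin; Enterprise Admin if forest prep is still needed
$DsrmPassword = Read-Host 'DSRM (Safe Mode) password' -AsSecureString

Invoke-Command -ComputerName $Target -Credential $Credential -ArgumentList $DomainName, $Credential, $DsrmPassword -ScriptBlock {
    param($DomainName, $Credential, $DsrmPassword)

    # The cmdlets do not install the role binaries; do that first.
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

    # Same parameter set for the prerequisite check and the real promotion.
    # Passing -Credential explicitly avoids the remoting double-hop problem.
    $params = @{
        DomainName                    = $DomainName
        Credential                    = $Credential
        SafeModeAdministratorPassword = $DsrmPassword
        SiteName                      = 'Default-First-Site-Name'   # assumed site
        InstallDns                    = $true
        NoRebootOnCompletion          = $true    # reboot deliberately after reviewing the output
    }

    # Dry run: validates credentials, DNS, replication source and whether
    # forest/domain preparation is required, without changing anything.
    Test-ADDSDomainControllerInstallation @params

    # Real promotion. Schema, forest and domain preparation run automatically
    # against the FSMO role holders if they have not been done yet.
    Install-ADDSDomainController @params -Force
}

# Once SRV01 has rebooted, confirm it advertises as a DC in the expected site.
Get-ADDomainController -Identity $Target | Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
```

Keep -NoRebootOnCompletion in a scripted promotion: it lets you inspect the verbose output for preparation warnings before the server restarts, and it keeps the credential prompt and the reboot as two distinct, auditable steps.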
Current guidance dictates you need to keep a physical Domain Controller around when organizations adopt server virtualization. With Windows Server 8, Active Directory admins no longer have to fear virtualization admins pausing, snapshotting or cloning virtualized Domain Controllers. Safeguards now protect Active Directory from getting corrupted from these actions.
But that’s not enough! Where, currently, virtualization can be seen as a weak spot in Active Directory, in Windows Server 8, virtualization becomes an area of strength for Active Directory! Scaling out a virtualized Active Directory environment is as easy as copying the VHD of a suitable Domain Controller, creating a new VM based on that copy of the VHD and starting it up to get a cloned Domain Controller, ready for action!
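The cloning workflow above, as an added example that is not part of the original post: it covers the three checks the PDC emulator and the clone itself perform before a copied VHD is accepted as a new DC rather than treated as a rolled-back duplicate. The DC names, site and IP addresses are assumptions; the cmdlets (Get-ADDCCloningExcludedApplicationList, New-ADDCCloneConfigFile) are the Windows Server 2012 ActiveDirectory module ones, run on the source DC as a Domain Admin.

```powershell
# Added example: prepare a virtualized Windows Server 2012 DC for cloning (not from the original post).
# Assumed values: source DC01, clone DC02, site Default-First-Site-Name, 10.0.0.0/24 addressing.
$SourceDC  = 'DC01'
$CloneName = 'DC02'

# 1. The source DC must be a member of Cloneable Domain Controllers; the PDC
#    emulator refuses the clone request otherwise.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $SourceDC)

# 2. Any installed service or program not on DefaultDCCloneAllowList.xml blocks
#    cloning. Review each entry; only allow-list what is safe to duplicate
#    (agents with unique IDs or licences usually are not).
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type -AutoSize
    # After review: Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    # writes CustomDCCloneAllowList.xml next to the database.
}

# 3. Write DCCloneConfig.xml with the identity the clone must assume on first boot.
New-ADDCCloneConfigFile -CloneComputerName $CloneName -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# 4. Shut DC01 down cleanly, copy its VHD, build a new VM from the copy and start it.
#    The hypervisor hands the new VM a different VM-Generation ID, so the guest
#    finds DCCloneConfig.xml and promotes itself as DC02 instead of booting as a
#    second DC01. Verify from any other DC once it is up:
#    Get-ADDomainController -Identity $CloneName | Select-Object Name, Site, IPv4Address
```

The same VM-Generation ID comparison is what protects against snapshot rollback: when the ID changes and no DCCloneConfig.xml is present, the DC resets its invocation ID and discards its RID pool instead of replicating stale data back into the forest.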
Windows Server 2008 R2 introduced the Active Directory Recycle Bin, as an optional feature for the Windows Server 2008 R2 Forest Functional Level (FFL). When enabled, it enables organizations to ‘undelete’ objects and trees… through PowerShell. With Windows Server 8, you can now undelete objects through the GUI of the Active Directory Administrative Center (ADAC).
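The PowerShell side of the Recycle Bin described above, as an added example that is not part of the original post: it enables the optional feature, lists what is currently deleted, restores one user and restores a deleted OU with its subtree in the right order. The forest name, user and OU names are assumptions; the recursive helper is mine, not a module cmdlet.

```powershell
# Added example: AD Recycle Bin from PowerShell (not from the original post).
# Assumed values: forest corp.example.com, user jdoe, OU "Finance".
$Forest = 'corp.example.com'

# One-way switch: the Recycle Bin cannot be disabled once enabled, and it
# requires the Windows Server 2008 R2 forest functional level or higher.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false

# Inventory of deleted objects (the container object itself is filtered out).
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Restore a single user to its original container.
Get-ADObject -Filter 'samAccountName -eq "jdoe"' -IncludeDeletedObjects | Restore-ADObject

# Restore an OU and everything beneath it. Children carry the deleted DN of
# their parent in lastKnownParent, and a child cannot be restored before its
# parent exists again, so restore top-down and recurse.
function Restore-ADSubtree {
    param([Parameter(Mandatory)]$DeletedObject)   # object from Get-ADObject -IncludeDeletedObjects
    $deletedDn = $DeletedObject.DistinguishedName
    Restore-ADObject -Identity $DeletedObject
    Get-ADObject -Filter { lastKnownParent -eq $deletedDn } -IncludeDeletedObjects |
        ForEach-Object { Restore-ADSubtree -DeletedObject $_ }
}

$ou = Get-ADObject -Filter 'msDS-LastKnownRDN -eq "Finance" -and objectClass -eq "organizationalUnit"' -IncludeDeletedObjects
if ($ou) { Restore-ADSubtree -DeletedObject $ou }
```

Restore-ADObject puts the object back with its SID, group memberships and linked attributes intact, which is the difference from an authoritative restore of a tombstone; the helper's filter on lastKnownParent only works while the objects are still within the deleted-object lifetime.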
Introduced four years ago, with Windows Server 2008, Fine-grained Password Policies help organizations to reduce their number of Active Directory domains when they have need for different password policies within the organization. (Formerly, a new domain, plus two Domain Controllers per domain, of course, was needed to accommodate different password policies). Password Policies could be set through PowerShell and through one of the many (free) 3rd Party tools. Now, in the Active Directory Administrative Center (ADAC), administrators are able to point and click password policies.
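The PowerShell route to fine-grained password policies mentioned above, as an added example that is not part of the original post: it creates a stricter Password Settings Object for privileged accounts, applies it to groups (PSOs apply to users and global groups, never to OUs), and shows how to check the policy a given user actually gets. Policy name, group and user names are assumptions.

```powershell
# Added example: fine-grained password policy for privileged accounts (not from the original post).
# Assumed values: PSO name PSO-PrivilegedUsers, groups Domain Admins and Tier0-Operators, user jdoe.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedUsers' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# Scope the PSO. Membership is evaluated through group nesting.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedUsers' -Subjects 'Domain Admins', 'Tier0-Operators'

# When several PSOs cover one user, the lowest Precedence wins; when none does,
# the Default Domain Policy applies and this cmdlet returns nothing.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Audit view: every PSO in the domain and who it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, @{n='AppliesTo'; e={ $_.AppliesTo -join '; ' }}
```

The durations are TimeSpan strings in days.hours:minutes:seconds form; a PSO with ReversibleEncryptionEnabled set to $true is the first thing to look for in that audit output, because it stores passwords in a recoverable form for everyone it covers.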
Also, from within the Active Directory Administrative Center (ADAC), you can now explore the PowerShell commands used under the hood when you use ADAC to perform your Active Directory tasks. These commands can be used to script tedious tasks.
Next to the Active Directory PowerShell commands, introduced with Windows Server 2008 R2, Microsoft introduces a couple of new PowerShell commands, targeted at Active Directory Replication & Topology.
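A replication health sweep using those new cmdlets, as an added example that is not part of the original post: it pulls replication failures and inbound partner metadata from every DC in one pass, and lists the site topology. The 60-minute staleness threshold and the object DN in the final comment are assumptions.

```powershell
# Added example: replication and topology review with the Windows Server 2012 cmdlets (not from the original post).
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

# Replication failures as recorded by each DC, collected across the whole domain.
Get-ADReplicationFailure -Target $dcs |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

# Inbound partners that have not replicated successfully in the last hour (assumed threshold).
Get-ADReplicationPartnerMetadata -Target $dcs -PartnerType Inbound |
    Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddMinutes(-60) } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# Topology: sites, and site links with their cost and schedule.
Get-ADReplicationSite -Filter * | Select-Object Name, AutomaticTopologyGenerationEnabled
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, @{n='Sites'; e={ $_.SitesIncluded -join ', ' }}

# Up-to-dateness vector for one DC: which partner USNs it has already seen.
Get-ADReplicationUpToDatenessVectorTable -Target $dcs[0] | Select-Object Partner, Partition, UsnFilter, LastReplicationSuccess

# Single-object replication (e.g. after resetting a compromised password) instead of a full sync:
# Sync-ADObject -Object 'CN=jdoe,OU=Users,DC=corp,DC=example,DC=com' -Source $dcs[0] -Destination $dcs[1]
```

Because these cmdlets take an array for -Target, the whole sweep can be scheduled and its output compared between runs; a growing ConsecutiveReplicationFailures value on one partner pair is the earliest signal of a broken link or a lingering object problem.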
While buried deep in this list, Dynamic Access Control (DAC) is the most important authorization feature in Active Directory and Windows in a long time. This feature allows for claims-based access, resulting in the possibility to specify complex access rules to files, without the need to create complex groups. Beyond that, DAC allows for access rules based on both the user and the computer the user uses.
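A minimal Dynamic Access Control configuration, as an added example that is not part of the original post: a user claim sourced from the department attribute, a resource property that shares its value space with it, a central access rule whose conditional ACE compares the two, and the central access policy that carries the rule. All names are assumptions. The claim and resource-property identifiers referenced inside the ACE are read back from the directory rather than typed, because their generated form is not something to guess at; the SDDL layout follows the documented New-ADCentralAccessRule examples and is marked as an assumption in the comments.

```powershell
# Added example: Dynamic Access Control building blocks (not from the original post).
# Prerequisites: Windows Server 2012 DCs, the KDC "support for claims, compound
# authentication and Kerberos armoring" policy enabled, claim-aware clients (Windows 8+).
# Assumed names: claim/property "Department", rule "Department match", policy "Departmental files".

# 1. User claim that carries the value of the 'department' attribute in the PAC.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -Enabled $true

# 2. Resource property with the same vocabulary, so file classification and the
#    claim can be compared; add it to the list file servers download.
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true -SharesValuesWith 'Department' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department'

# 3. Read the generated IDs back; these are what the ACE condition references.
$claimId = (Get-ADClaimType -Identity 'Department').ID
$propId  = (Get-ADResourceProperty -Identity 'Department').ID

# 4. Rule: grant Modify (0x1301BF) to authenticated users only when the user's
#    Department claim equals the file's Department tag. SDDL form is an assumption
#    based on the cmdlet's documented examples.
$currentAcl = "O:SYG:SYD:AR(XA;;0x1301BF;;;AU;(@USER.$claimId == @RESOURCE.$propId))"
New-ADCentralAccessRule -Name 'Department match' `
    -ResourceCondition "(Exists @RESOURCE.$propId)" `
    -CurrentAcl $currentAcl

# 5. The policy is the unit Group Policy pushes to file servers.
New-ADCentralAccessPolicy -Name 'Departmental files'
Add-ADCentralAccessPolicyMember -Identity 'Departmental files' -Members 'Department match'

# Review what exists before linking the policy anywhere.
Get-ADCentralAccessRule -Filter * | Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl
```

For a safe rollout, set the ACE with -ProposedAcl first: the file server then logs event ID 4818 whenever the proposed rule would have produced a different decision than the current permissions, so the rule can be tuned before it is moved to -CurrentAcl and enforced.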
With Windows Server 8, a new member of the Active Directory family is born: Active Directory Activation Services (ADAS). Going beyond Key Management Services, ADAS automatically activates Windows installations joined to the domain and, perhaps even more important, removes the activation when a machine is removed from the domain.
In Windows Server 2008 R2, everyone was pleased Microsoft introduced Managed Service Accounts (MSAs) to solve the security issues with domain service accounts. In Windows Server 2008 R2, however, clustered and load-balanced services could not be facilitated with MSAs. Services that spanned multiple servers required MSAs for each server. For these purposes, Microsoft introduces Group Managed Service Accounts (gMSAs) in Windows Server 8.
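The gMSA setup described above, as an added example that is not part of the original post: one account shared by two load-balanced web hosts, with password retrieval restricted to a group of computer accounts. Host names, account name, DNS names and the SPN are assumptions.

```powershell
# Added example: group Managed Service Account for a web farm (not from the original post).
# Assumed values: hosts WEB01/WEB02, account svc-webfarm, domain corp.example.com.

# One-time forest step. In production the key becomes usable after ~10 hours so
# every DC has it; for a lab, -EffectiveTime ((Get-Date).AddHours(-10)) skips the wait.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Retrieval is granted to a group, so adding a farm node is a membership change
# rather than an edit of the account object.
New-ADGroup -Name 'gMSA-WebFarm-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gMSA-WebFarm-Hosts' -Members (Get-ADComputer WEB01), (Get-ADComputer WEB02)

New-ADServiceAccount -Name 'svc-webfarm' -DNSHostName 'svc-webfarm.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebFarm-Hosts' `
    -ServicePrincipalNames 'HTTP/webfarm.corp.example.com' `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES256

# On each host, after a reboot so the new group membership is in its token:
#   Install-ADServiceAccount -Identity 'svc-webfarm'
#   Test-ADServiceAccount -Identity 'svc-webfarm'     # $true once the host can fetch the password
# Then run the service as CORP\svc-webfarm$ with an empty password field.

# Audit: the principals allowed to read each gMSA password are the thing to watch,
# since anyone in that list can use the account.
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, @{n='CanRetrievePassword'; e={ $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' }}
```

The password is 240 bytes of random data derived from the KDS root key and rotated by the DCs on the given interval; no human ever knows it, which is what removes the stale shared service password problem that standalone MSAs could not solve for clustered services.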
Microsoft accounts can also be connected to Active Directory domain accounts. This allows users to build a bridge between their Microsoft Account and their Domain Account.
KDC Improvements (Source)
Kerberos Constrained Delegation in Windows Server 2012 now supports cross-domain and cross-forest authentication scenarios.
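The cross-domain scenario above, as an added example that is not part of the original post: Windows Server 2012 lets the owner of the back-end resource decide who may delegate to it, by writing the list of front-end principals on the back-end account (msDS-AllowedToActOnBehalfOfOtherIdentity) instead of editing the front-end's delegation tab in the other domain. Domain names, the web server and the SQL service account are assumptions.

```powershell
# Added example: resource-based constrained delegation across domains (not from the original post).
# Assumed values: front-end WEB01 in a.example.com, back-end gMSA svc-sql in b.example.com.
$frontEnd = Get-ADComputer -Identity 'WEB01' -Server 'a.example.com'
$backEnd  = Get-ADServiceAccount -Identity 'svc-sql' -Server 'b.example.com'   # Get-ADComputer for a machine account

# Allow WEB01 to request service tickets to svc-sql on behalf of the users it
# authenticated. Written on the back-end object, so domain B's admin controls it.
Set-ADServiceAccount -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd -Server 'b.example.com'

# Verify the result as the cmdlet presents it.
Get-ADServiceAccount -Identity $backEnd -Properties PrincipalsAllowedToDelegateToAccount -Server 'b.example.com' |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# Audit sweep for domain B: every account that accepts delegated tickets from someone.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Server 'b.example.com' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    Select-Object DistinguishedName, ObjectClass

# Removing the grant again is a single write on the same object.
# Set-ADServiceAccount -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $null -Server 'b.example.com'
```

Because write access to that one attribute is all it takes to let another principal impersonate users against the service, the audit query belongs in the same review as the classic msDS-AllowedToDelegateTo and TrustedForDelegation checks.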
Kerberos Armoring - FAST (Source)
A whole new security feature in Active Directory Domain Services in Windows Server 2012 goes by the name Flexible Authentication Secure Tunneling (FAST). This new feature solves common security problems with Kerberos and also makes sure clients do not fall back to less secure legacy protocols or weaker cryptographic methods.
RID Improvements (Source)
In Windows Server 2012, when object creation fails, the RID that would previously have leaked is placed in a RID Reuse Pool instead. Upon subsequent object creation, a RID is taken from the RID Reuse Pool (if any is available) instead of from the RID Pool block. Rebooting a Domain Controller clears the RID Reuse Pool.
Deferred Index Creation (Source)
On Domain Controllers running Windows Server 2012, index creation can be deferred to a time when it’s more convenient.
LDAP Enhancements (Source)
When you’re having trouble and need adequate logging capabilities, Windows Server 2012 has got your back. Also, if you’re involved with Active Directory Domain Services from a software developer or ISV point of view, the new LDAP controls might make your work a lot easier.
DNTs Exposed (Source)
Having an easy way to query and monitor the number of DNTs created per Domain Controller is useful, since we can now have more RIDs than DNTs in Windows Server 2012.
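The monitoring this section calls for, as an added example that is not part of the original post and covering both the RID Improvements and DNTs Exposed sections above: it decodes the domain-wide RID pool, reads the per-DC RID block, and queries the rootDSE attribute approximateHighestInternalObjectID that Windows Server 2012 DCs publish for their DNT high-water mark. The domain and DC names come from the directory; the 2^30 default ceiling and the 2^31 DNT limit are stated as the values I know, not taken from the page.

```powershell
# Added example: RID pool and DNT usage per DC (not from the original post).
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Domain-wide pool on the RID master: rIDAvailablePool packs two 32-bit values.
# High half = ceiling (2^30 by default, 2^31 once the 31st bit is unlocked),
# low half = next RID the RID master will hand out in a block.
$ridMgr  = Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool -Server $domain.RIDMaster
[uint64]$pool = $ridMgr.rIDAvailablePool
$ceiling = [uint32]($pool -shr 32)
$nextRid = [uint32]($pool -band 0xFFFFFFFF)
"RID pool: {0:N0} of {1:N0} issued ({2:P1})" -f $nextRid, $ceiling, ($nextRid / $ceiling)

# Per-DC: the block each DC currently allocates from, plus the DNT high-water mark.
# DNTs are local row numbers in each DC's database and are never reused, so a
# DC that has churned through many objects can hit the 2^31 DNT limit long
# before the domain runs out of RIDs.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ridSet = Get-ADObject "CN=RID Set,$($dc.ComputerObjectDN)" -Server $dc.HostName `
                -Properties rIDNextRID, rIDPreviousAllocationPool
    [uint64]$alloc = $ridSet.rIDPreviousAllocationPool
    $root = Get-ADRootDSE -Server $dc.HostName -Properties approximateHighestInternalObjectID

    [pscustomobject]@{
        DC            = $dc.HostName
        BlockStart    = [uint32]($alloc -band 0xFFFFFFFF)
        BlockEnd      = [uint32]($alloc -shr 32)
        NextRID       = $ridSet.rIDNextRID
        HighestDNT    = $root.approximateHighestInternalObjectID
        DNTPercent    = [math]::Round(100 * $root.approximateHighestInternalObjectID / [math]::Pow(2, 31), 3)
    }
}
```

A sudden jump in NextRID without a matching rise in object count is the symptom the RID Reuse Pool was added to prevent; with both numbers in one table, RID consumption and DNT consumption can be trended separately, which is exactly why the DNT figure being exposed matters.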
Offline Domain Join Improvements (Source)
With Windows 7 and Windows Server 2008 R2, Microsoft introduced a new Active Directory feature called Offline Domain Join (ODJ). This feature allows clients to be joined to an Active Directory domain without needing a direct connection to any of the Domain Controllers for the Active Directory domain.
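The two halves of an Offline Domain Join, as an added example that is not part of the original post: provisioning runs on a domain-joined machine with rights to create computer objects, and the request runs on the new machine with no DC reachable. Domain, OU, machine name and file paths are assumptions; the switches shown are ones I know djoin.exe accepts (the DirectAccess-related ones marked optional are the Windows Server 2012 additions).

```powershell
# Added example: Offline Domain Join with djoin.exe (not from the original post).
# Assumed values: domain corp.example.com, machine CLIENT01, OU Workstations, blob in C:\odj.

# --- Step 1: on a domain-joined admin machine: create the account and the blob.
djoin.exe /provision /domain corp.example.com /machine CLIENT01 `
    /machineou "OU=Workstations,DC=corp,DC=example,DC=com" `
    /savefile C:\odj\CLIENT01.txt /reuse
#   Optional, Windows Server 2012 additions for DirectAccess clients (assumed usage):
#   /policynames "DirectAccess Client Settings" /rootcacerts /certtemplate "DirectAccessClient"

# The blob contains the machine account password: restrict it to the operator
# who will carry it to the target, and delete it after use.
icacls C:\odj\CLIENT01.txt /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)"

# --- Step 2: on CLIENT01 as a local Administrator, with no DC reachable.
#   djoin.exe /requestODJ /loadfile C:\odj\CLIENT01.txt /windowspath $env:SystemRoot /localos
#   Restart-Computer
# (/windowspath pointing at an offline image instead of $env:SystemRoot injects the
#  join into a mounted VHD or WIM before it is ever booted.)

# --- Verification once the machine can reach a DC.
Get-ADComputer -Identity CLIENT01 -Properties whenCreated, OperatingSystem, LastLogonDate |
    Select-Object Name, DistinguishedName, whenCreated, LastLogonDate
```

The provisioning account only needs Create Computer Objects on the target OU, so it is worth delegating that right to a dedicated provisioning account rather than running the first step as a Domain Admin.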