• Follow me and learn Windows Server 2012 - Dynamic Access Control

    Hello, Bruce here again. With the release of Windows Server 2012 we all have to start learning the new features of the product. So I thought I would share with you what I’m studying and some resources to bring you up to speed at the same time. Below is the first topic I’m starting to look at.

    Dynamic Access Control (http://technet.microsoft.com/library/hh831717.aspx)

    Today, it is difficult to translate business-intent using the existing authorization model. The existing capabilities of access control entries (ACEs) make it hard or impossible to fully express requirements. In addition, there are no central administration capabilities. Finally, modern-day increases in regulatory and business requirements around compliance further compound the problem.

    Windows Server 2012 AD DS addresses these challenges by introducing:

    • A new claims-based authorization platform that enhances, not replaces, the existing model, which includes:
      • User-claims and device-claims
      • User + device claims (also known as compound identity)
    • New central access policies (CAP) model
    • Use of file-classification information in authorization decisions
    • Easier access-denied remediation experience
    • Access policies and audit policies can be defined flexibly and simply:
      • IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor
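    The expression above reads like policy, but in AD DS it is built from four objects: a claim type, a resource property, a central access rule and a central access policy. Here is an added example (mine, not code from the original post or from Microsoft’s docs) that creates all four with the AD DS cmdlets. It assumes a Windows Server 2012 forest with the 2012 schema and Domain Admin rights; the claim ID, resource property ID, names and values are my own choices.

```powershell
# Added example, not code from the original post or Microsoft's docs: the pieces
# behind "IF resource.Confidentiality = high ... WHEN user.EmployeeType = vendor".
# Assumes a Windows Server 2012 forest (2012 schema) and Domain Admin rights; the
# claim ID, resource property ID, names and values below are my own choices.
Import-Module ActiveDirectory

# 1. User claim type sourced from the employeeType attribute. Claim IDs must start
#    with ad://ext/ and the ID is what conditional ACEs reference.
New-ADClaimType -DisplayName 'EmployeeType' -SourceAttribute 'employeeType' `
    -ID 'ad://ext/EmployeeType' -Enabled $true

# 2. A resource property that classification (FSRM or manual) stamps onto files.
#    A built-in "Confidentiality" property already exists in a 2012 forest; a custom
#    one is created here so the value strings used in the rule are explicit.
#    ADSuggestedValueEntry(value, display name, description)
$values = 'High', 'Moderate', 'Low' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ confidentiality")
}
$rp = New-ADResourceProperty -DisplayName 'DataConfidentiality' -ID 'DataConfidentiality_EX' `
    -IsSecured $true -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValues $values -PassThru

# File servers only download properties that belong to a resource property list.
$gl = Get-ADResourcePropertyList -Identity 'Global Resource Property List' -Properties Members
if ($gl.Members -notcontains $rp.DistinguishedName) {
    Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $rp
}

# 3. Central access rule. ResourceCondition scopes it to High files; the conditional
#    ACE (XA) grants Authenticated Users read/execute (0x1200a9) only while the
#    EmployeeType claim is not "vendor". A vendor matches no allow ACE, so is denied.
New-ADCentralAccessRule -Name 'High confidentiality - no vendor access' `
    -ProtectedFromAccidentalDeletion $true `
    -ResourceCondition '(@RESOURCE.DataConfidentiality_EX == "High")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;(@USER.ad://ext/EmployeeType != "vendor"))'

# 4. Wrap the rule in a policy. The policy is what Group Policy pushes to file servers
#    (Security Settings > File System > Central Access Policy) and what admins then
#    apply to folders.
New-ADCentralAccessPolicy -Name 'Confidential data policy'
Add-ADCentralAccessPolicyMember -Identity 'Confidential data policy' -Members 'High confidentiality - no vendor access'

Get-ADCentralAccessPolicy -Identity 'Confidential data policy' -Properties Members
```

    Two things to keep in mind when you try this: a central access policy is an additional gate on top of the NTFS ACL (both must allow), and user claims only show up in tickets once the KDC support for claims policy is enabled on the domain controllers and the client policy on the file servers. The audit half of the expression (audit.Success ...) is configured with Global Object Access Auditing under the same security settings and is not covered by this script.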

    Dynamic Access Control: Scenario Overview

    http://technet.microsoft.com/en-us/library/hh831717.aspx

    Dynamic Access Control demo walkthrough

    http://technet.microsoft.com/en-us/video/dynamic-access-control-demo-walkthrough.aspx

    Technet Windows Server 2012 Virtual Labs
    Using Dynamic Access Control to Automatically and Centrally Secure Data

    In this lab, you will explore Dynamic Access Control in Windows Server 2012. You will learn how to create Central Access Policies, explore the new Access Denied Remediation features, as well as learn how to use the audit capabilities built into Dynamic Access Control.

    http://go.microsoft.com/?linkid=9806471


    Setting Up the Test Environment

    http://technet.microsoft.com/en-us/library/hh831776.aspx


    Windows Server 2012 Dynamic Access Control Overview

    http://northamerica.msteched.com/topic/details/2012/SIA207#fbid=6Bsslue7jST

    Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies

    http://northamerica.msteched.com/topic/details/2012/SIA341#fbid=6Bsslue7jST


    Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT

    http://northamerica.msteched.com/topic/details/2012/SIA316#fbid=6Bsslue7jST


  • Follow me and learn Windows Server 2012 - Rapid deployment of DC with Cloning

    Hello, Bruce here again. With the release of Windows Server 2012 we all have to start learning the new features of the product. So I thought I would share with you what I’m studying tonight and some resources to bring you up to speed at the same time. Below is the second topic I’m starting to look at.

    Rapid deployment with cloning

    AD DS in Windows Server 2012 allows you to deploy replica virtual domain controllers by “cloning” existing virtual domain controllers. You can promote a single virtual domain controller by using the domain controller promotion interface in Server Manager, and then rapidly deploy additional virtual domain controllers within the same domain, through cloning.

    The process of cloning involves creating a copy of an existing virtual domain controller, authorizing the source domain controller to be cloned in AD DS, and running Windows PowerShell cmdlets to create a configuration file that contains detailed promotion instructions (name, IP address, Domain Name System [DNS] servers, and so on). Or you can leave the configuration file empty, which allows the system to automatically fill in the information. Cloning reduces the number of steps and time involved by eliminating repetitive deployment tasks, and it enables you to fully deploy additional domain controllers that are authorized and configured for cloning by the Active Directory domain administrator. http://technet.microsoft.com/en-us/library/hh831477.aspx#BKMK_VirtualizationJustWorks
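    The steps above map onto a short PowerShell session. This is an added example of mine, not code from the original post or from the TechNet pages, covering the authorize / check / config-file part of the procedure. It assumes a Hyper-V (VM-Generation ID capable) source DC named DC2 and a clone to be named DC3 on 10.0.0.0/24; the names, addresses and site are placeholders.

```powershell
# Added example, not code from the original post or Microsoft's docs: the authorize /
# check / config-file steps of the cloning procedure. Assumes a Hyper-V (VM-Generation ID
# capable) source DC named DC2 and a clone to be named DC3 on 10.0.0.0/24; the names,
# addresses and site are placeholders.
Import-Module ActiveDirectory

# 1. The PDC emulator must run Windows Server 2012: the clone contacts it to get promoted.
$pdc   = Get-ADDomainController -Discover -Service PrimaryDC
$pdcOs = (Get-ADDomainController -Identity $pdc.HostName[0]).OperatingSystem
if ($pdcOs -notmatch 'Windows Server 2012') {
    throw "PDC emulator $($pdc.HostName[0]) runs '$pdcOs'; cloning needs a 2012 PDC emulator."
}

# 2. Authorize the source. Membership in this group is what lets a copy of the DC promote
#    itself as a new DC, so keep the group empty except while you are actually cloning.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'DC2')

# 3. Run on DC2: anything installed that is not on the clone-safe allow list shows up
#    here, and cloning refuses to proceed while the list is non-empty. Either remove
#    the software or, after vetting it, record it with -GenerateXml (CustomDCCloneAllowList.xml).
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Resolve the excluded application list before creating the clone config file.'
}

# 4. Still on DC2: write DCCloneConfig.xml. Leaving every parameter off lets the system
#    pick a name, take a DHCP lease and reuse the source's site, as the text describes.
#    The cmdlet re-checks the prerequisites (PDC version, group membership, app list) first.
New-ADDCCloneConfigFile -CloneComputerName 'DC3' -SiteName 'Default-First-Site-Name' -Static `
    -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver '10.0.0.11', '10.0.0.12'

# 5. Shut DC2 down, export/copy its VHD into a new VM and start it. The hypervisor hands the
#    copy a new VM-Generation ID; that plus DCCloneConfig.xml triggers clone promotion.
#    When DC3 is up, take DC2 back out of the group:
# Remove-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer -Identity 'DC2') -Confirm:$false
```

    The VM-Generation ID is also what the virtualization safeguards key on: if the ID changes and there is no DCCloneConfig.xml, the DC treats it as a snapshot restore rather than a clone, resets its invocation ID and discards its RID pool instead of promoting a duplicate.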

    Introduction to Active Directory Domain Services (AD DS) Virtualization

    http://technet.microsoft.com/en-us/library/hh831734.aspx

    Steps for deploying a clone virtualized domain controller

    http://technet.microsoft.com/en-us/library/hh831734.aspx#steps_deploy_vdc

    Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012

    http://northamerica.msteched.com/topic/details/2012/SIA317#fbid=6Bsslue7jST

    New features in Active Directory Domain Services in Windows Server 2012, Part 13: Domain Controller Cloning

    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-13-domain-controller-cloning.aspx

  • Follow me and learn Windows Server 2012 – Relative ID (RID) Improvements

    Hi, it is Bruce again! With the release of Windows Server 2012 we all have to start learning the new features of the product. So tonight I am studying RID improvements. Below are some resources to bring you up to speed at the same time.

    These improvements have been needed for quite some time. We now finally have a way to handle RID pool exhaustion. Some cool things we added:

    • An alert when you start to run out of RIDs
    • A soft ceiling that lets administrators take action before they run out
    • Double the number of RIDs available

    Relative ID (RID) Improvements

    http://technet.microsoft.com/en-us/library/hh831477.aspx

    The following RID improvements in Windows Server 2012 provide greater ability to react to any potential exhaustion of the global RID pool space:

    • Periodic RID consumption warning
      • At 10% of remaining global space, system logs informational event
        • First event at 100,000,000 RIDs used, second event logged at 10% of remainder
          • Remainder = 900,000,000
          • 10% of remainder = 90,000,000
        • Second event logged at 190,000,000
          • Existing RID consumption plus 10% of remainder
      • Events become more frequent as the global space is further depleted
    • RID Manager artificial ceiling protection mechanism
      • A soft ceiling that is 90% of the global RID space and is not configurable
      • The soft ceiling is deemed as ”reached” when a RID pool containing the 90% RID is issued
      • Blocks further allocations of RID pools
        • When the ceiling is reached, system sets msDS-RIDPoolAllocationEnabled attribute of the RID Manager$ object to FALSE. An administrator must set it back to TRUE to override.
      • Log an event indicating that the ceiling is reached
        • An initial warning is logged when the global RID space reaches 80%
      • The attribute can only be set to FALSE by SYSTEM and is mastered by the RID master (that is, write it against the RID master)
        • Domain Admin can set it back to TRUE

    Note: It is set to TRUE by default

    • Increased the global RID space per domain, doubling the number of security principals that can be created throughout the lifetime of a domain from 1 billion to 2 billion. The extra space is not switched on by itself: an administrator has to unlock the 31st bit of the RID space on the RID master (see Managing RID Issuance below), the change cannot be undone, and every domain controller in the domain must understand the larger space before you do it.
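    All of the numbers in the bullets above come from one attribute, rIDAvailablePool on the RID Manager$ object, plus the msDS-RIDPoolAllocationEnabled flag. Here is an added example of mine (not code from the original post or from TechNet) that reads both against the RID master, computes where the domain stands relative to the warning and ceiling thresholds described above, and shows the re-enable write an administrator would make. It assumes the AD PowerShell module and rights to read (and, for the commented-out last step, write) the RID Manager$ object.

```powershell
# Added example, not code from the original post or Microsoft's docs: read the global
# RID pool state that the warning and ceiling logic operates on. Assumes the AD
# PowerShell module and rights to read (and, for the last step, write) RID Manager$.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ridMaster = $domain.RIDMaster
$ridMgrDn  = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName

# msDS-RIDPoolAllocationEnabled is mastered by the RID master, so talk to it directly.
$ridMgr = Get-ADObject -Identity $ridMgrDn -Server $ridMaster `
    -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'

# rIDAvailablePool packs two 32-bit numbers: high half = top of the global RID space,
# low half = the next RID that will be handed to a DC when it requests a pool.
$pool    = [int64]$ridMgr.rIDAvailablePool
$top     = $pool -shr 32
$nextRid = $pool -band [int64]4294967295
$used    = $nextRid - 1          # RIDs handed out to DC pools so far (an upper bound on consumption)
$remain  = $top - $used

[pscustomobject]@{
    RIDMaster         = $ridMaster
    GlobalRIDSpace    = $top                                            # 1073741823 (0x3FFFFFFF) unless the 31st bit was unlocked
    RIDsIssued        = $used
    PercentUsed       = [math]::Round(100 * $used / $top, 2)
    NextWarningAt     = $used + [int64][math]::Floor($remain * 0.1)    # the "10% of the remainder" rule
    SoftCeiling       = [int64][math]::Floor($top * 0.9)               # allocation blocks past this point
    AllocationEnabled = $ridMgr.'msDS-RIDPoolAllocationEnabled'        # $null (never set) behaves as TRUE
}

# If the soft ceiling tripped, no DC can get a new pool until a Domain Admin re-enables
# allocation. Do this only after deciding how to deal with the remaining 10%.
if ($ridMgr.'msDS-RIDPoolAllocationEnabled' -eq $false) {
    Write-Warning "RID pool allocation is blocked on $ridMaster."
    # Set-ADObject -Identity $ridMgrDn -Server $ridMaster -Replace @{ 'msDS-RIDPoolAllocationEnabled' = $true }
}
```

    dcdiag /test:RidManager /v prints the same pool boundaries if you would rather not decode the attribute yourself; the script is useful when you want the numbers in a form you can alert on.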

    Managing RID Issuance

    http://technet.microsoft.com/en-US/library/jj574229

    New features in Active Directory Domain Services in Windows Server 2012, Part 14: RID improvements

    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/10/new-features-in-active-directory-domain-services-in-windows-server-2012-part-14-rid-improvements.aspx

  • Follow me and learn Windows Server 2012 – Deferred Index Creation

    It’s Bruce! With the release of Windows Server 2012 we all have to start learning the new features of the product. It is Friday night and I am studying Deferred Index Creation. Below are some resources to bring you up to speed at the same time.

    This new feature solves the problem of all DCs in a forest getting bogged down at the same time after you enable indexing on an attribute in AD.

    Deferred Index Creation

    http://technet.microsoft.com/en-us/library/hh831477.aspx

    In the past, index creation could adversely impact domain controller performance. Windows Server 2012 introduces a new capability that allows forest administrators to defer index creation to a point in time they choose. By default, domain controllers create indices as soon as they receive the appropriate schema change (an attribute flagged for indexing) through replication, which is why every DC in the forest used to take the hit at roughly the same time. In Windows Server 2012, a new dSHeuristics setting controls whether or not domain controllers defer index creation; when it is set, a DC builds the pending indices only when an administrator triggers it on that DC or when the DC is restarted.
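    Because dSHeuristics is a positional string shared by many unrelated settings, editing it by hand is where people get burned. The following is an added example of mine (not code from the original post or from TechNet) that sets one positional flag safely, honouring the directory’s fixed-marker rule (10th character must be 1, 20th must be 2), and then triggers the deferred build on a single DC. The character position (18) and the rootDSE trigger attribute (schemaUpdateIndicesNow) are taken from my reading of the pages linked here; confirm both against the TechNet page before running this in a real forest. It assumes Enterprise Admin rights.

```powershell
# Added example, not code from the original post or Microsoft's docs: set the forest-wide
# dSHeuristics flag that turns deferred index creation on, then trigger the build on one DC.
# The character position (18) and the rootDSE trigger attribute (schemaUpdateIndicesNow)
# are from my reading of the linked pages; confirm them before use. Assumes Enterprise Admin.
Import-Module ActiveDirectory

function Set-DsHeuristicsChar {
    # Writes one positional flag in dSHeuristics without disturbing the others. The string
    # is positional, so it is padded with '0', and the directory enforces two fixed
    # markers: if the string is 10+ chars the 10th must be '1', if 20+ the 20th must be '2'.
    param([int]$Position, [char]$Value)
    $dsDn  = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    $cur   = (Get-ADObject -Identity $dsDn -Properties dSHeuristics).dSHeuristics
    if (-not $cur) { $cur = '' }
    $chars = [char[]]$cur.PadRight([math]::Max($Position, $cur.Length), '0')
    $chars[$Position - 1] = $Value
    if ($chars.Length -ge 10) { $chars[9]  = '1' }
    if ($chars.Length -ge 20) { $chars[19] = '2' }
    $new = -join $chars
    Set-ADObject -Identity $dsDn -Replace @{ dSHeuristics = $new }
    return $new
}

function Start-DeferredIndexBuild {
    # Per-DC trigger, for a maintenance window. Restarting the DC builds the indices too.
    param([string]$DomainController)
    $root = [ADSI]"LDAP://$DomainController/RootDSE"
    $root.Put('schemaUpdateIndicesNow', 1)
    $root.SetInfo()
}

# Enable deferral (18th character = 1) and show the resulting string.
'dSHeuristics is now: ' + (Set-DsHeuristicsChar -Position 18 -Value '1')

# Later, DC by DC, when each one can afford the I/O:
# Start-DeferredIndexBuild -DomainController 'DC1'
```

    Note that the flag only changes when indices get built; the schema change that requests the index still replicates forest-wide immediately, so do not mistake a quiet DC for one that has already built it.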

    New features in Active Directory Domain Services in Windows Server 2012, Part 15: Deferred Index Creation

    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/11/new-features-in-active-directory-domain-services-in-windows-server-2012-part-15-deferred-index-creation.aspx

  • Follow me and learn Windows Server 2012 – Active Directory-Based Activation

    Hi, Bruce here! With the release of Windows Server 2012 we all have to start learning the new features of the product. So tonight I am studying Active Directory-Based Activation. Below are some resources to bring you up to speed at the same time.

    This is a cool new feature which enables enterprises to activate Windows and/or Office through a connection to their domain.  


    Active Directory-Based Activation Overview

    http://technet.microsoft.com/en-us/library/hh852637.aspx

    Active Directory-Based Activation (ADBA) is a new feature for Windows® 8, which enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain.
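    In practice the "activation object" is an msSPP-ActivationObject in the forest Configuration partition, and it is created with slmgr.vbs rather than a dedicated cmdlet. Here is an added example of mine (not code from the original post or from TechNet) that creates the object, checks that it landed where clients look for it, and confirms on a client how Windows activated. It assumes a forest whose schema is at the Windows Server 2012 level (adprep /forestprep), Enterprise Admin rights and a KMS host key; the key and the object name are placeholders.

```powershell
# Added example, not code from the original post or Microsoft's docs: create the
# activation object and confirm a client activated against it. Assumes a forest whose
# schema is at the Windows Server 2012 level (adprep /forestprep), Enterprise Admin
# rights, and a KMS host key; the key and object name below are placeholders.
$kmsHostKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, replace with your KMS host (CSVLK) key
$slmgr      = "$env:SystemRoot\System32\slmgr.vbs"

# 1. Online path: activates the host key with Microsoft and writes the activation object
#    into the forest Configuration partition, so it replicates to every DC. For isolated
#    networks use /ad-activation-get-IID, phone in, then /ad-activation-apply-CID.
cscript //nologo $slmgr /ad-activation-online $kmsHostKey 'Contoso ADBA (Windows 8 / Office)'

# 2. Check what was created and where clients will look for it.
Import-Module ActiveDirectory
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -LDAPFilter '(objectClass=msSPP-ActivationObject)' `
    -SearchBase "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfg" -Properties displayName |
    Select-Object displayName, DistinguishedName

# 3. On a domain-joined Windows 8 / Server 2012 client that already has the GVLK
#    (slmgr /ipk <GVLK>): force an activation attempt and read back how it activated.
cscript //nologo $slmgr /ato
cscript //nologo $slmgr /dlv | Select-String 'License Status|Activation Type|AD Activation'
```

    Because the object sits in the Configuration partition, whoever can write there can add or remove activation objects for the whole forest; treat that container like any other forest-wide configuration and keep the KMS host key out of scripts you check in.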

    New features in Active Directory Domain Services in Windows Server 2012, Part 16: Active Directory-based Activation

    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/09/12/new-features-in-active-directory-domain-services-in-windows-server-2012-part-16-active-directory-based-activation.aspx

    Volume activation methods in Office 2013

    http://technet.microsoft.com/en-us/library/jj219430(v=office.15).aspx