Notes on IT (mainly Microsoft)

Archive for the ‘Domain Controller’ Category

Windows Server 2012: Planning for Active Directory Forest Recovery


This guide has now been updated to include using virtualized domain controller cloning in Windows Server 2012 to expedite forest recovery.


Written by adamsync

May 2, 2013 at 22:30

Best Practices for Securing Active Directory


A (300+ page) guide from Microsoft IT:

Contains recommendations to enhance the security of Active Directory installations, discusses common attacks against Active Directory and countermeasures to reduce the attack surface, and offers recommendations for recovery.

and a high-level (6-page) overview.


Written by adamsync

May 2, 2013 at 22:24

Nordic Infrastructure Conference 2013 – session videos available


Videos of talks covering topics in:

Windows server
Virtualization & Cloud
System Management
Unified Communication
Windows Client
Partner talks

given at the Nordic Infrastructure Conference held in January are now available. There’s broad coverage by many well-known speakers; see the Agenda for links to the videos.

Windows Server 2012 Dynamic Access Control


The single, best reference by far on the Dynamic Access Control feature is the Understand and Troubleshoot Dynamic Access Control in Windows Server 2012 guide by Mike Stephens of Microsoft. The guide was updated February 2013 from the previous “beta” version.

The scenario guide for Windows Server 2012 Dynamic Access Control is on TechNet.

Three sessions at TechEd 2012 covered:

Windows Server 2012 Dynamic Access Control Overview

Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies

Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT

A Build 2012 conference session by Dave McPherson (who you may remember from such technologies as AzMan and “RBAC in the middle tier”) re-presented some of the deep dive content but with added insight into the internals of conditional expressions in Windows; the CALLBACK_ACE_TYPE (the ACE type whose application data carries the conditional expression, as opposed to the plain access-allowed and access-denied ACE types, whose trustee is resolved to a SID when the ACE is written) was entirely new to me. Dave also discussed scalability with respect to security group rationalization and token bloat.

There is more material on Extending & customizing Dynamic Access Control on MSDN, information on what partners and ISVs are doing with this technology, and a discussion of the changes to maximum token size in Windows Server 2012.
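Claims and conditional ACEs are easier to see than to describe, so here is an added example (not code from this page, from Mike Stephens’ guide or from Microsoft) that builds the minimal chain from a user claim to a central access rule with the Windows Server 2012 ActiveDirectory PowerShell module. The claim ID, the property and policy names and the department values are assumptions made for the illustration; the cmdlets and the SDDL conditional-expression syntax are the real ones.

```powershell
# Added example: user claim -> resource property -> conditional ACE -> central access policy.
# Assumptions (not from the page): run as a Domain Admin on a Windows Server 2012 domain
# with the 2012 schema; a Windows Server 2012 file server with FSRM; the claim ID, names
# and values below are illustrative. Claims only appear in Kerberos tickets once the KDC
# policy "KDC support for claims, compound authentication and Kerberos armoring" is on.
Import-Module ActiveDirectory

# 1. A user claim sourced from the 'department' attribute. The ID is pinned so that the
#    SDDL below can reference it; if omitted, AD generates ad://ext/<DisplayName>:<hex>.
$claimId = 'ad://ext/Department:88d4d68a0c9f1ce2'   # assumed value for the example
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -ID $claimId -Enabled $true

# 2. A resource property that the file-classification engine stamps on folders. Its ID
#    defaults to <DisplayName>_MS, i.e. Department_MS, which is what the rule references.
$values = 'Finance', 'Engineering' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ department")
}
$prop = New-ADResourceProperty -DisplayName 'Department' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $values -PassThru
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $prop

# 3. The central access rule. 'XA' is ACCESS_ALLOWED_CALLBACK_ACE_TYPE: the conditional
#    expression travels in the ACE's application data and is evaluated at access-check
#    time against the caller's claims and the file's resource properties, instead of being
#    resolved to a SID when the ACE is written. Authenticated Users (AU) get File Read (FR)
#    only when their Department claim equals the folder's Department_MS property.
$conditionalAce = "(XA;;FR;;;AU;(@USER.$claimId == @RESOURCE.Department_MS))"
$rule = New-ADCentralAccessRule -Name 'Same-department read' `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance","Engineering"})' `
    -CurrentAcl "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)$conditionalAce" -PassThru
# To stage rather than enforce, pass the same SDDL as -ProposedAcl instead of -CurrentAcl;
# the file server then audits differences (event 4818) without changing access.

# 4. Bundle the rule into a policy. The policy still has to be published to file servers
#    by Group Policy (Security Settings > File System > Central Access Policy) and then
#    selected on the share's Security tab.
$policy = New-ADCentralAccessPolicy -Name 'Departmental data' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# On the file server, pull the new property definitions into FSRM:
#   Update-FSRMClassificationPropertyDefinition
# On a client (after a fresh logon), confirm the claim made it into the token:
#   whoami /claims
```

The resource condition scopes the rule to folders actually tagged with one of the listed departments, so an untagged folder is governed only by its NTFS DACL; central access policies narrow access and never widen it beyond what the share and NTFS permissions already allow.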

If you want to see more demos or walkthroughs of the key components of Dynamic Access Control then check out these, largely at the Microsoft Virtual Academy.

For information on using Dynamic Access Control in multi-forest scenarios see here.

For information on support for DAC in Windows Server 2012 DFSR see here.

A webinar covering “Using Microsoft Dynamic Access Control for Electronic Export Compliance” (US ITAR and EAR) is here.

At a higher level of abstraction the functional specification and use cases for Dynamic Access Control are part of Microsoft’s Open Protocol Specifications, in particular see:

[MS-AZOD]: Authorization Protocols Overview

the PDF of which is most convenient for reading.

What’s New in Active Directory Domain Services in Windows Server 2012 (TechNet)


The four tenets of the Windows Server 2012 AD DS improvements:

“Virtualization that just works
Providing greater support for the capabilities of public and private clouds through virtualization-safe technologies and the rapid deployment of virtual domain controllers through cloning.

Simplified deployment
Simplifying the on-premises AD DS deployment (formerly DCpromo) with a new streamlined domain controller promotion wizard that is integrated with Server Manager and built on Windows PowerShell.

Simplified management
Integrating claims-based authorization decisions into AD DS and the Windows platform that permit a combination of centralized access policies, directory attributes, the Windows file-classification engine, and compound-identities comprising both user and machine identity.

Providing a consistent graphical and scripted management experience that allows you to perform tasks in the Active Directory Administrative Center that automatically generate the syntax that is required to enable automation for the task in Windows PowerShell.

AD DS Platform Changes
Updating the AD DS platform with changes such as relative ID improvements, deferred index creation, and off-premises domain join improvements.”

More detail on TechNet:

Active Directory Domain Services

What’s New in Active Directory Domain Services (AD DS)
Active Directory Replication and Topology Management Using Windows PowerShell
Deploy Active Directory Domain Services (AD DS) in Your Enterprise
Active Directory Domain Services (AD DS) Virtualization
Active Directory Administrative Center Enhancements
Dynamic Access Control
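Both the forest-recovery note at the top of this archive and the “virtualization that just works” tenet above rest on virtualized domain controller cloning. As an added example (not from this page or from the linked TechNet material), the following PowerShell prepares a source DC for cloning on Windows Server 2012 and performs the checks that cause most clone attempts to fail. The clone name, site and IP addresses are assumptions; the cmdlets, the group name and the file name are the real ones.

```powershell
# Added example: prepare a virtualized Windows Server 2012 DC for cloning.
# Assumptions (not from the page): run elevated on the source DC; the hypervisor
# exposes VM-GenerationID (Hyper-V on Windows Server 2012 does); the clone name,
# site and addresses below are illustrative.
Import-Module ActiveDirectory

# The clone contacts the PDC emulator at first boot for its new name and RID pool,
# so that role holder must itself be a Windows Server 2012 DC.
$pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
if ($pdc.OperatingSystem -notmatch 'Windows Server 2012') {
    throw "PDC emulator $($pdc.HostName) runs '$($pdc.OperatingSystem)'; upgrade it before cloning."
}

# 1. Authorise the source DC. Membership is checked by the clone at first boot, so a
#    copied VHD of an unauthorised DC cannot quietly turn into a new domain controller.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $env:COMPUTERNAME)

# 2. Every installed program and service must be on the cloning allow list
#    (DefaultDCCloneAllowList.xml, or a CustomDCCloneAllowList.xml you generate after review).
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Remove the listed software, or review it and accept it with Get-ADDCCloningExcludedApplicationList -GenerateXml -Force.'
}

# 3. Write DCCloneConfig.xml into the DIT directory of the source. When the copied VM
#    boots with a different VM-GenerationID and finds this file, it discards its RID pool,
#    takes a new invocation ID, renames itself and joins the named site. Without the file,
#    the same VM-GenerationID change only triggers the virtualization safeguards.
New-ADDCCloneConfigFile -CloneComputerName 'DC-CLONE01' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.21' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.20'

# 4. Shut the source down, export the VM, import the export as a copy (so it gets a new
#    VM ID and therefore a new VM-GenerationID) and start the copy. The source can be
#    started again once the export has completed.
# Stop-Computer -Force
```

Run step 2 before step 3 every time: the excluded-application list is evaluated again when the clone boots, and a DC that fails that check at first boot comes up in Directory Services Restore Mode rather than as a clone.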

Written by adamsync

June 20, 2012 at 22:18

What’s new in Active Directory Domain Services in Windows Server 2012 (TechEd)


Dean Wells, Program Manager in the Directory Services product group at Microsoft, gave a number of excellent and highly-rated talks at TechEd recently:

What’s New in Active Directory in Windows Server 2012

Impact of Cloning and Virtualization on Active Directory Domain Services

Running Active Directory on Windows Azure Virtual Machine

The interview that Dean gave to Channel 9 during TechEd is a frank and lucid briefing on the latest developments:

Dean Wells Live at Tech Ed