Upgrading the Platform - How to Get There!
Transcript of Upgrading the Platform - How to Get There!
Page 1
Page 2
Reimagining and Migrating Your Active Directory
#WCAB336: Upgrading the Platform - How to Get There!
Rick Claus, Sr. Technical Evangelist, @RicksterCDN
Andrew McMurray, Technical Evangelist, @MaccaMSOZ
Page 3
What part of your IT infrastructure are you the most concerned with upgrading?
* Note: my completely unsubstantiated informal TWPoll: http://twtpoll.com/uuk37y
Page 4
What version of AD are you running now?
{Insert graph here}
http://twtpoll.com/79pisy
Page 5
Active Directory is 14 years old…
• Where were you 14 years ago?
• What did your network look like?
[Diagram: individual users mapped directly to resources (U1 → R1 R2 R3, U2 → R4 R5 R6, giving user-resource pairs UR1-UR5) versus "User + Resources" groupings]
Active Directory solved a LOT of issues
Why did we all make it so complicated?
Page 6
Now the party is over…
When was the last time AD design / functionality was revisited?
Page 7
Why Windows Server 2012?
• Makes your AD admin life easier!
• Automation with PowerShell
• AD Recycle Bin
• Fine Grained Password Policies
• Group Policy updates
• Paving the way to Dynamic Access Control
• Virtualization support with VMGenID
Easiest path to Windows Server 2012 R2
Page 8
Guidelines to make your life easier
• Simplify and Consolidate
• ADMT 3.2 can’t be installed on Windows Server 2012 (http://support.microsoft.com/kb/2753560)
• Consider Server Core implementations
• Read Only Domain Controllers
• Go Virtual (stay tuned)
Page 9
Let’s get ’er done!
Page 10
Upgrade or Migration?
x86 = NO DIRECT “in place” UPGRADE PATH :-(
Page 11
Active Directory® and DNS Migration
Pre-Migration
• Migration planning: number of network interface cards (NICs)
• Prepare source server: back up; collect migration data
• Prepare destination server: install Windows Server 2012; assign temporary server name; assign temporary IP address; join domain
Migration
• Make destination server a domain controller
• Manually migrate DNS server settings
• Transfer FSMO roles
• Migrate IP address and rename servers
• Perform verification steps
• Retire source server
Post-Migration (Optional)
• Roll back migration
• Troubleshoot migration
Page 12
Bringing in your first Windows Server 2012 DC
Page 13
But wait – there are other options!
• In place upgrades of 2008 R2
• Virtualized DCs and Cloned DCs
Page 14
Page 15
Page 16
How serious is a USN bubble via virtualization?
Timeline of events (DC1 has InvocationID A; DC2 is its replication partner):
• TIME T1: snapshot created. DC1: USN 100, ID A, RID pool 500-1000.
• TIME T2: +100 users added. DC1(A) @ USN 200, RID pool 600-1000. DC2 receives updates: USNs > 100.
• TIME T3: snapshot applied! DC1: USN 100, ID A, RID pool 500-1000.
• TIME T4: +150 more users created. DC1(A) @ USN 250, RID pool 650-1000. DC2 receives updates: USNs > 200.
USN rollback NOT detected: only 50 users converge across the two DCs. All others are either on one or the other DC. 100 security principals (users in this example) with RIDs 500-599 have conflicting SIDs.
Page 17
Rapid Deployment: Cloning Flow
Clone VM:
1. NTDS starts
2. Obtain current VM-GenID
3. If different from value in DIT: reset InvocationID, discard RID pool
4. DCCloneConfig.xml available?
5. Dcpromo /fixclone
6. Parse DCCloneConfig.xml
7. Configure network settings
8. Locate PDC
9. Call IDL_DRSAddCloneDC(name, site)
Windows Server 2012 PDC (IDL_DRSAddCloneDC):
10. Check authorization
11. Create new DC object by duplicating source DC objects (NTDSDSA, Server, Computer instances)
12. Generate new DC machine account and password
Clone VM:
13. Save clone state (new name, password, site)
14. Promote as replica (IFM)
15. Run (specific) sysprep providers
16. Reboot
Configuration partition path of the duplicated Server and NTDS Settings objects:
CN=Configuration
|-- CN=Sites
    |-- CN=<site name>
        |-- CN=Servers
            |-- CN=<DC Name>
                |-- CN=NTDS Settings
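To make the slide-16 timeline and the VM-GenID check at the top of the slide-17 flow concrete, here is a small Python model added here (it is not from the deck): it replays T1 to T4 once for a DC without the check and once with it, and counts how many of DC1's users reach DC2 and how many RIDs end up shared by two different objects. The USN and RID-pool figures follow slide 16; the fresh pool 1000-1500 handed out after the reset is an assumption.

```python
import copy
import itertools
_guids = itertools.count(1)  # stand-in for object GUIDs: tells "same RID" apart from "same object"

class DC:
    """Toy DC: InvocationID, USN counter, RID pool, objects keyed (invocation_id, usn) -> (guid, rid)."""
    def __init__(self, invocation_id, usn, rid_pool, vm_genid):
        self.invocation_id, self.usn = invocation_id, usn
        self.rid_next, self.rid_end = rid_pool
        self.vm_genid = self.dit_genid = vm_genid  # hypervisor value vs. copy stored in the DIT
        self.originated, self.replicated, self.watermark = {}, {}, {}

    def create_users(self, n):
        for _ in range(n):
            assert self.rid_next < self.rid_end, "RID pool exhausted"
            self.usn += 1
            self.originated[(self.invocation_id, self.usn)] = (next(_guids), self.rid_next)
            self.rid_next += 1

    def replicate_from(self, src):
        """Pull every change whose USN is above our high-watermark for its InvocationID."""
        for (inv, usn), obj in src.originated.items():
            if usn > self.watermark.get(inv, 0):
                self.replicated[(inv, usn)] = obj
                self.watermark[inv] = max(self.watermark.get(inv, 0), usn)

    def ntds_start(self, new_ids, vm_genid_aware):
        """Slide 17: VM-GenID differs from the DIT copy -> reset InvocationID, discard RID pool."""
        if vm_genid_aware and self.vm_genid != self.dit_genid:  # pre-2012 DCs have no such check
            self.invocation_id = next(new_ids)
            self.rid_next, self.rid_end = 1000, 1500  # assumed: fresh pool from the RID master
            self.dit_genid = self.vm_genid

def run(vm_genid_aware):
    """Replay T1..T4 from slide 16: how many of DC1's objects reach DC2, how many RIDs collide."""
    dc1 = DC("A", usn=100, rid_pool=(500, 1000), vm_genid=1)
    dc2 = DC("Z", usn=0, rid_pool=(2000, 2500), vm_genid=2)
    dc2.watermark["A"] = 100            # DC2 is in sync with DC1 at T1
    snapshot = copy.deepcopy(dc1)       # T1: snapshot created at USN 100
    dc1.create_users(100)               # T2: +100 users -> USN 200, RIDs 500-599 consumed
    dc2.replicate_from(dc1)             #     DC2 receives USNs > 100; watermark for A = 200
    dc1 = copy.deepcopy(snapshot)       # T3: snapshot applied: USN and RID pool rewound
    dc1.vm_genid = 7                    #     the hypervisor presents a new generation ID
    dc1.ntds_start(iter("BCD"), vm_genid_aware)
    dc1.create_users(150)               # T4: +150 users -> USN 250
    dc2.replicate_from(dc1)             #     DC2 only asks for USNs above its watermark
    dc1_guids = {g for g, _ in dc1.originated.values()}
    converged = sum(g in dc1_guids for g, _ in dc2.replicated.values())
    stale_rids = {r for g, r in dc2.replicated.values() if g not in dc1_guids}
    return {"converged": converged, "conflicting_rids": len(stale_rids & {r for _, r in dc1.originated.values()})}
```

Without the check the model reproduces the slide's numbers (50 users converge, 100 conflicting RIDs); with it, DC2 sees a new InvocationID, pulls all 150 users, and no RID is reused.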
Page 18
Attack of the DC Clones
Page 19
But wait – didn’t we forget something?
Page 20
Cleaning up the old stuff
Page 21
New stuff
Page 22
Drop Your GUI - Server Core DCs
• Easier to Secure, Manage, and Maintain
• Supports Key Infrastructure Roles
• Minimal Server Installation
• Supports Unattended Installation
• Reduced Attack Surface
• Less Disk Space Required (~1GB)
• Reduced Software Maintenance
• Reduced Management
Page 23
Implement AD “oops” Recycle Bin
• Ever had someone with too many rights?
• “Lost” anything in AD and needed it back?
Page 24
Updating Password Policy
• Why?
  • Complexity = circumvention
  • Find right level of usability
• Requirements for multiple policies?
  • Old way = domains
  • New way = Password Settings Object
[Image: a sample password, “IL0veMyK1ds!”]
Page 25
Remote Server Admin Tools
Page 26
Group Policy Management Console
• Force GP update
• Group Policy replication
Page 27
Paving the way to the future! Policy-driven access to data with Dynamic Access Control
• Easily resolve end-user permission issues
• Centrally manage access control from Active Directory
• Pre-stage and simulate the effect of changes to access policy
• Automatically identify and classify data based on content
Desired access policy: For access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.
Page 28
Access policy: For access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
[Diagram: Active Directory Domain Services supplies the user and device claims; the file server holds the resource properties and evaluates expression-based access rules]
Page 29
Central access policy workflow
• Active Directory Domain Services: create claim definitions; create file property definitions; create central access policy
• Group Policy: send central access policies to file servers
• File server: apply access policy to the shared folder; identify information
• User’s computer: user tries to access information
[Diagram: Active Directory Domain Services (claim definitions, file property definitions, audit policy) → file server → user: allow or deny]
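An added illustration, not from the deck, of how the slide-28 claims and resource properties feed an expression-based rule on the file server in the slide-29 workflow. The Condition/CentralAccessRule classes are a simplified model of a central access rule, not the form Windows stores; the sample claims and properties are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    """One claim or property comparison, e.g. User.Clearance == "High"."""
    attr: str
    value: object
    def holds(self, ctx):
        return ctx.get(self.attr) == self.value  # a missing claim never satisfies a rule

@dataclass(frozen=True)
class CentralAccessRule:
    name: str
    targets: tuple   # resource properties that select the files this rule governs
    requires: tuple  # user and device claims the requester must present
    def applies_to(self, ctx):
        return all(c.holds(ctx) for c in self.targets)
    def failed(self, ctx):
        return [c.attr for c in self.requires if not c.holds(ctx)]

# The "desired access policy" from slides 27-28 as one central access rule.
HIGH_IMPACT_FINANCE = CentralAccessRule(
    "Finance high-impact data",
    targets=(Condition("Resource.Department", "Finance"), Condition("Resource.Impact", "High")),
    requires=(Condition("User.Department", "Finance"), Condition("User.Clearance", "High"),
              Condition("Device.Department", "Finance"), Condition("Device.Managed", True)),
)

def evaluate(rules, user_claims, device_claims, resource_props, ntfs_allows=True):
    """File-server side of slide 29: user claims, device claims and the file's classification
    properties are checked against every rule whose target matches. A central access policy
    only narrows access, so the conventional NTFS ACL must allow as well."""
    ctx = {**user_claims, **device_claims, **resource_props}
    if not ntfs_allows:
        return "deny", "NTFS ACL"
    for rule in rules:
        if rule.applies_to(ctx):
            missing = rule.failed(ctx)
            if missing:
                return "deny", f"{rule.name}: {', '.join(missing)}"
    return "allow", "every applicable central access rule satisfied"

# Constructed sample inputs mirroring the slide-28 claims and properties.
FINANCE_USER = {"User.Department": "Finance", "User.Clearance": "High"}
MANAGED_FINANCE_PC = {"Device.Department": "Finance", "Device.Managed": True}
HIGH_IMPACT_LEDGER = {"Resource.Department": "Finance", "Resource.Impact": "High"}
```

A low-impact file never triggers the rule, so classification (the "identify information" step) is what switches the policy on; an unmanaged device or a missing clearance claim is reported by name, which is the information the slide-27 "resolve end-user permission issues" promise depends on.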
Page 30
Related content
• (MDC-B323) Re-Architecting Your Infrastructure with Windows Server 2012 and Microsoft System Center 2012 SP1
• (WCA-B336) Reimagining and Migrating Your Active Directory
• (MDC-B348) Networking Infrastructure and Management
• (MDC-B349) Your Fileservers and Storage Options
Page 31
msdn: Resources for Developers, http://microsoft.com/msdn
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Page 32
Complete an evaluation on CommNet and enter to win!
Page 33
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.