Matt Hitchcock's Blog

I finally managed to get a first look at Active Directory in Windows 8 at the Community Technology Update event yesterday, run by the Singapore Windows User Group.  Andrew Cheng (MVP) presented the session, his blog with a link to the deck and recorded presentation are found on his blog.  After hearing so much about the improvements it was great to get an actual look in anticipation of the public beta.  My takeaways from the session where as follows:

• No More DCPROMO:  Server Manager (and the Active Directory Administrative Center introduced in Windows 2008 R2) seem to be the future for Administration.  This shows that Microsoft really are ditching the MMC console.  Server Manager is used (once the domain controller role is installed) to promote your DC(s) and this of course is running PowerShell under the hood.  It’s possible to initiate a DCPROMO on remote DC’s, running the command locally on that machine rather than over RDP.  I suspect this is made possible using new features of PowerShell v3 and Windows Remote Management.  This would enable a DCPROMO to run reliably over unreliable network connections, the improvements in connection persistence in PowerShell v3 ensure that if your connection drops out mid-operation, you can reconnect as you were and the target server is unaffected.  I need to confirm that information but it makes the most sense.
• Server GUI can be removed using Features (general Windows feature):  Not a feature of AD as such but the GUI is just a check box that you can now add and remove as you like or need.  This starts to highlight the importance of PowerShell to the platform.  Headless servers will start becoming more common, enabling the GUI only for applications that need it.  You can administer everything with remote tools and PowerShell so why use a GUI?  Time to make sure your WinRM and PowerShell Remoting is set up.
• AD Recycle Bin has a GUI:  You can recover deleted items from Active Directory Administrative Center using a right-click on the object in the deleted items container.  This is much more flexible than Windows Server 2008 R2.  The Recycle Bin is still not enabled by default at this time and I would imagine that this is because third-party tools exist in the marketplace that need to be taken into account, but also the function probably has some limitations that you need to acknowledge and address first.  I’ll post more on this as I find it.
• PSO’s now Graphical:  Similar to the Recycle Bin you can also manage Password Settings Objects through the Administrative Center rather than resorting to ADSI Edit and PowerShell.
• Dynamic Access Control:  This is a general feature that integrates with AD as it uses Claims, a concept from ADFS.  In addition to NTFS Security, Claims adds another secure layer to satisfy.  Using Tagging and Categorisation for data (introduced in Windows Server 2008) you can begin to restrict access based on dynamic criteria.  For example, if you categorise all Finance data using a Finance tag, you can specify that only accounts with Finance in their Department field can access the data, provided they have satisfied NTFS permissions first.  This is a great way to lock down data as you restructure groups and find that perhaps a number of employees have more access to data than they should.  This functionality is configured and delivered through AD using Claims and Group Policy to set the NTFS Settings.  I will be looking into this more in future.  There was a Question in the session as to how ADRMS and CBAC (Claims Based Access Control) relate to each other.  CBAC is something that would apply at the Disk level, allowing you to view, access, modify as you would with NTFS operations normally.  It will not protect data once it leaves the scope or leaves your system.  RMS is Content Management, and controls how users can consume the content of a document regardless of the system on which it is accessed.  RMS will serve you beyond your organisation boundaries and limit the operations within the content, CBAC will not.
• Licensing and Activation from AD:  You can now import your licenses and activate Windows using AD rather than a KMS or other methods.  Much easier and much more flexible, more details on this to come.

Unfortunately, we didn’t see the improvements around Domain Controller virtulization but that will be something I start exploring once the public Beta is out.  Lots of useful information provided by Andrew though.

So what does this mean in the grand scheme of things?  If we’re looking to the future and strategising around our AD Management, there are things we can start doing now:

1. Start defining PowerShell’s place in your infrastructure.  Particularly if you are running legacy environments also.  Define your execution policy, deploy the software, configure your profiles and remote management and train your admins.
2. Start moving away from the MMC.  Microsoft are keen to do it and it is something you can do as long as you are running 2003 or later domain controllers.  If you are running 2008 R2 DC’s you can leverage the Microsoft AD cmdlets or the Quest ActiveRoles cmdlets to manage AD regardless of your DC OS levels.  Embrace the future of Administration now.
3. Standardise your AD Data.  Most organisations don’t use most of the object attributes in AD and they are left blank.  By developing a standard for attribute population and standard values, you can start preparing for Claims Based authentication and start automating the management of AD Objects.  The more data on the objects you have to work with, the more you can start to do.  PowerShell is a great way to GET and SET any data you need.

I hope the above has been of some use to you as well.  Windows 8 BETA is due in February and that’s where the real fun can start.