70-410 Dumps - PowerPoint PPT Presentation

About This Presentation
Title:

70-410 Dumps

Description:

This exam is part one of a series of three exams that test the skills and knowledge necessary to implement a core Windows Server 2012 infrastructure in an existing enterprise environment. – PowerPoint PPT presentation

Transcript and Presenter's Notes


1
Windows Server 2012: A Techie's Insight into the Hot New Features
2
Windows Server 2012
Domain Controller cloning; Enhanced DirectAccess; Safe Domain Controller virtualization; RID pool enhanced management; Enhanced logging; PowerShell 3.0; PowerShell Workflow; PowerShell history; Kerberos CBAC; Compound identity; RemoteFX; IP Address Management; DHCP HA; DA object recovery GUI; iSCSI Target; Windows NIC teaming; Virtualization, virtualization, virtualization; 32 virtual processors per VM; 1TB virtual machine memory; New 64TB VHDX format; Native 4k disk support; Hyper-V Replica; Hyper-V virtual fiber channel; Virtual networking; Live storage migration; Support for up to 64 nodes per cluster; Support for 4000 VMs per cluster; Hyper-V support for up to 2 TB of physical memory; Live VHD merge; Cluster shared volumes v2; SMB 2 Support; RDMA support in SMB; Scale-out file server; Multi-channel SMB; Virtual NIC monitor mode; Storage PowerShell; Network PowerShell; Multi-Tenancy, Port ACLs / Firewall; Storage metering; Storage Spaces; SMI-S support inbox; Virtual NUMA support; CPU metering; Network metering; Memory metering; RemoteFX 3D graphics remoting; Touch remoting; USB remoting; VDI; Guest Application Health Monitoring; VM Hardware Error Isolation; VM Failover Prioritization; Trusted boot support; Removable Shell IE; Enables roles in VHDs Offline; Multi-machine management protocol; Integrated workflows and PowerShell
So many new changes and they are all hot
3
My first dilemma
Default installation
  • Should I be a man or a mouse?
  • I went for the GUI

http://www.allpass4sure.com/mcsa-windows-server-2012-pdf-70-410.html
4
Easy to switch
Server Core
Minimal Server Interface
GUI
Desktop Experience
5
Make sure PowerShell is your best friend
  • PowerShell 3.0 with over 2000 cmdlets
  • Allows creation of scripts with workflow
  • AD PowerShell history helps you get started
  • Newest help files download on demand: Update-Help

6
A tour around the management GUI
7
Not technical but a very useful reference
Hover, select from Charms bar
Hover, click: Metro Start
Windows key: Metro Start
Windows key + C: Open Charms bar
Windows + I: Settings on Charms bar
Windows + Q: Search on Charms bar
Just start typing
8
Virtualization, virtualization, virtualization
Clustered VMs and hosts
Virtualized domain controller support
Live Migration
Replication
Virtual machines: VM1, VM2, VM3, ... VMn
Storage virtualization: Near SAN capability from commodity disks
Network virtualization: Virtualized customer networks
CPU and memory virtualization: New dynamic memory support
VM hardware offloading: Network Direct; HBA for VMs; Direct data transfers (ODX)
9
Impressive scalability
System           Resource                                Maximum number:    Maximum number:            Improvement
                                                         Windows 2008 R2    Windows Server "8" Beta    factor
Host             Logical processors on hardware          64                 160                        2.5
Host             Physical memory                         1 TB               2 TB                       2
Host             Virtual processors per host             512                1,024                      2
Virtual machine  Virtual processors per virtual machine  4                  32                         8
Virtual machine  Memory per virtual machine              64 GB              1 TB                       16
Virtual machine  Active virtual machines                 384                1,024                      2.7
Cluster          Nodes                                   16                 64                         4
Cluster          Virtual machines                        1,000              4,000                      4
10
A techie's insight into the hot new features
  • So many features to choose from
  • Let's look at some of the challenges I've faced over the last year:
    • Deploying DirectAccess
    • Troubleshooting Kerberos and delegation issues
    • File Server authorization and auditing
    • Claims based authentication
    • Building POC environments to test it all out

If Windows Server 2012 solves my issues, that's hot
11
My hot three for today
  • DirectAccess
  • Kerberos enhancements
  • Dynamic Access Control

12
Windows 2008 R2 DirectAccess Simple?
Internet
Corporate intranet
  • When a DirectAccess client connects to the
    Internet it is automatically connected to the
    corporate intranet
  • No user action required

It's a truly great user experience
- But
13
Simple?
Maybe not
Internet
Corporate intranet
  • Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
  • Internet tunnelling selection based on client location: Internet, NAT, firewall
  • Encryption/authentication of Internet traffic (end-to-edge/end-to-end): PKI required
  • Client location detection: Internet or corporate intranet
  • Certificates require PKI
14
2008 Additional Challenges
  • UAG required for
    • Load-balancing
    • Support for IPv4 intranet endpoints
    • NAT 64 DNS 64
  • Requires two consecutive public IPv4 addresses
  • Multi-domain support complex
  • Poor multi-site support
  • Monitoring and troubleshooting problematic
  • RRAS and DA could not coexist
  • 2FA only supported for Smartcards, no OTP support
  • Many deployments didn't get off the drawing board

Windows Server 2012 fixes all and more
  • NAT
  • Multi-domain support
  • Multiple entry-points with automatic failover
  • Comprehensive
  • One role supports both
  • OTP and virtual SC
  • Now it's easier
15
One tunnel or two?
  • DA on Windows 2008 R2 creates an infrastructure
    and intranet tunnel
  • Client certificates and computer/user accounts
    are used to authenticate to each tunnel endpoint
  • Certificates are required to support Windows 7
    clients, NAP and 2FA client
  • Windows 8 clients can be supported through a
    single-tunnel configuration
  • Authentication to the endpoint managed through a
    Kerberos Proxy
  • Uses IPHTTPS
  • IPHTTPS optimised via SSL with NULL encryption

16
3 clicks and you're done, or full feature
  • For small to medium deployments the Getting
    Started Wizard will automatically deploy DA
  • Single-tunnel, IPHTTPS, single-public IP or NAT,
    and no PKI
  • If no public SSL cert is available a self-signed
    cert is automatically generated
  • Client group policy deployed using a WMI filter
  • For a full featured DirectAccess deployment you
    will need to go through the Remote Access Setup
    Wizard
  • You can use the Getting Started Wizard and access
    the setup wizard afterwards

17
Just 3-clicks
18
My hot three for today
  • Direct Access
  • Kerberos enhancements
  • Dynamic Access Control

19
Kerberos Changes
  • We've seen the Kerberos Proxy in action
  • This is used for DirectAccess and Remote Desktop
    users and cannot be deployed on the edge for
    other functions
  • There are a number of other changes to Kerberos
    to enhance day to day operations
  • Increase to the maximum Kerberos SSPI context
    buffer size
  • PAC group compression
  • Warning events for large token sizes
  • Increased logging
  • Hot topics for me are claims support and
    delegation

20
Adding Claims to the Kerberos Token
Pre-Windows 8
  • User's group memberships added to PAC
  • Authorization based on group membership
Windows 8
  • Compound ID: PAC contains a user's group and claims information, plus device information
  • Authorization based on group membership, user and device claims
User's Kerberos Token
  • PAC
    • User: Groups, Claims
    • Device: Groups, Claims
21
Enabling Kerberos for Claims
  • Enable the KDC administrative template for
    Support for Dynamic Access Control and Kerberos
    armoring
  • Kerberos armoring, also referred to as Flexible
    Authentication Secure Tunnelling (FAST), provides
  • A protected channel between the Kerberos client
    and the KDC
  • Protection against offline dictionary attacks
  • Signs Kerberos error messages
  • Prevents spoofing
  • Compound identity

22
Delegation
Block cross-forest delegation by setting /EnableTGTDelegation to No with netdom trust
Protect back-end services by setting the service account parameter PrincipalsAllowedToDelegateToAccount
  • Prior to Windows Server 2012, constrained
    delegation required the front- and back-end
    services to be in the same domain
  • 2012 allows delegation across domains and forest
    trusts
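
The two delegation controls named on this slide, as an added example that is not part of the original presentation. It assumes the RSAT ActiveDirectory module on Windows Server 2012 or later; the account, host and domain names (svc-sql-backend, WEB01, corp.example, partner.example) are hypothetical placeholders.

```powershell
# Added example; every account, host and domain name here is a hypothetical placeholder.
Import-Module ActiveDirectory

# 1. The back-end service account names the only front-end allowed to delegate to it.
$frontEnd = Get-ADComputer -Identity 'WEB01'
Set-ADUser -Identity 'svc-sql-backend' -PrincipalsAllowedToDelegateToAccount $frontEnd

# 2. Audit: find every account that accepts delegation, and from which principals.
#    The parameter above is stored in msDS-AllowedToActOnBehalfOfOtherIdentity.
$filter = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
$prop   = 'PrincipalsAllowedToDelegateToAccount'
$backEnds = @(
    Get-ADUser           -LDAPFilter $filter -Properties $prop
    Get-ADComputer       -LDAPFilter $filter -Properties $prop
    Get-ADServiceAccount -LDAPFilter $filter -Properties $prop
) | Sort-Object DistinguishedName -Unique   # managed service accounts can match twice

$report = foreach ($account in $backEnds) {
    foreach ($principal in $account.$prop) {
        [pscustomobject]@{
            BackEnd         = $account.SamAccountName
            ObjectClass     = $account.ObjectClass
            AllowedFrontEnd = [string]$principal
        }
    }
}
$report | Sort-Object BackEnd, AllowedFrontEnd | Format-Table -AutoSize

# 3. Flag any front-end that is not on the reviewed allow-list (constructed sample value).
$approved = @('CN=WEB01,OU=Servers,DC=corp,DC=example')
$report | Where-Object { $_.AllowedFrontEnd -notin $approved } |
    Format-Table -AutoSize

# 4. Block TGT delegation across the forest trust.
#    netdom trust takes the trusting domain first and the trusted domain in /domain:.
$trustingDomain = 'corp.example'
$trustedDomain  = 'partner.example'
netdom trust $trustingDomain /domain:$trustedDomain /EnableTGTDelegation:No
```

Run the audit in steps 2 and 3 on a schedule: any row outside the allow-list means a principal can obtain tickets to that back-end on behalf of users and should be reviewed.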

23
Enabling Claims identity
24
My hot three for today
  • Direct Access
  • Kerberos enhancements
  • Dynamic Access Control

25
Defining the access requirements
  • Sales Consultants from the regional sales
    departments must have read/write access to their
    region's sales documents
  • They are not allowed to access sales documents
    for other regions
  • Sales Managers must have access to sales
    documents in all regions
  • Sales documents with high business impact must
    only be viewable by Sales Managers
  • The access model must be applied across multiple
    file servers in the Active Directory forest

26
A nice to have
  • High impact documents should only be accessible
    from client machines that are managed by the Corp
    Sales department

27
How many different designs can you come up with?
Sales
UK Sales
UK
Sales UK RW
US
Sales US RW
US Sales
HI UK
Sales HI UK RW
Sales Managers
HI US
Sales HI US RW
How do we guarantee HI documents are placed in
the correct folders?
28
Windows Server 2012 to the rescue
  • No way to tag files and apply authorization and auditing based on file type
    Resolution: Files can be classified (tagged) and policies applied based on the file's classification
  • No way to create ACLs based on expressions. Requires complex group structures
    Resolution: Expression based access control and auditing
  • ACLs defined using groups
    Resolution: Expressions can contain groups, users, and user and device claims
  • Device state not supported in authorization decisions
    Resolution: Access based on compound ID, user and device claims
29
Elegant solutions
Access based on Central Access Policy, file and
folder classification, and CBAC
Sales
UK
US
  • Permissions applied based on file classification
  • No groups
  • We even solved the nice to have
  • High impact documents should only be accessible
    from client machines that are managed by the Corp
    Sales department

30
A quick tour of Dynamic Access Control
31
So many great enhancements
  • Just one more I couldn't miss

32
Well, that's what's hot for me
33
Consulting services on request
John has designed and implemented computing
systems ranging from high-speed industrial
controllers through to distributed IT systems
with a focus on security and high-availability. A
key player in many IT projects for industry
leaders including Microsoft, the UK Government
and multi-nationals that require optimized IT
systems. Developed technical training courses
that have been published worldwide, co-authored a
highly successful book on Microsoft Active
Directory Internals, presents regularly at major
international conferences including TechEd, IT
Forum and European summits. John can be engaged
as a consultant or booked for speaking
engagements through XTSeminars.
www.xtseminars.co.uk
34
What's hot for you?
35
Required Slide
Complete an evaluation on CommNet and enter to
win!
36
2012 Microsoft Corporation. All rights
reserved. Microsoft, Windows, Windows Vista and
other product names are or may be registered
trademarks and/or trademarks in the U.S. and/or
other countries. The information herein is for
informational purposes only and represents the
current view of Microsoft Corporation as of the
date of this presentation. Because Microsoft
must respond to changing market conditions, it
should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information
provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED
OR STATUTORY, AS TO THE INFORMATION IN THIS
PRESENTATION.