Dynamic Access Control And Server Migration

Guest blogger Craig Naumann dives deeper into Server Manager, checking out dynamic access control, server migration tactics and much more.

The last day of TechEd 2012 came around quite quickly. I’ve been thoroughly occupied from lunch time Tuesday until the end. I’ve barely had a chance to stop and enjoy the surroundings, between what felt like a never-ending flow of technical sessions, networking events and a helicopter flight. There are a large number of sessions that I’ll need to catch up on afterwards due to conflicting interests. I’d also wanted to do some hands-on labs but was unable to due to lack of time. I was also surprised by how much effort was required to actually produce an article each day!

Migrating to Windows Server 2012

The morning started with some migration sessions on introducing Windows Server 2012 into an existing environment. The usual candidate was Active Directory, with the premise that adprep no longer needs to be executed to get the environment ready. This seemed like a great idea, but was a little misleading: adprep is still run, it is just executed automatically as part of promoting the first Windows Server 2012 Domain Controller if the forest and domain have not already been prepared. The new Server Manager interface does make all this easier through the wizard-driven configuration, so I’ll take it as a benefit. Running adprep has never really been a concern (plan, test, change control, execute) as you rarely need to run it, but I’ll accept that it integrates all components into a single process. The executable still exists on the installation media and can be run separately if that better suits your change control processes.
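The check I would run before and after that first promotion, as an added example rather than anything shown in the session: it reads the three version markers adprep maintains, then shows both ways of getting them to the Windows Server 2012 level. The domain name, credentials and the media path on D: are assumptions; the expected values (schema objectVersion 56, forest revision 11, domain revision 9 for Windows Server 2012) are the documented ones.

```powershell
# Added example: verify forest/domain preparation level around a Windows Server 2012 DC promotion.
# Assumptions: RSAT AD module present, domain "corp.example.com", 2012 media mounted on D:.
Import-Module ActiveDirectory

function Get-AdPrepLevel {
    # adprep records its work in three places; older forests may lack the two
    # ActiveDirectoryUpdate objects entirely, which we report as 0.
    $root   = Get-ADRootDSE
    $schema = Get-ADObject -Identity $root.schemaNamingContext -Properties objectVersion
    $forest = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$($root.configurationNamingContext)" `
                           -Properties revision -ErrorAction SilentlyContinue
    $domain = Get-ADObject -Identity "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$($root.defaultNamingContext)" `
                           -Properties revision -ErrorAction SilentlyContinue
    $forestRev = if ($forest) { [int]$forest.revision } else { 0 }
    $domainRev = if ($domain) { [int]$domain.revision } else { 0 }
    [pscustomobject]@{
        SchemaVersion = [int]$schema.objectVersion   # 30/31 = 2003/R2, 44 = 2008, 47 = 2008 R2, 56 = 2012
        ForestPrep    = $forestRev                   # 11 once 2012 /forestprep has run
        DomainPrep    = $domainRev                   # 9 once 2012 /domainprep has run
        ReadyFor2012  = ([int]$schema.objectVersion -ge 56 -and $forestRev -ge 11 -and $domainRev -ge 9)
    }
}

Get-AdPrepLevel

# Option A: the Server Manager / ADDSDeployment path. If ReadyFor2012 is $false the
# promotion runs adprep itself, so the credential supplied must be able to do that
# (Schema Admins and Enterprise Admins for the very first 2012 DC in the forest).
Import-Module ADDSDeployment
Test-ADDSDomainControllerInstallation -DomainName "corp.example.com" `
    -Credential (Get-Credential "CORP\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")
# Install-ADDSDomainController takes the same parameters; run it once the test passes.

# Option B: run adprep as its own change record first, from the media, and promote later.
# Same binary, same result, but each step gets its own change window:
#   D:\support\adprep\adprep.exe /forestprep      (on or against the Schema Master)
#   D:\support\adprep\adprep.exe /domainprep      (once per domain)
#   D:\support\adprep\adprep.exe /domainprep /gpprep   (only if gpprep was never run)
Get-AdPrepLevel   # ReadyFor2012 should now be $true
```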

SYSVOL migration logically followed: moving SYSVOL replication away from the antiquated FRS (File Replication Service) to DFS-R (Distributed File System Replication). Thankfully I haven’t experienced significant issues with FRS for SYSVOL, but I’ve heard plenty of horror stories. The thought of moving to DFS-R is great, but I work in an environment that still has Windows Server 2003 Domain Controllers. The process itself is surprisingly easy: the migration steps through three global states (Prepared, Redirected and Eliminated), each set with a single command, and you wait for every Domain Controller to reach each state before moving on. You can jump straight to the final state with one command, but that is not recommended, because there is no way back to FRS once it has been eliminated. This is not really a Windows Server 2012 feature, but something to progress in any environment that meets the prerequisites: every Domain Controller running Windows Server 2008 or later and the domain at the Windows Server 2008 functional level.
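What that looks like typed in, as an added example (not from the session): a prerequisite check that would flag an environment like mine with Windows Server 2003 Domain Controllers, then a driver that sets each dfsrmig global state and polls until all Domain Controllers have caught up. It assumes an elevated prompt on a Domain Controller (the PDC emulator is the natural choice) as a Domain Admin, and the “migrated successfully” pattern is matched against dfsrmig’s own progress text.

```powershell
# Added example: FRS -> DFS-R SYSVOL migration, prerequisites plus a state-by-state driver.
Import-Module ActiveDirectory

function Test-SysvolMigrationPrereqs {
    # DFS-R SYSVOL needs the Windows Server 2008 domain functional level, which in
    # turn means no Windows Server 2003 (or older) Domain Controllers can remain.
    $domain  = Get-ADDomain
    $minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    $legacy  = Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -match 'Windows Server 2003|Windows 2000' } |
        Select-Object -ExpandProperty HostName
    [pscustomobject]@{
        DomainMode   = $domain.DomainMode
        FunctionalOk = ($domain.DomainMode -ge $minMode)
        LegacyDcs    = @($legacy)
        Ready        = ($domain.DomainMode -ge $minMode -and -not $legacy)
    }
}

function Set-SysvolGlobalState {
    # 1 = Prepared, 2 = Redirected, 3 = Eliminated. Going 0 -> 3 in one step is
    # permitted but not recommended: rollback to FRS is only possible from 1 or 2.
    param([Parameter(Mandatory)][ValidateSet(1, 2, 3)][int]$State)
    & dfsrmig.exe /setglobalstate $State | Out-Host
    do {
        Start-Sleep -Seconds 60                       # AD replication carries the state to every DC
        $progress = & dfsrmig.exe /getmigrationstate  # lists DCs not yet at the global state
        $progress | Out-Host
    } until ($progress -match 'migrated successfully')
}

$check = Test-SysvolMigrationPrereqs
if (-not $check.Ready) {
    throw "Not ready: domain mode $($check.DomainMode); legacy DCs: $($check.LegacyDcs -join ', ')"
}
& dfsrmig.exe /getglobalstate | Out-Host   # expect 'Start' (state 0) before beginning
Set-SysvolGlobalState -State 1             # Prepared:   DFS-R builds its own copy of SYSVOL
Set-SysvolGlobalState -State 2             # Redirected: the SYSVOL share is now served by DFS-R
Set-SysvolGlobalState -State 3             # Eliminated: FRS is removed; no going back from here
```

Pause between states for as long as your change process demands; the Redirected state is where you confirm Group Policy still applies from every Domain Controller, since it is the last point at which you can roll back.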

We also migrated a Windows Server 2008 R2 File Cluster to Windows Server 2012 using the built-in GUI. There was a bit of a demo failure, but the theory looks nice and it seems to be just two steps: pre-stage the data on the new cluster, then run the migration wizard. The part I enjoyed is that Failover Clustering is now available in Windows Server 2012 Standard Edition.

We had a glimpse of DAC (Dynamic Access Control), which got me excited for the last session of the day. Defining access to resources may not sound like fun, but it’s something required every day.

DirectAccess wonder

A surprise for me was the improvements to DirectAccess (and the highly entertaining session explaining them). I’d previously looked at this in Windows Server 2008 R2 but there were far too many caveats or complexities to be able to get traction. These complexities are pretty much gone now and the solution is quite nice. Sure, to get the best out of it the client needs to be Windows 8, but the overall deployment to support Windows 7 is easier than in the past.

Putting on my PKI Administrator hat, I like the concept of using a Kerberos proxy instead of Certificate Services – again, Windows 8 clients only. So for practical use for me I’ll need to continue down the path of making sure Certificate Services is configured to support this. Putting on my client hat, I still like that DirectAccess is built into the client operating system and that it just works. Not needing to launch a client to initiate the session really simplifies the functionality. To summarise some of the key improvements:

  • Built-in NAT64/DNS64 support for internal IPv4 hosts
  • PKI deployment no longer a prerequisite
  • Support for DirectAccess behind a NAT device
  • Kerberos proxy and IP-HTTPS improvements
  • Support for Server Core editions
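The shape of a deployment that leans on those improvements, as an added example and not something from the session: a single server behind a NAT device, no Certificate Services involved, so Windows 8 clients authenticate through the Kerberos proxy. The host name, interface name and Group Policy object names are my own assumptions.

```powershell
# Added example: minimal Windows Server 2012 DirectAccess deployment behind NAT, without PKI.
# Assumptions: public name "da.example.com", one NIC called "Ethernet", GPO names of my choosing.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN -IncludeManagementTools
Import-Module RemoteAccess

# -DeployNat tells the wizard the server is NATed (no Teredo/6to4; IP-HTTPS only).
# With no certificate parameters supplied, client authentication falls back to the
# Kerberos proxy, which is exactly the "Windows 8 clients only" caveat from the session.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress "da.example.com" `
    -InternalInterface "Ethernet" -InternetInterface "Ethernet" `
    -DeployNat `
    -ClientGpoName "corp.example.com\DirectAccess Client Settings" `
    -ServerGpoName "corp.example.com\DirectAccess Server Settings"

# Server-side view of what was configured (DA status, interfaces, authentication mode).
Get-RemoteAccess
Get-DAServer

# On a Windows 8 client, after a gpupdate and a trip outside the corporate network:
#   Get-DAConnectionStatus            # overall DirectAccess connectivity state
#   Get-DAClientExperienceConfiguration   # the probe/NLS settings the client received
#   netsh interface httpstunnel show interfaces   # IP-HTTPS tunnel state
```

Supporting Windows 7 on the same server means going back and enabling computer certificate authentication once Certificate Services is in place, which is the path I will have to take.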

Dynamic Access Control

A feature that didn’t disappoint was DAC. It was great to finally see it in action, having had the carrot dangled throughout the week. DAC is presented as the silver bullet for token bloat and, having experienced that first hand, I’d say we’re on track. The flexibility to apply access based on attributes rather than pure group membership will make life so much easier.

A focus of mine at the moment is attempting to plan for role-based access control (but using group membership) and I see DAC as a fantastic way to enhance and complement existing work. The other great part is the ability to use user and computer-based attributes to build up an access profile. To say “You can only access these financial files if you are in the finance department and using a finance computer” will enable scenarios that previously have been put in the “too hard” basket.
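That exact “finance files, finance user, finance computer” rule, built as a Central Access Policy with the ActiveDirectory module. This is an added example, not something from the session. It assumes the department attribute is populated on both user and computer objects, uses the built-in Department_MS resource property to tag folders, and the claim ID, rule and policy names are mine. Device claims only reach the file server if Kerberos compound authentication is switched on (the “KDC support for claims, compound authentication and Kerberos armoring” policy on Domain Controllers, the matching Kerberos client policy on Windows 8 clients, and “Support compound authentication” on the file server).

```powershell
# Added example: user AND device claims gating access to finance-classified folders.
Import-Module ActiveDirectory

# 1. One claim type, sourced from the 'department' attribute, issued for users and computers.
#    The fixed ID keeps the SDDL below readable; it is an assumption, not a default.
New-ADClaimType -DisplayName "Department" -ID "ad://ext/Department" `
    -SourceAttribute "department" -AppliesToClasses @("user", "computer") -Enabled $true

# 2. Enable the built-in resource property used to classify folders and publish it
#    so file servers can offer it on the Classification tab.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Set-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_MS"

# 3. Central access rule. ResourceCondition selects folders tagged Department = Finance.
#    The ACL is SDDL: Owner, Administrators and SYSTEM keep full control; the XA
#    (conditional) ACE grants Modify (0x1301bf) to Authenticated Users only when the
#    user claim AND the device claim both say Finance.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1301bf;;;AU;((@USER.ad://ext/Department == "Finance") && (@DEVICE.ad://ext/Department == "Finance")))'
New-ADCentralAccessRule -Name "Finance data on finance devices" `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $acl

# 4. Wrap the rule in a policy. The policy is pushed to file servers by Group Policy
#    (Computer Configuration > Policies > Windows Settings > Security Settings >
#    File System > Central Access Policy) and then selected on the share's Security tab.
New-ADCentralAccessPolicy -Name "Finance CAP"
Add-ADCentralAccessPolicyMember -Identity "Finance CAP" -Members "Finance data on finance devices"

Get-ADCentralAccessPolicy -Identity "Finance CAP" -Properties Members

# Checks on a Windows 8 client: 'whoami /claims' shows whether the Department claim is
# in the user's token at all, which is the first thing to verify when access is denied.
```

Note that the rule uses the conditional ACE in addition to, not instead of, the share and NTFS permissions on the folder: a Central Access Policy can only narrow access further, which is what makes it safe to layer over the group-based model I am already building.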

I’m also really looking forward to further investigation of Access-Denied Assistance. Enabling self-service for the business should mean quicker time to resolution and a decrease in workload on service desk staff.

If you haven’t investigated Dynamic Access Control yet, then I’d suggest you do as it can bring a great deal of process improvements to how you work. The number of people in the session shows me that I’m not the only one wanting to improve how access is managed.

The future

The commitment Microsoft has made to improving the feature set in Windows Server 2012 fills me with hope for the future. I know I now have to return to work and start the long task of upgrading our systems to enable everything I’ve seen. Aiming for “it just works” will empower the business to achieve what they need without them having to think about the systems that support it. The phrase from the start of the week, “Standing on the shoulders of giants”, really does appear to be true. The giant effort put into the functionality of Windows Server 2012 and all the supporting technologies will allow for so much more innovation. This really is a great year to be working with Microsoft technologies, both for IT Professionals and Developers. The ultimate winner is everyone else.

I’d like to thank Microsoft and Lifehacker for the wonderful experience, plus ASUS and Nokia for the brilliant hardware. I can’t speak for David and Terry, who have done an awesome job as fellow guest bloggers, but I know it was fun for me!

Visit Gizmodo’s TechEd 2012 Newsroom for all the news from the show.

Craig Naumann is covering Windows Server 2012 for Gizmodo using his ASUS Zenbook WX32VD.