The new AD DS features in Windows Server 2012 fall into four main areas

  1. Virtualization that just works
    Windows Server 2012 provides greater support for the capabilities of public and private clouds through virtualization-safe technologies and the rapid deployment of virtual domain controllers through cloning.
    Supports public and private clouds; supports rapid deployment through cloning.
  2. Simplified deployment and upgrade preparation
    The upgrade and preparation processes (dcpromo and adprep) have been replaced with a new streamlined domain controller promotion wizard that is integrated with Server Manager and built on Windows PowerShell. It validates prerequisites, automates forest and domain preparation, requires only a single set of logon credentials, and it can remotely install AD DS on a target server.
    The dcpromo and adprep commands are replaced by a wizard; AD DS can be installed remotely on a target server.
  3. Simplified management
    Examples of simplified management include the integration of claims-based authorization into AD DS and the Windows platform, two critical components of a broader feature known as Dynamic Access Control (DAC). DAC comprises central access policies, directory attributes, the Windows file-classification engine, and compound-identities that combine user and machine identity into one. In addition, the Active Directory Administrative Center (ADAC) now allows you to perform graphical tasks that automatically generate the equivalent Windows PowerShell commands. The commands can be easily copied and pasted into a script simplifying the automation of repetitive administrative actions.
    Simplified management.
  4. AD DS Platform Changes
    The AD DS platform comprises core functionality, including the “under-the-covers” behaviors that govern the components upon which the rest of the directory service is built. Updates to the AD DS platform include improved allocation and scale of RIDs (relative identifiers), deferred index creation, various Kerberos enhancements and support for Kerberos claims (see Dynamic Access Control) in AD FS.
    Platform changes.

The specific changes in each area:

Virtualization that just works

1. Rapid deployment with cloning

AD DS in Windows Server 2012 allows you to deploy replica virtual domain controllers by “cloning” existing virtual domain controllers. You can promote a single virtual domain controller by using the domain controller promotion interface in Server Manager, and then rapidly deploy additional virtual domain controllers within the same domain, through cloning. (Through cloning, an existing virtual domain controller can quickly be turned into additional domain controllers.)

The process of cloning involves creating a copy of an existing virtual domain controller, authorizing the source domain controller to be cloned in AD DS, and running Windows PowerShell cmdlets to create a configuration file that contains detailed promotion instructions (name, IP address, Domain Name System [DNS] servers, and so on). Or you can leave the configuration file empty, which allows the system to automatically fill in the information. Cloning reduces the number of steps and time involved by eliminating repetitive deployment tasks, and it enables you to fully deploy additional domain controllers that are authorized and configured for cloning by the Active Directory domain administrator. (The cloning process includes copying the VHD file, creating the configuration file, and similar steps. After creating the configuration file with PowerShell you can set the additional domain controller's name, IP, DNS and so on, or use an empty configuration file and let the system fill these in automatically. The domain controller being cloned must be authorized.)
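The cloning preparation described above, as an added example that is not part of the original post or Microsoft's documentation. It runs on the source virtual DC; the names VDC1, VDC2, Site1, corp.example.com and the 10.0.0.0/24 addresses are placeholders. The cmdlets (`New-ADDCCloneConfigFile`, `Get-ADDCCloningExcludedApplicationList`) are the Windows Server 2012 AD DS cmdlets the passage refers to; the security point is the authorization step, which is what stops an arbitrary copied VHD from coming up as a second copy of the source DC.

```powershell
# Added example (not from the original post): prepare an existing virtual DC
# (VDC1, placeholder) for cloning on Windows Server 2012.

# 1. The PDC emulator must run Windows Server 2012: it issues the clone's new
#    identity and RID pool when the copy boots.
$pdcFqdn = (Get-ADDomain).PDCEmulator
Get-ADComputer -Identity $pdcFqdn.Split('.')[0] -Properties OperatingSystem |
    Select-Object Name, OperatingSystem

# 2. Authorize the source DC. Membership in "Cloneable Domain Controllers" is the
#    explicit permission the domain admin grants; without it a copied VHD is
#    treated as a restored VM, not as a new DC to promote.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity 'VDC1')

# 3. List installed software not known to be clone-safe. Each item must be
#    removed or consciously allowed (CustomDCCloneAllowList.xml) before cloning.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    # Only after reviewing the list: write the allow-list file for the remaining items.
    Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
}

# 4. Write DCCloneConfig.xml with the clone's promotion settings (name, site,
#    static IP, DNS). Omit the parameters, or leave the file empty, and the clone
#    picks a generated name and uses DHCP.
New-ADDCCloneConfigFile -CloneComputerName 'VDC2' -SiteName 'Site1' -Static `
    -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'

# 5. Shut VDC1 down, export or copy its VM, import the copy and start it. On first
#    boot the copy sees a changed VM-GenerationID together with DCCloneConfig.xml
#    and promotes itself as VDC2. Only then start VDC1 again.
```

Step 3 is the part most often skipped: any agent or service that embeds the host identity (certificates, endpoint agents, licensing) will be duplicated onto the clone unless it is removed or known to handle cloning.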

2. Safer virtualization of domain controllers

AD DS has been virtualized for several years, but features present in most hypervisors can invalidate strong assumptions made by the Active Directory replication algorithms. Primarily, the logical clocks that are used by domain controllers to determine relative levels of convergence only go forward in time. In Windows Server 2012, a virtual domain controller uses a unique identifier that is exposed by the hypervisor. This is called the virtual machine GenerationID. The virtual machine GenerationID changes whenever the virtual machine experiences an event that affects its position in time. The virtual machine GenerationID is exposed to the virtual machine’s address space within its BIOS, and it is made available to the operating system and applications through a driver in Windows Server 2012. (I didn't quite understand this one.)
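A check for the protection described above, as an added example that is not part of the original post. The practical concern behind the paragraph is snapshot rollback: restoring a VM snapshot moves the DC's USN "clock" backwards, and replication partners silently stop converging (USN rollback). With VM-GenerationID the DC notices the change, resets its invocationID and discards its RID pool instead. AD stores the last-seen value in the `msDS-GenerationId` attribute of the DC's computer object; if it is missing, the hypervisor does not expose the ID and a restore will not be detected. DC1 is a placeholder name; the event-ID comment is from memory and should be checked against your own Directory Service log.

```powershell
# Added example (not from the original post): is this virtual DC protected by
# VM-GenerationID, and has a Generation ID change ever been detected?

$dcName = 'DC1'   # placeholder
$dc = Get-ADComputer -Identity $dcName

# The attribute is an octet string; absent means "no VM-GenerationID from the hypervisor".
$obj   = Get-ADObject -Identity $dc.DistinguishedName -Properties 'msDS-GenerationId'
$genId = $obj.'msDS-GenerationId'

if ($null -eq $genId) {
    Write-Warning "$dcName has no msDS-GenerationId: snapshot restores will NOT be detected; treat them as USN rollback."
} else {
    '{0}: VM-GenerationID = {1}' -f $dcName, [System.BitConverter]::ToString($genId)
}

# Directory Service log events for the feature (for example, the "Generation ID
# change has been detected" event, ID 2170 as far as I recall). Matching on the
# message text avoids depending on the exact IDs.
Get-WinEvent -ComputerName $dcName -FilterHashtable @{ LogName = 'Directory Service' } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Generation ID' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A DC that reports no `msDS-GenerationId` should be treated exactly as a pre-2012 virtual DC: snapshots are a backup of last resort, never an undo button.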

Simplified deployment and upgrade preparation

AD DS deployment in Windows Server 2012 integrates all the required steps to deploy new domain controllers into a single graphical interface. It requires only one enterprise-level credential, and it can prepare the forest or domain by remotely targeting the appropriate operations master roles. The new deployment process conducts extensive prerequisite validation tests that minimize the opportunity for errors that might have otherwise blocked or slowed the installation. The AD DS installation process is built on Windows PowerShell, integrated with Server Manager, able to target multiple servers, and remotely deploy domain controllers, which results in a deployment experience that is simpler, more consistent, and less time consuming. The following figure shows the AD DS Configuration Wizard in Windows Server 2012.

WS 2012 provides a simple deployment wizard that covers all of the deployment steps.

Stricter prerequisite checks greatly reduce the errors that occur during deployment.

With PowerShell, the domain controller role can be deployed on several machines at the same time.
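The PowerShell-based deployment flow described above, as an added example that is not part of the original post: install the role binaries on a remote server, run the same prerequisite validation the wizard runs, and promote only if validation succeeds. DC2 and corp.example.com are placeholders; the single credential is passed explicitly to the AD DS cmdlets so the remote session does not depend on credential delegation. `Test-ADDSDomainControllerInstallation` and `Install-ADDSDomainController` are the Windows Server 2012 ADDSDeployment cmdlets behind the wizard.

```powershell
# Added example (not from the original post): validate, then promote a remote
# server as an additional DC from a management host.

$target = 'DC2'               # placeholder
$domain = 'corp.example.com'  # placeholder
$cred   = Get-Credential -Message "Domain Admin credential for $domain"
$dsrm   = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password for the new DC'

$result = Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    param($domain, $cred, $dsrm)

    # Role binaries only; promotion is a separate, validated step.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

    # Dry run of the wizard's prerequisite checks (forest/domain prep state, DNS,
    # credentials, FSMO reachability). Nothing is changed yet.
    $test = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
        -InstallDns -SafeModeAdministratorPassword $dsrm
    if ($test.Status -ne 'Success') {
        return $test   # hand the blocking message back to the caller; do not promote
    }

    # Promote. Forest and domain preparation (the old adprep step) is performed
    # automatically against the appropriate operations master roles.
    Install-ADDSDomainController -DomainName $domain -Credential $cred -InstallDns `
        -SafeModeAdministratorPassword $dsrm -NoRebootOnCompletion -Force
} -ArgumentList $domain, $cred, $dsrm

$result | Select-Object Status, Message | Format-List
```

To deploy to several servers at once, replace `-ComputerName $target` with a list of names; `Invoke-Command` fans the script block out in parallel and returns one result object per server.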

Simplified management
  • Dynamic Access Control
  • Off-Premises Domain Join (offline domain join; with DirectAccess enabled, a machine can join the domain over the internet)
  • Active Directory Federation Services (AD FS)
  • Windows PowerShell History Viewer (shows the history of generated commands)
  • Active Directory Recycle Bin User Interface (a graphical interface for the Recycle Bin; objects deleted within the last 180 days can now be restored through ADAC)
  • Fine-Grained Password Policy User Interface (a graphical interface for password policies)
  • Active Directory Replication and Topology Windows PowerShell cmdlets
  • Active Directory Based Activation (AD BA) (domain-based activation of Windows and Office, limited to Windows 8. KMS and AD BA can coexist. Requires the 2012 domain schema.)
  • Group Managed Service Accounts (gMSA)
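Three of the management items above driven from PowerShell, as an added example that is not part of the original post: creating a Group Managed Service Account (the password is generated and rotated by the KDS, so no human ever knows it), restoring a deleted user through the Recycle Bin, and using the new replication cmdlets to surface failures. svc-web, WEB01, jdoe, DC1 and corp.example.com are placeholders; the Recycle Bin feature is assumed to be already enabled in the forest.

```powershell
# Added example (not from the original post): gMSA, Recycle Bin restore and
# replication health from the Active Directory module.

# --- Group Managed Service Account ---
# The KDS root key is created once per forest. -EffectiveImmediately is for labs;
# in production omit it and wait the default 10 hours so every DC has replicated it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# Only the listed principals (here the WEB01 computer account) can retrieve the
# managed password, which is the least-privilege property that makes gMSAs useful.
New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADComputer -Identity 'WEB01') `
    -KerberosEncryptionType AES256
# Then, on WEB01 itself:  Install-ADServiceAccount svc-web ; Test-ADServiceAccount svc-web

# --- Recycle Bin: restore a deleted user by sAMAccountName ---
# Deleted objects keep sAMAccountName, while their name gets a "DEL:<guid>" suffix,
# so filter on the account name rather than on the display name.
Get-ADObject -Filter { objectClass -eq 'user' -and sAMAccountName -eq 'jdoe' -and isDeleted -eq $true } `
    -IncludeDeletedObjects | Restore-ADObject

# --- Replication cmdlets ---
# Any row here is a partner link that has not converged; LastError is the Win32 code.
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# Per-partner metadata for one DC: when it last succeeded and the last result code.
Get-ADReplicationPartnerMetadata -Target 'DC1' -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

`Get-ADReplicationFailure -Scope Forest` is the cmdlet equivalent of `repadmin /replsummary`; it is worth scheduling, because a DC that has silently stopped replicating (the USN rollback case from the virtualization section) shows up here long before users notice.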