Windows Server 2012 AD DS

The new AD DS features in Windows Server 2012 fall into four main areas:

  1. Virtualization that just works
    Windows Server 2012 provides greater support for the capabilities of public and private clouds through virtualization-safe technologies and the rapid deployment of virtual domain controllers through cloning.
    Supports public and private clouds, and supports rapid deployment through cloning.
  2. Simplified deployment and upgrade preparation
    The upgrade and preparation processes (dcpromo and adprep) have been replaced with a new streamlined domain controller promotion wizard that is integrated with Server Manager and built on Windows PowerShell. It validates prerequisites, automates forest and domain preparation, requires only a single set of logon credentials, and it can remotely install AD DS on a target server.
    The dcpromo and adprep commands are replaced by a wizard, and AD DS can be installed remotely on a target server.
  3. Simplified management
    Examples of simplified management include the integration of claims-based authorization into AD DS and the Windows platform, two critical components of a broader feature known as Dynamic Access Control (DAC). DAC comprises central access policies, directory attributes, the Windows file-classification engine, and compound-identities that combine user and machine identity into one. In addition, the Active Directory Administrative Center (ADAC) now allows you to perform graphical tasks that automatically generate the equivalent Windows PowerShell commands. The commands can be easily copied and pasted into a script simplifying the automation of repetitive administrative actions.
    Simplified management.
  4. AD DS Platform Changes
    The AD DS platform comprises core functionality, including the “under-the-covers” behaviors that govern the components upon which the rest of the directory service is built. Updates to the AD DS platform include improved allocation and scale of RIDs (relative identifiers), deferred index creation, various Kerberos enhancements and support for Kerberos claims (see Dynamic Access Control) in AD FS.
    Platform technology changes.

The specific changes in each area:

Virtualization that just works

1. Rapid deployment with cloning

AD DS in Windows Server 2012 allows you to deploy replica virtual domain controllers by “cloning” existing virtual domain controllers. You can promote a single virtual domain controller by using the domain controller promotion interface in Server Manager, and then rapidly deploy additional virtual domain controllers within the same domain, through cloning. (Cloning lets you quickly add copies of an existing virtual domain controller as additional domain controllers.)

The process of cloning involves creating a copy of an existing virtual domain controller, authorizing the source domain controller to be cloned in AD DS, and running Windows PowerShell cmdlets to create a configuration file that contains detailed promotion instructions (name, IP address, Domain Name System [DNS] servers, and so on). Or you can leave the configuration file empty, which allows the system to automatically fill in the information. Cloning reduces the number of steps and time involved by eliminating repetitive deployment tasks, and it enables you to fully deploy additional domain controllers that are authorized and configured for cloning by the Active Directory domain administrator. (The cloning process includes copying the VHD file, creating the configuration file, and so on. After the configuration file is created with PowerShell, it can set the additional domain controller's name, IP address, DNS servers, and so on, or an empty configuration file can be used so that the system fills these in automatically. The domain controller being cloned must be authorized.)
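The authorization and configuration-file steps described above, as an added example that is not part of the original post. The server names, site name and IP addresses are placeholders; the cmdlets and the `Cloneable Domain Controllers` group are the ones Windows Server 2012 ships for cloning.

```powershell
# Added example: authorize a source virtual DC for cloning and write its
# DCCloneConfig.xml. All names and addresses are placeholders (assumptions).
Import-Module ActiveDirectory

$sourceDc  = 'DC01'    # hypothetical source virtual domain controller
$cloneName = 'DC02'    # hypothetical name for the clone
$group     = 'Cloneable Domain Controllers'

# Cloning needs a PDC emulator that runs Windows Server 2012 or later.
$pdcHost = (Get-ADDomain).PDCEmulator
$pdc = Get-ADComputer -Filter "DNSHostName -eq '$pdcHost'" -Properties OperatingSystem
Write-Output "PDC emulator: $pdcHost ($($pdc.OperatingSystem))"

# Audit who is already authorized; the group is empty by default.
Get-ADGroupMember -Identity $group | Select-Object Name, distinguishedName

# Authorize the source DC (requires domain administrator rights).
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $sourceDc)

# Run the remaining steps on the source DC itself.
# List installed services and programs that are not known to be clone-safe.
Get-ADDCCloningExcludedApplicationList
# After reviewing that list, record the reviewed items as allowed.
Get-ADDCCloningExcludedApplicationList -GenerateXml

# Write the configuration file with explicit promotion settings.
$cloneSettings = @{
    CloneComputerName  = $cloneName
    SiteName           = 'Default-First-Site-Name'
    Static             = $true
    IPv4Address        = '10.0.0.12'
    IPv4SubnetMask     = '255.255.255.0'
    IPv4DefaultGateway = '10.0.0.1'
    IPv4DNSResolver    = '10.0.0.10'
}
New-ADDCCloneConfigFile @cloneSettings
# Alternative (the "empty" file): call New-ADDCCloneConfigFile with no
# parameters and let the system choose the name and network settings.

# After the clone has been promoted, withdraw the authorization:
# Remove-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $sourceDc)
```

Membership in the group is what authorizes a domain controller to be copied, so it is worth reviewing it before and after each cloning operation.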

2. Safer virtualization of domain controllers

AD DS has been virtualized for several years, but features present in most hypervisors can invalidate strong assumptions made by the Active Directory replication algorithms. Primarily, the logical clocks that are used by domain controllers to determine relative levels of convergence only go forward in time. In Windows Server 2012, a virtual domain controller uses a unique identifier that is exposed by the hypervisor. This is called the virtual machine GenerationID. The virtual machine GenerationID changes whenever the virtual machine experiences an event that affects its position in time. The virtual machine GenerationID is exposed to the virtual machine’s address space within its BIOS, and it is made available to the operating system and applications through a driver in Windows Server 2012. (I did not understand this part.)

Simplified deployment and upgrade preparation

AD DS deployment in Windows Server 2012 integrates all the required steps to deploy new domain controllers into a single graphical interface. It requires only one enterprise-level credential, and it can prepare the forest or domain by remotely targeting the appropriate operations master roles. The new deployment process conducts extensive prerequisite validation tests that minimize the opportunity for errors that might have otherwise blocked or slowed the installation. The AD DS installation process is built on Windows PowerShell, integrated with Server Manager, able to target multiple servers, and remotely deploy domain controllers, which results in a deployment experience that is simpler, more consistent, and less time consuming. The following figure shows the AD DS Configuration Wizard in Windows Server 2012.

Windows Server 2012 provides a simple deployment wizard that completes all of the deployment steps.

Stricter prerequisite checks greatly reduce the number of errors during deployment.

With PowerShell, the domain controller role can be deployed on multiple machines at the same time.
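The remote, PowerShell-based promotion with its prerequisite check, as an added example that is not part of the original post. The server and domain names are placeholders, and the target is assumed to be reachable over PowerShell remoting.

```powershell
# Added example: install AD DS on a remote server, run the prerequisite
# validation, and promote only if every check passes.
# $target and $domain are placeholders (assumptions).
$target = 'SRV02'               # hypothetical target server
$domain = 'corp.example.com'    # hypothetical existing domain

# One credential is used throughout; secrets are prompted for, not hard-coded.
$cred = Get-Credential -Message "Credential allowed to add a DC to $domain"
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Install the role binaries on the target from the management machine.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -ComputerName $target

Invoke-Command -ComputerName $target -ScriptBlock {
    Import-Module ADDSDeployment

    $settings = @{
        DomainName                    = $using:domain
        Credential                    = $using:cred
        SafeModeAdministratorPassword = $using:dsrm
        InstallDns                    = $true
    }

    # Same validation the wizard performs, without changing anything.
    $checks = Test-ADDSDomainControllerInstallation @settings
    $failed = $checks | Where-Object { $_.Status -ne 'Success' }
    if ($failed) {
        $failed | Format-List Context, Status, Message
        throw "Prerequisite validation failed on $env:COMPUTERNAME; not promoting."
    }

    # Promote; -Force suppresses the confirmation prompts, and the server
    # restarts when promotion completes.
    Install-ADDSDomainController @settings -Force
}
```

To deploy to several servers, pass an array of names to `-ComputerName` on `Invoke-Command` after installing the role on each one.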

Simplified management

  • Dynamic Access Control
  • Off-Premises Domain Join (offline domain join; with DirectAccess enabled, a machine can join the domain over the Internet)
  • Active Directory Federation Services (AD FS)
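  • Windows PowerShell History Viewer (view the history of commands)
  • Active Directory Recycle Bin User Interface (provides a graphical interface for the Recycle Bin; objects from within the last 180 days can now be restored through ADAC)
  • Fine-Grained Password Policy User Interface (graphical interface for password policies)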
  • Active Directory Replication and Topology Windows PowerShell cmdlets
  • Active Directory Based Activation (AD BA) (domain-based activation of Windows and Office, limited to Windows 8; KMS and AD BA can coexist; requires the 2012 domain schema)
  • Group Managed Service Accounts (gMSA)