After I download any new server OS release, the first place I go is to take a look at the AD schema. Conveniently, this doesn’t require me to install the OS (and I can even peruse it while I’m getting the OS setup). You can find the AD schema LDF files on each server ISO at:
I do something like this:
And then I’ve got a single file with all the schema for a given release to browse.
I’m probably a schema geek for doing this, but I always find that I learn about new features and things Microsoft and no one else hasn’t yet written about before everyone else does. 😉
Each AD schema version number corresponds to a separate LDF file used to update the AD schema. Over the 6 server OS releases that included schema, they amounted to 56 files.
2012R2 (preview): 69
So this is one of the bigger jumps, which in the past has only happened with a major OS release, not an R2 release.
Of course, what’s really interesting is what is in each of those LDF files. A given file might have only a single schema change or it might have dozens.
OK, that’s enough babble about the background, now let’s jump into the new schema!
From a big picture perspective, almost all of the changes are to support the BYOD enhancements you may have heard Microsoft talk about at TechEd 2013. These include a device objectclass (msDS-Device) to support the workplace join functionality, as well as various other classes to support the infrastructure behind that workplace join functionality.
Here’s a redacted excerpt of the new msDS-Device class:
Pretty ugly, huh?
Well, that’s really just a set of optional attributes and required attributes. That means these attributes …
msDS-IsEnabled: This attribute is used to enable or disable the user-device
msDS-DeviceID: This attribute stores the ID of the device.
altSecurityIdentities: Likely that this contains a X509 certificate.
msDS-DeviceOSType: This attribute is used to track the type of device based on the OS.
msDS-DeviceOSVersion: This attribute is used to track the OS version of the device.
msDS-DevicePhysicalIDs: This attribute is used to store identifiers of the physical device.
msDS-DeviceObjectVersion: This attribute is used to identify the schema version of the device.
msDS-RegisteredOwner: Single valued binary attribute containing the primary SID referencing the first user to register the device. The value is not removed during de-registration, but could be managed by an administrator.
msDS-ApproximateLastLogonTimeStamp: The approximate time a user last logged on with from the device.
msDS-RegisteredUsers: Contains the list of users that have registered the device. Users in this list have all of the features provided by the “Company Portal” app. And they have SSO to company resources.
msDS-IsManaged: This attribute is used to indicate the device is managed by a on-premises MDM.
msDS-CloudIsManaged: This attribute is used to indicate the device is managed by a cloud MDM.
msDS-CloudAnchor: This attribute is used by the DirSync engine to indicate the object SOA and to maintain the relationship between the on-premises and cloud object.
There’s lot of interesting details there, including the fact that multiple users can be registered for the same device, and the last two attributes imply that you will be able to workplace join a device to either your on-premise AD or your Azure Active Directory and a future unreleased version the Azure DirSync will sync devices between AD-DS and AAD. This would represent a change in the nature of the Azure DirSync product, which currently claims it doesn’t sync any objects back to on-premise and only does a handful of attributes back when you enable Exchange hybrid. Note that you wouldn’t know this without looking at the schema
Related to the BYOD enhancements a lot of the changes are to provide a new authentication policy feature, which hasn’t gotten much, if any, demo time in TechEd sessions.
I find that class pretty interesting, so here’s a partially redacted excerpt of it with some further simplification to make it easier to read:
adminDescription: An instance of this class defines authentication policy behaviors for assigned principals.
Note that there appear to be multiple new authentication controls here, which personally make me very eager to discover the details.
One gem in those controls is it appears that there is now support for *per user* Kerberos ticket lifetimes. This would be useful for combatting pass the ticket Kerberos attacks (like pass the hash), where you might give sensitive accounts (think domain admins) a much lower ticket lifetime than other accounts.
Other gems in the schema are 4 new extended rights supported by AD:
displayName: Set Owner of an object during creation.
displayName: Bypass the quota restrictions during creation.
displayName: Read secret attributes of objects in a Partition
displayName: Write secret attributes of objects in a Partition
I’m not sure what to make of these yet (I have a few thoughts), but they are intriguing.
One thing that is always interesting to carefully note is when an existing class is modified. This is especially true when the user class or the granddaddy of all the classes, top, is modified. And in this case, the top objectclass is modified:
# This constructed attribute transitively expands the linked attribute “member”
# This constructed attribute transitively expands the linked attribute “isMemberOfDL”
# No help text, but probably the object’s parent DN
# No help text, your guess is as good as mine
I’m not sure what to make of these changes, but since the member attribute is a highly controlled attribute in my AD environment, I’m glad to know about this, so I can dig deeper to uncover what this is all about.
Well, that’s it for now. I’ll probably keep digging into the new schema to see if I can’t find any more gems like these, but even if I stop here, I have some great details to help guide my explorations of the WS2012R2 Preview and I know something about a future Azure DirSync release that most everyone else doesn’t yet know.