Windows Server 8 Features via AD Schema Analysis

So I finally got around to looking more closely at the Windows Server 8 bits given out at Build. One of the first things I do when I look at a new MS server OS is look at the AD schema files. I’m sure that sounds pretty geeky and tedious to others, but I find that it gives me a really quick overview of most of the new features and some of the details associated with them, so I know what to look for (and what to hope for). Sometimes I find gems that I really like but which don’t make it into slide decks or announcements because they aren’t flashy enough or didn’t require much MS investment–and there are plenty of examples of that in this new set of schema files.

Of course, this OS is not even at beta level yet, so it’s hard to know what will be cut or added, but even so, it paints an interesting picture. And I figure this info is of broad interest, so here are my notes from perusing the new schema files:

  • *Lots* of stuff to support CBAC, including cross-forest
  • Stuff to support integrating KMS with AD (called KDS), especially storing various keys in AD, but also storing configuration settings. Details here may have implications on those of us who run KMS (especially if that KMS serves more than one forest).
  • Stuff to represent TPM as a new object type, link to computer objects, and other new TPM functionality. Maybe a refactor of how they do AD integrated BitLocker–or maybe this is only to support the new UEFI boot which I heard they had to make some changes to support.
  • Stuff to support DNS zone signing, including storage of NSEC keys in AD, and storage of some DNS settings in AD. Haven’t heard of this yet.
  • Stuff to help with DC virtualization, including an attribute to support VM snapshot resumption detection and a controlAccessRight to allow a DC to clone itself.
  • An attribute to support ‘act on behalf of’ access checks. Might be only for CBAC, but maybe it’s to help with cross-forest Kerberos delegation. Unclear.
  • Stuff to support scan repository/secure print devices. Looks like it’s trying to make it easy for a vendor to design their product to join AD and store certs there to secure their device. Hadn’t heard of this yet.
  • An attribute (and backlink) to store whether a computer is a user’s (or group’s) primary computer. Haven’t heard of this yet. Nice gem. 🙂
  • A controlAccessRight for “validated write to MS DS additional DNS Host Name”. Not sure what this is yet.
  • Stuff to support managed password data for a group managed service account, including what looks like a custom access control mechanism.
  • New attributes to store geo coordinates in, including longitude, latitude, and altitude. Haven’t heard of this yet.
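For anyone who wants to do the same kind of schema-file review, here is an added example (not the author’s tooling, and not Microsoft’s code): it parses LDIF in the shape of the adprep sch*.ldf files, picks out the ntdsSchemaAdd entries, and labels new attributes as forward or back links by linkID parity and new controlAccessRight entries by their validAccesses bits. The sample LDIF and the names in it are constructed for illustration, not copied from the Windows Server 8 files.

```python
# Constructed LDIF shaped like Microsoft's adprep sch*.ldf files (blank-line
# separated entries, folded lines start with a space); names are illustrative.
SAMPLE_LDIF = """\
dn: CN=ms-DS-Is-Primary-Computer-For,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
lDAPDisplayName: msDS-IsPrimaryComputerFor
linkID: 2171

dn: CN=Validated-MS-DS-Additional-DNS-Host-Name,CN=Extended-Rights,
 CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: controlAccessRight
displayName: Validated write to MS DS Additional DNS Host Name
validAccesses: 8
"""
# ADS_RIGHT_DS_* bits a controlAccessRight's validAccesses may carry
ACCESS_BITS = {0x8: "validated write", 0x20: "write property", 0x100: "control access"}

def parse_ldif(text):
    # One {attribute: [values]} dict per entry, keys lowercased for easy lookup
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold, split entries
        entry = {}
        for line in block.splitlines():
            if line != "-":  # "-" separates operations in modify entries
                key, _, value = line.partition(":")
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def summarize_additions(text):
    # Bucket ntdsSchemaAdd entries the way a schema reviewer reads them
    out = {"classes": [], "attributes": [], "rights": []}
    for e in parse_ldif(text):
        if e.get("changetype", [""])[0].lower() != "ntdsschemaadd":
            continue
        oc = {v.lower() for v in e.get("objectclass", [])}
        name = e.get("ldapdisplayname", e.get("displayname", ["?"]))[0]
        if "classschema" in oc:
            out["classes"].append(name)
        elif "attributeschema" in oc:  # even linkID = forward link, odd = back link
            link = int(e["linkid"][0]) if "linkid" in e else None
            kind = "plain" if link is None else ("forward link", "back link")[link % 2]
            out["attributes"].append((name, kind))
        elif "controlaccessright" in oc:
            mask = int(e.get("validaccesses", ["0"])[0])
            out["rights"].append((name, [n for b, n in ACCESS_BITS.items() if mask & b]))
    return out
```

Point it at a real sch*.ldf and the rights bucket is where validated writes and new control access rights show up, while odd linkIDs flag the backlink half of new attribute pairs.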